The best hacks and security research from Black Hat and Def Con 2024

Thousands of hackers, researchers and security professionals descended on the Black Hat and Def Con security conferences in Las Vegas this week, an annual pilgrimage aimed at sharing the latest research, hacks, and knowledge across the security community. And TechCrunch was on the ground to report on the back-to-back shows and to cover some of the latest research.

CrowdStrike took center stage, and picked up an “epic fail” award it certainly didn’t want. But the company acknowledged it messed up and handled its scandal several weeks after releasing a buggy software update that sparked a global IT outage. Hackers and security researchers seemed largely willing to forgive, though maybe not easily forget.

As another round of Black Hat and Def Con conferences wrap up, we look back at some of the highlights and the best in research from the show that you might’ve missed.

Hacking Ecovac robots to spy on their owners over the internet

Security researchers revealed in a Def Con talk that it was possible to hijack a range of Ecovacs home vacuum and lawnmower robots by sending a malicious Bluetooth signal to a vulnerable robot within a close proximity. From there, the on-board microphone and camera can be remotely activated over the internet, allowing the attacker to spy on anyone within ear- and camera-shot of the robot.

The bad news is that Ecovacs never responded to the researchers, or TechCrunch’s request for comment, and there is no evidence that the bugs were ever fixed. The good news is that we still got this incredible screenshot of a dog taken from the on-board camera of a hacked Ecovacs robot. 

The long game of infiltrating the LockBit ransomware game and doxing its ringleader

An intense cat and mouse game between security researcher Jon DiMaggio and the ringleader of the LockBit ransomware and extortion racket, known only as LockBitSupp, led DiMaggio down a rabbit hole of open source intelligence gathering to identify the real-world identity of the notorious hacker. 

In his highly detailed diary series, DiMaggio, spurred on by an anonymous tip of an email address allegedly used by LockBitSupp and a deep-rooted desire to get justice for the gang’s victims, finally identified the man, and got there even before federal agents publicly named the hacker as the Russian national, Dmitry Khoroshev. At Def Con, DiMaggio told his story from his perspective to a crowded room for the first time.

Hacker develops laser microphone that can hear your keyboard taps

Renowned hacker Samy Kamkar developed a new technique aimed at stealthily determining each tap from a laptop’s keyboard by aiming an invisible laser through a nearby window. The technique, demonstrated at Def Con and as explained by Wired, “takes advantage of the subtle acoustics created by tapping different keys on a computer,” and works so long as the hacker has a line-of-sight from the laser to the target laptop itself. 

Prompt injections can easily trick Microsoft Copilot

A new prompt injection technique developed by Zenity shows it’s possible to extract sensitive information from Microsoft’s AI-powered chatbot companion, Copilot. Zenity chief technology officer Michael Bargury demonstrated the exploit at the Black Hat conference, showing how to manipulate Copilot AI’s prompt to alter its output.

In one example he tweeted out, Bargury showed it was possible to feed in HTML code containing a bank account number controlled by a malicious attacker and trick Copilot into returning that bank account number in responses returned to ordinary users. That can be used to trick unsuspecting people into sending money to the wrong place, the basis of some popular business scams. 

we got an ~RCE on M365 Copilot by sending an email

by ~RCE I mean full remote control over
its actions – search for sensitive content (sharepoint, email, calendar, teams), execute plugins
and outputs – bypass DLP controls, manipulate references, social engineer its users on our… pic.twitter.com/r1yMRLXKAG

— mbg @ defcon (@mbrg0) August 8, 2024

Six companies saved from hefty ransoms, thanks to ransomware flaws in ransomware leak sites

Security researcher Vangelis Stykas set out to scope dozens of ransomware gangs and identify potential holes in their public-facing infrastructure, such as their extortion leak sites. In his Black Hat talk, Stykas explained how he found vulnerabilities in the web infrastructure of three ransomware gangs — Mallox, BlackCat, and Everest — allowing him to get decryption keys to two companies and notify four others before the gangs could deploy ransomware, saving in total six companies from hefty ransoms. 

Ransomware isn’t getting better, but the tactics law enforcement are using against gangs that encrypt and extort their victims are getting more novel and interesting, and this could be an approach to consider with gangs going forward.