Tens of researchers showcased their work last week at the DEF CON hacking conference. They presented research on hacking phones, cars, satellite communications, traffic lights, smart home devices, printers, and popular software services, among many others.
Here is a summary of some of the most interesting presentations from DEF CON 2020:
Hacking Samsung smartphones via Find My Mobile
A series of vulnerabilities affecting Samsung’s Find My Mobile could have been chained to track a phone, wipe it remotely and perform various other activities, according to cybersecurity company Char49. The flaws were patched by Samsung last year.
Vulnerabilities in Qualcomm chips expose over 1 billion devices to attacks
Check Point has identified hundreds of vulnerabilities that expose devices with Qualcomm Snapdragon chips to attacks. At least one billion devices are believed to be affected and while Qualcomm has developed patches, it’s now up to OEMs to distribute them to end-users.
Vulnerabilities exposed thousands of HDL smart devices to remote attacks
Several vulnerabilities found by SentinelOne researchers in smart devices made by HDL could have been exploited to remotely hack thousands of impacted devices found in homes and buildings. The vendor released patches after being notified.
New techniques for bypassing biometric systems
Yamila Levalle from Dreamlab Technologies has demonstrated some new techniques for bypassing biometric systems, particularly fingerprint scanners, using 3D printing.
Zoom vulnerabilities allowed data theft and malware deployment
Zoom recently patched some vulnerabilities that could have been used by an attacker with access to a device to steal user data and execute malware. The researcher who discovered the flaws described his findings.
Analysis of a Boeing 747-400 from a hacker’s perspective
Researchers from Pen Test Partners presented the systems of a Boeing 747-400 airplane, focusing on systems that could be of interest to a hacker. They pointed out that some updates are still performed using floppy disks.
Hacking smart traffic light systems
Researchers at Netherlands-based applied security research company Zolder showed how they hacked a traffic light management system that is connected to a smartphone app. They talked about how a hacker could remotely control traffic lights. The affected product is used in over 10 municipalities in the Netherlands.
TLS 1.3 enables a new type of domain fronting
Domain fronting has been used to bypass internet censorship and monitoring, but it stopped being popular in 2018 when Google and AWS stopped supporting it. A researcher from SIXGEN says he has found a new form of domain fronting that leverages TLS 1.3.
Targeting satellite communications using home TV equipment
Researcher James Pavur demonstrated an attack on satellite broadband communications networks using $300-worth of home television equipment. He showed that he could intercept sensitive data transmitted on satellite links by some of the world’s largest organizations.
Hacking a Tesla’s battery management system
A researcher from Rapid7 described how he was able to hack a Tesla’s battery management system to obtain more power for the electric vehicle. While he bricked a car during his experiments, he ultimately did manage to make a car faster.
Hacking Spark clusters
A researcher from Qonto showed how an attacker could “pop a shell” on hundreds of Apache Spark nodes. Such an attack can result in a malicious actor gaining access to highly sensitive information belonging to a company.
Researchers from SafeBreach found potentially serious vulnerabilities in the Windows Print Spooler service, the same service that was targeted by the notorious Stuxnet malware in attacks on Iran. A vulnerability in the Print Spooler service was also identified by researchers from Tencent Security Xuanwu Lab.