Security Experts:

DEF CON 2020 Wrap-Up: Hacking Phones, Cars and Satellites

Tens of researchers showcased their work last week at the DEF CON hacking conference. They presented research on hacking phones, cars, satellite communications, traffic lights, smart home devices, printers, and popular software services, among many others.

Here is a summary of some of the most interesting presentations from DEF CON 2020:

Hacking Samsung smartphones via Find My Mobile

A series of vulnerabilities affecting Samsung’s Find My Mobile could have been chained to track a phone, wipe it remotely and perform various other activities, according to cybersecurity company Char49. The flaws were patched by Samsung last year.

Vulnerabilities in Qualcomm chips expose over 1 billion devices to attacks

Check Point has identified hundreds of vulnerabilities that expose devices with Qualcomm Snapdragon chips to attacks. At least one billion devices are believed to be affected and while Qualcomm has developed patches, it’s now up to OEMs to distribute them to end-users.

DEF CON 2020 summary

Vulnerabilities exposed thousands of HDL smart devices to remote attacks

Several vulnerabilities found by SentinelOne researchers in smart devices made by HDL could have been exploited to remotely hack thousands of impacted devices found in homes and buildings. The vendor released patches after being notified.

New techniques for bypassing biometric systems

Yamila Levalle from Dreamlab Technologies has demonstrated some new techniques for bypassing biometric systems, particularly fingerprint scanners, using 3D printing.

Related: Black Hat Wrap-Up: IoT and Hardware Vulnerabilities Take the Spotlight

Zoom vulnerabilities allowed data theft and malware deployment

Zoom recently patched some vulnerabilities that could have been used by an attacker with access to a device to steal user data and execute malware. The researcher who discovered the flaws described his findings.

Analysis of a Boeing 747-400 from a hacker’s perspective

Researchers from Pen Test Partners presented the systems of a Boeing 747-400 airplane, focusing on systems that could be of interest to a hacker. They pointed out that some updates are still performed using floppy disks.

Hacking smart traffic light systems

Researchers at Netherlands-based applied security research company Zolder showed how they hacked a traffic light management system that is connected to a smartphone app. They talked about how a hacker could remotely control traffic lights. The affected product is used in over 10 municipalities in the Netherlands.

TLS 1.3 enables a new type of domain fronting

Domain fronting has been used to bypass internet censorship and monitoring, but it stopped being popular in 2018 when Google and AWS stopped supporting it. A researcher from SIXGEN says he has found a new form of domain fronting that leverages TLS 1.3.

Targeting satellite communications using home TV equipment

Researcher James Pavur demonstrated an attack on satellite broadband communications networks using $300-worth of home television equipment. He showed that he could intercept sensitive data transmitted on satellite links by some of the world’s largest organizations.

Hacking a Tesla’s battery management system

A researcher from Rapid7 described how he was able to hack a Tesla’s battery management system to obtain more power for the electric vehicle. While he bricked a car during his experiments, he ultimately did manage to make a car faster.

Hacking Spark clusters

A researcher from Qonto showed how an attacker could “pop a shell” on hundreds of Apache Spark nodes. Such an attack can result in a malicious actor gaining access to highly sensitive information belonging to a company.

Printer attacks

Researchers from SafeBreach found potentially serious vulnerabilities in the Windows Print Spooler service, the same service that was targeted by the notorious Stuxnet malware in attacks on Iran. A vulnerability in the Print Spooler service was also identified by researchers from Tencent Security Xuanwu Lab.

view counter
Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.