Content, Breach, Content

DefCon 2018: Ten Biggest Hacks, Security Developments and Research Findings

At the massive DefCon 2018 conference (aka Defcon 26) this weekend in Las Vegas, hackers and security gurus documented and discussed a range of vulnerabilities across multiple platforms -- including printers, mobile and IoT (Internet of Things) devices, voting machines, critical infrastructure and more.

Here's a sampling of the major hacks, vulnerabilities and issues tacked at Def Con 26, held at Caesars Palace Las Vegas Hotel & Casino :

1. HP Printer Vulnerabilities: Tens of millions of fax-ready HP OfficeJet inkjet printers are vulnerable to a simple hack that gives an attacker full control over a targeted printer, ThreatPost reports. The information originated from Check Point, which documented two critical vulnerabilities. HP released patches for both vulnerabilities (CVE-2018-5925 and CVE-2018-5924), ThreatPost noted.

2. Slot Machines Go Dark: Dozens of slot machines went offline simultaneously at the Linq casino. The casino says it's investigating the outage and the timing -- with Def Con in town -- was purely coincidental, according to Mashable.

3. Google Engineer Receives Warning: Matt Linton, a senior software engineer at Google, was temporarily barred from Caesars Palace after tweeting in jest that rich BlackHat attendees are better targets for hackers than DefCon attendees, Wired says.

4. U.S. Election and Voting System Hacks: An 11-year-old boy hacked a replica of the Florida state election website and change voting results in under 10 minutes, Wired reports.

5. Politician Website Hacks: Three of every 10 candidates running for the U.S. House of Representatives have significant security problems with their websites, according to a team of four independent researchers led by NIST veteran expert, Reuters reports.

6. Police Bodycam Hacks: Josh Mitchell, a consultant at the security firm Nuix, analyzed five body camera models from five different companies: Vievu, Patrol Eyes, Fire Cam, Digital Ally, and CeeSc. In all but the Digital Ally device, vulnerabilities would allow an attacker to download footage off a camera, edit things out or potentially make more intricate modifications, and then re-upload it, leaving no indication of the change, Wired reports. Or an attacker could simply delete footage they don't want law enforcement to have.

7. Medical Device Hacks: One set of researchers showed off hacks to pacemakers and insulin pumps which could potentially prove lethal, while another researcher explained how hospital patients’ vital signs could be falsified in real-time, CSO reports.

8. Android Mobile Device Hacks: Kryptowire described about 47 vulnerabilities in the firmware and default apps of 25 Android smartphone models, 11 of which are also sold in the U.S., Bleeping Computer reports. Some of the most dangerous of these vulnerabilities allow an attacker to retrieve or send SMS texts from the user's phone, take screenshots or record videos of the phone's screen, retrieve the user's contacts list, force the installation of third-party arbitrary apps without the user's knowledge or consent, or even wipe the user's data from the device, Bleeping Computer adds.

9. Automobile, Car and IoT Insecurity: IoT security provider Zingbox, demonstrated attacks against infotainment systems built into cars. Associated malware can exfiltrate the driver’s personal information via SMS messages, the company asserts.

10. Water Infrastructure Hacks: New cyberattacks against urban water services can be launched using a botnet of smart commercial irrigation systems, according to Ben-Gurion University of the Negev (BGU) researchers.

Bonus - NSA vs. Nation States: Rob Joyce, senior advisory for cybersecurity strategy at the NSA, described how Russia, China, Iran, and North Korea are using different techniques in the pursuit of different aims against the United States, Dark Reading reports.

Joe Panettieri

Joe Panettieri is co-founder & editorial director of MSSP Alert and ChannelE2E, the two leading news & analysis sites for managed service providers in the cybersecurity market.