5 scariest cybersecurity threats at Black Hat, Defcon

The Black Hat hackers conference begins July 31, 2013, in Las Vegas. CBSNews.com

Las VegasAn annual show-and-tell of some of the most alarming security breaches currently known is underway at two hacker conferences being held in Las Vegas this week. Cybersecurity researchers, hackers, government agencies and privacy advocates converge at Black Hat and Defcon to share the results of some shocking research.

Black Hat has already made headlines with the recent death of presenter Barnaby Jack, a hacker who was most famous for making an ATM machine spit out money, and the highly anticipated keynote speech, which will be given by National Security Agency director Keith Alexander.

Defcon's founder Jeff Moss made waves when he wrote a blog post asking the Feds to stay home this year, in light of the revelation that data was secretly gathered by the government from telecommunications and Internet companies.

But shrouded beneath the headlines is a multitude of unnerving hacks that threaten everything from cars, to spying TVs, to medical devices. Here are five of the scariest security threats presented at this year's hacker conferences.

Hacking humans

Before his death, Barnaby Jack was scheduled to give a presentation on the vulnerabilities of implanted medical devices. Anything from pacemakers to surgery schedules are at risk, and cybersecurity experts believe the medical community needs a wake-up call.

"His was going to be an amazing talk around, really, the state of the medical side of the field and all of the devices we're bringing in that are electronic, that are networked," David Kennedy, founder of information security firm TrustedSec and friend of Jack's, told CBSNews.com.

"If you think about it, when we go to a hospital all of that stuff is connected together. If a an attacker can get into that, manipulate and change it, they can actually cause deaths. They can cause other symptoms, things like that. They can replace medical records, they can have you have a different operation."

Surveillance TVs

A presentation by iSEC Partners will demonstrate how a malicious attacker can hijack the front-facing camera or microphone of a Samsung Smart TV and turn it into a surveillance device. Researchers Aaron Grattafiori and Josh Yavor will also reveal the fixes that Samsung has made, and talk about what other Smart TV makers should focus on.

Cars gone wild

At Defcon, IOActive's director of security intelligence Chris Valasek and Twitter security engineer Charlie Miller will release details of how they were able to reverse engineer the software of the Ford Escape and Toyota Prius. Demonstrated recently to Forbes, the researchers were able to use their laptops to kill power steering, spoof the car's GPS system and adjust the speedometer.

Power grids and water plants at risk

Trend Micro threat researcher Kyle Wilhoit is presenting a trap called an industrial control systems (ICS) honeypot that is set up to spy on and profile nefarious cyberattackers. His findings reveal that our critical infrastructure is not only vulnerable to attacks, but has already been targeted.

"The power grid is said to be inherently insecure, and there are confirmations of that. And also water plants are statistically insecure, primarily because there's not a lot of governing factors that come into place on municipal water supplies," Wilhoit told CBSNews.com. "Likewise on the power grid, they're using archaic technology that was deployed when power generation was the primary concern and not necessarily security."

Hacked by an iPhone charger

Georgia Tech Information Security Center researchers will reveal how they were able to hack into an iPhone using its charger at a Black Hat briefing on Wednesday.

"We were able to successfully publish a malicious app and use it to remotely launch attacks on a controlled group of devices," Georgia Tech research scientists Tielei Wang said in a statement. "Our research shows that despite running inside the iOS sandbox, a Jekyll-based app can successfully perform many malicious tasks, such as posting tweets, taking photos, sending email and SMS, and even attacking other apps -- all without the user's knowledge."

The researchers say they notified Apple of their findings and the company has made strides to fix the issues.

Black Hat is currently underway, with presentations starting Wednesday. Defcon starts on Thursday. 

Editor's note: This article originally stated that Charlie Miller and Chris Valasek worked at iSEC. It has been corrected to reflect that Valasek is IOActive's director of security intelligence and Miller is a security engineer at Twitter.

Comments