Plaintext: Stories of Our Favorite Hacks
Welcome to Dark Reading in Plaintext, where each day we bring you insights around one topic important to cybersecurity professionals.
Tale as Old as Time…
More conferences returning to in-person events (Pwn2Own this week, Hack the Capitol earlier this month, and RSA Conference in two weeks) means one thing: storytime! When people meet for the first time, they talk about things they’ve done. Old friends and colleagues share war stories and laugh over old exploits. We like stories as much as anyone else, so here are some hacks that we remember.
What's This Thing? It is 2006. Steve Stasiukonis, vice-president and founder of Secure Network Technologies, wants to know what would happen if he scatters several USB drives around a credit union’s parking lot, smoking areas, and other areas where employees frequently congregate. This social engineering attack didn’t require any talking, bribes, or fancy tricks, just the fact that humans are innately curious. “The best part of the whole scheme was its convenience,” Stasiukonis wrote.
I Need a Soda. As hacking demonstrations go, the distinctive red Coca-Cola can makes quite an impression. Researchers from Ben-Gurion University used a “lightweight object with a shiny surface” – the aforementioned Coke can – to create an eavesdropping device capable of capturing audio conversations from up to 35 meters (114 feet) away. “Completely innocent devices” can serve as optical implants, university researcher Ben Nassi said at Black Hat Asia 2022.
Speed. I am Speed. For a while, car hacking meant an exciting demonstration from the hacking duo Charlie Miller and Chris Valasek. We watched Miller and Valasek, working from a laptop, bring the 2014 Jeep Cherokee that Wired reporter Andy Greenberg was driving on a St. Louis highway to a full stop. The eye-popping part? Miller and Valasek were some 10 miles away from the car. They followed up a year later to control the acceleration and turn the steering wheel on the same model Jeep. Carmakers paid attention to their activities, as did regulators.
It’s Drive Time! Miller and Valasek have moved on to newer areas of research, but other security researchers have stepped up their car hacking efforts, especially for connected cars. Then we have Stanislas Lejay, who decided to reverse engineer the computerized speed limiter in his twenty-plus-year-old sports car instead of mucking around on a newer car. “Communicating with your car and building your own tools for it is actually not that hard,” Lejay said.
That Airplane Needs Some Help. The last thing any of us wants to think about when sitting in a metal tube thousands of feet in the air is what kind of things a hacker would be able to do. IOActive’s Ruben Santamarta discovered he could access debug codes to an inflight entertainment system while on a flight from Warsaw to Dubai. An attack combining the various flaws could “create a baffling and disconcerting situation for passengers,” Santamarta said at the time.
On That Note?
We asked past Black Hat attendees to think about lessons learned from a specific security incident -- that of an attacker cracking water supply systems in a Florida city and changing settings to regulate the amount of lye in water.
Check out the rest of the 2021 Black Hat Attendee Survey and stay tuned for the 2022 report, coming soon!