DEF CON and Black Hat convey collectively hackers and safety professionals from everywhere in the world. Each August, they collect in Las Vegas for a slew of occasions, known as Hacker Summer season Camp.
We weren’t at this yr’s Hacker Summer season Camp, however we adopted the proceedings intently, and listed here are the tasks that stood out essentially the most for us:
(Evil)Doggie
Automobiles are computer systems on wheels, they usually have a bigger assault floor. In 2015, two safety researchers remotely hacked and managed a Jeep Cherokee with a Wired reporter in it, displaying the world that vehicles could possibly be hacked like different gadgets, and contributing to the push for automotive safety as a important a part of cybersecurity.
Doggie is an open supply and modular CAN bus-to-USB adapter, excellent for automotive safety hobbyists and professionals. It’s a Swiss Military knife software that gives CAN bus evaluation, sniffing, and injection for diagnostics and penetration testing. The modular design helps six completely different microcontroller and CAN transceiver configurations.
(Evil)Doggie (📷: Faraday Safety)
Octavio Gianatiempo and Gaston Aznarez of Faraday Safety offered an offensive safety model at Black Hat Arsenal Lab, affectionately nicknamed (Evil)Doggie. It employs energetic manipulation methods like spoofing and body injection to use vulnerabilities within the CAN bus. It’s cheaper than a Flipper Zero and has a “good-evil” change. What extra might you ask for?
nyanBOX
nyanBOX is an open supply gadget for testing and interacting with 2.4GHz and BLE networks. It’s constructed on an ESP32 WROOM32U microcontroller paired with three nRF24 modules and an OLED show.
nyanBOX (📷: Joseph Buhagiar)
Options embrace scanning, deauthentication, beacon spamming, and machine detection (Pwnagotchi, Flipper Zero, and different nyanBOX gadgets). The RPG-inspired leveling system provides customers expertise factors for utilizing the machine’s instruments and options. The rank is broadcast to different customers once they scan for close by gadgets.
It’s a fork of the nRFBOX challenge by CiferTech and is totally appropriate with the unique {hardware}. PCB recordsdata, schematics, and invoice of supplies are within the GitHub repository.
Invitation Is All You Want
“Invitation is all you want” affords a preview of what might go flawed when an LLM-powered utility is infiltrated.
Ben Nassi, Stav Cohen, and Or Yair, the authors of the analysis challenge, use a immediate injection exploit inside a Google Calendar invitation to poison Gemini’s context. They escalate this assault to manage good dwelling gadgets, open functions, and obtain recordsdata.
Whereas the affect of this challenge is comparatively minimal, it highlights the potential dangers of giving management to agentic AI. Since immediate injection is sure to be a recurring vulnerability of those techniques, one can think about the potential dangers if LLM-enabled functions are granted OS and hardware-level management.
This particular vulnerability has been mounted, and you may learn extra about it within the “Invitation Is All You Want” paper.
Promptfoo
Promptfoo is an open supply platform for evaluating and pink teaming LLM functions. It’s an rising software for the subsequent frontier of cybersecurity, and it claims to assist builders determine vulnerabilities resembling knowledge leaks, jailbreaks, and immediate injections, earlier than manufacturing. It helps automated pink teaming and efficiency analysis, and might be run domestically.
Immediate injection might stay a “whack-a-mole” scenario because of the very design of LLMs and LLM-enabled functions. In case you are constructing an LLM utility, Prompfoo could be helpful for security and reliability testing.
Quantum Sensor
2025 is the Worldwide Yr of Quantum Science and Know-how (IYQ), marking 100 years since Werner Heisenberg developed the idea of quantum mechanics. Though the quantum period appears a far-shot aim, quantum expertise is discovering utility in the present day.
DEFCON’s Quantum Village cofounders have created the primary absolutely open supply, hackable quantum sensor. The Uncut Gem challenge, which they dub quantum computing’s Apple II second, makes use of off-the-shelf elements and a nitrogen-vacancy (NV) Centre diamond with defects inside the lattice that allow particular quantum results.
The Uncut Gem Quantum Sensor (📷: Quantum VIllage)
Related sensors have been constructed by elite, well-funded labs, however that is the primary try at making a quantum sensor that anybody can hack and construct upon. It may be assembled for about $120 to $160, however the worth is anticipated to drop in future iterations.
The Uncut Gem sensor is not excellent, however it may be used to discover medical functions, GPS-jamming countermeasures, in addition to chip debugging with magnetometry. It was showcased as a part of the Quantum Village badge.
Glitch.IO
Fault injection assaults alter a tool’s voltage pulse to bypass protections and expose {hardware} secrets and techniques, with instruments just like the ChipWhisperer.
Glitch.IO is an affordable, highly effective glitcher that “goals to be a typical within the {hardware} hacker’s toolbox”. It consists of devoted glitching {hardware}, a software program framework for creating fault injection functions, and a “recipe” library for publicly-known assaults.
Safety Marketing consultant Ramiro Pareja-Veredas offered Glitch.IO on the Black Hat convention, utilizing a recipe to bypass the Raspberry Pi Pico 2’s fault injection countermeasure.
AI could be a brand new Wild West of digital safety and offense, however previous safety threats stay simply as related. What stood out to you at Hacker Summer season Village?
