Black Hat and DEF CON 2022: Hacking tractors and satellites, and the cyberwar in Ukraine


The annual Black Hat cybersecurity conference and DEF CON hacking conference in Las Vegas celebrated their 25th anniversary this month. The conferences began in 1997.

To get a sense of how it went, we checked in with some attendees about the event.

“There was a real sense that we’re all in this together both because of the increasing challenge of the threats and that COVID has taught us not to take anything for granted,” said Bryson Bort, founder and CEO of cybersecurity company SCYTHE. 


Bort said the event was well attended, despite COVID concerns, and “there was a lot of excitement around having a real BH and DC conference since 2019.”

Trends at the conferences reflect what we see in today’s cybersecurity landscape, Bort said. 

The more complicated the tech stack, the larger the attack surface exposed to vulnerabilities. Chris Krebs, founding partner of Krebs Stamos Group, spoke about this in the keynote address, “Black Hat at 25: Where Do We Go from Here?”

The supply chain is at an increased security risk, and we’re due for another SolarWinds attack, Krebs said. “Companies that are shipping software products are shipping targets,” VentureBeat reported.

The federal government is a key part of cybersecurity. Bort pointed to Krebs’ talk, as well as talks by National Cyber Director Chris Inglis; CISA Director Jen Easterly; and Viktor Zhora, director of the State Service of Special Communications and Information Protection of Ukraine. 

Zhora’s visit was unannounced and painted a bleak picture, according to Brandon Vigliarolo of The Register. He said Ukraine had detected more than 1,600 “major cyber incidents” so far in 2022. Several huge incidents happened between March and April, Zhora said, including the discovery of “Industroyer2,” a successor to the Industroyer malware discovered in 2017.

Can we hack that? 

A highlight of DEF CON this year was the hacking of a John Deere tractor by the hacker known as Sick Codes. He hacked into the system and loaded the video game “Doom,” perhaps to let farmers play the game while harvesting?

Another presentation getting a lot of buzz is the hack and takeover of a SpaceX Starlink satellite by Lennert Wouters, a researcher at the KU Leuven University in Belgium. He created his own modchip and said he’d release the code and info on GitHub so that others can do the same.

Once he gained entry, he used the opportunity to send a tweet:

Bort said the presentation by Patrick Wardle, founder of Objective-See, was worth a mention. He demonstrated a weakness in Zoom on Macs in which hackers can enter through the Zoom macOS installer. Since the event, Zoom has released an update.

Conference frustrations

Our friend Chris Roberts, hacker and founder of the HillBilly Hit Squad and CISO at Boom Supersonic, offered his sarcastic takedown in a post on LinkedIn lamenting the advertising of solutions at the conference. 


“Cybersecurity Solved… Apparently if we just implement the products from these 3 companies we’ll solve all the problems we experience in our digital realm.

“One fixes human errors, I mean heck we’ve only been working at that for what, several thousand years? They’ve come along and fixed it all! Even fixing the folks that keep clicking things, or falling for those darn princes, dates, and gift cards… I mean how hard can it be to change thousands of years of ingrained behavior? Not too hard apparently!”

He went into detail about companies and their advertising in the post before he added this zinger:

“Oh, and in case you’re NOT convinced, about half the companies out in Las Vegas this past week offered you a prize for just listening, and handing over YOUR data/being scanned… so best case you get protected, worst case you get a free watch. (That’ll track you)”

Roberts discussed the human element of cybersecurity in a recent Fast Future podcast:

“It’s the human. So it’s not throwing more technology at the problem. It’s not saying, ‘Oh, I mean, you’re right, humans are a risk, well, then let’s change that. Now. Let’s turn them into our biggest asset.’ Because in security, I can’t have eyes everywhere all the time. And I can’t monitor it all the time, no matter what anybody says we can do. So why don’t I turn those risks into my resources? And I effectively train them, I effectively work with them, I continually help them. I give them assets that they can use not just in the office, where they can take home and help their kids understand about these things online. That they can basically help their parents, their grandparents, their family, if they’re on a farm, that they can go talk to hands out there and say, ‘Hey, what do you think about this? You’re doing this. Why?’ So you enable somebody to go from a risk to basically becoming an asset and an advocate for and you do it in such a positive way, everybody’s gonna get hit with spam. Well, rather than reprimanding you, when you turn say, ‘Hey, look, I just got this,’ ‘Oh you’re awesome. Hey, here’s a coffee card for Dutch Brothers, or here’s a coffee card for you know, whatever the coffee places in whatever state they’re in. Thank you for bringing that to my attention.’ Even if you get 100 of them. You know what, those frickin’ 100 coffee cards are a hell of a lot cheaper than doing an incident response.”

Hopefully, everyone had a safe and fun trip to Vegas this year and learned a little more about not getting hacked.