Black Hat 2019: The Craziest, Most Terrifying Things We Saw

Black Hat is over for another year, but we'll be thinking of the fascinating and terrifying things we heard and saw for years to come.

By Neil J. Rubenking
& Max Eddy
August 9, 2019

The Las Vegas sun has set on another Black Hat, and the myriad of hacks, attacks, and vulnerabilities it brings. We had high expectations this year, and were not disappointed. We were even occasionally surprised. Here are all the great and terrifying things we saw.

Jeff Moss' Shoes

The real star of the opening ceremonies was Black Hat founder Jeff Moss' shimmering shoes. Also known as Dark Tangent, Moss sported a pair of sparkling, glimmering sneakers; his "sparkly shoes," as he said onstage. "If the lasers hit me just right, I may be able to blind one or two of you."

Phony Phones

These phones look great, but they're actually low-cost fakes from China. Each costs about $50, and comes preloaded with malware for no extra charge! The bogus iPhone is particularly impressive. It runs a highly modified version of Android that's a dead ringer for iOS. It even has a carefully made fake compass app, albeit one that always points up. Thanks to Afilias for showing us these weird devices.

Missiles for Malware

Security researcher Mikko Hypponen pondered the consequences of cyberwar becoming an actual shooting war in his presentation at Black Hat. It's an important issue in this age of state-sponsored hackers and Russian election meddling. He also presented audiences with the best way to describe the job of a security expert: "What we do is like Tetris. When you're successful it disappears. When you screw up it piles up."

Spreading in Software

How many ways can malicious software infect other code? Let us count the ways! No, really, count them. That's what some researchers did. They expected to find a handful of ways, but instead came up with 20-plus variations.

Don't Rely Too Much on GPS

GPS is great; it helps you get where you need to go and you don't have to keep a musty atlas in your car anymore. But Global Navigation Satellite Systems (GNSS) like GPS are easily spoofed, and that's a problem if you're designing an autonomous vehicle that relies too heavily on GNSS. In this Black Hat talk, we saw what kind of scary, wonky things happen to a driverless car when you mess with navigation signals.

A Spectre of Spectre With SwapGS

Remember Spectre and Meltdown? These were the big scary vulnerabilities researchers found in CPUs some years ago that grabbed headlines for weeks. Now, Bitdefender researchers have found a similar vulnerability in all modern Intel chips.

An Industry of Self-Importance

GoSecure researcher Masarah Paquet-Clouston at Black Hat 2019
Ever get jealous about your friend who inexplicably has thousands more followers on Instagram? Don't be, because they probably bought them. But where do those phony followers come from, and who are they, really? That's the question GoSecure researchers Masarah Paquet-Clouston (pictured) and Olivier Bilodeau tried to answer in their Black Hat talk. They uncovered an enormous ecosystem of resellers and middlemen built on a backbone of bogus IP addresses and IoT devices infected with malware. Those bogus likes can't be worth all that.

5G Is (Mostly) Secure

5G is really cool and really fast and it's basically going to solve all our problems forever, including some nasty security flaws that have persisted in wireless standards. However, researchers found some unique quirks in 5G that allowed them to identify devices, throttle their internet speed, and drain the battery of IoT devices.

Pwned by Text

Every now and again you'll see a story about a security company or a government that has a super-secret iPhone vulnerability it's using for some such nefarious activity. One Google security researcher wondered if such things could really exist, and found 10 bugs in the process. In the end, she and her colleague were able to extract files and partially seize control of an iPhone just by sending it text messages.

The Great Boeing 787 Hack Fight of 2019

Black Hat presenters don't always have the cozy relationship with the companies and organizations they investigate, a point driven home this year when Ruben Santamarta unveiled his potential attacks on the Boeing 787 network. He believes it's possible to reach sensitive systems through a variety of entry points, but Boeing says it's all bogus. It's hard to say who to believe in this tale, but Max Eddy points out that Santamarta has fully shown his work.

Cult of the Dead Cow

Who would write a book about guys who were famous 20 years ago? Joe Menn, journalist and author, that's who. His book is titled Cult of the Dead Cow: How the Original Hacking Supergroup Might Just Save the World. The group used to be semi-anonymous, going by handles like Deth Veggie, Dildog, and Mudge. With the release of the book, they spoke at Black Hat under their real names for the first time. Neil hasn't read it yet, but the group certainly rocked this Black Hat; he encountered them three days in a row.

Tuesday night he jumped into a cab with the group in front of him, which turned out to be Deth Veggie and the gang. Wednesday Neil got pulled into an invite-only lunch panel featuring Deth Veggie, author Joe Menn, Dug Song of Duo Security, and Heather Adkins, currently Google's senior director of security, among others. Joe interviewed Mudge, Dildog, and Deth Veggie, and there was much rejoicing.

A cavalcade of brilliant hackers have passed through this group. Most are currently employed with security companies or government agencies. One is even running for president. Neil looks forward to reading the history of this inspiring bunch of hacktivists.

Detecting Deepfakes With Mouthnet

No one has used a deepfake video to try and sway public opinion. We think. But Matt Price and Mark Price (no relation) think that it could happen at any time. That's why they set out to examine how deepfakes are made, how they can be detected, and how to detect them better. On that last point, they created a tool that looks at the mouths to try and ferret out fakes. It worked a little better than 50 percent of the time, which hopefully bodes well for the future.

If Mouthnet won't save us, though, maybe the mice can! Researchers are looking at how trained mice discern different speech patterns. Their little brains might hold the key to detecting deepfake videos, hopefully before a carefully released phony video causes some real damage.

Russian Intelligence Is at War With Itself

When we talk about Russian election interference or Russian troll farms, we assume that the intelligence agencies of Mother Russia are in lockstep and acting as part of a single, cunning plan. According to one researcher, that couldn't be further from the truth. Rather, Russia has an alphabet soup of intelligence agencies, jostling for resources and prestige, and completely willing to play dirty to get ahead. Sometimes, the consequences are dire.

Weaponizing the Internet

In a session about the Russian Dark Web, researchers examined how recent Russian laws are making it harder to police activity within that country. Russia is now building a kind of internal internet, designed to function even when cut off from the international web. This has the "unintended" consequence of making it much harder to get at Russian sites that carry out illegal activity.

Who Watches the Pre-Installed Apps?

Nobody likes bloatware, but who makes sure that preinstalled apps aren't wolves wrapped in wooly disguises? The answer is Google. Senior Security Engineer Maddie Stone described the challenges of identifying malicious apps among preinstalled apps. One problem: preinstalled apps have higher privileges and weird behaviors by virtue of being preinstalled, which makes finding the dangerous ones extra hard.

Get the Penthouse With a Hacked Bluetooth Key

Bluetooth-enabled locks you open with an app have got to be more secure than boring metal pins and tumblers, right? Not at Black Hat. With a little know-how and some low-cost hardware, two researchers were able to open doors and extract all kinds of useful information. Maybe we should just stick with skeleton keys.

Even Chinese Hackers Need Side Gigs

Let's say you're a hacker, and you're making pretty good money working for your local government. What's to stop you from moonlighting, and earning a little extra money by, say, infiltrating the supply chain for video game developers? Apparently nothing, if FireEye's research is to be believed. Considering that the hackers in question work for the Chinese government, it's a bit surprising to see the group enriching themselves on the side. This might be the first security research that got a hacker in trouble with their boss.
