Internet-connected cameras, USB sticks and even a web browser promising anonymity have serious security flaws, according to researchers preparing to lay bare the dangers of online life at conferences in Las Vegas this week.Cyber security researchers from across the world will gather for the Black Hat and Def Con conferences, aiming to expose vulnerabilities in devices and software that people trust to fix the problems and try to make companies more careful when designing technology.
As the threat of cyber attacks rises, large companies worried about the effect of having customer data or intellectual property stolen are beginning to devote more of their IT budgets to security. Investment is flooding into cyber security start-ups, putting the experts who can discover flaws in high demand.
Often there is no way of knowing if these "proof-of-concept" hacks have been done by cyber criminals or what information they may have stolen. Some require sophisticated know-how, others are simpler than hacking into a laptop.
So-called "white hat" researchers — hackers who work to improve security — often inform the owner of the product or technology in advance of the talk at the event, giving them time to fix the problem.
One key talk has been cancelled by lawyers for Carnegie Mellon University where the speakers were based.
The researchers were funded by the US Department for Homeland Security. In a talk entitled You don’t have to be the NSA to break Tor: de-anonymising users on a budget, researchers Alexander Volynkin and Michael McCord were due to show how they could break into Tor, a browser that promises greater online privacy.
Josh Cannel, a senior researcher at Malwarebytes Labs, part of a cyber security company, said the fact that even Tor could be hacked showed there was no "perfect solution" to online privacy.
Talks that remain on the programme include a presentation on Dropcam, the internet-connected video camera, often used for home security or monitoring children. Dropcam was recently acquired by Nest, a division of Google. Researchers from Synack, a start-up run by two former National Security Agency analysts, found a way to tap the microphone, monitor audio and steal video from the device.
Unlike many of the hacks, it required physical access to the machine. Patrick Wardle and Colby Moore said people could easily buy hacked cameras online from eBay or Craigslist, or accept one as a gift, without realising they were being spied upon. Nest said: "It doesn’t compromise the security of Dropcam servers or the connections to them and to the best of our knowledge, no devices have been accessed and compromised remotely."
By Hannah Kuchler (BusinessDay Live)
