The 14 Scariest Things We Saw at Black Hat 2022

Black Hat never fails to deliver exciting, enlightening, and distressing discussions about the state of cybersecurity. This is what we saw at Black Hat that impressed and worried us the most.


1. A Quarter Century of Hacking

The Black Hat security conference turned 25 this year, and the relentless passage of time was enough to scare some of our reporters. The conference marked the occasion by focusing its two keynote presentations on the future of security. Both were a bit grim, touching on the impact of an ongoing cyberwar in Ukraine, the rise of online disinformation, and the political turbulence following unfounded claims that the 2020 US election was fraudulent. 

Chris Krebs, former director of the Cybersecurity and Infrastructure Security Agency (CISA) ticked through many of the challenges facing the world of cybersecurity. His talk was a call for attendees and security companies to embrace a set of principles to help guide them in the turbulent times he saw ahead. 

In her keynote, journalist Kim Zetter described how many of the most shocking security stories of recent years—Stuxnet, the Colonial pipeline attack, and so on—were predictable and preceded by many warning signs. Of particular note was her description of how difficult it is to cover election security in an era when legitimate concerns and research are misappropriated as disinformation.


2. SMS Codes Flunk MFA

When password security isn’t enough, banks and sensitive websites turn to multi-factor authentication. But not all factors are equal. A Swedish research team demonstrated that sending an authentication code via a text message is inherently insecure. They identified a number of recent breaches involving a failure of two-factor authentication and went on to demonstrate hacking techniques. If a hacker has your login credentials and your phone number, text-based authentication won’t protect you.


3. Ghost in the Touch Screen

We know that a keylogger can steal the words we type, and a gimmicked USB drive can pretend to be a keyboard, inputting unwanted commands. Surely the touch-screen interface is more secure? Nope. An academic research team explained how they managed an attack that triggers touch-screen events from several centimeters away. If you set your device down on a table containing their hidden antennas, the attack can use its invisible finger to take control.


4. Cyber Harm Reduction

Not everything at Black Hat involves privacy gloom and security doom. One briefing exhorted security leaders to take a step back and change the way they handle risky security behaviors. If you just say “don’t do that,” some will do it anyway. You need to protect those people (and those around them) by reducing the negative consequences of their risky behavior. This harm-reduction philosophy has proven effective in medicine for years, for example providing clean needles rather than telling addicts “No drugs!” It can work in security too. 


5. Investigating WTF Just Happened

Another Black Hat briefing tackled a systemic issue in the cybersecurity field: the lack of a clear historical narrative regarding major cyber incidents. If organizations don’t take the time to investigate how cybersecurity incidents happen, they could be doomed to repeat history. That’s the problem a team of researchers sought to address by creating the Major Cyber Incident Investigations Playbook.

The document contains a guide for creating independent review boards at organizations, from deciding who should be on the board to presenting investigation results to interested parties. These groups would be tasked with gathering the facts about cybersecurity incidents, and then sharing that information with the wider cybersecurity community online. Currently, the document is available on GitHub.


6. Malware Searching for Job Searchers

At a different Black Hat briefing, two threat intelligence experts from PwC said global threat actors are taking advantage of “the great resignation” and targeting job seekers online with phishing links. The main offenders are groups from Iran and North Korea. The hackers create fake websites, job descriptions, job posts, and social media profiles to deliver malicious links and file attachments to their victims.

Do not click links in your emails or in LinkedIn messages you receive from strangers. That advice is doubly important when you’re on the job. Explaining to your manager that you infected the company network with malware because you opened a link about an amazing job opportunity at another company isn’t a great look.


7. Startups Shirk Security

A Black Hat briefing Thursday about ways to improve bug-bounty rewards offered a reminder of how fast-growing startups that don’t incorporate security into their early planning can wind up having to speedrun “infosec.”

Luta Security founder and CEO Katie Moussouris reminded attendees of how she discovered serious vulnerabilities in the Clubhouse app last year, then struggled to get the company’s attention: “It took me a couple of weeks even to find the right contact.” 

The company eventually did respond, at which point she learned that Clubhouse’s bug-bounty program was not only saddled with a non-disclosure-agreement requirement but was run by one of the co-founders in his probably nonexistent spare time. Noting that Clubhouse’s venture-capital funding valued it at about $4 billion, Moussouris griped: “They had fewer employees at that company than I have at my company!” Clubhouse did, however, finally fix those bugs.


8. Taking a Bite Out of Apple Security

Macs are way more secure than PCs, right? Everybody knows that. The layers of security keep growing with every update to macOS. However, not every component of the operating platform keeps up with those security upgrades.

One persistent researcher dug deep into macOS and came up with a process-injection attack that allowed him to bypass all those security layers. He demonstrated using this attack to escape the sandbox, escalate privileges, and get around the ever-vigilant System Integrity Protection system. The security hole is fixed in macOS Monterey and even back-ported to Big Sur and Catalina, but it won’t be totally closed until every app gets a simple tweak.


9. Wolf in ELAM’s Clothing

Microsoft is doing its best to make Windows more secure, but sometimes security efforts can backfire. The Early Launch Antimalware (ELAM) system lets security programs launch super-early in the boot process and protects them against tampering. There’s no way to fake an ELAM driver, as Microsoft must approve them, nor can you tweak or change existing drivers. But one very persistent researcher found a way in through existing approved drivers whose rules for which binaries they trust were too permissive. The result? A program that could not only enter the secure bunker provided by ELAM, but also shoot down the antivirus programs already residing there.


10. Bug Hunting Exposes Bug Hunters

Being a security bug hunter is an exciting life. You could earn a six-figure bounty for detecting and reporting a serious security flaw. You could also get sued or charged with a crime. Recent policy changes protect honest hackers, but they don’t address one particular problem. In gathering information to prove a reported bug, hunters often capture scads of personal information records. One bug hunter teamed up with a lawyer to engagingly present the problem and, if not a solution, a better direction.


11. Key Fobs Should Know Better

Recording and replaying radio signals is easily done with a laptop and the right equipment. That’s why car key fobs employ a rolling code system, where each button press sends a different signal. A pre-recorded signal shouldn’t be accepted. Researchers discovered that for some cars, however, playing multiple old signals can roll back the rolling code system and let an attacker unlock your car’s doors. Worse, the researchers discovered that there was no time limit for their attack, with old codes being accepted over 100 days after they were captured.
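The rollback behavior described above can be reproduced in a small model. What follows is an added example, not code from the talk or from any vehicle vendor. It assumes a KeeLoq-style receiver that accepts any code whose counter lies in a short window ahead of the last accepted value, and that "resynchronizes" when it sees two consecutive counters outside that window (a feature meant to recover a fob pressed many times out of range). Whether any particular car’s receiver behaves this way is an assumption of the model, as are the window size, the HMAC-based tag, and the names `Fob`, `Receiver`, and `run_scenario`. The example goes one step beyond the text by also showing a hardened receiver that refuses to move its counter backward while still allowing legitimate forward resync.

```python
import hashlib
import hmac


# Assumption: the fob sends (counter, tag), where tag authenticates the counter under
# a key shared with the car. Real fobs encrypt the counter instead; the acceptance
# policy, which is what rollback abuses, is the same either way.
def make_tag(key: bytes, counter: int) -> bytes:
    return hmac.new(key, counter.to_bytes(4, "big"), hashlib.sha256).digest()[:8]


class Fob:
    def __init__(self, key: bytes):
        self.key = key
        self.counter = 0

    def press(self) -> tuple:
        self.counter += 1
        return (self.counter, make_tag(self.key, self.counter))


class Receiver:
    def __init__(self, key: bytes, window: int = 16, allow_rollback: bool = True):
        self.key = key
        self.window = window                  # accept the next 16 presses
        self.allow_rollback = allow_rollback  # False = hardened variant
        self.last = 0                         # highest counter accepted so far
        self.pending = None                   # first counter of a candidate resync pair

    def receive(self, frame: tuple) -> bool:
        counter, tag = frame
        if not hmac.compare_digest(make_tag(self.key, counter), tag):
            return False  # forged or corrupted frame
        # Normal case: a fresh code just ahead of the last accepted one.
        if self.last < counter <= self.last + self.window:
            self.last, self.pending = counter, None
            return True
        # Out-of-window code: two consecutive ones trigger resynchronization.
        if self.pending is not None and counter == self.pending + 1:
            self.pending = None
            if counter > self.last or self.allow_rollback:
                self.last = counter  # vulnerable receivers also accept counter < last
                return True
            return False             # hardened: never move the counter backward
        self.pending = counter
        return False


def run_scenario(allow_rollback: bool) -> dict:
    key = b"constructed-demo-key"  # constructed for the example
    fob, car = Fob(key), Receiver(key, allow_rollback=allow_rollback)
    for _ in range(4):
        car.receive(fob.press())                  # counters 1..4
    captured = [fob.press(), fob.press()]         # attacker records counters 5 and 6
    for frame in captured:
        car.receive(frame)                        # the owner's presses still reach the car
    for _ in range(40):
        car.receive(fob.press())                  # weeks of normal use: counter reaches 46
    result = {
        "single_replay": car.receive(captured[0]),          # one stale code, as a naive replay
        "pair_replay": [car.receive(f) for f in captured],  # both captured codes, in order
    }
    result["counter_after_attack"] = car.last
    result["replay_again"] = [car.receive(f) for f in captured]
    # Legitimate resync must still work: the fob is pressed 100 times out of range.
    for _ in range(100):
        fob.press()
    result["legit_resync"] = [car.receive(fob.press()), car.receive(fob.press())]
    return result


if __name__ == "__main__":
    for mode in (True, False):
        print("allow_rollback=%s: %s" % (mode, run_scenario(mode)))
```

Against the vulnerable receiver, a single stale code is rejected as expected, but replaying the captured pair unlocks the car on the second frame and drags the receiver’s counter back from 46 to 6, so the same pair keeps working on every later attempt, and nothing in the model ties acceptance to elapsed time. The hardened receiver treats a resync pair whose counter is below the current one as an attack, yet still accepts the forward resync from a fob that was pressed out of range.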


12. Using Zoom IMs to Zoom Malware

Zoom and the pandemic go together like cookies and milk, or security researchers and decades-old technology. It turns out that Zoom’s instant messaging is built on XMPP, which one researcher figured out how to abuse in a number of ways. Spoof message sender? Easy. Intercept all messages to and from a target? Yawn. The real prize was using this attack to obtain remote code execution on a target’s computer.


13. Spoofing Tracking Devices

Keeping track of people and stuff is a breeze when you attach location-reporting tags to them. But can these systems be abused? Of course they can. Researchers showed how they were able to manipulate ultra wide-band real-time location systems (UWB RTLS) to trick disease contact tracing and industrial safety technologies.


14. Cyberwar in Ukraine

Russia’s invasion of Ukraine and ongoing war in the region was the subject of several Black Hat presentations. Researchers from ESET, a security company based in neighboring Slovakia, walked attendees through a timeline of attacks on Ukraine’s power grid. The most recent used the Industroyer2 malware that, if successful, could have knocked out power to 2 million residents. 

Interestingly, the Industroyer2 attack was paired with “wiper” malware to render infected machines unusable, slowing recovery efforts. Tom Hegel and Juan Andres Guerrero-Saade, both researchers from SentinelOne, pointed out that this is unusual, since deploying a wiper means the attacker gives up access to the infected machines. They analyzed the observable cyberattacks in Ukraine and stressed that it’s difficult to draw conclusions, since what’s detectable is likely only a small part of what’s actually happening.

Keep reading PCMag for all of our coverage of Black Hat 2022 and previous years as well.

Kim Key, Neil J. Rubenking, and Rob Pegoraro contributed to this story.
