Turn someone else's phone into an audio/video bug. Check.
Use Dropbox as a backdoor into corporate networks. Check.
Suck information out of pacemakers. Check.
The Black Hat conference convening in Las Vegas next week offers hacker tools for all of those plus more.
Intended to provide good-guy researchers with tools to test the security of networks and devices, the free tools distributed at the conference can also be used by the bad guys to break into networks, steal data and thwart defenses designed to expose malware halt attacks.
Over the course of two days white-hat hackers from consultancies, universities and vendors will present more than 100 briefings on vulnerabilities and exploits they have discovered, and in many cases releasing tools that would be useful to hackers.
Many of the specific exploits they expose in specific commercial products have been reported to the vendors and been patched already, but other tools can be more widely applied.
Here are some of the hacker tips promised as part of the Black Hat briefing agenda:
= A tool called BREACH will be released that pulls encrypted secrets from HTTPS streams. During the same session, speakers from Salesforce.com and Square will use BREACH to demonstrate an exploit against "a major enterprise product" that retrieves session identifiers, CSRF tokens, email addresses and the like in under 30 seconds from an HTTPS channel.
= An attack tool that its authors say can defeat commercial products designed to mitigate DDoS attacks will be made freely available. Proof that it works will be supplied by testing results against specific products as implemented on Web sites known to employ them. Bloodspear Research Group will present a new DDoS defense that thwarts BloodSpear's own attack tool.
= A tool to automate information gathering that can be used to make spear phishing messages more convincing by mimicking how individuals interact with others, with whom they interact and the vocabulary and phrasing they use. This tool from researchers at Trustwave's Spider Labs grabs the data from publicly available sites using both APIs and screen scraping. It then analyzes the data to show frequency of use of verbs, adjectives and nouns, average sentence length, hobbies, networks of friends and upcoming trips planned by target individuals.
= Bluebox will explain how to exploit a vulnerability that tricks the Android mobile operating system into accepting malicious applications hiding behind the signatures of legitimate, cryptographically-verified apps. While patches have been written to address the problem, deploying them depends largely on device manufacturers and service providers, so when and if they will be patched is up in the air.
= Michael Shaulov and Daniel Brodie of Lacoon Mobile Security will show how to bypass mobile malware-detection and mobile device management features such as encryption to install surveillance tools that gather text messages, email location information as well as hijack the phone to record what's being said in its vicinity.
Sign up for Computerworld eNewsletters.