Even in the wake of this year's NSA revelations, a homemade surveillance device that sniffs out pieces of data from your various computing devices, even when they're not online, is disturbing.
Brendan O'Connor, who runs a security firm and is finishing a law degree, has created such a device, dubbed CreepyDOL (DOL stands for Distributed Object Locator; "Creepy" is self-explanatory). The device cost $57 to make and consists of a Raspberry Pi computer, a USB hub, two WiFi connections, an SD card and USB power inside a nondescript black case.
Computers and phones act as tracking devices and leak information constantly, according to O'Connor. When plugged in, CreepyDOL detects nearby phones and computers and uses them to track people's location and patterns, figuring out who they are, where they go and what they do online.
To demonstrate the device without breaking any laws, O'Connor showed his own information as sniffed out by one of the devices. Using a gaming engine and OpenStreetMap, he hovered over his dot on a map. It brought up his name, e-mail address, a photo, the dating website he used, details about his devices and the locations he visited in town.
In a worst-case scenario, as imagined by O'Connor, a miscreant could plug in one of the devices under any Starbucks near a capitol building to pick up the scent of a state senator and wait for them to do something compromising.
"You find somebody with power and exploit them," said O'Connor.
The creation is remarkable for how simple it is. It's likely others have similar knowledge and setups that exploit the same security flaws in applications, websites, devices and networks.
The most frightening targets highlighted at the conference were the opposite of personal.
Critical infrastructure, such as oil and gas pipelines or water treatment plants, is a potential target for hackers. Many industries are controlled with supervisory control and data acquisition, or SCADA, systems.
The systems are older, installed at a time when people weren't concerned about cyberattacks, and connect to the Internet over an unsecured network protocol.
The reason the systems are online in the first place is so that they're easier to monitor. Some, like oil pipelines, are often in remote locations.
Multiple demonstrations at the conferences showed just how simple it is to hack energy systems.
Researchers Brian Meixell and Eric Forner staged a mock hack of an oil well using pumps and a liquid container filled with teal liquid. They got into the system, turned the pumps on and off and overflowed the containers by feeding the system false data. If it happened on an actual oil well, the hack could result in an environmental catastrophe, according to the researchers.
It's possible to shut down an entire industrial facility from 40 miles away using a radio transmitter, according to researchers Carlos Penagos and Lucas Apa. They demonstrated injecting fake measurements, causing the device that received them to behave differently. For example, someone could trigger a water tank to overflow by faking an abnormally high temperature.
The industries and U.S. government are aware that industrial systems are vulnerable, but their remoteness and age make upgrading difficult and expensive. There is no built-in system for releasing software patches, like there is with personal computers.