The Black Hat conference once again brought together the sharpest minds in cybersecurity, and this year’s briefings did not disappoint. Researchers took to the stage to expose vulnerabilities that affect everything from the computers on our desks to the technology in orbit. This year’s talks highlighted a few critical points of failure, revealing a more complex and interconnected web of threats than ever before.
Windows Hello biometric flaw
One of the more unsettling revelations came from researchers Tillmann Osswald and Dr. Baptiste David, who reportedly demonstrated a flaw in Windows Hello for Business. This isn’t the standard facial or fingerprint login you might use at home, but the more robust, enterprise-grade version. The researchers showed that with local administrator access, an attacker could bypass the biometric authentication entirely.
Their method involved manipulating the way Windows Hello stores and verifies biometric data. By gaining administrative privileges, a hacker could add their own biometric data – their own face or fingerprint – to the system’s database, effectively tricking the system into thinking they were the legitimate user. While Microsoft has pushed out a feature called Enhanced Sign-in Security to address this, the fix isn’t a silver bullet, as it’s not supported on all devices, leaving many organizations exposed to this clever spoofing attack.
Video call vulnerabilities
Shifting gears to something most of us use daily – video calls. Adam Crosser from Praetorian Security dropped a bombshell on how apps like Zoom and Microsoft Teams can become unwitting tunnels for attacks. These platforms punch through firewalls with ease, thanks to their need for smooth, real-time connections.
Crosser explained that hackers can grab auth credentials from a call and use a protocol called TURN (Traversal Using Relays around NAT, which these apps rely on to relay media through firewalls) to route sneaky traffic. His team built a proof-of-concept tool, TURNt, that masquerades as a legit meeting invite but downloads malware in the background.
Why these apps? They’re trusted and ubiquitous, often set up with split tunneling that lets call data bypass VPN scrutiny. Zoom acted fast, patching the issue right before the conference, but Teams hasn’t yet. Crosser, as reported by PCMag, suggested this opens doors for newbie researchers to dig deeper, but for everyday folks, it means double-checking invites and maybe avoiding clicks on unfamiliar meeting links.
Satellite software gaps
Now, let’s crank up the scale to orbital heights. Milenko Starcik and Andrzej Olchawa from VisionSpace Technologies revealed scary gaps in software running satellites and ground stations. They poked at popular systems like Yamcs, which are used by NASA and Airbus, and found five critical flaws that let them seize control.
In a demo, they altered a satellite’s orbit without the operator noticing on their screen. Then there’s OpenC3 Cosmos with seven bugs, including remote code execution, and NASA’s Core Flight System Aquila packing four doozies like denial-of-service crashes. Even the CryptoLib encryption tool, common in space tech, had seven issues, two severe enough to let fake messages reset keys or halt onboard systems, as highlighted by The Register. The duo, however, reported these issues, and the patches are already out.
AI agent prompt injections
Lastly, the rise of AI agents brought its own set of headaches, as Zenity researchers showed with their AgentFlayer attacks. These zero-click and one-click prompt injections let bad actors slip malicious instructions into popular setups like ChatGPT, Microsoft Copilot Studio, Cursor tied to Jira, Salesforce Einstein, Google Gemini, and even GitLab’s Duo.
Attackers could craft a document or email with hidden prompts that trick the AI into hunting for API keys in connected drives or CRMs, then leaking them out, all without the user lifting a finger. OpenAI and Microsoft rolled out fixes post-notification, but as CSO Online detailed, the natural language backbone of these agents makes foolproofing tough.
These Black Hat reveals pack a punch, showing vulnerabilities span from your desk to deep space. They push companies like Microsoft and Zoom to tighten up, while reminding us to stay vigilant – maybe enable that extra security layer or question that odd invite. In the end, events like this keep the good guys ahead, one disclosure at a time.
TechIssuesToday primarily focuses on publishing 'breaking' or 'exclusive' tech news. This means we are usually the first news website on the whole Internet to highlight the topics we cover daily. So far, our stories have been picked up by many mainstream technology publications like The Verge, MacRumors, Forbes, etc. To know more, head here.