Despite the rumors and fearmongering that takes place online about DEF CON — the world’s largest hacker convention — the overall experience and message my teammates and I walked away with was positive and democratic. The theme of this year’s DEF CON 27 was the “Promise of Technology.” A welcome message from the event’s founder, known as The Dark Tangent, reflected on the higher purpose of technology and how it might impact society. He wrote, “Transparent, auditable, and reproducible algorithms would be the norm, not the exception. Prediction algorithms would help enlighten us, not take us down dark rabbit holes and divide us.”
Nefarious Activity Still Abounds – But with Purpose
This doesn’t mean that potentially nefarious activity doesn’t occur at the conference. Without the hackers, rule breakers and those that ask “what if?” when it comes to technology, these vulnerabilities and bugs would likely never be discovered in the first place. There are “villages” spread throughout the conference centers that host live demos and hands-on learning opportunities related to lockpicking, car hacking, voting machine hacking, wireless device hacking and many others.
I spent some time in the lockpicking and lock bypass villages, learning about the inner workings of high-security locks and methods of bypassing physical security measures – sometimes with a simple piece of metal or a wire coat hanger. While I don’t plan on dismantling a stranger’s lock any time soon, the experience offered a way to engage in this nefarious “artform” from a learning perspective.
In the Biohacking Village, medical equipment manufacturers had assorted devices, from insulin pumps to ventilators and patient health monitors, on display for attendees to try and exploit — and they did.
The most elementary exploitation observed? Someone changed the password on the iPad used to interface with some of the equipment, preventing access by anyone – in the real world this would include doctors and other healthcare professionals. Surely this could be fixed in a few minutes, or by connecting another iPad, but in the health care world sometimes a few minutes can mean the difference between life and death.
Fortunately, visitors to the Biohacking Village were required to sign a version of the Hippocratic Oath specifically addressing connected medical devices, accompanied with instructions on what to do if a vulnerability is discovered. It provided a little bit of reassurance that issues discovered at the conference would likely be remedied, or at least brought to the public’s attention.
Hacking for the Greater Good
This idea of “hacking for the greater good” was echoed by former congresswoman Jane Harman and current congressmen James Langevin and Ted Lieu, who were guest speakers at DEF CON. Their goal at the conference was to recruit hackers and cybersecurity experts from across the country to speak up to their local, state and federal representatives to voice their concerns on cybersecurity issues and to offer themselves as subject matter experts when dealing with these complex issues.
Rep. Lieu also announced the ENCRYPT Act at DEF CON, which “preempts state and local government encryption laws to ensure a uniform, national policy for the interstate issue of encryption technology.” On a similar front, a panel discussion dealt with the topic of creating a way to help hackers anonymously submit bugs to the government.
What’s a Conference About Hacking Without a Good Scare?
Despite all the warm, fluffy feelings we began to develop surrounding the overall intent of the conference, my colleagues and fellow threat mitigation experts did have a bit of a scare. We turned off Bluetooth and Wi-Fi and updated all of our devices at home before we left in order to assuage potential hacking attempts from any number of the other 25,000 hackers in attendance. Although we originally planned on keeping our phones on Airplane mode while in the conference, eventually we browsed the internet, made calls, and sent messages like normal.
Suddenly, my colleague’s phone shut down and a light on the battery pack they were using went haywire. At that moment a wave of panic set in. They forgot to turn off the Bluetooth on their Apple Watch. Were they hacked!? Was this sense of security all a ruse? Did their cell phone automatically connect to some kind of device imitating a cell tower that was now installing malware on their phone and stealing all their personal data?! Is this battery pack more than a battery!?
Thankfully, the answer to all of those questions was no. For the last several hours, we had walked back and forth between venues in 105-degree heat causing their iPhone shut off because it was overheated. And the battery pack? They had accidentally turned on the emergency LED flashlight. Despite all the positivity that can come from hacking, we both still had a healthy awareness – if not fear – that it could happen to us if we weren’t careful.
Can You Ever Be Too Careful? – Apparently Not
All paranoia aside, one of the scariest pieces of research unveiled at DEF CON was related to the advice readily espoused online and during the event, which is to disable Bluetooth and Wi-Fi connectivity. Although we understood the privacy and security concerns associated with Wi-Fi, we didn’t quite grasp what was at stake when it came to Bluetooth, especially when it comes to speakers or headphones. What harm could be done?
Well, according to a presentation by PwC’s Cyber Security Research Lead Matt Wixey, many modern gadgets and devices possess vulnerabilities that would allow them to become localized acoustic cyber-weapons. During his presentation, Wixey said the repurposed devices could be used to cause permanent hearing damage, adverse psychological effects and even physical effects ranging from headaches to tinnitus, or worse to the person wearing them.
If the thought of Bluetooth hacking isn’t jarring enough, here are just a few of the other hacking highlights from the conference that stuck with me well after the final session.
- Hacking a police radar gun to make it appear that you are always traveling exactly the speed limit even when you are not doing so
- Exploiting license plate recognition databases, resulting in tens of thousands of dollars in illegitimate fines
- How cell phone location data makes its way from carriers to the black market
- How your IT managed service provider (MSP) may be your weakest link in cybersecurity
Perhaps the most interesting parts of DEF CON were the Skytalks. With the tagline and to the point instructions of, “No recording, no photographs, no bull****,” Skytalks are off the record so all we can say about information learned is that we attended sessions broadly focused on drop shipping, public utilities and cyberwarfare. These were extremely eye-opening, but since we can’t say anything about the presentations, we’ll share interesting podcast episodes about these topics in case you want to learn more.
- PLANET MONEY, Episode 724: Cat Scam, https://www.npr.org/sections/money/2016/09/14/493810206/episode-724-cat-scam
- REPLY ALL, #117 The World’s Most Expensive Free Watch, https://gimletmedia.com/shows/reply-all/dvhe3l
- DARKNET DIARIES #30 Shamoon, https://darknetdiaries.com/episode/30/
At the end of the day, the biggest takeaway from three days of hacking, cyberwarfare, physical security and social engineering discussions is to follow best practices, be aware of risks and vulnerabilities, and employ people who are curious and will continue to ask “what if?” when it comes to information security, IT security and physical security issues that relate to your business. When in doubt, our team is comprised of folks who ask that question every single day. Here at Hillard Heintze, one of our biggest steps in that direction was becoming ISO/IEC 27001:2013-certified, which helps us protect our clients’ sensitive information.