DEF CON 21 Recap
Just over two weeks ago Las Vegas was filled with hackers, security researchers, hobbyists, and cultural enthusiasts. They were all there for DEF CON, the world’s largest hacking conference. Now that everyone has had the opportunity to recover, it seems like a good time to recap some of the more interesting talks and events at DEF CON 21.
In one of the most publicized talks this year, security researchers demonstrated how a compromisedfemtocell could be used for malicious purposes. During the talk, the researchers explained how they were able to root a Verizon femtocell and use it to intercept voice calls, SMS data, and even clone a phone remotely. There are two big takeaways here. First, while a Verizon device was used in the demonstration, the other major carriers likely have similar vulnerabilities. In any case, Verizon has already issued a patch to owners of affected products. Secondly, the researchers did not release any code or tools to enable others to conduct these attacks. So anyone who wants to try essentially has to recreate all of the research on their own device.
Another highly hyped talk at this year’s DEF CON detailed results of an automotive control unit compromise. These researchers showed what could happen if an attacker was able to take control of the computer in your car. Startling actions such as disabling the brakes, jerking the steering wheel, and shutting off the engine were possible, as well as more benign attacks such as honking the horn and flashing the lights. Vehicles from Ford and Toyota were used in the research, but other manufacturers likely have the same or similar vulnerabilities. While the attacks presented required physical access to the car’s control unit, there have been previous research and presentations focused on attacking automotive systems remotely. The tools and code developed by the researchers for these attacks were released at the conference.
Consumer Device Hacking
In a talk titled “Home Invasion 2.0”, presenters showed how many different network enabled home devices could be attacked and compromised.
While attacking consumer devices is not necessarily a new idea, it does embody the hacker spirit that DEF CON is all about. Devices discussed in this talk ranged from children’s toys, to home automation devices, to toilets (Japan).
The presenters executed a number of attacks, including authentication bypass, remote spying through webcams, and remote code execution. This presentation was one of the more entertaining that I attended, and I left feeling inspired to poke at some of the devices I have laying around.
Tamper Evident Village
DEF CON is no stranger to hacker villages, places were attendees can go to get hands-on time with various tools and techniques. You will typically see villages dedicated to lock picking, wireless communication, and hardware hacking, but for the first time, DEF CON had a tamper evident village. Attendees were able to see and practice bypassing many different types of tamper evident devices. For instance, one presentation explained that padlock seals, as shown in the following image, could be bypassed by cutting the metal shackle and using a combination of salt water and electric current to sufficiently rust the metal so it could be removed without damaging the plastic component. The shackle could then be replaced with a spare after the attack had been completed.
The Tamper Evident Village at DEF CON 21 showed how devices such as this could be defeated.
This village even had kits for purchase, containing several common tamper evident devices, so attendees could develop their skills at home.
In conclusion, even after 21 years, DEF CON remains a place where anyone who identifies with the word “hacker” can go to learn, play and be a part of hacker history.