Editorial – The FNG goes to DEFCON 25

Posted on Oct. 08, 2017, under Editorial/Opinion, Hacking in the News, Miscellaneous, Site News

Defcon 25 Title Image

Yes, it’s faded. I took this pic from a projection standing about 50ft away.

Good fortune has smiled upon me. My company offered to send me to DEFCON 25, flight and hotel paid. In this article, I’ll talk about DEFCON 25, the sights, the sounds, and my experiences as a hardware geek gone to the world-renowned hacker mecca. If you have ever wanted to go to DEFCON but aren’t quite sure what to expect, I have provided a summary of the trip as well as an important “FNG TIPS” list of things you want to be aware of before you leave.

History (well, my history anyways…)

Many years ago, when I was neck deep in learning about computers, Linux, and hardware in general, I was engaged with a sadly now dormant computer group in San Antonio.  During that time, my interest in hardware and computers came into being with force and I made lots of connections with new friends, employers, and had valuable experiences that I still treasure.  In the time I was with the computer group, I heard of this thing called DEFCON which was described as the worldwide hacker conference and that anyone that was even remotely interested in computer security, hardware, or other related things should attend DEFCON at least once in their life.  Since then, I had always been interested in going, but I never had the money to do so.    It has always been an item on the ethereal “bucket list” of things to do before I die.

Roll the dice, spin the wheel…

Around the beginning of this year, I changed employment. Amidst the typical “FNG” (F*ckin New Guy) stuff like learning the new job and integrating with the group I was assigned, I started hearing rumors that the company was sending select people to DEFCON. I had never heard of a company sponsoring a trip like this for anyone before, so for me this was new territory. DEFCON was not related to our company’s product outside of Internet access (we’re not an ISP), so it seemed a bit unusual that the company would just offer to send people. As the con grew closer, my supervisor made an announcement to let them know by the end of the day if there was interest in going to Vegas. I figured that the worst I’d get was a solid and stern “No”, so I gambled and told the supervisor an hour later that I was very interested. I got a moment to tell them briefly about the computer club, this website, and my interests in hardware and that going to DEFCON would really mean something to me.

The next day, my supervisor came into my office and closed the door, then their face lit up and excitedly proclaimed, “Pack your bags! You’re going to DEFCON!”

Caesar’s Palace

Danger Will Robinson! Danger!

Once I got the confirmation that I was going and itineraries and reservations were set, I talked to our company’s security officer.  They informed me that it was critically important to consider many of the modern conveniences as hostile.  Bear in mind, when you go to DEFCON, you are truly walking into the lion’s den.  By its very nature, DEFCON is a collection of the entire spectrum of people in the computer/IT field.  You have people from all walks of computer life, from the most professional engineers, to the complete n00bs.  You have people that are professional hackers, to people that will hack into systems just for the lulz.  You have white hat hackers (the good hackers that disclose vulnerabilities and generally try to fix things) and you have black hat hackers (the people that try to break things, or break into things).  As such, when you go to DEFCON, you have to prepare for it.

The Security Officer issued me a “burner phone” and a “burner laptop”, both of which would be low-level reformatted when I got back to ensure that I hadn’t picked up anything from attending. If you decide to go to DEFCON, you will want to pick up a cheap pre-paid phone for keeping in touch with people. The laptop was more for if I needed to get online while I was there, with the caveat that I would not be able to use (or trust) WiFi Internet, anywhere in Las Vegas. I even went so far as to spin up an AWS VPN instance in California for the explicit purpose of securing my communications while at DEFCON. They also went through and gave me a list of other items I needed to be aware of while in Vegas:

FNG Tips

  • When planning to go to DEFCON, be aware that the entire event is predominantly cash.  Cash is King!
  • If you choose to disregard the above, you won’t be able to get in, because admission badges are sold for cash only.
  • Vendors may or may not accept credit.  Vendors will always accept cash.
  • If you must travel with a credit card, get one that does not have the NFC symbol on it. (It looks like the Wi-Fi symbol, but on its side.)
  • Don’t trust ANY Wi-Fi access points.  You can never know when you’re being pineappled.
  • Bring a phone that isn’t associated with your “normal” life, and make sure to select a plan and phone that offers USB tethering.  It’s called a “burner” because you must factory reset (“burn”) it when you get back.
  • Bring a computer that you can reformat when you come back home.  A Mac or Linux laptop will be your best bet.  Don’t bring a Windows machine.  Just… don’t.  This machine is also your “burner” computer.  It too must be reformatted when you get home.
  • Build an AWS VPN in Ten Minutes with this tutorial. You will want to use the N. California region since it’s closest to Vegas. Install OpenVPN on your laptop and USB tether your phone to test it.
  • You want to use some method of secured messaging.  I highly recommend setting up Signal before you leave as it supports encryption and vetting of people you contact to ensure your messages stay private.  Signal is available for iOS and Android.

The Security Officer explained that while it was highly unlikely that I’d be compromised, the possibility of compromise is something that must be understood and guarded against. The burner phone by itself might not be able to defend against someone deciding to spoof an entire 4G cell site tower, but phone + VPN would minimize that threat.  Keeping my wits about me and maintaining a good security posture would serve to be my best defense.

The below image is the “infamous” Wall of Sheep.  In the Wireless Village, people have set up devices that listen to wifi networks looking for anything that resembles user credentials.  If the listener detects something, the username/email address and the first few letters of the password are printed on the screen.  This is to drive home the point that just because the wireless is encrypted, it doesn’t necessarily mean that your communication is.  This is also meant to drive the point home that if you’re not using secure protocols for your services, you really need to.

The infamous wall of sheep
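
The point the Wall of Sheep makes, as an added example that is not part of the original post: a defender-side audit that flags logins sent in cleartext application protocols and masks the password the way the display does. The sample payloads, host names and credentials are constructed, and the function names are hypothetical.

```python
import base64
import re

# Patterns for logins that travel as plain text inside the application
# payload, regardless of whether the Wi-Fi link itself is encrypted.
BASIC_RE = re.compile(rb"^Authorization:\s*Basic\s+([A-Za-z0-9+/=]+)\s*$",
                      re.I | re.M)
USER_RE = re.compile(rb"^USER\s+(\S+)\s*$", re.I | re.M)   # FTP / POP3
PASS_RE = re.compile(rb"^PASS\s+(\S+)\s*$", re.I | re.M)


def mask(secret: str, keep: int = 3) -> str:
    """Keep the first few characters, star out the rest."""
    return secret[:keep] + "*" * max(len(secret) - keep, 0)


def find_cleartext_logins(payload: bytes) -> list:
    """Return (protocol, user, masked_password) for each login in a payload."""
    hits = []
    for m in BASIC_RE.finditer(payload):
        try:
            decoded = base64.b64decode(m.group(1), validate=True).decode()
        except ValueError:          # bad base64 or not UTF-8: not a login
            continue
        user, sep, password = decoded.partition(":")
        if sep:
            hits.append(("http-basic", user, mask(password)))
    for user, password in zip(USER_RE.findall(payload),
                              PASS_RE.findall(payload)):
        hits.append(("user/pass", user.decode(errors="replace"),
                     mask(password.decode(errors="replace"))))
    return hits


# Constructed sample payloads (no real hosts or accounts).
HTTP_BASIC = (b"GET /status HTTP/1.1\r\nHost: printer.example\r\n"
              b"Authorization: Basic "
              + base64.b64encode(b"alice:hunter2-example") + b"\r\n\r\n")
POP3 = b"USER bob\r\nPASS correct-horse\r\n"
# The same kind of request inside TLS is opaque record bytes to a listener.
TLS_RECORD = bytes.fromhex("1703030020") + bytes(range(32))

if __name__ == "__main__":
    for name, payload in (("http", HTTP_BASIC), ("pop3", POP3),
                          ("tls", TLS_RECORD)):
        print(name, find_cleartext_logins(payload))
```

Only the TLS-wrapped payload yields no findings, which is why the VPN and secure-protocol advice above matters more than the Wi-Fi passphrase.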

But, enough of the scary prep stuff…

Day 0 (Arrival)

After a rather uneventful flight, I arrived at Las Vegas Airport. Just as the rumors had foretold, there were slot machines awaiting right off the gate. Unfortunately, I had a late night flight, so I proceeded straight to baggage claim and got my luggage. Pretty uneventful. Mind you, I had never been to Vegas before so once the plane touched down, everything was a new experience. I was wanting to see the main drag of Vegas, the “Strip”, but unfortunately, the cards were not in my favor. I met a taxi driver from outside the terminal and he took me straight to the hotel. During the drive, I saw the large Ferris wheel, called The High Roller, which was right next to the hotel. Check-in was generally uneventful, and I was on my way with room key in hand to meet my roommate (company scheduled double occupancy, I didn’t pay so I didn’t mind). I came into bed, crashed out and thusly ended day 0.

The Linq at Las Vegas

Day 1 (Pre-Start Start)

My roommate woke me up at 6:00AM and we walked across the street to Caesar’s Palace. We walked for what felt like miles where we were met with one of the longest single-file lines I have ever seen. (Seriously, I’ve been to Comic-Con. The line for Chuck Norris photo ops was tiny compared to this.) We were in place about 6:30, and even though the line moved at a decent clip, it was still about 8:30 before we got out. Right after getting our badges ($260 remember, we paid cash!), we made a beeline for the swag room. The room in and of itself was rather impressive, brandishing several different varieties of apparel and items branded with DEFCON or DEFCON 25 logos and other items. I made out with a handful of shirts and knick-knacks, including two shotglasses and pins. After that, my roommate and I parted ways and I proceeded to a couple of talks, then moseyed about.

One of the conferences I attended was talking about web-based vulnerabilities in travel devices and proved how one simple unfiltered input can result in the complete pwn/compromise/destruction of a device. The researcher presenting this topic found this vulnerability by fuzzing the admin UI of a travel router and found that an unfiltered semicolon resulted in a remote code execution vulnerability. This vulnerability was then turned into access elevation by using busybox to start a telnet server with full root privileges. After that, it was game over as the researcher was able to make the telnet daemon persist across reboots, and then ultimately led to the device’s demise. The researcher mentioned something about U-Boot parameters and I instantly perked up as my work with the Seagate Dockstar had given me an insight into how U-Boot works. By reading the console text in his presentation, I determined that he had blown the firmware boot parameters away and that’s what made the device unrecoverable (unless he wanted to reflash it).

vulnerable travel routers
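
The class of bug described in the talk, as an added example (not the researcher's code or any real router's firmware): a hypothetical admin-UI diagnostic handler that concatenates a form field into a shell command, next to a hardened version. `echo probing` stands in for the real network tool so the block runs offline; all names are assumptions.

```python
import ipaddress
import re
import subprocess

# Stand-in for the diagnostic binary a router UI would call (assumption).
TOOL_ARGV = ["echo", "probing"]

# One DNS label: alphanumeric at both ends, hyphens only in the middle.
LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
HOSTNAME_RE = re.compile(LABEL + r"(?:\." + LABEL + r")*")


def diag_vulnerable(host: str) -> str:
    """The bug: the form field is pasted into a shell command line."""
    cmd = " ".join(TOOL_ARGV) + " " + host
    # shell=True hands the whole string to /bin/sh, so a ';' in the field
    # ends the intended command and starts one chosen by the client.
    return subprocess.run(cmd, shell=True, capture_output=True,
                          text=True).stdout


def validate_host(host: str) -> str:
    """Allow-list: an IP literal or a plain DNS name, nothing else."""
    try:
        return str(ipaddress.ip_address(host))
    except ValueError:
        pass
    if len(host) <= 253 and HOSTNAME_RE.fullmatch(host):
        return host
    raise ValueError(f"rejected host field: {host!r}")


def diag_hardened(host: str) -> str:
    """Validate first, then pass arguments as a list with no shell."""
    argv = TOOL_ARGV + [validate_host(host)]
    # Without a shell the field is one argv entry; metacharacters are
    # data, and the allow-list also blocks values that start with '-'.
    return subprocess.run(argv, capture_output=True, text=True).stdout


# Constructed input: a documentation-range address plus a harmless marker.
FIELD_WITH_SEMICOLON = "192.0.2.7; echo INJECTED"

if __name__ == "__main__":
    print(diag_vulnerable(FIELD_WITH_SEMICOLON).splitlines())
    print(diag_hardened("192.0.2.7").splitlines())
    try:
        diag_hardened(FIELD_WITH_SEMICOLON)
    except ValueError as err:
        print(err)
```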

In the late afternoon, I decided to do something about dinner and it was here that things started to get interesting. One of my coworkers flagged me down and asked about dinner plans (well more like told me to come with him to dinner, truth be told.) and before I know it, we’re on our way to a park somewhere in Las Vegas. It ends up that my coworker had met up with an Amateur Radio group and they were going to go to the park for some DXing, BBQ and hanging out. While not officially sanctioned by DEFCON, I felt safe enough with my coworker so off we went. We ended up travelling out to a park that was close to the airport, which would come in handy. First it was my coworker and I hanging around a pavilion, and people started trickling in, until finally we’re sitting at least 60 deep of HAM geeks just kicking back, drinking beer, and BBQing. One of the HAM guys came out to make a presentation on SDR (software defined radio) and tracking the ADS-B beacons from the planes nearby using a Raspberry Pi, an SDR USB dongle, and an antenna. The afternoon progressed well into late night, and we found our way back to the hotel to close out Day 1.

PiAware in the wild

PiAware SDR

Day 2 (Let’s get it on!)

After successfully surviving my first day at DEFCON and the incandescent rage of the evil day star (it’s bloody hell hot in Las Vegas!) I figured I had things somewhat figured out.  I knew how to get to the Con, and I could get to my hotel.  I had a conference at 10AM for DEFCON 101, and since this was my first time at DEFCON, I felt it was necessary to attend.  (I recommend that you attend this on your first DEFCON, it provides a lot of details and information regarding the history and operation of DEFCON.)  After the conference was over, I hightailed it over to the vendors area.

The vendors area was an absolute madhouse and it was very cramped, but at the same time it was very thrilling.  While walking around, I came across the HackerBoxes booth where I scored a DEFCON special, Hackerbox 0020.  This was a kit that had to be assembled and I wasn’t sure how I was going to assemble it.  I continued undaunted through the crowd and also picked up a Hak5 Wifi Pineapple Elite kit and a HackRF SDR from Great Scott Gadgets.  Good news, new toys.  Bad news, no way to assemble it.  I kept wandering about and ultimately made my way to the “Hardware Village”.  My excitement when I came through and got the lay of the land was palpable.  I had found my people.   Imagine a large auditorium with several booths along the outside perimeter wall, and at least half the floor space set up with long tables with soldering stations set up.  Each place had solder, a good soldering iron, several tools, and things to practice soldering on.   I found one area that was being sponsored by the Syn Shop, a Las Vegas Hackerspace.  They were kind enough to allow me to sit down and solder my badge.  These people were awesome, and I considered myself fortunate to have met them.    I ended up spending way too long there (well, not really too long as I was having fun) and helped several others with soldering a rather tricky surface-mount wireless module.  At one point, I had to dual-wield soldering irons, just to ensure the chip mounted appropriately.

SynShop – Las Vegas

After I had left, I decided to make my way to the Casino and toss a few dollars (literally, maybe $3) into a slot machine.  I have deduced that via applied testing, I am a poor gambler.

I suck at gambling

Later on, the DEFCON Night-life came into full force. The main forward conference room was cleared out and the room was playing some hardcore dance music. I spent a couple of hours there and then found the Drunken Hacker Karaoke on the way out. The Karaoke singers were quite lubricated with various spirits and while they were bad (in the funny sense), they were having lots of fun with it and the atmosphere was generally jovial. If you’ve never heard a skinny Asian kid sing Eye of the Tiger, you haven’t really lived. (He was hamming it up.)

Day 3 (Hack all the things!)

Day 3, I attended a couple more talks, and set out to mosey about and start investigating the various villages.  After my previous encounter with the Hardware Village, I wanted to see what else was out there.  I managed to make my way from the conference hall to the Lockpicking village and was able to hit that, the Car hacking village, and the IOT village all in the same ballroom.

I first encountered the Car Hacking village and was initially dumbfounded by what all I saw going on. I am not a car guy by any stretch of my imagination, however I’m not completely ignorant of the technology in the vehicles everyone takes for granted. The thing that stuck out to me was that lately, car manufacturers have been transitioning away from the single-computer (ECM) method of control and sensing to a different approach using CAN-BUS (Controller Area Network – BUS) where each sensor gets its own address and can talk to other sensors and to the controller ECM. This sounds cool, at first glance, however the Car Hacking village showed me the perils of such an “advancement”. One of the demo setups they had was a pegboard of all of the electronics in a vehicle (no actual engine) including a driver’s instrument cluster, power door locks, power window modules, gear shift (no transmission) and a wide array of actuators. The demo walked you through spoofing CAN-BUS messages on the network and in doing so, you could trigger alerts on the instrument cluster like ‘LOW BRAKE FLUID’, ‘SERVICE ENGINE SOON’, and could even unlock the vehicle.

Not to just be content showing a demo on a mockup, there were several actual vehicles on site that people could walk up to and plug into in order to do a practical real-world test of the security of the CAN-BUS. There was a Ford truck, a Tesla(!), and a Chevy SUV there that people were freely having their way with (short of starting the engine, because doing that in an enclosed space is less than ideal). They also had engineers from each of the companies that would encourage people to hack on the cars. I got a brief moment to ask one of them why they would do this; they told me that the best way to boost the security of their vehicles was to welcome the hacking community to hack them and learn about it. Lab simulations will only get you so far from a motivated individual with a laptop and everyone seemed to genuinely appreciate the opportunity to learn about the vulnerabilities in their vehicles. (To their chagrin, all the vehicles were hacked to some degree, even the darling Tesla was spoofed via an RF attack to unlock the doors when hit with an SDR instead of the transponder key.)

I left the Car Hacking village and checked out the Lockpick village.  I finally got a chance to burn in the lockpick set I had bought the day before and was somewhat successful. (Lockpick increased by +1).  There were others there that made more complex locks look like child’s play, but unfortunately I was unsuccessful in cracking anything beyond a basic master lock.

I walked into the IOT village and much like the other villages, they had a handful of devices like Alexa/Echo, Nest thermostats and Dropcams, Drobo NAS, Google Home, and a wide variety of other IOT devices available and associated to a wireless LAN.  They also had a large fleet of hackers with laptops that were hammering away at the devices trying to find various vulnerabilities.  I’d find out later that most of the devices presented were compromised or were able to be spoofed (the device thought it was receiving a legitimate command from the related service provider, but instead it was receiving a message from the hacker targeting it.)  There were people there that were attacking things over the network and over RF as I saw several people using HackRF units to try and spoof messages via Zigbee/Zwave trying to gain access to the IOT devices themselves.

Day 4 (Hanging out)

By Day 4, I had already seen all the things I wanted to see and at this point was just walking around.  I ended up spending the last day of DEFCON hanging out with a couple of really good friends I hadn’t seen in a while.  Being that my experience for that day wasn’t DEFCON specific, this entry will be short.

Day 5 (Off into the wild blue yonder… or were we?)

The final day, time to pack out. I had gathered all my newly gotten treasures and packed into my bag. I was somewhat concerned about getting through security, however my concerns were abated when I saw a guy in front of me who was carrying what appeared to be a highly directional wireless antenna that wouldn’t fit into his carry-on bag, and some other equipment. Of course, my backpack triggered an alert that required additional screening, but it wasn’t for the reasons I had initially guessed. The TSA agent that screened my bag was actually very patient and a pleasure to work with (ha, imagine having to write “TSA” and “pleasure” to describe an experience with them, but seriously I have found that most of them aren’t the blue-shirted gestapo that most people think they are). The reason the backpack got flagged was because of a metal spudger that came as a giveaway with the Hackerbox. Halfway through packing, I thought I had lost it and could not find it in my bag or the luggage. Well, the X-ray found it and of course they had to figure it out. The agent held it up and said that it looked like a boxcutter, but since it didn’t have any sharp edges and couldn’t be used to cut anyone, it was ok to keep. The agent didn’t think twice about the HAK5 kit, or the HackRF SDR, or the pile of random electronics bits I had. I put everything back in and headed to the gate.

Boarding was uneventful albeit packed and as we pulled away, I settled in to a nice flight home.  As we started taxiing to the runway, we noticed that the plane was turning around a bit too early.  It was about this time that the pilot came over the PA and said that we had to turn back to redistribute the weight on the aircraft given that the temperature was too hot to take off safely.  Apparently this is a somewhat common thing that happens in the Desert states.  We were fortunate that all that was needed was to redistribute some luggage and we were again on our way.  I found out later that several flights were delayed later because of the high heat so we were lucky to leave.

Post-Mortem

Despite all the (very justified) paranoia of going to DEFCON, and my limited experience with Las Vegas, I would not hesitate to go again.  It was a fantastic experience and if you’re even slightly computer inclined, you’ll find something that interests you, and you may find something new to explore during the event.  I would highly recommend attending at least once as it is a life changing experience.  You don’t need to be a gambler to find things to do at DEFCON and you don’t need to blow crazy amounts of money to have a great time.  That being said, you definitely want to take some precautions to ensure you’re guarded against potential attacks.  Remember, although DEFCON does welcome people of all paths to the events, not everyone there is on the good side and just like any public place, there are some that come to DEFCON with malicious intent.

Happy hacking!

FIRESTORM_v1