How To Get Hacked At Defcon

The security experts, federal agents and various computer miscreants who arrived in droves at the Rio Hotel this past weekend didn’t come to Las Vegas to gamble. But in another sense, that’s exactly what they were doing there, whether they liked it or not.

Attending Defcon, one of the most pronounced hacker gatherings in the world, has frequently been likened to dropping yourself into a digital war zone. You wouldn’t know it from walking in though. Under the regal glow of casino lights, it appears a friendly gathering of brilliant, sometimes notorious, computer punks and mischief makers. But the second you boot up your laptop, cell phone or other device, you’d best be prepared for war.

Like sharpshooters waiting for hapless victims to wander into their crosshairs, some of the hacker elite at Defcon are ready and willing to steal your passwords, bank account information, passport IDs and whatever other data you’ve foolishly left unprotected, if you give them the chance. For example, just connect to the event’s public Wi-Fi network and bang — you’re deep in the Wild West of one’s and zero’s, smack dab in the middle of a merciless digital shoot-out.

It’s a frontier that even seasoned hackers know to be wary of, or outright avoid, because even when taking precautions, there are plenty of ways you can get hacked at DEFCON. Here are a few of our favorites from over the years:

In 2007, the United States joined other governments around the world in putting Radio-frequency identification chips (RFID) into passports. And while there’s plenty of debate over the morality and legality of using microchips to track citizens across national borders, the more pressing issue here is that RFID, in a word, sucks.

Using $250 worth of equipment, a hacker can intercept and copy data from the passive chips present on passports and other forms of identification. At Defcon 2009, that’s exactly what happened: An RFID reader, which requires a two to three foot distance from the chip, was said to have caught a few people off guard during the conference. Chris Paget, the “ethical hacker” who exposed the technology’s flaws, says that the range can theoretically be extended to half a mile.

There are a couple of ways to protect yourself, and none of them are good: You can either get a carrying case that has metallic shielding (though this might not work if the reader’s signal is strong enough) or destroy/disable the chip inside your passport (probably illegal, and could land you in jail). Either way, you should probably read up on RFID, as it’s sure to be a major point of contention in the privacy debates that will inevitably occur in the near future.

Staying off the Wi-Fi at Defcon is par for the course. But if you’re well and truly paranoid (and Defcon is the place where paranoia is vindicated), it’s probably best to shut off your phone too. Here, Chris Paget again shows his wizardry by demonstrating how calls made on GSM phones (AT&T, T-Mobile, etc) can be intercepted and re-routed by using software to spoof the signal of a GSM base station. That basically means that a hacker can trick all the GSM phones within range into thinking that their computer is a cell tower.

Even better: It can fly.

This year, both Defcon and its sister conference Black Hat were shown demonstrations of an aerial drone that can intercept calls from above. Loaded with 32 GB of storage for recording phone conversations and text messages, it can also break the encryptions of nearby Wi-Fi networks. Look out below.

At DEFCON 2009, someone thought it would be a good idea to put a fake ATM inside a building filled with a couple thousand security professionals. The machine had been placed in one of the casino’s surveillance blind spots and loaded with a PC programmed to steal bank account info instead of dispense cash. Needless to say, it wasn’t long before someone noticed and had the machine removed from the premises. No one admitted to getting fooled, but honestly, who would?

If you’re one of the makers of any number of Farmville cloned games, you may have had the dubious distinction of getting hacked by a little girl at this year’s Defcon, all without even having to walk through the door. The hacker named CyFi, a 10 year old computer security prodigy, unveiled her first ‘zero-day’ — a security flaw that is exploited before the software’s developers have even discovered it.

CyFi said she was “bored” with waiting long periods of time for crops and other items to grow in these games, so she thought to modify the system clock on her device. Most of these games can detect dramatic time changes to root out “cheating,” but she discovered that by disabling Wi-Fi and advancing time in small increments, the game would be unable to detect it. This was by no means a novel discovery (similar games have fallen to this trick in the past) but it stands as a problem for a large number of mobile games that rely on microtransactions of real money for virtual items.

CyFi may look helpless, but she’s already a tempered cyberwarrior-in-the-making. In her brief lifetime she’s already had her identity stolen twice, and is the co-founder of Defcon Kids, the juvenile off-shoot that runs parallel to the main conference.

If you’re going to Defcon as press, take heed: Hackers don’t take kindly to members of the media trying to “catch” them saying or doing something that might be construed as admission to a crime. In fact, Defcon has a very strict “DO NOT TAKE PHOTOS OR VIDEO OF THE ATTENDEES” rule for this very reason, and require all press to declare themselves and show their credentials before entering. (Regular attendees, however, pay for their badges in cash and needn’t give over any personal information when registering)

That didn’t stop NBC Dateline reporter Michelle Madigan, who in 2007 tried to sneak into Defcon without credentials and armed with a hidden camera. Not long after Defcon staffers found out who she was, she was publicly outed when a game of “Find the Undercover Reporter” was announced. Cue the mob of nerds chasing her into the parking lot with video cameras.

Getting hacked can be fun, too. The ‘Ninja’ badge game uses custom circuitboard badges to ‘fight’ other attendees through a network of Android-powered base stations set up throughout the conference. The badges were first introduced in 2010 for a special Ninja Badge party where attendees completed quests and hacked each other for virtual goods — similar to those online ‘Mafia Wars’-style Flash and Facebook games, but using hardware and limited by physical location.

Have you gotten hacked at Defcon or elsewhere? Let us know some of your all-time favorite cracks and digital pranks below.