Trying to hack IoT products. Image: Daniel Oberhaus

72 Hours of Pwnage: A Paranoid N00b Goes to Def Con

At Def Con 24, I saw the future of the internet, and it's increasingly centralized.

Aug 18 2016, 1:30pm

I have now seen a bleary-eyed John McAfee pose for selfies with hacker fanboys at a strip club in Las Vegas. I have seen grown men earnestly duel with foam swords. I have learned how to pick uncrackable locks. I have seen hackers go broke at the roulette table while another hacker gave a presentation explaining how to steal $20,000 from an ATM just down the hall. I have eaten an unconscionable amount of lukewarm buffet food. I almost heard a guy explain how to remotely commandeer a jetliner in detail. I still haven't seen a single hacker wearing a ski mask. I have seen dozens of software engineers pay $50 to get turned into a cyborg, and I now know how dildos, the government, and our monitors are spying on us. I have seen thousands of people pwn and get pwned.

At Def Con 24, I have seen the future.

***

Def Con began in 1993 as a going-away party for one of the founders of a Canadian hacking network called Platinum Net. The guest of honor ended up not even showing up to his party in Las Vegas, but the handful of hackers that did turn out enjoyed the shindig so much that they decided to host it again the following year. Now in its 24th year, the Def Con of yore has ballooned from an insular hacker hangout to the hacking and infosec event of the year, attracting over 20,000 hackers, computer scientists, federal agents, and IT professionals from all around the globe to the Bally's Hotel on the Las Vegas strip.

By the time I arrived in Vegas Thursday afternoon, the convention was already well underway.

The highlight of the evening was the DARPA Cyber Grand Challenge, which pitted supercomputers against one another in a cybersecurity exercise called Capture the Flag, which required the computers to detect and patch software vulnerabilities without human input. Despite the amazing technology being demonstrated in the competition, I opted not to attend the event because it was hard to imagine anything that could be more boring than watching computers compute. Based on feedback from attendees who were at the Cyber Grand Challenge, I made the right decision—and besides, I had money to lose in the Bally's slots that night.

While literally throwing my cash into a hole at a roulette table, a non-conference attendee who was also playing spotted my badge. She told me she had seen the Def Con badges all over the place and wanted to know what the convention was about. When I told her it was a hacker convention, she grew visibly perturbed.

"Aren't those the people who break into computers?"

"Yes—also phones, cars, airplanes, and human bodies."

"I thought that stuff was illegal."

"Sometimes."

"..."


"You'll be fine, as long as you don't use the WiFi anywhere around here."

***

Friday morning at the convention began bright and early, a far-from-ideal arrangement for anyone as hungover as myself. Before heading to the convention, I logged on to the hotel WiFi network to check my email. I was connected instantly and began setting up my VPN when it dawned on me: the hotel's WiFi network was password-protected and I hadn't been asked to enter a password. Fuck.

I immediately disconnected from the network and nervously sat staring at my computer. I had seen dozens of Def Con attendees around my hotel, and one of them had set up a fake mirror network that impersonated the hotel's WiFi network—something known as an Evil Twin attack. Logging on to public and hotel WiFi is already risky because almost none of these networks use a WPA security protocol, meaning all the information sent over them is sent in plaintext—which is why I was going to use a VPN to encrypt my internet traffic.

When I received my press credentials for the convention, they came with a warning that all WiFi networks at the convention and in nearby hotels should be considered "extremely hostile," which was to be expected at a hacker convention. But I had slipped up and let my guard down while configuring my VPN. Had I been online long enough to be compromised? Who was watching and what had they seen?

I could feel my paranoia growing as I left for the convention.

All the talks I wanted to see began in the afternoon, so I spent my morning wandering the packed Bally's hallways and checking out the various Def Con villages and hacking competitions. Each village is dedicated to learning about and practicing a different type of hacking, such as car hacking, compromising the Internet of Things, lock picking, or social engineering.

Despite the variety of their themes, each village looked remarkably similar on the inside: dozens of hackers and software engineers cloistered around tables typing furiously away on their computers in the low lighting while bass-heavy electronica played in the background. Occasionally there would be informal talks on subject matters related to the village's theme, but for the most part these rooms were practical spaces, dedicated to exposing vulnerabilities in IoT products or teaching their villagers the art of data duplication, as the case may be.

On the 26th floor of the hotel I found the biohacking village, where dozens of attendees were lined up to get turned into a cyborg. For $50, Amal Graafstra of Dangerous Things (the same guy who made an implant-activated smart gun in his garage) was injecting RFID chips into attendees' hands, which they could then program to do things like unlock their front door or open links on their phone when they waved their hand in front of it.

An attendee gets an RFID chip implant at the biohacking village. Image: Daniel Oberhaus.

I felt sufficiently nauseated after watching dozens of people get poked by a large gauge needle, so I headed downstairs to go to my first talk of the day on the topic of remote controlling commercial airliners. Def Con has become infamous for hosting talks on subjects that are probably best kept secret (like decrypting Adobe e-books or how to get free subway rides for life) and given the description for the talk, which promised to show how easy it is to execute these airline exploits in real life, this seemed like it might shape up to be one of those.

As I stood in line for the presentation, I began Googling the speaker, a man named Sebastian Westerhold, who is the CEO of an electronics company called KF5OBS. Shortly after I found out that Westerhold is currently suing the Little Rock, Arkansas city government for encrypting police broadcasts and had been arrested in March for posing as a police officer while selling alcohol to minors, the line I was in began to break up—the talk had been canceled without explanation.

Jennifer Granick gives a presentation at Def Con 24. Image: Daniel Oberhaus

I finished the afternoon by listening to Jennifer Granick, director of Civil Liberties at the Stanford Center for Internet and Society, discuss the state of the internet utopia envisioned in the net's early days (not great). Shortly after, I popped over to watch Weston Hecker demonstrate how to pull $20,000 out of an ATM, which was less exciting than it sounds. Although Hecker's demonstration was impressive on a practical level, like many of the talks at Def Con his explanation of the ATM exploit was layered in technical jargon that is all but unintelligible to the layperson. Afterwards I returned to my hotel to get ready for a party being hosted at the Hustler strip club by none other than antivirus pioneer and former Libertarian presidential candidate John McAfee.

By the time I arrived at the Hustler Club, the party was in full swing and McAfee was on the roof about to give a toast to the creator of Demonsaw, an information sharing app with end-to-end encryption meant to "free us from the oppression of governments and corporations," for whom the gathering was being held. McAfee boomed a few words of congratulations to Demonsaw's founder from inside a selfie-hungry mob of hacker fanboys before handing the mic over to the founder, who mainly just led a bunch of chants that used "Fuck the NSA" as the central rhyme scheme.

I had no idea what Demonsaw was before arriving at the party and after the speeches I was none the wiser—but like most of the attendees I didn't really care too much about the software. I was there to drink free beer on McAfee's tab and watch hackers ogle a former software giant who is still somehow relevant. After about an hour and a half of this, the party was clearly dying down and began to feel quite a bit like one of the Def Con villages, albeit one with far fewer computers and far more topless women: the same thudding bass rhythms, the same ambient lighting, the same social awkwardness.

I put my half empty beer on a nearby table and headed for the exit.

***

Saturday began by listening to Hunter Scott explain how he used a simple Python script to win Papa Roach vinyl and thousands of other oddities on Twitter. This was subsequently followed by a trip to the contest area, where I was able to watch attendees line up to try to defuse a bomb that was set up in a large wooden crate off to the side (the success record in this venture was distressingly low), expose IoT device vulnerabilities, and mess with a smart car. Afterwards I went to the vendor area, where the abundance of cheap hacking tools finally made me realize just how screwed we are when it comes to cybersecurity.

Attendees practice car hacking. Image: Daniel Oberhaus

Inside the vendor area, which is basically a hacker arms bazaar, Def Con attendees could buy any number of tools which could be used to ruin a n00b's day. In addition to the normal Def Con swag, there were innumerable lock pick sets for sale for under $20, a bevy of nefarious how-to guides, keylogging USB sticks (around $50), and Pineapple WiFi routers which will let users mimic a public WiFi network and read all unencrypted internet traffic passing through the network (a device which could be yours for the low, low price of $100).

Most of these devices were bought to be used for mostly legitimate reasons by pentesters, who attempt to expose network vulnerabilities for companies, but that doesn't mean that customers weren't also looking to have a little fun with them at the conference. Based on a quick glance at the WiFi networks available around Def Con, the Pineapple routers were clearly a popular item this year. If you were one of the unfortunate attendees who forgot to turn off their WiFi or were brazen enough to think they could hold their own in the Wild West that is Def Con's public network, odds are one of these Pineapples (or a fake cell tower) was used to mess with, or seriously exploit, your computer or phone.

After browsing the hacker goodies for sale, I visited the never-ending party that is Queer Con, which has grown so large during its 15 year existence that the organizers had rented out an entire floor of the hotel to host Queer Con attendees this year. On my way out I stopped by the packet hacking village to check out the Wall of Sheep, a scrolling compendium of shame that lists the logins and domain IP addresses of people at the conference who had been using an unencrypted network to get online. It's meant as a friendly reminder to not make it so easy for people to pwn you (if you're not practicing safe interneting at Def Con, there's no way you're being safe about your online habits at home), but if your name ends up on the display, it's hard not to be paranoid about who else may have been watching.

Practicing bomb defusal. Image: Daniel Oberhaus

***

Early Sunday morning, a few hours before I was going to begin my slog through the Mojave Desert back to Phoenix, my computer kicked the bucket. One minute I was filing stories from my hotel room and the next the device was totally unresponsive.

Had I finally been pwned?

After running some diagnostics, I was able to determine that my computer had not been compromised—or if it had, it wasn't what caused the system to shut down. My computer was just crappy and kind of old.

Still, I wasn't able to shake the feeling of paranoia until I was barreling eastward on the I-15 and watching the towers of Vegas recede in my rear view mirror. But if I had learned anything from spending three days moving in one of the most hostile digital landscapes in the world, it was that lulling yourself into a sense of total security while online is exactly the sort of mentality that malicious hackers rely upon for their craft. Just because I had left the belly of the beast did not mean I was safe—if anything, Def Con was just a condensed version of everyday life on the 'net.

In this mindset I couldn't help but think about the talk given by Jennifer Granick on Friday on the subject of slouching toward the internet utopia. For Granick, the utopian dream of the internet (as spelled out in the hacker manifesto or Declaration of Independence of Cyberspace) has all but disappeared in favor of increasing surveillance, censorship and centralized control by both corporations and governments.

As she pointed out during the talk, internet users have ceded control to centralized institutions out of fear—fear that any one of the 20,000 people at Def Con might compromise their system, fear that applications might not work right if they're not backed by a stringent, tamper-free user agreement, fear that the person on the other side of the monitor might not be who they say they are. It is ultimately a fear of other people, as well as a fear of freedom and its excesses.

But what Def Con demonstrates each year is that this is a false bargain: for every promise of security from a centralized institution, there will always be individuals capable of circumventing that system. This is why the term "hacker" still inspires fear in people—but only in those who refuse to understand the ethos.

At Def Con, you're just as likely to get pwned by some asshole with a Pineapple router as you are to see hackers fixing the flaws in the same devices that you use every day at home. Both activities are equally likely to be illegal, but which side of this dichotomy affects you more is ultimately up to you—there are no guaranteed protections, but there are also no limits. Hackers are often lawbreakers, sure, but as Granick noted, one need only look back at the history of this country to see that it was the lawbreakers that have always pushed society to evolve.

That's the thing about those damn kids: they're all alike.