Reporter’s Notebook: From cars to security badges, if you build it, they will hack it at Defcon, the annual meeting of cybersecurity pros.
Jeeps and Teslas have made headlines over the past month for their vulnerability to hackers, and you can bet the finer points of breaching car software were featured at the annual Defcon cybersecurity gathering that ended Sunday.
While disconcerting, these attacks were practically old news at the conference in Las Vegas, where for 23 years, those electronic tinkerers known as hackers have come together to learn from one another.
From copying the corporate security badges so many of us wear to stealing files by pretending to be a portable USB thumb drive, hackers seem especially threatening to anyone’s business these days. In addition to the Jeeps and Teslas, medical devices joined the ranks of hackable devices last week when the Food and Drug Administration warned that the Hospira Symbiq, a device for pumping medicine into the body, could be hacked.
It’s clear the reason we have to worry about vulnerabilities in these big ticket items is that we connect them to the Internet now.
Certainly professional cyberdefenders — people who work in corporate IT departments, who research flaws at think tanks and universities, or who hunt down computer bugs to make systems safer — are all in attendance. They call themselves “white hats,” after the clothes law-abiding good guys usually wore in Western-genre films.
The opposite, known as “black-hats,” are often considered the more dangerous of the two. They use their skills more questionably. The Black Hat conference held here in the week prior typically involves more inside-baseball of the cybersecurity industry, whereas Defcon gets more attention from a curious outside world.
Even high-ranking officials from the US government have attended Defcon, including representatives from Congress and various agencies like the National Security Agency. That practice fell out of style, however, after former government contractor Edward Snowden disclosed massive hacking efforts on behalf of NSA spying programs.
Regardless of how they see themselves, everyone here is confronting the fact that valuable systems and information are not safe.
For the love of unauthorized access
If you’re not a hacker yourself, you might be picturing Neo from the Matrix, crawling through the code on your computer, dodging anti-virus software like bullets. In reality, hackers at Defcon look like regular, slightly nerdy people. The only reason they stand out in Las Vegas is, in their jeans and T-shirts, they aren’t as dressed-to-the-nines as everyone else here on luxurious vacations.
If you look closer, there are some giveaways about the subversive hacker culture: There’s a certain amount of hair dye, electronic music and the occasional lock-picking kit (or twelve) hanging from a belt loop. Also, there were so many backpacks.
And one doesn’t need to be a programmer to understand the essence of what goes on here. Hackers are merely students of unauthorized access, in whatever form that takes.
All the conceivable forms of a break-in were on display at Defcon. In one enormous conference room, people sat at tables and focused on picking physical locks and discretely opening “tamper-proof” packaging materials, as well as soldering circuit boards to rejigger computer hardware.
In the same room, a friendly, bearded man demonstrated a device that can impersonate a security badge after bumping up against the original and copying its signal.
Hiding behind a screen
Speakers giving super technical advice for hacking can be found around every corner. For someone who isn’t a computer programmer, these sessions are practically nonsensical, with names like “Backdooring GIT” and “One device to pwn them all.” But they point to the intense creativity on display here.
GIT is a program for software development teams to coordinate their efforts, and putting backdoors into it could allow someone to disrupt software as it’s being created. To be “pwned” is to be breached, and the device on display at this talk delivered on its threat, downloading files by pretending to be a USB device.
But technical prowess is not the only skill revered at Defcon. One celebrated room honors the age old practice of smooth-talking. Called the “social engineering village,” this is where speakers tell the secrets of con artists.
Instead of relying on technical hacking skills, social engineers rely on their understanding of human psychology to find what might make someone freely give up vital information.