DEF CON 27 - What can we break today?

1 October 2019

This year, DEF CON was held across three venues in Las Vegas, where Arthur Van Der Merwe, our Security and Compliance expert, rubbed shoulders with around 30,000 hackers whilst attending workshops, community villages and insightful talks.

Cloud Security, Car Hacking and Biohacking

This year saw many iconic villages like Cloud Security, Car Hacking and Biohacking once again zoom in on vulnerabilities present within connected devices, such as pacemakers. The sessions revealed new and interesting techniques to break into devices that we use every day. While there is no doubt that some of the techniques learned at this conference could be used for malicious activities, every offensive method comes with a range of defensive techniques.

The Artificial Intelligence (AI) Village came together to discuss the use and misuse of AI in computer security. The session highlighted how AI techniques are being rapidly deployed in common technologies particularly in payment systems, which inevitably opens up more possibilities for cyber-attacks. Undoubtedly, the misuse of this technology could potentially cause major havoc if under the control of an attacker.

In the Car Hacking Village participants were taught how to take advantage of simulated connected cars to gain control over them in an open and collaborative space. Today, cars are connected to the internet as part of our increasingly interconnected world. Workshop participants were also given all the tools needed to take command of a vehicle, to test on real-life connected cars.

Walking through the vendor stands, I spotted various characters selling equipment enabling lock picking, and a one-minute video tutorial running in a loop demonstrating how to pick a standard padlock. After watching it three times, it’s impossible to look at a lock the same way again; it’s so simple to unlock it without a key. The Lock Bypass Village at Flamingo's talks were much more technical and included analysing a hacker mindset to secured physical spaces and then applying this same mindset to more advanced devices.

Cryptography and Privacy

This year, I also attended the Cryptography and Privacy Village, which showcased a range of interesting talks looking at how data is often leaked unintentionally through Application Programming Interfaces (APIs), without the vendor realising.

Two researchers, Alex Lomas and Alan Monie, analysed a range of dating apps with their APIs looking at how these apps use the current location of a user to co-locate other active users.

This allowed the researchers to reuse the API to triangulate other users with freaky precision. Interestingly, most people in the audience shared that they had used dating apps that provided some matching capability based on the location of the users along with the proximity of other users.

The research revealed that the accuracy of the GPS data could locate a user, right down to the last centimetre. This precision not only exposes location information, it also reveals deeper insights by association, which could enable governments (for example) to track members of potentially vulnerable communities. As a very real illustration of the sensitivity of the level of insights, the researcher explained that their work was able to identify the location of members of the LGBTI community. Once the researchers realised that the data they were collecting could be used for this purpose, they immediately stopped the research, explaining that in 74 countries LGBTI relationships are classified as illegal and carry severe penalties.

Quantum Technology

Quantum technology is the next technical revolution, which will enable a higher rate of data processing utilising qubits instead of traditional binary systems. The capability to process data at a higher rate, means that an attacker has the computational power to break some of the current cryptosystems. One mechanism to protect against this impending quantum computing threat is to start developing quantum-safe cryptographical protocols using new primitives such as lattice-based cryptography.

Christian Pacquin gave an interesting talk on ‘Migrating to quantum-safe cryptography to protect against the quantum hackers’. In this session, Pacquin went beyond just creating a quantum-safe protocol; he used existing protocols integrated with current proposed quantum cryptography schemes to make conventional protocols quantum-safe.

Pacquin demonstrated the use of Secure Shell (SSH) and the integration of a lattice-based cryptography scheme with great success and negligible performance degradation. Currently, he is evaluating other quantum-safe protocols submitted to the US National Institute of Science and Technology (NIST) Post Quantum Cryptography Competition. I would suggest keeping a close eye on his work and GitHub repository for developments in this area.

The need for quantum-safe cryptography also resonated with Sarah McCarthy, who is focussing on the use of lattice cryptography for vehicle-to-vehicle communication. Sarah is a PhD student studying the use of lattice-based cryptosystems in the internet of things (IoT) environments. Identity-based encryption schemes are traditionally used with elliptic curves and finite fields. Sarah suggested using a lattice-based scheme to bind a digital identity attribute to the public and private keys for the purpose of encryption and decryption. She considered the use case of instantaneous communication required for vehicle-to-vehicle, and adapted the scheme as part of her research team, The Centre for Secure Information Technologies (SSIT). The results presented by her partners were impressive, and the use of quantum-safe cryptography is undoubtedly on the horizon, even for low-powered devices and vehicle-to-vehicle communication

The DEF CON Experience

DEF CON did not just provide illuminating talks and classes. At registration users are given a badge with a built-in microprocessor, with the first challenge of the conference being to crack the badge and complete the challenges. Walking down the busy hallways, you can tell which participants have already started the badge hacking challenge by the colours of the flickering LEDs. Some participants who live ‘the badge life’ showcase their custom-engineered series of badges like a status symbol.

After each day of talks, there are several organised ventures, from pool parties to shooting ranges. I highly recommend attending the legendary DEFCON parties, but with restraint, as they can get out of hand.

As the conference concluded, you could see Las Vegas returning to normal; no more shoulder to shoulder crowds walking through the halls of Paris and Ballys or strange mohawk hairstyles - just the typical tourist. The hackers have left, more than likely getting ready for next year, DEF CON 28.

The question is – what will they break next year?