DEFCON 23 was my favorite DEFCON experience so far. There were a lot of great talks and fun after-hours events. Below is a list of talks that I attended, for posterity’s sake.
Stagefright: Scary Code in the Heart of Android – Joshua J. Drake. This talk explained the Android exploits that arise because Android pre-processes incoming messages. For example, texting a malicious image leads Android to retrieve and load the payload before the user even sees a notification. This should make the user interface feel faster, but it comes at a price.
Bruce Schneier Q&A – Bruce Schneier. I <3 Bruce. He’s just so clear and intelligent. I hope we make him head of cyber security for the U.S.
Drive It Like You Hacked It: New Attacks and Tools to Wirelessly Steal Cars – Samy Kamkar. Samy is one of my favorite security researchers—I highly recommend his talks. This talk was funny and informative.
How to Hack a Tesla Model S – Marc Rogers and Kevin Mahaffey. Tesla did an amazing job of securing their vehicle—especially considering how connected it is.
How to hack your way out of home detention – AmmonRa. Neat idea. Fake the messages from your ankle bracelet while you cloak your existing one with a Faraday cage. You could get someone else in trouble by making them appear outside their confinement zone too.
Tell me who you are and I will tell you your lock pattern – Marte Løge. Turns out, people are predictable. And lock codes maybe aren’t all that secure.
I Will Kill You – Chris Rock. My favorite talk at DEFCON 23. Our birth and death record-keeping needs some modernization.
When IoT attacks: hacking a Linux-powered rifle – Runa A. Sandvik & Michael Auger. Sad to see an Austin-based company taken down, but come on—an internet-enabled rifle? you knew this was coming.
Remote exploitation of an unaltered passenger vehicle – Charlie Miller and Chris Valasek. Dr. Miller and Chris Valasek are always entertaining. Their presentation style is unlike any others—they either rehearse a ton or they have great chemistry and complementary personalities. This continued their work hacking Jeeps. At the time of the talk, their exploits had been fixed so all is well… for now.
Hacking Electric Skateboards: Vehicle Research For Mortals – Mike Ryan & Richo Healey. The timing on this was awesome! This came right after the “hack a Jeep” talk and the humility of the presenters (“vehicle research for mortals”) was great. Basically, if you build an internet- or bluetooth-enabled device, you will get hacked.
The Bieber Project: Ad Tech 101, Fake Fans and Adventures in Buying Internet Traffic – Mark Ryan Talabis. Online ads baffle me. I think it is really hard to connect ads to revenue, with an underlying belief that ads are not a wise use of capital. The presenter showed a Chinese ad fraud system called jingling that spawns a ton of threads and programmatically clicks links; while running jingling you accumulate tokens that you spend to get others to click on your links. Some people claim to make an extra $50/day (or far more) just by participating. Brilliant!
REpsych: Psychological Warfare in Reverse Engineering – Chris Domas. I missed the first half, but what I gathered is that Chris Domas was able to figure out how to create binaries that form images when viewed in a disassembler like IDA. He showed a silly malware that dynamically found images on your computer and made binaries that match the images—he joked that he would stop probing any malware that could present his portrait.