Imploding Barrels and Other Highlights From Hackfest DefCon

As this year’s DefCon draws to a close, here’s a compendium of some of the con’s highlights.
Image may contain Human Person Game and Gambling
A lock-picking workshop in the Tamper Village.Ryan Young for WIRED

Visiting Las Vegas can feel a bit like being a metal sphere in a pinball machine—you’re tossed from bright lights to blaring shows and back again until you eventually (hopefully) emerge out a hole at your home airport. When you visit Vegas with a swarm of hackers and security researchers, the dizziness gets amped up tenfold and can be laced with a dose of dark mischief.

This year marked the 23rd DefCon, the hacker conference that began as an informal gathering for hackers to meet in person and party in the desert. Since its beginning, it has grown from fewer than 100 attendees to reportedly more than 20,000 all of them jammed into two hotels this year—Paris and Ballys—to learn the latest hacks and swap techniques.

WIRED covered a number of talks from the conference over the last two weeks—including hacks of Chrysler Jeeps and Teslas, electronic skateboards, sniper rifles and Brinks safes. But as this year’s event draws to a close, here’s a compendium of some of the con’s other highlights:

Barrel of Unfun

Jason Larsen is one of the country’s top SCADA hackers and has been researching and designing proof-of-concept attacks against critical infrastructure for years, first for the Idaho National Laboratory and now for IOActive, a global security consultancy. He has a special interest in digital-to-physical attacks—ones that, like Stuxnet, use malicious code to cause physical destruction to equipment. This year in DefCon’s ICS Village, focusing on hacks of industrial control systems, he directed his destructive talents at a 55-gallon barrel, which he imploded with code that simultaneously vaccuum-packed the target and increased its temperature, resulting in a powerful boom! that reverberated through the room. An attack like this could be used to cause a chemical spill in a plant. If done to multiple tanks or barrels in a facility, it could also result in unsafe chemicals mixing for a combustible and toxic chain reaction. Here’s a gif of the momentous event.

The crushed barrel was later auctioned off for charity.

Seen: Tesla Asks to Get Hacked

Tesla wasn’t just a good sport about appearing on stage with the two researchers who hacked its Model S, the company brought a Tesla to the DefCon car-hacking village, enticing others to have-at-it as well, while touting its expanded bug bounty program. The program used to focus only on bugs found in the company’s web site, but now Tesla is also offering payment—up to $10,000—for software bugs found in its cars. [Caveat: Only cars that you own or are authorized to hack are eligible for testing.]

Heard: Help Us, Hackers, You’re Our Only Hope

DHS Deputy Secretary Alejandro Mayorkas appeared at DefCon to recruit hackers for the government, telling the audience that embedding backdoors in encryption products and systems is a bad idea. Raucous applause ensued.

He also dared the hackers to hack his mobile phone: “I challenge you all to make my phone ring during my remarks. If you do, you’ll get a free job at the government.” The phone didn’t ring, but who knows what other trick hackers silently did to it.

Iron Man Takes on Clickjacking

Dan Kaminsky, cofounder and chief scientist of White Ops, declared war on clickjacking—attacks that involve using malicious code and techniques to cause web site visitors to click on something other than what they think they’re clicking on, such as a concealed link on the page. The attack is done by placing invisible iframes over a legitimate page so you can’t see the top layer of content you’re actually clicking on. One of the most famous examples of clickjacking tricked people into changing the security settings for the Adobe Flash player on their computers, allowing Flash animations to enable their microphone and webcam. But clickjacking can also be used to perpetrate fraud by tricking you into buying products or donating money you don’t intend to donate. Kaminsky’s solution to counter the nefarious activity? Ironframes, a technique he likens to the popular party game Jenga: “We take the layer from the bottom, and put it on top…so the only thing that could be rendered is what should be rendered.”

Seen: Vulcan Salute

This year’s con coincided with the Star Trek convention, which was being held down the road at DefCon’s old haunt, the Rio. To show respect, hacker and badge designer Ryan Clarke, aka LostBoY, led the hackers in a Vulcan salute to William Shatner.

Shatner beamed back some geek love.

Heard: Flying Sideways

“But were you able to make it fly sideways?”—the most common refrain offered in response to hacking claims.

As in: “I just hacked a Jeep to remotely kill the motor as it speeds down a highway!”

Response: “But were you able to make it fly sideways?”

The comment, of course, is a hacker bow to security researcher Chris Roberts, who was illogically accused by the FBI this year of hacking a plane to make it fly sideways.

Seen: Radioactive Badges

DefCon’s badges are a highlight of the event each year. This year’s Uber badge, designed by Ryan Clarke, paid respect to physicist Richard Feynman and the dawn of the nuclear age, which Feynman helped launch. Uber badges are given to the winners of DefCon contests each year and entitle the recipient to a lifetime of free admission to the con. This year’s badge took the form of a triangle in honor of the government’s codename for its first nuclear test detonation: Trinity. Oh, and it was also radioactive. Each badge contained a Uranium marble in one corner, a crystal skull embedded with a small vial of tritium in another, and a tiny remnant of radioactive material said to have been recovered from the desert site in New Mexico where the Trinity test occurred. Geiger counter not included.

The Uber Badge. The Uber Badge. Ryan Clarke

Heard: Hacker Holler

Katie Moussouris, Hacker One’s chief policy officer, sang “History of Vuln Disclosure: The Musical” for this year’s inaugural Drunk Hacker History contest. Oh, and she won the contest.

Robocall Killer

As part of the FTC’s efforts to kill robocalls once and for all, the agency trotted out the two finalists of its “Robocalls: Humanity Strikes Back” challenge, aimed at finding a technological solution to stop unwanted calls. Among the finalists is Robokiller, an app to end robocalls on mobile phones and landlines.

Created by Bryan Moyles and Ethan Garr, it relies on call forwarding, which works universally across all carriers and doesn’t rely on a third party to implement, the way the worthless “Do Not Call” registry does. The latter doesn’t work because the people making robocalls don’t care about adhering to laws and opt-out requests. The app bypasses this and gives you a way to block calls automatically. It filters out robocalls so that only legitimate calls reach your number. All calls show up in a mobile phone’s call log as usual. But if the robokiller determines it’s a robocall, the call will go into a trash bin, allowing you to sift through the bin to just the filter’s effectiveness.

And since many robocalls are spoofed—making it difficult to simply block known robocall numbers—the app doesn’t just rely on blacklists to screen out known rogue numbers, but uses audio analysis to distinguish human voices from electronic ones to weed out robocall voicemail messages. Each voicemail message is still preserved in a trash folder so you can check that no wanted calls were mistakenly filtered, such as a recorded call from a school or doctor’s office. If the robokiller catches legitimate calls, you can whitelist the number to receive future calls from the number.

The creators expect the app to be available for Andriod and iOS phones this week.

There is one downside to all of this. All of your calls get filtered through Robokiller’s system, which means it has a log of all calls you receive to your mobile phone and landline—a gold mine for government agencies or anyone else who might want to seize it with a subpoena and don’t want to fight two different carriers (for your landline and your mobile line) to obtain it. There’s also the risk that Robokiller could decide at some point to change its privacy policy and sell or otherwise provide your call data to other parties.

Seen: Stingrays

IMSI catchers (sometimes called stingrays)—rogue devices for intercepting your mobile phone traffic—tend to be legion at DefCon and this year was no different. Detecting them can sometimes be difficult, or, as simple as this:

Post DefCon Checklist

Finally, to end our DefCon coverage this year, we turn to security researcher Jonathan Zdziarski, who offered this apt summary on Twitter: