DEF CON 24 Roundup: 2016 Hacker Conference

August 08, 2016 by Kate Smith

A roundup of the top stories from this year's DEF CON Hacking Convention in Las Vegas.

A roundup of stories and updates from this year's DEF CON hacking convention in Las Vegas, which was held in Las Vegas, August 4-7.

Over 22,000 people attended this year's DEF CON. Cyber security experts and hackers alike came to the event to congregate with their peers and share information on the latest in the industry.

Here are a few highlights, in case you missed them:


Hackable BLE Door Locks

Anthony Rose, an electrical engineer, and Ben Ramsey, a professional information security expert, presented "Picking Bluetooth Low Energy Locks from a Quarter Mile Away".

The duo investigated 16 different BLE lock products and found issues with the security of 12 of them. That is to say, they picked 12 different BLE locks—from nearly half a mile away and using minimal equipment. 

On top of proving the vulnerabilities of these locking mechanisms, the presentation also introduced open source hacking tools that could be used to hack both vanilla Bluetooth and BLE locks.

Before you become too outraged at Rose and Ramsey's goals in this presentation, you should be aware that they contacted 14 of the 16 companies that produced the locks regarding the vulnerabilities they found. According to the hackers, these companies declined to change their systems, even when faced with proof that they were easily breached.


Example of a BLE lock. Image courtesy of August (one of the four locks that Rose and Ramsey could not hack).


Other Village Talks (broken up into multiple "Village" segments, e.g., "IoT") from this year's event included updates on the FCC's cybersecurity activities, automated dorking, lessons from last year's Ashley Madison hack, cryptography in Python, reverse engineering RF drones, and introductions to various hacking tools and systems.

"Mayhem" Supercomputer Competes with Humans

For the unfamiliar, the Cyber Grand Challenge (or CGC) is a yearly competition hosted at DEF CON by DARPA, first hosted in 2013. Of course, "Capture the Flag" means something different to hackers than it does to most people. In hacking, each team is given a network that is full of weaknesses. They must simultaneously patch their network to defend it from attack while also developing breaches for the opposing team's network.

In addition, some games also include "Jeopardy-style" rules, where the teams must solve a series of puzzle-like tasks—each unlocking the next—to earn points.

Mayhem is a supercomputer developed by the Pittsburgh-based team, ForAllSecure.


Mayhem. Image courtesy of ForAllSecure.


In this year's CGC, Mayhem defeated its machine opponents. Part of the team's reward for this victory (along with $2 million) was an invitation to pit Mayhem against humans at DEF CON's annual Capture the Flag competition.

On August 5th-7th, Mayhem went up against some of the best competitive hacking teams in the country. The result? Mayhem got 15th place out of 15 entrants. 

While supercomputers still have a long way to go before they can defeat human opponents, Mayhem does give life to the idea that competent, self-patching security systems are on the horizon.

r00tz Asylum

Another yearly event held within DEF CON is the r00tz Asylum. This is a group of rooms dedicated to teaching hacking, hardware engineering, encryption, etc., but focusing on a very particular demographic: kids.


Image courtesy of r00tz Asylum.


According to its website, the Asylum typically caters to kids between the ages 8 and 16.

Beyond giving kids the tools and skills to do their own hacking, r00tz also educates them about the role cybersecurity plays in their lives and in the world at large. 

Another point worth bringing up is that r00tz has an explicit goal of teaching hacking skills as a tool "for good". One of last year's talks, for example, was titled "White Hat Hacking" wherein "white hat" refers to ethical or socially responsible activity.

Along these lines, the program has involved the kids in "bug bounties" wherein companies pay for the discovery and reportage of weaknesses in their security systems.

As a note, this year was Apple's first taking part in the "bug bounty" industry:


As usual, DEF CON 2016 had a slew of workshops on the convention floor.

As an example, here's a demonstration of an attendee hacking a Raspberry Pi using a Black Magic Probe: