The NTIC Cyber Center Goes to DEFCON: Highlights and Key Takeaways

Last week, NTIC Cyber Center team members attended DEFCON – a four-day annual cybersecurity and hacking conference – to learn about the latest vulnerabilities, exploits, and research from cybersecurity experts across the globe. The theme of this year’s conference was “The Promise of Technology,” and the lineup of presentations and activities was, according to conference organizers, designed to “reflect the real costs of technology” and to “strengthen those things that help us do good, and weaken the things that enable us to do bad.” In previous years, hackers and security researchers sharing their work at DEFCON took part in unofficial contests such as “Spot the Fed,” in which attendees were encouraged to identify law enforcement officers and intelligence officials thought to be attending in order to conduct surveillance and possibly arrest subjects of interest. This year, however, the emphasis shifted toward bringing the cybersecurity and government communities together to solve the complex technological problems we all face in an increasingly interconnected world.

One of the first presentations our team attended was Hacking Congress: The Enemy of My Enemy Is My Friend, a panel led by former US Representative Jane Harman of California that included current US Representatives James Langevin of Rhode Island and Ted Lieu of California, along with staff from Rapid7 and IBM’s X-Force Red team. The goal of the panel was to bridge the divide between hackers and government by emphasizing the importance of cooperation and information sharing, and by encouraging the cybersecurity community to drive positive change through involvement in policy and legislation. Helping hackers and security researchers understand the gaps between government and industry creates opportunities for collaboration and for process improvements that help safeguard the nation from potentially devastating cyber attacks. For more information about this panel, see Dark Reading’s article Security Pros, Congress Reps Talk National Cybersecurity at DEFCON.

Another talk we attended was Are Your Child’s Records at Risk? The Current State of School Infosec, a 45-minute presentation by an 18-year-old hacker who shared his experiences finding multiple vulnerabilities in two student data management platforms. These vulnerabilities exposed five million student records containing grades, immunization records, passwords, cafeteria balances, special education information, schedules, and student photos. According to the presenter, the vulnerabilities affected over 5,000 schools nationwide. He also outlined the challenges he faced when disclosing these issues to his school and to the software companies that developed the platforms. Despite his attempts to practice responsible disclosure, he said his messages to the companies were ignored, and his persistent efforts to bring the issue to his school’s attention ultimately earned him a two-day suspension. Eventually, he was able to convince at least one of the companies to address the issue, noting that shortly after he got their attention, the company in question posted a job opening for a new chief information security officer. He reminded the audience that a company’s claim to protect its customers’ data does not mean it has taken the necessary steps to do so. He also encouraged organizations to reward security researchers who responsibly disclose vulnerabilities and to participate in “bug bounty programs” to help strengthen their defenses. For more information about this presentation, see WIRED’s article This Teen Hacker Found Bugs in School Software That Exposed Millions of Records.

Two DEFCON presentations raised awareness of more dystopian concerns as they shed light on emerging technologies that could be used to monetize brain waves and weaponize audio frequencies to cause physical and psychological harm to humans. In the presentation titled Hacking Your Thoughts – Batman Forever Meets Black Mirror, National Science Foundation Research Fellow Katherine Pratt explored the dark side of brain-computer interface (BCI) devices and highlighted privacy concerns and ethical dilemmas that this technology could present in the not-too-distant future. She emphasized that, although neurally-controlled devices can be used to improve the quality of life for people with disabilities, they also open the door to potential abuse by corporations and government entities. In a world where organizations can extract information directly from the human brain and use visual and auditory stimuli to elicit specific neural responses, the question arises, “Who owns your thoughts?” In a separate presentation titled Sound Effects: Exploring Acoustic Cyber-Weapons, Matt Wixey of PwC UK assessed the capability of several consumer-grade audio devices to produce sound at frequencies known to cause a range of detrimental issues in humans including temporary or permanent hearing damage, nausea, fatigue, and adverse psychological effects. Since ethical considerations prevent researchers from fully understanding the potential impacts of human exposure to these frequencies, Wixey and his team used existing research on weaponized sound to supplement their study, identify potential attack scenarios, and test current consumer electronics to determine the feasibility of this type of attack. Both presentations provided the audience with an interesting look into future implications of these rapidly emerging technologies.

In addition to the many presentations and panels, DEFCON also provided attendees with hands-on hacking and skill-building opportunities with their many “Villages.” Conference-goers could try their hand at picking padlocks at the Lockpick Village, learn about medical device hacking in the Biohacking Village, explore the inner-workings of a Tesla vehicle in the Car Hacking Village, and identify software and hardware vulnerabilities that could impact election outcomes in the Voting Machine Hacking Village.

Hacked voting machines at DEFCON's Voting Machine Hacking Village

Overall, this year’s DEFCON was well-organized, provided a lot of great information about the threats we face in cyberspace, and helped bring together unlikely allies in an effort to better secure the world we live in now and the one we hope for in the future.

The NTIC is governed by a privacy, civil rights, and civil liberties protection policy to promote conduct that complies with applicable federal, state, and local laws. The NTIC does not seek or retain any information about individuals or organizations solely on the basis of their religious, political or social views or activities; their participation in a particular noncriminal organization or lawful event; or their race, ethnicities, citizenships, places of origin, ages, disabilities, genders, or sexual orientations. No information is gathered or collected by the NTIC in violation of federal or state laws or regulations.