DEF CON 27 (2019) Report Version 1a (2019-08-11)

POC: Steve Holden, [email protected], www.technewsradio.com, @technewsradio

LICENSE: Creative Commons Attribution-ShareAlike 4.0 International (CC BY-SA 4.0)

These are my own personal notes taken at DEF CON 27 (held in 2019). This includes notes from talks I attended in person (marked with a *), but also my analysis as time permitted of key information from select slides posted to https://media.defcon.org. Starting in 2017, DEF CON stopped providing a Presentations CD with session material. See the DEF CON Media Server for a complete archive of material from the beginning of DEF CON 1. Updated notes will be periodically posted as time permits. Corrections, suggestions, comments, etc. are welcome. I also have similar reports (1- total) from DEF CON 18, 19, 20, 21, 22, 23, 24, 25, & 26. These notes will include links to external sites. Most of the sites have been validated, but there could be some issues. Use your best judgement.

A complete list of sessions and speakers can be found on the official HTML version of the DEF CON program: https://www.defcon.org/html/defcon-27/dc-27-schedule.html. A complete list of speakers and session abstracts is here: https://www.defcon.org/html/defcon-27/dc-27-speakers.html.

Document organization: Sessions (organized by date/time); Workshops; Demo Labs; Vendors; Training Options; and News Coverage (all the way at the end of the document).

Thursday, August 08, 2019:

101 Sessions (did not attend any of these):

● Exploiting Windows Exploit Mitigation for ROP Exploits - Omer Yair
  ○ https://defcon.org/html/defcon-27/dc-27-speakers.html#Yair
● Breaking Google Home: Exploit It with SQLite (Magellan) - Wenxiang Qian, YuXiang Li, HuiYu Wu
  ○ https://defcon.org/html/defcon-27/dc-27-speakers.html#Qian
● Are Quantum Computers Really A Threat To Cryptography? A Practical Overview Of Current State-Of-The-Art Techniques With Some Interesting Surprises - Andreas Baumhof
  ○ https://defcon.org/html/defcon-27/dc-27-speakers.html#Baumhof
● Intro to Embedded Hacking -- How you too can find a decade old bug in widely deployed devices. [REDACTED] Deskphones, a case study. - Philippe Laulheret
  ○ https://defcon.org/html/defcon-27/dc-27-speakers.html#Laulheret
  ○ Slides and demo video are on the Media Server
● Web2Own: Attacking Desktop Apps From Web Security’s Perspective - Junyu Zhou, Ce Qin, Jianing Wang
● DEF CON 101 Panel - Highwiz, Nikita, Will, n00bz, Shaggy, SecBarbie, Tottenkoph

Friday, August 9, 2019:

Behind the Scenes of the DEF CON 27 Badge - Joe Grand (Kingpin)
● Slides are on the Media Server:
  ○ https://media.defcon.org/DEF%20CON%2027/DEF%20CON%2027%20presentations/DEFCON-27-Joe-Grand-Badge.pdf
  ○ https://media.defcon.org/DEF%20CON%2027/DEF%20CON%2027%20presentations/DEFCON-27-Joe-Grand-The-DEFCON-27-Badge.pdf
● Link to speaker: https://defcon.org/html/defcon-27/dc-27-speakers.html#Grand

Hacking Congress: The Enemy Of My Enemy Is My Friend - Former Rep. Jane Harman, Rep. James Langevin, Jen Ellis, Cris Thomas, Rep. Ted Lieu
● Link to speakers: https://defcon.org/html/defcon-27/dc-27-speakers.html#Harman
● No slides on the Media Server

Behind the Scenes: The Industry of Social Media Manipulation Driven by Malware - Olivier Bilodeau, Masarah Paquet-Clouston
● Link to the speakers: https://defcon.org/html/defcon-27/dc-27-speakers.html#Bilodeau
● Slides are on the Media Server: https://media.defcon.org/DEF%20CON%2027/DEF%20CON%2027%20presentations/DEFCON-27-Masarah-Paquet-Clouston-Olivier-Bilodeau-The-Industry-of-Social-Media-Manipulation-Driven-by-Malware.pdf

*Duplicating Restricted Mechanical Keys - Bill Graydon, Robert Graydon
● More info on the presenters: https://defcon.org/html/defcon-27/dc-27-speakers.html#Graydon
● Good overview of how keys work and how they are traditionally copied and originally created
● “Restricted Key” - have additional “keyways”, sometimes horizontal (and most key copy places don’t have the machines to cut these)
● Interesting review of SCHLAGE logs and how they make 5 pin and 6 pin (including details on master keys)
● Review of 3D printing options
● They have built a scripting language and a database for capturing keyways and then making new keys using 3D printing
● Review of USPS keys and how they were “copied” in LA by thieves
● Stolen locks can be reverse engineered to build keys that can be used on locks using the same “keyways” (including determining the master key)
● Review of current vendors of locks (Master, Medeco)
● Some keyways can be purchased just for a specific facility (examination of just taking a photo of the lock and then reverse engineering the key)
● Deep dive in Medeco family of keys/locks (most spaces have the machines necessary to copy these keys)
● Some keys have two parts -- MUL-T-LOCK
● Review of a tool they bought on eBay for $100
● Getting some of these keys made is by presenting a “card” from the manufacturer. These can be forged very easily.
● Videos: https://media.defcon.org/DEF%20CON%2027/DEF%20CON%2027%20presentations/DEFCON-27-Bill-Graydon-Demo-Videos/
● Slides: https://media.defcon.org/DEF%20CON%2027/DEF%20CON%2027%20presentations/DEFCON-27-Bill-Graydon-Restricted-Keys.pdf

*Don’t Red-Team AI Like a Chump - Ariel Herbert-Voss
● More info about the speaker: https://defcon.org/html/defcon-27/dc-27-speakers.html#Herbert-Voss
● Slides are on the Media Server
● Review of how to make AI tactics (Tesla)
● Review of AI systems (data comes into a (model) and the output is a prediction)
● Model = recognize pixels to determine if there is a boat in an image
● What can be “broken” - Data (poison - supply chain attack), Model (need to know the type)
● Can you spoof the prediction? (confidence levels)
● Deep dive on how to fool an AI-powered video surveillance system (good set of slides)
● AI means to “test” AI for vulnerabilities (Adversarial ML attacks)
● There was a recent attack on a virus detection system that compromised the “data supply chain”

The Tor Censorship Arms Race: The Next Chapter - Roger Dingledine
● More details on the speaker: https://defcon.org/html/defcon-27/dc-27-speakers.html#Dingledine
● Slides are on the Media Server

All the 4G Modules Could Be Hacked - Xiao Hui Hui, Ye Zhang, Zheng Huang
● More details on the speakers: https://defcon.org/html/defcon-27/dc-27-speakers.html#XiaoHuiHui
● Slides are on the Media Server

Evil eBPF In-Depth: Practical Abuses of an In-Kernel Bytecode Runtime - Jeff Dileo
● More details on the speaker: https://defcon.org/html/defcon-27/dc-27-speakers.html#Dileo
● Slides and extras are on the Media Server.

Process Injection Techniques - Gotta Catch Them All - Itzik Kotler, Amit Klein
● More details on the speaker: https://www.defcon.org/html/defcon-27/dc-27-speakers.html#Kotler
● Slides and extras are on the Media Server.

*Phreaking Elevators - WillC
● More details on the speaker: https://www.defcon.org/html/defcon-27/dc-27-speakers.html#WillC
● Slides are on the Media Server.
● Speaker is a ‘high voltage’ expert and has been going to a lot of hacking conferences
● There is a HOPE talk about elevators (see)
● Elevator phones (who has used them)
● Disclaimer
● Push the button - dials a number
● They connect: POTS, VoIP, Cellphone
● Most are POTS (ADA/ASME17)
● Some phones will dial 911, maintenance elevator, OpenCNAM (elevator phone list has been posted)
● Social engineering - getting the phone number you are dialing from (and then you could call them back)
● Getting to independent service (restricted floors)
● How to program an elevator:
  ○ Site ID 2
  ○ Hangup *# or *0 0
  ○ Maybe connection to a PBX or other line concentrators
  ○ Most locations and elevators are unique
  ○ An elevator could have its own PBX (if you don’t get a full phone # you are probably on a PBX)
● Some elevators also connect into an emergency concentrator like those on a wall and there are also intercom systems.
● There are also Fire Fighters Phones (if you put a connector in, an alert is going to be sent)
● A lot of these elevators have manuals
● Some demos (you can do programming via key pad, switches, remote, code)
● There are default elevator phone passwords
● www.datagenetics.com/blog/september32012/index.html
● 900 # calling is charging $2.55 a minute (if you had a number you could rack up some fraud calls)
● Elevator numbers should be monitored: logging, alerting, etc.

Infiltrating Corporate Intranet Like NSA: Pre-auth RCE on Leading SSL VPNs - Orange Tsai, Meh Chang
● More info about the speakers: https://defcon.org/html/defcon-27/dc-27-speakers.html#Tsai
● Slides and videos are on the Media Server.

API-Induced SSRF: How Apple Pay Scattered Vulnerabilities Across the Web - Joshua Maddux
● More info about the speaker: https://defcon.org/html/defcon-27/dc-27-speakers.html#Maddux
● Slides and video are on the Media Server.

HackPac: Hacking Pointer Authentication in iOS User Space - Xiaolong Bai, Min (Spark) Zheng
● More info about the speaker: https://defcon.org/html/defcon-27/dc-27-speakers.html#Bai
● Slides are not on the Media Server (as of 8/9/2019)

HVACking: Understand the Difference Between Security and Reality! - Douglas McKee, Mark Bereza
● More info about the speakers: https://defcon.org/html/defcon-27/dc-27-speakers.html#McKee
● Slides are on the Media Server

*No Mas—How One Side-Channel Flaw Opens Atm, Pharmacies and Government Secrets Up to Attack - phar
● More info about the speakers: https://defcon.org/html/defcon-27/dc-27-speakers.html#phar
● Review of latest in electronic lock design and overview of the technology
● Look at a lock from Cyberlock (taken apart and electrical analysis)
● External power sources are good attack vectors
● These designs are being used for “lock boxes”
● Review of doing electronic power side channel attack
● Generation 2 does not have the side channel attack (that affected Generation 1), but there is an external timing attack that resets it to factory default
● X0 series of locks analysis/research - different methodologies - new X-10
● GSA letter (kind of funny)
● Closer look at the X07 and then looked at X08 and X09 (looked at the schematics and opened them up to see what they look like)
● Once the device was taken apart he was successfully able to get the combo
● Not practical because of physical security
● There has been some interaction with the GOVERNMENT
● Everyone is asking him to do NDAs
● The company Kaba hasn’t been very excited about this research
● GSA said that further research on the X-10 is not needed as what errors he has found (in the design) are also in the X-10

More Keys Than A Piano: Finding Secrets In Publicly Exposed Ebs Volumes - Ben “benmap” Morris
● More info about the speaker: https://defcon.org/html/defcon-27/dc-27-speakers.html#Morris
● Slides are on the Media Server.

Harnessing Weapons of Mac Destruction - Patrick Wardle
● More info about the speaker: https://defcon.org/html/defcon-27/dc-27-speakers.html#Wardle
● Slides are on the Media Server.

*Are Your Child’s Records at Risk? The Current State of School Infosec - Bill Demirkapi
● More info about the speaker: https://defcon.org/html/defcon-27/dc-27-speakers.html#Demirkapi
● Just turned 18 and has been doing web application system (3 years of research)
● Follett Student Information System (aka Aspen) [many schools in MA and RI]
● Also looked at Blackboard Community Engagement (notifications) [10x the number of schools than Follett]
● Review of his research - XSS Filter Bypass (in Aspen), Improper Access Control (based on the Spring Framework Objects in Aspen), External XML Entity Inclusion (XXE) (in Aspen) [payloads could be sent in XML]
● Because of Improper Access Control you could basically read and write any of the key student fields including weighted GPA
● Other flaw was that Blackboard had Django set up in debug mode on some of the subdomains. So there was a lot of info in the error messages including Jenkins API Token + 27 Apple Apple Provision + database credentials
● Blackboard also has a bunch of SQL Injection issues.
● Slides are not on the Media Server.
● Reviewed how he did disclosures (a lot of issues, got suspended, etc.)

How Deep Learning Is Revolutionizing Side-Channel Cryptanalysis - Elie Bursztein, Jean Michel Picod
● More info about the speakers: https://defcon.org/html/defcon-27/dc-27-speakers.html#Bursztein
● Slides are not on the Media Server but are posted at https://elie.net/talk/a-hackerguide-to-deep-learning-based-side-channel-attacks/

Practical Key Search Attacks Against Modern Symmetric Ciphers - Daniel “ufurnace” Crowley, Daniel Pagan
● More info about the speakers: https://defcon.org/html/defcon-27/dc-27-speakers.html#Crowley
● Slides are not on the Media Server

*MOSE: Using Configuration Management for Evil - Jayson Grace
● More info about the speaker: https://defcon.org/html/defcon-27/dc-27-speakers.html#Grace
● Slides are on the Media Server.
● Review of CM tools
● How CM tools can be used for “evil”
● Releasing a new tool called MOSE (puppet and chef support)
● Post exploitation (PE) is his favorite part of doing penetration testing and these tools are geared at making PE better
● Some stories of getting into systems via Docker to Jenkins to Puppet (got in to 100s of systems)
● Getting control of a CM Tool can lead to many other exploits (scheduled persistence)
● MOSE (Master of SErvers) - Sandia Labs (previous employer) [MOSE sits in front of CM Tools, reduces learning curve]
● Review of how to use the tool/workflow/CONOP

Change the World, cDc Style: Cow tips from the first 35 years - Joseph Menn, Peiter Mudge Zatko, Chris Dildog Rioux, Deth Vegetable, Omega
● More info about the speakers: https://defcon.org/html/defcon-27/dc-27-speakers.html#Menn
● Slides are on the Media Server.

100 Seconds of Solitude: Defeating Cisco Trust Anchor With FPGA Bitstream Shenanigans - Jatin Kataria, Rick Housley, Ang Cui
● More info about the speakers: https://defcon.org/html/defcon-27/dc-27-speakers.html#Kataria
● Slides are not on the Media Server.

Relaying Credentials Has Never Been Easier: How to Easily Bypass the Latest NTLM Relay Mitigations - Marina Simakov, Yaron Zinar
● More info about the speakers: https://defcon.org/html/defcon-27/dc-27-speakers.html#Simakov
● Slides are on the Media Server.

Please Inject Me, a x64 Code Injection - Alon Weinberg
● More info about the speakers: https://defcon.org/html/defcon-27/dc-27-speakers.html#Weinberg
● Slides are on the Media Server.

*I Know What You Did Last Summer: 3 Years of Wireless Monitoring at DEF CON - d4rkm4tter (Mike Spicer)
● More info about the speaker: https://defcon.org/html/defcon-27/dc-27-speakers.html#d4rkm4tter
● Slides and a video are on the Media Server.
● Fan of kismet (tool)
● Background on wardriving (starting 2000 and then there was a bunch of research in 2015, 2016, 2017+)
● 2015 -- Collected data on 2 channels
● 2016 - 12 sensors monitoring 48 radios
● 2017 - 25 Hak5 covering 50 total channels … major collection
● Def Con wireless is the most dangerous network in the world - connected world (IoT - more WIFI devices) -- and all these dangerous applications (API) - VPN/proxy
● 2018-2019 -- 1.1 TB (also captured at new locations)
● Review of current network tools - you got the data, what are you going to do with it?
  ○ Networkminer, Wireshark, Kismet WebUI, Kismet DB, PCAPinator (Python 3 tool)
● PCAPinator tool released (on GITHUB) [runs a bunch of tsharks]
  ○ https://www.wireshark.org/docs/man-pages/tshark.html
  ○ Demo video (makes processing 5)
● Good review of what happened at DEF CON last year (wigle.net) -- SSID tracking
● MAC address over time (per conference visit)
● There are wireless attacks going on (Deauthentication) - these are randomizing MAC addresses.
  ○ Also KRACKS (not easy to confirm by just doing passive monitoring)
  ○ PINEAPPLE
  ○ Man-In-The-Middle
  ○ SSID manipulation
● Leaked info
  ○ Wall of Sheep (funny stuff)
  ○ Api.met.no (leaking information that was in the clear)
  ○ Accu-weather (also leaking info)
  ○ Dellsupportcenter (Windows) leaked info
● DNS is not encrypted
  ○ SLACK subdomains (easy to see projects that might not want to be public?)
● LTE* research
● Suggestion
  ○ Do not do auto-connect
  ○ Use a VPN

Surveillance Detection Scout - Your Lookout on Autopilot - Truman Kain
● More info about the speaker: https://defcon.org/html/defcon-27/dc-27-speakers.html#Kain
● Slides and a video demo are on the Media Server.

The JOP ROCKET: A Supremely Wicked Tool for JOP Gadget Discovery, or What to Do If ROP Is Too Easy - Dr. Bramwell Brizendine, Dr. Joshua Stroschien
● More info about the speakers: https://defcon.org/html/defcon-27/dc-27-speakers.html#Brizendine

Poking the S in SD cards - Nicolas Oberli
● More info about the speaker: https://defcon.org/html/defcon-27/dc-27-speakers.html#Oberli
● Slides and video demo are available on the Media Server.

Can You Track Me Now? Why The Phone Companies Are Such A Privacy Disaster - U.S. Senator Ron Wyden
● More info about the speaker: https://defcon.org/html/defcon-27/dc-27-speakers.html#Wyden
● Slides are not available on the Media Server.
● White Hats make the country safer.
● Backdoors for encryption (will leave America less safe)

Breaking The Back End! It Is Not Always A Bug. Sometimes, It Is Just Bad Design! - Gregory Pickett
● More info about the speaker: https://defcon.org/html/defcon-27/dc-27-speakers.html#Pickett
● Slides and video are on the Media Server.

Re: What’s up Johnny?—Covert Content Attacks on Email End-to-End Encryption - Jens Müller
● More info about the speaker: https://defcon.org/html/defcon-27/dc-27-speakers.html#M%C2%B8ller

Saturday, August 10, 2019

Weaponizing Hypervisors to Fight and Beat Car and Medical Devices Attacks - Ali Islam, Dan Regalado (DanuX)
● More info about the speakers: https://defcon.org/html/defcon-27/dc-27-speakers.html#Islam
● Slides are not on the Media Server

Rise of the Hypebots: Scripting Streetwear - finalphoenix
● More info about the speaker: https://defcon.org/html/defcon-27/dc-27-speakers.html#finalphoenix
● Videos and slides are on the Media Server
● Recommended:
  ○ Adding entropy into your system does not mean introducing unreliability
  ○ Measure unpredictability and use that data to limit bots
  ○ Encrypt everything

*Information Security in the Public Interest - Bruce Schneier
● More info about the speaker: https://www.defcon.org/html/defcon-27/dc-27-speakers.html#Schneier
● No slides / just a talk
● Going dark problem (going on for years)
● A lot of politics - law enforcement
● Key Escrow
● Vulnerability Findings
● Making “better” backdoors
● Surveillance capitalism
● Obfuscation
● Tech vs. Human culture (two worlds?) -- going on since 1959
● Technology (no liability for software, male dominated, Libertarian ethos of Silicon Valley, moves fast, democratic, is embedded all over our lives, our infrastructure) → affecting the “real” world (physical, financial)
● Do you have a choice: Internet, smart phone, email?
● Policies (Airlines, Healthcare, National Security, etc…)
● Internet Security is now even more important (can’t get the tech wrong)
● We need public sector technologists (politicians don’t know enough - lobbyists will provide what only benefits them)
● These are at the staff level, not the actual politician
● What he is looking for: FORD FOUNDATION has a definition
● Policy discussions - U.S. made only cell phones (what would it cost)
● Can we create a secure system with secure hardware?
● We are responsible for the world created by technology.
● We still have a lot of power - it is still our attention
● Robots, Drones, Healthcare, etc. - have technology and policy issues needing more in tech to be helping politics
● Government vs. Commercial (who is in control of your technology)
● Last century - policy was really made at the “economic” level

EDR Is Coming; Hide Yo Sh!t - Michael Leibowitz, Topher Timzen
● More info about the speakers: https://www.defcon.org/html/defcon-27/dc-27-speakers.html#Leibowitz
● Slides are on the Media Server

Your Car is My Car - Jmaxxz
● For more info about the speaker: https://www.defcon.org/html/defcon-27/dc-27-speakers.html#Jmaxxz
● Slides are on the Media Server

*HAKC THE POLICE - Bill Swearingen
● For more info about the speaker: https://www.defcon.org/html/defcon-27/dc-27-speakers.html#Swearingen
● “Zombies Ahead” + Hacker Space + DEFCON Parties
● 15 years of DEF CON (give more back) -- from KC -- HA/KC/ER
● Slides at https://bit.ly/23police
● Lesson Learned - Don’t admit to a national media outlet that you created something and sold something that is a Federal offense.
● Question -- What is radar? How can I avoid speed tickets?
● Doppler Effect of sound waves (RADAR) - sent, reflected, and received
● Radar measures speed (microwave / RF)
● Some of the advanced radar devices can track multiple cars and tell you what lane you are in.
● Review of the bands of radar gun frequencies (X, K (most), and Ka) -- Ku (Europe) = Ka
● Hot Wheels has a radar gun that is “modifiable”
● Demo: Moving at him and he gets a 0 mph, and then sets speed and shoots the speed at the radar gun (111 mph)
● He has calculated what it takes to send a microwave GHz - 65 miles per hour
● Can’t go 65 miles per hour in a school zone … Google Map’s API will tell you the speed limit (so you can change automatically your “speed”)
● Review of the hardware prototype … about $700
● But … it is a FCC Federal Offense = $50,000 (you can’t advertise them or sell them or use them)
● What other legal countermeasures: RADAR detectors are really good (within 2 miles)
● Laser speed detector?
● Light spectrum is regulated by the FDA (Class 1 Laser - 904nm (Invisible IR) - like a laser pointer)
● Laser measures distance (Speed = Distance/Time)
● Review of laser jamming laws (illegal in California)
● Review of how laser guns work (good set of slides) - measure every 5 ms
● So we can send a signal back at 4 ms (or every 1 ms send a pulse) -- this creates an ERROR message on the laser gun (some countermeasures to these countermeasures)
● We can determine what laser gun is targeting you by its signal # per time (there are some commercial products available)
● Tool: Cotcha (previously released), now has NotchaCotcha (Laser Jammer) [won’t stop the high end laser guns]

Hacking Your Thoughts - Batman Forever meets Black Mirror - Katherine Pratt/GattaKat
● For more info about the speakers: https://www.defcon.org/html/defcon-27/dc-27-speakers.html#Pratt
● Slides are on the Media Server

Meticulously Modern Mobile Manipulations - Leon Jacobs
● For more info about the speaker: https://www.defcon.org/html/defcon-27/dc-27-speakers.html#Jacobs
● Slides are on the Media Server

How You Can Buy AT&T, T-Mobile, and Sprint Real-Time Location Data on the Black Market - Joseph Cox
● For more info about the speaker: https://www.defcon.org/html/defcon-27/dc-27-speakers.html#Cox
● Slides are on the Media Server

Defeating Bluetooth Low Energy 5 PRNG for Fun and Jamming - Damien Cauquil (virtualabs)
● For more info about the speaker: https://www.defcon.org/html/defcon-27/dc-27-speakers.html#Cauquil
● Slides and video are on the Media Server

*Why You Should Fear Your “mundane” Office Equipment - Daniel Romero, Mario Rivas
● For more info about the speakers: https://www.defcon.org/html/defcon-27/dc-27-speakers.html#Romero
● Slides are on the Media Server
● Focus on medium-size enterprise printers (main vendors)
● Big attack vector (corporate network, not upgraded very often, shadow IT, etc.)
● HP says their printers are the “most secure”
● Attack surface overview along with their methodology for search
● Tools: Sulley Fuzzer, BooFuzz (now have Fuzzowski (new) -- Python3 based)
● Included a Demo of Fuzzowski
● Review of their hardware secure bypass with physical access (easy to swap out complete firmware and embedded software).
● Documented and demoed a host of web-based application vulnerabilities
● Also determined a bunch of hidden functionalities like very specific logs that leak a lot of information.
● Complete review of all their CVE research (tools, approach, challenges, etc.)

Zombie Ant Farm: Practical Tips for Playing Hide and Seek with Linux EDRs - Dimitry Snezhkov
● For more info about the speaker: https://www.defcon.org/html/defcon-27/dc-27-speakers.html#Snezhkov
● Slides are on the Media Server

RACE - Minimal Rights and ACE for Active Directory Dominance - Nikhil Mittal
● For more info about the speaker: https://www.defcon.org/html/defcon-27/dc-27-speakers.html#Mittal
● Slides are on the Media Server

GSM: We Can Hear Everyone Now! - Campbell Murray, Eoin Buckley, James Kulikowski
● For more info about the speakers: https://www.defcon.org/html/defcon-27/dc-27-speakers.html#Murray
● Slides are on the Media Server

*Tag-side attacks against NFC - Christopher Wade
● For more info about the speaker: https://www.defcon.org/html/defcon-27/dc-27-speakers.html#Wade
● Slides are on the Media Server
● Review of what NFC does (payment, access, etc.)
● ISO-14443 (13.56 MHz)
● Overview of the protocol and how these are implemented including detail on encryption, and authentication (Crypto-1)
● Created a passive sniffer
● Wanted to also create the smallest/simplest NFC tag (several slides review all the details)
● Looks at the crypto issues and how they can be attacked
● Demo

SSO Wars: The Token Menace - Alvaro Muñoz, Oleksandr Mirosh
● For more info about the speaker: https://www.defcon.org/html/defcon-27/dc-27-speakers.html#Munoz
● Slides are on the Media Server

SELECT code_execution FROM * USING SQLite; -- Gaining code execution using a malicious SQLite database - Omer Gull
● For more info about the speakers: https://www.defcon.org/html/defcon-27/dc-27-speakers.html#Gull
● Slides and demo video are on the Media Server

*I’m on your phone, listening - Attacking VoIP Configuration Interfaces - Stephan Huber, Philipp Roskosch
● For more info about the speakers: https://www.defcon.org/html/defcon-27/dc-27-speakers.html#Huber
● Slides are on the Media Server
● There are a lot of phones, and the phones have Web APIs
● Network segmentation is not always set up right and phones are Internet accessible
● Many of the base OSes are Linux-based
● Focus on attacking the web server first and then move to Extracting Firmware for attacking via emulation
● Slide 19 has a list of tools they use
● There is potential for creating a Denial Of Service (DoS) … nmap can kill MiTel phone for 30 minutes, there is a “curl” command on Cisco 7821 that causes the phone to reboot (5 minutes of DoS)
● Akuvox R50 will allow you to dump all their configuration files and there is a way to decrypt the system admin password (it is also in the firmware in the clear)
● They listed a bunch of phone companies that I’ve never heard of (total of 33 reviewed)
● Good demo on changing an Admin password to what the attacker wanted
● Review of some of the services on some phones including telnet with older crypto like DES
● Many of these services are running as ROOT
● Command injection was found on many phones (diagnostic)
● Good list of recommendations for deployment and developers
● Some of the “new” VoIP phones are moving to Android (which could be good but … research is still TBD)

Zero bugs found? Hold my Beer AFL! How To Improve Coverage Guided Fuzzing and Find New 0days in Tough Targets - Maksim Shudrak
● For more info about the speaker: https://www.defcon.org/html/defcon-27/dc-27-speakers.html#Shudrak
● Slides are on the Media Server

Next Generation Process Emulation with Binee - Kyle Gwinnup, John Holowczak
● For more info about the speakers: https://www.defcon.org/html/defcon-27/dc-27-speakers.html#Gwinnup
● Slides and video are on the Media Server

Get Off the Kernel if You Can’t Drive - Jesse Michael, Mickey Shkatov
● For more info about the speakers: https://www.defcon.org/html/defcon-27/dc-27-speakers.html#Michael
● Slides are on the Media Server

*Reverse-Engineering 4g Hotspots for Fun, Bugs and Net Financial Loss - g richter
● For more info about the speaker: https://www.defcon.org/html/defcon-27/dc-27-speakers.html#g%20richter
● Slides are on the Media Server
● Overview of the talk (two routers are examined)
● 5G is coming (more of these devices coming)
● There aren’t many businesses building these (the insides could all be very similar)
● They are embedded computers and finding issues is pretty easy
● Review of how TCP/UDP/IP connect to APNs
● There are a bunch of services - web interface (RCE via TCP/UDP and RCE via SMS/SMS if you know the phone)
● Can you get SHELL on the router (what can you do really? … USB root via physical access?) … reboot wipes out access
● Review of his hacking methodology
● ZTE MF9210 (China) -- end of life, cheap, common software (same bugs in 9220, etc.)
  ○ Review of hardware
  ○ Test pins
  ○ Micro-USB connection
  ○ There are a bunch of known-knowns (do your open source research)
  ○ Default passwords
  ○ Basic Linux architecture
  ○ A lot of basic troubleshooting features are still on the device
  ○ Some iptables rules but some services are still exposed
  ○ Review of many of his attacks and findings in the slides
● Netgear Nighthawk M1 (new)
  ○ Russian high-end antenna and heat sink community
  ○ Their bug bounty program is “hard” - costs are low
  ○ Review of the hardware (USB C, etc.)
  ○ No open source info - there is a thread on a Russian site
  ○ Everything looks encrypted
  ○ Small network profile
  ○ Based on Sierra Wireless technologies
  ○ Test ports are actually JTAGs … with no docs it is not a great attack vector
  ○ AT shell on USB is very limited (telnet 192.168.1.1 5510)
  ○ Encryption ended up with XOR and AES in ECB (using generic Sierra Wireless file structure)
    ■ There is a script he wrote to decrypt
    ■ Once decrypted he has a massive file listing BOOT, LINUX, ANDROID
  ○ Some bugs:
    ■ Command injection example
    ■ Introspection.html (gives you all the parameters)
    ■ CSRF Bypass -- NetgearStrings.js (with secToken)
    ■ You could chain these (guess admin password)
    ■ Reported Feb but not sure when they fix (if at all)
  ○ There is a bunch of “unofficial Qualcomm tools” to research
  ○ https://ptp.sh/dc27-4g

State of DNS Rebinding - Attack & Prevention Techniques and the Singularity of Origin - Gerald Doussot, Roger Meyer
● For more info about the speakers: https://www.defcon.org/html/defcon-27/dc-27-speakers.html#Doussot
● Slides are on the Media Server

.NET Malware Threats: Internals And Reversing - Alexandre Borges
● For more info about the speaker: https://www.defcon.org/html/defcon-27/dc-27-speakers.html#Borgess
● Slides are on the Media Server

Reverse Engineering 17+ Cars in Less Than 10 Minutes - Brent Stone
● For more info about the speaker: https://www.defcon.org/html/defcon-27/dc-27-speakers.html#Stone
● Slides and demo video are on the Media Server

*NOC NOC. Who’s there? All. All who? All the things you wanted to know about the DEF CON NOC and we won’t tell you about - The DEF CON NOC
● For more info about the speakers: https://www.defcon.org/html/defcon-27/dc-27-speakers.html#NOC
● Slides are not on the Media Server
● Trust no one network
● Last one was DC19
● Review of all the team members
● Using Aruba for network wifi
  ○ Our customers (Wired and Wireless - 30K attendees)
  ○ Back in the day (Get started on Sunday and have it ready on Thursday)
    ■ NOC Setup / MDF / IF Connections / Firewall … etc.
  ○ This year they started the Thursday before last
  ○ Pre-Con Wireless walk through - Site Visit, RF Predictive Planning ( https://www.ekahau.com/products/ekahau-site-survey/overview/ ), Drop Map, …
  ○ RF tools / Console cables
  ○ Aruba 7210, 7005 as the big boy
  ○ DefCon-Open vs. DefCon (2.4 GHz vs. 5 GHz) - with and without encryption
  ○ WiFi Reg - opens up a week before
  ○ New stuff: WIFI Stands, Chromebook Profile, better Linux instructions, Android App
  ○ Challenges: patching, cable runs, drop quantities, PoE, AP mounting, room changes
  ○ PEAP is secure (TLS is session by session), feature WPA3, OWE (new technology)
  ○ IPv6? - No … secured? Need to upgrade all their hardware to do it securely.
  ○ 802.11R (roaming) -- off -- but it has some security issues
  ○ Management frame - off - but it doesn’t have good support on clients
  ○ How much attacking is going on? Spoofing a casino network. PGP hijack. Upstream provider issues. Speaker presentation demos. Attacking other companies gets EGRESS blocked. Ping 8.8.8.8. WIFI spoofing attack. Clone the “Defcon” network (not a good idea … they can find you).
● Planning is 8 months out. Where is the next Def Con going to be? That can drive decision making.
● Review of the network
● Legends of NOC: cover the grill! - things have changed (more professional now, better hardware)

Confessions of a Nespresso Money Mule: Free Stuff & Triangulation Fraud - Nina Kollars (Kitty Hegemon)
● For more info about the speakers https://www.defcon.org/html/defcon-27/dc-27-speakers.html#Kollars
● Slides are on the Media Server

Vacuum Cleaning Security: Pinky and the Brain Edition - jiska, clou (Fabian Ullrich)
● For more info about the speakers
● Slides are on the Media Server

Unpacking Pkgs: A Look Inside macOS Installer Packages And Common Security Flaws - Andy Grant
● For more info about the speaker https://www.defcon.org/html/defcon-27/dc-27-speakers.html#Grant
● Slides and videos are on the Media Server

Go NULL Yourself or: How I Learned to Start Worrying While Getting Fined for Other’s Auto Infractions - droogie
● For more info about the speaker https://www.defcon.org/html/defcon-27/dc-27-speakers.html#droogie
● Slides are on the Media Server

Apache Solr Injection - Michael Stepankin
● For more info about the speaker https://www.defcon.org/html/defcon-27/dc-27-speakers.html#Stepankin
● Slides are on the Media Server

Sunday, August 11, 2019

*Backdooring Hardware Devices By Injecting Malicious Payloads On Microcontrollers - Sheila Ayelen Berta

● For more info about the speakers
● Slides and videos are on the Media Server
● Review of differences between processors, microprocessors and microcontrollers
● Review of current hacks from the last year
● Raspberry Pi (microprocessor) vs. Arduino Uno (microcontroller)
● Microcontrollers are very “job”-specific
● Review of history of microcontrollers
● Review of where microcontrollers are being used
● All microcontrollers need to be programmed (assembly or C) -> HEX file -> manufacturer installer -> microcontroller
● Tool: MPLAB X IDE -> Microchip programmer hardware (tools from vendor)
● These tools can be used to get code off of an existing microcontroller
● Review of how to do a memory dump, after which you can read the program memory
● Review of how to re-program (including how to re-adjust the checksums to avoid errors)
● Example of injecting into a car’s ECU (microcontroller) - video - outcome was bad for the car
● Review of attack #2 (timer based functions)
● Working on a tool to be released soon
● Review of attack #3 (stack focus)

Adventures In Smart Buttplug Penetration (testing) - smea
● For more info about the speaker https://www.defcon.org/html/defcon-27/dc-27-speakers.html#smea
● Slides are on the Media Server

Hacking WebAssembly Games with Binary Instrumentation - Jack Baker
● For more info about the speaker https://www.defcon.org/html/defcon-27/dc-27-speakers.html#Baker
● Slides and demo video are on the Media Server

Your Secret Files Are Mine: Bug Finding And Exploit Techniques On File Transfer App Of All Top Android Vendors - Xiangqian Zhang, Huiming Liu
● For more info about the speakers https://www.defcon.org/html/defcon-27/dc-27-speakers.html#Zhang
● Slides are on the Media Server

The ABC of Next-Gen Shellcoding - Hadrien Barral, Rémi Géraud-Stewart, Georges-Axel Jaloyan
● For more info about the speakers https://www.defcon.org/html/defcon-27/dc-27-speakers.html#Barral
● Slides and videos are on the Media Server

*SDR Against Smart TVs: URL and Channel Injection Attacks - Pedro Cabrera Camara
● For more info about the speaker https://www.defcon.org/html/defcon-27/dc-27-schedule.html
● Slides and videos are on the Media Server
● Review of Hybrid Broadcast Broadband Television (history - make TV interactive for advertising)
● Review of Distribution Network (including remote input)
● Review of DVB-T (specification - some differences between countries)
● Hardware can be built-in or added via USB card
● Some history on previous TV hijacking attacks & Smart TV attacks
● Review of attack #1 (DVB-T Channel Hijacking) -- play a ‘bad’ video file through ffmpeg to display the bad content (video demo)
● Review of attack #2 (TV antenna facility attack) -- how is it distributed? Like a residential building (with TV splitters and TV amplifier)
● Review of attack #3 (how to do miniaturization and figure out drone deployment method). Need something that is under 300 grams … demo video posted on Media Server
● Review of attack #3 (Web interfaces - both the web browser on the TV and the web server on the TV) - tool review (4 shells) - track what you are watching (demo video)
● Review of attack #4 (social engineering attacks) - I have been upgraded, can you tell me what your WiFi password is? (demo video)
● Review of attack #5 (turn the TV into a bitcoin miner) (demo video)
● Review of attack #6 (hook user browser - metasploit)
● These types of attacks can be applied to GPS, mobile networks

Exploiting Qualcomm WLAN and Over The Air - Xiling Gong, Peter Pi
● For more info about the speakers https://www.defcon.org/html/defcon-27/dc-27-speakers.html#Gong
● Slides and videos are on the Media Server

Say Cheese - How I Ransomwared Your DSLR Camera - Eyal Itkin
● For more info about the speaker https://www.defcon.org/html/defcon-27/dc-27-speakers.html#Itkin
● Slides and videos are on the Media Server

*I’m In Your Cloud... Pwning Your Azure Environment - Dirk-jan Mollema
● For more info about the speaker https://www.defcon.org/html/defcon-27/dc-27-speakers.html#Mollema
● Slides are on the Media Server
● Review of Azure AD (cloud active directory) - Office 365
● Compare Azure AD to Active Directory (they are actually really different sets of technologies)
● Interacting with Azure AD (reviewed in several slides) - several PowerShell modules
● Look into the APIs as the best set of reference material (but there are several places to look)
● Review of the architecture (Azure vs. Azure AD vs. Office 365) - roles (admins) - new roles were announced last week (need some more research)
● There are “applications” in Azure AD (review of the concept in several slides) including: 3rd party applications, internal apps from Microsoft (Office 365)
● Application privileges (can include delegated) (covered in several slides)
● Review of a couple of examples of vulnerabilities (logs are not as good as you’d expect)
● Review of authentication options including phone call with a # (recorded # in voice mail)
● Review of Azure AD Connect (to your on-premise AD) - updates, sync, application level accounts
● Need to look into how you configure this connection (passwords, sync, privileges, etc)
● Azure DevOps (tool) - pipelines (review of adconnectdump tool that he wrote - using the DevOps tool from Microsoft) - review of privilege escalation (on several slides and video demo)

Malproxying: Leave Your Malware at Home - Hila Cohen, Amit Waisel
● For more info about the speakers https://www.defcon.org/html/defcon-27/dc-27-speakers.html#Cohen
● Slides and video demos are on the Media Server

HTTP Desync Attacks: Smashing into the Cell Next Door - albinowax
● For more info about the speaker https://www.defcon.org/html/defcon-27/dc-27-speakers.html#albinowax
● Slides and demo videos are on the Media Server

Help Me, Vulnerabilities. You’re My Only Hope - Jacob Baines
● For more info about the speaker https://www.defcon.org/html/defcon-27/dc-27-speakers.html#Baines
● Slides are on the Media Server

[ MI CASA-SU CASA ] My 192.168.1.1 is Your 192.168.1.1 - Elliott Thompson
● For more info about the speaker https://www.defcon.org/html/defcon-27/dc-27-speakers.html#Thompson
● Slides and videos are on the Media Server

*Sound Effects: Exploring Acoustic Cyber-weapons - Matt Wixey
● For more info about the speaker https://www.defcon.org/html/defcon-27/dc-27-speakers.html#Wixey
● Slides are on the Media Server
● Starts off with background of malware (Stuxnet, Conficker, medical implants, vehicles, etc)
● Harm is not usually directly on humans (flashing GIFs, etc)
● Review of sound as a weapon (what dB can hurt you and to what degree)
● Review of what you can hear (person to person, high (HFN) vs. low (LFN)) - Ultrasound
● Perceptions (big thresholds) - conscious vs. subconscious
● Review of HFN and LFN effects on humans (many slides)
● References on issues with previous research and caveats related to previous research
● There are some standards on how much HFN and LFN a human should be exposed to (but they don’t take into consideration age, sex, race, etc)
● Review of the concept of “weighting” (read the slides for details)
● Some research on HFN being used as covert communications channels (data exfil)
● You could disrupt echolocation devices with HFN (drones, cars, etc)
● FAQ - Brown Note, Paranormal experiences, US Embassy in Cuba
● The concept of propagation is key for understanding current research
● Built an experiment to have malware play sounds at levels that would have physical effect
● Review of attack scenarios and the types of devices used (see slides)
● Test environment (see slides)
● Review of what the malware did (see slides)
● They also tested the levels with headphones
● Could have tested HTML5 but didn’t (autoplay settings would need to be modified)
● Could you embed it into existing audio?
● Could you attack via voice mail or phone calls? [QUESTION]
● Review of measurements - checked to see if devices heat up plus several other key areas
● Results (see slides for devices that could reach the level where there is a threat)
● Smart speaker burned out (10 minute test; damaged at 2 minutes and at 6 minutes)
● Headphones were vulnerable to HFN and LFN attacks
● Slide on countermeasures (suggestions on how to mitigate - see slide)
● You can set up HFN/LFN monitoring of environments
● There is a Windows SoundAlert software that is going to be released to GitHub

Owning The Clout (aka Cloud) Through Server-Side Request Forgery - Ben Sadeghipour, Cody Brocious (Daeken)
● For more info about the speaker https://www.defcon.org/html/defcon-27/dc-27-speakers.html#Sadeghipour
● Slides are on the Media Server

Want Strong Isolation? Just Reset Your Processor - Anish Athalye
● For more info about the speaker https://www.defcon.org/html/defcon-27/dc-27-speakers.html#Athalye
● Slides are on the Media Server

Firmware Slap: Automating Discovery of Exploitable Vulnerabilities in Firmware - Christopher Roberts
● For more info about the speakers https://www.defcon.org/html/defcon-27/dc-27-speakers.html#Roberts
● Slides and videos are on the Media Server

Cheating in eSports: How to Cheat at Virtual Cycling Using USB Hacks - Brad Dixon
● For more info about the speakers https://www.defcon.org/html/defcon-27/dc-27-speakers.html#Dixon
● Slides are on the Media Server

*The Ether Wars: Exploits, counter-exploits and honeypots on Ethereum - Bernhard Mueller, Daniel Luca
● For more info about the speaker https://www.defcon.org/html/defcon-27/dc-27-speakers.html#Mueller
● Slides are on the Media Server
● Smart contracts (4 tools - 3 new - all open source)
● Review of Ethereum (blockchain network - distributed state machine: there are accounts (up and down), transactions, have to follow rules)
● Differences from Bitcoin - smart contracts, small programs, can’t be changed, immutable, instructions cost gas (paid in currency), there is a gas limit across Ethereum
● Review of symbolic execution
● Demos (on how contracts work)
● Doing these attacks on Mainnet there are protections in place - Frontrunning Bot
● Tool review: Karl (mass scanner) and Theo (exploitation framework) [both focused on finding weak contracts]

Workshops

A complete list of workshops (instructor, topics, abstracts, etc) can be found online at: https://defcon.org/html/defcon-27/dc-27-workshops.html. The materials used in these workshops should be posted (if available) in: https://media.defcon.org/DEF%20CON%2027/DEF%20CON%2027%20workshops/.

1. Breaking and Pwning Docker Containers and Kubernetes Clusters
2. Modern Debugging^HWarfare with WinDbg Preview
3. Advanced Wireless Exploitation for Red Team and Blue Team
4. Pwning Serverless Applications
5. Reverse Engineering Android Apps
6. Purple Team CTF
7. Exploit Development for Beginners
8. Understanding and Analyzing Weaponized Carrier Files
9. Introduction to Cryptographic Attacks
10. Hack to Basics - x86 Windows Based Buffer Overflows, an introduction to buffer overflows.
11. An Introduction to Deploying Red Team Infrastructure
12. Hacking Wifi
13. Attacking Layer 2 Network Protocols
14. Functional Programming for the Blue Team
15. Finding Vulnerabilities at Ecosystem-Scale
16. Malware Triage - Analyzing The Modern Malware Delivery Chain
17. Mind the Gap Between Attacking Windows and Mac: Breaking In and Out of Protected MacOS environments
18. Hacking Wi-Fi for Beginners
19. Learning to Hack Bluetooth Low Energy with BLE CTF
20. Hacking the Android APK
21. Introduction to Reverse Engineering With Ghidra
22. Hands on Adversarial Machine Learning
23. Advanced Custom Network Protocol Fuzzing
24. Hacking Medical Devices
25. From EK to DEK: Analyzing Document Exploit Kits
26. Introduction to Sandbox Evasion and AMSI Bypasses
27. Defending environments and hunting malware with osquery
28. Constructing Kerberos Attacks with Delegation Primitives
29. Evil Mainframe Jr: Mainframe hacking from recon to privesc
30. Advanced Wireless Attacks Against Enterprise Networks
31. Hacking ICS: From Open Source Tools to Custom Scripts
32. Red Teaming Techniques for Electronic Physical Security Systems
33. Pentesting ICS 102
34. scapy_dojo_v_1
35. Writing custom backdoor payloads using C#
36. Analysis 101 for Hackers and Incident Responders

Demo Labs

There are a good number of demos provided at DEF CON that may be worth following up on in the future if their research matches your interests:
● https://defcon.org/html/defcon-27/dc-27-demolabs.html

Some of the highlights:

1. Antennas for Surveillance applications
2. Burpsuite Team Server for Collaborative Web App Testing
3. Chaos Drive, because USB is still too trustworthy
4. CIRCO: Cisco Implant Raspberry Controlled Operations
5. Burp Plugin: Cyber Security Transformation Chef (CSTC)
6. Go Reverse Engineering Tool Kit
7. Hachi: An Intelligent threat mapper
8. Browser extension to hunt low hanging fruits (Hacking by just browsing)
9. Rewanth Cool
10. Let's Map Your Network
11. Memhunter - Automated hunting of memory resident malware at scale
12. OSfooler-NG: Next Generation of OS fingerprinting fooler
13. OWASP Amass
14. PcapXray
15. PhanTap (Phantom Tap)
16. Simulation
17. PivotSuite: Hack The Hidden Network - A Network Pivoting Toolkit
18. QiLing
19. Shadow Workers: Backdooring with Service Workers
20. soFrida - Dynamic Analysis Tool for Mobile Apps with Cloud Backend
21. Srujan: Safer Networks for Smart Homes
22. USB-Bootkit – New Bootkit via USB Interface in Supply Chain Attacks
23. Vulmap: Online Local Vulnerability Scanners Project
24. WiFi Kraken – Scalable Wireless Monitoring
25. Zigbee Hacking: Smarter Home Invasion with ZigDiggity

Vendors

A complete list of vendors can be found here: https://www.defcon.org/html/defcon-27/dc-27-vendors.html.

Some highlights:
● https://www.defcononline.com/
● https://toool.us/equipment.html
● https://www.torproject.org/
● http://www.sparrowslockpicks.com/
● https://www.simplewifi.com/
● https://securitysnobs.com/
● http://www.rapid7.com/
● https://scamstuff.com
● http://nuand.com/bladeRF
● https://www.owasp.org/
● https://netool.io/
● https://shop.hak5.org/
● https://hackerwarehouse.com/
● https://www.attify-store.com/

Future Training Options

● The Hacker Dojo 10 Year Anniversary (hackerdojo.com/HD10) is from Oct 5-6, 2019 from 11am to 6pm in Santa Clara, California.
● University of Advancing Technology (UAT.EDU) offers degrees in Computer and Information Systems Manager & Research Scientist, Software QA Engineer, System Administration, Web Administrator, etc.
● Hardware Security Conference & Training in The Hague, Netherlands is September 23-27, 2019 (hardwear.io/netherlands-2019)
● ShellCon.io will be at the Crowne Plaza in San Pedro, California from Oct 11-12, 2019 www.shellcon.io

Post DEF CON News Coverage

● https://www.wired.com/story/atm-lock-hack-electric-leaks/
● https://hothardware.com/news/teen-hacker-discovers-bugs-in-education-software
● https://fortune.com/2019/08/10/america-needs-paper-based-ballots-for-the-2020-election-cyber-saturday/
● https://www.wired.com/story/gsm-decrypt-calls/
● https://www.cnet.com/news/that-4g-hotspot-could-be-a-hotbed-for-hackers/
● https://www.wired.com/story/teen-hacker-school-software-blackboard-follett/
● https://www.wired.com/story/darpa-voting-machine-defcon-voting-village-hackers/
● https://www.cnet.com/news/status-quo-on-voting-machine-security-represents-danger-to-democracy-senator-warns/
● https://www.wired.com/story/elevator-phone-phreaking-defcon/
● https://www.techradar.com/in/news/your-smart-speaker-could-be-transformed-into-an-acoustic-cyber-weapon-by-hackers
● https://threatpost.com/hack-of-a-canon-eos-80d-dslr/147214/
● https://www.livemint.com/technology/tech-news/zte-4g-hotspots-gateways-to-malicious-websites-report-1565593177062.html
● https://www.digitaltrends.com/cars/tesla-model-s-surveillance-detection-scout/
● https://www.zdnet.com/article/this-is-how-ransomware-could-infect-your-digital-camera/
● https://the-parallax.com/2019/08/12/defcon-biohackers-johnny-mnemonic-pegleg/
● https://www.wired.com/story/acoustic-cyberweapons-defcon/
● https://www.wired.com/story/smart-tv-drone-hack/