DEF CON 27 (2019) Report Version 1A (2019-08-11)

POC: Steve Holden, [email protected], www.technewsradio.com, @technewsradio

LICENSE: Creative Commons Attribution-ShareAlike 4.0 International (CC BY-SA 4.0)

These are my own personal notes taken at DEF CON 27 (held in 2019). This includes notes from talks I attended in person (marked with a *), but also my analysis as time permitted of key information from select slides posted to: https://media.defcon.org

Starting in 2017, DEF CON stopped providing a Presentations CD with session material. See the DEF CON Media Server for a complete archive of material from the beginning of DEF CON 1.

Updated notes will be periodically posted as time permits. Corrections, suggestions, comments, etc. are welcome. I also have similar reports (1- total) from DEF CON 18, 19, 20, 21, 22, 23, 24, 25, & 26.

These notes will include links to external sites. Most of the sites have been validated, but there could be some issues. Use your best judgement.

A complete list of sessions and speakers can be found on the official HTML version of the DEF CON program: https://www.defcon.org/html/defcon-27/dc-27-schedule.html. A complete list of speakers and session abstracts is here: https://www.defcon.org/html/defcon-27/dc-27-speakers.html.

Document organization: Sessions (organized by date/time); Workshops; Demo Labs; Vendors; Training Options; and News Coverage (all the way at the end of the document).

Thursday, August 08, 2019: 101 Sessions (did not attend any of these):

● Exploiting Windows Exploit Mitigation for ROP Exploits - Omer Yair
  ○ https://defcon.org/html/defcon-27/dc-27-speakers.html#Yair
● Breaking Google Home: Exploit It with SQLite (Magellan) - Wenxiang Qian, YuXiang Li, HuiYu Wu
  ○ https://defcon.org/html/defcon-27/dc-27-speakers.html#Qian
● Are Quantum Computers Really A Threat To Cryptography? A Practical Overview Of Current State-Of-The-Art Techniques With Some Interesting Surprises - Andreas Baumhof
  ○ https://defcon.org/html/defcon-27/dc-27-speakers.html#Baumhof
● Intro to Embedded Hacking -- How you too can find a decade old bug in widely deployed devices. [REDACTED] Deskphones, a case study. - Philippe Laulheret
  ○ https://defcon.org/html/defcon-27/dc-27-speakers.html#Laulheret
  ○ Slides and demo video are on the Media Server
● Web2Own: Attacking Desktop Apps From Web Security’s Perspective - Junyu Zhou, Ce Qin, Jianing Wang
● DEF CON 101 Panel - Highwiz, Nikita, Will, n00bz, Shaggy, SecBarbie, Tottenkoph

Friday, August 9, 2019:

Behind the Scenes of the DEF CON 27 Badge - Joe Grand (Kingpin)
● Slides are on the Media Server:
  ○ https://media.defcon.org/DEF%20CON%2027/DEF%20CON%2027%20presentations/DEFCON-27-Joe-Grand-Badge.pdf
  ○ https://media.defcon.org/DEF%20CON%2027/DEF%20CON%2027%20presentations/DEFCON-27-Joe-Grand-The-DEFCON-27-Badge.pdf
● Link to speaker: https://defcon.org/html/defcon-27/dc-27-speakers.html#Grand

Hacking Congress: The Enemy Of My Enemy Is My Friend - Former Rep. Jane Harman, Rep. James Langevin, Jen Ellis, Cris Thomas, Rep. Ted Lieu
● Link to speakers: https://defcon.org/html/defcon-27/dc-27-speakers.html#Harman
● No slides on the Media Server

Behind the Scenes: The Industry of Social Media Manipulation Driven by Malware - Olivier Bilodeau, Masarah Paquet-Clouston
● Link to the speakers: https://defcon.org/html/defcon-27/dc-27-speakers.html#Bilodeau
● Slides are on the Media Server: https://media.defcon.org/DEF%20CON%2027/DEF%20CON%2027%20presentations/DEFCON-27-Masarah-Paquet-Clouston-Olivier-Bilodeau-The-Industry-of-Social-Media-Manipulation-Driven-by-Malware.pdf

*Duplicating Restricted Mechanical Keys - Bill Graydon, Robert Graydon
● More info on the presenters: https://defcon.org/html/defcon-27/dc-27-speakers.html#Graydon
● Good overview of how keys work and how they are traditionally copied and originally created
● “Restricted Key” - have additional “keyways”, sometimes horizontal (and most key copy places don’t have the machines to cut these)
● Interesting review of SCHLAGE logs and how they make 5 pin and 6 pin (including details on master keys)
● Review of 3D printing options
● They have built a scripting language and a database for capturing keyways and then making new keys using 3D printing
● Review of USPS keys and how they were “copied” in LA by thieves
● Stolen locks can be reverse engineered to build keys that can be used on locks using the same “keyways” (including determining the master key)
● Review of current vendors of locks (Master, Medeco)
● Some keyways can be purchased just for a specific facility (examination of just taking a photo of the lock and then reverse engineering the key)
● Deep dive in Medeco family of keys/locks (most Hacker spaces have the machines necessary to copy these keys)
● Some keys have two parts -- MUL-T-LOCK
● Review of a tool they bought on eBay for $100
● Getting some of these keys made is by presenting a “card” from the manufacturer. These can be forged very easily.
● Videos: https://media.defcon.org/DEF%20CON%2027/DEF%20CON%2027%20presentations/DEFCON-27-Bill-Graydon-Demo-Videos/
● Slides: https://media.defcon.org/DEF%20CON%2027/DEF%20CON%2027%20presentations/DEFCON-27-Bill-Graydon-Restricted-Keys.pdf

*Don’t Red-Team AI Like a Chump - Ariel Herbert-Voss
● More info about the speaker: https://defcon.org/html/defcon-27/dc-27-speakers.html#Herbert-Voss
● Slides are on the Media Server
● Review of how to make AI tactics (Tesla)
● Review of AI systems (data comes into a black box (model) and the output is a prediction)
● Model = recognize pixels to determine if there is a boat in an image
● What can be “broken” - Data (poison - supply chain attack), Model (need to know the type)
● Can you spoof the prediction? (confidence levels)
● Deep dive on how to fool an AI-powered video surveillance (good set of slides)
● Red Team AI means to “test” AI for vulnerabilities (Adversarial ML attacks)
● There was a recent attack on a virus detection system that compromised the “data supply chain”

The Tor Censorship Arms Race: The Next Chapter - Roger Dingledine
● More details on the speaker: https://defcon.org/html/defcon-27/dc-27-speakers.html#Dingledine
● Slides are on the Media Server

All the 4G Modules Could Be Hacked - Xiao Hui Hui, Ye Zhang, Zheng Huang
● More details on the speakers: https://defcon.org/html/defcon-27/dc-27-speakers.html#XiaoHuiHui
● Slides are on the Media Server

Evil eBPF In-Depth: Practical Abuses of an In-Kernel Bytecode Runtime - Jeff Dileo
● More details on the speaker: https://defcon.org/html/defcon-27/dc-27-speakers.html#Dileo
● Slides and extras are on the Media Server

Process Injection Techniques - Gotta Catch Them All - Itzik Kotler, Amit Klein
● More details on the speaker: https://www.defcon.org/html/defcon-27/dc-27-speakers.html#Kotler
● Slides and extras are on the Media Server

*Phreaking Elevators - WillC
● More details on the speaker: https://www.defcon.org/html/defcon-27/dc-27-speakers.html#WillC
● Slides are on the Media Server
● Speaker is a ‘high voltage’ expert and has been going to a lot of hacking conferences
● There is a HOPE talk about elevators (see)
● Elevator phones (who has used them)
● Disclaimer
● Push the button - dials a number
● They connect: POTS, VoIP, Cellphone
● Most are POTS (ADA/ASME17)
● Some phones will dial 911, maintenance elevator, OpenCNAM (elevator phone list has been posted)
● Social engineering - getting the phone number you are dialing from (and then you could call them back)
● Getting to independent service (restricted floors)
● How to program an elevator:
  ○ Site ID 2
  ○ Hangup *# or *0 0
  ○ Maybe connection to a PBX or other line concentrators
  ○ Most locations and elevators are unique
  ○ An elevator could have its own PBX (if you don’t get a full phone # you are probably on a PBX)
● Some elevators also connect into an emergency concentrator like those on a wall, and there are also intercom systems
● There are also Fire Fighters Phones (if you put a connector in, an alert is going to be sent)
● A lot of these elevators have manuals
● Some demos (you can do programming via key pad, switches, remote, code)
● There are default elevator phone passwords
● www.datagenetics.com/blog/september32012/index.html
● 900 # calling is charging $2.55 a minute (if you had a number you could rack up some fraud calls)
● Elevator numbers should be monitored: logging, alerting, etc.

Infiltrating Corporate Intranet Like NSA _Pre-auth RCE on Leading SSL VPNs - Orange Tsai, Meh Chang
● More info about the speakers: https://defcon.org/html/defcon-27/dc-27-speakers.html#Tsai
● Slides and videos are on the Media Server

API-Induced SSRF: How Apple Pay Scattered Vulnerabilities Across the Web - Joshua Maddux
● More info about the speaker: https://defcon.org/html/defcon-27/dc-27-speakers.html#Maddux
● Slides and video are on the Media Server

HackPac: Hacking Pointer Authentication in iOS User Space - Xiaolong Bai, Min (Spark) Zheng
● More info about the speaker: https://defcon.org/html/defcon-27/dc-27-speakers.html#Bai
● Slides are not on the Media Server (as of 8/9/2019)

HVACking: Understand the Difference Between Security and Reality! - Douglas McKee, Mark Bereza
● More info about the speakers: https://defcon.org/html/defcon-27/dc-27-speakers.html#McKee
● Slides are on the Media Server

*No Mas—How One Side-Channel Flaw Opens Atm, Pharmacies and Government Secrets Up to Attack - phar
● More info about the speakers: https://defcon.org/html/defcon-27/dc-27-speakers.html#phar
● Review of latest in electronic lock design and overview of the technology
