2016 Defcon Experience

written by Chris Griesemer

Once again I braved Defcon, the largest hacking convention held annually in Las Vegas with more than 16,000 attendees. The convention has grown so much, they now utilize convention rooms from two casinos: Balley’s and Paris Casino. Defcon has always been a great source to see the newest hacking techniques, and I encourage all IT professionals to go at least once.

Defcon Events and Villages

Since this was my 7th time to attend, I know what areas I like to see. One of my first stops is the lock picking village where people learn and test their skills at picking locks. Another favorite is Capture the Flag, a social engineering contest where volunteers step into a glass booth where we, the audience, can hear them but they can’t hear us as they try to call businesses on the phone and see what type of information they can get. The particular session I viewed had a gentleman in the booth convincing a CISCO technical support employee to tell him how they outsource janitorial services, where this employee was located and got her to type in a website he gave her. Keep in mind CISCO is a huge networking company that specializes in security hardware. It is surprising that even CISCO is susceptible to these hackers. After that, I went on to see the new car hacking village where two cars, dashboards completely torn apart, were on display so people could see how one could hack into a car computer and take over some of its functions, like braking.

Vulnerabilities for Your Keyboard and Mouse

One of the sessions I attended was by a security company called Bastille; their presentation was about how keyboards and mice are also susceptible to vulnerabilities and hacking. Certain keyboards and mice transmit data back and forth from the small transmitter plugged into a USB port and the actual keyboard or mouse. They explained how a radio device could intercept the signal of certain wireless keyboards. This allows the hacker to capture keystrokes of their victim but also inject keystrokes into the computer without the victim knowing about it. Injecting keystrokes is dangerous enough but they also determined scripts could be injected opening up the possibility for malware and viruses to be transmitted to a computer from hundreds of feet away.

Bastille determined this could be done because these keyboard companies were not encrypting the signal between the keyboard and the base transmitter that was plugged into the USB port. The same type of vulnerability could also affect certain mice. Using the same type of radio receiver, a hacker could gain access to the signal being transmitted by the mouse. Capturing the mouse signal was not as important as having the ability to also inject scripts into a victim’s computer from hundreds of feet away.

Mitigate Risk

So all of this is interesting but how the heck do you make sure this never happens to you? The best way to mitigate this risk is by going to Bastille’s website. They created a page that shows all the devices they have discovered to be targeted by this hack https://www.bastille.net/affected-devices Click here to read a previous year's recap. If you have any questions, please don’t hesitate to email or call Chris Griesemer 417-881-0145.