The phrase I saw and heard over and over again while talking to other journalists and security researchers about the Def Con hacker convention was “hostile environment.” Not physically hostile; the attendees and staff were extremely nice. The hostility was digital. The hackers and security researchers are there to present vulnerabilities within the systems we rely on. But there’s a tinge of mischief that permeates the event. Because of that, everyone that attends is fair game for hacking. That meant taking certain precautions that I wouldn’t regularly take while covering an event. And, since it would be my first time covering Def Con (or any hacker conference for that matter), I felt especially vulnerable. Everyone loves to haze the n00bs; that’s just human nature. So here is how I prepared for, attended and (I’m pretty sure) survived Def Con 23.
Saturday, August 1st:
It’s the Saturday before Def Con and after chatting with security researchers and getting a very helpful email from Violet Blue, I’ve learned that no matter what, I should get a burner phone. I feel like I’m in The Wire, but without all the killing and awesome dialogue. The phone shouldn’t have my personal information or any of my usual accounts. Also, all wireless communications (WiFi, Bluetooth, NFC) should be shut off.
The recent Android vulnerability disclosures don’t leave me with much confidence in those devices. So I decide to go the route of security through obscurity with the BlackBerry Q10. I also figure that I need to take notes and grab a cheap (and old) Samsung Chromebook I have lying around the house.
Sunday, August 2nd:
I secure wipe both devices. I think. The BlackBerry’s Security Wipe takes forever so I assume it’s doing a pretty good job at deleting all my personal information and main BlackBerry account. The Chromebook’s Powerwash feature finishes pretty quickly and I’m fairly positive it’s not overwriting my data with zeros. I’m already getting lazy about security.
Then I find out I can’t do an OTA update of the BlackBerry. It’s important to keep all your devices up-to-date because vulnerability patches reside in those fancy updates you get that also drop new features. I finally figure out that I need to download a BlackBerry app onto my Mac and update the phone via USB. This ruins my plan to keep these burner devices from connecting to my work machines and adding an extra layer of security to my personal and work accounts. But it’s late Sunday night and I uncheck the box that syncs data between the phone and the computer and go for it.
When both devices are ready, I create burner Gmail and Twitter accounts. The Q10 also gets a burner BlackBerry account. I think I’m ready.
In addition to securing my devices, I also need to protect my credit cards and work gear while it’s back in the room. Wickr is nice enough to give me two Faraday sleeves to keep my cards and iPhone in while back in my room. But I still need to buy stuff while on the show floor. I’ve already been warned to bring cash to Vegas and that I should treat all the ATMs near Def Con as compromised. Still, not having my ID or credit cards with me while walking around Vegas seems like a bad idea. So I stop by a travel store and pick up an RFID-blocking wallet. I’m feeling pretty good about my wallet choice. Later on, not so much.
Thursday, August 6th:
Before I leave the house to catch my flight, I turn off WiFi on all my devices. While Vegas is definitely a hostile environment, it’s good to remember that hackers will also be flying to Def Con and hanging out in the airport. I’ve decided that everyone is a hacker. Even the really nice old couple that talked to me on the plane. Especially them, with their awesome stories socially engineering me to tell them what I do. I know your game!
After landing in Vegas, I immediately go to my room and shut down my iPhone and MacBook Air. The iPhone goes in a Faraday sleeve — the MacBook I just shove in my suitcase under my clothes. Even though I’m staying two miles from Bally’s, where Def Con is being held, I know attendees are staying in the same hotel so no free hotel WiFi for me.
Friday, August 7th:
When I wake up, I tether my MacBook to my MiFi and check in with Engadget home base. I assure them all via Slack that I have not been hacked (they don’t believe me) while I get ready to head to the convention for the day. Then I get the following iMessage from my wife’s account:
My wife has never sent me a message like this and I start to panic. Has my iCloud account been hacked? Has her account been hacked? She’s gonna be super pissed if her account gets hacked. I log in to iCloud and check her phone’s location. Okay, it’s where it’s supposed to be. I unplug my computer from the MiFi and shut it down. I call her and ask, “Did you send me a message that just said ‘Hi Robbie’?” She starts to giggle and says yes.
I feel like I’m being overly paranoid — then I find out later that there are folks spoofing cell towers. So maybe I’m just the right amount of paranoid. I also learn from an attendee whose job it is to build enclosures that keep items safe from wireless intrusion that my fancy RFID-blocking wallet isn’t very good. The words “shit design” are actually uttered. I also noticed during a presentation that a less-than-scrupulous attendee was peeping my keyboard whenever I typed my password. Yeah, I’m adequately paranoid and I change my password.
Saturday, August 8th:
I’ve been unable to get a strong mobile connection with my Verizon MiFi since Friday night. I have no idea why. I do know that tethering my BlackBerry Q10 with T-Mobile works fine. Later in the day, I wander into a talk about spoofing GSM towers, which amplifies my concern about the cell-tower spoofing I heard about the night before.
(Disclaimer: Verizon has acquired AOL, Engadget’s parent company. However, Engadget maintains full editorial control, and Verizon will have to pry it from our cold, dead hands.)
Still, I’ve started tethering my Chromebook to my BlackBerry during sessions. Both devices are burners and I’m connecting directly to the towers (I hope), so I’m feeling pretty safe. Okay, not really, but this is why I have these burner accounts. If they get hacked, it’s not that big of a deal.
Sunday, August 9th:
My hotel has free breakfast. I don’t feel like lugging my gear just to grab some complimentary scrambled eggs and lukewarm home-style potatoes. I also don’t feel comfortable leaving all my gear in my room. I’ve declined all housekeeping attempts because I don’t want anyone in my room. An open door is an invitation. So I attach a piece of tape to the door and doorjamb as I leave for food. When I return, the tape is still in place and hasn’t been broken. I’m currently at paranoia level: Howard Hughes.
Today I learn the word “juicejacked.” It’s when someone uses free device charging as a ruse to capture data off a phone. Wall of Sheep has placed a charging station for iOS and Android in its space and people actually used it. Most attendees know not to plug random thumb drives they find lying around into their computers. Apparently, a couple of them forgot that the charging port on their phone is also a data port. I’ll never plug my phone into one of those charging stations at the airport ever again.
Tomorrow, I’ll wipe the Chromebook and BlackBerry before they get access to any home or work wireless network and change all the passwords of accounts I accessed while at the conference. It’s like a shower after a marathon. It was a great experience, but now you just want to get some of the ickiness off of yourself and rest.
As I get ready to board my delayed flight back home, a woman calls her bank and reads off her date of birth and the last four digits of her social security number. A family sits down and they immediately plug their iPad into one of the charging stations. They are having difficulty signing into the airport’s free WiFi. I’m using my computer, but still tethering to the MiFi (Verizon seems to be working at the airport) and while I’ve placed my SIM back in my iPhone, Bluetooth and WiFi are still turned off.
This isn’t my new normal. I’ve taken extreme precautions because of the environment. But, back in the regular world where we’re not surrounded by hackers, there’s very little stopping nefarious folks from exploiting the vulnerabilities found in our everyday technology. The exploits disclosed at the event are shared with the offending companies before being made public. While the hostile digital environment of the event can be taxing, the people I met were incredibly nice and, like most of us, want a more secure world. The reality is that everyone is a target during Def Con so fewer of us will be a target the rest of the time.