
everything I've seen in 20 years of running the security team at DEF CON, which, as you can imagine, has been crazy. Right, every possible insane thing you can imagine has happened, and some things you probably can't imagine. So, I've been hacking since the 80s. I was a member of the British hacking group Agents of a Hostile Power; in fact I was one of the founders. I was a member of the cDc's Ninja Strike Force. I organized HOPE and H2K early on. I was the only joint staff member between HOPE and DEF CON, which was challenging. And I'm not the head of network security at DEF CON, because there is actually a separate network team; I'm the head of security, which means we hit a lot more [ __ ].

My first DEF CON was at the Plaza, which was around DEF CON 6. I walked in, and the elevators to the Plaza Hotel opened, and inside the elevators were the satellite dishes from the roof of the hotel, riding up and down, and I thought: these are my people. I went upstairs, and they'd been remodeling the hotel and had these new smoke alarms installed, and they'd been putting a mark on the ceiling, and someone pulled one down and they were working out what to do with it. So they caught the elevator, threw it in the elevator, pressed down, and it goes down and then pulls every single smoke alarm off the ceiling all the way around the hotel. You can hear the pops as they're coming down. We had to escort Jeff Moss out of the hotel in a phalanx of people around him (Jeff Moss is the founder of DEF CON), because the hotel wanted to speak to him, the FBI wanted to speak to him, the police wanted to speak to him, and I'm sure quite a few other people as well. That was my first DEF CON.

You probably know my hacks more than you know me. So I hacked a ton of mobile phones. I used to work for Vodafone; I spent 10 years there. I developed the first mobile phone exploit, on an old Nokia feature phone. And I hacked Google Glass not long after it came out. That's actually one of the ones I'm most proud of: I developed an image that, if you looked at it with Google Glass, hacked Glass. I immediately wrote to Neal Stephenson and told him I've done Snow Crash.
Touch ID: I got into a race with Starbug from CCC. The race was who could hack Touch ID first. He had a four or five hour lead because of time zones. I hacked it within 12 hours and bypassed it. To be fair, it's one of those classic "if I have seen far it's because I've stood on the shoulders of giants" cases: I leveraged research done by a very, very bright Japanese researcher who had worked out how to build imitation fingerprints using molds made out of etched PCB boards, and I essentially copied the same technique. The only bit I added was I lifted a fingerprint off of a glass, duplicated it, used the mold, created it and owned it. And then when they brought out the updated version, which was I think the 6s, I hacked that after four hours. Improvement.

Oh, the Tesla Model S, that was fun. So I hacked it. It's actually two years before Chris and Charlie did theirs, but I spent two years working with Tesla trying to get them to fix the bugs, and we had a few face-offs over some other stuff, because all the bugs were ranked as medium or low; they didn't see them as important. Now the reality is the way we classify bugs is bad, and we have to think about this, because I can take a bunch of low bugs, and if each bug gives me an inch and I can use enough of them, I can take a mile. What happened in the case of the Tesla was I was able to leverage a bunch of very low rated bugs and then drive Elon's car with my iPhone. He wasn't impressed; he fired a CISO.

Face ID: almost. I can break facial recognition on Android, I can break it on Microsoft, and I'm this close to breaking it on Apple. Apple is actually super friendly about this; they've been talking to me, and they've built a really good system, but I know it can be broken, because I believe anything man makes, man can break, and that's something that all of you hackers also know.

And finally, I've been doing a lot of other car stuff, and tire pressure measurement systems are one of my play areas at the moment. And did you know military vehicles have a tire pressure measurement system that will also inflate the tires? You can spoof the signal to tell it that the tyre is deflated. None of the signal is encoded; it has a simple 32-bit up to 128-bit ID, so you know the frequency, you can transmit, you can replay, and if you transmit it says "I see nothing going on here", and if you keep transmitting it you can end up with a military vehicle with really big tires. They don't like that. And I'll also say, this is for another talk, but everything is going to change from 2020. I've been working deeply with a bunch of automotive industry bodies and on a few other expert areas, and between everybody who's been working on this, the car as you know it, the automotive world as you know it, is going to fundamentally change, which just means it's a whole new game.

So yeah, 20 years of hacking at DEF CON, I've seen a lot. Recruitment by the mob: they threw a party. They hired the Bellagio, the top floor of it, and threw a party, known by DEF CON staffers as the hookers and blow party, and they invited all of the young hackers they could find to come to this party, basically so that they'd get compromised, and unfortunately some people went. We
tried to spread the word, like, don't go, you're an idiot, but a few people went. That was a thing. Fake ATMs: that's a fake ATM that was found at DEF CON. It stopped working after a while, no idea why. Hacked hotel locks. Oh God. Last year, some of you may know, I resigned last year because of this. I was told I'm not allowed to resign; I was told by my entire department that if I resigned they would resign. But the challenge there was not only were the security people in the hotel going into rooms, which was bad, but they had implemented the most insane lock system using RFID. They're taking MIFARE cards, originally using MIFARE Classic, which is broken, and rather than bothering to just spend the extra 20 cents per card to move to the MIFARE Plus standard, which is more secure, they decided: we'll do away with keys completely. So all the data blocks on the card are left open, and instead they generate a hash using the room number, checkout information and a random nonce from the hotel. And I now have, I believe, enough cards (I've got about two and a half thousand, don't ask me how), and I'm going to build a rainbow table, and we'll have a look and see what we can find out. But the problem is it doesn't just affect the Caesars hotels; it affects the whole of Vegas. I stayed at MGM a few months ago, same deal. And what this means is, while it's difficult to make a new card to get into a room that you're not part of, because you have to know how to make the hash, copying a card, you can copy any card with the Proxmark in less than a second, because there's nothing stopping you. And so rooms were getting burglarized because people were copying maids' keys, accessing rooms and burglarizing. So when you hear about the confiscated soldering irons and things like that, no, that wasn't security, that was the thieves, and we have to solve that. So, more fun,
yeah, and obviously almost every kind of hack you can imagine. Every year I spend time trying to stop someone from going to jail because they heard something really cool and decided to play with it. Probably one of the saddest was: couple goes to Vegas, couple gets married in Vegas, and on their honeymoon night the husband decides to show off his skills and hacks an ATM in the middle of the casino floor, the casino floor which is the most surveilled piece of land in the world, and gets picked up within minutes, and he gets taken in, and they're deciding whether or not to prosecute. They call me, and my job is to talk them down, make sure he doesn't get prosecuted, because I don't like to see hackers go to jail. But then they say, well, we're going to trespass you at least, and they turn to his wife and say, but we're not going to trespass you, you can stay if you want. And she sat there for a minute and genuinely thought about it. I don't blame her.

Well, yeah, so the slides have gone a bit weird. But the public today is really aware of cyber security, right, way more than they ever were before. Part of that's because of the stuff we see on TV, part of that's because of the amount of breaches we have, but we have a really long way to go
because there's so much misinformation floating around and there's so much misconception, and it doesn't necessarily help. And the reality is, if we want to solve these problems, we as a community can solve these problems, but we need to arm the rest of the citizens with the tools to do this, because we can't scale; there often aren't enough of us to solve these problems. But if we can take people and arm them with at least the basic tools to solve the basic problems, then we can focus on the complicated problems. And the way we do that is we teach people to think like hackers, and that doesn't mean teaching them to be super technical. It means teaching them to be inquisitive. It means teaching them to challenge things. It means teaching them to think outside the box. And I think it's 100 percent doable, but, and I'll get to it in a minute, there's a big challenge there, and that's educational.

So this is just insane, right? The most simple hacks are the ones that bring everything down. Every breach you hear about, right, it's simple: it's a phishing attack, it's someone left a USB stick, it's someone inserted something into a network. We're not talking about APTs, we're not talking about cyber weapons, we're talking about stupidity. And yet company after company fall to this. Black Hat three years ago fell to USB sticks. When I say Black Hat I mean attendees at Black Hat. Some guy shows up, throws a bunch of USB sticks down at Black Hat, and you think, Black Hat, OK, this is a pretty savvy audience, right? No, they plugged them all into their laptops. The next day the guy shows up and redistributes more USB sticks, this time containing all the files he exfiltrated from the other people's laptops. And I'm not allowed to say how many federal agents got caught out. Bad. This: what happens in Vegas doesn't necessarily stay in Vegas. What happens in Vegas sometimes causes an international incident. Don't ask me about Area 51 and balloons. You can't really read this very well, but what this is, is a storm of
deauths. What happened last year was some smartass decided to use DEF CON as cover to do a heist. And so what they did was they got modified mobile devices, I believe they were Nexus 5s, but from the shots I didn't get a close look, and they tipped off the FBI that DEF CON's badge makers were issuing badges that would do deauths, and then they were deauthing the backhaul for some of the slot machines, because even though it's illegal for slot machines to have a wireless backhaul (they're supposed to be wired), some of them do, because they have to move them around. And so they were knocking these slot machines off the network and then man-in-the-middling them so they could put fake vouchers or replay vouchers through and just keep running and make money. Meanwhile the FBI and the hotel security are running around with these big yellow Flukes, and of course every time they see a guy looking like an official with a big yellow detection thing, they put the phone in the pocket and no one catches it. I grabbed Chris Paget and we went downstairs with a laptop running Ubuntu, picked up the biggest antennas we could find in the vendor area, and we sat in the bar and drank beer and captured this. And not only did we capture all of the deauth packets, but we also caught them logging into their S3 buckets and a few other things. Don't mess with my family.
[Applause] Things are moving faster all the time. It used to be that you would see vulnerabilities come out and sit around for years, and not much happened with them. But criminals have worked out how to monetize stuff, and the monetization is accelerating things. You see it in the malware world, like banking Trojans, where organizations set themselves up like enterprises and they turn money back into R&D and they churn out new pieces of malware all the time. Well, it's the same with hardware, and the good example here is the key fob relay attack. How many of you are familiar with it? OK. So the key fob you use to gain access to your car is just a radio device. It doesn't really have any special security other than the fact that it has a rolling code to authenticate. If you put a repeater between your key fob, which can be in your bedroom, and your car, which can be in a car park a few hundred meters away, you can relay the connection and your car opens and they drive off. They're now seeing 10 to 20 percent of vehicle thefts in San Francisco as a direct result of key fob attacks, because it's easy. And here's where it gets interesting: it was theorized in 2010, theorized but not even a proper prototype built, and then Unicorn Team built their first demo, I think in 2012, and then they built another demo in 2013 that cost $20 to make. That's the $20 version. Within six months of that, you can go onto various dark websites, you can go onto Google, and you can buy these devices for $100 a shot. So that's three years from theory to production and use by active criminals. So we're behind the curve, and somehow we have to get ahead of the curve.

I wanted to put up a picture of what the media thinks of hackers. Like, there are just some people here who really just aren't hackers, sorry. I have a bit of a beef with Julian Assange; I've known him for years, he's an [ __ ], sorry. Anyway, but this is what the media think we are, and that's a problem, because as long as they think we're like this you'll never get big enterprises or governments to really truly trust us. I work in the US and I work with the US government and I work with all sorts of folks. I even work with my own government, the UK government, through the US government, because I can't work with the UK government, because I'm a hacker and they don't trust me. Somehow we have to destroy this image that we are a bunch of [ __ ] and get people to realize that we can actually help solve problems, because until we do that we can't help solve some of the other bigger problems. And I'm incredibly proud to be speaking here, because Israel is one of the few countries I have seen that gets it, and that consistently turns out jaw-droppingly good cybersecurity professionals, with the exception of Gadi.
[Applause] This is why I did Mr. Robot. Really? A Cat5 from a jumbo jet into a Ferrari into a laptop? What? Really? Apparently they did it. I can't watch CSI: Cyber because I throw things at the TV. That's why I got into Mr. Robot, because I wanted to make sure the hacks on the TV didn't make me break things, and my wife fully endorsed it because she's tired of me breaking things and punching all of the stuff. And Mr. Robot, I see what they do is nothing special. They issue us a script, and instead of saying "and they do this and this happens", they leave a hole. They say "we would like this to happen", and I'm not the only expert; there are a team of experts, and we all get together and talk about stuff, and we theorize what the best way is to deal with this stuff, and we come up with the best hacks, and they don't always like it, because it's always really complicated. So for example they wanted Elliot to steal a Zipcar at one point, and you won't see it in the show because it didn't make the cut, because they didn't like my idea. And so for those of you who don't know what Zipcar is, it's basically a rental car, like those horrible scooters you see lying around everywhere. You go up with an RFID card, press it up against the windscreen, it dials back with a modem and validates whether or not you're allowed to get into the car, that then unlocks the car, you get in, the keys to the car are chained to the steering column, so you just press Start and drive off. OK, so they wanted us to hack into the company and bypass the firewall and add in an account and make an infinite card. I wanted to put a brick through the window and get in the car. [Laughter]
That's hacking. Hacking is smart and hacking is lazy. Information warfare is probably the thing that scares me the most, because everything's changed. All these bugs that we have written off for decades as informational are now potentially critical, whether it leaks a piece of information that could be used, or whether it allows you to put information up somewhere; it's potentially a problem. If I'd gone to a car company five years ago and said I have a bug that lets me put up a smiley face on your dashboard, they'd laugh at me and say "won't fix". Well, take a look at that. It is not hard, and this gentleman can confirm that, to display that kind of information on an infotainment system in any kind of transport system, including airplanes. Then you imagine if I put that on every airplane in the United States simultaneously. Dude, haven't you been banned from enough airlines? But just with an informational, low-rated bug you could ground the entire US commercial airline fleet. That means we really need to start thinking about what context means in this stuff. The other problem is the way many of these companies are addressing fake news, and I'm looking at you. The way companies are addressing this stuff, though, it's not going to work, right? Twitter sort of started going in the right direction with their shadow banning, which they now deny exists. Preventing the propagation of some of this stuff is one of the right ways to handle it; deleting it is the best way to handle it. But OK, you know, I understand there are potential issues there, but if you have harmful misinformation you need to do something about it, and Facebook's response, to say, well, we believe it's part of the conversation, we're going to leave it but put a warning on it, is absolutely the wrong thing to do, because putting a warning on something has never stopped it from being distributed. In fact, if you put a warning on it, I'm a hundred times more likely to look at it.

Education. This is the really important thing. When I moved to America I was
stunned. I live in San Francisco; I moved originally to Silicon Valley, I started a company. None of the schools in Silicon Valley offer computing classes. None. The schools outside Google don't have laptops. What? This is insane. We have children who are graduating from schools who are not prepared for the world they're moving into, and they're going to be the victims of tomorrow. And here's the kicker: it's completely avoidable, and this is dumb, like, why? And at the same time, these kids, if we educate them, are the army who can take down the disinformation, because they're way more connected and way more switched on to online material than we'll ever hope to be. I watched my 11 year old daughter sitting on the sofa with three devices simultaneously, playing Roblox on one, talking to a friend on another, and abusing other people on another, and it's like, they understand the context switching. They're born with it; it's inherent. We need to harness it. And the other thing is, if we want to keep young hacker kids out of jail, we need to find them, we need to train them, and we need to harness them. Right now there is a 16 year old kid in America who is facing 16 felonies for sending phishing emails to his school to change his grades. That cannot keep happening. It's ridiculous. Oh, and I'm sorry, I want to mention, I'm not Keren, but I believe that children, just by themselves, can be the immune system of the internet.

So, conclusion: our democracy really has been hacked, and in many ways we've let it. I think we've seen a lot of this stuff go on and we haven't taken any action. I mean, hacking back is one thing, but the voting machines are not the problem. It's great they bring them to DEF CON and they analyze them and they find vulnerabilities and they make them run Doom and silly stuff like that, right? That's great, I love to see it. That we get five congressmen at DEF CON every year, that's fantastic. We get all sorts of people from every kind of part of the government you can imagine; that's great. But those aren't the problems affecting things. It's disinformation that's polarizing people and giving them the wrong idea about the world and politicians and policies; that's the problem. And somehow we have to suppress that and stop foreign nations from being able to inject their propaganda into our systems, and until we start focusing on that we're not going to stop the problem. And, as I mentioned, we need to rethink how we classify threats. And as a last thing, the 90s would really like their vulnerabilities back, please. Thank you. [Music]
Thank you so much, Marc. Would you be willing to take a few questions from our audience? Absolutely. OK, just one thing: questions about crazy [ __ ] that happened at DEF CON come with a price. Buy me alcohol and I'll tell you everything. You don't even have to buy the alcohol; you can join us at the after-party where we have beers, and as you can see... So, Marc, let's take some questions from the audience. Anybody has a question? Marc, your choice.
I actually had this very conversation a week ago. I had a very interesting presentation; it was me, a climate change expert who's trying to fix New Orleans, and a professor of biology, and we were talking about availability of information, and he believes firmly that certain pieces of information should be restricted and not passed out. I believe as a hacker that knowledge is power, and I believe also that sunlight is the best disinfectant. The sheer fact that these things can cause harm is because there are problems that they affect; bringing them out into the light is one of the reasons why I fought, with many others, for responsible and then coordinated disclosure throughout the 90s. It's the only way you will get these things fixed: to make them known. And so I think it's perfectly OK for that stuff to be out there. Huh, because fake news is a different harm. Like, a vulnerability, or a tool that exploits a vulnerability, is exploiting a specific flaw that can be fixed. With fake news, the flaw is an ISO layer 8 problem; it's a problem between the keyboard and the seat, and that's much harder to fix. I'm not a psychologist, I only play one on TV. I'm not going to sit down and counsel every person in the world. Now, we absolutely do have to think along those lines and come up with a way to teach people to recognise fake news and to challenge what they see, totally agree, but until we do that, the next safest course is to castrate it, stop it from spreading, maybe delete it if it's bad enough. If it's a lie, why should it be allowed to propagate? If it's a disjointed perspective then maybe there's a different conversation to be had. But I don't claim that it's an easy solution; if it was an easy solution it would be fixed. No comment. And if any of you remember the end of season 2, the femtocell: I still have it at home. It really upset the FBI because it worked.
Hey, Chris Paget lives a few miles away from me, so we sort of get together and try to take over the world.
So my usual rate, my usual rate for administrative support, is $15.00 an hour. I know the guys who wrote it; if you ping me the question I can certainly forward it on. Some... I don't use Kali, and the reason I... Kali is convenient, it's nice, it's got a lot of tools in one place. However, I build custom builds with the right tools for the right project. So for example I have mobile phones with partial Kali builds on them that look like ordinary phones but have some of the Kali tools. They will go through any security check; you can take them into secure locations and still do stuff. Kali, on the other hand, if you walk into a lot of places with Kali you're going to get spotted. So I do it slightly differently, and so I can't answer you immediately, but happy to help you get the answer. One
So that's why we developed responsible disclosure and coordinated disclosure, to put pressure on the companies to fix stuff. And, brutally honest, I didn't start out white hat; I started out as a black hat, and some of the vulnerabilities I found I didn't want fixed. My favorite vulnerability, and this is going to date me and maybe date anyone who understands it: does anyone know what hosts.equiv is on a UNIX box? So hosts.equiv was a configuration file that says any system in that file can log in with root privileges without a password. What I discovered, and this was long before Dan Kaminsky, was that you could modify BIND and allow it to send out whatever address you wanted, and so I spoofed my IP address to always be the hash symbol. What's the first entry in any config file? I had root on the Internet, and it lasted for a few years. But yeah, back then black hat didn't bring you money, and all it brought you was a path that led to prison, and I got married, I got children, and so I changed. But back to your answer: you have to put pressure, and there are organizations that will help you put pressure. Be familiar with the EFF, the Electronic Frontier Foundation. Eva from the EFF was our first opening speaker today. Eva from the EFF is here; if you find her, talk to her, she's phenomenal. The EFF as an organization, I consulted them before every major hack I did, and they helped me go after the companies, they shielded me from the companies' lawyers, because many times they try to sue you, and they guided me on the path to get the best resolution. I absolutely support that recommendation: speak to the EFF, speak to other organizations that can help you do responsible disclosure, coordinated disclosure. The difference between responsible disclosure and coordinated disclosure: responsible disclosure was assigning a defined timeline, giving a company control over when you're going to drop the banhammer on them if they didn't fix it. Well, that doesn't work, because you don't know how long it's going to take to fix some things. You might assign a time of 30 days, but it might take 90. Coordinated disclosure means you engage with them and establish a process to set a time that they can work with. Katie Moussouris was one of the authors on the disclosure ISO, so I highly recommend reading it. Katie is phenomenal; there's some really good stuff there. I also invite everyone in this room: if you have any problems with research, if you want any advice, reach out to me. I always want to help. You guys are my community, you're my family, and I want to help. Thank you so much.
thank you so much