The Black Hat Briefings in Las Vegas started today.
DEFCON 31 starts tomorrow, though it seems like Friday is when things pick up.
Despite the recent, and much appreciated, shout-out from Borepatch, I’m feeling kind of ambivalent about trying to keep up with DEFCON this year.
My recent trip (write-up coming in the next few days, promise) blew a pretty big hole in my schedule. I haven’t had any time to do prep work for DEFCON/Black Hat. And I have a whole bunch of things I want to do, and so little time to do them in.
I also rely heavily on Twitter for links to presentations. And the current state of Twitter makes that almost impossible.
It also feels like DEFCON has moved past me. It used to feel like a gathering of one of my tribes. Now it feels like…something else. I note that DEFCON admission is now $460. And you don’t get free admission, or even a discount, if you go to Black Hat.
Still, tradition is tradition. So let’s see how badly I can do this.
The schedule for the Black Hat briefings is here. Per their website, “Briefings slides, whitepapers and tools (if provided by the speaker), will be posted to the Black Hat website on the day following the presentation (August 10 or 11).” They should be available under each presentation when they go up.
What looks good? Well, to start with: “A Pain in the NAS: Exploiting Cloud Connectivity to PWN Your NAS” by Noam Moshe and Sharon Brizinov.
Slides are already there.
“All Cops Are Broadcasting: Breaking TETRA After Decades in the Shadows” by Carlo Meijer, Wouter Bokslag, and Jos Wetzels has received a lot of advance media attention. But if you want to go to the source, the slides are already there.
The Tesla jailbreak (“Jailbreaking an Electric Vehicle in 2023 or What It Means to Hotwire Tesla’s x86-Based Seat Heater” by Christian Werling, Niclas Kühnapfel, Hans Niklas Jacob, and Oleg Drokin) has also received advance coverage. Slides are there, along with a link to a repository containing (or that will contain) tools. I would grab the tools as fast as I could, if I were a Tesla owner interested in this. Just sayin’.
“Physical Attacks Against Smartphones” by Christopher Wade sounds interesting in that block. But so does “Small Leaks, Billions Of Dollars: Practical Cryptographic Exploits That Undermine Leading Crypto Wallets” (Nikolaos Makriyannis, Oren Yomtov, and Arik Galansky) even though I’m not a big crypto-currency person.
I’m not an Android guy, either, but “Over the Air, Under the Radar: Attacking and Securing the Pixel Modem” (Farzan Karimi, Xuan Xing, Xiling Gong, and Eugene Rodionov, all of whom are apparently part of Google’s Android Red Team) has my curiosity. On the other hand, “Shuffle Up and Deal: Analyzing the Security of Automated Card Shufflers” (Joseph Tartaro, Enrique Nissim, and Ethan Shackelford) appeals to my fascination with gambling cheats.
That takes us through today. Thursday’s briefings:
“The solution it turns out involves a little more than is covered in the oven service manual: low-level hardware attacks in the form of side-channel power analysis and fault injection, building tools to work with the TMP91 microcontroller bootloader, and finally reverse engineering and patching the firmware…”
This is an attack on…an oven. “Oven Repair (The Hardware Hacking Way)” by Colin O’Flynn.
“Houston, We Have a Problem: Analyzing the Security of Low Earth Orbit Satellites” by Johannes Willbold also sounds potentially fun.
There’s honestly nothing that jumps out at me for the rest of Thursday at Black Hat. Feel free to browse the schedule and bookmark anything that does jump out at you. Meanwhile, over at DEFCON:
“Boston Infinite Money Glitch: Hacking Transit Cards Without Ending Up In Handcuffs” by Matthew Harris, Zachary Bertocchi, Scott Campbell, and Noah Gibson . I do enjoy a good war story from time to time.
“Nuthin But A G Thang: Evolution of Cellular Networks” by Tracy Mosley also interests me, since my knowledge of cellular networks isn’t what it should be.
On Friday:
My level of interest in “Making The DEF CON 31 Badge” would be highly dependent on the badge itself.
“SpamChannel: Spoofing Emails From 2 Million+ Domains and Virtually Becoming Satan” by Marcello Salvati is relevant to my professional life, so I’ve got to pay attention to that. But “Warshopping – further dalliances in phreaking smart shopping cart wheels, RF sniffing and hardware reverse engineering” also intrigues me. I should probably bookmark both.
“A Pain in the NAS: Exploiting Cloud Connectivity to PWN your NAS” is also on the DEFCON schedule, if you didn’t go to Black Hat or missed it there. Same with “Over the Air, Under the Radar: Attacking and Securing the Pixel Modem“.
“Private Keys in Public Places” by Tom Pohl. Oh, boy.
I’ll admit, this one sounds like a refreshing break: “Tracking the Worlds Dumbest Cyber-Mercenaries” by Cooper Quintin.
“J4 Gate, The Hustler Poker Cheating Scandal investigation and how Hacking helped me do it” by Scott “Duckie” Melnick. I’ve been sort of following this story, so I’d like to hear what this guy has to say.
Oddly, there’s nothing I’m really interested in the rest of the day on Saturday, though “Physical Attacks Against Smartphones” is coming to DEFCON as well.
There’s also really nothing that interests me on Sunday, up until the closing ceremonies.
As always, if there’s something I missed that you’re interested in, leave a comment. If you’re a presenter who thinks I’m giving you the short end of the stick, or you’d like to link to your presentation and tools, leave a comment.
As I said above, with Twitter broken, it is going to be very hard for me to find presentations and tools online and collect them here. I’ll do the best I can, but I won’t promise anything.