Dispatches From the Desert: DEF CON Day One


Welcome to day three of Dispatches from the Desert! This week, Immersive’s Container 7 team is in the desert city of Las Vegas, sharing daily highlights from two of the world's largest security events: Black Hat and DEF CON.
Kev Breen: Senior Director, Cyber Threat Research
Stepping into the DEF CON venue, there’s a stark contrast to Black Hat, which had a very corporate feel to its venue, talks, and business hall. Walking through the doors of the Las Vegas Convention Center into DEF CON is like stepping out of a library and into a very lively party.
Gone are the banners filled with corporate messaging and sales pitches. Instead, there’s a dystopian, cyberpunk feel to the aesthetics projected on the walls and screens. Everything is more casual, friendly, and welcoming. Bright LEDs and screens flash from the multitude of badges around people’s necks: #badgelife is very much a part of DEF CON.
There’s a vendor hall at DEF CON, but it doesn’t sell products or services to organizations. It sells hardware, books, and physical security tools that cater to the individual hacker mindset. There are no sales pitches here, from Hak5 to Hacker Warehouse and No Starch Press. These are tools that have risen from, and are for, the hacker community.
That said, it’s not all fun, parties, and badges. At its heart, DEF CON is still about imparting knowledge to hackers, new and old. The main track talks dive into new research, exploits, and techniques. There’s a definite focus on the offensive side of cybersecurity.
OPC UA and IoT vulnerabilities
In the morning sessions, I attended a talk by Tom Tervoort called “No VPN Needed? Cryptographic Attacks Against the OPC UA Protocol”.
OPC UA is a protocol used in the operational technology (OT) space. It allows standard communication between multiple devices and vendors, such as PLCs and HMIs. The protocol isn’t new – it’s been in use for almost 15 years, but this talk showed that it's possible to bypass or break the crypto for devices using this protocol and open them up to abuse.
Another standout session for me was Sigusr Polke’s “Emulating Embedded Linux Devices at Scale with Light-Touch Firmware Rehosting”.
Attacks against IoT devices have been increasing as more and more become connected to the internet, from SOHO routers to smart fridges and kettles. The research skills required to review these internet-connected devices, find their vulnerabilities, and disclose them before threat actors can abuse them are still very niche.
As Mikko Hyppönen’s law states, “if it’s smart, it’s vulnerable”. This is true, and why technical sessions like Emulating Linux Devices and the IoT and Embedded Device Villages are so important. They help encourage the discovery and development of those skills.
Hardware hacking and DIY quantum devices
DEF CON’s villages are also a staple of the conference. These villages have their own talks and demos, leaning heavily into the practical side.
I spent time in the Hardware Hacking Village, looking at routers and other IoT devices ripped open with patch cables hooked up to their UART terminals, and showcasing how to gain access to the underlying OS running on these devices.
The Quantum Village had sessions on building a DIY quantum device in your garage, trying to lower the barrier of entry to a new field that will be increasingly important to cryptography over the next decade. The OT Village was also filled with PLCs, HMIs, and displays, and groups of people at desks and laptops, trying to hack into these systems.
Rob Reeves: Principal Cyber Security Engineer
This morning, I went to see the open presentation from Jeff Moss, aka Dark Tangent (again), who stated plainly that DEF CON is a hacker conference and Black Hat is an infosec conference, and they’re two different things.
The atmosphere and nature of the talks and activities are about curiosity for curiosity’s sake – the desire to pull apart technology and see what’s ticking inside. The claims of vendors and sales representatives aren’t what matters here.
Jeff then had a fireside chat with General Paul Nakasone (retd.), former Commander of US Cyber Command and Director of the National Security Agency (NSA). The conversation was fascinating and reinforced the challenges faced by the West, both in terms of the AI arms race and adversaries’ aggressive cyberspace actions.
They also discussed what makes the hacker community so strong and the importance of human collaboration and connection, and even had time to take an alcoholic jello shot each. Glorious.
Live social engineering
My favorite activity of the day was spending time in the Social Engineering Village, where teams performed live social engineering. They called targets to attempt to elicit information that could be used by an attacker, while also meeting additional objectives (such as asking what their favorite dinosaur was).
As someone who has been a commercial red teamer, but not always a great social engineer (I’ve never been good at lying to people – it’s a real skill that takes time and practice to develop), it was a pleasure to watch participants practice their craft. A big shout-out to Chris Kirsch for luring me in!
Gaz Lockwood: Principal Cyber Security Engineer
This is my first DEF CON, and I feel much more at home with the pace and demographic of the conference. The talks are noticeably more technical and agnostic.
My favorite talk of the day was the presentation of a new technique: Recursive Request Exploitation (RRE). It’s a fresh web attack technique that flips the usual “one request, one response” mindset on its head.
Instead of hammering away with isolated payloads, RRE chains requests together in a recursive loop, where the output or side effect of one call is fed directly into the next. This creates a self-reinforcing sequence that can bypass stateful controls, slip past authentication, or abuse multi-step workflows that weren’t meant to be accessed directly.
The attack exploits the fact that many web apps implicitly trust the order and context of requests. When you manipulate that sequence recursively, you can get the system to do things it shouldn’t.
Automating RRE attacks
Doing this manually can be laborious, but a new tool has been released to automate this process.
rre-burp is a Burp Suite extension purpose-built to automate RRE attacks. It handles the tedious orchestration, firing off ordered requests and managing the dependencies between them, so you can focus on crafting the exploit logic rather than clicking through endless sequences by hand.
In short, RRE is a new class of web exploitation, and rre-burp turns it from theory into a repeatable, weaponized workflow. I’m looking forward to taking part in the defensive CTF tomorrow!
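The weakness Gaz describes above is an application trusting the order and context of requests rather than its own state. The following is an added example, not code from the original post or from the rre-burp project: a toy checkout workflow with constructed step names, showing the weak pattern (accepting whatever "previous step" a request claims, so a chained request can skip straight to confirmation) beside a hardened version that validates each step against server-held session state and ignores the client's claim.

```python
"""Server-side enforcement of multi-step workflow order (added example).

The workflow steps, session model and request chain below are constructed
for illustration; they are not taken from the post or from rre-burp.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Legal transitions for the constructed checkout workflow:
# None -> cart -> address -> payment -> confirm
ALLOWED = {
    None: {"cart"},
    "cart": {"address"},
    "address": {"payment"},
    "payment": {"confirm"},
    "confirm": set(),
}


@dataclass
class Session:
    session_id: str
    step: Optional[str] = None           # last step completed, held server-side
    history: List[str] = field(default_factory=list)


class WeakCheckout:
    """Trusts the client's claim of which step it just completed."""

    def __init__(self) -> None:
        self.sessions: Dict[str, Session] = {}

    def handle(self, session_id: str, step: str, claimed_prev: Optional[str]) -> dict:
        s = self.sessions.setdefault(session_id, Session(session_id))
        # Weak: claimed_prev comes from the request body. A chained request can
        # echo back whatever an earlier response said and jump ahead.
        if step in ALLOWED.get(claimed_prev, set()):
            s.step = step
            s.history.append(step)
            return {"ok": True, "step": step}
        return {"ok": False, "error": "out of order"}


class HardenedCheckout:
    """Validates the step against server-held state; the client claim is ignored."""

    def __init__(self) -> None:
        self.sessions: Dict[str, Session] = {}

    def handle(self, session_id: str, step: str, claimed_prev: Optional[str] = None) -> dict:
        s = self.sessions.setdefault(session_id, Session(session_id))
        # The only source of truth is s.step, which the client cannot set.
        if step not in ALLOWED.get(s.step, set()):
            return {"ok": False, "error": f"step {step!r} not allowed after {s.step!r}"}
        s.step = step
        s.history.append(step)
        return {"ok": True, "step": step}


def run_chain(app, session_id: str, requests: List[Tuple[str, Optional[str]]]):
    """Replay a chain of (step, claimed_prev) requests; return (history, results)."""
    results = [app.handle(session_id, step, prev) for step, prev in requests]
    return app.sessions[session_id].history, results


# Constructed chain: after "cart", the second request claims "payment" already
# happened and asks to confirm, skipping address and payment entirely.
SKIP_TO_CONFIRM: List[Tuple[str, Optional[str]]] = [("cart", None), ("confirm", "payment")]


if __name__ == "__main__":
    weak_hist, _ = run_chain(WeakCheckout(), "s1", SKIP_TO_CONFIRM)
    hard_hist, hard_res = run_chain(HardenedCheckout(), "s1", SKIP_TO_CONFIRM)
    print("weak accepted:", weak_hist)        # ['cart', 'confirm']
    print("hardened accepted:", hard_hist)    # ['cart']
    print("hardened rejection:", hard_res[1]["error"])
```

The design point is that the transition table is consulted against state the server wrote itself; any field a request carries about "where it is" in the workflow is treated as untrusted input. A rejected out-of-order step is also a useful detection signal: logging `hard_res[1]["error"]` with the session identifier gives defenders a cheap indicator of request chains that are probing workflow ordering.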
Ben Hopkins: Cyber Threat Intelligence Researcher
Echoing what the others have said above, I felt a completely different atmosphere going into DEF CON after Black Hat. I was surrounded by people wearing rucksacks full of Wi-Fi hacking gear and antennas, and laden with dozens of light-up badges around their necks. There was definitely a less corporate feel, even in the vendor hall where I bought one or two books.
When it came to talks, I filled my boots as there was much more variety at DEF CON. Given my interest in cybercrime, cryptocurrency, and the underlying technology that allows the cryptocurrency to work, I started my day with a talk focusing on a decade-old puzzle.
It involved cracking layers and layers of cryptographic algorithms and puzzles, using complex mathematical computations such as combinatorics. The reward was a single Bitcoin, which at the time was worth $400.
I heard from the individual who completed the puzzle (and earned over $70,000 worth of Bitcoin) about the process they took. I learned why brainwallets are insecure, which is the method for storing Bitcoin in your head by memorizing a 12-word seed, which then unlocks a private key to access the wallet.
I also learned how Hashcat can be optimized with GPU acceleration to crack SHA256 hashes and break private key encryption, all for the small price of $50 per computation and three minutes of your time.
One of my colleagues, Ben McCarthy, is really interested in quantum computing, so I told him I’d go to a few quantum computing talks. Sadly, upon entering the Quantum Village, I was disheartened to see that the speaker wasn’t using a microphone and that the beginner home lab he recommended would cost thousands of dollars to get off the ground. To boot, they’d also run out of light-up quantum badges – sorry, Ben!
Weaponizing hacktivist groups
The final talk of the day got me thinking about what I was told yesterday about the rise of aggressive, hacktivist threat actors in operational technology.
This talk was about a hacktivist group called Killnet. The group started as a denial-of-service provider who would DDoS anyone, including their own government (the Russian government).
This changed in 2022 when Russia invaded Ukraine. Killnet publicly declared for Russia, and the Russian government supplied money to support this hacktivist group in its efforts. Further supporting Killnet was Solaris, one of the preeminent Russian markets selling controlled substances – evidence later came out that the threat actors themselves purchased from the website.
The group was eventually dismantled, but the main learning I took away from this talk was how a government can easily support and weaponize its citizens in times of war and then claim plausible deniability when it’s convenient.
They turned Killnet from a state-sponsored hacktivist group into a state-tolerated nuisance. When Solaris was taken offline, the money tap from the Russian government stopped, and Killnet was hung out to dry.
That wraps up day three! If you’re an Immersive customer and weren’t able to make it out to Black Hat or DEF CON, keep an eye out. When we return, we’ll take some of the more interesting and novel tools and techniques we’ve seen here and turn them into practical labs.