Hacking Tesla, Tractors, and the Hotel Elevator: Ten Observations from the DEF CON hacker conference in Las Vegas
Fresh off the plane from attending the DEF CON 29 hacker conference held at Paris and Bally’s hotels in Las Vegas, Nevada, I am back with a fresh perspective on just how vulnerable we all are when it comes to cyber risk. And it’s even worse than we realize.
I braved the 115-degree heat and entered the den of the hackers, and I have put together a list of the top ten things I observed about our collective preparedness as it relates to land, sea, and air, and what risks are on the horizon.
- Hackers are a very diverse group who seem to share one thing in common: using creative problem-solving to find vulnerabilities in systems. There were undoubtedly cybercriminals in attendance at the conference – one of the reasons that the FBI, NSA, and CIA have been known to show up, particularly if a black hat hacker (the bad ones who break into things for criminal reasons) will be on stage delivering a rousing demo of how they successfully took down a company. Yet for every black hat hacker, there are untold numbers of genuinely good white hat hackers, security researchers, and tech geeks who simply love a good challenge and love to talk ones and zeroes.
- Due to the aforementioned presence of cybercriminals, I wisely chose to stay off the hotel Wi-Fi and the cellular network. Public networks are insecure even under normal circumstances. Put a bunch of hackers in a room and watch how quickly rogue or fake wireless access points start appearing to mimic the real hotel wireless network to trick users into connecting. Cellular networks can also be spoofed by setting up fake base stations with stronger signals than the nearest legitimate cell tower, enabling unauthorized access even to encrypted calls. Sound unrealistic? This technique was actually demonstrated back in 2010.
- The elevators in the hotel had display screens which were usually used to showcase ads for restaurants, concerts, and events. During the hacker conference, the elevator displays simply read “Disk read error” and various other technical messages and computer code. Do you want to be in an elevator when it gets hacked?
- You can be whoever you want at a hacker conference. Some attendees are well known by (and only known by) their online handles. Jeff Moss, who founded the DEF CON conference twenty-nine years ago, goes by the handle Dark Tangent.
- The Land: Even farm equipment can be hacked. At DEF CON 29, a security researcher with the handle “Sick Codes” demonstrated vulnerabilities in John Deere systems used to monitor industrial farm equipment. The speaker’s group reported successfully obtaining the private key for John Deere’s Single Sign On system and gaining full access. As even farm equipment increasingly relies upon technology, the risk is very real that tractors in the field can be taken over remotely and excessive chemicals released into fields undetected.
- The Air: Satellites and space vehicles can be hacked. At past DEF CON conferences, hackers have successfully taken over real satellites and used them to take photos.
- The Sea: In our current COVID-19 environment of supply chain troubles, our reliance upon cross-border shipments became evident. Hacking shipping containers with ransomware or even temporarily redirecting their coordinates for a mere few minutes can have drastic consequences on global supply chains.
- The Internet of Things (IoT) is still just as insecure as ever. There are arguments for and against creating a legislative “right to repair” that would enable consumers to try to fix their own devices rather than having to bring them to a dedicated Apple Store or another specific manufacturer’s store. There are some very interesting policy decisions at play when balancing the needs of consumers with the security risks that arise if companies are forced to disclose sensitive technical details about how their devices operate. In July 2021, President Biden issued an Executive Order on the right to repair.
- Just about anything can be hacked, as various demos at the DEF CON conference revealed. Medical devices, IoT devices, and even cars are all targets for hackers. One talk at DEF CON demonstrated a compromise of the Tesla Model X keyless entry system. Do you want to be riding in a self-driving vehicle at the moment someone remotely takes over control of the car?
- Last but not least, the only thing which seems to be hotter than Vegas nowadays is the world of cryptocurrency and blockchain, and both were on full display at DEF CON 29, with wonderful discussions of the interplay between security and privacy as the regulatory landscape continues to take shape. CSS provides compliance support to investment advisers who are active in the cryptocurrency and blockchain space, and I found it particularly exciting to tour the Blockchain Village at the conference. I expect that we will be seeing much more focus on blockchain technologies on the horizon, as well as a complex regulatory landscape to help our clients navigate in the years to come.
The cyber threats out there are unfortunately all too real, but they are not insurmountable. With the right approach and partners in place, the peak of cyber preparedness is something we should all continue to climb towards.
I, for one, will be taking the stairs.