DEF CON is the largest hacking convention in the world. It takes place annually in Las Vegas, Nevada, and attracts everyone from the novice to hacktivist groups. Even nation-states attend the convention, seeking access to an assortment of both wonderful and dangerous information that is shared amongst the highly skilled attendees. The event, now in its 27th year, draws over 30,000 people to the various product showcases, presentations, talks, and security competitions.
With so many technologists in a small space, unique and unusual devices abound. From robotic bartenders to iPhone chargers that can hack your computer, the products displayed at DEF CON are as diverse as the abilities of the attendees. Amidst the hot hustle and bustle of a city in the desert, competitions are ongoing: who can hack a voting machine? How vulnerable is your smart toaster? What are tomorrow's threats? These are questions that might be answered at DEF CON. For SIXGEN, the draw to DEF CON 27 was competition, specifically the SOHOplessly Broken Internet of Things (IoT) Capture the Flag (CTF) event.
In preparation for the CTF event, SIXGEN team members began by identifying potential DEF CON IoT devices and sourcing them. Any IoT device that might be there was purchased and installed on the custom IoT range. Afterwards, SIXGEN operators began training. The highly skilled team built custom tools for each device’s firmware, developing and refining tools in the buildup to DEF CON. The team worked for months to build capabilities and improve outcomes on the IoT range; as the range grew, so did team proficiency.
Teamwork is the focus at SIXGEN, from planning and approach to execution. Two days were spent in Las Vegas prepping for the event, beginning with a team breakfast every morning. In the hours leading up to the IoT CTF challenge, the team could be found at the front of the line, patiently waiting for the doors to open. As the CTF event began, the head operator assigned targets based on operator strengths, and SIXGEN was off to the races. The hard work and preparation soon paid off as Team SIXGEN established a commanding lead out of the gate.
The SOHOplessly Broken CTF drew over two hundred teams, not unlike an Olympic event. Competition was strong, with numerous professional cybersecurity experts from various governments found in the room alongside casual hackers, all working on breaking the IoT devices and finding the flags hidden inside of them. Long tables were set up, with Ethernet and WiFi access readily available to all participants. SIXGEN set up on the center table closest to the scoreboard and went to work.
The IoT range was organized into three different networks, with the goal being to break into a device and then pivot into the next network. As teams advanced, the task of compromising devices became increasingly difficult. In the first tier, there were many challenges in addition to breaching the devices themselves. Rival teams attempting to hack into the same device would cancel each other out and, in some cases, brick the IoT equipment altogether. Those successful in compromising devices would often change credentials, move the flag, or delete information altogether, eliminating the ability of other teams to successfully accomplish tasks. The team stayed focused and continued to push forward. As SIXGEN moved further ahead of the pack, these challenges became less pressing.
By the end of day one, the team had separated itself from the pack. By day two, the distance between first and second place had grown exponentially, and on day three, SIXGEN team members pushed to close out every last challenge, breaking into every device and earning nearly every point available on the board. In the end, the SIXGEN team beat out second place by over twice as many points.
An important consideration for DEF CON challenges is context. Much of the talent that operates on that grand stage is found at DEF CON, and it is under these conditions that the competition is held. The mission from the beginning was to become number one, and the team at SIXGEN accomplished this feat. We now know where we need to be in August of 2020, and we know how to prepare and go even further. See you next year at DEF CON 28!