BlackHat and DefCon 2017: What happens in Vegas doesn’t stay in Vegas!

Hacking of mobile devices is likely to be high at both conferences. After all, what do you expect from such a high concentration of ethical/unethical hackers? 

Unfortunately for attendees of the BlackHat and DefCon 2017 conferences on IT and cyber security, this could become all too true. Unlike others on wild sprees in the gambling capital of America, who would dearly like to leave all the evidence behind them, these conference attendees could be leaving behind valuable personal or company data, if the super-hackers have their way.

Data on attendees' mobile devices is a natural target, whether for fun, financial gain, or sabotage. Conference organizers would therefore do well to check that no rogue apps find their way into the official app downloads.

If this sounds like paranoia to you, don’t laugh: our previous article on the RSA conference showed that even the official RSA conference app was not secure, so the BlackHat and DefCon administrative teams should be on the alert too. BlackHat conferences in previous years have already been used as opportunities to launch attacks against attendees. Even if the BlackHat conference has its own network and network operations center again this year, that may not be enough to discourage determined hackers.

For instance, last year (2016), a large-scale man-in-the-middle attack was discovered: a malicious access point broadcasting a spoofed SSID (an “evil twin” of a network users already trusted) lured some 35,000 users and their mobile devices onto a rogue network. Factor in small, maneuverable drones that can carry such a rogue access point to wherever the users are, and the potential for tricking users into downloading compromised apps increases significantly.
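The attack above works because a client sees only an SSID and cannot tell which radio is behind it. The following script is an added example, not code from the original article or from any vendor it mentions: it runs over a constructed Wi-Fi scan (the SSIDs, BSSIDs and channels are made up) and flags the signals an evil twin typically gives off: the same SSID offered both encrypted and open, a BSSID whose vendor prefix is not on a hypothetical allow-list the venue NOC might publish, and a look-alike SSID that differs only in case or whitespace.

```python
"""Flag likely evil-twin access points in a Wi-Fi scan.

Added example for illustration only. Every access point below is constructed;
in practice the records would come from `iw dev wlan0 scan` or a similar tool.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class AccessPoint:
    ssid: str
    bssid: str
    security: str   # "open", "wpa2" or "wpa3"
    channel: int


# Constructed sample scan: two legitimate radios for the conference network,
# an open "evil twin" of it from an unknown BSSID, a look-alike SSID that
# differs only in case and trailing whitespace, and an unrelated hotel network.
SAMPLE_SCAN = [
    AccessPoint("ConfNet-Secure", "00:11:22:33:44:01", "wpa2", 36),
    AccessPoint("ConfNet-Secure", "00:11:22:33:44:02", "wpa2", 44),
    AccessPoint("ConfNet-Secure", "de:ad:be:ef:00:01", "open", 6),
    AccessPoint("confnet-secure ", "de:ad:be:ef:00:02", "open", 11),
    AccessPoint("HotelGuest", "aa:bb:cc:dd:ee:01", "open", 1),
]

# Hypothetical allow-list a venue NOC might publish: exact SSID spelling ->
# OUI (first three bytes of the BSSID) of the access points it operates.
KNOWN_OUIS = {"ConfNet-Secure": {"00:11:22"}}


def normalize_ssid(ssid):
    """Fold case and whitespace so look-alike names group together."""
    return ssid.strip().casefold()


def oui(bssid):
    """Vendor prefix of a BSSID, lower-cased, e.g. 'de:ad:be'."""
    return bssid.lower()[:8]


def find_suspicious(scan, known_ouis):
    """Return {bssid: [reason, ...]} for access points that look like evil twins."""
    findings = defaultdict(list)
    canonical = {normalize_ssid(k): k for k in known_ouis}

    by_name = defaultdict(list)
    for ap in scan:
        by_name[normalize_ssid(ap.ssid)].append(ap)

    for name, aps in by_name.items():
        securities = {ap.security for ap in aps}
        for ap in aps:
            # 1. Same SSID advertised both encrypted and open: the open copy is
            #    the classic lure, since clients happily join the weaker one.
            if ap.security == "open" and securities - {"open"}:
                findings[ap.bssid].append("open twin of an encrypted SSID")
            if name in canonical:
                # 2. Radio claiming a managed SSID from a vendor the NOC does not use.
                if oui(ap.bssid) not in known_ouis[canonical[name]]:
                    findings[ap.bssid].append("BSSID vendor prefix not on allow-list")
                # 3. Spelling differs from the published SSID: a look-alike name.
                if ap.ssid != canonical[name]:
                    findings[ap.bssid].append("look-alike SSID spelling")
    return dict(findings)


if __name__ == "__main__":
    for bssid, reasons in find_suspicious(SAMPLE_SCAN, KNOWN_OUIS).items():
        print(bssid, "->", "; ".join(reasons))
```

Treat the OUI check as a weak signal only: a MAC address is trivially spoofed, so an attacker who bothers to copy the venue's vendor prefix will pass it. The open/encrypted mismatch and the spelling check are what a defender should actually act on, ideally by having the NOC publish the exact SSID and its security type in advance so clients can refuse anything else.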

Certain security professionals go to considerable lengths at these conferences to avoid being hacked. They use pen and paper to record information, carry cash rather than credit cards, and insist on face-to-face communication instead of using their mobile phones. Others disable Wi-Fi and Bluetooth on their mobile devices and look for lodgings on the other side of Las Vegas to try to stay safe. Another solution is the “burner phone”, a cheap, pre-paid mobile phone that users keep anonymous and throw away once they have finished attending the conference(s).

Some of these defenses are not new. Have you seen Francis Ford Coppola’s movie “The Conversation” with Gene Hackman in the lead role of surveillance expert Harry Caul? You may well remember how Caul himself goes to great lengths to avoid being compromised, yet has his personal security hacked at a security conference.

Caul did not face the risks of today’s mobile apps (in 1974, when the movie was released, mobile phones were not commercially available). But neither did he have access to effective solutions for assessing the security of mobile apps, such as AppInterrogator. We think he would have approved of the way such a solution alerts users to vulnerabilities and rogue behavior in mobile apps, even when the compiled binaries of the apps are all that is available for testing.

So, if you’re planning on attending one or both of the BlackHat and DefCon events, or if you just happen to be a tourist in Vegas somewhere in the vicinity, be aware that you can at least stay safe when it comes to mobile app downloads. As for your other belongings, don’t be shy about wrapping your credit cards in aluminum foil and leaving your laptop at home; for the moment, that is the only way to be sure they are protected.