I-Hacked Staff Hacks 2006 Defcon Hacker Convention
--------------------------------------------------
Written by Hevnsnt
Friday, 18 August 2006

What happens when you place 6,000 of the world's best hackers in one hotel? Stuff gets hacked, normally the hotel's stuff. This year, Surbo and I wanted to change that -- and this is the story of how we did it.

We made the sacrifice to put our lives on hold and go to Las Vegas (yeah, it was rough) to mingle with the world's best hackers. As we got there and checked in we were given the lowliest of badges, the "General Population" badges -- referred to as the "Human Class". Don't get me wrong, Joe Grand (of GrandIdeaStudios.com) did a great job on the badges, but did I-Hacked staff deserve the plain "Human" class badges? We certainly didn't think so; later we will discuss how Joe's design ultimately led to the compromising of Defcon.

After we had received our badges, we made a short trip back up to the room to do a little modding to the badges. After 10 minutes of pulling apart official I-Hacked Throwies and soldering we had modded our badges to stand out from the crowd. Happy but not satisfied, we strutted our stuff among the crowd as quite possibly the first to "mod" their badges.

As we explored the convention center we found our way (past some velvet rope) to a hallway that was protected by a guard. Without any discussion between us, we both knew that we wanted past the guard. As nonchalantly as possible we struck up a conversation between the two of us and tried to walk past the guard as though we were meant to be there. Politely yet firmly the guard told us: "Red Badges Only" and told us to leave. As I had been to a 'Con before, I knew that "Red Badges" meant one thing, and one thing only. Goons. The holy grail fear of any Defcon goer, the goons are the elite of the Defcon staff.
We wondered what wonderful things they had down that hallway; surely they had gigabit connections, imported-beer-filled swimming pools, and rainbows made of Skittles. We had to get back there to find out.

We decided it was time to figure out exactly what the other color badges looked like. Surbo put on his social engineering hat and asked the registration desk: "What are the red badges for?" The goon, who at the time was wearing a red badge, replied smugly, "You have obviously never been to a con before." While Surbo's job was to pull information from the registration guy, my job was to get a close inspection of the badge. At this stage we were still gathering information, an important step in any hack. Gather as much information on your target as possible, then take your time and have a beer.

Speaking of beer, it was time to hit the strip; we packed up and walked down to the main strip. We toured a lot of the different bars around, but because it was a Thursday night nothing was really happening. This was not my first trip to Vegas, but I still wanted to see all the street shows again. As Surbo and I walked up and down the strip we stopped to see the Treasure Island show (pirates kick ass), some guy who was doing incredible artwork with spray paint, and some really crazy bands performing in each one of the casinos we ducked into to grab a beer along the way. Anyway, enough about Vegas, let's get on to the hack already.

The next day (Friday) was the beginning of Defcon and the crowd was among us. The amount of people that showed up for this year's Defcon was absolutely staggering. I don't know the official number but I do know that it was well over 6,000.

We had had a night to discuss what we thought about the badge. We had already scanned our badges with our favorite RFID Scanner (APSX RW-310) and could not find any trace of signal.
Our program manual stated that Joe Grand would be giving a talk about the badges the next morning -- maybe he would talk about the differences of ours vs. the other color badges.

[Defcon14-Badges.jpg] All the different colors available

During Joe's talk he started discussing the process of creating the badges. He mentioned that the cost per badge had to stay below $5, so it became apparent that there probably wasn't any embedded RFID in the other colored badges. Then he finally talked about how he created the different colors: he simply used a colored solder mask to create the different badges. BINGO. Thanks Joe! The only difference between my badge (white) and a Goon badge is the Red color. On the way out of the speech, I looked at Surbo and I could tell he was thinking the same thing I was... Let's go visit the spray paint artist on the street.

Later that afternoon, we left our hotel and Defcon festivities behind to go see the guy who would change our Defcon experience in exchange for nothing more than an I-Hacked throwie that he could place on his lamp. I showed him a picture of the red badge that we would like to emulate, and he mixed and matched his colors to get it perfect.

[paint-it.jpg] Um, I would like it Red Please.

Simply put, it came out perfect. As far as anyone was concerned we were now official Defcon goons. We only had him paint the front of the badge red (and left the back white) so that we could later prove to the security staff how weak their security measures were.. This later turned out to be a bad decision. (but I won't get into that just yet) =p

Later on that night at the private parties (as goons, we didn't have any trouble just walking in now) when anyone asked if we were goons we would just nod our head yes and switch topics. We didn't want to blow our cover just yet. We were in the penthouse suite, partying with the guys who put on Defcon -- we introduced ourselves to as many people as we could to get a few names to drop if needed.

Saturday: Completely hung over, my only goal for that entire day was to see Dan Kaminsky's talk on net neutrality. As we finally made our way down to see his talk, we found the room to be completely full. No one else was being let in. Surbo had noticed the day before that the Goon HQ was a skybox overlooking the particular conference room where Dan was giving his talk. Being as though I really wanted to see this presentation, we made the call... It was time to try out our goon badges.

As we made our way down the hallway, we passed the guard without any incident. In fact she even stopped a few other people who tried to surf in with us. (Sorry guys, apparently you need a Red Badge to get past her =)

We were now past the guard, finally in "Goon-Land". We tried Door 1, Locked. We tried Door 2, Locked... Arrgh. Out of desperation, Surbo knocked on door number two. A few seconds later one of the largest goons I have ever seen opened the door and asked what we wanted. Surbo said "XXXXXX told us to come up here to watch Dan, to give up some seats." (XXXXX's name has been removed to protect him, let's just say it was one of the names we snarfed from the party the night before) Without hesitation, he opened the door and took us out to the balcony.

Now unless you were there you can't imagine the tension. We are completely surrounded by goons, in their room, with fake goon badges. I snapped a few pictures as proof from there as discreetly as possible, but they turned out horrible. None of the other goons were taking pictures so I figured I should lay low with that.

During Dan's talk, a goon walked out on the balcony with a huge juicy steak. We hadn't eaten yet, and damn that thing looked good. As soon as the talk was over I asked the goon "Where did you get the steak?" and he looked at me a little weird and said "The Refrigerator" and then walked me into the kitchen and showed me exactly where.. =)

Fast forward to later that night. The badges opened up more than physical doors.
We were now invited to the best party of the 'con (Ninja Party absolutely rocks) where I had a few too many drinks. After bouncing between Ninja, the White Ball, and the pirate party (at all of which I continued to drink) Surbo decided to leave me to my own fruition. (Mistake #1)

Well, my liquid courage had set in, so I figured that I would go tell the goon squad exactly what I felt about their physical security and identification methods. I stumbled right past the security guard, and at no time did I question what I was about to do. (Mistake #2)

Ready for mistake #3? I threw open the door to Goon HQ, and was presented with a room full of goons (Seriously, it was somewhere around 4am, and there were probably 15 goons in there) and sitting in a chair right in front of me was the head of security, Priest. (Which btw if you have never seen him, is a big dude) Undaunted, I began my speech about how I was able to bypass all of their security methods using a can of spray paint.

Let's just say that this probably wasn't one of my shining moments. Sure, I had proven that I could bust their security. I had proven that when it really comes down to it, I have a sack of fortitude, and I had proven that after all that beer I really need a second opinion on things. =) Priest was incredibly cool, and although he confiscated my badge he told me to get a hold of him in the morning.

Sunday morning I found Priest, and after a stern warning about next year he told me, "Good job, you hacked Defcon. You made it past our security. For that, I am going to get you another badge, another WHITE badge." I of course appreciated this, but I asked for my original badge back; I mean, it meant so much to me. He told me that it had already been destroyed, but I like to think that he has it hanging up as a memento of Defcon14.

[IMG_4409-1.jpg] Farewell Badge, thanks for all the fun.

Sure, this wasn't the most "Elite" of hacks out there, but it really goes to show how something as simple as spray paint can be used to circumvent some of the most sophisticated security forces. I hope you liked the story, and I can't wait for DC15.