Frans @fransrosen and Fredrik @almroot from the Detectify team visited the 23rd annual DEF CON Hacker Conference, as usual hosted in Vegas, in beginning of August. This year was the big eye opener for car hacking with the hacking of a Tesla Model S reaching the mainstream media. On the technical side researcher Fernando Arnaboldi presented some very interesting findings on XSLT and its implications. And of course the team also made sure to have some fun during the visit and will here reveal who threw this year’s best party.

Car hacking is the new black

Car hacking seems to be the new black at DEF CON this year. Even though car hacking did make some headlines back in 2010 and 2011, this was the year it really became the main topic.

DEF CON had organized its own car hacking village with the slogan “Drive it like you hacked it”. For example it was revealed that hackers had been able to hack two of america’s most commonly used cars: a 2010 Toyota Prius and a 2010 Ford Escape.

Further it was revealed that Marc Rogers and Kevin Mahaffey have been able to hack Tesla Model S so that they could unlock, start and stop the car. They did admit that it was “very hard” to hack the Model S, but apparently possible. Tesla was not late on responding to the hack announced that they double the maximum reward in their bug bounty program to $10,000 for anyone able to find severe vulnerabilities in the Model S. Both Tesla and the hackers were clear on mentioning that all known vulnerabilities now are patched.

It will be very interesting to follow the development of the car hacking scene and we can be pretty sure that we haven’t seen anything yet.

Best technical research – XSLT for practical attacks & Abusing Adobe Reader’s JavaScript APIs

Fernando Arnaboldi (IOActive) presented interesting security research on XSLT, ranging all from information disclosure to arbitrary file access by the means of providing XML documents together with XSL.

The findings presented have implications for all major web browsers (Safari, Opera, Chrome, Internet Explorer and Firefox), as well a range of popular programming languages (Python, perl, PHP, Java, JavaScript, .NET and C++).

Another interesting research was presented by Brian Gorenc, Abdul-Aziz Hariri & Jasiel Spelman (HP’s Zero Day Initiative) on how the JavaScript API’s work in Adobe Reader. By abusing logical flaws they managed to get remote code execution.

Who threw the best party?

Last but not least, as maybe the most prestigious award, the Detectify team names “The best party of DEF CON 2015”. As it should, in Vegas, the focus easily slips to the party scene and the competition is fierce among the companies on who can throw the best party. Based on our thorough research from our team, here are the three honorable mentions that made it to the final.

  • IOActive pool party, almost the unofficial DEF CON party, was hosted at the Bally’s hotel. The event was massive and in great spirit even though the beer was not for free.
  • BSides checked its party in at the Tuscany hotel. The event was a classic pool party highlighted with cupcakes, open bar and a great crowd.
  • Facebook hosted its venue at the Surrender nightclub at the Wynn hotel. They flew in the DJs Flosstradamus, served cupcakes (seemed to be a trend this year) and of course had an open bar all night long.

As mentioned there was some stiff competition this year and after some hard discussion the team agreed that Facebook did throw the best party, with BSides as the runner up.

To summarize, DEF CON 2015 had a little bit of everything. We at Detectify are very thankful for its existence and how the conference manages to shed some light on the real hacker community and, of course, throw a lot of great parties.

Below you can see some pictures from our team’s experience at DEF CON 2015, see you again next year Vegas!

Defcon Facebook party

Cobalt playing cards

Posted by Charlie