LAS VEGAS--All these years I’ve outsmarted the Defcon hackers with one simple rule: Carry no computer into the Defcon melee. Just a pen and paper to notate events is all that's needed—which are kinda hard to hack unless the notes are wrestled away or lost (which has been known to happen after too many Vegas parties).
But this was my first year with my new iPhone, and boy, was I reminded about how much of a computer these smart phones have become.
It happened after I went on the air with a local Las Vegas radio station on a show called “The Usual Suspects.”
The broadcast was being hosted live from a skybox looking down over the Defcon gaming area. Hosts SMAction (Scott Miller), GiD (no real name available) and R0d3nt (Andrew Strutt) asked about my impressions of Black Hat (see previous blog), government pay for hacking talent, and so on. And I asked whether or not they should be cleaning the microphone between uses. (They put the mic right up to your lips, man.)
Once downstairs in the gaming area, two of my pals (one from Air Force, one formerly Army and Homeland Security) asked if my iPhone was sending a wireless signal. Bluetooth was off. Accept no new networks was on (so no network could connect to my phone without me requesting the connection). But I hadn’t thought about how the iPhone is always looking for a wireless signal to connect to the Internet.
We turned Wi-Fi off, no harm done. But after leaving my friends and heading toward the Hacker Jeopardy game, a gray highlighted message appeared on my iPhone screen that read, “Do you want to know your location? Yes Cancel.”
Clicking cancel just made the message come back. Like a DoS (denial of service), it kept interrupting important texts with my friends. (“Where’s the parties?” “Delchi mixing, Top of the Riv [short for Riviera, the hotel venue for Defcon].” “What are u doing?” “303 party in Skybox!” “Where r you now?”)
For help, I stopped three Defcon Goons in the hall and showed them the message that kept looping. Goons are the big hacker guys in red t-shirts with radios and other gear who make sure some order is followed (for example, preventing stampedes and throwing out Dateline reporters who appear undercover after being warned ahead of time about Defcon media rules).
The three Goons determined the DoS to be a direct attack on the phone’s GPS (global positioning system used for getting maps), which was also sending out a signal. Once they clicked that off, the messages stopped. Thanks, Goons.
The experience has forever embedded in me that phones really are computers. And they’re promiscuous at that—constantly reaching out to other networks and devices hoping to connect.
Phones aren’t all that is reaching out. So, too, are the chips and magnetic stripes on passports, driver’s licenses and banking/credit cards. So now I am shopping for a wallet that blocks RFID readers from doing pass-by downloads off all the cards I carry with me.
At least at the conference, the hacks are done for sport, no identities are really stolen, and when user passwords to phones and such are caught, they’re pasted up on the Defcon wall of shame in a way that will not overly expose the victims. Only part of a user name and password captured by hackers appears on the wall of shame (the rest is xxxd out). So the wall posts just enough for the victim to know it was his/her password and username that were intercepted, but not enough for anyone to use the data to gain access.
Looking forward to next year, hackers. Hopefully by then I’ll be more prepared.