DEF CON Safe Mode Highlights
DEF CON, a major annual event in the world of cybersecurity, was held just last week. This year, the organizers decided to go virtual, calling the event “DEF CON Safe Mode”.
There were a number of great talks and panels at the conference, and while some of them were quite technical, many also focused on topics likely to be of interest to a wide audience.
In what follows, we’ll offer some curated highlights from DEF CON Safe Mode that you may want to check out, along with links to the full video recordings of these talks and panel discussions.
The Internet of Things (IoT) refers to the ever-growing mass of networked devices around the world — devices which are often poorly secured, and which can provide attackers with an entry point onto an otherwise secure network.
This year’s DEF CON featured several interesting talks that shed light on issues around IoT security.
Hacking traffic lights in Holland
Dutch security experts Wesley Neelen and Rik van Duijn presented a research project that explored potential weaknesses in smartphone-connected traffic light systems in the Netherlands. What they found was disturbing: a vulnerability that could allow remote attackers to manipulate the system and disrupt traffic at scale.
How to hack 3 million cameras
Paul Marrapese gave a presentation that demonstrated how a common “convenience” feature incorporated into countless IoT devices around the world — including IP cameras, baby monitors, and alarm systems — can be abused by attackers. The vulnerability, according to Marrapese, threatens the security and privacy of millions.
Not “just” a light bulb
Eyal Itkin talked about the risk posed by smart light bulbs, which security researchers have known to be vulnerable for years. Itkin’s work, however, demonstrates that these connected devices — increasingly popular in homes, offices, and even smart cities — are not only vulnerable in and of themselves, but can also be used by attackers to pivot to and compromise sensitive computer networks.
Security and the healthcare sector
We’ve talked before about the cybersecurity threat to hospitals and medical facilities — and noted that the healthcare sector as a whole seems frighteningly unprepared to deal with the growing problem that it faces.
This year’s DEF CON (perhaps appropriately, in the midst of a pandemic) featured some interesting talks and panel discussions about the topic:
D0 N0 H4RM
D0 N0 H4RM is DEF CON’s recurring panel discussion about cybersecurity and healthcare. This year’s panel, moderated by physician hackers Christian “quaddi” Dameff MD and Jeff “r3plicant” Tully MD, covered a number of topics, including some special considerations brought on by COVID-19. The panel was made up of Jessica Wilkerson, Cyber Policy Advisor at the U.S. Food and Drug Administration (FDA); Veronica Schmitt, Assistant Professor at Noroff University; Ash Luft, an embedded software engineer; and Vidya Murthy of MedCrypt, a company focused on improving security in medical devices.
Patient safety in a digital world
Jen Goldsack and Dena Mendelsohn explored the oft-neglected security and privacy considerations around the use of digital technologies in medicine — and argued that such considerations need to be included in the risk-benefit analysis used to make patient care decisions.
Cybersecurity and democracy
With the November 2020 U.S. presidential election looming, many Americans as well as international observers are thinking about election security issues.
This year’s DEF CON featured several speakers who addressed the topic:
Information warfare and the November elections
Ben Dubow discussed the role of information warfare in subverting democracy, presenting research done on campaigns in both Poland and Taiwan. Dubow also talked about what this research can tell us about the upcoming U.S. elections in November.
Hacking Democracy II
Amélie Koran moderated a panel discussion entitled “Hacking Democracy II: On Securing an Election Under Times of Uncertainty and Upheaval”, featuring Kimber Dowsett, Director of Security Engineering at Truss, a software infrastructure company that works with public and private sector organizations; Casey John Ellis, founder and CTO of the crowdsourced security platform Bugcrowd; Jack Cable, an Election Security Technical Advisor at the U.S. Cybersecurity and Infrastructure Security Agency; and Tod Beardsley, Director of Research at the cybersecurity company Rapid7. The group continued a February discussion about election security, reflecting on the changes to the threat landscape in light of the COVID-19 pandemic and other recent events.
Macro mischief on Macs
One talk likely to be of special interest to Mac users was delivered by Patrick Wardle, an Apple security expert who works as Principal Security Researcher at Jamf, and who founded the Objective by the Sea macOS security conference. Wardle’s technical presentation, entitled “Office Drama on macOS”, discussed macro-based attacks on Mac users (that is, attacks that rely on malicious embedded code in Microsoft Office documents). Macro-based attacks are a familiar threat on Windows platforms, but in recent years they have started to become more prevalent on the macOS side of things as well — highlighting the way in which the Mac security landscape continues to evolve.