American Institute of Aeronautics and Astronautics

    The Hacker Conferences — DEFCON and Black Hat

    Two of the biggest cybersecurity conferences of the year took place at the end of July: Black Hat and DEFCON. These two events occur side-by-side in Las Vegas every summer. Particularly at DEFCON, which only allows on-site registration and payments in cash, security researchers from around the world come together to show off the insecurities they have discovered in the past year. While past issues of Protocol have focused on corporate governance of cybersecurity, secure design, and involving the entire enterprise in cyber risk management, it is also important to look not only at what needs protection, but also at how attackers examine products and systems for weaknesses.

    Below are some highlighted presentations from Black Hat and DEFCON 2017. The presentations make clear that vulnerabilities are everywhere, from items we use every day to large systems on which society depends.



    As cars become increasingly automated and autonomous vehicles take to the streets, discovering their vulnerabilities has become a serious priority. For the second year in a row, security researchers focused on Tesla and displayed their ability to remotely control brakes, open doors, and synchronize the car’s lights with the radio. This research followed on earlier research performed by the University of Washington in 2010 and famed researchers Charlie Miller and Chris Valasek in 2015 (whose hack of a Jeep was profiled in Wired magazine). 



    Today, systems are connected to the Internet for convenience, monitoring, and additional functionality. Many of these do not at first blush appear to need or use the Internet in any obvious way. At Black Hat, researchers showed off their ability to hack a car wash and use some of its components to strike the car or trap people inside it.






    One benefit of these conferences is the dialogue that goes on between researchers and the owners of the products they attempt to hack. This year, one group reported on 26 vulnerabilities in devices such as wireless gateways and cable boxes. The group had been reporting them to Comcast and TimeWarner for several months so that they could be patched before the findings were published. Among the dangers they discovered, one vulnerability could allow a hacker to impersonate the common “xfinitywifi” hotspot.





    For the past twelve months, no device has received greater scrutiny than the electronic voting machine. DEFCON purchased a number of voting machines of varying models and challenged hackers at the conference to break into them. They didn’t have much trouble. In promising news, DEFCON plans to make the voting machine challenge an annual event for the next four years to encourage upgrades in voting machine security before the next presidential election in 2020.





    One consistently overlooked set of technology that is just as vulnerable as any other is the tools used by hackers themselves. These researchers found that many of the software programs that hackers use to gain access to victim systems are vulnerable to command and control server attacks, to downloads off the user’s computer, or to the addition of code that opens a backdoor or potentially harms the hacker’s computer. While “hacking back” is just as illegal as hacking in the first place, this is an important and under-investigated area of research.




    Industrial Control Systems are increasingly on cybersecurity researchers’ agendas due to the potential consequences of attacks against these backbones of critical infrastructure. At Black Hat, one team showed off the ability to hack a wind turbine with unsophisticated, cheap technology.

    In summary, if it is digital, it can be hacked, and often very quickly and inexpensively. Organizations and individuals have to implement secure design when building systems or products, and they must ask questions about security and demand robust, secure design when buying products and services.