Blog: Shameless Self Promotion

Insights and highlights from DEF CON 32

Alex Wallace 16 Aug 2024

TL;DR

  • Event Dates: August 8-11, 2024, in Las Vegas.
  • PTP Presentations:
    • Windows Hello: Our Ceri Coburn (with Outsider Security’s Dirk-Jan Mollema) revealed vulnerabilities in biometric authentication.
    • Maritime Security: Paul Brownridge discussed vulnerabilities in maritime systems and regulations.
    • GPS Spoofing: Ken Munro highlighted the impact of GPS time manipulation on various systems.
    • Maritime Attacks: Andrew Tierney examined potential remote hacks on ships and thoroughly discredited claims that the MV Dali was hacked before it collided with the Francis Scott Key bridge.
    • Aviation Security: Ken Munro shared challenges in disclosing vulnerabilities in aviation electronic flight bags.
  • Workshops: Hands-on sessions learning to pilot large ships in constrained harbours, also teaching aviation security.
  • Exercise: Engaged with peers, supported the DEFCON run with nearly 300 runners over the 4 days.
  • Industry meetups: Hosted the auto, aviation, and maritime industries for networking sessions.

Introduction

If you are in the cybersecurity world, you know DEF CON is a big deal, and DEF CON 32 was no exception. Held from August 8-11, 2024, in Las Vegas, this year’s conference brought together hackers, researchers, and tech enthusiasts from all over the globe. The focus this year? The intersection of the digital and physical worlds. It was a whirlwind of talks, workshops, and networking, and we’re excited to share our experiences with you.

Our involvement

We had a blast at DEF CON 32. We presented several talks, led hands-on immersive experiences, and engaged with the DEF CON community. Below, you will find a recap of what we were up to, along with some highlights from the event.

Our presentations

Talk 1: “Abusing Windows Hello Without a Severed Hand” by our Ceri Coburn (with Outsider Security’s Dirk-Jan Mollema)

Summary:

Our Ceri Coburn (with Outsider Security’s Dirk-Jan Mollema) captivated the DEF CON audience with their deep dive into the vulnerabilities lurking within Windows Hello, Microsoft’s biometric authentication system. They showcased how attackers can bypass biometric protections without ever needing the actual biometric data—a revelation that left many attendees astounded. Their presentation was a powerful reminder of the risks associated with even the most trusted security systems.

Technical Insights:

During their session, they dissected the techniques used to bypass Trusted Platform Module (TPM) protections and steal Primary Refresh Tokens (PRTs). The live demo was particularly impactful, vividly illustrating how these vulnerabilities could be exploited in real-world scenarios. By highlighting these risks, they underscored the importance of strengthening security measures around biometric authentication systems to prevent potential breaches.

Can you spot Ceri at the Windows Hello talk with a packed-out crowd?:

Talk 2: “I am Still the Captain Now!” by Paul Brownridge

Summary:

Paul took us back to the high seas with his talk on maritime cybersecurity. He revisited the infamous MV Dali incident, debunking myths and exploring how the MV Dali incident could have been a cyber event. He also touched on new maritime cyber regulations and what they mean for operators.

Technical Insights:

The talk highlighted the vulnerabilities in maritime systems and the challenges of complying with emerging standards like IACS UR E26 & 27. The emphasis was on practical steps that can be taken to secure vessels against potential cyber threats.

Paul smiling for the camera before his talk:

Talk 3: “GPS Spoofing: It’s About Time, Not Just Position” by Ken Munro

Summary:

Ken Munro’s session offered a deep dive into the lesser-known but critical aspects of GPS spoofing, focusing not just on its ability to disrupt location data but also its impact on time synchronization. He shared compelling real-world examples that demonstrated how time spoofing could wreak havoc on systems far beyond navigation, including essential communication networks. The session highlighted the often-overlooked risks associated with GPS time manipulation, showing how even small disruptions could lead to significant operational challenges.

Technical Insights:

In his technical analysis, Ken discussed how manipulating GPS time signals could invalidate digital certificates, which are crucial for secure communications and data integrity. This kind of disruption has the potential to ground entire fleets by rendering navigation and communication systems unreliable. He also explored the broader implications for navigation aids, emphasizing that GPS time spoofing isn’t just a theoretical threat—it could have widespread and severe consequences across various industries. Ken’s session underscored the critical need for robust defenses against GPS time manipulation to maintain operational integrity and security.
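To make the certificate point concrete, here is an added example (not code from Ken's talk or from PTP) that replays constructed GNSS time fixes through a certificate validity-window check, once trusting the receiver blindly and once through a simple step-change guard. The certificate dates, the 2-second tolerance, and the names GuardedClock and replay are assumptions made for illustration.

```python
from datetime import datetime, timedelta, timezone

# All values below are constructed for illustration.
MAX_STEP = timedelta(seconds=2)          # assumed tolerance vs. holdover clock
NOT_BEFORE = datetime(2024, 1, 1, tzinfo=timezone.utc)
NOT_AFTER = datetime(2025, 1, 1, tzinfo=timezone.utc)
T0 = datetime(2024, 8, 8, 12, 0, 0, tzinfo=timezone.utc)

# (monotonic seconds since boot, UTC time reported by the GNSS receiver)
CONSTRUCTED_FIXES = [
    (10.0, T0 + timedelta(seconds=10.3)),   # normal jitter
    (20.0, T0.replace(year=2034)),          # time stepped forward
    (30.0, T0.replace(year=2019)),          # time stepped backward
    (40.0, T0 + timedelta(seconds=40.0)),   # genuine signal again
]

def cert_status(now):
    """Validity-window check as a certificate verifier applies it."""
    if now < NOT_BEFORE:
        return "not_yet_valid"
    if now > NOT_AFTER:
        return "expired"
    return "valid"

class GuardedClock:
    """Hypothetical guard: follows GNSS time but rejects implausible steps."""
    def __init__(self, utc, mono):
        self.ref_utc, self.ref_mono = utc, mono

    def offer(self, gnss_utc, mono):
        """Return (time to use, accepted?) for one GNSS fix."""
        expected = self.ref_utc + timedelta(seconds=mono - self.ref_mono)
        if abs(gnss_utc - expected) > MAX_STEP:
            return expected, False       # hold over on the local oscillator
        self.ref_utc, self.ref_mono = gnss_utc, mono
        return gnss_utc, True

def replay(fixes):
    """Per fix: (status trusting GNSS, status via guard, fix accepted?)."""
    clock = GuardedClock(T0, 0.0)
    rows = []
    for mono, gnss_utc in fixes:
        used, accepted = clock.offer(gnss_utc, mono)
        rows.append((cert_status(gnss_utc), cert_status(used), accepted))
    return rows

if __name__ == "__main__":
    for row in replay(CONSTRUCTED_FIXES):
        print(row)
```

A guard like this only catches sudden steps; time that is dragged slowly within the tolerance needs a cross-check against an independent time source.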

Talk 4: “A Hole in One: Pwning a Cruise Ship from a Golf Simulator” by Andrew Tierney

Was the MV Dali Hacked? Unpacking the Incident

Andrew explored the critical question: Was the MV Dali hacked? While modern container ships like the MV Dali are engineered to be highly resilient, particularly against remote interference with key systems like propulsion and steering, the story isn’t so straightforward. The incident that led to the MV Dali’s allision with a bridge was triggered by a complete power loss, known as a “blackout.” But could such a blackout be triggered remotely? And what would be the consequences?

Andrew delved into the complexities of these scenarios, explaining how even though direct manipulation of steering and propulsion might be nearly impossible, other systems—such as the ship’s power supply—could still be vulnerable to remote attacks. This vulnerability could lead to catastrophic outcomes, as seen with the MV Dali.

Operational Impact: The Voyage Data Recorder Example

Beyond the immediate risks of a blackout, Andrew discussed the broader operational impact of disabling certain non-critical systems. One such system is the Voyage Data Recorder (VDR), often referred to as the “black box” of a ship. While a non-functioning VDR won’t prevent a ship from sailing, it could lead to the vessel being detained during an inspection by Port State Control. The financial implications of even a single day of detention can be significant, especially if a systemic vulnerability allows an attacker to incapacitate every VDR across an entire fleet.

This discussion highlights the importance of securing all aspects of maritime operations, not just the most critical systems, to prevent both immediate and long-term disruptions.

Andrew’s talk was absolutely packed, not even standing room left!:

Talk 5: “Aviation Cybersecurity: The Highs and Lows of Vulnerability Disclosure” by Ken Munro

Summary:

In this talk, Ken Munro took the audience through the challenging yet crucial process of vulnerability disclosure in the aviation industry, with a focus on Electronic Flight Bags (EFBs). He shared both the successes and frustrations encountered along the way, particularly when dealing with major industry players.

Technical Insights:

Ken highlighted a positive experience with Boeing, where a vulnerability in the OPT performance application was promptly addressed after being reported. However, he also shared a story about the journey of getting Airbus to acknowledge and fix a similar issue in their Navblue EFB app, which was initially classified as a ‘product improvement.’ The vulnerability was finally fixed after three years, following the intervention of a regulator.

Ken looking for the patch from Airbus to fix the security issue on their Navblue EFB app:

Hands-on workshops and activities

Workshops by PTP: We didn’t just talk at DEF CON; we got our hands dirty, too. Our team facilitated several hands-on immersive experiences on maritime cybersecurity at MarSec, hosted by the ICS Village, where participants got a crash course in securing shipboard systems against cyber threats. We also took to the skies at the Aerospace Village with an A320 experience, testing skills against the challenges of tampered EFBs.

Networking and community engagement

DEFCON.run

One of the best things about DEF CON is the sense of community. We spent a lot of time mingling with other security pros, swapping stories, and picking up new ideas.

One of the community activities we held was the DEFCON.run, which had a great turnout at the early hour of 6am. Thank you to all those who attended; we hope you had as good a time as we did.

There was even a renewal of wedding vows for two of the runners, officiated by @AgentX, who we now know is a fully licensed Buddhist priest.

Networking events

We ran several invitation-only networking events at DEF CON 32:

  • Thursday, August 8: Automotive-focused event at the Cosmopolitan Hotel
  • Friday, August 9: DEFCON.run gathering at Double Down Saloon
  • Friday, August 9: Aerospace-focused event at the Cosmopolitan Hotel
  • Saturday: Maritime gathering
  • Sunday, August 11: PTP DEF CON after-party at the Cosmopolitan Hotel
  • We also had the first US Cyber House Party on Friday night!

Feedback

We got some fantastic feedback from our talks, immersive experiences, and community events, which is always great to hear. The topics we chose to focus on for our talks resonated with many in the audience, and we are already thinking about how we can expand on these ideas in the future.