DEF CON 30

Navigation

Content

CTF Creators Contest Submission

Sponsors

All content is in person only.
Unless otherwise specified, all other times of the content are:
- Friday August 12, 2022: 10:00 - 18:00 PST
- Saturday August 13, 2022: 10:00 - 18:00 PST
- Sunday August 14, 2022: 10:00 - 14:00 PST

Content	Partner	Time
Hackable Book Signing	Ted Harrington	3:30 - 4:00pm PT Saturday, August 13th
Location: IoT Village Alliance Ballroom Get a free signed copy of the #1bestseller Hackable and meet the author!
Hands on Hacking Labs:	Loudmouth Security	All Day
IoT Hacking 101 is a set of quick, hands-on labs developed to teach the tools techniques for discovering and exploiting some of the common weaknesses found in loT devices today. Whether you're a pentester that has never hacked loT devices or even someone that has never hacked anything (!), these self-guided labs will walk you through all the steps in order to successfully pwn loT.
IoTV: Capture The Flag	Loudmouth Security	All Day
The IoT Village CTF has over 30+ devices and challenges to find and exploit vulnerabilities in real IoT devices. Players, or teams up to 6 people, can register and compete against one another to win great prizes!. With an overall focus on real-life consequences, this year's CTF is the newest and best IoT Village CTF yet! The challenges will require creative thinking, knowledge in networking, and competency in exploit development to claim the top prize. Prizes will be awarded to the top 3 teams/players at the end of the event.
Hack the Box CTF Challenge	Hack the Box	All Day
Dive into hacking challenges with HTB at the IoT Village DEFCON 30 CTF. “House Edge” is a themed CTF challenge that aims to have the players travel through a mission inside a space casino with the final goal of accessing a safe box to retrieve its contents. Each challenge is a standalone and does not require to have solved any other challenges. That said, the content is structured in a specific order that helps facilitate the scenario, which at a high level can be broken down into the following side-tasks of the mission: Gain access to the main security system to avoid being identified Steal RFID credentials of the reads in the open areas to gain access to restricted areas Disable the additional motion sensors in the restricted areas to avoid triggering an alarm Open a safe box and retrieve its contents.
Sixgen Challenge	Sixgen	All Day
A handcrafted IoT challenge that will put your skills to the test. Be prepared to hack devices over bluetooth low energy, break into Wi-Fi networks, and exploit binaries. If you avoid the deadly sharks and laser beams you may be able to access smart locks, conduct electronic warfare, and fly drones.
Hacking Product Security Interviews	Zoox	11:00am and 11:30am PT Friday, August 12th
Cybersecurity is a complex, multi-faceted field and pursuing a career in it requires the acquisition of a number of different skill sets. Product Security interviews can be particularly challenging due to the expectation that candidates possess both hacking AND software engineering intuition and skills. Zoox will take a software engineering perspective and unpack this topic in an interactive talk. They focus on big-picture as well as tactical insights that will help you invest your time when preparing for your dream Product Security job. Join Zoox at 11:00am and 11:30am PT Friday, August 12th!
BURP Suite, Forensics Tools & 0-day Exploit Development	Ken Pyle	10:00am - 2:00pm PT Saturday, August 13th
These exercises from Cybir's Ken Pyle will show how simple security flaws and exposures become critical, world wide exposures in systems like the Emergency Alert System and network infrastructure from Cisco & Dell. Recreate some of the most impactful kill chains ever, learn new IOT / appsec skills, enumerate a supply chain network with a text editor, and "live off the land" with a few simple free tools like BURP SUITE. Join Ken from 10:00am - 2:00pm PT on Saturday, August 13th!
Hands on Hardware Hacking – eMMC to Root	Rapid7	All Day
Hardware hacking with Rapid7! Rapid7 guided exercises will lead you through the hands-on hardware hacking process to gain root level access to embedded IoT technology. This series of exercises will cover multiple steps including embedded multimedia controller (eMMC) interaction, making binary images copies of flash, interaction with read only squash files systems to unpack and repack systems, and altering startup files systems within the devices’ file system to allow you to eventually gain root level access over SSH.
Revolutionary Lab Experience	INE	All Day
Dive into our browser-based lab platform and experience 2,000+ real-world engineered labs covering everything from the basics to expert-level skills. Explore INE’s newest learning path, Penetration Testing Student v2, with all new dynamic labs in a sandbox-style playground for risk-free practice.. When cyber threats emerge, learn to combat them as they’re unfolding in INE’s Cyber Vulnerabilities Training Library, a rapidly deployed hands-on lab environment featuring some of the industry’s biggest challenges like Log4j, Spring4Shell, WannaCry Ransomeware, and more! Crush your training goals and get ready to nail your next project — all you need to do is press play!

CTF Creators Contest

Got a cool new exploit on an IoT device and don’t know what to do with it? The CTF Creators Contest is just the thing! Show us your research, put the device in the CTF and see if others can pop it. Oh, and did we mention the great prizes (See below)?

When:

Starting Friday July 1st, until August 12th, 4pm PDT

What:

Submit a detailed write-up of ORIGINAL research. Use the disclosure template provided. Submissions must include:

Completed submission template
Any PoC scripts used for exploit
Copy of vulnerable device firmware

GPG Key Submission Template

All submissions must be GPG encrypted with the following key:

Key

-----BEGIN PGP PUBLIC KEY BLOCK-----
Comment: User-ID:	Village Idiot Labs 
Comment: Created:	2022-07-04 10:09 AM
Comment: Expires:	2024-07-04 12:00 PM
Comment: Type:	3,072-bit RSA (secret key available)
Comment: Usage:	Signing, Encryption, Certifying User-IDs
Comment: Fingerprint:	CC03E4E490E4F4CD14BFA1ACFA7634C3CAFF9478

mQGNBGLC9JkBDAC0v9YJymxTjcUNApTjp/Xbp5yVoaMpKPqU9pxrHN6iyT740diT
Qaf4O1J4MopYBKn4BWXkwMTUeUJk9xf+lZR4JoS9bhDVwHQnSwGobyMDUeMRZH1c
SAFDTp+iICKKT6TTU6RIu29X8QUNfuHwgZr6Whao410/lik3UgW8cNT4dYKqSZ7g
m/EiEUC78Wbj471sGlAWj7JNlN+F+0mM6Wx4F8jBydLd8GT5JrviE8nZmFMidUt7
lqU8fwk9eLf6oBTQ/SVnC1hRzlSe/SjY9RqWV9OtkcfSIDFjE+gm1hqYvaM8gs2M
bY+0++0ZRPdK0aJbsHZ4N5XHglkIaf/6ms34VHgKErx/9J3fdSw5M86k6+nz+ZB8
h9Z8vfV09uVo1/6AseL34FLm+DYjCCBDOQB1bhF9Y4lVy8juwpm8ZQ6yu1F4Zxdk
BmBGxxW073fDvb+ugvLTfj0v6PiIXr8udLWicWpTHHTGIXqbX+U8pAh1igiULaze
L8RoG9x1rQETTwcAEQEAAbQtVmlsbGFnZSBJZGlvdCBMYWJzIDxjdGZAdmlsbGFn
ZWlkaW90bGFicy5vcmc+iQHUBBMBCAA+FiEEzAPk5JDk9M0Uv6Gs+nY0w8r/lHgF
AmLC9JkCGwMFCQPD0mcFCwkIBwIGFQoJCAsCBBYCAwECHgECF4AACgkQ+nY0w8r/
lHjzXAv/X5xY19+AnSx1uCynWRJbgXffLLtBKzvb+Lthhj+xwAy94tY3GAecbpP8
13WYuEDmP3iS9mzmQ15paxxkXoR7ZUZoCmqSqdG46zYcaILO24Elpgdh/hJROiFj
SR6sLthFCFAyknTNd6+8+dXJwybtxUHcYzMKQkpSI6TkrZK4/Q4p/iYYBSsl90Df
q4vkF2QY5sN3f54ch9ula5wA6eQuAFDEHf6jPGGoSgxT7QjhZv8poUS6fXM4AKa2
gQfrIfGB4tCylNK12W6jSp/he9kNRvBj1Wk6AwDBRvhtH0uSBnUJTRhLvtpTNDoR
GiWQz3tx4vPpa7TS5Q+rR2kkuNA/JslDUGPFCdISRcykxFcdNPH03Grfex6EmPZe
g72mNHTaujgjF2oSaLc3SIPXMJ5XUXn9h/ziy0ndDZzqy/R8y16I4C9zoFgqRdXz
4gcz73SzwcJJIcmOKgZGYnbPOsVOxngZd5yR8dKf05TdGb0jsEUnIDr+ip3vPeW6
9p3BLrEOuQGNBGLC9JkBDACfdvlKtwRrJLpq27DSsc4j1DZZ38HDnZzoJMtuVcev
BTb8OHz/XrRIOQcAOFlLB+cov2xDjcSXmQmhtXesbV2m87Nm5FsEcd/we7Cd49p6
RmqbaU2aSn4X6CmoDObB46sRlvSgOTARpeXDuquhLHYapUqmKvg1aRiDK73IT2LP
r0BNtNn6jnA51QnYXDzyRbsnNU4qHXazboAN0519rueFd6JAOHsUTYFyfRxBRXDC
b3EOFwh1x/yW8cDAXklewB/vsEvHDaQmL2nBtszXPJtLv/jwWng9hLNouW5JqbIX
vIn9izn7pkNsuwyQBoevCT8OkZIZHYxo1tQapxcDxTyZAaZMkkvjCm/82BKfSUFI
xiQf1oxi+BajVyO/Ozh57D8nDYUMy6lJLfZtCKjw4pfyJ3/uiLjsFXUD9LB92dME
y6zWHot1yB9iVXLkq21KZpWuyJc6qaiB0FGhlAFOJ4Dh0s0Et6rFdH0uu9XmWEI6
3o6oU2vpp1tiYZuldAWTK1cAEQEAAYkBvAQYAQgAJhYhBMwD5OSQ5PTNFL+hrPp2
NMPK/5R4BQJiwvSZAhsMBQkDw9JnAAoJEPp2NMPK/5R4YsoL/2yBbxRwwxNJCuHi
5Pgeur/GBN+gu4zLO7t1t7JgT9ObKiIeXpDAqANp906C+WxxspQTK+4Qsr8N6ivG
PbzZ9iN9n2HjmNJe7aqZzW59+e9vki334RzK/+tupjRa7nPVB7Kqb628+jiFGy8B
O0Dr3W6e54AdLj6lwtREzsNT+hzQ3LpW0bPsGrEP7r3j14Cu4B85BQpERxAYolw6
OepNJbz1s0U8te0iJzpKcAUU84/cMZR1C1fTmzdNjJbfSpgYVPjKyGZaNhLo+OTO
TE35JCs5ApTMxeewQyD6YVGJYf+psxMtCrS7aEq6AdfiIFIlm1iTq5CLlZSzCQhz
KsaMiDcXNVdtOye1K0DUkKBLvQJndP9KRQAeCuzuE1upYUMY9pnkA9qB8+zjjamA
8Ti4+tNKRk7Xch1v2fvUX5HBcUZ5MMNLzxmkaFhw8CdMXoP+BTO1rusmxwvhHmVA
/PWBXRMhks/yprj0o6LiPvnHa7K5UkKp4CZABj/FAb10czlBuA==
=lknE

-----END PGP PUBLIC KEY BLOCK-----

Where:

[email protected]

At DEF CON:

Show up to IoT Village with your device before August 12th at 4pm PDT. You must bring:

Device, pre-configured for the exploit
Reset script to revert the device back to exploitable condition
The device must support DHCP
- *Except any devices that are attacked over Bluetooth or Zigbee interfaces

After DEF CON:

Devices can be picked up after the CTF on Sunday August 14th, 1pm local time (PDT)

Scoring:

Entries will be assigned an initial score, based on the following:

CVSS 3.1 base score X 100
- If the attack includes a chain of exploits, CVSS scoring should be done on the full chain
Discretionary modifier of 0 - 2X base score, based on:
- Type of device (unique, rare, difficult to source devices will score higher)
- Exploit method
- Perceived level of difficulty

After being entered into the CTF, scores will be decremented by the number of times it is exploited by CTF players.

-50 pts for each exploit by teams in the CTF.

Final scores will be released at the end of CTF, on Sunday August 14th. Results will be released via Twitter and in-person in IoT Village.

Prizes:

Winner of the CTF Creator Challenge will receive free entry into DEF CON 31 2nd & 3rd place will receive $180 and $90 Amazon gift cards, respectively.

1st Place

Free Entry into DEF CON 31

2nd Place

$180 Amazon Gift Card

3rd Place

$90 Amazon Gift Card

In partnership with:

Sponsors

Microsoft

With Microsoft, you can achieve digital transformation for the intelligent cloud and intelligent edge. Securely managing this digital estate requires a holistic approach that protects identities, networks, data, apps, infrastructure, and all of its endpoints. This has made Microsoft a leader in all of these domains - including the visibility and protection of the Internet of Things (IoT) and business critical industrial control systems (ICS/OT) and it provides a complete integrated end-to-end solution for the protection of your entire digital environment, wherever it resides.

INE

INE is the world’s leading provider of hands-on, role-based technical training, maniacally focused on developing experts in the areas of cyber security, networking, cloud, data science, et al. We’re experts in making you an expert. The INE Starter Pass is 100% free and grants access to not only numerous snippets of all of our course categories but also a full, introductory security learning path, Penetration Testing Student (PTS). PTS comes with slides, videos and unlimited time in our virtual labs to prepare you for eLearnSecurity’s Junior Penetration Tester (eJPT) certification exam (not included). You’ve got nothing to lose and a life-changing career move to gain!

CUJO AI

CUJO AI is the global leader of cutting-edge cybersecurity and network intelligence solutions that enables network operators globally to improve the digital life protection of their customers in and outside the home. By pioneering AI-powered cybersecurity and empowering a growing ecosystem of OEM partners, CUJO AI is at the forefront of supplying protection to billions of network service subscribers around the world. Mobile and fixed network operators use CUJO A's holistic capabilities to improve their customer value proposition, monetize their networks, and reduce operating complexity and costs.

HACK THE BOX

Hack The Box is a massive, online cybersecurity training platform, allowing individuals, companies, universities and all kinds of organizations around the world to level up their hacking skills.

Check out House Edge, the Hack the Box custom CTF challenges in the IoT Village DEF CON CTF.

Nozomi Networks

Nozomi Networks is the leader in OT and IoT security and visibility. We accelerate digital transformation by unifying cybersecurity visibility for the largest critical infrastructure, energy, manufacturing, mining, transportation, building automation and other OT sites around the world.

Rapid7

Partnering with Rapid7 gives you solutions you can count on, seamless controls, and the strategic guidance you need to stay ahead of attacks. The Insight Platform also helps unite your teams so you can stop putting out fires and focus on the threats that matter. Security, IT, and DevOps now have easy access to vulnerability management, application security, detection and response, external threat intelligence, orchestration and automation, and more.

Sixgen

Sixgen provides world-class cybersecurity services and products to protect government organizations and commercial industries. Their highly skilled operators conduct research and assessments based on real-world threats. They emulate global adversaries and malicious actors to report detailed and actionable findings on critical assets and infrastructures. Using innovative processes, tools, and advanced techniques, they predict and overcome cybersecurity vulnerabilities. Sixgen prioritizes security best practice, customer requirements and privacy, and overall mission impact.

Zoox

Zoox was founded to make personal transportation safer, cleaner, and more enjoyable—for everyone. To achieve that goal, the team created a whole new form of transportation.