What is Blackhat?
Founded in 1997, Blackhat is an internationally recognized cybersecurity event series providing the most technical and relevant information security research. Grown from a single annual conference to the most respected information security event series internationally, these multi-day events provide the security community with the latest cutting-edge research, developments, and trends.
My friends and I were going to Las Vegas to go to Defcon for the first time, and while we were in the neighborhood, I asked jokingly the following:
Question: Can we sneak into Blackhat?
It turned out that yes, yes we can.
Step 0: Reconnaissance
My task started by investigating online to see what the badges may look like, because if this is like any other mainstream conference, we may get lucky and find pictures online on someone's social media page. After no such luck, I turned to my handy dandy search engines to see if there were any images of previous badges.
Alas! I was able to find some previous badge holders for sale on eBay for $10!
By this time, I was starting to feel like this was at least plausable, now that we have some potential look-alike badges and some idea as they what they could be. After a couple more days of reconnaissance, I had found something that was a big game-changer.
Vulnerability 1: No verification of attendance for mixers.
Thanks to LinkedIn, I was able to find an invite for a mixer with a top Cybersecurity Company! After going through the reservation process, I realized that they DO NOT VERIFY if I am actually attending Blackhat, so with that I was able to register me and my buddy to the event, and get our names 'legitimately' on the lists!
Perfect, now we wait with our previous legitimate badges and real reservations for a REAL mixer at Blackhat.
Step 1: Weaponization
Now I have been known to be notoriously cheap, so thinking that we may have to appear to be wealthy, my go to place for such an outfit is always Goodwill.
After < $100 bucks later and change with some new suits and some back-up badges, the team is ready to go mingle at the Happy Hour event.
Total $ In: $80 (Suits) + $10 (Badges) = $90~
Step 2: Delivery
Time to shine. We arrive at the mixer and start mingling with all of the Cybersecurity folks and honestly, there are some really nice and amazing people there! Me and my buddy are able to just sit and hear some amazing stories about what the companies are working on, and how happy their clients are.
Now, the next phase of the plan is to see if we are able to take pictures of the legitimate badges for the year and we then make some startling discoveries...
Step 3: Exploitation
To our suprise, we found out that the Blackhat badges for 2022 were printed on paper!
Vulnerability 2: Badges printed on paper.
We worked on getting as many pictures as possible of the badge to ensure we'd be able to duplicate one if needed. The best part was that our hotel had a printer available and so with a little bit of Photoshop magic, I think that we'd be able to get ourselves a legitimate looking badge in no time.
Shoutout to the other person at the mixer who looked to be aware of what were up too! It appeared that they were doing the same thing and they are the ones to thank for the picture of the back of the badge. You know who you are kind stranger.