What is Blackhat?
Founded in 1997, Blackhat is an internationally recognized cybersecurity event series providing the most technical and relevant information security research. Grown from a single annual conference to the most respected information security event series internationally, these multi-day events provide the security community with the latest cutting-edge research, developments, and trends.
My friends and I were going to Las Vegas to go to Defcon for the first time, and while we were in the neighborhood, I asked jokingly the following:
Question: Can we sneak into Blackhat?
It turned out that yes, yes we can.
Step 0: Reconnaissance
My task started by investigating online to see what the badges may look like, because if this is like any other mainstream conference, we may get lucky and find pictures online on someone's social media page. After no such luck, I turned to my handy dandy search engines to see if there were any images of previous badges.
Alas! I was able to find some previous badge holders for sale on eBay for $10!
By this time, I was starting to feel like this was at least plausable, now that we have some potential look-alike badges and some idea as they what they could be. After a couple more days of reconnaissance, I had found something that was a big game-changer.
Vulnerability 1: No verification of attendance for mixers.
Thanks to LinkedIn, I was able to find an invite for a mixer with a top Cybersecurity Company! After going through the reservation process, I realized that they DO NOT VERIFY if I am actually attending Blackhat, so with that I was able to register me and my buddy to the event, and get our names 'legitimately' on the lists!
Perfect, now we wait with our previous legitimate badges and real reservations for a REAL mixer at Blackhat.
Mwuahahahaha.
Step 1: Weaponization
Now I have been known to be notoriously cheap, so thinking that we may have to appear to be wealthy, my go to place for such an outfit is always Goodwill.
After < $100 bucks later and change with some new suits and some back-up badges, the team is ready to go mingle at the Happy Hour event.
Total $ In: $80 (Suits) + $10 (Badges) = $90~
Step 2: Delivery
Time to shine. We arrive at the mixer and start mingling with all of the Cybersecurity folks and honestly, there are some really nice and amazing people there! Me and my buddy are able to just sit and hear some amazing stories about what the companies are working on, and how happy their clients are.
Now, the next phase of the plan is to see if we are able to take pictures of the legitimate badges for the year and we then make some startling discoveries...
Step 3: Exploitation
To our suprise, we found out that the Blackhat badges for 2022 were printed on paper!
Vulnerability 2: Badges printed on paper.
We worked on getting as many pictures as possible of the badge to ensure we'd be able to duplicate one if needed. The best part was that our hotel had a printer available and so with a little bit of Photoshop magic, I think that we'd be able to get ourselves a legitimate looking badge in no time.
Shoutout to the other person at the mixer who looked to be aware of what were up too! It appeared that they were doing the same thing and they are the ones to thank for the picture of the back of the badge. You know who you are kind stranger.
Step 4: Installation
Vulnerability 3: No verification of ID after entrance.
By this time, we ended up hanging out with the vendor folks for a while now, and so our faces ended up being associated with their team and we were off to go to the next restricted event, which was an exclusive party at the LevelUp lounge.
This is where our monkey-suits really paid off, as we were now able to confidently stroll into the VIP area and recieve all of the VIP perks that come with it!
Step 5: C&C / Actions on Objectives
Command & Control:
By this time, I was able to phone home and inform my loved ones what we were able to accomplish, and we seemed to have successfully hack our way (Social Engineer / Prep) into the premier cybersecurity conference in the world.
Actions on Objectives:
Now we were able to take a modest amount of free swag from security vendors, obtain beverages for a modest price (free), and ultimately have a very good pre-game for what is known as Defcon.
While this was a very fun and what appears to be a common occurrence, there were some concerns that had been raised. Unfortunately, due to the volume of people that attend the conference, there may just be a limited number of personnel to properly verify which makes it easy for one or two hackers to slip through, unnoticed.
Lessons Learned
One: The biggest lessons learned here would be to ensure you verify conference attendance for these mixers that occur. My hail mary had turned into something that could really become a repeatable process.
Two: Question "Suits" or people who are not showing identification properly, or showing ID at all.
Three: If you are charging around 3K per person, then it makes sense to print a sophisticated badge as well that aren't easily duplicated.
TODO
I have reached out to the awesome folks at Blackhat but have not received a response.