Kiwicon is New Zealand’s largest InfoSec conference, and brings together professionals, students and hobbyists to discuss various aspects of security. This was my first time attending Kiwicon or a tech related conference in general, so I had no idea what to expect. With over 2100 attendees and 30 talks across both Friday and Saturday, there was a lot to see, hear and do and I had a great time. I decided to write this post about my personal Kiwicon highlights as a way to recap a very busy couple of days.
Pre Kiwicon Training – Bluetooth Hacking
I could probably write a blog post solely on this training session, but decided it would fit better as part of this wider Kiwicon post. On the Wednesday before Kiwicon I attended a training session titled Bluetooth Low Energy Hacking 101. As the name might suggest, this day was a crash course in hacking Bluetooth Low Energy devices to remotely control them using an external laptop. By sniffing the packets sent between a Bluetooth device and its paired phone, we were able to analyze these packets in Wireshark to discover the handle and UUID values of various commands. After finding these values we could then connect to the Bluetooth devices and send read and write commands to gain information or alter properties of the devices themselves. Although it was difficult to identify which specific Bluetooth device we were connecting to (imagine being in a small room with 10 of the same devices), it was still an interesting session where I learned a lot about how Bluetooth works and how it can be exploited. As more devices become Bluetooth enabled, these types of attacks could become more frequent. Bluetooth and IoT security is something I am personally interested in, and something I am likely to study in the future.
With over 30 presentations, each day was jam-packed with talks on various InfoSec-related topics. I didn’t attend every talk as I participated in other things around the con (see the CTF section below) but the ones I did attend were all very interesting.
Personal highlights for me were:
Apathy and Arsenic: a Victorian Era lesson on fighting the surveillance state
This talk discussed the rise and fall of arsenic in Victorian-era London, and compared it to our current privacy situation. The slow movement away from the use of arsenic as people became more aware of its dangers has parallels with the increasing awareness of the need for data privacy today. With exposure around data breaches increasing, people are beginning to be less tolerant of companies who handle our personal data poorly. The talk was a hopeful message on how society is coming to value privacy and how this movement can be sustained for the future.
This quick talk was all about hacking Ducati motorcycles. From a live demo on how to turn the ignition on without a proper key, to firmware extraction and unlocking more of the engine’s horsepower, it was amazing to see how much of a modern motorcycle could be exploited. It was my first time seeing a vehicle hacked despite the stories I have read, and the speaker’s skill and passion were incredible. As computers are now in almost everything we use, it’s sobering to think that almost nothing is truly secure.
ScRooters – disrupting the electric scooter market
An extremely topical talk given the sudden popularity of electronic scooters in New Zealand, this talk was about exploiting the GPS, API and physical components of e-scooters. Unsurprisingly, some companies have a better security posture than others, but it was still shockingly easy for GPS information to be accessed or a scooter’s lock to be overridden. Similar to the Ducati talk above, this talk was particularly interesting to me as it involved hacking something other than the ‘traditional’ computer systems I have been attacking in the OSCP labs.
Capture The Flag Challenge
For most of the second day, I decided to join a friend and participate in the Kiwicon CTF challenge. The challenge was incredibly well made, with users participating in a M.U.D-style game where you explored a world and story whilst attempting various challenges along the way. The flag challenges were more like puzzles than they were vulnerable machines, with no ‘traditional’ exploits required. For example, one flag was located in the cookies of a web application after finding the user credentials as a comment in the page’s source code. There was no real reason or logic to finding this flag other than looking around as much as possible and stumbling into the cookie info. Because of this, we found ourselves stuck on a few challenges which prevented us from progressing further in the story. Although we weren’t able to do as well as we had hoped, our final placing of 23rd out of 57 teams is still a respectable effort.
This is more in the physical security realm, but lock picking is still relevant to wider information security and also happens to be quite a lot of fun. I learned how to pick a set of handcuffs, as well as the basics of picking a typical lock. As you’d expect at a hacker conference like Kiwicon, there were some people who were masters at lock picking and watching them so quickly pick various locks was a spectacle in itself.
Kiwicon was a great experience overall. I was able to meet new people, learn new things and get a feel for what the security community is like. Most of all, it was something different that I had never experienced before. I’m looking forward to attending similar conventions in the future, and would highly recommend them to anyone who hasn’t been to one before.