Part of my role has always been to create and present workshops, talks and labs at our conferences, such as Cisco LIVE! It’s an enjoyable challenge, finding new and interesting ways to engage with attendees.
Our developer zone, DEVNET, aims to provide a ‘sales-light’ environment, focused on hands-on learning and emerging development trends.
The Problem
Cybercrime and the persona of the “malicious hacker” are now more commonplace in the public eye than ever, with ransomware and IoT botnets affecting critical infrastructure such as healthcare and power transmission.
With more and more home and office gadgets we rely upon being internet-connected, I wanted a very interactive way to highlight the current state of IoT security, and to highlight how enterprises can improve their defenses using Cisco’s security portfolio: all without making it a sales pitch.
The Inspiration
I was lucky enough to attend my first DEFCON in 2017, one of the largest hacking conferences in the world, held every August in Las Vegas.
As well as awesome talks, meeting cool people, and gaining first hand experience hacking voting machines: I was really impressed with the level of interactivity throughout the conference and all its “villages”.
IoT devices, car control systems, front door locks and connected grid equipment, everything was presented in a hands-on manner, giving hackers a fun new challenge, or the ability to hone their skills in a safe environment.
The level of engagement in these challenges, the adrenaline of the hack, and the mental high that came with succeeding was visible on the face of every participant.
A Completely Novel Approach
It was time to bring a little of the DEFCON spirit into Cisco LIVE! and let the attendees perform these hacks for themselves, their very own 15 minutes of playing the “bad guy”.
And so the “Blackhat Whitehat Security Challenge” was born!
(and yes, the name probably needs a makeover!).
The Demo
The demo has four tasks. Before starting, the attendee is given background information in the form of ‘existing reconnaissance’, an incomplete infrastructure diagram, an explanation of the challenge and finally, where to find the tools they will be using.
As the attendee progresses, a starting clue and a reminder of the tools available to them is provided for each task.
1
Task One…
…First, the attendee must hack their way onto the WiFi network by sniffing the handshake of an existing client and brute forcing the password. Once on the network, the WiFi lights above the monitor turn green, giving immediate visual feedback to the aspiring hacker.
2
Next Up…
…The WiFi is isolated from the wired network, emulating guest style networks in hotel or corporate settings. The attendee must use a vulnerability in the router to access the device and disable the isolation. The router turns green, onto the next challenge.
3
A Camera…
…Protects the safe, challenge three involves using a backdoor to access the recordings on the camera, revealing an ‘employee’ accessing the safe and revealing the code. The camera LED’s turn green.
4
Safe code in hand…
…The attendee needs to use a final exploit to DoS the camera off the network (well, they wouldn’t want to get caught accessing the safe would they!) The safe turns green once the camera is disabled.
Making a dash for the safe completes the “blackhat” side of the challenge, with attendees claiming their prize, a DEVNET branded black fedora!
5
Well, that wasn’t very hard was it?
The attendee is then shown, to the “Whitehat” section, powered by the wonderful people in our security business unit.
The demo feeds all traffic created by our hackers through to Cisco next generation firewalls, allowing us to show the attendees in real time how the devices would have detected and mitigated all of the real-world attacks and exploits they have just performed.
It was really encouraging to hear the questions from our attendees and see the level of interest in the firewall demos following the hands on challenge! — Whitehat Team.
It would be wrong of me not to use this point to give a huge thank you to the Security business unit for their time and effort! Not only in making the white hat side of the booth a massive success, but also in working with me to design the flow of the whole challenge, with members of the Cisco Talos team even providing suggestions for the IoT hardware and exploits that would be suitable.
Outcome and Feedback
I wanted a very interactive way to highlight the current state of IoT security, and to highlight how enterprises can improve their defenses using Cisco’s security portfolio: all without making it a sales pitch.
I think we more than achieved the initial aim. The booth was bright and visual, easily identifiable from across the conference hall.
The audience surrounding the challengers were a constant addition to the booth and attracted even more attendees.
The offer of “real hacking tools, against real devices” in a curated fashion seemed to hit the perfect level of challenge vs time vs prerequisite knowledge. It was definitely an experience few had the opportunity to try before, and never at a conference.
Such was the uniqueness of the challenge, a common theme of questions from bystanders emerged..
“What do I need to know before I try this?”
“Will it be impossible if i’m not a hacker?”
“What if I don’t know XYZ”.
It was really satisfying to be able to say “no experience necessary”, mean it, and watch as the curated tools, guides and hints allowed each attendee to successfully defeat the challenge and claim their prize!
This “ease” also perfectly highlights why IoT security is an area that needs serious industry focus!
Challenges Faced
As you can imagine, there were a number of technical challenges in creating a booth like this, I’ll be keeping this post more high level, look out for the second part in this series for the nitty gritty technical details, including code for the lighting controllers and automating the challenge itself.
User Experience
As with anything, user experience will make or break usability. A huge number of tweaks and changes to the challenge documentation, based on real user testing and feedback contributed to the success.
- A large list of tools available caused user hesitancy to click through to the next page (for fear of losing their reference page). We resolved this by simplifying the welcome page, instead moving relevant tool information into each task page.
- Users don’t often read everything, especially when there is a tempting “next” button below the content. Warning boxes (red background) in the markdown were used just before decision points to force the user to check their status. The physical LED strips on each device were also tied into the instruction text to provide checkpoints for the user.
Real Hacking Tools vs Zero Experience
A lot of time and effort went into wrapping real hacking tools and exploit code in order to make them a lot more usable for our audience.
A challenge of this level, for example, expected an attendee to choose the right tool from our curated toolbox and provide simple parameters, such as IPs, SSIDs or MAC addresses. The other X arguments needed for a given tool were automatically provided by our wrappers.
Equally, a lot of tools require setup, such as wireless hacking tools needing the wireless card to be in a certain mode. Commands to ensure this was the case were run silently in the background, focusing the user on just the “attack” in each case.
Don’t overload your proctors
Proctors or booth staff can’t be expected to learn and understand the intricacies of a booth such as this, they usually have many other roles and jobs within the event.
A lot of time and effort was placed into fully automating the booth, with each desk resetting itself, ready for the next attendee when necessary. This included re-configuring the devices, as well as cleaning up the workstation state. A fine example of some of the Network automation concepts on display elsewhere in the DEVNET zone!
See the technical followup article for more information on these topics.
Future Improvements
There’s always room for improvement, here are some ideas i’m toying with for the next revision of our challenge!
- I’d like to support different difficulty levels, this could either be more tasks for the higher difficulties, less support from the wrapper scripts and documentation, or a mixture of both.
- I’d like a longer (time duration) version of the challenge to be able to teach penetration testing methodologies, with more emphasis on target discovery, reconnaissance; etc.
- As a bit of a software defined radio (SDR) geek, I’d like to get an IoT lock or other radio frequency devices integrated into the challenge.
- Virtualized — How could you provide this type of experience without the overhead of shipping the equipment and reducing the related setup and tear down time: Would this reduce the level of interest in the challenge?
Conclusion (TL;DR)
Provide a real challenge to your attendees, with the sales message as a realization rather than a forced presentation: Your attendees (and sales teams) will thank you for it!
On execution, double and triple check and refine your documentation from real user feedback.
Automate where you can to ensure less stress and reduce potential for failure onsite.
Don’t expect your proctors to care or understand the challenge as deeply as you, they have their own conference responsibilities.
Build something you are passionate about, it will show in everything you do!
Where to next? Find me at Cisco Live Melbourne! We are bringing surprises for you there, too.
Where can I get one those fancy hats?
Good stuff, Matt!
You rock, Matt. Always an opening helping me with events! See you in Copenhagen!