When we travel with valuable baggage, we rely on the security of locks, especially those that are TSA-approved. But how secure are they really? In this talk, we’ll present our research on the vulnerabilities and bypasses of these locks and their embedding into the baggage, covering the most common models as well as the newer TSA008. We’ll discuss how lock picking techniques, master keys, and bypass methods can compromise the security of all TSA-approved models, potentially putting our belongings at risk.
SpeakerBio: Hector Cuevas Cruz, Bishop FoxHéctor is a Senior Managing Security Consultant at Bishop Fox with over 13 years of experience in offensive security, digital forensics, threat hunting, and incident response. Hector has presented at international conferenses such as DEFCON, SummerCon, WWHF & Ekoparty. He also leads Pwntacles, a student-driven hackerspace focused on cybersecurity research and development.
- ics Calendar file
"Ask a Hiring Manager" is an interactive group workshop designed to give job seekers and professionals direct access to seasoned hiring managers across various cybersecurity roles. Whether you're a recent graduate, transitioning from another field, or already working in security and exploring what's next, this is your chance to get unfiltered answers to the questions that matter most.
SpeakerBio: Cory WolffWith over 20 years of experience in IT, security, and development, Cory Wolff leads the offensive security practice at risk3sixty, a consulting firm based in Atlanta, GA. He holds multiple certifications, including the Offensive Security Certified Professional (OSCP) and the Certified Information Systems Security Professional (CISSP), and has a proven track record of building and breaking various technologies since his first computer in 1988.
Cory also contributes to the cybersecurity community as a core team member of Red Team Village, a platform that fosters collaboration, learning, and innovation among red teamers and security professionals.
- ics Calendar file
"Ask a Hiring Manager" is an interactive group workshop designed to give job seekers and professionals direct access to seasoned hiring managers across various cybersecurity roles. Whether you're a recent graduate, transitioning from another field, or already working in security and exploring what's next, this is your chance to get unfiltered answers to the questions that matter most.
SpeakerBio: Peter HefleyTeam and people builder for over 20 years, primarily in the offensive security space.
- ics Calendar file
"Ask a Hiring Manager" is an interactive group workshop designed to give job seekers and professionals direct access to seasoned hiring managers across various cybersecurity roles. Whether you're a recent graduate, transitioning from another field, or already working in security and exploring what's next, this is your chance to get unfiltered answers to the questions that matter most.
SpeakerBio: Troy Fridley
- ics Calendar file
Kubernetes is the de facto operating system of the cloud, and more and more organizations are running their workloads on Kubernetes. While Kubernetes offers many benefits, it also introduces new security risks, such as cluster misconfiguration, leaked credentials, cryptojacking, container escapes, and vulnerable clusters.
In this hands-on session, attendees will dive into the world of Kubernetes security by exploring powerful open source tools and practical techniques used to audit and exploit K8S clusters. You'll learn how to quickly identify misconfigurations and vulnerabilities in containerized applications running on Kubernetes, leverage those weaknesses to steal service account tokens, move laterally across the environment, and potentially take full control of the cluster. Whether you're a red teamer, bug bounty hunter, or just getting started in cloud security, this session will equip you with the skills to pwn your first Kubernetes cluster.
SpeakerBio: Lenin AlevskiLenin Alevski is a Full Stack Engineer and generalist with a lot of passion for Information Security. Currently working as a Security Engineer at Google. Lenin specializes in building and maintaining Distributed Systems, Application Security and Cloud Security in general. Lenin loves to play CTFs, contributing to open-source and writing about security and privacy on his personal blog https://www.alevsk.com.
- ics Calendar file
This talk presents a practical methodology for reverse engineering real-time embedded firmware built on ARM Cortex platforms. Using Ghidra as the primary analysis environment to facilitate collaboration. We will demonstrate how to reconstruct the core layers of an embedded system to gain deep insight into its operation. The Board Support Package (BSP) is mapped using the SVD loader plugin to associate memory-mapped registers with hardware peripherals. The Hardware Abstraction Layer (HAL) is analyzed through custom type recovery and function pattern matching to identify initialization routines and peripheral control logic. At the RTOS level, we apply Ghidra’s BSim plugin to detect task creation, scheduler logic, and inter-process communication constructs used in FreeRTOS and similar kernels. The session equips attendees with a structured approach to reversing embedded C/C++ applications, even when symbols are stripped and source code is unavailable. The goal is to enable firmware analysts, security researchers, and engineers to confidently dissect the layered architecture of constrained, real-time embedded systems.
SpeakerBio: SolaSecCaleb Davis is a founding member of SolaSec, a cybersecurity consulting firm specializing in advanced penetration testing for embedded and connected systems. Based in Dallas/Fort Worth, he holds a degree in Electrical Engineering from the University of Texas at Tyler and is a patent-holding expert with vast experience in hardware and firmware security. Caleb leads deep technical assessments across a range of high-impact industries, including medical devices, automotive, industrial control systems, ATMs and financial terminals, aerospace components, and consumer electronics. His work focuses on secure design, trusted boot processes, cryptographic implementations, and threat modeling, helping organizations integrate security throughout the development lifecycle and align with industry and regulatory standards.
- ics Calendar file
After DC32, we had one question for ourselves: How could we possibly build upon the work done with last year’s ADS-B badge? Building upon the work we talked about at 38C3, the badge became a mixture of ideas. We wanted new functions extend the badge, but also be accessible for everyone. That set our direction for this year: a radio SAO that would have multiple levels of connectivity. Join us for a behind-the-scenes look as we walk through how we were able to (ab)use hardware to receive out of band signals, creating a custom signal processing chain, and create an SAO that can be integrated into your own badge. Now that you’ve got your hands on this year’s Aerospace Village badge, join Adam and Robert as they discuss the challenges and successes the team faced while building this year’s village badge.
Speakers:Adam Batori,Robert Pafford
- ics Calendar file
You all know that PLC4TRUCKS is unintentionally accessible wirelessly (CVEs 2020-14514 and 2022-26131). In this talk we will dig into the details of the new CVE-2024-12054 and some other results on the ECU investigated. This talk is tailored to those with an automotive cybersecurity background. We found ECUs running the KWP2000 diagnostic protocol on PLC4TRUCKS, supposedly secured with their fancy seed-key exchange. But guess what? Those seeds are way more predictable than they should be. A bit of timing trickery, a classic reset attack, and boom – we're in, no peeking at the ECU's responses needed. Blind, non-contact attacks on PLC4TRUCKS? Yep, we found a way. Turns out wireless unauthorized diagnostics access isn't just limited to older equipment. These newer trailer brake controllers' diagnostic functions can be abused too. This situation highlights the need for future tractors to deploy mitigations that protect the trailer from wireless attacks because they are all reachable and even the new ones are vulnerable.
SpeakerBio: Ben GardinerBen is a Senior Cybersecurity Research Engineer at the National Motor Freight Traffic Association, Inc. (NMFTA)™ specializing in hardware and low-level software security. He has held security assurance and reversing roles at a global corporation, as well as worked in embedded software and systems engineering roles at several organizations.
Ben has conducted workshops and presentations at numerous cybersecurity events globally, including the CyberTruck Challenge, GENIVI security sessions, Hack in Paris, HackFest, escar USA and DEF CON.
Ben holds a M.Sc. Eng. in Applied Math & Stats from Queen’s University. In addition to speaking on the main stage at DEF CON, Ben is a volunteer at the DEF CON Hardware Hacking Village (DC HHV) and Car Hacking Village (CHV). He is GIAC GPEN and GICSP certified, chair of the SAE TEVEES18A1 Cybersecurity Assurance Testing TF (published J3322), a contributor to several American Trucking Associations (ATA) Technology & Maintenance Council (TMC) task forces, ISO WG11 committees, and a voting member of the SAE Vehicle Electronic Systems Security Committee.
- ics Calendar file
Jun “Ghost Hacker” Kawasaki is an MD-candidate in Brain Pathology at Niigata University and former Tendai monk who reverse-engineers human being systems by fusing neuroscience, information physics, and ancient rituals. In his DEFCON parts—drawn from his new book Ghost Hacker: How to Hack the Human Spirit—he’ll reveal the playbook for planting and propagating ideas in the human spirit. also secure your spirit and soul.
Payment Method: Credit Card, Paypal
DC 33 Engagements - Car Hacking Village, Biohacking Village, GenSec, AIxCC
SpeakerBio: Jun “Ghost Hacker” KawasakiJun “Ghost Hacker” Kawasaki is an MD-candidate in Brain Pathology at Niigata University and former Tendai monk who reverse-engineers human being systems by fusing neuroscience, information physics, and ancient rituals. In his DEFCON parts—drawn from his new book Ghost Hacker: How to Hack the Human Spirit—he’ll reveal the playbook for planting and propagating ideas in the human spirit. also secure your spirit and soul.
DC 33 Engagements - Car Hacking Village, Biohacking Village, GenSec, AIxCC
- ics Calendar file
Wi-Fi Easy Connect is a protocol introduced by the Wi-Fi Alliance as the core replacement for Wi-Fi Protected Setup (WPS). It is designed to simplify device provisioning using user-friendly methods such as QR code scanning or short-range wireless technologies like NFC and Bluetooth. In this paper, we present a comprehensive security and privacy assessment of Wi-Fi Easy Connect (version 3.0).
Our analysis uncovered several security issues, including aspects of the protocol’s design that may unintentionally expand the attack surface compared to WPS. Notably, we found that design choices intended to enhance usability can compromise security. All identified issues were disclosed to the Wi-Fi Alliance, and we incorporated their feedback regarding mitigations and risk acceptance into our evaluation.
This work underscores the critical balance between usability and security in protocol design and the dangers of prioritizing ease-of-use at the expense of robust security guarantees.
References:
George Chatzisofroniou is a computer security researcher and engineer specializing in Wi-Fi and wireless network security. He has conducted infrastructure and software security testing for Fortune 500 companies across Africa, Asia, Europe, and North America. His research has been presented at leading security conferences and has attracted media coverage for uncovering critical protocol-level vulnerabilities.
- ics Calendar file
Final words, thanks, and giveaways.
SpeakerBio: Bug Bounty Village Staff
- ics Calendar file
Join us at the Bug Bounty Village for the CTF Award Ceremony, where we celebrate the top performers of our inaugural Capture The Flag competition. During this in-person ceremony, we’ll recognize the highest-ranking participants on the leaderboard and award prizes to those present. If you’ve competed in the CTF and secured a spot on the leaderboard, make sure to attend and claim your prize! This is a unique opportunity to honor the skill and creativity of the global hacking community and to connect with fellow researchers and organizers. We look forward to seeing you there!
Speakers:Bug Bounty Village Staff,CTF.ae
- ics Calendar file
CTF.ae will perform a CTF Walkthrough Session, where they'll dive into some of the most interesting challenges from our inaugural Capture The Flag competition. In this session, we'll showcase a selection of the vulnerabilities hidden in the competition’s ecosystem — spanning web, API, and LLM assets — and demonstrate how they could be discovered and exploited. Whether you participated in the CTF or are just curious to learn, this is a great chance to see real-world techniques and creative solutions in action, explained by the creators themselves.
SpeakerBio: CTF.ae
- ics Calendar file
Come hang out with us in the village as we start Sunday morning off easy.
- ics Calendar file
High-entropy ASLR was supposed to make bypasses of ASLR on Windows virtually impossible - until now! This talk will debut nine novel bypasses of the strongest form of ASLR on Windows, which makes attacks such as brute-forcing totally infeasible. This talk showcases how mostly simple, easy-to-find ROP gadgets can be used to construct highly reliable, universal ASLR bypasses to key Windows system DLLs, allowing ROP gadgets from those DLLs to be used freely in exploits! The end result? The attack surface is greatly expanded, making it possible to do more attacks on binaries previously constrained by limited gadgets. What may have been impossible before due to insufficient ROP gadgets, now is quite possible! While this talk focuses primarily on ASLR bypass for x64, we will also briefly touch upon similar attacks for x86. As part of this talk, for the first time ever, I am also releasing and open-sourcing a new mini-tool that will generate complete, x64 ROP chains for each of these bypasses! We will see this ASLR bypass attack in action with demo. We conclude with recommendations to help remediate the problem. This talk is an in-depth technical deep dive into Windows internals and the design of this technique, but it will also be presented in an accessible way to beginners.
References:
Dr. Bramwell Brizendine has a Ph.D. in Cyber Operations and is the Director of the VERONA Lab. Bramwell has regularly spoken at DEFCON and presented at all regional editions of Black Hat (USA, Europe, Asia, MEA), as well as at Hack in the Box Amsterdam and Wild West Hackin' Fest. Bramwell received a $300,000 NSA research grant to create the SHAREM shellcode analysis framework, which brings unprecedented capabilities to shellcode analysis. He has additionally authored ShellWasp, which facilitates using Windows syscalls in shellcode, as well as two code-reuse attack frameworks, ROP ROCKET and JOP ROCKET. Bramwell has previously taught undergraduate, master's, and Ph.D. courses on software exploitation, reverse engineering, offensive security, and malware analysis. He currently teaches cybersecurity courses at the University of Alabama in Huntsville.
- ics Calendar file
For over 10 years, I've operated at every level of darknet markets - from carding forums to multi-million dollar platforms. This is the unfiltered reality they don't teach you:
I'll share never-before-seen screenshots, chat logs, and operational details that reveal why no market lasts forever. Whether you're a researcher, journalist, or just curious - this is the uncensored history of the darknet's most infamous moments.
References:
godman666 has operated in the darknet’s criminal underbelly for over a decade. Starting with carding at 16, he moved to spam operations before rising through Silk Road and Tor carding forums. He built phishing empires, sold hacking tools, and ran infrastructure for major markets—including engineering the darknet’s largest phishing operation after a fallout with Empire Market’s staff. A backend role at a top market later ended in financial sabotage (ask about Christmas 2019). Recognized in Wired’s "The Most Dangerous People on the Internet" (2022), he shifted to offshore legal warfare takedown arbitrage, Wikipedia edits, and creative compliance. DEF CON’s Darknet Market Contest? Sabotaged by a hangover.
- ics Calendar file
Every watt and bit tells a story.
The concept of "smart grids" dates back to the 1970s with automatic meters, but the term emerged with the Energy Independence and Security Act of 2007. Since 2012, the integration of smart grids and Cloud computing has been a topic at IEEE meetings. This raises key questions: How do we assess risks to physical and virtual infrastructure? What are the impacts of a breach? Where does digital forensics fit in?
Since 2017, the Cloud Forensics Workshop has introduced security professionals to core Cloud forensics concepts. The latest Smart Grid Edition explores the relationship between smart grids, Cloud computing, and digital forensics. Participants will engage in hands-on labs using open-source tools to identify indicators of compromise (IoCs), acquire forensically sound artifacts, and apply AI and automation in investigations. Registered students will download sample data before the workshop and apply their skills in a live tabletop exercise.
SpeakerBio: Kerry "Professor Kilroy" HazeltonKerry Hazelton - also known as "Professor Kilroy" - has been involved in the technology and security industry for over twenty-five years crafting his own version of "Protection Against the Dark Arts" with an extensive knowledge of information systems, data center operations, Cloud computing, digital forensics, and incident response.
Ever the security enthusiast and a sucker for movie references, combined with a deep passion for teaching and mentoring; Mr. Hazelton created the Cloud Forensics Workshop and CTF Challenge in 2017, which is a technical workshop that focuses on learning about the science of Cloud forensics and its real-world applications, followed by a Capture-the-Flag competition to gauge his students’ comprehension and critical-thinking skills by solving multiple forensic puzzles in a race against each other within the allotted amount of time.
He can be found posting his random thoughts on gaming, hacking, or life in general somewhere on the medium known as the Internet.
- ics Calendar file
This is your last chance to place a phone call from inside the soundproof booth! You know you want to!
- ics Calendar file
- ics Calendar file
With over 15 years of global experience across all domains of information security, she is a trusted leader in cybersecurity architecture, cloud adoption, DFIR, and threat intelligence. Her work emphasizes proactive defense—prioritizing prevention, early detection, and rapid response across hybrid environments. As a Principal Consultant with Quantum Mergers, she has guided highly regulated organizations through cloud deployments, DFIR engagements, and the design of advanced cybersecurity frameworks that integrate offensive and defensive strategies. Her expertise spans securing APIs, blockchain platforms, and AI/ML systems, aligning innovation with risk-based security. A member of the Forbes Business Council, she contributes strategic insights that help global enterprises build trust, scale securely, and outpace threats through intelligence-driven security. She serves as a board advisor to several organizations and is a philanthropic supporter of nonprofit initiatives focused on women’s rights and global education. A passionate advocate for equity and opportunity, she balances her professional pursuits with family time, a love for live music, the arts, her three pets, and a nomadic lifestyle that reflects her identity as a global citizen.
- ics Calendar file
This workshop provides an in-depth, hands-on experience in the creation and analysis of malicious applications, focusing on the techniques used by attackers to compromise mobile devices. Participants will learn how to manipulate Android applications using tools such as Android Studio, APKTool, Burp Suite, and Metasploit to inject payloads, bypass security mechanisms, and establish remote access. Through step-by-step demonstrations, they will explore methods for obfuscation, privilege escalation, and persistence, gaining a clear understanding of how adversaries exploit vulnerabilities in mobile environments.
Beyond offensive techniques, the workshop emphasizes defensive strategies, equipping attendees with skills to detect, analyze, and mitigate mobile threats. Using malware analysis and reverse engineering, students will learn how security professionals track, neutralize, and prevent attacks. Real-time lab exercises will reinforce these concepts, ensuring that participants leave with practical expertise applicable to ethical hacking, penetration testing, and security research. This session is ideal for cybersecurity professionals, developers, and researchers looking to deepen their knowledge of mobile security and ethical hacking methodologies.
SpeakerBio: HackeMate, Offensive Cybersecurity EngineerHackeMate is the YouTube channel where Gianpaul Custodio, a Offensive Cybersecurity Engineer, shares his expertise in ethical hacking, as well as offensive and defensive security. With over 28,000 subscribers engaged in the world of cybersecurity, he has established himself as a key figure in the community through challenges, technical analyses, and hands-on demonstrations.
Professionally, he holds Red Team certifications such as the eLearnSecurity Junior Penetration Tester (eJPT) and Web Penetration Tester (eWPT), along with Blue Team certifications like Microsoft Azure Fundamentals (AZ-900) and Microsoft Security, Compliance, and Identity Fundamentals (SC-900). He is also a Google Product Expert for Google Drive, contributing his knowledge in cloud security and optimization.
- ics Calendar file
- ics Calendar file
- ics Calendar file
One year after launch, the DEF CON Franklin returns to the Mainstage with partners from the Cyber Resilience Corps with updates on their mission to empower local communities through cyber volunteering and grassroots defense. We'll share key lessons learned from running on-the-ground volunteering programs and future plans for scaling civic cyber defense by joining forces. From helping small towns respond to ransomware to building rapid-response volunteer teams, this talk will highlight how hackers and technologists are stepping up to protect the public good—one community at a time.
References:
Speakers:Sarah Powazek,Jake Braun,Adrien OgeeSarah Powazek is the Program Director of Public Interest Cybersecurity at the UC Berkeley Center for Long-Term Cybersecurity (CLTC), where she leads flagship research on defending low-resource organizations like nonprofits, municipalities, and schools from cyber attacks. She serves as Co-Chair of the Cyber Resilience Corps and is also Senior Advisor for the Consortium of Cybersecurity Clinics, advocating for the expansion of clinical cyber education around the world. Sarah hosts the Cyber Civil Defense Summit, an annual mission-based gathering of cyber defenders to protect the nation’s most vulnerable public infrastructure. Sarah previously worked at CrowdStrike Strategic Advisory Services, and as the Program Manager of the Ransomware Task Force. In her free time, she serves as Deputy Director of DistrictCon, a hacker conference based in D.C.
SpeakerBio: Jake BraunJake Braun is the Executive Director of the Cyber Policy Initiative at the University of Chicago Harris School of Public Policy and Co-Founder of Cambridge Global Advisors, a national security consulting firm. He most recently served in The White House as acting Principal Deputy National Cyber Director. Prior to that role, Mr. Braun was appointed by The President as Senior Counselor to the Secretary of the Department of Homeland Security. Mr. Braun is the author of Democracy in Danger: How Hackers and Activists Exposed Fatal Flaws in the Election System (Rowman & Littlefield, 2019).
In addition to his role at the University of Chicago, Mr. Braun co-founded the DEF CON Voting Machine Hacking Village. In that capacity he co-authored two award-winning reports on the cyber security of our election infrastructure: the DEF CON 25 and 26 Voting Village Reports. Most recently, he partnered with DEF CON to launch “Franklin,” a program to memorialize the most innovative and impactful findings from DEF CON in the annual “Hackers’ Almanack.” “Franklin” also recruits cyber volunteers to support underresourced critical infrastructure.
SpeakerBio: Adrien OgeeAdrien spent his career in various cyber crisis response roles in Thales, the French and European Cybersecurity Agencies (ANSSI and ENISA), and the World Economic Forum. At the Institute, he oversees the provision of cybersecurity assistance to vulnerable populations. Adrien holds an MEng in telecommunication and information systems, an MSc in Global Security and has an MBA.
- ics Calendar file
Mr. Moss is an internet security expert and is the founder of Both the Black Hat Briefings and DEF CON Hacking conferences.
- ics Calendar file
Defcon.run is a beloved tradition at DEF CON, bringing together hackers for a refreshing start to the day. Originally known as the DEF CON 4x5K, the event has evolved into a distributed, community-driven experience featuring fun runs and rucks across Las Vegas. Participants can choose from various routes, ranging from simple 5Ks to more ambitious distances.
For DEF CON 33, the gathering point is "The Spot" by the North Entrance of the Las Vegas Convention Center West Hall. Here, the real wild hares gather before the sun has a chance to burn up this city of sin. The runs kick off at 06:00 Thursday through Sunday! But be there early for hype talks and shenanigans. We also have a whole new Meshtastic setup and website features we're adding. There are other runs swag drops and social meetups planned throughout the day and night as well!
Whether you're a seasoned runner or looking for something different, defcon.run offers a unique way to connect with other hackers and kick off your day. For more details and to sign up, visit defcon.run.
- ics Calendar file
This hands-on technical training dives deep into the mechanics and mitigation of signal jamming—an increasingly critical threat in both civilian and military communication systems. Attendees will explore the electromagnetic spectrum, modulation techniques, and the physical principles that enable signal jamming. We will analyze common types of jammers, their circuitry, and how they disrupt RF communications. Participants will also gain insight into detection methods, spectrum analysis, and counter-jamming strategies using SDRs and directional antennas. The course balances theory and practice, with live demonstrations and dissection of real-world jamming scenarios. Prior familiarity with RF fundamentals and basic electronics is helpful but not required. To get the most from this session, attendees are encouraged to review basic electromagnetic theory and brush up on SDR tools like GNU Radio or SDR# ahead of time. This session is ideal for cybersecurity professionals, drone operators, RF engineers, and technical hobbyists seeking to understand and combat one of the most disruptive tools in electronic warfare.
SpeakerBio: Preston Zen, 1337sheets.comPreston Zen is a OSCE3 Cybersecurity Certified maker and breaker of all things technology from custom electronics to bespoke software. Humanitarian volunteer in Ukraine since 2022 in logistics and engineering as well as one of the leading innovators of field implemented technology use cases
- ics Calendar file
Real threats leave behind real artifacts — and in this hands-on workshop, we’ll combine malware development and analysis by safely recreating and dissecting a custom malware based on Lumma Stealer, one of today’s most active malware families. This approach is designed to support adversary emulation efforts by replicating real-world TTPs in a controlled environment, while also teaching participants how to detect and analyze each technique. Whether you're on a red or purple team looking to simulate attacker behavior, or on a blue team aiming to strengthen detection capabilities, this workshop delivers practical skills grounded in real-world threats.
Speakers:Sebastian Tapia,Ricardo SanchezSebastian breaks things to understand them—and sometimes to teach others how to do it better. He’s spent years in red teaming, malware reversing, and purple team exercises—learning how attackers think, and how defenders can think better. These days, he builds labs, breaks code, and shares what he learns so others can level up, too.
SpeakerBio: Ricardo SanchezRicardo Sanchez is an accomplished cybersecurity professional with a passion for empowering others through knowledge sharing. As a Security Architect at one of Peru's leading insurance companies, he specializes in designing innovative technology strategies for threat intelligence, detection engineering, and threat hunting to combat evolving cyber threats. Committed to lifelong learning, Ricardo thrives on analyzing malware and staying at the forefront of cybersecurity advancements.
- ics Calendar file
ICS Malware is rare. Yet, ICS Malware like FrostyGoop and TRISIS, and related discoveries like COSMICENERGY, were all found on VirusTotal, so analysts still hunt for novel ICS Malware in public malware repositories. In the process, they discover all kinds of tools: research, CTFs, obfuscated nonsense code with no effects, and sometimes, malware targeting ICS/OT sites. But how do they find and filter out the benign from malicious? Or the ICS and ICS-related malware from regular IT malware?
In this talk, we will use recently discovered samples to walk through the process of hunting and analyzing potential ICS threats. We’ll show the simple queries we use to cast a net, our typical analysis process, and relevant follow-on actions like victim notification. Lastly, we’ll discuss how we decide whether a sample is ICS malware using Dragos’s ICS malware definition.
Speakers:Jimmy Wylie,Sam HansonJimmy Wylie is a malware analyst at Dragos, Inc., who searches for and analyzes threats to critical infrastructure. He was the lead analyst on PIPEDREAM, the first ICS attack ""utility belt"", and TRISIS, the first malware to target a safety instrumented system. Formerly a DoD Contractor and malware analysis instructor, he has over 14 years of experience with reverse engineering and malware analysis. In his off-time, Jimmy enjoys playing board games, solving crossword puzzles, and testing the limits of his library card. He can be found on BlueSky: @mayahustle.bsky.social
SpeakerBio: Sam Hanson, DragosSam is currently an Associate Principal Vulnerability Analyst at Dragos where he researches vulnerabilities and malware impacting OT/ICS systems. Specifically, Sam discovers 0-day vulnerabilities in industrial software and threat hunts for ICS-related malware in public data sources. Sam has analyzed notable ICS-related malware, including components of PIPEDREAM and Fuxnet. Sam has presented at several cybersecurity conferences, including Dragos’ DISC (’22 and ’23), DISC:EU ‘24, and BSides:Zurich.
- ics Calendar file
Elevator floor lockouts are often used as an additional, or the only, layer of security. This talk will focus on how to correctly incorporate elevators into your security design, and how badly set up elevators could be used to access restricted areas– including using special operating modes, tricking the controller into taking you there, and hoistway entry.
Speakers:Bobby Graydon,Ege FeyziogluBobby is involved in the planning of Physical Security Village. He enjoys anything mechanical and is currently serving as VP R&D at GGR Security Consultants. I like trains and milk.
SpeakerBio: Ege Feyzioglu, Physical Security VillageEge is a security researcher specialising in access control systems and electronics. She is currently pursuing a degree in Electrical Engineering and work part-time for GGR Security as a Security Risk Assessor
- ics Calendar file
EMMC is a common flash memory format for more complex embedded devices and the Ball Grid Array (BGA) is a popular format for EMMC modules. BGA modules can be intimidating to hardware hackers since the pins are not exposed and are instead underneath the chip. This workshop will demonstrate and allow you to practice removing EMMC modules from an inexpensive circuit board using flux and a hot air station. The module will contain a Linux operating system and a Raspberry Pi. Workshop participants will learn how to image the removed EMMC. Mount and change the Linux filesystem in order to backdoor the image and gain access, and then learn how to copy the image to a new EMMC. Participants will then learn how to attach the module to a BGA carrier board with hot air.
A basic understanding of soldering is all that is required to be successful in this workshop. An understanding of the Linux filesystem is also helpful, but not required. We will have step by step instructions and will also have a small prize for the participant who comes up with and demonstrates the most clever Linux backdoor on their Raspberry Pi.
At the end of this workshop, participants will have an understanding of: How to remove, clean and image BGA modules Basics of offline Linux filesystem hacking How to image and reattach BGA EMMC modules
SpeakerBio: Patrick "Gigstorm" Kiley, Principal Red-Team Consultant at Mandiant/GooglePatricck is a Principal Red Team Consultant at Mandiant with over 20 years of information security experience working with both US Govt and private sector employers. Patrick has spoken at DEF CON, BlackHat, Bsides and RSA. Patrick can usually be found in the Car Hacking or Aerospace village where he volunteered for several years. His passion is embedded systems security and has released research in Avionics, embedded systems and even bricked his own Tesla while trying to make it faster.
- ics Calendar file
Google's Privacy Sandbox initiative aims to provide privacy-preserving alternatives to third-party cookies by introducing new web APIs. This talk will examine potential client-side deanonymization attacks that can compromise user privacy by exploiting vulnerabilities and misconfigurations within these APIs.
I will explore the Attribution Reporting API, detailing how debugging reports can bypass privacy mechanisms like Referrer-Policy, potentially exposing sensitive user information. I will also explain how destination hijacking, in conjunction with a side-channel attack using storage limit oracles, can be used to reconstruct browsing history, demonstrating a more complex deanonymization technique.
Additionally, I will cover vulnerabilities in the Shared Storage API, illustrating how insecure cross-site worklet code can leak data stored within Shared Storage, despite the API being deliberately designed to prevent direct data access. Real-world examples and potential attack scenarios will be discussed to highlight the practical implications of these vulnerabilities.
The presentation will conclude by emphasizing the critical need for rigorous security and privacy research to ensure that Privacy Sandbox APIs effectively protect user data and achieve their intended privacy goals, given the complexity and potential for unintended consequences in their design and implementation.
SpeakerBio: Eugene "spaceraccoon" LimEugene Lim is a security researcher and white hat hacker. From Amazon to Zoom, he has helped secure applications from a range of vulnerabilities. His work has been featured at top conferences such as Black Hat, DEF CON, and industry publications like WIRED and The Register.
- ics Calendar file
- ics Calendar file
It's no secret that embedded devices are rife with security bugs just waiting to be found. However, vendors increasingly encrypt their firmware to prevent analysis by researchers, professionals, and inquisitive minds. In this talk, we examine common encryption techniques in real-world devices and how to crack the code—with or without hardware.
SpeakerBio: Craig Heffner, Senior Staff Enigneer at NetRise
- ics Calendar file
The Ham Radio Village is excited to return to DEF CON 33, offering you the opportunity "Access Everything" by gaining you access to the airwaves though free amateur radio license exams! Ham radio has a long history with ham radio operators being considered the original electronic hackers, innovating long before computers, integrated circuits, or even transistors were invented. The Ham Radio Village keeps this spirit alive by providing free ham radio license exams at DEF CON.
In today's world, wireless communication is essential. A fundamental understanding of radio technology is more important than ever. Earning your amateur radio license opens the door to the world of amateur radio, providing you with valuable knowledge of radio frequency (RF) technology. This knowledge can be applied to a wide range of other RF-related topics, including RFID credentials, Wi-Fi, and other wireless communication systems.
- ics Calendar file
We know DEF CON and Vegas can be a lot. If you're a friend of Bill W who's looking for a meeting or just a place to collect yourself, DEF CON 33 has you covered. Join us throughout the conference in the Friends of Bill W Community Space in W301.
- ics Calendar file
Ship-to-shore cranes manufactured in China have faced increased scrutiny from the United States Congress in the past year due to concerns about potential supply chain vulnerabilities, pricing practices, and the global dependence on these critical infrastructure components produced by Chinese state-owned companies.
Coast Guard Cyber Protection Teams (CPTs) have been the US government’s primary resource doing technical cybersecurity work on these cranes – to include assessment, threat hunting, and incident response operations. This talk discusses findings and recommendations from over 350 days of crane missions conducted by US Coast Guard CPTs, to include the existence of surprise cellular modems and potential attack paths.
References:
Lieutenant Commander Kenny Miltenberger currently serves as the first Commanding Officer of the 2003 Cyber Protection Team (CPT) in Alameda, CA. He is responsible for protecting the nation’s Marine Transportation System in cyberspace by conducting hunt, assess, and incident response operations. His team is the Coast Guard’s newest CPT and the only CPT geographically detached from Coast Guard Cyber Command (CGCYBER).
Kenny recently completed an assignment where he founded the Coast Guard’s Red Team and ran the Coast Guard's Blue Team (cooperative assessments). During that tour he founded CGCYBER’s educational phishing capability, led cyber Opposing Forces for a major multinational exercise, and oversaw over 100 Red and Blue Team missions during his tour. Other notable positions include his work as an engineer for the U.S. Navy’s Naval Sea Systems Command, where he was a developer on a shipboard cyber security platform.
Kenny has a BS in Electrical Engineering from the Coast Guard Academy and an MS Electrical Engineering from University of Maryland College Park.
Kenny has also worked as part-time faculty at University of Maryland, College Park, where he taught Binary Exploitation in their Cyber Masters Program. Industry certifications include OSCP, GXPN, GCPN, GREM, GPEN, GNFA, GCIH, GISP, and CISSP.
SpeakerBio: Nicholas FredericksenLieutenant Commander (LCDR) Nick Fredericksen currently serves as the first Commanding Officer of the 1790 Cyber Protection Team (CPT) in Washington, DC. He is responsible for protecting the nation’s Marine Transportation System (MTS) in cyberspace by conducting assess, hunt, and incident response operations. The 1790 CPT is the Coast Guard’s first CPT, reaching full operational status in Spring 2021.
Nick's previous assignment was Deputy of Coast Guard Cyber Command’s Maritime Cyber Readiness Branch. His primary duties included leading a team of marine safety professionals trained in cybersecurity and dedicated to raising the consistency, competency, and capabilities of cybersecurity in the MTS. This included cybersecurity incident investigations; studying the Techniques, Tactics, and Procedures of threat actors; and providing critical stakeholders awareness publications and information sharing.
Other notable assignments include conducting IT project management where he led the Coast Guard’s first service migration to a modernized, software-as-a-service managed solution.
Nick has a BS degree in Operations Research and Computer Analysis and an MS in Information Systems Management from Florida Institute of Technology.
His cybersecurity certifications include CISSP, GCIH, GICSP, GCFA, and GPEN.
- ics Calendar file
This talk pulls the curtain on the behind-the-scenes badge-making story of the second official Bug Bounty Village badge. A fascinating and intricate blend of interactive electronics, layered PCB prints, and Matrix-style LED effects, all wrapped around an engaging CTF.
SpeakerBio: Abhinav Pandagale, Founder at Hackerware.ioAbhinav's artistry comes from the times he used to sneakily paint drawings made by his sister. His hacking career began as a toddler, disassembling his toys but never put them back together. His entrepreneurial roots come from selling snacks at a school fair and making a loss of . Having learned how not to make money, he launched Hackerware.io - a boutique badgelife lab with in-house manufacturing - which has grown over the past nine years into a global presence across 19 countries. He’s often spotted at conferences around the world - hosting hardware villages or pulling off the kind of random shenanigans that earned him the Sin CON Person of the Year 2025 award.
- ics Calendar file
Modern IT systems are complex and it’s all about full-stack nowadays. To become a pentesting expert, you need to dive into full-stack exploitation and gain a lot of practical skills. That’s why I created the Full-Stack Pentesting Laboratory.
For each attack, vulnerability and technique presented in this training there is a lab exercise to help you master full-stack pentesting step by step. What’s more, when the training is over, you can take the complete lab environment home to hack again at your own pace.
I found security bugs in many companies including Google, Yahoo, Mozilla, Twitter and in this training I’ll share my experience with you. The content of this training has been carefully selected to cover the topics most frequently requested by professional penetration testers.
Note: This training was sold out at DEF CON 2024 and received very positive feedback from students. That’s why we're bringing it back to Las Vegas for DEF CON 2025.
SpeakerBio: Dawid Czagan, Founder and CEO at Silesia Security LabDawid Czagan is an internationally recognized security researcher and trainer. He is listed among top hackers at HackerOne. Dawid Czagan has found security bugs in Apple, Google, Mozilla, Microsoft and many others. Due to the severity of many bugs, he received numerous awards for his findings.
Dawid Czagan shares his offensive security experience in his hands-on trainings. He delivered trainings at key industry conferences such as DEF CON (Las Vegas), Hack In The Box (Amsterdam), CanSecWest (Vancouver), 44CON (London), Hack In Paris (Paris), NorthSec (Montreal), HITB GSEC (Singapore), BruCON (Ghent) and for many corporate clients. His students include security specialists from Oracle, Adobe, ESET, ING, Red Hat, Trend Micro, Philips and government sector (references are attached to Dawid Czagan's LinkedIn profile (https://www.linkedin.com/in/dawid-czagan-85ba3666/). They can also be found here: https://silesiasecuritylab.com/services/training/#opinions).
Dawid Czagan is the founder and CEO at Silesia Security Lab. To find out about the latest in his work, you are invited to subscribe to his newsletter (https://silesiasecuritylab.com/newsletter) and follow him on Twitter (@dawidczagan), YouTube (https://www.youtube.com/channel/UCG-sIlaM1xXmetFtEfqtOqg), and LinkedIn (https://www.linkedin.com/in/dawid-czagan-85ba3666/).
- ics Calendar file
Modern IT systems are complex and it’s all about full-stack nowadays. To become a pentesting expert, you need to dive into full-stack exploitation and gain a lot of practical skills. That’s why I created the Full-Stack Pentesting Laboratory.
For each attack, vulnerability and technique presented in this training there is a lab exercise to help you master full-stack pentesting step by step. What’s more, when the training is over, you can take the complete lab environment home to hack again at your own pace.
I found security bugs in many companies including Google, Yahoo, Mozilla, Twitter and in this training I’ll share my experience with you. The content of this training has been carefully selected to cover the topics most frequently requested by professional penetration testers.
Note: This training was sold out at DEF CON 2024 and received very positive feedback from students. That’s why we're bringing it back to Las Vegas for DEF CON 2025.
SpeakerBio: Dawid Czagan, Founder and CEO at Silesia Security LabDawid Czagan is an internationally recognized security researcher and trainer. He is listed among top hackers at HackerOne. Dawid Czagan has found security bugs in Apple, Google, Mozilla, Microsoft and many others. Due to the severity of many bugs, he received numerous awards for his findings.
Dawid Czagan shares his offensive security experience in his hands-on trainings. He delivered trainings at key industry conferences such as DEF CON (Las Vegas), Hack In The Box (Amsterdam), CanSecWest (Vancouver), 44CON (London), Hack In Paris (Paris), NorthSec (Montreal), HITB GSEC (Singapore), BruCON (Ghent) and for many corporate clients. His students include security specialists from Oracle, Adobe, ESET, ING, Red Hat, Trend Micro, Philips and government sector (references are attached to Dawid Czagan's LinkedIn profile (https://www.linkedin.com/in/dawid-czagan-85ba3666/). They can also be found here: https://silesiasecuritylab.com/services/training/#opinions).
Dawid Czagan is the founder and CEO at Silesia Security Lab. To find out about the latest in his work, you are invited to subscribe to his newsletter (https://silesiasecuritylab.com/newsletter) and follow him on Twitter (@dawidczagan), YouTube (https://www.youtube.com/channel/UCG-sIlaM1xXmetFtEfqtOqg), and LinkedIn (https://www.linkedin.com/in/dawid-czagan-85ba3666/).
- ics Calendar file
This Pac-Man themed set of challenges takes Players on a journey through learning and demonstrating hacker and information security skills to earn points. With multiple subject-matter specific challenge groups and tracks, this hacker challenge game has something for everyone. Players will only be able to turn in scavenger hunt items during Contest Area Operating Hours.
- ics Calendar file
This Pac-Man themed set of challenges takes Players on a journey through learning and demonstrating hacker and information security skills to earn points. With multiple subject-matter specific challenge groups and tracks, this hacker challenge game has something for everyone. Contest will continue operation on the Scramble.RogueSignal.io website outside of Contest Area Operating Hours until the Contest is closed.
- ics Calendar file
This Pac-Man themed set of challenges takes Players on a journey through learning and demonstrating hacker and information security skills to earn points. With multiple subject-matter specific challenge groups and tracks, this hacker challenge game has something for everyone. Contest will continue operation on the Scramble.RogueSignal.io website outside of Contest Area Operating Hours until the Contest is closed.
- ics Calendar file
This Pac-Man themed set of challenges takes Players on a journey through learning and demonstrating hacker and information security skills to earn points. With multiple subject-matter specific challenge groups and tracks, this hacker challenge game has something for everyone. Contest will continue operation on the Scramble.RogueSignal.io website outside of Contest Area Operating Hours until the Contest is closed.
- ics Calendar file
This talk explores the tension between hackers and triagers in bug bounty programs. We present real cases from both perspectives, unpacking what went wrong, how to communicate better, and how to turn confrontations into collaboration—with practical takeaways for hackers, triagers, and program managers alike.
Speakers:Richard "richeeta" Hyunho Im,Denis SmajlovićRichard Hyunho Im (@richeeta) is a senior security engineer and independent vulnerability researcher at Route Zero Security. Currently ranked among the top 25 researchers in OpenAI's bug bounty program, Richard has also received security acknowledgements from Apple (CVE-2025-24198, CVE-2025-24225, CVE-2025-30468, and CVE-2024-44235), Microsoft, Google, and the BBC. His research highlights overlooked attack surfaces, focusing on practical exploitation that challenges assumptions about everyday software security.
SpeakerBio: Denis Smajlović, Nova Information SecurityDenis Smajlović (@deni) is an OSCP-certified security engineer and Principal Security Consultant at Nova Information Security. Denis brings extensive experience managing high-profile bug bounty programs and collaborating closely with Fortune 500 companies, global tech firms, and major financial institutions. His specialty lies in bridging gaps between external researchers and internal security teams, clearly translating vulnerabilities into tangible business impacts, and fostering constructive, trust-based relationships between hackers and corporate triagers.
- ics Calendar file
This talk explores the cutting edge of combining AI with bug bounty hunting — not just for productivity, but for autonomous vulnerability discovery. We’ll dive into how I engineered a multi-tool, AI-driven agent that performs web application reconnaissance, runs targeted scans, interprets responses, and routes tasks across a sandboxed toolkit using natural language prompts.
SpeakerBio: Vanshal GaurVanshal is a security engineer and AI researcher focused on web application security and automation. He has responsibly disclosed vulnerabilities through platforms like HackerOne and Bugcrowd, and his recent work explores how artificial intelligence can scale vulnerability discovery. Vanshal has built AI-powered agents that automate recon, analyze HTTP responses, and identify real bugs across thousands of domains. He’s also worked on secure sandboxing for running hacking tools safely. At DEF CON 33, he’ll share how he built an autonomous bug bounty agent — from prompt engineering and tool orchestration to live recon and vulnerability triage. His talk blends hands-on hacking with AI, aimed at researchers who want to scale their impact with modern tooling.
- ics Calendar file
As we know, spacecraft will become prime targets in the modern cyber threat landscape, as they perform critical functions like communication, navigation, and Earth observation. While the launch of the SPARTA framework in October 2022 gave the community insight into potential threats, it didn’t address how to detect them in practical scenarios. In 2025, our research took a different approach as we didn’t just theorize about threats, we actively exploited space systems using SPARTA techniques to figure out what Indicators of Behavior (IoBs) would look like in a real-world attack scenario.
By leveraging offensive cyber techniques from SPARTA, we identified the specific patterns and behaviors that adversaries might exhibit when targeting spacecraft. These insights allowed us to systematically develop IoBs tailored to the operational constraints and unique environments of space systems. As a result, we demonstrated how Intrusion Detection Systems (IDS) for spacecraft can be designed with realistic, data-driven threat profiles.
This presentation will walk through our methodology, from exploiting space systems to crafting practical IoBs, and how these insights can directly translate to building robust IDS solutions. We’ll show how a threat-informed, hands-on approach to cybersecurity can transform theoretical knowledge into practical defenses for space infrastructure.
SpeakerBio: Brandon Bailey, The Aerospace Corporation
- ics Calendar file
Tired of legacy ICS systems? Attend this workshop to hack the next generation of Industrial Control Systems,! No more Modbus, no more standard PLC, no more Purdue model! This workshop is designed to show what the future might look like for Industrial Control Systems, with a focus on ML & AI!
We’ll bring a realistic ICS setup that features all the fancy current and future trends: SD-WAN and Zero Trust, OPC-UA, MQTT, Digital Twin, Edge devices and soft-PLCs to control a small-scale industrial process simulation. This year, we’ll also add some machine learning and LLM challenges! Will you be able to trick the ICS virtual assistant into giving you access to the production systems?
After a short introduction, we’ll get into hacking! We will walk you through a CTF-style exercise to go from 0 to full industrial process hacking! The CTF will be guided so that everyone learns something and gets a chance to get most flags!
Speakers:Arnaud Soullié,Alexandrine TORRENTSArnaud Soullié is a Senior Manager at Wavestone, a global consulting company. For 15 years, he has been performing security assessments and pentests on all types of targets. He started specializing in ICS cybersecurity 10 years ago. He has spoken at numerous security conferences on ICS topics, including: BlackHat Europe, BruCon, 4SICS, BSides Las Vegas, and DEFCON. He is also the creator of the DYODE project, an open source data diode aimed at ICS. He has taught ICS cybersecurity trainings since 2015.
SpeakerBio: Alexandrine TORRENTS, Senior Manager at WavestoneAlexandrine Torrents is a Senior Manager at Wavestone. She started as a penetration tester, and performed several cybersecurity assessments on ICS. She worked on a few ICS models to demonstrate attacks on PLCs and developed a particular tool to request Siemens PLCs. Then, she started working at securing ICS, especially in the scope of the French military law, helping companies offering a vital service to the nation to comply with security rules. Now, Alexandrine works with different industrial CISOs on their cybersecurity projects: defining secure architectures, hardening systems, implementing detection mechanisms. She is also IEC 62443 certified and still performs assessments on multiple environments.
- ics Calendar file
Did you ever wanted to hack an IoT device but did not know how to start? Having UART is nice, but does not help in many cases.
For a complete analysis of an IoT device, it is required to look at the firmware itself. In most cases this means that the firmware, data or encryption keys need to be extracted from the device memory. Many researchers are hesitant to do that as there is a high risk of destroying the device or leaving it in an inoperable state. In this workshop we will look at different flash memory types (EEPROM, SPI flash, NAND flash, eMMC flash) and how to extract the information from them.
We will show that you do not need very expensive hardware to archive your goal and that it is not as complicated as everyone believes. See which tools might be useful for your own lab!
Participants will have the opportunity to work in groups and being provided different kinds of IoT devices (e.g. smart speakers). After a tear-down, you can use different chip-off methods (e.g. Hot air, IR soldering) to remove the flash chip and read it out. Optionally, the tools re-ball and re-solder the IC will be available after the workshop. In the end, each team should have the data and a functional device again.
Bonus: If you brick the device, you can keep the parts as a souvenir or can wear them as badges.
Speakers:Dennis Giese,Braelynn LuedtkeDennis Giese is a researcher with the focus on the security and privacy of IoT devices. While being interested in physical security and lockpicking, he enjoys applied research and reverse engineering malware and all kinds of devices. His most known projects are the documentation and hacking of various vacuum robots. He calls himself a "robot collector" and his current vacuum robot army consists of over 80 different models from various vendors. He talked about his research at the Chaos Communication Congress, REcon, HITCON, NULLCON, and DEFCON.
SpeakerBio: Braelynn Luedtke, Security ResearcherBraelynn is a security consultant at Leviathan Security Group where she conducts security assessments of products for startups, Fortune 500 companies, and everything in between. She enjoys partaking in CTFs and researching the security anything that piques her curiosity. She has previously presented this research at conferences such as Chaos Communication Congress, HITCON and DEFCON.
- ics Calendar file
Gaining access isn’t always about having the perfect pretext. Sometimes, it’s about recognizing subtle shifts in the environment, reading behavioral cues, and adapting on the fly. The best social engineers, like master photographers, don’t just plan—they wait for the decisive moment and take action when the time is right.
This session unpacks a real-world infiltration where success wasn’t about meticulous scripting, but about understanding when and how to pivot in real time. By integrating principles from photography, literature, theater, and deception, we explore how presence, timing, and perception shape the art of infiltration.
SpeakerBio: Daniel Isler, Awareness & Social Engineering Consultant - Team Leader - Dreamlab TechnologiesBachelor in Arts of Representation. With certifications in Social Engineering, Red Team & OSINT. Team Leader of Fr1endly RATs, the Social Engineering unit at Dreamlab Technologies Chile. Specializing and developing techniques and methodologies for simulations of Phishing attacks, Vishing, Pretexting, Physical Intrusions and Red Team.
- ics Calendar file
Anticounterfeiting is an obscure and private world. Companies tightly hold their secrets and rely heavily on security through obscurity. But banknotes and government IDs aren’t the only targets of counterfeiting. Live events are increasingly targeted as ticket prices increase. The fast moving and dynamic nature of live events makes both counterfeiting and anticounterfeiting a more complex challenge. The limited time before the event ends is a key defense for event producers.
But with a basic mix of social engineering, arts and crafts, and keen observation most of these credentials can be defeated using DIY techniques. Even advanced measures like UV ink or holograms can be defeated or avoided with techniques you might have learned in art class. But while copying a credential seems easy enough, there are numerous mistakes that would-be counterfeiters make.
This talk will reveal 11 beginner mistakes to credential copying and how to avoid them. With physical examples of real historical credentials from NASA, NATO, the US Navy, the NFL, and more, this talk will leave you ready to fake a badge like a pro.
References:
With over two decades of experience in the event and information security industries, Russell Phillips is a leader in event access control. Russell coordinates all aspects of event access control technology and leads the Information Security team at SXSW, and has been instrumental to the operational success of one of the largest cultural events in the world. His in depth field experience in the myriad hardware, software, and human complications provides him with nuanced insights into turning policy into practice. Running among the world’s largest mobile event access control deployment provides the perfect testing ground to hone training, implementation, and incident response.
A lifelong proponent of the hacker ethos, Russell remains fascinated with all technology weird and wonderful. Mesh SDR networks and at-home pulse dialing telephony are current personal project areas.
Russell is a Certified Information Security Systems Professional and a member of Telephone Collectors International.
- ics Calendar file
Our human registration process this year will be very similar to previous years. Please be patient. All of the times listed here are approximate.
A badge is required for each human age 8 and older.
You are a human if you do not know otherwise. People that are not humans include goons, official speaker, village/community/contest/creator staff, press, black badge holders, or similar. If you are not a human, you need to register separately. If you don't know how, see an NFO goon (NFO Node, formerly known as an infobooth, is where you can get help). The remainder of this message applies only to humans.
Linecon is your optional opportunity to stand (or sit) in line for human registration to open. Doors will open for linecon on Wednesday at approximately 17:00. When human registration opens on Thursday at approximately 08:00, they start working the linecon queue, and the line will start moving quickly. (Please understand that we will begin processing the line on Thursday morning as soon as the cashiers and materials are in place; we will strive for Thursday 08:00, but actual start may be slightly earlier or later.)
Online badge purchase (aka pre-registration) has no impact on linecon. You can join the line on Wednesday (if you wish) regardless of whether you purchased a badge online or intend to pay with cash. There is only one linecon for both types of badge sales.
Please help us make this a great experience for everyone by following directions given by goons. After human registration opens, there may be one line for all of registration, or there may be two lines (one for online sales (pre-registration) and one for cash sales). This may also change over time, based on available staffing and necessary crowd control. We will strive to make it easily understandable in-person as to which line you should join.
You will be emailed a QR code to the email address provided when you bought your badge. Please guard that QR code as though it is cash -- it can only be redeemed once, and anyone can redeem it if they have it (including a photo of it). Badges are picked-up on-site -- they will not be mailed or shipped.
We can scan the QR code either from your phone's display or from a printed copy. You must have the QR code with you in order to obtain your badge. As you approach the front of the line, if you are going to show your QR code on an electronic device, please ensure that your display is set to maximum brightness.
If you pre-registered, but ultimately are unable to attend DEF CON and want to cancel your purchase, the only way to get a refund is from the original online source. We are unable to provide any refunds on-site at DEF CON. There is a fee to have your badge canceled: $34 before July 18, and $84 on and after July 18.
Online purchases are provided a receipt via email when the purchase is made.
Online purchase -- often referred to as pre-registration -- does not allow you to skip any line/queue to pick up your badge. Once you arrive on-site, you will need to join the existing line for human registration. There may or may not be a dedicated line for pre-registration badge pickup, depending on when you arrive, how long the line is, available staff, etc.
Badges will be available for purchase on-site at DEF CON. All badge sales are cash only. No checks, money orders, credit cards, etc., will be accepted. In order to keep the registration line moving as quickly as possible, please have exact change ready as you near the front of the line.
There are no refunds given for cash sales. If you have any doubt about your desire to buy a badge, please refrain from doing so.
We are unable to provide printed receipts at the time of the sale. A generic receipt for the cash sale of a badge will be made available on media.defcon.org after the conference. You are welcome to print your own copy of the receipt on plain paper.
If you attend BlackHat, it is possible to purchase a DEF CON badge with your BlackHat registration. If you did so, please get your DEF CON badge from BlackHat before they close.
BlackHat should send you an email with instructions for how to obtain your DEF CON badge. In case you missed it, you can go to the second floor, at the concierge desk, halfway down Black Hat Blvd.
Want to buy multiple badges? No problem! We're happy to sell you however many badges you want to pay for.
If you lose your badge, there is unfortunately no way for us to replace it. You'll have to buy a replacement at full price. Please don't lose your badge. :(
If you are being accompanied by a full-time caretaker (such as someone who will push your wheelchair, and will accompany you at all times), please ask to speak to a Registration Goon. Your caretaker will receive a paper badge that will permit them to accompany you everywhere you go.
If you have questions about anything regarding human registration that are not addressed here, please ask to speak to a Registration Goon.
- ics Calendar file
The “Hunting for Hackers” course provides a baseline level of knowledge designed to train cybersecurity professionals to actively defend critical computer systems. The course exposes participants to a “Think like the Adversary” mindset to actively detect sophisticated and tailored adversary attacks. This course is designed to prepare cybersecurity professionals to Hunt within their network for evidence of adversary presence not previously detected by automated enterprise security devices and software.
Rather than simply reacting to network attacks, participants of this cyber threat hunting training learn methods to interrogate systems and analyze data proactively and remotely. This empowers participants to proactively discover systems targeted by an adversary. Participants learn how to discover malicious code, and evidence of adversary presence and lateral movement within a network. Throughout the program, instructors share their experience in cybersecurity, operations, and tool development. This provides participants an appreciation of the challenges they may face in countering the cyber adversary.
Kyle Smathers is a Specialist Master at Deloitte Risk & Financial Advisory and a seasoned cybersecurity professional with a knack for problem-solving and developing capabilities. He has served as an Air Force officer and continues his service as a reservist, bringing over a decade of experience with cutting-edge cybersecurity platforms, training, and missions. His innovative contributions have gained significant recognition, earning him an invitation to contribute to the design of the Air Force's ‘Interceptor’ cyber threat hunting platform. In his free time, he is either with his family, riding his bicycle or working on a house project.
SpeakerBio: Bobby Thomas, DeloitteBobby Thomas has over 20 years of experience in cyber operations, network analysis, exploitation, and incident response. He possesses a comprehensive background in cyber network operations from planning to execution, intelligence operations, management, technical training course development and revision. Bobby currently works on Deloitte’s Advanced Cyber Training Team, Cyber Assessment Team, and Threat Hunting Team. He has his master’s degree in cyber security and multiple industry leading certifications to include: CISSP, GCFA, GNFA, GCFE, CEH, and Security+. During his off time he enjoys trying new restaurants and traveling with his family.
- ics Calendar file
The “Hunting for Hackers” course provides a baseline level of knowledge designed to train cybersecurity professionals to actively defend critical computer systems. The course exposes participants to a “Think like the Adversary” mindset to actively detect sophisticated and tailored adversary attacks. This course is designed to prepare cybersecurity professionals to Hunt within their network for evidence of adversary presence not previously detected by automated enterprise security devices and software.
Rather than simply reacting to network attacks, participants of this cyber threat hunting training learn methods to interrogate systems and analyze data proactively and remotely. This empowers participants to proactively discover systems targeted by an adversary. Participants learn how to discover malicious code, and evidence of adversary presence and lateral movement within a network. Throughout the program, instructors share their experience in cybersecurity, operations, and tool development. This provides participants an appreciation of the challenges they may face in countering the cyber adversary.
Kyle Smathers is a Specialist Master at Deloitte Risk & Financial Advisory and a seasoned cybersecurity professional with a knack for problem-solving and developing capabilities. He has served as an Air Force officer and continues his service as a reservist, bringing over a decade of experience with cutting-edge cybersecurity platforms, training, and missions. His innovative contributions have gained significant recognition, earning him an invitation to contribute to the design of the Air Force's ‘Interceptor’ cyber threat hunting platform. In his free time, he is either with his family, riding his bicycle or working on a house project.
SpeakerBio: Bobby Thomas, DeloitteBobby Thomas has over 20 years of experience in cyber operations, network analysis, exploitation, and incident response. He possesses a comprehensive background in cyber network operations from planning to execution, intelligence operations, management, technical training course development and revision. Bobby currently works on Deloitte’s Advanced Cyber Training Team, Cyber Assessment Team, and Threat Hunting Team. He has his master’s degree in cyber security and multiple industry leading certifications to include: CISSP, GCFA, GNFA, GCFE, CEH, and Security+. During his off time he enjoys trying new restaurants and traveling with his family.
- ics Calendar file
Please note: This two-day training will be offered on Saturday and Sunday (August 9-10). Participants will receive a DEF CON Human Badge with their registration
It is indeed all about the information. Information is power—and those who control it hold the reins. This course dives deep into the topic of Influence Operations (IO), teaching you how adversaries manipulate, deceive, and control the flow of information to achieve their objectives. From destabilizing governments to swaying elections and ruining careers, IO is a tool used by state and non-state actors alike. The question is, how do you defend against it?
In this fast-paced, hands-on course, we’ll break down how IO is planned, executed, and defended against. You’ll gain the skills and knowledge to not only recognize and counteract these operations but to protect yourself, your organization, and even your country from their impact.
What You'll Learn:
By the end of the course, you’ll not only have a deep understanding of how IO is executed, but you'll also walk away with practical tools to defend against these attacks. You’ll learn how to recognize the signs of manipulation, understand the motivations behind IO, and develop countermeasures to protect against them.
In a world where information is weaponized, knowing how to protect yourself is no longer optional. Whether you’re securing yourself, an organization, protecting a political campaign, or defending a nation, this course is your toolkit for navigating the complex and increasingly dangerous world of influence operations.
Speakers:Tom Cross,Greg ContiTom Cross is an entrepreneur and technology leader with three decades of experience in the hacker community. Tom attended the first DefCon in 1993 and he ran bulletin board systems and listservs in the early 1990’s that served the hacker community in the southeastern United States. He is currently an independent security consultant, Principal at Kopidion, and creator of FeedSeer, a news reader for Mastodon. Previously he was CoFounder and CTO of Drawbridge Networks, Director of Security Research at Lancope, and Manager of the IBM Internet Security Systems X-Force Advanced Research team. He has written papers on collateral damage in cyber conflict, vulnerability disclosure ethics, security issues in internet routers, encrypting open wireless networks, and protecting Wikipedia from vandalism. He has spoken at numerous security conferences, including Black Hat Briefings, Defcon, CyCon, HOPE, Source Boston, FIRST, and Security B-Sides. He has a B.S. in Computer Engineering from the Georgia Institute of Technology. He can be found on Linkedin as https://www.linkedin.com/in/tom-cross-71455/, and on Mastodon as https://ioc.exchange/@decius.
SpeakerBio: Greg Conti, Co-Founder and Principal at KopidionGreg Conti is a hacker, maker, and computer scientist. He is a nine-time DEF CON speaker, a seven-time Black Hat speaker, and has been a Black Hat Trainer for 10 years. He’s taught Adversarial Thinking techniques at West Point, Stanford University bootcamps, NSA/U.S. Cyber Command, and for private clients in the financial and cybersecurity sectors. Greg is Co-Founder and Principal at Kopidion, a cyber security training and professional services firm.
Formerly he served on the West Point faculty for 16 years, where he led their cybersecurity research and education programs. During his U.S. Army and Military Intelligence career he co-created U.S. Cyber Command’s Joint Advanced Cyberwarfare Course, deployed to Iraq as Officer-in-Charge of U.S. Cyber Command’s Expeditionary Cyber Support Element, and was the first Director of the Army Cyber Institute.
Greg is co-author of On Cyber: Towards an Operational Art for Cyber Operations, and approximately 100 articles and papers covering hacking, online privacy, usable security, cyber conflict, and security visualization. Greg holds a B.S. from West Point, an M.S. from Johns Hopkins University, and a Ph.D. from the Georgia Institute of Technology, all in computer science. His work may be found at gregconti.com (https://www.gregconti.com/), kopidion.com (https://www.kopidion.com/) and LinkedIn (https://www.linkedin.com/in/greg-conti-7a8521/).
- ics Calendar file
- ics Calendar file
Explore the basics of what CIP is, how it is used in industry, and how to get started hacking it.
SpeakerBio: Trevor FlynnIndustrial Controls Engineer and ICS security specialist
- ics Calendar file
Physical security is an important consideration when designing a comprehensive security solution. There are loads of ways to get through a door without actually attacking the lock itself, including using the egress hardware, access control hardware, and countless other techniques to gain entry. Learn how these attacks work as well as how to defend against these attacks in this talk!
Speakers:Karen Ng,Matthew CancillaKaren is a Risk Analyst at GGR Security, and is one of GGR's entry team for physical penetration tests. She has a strong interest in physical security, delivering trainings on physical security vulnerabilities to a wide range of audiences. Karen comes from a background in engineering and has extensive experience in major event logistics. She is one of the Village Leads at the Physical Security Village, and works with the rest of the PSV team to teach how to recognize and fix security exploits to the community. Graphic design is her passion.
SpeakerBio: Matthew Cancilla, Physical Security Village
- ics Calendar file
Our models identify complex intersecting patient safety incidents, including adverse effects resulting from missed chemotherapy infusions, delayed C-sections in obstetrics, diagnostic errors in emergency care, and systemic drug dispensing failures. By reframing cyber-risk through the lens of patient safety - not just IT disruption - CIPHER offers a radical new methodology for healthcare security, and a call to action for hackers, medics, and regulators alike to make invisible harm impossible to ignore.
SpeakerBio: Isabel Straw, PhDMDIsabel Straw is an Emergency Doctor and Assistant Professor in AI & Cybersecurity, with a comprehensive technical background in machine learning, threat modelling, and AI safety. She has worked for the United Nations on AI Ethics and delivered cybersecurity workshops at hackathons worldwide.
- ics Calendar file
Over the past two years, we have witnessed the emergence of a new class of attacks against LLM-powered systems known as Promptware.
Promptware refers to prompts (in the form of text, images, or audio samples) engineered to exploit LLMs at inference time to perform malicious activities within the application context.
While a growing body of research has already warned about a potential shift in the threat landscape posed to applications, Promptware has often been perceived as impractical and exotic due to the presumption that crafting such prompts requires specialized expertise in adversarial machine learning, a cluster of GPUs, and white-box access.
This talk will shatter this misconception forever.
In this talk, we introduce a new variant of Promptware called Targeted Promptware Attacks.
In these attacks, an attacker invites a victim to a Google Calendar meeting whose subject contains an indirect prompt injection.
By doing so, the attacker hijacks the application context, invokes its integrated agents, and exploits their permission to perform malicious activities.
We demonstrate 15 different exploitations of agent hijacking targeting the three most widely used Gemini for Workspace assistants: the web interface (www.gemini.google.com), the mobile application (Gemini for Mobile), and Google Assistant (which is powered by Gemini), which runs with OS permissions on Android devices.
We show that by sending a user an invitation for a meeting (or an email or sharing a Google Doc), attackers could hijack Gemini’s agents and exploit their tools to: Generate toxic content, perform spamming and phishing, delete a victim's calendar events, remotely control a victim's home appliances (connected windows, boiler, and lights), video stream a victim via Zoom, exfiltrate emails and calendar events, geolocate a victim, and launch a worm that tarets Gemini for Workspace clients.
Our demonstrations show that Promptware is capable to perform (1) inter-agent lateral movement (triggering malicious activity between different Gemini agents), and (2) inter-device lateral movement, escaping the boundaries of Gemini and leveraging applications installed on a victim's smartphone to perform malicious activities with physical outcomes (e.g., activating the boiler and lights or opening a window in a victim's apartment).
Finally, we assess the risk posed to end users using a dedicated threat analysis and risk assessment framework we developed.
Our findings indicate that 73% of the identified risks are classified as high-critical, requiring the deployment of immediate mitigations.
Speakers:Ben Nassi,Or "oryair1999" Yair,Stav CohenDr. Ben Nassi (https://www.linkedin.com/in/ben-nassi-phd-68a743115/) is a Black Hat board member (Asia and Europe), a cybersecurity expert, and a consultant. Ben specializes in AI security, side channel attacks, cyber-physical systems, and threat analysis and risk assessment. His work has been presented at top academic conferences, published in journals and Magazines, and covered by international media. Ben is a frequent speaker at Black Hat (6), RSAC (2), and DEFCON (3) events and won the 2023 Pwnie Award for the Best Crypto Attack for Video-based Cryptanalysis.
SpeakerBio: Or "oryair1999" YairOr Yair (@oryair1999) is a security research professional with seven years of experience, currently serving as the Security Research Team Lead at SafeBreach. His primary focus lies in vulnerabilities in the Windows operating system’s components, though his past work also included research of Linux kernel components and some Android components. Or's research is driven by innovation and a commitment to challenging conventional thinking. He enjoys contradicting assumptions and considers creativity as a key skill for research. Or frequently presents his vulnerability and security research discoveries internationally at top conferences he speaks at such as Black Hat, DEF CON, RSAC, SecTor, and many more.
SpeakerBio: Stav CohenStav Cohen is a Ph.D. student at the Technion – Israel Institute of Technology who investigates Cyber-Physical Systems (CPS) that integrate GenAI methodologies and feature Human-in-the-loop interactions, with a specific emphasis on their security and operational aspects. He conducts detailed analyses of GenAI models with the aim of identifying potential vulnerabilities and devising effective strategies to mitigate them. Additionally, he takes a proactive approach by exploring how GenAI methodologies can be utilized to improve both the security and operational efficiency of Cyber-Physical Systems.
- ics Calendar file
Extended Berkeley Packet Filter (eBPF) has revolutionized Linux kernel programmability, but its complex verification and JIT compilation mechanisms present a significant attack surface. This talk provides a technical deep-dive into discovering and exploiting vulnerabilities in the eBPF subsystem, with three key contributions: state-aware fuzzing methodologies specifically designed for eBPF, focusing on verifier state tracking bugs, JIT compiler flaws, and helper function validation bypasses. These techniques go beyond traditional fuzzing by incorporating knowledge of the verifier's internal state machine.
Systematic approach to weaponizing verifier bypasses into practical kernel exploits, including converting bounds calculation errors into arbitrary read/write primitives, bypassing KASLR via targeted information leaks, and achieving privilege escalation through carefully constructed memory corruption.
Security architecture of eBPF and provide concrete recommendations for hardening the subsystem against these attacks, including improvements to the verifier's state tracking, JIT compiler security, and runtime validation.
References:
Dr. Agostino "van1sh" Panico is a seasoned offensive security expert with over 15 years of experience specializing in advanced red teaming, exploit development, product security testing, and deception tactics. He is one of the few hundred globally to hold the prestigious GSE (GIAC Security Expert) certification. Driven by a passion for uncovering vulnerabilities, Agostino actively contributes to the security community as an organizer for BSides Italy, fostering collaboration and innovation.
- ics Calendar file
Whether you access the phone network over your cell phone, an SIP trunk, or via an old-school POTS line, the PSTN is an essential part of your day-to-day life and is a longstanding interest of the hacker community. Despite this interest, the regulatory and technical structures underlying this network are poorly understood, deliberately opaque, and dominated by large corporations.
This talk will demystify the network, starting with a brief overview of the history of the PSTN, followed by a deep dive into the inner functioning of the network. After this, the session will detail the regulatory structures that govern the network, and the technologies it employs. Next, the talk will continue with a practical guide detailing how anyone can form a full local exchange carrier to provide service to their community, covering the entire formation process through first-hand experience: regulatory approval, building interconnect with the PSTN, voice network design, and most importantly, user security and privacy.
With this knowledge in hand, the talk will briefly cover a range of exploits in the network, detailing how STIR/SHAKEN can be trivially bypassed, numbers can be hijacked, and how telecom fraud is monetized. The talk will conclude with a discussion of the future of the PSTN, and potential future issues.
References:
Enzo Damato is a Rice University researcher and lifelong hacker with over 7 years of experience with telecommunications, network administration, and security. He founded Rice Telecom Corporation, a facilities-based CLEC, to further research telecommunications security and robocall mitigation. Enzo has also worked extensively with mainframe systems, winning a best session award at the SHARE conference for his presentation on DIY mainframe acquisition, installation, and configuration. Following this, he has developed and is currently teaching Rice University's first course on mainframe computing. In addition, Enzo manages AS25944, an IX-peered ASN providing connectivity for his extensive personal lab.
- ics Calendar file
Four years ago, Chris found a vulnerability with a murder for hire site on the dark net. He could exploit that vulnerability to intercept the murder orders that were being placed: names, addresses, pattern of life information, photos, and, in some cases, bitcoin payments. He reached out to Carl for help, and a small team was built in secret to intercept and triage these orders. However, after their warnings to the police fell on deaf ears, they ultimately decided to warn the targets on the kill list directly. After an initial series of successes, the investigation expanded rapidly and they formed a global cooperation with the FBI and police forces around the world, resulting over 175 murder orders being disclosed, 34 arrests 28 convictions and over 180 years of prison time being sentenced. This talk will be about those years: about the dangers and threats the team had to navigate, the times of isolation when the police wouldn’t take them seriously, about raids in Romania to uncover the cyber-criminal gang running the site and the psychological impact of racing against time to try to stop people getting murdered.
References:
Carl Miller is a technologist, journalist and writer. He is the founder of the Centre for the Analysis of Social Media at Demos and the information integrity lab CASM Technology, a Visiting Fellow at the Department of War Studies, King’s College London, a Senior Fellow at the Institute for Strategic Dialogue and a Senior Research Fellow at RAND Europe. He is the author of the The Death of the Gods: The New Global Power Grab which won the Transmission Prize, and is the co-writer and host of the podcast Kill List, which reached #1 in seven countries. It was named the Guardian’s best podcast of 2024, named Podcast of the Year 2025 by the Broadcast Press Guild Awards and was nominated for an Aria and Ambie
SpeakerBio: Chris MonteiroChris is a dark web investigator, ethical hacker and systems administrator for a major company based in London.
- ics Calendar file
On Friday through Sunday, we have a non-competitive learning run, where you can go through the Kubernetes CTF scenario from a previous year. It has an available "cheat sheet" that shows you how to run through, start to finish! You can do this without the "cheat sheet" if you want a puzzle.
Each team/individual gets a Kubernetes cluster that contains a set of flags.
This is open to up to 30 teams and is available from Friday 12pm to Sunday 12pm Pacific.
We will support DEF CON players in the contest area during the following times: - Friday: 12:00-17:00 - Saturday: 10:00-17:00 - Sunday: 10:00-12:00
- ics Calendar file
This is your last chance to pickup your drives whether they're finished or not. Get here between 10:00am and 11:00am on Sunday as any drives left behind are considered donations.
- ics Calendar file
- ics Calendar file
Enigma was the infamous German encryption machines that was used in World War 2. A group of British cryptographers successfully broke the sophisticated machine, and in doing so, gave rise to modern adversarial cryptography and the Turing Machine, which would later evolve into the computer. In this workshop, we will look at how adversarial cryptography initially formed and how many of the techniques used still apply today. Additionally, many of the mathematical principles used in both the construction of the Enigma machine and its subsequent breaking are used heavily in modern encryption, which directly relate to the technology used in cryptocurrency.
Speakers:Rigo Salazar,Luke SzramowskiRigo Salazar is a Gen Z who is a Millennial in spirit with a Master’s degree in Mathematics and a Bachelor’s in Civil Engineering… for some reason. Jigsaw puzzles, puppetry, and platforming are a handful of his hobbies, but his true loves are his family, friends, and prime numbers. With boisterous whimsy and the volume to match, Rigo is so excited for his second Defcon and the opportunity to talk about cryptography.
SpeakerBio: Luke SzramowskiLuke Szramowski is a mathematical researcher, with a Bachelor's Degree in Mathematics and two Master's Degrees, one in Math, with a focus in Number Theory and another in Math with a focus in Coding Theory. In his free time, Luke works on a litany of different math problems, mainly regarding Number Theoretic conjectures and playing all different types of games. He is very excited to talk about any cryptography related questions and is looking forward to his first DEF CON.
- ics Calendar file
Purple Teaming has become a critical component of modern cybersecurity programs, but its definition and application vary widely across organizations. This presentation introduces a refined, regimented, and repeatable methodology for running Purple Team engagements, developed and battle-tested for over a decade. As the term 'Purple Team' means different things to different people— a methodology, a team of people, a program, an assessment, or even a state of mind—and as Purple Team engagements themselves come in all shapes and sizes, the speaker will begin by aligning recommended definitions and applications of common Purple Team terminology. The presentation will explain how to apply an Assumed Compromise approach to Purple Teams. Any organization can be vulnerable at any point in time. This style of Purple Team testing follows the adversary through the entire life cycle of an attack, from Initial Access to Impact, assuming vulnerabilities exist to instead focus on the visibility of security tools. This is a powerful method of identifying ways to improve detection and prevention capabilities at each layer of an organization’s defense in depth. The speaker will include real world examples and specific instructions. The presentation will conclude with broader applications of this style of Purple Team. This will include how to collect and analyze the engagement results and apply these results to drive improvement to an organization’s resilience to common threats. This talk is ideal for security professionals, both Red and Blue Team, who are looking to elevate the way they perform Purple Team engagements.
SpeakerBio: Sarah Hume, Purple Team Service Lead at Security Risk AdvisorsSarah leads the Purple Team service at Security Risk Advisors (SRA). She has led hundreds of Threat Intelligence-based Purple Team exercises for organizations in the Fortune 500 and Global 1000 over the past 7 years. Her background is in offensive security, primarily internal network, OT/ICS, and physical security penetration testing. Sarah also has experience in external network penetration testing, web application assessments, OSINT, phishing/vishing campaigns, vulnerability management, and cloud assessments. Sarah graduated Summa Cum Laude from Penn State with a B.S. in Cybersecurity. She is a Certified Red Team Operator (CRTO), Certified Information Systems Security Professional (CISSP), Google Digital Cloud Leader, AWS Certified Cloud Practitioner, and Advanced Infrastructure Hacking Certified. She lives in Philadelphia with her dog, Paxton.
- ics Calendar file
Everyone knows not to trust pickle files, but what about .onnx, .h5, or .npz? This talk explores how trusted file formats used in AI and large language model workflows can be weaponized to deliver reverse shells and stealth payloads. These attacks rely solely on the default behavior of widely used machine learning libraries and do not require exploits or unsafe configuration.
The presentation focuses on formats that are not typically seen as dangerous: ONNX, HDF5, Feather, YAML, JSON, and NPZ. These formats are commonly used across model sharing, training pipelines, and inference systems, and are automatically loaded by tools such as onnx, h5py, pyarrow, and numpy. A live demo will show a healthcare chatbot executing code silently when these formats are deserialized, with no user interaction and no alerts. This is a demonstration of how trusted data containers can become malware carriers in AI systems. Attendees will leave with a clear understanding of the risks introduced by modern ML workflows, and practical techniques for payload delivery, threat detection, and hardening against this type of tradecraft.
References:
Cyrus Parzian is an AI Red Team Lead with over a decade of experience in offensive security, red teaming, and AI risk testing. He has led AI red team assessments targeting model serialization abuse, data leakage prevention, prompt injection, and LLM jailbreak resistance. Cyrus has created standardized reporting frameworks, built payload testing infrastructure, and designed internal training focused on exploitation of AI-powered systems. He has conducted over 100 offensive operations across internal networks, cloud environments, and LLM-integrated applications. His work includes large-scale phishing campaigns, persistent C2 infrastructure, and exploitation of automation platforms like Power Automate. Cyrus shares his research on iRedTeam.ai, where he focuses on weaponizing trusted model formats and exposing blind spots in AI-driven systems. He has spoken at ArcticCon and served as organizer of Fiestacon.
- ics Calendar file
If you find something that seems to have been lost, please take that item to the nearest NFO Node. The item will enter the DEF CON Lost & Found system.
If you've lost something, the only way to check on it (or reclaim it) is by going to the Lost & Found department yourself. The Lost & Found department is in room LVCC - L2 - W238. You may also call Lost & Found at +1 (702) 477-5019.
The Lost & Found department plans to be open Thursday - Saturday, during all hours that the conference operates. On Sunday, the Lost & Found department will open with the venue at 08:00, but will close at the beginning of DEF CON 33 Closing Ceremonies (15:00). Shortly thereafter, all remaining lost items will be transferred to the LVCC. If you need to reach LVCC's Lost & Found, you may call LVCC Dispatch at +1 (702) 892-7400.
- ics Calendar file
The DEF CON Memorial Chamber serves as a sacred space within our community — a place where we pause to honor those hackers whose brilliance and dedication have elevated not just our craft, but the entire security ecosystem. Here we remember figures whose generous spirit and willingness to coordinate security fixes demonstrated that true hacking greatness lies in collaboration. We are here because DEF CON has been the beating heart of the hacker community for over three decades, growing from 100 people in 1993 to the world's largest hacker conference. As Jeff Moss envisioned, DEF CON is what we make of it, this memorial space represents our commitment to ensuring that the legacy of those we've lost continues to inspire future generations of hackers to pursue knowledge, build community, and use their gifts to make the world better.
- ics Calendar file
In this session, Tobias Diehl will demonstrate a critical vulnerability in Microsoft’s CoPilot AI, exposing how data voids can be hijacked to manipulate AI-generated responses. By exploiting CoPilot’s reliance on limited data sources, Tobias will show how attackers can inject persistent malicious content, associating it with legitimate Microsoft topics, and how AI fails to validate key terms. The presentation will cover the mechanics of key term association attacks, data void exploitation, and their real-world implications, including the risk of CoPilot delivering dangerous installation instructions for command-and-control (C2) beacons for initial access. Using a proof-of-concept from Microsoft’s Zero Day Quest event, attendees will see how the hijacking process works in practice, how threat actors can target enterprise users, and how AI systems can be tricked into guiding users toward compromised actions.
References:
SpeakerBio: Tobias "ItsSixtyNein" DiehlTobias Diehl is a security researcher and offensive security engineer with a background spanning red team operations, penetration testing, cloud security, and adversarial AI research. Over the past decade, he has worked across both private and public sectors, supporting enterprise defense teams and developing offensive tooling used to uncover high-impact vulnerabilities in modern systems. He is recognized as a Microsoft Most Valuable Researcher (MVR) for his continued contributions to vulnerability discovery and responsible disclosure across Microsoft platforms.
- ics Calendar file
A series of OSINT Challenges to teach techniques useful in various Cybersecurity related areas.
Speakers:Alex Ackerman,Lee McWhorter,Sandra Stibbards00101010
SpeakerBio: Lee McWhorterLee McWhorter, Owner & Chief Geek at McWhorter Technologies, has been involved in IT since his early days and has over 30 years of experience. He is a highly sought after professional who first learned about identifying weaknesses in computer networks, systems, and software when Internet access was achieved using a modem. Lee holds an MBA and more than 20 industry certifications in such areas as System Admin, Networking, Programming, Linux, IoT, and Cybersecurity. His roles have ranged from the server room to the board room, and he has taught for numerous universities, commercial trainers, and nonprofits. Lee works closely with the Dark Arts Village at RSAC, Red Team Village at DEFCON, Texas Cyber Summit, CompTIA, and the CompTIA Instructor Network as a Speaker, SME, and Instructor.
SpeakerBio: Sandra StibbardsSandra Stibbards opened her investigation agency, Camelot Investigations, in 1996. Currently, she maintains a private investigator license in the state of California. Sandra specializes in financial fraud investigations, competitive intelligence, counterintelligence, business and corporate espionage, physical penetration tests, online vulnerability assessments, brand protection/IP investigations, corporate due diligence, and Internet investigations. Sandra has conducted investigations internationally in five continents and clients include several Fortune 500 and international companies. Sandra has been providing training seminars and presentations on Open Source Intelligence (OSINT) internationally since 2010 to federal governments and corporations.
- ics Calendar file
Lots of us can look back on a time in our IT or cybersecurity careers and think about a select person or group of people that helped us immensely when we were younger to get on the right track. However, there are others that may not have had that opportunity to have a mentor or community instill a purpose in the world of tech. Making these communities or finding a good mentor can be a difficult task for many of us, so we wanted to host a discussion panel to discuss the various methods that we have been able to utilize.
Our major goal is to give back to the communities that helped us grow in our careers and personal lives. At our school district we’ve been very fortunate to build a culture of learning, security, and community. We’ve been able to successfully start and grow various clubs and opportunities for students to learn cool things with like minded people. In the panel we will talk about growing student helpdesk programs, eSports clubs, creating a tech savvy culture, and much more. Please come join us, bring questions, bring your experiences, and let’s help each other build up the next generation of hackers!
Speakers:Sam Comini,Navaar Johnson
- ics Calendar file
Over the past three years, passkeys have gained widespread adoption among major vendors like Apple, Google, and Microsoft, aiming to replace passwords with a more secure authentication method. However, passkeys haven't yet faced the extensive scrutiny that passwords have endured over decades. As they become central to enterprise identity, it's crucial to examine their resilience.
This presentation demonstrates how attackers can proxy WebAuthn API calls to forge passkey registration and authentication responses. We'll showcase this using a browser extension as an example, but the same technique applies to any website vulnerable to client-side script injection, such as XSS or misconfigured widgets. The extension serves merely as a controlled means to proxy credential flows and manipulate the WebAuthn process.
We'll delve into the underlying theory, present the exploit code, and provide a live demonstration of an attack that succeeds on sites relying on passkeys without enforcing attestation or metadata checks—a common scenario among vendors. If you’re relying on passkeys, this is the side of the flow you don’t usually get to see.
References:
Shourya Pratap Singh is responsible for building SquareX's security-focused extension and conducts research on countering web security risks. As a rising figure in cybersecurity, Shourya has presented his work on global stages including the DEFCON main stage, Recon Village, and Adversary Village, as well as at Black Hat Arsenal EU. He has also delivered several workshops at prestigious events such as the Texas Cyber Summit. Shourya earned his bachelor's degree from IIIT Bhubaneswar and holds a patent. His professional interests focus on strengthening the security of browser extensions and web applications.
SpeakerBio: Jonny LinJonny Lin is a frontend engineer on the extension team at SquareX, where he works on browser security challenges like data loss prevention and detecting web-based vulnerabilities. Before joining SquareX, he was a founding engineer at Velt (YC W23), building collaborative frontend infrastructure for real-time apps. He holds a computer science degree from Santa Clara University and has a strong interest in browsers and pushing the limits of what's possible on the frontend.
SpeakerBio: Daniel SeetohDaniel Seetoh currently works on the development of SquareX's browser extension and web app. With a focus on the frontend, Daniel brings a versatile skillset that augments his approach towards cybersecurity. He has earned his degrees from Nanyang Technological University, and enjoys building out products and providing value to users.
- ics Calendar file
- ics Calendar file
Let’s face it — traditional HTTP C2 is burning out. Between aging domains, TLS cert management, sandbox fingerprinting, and blue teams getting smarter at categorizing traffic and infrastructure, your “custom C2” feels less covert and more like a liability. Red teams and threat actors alike are shifting toward living off legitimate services — AWS, GitHub, Box, Notion, whatever blends in — but building solutions that are custom to a single C2 framework? Let’s stop doing that. Let’s share the fun!
C4 (Cross-Compatible Command & Control) is here to change that. It’s a modular toolkit of WASM-powered plugins that makes external C2 easy to implement, regardless of your implant's language or target OS. Whether you’re writing in C, Rust, Go, Python, C#, or something else entirely, C4 plugins can be loaded directly into your implant and run on Windows, macOS, or Linux.
But the real game-changer? C4 provides a single, centralized collection of numerous fully-documented, operationally-ready external C2 modules — not just proof-of-concepts, but production-level integrations with trusted sites that fly under the radar. No more hunting through GitHub repos, hand-rolling fragile API calls, or hacking together glue code for every new environment.
Stop reinventing external C2 and start planting some C4 in your implants!
SpeakerBio: Scott "ScottCTaylor12" Taylor, Senior Red Team Operator at Sony's Global Threat EmulationScott Taylor is a Senior Red Team Operator on Sony's Global Threat Emulation team. Scott has previously worked at the MITRE Corporation and T. Rowe Price focused on emulating adversary behaviors. While Scott has been a technical professional for a decade, only the second half was focused on offensive security. He started as a Linux system administration intern where he learned to build before later learning to break. Scott leverages his system administration background in his offensive security career where he passionately researches command and control (C2) infrastructure for red team operations. Open-source publications by Scott include custom C2 channels for popular C2 frameworks, leveraging cloud services for C2, and automating red team infrastructure deployment.
- ics Calendar file
Welcome to the world’s worst let’s-play: if you’ve ever wanted to get yourself or your friends banned from a game: Stick around. We explore how modern anti-cheat systems work, and practically show how to get banned in the most innovative and hilarious ways possible—all without launching a single real cheat.
We also dive into Hardware ID bans, and how machine ‘fingerprints’ are collected and enforced. With this knowledge at hand, we demonstrate how to remotely poison innocent machines — capturing a target’s HWID, spoofing it, and getting it burned. BIOS flashing, RAM SPD rewriting, and other fun tricks included. Join our masterclass in making yourself and others appear guilty online.
References:
Sam is a PhD research student studying at the University of Birmingham UK with an interest in attacks and defences in the Man-At-The-End-Scenario found in anti-cheat systems. He also works in teaching reverse engineering and binary analysis via game hacking. As part of this he developed an impossible to beat multiplayer video game for undergraduate students to hack as coursework. During his research he has been banned from every competitive shooter title and will happily offer this as a service for anyone who plays too much Fortnite and would like to stop.
SpeakerBio: Marius MuenchMarius Muench is an assistant professor at the University of Birmingham. His research interests cover (in-)security of embedded systems, binary & microarchitectural exploitation, and defenses. He obtained his PhD from Sorbonne University in cooperation with EURECOM and worked as a postdoctoral researcher at the Vrije Universiteit Amsterdam. He developed and maintains avatar2, a framework for analyzing embedded systems firmware, and FirmWire, an emulation and fuzzing platform for cellular basebands. Throughout his career, Marius publicly shared his findings and presented at venues such as Black Hat, Reverse.io, REcon, and Hardwear.io.
SpeakerBio: Tom Chothia, Professor in Cyber Security at School of Computer Science, University of BirminghamTom Chothia is a Professor of Cyber Security at the University of Birmingham, UK. His research involves the development of new mathematical analysis techniques, and the application of these techniques to real world cyber security problems. His past work on the security of EMV, ApplePay, banking apps, pacemakers and video game cheats have all received widespread media coverage.
- ics Calendar file
PortSwigger will present the inaugural Top 10 Vulnerability Research Awards from 2024 inside the Bug Bounty Village. In this session, PortSwigger will recognize ten outstanding researchers for their impactful vulnerability discoveries and research contributions over the past year. As most winners are unable to attend in person, the presentation will briefly introduce each winner and highlight their work. This marks the first time these awards are presented live at DEF CON, celebrating the creativity and dedication of the global security research community.
SpeakerBio: Portswigger
- ics Calendar file
Join our hands-on workshop to master TLSNotary! Dive into multi-party-TLS (not man-in-the-middle) and learn to prove and verify online data authenticity to a third-party verifier while ensuring privacy. We’ll start with small examples and build up to custom plugins to prove and verify private user data.
Bring your laptop, bring a friend, and learn together. Get ready to unlock and compose web data in innovative ways.
Speakers:AtHeartEngineer,SinuAtHeartEngineer has been building and breaking things since the 90s, nearly setting his parents’ garage on fire while learning about mains voltage. He previously lead engineering at Privacy and Scaling Explorations, a non-profit focused on building privacy-preserving technologies using programmable cryptography tools like zero-knowledge proofs, and is now exploring what is next.
SpeakerBio: Sinu, Technical Lead of TLSNotary at Privacy and Scaling ExplorationsSinu is a neutral systems maxi, a cryptography engineer, and the technical lead of TLSNotary.
- ics Calendar file
Cyber Security threats encountered in the Maritime Industry from both an Executive and Technical Perspective. The presentation is based on current events and starts with the Executive Director of The Marine Exchange of Southern California giving his side of the story followed by the technical and first-hand incident response breakdown from the Senior Systems Administrator.
Speakers:Capt. Kit Louttit,Steve WinstonCaptain Kip Louttit was appointed as the Executive Director of the Marine Exchange of Southern California in January 2013. A graduate of the United States Coast Guard Academy, he served in the United States Coast Guard (USCG) for 30 years prior to retiring with the rank of Captain. Captain Louttit’s experience includes 10 years at sea in the Atlantic and Pacific Oceans and the Bering, Mediterranean, and Caribbean Seas. He had six years in command of three different Coast Guard cutters and two years as commanding officer of USCG Integrated Support Command in San Pedro. Following retirement from the Coast Guard, Captain Louttit worked for two consulting firms on Coast Guard and Pentagon work.
SpeakerBio: Steve Winston, Mastermind MSPSenior Systems Administrator and CASP-certified cybersecurity professional with over 9 years of experience supporting a broad spectrum of IT environments. Has worked with more than 30 organizations across finance, healthcare, manufacturing, and critical infrastructure, bringing a practitioner’s perspective to enterprise defense. Specializes in securing hybrid infrastructures, implementing proactive threat mitigation strategies, and translating complex security requirements into operationally sound solutions. Combines deep systems knowledge with an adversarial mindset to challenge assumptions and close real-world security gaps.
- ics Calendar file
Offensive security is meant to improve defenses, but what happens when hostile nation-states start learning from us too? This talk explores how Russian intelligence services and advanced persistent threat (APT) groups have adopted and adapted techniques developed by Red Teamers, sometimes within weeks of public disclosure. These campaigns involve taking newly disclosed exploits, tools, and tricks to exploit modern enterprise systems, such as Microsoft 365 services, Windows features, software development systems, authentication systems, and cloud infrastructure. Throughout the talk, detection engineering and threat hunting tips shall be provided to offer attendees a technique for detecting and preventing these types of attacks.
For Red Teamers, this talks is a wake-up call: the same tools and tradecraft used to test enterprise security are increasingly turning up in real-world espionage campaigns, sometimes targeting the very governments and public services we rely on. For Blue Teamers, this talk is a reminder to pay close attention to the cutting edge of offensive tooling.
SpeakerBio: Will Thomas, Senior Threat Intel Advisor at Team CymruCurrently working as a Senior Threat Intel Advisor at Team Cymru. Previously I was a CTI Researcher and Threat Hunter at the Equinix Threat Analysis Center (ETAC). Prior to this, I worked for Cyjax, a UK-based CTI vendor. My other main commitment is as the co-author of the SANS FOR589: Cybercrime Intelligence course. I have also volunteered my spare time to being the co-founder and main organiser of the Curated Intelligence trust group and Bournemouth 2600.
- ics Calendar file
Microsoft Configuration Manager, better known as SCCM, has become my go-to target for red team operations. While multiple attack paths were uncovered recently, companies still struggle to close all security gaps. This is largely due to the solution's complexity and historical technical debt, which make it challenging to effectively address and mitigate all security vulnerabilities. Moreover, as it primarily manages computers, taking over an SCCM deployment often leads to the full compromise of the Active Directory, with less hassle than traditional attack paths.
In this talk, I'll be sharing insights gained from my research on the solution that led to the discovery of multiple 0 Day vulnerabilities, such as CVE-2024-43468, an unauthenticated SQL injection. After introducing key concepts, I'll delve into various techniques for performing reconnaissance, tips for understanding the hierarchy and tricks for bypassing certain security boundaries. The session will also cover the discovered vulnerabilities that can lead to the compromise of the deployment.
After showcasing post-exploitation techniques from database access, I'll introduce a battle-tested open-source tool that implements them. And for those interested in persistence, a technique for installing a backdoor as a legitimate servicing endpoint will be shared.
SpeakerBio: Mehdi "kalimer0x00" ElyassaI'm a red team operator working at Synacktiv, a French firm dedicated to offensive information security. With over 7 years of experience, I've started my journey on the blue team before transitioning to an offensive role. Today, I conduct adversary simulation engagements for large companies in France, as well as international organizations.
- ics Calendar file
The workshop will begin with brief presentation about cryptocurrency, exchanges, hardware wallets, hot wallets, cold wallets, and other introductory information needed to begin cryptocurrency transactions. Participants will be given a sample wallet for practice purposes only. Participants will be guided through the opening of a wallet, with a detailed discussion on public and private keys and the different types of wallets available for self custody and the different security features of wallets. The discussion will delve into hot security topics, including the importance of randomized seeds and consider a couple of case scenarios where wallets have been hacked due to a lack of security, followed by a discussion on how to prevent these types of security defects. Next, participants will create hot and a cold wallet, each with a twelve word seed. After completing set up of the cold wallet, participants will be required to simulate a lost/stolen/destroyed wallet and wipe the wallet and re-set up the wallet.
SpeakerBio: HalFinneyIsMyHomeBoy
- ics Calendar file
With billions of users worldwide, mobile messaging apps like WhatsApp and Signal have become critical for personal and professional communication. While these platforms promise security and privacy, our research uncovers two significant vulnerabilities that expose users to stealthy tracking and security degradation.
First, we reveal how delivery receipts --commonly used to confirm message delivery-- can be exploited to track a user's online status, screen activity, and device usage without their knowledge. This technique enables passive surveillance, draining a target's battery and data allowance while remaining entirely invisible to them.
Second, we demonstrate a novel attack on WhatsApp's implementation of the Signal Protocol, specifically targeting its Perfect Forward Secrecy (PFS) mechanism. By depleting a victim's stash of ephemeral encryption keys, an attacker can weaken message security, disrupt communication, and exploit flaws in the prekey refilling process.
Both attacks require nothing more than the victim's phone number and leverage fundamental design choices in these widely used platforms.
This talk will provide an in-depth analysis of these vulnerabilities, their implications, and potential mitigations -- challenging the security assumptions of modern encrypted messaging.
References: - Careless Whisper: Exploiting End-to-End Leakage in Mobile Instant Messengers, Gabriel K. Gegenhuber, Maximilian Günther, Markus Maier, Aljosha Judmayer, Florian Holzbauer, Philipp É. Frenzel, Johanna Ullrich; link - Prekey Pogo: Investigating Security and Privacy Issues in WhatsApp's Handshake Mechanism, USENIX WOOT 2025, Gabriel K. Gegenhuber, Philipp É. Frenzel, Maximilian Günther, Aljosha Judmayer; link
Speakers:Gabriel Gegenhuber,Maximilian GüntherGabriel is a PhD candidate at the University of Vienna, Austria. He received a bachelor's degree in Software & Information Engineering and a master's degree in Software Engineering & Internet Computing at the TU Wien. Gabriel is conducting research in the area of cellular and mobile networks. This includes Internet measurement technologies, traffic classification systems (e.g., deep packet inspection) and technical measures that are used to detect net neutrality and privacy violations. Furthermore, he's working on improving the MobileAtlas measurement platform for cellular networks.
SpeakerBio: Maximilian GüntherMax Guenther is master student at University of Vienna. He is a cybersecurity nerd and part-time full stack engineer at Intigriti. Previously, he was security analyst at Austrian Power Grid and security researcher at the Austrian Armed Forces.
- ics Calendar file
Ever wondered what it’s like to be the Villian? Have a propensity for chaos and a penchant for mischief? Seize the opportunity to unleash your inner “bad guy” in a legal and controlled environment. This class, led by Adversary for Hire, Jason E. Street, will teach you how to think and attack like an adversary.
You will learn advanced intelligence gathering techniques and explore non-traditional tactics from one of the most twisted minds in the industry. Using real-world examples along with hands-on practical training, Jayson’s approach highlights the human side of cyber compromise. He will introduce you to the Security Awareness Engagement methodology, which he uses in the field to reveal real-world threats without negative impacts to targets. This methodology employs practical simulations of social engineering attacks.
In addition to simulating remote attacks like phishing and vishing, students will learn how to craft and deploy physical attack payloads with the Hak5 Bash Bunny. Each student will receive a Bash Bunny to take home and use in their new life as a simulated adversary.
This class focuses on the paramount threat to any person or organization: other humans. It provides in-depth understanding of each element in a social engineering attack and where social engineering falls on the kill chain. More importantly, you will leave with an in-depth understanding of how simulated adversaries and social engineering awareness can help people and organizations protect themselves. Sign up for DEF CON's most mischievous training and leave with new skills you will use for life.
Speakers:Kenny Hess,Jayson E. StreetKenny Hess is an Advanced Security Engineer at Secure Yeti. He is a trusted security consultant who has built a career around developing and testing secure, mission-critical systems for national governments, state agencies, and international corporations. Additionally, he has been able to help businesses of all sizes develop security policies and programs for classified and unclassified systems. Kenny has a B.A. in Journalism and Broadcasting and an M.S. in Telecommunications Management from Oklahoma State University. Because of this diverse educational background, he is able to connect with his clients through clear communication backed by technical expertise. When he's not desperately urging people to use a password manager, you might find him in the kitchen trying a new recipe, or at the airport lounge en route to adventure. Whether he's hacking people, systems, or ingredients, Kenny Hess is always ready to add a dash of fun to everything he does.
SpeakerBio: Jayson E. Street, Chief Adversarial Officer at Secure YetiJayson E. Street referred to in the past as: a "notorious hacker" by FOX25 Boston, "World Class Hacker" by National Geographic Breakthrough Series, and described as a "paunchy hacker" by Rolling Stone Magazine. He however prefers if people refer to him simply as a Hacker, Helper & Human.
He is the Chief Adversarial Officer at Secure Yeti and the author of the "Dissecting the hack: Series" (which is currently required reading at 5 colleges in 3 countries that he knows of). Jayson is also the DEF CON Groups Global Ambassador. He's spoken at DEF CON, DEF CON China, GRRCon, SAINTCON & at several other CONs & colleges on a variety of Information Security subjects. He was also a guest lecturer for the Beijing Institute of Technology for 10 years.
He loves to explore the world & networks as much as he can. He has successfully robbed banks, hotels, government facilities, Biochemical companies, etc. on five continents (Only successfully robbing the wrong bank in Lebanon once, all others he was supposed to)!
He is a highly carbonated speaker who has partaken of Pizza from Bulgaria to Brazil & China to The Canary Islands. He does not expect anybody to still be reading this far, but if they are please note he was proud to be chosen as one of Time's persons of the year for 2006.
- ics Calendar file
Ever wondered what it’s like to be the Villian? Have a propensity for chaos and a penchant for mischief? Seize the opportunity to unleash your inner “bad guy” in a legal and controlled environment. This class, led by Adversary for Hire, Jason E. Street, will teach you how to think and attack like an adversary.
You will learn advanced intelligence gathering techniques and explore non-traditional tactics from one of the most twisted minds in the industry. Using real-world examples along with hands-on practical training, Jayson’s approach highlights the human side of cyber compromise. He will introduce you to the Security Awareness Engagement methodology, which he uses in the field to reveal real-world threats without negative impacts to targets. This methodology employs practical simulations of social engineering attacks.
In addition to simulating remote attacks like phishing and vishing, students will learn how to craft and deploy physical attack payloads with the Hak5 Bash Bunny. Each student will receive a Bash Bunny to take home and use in their new life as a simulated adversary.
This class focuses on the paramount threat to any person or organization: other humans. It provides in-depth understanding of each element in a social engineering attack and where social engineering falls on the kill chain. More importantly, you will leave with an in-depth understanding of how simulated adversaries and social engineering awareness can help people and organizations protect themselves. Sign up for DEF CON's most mischievous training and leave with new skills you will use for life.
Speakers:Kenny Hess,Jayson E. StreetKenny Hess is an Advanced Security Engineer at Secure Yeti. He is a trusted security consultant who has built a career around developing and testing secure, mission-critical systems for national governments, state agencies, and international corporations. Additionally, he has been able to help businesses of all sizes develop security policies and programs for classified and unclassified systems. Kenny has a B.A. in Journalism and Broadcasting and an M.S. in Telecommunications Management from Oklahoma State University. Because of this diverse educational background, he is able to connect with his clients through clear communication backed by technical expertise. When he's not desperately urging people to use a password manager, you might find him in the kitchen trying a new recipe, or at the airport lounge en route to adventure. Whether he's hacking people, systems, or ingredients, Kenny Hess is always ready to add a dash of fun to everything he does.
SpeakerBio: Jayson E. Street, Chief Adversarial Officer at Secure YetiJayson E. Street referred to in the past as: a "notorious hacker" by FOX25 Boston, "World Class Hacker" by National Geographic Breakthrough Series, and described as a "paunchy hacker" by Rolling Stone Magazine. He however prefers if people refer to him simply as a Hacker, Helper & Human.
He is the Chief Adversarial Officer at Secure Yeti and the author of the "Dissecting the hack: Series" (which is currently required reading at 5 colleges in 3 countries that he knows of). Jayson is also the DEF CON Groups Global Ambassador. He's spoken at DEF CON, DEF CON China, GRRCon, SAINTCON & at several other CONs & colleges on a variety of Information Security subjects. He was also a guest lecturer for the Beijing Institute of Technology for 10 years.
He loves to explore the world & networks as much as he can. He has successfully robbed banks, hotels, government facilities, Biochemical companies, etc. on five continents (Only successfully robbing the wrong bank in Lebanon once, all others he was supposed to)!
He is a highly carbonated speaker who has partaken of Pizza from Bulgaria to Brazil & China to The Canary Islands. He does not expect anybody to still be reading this far, but if they are please note he was proud to be chosen as one of Time's persons of the year for 2006.
- ics Calendar file
The rapid proliferation of consumer IoT devices has introduced new attack vectors beyond traditional exploitation. One overlooked risk lies in firmware persistence in returned devices—an issue that could enable mass surveillance, botnet propagation, or backdoor persistence at scale. This research investigates whether major retailers properly reset IoT firmware before reselling returned products, exposing critical gaps in supply chain security.
In this experiment, commercial IoT devices are purchased, modified with custom firmware embedding a simple callback, and then returned to the store. The devices are later repurchased and analyzed to determine if retailers performed proper firmware resets or if malicious code remained intact. Findings from this research reveal inconsistencies in retailer sanitization policies, with some major retailers failing to properly wipe and reflash firmware before resale. This talk will demonstrate examples of persistent firmware modifications, discuss the potential for IoT-based supply chain attacks, and propose real-world mitigation strategies for manufacturers, retailers, and consumers.
Attendees will leave with a deeper understanding of how IoT firmware sanitization failures create a new class of attack vectors—and how threat actors could exploit this to build persistent IoT botnets, data-exfiltration implants, or unauthorized surveillance tools.
SpeakerBio: Matei Josephs, Senior Penetration Tester at HappeningMatei Josephs breaks things for a living - especially if they beep, blink, or pretend to be "smart". Printers, kiosks, routers, and random IoT junk live in fear when he's nearby. He's a Senior Penetration Tester at Happening, he discovered 9 CVEs and loves hacking at scale. In this talk, "Smart Devices, Dumb Resets? Testing Firmware Persistence in Commercial IoT", Matei reveals how threat actors can implant persistent backdoors in smart devices, then return them for resale through legitimate retailers. Because factory reset processes often fail to wipe firmware-level compromises, attackers can exploit the trust users place in brand-name resellers—turning returned devices into credible, persistent attack vectors.
- ics Calendar file
See who won in our village! During this time weíll present the SECVC and BOTB winners, as well as the much-coveted Dundies!
- ics Calendar file
Welcome to our last day at DEF CON!
- ics Calendar file
You may have heard tales of mainframe pentesting and exploitation before - mostly from us! Those stories often focused on the MVS/ISPF side of the IBM z/OS. But did you know that all those same tricks (and more!) can be pulled off in z/OS Unix System Services (OMVS) as well? I bet you didn't even know z/OS had a UNIX side!
Over the years we've discovered multiple unique attack paths when it comes to Unix on the mainframe. In this talk, we'll present live demos of real-world scenarios we've encountered during mainframe penetration tests. These examples will showcase what can happen with poor file hygiene leading to database compromises, inadequate file permissions enabling privilege escalation, lack of ESM resource understanding allowing for privileged command execution, and how dataset protection won't save you from these attacks. We'll also be demonstrating what can happen when we overflow the buffer in an APF authorized dataset.
Attendees will learn how to test these controls themselves using freely available open-source tools and how to (partially) detect these attacks. While privesc in UNIX isn't game over for your mainframe, it's pretty close. By the end, it will be clear that simply granting superuser access to Unix can be just as dangerous, if not more so, than giving access to TSO on the mainframe.
SpeakerBio: Philip "Soldier of FORTRAN" YoungPhilip Young, aka Soldier of FORTRAN, Director of Mainframe Penetration Testing Services at NetSPI is an oldschool hacker. He started out on with an Amiga 500 and a modem and never looked back, cutting his teeth on Datapac (the Canadian X.25 network) he eventually grew to searching the internet for interesting things. Later in his career he started taking a serious look at mainframe cybersecurity and realized how far behind mainframes had fallen when compared to their more open system (Windows/Linux). At that point he made it his lifes mission to raise awareness and produce tooling to aid in the testing of these critical resources to help keep them safe. Since then he has given talks around the world at places like BlackHat, DEFCON, RSA, has taught multiple workshops and was even under investigation by the Swedish secret police. In addition he has released countless opensources tools to pentest mainframes.
- ics Calendar file
Come stop by for our first offical event where we will have custom stickers for VX Underground, Skyhopper, and more!
- ics Calendar file
Inspired by the cult following of the Nintendo Power Glove, this talk explores an unconventional use as a presentation remote. Using a generic ESP32 dev board and basic C code, it becomes a Bluetooth keyboard controlling presentations with ease. In fact, I will deliver this talk using the same Power Glove.
In this beginner-friendly talk, I'll share my experience ""hacking"" the Nintendo Entertainment System (NES) accessory. I'll cover:
Attendees will learn how to replicate this project and add pizzazz to their presentations. I'll release the code, so you can spice up your own talks. Maybe you'll even use the Power Glove to pop a shell on a remote machine in your next Proof of Concept.
Note: This is a personal project developed independently and is not affiliated with or endorsed by Microsoft, Nintendo, or any other employer.
SpeakerBio: Parsia "CryptoGangsta" Hakimian, Offensive Security Engineer at MicrosoftParsia is an offensive security "engineer" at Microsoft. While not a full-time hunter, he has learned a great deal from hunts and the bug bounty community. He spends most of his time reading code and experimenting with static and dynamic analysis -- but wishing he was gaming.
Parsia has previously presented at DEF CON's main venue and the AppSec Village. When not breaking (or fixing) things, he plays videogames, D&D, spends time with family outside - and, as his wife jokes, "subjects himself to the tax and immigration systems of US and Canada".
- ics Calendar file
The world of securing OT/ICS is changing FAST!
And we are not prepared.
Prior to the Colonial Pipeline incident in 2021, we focused on protecting against state adversaries.
Afterwards, we shifted to focusing on protecting against ransomware operators and hacktivists.
Now in 2025, we see more alignment between state adversaries, ransomware operators and hacktivists.
A significant shift in the landscape we are not ready for.
Advanced capabilities and tools in the hands of every day attackers with intermediate to no skill?
Are we prepared today for what's coming?
No.
But we can be.
And we'll talk about how.
SpeakerBio: Mike Holcomb, FlourMike Holcomb is the Fellow of Cybersecurity and the ICS/OT Cybersecurity Global Lead for Fluor, one of the world’s largest engineering, procurement, and construction companies. His current role provides him with the opportunity to work in securing some of the world’s largest ICS/OT environments, from power plants and commuter rail to manufacturing facilities and refineries. As part of his community efforts, Michael founded the BSidesICS/OT and BSides Greenville conferences along with the UpstateSC ISSA Chapter. He has his Masters degree in ICS/OT cybersecurity from the SANS Technology Institute. Additionally, he maintains cyber security and ICS/OT certifications such as the GRID, CISSP, GICSP, ISA 62443, and more.
He posts regularly on LinkedIn and YouTube to help others learn more about securing ICS/OT and critical infrastructure.
- ics Calendar file
Production halted. SCADA alarms blaring. The CEO demands answers. Your theoretical cyberattack? It just became reality. Point-in-time penetration tests are fundamentally inadequate against today's advanced persistent threats. This talk outlines a framework to build an intelligence-led, integrated attack and crisis simulation program, not just a reactive security strategy.
Drawing from our extensive experience (including hundreds of red team engagements for some of the world's largest organizations, with anonymized real-world case studies), we will unveil TotalTest – a revolutionary, metrics-driven framework that transforms breach simulations from isolated exercises into a continuous, strategic program for unparalleled organizational resilience.
SpeakerBio: Nebu Varghese, FTI Consulting LLP - Senior Director, EMEA Offensive Security LeaderNebu Varghese is a Senior Director in FTI Consulting’s Cybersecurity practice and is based in London. Mr. Varghese has more than 13 years of multi-functional cybersecurity experience, blending deep technical expertise with strong academic credentials. He has led global teams and complex matters across 28 countries, in sectors including Financial Services, Private Equity, TMT, Manufacturing, and Critical National Infrastructure. Mr. Varghese specialises in executing and managing the delivery of offensive security testing (ethical hacking or penetration testing) engagements for organisations across the globe. He serves on the UK National Cyber Security Centre (NCSC) Security Testing Expert Group, collaborating with industry experts to draft practical and valuable best practice guidance that informs and guides both the NCSC and the wider ICS industry.
- ics Calendar file
The implementation of Active Directory environments is, by essence, not unlike a command-and-control infrastructure allowing to centrally coordinate and control network assets. As an attacker, why not make it your own ?
As far as the C2 capabilities of Active Directory go, Group Policy Objects (GPOs) are a key functionality that can be leveraged by attackers for a surprisingly wide range of offensive actions. From enumeration, to persistence, to impactful privilege escalation in mature segmented environments, abusing GPOs amounts to abusing the C2 capabilities of Active Directory itself – a powerful attack primitive.
And yet, GPOs received comparatively little attention by the pentesting and research community. GPOs exploitation knowledge and tooling is scarce, whether because implementation may seem kind of obscure, or since exploitation can be seen as risky. Concerns that well-equipped attackers may not have to worry about.
This presentation aims at demonstrating the full extent of possibilities offered by Group Policy Objects. It will dive deep into GPOs implementation, enumeration potential and advanced exploitation techniques introduced or implemented by the speakers these last few years. It will also be accompanied by the release of two enumeration and exploitation tools developed by the speakers.
References:
Speakers:Quentin "croco_byte" Roland,Wilfried "tiyeuse" BécardQuentin Roland is a 28-year-old pentester working for a bit more than 3 years for Synacktiv, a French firm dedicated to offensive information security.
He enjoys working on Active Directory, releasing open-source exploitation tools or enhancing existing tooling. He worked on known, trendy Active Directory exploitation primitives as well as on more obscure research topics.
A fun fact about him: he actually studied law and used to work as a lawyer, before turning to penetration testing.
SpeakerBio: Wilfried "tiyeuse" BécardWilfried Bécard is a hacker and researcher working at Synacktiv. With a particular interest in Active Directory and Azure exploitation, his passion lies in uncovering new techniques to enhance cybersecurity in these areas. Constantly experimenting, testing, and collaborating with the security community, he aims at continuously improve his knowledge in these fields.
- ics Calendar file
Dealers are a vital part of the automotive industry – intentionally separate entities from the manufacturers, but highly interconnected. Most dealers use platforms built by the manufacturers that can be used to order cars, view/store customer information, and manage their day-to-day operations. Earlier this year, new vulnerabilities were discovered in a top automaker’s dealer platform that enabled the creation of a national admin account. This level of access, a privilege reserved for a select few corporate users, opened the door to a wide range of fun exploits.
Want to start a car? Forget VINs – all you needed was someone’s name. Access to the enrollment systems made it possible to reassign ownership of cars and access remote control functionality.
Want to find out who owns that sleek ride next to you? A quick glance at the VIN on the windshield was all you needed to pull down the owner’s personal information using the customer lookup tool.
Want to impersonate the owner of a dealership to gain full access to everything? A user impersonation function was uncovered that made this possible - negating all the two-factor authentication systems.
All of this and much more was made possible through API flaws in a centralized dealer system. A system used by more than 1,000 dealers in the USA that you didn’t even know existed. A system that you would never have thought would be the unexpected connection to your car. We break down the full exploit from recon to initial access, from viewing PII to the satisfying roar of an engine coming to life.
Speakers:Eaton Zveare,Roshan PiyushEaton is a senior security research engineer at Traceable by Harness. As a member of the ASPEN Labs team, he has contributed to the security of some of the world's largest organizations by finding and responsibly disclosing many critical vulnerabilities. He is best known for his high-profile security disclosures in the automotive space: 1, 2, 3.
SpeakerBio: Roshan Piyush, Security Research at Traceable by HarnessRoshan Piyush leads Security Research at Traceable by Harness, where he also oversees Aspen Labs — Harness's dedicated initiative for advancing modern application and API security. He is at the forefront of developing next-generation security platforms that deliver deep protection across the software lifecycle, from code to runtime.
With over a decade of experience in cybersecurity and a recent focus on API security, Roshan researches cutting-edge detection and prevention techniques across CI/CD pipelines, software supply chains, runtime environments, and cloud-native architectures. His work powers enterprise-grade security solutions that help organizations stay ahead of evolving threats.
An active contributor to the open-source security community, Roshan has been involved with projects like OWASP crAPI and Coraza WAF. He frequently shares his insights through technical talks, tools, and collaborations, helping drive progress across the broader AppSec ecosystem.
- ics Calendar file
IoT devices are ubiquitous, yet their security remains a critical concern. This talk explores over 50 real-world vulnerability cases in the IoT ecosystem, exposing systemic issues such as vendor-embedded backdoors, predictable credentials, and exploitable configuration consoles. We’ll dissect vulnerabilities like CVE-2024-48271 (CVSS 9.8) and CVE-2025-1143, favored by APT groups and scammers, that enable remote code execution and global device control. Drawing from our extensive research, we’ll reveal how even beginners can compromise critical infrastructure like ATMs and water treatment facilities by targeting poorly secured devices. Additionally, we’ll share the frustrating reality of reporting vulnerabilities to manufacturers, CNAs, and CERTs—stories of ignored reports, year-long delays, and denials despite severe risks. Attendees will gain actionable insights into vulnerability discovery, secure development practices, and responsible disclosure, empowering hackers, developers, and manufacturers to strengthen IoT security.
SpeakerBio: Kai-Ching "Keniver" Wang, Senior Security Researcher at CHT SecurityKai-Ching Wang (Keniver) is a Senior Security Researcher at CHT Security. He specializes in red team assessments and comprehensive security reviews, with a current focus on hacking IoT devices and cloud-native infrastructure. He has presented his research on the security of cloud-connected IoT camera systems at conferences such as SECCON in Japan and HITCON in Taiwan.
- ics Calendar file
DCs are organizations’ core. A successful DoS attack against them can break authentication and paralyze operations.
Following our LdapNightmare release, the first public DoS exploit for CVE-2024-49113, we found two new DoS-style attack surfaces on DCs: new critical DoS vulnerabilities, and creating a botnet harnessing public DCs for DDoS. Our goal: create the Win-DoS epidemic - infect DCs with Win-DoS and make them infect others, forming Win-DDoS.
Building on LDAPNightmare, we explored client-side targeting, often exposing weaker code. By turning DCs into LDAP clients via NetLogon RPC, using LDAP referrals, we redirected them to chosen domains/ports, matching our goals.
Moreover, we knew DDoS was powerful, but aimed to replicate its effect from a single machine. We focused on RPC servers - abundant in Windows with wide attack surfaces, especially those not requiring authentication. By abusing security gaps in RPC bindings, we hit the same RPC server relentlessly from one system, far surpassing standard concurrency limits! and WOW, found vulns crashing any Windows: servers and endpoints alike!
We present “Win-DoS Epidemic” - DoS tools exploiting four new Win-DoS and one Win-DDoS zero-click vulns! Crash any Windows endpoint/server, including DCs, or launch a botnet using public DCs for DDoS. The epidemic has begun
References:
Speakers:Or "oryair1999" Yair,Shahak MoragOr Yair (@oryair1999) is a security research professional with seven years of experience, currently serving as the Security Research Team Lead at SafeBreach. His primary focus lies in vulnerabilities in the Windows operating system’s components, though his past work also included research of Linux kernel components and some Android components. Or's research is driven by innovation and a commitment to challenging conventional thinking. He enjoys contradicting assumptions and considers creativity as a key skill for research. Or frequently presents his vulnerability and security research discoveries internationally at top conferences he speaks at such as Black Hat, DEF CON, RSAC, SecTor, and many more.
SpeakerBio: Shahak MoragShahak, Currently serving as the Research Lead at SafeBreach, with over seven years of experience in security research. My background includes extensive expertise in Linux kernel and embedded systems, with more than one year of focused research on Windows platforms.
- ics Calendar file
This training is a hands-on, immersive course designed to teach participants the art of crafting evasive Windows payloads while navigating and bypassing modern Endpoint Detection and Response (EDR) systems. Through a blend of theory and practical exercises, attendees will gain a deep understanding of payload development, focusing on techniques that enhance stealth, modularity, and effectiveness in offensive operations.
Key topics include payload formats, memory-resident execution, process injection, and advanced evasion strategies. Participants will explore the use of living off the land binaries (LOLBins), design modular implants with secure communication, and develop packers to obfuscate payloads and evade detection. By the end of the course, students will possess the knowledge and skills to craft realistic initial access vectors and deploy sophisticated payloads capable of evading modern defensive controls.
Speakers:Rey "Privesc" Bango,Kevin ClarkRey "Privesc" Bango is a Principal Cloud Advocate at Microsoft and a Security Consultant specializing in red teaming at BC Security. At Microsoft, he focuses on empowering organizations to leverage transformative technologies such as Artificial Intelligence and Machine Learning, prioritizing trust, security, and responsible use. He is an experienced trainer and speaker, presenting and teaching at cybersecurity conferences, including Black Hat and DEF CON. His work continues to bridge the gap between cutting-edge technological advancements and the critical need for secure, ethical implementation in today's world.
SpeakerBio: Kevin Clark, Red Team Instructor at BC SecurityKevin Clark is a Security Consultant with TrustedSec and a Red Team Instructor with BC Security, with a diverse background in software development, penetration testing, and offensive security operations. Kevin specializes in initial access techniques and Active Directory exploitation. He has contributed to open-source projects such as PowerShell Empire and developed custom security toolkits, including Badrats and Ek47. A skilled trainer and speaker, Kevin has delivered talks and conducted training sessions all over the country at cybersecurity conferences, including Black Hat and DEF CON, and authors a cybersecurity blog at https://henpeebin.com/kevin/blog.
- ics Calendar file
This training is a hands-on, immersive course designed to teach participants the art of crafting evasive Windows payloads while navigating and bypassing modern Endpoint Detection and Response (EDR) systems. Through a blend of theory and practical exercises, attendees will gain a deep understanding of payload development, focusing on techniques that enhance stealth, modularity, and effectiveness in offensive operations.
Key topics include payload formats, memory-resident execution, process injection, and advanced evasion strategies. Participants will explore the use of living off the land binaries (LOLBins), design modular implants with secure communication, and develop packers to obfuscate payloads and evade detection. By the end of the course, students will possess the knowledge and skills to craft realistic initial access vectors and deploy sophisticated payloads capable of evading modern defensive controls.
Speakers:Rey "Privesc" Bango,Kevin ClarkRey "Privesc" Bango is a Principal Cloud Advocate at Microsoft and a Security Consultant specializing in red teaming at BC Security. At Microsoft, he focuses on empowering organizations to leverage transformative technologies such as Artificial Intelligence and Machine Learning, prioritizing trust, security, and responsible use. He is an experienced trainer and speaker, presenting and teaching at cybersecurity conferences, including Black Hat and DEF CON. His work continues to bridge the gap between cutting-edge technological advancements and the critical need for secure, ethical implementation in today's world.
SpeakerBio: Kevin Clark, Red Team Instructor at BC SecurityKevin Clark is a Security Consultant with TrustedSec and a Red Team Instructor with BC Security, with a diverse background in software development, penetration testing, and offensive security operations. Kevin specializes in initial access techniques and Active Directory exploitation. He has contributed to open-source projects such as PowerShell Empire and developed custom security toolkits, including Badrats and Ek47. A skilled trainer and speaker, Kevin has delivered talks and conducted training sessions all over the country at cybersecurity conferences, including Black Hat and DEF CON, and authors a cybersecurity blog at https://henpeebin.com/kevin/blog.
- ics Calendar file
As surveillance becomes the norm, the development of privacy enhancing technologies is crucial in protecting individuals’ data. In this presentation, I will talk about Nym, a mixnet focused on protecting the metadata during end-to-end communication. I will go over how Nym works, what core features it uses, its tokenomics system, and patterns in node behaviors that I found from scraping all existing nodes’ data from the network explorer for 30 days.
SpeakerBio: Alexis CaoAlexis graduated from Johns Hopkins University with a Bachelor of Science degree in Computer Science this May. She is passionate about privacy technologies, and she has been doing research on mixnets. In the past, she has volunteered at Physical Security Village, Red Team Village, and AppSec Village at DEFCON. In her free time, she loves doing jiujitsu and she is a blue belt.
- ics Calendar file