Hey Kaitlyn, Joseph here with my first post-DEF CON report (a subscribers-only podcast is coming too, including on-the-ground interviews with people doing all sorts of wild and exciting hacking). You'll see why below, but I think the golden age of hackers in Vegas is over. Many of the city's businesses were on edge about thirty thousand hackers coming into town this year. The vibe is very, very different. The full piece follows below.
Walking through the hallways of Las Vegas casinos, sitting in the city’s taxis, and speaking to the staff of various businesses, there was a distinct feeling throughout this year’s DEF CON hacking conference: paranoia.
Resorts World, one of the hotels housing a chunk of this year’s hackers, searched rooms daily looking for specific “hacking tools.” Drivers of the Vegas Loop, which ferried attendees to and from the Las Vegas Convention Center, were told by their employer to not bring their personal devices to work in case they got hacked. And casinos kicking DEF CON out after years of hosting the conference sent a clear message: we don’t want you here anymore.
I have covered hacking for ten years and attended the DEF CON and Black Hat security conferences many times; not as many as some veterans I spoke to who have gone to eighteen or even twenty DEF CONs, but enough to feel a definite shift this year. Hackers were no longer seen as a novelty coming into town. They were seen as a threat to people’s peace and livelihoods.
By the way, this article and trip to DEF CON was only possible because of your support as a paid 404 Media subscriber. You directly funded the flights and ground transportation to get me there. Just wanted to say thank you!
“This was my 13th year at DEF CON and I have never had anything remotely like this happen before,” one attendee, who said security searched their room at the Hilton in Resorts World, told me. I granted multiple people in this article anonymity so they could speak openly about their experience at DEF CON without professional or personal repercussions, but I verified that they did stay at hotels during the conference. “They would not take no for an answer,” the person said, referring to hotel security. The increased hostility to DEF CON attendees from the wider city brings up a key question: is the golden age of hackers coming to Vegas every summer over? And is it time for DEF CON to pack up for another city?
After I arrived at my room in Resorts World on Wednesday, I looked around for any signs of what the hotel had planned during DEF CON (disclosure: as a speaker at the conference, DEF CON covered my hotel; 404 Media paid for my flights and ground transportation). On the chest of drawers underneath the television was a piece of paper with Resorts World letterhead. “As you may or may not know, a well-known hacking convention will be held in Las Vegas during your stay,” it read. “We remain committed to our guests’ safety and understand the utmost importance of cybersecurity, as well. In an effort to increase the safety of our guests, we will be conducting scheduled, brief visual and non-intrusive room inspections daily beginning Monday, August 5.”
I turned on the television to catch up on some Olympics news, and saw a variation of the same message again. I couldn’t watch anything until I clicked the “acknowledge” button on the pop-up.
Hotel security was looking for an array of what they described as “hacking tools,” according to photos of a handout taken by software engineer Thibaud Lopez Schneider and later sent to me. That included Flipper Zeros, WiFi Pineapples, and sets of lockpicks. That handout also showed the searches specifically targeted people who had booked rooms in the DEF CON block of the hotel, although the searches don't appear to be exclusive to those rooms.
I personally did not see or notice hotel security searching my room. I decided to hide a set of tools and an electronic lock security researcher Dennis Giese had given me to help verify his research into vulnerabilities in products made by a company called Digilock, just in case hotel security didn’t take kindly to them. As an aside, representatives for Digilock sent Giese a cease and desist about his research, which delayed the talk to Sunday, he told me.
After several meetings with lawyers from the EFF and back and forth with the company, the talk went ahead and Digilock dropped their demand, Giese told me as we stood in the lobby of the Conrad at Resorts World.
But multiple people I spoke to during and after the conference did have run-ins with hotel security.
“I was asleep when they knocked. They knocked again, I ignored it,” one attendee told me. Security tried to enter the room, but this attendee had the dead locks on the door enabled, they said. The attendee said he told them to go away. “They refused, [I] told them I was not in the condition to have anyone in my room. They reiterated they are required to enter the room. I gave in. They came into my room, walked the entirety of the room looking around,” the attendee said.
Another person recorded videos of hotel security entering their room. The first, recorded Aug. 8 according to the timestamp, shows two members of hotel staff in red shirts enter the room and split up, with one going into the bathroom and the other into the bedroom. At least one of the guards appears to be armed with a weapon, the video shows. The security staff look around the room and then leave in under a minute. In a second video filmed on Aug. 10, two other security guards look at a collection of cables and equipment on the guest's table, point their phones at it, and then leave.
The person who filmed those videos told me they were being “treated like a criminal” for attending DEF CON. “The whole experience felt cheap, like pure security theater. I felt unwelcome and treated with hostility,” they said.
As a second aside, on Thursday the Nevada Gaming Control Board filed a disciplinary complaint against Resorts World for allegedly accommodating illegal bookmaking and organized crime figures. Nothing to do with DEF CON, to be clear. But there's an interesting tension between Resorts World clamping down on hackers while allegedly facilitating gambling crimes too.
Another person I spoke to said their room was searched briefly. Another complained to Resorts World and was refunded two valet charges from their stay, according to an email thread they forwarded to me. “I deeply regret that your room was entered and searched without your permission, and that you were approached by staff who did not properly identify themselves. Your privacy and comfort are of utmost importance to us,” an email from Resorts World reads.
“Oh wow, $70 dollar comp for valet parking for invasion of my privacy, going through my luggage and personal items and profiling and harassment by your staff..I appreciate the apology, but the comp is completely unprofessional and insulting,” the attendee replied.
That feeling of unwelcomeness came from some other hotel guests too. The person who filmed the videos said at one point someone stopped to ask about his DEF CON badge. “When I mentioned that I was attending a security conference, they immediately became defensive and said, 'you're the reason my room is being searched in the morning, waking me up.'”
“Whether the person was joking or not, the interaction left me with an uneasy feeling that people were looking negatively upon those of us attending, which was an alienating experience,” the attendee told me.
DEF CON attendees were ushered away from other parts of the casinos, according to text messages I saw. In one conversation, a DEF CON attendee said they were asked to leave a casino floor by the pit boss because they were wearing the conference’s very distinctive electronic badge, which comes with glowing lights and this year runs a full GameBoy emulator. The casino staff cited other breaches at hotels as the reason for wanting them to take the badge off, that attendee said.
That is the driving force behind the cloud of paranoia at DEF CON this year: The city’s collective memory is still very much focused on two massive ransomware attacks last year.
In those attacks, hackers targeted both Caesars and MGM Resorts and locked down company machines. Caesars paid around $15 million to the hackers to have the resort’s systems unlocked. MGM, meanwhile, refused. Chaos ran through its casino’s floors. As my colleague Jason Koebler saw when he went to Vegas in the immediate aftermath, gambling machines no longer worked. ATMs couldn’t dispense cash. Sports book terminals were out of order. The impact stretched across multiple casinos, including the Bellagio, Aria, MGM Grand, NoMad, and Mandalay Bay. In all, MGM has said the attack cost them $110 million.
There is no evidence that those attacks involved any hackers on-the-ground who physically accessed Caesars or MGM systems. Instead, hackers broadly known in the cybersecurity community as Scattered Spider phoned MGM tech support, and said they were an employee that had forgotten their password. After a password reset, they were in.
But even that hacking-from-a-distance doesn’t mean casinos or more companies aren’t worried about thirty thousand hackers coming into town for DEF CON.
I took the Vegas Loop, the tunnel made by Elon Musk’s Boring Company which workers drive Teslas through, to and from DEF CON a few times. Two drivers (the cars are not autonomous) told me their employer had urged them to not carry their personal devices while working because of the hacking conference. Cleaners at Resorts World were told to do something similar, with the documents about what hacking tools to look for also saying “enabling airplane mode on your personal device, including your smartwatches, to disable your WiFi, Bluetooth, & cell service is suggested.”
One driver said the Vegas Loop suggested workers do not bring electronics to the shift out of an “abundance of caution.” Another said they were instructed to leave devices inside lockers at the facility where workers pick up the Tesla vehicles for their shift. The Boring Company did not respond to a request for comment.
The Vegas Loop took me to DEF CON’s home for the year, the Las Vegas Convention Center. DEF CON’s organizers said they “scrambled” to find a new venue after Caesars cut ties with the conference.
“After a great 25 year relationship Caesars abruptly terminated their contract with DEF CON, leaving us with no venue for DC 32, and just about seven months to Con!” DEF CON’s organizers wrote on social media in February. “We don’t know why Caesars canceled us, they won’t say beyond it being a strategy change and it is not related to anything that DEF CON or our community has done. The parting is confusing, but amicable.”
For what it’s worth, I personally thought the new venue was great as an attendee and second-time DEF CON speaker. The conference center had clearly marked rooms that were easy to navigate to, while still having plenty of space to move or sit in the spacious corridors or halls. The event was better for it.
But being punted out of Caesars still led to a “feeling of ‘we weren’t welcome’” from the hotels that previously hosted DEF CON, one attendee called Sam said. He asked me to only use his first name. “I think people were on edge because Caesars canceling the contract with DEF CON forcing them to move made it feel as though the hotels were against us,” he told me.
Sam said people discussed what other cities DEF CON should move to. The person who filmed the videos said they also discussed DEF CON moving to another city. They said Denver is “perfect.”
Caesars did not respond to a request for comment. DEF CON did not respond to a series of questions, including whether the conference has a confirmed venue for next year.
As the conference wrapped up, one person contacted me on Signal to say they knew people who had items confiscated by hotel security. In the same series of messages they sent photos they claimed they took of a machine belonging to Caesars that someone managed to hack.
“It's just sad to see these types of things can still be done, especially on machines that random people interact with,” they said. In a follow-up message they clarified they were talking about the machines and their security being “crappy.”
Among some attendees, there seemed to be a cognitive dissonance between complaining about people having hacking tools taken from them, and then clear evidence that casino systems had been interfered with.
This DEF CON felt like a throwback to when hackers were seen as the bogeyman in the 1980s and 90s. Since then, hackers have garnered a better image, with more people understanding many hackers are interested in breaking things to improve them, not to cause destruction. The ransomware attacks threw that image back twenty years, and probably made it even worse. Ransomware now is associated with hacking hospitals, disrupting people's lives, and in Vegas, hamstringing casinos, the city’s biggest draw for tourism.
Jayson Street, a longtime physical penetration tester who said he has attended DEF CON for twenty years, told me that DEF CON is his family. He spoke about the various tribes of hackers who focus on different disciplines all coming together under one roof or space. And many people I spoke to were having a great time this year.
Some venues in Vegas may of course continue to host DEF CON, be that the Las Vegas Convention Center or somewhere else. Tens of thousands of people will probably keep flocking to the conference that brings so many of them together. But even then, the cloud of paranoia is unlikely to lift any time soon. The city does not want to be held hostage again.