One of our team members was at a party immediately after the “Collateral Murder” release. There they had the privilege of overhearing some ‘curious’ conversations by known personas. Said personas still had all their mobile devices with them during their travels. That made every device in the room an obvious and valid intelligence target.
According to the Twittersphere, bringing burners for BSides/BlackHat/Defcon is overkill. With one particularly notable exception here. The above anecdote showcases that proximity to persons of interest is enough to be targeted.
Follow the target: At public events, a valid threat model may be determined by considering your proximity to other subjects of interest. Start by asking yourselves the 5 W’s questions.
Who attends these Vegas conferences in August?
- Real-life social engineers
- Red teamers engaged in breaking into organizations
- Researchers that develop offensive tools pertaining to OCO and EW
- Researchers that watch criminal and state actors and their (cyber) operations
- Criminals
- Private teams
- Foreign and domestic intelligence officers (who are involved in some or all of the above)
These respective “industries” are dynamic places. However, there tends to be some consistency over time with respect to the various players involved. All of these groups are valid collection and recruitment targets for foreign and domestic intelligence teams. It’s not often when such a large and diverse group of potential people of interest congregates in one location to cross-contaminate each other. It happens on a global scale at least once a year. In Las Vegas. During BSides/BlackHat/DEFCON.
The various collection teams will have to figure out who is an attractive target. For this they rely on previously finished intelligence AND real-time intelligence collection while at the event. Here we can differentiate between passive mapping of devices that appear to travel together and active targeting of groups of devices.
It’s a near certainty that your Vegas devices will end up in various social graphs & link analysis charts as mapped out by different teams. How high are the chances of your device getting actively targeted, at which point E2EE security would become irrelevant? For one, it may depend on where your device was purchased, what kind of SIM (country, region, carrier, etc.) it carries, and what OS patch level it is running.
Remember, the technology market is a rich and exciting place, and the SIEM market doesn’t have a monopoly on AI/ML automation and orchestration.
Yes, low level system attacks can be performed at scale. Note: This could make for a very interesting reporting exercise, roughly as hard to pull off as the Bloomberg Super Micro story.
Also keep in mind that zero-days are cheap money for state-sponsored teams. There’s just a handful of days to collect and act on thousands of targets. Perhaps more importantly, only a small subset of attendees are able to detect a baseband compromise of their iOS or Android device. Those who can detect anomalies are more likely to simply set fire to their burner on their way out of Vegas.
Running an effective burner ring is easier said than done. It requires fresh devices AND fresh accounts. For those who have run them, closed loop networks are simply not conducive to normie business. There’s no using your previously-known Signal number on the same device that’s otherwise running fresh accounts. Amongst a litany of other issues, if anyone in the new network messes up, the entire ring is burned and all accounts are cross-linked.
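To make the passive mapping mentioned earlier concrete, and to show why the cross-linking described above is so hard to avoid, here is an added Python example (not code from the original post). It runs a plain co-occurrence count over constructed sightings: records of which device identifiers were observed at the same sensor in the same time window. The sensor names, time buckets, device labels and the linking threshold are all made up for illustration.

```python
"""Co-travel correlation over constructed device sightings.

Added example, not from the original post. A passive collector that only
records "which identifiers were seen where and when" can link devices that
keep appearing together. A burner carried next to an already-known phone
inherits every link the known phone has.
"""
from collections import defaultdict
from itertools import combinations

# Constructed sightings: (sensor, time_bucket, device_id).
# All names are invented. "known-phone-1" stands for a device already present
# in someone's link chart; "burner-X" is a fresh device carried alongside it.
SIGHTINGS = [
    ("hall-A", 1, "known-phone-1"),
    ("hall-A", 1, "burner-X"),
    ("hall-A", 1, "rando-1"),
    ("bar-B", 2, "known-phone-1"),
    ("bar-B", 2, "burner-X"),
    ("bar-B", 2, "rando-2"),
    ("lobby-C", 3, "known-phone-1"),
    ("lobby-C", 3, "burner-X"),
    ("lobby-C", 3, "rando-1"),
    ("hall-A", 4, "rando-1"),
    ("hall-A", 4, "rando-2"),
]


def cooccurrence(sightings):
    """For each unordered device pair, count the distinct (sensor, time_bucket)
    cells in which both devices were seen."""
    cells = defaultdict(set)
    for sensor, bucket, dev in sightings:
        cells[(sensor, bucket)].add(dev)
    counts = defaultdict(int)
    for devs in cells.values():
        for a, b in combinations(sorted(devs), 2):
            counts[(a, b)] += 1
    return dict(counts)


def linked_pairs(sightings, min_cells=3):
    """Pairs co-observed in at least min_cells distinct cells. These are the
    edges a link-analysis chart would draw; the threshold is illustrative."""
    return sorted(p for p, n in cooccurrence(sightings).items() if n >= min_cells)


def linked_to(sightings, device, min_cells=3):
    """Devices that `device` drags into the graph with it."""
    return sorted(
        b if a == device else a
        for a, b in linked_pairs(sightings, min_cells)
        if device in (a, b)
    )


def without_device(sightings, device):
    """The same event with one device left at home (or switched off)."""
    return [s for s in sightings if s[2] != device]


if __name__ == "__main__":
    print("links:", linked_pairs(SIGHTINGS))
    print("pulled in by known-phone-1:", linked_to(SIGHTINGS, "known-phone-1"))
    alone = without_device(SIGHTINGS, "known-phone-1")
    print("burner-X links when carried alone:", linked_to(alone, "burner-X"))
```

Three shared cells are enough to tie the burner to the known phone, while the bystanders seen once or twice stay below the threshold. Remove the known phone from the same sightings and the burner links to nothing, which is the whole argument for fresh devices carried on their own rather than next to the phone you normally use.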
Ultimately there’s little difference between having your device targeted on purpose or by accident. Burners are a pain, but well worth it for some events and places. Las Vegas in August is one of them.
Happy Summercon!
Dan & Roel & lots of OSINT 😉