
DEF CON Hacking Conference

Demo Labs Schedule

DEF CON’s first DEMO LABS is a wide-open area filled with DEF CON community members sharing their personal, open-source tech projects. Presenters will rotate in and out every few hours. It’s like a poster-board session with more electronics, or like a very friendly, low-stakes ‘Shark Tank’ done cafeteria style.






Demo Lab Descriptions

PortaPack H1 Portable SDR

Jared Boone, ShareBrained Technology

The PortaPack H1 turns a HackRF One software-defined radio into a portable, open-source radio research platform, consisting of an LCD screen, micro SD slot, audio interface, and controls. It's capable of signal monitoring, capture, and analysis, and fits in one hand.

Detailed Explanation of Tool:

The PortaPack H1 attaches to a HackRF One software-defined radio, and adds an LCD with touchscreen, audio interface, user controls, micro SD card, and an RTC battery. It utilizes the dual ARM Cortex-M processors on the HackRF One to provide a lightweight but capable radio research platform. Because of resource constraints, it was not possible to provide a complete operating system, so ChibiOS was utilized, with good results. Even with these constraints, this portable device can monitor, analyze, and record many types of narrowband radio signals. Since the design is open-source, developers can build on the existing software to support many other types of signals and applications.

Jared Boone is an open-source hardware hacker, obsessed with the privacy and security of radio technology. He runs ShareBrained Technology, where his projects sometimes turn into products.

MozDef: The Mozilla Defense Platform

Jeff Bryner, Security Researcher

MozDef is an open source SIEM overlay for Elasticsearch that enables real-time alerting, investigations, incident response and automated defense in a modern, extensible fashion.

Jeff Bryner is best known to DEF CON from the kinectasploit presentations combining metasploit, nmap, nessus, etc with a 3D, real-time, gesture-based interface. With MozDef he's doing the same, but for defense.

SpeedPhishing Framework (SPF)

Adam Compton, Penetration Tester

SpeedPhishing Framework (SPF) is a new tool that helps penetration testers deploy phishing exercises quickly and automatically. When provided minimal input (such as just a domain name), the tool can automatically search for potential targets, deploy multiple phishing websites, craft and send phishing emails to the targets, record the results, and generate a basic report, among other more advanced tasks.

Adam Compton has a background in software design/development and information security. He currently works as a penetration tester and has over 20 years of infosec experience, 15 years as a penetration tester. He has worked in both the government and private sectors for a variety of customers ranging from domestic and international governments, multinational corporations, and smaller local businesses.

Emanate Like a Boss: Generalized Covert Data Exfiltration with Funtenna

Ang Cui, Chief Scientist, Red Balloon Security, Inc.

Funtenna is a software-only technique which causes intentional compromising emanation in a wide spectrum of modern computing hardware for the purpose of covert, reliable data exfiltration through secured and air-gapped networks. We present a generalized Funtenna technique that reliably encodes and emanates arbitrary data across wide portions of the electromagnetic spectrum, ranging from the subacoustic to RF and beyond.

The Funtenna technique is hardware agnostic, can operate within nearly all modern computer systems and embedded devices, and is specifically intended to operate within hardware not designed to act as RF transmitters.

We believe that Funtenna is an advancement of current state-of-the-art covert wireless exfiltration technologies. Specifically, Funtenna offers comparable exfiltration capabilities to RF-based retroreflectors, but can be realized without the need for physical implantation and illumination.

We first present a brief survey of the history of compromising emanation research, followed by a discussion of the theoretical mechanisms of Funtenna and intentionally induced compromising emanation in general. Lastly, we demonstrate implementations of Funtenna as small software implants within several ubiquitous embedded devices such as VoIP phones and printers, and in common computer peripherals such as hard disks, console ports, network interface cards and more.

Ang Cui is the Chief Scientist of Red Balloon Security, Inc. with a Ph.D. from Columbia University. He has focused on developing new technologies to defend embedded systems against exploitation. During the course of his research, Ang has also uncovered a number of serious vulnerabilities within ubiquitous embedded devices like Cisco routers, HP printers and Cisco IP phones. Ang is also the author of FRAK and the inventor of Software Symbiote technology. Ang has received numerous awards on his research and is the recipient of the Symantec Graduate Fellowship.


Eric Evenchick, freelance embedded systems developer

CANtact is an open source CAN to USB tool that integrates with the SocketCAN utilities on Linux. It provides a low cost way to connect to in-vehicle networks on modern automobiles.

This talk will present the hardware tool and the software tools that assist with working on in-vehicle networks. Some of these are custom development around CANtact, and others are existing open source utilities (i.e., Wireshark and Kayak).

Eric Evenchick is a freelance embedded systems developer. While studying electrical engineering at the University of Waterloo, he worked with the University of Waterloo Alternative Fuels Team to design and build a hydrogen electric vehicle for the EcoCAR Advanced Vehicle Technology Competition. Eric has also worked on automotive firmware at Tesla Motors, and is a contributor for

Badge Jeopardy

Fuzzbizz, Badge Hacker

Hacker Jeopardy on Windows makes Richard Stallman cry. Fix that by running it on your Defcon badge!

Required: Parallax-based DC badge

Fuzzbizz started showing up to Defcon as a total noob five years ago. He just moved to California from Ireland and has somehow managed to get roped into cofounding an infosec company. Hopefully he doesn't fuck it up.

HamShield: A wideband VHF/UHF FM transceiver for your Arduino

Casey Halverson

The HamShield turns your Arduino into a VHF/UHF FM voice and data transceiver for the following frequencies:
136-170 MHz, 200-260 MHz, 400-520 MHz.

No need to worry about SDR and processing, as this is already taken care of on the chip level. The HamShield library provides easy voice and data capability and controls every aspect of the radio. New radio technologies and creations can be written in minutes using the Arduino IDE. The radio is plumbed into the Arduino, as well as a standard mobile headset jack. You can even plug it into your computer and control it with your Chrome browser. Multithreaded text messaging over APRS, anyone?

Casey Halverson is an Amateur Radio operator, earning his license when he was 14 years old. After working years with Arduino hardware, he dreamed of one day combining the rapid prototyping capabilities of the Arduino environment with Amateur Radio. Casey is also a Chrome developer, bringing the first Arduino IDE and programmer to the Chromebook (Chromeduino). When he is not hacking with hardware, he dabbles in security, from exposing the Nissan LEAF's third party data leakage to WiFi picture frames.

The ShadyShield: Software-Defined Telephony for Arduino

Karl Koscher, Researcher

The ShadyShield is an Arduino-compatible telephone interface for all of your old-school phone phreaking needs. The ShadyShield provides the raw analog audio, but what you do with that is up to you. We provide sample code implementing a 300 bps modem in software on the AVR, but the applications of the ShadyShield are only limited by your imagination. Want to build an auto-dialer? That’s easy. Want to implement a BBS in a small, discreet form factor? The ShadyShield provides extra RAM via the SPI bus and a microSD connector for mass storage. Need a dumb dial-up terminal in a pinch? The ShadyShield has an RCA jack for NTSC/PAL output. We’ll have some sample applications on display, plus a few surprises.

Karl Koscher is a postdoctoral researcher at the University of California San Diego where he specializes in embedded systems security. In 2011, he and his collaborators were the first to demonstrate a complete remote compromise of a car over cellular, Bluetooth, and other channels. In addition to breaking systems, he also works on creating tools and technologies to enable developers to automatically find (and fix) potential security vulnerabilities in their embedded systems. Since earning his ham license at DEFCON 22, he has become interested in many aspects of communication systems.

Digital Disease Tracking Web App

Efrain Ortiz

Dave Ewall

The tool is an application that visualizes endpoint events on a timeline inspired by an epidemiological SIR graph. By plotting events over time, by machine and by event color type, it's possible to spot patterns that the average endpoint security product misses. This free open source app is currently designed for one vendor's endpoint security data, but is open to upgrading for other endpoint security products.

The Digital Disease Tracking Web App was developed as an after-hours collaboration between Dave Ewall and Efrain Ortiz. Efrain Ortiz works at a large internet security company and Dave Ewall runs his own company.

The Deck

Dr. Phil (Polstra), Professor, Bloomsburg University of Pennsylvania

The Deck is a version of Linux for the BeagleBone and similar boards. The Deck is also the name of devices running The Deck used for pentesting. There are a number of addons to The Deck including:

  • The 4Deck: Forensics USB Write blocking
  • AirDeck: Flying hacking drone
  • MeshDeck: Command and control multiple devices with 802.15.4 networks
  • USBDeck: HID and Mass Storage attacks

Phil was born at an early age. He cleaned out his savings at age 8 in order to buy a TI99-4A computer for the sum of $450. Two years later he learned 6502 assembly and has been hacking computers and electronics ever since.

Dr. Phil currently works as a professor at Bloomsburg University of Pennsylvania. His research focus over the last few years has been on the use of microcontrollers and small embedded computers for forensics and pentesting. Phil has developed a custom pentesting Linux distro and related hardware to allow an inexpensive army of remote pentesting drones to be built using the BeagleBone Black computer boards. This work is described in detail in Phil's book "Hacking and Penetration Testing With Low Power Devices" (Syngress, 2015).

Prior to entering academia, Phil held several high level positions at well-known US companies. He holds a couple of the usual certs one might expect for someone in his position. When not working, he likes to spend time with his family, fly, hack electronics, and has been known to build airplanes.

SWATtack – Smartwatch Attack Tool

Michael T. Raggo, Director, Security Research, MobileIron, Inc

Security concerns about corporate data on smartwatches weren’t topical until the release of the Apple Watch, yet wearables and smartwatches have been around for years. Our research and subsequent tool, SWATtack, brings to light the existing vulnerabilities of these devices when paired to a corporate-enabled mobile device. SWATtack incorporates our research of identified and reported vulnerabilities surrounding smartwatches and automates attack methods for accessing these devices and pilfering data from them. From this we hope to raise security awareness surrounding these devices to ensure that, when they are used in numerous practical methods, they are used in a secure and effective manner.

Michael T. Raggo, Director, Security Research, MobileIron, Inc. applies over 20 years of security technology experience to the technical delivery of Mobile Security Solutions. Mr. Raggo’s technology experience includes mobile device security, penetration testing, wireless security assessments, compliance assessments, incident response and forensics, security research, and is a former security trainer. His publications include books for Syngress titled “Data Hiding” and McGraw Hill as a contributing author for “Information Security the Complete Reference 2nd Edition”, as well as multiple magazine and online articles. He is also a participating member of the PCI Mobile Task Force. Mr. Raggo has presented on various security topics at numerous conferences around the world (Black Hat, DEF CON, SANS, Gartner, DoD Cyber Crime, OWASP, InfoSec, etc.) and has even briefed the Pentagon and FBI.


Idan Revivo, Mobile Malware Researcher, Check Point

CuckooDroid: an automated malware analysis framework based on the popular Cuckoo sandbox and several other open source projects. It features both static and dynamic APK inspection. Also, it provides techniques to prevent VM-detection, encryption key extraction, SSL inspection, API call trace, basic behavioral signatures and many other features. The framework is highly customizable and extensive - leveraging the power of the large, established Cuckoo community.

Idan is a mobile malware researcher at Check Point. He specializes in Android internals and sandboxing techniques. This includes automated static and dynamic malware analysis. He has a diverse security background which includes vulnerability analysis and electronic warfare providing him with a broad and unique perspective on the cyber arena. Although he mainly works with Android, Idan is an Apple enthusiast. Idan holds a bachelor's degree in Software Engineering, specializing in Mobile Systems.

Fiber Optic Tapping

Josh Ruppe

When you think of someone performing a standard man in the middle attack, what do you picture in your head? A network tap on copper cables? Someone using a WiFi Pineapple? Well what if the data being intercepted is leaving your home or coffee shop? Would you feel safer if your data was inside an optical fiber? You shouldn't. Fiber optics are just as susceptible to tapping as any other method of communication. In my demo lab, I will show you how fiber optic tapping works, how to conceal a tapping setup and how to defend against such an attack.

Tool Details: The tool I am using is known as a "Fiber Optic Clip-On Coupler". It is used by technicians to access talk fibers for testing purposes. However, it can also be used to "tap" the fiber without the need of a terminated end. The tool allows you to safely bend the fiber which in turn causes light to leak out through the fiber optic cladding. This enables complete and often undetected theft of data through a process not surprisingly known as "bending".

Josh Ruppe has been working in information security for a little over a decade, and is currently working as a Security Engineer in Atlanta, GA. Josh's primary focus is on penetration testing, but also dabbles in web application security, cryptography and reverse engineering.

Twitter: @josh_ruppe


Nick Skelsey, Systems Programmer

Ombuds resists censorship by storing public statements in Bitcoin's block chain. It is meant to be used alongside existing social media platforms to protect and distribute statements created by bloggers, activists and dissidents living under oppressive regimes. But if you are just worried that Twitter might delete your shitpost, you can use Ombuds to store it forever on the block chain.

Nick is a 2015 graduate from the School of Engineering and Applied Science at U.Va. He has worked at Distil Networks and the Tom Tom Founders Festival as a front-end and back-end web developer. He calls himself a systems programmer.


Takehiro Takahashi, Security Researcher

Sphinx is a highly scalable open source security monitoring tool that offers real-time auditing and analysis of host activities. It works by having clients forward various types of event logs including process execution with cryptographic signature (MD5 hash), network activity, dll/driver loading, as well as miscellaneous system events to a Sphinx server where each event is recorded and analyzed.

With Sphinx, you can quickly find an answer to questions like:

  • can we get a list of every event that happened on machine X between date Y and date Z?
  • can we graphically trace what happened on my computer in the last 10 minutes because I feel there's something weird going on?
  • who has run a piece of malware whose existence cannot be detected by our existing Anti-Virus product on our network?
  • give me a list of program executions as well as dll loads whose reputation is questionable or bad.
  • are there Office applications making outbound connections to China?
  • are there any dlls injected into explorer.exe whose digital signature does not belong to Microsoft?

You can build both simple and complex queries to search for threats. These queries can be run on a recurring basis and send alerts whenever there's a hit.

Tool details:

Sphinx works by having clients forward various types of event logs including process execution history with program's digital fingerprint (MD5 hash), network activity, dll/driver loading, as well as miscellaneous system events to a Sphinx server where each event is recorded and analyzed. These events are primarily generated through Sysmon, Microsoft's Sysinternal tool, and delivered to the server using nxlog, a robust open source log management tool.

On the server side, Sphinx receives the incoming data using Logstash, a popular log management tool with horizontal scalability. Logstash loads several plug-ins (including Sphinx's own Logstash plug-in) in order to normalize the data for analysis. The Sphinx plugin is primarily responsible for adding reputation information for events with MD5 hash. Sphinx uses the following sources to build its reputation table:

  • National Software Reference Library (NSRL), a project of the National Institute of Standards and Technology (NIST) which maintains a repository of known software, file profiles and file signatures for use by law enforcement and other organizations involved with computer forensic investigations.
  • VirusTotal, a subsidiary of Google, is a free online service that analyzes files and URLs enabling the identification of viruses, worms, trojans and other kinds of malicious content detected by antivirus engines and website scanners.
  • VirusShare, a repository of malware samples to provide security researchers, incident responders, forensic analysts, and the morbidly curious access to samples of malicious code.

Finally, normalized data is stored in an Elasticsearch server. Elasticsearch is a highly scalable, open-source full-text search engine based on Apache Lucene. Users can use Sphinx's web UI to build and run queries and detect threats. The web front end can also graphically browse program execution history and create alerts from saved queries. For example, you can have an alert set to trigger whenever Sphinx sees a program execution whose reputation is 'Harmful' OR 'Potentially Harmful' OR 'Unknown'.

Takehiro Takahashi is an individual security researcher, and formerly a vulnerability researcher at IBM X-Force and a senior security engineer at a large enterprise, where he designed and developed scalable monitoring and automation tools for malware threats.

Haka - An open source security oriented language

Mehdi Talbi, Security Researcher, Stormshield

Haka is an open source security oriented language for specifying and applying security policies on live captured traffic. The scope of this language is twofold. First, Haka features a grammar for specifying network protocols and their underlying state machines. The specification covers text-based protocols (e.g. http) as well as binary-based protocols (e.g. dns). Second, Haka enables the specification of fine-grained security rules that let end-users filter unwanted packets and report malicious activities. Haka supports on-the-fly packet modification, which makes it possible to set up complex mitigation scenarios when an attack is detected. The main goal of Haka is to abstract low-level and complex tasks such as memory management and stream reassembly so that experts who are not developers can use it. Haka aims to provide a simple and quick way to express security controls on existing, specific (e.g. scada) or new protocols (e.g. protocols over http).

Mehdi Talbi, PhD, is a security researcher at Stormshield where he contributes to the Haka open source project. His main interests are vulnerability exploitation techniques, reverse engineering, intrusion detection and network forensics. He has published more than 10 peer-reviewed papers in computer security conferences (ICICS, ARES), journals (Journal in Computer Virology) and magazines (MISC).

QARK - Android Exploitation and Static Code Analysis Tool

Tony Trummer, Penetration Tester, LinkedIn

Tushar Dalvi, Senior Information Security Engineer, LinkedIn

QARK is an automated scanning and exploitation framework, for Android applications. It is designed to locate vulnerabilities and provide dynamically generated, Proof-of-Concept exploitation code, customized for the specific application being tested.

It can be used in a scriptable fashion, for integration into existing SDLC processes, or interactively, by security auditors, with the need to assess a fully built application, as it has the flexibility to work on either raw source code or previously built APKs. It even creates nice findings reports to keep your pointy-haired boss, client or compliance wonks happy.

QARK currently includes checks for improper TLS implementations, insecure Inter-Process Communications, insecure WebView configurations and several other common security vulnerabilities.

Additionally, QARK can serve as your Android security testing Swiss army knife. It includes a manual testing APK allowing you to configure various testing scenarios without having to write all the nasty Java yourself.

Most importantly, QARK has been designed to encourage a community-based approach to application security, by eliciting contributions from the open-source community, allowing for all Android app developers and testers to share in a common body of knowledge for securing their applications.

So, stop by for a demonstration or further details, find a 0-day in your Android app and learn how you can contribute to, and benefit from, QARK. Hurry before we get too drunk!

Tony has been working in the IT industry for nearly 20 years and has been focused on application security for the last 5 years. He is currently an in-house penetration tester for LinkedIn, running point on their mobile security initiatives and has been recognized in the Android Security Acknowledgements. When he’s not hacking, he enjoys thinking about astrophysics, playing devil’s advocate and has been known to dust his skateboard off from time-to-time.

Tushar Dalvi is a security enthusiast, and currently works as a Senior Information Security Engineer at LinkedIn. He specializes in the area of application security, with a strong focus on vulnerability research and assessment of mobile applications. Previously, Tushar has worked as a security consultant at Foundstone Professional Services (McAfee) and as a Senior developer at ACI Worldwide.


Ankur Tyagi (7h3rAm), Malware Research Engineer, Qualys Inc

Rudra aims to provide a developer-friendly framework for exhaustive analysis of pcap files (later versions will support more filetypes). It provides features to scan pcaps and generate reports that include the pcap's structural properties, entropy visualization, compression ratio, theoretical minsize, etc. These help identify the type of data embedded in network flows and, when combined with flow stats like protocol, Yara and shellcode matches, eventually help an analyst to quickly decide if a test file deserves further investigation.

Ankur is working with Qualys Inc. as a Malware Research Engineer. On the Internet, he goes by the handle 7h3rAm and usually blogs here:


Georgia Weidman, Founder, Bulb Security LLC

Shevirah (formerly the Smartphone Pentest Framework) is a provider of testing tools for assessing and managing the risk of mobile devices in the enterprise and testing the effectiveness of enterprise mobility management solutions. Shevirah allows security teams and consultants to integrate mobility into their risk management and penetration testing programs.

Georgia Weidman is a penetration tester, security researcher, and trainer. She holds a MS in computer science as well as holding CISSP, CEH, and OSCP certifications. Her work in the field of smartphone exploitation has been featured in print and on television internationally. She has provided training at conferences such as Blackhat USA, Brucon, and Security Zone to excellent reviews. Georgia founded Bulb Security LLC, a security consulting firm specializing in security assessments/penetration testing, security training, and research/development. She was awarded a DARPA Cyber Fast Track grant to continue her work in mobile device security culminating in the release of the open source project the Smartphone Pentest Framework (SPF). Georgia is a member of the spring 2015 cohort at the Mach37 cyber accelerator, founding Shevirah Inc. to create product solutions for assessing and managing the risk of mobile devices in the enterprise and testing the effectiveness of enterprise mobility management solutions. She is the author of Penetration Testing: A Hands-on Introduction to Hacking from No Starch Press.

SecBee - An automated ZigBee security scanner

Tobias Zillner, Senior IS Auditor, Cognosec

The tool demonstrated will be a ZigBee security testing tool. It is basically a kind of ZigBee vulnerability scanner, so developers and security testers can check the actual product implementation for ZigBee specific vulnerabilities.

Currently it supports command injection, scanning for enabled join, sniffing network keys sent in plaintext or encrypted with the ZigBee default key, and a return-to-factory device reset.

A complete device takeover feature is under development. The final goal is to test for the correct application and implementation of every ZigBee security service.

Tobias works as Senior IS Auditor at Cognosec in Vienna. He conducts information systems audits in order to assess compliance to relevant internal and external requirements and to provide a customer’s management with an independent opinion regarding the effectiveness and efficiency of IT systems. Furthermore, Tobias evaluates and assures security of Information Technology by performing web application and web service penetration tests, source code analysis as well as network and infrastructure penetration tests. He has a Bachelor degree in Computer and Media Security, a Master degree in IT Security and a Master degree in Information Systems Management. Tobias’ expertise also applies to the IT Governance, Risk and Compliance domains. He also holds a wide range of certifications like CISSP, CISA, QSA, CEH, ITIL or COBIT.