def con conference

Bing Wen / (Licensed)

The best and scariest hacks out of Def Con 2019

In addition to bluetooth butt plugs, Def Con hackers took on voting machines, iPhone cables and Google Home, among others for the 2019 convention.


Brooke Sjoberg


Posted on Aug 16, 2019   Updated on May 20, 2021, 6:20 am CDT

Since 1992, hackers have met each summer in Las Vegas, Nevada to talk shop about the state of technology security and the implications of the future’s possibilities at Def Con. Over the years, Def Con grew to become a full-fledged and thriving convention.

The event has served as something of a warning sign of things to come. Researchers, privacy advocates, and hackers have gathered to discuss and present the scarier side of technology’s capabilities, and to clue consumers into realizing what the devices they own can do. Of course, given the increasingly low bar the everyday tech news cycle sets, the stranger these demonstrations are, the more attention they get.

This year has been no exception. Here are the best hacks from Def Con 2019.

1) Insecure sex toys

A hacker who goes by the name “smea” gave a talk during Def Con, where he detailed how he hacked a butt plug with Bluetooth connectivity capabilities. The device, a Lovense Hush, has a companion app that is easily hacked, smea told Gizmodo.

According to Gizmodo, Smea’s talk focused on how hackable sex toys could lead to sexual harassment and security risks. Smea said he heard a friend talking about Bluetooth-enabled butt plugs, and became interested in the privacy safety of the devices. He quickly discovered that the capability allows a hacker to compromise the security of the toy’s associated app, which is where personal information can be stored and the toy can be controlled.

“One of the things I brought up during the conference was that gaining access to the sex toy might allow you to bypass some safety features and that could cause physical harm, assuming those safety features were implemented in software,” Smea told Gizmodo. “I don’t think that’s really necessarily possible with these [buttplugs], but you have other devices that have motors that are meant to rotate parts of the toy and stuff like that. If those have safety features implemented in software that could be a real problem.”

2) The OMG Cable

One developer at Def Con is showing off (as well as selling) a USB Lightning cable engineered to allow remote access to a Mac unbeknownst to its owner. The modification allows access to the computer when it is connected to a phone by what is being called the OMG Cable.

Forbes reports the developer of OMG Cables (who goes by @_MG_ on Twitter) is already selling these cables to anyone who can track them down. The cables operate as you’d expect a charging cable to, but contain a “wireless implant” which their developer claims he can access from a distance of about 300 feet–about the length of a football field.

However, when the cable is formatted to act as a web client to nearby wireless internet networks, distance is taken out of the equation. MG told Forbes that the lightning cable’s user interface is so innocuous that no one would be able to know what was happening until it’s too late.

“It looks like a legitimate cable and works just like one,” MG told Forbes. “Not even your computer will notice a difference. Until I, as an attacker, wirelessly take control of the cable.” Feels like a good time to stock up on Apple Store-only cables and refrain from borrowing any.

3) Hacking into Google Home

Researchers revealed onstage at Def Con exactly how they compromised a Google Home. Threatpost reports that these researchers exploited the Magellan vulnerability, a hole in the device’s firmware which allows for remotely implemented code to grant access to code executions, leaking program memory or causing crashes.

In this case, a Google Home was prompted with a false update which allowed the researchers to load malicious software to the device and effectively render it a privacy danger to consumers.

According to Threatpost, the Magellan vulnerability has not been used to exploit Google Home devices outside of this instance.

4) A very expensive vanity license plate

The word “null” has long wreaked havoc on computer systems. Many times, bad software see “null” as meaning…well, nothing. It’s a value-less word and so the system sees nothing. Usually, that could be really frustrating for a user–but one Def Con hacker thought he could use the error to his advantage. Presenter Joseph Tartaro (who also goes by Droogie) explained in his talk that he got a vanity license plate that read “NULL” in hopes of avoiding parking tickets. If the system couldn’t read his license plate, maybe he could get away with all kinds of traffic violations.

Instead, the opposite happened: Tartaro received $12,049 in traffic fines, some of them from places he’s never been. The explanation of why is complicated, but suffice it to say that the NULL license plate didn’t make Tartaro invisible to the system, it simply broke the system and then penalized him for it. Basically, if someone was ever cited for something and the officer failed to include their license plate in the citation, the system would go ahead and do it for him, registering it as–you guessed it–null.

Tartaro wasn’t the only one at Def Con who wanted to exploit license plate reader technology. Fashion hacker Kate Rose wants her clothes to be seen as much as possible—including by automatic license plate readers (ALPRs) used by law enforcement.

Her clothing, a line of dresses, T-shirts, pencil skirts, and crop tops featuring license plate designs are meant to fill the databases created by ALPRs with so many false plates that their data sets are unusable, according to The Parallax. Hopefully, her experiment is more successful.


Share this article
*First Published: Aug 16, 2019, 6:30 am CDT