What a security researcher learned from monitoring traffic at Defcon

He spent thousands on a data-collecting monstrosity to figure out why people considered the security conference's network dangerous.

Alfred Ng Senior Reporter / CNET News
Alfred Ng was a senior reporter for CNET News. He was raised in Brooklyn and previously worked on the New York Daily News's social media and breaking news teams.

Spicer has walked around Black Hat and Defcon collecting web activity for the last three years.

Mike Spicer

The first time I saw Mike Spicer, I spotted him from a mile away. He was hard to miss as he threaded his way through the crowd at the 2017 Black Hat hacking conference in Las Vegas with 35 pounds of gear on his back.

I'm also sure the 36-year-old security researcher saw me too. Or at least my network traffic. Because the hardware on Spicer's back was a surveillance tool nicknamed the "Wi-Fi Cactus." 

The Wi-Fi Cactus, which Spicer wears like a backpack, is made up of 25 Hak5 Pineapples, devices made to monitor, intercept and manipulate network traffic. The entire kit is the size of Spicer's upper body and is wrapped in green lights. Antennas stick out like the spikes on a cactus, which is how it got half of its name. In four days, Spicer collected 427 gigabytes of people's network traffic at a rate of about eight gigabytes an hour. 


"It became a monster for collecting data," Spicer said in an interview prior to this year's Defcon, which started on Thursday, Aug. 8. "Last year, I had so much data I didn't have enough storage devices and I was actually losing data."  

For three years, Spicer, the chief technology officer at MerchGo, an e-commerce company, has monitored traffic at security conferences with the Cactus. He spent more than $2,700 building and upgrading the machine.

If I'd been on the Wi-Fi network at all during my time around Black Hat and Defcon, Spicer could have seen my activity. My data would have joined a pool of data from thousands of attendees over the last three years, which now totals more than one terabyte of network traffic.

Spicer analyzed all that data and presented his findings at Defcon this year, discovering insecure apps that leak personal information and attempted attacks that can be easily avoided.

He initially wanted to track network traffic at Black Hat and Defcon after hearing about potential threats over Wi-Fi at the hacker conferences.

"I was first curious because everyone always says that Defcon is the most dangerous network in the world," Spicer said. "I wanted to know how it is dangerous because people love to run around and spread FUD" -- fear, uncertainty and doubt -- "but don't explain the risks."

Most of the attempted attacks were low-hanging fruit: known techniques that people familiar with cybersecurity could prevent. At Defcon, he found hundreds of Wi-Fi networks set up to trick people into connecting, using names of common connections such as the network IDs for Starbucks and airlines. 

Devices often automatically connect to networks they've connected to in the past, usually for your convenience. Hackers know this, and can set up their own access points with the same names to trick devices. It's a pretty simple attack to guard against if you use a VPN or keep your Wi-Fi off.
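The auto-join problem described above is easiest to see from the client's side. The following is an added example, not Spicer's tooling or anything from the article: it compares a constructed list of "remembered" networks against a constructed scan result and flags names whose advertised security does not match what the device remembers, or that are being advertised with inconsistent security at once. The profile and scan records, and the verdict labels, are assumptions made for the illustration.

```python
"""Flag remembered Wi-Fi names that should not be auto-joined in this scan.
Added example; the saved profiles and scan results below are constructed."""
from collections import defaultdict

# Constructed "remembered networks" as a client might store them: ssid -> security
SAVED_PROFILES = {
    "Starbucks WiFi": "OPEN",
    "HomeNet": "WPA2",
    "AirlineLounge": "WPA2",
}

# Constructed scan results: (ssid, bssid, security, channel)
SCAN = [
    ("HomeNet", "02:00:00:99:99:99", "OPEN", 6),        # remembered as WPA2, now open
    ("Starbucks WiFi", "de:ad:be:ef:00:01", "OPEN", 1),
    ("AirlineLounge", "c0:ff:ee:00:00:01", "WPA2", 44),
    ("AirlineLounge", "c0:ff:ee:00:00:02", "OPEN", 6),  # twin of the same name, no encryption
    ("Never Gonna Give You Up", "11:22:33:44:55:66", "OPEN", 11),
]


def assess_scan(profiles, scan):
    """Return {ssid: verdict} for every remembered network visible in the scan.

    'block'   - no visible AP matches the remembered security type
    'caution' - name seen with mixed security, or the remembered network is open,
                so any access point can legitimately claim the name
    'ok'      - a single, consistent, encrypted match
    """
    seen = defaultdict(list)
    for ssid, bssid, security, _channel in scan:
        seen[ssid].append((bssid, security))

    verdicts = {}
    for ssid, saved_security in profiles.items():
        if ssid not in seen:
            continue
        securities = {security for _bssid, security in seen[ssid]}
        if saved_security not in securities:
            verdicts[ssid] = "block"
        elif len(securities) > 1 or saved_security == "OPEN":
            verdicts[ssid] = "caution"
        else:
            verdicts[ssid] = "ok"
    return verdicts


if __name__ == "__main__":
    for ssid, verdict in assess_scan(SAVED_PROFILES, SCAN).items():
        print(f"{verdict:8} {ssid}")
```

The point of the "caution" verdict for open networks is the one the article makes: a remembered open network carries no proof of identity, so the only real defences are not auto-joining it, or treating everything sent over it as public unless it is independently encrypted (HTTPS or a VPN).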


Spicer's Wi-Fi Cactus found plenty of fake access points, including 17 different SSIDs with the lyrics of Rick Astley's "Never Gonna Give You Up." (SSIDs are network names.) While that might've been amusing, Spicer said he found traffic that was a cause for concern, specifically coming from apps. 

You can protect yourself from Wi-Fi monitoring by sticking to websites that use HTTPS, which encrypts the traffic between your browser and the site, but there isn't much you can do about the connections that apps make to their own servers. He found weather apps that were sending location data without encryption, which could have allowed him to track where people were, Spicer said.

"If they were sending that data over clear text, and that person's connected to an open Wi-Fi network, you're essentially giving up your location," Spicer said.
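The kind of leak Spicer describes shows up in a capture as a plaintext HTTP request whose query string carries a latitude/longitude pair. The following is an added example rather than anything from the article or from Spicer's analysis: it runs a small detection over constructed HTTP request lines (labelled as such; no real app or host is referenced) and reports those that expose a plausible coordinate pair. The parameter names it looks for are an assumption about common conventions, not a list taken from the page.

```python
"""Detect plaintext HTTP requests that carry location coordinates.
Added example; the request lines and hosts below are constructed."""
from urllib.parse import parse_qs, urlsplit

# Constructed sample of plaintext HTTP request lines paired with their Host
# header, in the shape a capture tool might log them. Not real app traffic.
REQUESTS = [
    ("GET /v1/forecast?lat=36.1215&lon=-115.1739&units=f HTTP/1.1", "weather.example"),
    ("GET /api/tiles?z=12&x=700&y=1630 HTTP/1.1", "maps.example"),
    ("POST /telemetry?latitude=36.12&longitude=-115.17&devid=abc HTTP/1.1", "app.example"),
    ("GET /news/top HTTP/1.1", "news.example"),
]

LAT_KEYS = {"lat", "latitude"}
LON_KEYS = {"lon", "lng", "longitude"}


def _coordinate(value, low, high):
    """Return the value as a float if it parses and lies within [low, high]."""
    try:
        number = float(value)
    except ValueError:
        return None
    return number if low <= number <= high else None


def find_location_leaks(requests):
    """Return one finding per request whose query string exposes a lat/lon pair.

    Only requests that are already plaintext reach this function, so every
    finding is a location that any observer on the same open network could read.
    """
    findings = []
    for request_line, host in requests:
        parts = request_line.split(" ")
        if len(parts) != 3:          # not a well-formed request line; skip
            continue
        method, target, _version = parts
        url = urlsplit(target)
        params = parse_qs(url.query)
        lat = lon = None
        for key, values in params.items():
            name = key.lower()
            if name in LAT_KEYS:
                lat = _coordinate(values[0], -90, 90)
            elif name in LON_KEYS:
                lon = _coordinate(values[0], -180, 180)
        if lat is not None and lon is not None:
            findings.append({"host": host, "method": method,
                             "path": url.path, "lat": lat, "lon": lon})
    return findings


if __name__ == "__main__":
    for finding in find_location_leaks(REQUESTS):
        print(f"{finding['method']} {finding['host']}{finding['path']} "
              f"-> {finding['lat']}, {finding['lon']}")
```

A range check on the values matters more than it looks: tile indices and other integer pairs also travel in query strings, and flagging them would bury the real leaks. The fix on the app side is the one the article implies, sending the request over HTTPS so the query string is not visible on the air.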


The Wi-Fi Cactus is a 35-pound surveillance machine that monitors the web activity around it.

Defcon China

Over the last three years, his Wi-Fi Cactus has seen familiar faces: Each time it logs network traffic, it records the MAC address associated with the devices it's monitoring. (MAC addresses identify devices to a network.) He's brought the Cactus to different security conferences, in places like Washington DC and China. There's a small handful of devices that he's run into more than once since 2016, even if their owners don't know it.

"This is the same group of people I'm seeing at different conferences," Spicer said. "If you used the same device, I know you were here."
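Whether a device is recognisable across conferences in this way depends on whether it presents the same hardware MAC address each time. The following is an added example, not Spicer's data or code: it takes constructed per-event sets of client MAC addresses, reports which addresses recur, and skips any address whose "locally administered" bit is set, since an operating system that randomizes its Wi-Fi MAC address sets that bit and such an address says nothing reliable about the physical device. The event names and addresses are constructed for the illustration.

```python
"""Cross-capture MAC recurrence with a MAC-randomization check.
Added example; the observations below are constructed, not conference data."""

# Constructed per-event sets of client MAC addresses (not real captures).
OBSERVATIONS = {
    "Conference A 2016": {"a4:5e:60:10:00:01", "3c:22:fb:20:00:02", "da:a1:19:30:00:03"},
    "Conference B 2017": {"a4:5e:60:10:00:01", "f0:18:98:40:00:04", "da:a1:19:30:00:03"},
    "Conference A 2019": {"a4:5e:60:10:00:01", "3c:22:fb:20:00:02", "62:11:aa:50:00:05"},
}


def is_locally_administered(mac):
    """True when bit 1 of the first octet is set.

    That bit marks an address assigned locally (for example by OS MAC
    randomization) rather than burned in by the vendor, so it cannot be
    assumed to identify one physical device from one capture to the next.
    """
    first_octet = int(mac.split(":")[0], 16)
    return bool(first_octet & 0x02)


def repeat_visitors(observations, min_events=2):
    """Map each recurring MAC to the sorted list of events it appeared at.

    Locally administered addresses are dropped: a recurrence of such an
    address is either coincidence or a randomizer reusing a per-network
    address, not evidence of the same hardware.
    """
    appearances = {}
    for event, macs in observations.items():
        for mac in macs:
            appearances.setdefault(mac.lower(), set()).add(event)
    return {
        mac: sorted(events)
        for mac, events in appearances.items()
        if len(events) >= min_events and not is_locally_administered(mac)
    }


def randomized_share(observations):
    """Fraction of distinct observed addresses that are locally administered,
    i.e. how much of the population a stable-identifier approach cannot follow."""
    macs = {mac.lower() for event_macs in observations.values() for mac in event_macs}
    if not macs:
        return 0.0
    return sum(is_locally_administered(m) for m in macs) / len(macs)


if __name__ == "__main__":
    for mac, events in repeat_visitors(OBSERVATIONS).items():
        print(f"{mac} seen at {', '.join(events)}")
    print(f"randomized share: {randomized_share(OBSERVATIONS):.0%}")
```

From the defender's side the useful output is the second function: if your own device shows a universally administered address in a scan like this, it is presenting the same identifier at every venue, and turning on the platform's MAC randomization (or keeping Wi-Fi off, as the article suggests) is what removes it from this kind of matching.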

The Cactus has morphed over the years, with Spicer slimming it down from its original 60 pounds. Still, it's become a "pain to travel with" and this year's Defcon could mark its last run. 

Spicer's next project is something he's calling the Wi-Fi Kraken, a toned-down version of the Cactus that picks up more wireless signals. This one would be a battery-powered PC with 14 radios, hidden in a case.

"I wanted to go a little more concealed route with this one," Spicer said. "You could go set it somewhere and it looks like it can be conference equipment."

I won't be able to spot this Wi-Fi tracking machine out of the crowd anymore. But something tells me my network traffic will still be in clear sight.