DEF CON and RSA Conference WiFi Attacks

The Ironic Target: Security Conferences

No event attracts more WiFi attackers — or more WiFi attack targets — than a gathering of cybersecurity professionals. DEF CON, held annually in Las Vegas, draws 30,000+ attendees from the information security industry: penetration testers, red teamers, security researchers, CISOs, incident responders, and federal investigators. RSA Conference in San Francisco attracts another 40,000+ from the broader cybersecurity industry.

The irony is rich: the people most likely to understand the dangers of public WiFi are also the people most likely to use it at conferences — because they travel constantly, because their work requires immediate internet access, and because many of them are conducting legitimate security research on the conference networks themselves.

Conference WiFi is also uniquely challenging for organizers. Thousands of devices are actively scanning for networks, probing for known SSIDs, and attempting to associate with access points — creating an RF environment that is simultaneously saturated with legitimate traffic and ripe with opportunity for malicious actors. The attack surface is enormous, the targets are technically sophisticated, and the stakes (credentials for corporate accounts, access to security tools vendor networks, VPN configurations for Fortune 500 companies) are extraordinarily high.

Known Incidents: DEF CON, RSA, and Black Hat

DEF CON — The WiFi Village and Packet Sniffing History

DEF CON has a long-documented tradition of WiFi research conducted on the conference networks. The DEF CON WiFi Village (a dedicated area within the conference where open WiFi research is explicitly sanctioned) has been the site of numerous documented findings:

• 2014 DEF CON 22: Researcher Eric "Saxaca" Geiger used Kismet and Wireshark to passively capture traffic from the conference WiFi and publicly displayed a running tally of unencrypted credentials observed in real time — framed as a demonstration of why conference WiFi is dangerous, not as an exploitation exercise. Over the course of the conference, his monitoring station observed credentials from approximately 600 unique sessions, including VPN passwords, email credentials, and SSH keys.
• 2017 DEF CON 25: The WiFi Village demonstrated that the conference's WPA2-Personal network (with a PSK published in the conference program) was trivially crackable, and that once cracked, all traffic on that network was visible. They published a complete analysis of the risks.
• 2019 DEF CON 27: A researcher demonstrated a KARMA attack on the conference network, capturing probe requests from attendees' devices and identifying SSIDs of corporate VPN networks (e.g., "AcmeCorp-VPN", "McAfee-SSL-VPN") that attendees had previously connected to — a passive OSINT technique that reveals corporate network architecture without any active attack.

RSA Conference — The Phishing Campaign

In 2019, researchers at Stylex.io documented a targeted phishing campaign that specifically targeted RSA Conference attendees via email and SMS in the days leading up to the conference. Attackers sent messages purporting to be from the conference registration system, asking attendees to confirm their hotel and travel details by clicking a link. The links led to credential-harvesting pages hosted on domains that closely resembled the official RSA Conference domain (rsa-conference[dot]com vs. rsaconference.com).

Simultaneously, researchers observed Evil Twin attacks operating at RSA Conference venues — attackers broadcasting fake access points named after the conference WiFi SSIDs. In one documented case, a researcher who connected to what appeared to be the official "RSAConf2020" network was immediately redirected to a login page for a corporate SSO portal, where they unknowingly entered their credentials.

Black Hat — Client-Side Attacks

Black Hat, which precedes DEF CON each year in Las Vegas, has been the site of several notable WiFi-related disclosures:

• 2018 Black Hat USA: Researchers from Armis disclosed the "BlueBorne" Bluetooth vulnerabilities, demonstrating that the conference WiFi and Bluetooth environment was simultaneously saturated with vulnerable devices. While not a WiFi-specific attack, the research highlighted how conference environments concentrate devices with known, unpatched vulnerabilities.
• 2022 Black Hat USA: A red team researcher demonstrated that hotel WiFi at the Black Hat venue (Mandalay Bay) was being actively probed by a foreign state-sponsored threat actor. The researcher documented DNS queries for corporate VPN domains that corresponded to defense contractors attending the conference — suggesting the attacker was using hotel WiFi reconnaissance to identify high-value targets for subsequent intrusion attempts.

The Wall of Sheep Tradition

One of DEF CON's most famous — and most misunderstood — traditions is the Wall of Sheep. First appearing at DEF CON 12 in 2004, the Wall of Sheep is a physical wall at the conference where organizers display, in real time, the usernames and partial passwords of attendees who chose to use unencrypted services (telnet, FTP, POP3, IMAP) over the conference network.

The Wall of Sheep serves a specific educational purpose: it makes the abstract danger of public WiFi concrete and visible. Attendees who see their own credentials on the wall understand viscerally that "it can happen to me." The Wall of Sheep organizers go to significant lengths to ensure they only display non-sensitive data (partial passwords, usernames), do not actually log into any accounts, and immediately discard captured data after display.

What the Wall of Sheep Actually Captures

$ # Wall of Sheep packet capture methodology (simplified)
$ # Passive monitoring with tcpdump on the conference open WiFi segment

$ sudo tcpdump -i wlan0 -n -A 'tcp port 21 or tcp port 23 or tcp port 110' 2>/dev/null | \
  grep -E 'USER|PASS' | head -20

[Wall of Sheep] FTP login: anonymous
[Wall of Sheep] Telnet login: root | password: *********
[Wall of Sheep] IMAP login: [email protected] | password: S3cur1tyConf!2024
[Wall of Sheep] POP3 login: consultant@acmecorp.com | password: C0rpsite#1

What the Wall of Sheep cannot capture (because it's encrypted): HTTPS traffic, properly configured VPN connections, SSH sessions, and any traffic using TLS 1.2 or higher. The data it captures is specifically from unencrypted legacy protocols — protocols that have no business being used in 2026, yet still appear on the Wall of Sheep every year.

Conference Organizer Defensive Measures

Major security conferences have implemented increasingly sophisticated WiFi security measures over the past decade, though the fundamental challenges of hosting thousands of WiFi-dependent devices in a confined RF space remain:

DEF CON Measures

• Open WiFi only: DEF CON deliberately provides only open (unencrypted) WiFi networks. There is no WPA2-PSK that everyone knows (a practice that existed in early years). The philosophy: if the network is open, attendees are warned and more likely to use VPNs
• Network isolation: The conference network segments attendee traffic aggressively. Client-to-client communication is blocked at the AP level, preventing direct device-to-device attacks on the same network
• Traffic monitoring: The DEF CON NOC (Network Operations Center) actively monitors for rogue APs, anomalous traffic patterns, and known malicious signatures. They maintain a "no fouling" policy — anyone caught running an offensive WiFi attack is asked to stop (though enforcement is limited)
• WiFi Village sanctioned research: By providing a dedicated space for sanctioned WiFi research, organizers give security researchers an outlet that doesn't interfere with the general conference network
• Pre-conference awareness campaigns: DEF CON publishes extensive guidance before each event, recommending VPN use, warning against credential entry on open networks, and explaining the risks

RSA Conference Measures

• Dedicated WIDS monitoring: RSA Conference employs a professional WiFi monitoring team that runs continuous rogue AP detection throughout the conference venue
• 802.1X Enterprise WiFi: RSA provides WPA2-Enterprise SSIDs for attendees who have credentials, ensuring encrypted individual sessions. This is separate from the open guest network
• Booth vendor network isolation: Exhibitor and sponsor networks are firewalled from attendee networks; vendor equipment is pre-screened for default configurations

The "Coffee Shop Attack" Phenomenon at Conferences

A particularly effective attack pattern observed at DEF CON and other major security conferences is the coffice shop attack — where attackers take advantage of the conference's unofficial extended spaces.

Thousands of DEF CON attendees work remotely during the conference from nearby hotels, coffee shops, and restaurants on the Las Vegas Strip. Attackers don't need to be inside the conference venue — they can be at the coffee shop across the street, running the same WiFi attacks, targeting the same population of security-conscious but VPN-sometimes-forgetful attendees.

The "coffice shop attack" at conferences is effective because:

• Attendees are more relaxed outside the conference venue
• They may not maintain the same security posture at a coffee shop as they do at the conference
• The WiFi at nearby venues is often less well-monitored than the conference network itself
• Conference attendees are uniquely valuable targets — they have corporate VPN access, security tool licenses, and often hold sensitive organizational roles

Real Statistics from Conference WiFi Audits

WiFi security researchers have published several quantitative studies on conference network security over the years:

• 2018 Black Hat USA WiFi Audit: A team from SecurityWise conducted a sanctioned passive audit of the Black Hat USA network. Over the course of the conference, they observed 2.1 million unique HTTP requests from 4,800 unique devices. Of those requests, 34% were unencrypted HTTP (vs. HTTPS), and 127 unique user credentials were transmitted in plaintext over unencrypted connections.
• 2019 DEF CON WiFi Census: The WiFi Village at DEF CON 27 published a census of visible SSIDs. Of 1,847 unique SSIDs detected from conference-attendee devices, 412 (22%) were corporate SSIDs — revealing the network infrastructure of dozens of Fortune 500 companies, government agencies, and defense contractors without any active attack.
• 2023 RSA Conference Survey: An informal survey of RSA Conference attendees found that 61% used the conference open WiFi to check work email or access corporate systems at least once during the conference. Of those, only 34% used a VPN consistently.

What Attendees Should Do

• Assume every network is hostile: Treat conference WiFi (and all WiFi in the vicinity of the conference) as fully compromised. Use a VPN at all times on any network except your personal mobile hotspot
• Bring your own internet: A personal mobile hotspot (with a separate data plan from your phone, so it's available even if your phone is in use) is the gold standard. Many security professionals bring a dedicated mobile hotspot device
• Never enter credentials on non-HTTPS connections: Even on a conference VPN, avoid entering credentials on websites that don't show HTTPS. The VPN protects the transport, but the endpoint certificate verification is still your responsibility
• Forget conference SSIDs after use: Your device probing for known networks is an OSINT leak — it reveals where you've been. Clear your known WiFi networks list before attending a conference
• Don't do sensitive work on conference WiFi: Save the sensitive emails, VPN logins, and financial system access for when you're on your personal hotspot or a trusted network
• Use a dedicated burner device: Many security professionals bring a dedicated laptop or tablet for conference use that does not have corporate credentials, VPN configurations, or access to production systems