Black Hat USA 2024, DEFCON 2024, and Mandatory Hotel Room Checks

Earlier this month, at the Mandalay Bay in Las Vegas, an annual DEFCON 2024 conference took place. According to companies like Rapid7, the Black Hat USA 2024 conference showcased a bunch of presentations across various fields including, but not limited to the following:

• The rise of AI and machine learning: in DEFCON 2024, there have been speakers sharing their expertise around how threat intelligence shapes the security strategy in Microsoft, there have been speakers speaking about LLM security and presenting practical findings situated around LLM security.
• Malware and its mitigation: Speakers from Intezer, SentinelLabs, and SentinelOne presented a project called Oxalic dubbed “Project 0xA11C” which acts as a practical methodology to reverse-engineer Rust.
• Software security and its supply chain: a speech by Danny Jenkins, the CEO & Co-Founder of ThreatLocker, has shared insights into mitigating supply chain risk, identifying backdoors and vulnerabilities, and gaining intel on hacker operations.
• New and emerging technologies: there have been speeches situated around VPN “tunnel vision” and VPN post-exploitation such as the one regarding tunnel vision to explore VPN post-exploitation techniques by Ori David that is a Senior Security Researcher at Akamai that walked people through how an attacker with control over VPN servers can cause harm to the users and the network.
• Training, human error, and cybersecurity awareness: last but not least, there have been numerous speeches regarding cybersecurity training and awareness. One that comes to mind is the talk about downgrading critical Windows components including DLLs and drivers and discovering vulnerabilities in Windows Update. This talk by Alon Leviev has introduced a tool that can take over the Windows Update capabilities.

For those who have attended, Defcon 2024 was a nice and feature-packed conference: regardless, Defcon 32 did have its downsides. One of the downsides of Defcon 2024 was the rumor that the Sin City hotel in Las Vegas has warned its attendees that the hotel “will be conducting scheduled, brief visual and non-intrusive room inspections daily beginning August 5^th.” According to sources like CyberNews, the hotel has apparently also warned its guests that rooms that have a privacy sign will also be inspected.

A Privacy Intrusion or a Security Precaution?

A couple of users have posted the letter they have received from the hotel saying that the hotel is going to search their rooms daily to protect them from the “well-known hacking convention”, which may have been a snarky joke.

According to some other users like Adam Deziri who shared his experience on X (Twitter), he was told by the receptionist that 2-3 people from security “were looking for potentially malicious objects.” There have also been talks about items being confiscated, and it remains unclear if those items were ever given back to their rightful owners.

According to other Twitter users, such behavior can be considered an example how privacy can be violated by only suspecting a thing. Some people may also believe that if someone owns a bunch of unconventional tech, such a behavior could also cause a personal risk.

While it’s feasible to believe that people attending such conferences could have malicious intent, invading the privacy of hotel guests has to have limits, too.

Possible Reasons

Such a behavior of the Defcon 2024 organizers isn‘t unfounded, though: there have been rumors that hotel rooms in Vegas have been more and more common since the Mandalay Bay Resort hotel has undergone a shooting in 2017. Given that the resort is said to be home to Black Hat USA, too, such behavior is more than understandable. After all, Las Vegas has this famous saying “What happens in Vegas, stays in Vegas”, but again, room checks on a privacy-conscious audience ought to make headlines. What do you think about such behavior? Did you attend DEFCON 2024 and what was your experience? Do you think that DEFCON 2024 room checks crossed the privacy line or do you think that such behavior is a warrant of user safety and security? Comment below, and until next time.