kn0ck0ut (Matt)
Matt Miller (kn0ck0ut) is an ethical hacker, Master's student in Data Science, and serial entrepreneur who likes breaking things to figure out how they work. With a background in application security and solo-founding multiple startups, he recently dove deep into wireless security research, combining data science methodologies with hands-on hacking. Over the past year, he's conducted extensive Bluetooth warwalking across multiple cities, collecting hundreds of thousands of device observations using custom Raspberry Pi rigs. His research applies statistical analysis to real-world security failures, revealing both exploitation opportunities and surveillance risks in urban wireless environments. He believes in making complex security concepts accessible while showing the practical consequences of wireless misconfigurations.
Session
The most exploitable attack surface in modern businesses might not be their network perimeter; it's the Bluetooth-enabled receipt printer broadcasting without authentication. This talk demonstrates how trivially easy it is to hijack commercial Bluetooth devices using only a smartphone, then scales that threat to reveal city-wide surveillance implications through systematic warwalking research.
I'll demonstrate live exploitation of devices I've compromised in the wild: receipt printers, Samsung TVs, and commercial IoT devices, all requiring zero technical knowledge to attack. Then I'll show how I scaled this from opportunistic hacking to systematic research using a $100 Raspberry Pi rig running Kismet with GPS tracking, collecting over 100,000 device observations across San Francisco, Nashville, NYC, and Las Vegas.
The privacy implications are severe: 60-65% of Bluetooth devices broadcast persistent identifiers enabling long-term tracking as people move through cities. I'll present data-driven analysis showing how static MAC addresses combined with GPS logs create a surveillance infrastructure accessible to anyone with basic Python skills. Hotel door locks broadcast room numbers in plaintext. Air purifiers send 50 packets per minute for no legitimate reason. The gap between "possible to secure" and "secured in practice" is enormous.
Attendees will see live demonstrations including a receipt printer available for audience hijacking attempts, real-time Kismet data collection from conference attendees' devices, and Python analysis scripts running against live data. I'll share open-source tools for conducting this research and provide actionable defensive recommendations for manufacturers, businesses, and individuals.
This presentation combines accessible exploitation demonstrations with rigorous data science to show that if I can build city-scale surveillance infrastructure without Bluetooth expertise, anyone can.