2026-03-23, TALKS
The most exploitable attack surface in modern businesses might not be their network perimeter but the Bluetooth-enabled receipt printer broadcasting without authentication. This talk demonstrates how trivially easy it is to hijack commercial Bluetooth devices using only a smartphone, then scales that threat to reveal city-wide surveillance implications through systematic warwalking research.
I'll demonstrate live exploitation of devices I've compromised in the wild: receipt printers, Samsung TVs, and commercial IoT devices, all requiring zero technical knowledge to attack. Then I'll show how I scaled this from opportunistic hacking to systematic research using a $100 Raspberry Pi rig running Kismet with GPS tracking, collecting over 100,000 device observations across San Francisco, Nashville, NYC, and Las Vegas.
The privacy implications are severe: 60-65% of Bluetooth devices broadcast persistent identifiers enabling long-term tracking as people move through cities. I'll present data-driven analysis showing how static MAC addresses combined with GPS logs create a surveillance infrastructure accessible to anyone with basic Python skills. Hotel door locks broadcast room numbers in plaintext. Air purifiers send 50 packets per minute for no legitimate reason. The gap between "possible to secure" and "secured in practice" is enormous.
Attendees will see live demonstrations including a receipt printer available for audience hijacking attempts, real-time Kismet data collection from conference attendees' devices, and Python analysis scripts running against live data. I'll share open-source tools for conducting this research and provide actionable defensive recommendations for manufacturers, businesses, and individuals.
This presentation combines accessible exploitation demonstrations with rigorous data science to show that if I can build city-scale surveillance infrastructure without Bluetooth expertise, anyone can.
TALK STRUCTURE & TIMELINE (45 MINUTES)
This presentation delivers comprehensive coverage of Bluetooth exploitation, moving from accessible demonstrations through systematic data collection to large-scale privacy implications with detailed technical methodology.
PART 1: PRACTICAL EXPLOITATION (12-15 MINUTES)
I'll demonstrate real-world Bluetooth hijacking using only commodity hardware with expanded audience interaction:
• Receipt Printer Takeover: I'll bring an Epson TM-M30II thermal printer and demonstrate the complete connection process step-by-step. I'll share the story of how I discovered and exploited an unsecured café printer using only the free iOS Epson TM Utility app to print messages claiming to be from "time travelers from 2036," which convinced local high school employees they'd made contact with the future. The printer will be live in the room with time for 2-3 audience members to attempt connections during the presentation. This attack requires zero technical knowledge, just opening your phone's Bluetooth menu and downloading an app.
• Samsung TV Hijacking: I'll walk through my two-stage attack progression in detail: (1) Audio-only takeover using smartphone Bluetooth pairing (demonstrated at a smoothie bar), showing the actual pairing interface, and (2) Full video control combining Flipper Zero IR commands (universal Samsung remote) with same-network Wi-Fi access (demonstrated at a Chicago bar). I'll demonstrate the Flipper Zero IR commands live if the venue has a Samsung TV. The vulnerability: manufacturer default settings with no authentication. In Chicago, simply asking the bartender for the Wi-Fi password gave me complete control of all their Samsung displays.
• Extended Device Tour: Detailed demonstrations of additional vulnerable devices including ProSmart bed bases at Mattress Firm, commercial speakers, hotel door locks broadcasting room numbers in plaintext, and smart home devices, all with specific exploitation scenarios and video footage where available.
PART 2: SCALING RESEARCH WITH KISMET (15-18 MINUTES)
How I moved from opportunistic hacking to systematic research with technical depth:
• Hardware Deep Dive: Raspberry Pi 4 + GPS dongle + battery (~$100 total). I'll show the actual physical rig and walk through the complete setup: auto-connects to phone hotspot, establishes Tailscale VPN for remote access, syncs Kismet logs to home server via rsync. I travel with this constantly and will explain why each component matters for scalable data collection.
• Kismet Configuration: I'll share my actual Kismet config files, explain what data fields I'm capturing (device names, MAC addresses, manufacturer data, signal strength/RSSI, timestamps, GPS coordinates) and discuss storage requirements and data management at scale.
• Dataset Overview: ~100,000+ device observations across San Francisco, Nashville, NYC, Las Vegas.
• Extended Live Analysis Session: I'll have the rig running during the talk, collecting data from the conference room. I'll SSH in and execute multiple Python analysis scripts live, showing my complete data pipeline from raw Kismet logs to actionable intelligence. Expect to see real-time enumeration of Flipper Zeros, smart watches, Meshtastic nodes, and whatever else attendees are carrying. I'll demonstrate querying patterns across cities and show visualization of tracking patterns.
• Cross-City Comparisons: Detailed statistics comparing device security posture across San Francisco vs Nashville vs NYC vs Las Vegas, discussing how geographic and demographic factors influence what devices are present and how they're configured.
PART 3: PRIVACY IMPLICATIONS & TRACKING (10-12 MINUTES)
Data-driven privacy implications with concrete examples:
• Key Statistics: 7-8% of devices broadcast human-readable names, 60-65% have persistent identifiers enabling tracking, 99% are Bluetooth Low Energy (IoT dominance), and 1,300 devices were detected in a 1/4-mile suburban walk.
• Tracking Demonstration: I'll show actual examples of tracking specific devices across multiple days and locations using GPS-tagged data (anonymized), explaining how correlation attacks work in practice.
• Hotel Lock Analysis: Detailed discussion of Bluetooth door locks broadcasting room numbers in plaintext and the privacy implications for hotel guests who don't realize their room location is being broadcast to anyone nearby.
• Surveillance Infrastructure: Static MAC addresses + GPS logs = anyone with $100 and basic Python skills can track people moving through cities. I'll discuss how retailers could use this technology, compare it to existing WiFi tracking infrastructure, and explain why Bluetooth tracking is actually more problematic due to its ubiquity and constant broadcasting.
• Statistical Deep Dive: I'll present my data science methodology, show visualizations of device density patterns, and discuss temporal patterns (time of day, day of week variations).
• Wasteful Broadcasting: Some devices transmit at absurd rates: Molekule air purifiers send 50 packets/minute (38,000 in 12 hours), and Pura fragrance diffusers broadcast constantly. There is no legitimate reason for this frequency.
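To make the "persistent identifier" share and the packets-per-minute figures in this part concrete, here is a small added Python audit (my example, not the speaker's scripts and not Kismet's native log format) run over constructed observations carrying the fields the rig logs: MAC, device name, timestamp and GPS position. It judges persistence empirically (an address seen on more than one day is not a rotating private address), reports which persistent identifiers also turned up in more than one ~100 m grid cell, and ranks devices by advertising rate; the same check works for a venue or manufacturer auditing what their own devices broadcast.

```python
from collections import defaultdict
from datetime import datetime

def _rows(mac, name, day, lat, lon, seconds):
    # Construct several observations of one device on one day (sample data only).
    return [(mac, name, f"{day} 08:00:{s:02d}", lat, lon) for s in seconds]

# Constructed sample: a chatty air purifier, a phone on rotating private
# addresses (two MACs, seen one day), a watch and a TV with static addresses.
OBSERVATIONS = (
    _rows("D4:3B:04:AA:00:01", "Molekule Air", "2025-09-01", 37.775, -122.419, range(0, 60, 2))
    + _rows("5E:11:22:33:44:01", "", "2025-09-01", 37.775, -122.419, [5, 35])
    + _rows("7A:99:88:77:66:02", "", "2025-09-01", 37.790, -122.410, [10, 40])
    + _rows("F0:12:34:56:78:9A", "Fitness Watch", "2025-09-01", 37.775, -122.419, [7])
    + _rows("F0:12:34:56:78:9A", "Fitness Watch", "2025-09-03", 36.163, -86.782, [12])
    + _rows("C8:AA:BB:CC:DD:EE", "[TV] Lobby", "2025-09-01", 37.775, -122.419, [3])
    + _rows("C8:AA:BB:CC:DD:EE", "[TV] Lobby", "2025-09-02", 37.775, -122.419, [9])
)

def profile_devices(observations, cell_decimals=3):
    """Per MAC: name, distinct days, distinct ~100 m grid cells, and advertising
    rate in packets per minute (observation window floored at one minute)."""
    groups = defaultdict(list)
    for mac, name, ts, lat, lon in observations:
        cell = (round(lat, cell_decimals), round(lon, cell_decimals))
        groups[mac].append((name, datetime.fromisoformat(ts), cell))
    profiles = {}
    for mac, rows in groups.items():
        times = sorted(t for _, t, _ in rows)
        minutes = max((times[-1] - times[0]).total_seconds() / 60, 1.0)
        profiles[mac] = {
            "name": next((n for n, _, _ in rows if n), ""),
            "days": {t.date().isoformat() for _, t, _ in rows},
            "cells": {c for _, _, c in rows},
            "pkt_per_min": round(len(rows) / minutes, 1),
        }
    return profiles

def summarize(observations, min_days=2):
    """Talk-style statistics. An address seen on min_days distinct days is not a
    rotating private address; static addresses seen on one day are undercounted."""
    profiles = profile_devices(observations)
    total = len(profiles)
    persistent = {m: p for m, p in profiles.items() if len(p["days"]) >= min_days}
    return {
        "named_pct": round(100 * sum(1 for p in profiles.values() if p["name"]) / total, 1),
        "persistent_pct": round(100 * len(persistent) / total, 1),
        "seen_in_multiple_cells": sorted(m for m, p in persistent.items() if len(p["cells"]) > 1),
        "chattiest": max(profiles, key=lambda m: profiles[m]["pkt_per_min"]),
    }
```

Longer captures raise the measured persistent share, since a static address observed on only one day is indistinguishable here from a private address that has not rotated yet.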
PART 4: DEFENSIVE MEASURES & CALL TO ACTION (5-6 MINUTES)
• Manufacturers: Specific technical standards they should adopt (default-secure configs, require authentication, rotate MAC addresses), with examples of companies doing it right vs wrong.
• Enterprise Security: How businesses should audit their Bluetooth attack surface, which tools to use for continuous monitoring, and why to disable discoverability on commercial devices.
• Individual Actions: Practical steps attendees can take today to audit their own devices, a discussion of iOS/Android privacy controls, and how to understand what your devices broadcast.
• Policy Discussion: Should there be regulations around Bluetooth device security? What would effective regulation look like?
Core Problem: If I can do this without Bluetooth expertise, anyone can.
Q&A (Remaining Time)
TECHNICAL DETAILS FOR REVIEWERS
• Tools & Code: Open-source Python scripts for Kismet log analysis (available via GitHub), Kismet REST API for real-time data access, FastAPI backend for querying cross-city statistics, integration with WiGLE database (4.5 billion Bluetooth devices mapped globally).
• What Makes This Different: Most Bluetooth talks focus on protocol vulnerabilities or specific CVEs. This demonstrates: (1) How trivially low the barrier to entry is (smartphone + curiosity), (2) Surveillance implications at scale, (3) Data science applied to security research, (4) The gap between "possible to secure" and "secured in practice."
• Interactive Elements: Receipt printer in room available for audience connection attempts (2-3 participants during talk), live Kismet session showing real-time device enumeration from conference attendees, multiple Python analysis scripts executed live against conference data, open-source tools shared for attendees to replicate research.
• Audience Takeaways: Practical exploitation techniques requiring minimal technical knowledge, understanding of systematic warwalking methodology with detailed technical implementation, open-source tools to conduct this research in their own cities, privacy implications of always-broadcasting IoT devices with concrete tracking examples, actionable defensive measures for individuals and organizations.
FORMAT NOTES
This 45-minute format allows comprehensive coverage of both practical exploitation and research methodology. Real-world exploitation stories create immediate engagement, extended live technical demonstrations show research depth and reproducibility, and detailed privacy implications provide the "why this matters" hook with concrete examples. Live demos include fallback screenshots if connectivity fails.
NEW CONTENT FOR HACKTHEBAY
This is active, ongoing research with continuous data collection. The HackTheBay presentation will feature:
• Latest multi-city comparative analysis including recently completed Las Vegas high-density environment data
• Most current statistics from expanded dataset (growth from initial research to 100,000+ observations)
• New exploitable device classes discovered through ongoing warwalking
• Refined privacy pattern analysis showing geographic differences in device security posture
• Updated defensive recommendations based on latest findings
• Extended technical methodology section covering data pipeline architecture and analysis techniques
Core demonstrations and methodology provide a consistent framework, but specific statistics, device examples, privacy implications, and technical depth will reflect the current state of research at presentation time.
RESPONSIBLE DISCLOSURE NOTE
All exploitation demonstrations use devices I own or have explicit permission to access. No unauthorized access to third-party systems will be demonstrated. The research methodology and tools are shared for educational purposes to raise awareness of systemic security issues and encourage better manufacturer defaults. The goal is to demonstrate how accessible these vulnerabilities are to drive positive change in device security practices.
Matt Miller (kn0ck0ut) is an ethical hacker, Master's student in Data Science, and serial entrepreneur who likes breaking things to figure out how they work. With a background in application security and solo-founding multiple startups, he recently dove deep into wireless security research, combining data science methodologies with hands-on hacking. Over the past year, he's conducted extensive Bluetooth warwalking across multiple cities, collecting hundreds of thousands of device observations using custom Raspberry Pi rigs. His research applies statistical analysis to real-world security failures, revealing both exploitation opportunities and surveillance risks in urban wireless environments. He believes in making complex security concepts accessible while showing the practical consequences of wireless misconfigurations.