Tucked away behind the main hall at the Def Con hacker conference in Las Vegas was a room with a plexiglass box set on a stage, multiple pairs of handcuffs, lockpicks, and an array of lasers — plus an audience of about 100 sitting in rows of chairs, looking at me.
It’s the scene for a contest organizers call “Mission SE: Impossible.” The scenario was this: I had tried to break into a building, but I got caught. My phone was confiscated, and I was cuffed and placed in a holding cell. I had 15 minutes to escape, during which I had to get out of the hand and foot cuffs, pick a series of locks, negotiate a grid of security lasers, and interpret a series of human facial expressions as they flicked over a screen in a rapid-fire test. The contest attracts a crowd of hackers who cheer and scream along as dramatic techno plays in the background.
It’s part of a demonstration run by a consulting company that tests the security of company's systems through social engineering, a term that refers to exploiting systems like customer support operators by using charm and verbal trickery. Social engineering is a big part of hacking, as illustrated by reporter Mat Honan’s epic hacking and in the show Mr. Robot; Kevin Mitnick, once dubbed “the most dangerous hacker in the world,” is infamous for his social engineering prowess.
Lockpicking is also a staple at Def Con and hacker gatherings everywhere. Picking a lock is a lot like breaking software: It requires precision, the right tools, and a lot of patience. And, just like software, lock manufacturers are always trying to make their locks harder to pick, giving hackers even more motivation to hone their lock picking skills. At Def Con, there’s an entire section of the conference dedicated to lockpicking, where noobs like myself can go and learn the finer points of cracking a lock from seasoned experts.
I had a bit of lockpicking experience, so I decided to volunteer for the challenge. I was led out of the room to a backstage area where I waited with the other contestants. We were given a packet with some basic instructions on how to break out of handcuffs, some tips for identifying facial expressions, and told to study. “I hope you are googling how to pick locks right now,” my editor texted me.
When it was my turn to compete, an organizer entered the holding room, handed me a thin piece of metal, put me in handcuffs, and led me down a packed hallway while other Def Con attendees gawked.
I was placed in the room, and the clock started. The first thing I did was pull the piece of metal, also called a shim, out of my shirt pocket. The key to slipping out of handcuffs, as I learned from committing a WikiHow article to memory, is to slide the shim between the locking mechanism and the teeth, cinch the handcuffs slightly tighter, and then pull them apart. I was able to escape from the handcuffs placed around my wrists pretty easily. The cuff attached to my ankle and the chair was even easier. My fear of being humiliated while trapped, handcuffed, in a box in front of about 100 hackers was gone.
Up next was picking a simple door lock. The basic principle of lockpicking is using one metal tool to apply tension to the lock, and using a second piece of metal to move the pins into the correct place. Done. Next, I was shown facial expressions on a laptop, each displayed for 1/16th of a second, and asked to interpret their emotions. The logic here was that if I could quickly differentiate between someone subtly expressing contempt or surprise, I might have a better chance at socially engineering my way out of this building. I did pretty well on that one, scoring 71 percent, and moved on to the lasers. Easy: I used baby powder to reveal the gaps in the array, and slid underneath undetected.
I was making great time, and just had two more locks to pick, but this is where my luck ran out. I started picking the second lock, and after comparing it to the first lock, I knew I was screwed. This lock couldn’t be picked by an ametur like myself, so I called on my lifeline — a member of the audience who volunteered to help if I got stuck on a lock. As if appearing out of thin air, a man sporting a white beard, bright green T-shirt and cargo shorts came to my aid. He went to work on the second lock, and was almost instantly flummoxed. “This is a well-made lock!” he exclaimed. Fuck. The clock was approaching 15 minutes, and I took the over the reigns from my bearded savior, attempting to pick the last two locks myself. In the end, I failed to make it out of the building.
The skills tested by the contest obviously don’t perfectly translate to real-world secret agent status, but Def Con — now in its 25th year — is all about circumventing system rules in a safe environment where (ideally) no one gets hurt. Elsewhere at the convention, hackers were picking apart around 30 voting machines purchased off eBay, something that the makers of those machines would potentially consider illegal. But what better way to understand a system than to take it apart?
