DEF CON 33: Hacking Highlights and What’s Next for Cybersecurity

August 20, 2025
Cybersecurity

The cybersecurity community has just wrapped another groundbreaking DEF CON conference. DEF CON 33, which ran August 7–10, 2025 in Las Vegas, delivered an urgent wake-up call for security professionals worldwide. This year’s premier hacker conference showcased cutting-edge exploits and defensive innovations that illuminate the emerging threats and the powerful solutions rising to counter them. From hardcore nation-state hacking revelations to tongue-in-cheek demos, DEF CON 33 empowered attendees with strategic insights that will shape the future of cybersecurity.

AI in Cybersecurity: Emerging Threats and Defenses

Artificial Intelligence was front-and-center at DEF CON 33, confirming that AI now serves as both a weapon and a target in cybersecurity.

Talks showed how attackers are abusing AI systems and how defenders are harnessing AI to turn the tables. One standout revelation: researchers achieved remote code execution simply by loading a machine learning model saved in a format that was supposed to be safe to load. A talk by Alibaba Cloud’s security team, “Safe Harbor or Hostile Waters: Unveiling the Hidden Perils of the TorchScript Engine in PyTorch,” uncovered vulnerabilities in PyTorch’s TorchScript model loading that defeat the usual safety checks, and the work earned a CVE for a serious code execution flaw. The practical point is that a model file is executable content, not inert data: loading one from an untrusted source deserves the same scrutiny as running a downloaded binary (verify its origin and checksum, and prefer loaders that refuse to execute arbitrary code).
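To make the “a model file can hide malware” point concrete, here is an added example (not code from the talk, and not the TorchScript bug it describes) using the pickle-based serialization that most PyTorch checkpoints share. The payload object, the checkpoint contents and the allow-list loader are all constructed for this example. It shows that a naive loader executes whatever the stream names, while an allow-list unpickler lets plain weight structures through and refuses the call:

```python
"""Added example: why loading a serialized model can mean running attacker code.

Uses plain pickle, the serialization underneath most PyTorch checkpoints.
The payload, the checkpoint contents and the allow-list are constructed here;
this is not the TorchScript issue from the DEF CON 33 talk.
"""
import builtins
import collections
import io
import pickle


class SneakyPayload:
    """Constructed 'model' object: its pickle stream tells the loader to call exec()."""

    def __reduce__(self):
        # pickle serializes this as: GLOBAL builtins.exec, ARGS, REDUCE.
        # Whatever loads the file runs exec(...) before any object is returned.
        return (exec, ("import builtins; builtins.MODEL_LOAD_RCE = True",))


def build_malicious_model() -> bytes:
    """Serialize the payload as if it were a checkpoint file."""
    return pickle.dumps(SneakyPayload())


def build_benign_model() -> bytes:
    """Serialize a state_dict-like mapping of parameter names to weights."""
    weights = collections.OrderedDict(
        [("layer1.weight", [0.1, -0.2, 0.3]), ("layer1.bias", [0.0])]
    )
    return pickle.dumps(weights)


def load_naive(data: bytes):
    """Trust every global named in the stream (what a plain pickle.load does)."""
    return pickle.loads(data)


# Allow-list of (module, name) pairs a checkpoint may reference.
# A real loader needs its tensor/storage types here; callables never belong on it.
ALLOWED_GLOBALS = {("collections", "OrderedDict")}


class RestrictedUnpickler(pickle.Unpickler):
    def find_class(self, module: str, name: str):
        if (module, name) in ALLOWED_GLOBALS:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"refusing to resolve {module}.{name}")


def load_restricted(data: bytes):
    """Allow-list loader: plain data structures come through, code does not."""
    return RestrictedUnpickler(io.BytesIO(data)).load()


def payload_ran() -> bool:
    """True once the constructed payload has executed in this process."""
    return getattr(builtins, "MODEL_LOAD_RCE", False)


if __name__ == "__main__":
    try:
        load_restricted(build_malicious_model())
    except pickle.UnpicklingError as err:
        print("restricted loader:", err)
    print("benign weights:", dict(load_restricted(build_benign_model())))
    load_naive(build_malicious_model())
    print("naive loader ran attacker code:", payload_ran())
```

PyTorch’s `torch.load(path, weights_only=True)` applies the same idea (an unpickler that only resolves an allow-list of types) to checkpoint files. The caveat the talk illustrates is that a format-level allow-list only protects the loader paths that actually enforce it; a different loader for the same file, such as a TorchScript archive reader, has to be audited on its own.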

On the flip side, defenders are embracing AI to hunt threats. One talk demonstrated using an LLM to identify malware behavior and extract Indicators of Compromise in real time, essentially automating parts of incident response. A panel of experts stressed that we’re just moving past the hype into real deployments of AI for defense. In fact, 68% of security professionals believe that within two years they’ll be using generative AI as part of their job.

DEF CON workshops covered fine-tuning AI assistants for secure coding, and other sessions turned to hacking AI itself: for example, hijacking the trust developers place in coding assistants such as GitHub Copilot to inject malicious commands (imagine an AI quietly suggesting backdoor code with Microsoft’s stamp of authority). The message was clear: AI is a new battleground, with AI-driven attacks (from automated bug-hunting bots to AI-powered phishing) on one side and AI-driven defense (models that spot anomalies human analysts miss) on the other. As one speaker joked, “Skynet’s not here yet – but we’re definitely in the AI arms race of cyber.”

Cloud Security and Zero Trust Challenges

If you thought migrating to cloud and Zero Trust architecture would solve all security woes, DEF CON 33 was a reality check. Researchers from AmberWolf Security dropped a bombshell in their “Zero Trust, Total Bust – Breaking into thousands of cloud-based VPNs with one bug” session by revealing critical flaws in several leading Zero Trust Network Access (ZTNA) products. Their talk demonstrated authentication bypasses and user impersonation exploits affecting top vendors like Zscaler, Netskope, and Check Point’s Perimeter 81. In plain terms, a single bug could let attackers bypass Zero Trust portals and access internal resources as any user. So much for “always verify, never trust” – this research posed a blunt question: how much trust can you place in your Zero Trust vendor? The takeaway for executives is that new tech isn’t magic; even zero-trust solutions need scrutiny, pen-testing, and vendor transparency about vulnerabilities.

Cloud supply chain risks were another hot topic. One eye-opening presentation showed that hundreds of abandoned Amazon S3 buckets are lurking out there, waiting to be hijacked. Researchers from watchTowr actually went and re-registered 150+ defunct S3 bucket names that had belonged to organizations, and within two months those buckets received over 8 million requests from unsuspecting systems pulling software updates, VM images, and more. The implications are huge: an attacker who scoops up an abandoned cloud storage bucket could suddenly be pushing out malicious updates or stealing data under the radar. The team warned this is an industry-wide supply chain blind spot. In fact, they expanded their hunt to thousands of such buckets (5,000+) referenced by both corporate and open-source software. The lesson: cloud hygiene and asset management matter. Something as simple as an old storage bucket or forgotten subdomain can become the backdoor to your kingdom, and the only reliable defense is knowing which external names your software still pulls from and checking that you (and not a stranger) still own them.
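The check a defender wants after reading this is the inverse of what the researchers did: find every S3 bucket name your build scripts, updaters and images still reference, and ask whether each name is still claimed. The following is an added example written for this article, not watchTowr’s tooling. The sample configuration text is constructed; the probe uses the fact that an unauthenticated request to a bucket URL returns 404 (NoSuchBucket) when the name is free to register and 403, 200 or 301 when somebody owns it:

```python
"""Added example: find S3 bucket names in config/build text and classify
whether each name is still claimed. Sample input is constructed."""
import re
import urllib.error
import urllib.request

# Bucket name: 3-63 chars of lowercase letters, digits, dots, hyphens.
_NAME = r"([a-z0-9][a-z0-9.-]{1,61}[a-z0-9])"
_REGION = r"(?:[.-][a-z0-9.-]+)?"        # ".us-east-1", "-us-west-2", or nothing

BUCKET_PATTERNS = [
    re.compile(r"s3://" + _NAME),                                                # s3://bucket/key
    re.compile(r"https?://" + _NAME + r"\.s3" + _REGION + r"\.amazonaws\.com"),  # virtual-hosted style
    re.compile(r"https?://s3" + _REGION + r"\.amazonaws\.com/" + _NAME),         # path style
]


def extract_bucket_names(text: str) -> list:
    """Return the sorted, de-duplicated bucket names referenced in text."""
    found = set()
    lowered = text.lower()                   # bucket names are lowercase by rule
    for pattern in BUCKET_PATTERNS:
        found.update(pattern.findall(lowered))
    return sorted(found)


def classify(status: int) -> str:
    """Interpret the HTTP status of an unauthenticated request to a bucket URL."""
    if status == 404:
        return "unclaimed"   # NoSuchBucket: anyone can create this name right now
    if status in (200, 301, 403):
        return "exists"      # listable, wrong region, or private: someone owns it
    return "unknown"


def probe_bucket(name: str, timeout: float = 5.0) -> str:
    """Network call (not exercised offline). Dotted names use path style because
    a virtual-hosted URL for them fails TLS hostname verification."""
    if "." in name:
        url = f"https://s3.amazonaws.com/{name}/"
    else:
        url = f"https://{name}.s3.amazonaws.com/"
    request = urllib.request.Request(url, method="HEAD")
    try:
        with urllib.request.urlopen(request, timeout=timeout) as response:
            return classify(response.status)
    except urllib.error.HTTPError as err:
        return classify(err.code)
    except urllib.error.URLError:
        return "unknown"


# Constructed sample: lines a build or update script might contain.
SAMPLE_CONFIG = """
UPDATE_URL=https://updates.example-corp.com.s3.amazonaws.com/agent/latest.tar.gz
curl -O https://s3.us-east-1.amazonaws.com/ci-artifacts-old/tool.bin
aws s3 cp s3://legacy-vm-images/ubuntu.qcow2 .
IMAGE=https://s3-us-west-2.amazonaws.com/legacy-bucket/base.img
echo not a bucket: https://example.com/s3/foo
"""


def report(text: str) -> dict:
    """Map each referenced bucket name to its claim status."""
    return {name: probe_bucket(name) for name in extract_bucket_names(text)}


if __name__ == "__main__":
    for name, state in report(SAMPLE_CONFIG).items():
        print(f"{state:10} {name}")
```

Read the results with the researchers’ caveat in mind: “unclaimed” for a name that a deployed updater still fetches from is the finding, but “exists” does not mean you own it. Someone else may already have registered the name, so reconcile every hit against your own account inventory rather than against the HTTP status alone.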

Everything is Hackable: Cars, Gadgets, and Infrastructure

One DEF CON motto has always been “If it’s built, it can be hacked.” This year’s talks proved everything is fair game – from cars and buses to satellites and smart toilets (probably). The Automotive and Internet of Things (IoT) hacks at DEF CON 33 were especially jaw-dropping, reminding us that as physical devices get smarter and more connected, they become prime targets. Here are a few highlights that had attendees equal parts amazed and alarmed:

Remote Car Takeover via API

A researcher exposed how API flaws in a major automaker’s dealer management platform allowed the creation of a national admin account, effectively giving them remote control over any connected car sold by over 1,000 dealerships. By exploiting a poorly secured backend, the hacker could unlock or start vehicles across the country. This wasn’t just a theoretical talk; it was demonstrated that “being able to remotely take over your car was only the tip of the iceberg” once admin access to the dealer system was gained. It’s a spooky look at supply-chain vulnerability in the auto industry (and a great reason to double-check who has access to your car’s connected services).

Hacking a City Bus from Free Wi-Fi

Public transit got its turn in the hacker hotseat. In a talk titled “Smart Bus, Smart Hacking,” a team showed how they went from a bus’s free passenger Wi-Fi to deep control of the bus’s internal network. By exploiting the onboard router and poorly secured interfaces, they managed to manipulate the communication between the bus’s critical systems. The hackers could eavesdrop on or even alter data to the Advanced Driver Assistance and transit management systems – think messing with GPS readouts, announcement displays, or sensitive passenger info. They even found backdoors in “cybersecurity-certified” vehicle hardware that could potentially compromise entire fleets. For anyone in critical infrastructure or transportation: consider this a case study in why network segmentation and robust authentication matter, even on a bus!

Malicious PNG Can Pwn Your Car

Who knew image files could be the key to your engine? One presenter revealed a novel exploit where a crafted PNG image file acted as a backdoor for a car’s head unit (infotainment system). By doing hardcore hardware reverse-engineering, he discovered a custom real-time OS in thousands of cars, rife with bugs. The coup de grâce: he used a seemingly innocent image to trigger those bugs and gained control of the head unit. It’s a classic example of an unexpected attack vector – and a reminder that even a car’s radio or media player isn’t out of reach for hackers. Next time your car’s system wants to “update via USB” or load an image, maybe think twice.

EV Chargers and Truck Trailers – New Frontiers

Electric vehicle infrastructure and even heavy trucking didn’t escape DEF CON’s offensive security blitz. Researchers demonstrated attacks on the widely used EV charging protocol that could potentially “brick” charging stations or vehicles by exploiting the underlying power-line communication standards. Meanwhile, a talk ominously titled “Blind Trailer Shouting” showed that tanker trailers and trucks carry a power-line communication bus (PLC4TRUCKS) that turns out to be reachable without a physical connection. By abusing a weak seed-key authentication, the researchers could remotely execute commands on trailer brake and diagnostic ECUs without ever touching the vehicle. It’s like a horror story for the supply chain: imagine bad actors causing havoc with freight or public utilities by hacking vehicles in transit. These findings underscore that IoT and Operational Technology (OT) in transportation are ripe targets, and security can’t be an afterthought.
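Why does “weak seed-key authentication” matter so much? A seed-key exchange is only as strong as the secret behind it and the size of the challenge. The following is an added example, not the PLC4TRUCKS scheme from the talk and not any vendor’s code: the seed width, the key transform and the ECU behaviour are hypothetical, chosen to show the failure mode. With a 16-bit seed and a fixed, reversible transform, one sniffed seed/key pair lets an attacker recover the secret by exhaustive search and unlock any later session; the keyed-MAC version beside it shows what a sound challenge-response looks like:

```python
"""Added example: a weak seed-key unlock versus a keyed challenge-response.
The weak transform and ECU models are hypothetical; this is not PLC4TRUCKS."""
import hashlib
import hmac
import os

SEED_BITS = 16                         # assumption: 2-byte seed, common in legacy schemes
SEED_MASK = (1 << SEED_BITS) - 1


def weak_key(seed: int, secret: int) -> int:
    """Hypothetical weak transform: fixed 16-bit secret, reversible arithmetic."""
    return (((seed ^ secret) * 3) + 0x1234) & SEED_MASK


class WeakEcu:
    """Unlocks privileged commands after a correct seed-key exchange."""

    def __init__(self, secret: int) -> None:
        self._secret = secret & SEED_MASK
        self._seed = None
        self.unlocked = False

    def request_seed(self) -> int:
        self._seed = int.from_bytes(os.urandom(SEED_BITS // 8), "big")
        self.unlocked = False
        return self._seed

    def send_key(self, key: int) -> bool:
        self.unlocked = self._seed is not None and key == weak_key(self._seed, self._secret)
        return self.unlocked


def recover_secret(seed: int, key: int) -> list:
    """Attacker side: from one sniffed (seed, key) pair, try every possible secret."""
    return [s for s in range(1 << SEED_BITS) if weak_key(seed, s) == key]


def attack(victim: WeakEcu, sniffed_seed: int, sniffed_key: int) -> bool:
    """Recover the secret offline, then unlock a fresh session on the victim ECU."""
    for secret in recover_secret(sniffed_seed, sniffed_key):
        seed = victim.request_seed()       # a new challenge for each attempt
        if victim.send_key(weak_key(seed, secret)):
            return True
    return False


# What a sound challenge-response looks like: large random challenge, keyed MAC.
CHALLENGE_BYTES = 16


def strong_key(challenge: bytes, secret: bytes) -> bytes:
    """HMAC-SHA256 over a 128-bit challenge; no shortcut without the secret."""
    return hmac.new(secret, challenge, hashlib.sha256).digest()


class StrongEcu:
    def __init__(self, secret: bytes) -> None:
        self._secret = secret
        self._challenge = None
        self.unlocked = False

    def request_seed(self) -> bytes:
        self._challenge = os.urandom(CHALLENGE_BYTES)
        self.unlocked = False
        return self._challenge

    def send_key(self, key: bytes) -> bool:
        self.unlocked = self._challenge is not None and hmac.compare_digest(
            key, strong_key(self._challenge, self._secret)
        )
        return self.unlocked


if __name__ == "__main__":
    ecu = WeakEcu(0xBEEF)
    seed = ecu.request_seed()
    key = weak_key(seed, 0xBEEF)           # what a legitimate diagnostic tool answers
    print("legit unlock:", ecu.send_key(key))
    print("secrets consistent with one sniffed pair:", [hex(s) for s in recover_secret(seed, key)])
    print("attacker unlocked a fresh session:", attack(WeakEcu(0xBEEF), seed, key))
```

The search costs 65,536 evaluations, which is nothing, and because the transform is a bijection for a fixed seed the sniffed pair pins down exactly one secret. The MAC version does not fix the problem by obscurity; it fixes it by making the challenge too large to enumerate and the key derivation unrecoverable from observed exchanges. Per-ECU secrets, not one fleet-wide constant, are the other half of that fix.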

And it’s not just vehicles. Smart locks, safes, routers – you name it. One talk called “Gateways to Chaos” revealed that the old 4G/LTE wireless hotspots and routers many people still use are full of pre-auth RCE bugs and even allow SMS spying. Another demo showed how a $20 device can be turned into a detector for cell-site simulators (Stingrays) that records the suspicious cellular traffic. The cheeky talk “So Long, and Thanks for All the Phish” reminded us that human error still looms large, but even phishing is getting more high-tech (one speaker showed off browser extension clickjacking that can steal your saved credit cards in one click).

The bottom line: “smart” devices and legacy tech alike are all part of the attack surface now. If it has an interface – web, wireless, or otherwise – assume it can be broken. Defenders will need equal parts creativity and paranoia to secure this ever-expanding IoT/OT universe.

Critical Infrastructure and Nation-State Ops

DEF CON often gives a peek behind the curtain of nation-state cyber operations, and this year was no exception. In the realm of critical infrastructure and APT (Advanced Persistent Threat) attacks, the conference delivered both bad news and a sliver of hope.

On the bad-news front: we learned that some adversaries have been very busy. One talk dissected China’s five-plus-year campaign to penetrate global perimeter defenses. Over half a decade, Chinese state-sponsored groups have systematically targeted firewalls, VPN appliances, and other edge devices – basically everything protecting corporate and government networks. The presenters outlined how these attackers patiently discovered zero-days and left backdoors, often staying undetected for years. It’s a sobering reminder that well-resourced adversaries play the long game. Likewise, another researcher chronicled the Russian censorship apparatus (“TSPU”) and how it can be repurposed for repression and cyberattacks in the future – a glimpse into how nation-states might weaponize their own infrastructure.

Yet, knowledge is power. By illuminating these tactics, DEF CON speakers armed defenders with insight on what to look for at the network’s edge. For instance, an Industrial Control Systems (ICS) security talk showed cryptographic attacks against the OPC UA protocol – a common standard in factories and power plants. They cheekily titled it “No VPN Needed?” because the flaws could let an attacker masquerade as a trusted client or server without the usual network protections. For critical infrastructure operators, it was a wake-up call to harden those systems and not rely on VPNs alone for ICS remote access.

Similarly, there was chatter about maritime and aviation hacking: a talk on global shipping pointed out how vulnerable ports and ships’ comms can be, and another on voice cloning air traffic control communications demonstrated the risk of spoofed messages in airports. These aren’t just hacker hypotheticals – they hint at the next wave of nation-state or terrorist cyber threats targeting the physical world through digital means.

The good news? The defenders are getting smarter and more organized, too. DEF CON 33 wasn’t all about doom; it highlighted a blue team revolution underway. The Blue Team Village was buzzing this year with incident responders, threat hunters, and industrial defenders swapping war stories and defensive tactics. One clear theme emerged: collective defense and knowledge-sharing are our ace in the hole. When hundreds of defenders collaborate – whether at DEF CON or in online communities – the attackers’ long-held advantages start to dwindle. Indeed, the conference even saw new open-source tools unveiled, like an advanced threat hunting framework (“Garuda”) for automating detection, and techniques for mastering Apple’s Endpoint Security framework to catch Mac malware. It’s heartening to see that as attackers innovate, the blue team is innovating right back. As one attendee put it, the balance is starting to shift: “The attackers may have gotten a head start, but the defenders are catching up fast.”

Cybercrime Insights: Ransomware, Dark Web, and the Human Element

Of course, DEF CON wouldn’t be complete without delving into the underworld of cybercrime. This year we got unprecedented insights straight from the source. In perhaps the most talked-about session for the offense/infosec crowd, an ex-member of the REvil ransomware gang (the folks behind the Kaseya attack) gave an inside look at how that notorious operation went down. During the talk, the speaker described the tooling, initial access tricks, and even the gang’s biggest mistakes during the Kaseya supply-chain ransomware incident. For executives, hearing directly “from the hacker’s mouth” underscored how organized and business-like ransomware crews have become. The key lesson: assume breach and plan incident response because these criminals are professional, but they are also human. They make OPSEC mistakes that can be exploited (indeed, several REvil members have been caught in stings).

Another chilling yet fascinating briefing was “Kill List: Hacking an Assassination Site on the Dark Web.” Yes, that’s as James Bond as it sounds. A researcher recounted discovering a darknet site where users could allegedly crowdfund hits on individuals (pretty grim) and then hacking into the site’s backend database. They revealed how they unmasked some of the users and administrators, effectively turning the tables on would-be killers. It was a stark reminder that even criminals are not safe from cyberattacks – and that cybersecurity can literally save lives in unexpected ways. On a similar note, a veteran of darknet markets shared a survival story of operating in those murky waters, offering advice on how cybercriminals evade law enforcement and how investigators might catch them.

Finally, the human element in cybersecurity got plenty of love. Social engineering and OPSEC blunders were recurring themes. Journalist Micah Lee’s talk “We are currently clean on OPSEC: The Signalgate Saga” had the crowd in stitches and groaning at the same time. He recounted how a group of high-profile individuals (including some government officials) thought their Signal group chat was secure – until a journalist was invited in and the whole thing blew up in their faces. Without spilling all the beans here, let’s just say it involved lies to Congress and a lot of digital sleuthing. The moral: even with end-to-end encryption, bad operational security can bring you down. Humans remain the weakest link, whether it’s falling for phishing (the talk “So Long, and Thanks for All the Phish” discussed advanced phishing in a post-2FA world) or forgetting that an encrypted messenger doesn’t protect against an insider invite. The best cybersecurity strategy still includes user education and a healthy dose of skepticism.

Conclusion: Defenders, Assemble!

Leaving DEF CON 33, cybersecurity professionals can embrace both realistic concern and genuine optimism. The concern is well-founded. The conference made it clear that attackers are expanding their reach across cloud, AI, critical infrastructure, and every gadget we bring online. If something contains software, someone at DEF CON has probably found a way to compromise it. The exploits showcased this year are a warning to all of us in cybersecurity and leadership: the threat landscape keeps evolving, and fast. Whether it’s an AI model that can attack you when you load it, or a “zero trust” solution that turns out to have zero trustworthiness, we have to stay on our toes.

But there is reason for optimism as well. DEF CON also highlighted the growing power of the defensive community and the ingenuity of researchers who are hell-bent on finding these problems before the bad guys do. The energy in the Blue Team sessions and the record collaboration we saw signal a fundamental shift. As one recap noted, “This wasn’t just another conference. It was a glimpse into the future… where defenders finally have the tools and community to turn the tables on attackers.” The fact that many of the exploits discussed came with coordinated disclosures, patches, or mitigation guidance is a huge positive. We’re catching issues earlier and sharing knowledge wider.

Executives, take note: cybersecurity is a team sport, and you want this hacker community on your side. Encourage your teams to engage with research, attend events (maybe even DEF CON, if they’re brave!), and foster the kind of knowledge-sharing that was on display in Vegas. The future threats – from AI abuse to supply-chain subversion – are formidable, but not insurmountable if we prepare now. “Access Everywhere” was this year’s DEF CON theme, and it applies here: let’s make security knowledge accessible everywhere and break down the silos.

Until DEF CON 34, keep (ethically) hacking away at those problems, keep learning, and, above all, stay curious and paranoid in equal measure. The hackers may never stop finding creative ways in, but together the security community is making sure tomorrow’s headlines will be about attacks foiled and breaches averted. In the battle of red versus blue, DEF CON 33 showed that the gap is closing – and that makes all the difference for the road ahead.

And P.S. – DEF CON wasn’t all doom and gloom. Someone broke Pokémon Go’s anti-cheat mechanism just for fun, and another gave a master class in counterfeiting conference badges. The hacker spirit is alive and well – a little mischievous, a lot ingenious, and ultimately driving the industry forward.

Niko Zivanovich is Cybersecurity Regional Practice Leader, West for Pellera.

Additional Resources

DEF CON YouTube Channel for conference coverage

DEF CON 33 Official Schedule and Speaker Materials

Fortinet 2025 Threat Landscape Report

Secureworks – Zero Trust: Common Pitfalls

Sonatype 2024 Software Supply Chain Report

NIST Post-Quantum Cryptography Standards

IBM CEO Study 2024 on AI Governance
