GrrCON is a Cyber Security Conference based in Grand Rapids Michigan. Every year, it is hosted in the Devos Center. For the past three years, I have attended to help aid in my Professional Development as well as to keep in touch with the Cyber Security in the industry. GrrCON is spread over two days, and is broken up into three different sections every year. The first section are vendors and recruiters. Vendors typically come in, hoping to sell you and your company on their product or tool. I typically take a stroll through this section to see how the markets changing over time. Ive seen quite a few companies come and go through this section of the event. The other half of this section is the recruiters. This year we had the Army, as well as the FBI who were major recruiters this event. This half of the convention is honestly a really good place to network with peers and other companies. It allows for you to see whats in the market and give you ideas of other ares to look and apply to.
The second section to this convention is what is called villages. This year, there was the Car Hacking Village, Lock Picking Village, Integrated Control Systems Village, Hak4Kidz Village, and a Dungeon and Dragons Village. Each of the villages typically contain some kind of hands on lab for you to work with a professional in the field and get some experience, with the kinds of things they do. The final section consists of hour to hour and a half long seminars running back to back all day, where a vendor or a organization gives you either A) a demonstration of an exploit and how they discovered it, or B) they give you a run down on a service or process that may improve your work flow. This year, I only attended one seminar, which was a demonstration of a Denial of Service for the new 2025 ford broncos, where they could de-authenticate your paired Phone as Key and prevent you from getting into the car, forcing you to factory reset the device. In the seminar we discussed the magnitude of scale on this particular vulnerability, and how it wasn’t Ford who was at fault for the vulnerability, but actually Texas Instruments (TI), for deploying Bluetooth chips with vulnerable firmware. After disclosing the vulnerability to TI they reported back that the stored inventory of chips was roughly 8M dollars worth, that had to be put on hold, and brought back into the shop for firmware updates. This number also excludes the number of devices that were already in devices like vehicles, cell phones, smart watches, and medical equipment.
Besides the one seminar I attended this year, I spent a great deal of my time going through each of the villages village and competed in a number of challenges. Often villages will even hold competitions where you can show your skills off to others and compete for a prize. To give an example of some of the competitions you could compete in last year, I competed In the lock picking competition and placed second place! In this particular competition you were tasked with picking a trigger lock off of a toy water gun, while wearing beer googles. Once you have the trigger lock removed from the toy gun, you must accurately shoot the person in front of you with the water gun. This year, I spent a great deal of my time competing in Capture the Flags (CTF). I competed in three instances of a CTF, including Endpoint Threat Detection and Remediate (placing 7th), Cloud Native Security (placing 4th), and AI enhanced detection and remediation (placing 8th). This was a great experience overall, as I was able to really test my skills and see where I’m at in comparison to others. I think that for something that I only do occasionally in my day to day job, I played very competitively and stayed ahead of the ball for the most part.