Lessons from ShmooCon
By Naomi Brockwell, Founder and Director of NBTV
This year marked the final ShmooCon, a beloved hacker conference based in DC that became an institution in the cybersecurity world. While DEFCON has become a household name, ShmooCon has always been a smaller, more exclusive event where tickets notoriously sell out in seconds. In true hacker fashion, snagging a ticket often involves putting your hacking skills to use.
ShmooCon was an amazing event, filled with mind-blowing talks about all the ways your technology can be manipulated—ways most people don't even realize. It’s a gathering of brilliant minds who love breaking systems apart to understand how they work, then tinkering with them to make them do something entirely unexpected.
But ShmooCon is also a place where shenanigans run wild. Attendees will happily mess with your devices, collect wireless beacons from your tech, and capture identifiers broadcasting from your phone or laptop. It’s a stark reminder of what can happen in the real world if you don’t take steps to protect yourself.
Hacker conferences like ShmooCon are a window into what’s possible—both the exciting and the adversarial (by adversarial, I mean the eye-opening talks that reveal the vulnerabilities in our tech and how they can be exploited). All of the presentations, games, villages, and booths teach us about our technology and can also show us how to be more vigilant. As this year marked ShmooCon’s 20th—and final—anniversary, it’s the perfect time to reflect on the lessons this incredible event has taught us.
Lesson #1: If you don’t need it, don’t use it.
Wi-Fi, Bluetooth, NFC: Turn these off when not in use. Seriously.
Stores, advertisers, and even governments track these signals to collect data about you. At ShmooCon, these capabilities were on full display, with tools designed to sniff out device signals.
Lesson #2: You’re connecting to rogue cell towers more often than you think.
One ShmooCon talk explored how stingrays—devices that mimic legitimate cell towers to intercept communications—can be detected and recorded using a $20 hotspot. This eye-opening demo revealed that our phones often connect to rogue towers without our knowledge, exposing sensitive information and leaving us vulnerable to surveillance.
Takeaway: We live in a world where our phones constantly seek connections, often to untrustworthy sources. If you don’t need your phone, consider turning it off or putting it in airplane mode, especially in high-risk areas. Being mindful of when and how your phone connects can significantly reduce your exposure to rogue networks.
Lesson #3: If it’s connected to the internet, it’s vulnerable.
A talk at ShmooCon highlighted how poor security practices in a home solar panel company's app became a gateway to exposing highly personal details of countless users. It’s a reflection of the risks inherent in our increasingly connected world. Every device we hook up to the internet, from appliances to energy systems, introduces potential vulnerabilities. How well are these companies protecting us on the backend? Often, not well at all.
Takeaway: The more we digitize and connect our lives, the greater the need to understand the trade-offs. Convenience often comes at the cost of security. Be mindful of what you’re connecting to the internet, and recognize that every connection is a potential point of failure.
Lesson #4: Mesh networks are really cool.
ShmooCon showcased exciting advancements in mesh networking, with tools like Meshtastic enabling communication without relying on traditional internet infrastructure. These networks are becoming increasingly practical for emergencies, protests, or areas with poor connectivity, offering a powerful glimpse into how we can reclaim autonomy over how we connect.
Hacker conferences are the perfect testing grounds for these tools, with enthusiastic participants eager to experiment and refine the technology. Each year, the tech improves, and the sheer number of people on these networks highlights their growing viability. It’s exciting to imagine a future where mesh networks become a part of our daily lives, reducing our reliance on centralized systems that are often controlled and gate-kept.
Lesson #5: QR codes can be weaponized.
One of my favorite talks was about rattlesnakes. Kind of. But the takeaway is this: if you see an official-looking sign at a national park with a QR code offering more information, think twice before scanning it. QR codes can lead you to a malicious site, trick you into downloading malware, or even steal your information.
The rule of thumb? Don’t click the link, don’t download the file, don’t install the software—and don’t scan the QR code unless you absolutely trust the source. It’s a small step, but one that could save you a lot of trouble.
Lesson #6: “Standards” aren’t always what they seem.
A fascinating talk in the Lockpicking Village revealed an important truth: sometimes, “government-mandated standards” exist not because they’re secure or trustworthy, but because a company lobbied for their product to become the standard. Just because something meets an official standard doesn’t mean it’s actually safe or secure—it only means someone convinced politicians that it is.
It was also pretty eye-opening to learn about some of the “standards” currently protecting physical classified and sensitive documents. 👀
Lesson #7: Tinker, explore, and create.
One of the core themes of hacker conferences is the celebration of curiosity. Breaking things apart, learning how they work, and reassembling them in new ways leads to innovation and a better understanding of the world around us. This ethos inspires new technology, but it also fosters a creative mindset to challenge the systems we interact with every day. It even manifests in the form of delightful shenanigans:
Someone cut the strings off teabags and glued them to empty cups, making it look like everyone was drinking tea.
Signs reading “This is not a camera” were stuck to random objects—including hidden cameras.
Googly eyes added to every poster.
Small, thoughtful gestures can build connections and spark joy. How can we bring this spirit of creativity and whimsy into our everyday lives? How can we better understand the world around us? How can we challenge the status quo and think outside the box?
ShmooGon
ShmooCon may have come to an end, but its lessons will resonate far into the future. Whether it’s improving your digital hygiene, protecting your devices, or finding ways to innovate and connect securely, we can all carry these lessons forward.
Until next time, stay curious, stay vigilant, and stay secure.
Yours in privacy,
Naomi
NBTV. Because Privacy Matters.