


Vegas hotel room checks raise privacy, safety concerns at Def Con, Black Hat

Aug 15, 2018, 6 mins

Do Not Disturb means nothing at Caesars Entertainment hotels, as Def Con and Black Hat attendees had their privacy and potentially their safety threatened by hotel security busting in to search rooms.


The October 2017 mass shooting in Las Vegas involving a guest at the Mandalay Bay Resort and Casino led to new policies at Caesars Entertainment hotels, one of which includes disregarding guests’ Do Not Disturb signs and checking the room once every 24 hours — a policy attendees at Def Con 26 and Black Hat USA 2018 felt the full brunt of during their events last week.

Caesars Entertainment issued a statement, claiming, “The checks involve only a visual review of the bedroom, bathroom and additional sitting area (if any) to ensure there are no issues which require further attention. Drawers, suitcases, and other personal items are not inspected by our security officers who are clearly identifiable to guests.”

If that were true and you could tolerate that form of security theater and privacy invasion, then that might be the end of the story. Except Black Hat and Def Con attendees who stayed at the Mandalay Bay, Luxor, Caesars Palace, Flamingo, Aria, Cromwell, Tuscany, Linq, Planet Hollywood, or Mirage said hotel security officers showed nothing to verify their identity, actually did more than a visual inspection (such as by photographing and filming rooms), went so far as to confiscate items, and some claim they even rifled through their bags.

Hotel security reports from conference attendees

While it is worth noting that hotel security denied confiscating anything, there were reports of hotel security officers confiscating soldering irons and lockpicks. Ars Technica was told that some conference attendees “have audio and video recordings of two of the Caesars security staff photographing and video recording our private rooms. What was the most troublesome about all of this was the fact the security staff had made mention during the search that they intended to share the photos that they were taking on Snapchat.”

Numerous people reported that hotel security felt no need to authenticate that they were indeed hotel staff. Apparently, they weren’t required to show ID or allow the guest to call the front desk for proof that they were who they said they were. Some women said they were “terrified” because anyone could claim to be security.

If you think that unlikely, then look no further than what happened to Maddie Stone, a reverse engineer at Google, who had a man with a walkie-talkie just walk into her room while she was getting dressed.

Instead of being reasonable about proving who they were, hotel security reportedly screamed at Katie Moussouris, CEO of Luta Security. Regarding room checks, she claimed that privacy is the main concern of men, while it is about safety for women.

While some compared the hotel’s security theater to that at airports, Moussouris said, “TSA is not creating a process that forces women alone to accept strange men into her room, without a protocol to verify their identity. TSA doesn’t increase my chances of being raped & killed.”

In theory, after hotel security’s wellness check visually verified that everything was fine in the room, they would then make a call from the phone in the room and input an all-is-well code. Some hackers figured out what extension to dial and the code to input to keep hotel officers out of their rooms.

After hotel guests had Do Not Disturb signs swapped out for ones that included fine print about the hotel’s “right to enter this room daily” even if the Do Not Disturb sign was on the door, Beau Woods, co-founder of I Am The Cavalry, added a do-not-consent-to-search note to his hotel room door. Should hotel guests feel so threatened that they opt to set up surveillance such as capturing video when motion detection is triggered? Woods wasn’t the only one.

Def Con tweeted about seeking answers from Caesars about the room search policy, adding that attendees’ concerns were shared with Caesars Entertainment.

“We expect a venue where our attendees are secure in their persons and effects, and a security policy that is codified, predictable and verifiable,” they added.

Def Con 26 was the first time the conference offered a hotline, so it was no doubt a surprise when calls came in to report hotel security staff behavior.

Def Con head of SecOps offers to resign

Meanwhile, Marc Rogers, head of SecOps for Def Con, offered to resign because he was unaware of Caesars’ statement about the room searches. Had he known, he would have informed attendees via the Def Con transparency report.

While it is doubtful anyone would want Rogers to resign, he wrote:

I do not support or endorse these room searches or how they are executed. I sympathize with the challenge these hotels are facing but believe they need to take a harder look at the efficiency, impact and long term cost of this strategy.

We MUST NOT let our hotels become like our airports. If we do, then the terrorists win.

Jeff Moss, aka The Dark Tangent, added:

The hotel has put us in a bad position by not explaining the process or scope of their new policy. What we were told in advance was not what happened during con. That is super frustrating for all the Goons because in all other aspects the hotel has been great to work with.

Time to change conference locations?

Yet some folks said they aren’t going back to the conferences if they are held in Las Vegas. While the conferences have been in Vegas and there are longstanding agreements with Caesars, things change and perhaps it is time for Black Hat and Def Con to be held in a different location. There are plenty of cities with multiple hotels that could handle the crowd. Find a location that doesn’t so blatantly disrespect privacy – something that most conference attendees are passionate about – and doesn’t potentially put women in an environment where they might get screamed at by security personnel for trying to protect themselves from violence.

Def Con is supposed to be held at Paris Bally’s Hotel and Casino next year, although the Def Con Twitter account added:


Ms. Smith (not her real name) is a freelance writer and programmer with a special and somewhat personal interest in IT privacy and security issues. She focuses on the unique challenges of maintaining privacy and security, both for individuals and enterprises. She has worked as a journalist and has also penned many technical papers and guides covering various technologies. Smith is herself a self-described privacy and security freak.