Fresh Insights from DEF CON 33: Our Highlights and Takeaways
Touchdown!
This year, our colleagues Sander and Frédéric represented us at DEF CON 33, hosted at the Las Vegas Convention Center. Each year, DEF CON is built around a central theme. For 2025, the theme was “Access Everywhere”, a call to make technology usable and inclusive for everyone.
Just like last year, AI was a recurring hot topic, with discussions ranging from security risks to creative abuses. But DEF CON is more than just AI. It is about pushing boundaries, breaking assumptions, and discovering clever ways systems can be bent or broken.
With dozens of talks to choose from, here are our personal highlights:
Exploring Overlooked Attack Surfaces Across Apple's Ecosystem
Siri-ously Leaky
A perfect example of out of the box thinking. This talk showed how Apple’s Siri could be abused to bypass Face ID checks. The researchers demonstrated that it was possible to gain access to hidden photos, notes, voice memos, and even ChatGPT history stored on the device.
The presentation was entertaining, clear, and surprisingly easy to follow. It was a reminder that even polished ecosystems like iOS can hide unexpected weaknesses.
One Click and Your Credit Card Is Stolen
Browser Extension Clickjacking
Marek Tóth showed how attackers can turn browser extensions, especially password managers, into a liability. His technique abuses the DOM elements injected by browser extensions. By making them invisible and overlaying them with something harmless-looking (like a cookie banner), a single click can silently trigger autofill and leak sensitive data: credit cards, logins, TOTP codes, even passkeys.
Some vendors like Dashlane, NordPass, Keeper, ProtonPass, and RoboForm have already rolled out fixes. Others, including Bitwarden, 1Password, LastPass, Enpass, iCloud Passwords, and LogMeOnce, are still open to attack.
The Desync Endgame
HTTP/1.1 Must Die!
For the fourth year in a row, James Kettle presented his ongoing research into HTTP request smuggling and desynchronization attacks. His conclusion was clear: HTTP/1.1 is fundamentally broken and filled with design flaws that attackers can exploit.
What started as a niche curiosity years ago has grown into a serious and widely recognized threat that affects major platforms and services. If anything, this series of talks has made one thing clear: the industry needs to move beyond HTTP/1.1 sooner rather than later.
Hacking an Assassination Site on the Dark Web
Kill List
Four years ago, a researcher discovered a vulnerability on a dark net murder for hire site. With the help of a small team, he intercepted orders containing personal details, photos, and bitcoin payments. When police initially dismissed their warnings, they decided to contact potential victims directly, a bold move that eventually grew into a global operation with the FBI and international law enforcement.
From our perspective, this was one of the most powerful talks at DEF CON 33. This was the research behind this Belgian newspaper article that was published a few weeks earlier.
Villages and Challenges
Hands-On Hacking
Closing Thoughts
DEF CON never fails to impress. Beyond the technical depth, it is the creativity and relentless curiosity of the community that make it special. DEF CON 33 once again showed us that security is never solved. It is an ever evolving challenge.
We are heading home with fresh insights, new ideas, and plenty of inspiration for the year ahead. If you would like to learn more about our key takeaways or discuss how these insights can benefit your organization, feel free to get in touch with us.