DEF CON Wall of Sheep: Conference WiFi Attacks
Origins of the Wall of Sheep
Since 2002, DEF CON - the world's largest hacker convention held annually in Las Vegas - has featured an installation called the Wall of Sheep. It is exactly what it sounds like: a large display showing the usernames and partially redacted passwords of conference attendees who transmitted credentials in cleartext over the conference network.
The Wall of Sheep was created by a team of volunteers who wanted to demonstrate a simple but powerful point: if you use insecure protocols on an untrusted network, your credentials are visible to anyone who cares to look. The display serves as a real-time, public illustration of passive network monitoring.
The concept is straightforward. The Wall of Sheep team connects monitoring equipment to the DEF CON conference network. They run packet capture tools that filter for authentication protocols transmitting credentials in cleartext. When they find one, the username and a partially masked password appear on the big screen for thousands of attendees to see.
How It Works
The technical setup behind the Wall of Sheep involves passive network monitoring - no active attacks, no man-in-the-middle interception, no rogue access points. The team captures traffic that is already being broadcast on the shared conference network.
graph TD
subgraph "Wall of Sheep Capture Process"
A[DEF CON Conference WiFi] --> B[Passive Network Tap]
B --> C[Packet Capture Engine]
C --> D[Protocol Parser]
D --> E{Cleartext Credentials Found?}
E -->|Yes| F[Extract Username]
F --> G[Partially Redact Password]
G --> H[Display on Wall of Sheep Screen]
E -->|No| I[Discard Packet]
end
subgraph "Protocols Monitored"
J[FTP - Port 21]
K[HTTP Basic Auth]
L[POP3 - Port 110]
M[IMAP - Port 143]
N[Telnet - Port 23]
O[SMTP - Port 25]
end
The Wall of Sheep capture process - entirely passive monitoring of cleartext protocols
On an open WiFi network (which the DEF CON conference network traditionally is), all traffic is broadcast in the clear. Any device on the same network can capture every packet sent by every other device. This is not a vulnerability in the network - it is how open WiFi works. Encryption between the device and the access point only exists on password-protected networks using WPA2 or WPA3.
The Wall of Sheep team uses standard tools - primarily tcpdump and custom scripts that parse captured packets for known authentication protocol patterns. When a match is found, the credential data is extracted, the password is partially redacted (typically showing only the first and last characters with asterisks in between), and the entry is added to the display.
What Gets Caught
The protocols that most commonly appear on the Wall of Sheep are those that transmit authentication credentials without encryption.
FTP (File Transfer Protocol) sends usernames and passwords in plaintext. It has been superseded by SFTP and SCP for decades, but remains in use for legacy systems, automated scripts, and embedded devices. An FTP login captured on the wire looks like: USER administrator followed by PASS secretpassword - completely readable.
HTTP Basic Authentication transmits credentials encoded in Base64, which is a reversible encoding (not encryption). The Authorization header contains the username and password in a format that can be decoded instantly. Any website using HTTP (not HTTPS) with basic auth is fully exposed.
POP3 and IMAP email protocols, when configured without TLS, transmit email credentials in cleartext. Some older email clients and mobile configurations still use unencrypted connections to mail servers. Each login is visible on the wire.
Telnet transmits everything - including passwords - as plaintext ASCII characters. Each keystroke is sent as a separate packet. Monitoring a telnet session reveals not just the password but every command the user types.
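The following is an added example, not the Wall of Sheep team's scripts: a self-audit pass over text streams captured from your own devices that flags the USER/PASS, IMAP LOGIN and HTTP Basic patterns described above and applies the first-and-last-character redaction. The function names and sample streams are constructed for illustration.

```python
import base64
import re

def redact(password):
    """Keep the first and last character, mask the rest (the display style described above)."""
    if len(password) <= 2:
        return "*" * len(password)
    return password[0] + "*" * (len(password) - 2) + password[-1]

# FTP and POP3 both send "USER <name>" then "PASS <secret>" on separate lines.
USER_RE = re.compile(r"^USER\s+(\S+)\s*$", re.I)
PASS_RE = re.compile(r"^PASS\s+(.+?)\s*$", re.I)
# IMAP: "<tag> LOGIN <user> <password>", arguments optionally double-quoted.
IMAP_RE = re.compile(r'^\S+\s+LOGIN\s+"?([^"\s]+)"?\s+"?([^"\s]+)"?\s*$', re.I)
BASIC_RE = re.compile(r"^Authorization:\s*Basic\s+([A-Za-z0-9+/=]+)\s*$", re.I)

def find_cleartext_logins(payload):
    """Return (pattern, username, redacted_password) for each login seen in one
    client-to-server text stream. Full passwords are never returned."""
    findings, pending_user = [], None
    for line in payload.splitlines():
        if m := USER_RE.match(line):
            pending_user = m.group(1)
        elif (m := PASS_RE.match(line)) and pending_user is not None:
            findings.append(("USER/PASS", pending_user, redact(m.group(1))))
            pending_user = None
        elif m := IMAP_RE.match(line):
            findings.append(("IMAP LOGIN", m.group(1), redact(m.group(2))))
        elif m := BASIC_RE.match(line):
            try:
                decoded = base64.b64decode(m.group(1), validate=True).decode("utf-8")
            except ValueError:
                continue  # malformed Base64 or non-UTF-8 bytes: nothing to report
            user, sep, pw = decoded.partition(":")
            if sep:
                findings.append(("HTTP Basic", user, redact(pw)))
    return findings

# Constructed sample streams (not real captures).
FTP_SAMPLE = "USER administrator\r\nPASS secretpassword\r\n"
HTTP_SAMPLE = ("GET /admin HTTP/1.1\r\nHost: intranet.example\r\n"
               "Authorization: Basic YWxpY2U6aHVudGVyMg==\r\n\r\n")
IMAP_SAMPLE = 'a001 LOGIN bob "s3cret!"\r\n'
```

The HTTP case shows why Base64 offers no protection: decoding the header value is a single library call.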
The Irony Factor
The deepest irony of the Wall of Sheep is its location. DEF CON is attended primarily by security professionals, hackers, researchers, and technology enthusiasts - people who should know better than to transmit cleartext credentials on an open network at a hacker convention.
graph TD
subgraph "Who Gets Caught"
A[Security Researchers] --> E[Wall of Sheep]
B[Penetration Testers] --> E
C[IT Administrators] --> E
D[Software Developers] --> E
end
subgraph "Common Reasons"
F[Forgot to Enable VPN]
G[Legacy Script Running Unnoticed]
H[Misconfigured Email Client]
I[Automated Background Process]
J[Quick Check Without Thinking]
end
Even security professionals get caught - the Wall of Sheep demonstrates that knowledge alone does not prevent mistakes
Yet every year, credentials appear on the wall. The reasons vary. Some attendees forget to enable their VPN before connecting. Others have background processes - automated scripts, email clients, backup tools - that connect using insecure protocols without the user's awareness. Some simply do not think about it in the moment, connecting quickly to check something without considering the network environment.
This irony is precisely the point. If security professionals at a security conference can make these mistakes, what chance does a typical corporate user have on hotel WiFi or a coffee shop network? The Wall of Sheep demonstrates that security awareness without security habits is insufficient.
The Educational Mission
The Wall of Sheep team consistently emphasizes that their goal is education, not shaming. The display partially redacts passwords to prevent actual credential theft. The team does not store captured credentials beyond what is needed for the display. They do not use captured information for any purpose beyond the demonstration.
The installation includes explanatory materials about why cleartext protocols are dangerous, how to configure secure alternatives, and what VPN solutions are available. Volunteers are available to help attendees configure their devices securely. The message is constructive: "You are exposed. Here is how to fix it."
The Wall of Sheep has been credited with driving adoption of encrypted protocols within the security community. Seeing your own username on the big screen in front of thousands of your peers is a powerful motivator to check your email client configuration and enable your VPN.
The Modern Decline
The Wall of Sheep has become less dramatic in recent years, and that is actually good news. The widespread adoption of HTTPS, encrypted email protocols (IMAPS, POP3S, SMTPS), and the deprecation of FTP in favor of SFTP has dramatically reduced the number of cleartext credentials available for capture.
In the early 2000s, the wall would fill rapidly with dozens of entries within the first hour of the conference. By the early 2020s, entries were fewer and often came from legacy devices or misconfigured automated processes rather than intentional user activity.
This trend reflects a genuine improvement in baseline internet security. The push by browser vendors to flag HTTP sites as "Not Secure," the free availability of TLS certificates through Let's Encrypt (launched 2016), and the default encryption of most email services have collectively reduced the cleartext attack surface.
However, the Wall of Sheep still finds credentials. Legacy systems persist. Internal tools often use unencrypted protocols. IoT devices frequently communicate without encryption. The attack surface has shrunk, but it has not disappeared.
DEF CON Network Security
The DEF CON conference network itself is intentionally hostile. The conference network operations team (the "Goons" who manage DEF CON infrastructure) provides network access with the explicit understanding that attendees are responsible for their own security. The network is not segmented for user protection. Attendees are expected to use VPNs and encrypted protocols.
This philosophy extends beyond the Wall of Sheep. Numerous attendees run their own monitoring and attack tools on the conference network. Rogue access points, ARP spoofing, DNS hijacking, and other network attacks are commonplace. The DEF CON network is, by design, one of the most hostile network environments in the world.
This creates a unique learning environment. Attendees who forget their VPN or use insecure protocols get immediate, visible feedback. The consequences at DEF CON are embarrassment. The consequences on a hotel network in a foreign country could be financial or professional.
Lessons for Everyone
The Wall of Sheep teaches lessons that apply far beyond DEF CON. Any open WiFi network - at a coffee shop, hotel, airport, or conference center - presents the same risks. The protocols that get caught at DEF CON are the same protocols running on devices worldwide.
Use a VPN on any network you do not control. Verify that your email client uses encrypted connections (TLS/SSL). Disable FTP and telnet in favor of SFTP and SSH. Check that automated scripts and backup tools use encrypted protocols. And assume that any open WiFi network is being monitored - because at DEF CON, it definitely is, and elsewhere, it might be.
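One way to find the unnoticed background connections mentioned earlier before joining an untrusted network, as an added example that is not from the original article: parse the text printed by `ss -tnp` on a Linux host and list established connections to the cleartext service ports. The function name and the sample output are constructed; the port-to-protocol map is a heuristic.

```python
import re

# Ports from the "Protocols Monitored" diagram, plus 80 for plain HTTP.
# A hit is a candidate for review, not proof of exposure: SMTP, POP3 and IMAP
# can upgrade the session with STARTTLS on the same port.
CLEARTEXT_PORTS = {21: "FTP", 23: "Telnet", 25: "SMTP", 80: "HTTP",
                   110: "POP3", 143: "IMAP"}
PROC_RE = re.compile(r'\(\("([^"]+)",pid=(\d+)')

def flag_cleartext_connections(ss_output):
    """Return (process, pid, peer, protocol) for each established TCP
    connection whose remote port is a cleartext service (hypothetical helper)."""
    flagged = []
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "ESTAB":
            continue  # header, blank line or non-established socket
        peer = fields[4]
        port_text = peer.rsplit(":", 1)[-1]  # also works for "[2001:db8::9]:993"
        if not port_text.isdigit() or int(port_text) not in CLEARTEXT_PORTS:
            continue
        proc = PROC_RE.search(line)
        # The process column is empty when ss lacks permission to see the owner.
        name, pid = (proc.group(1), int(proc.group(2))) if proc else ("unknown", None)
        flagged.append((name, pid, peer, CLEARTEXT_PORTS[int(port_text)]))
    return flagged

# Constructed sample in the layout printed by `ss -tnp`
# (addresses are from documentation ranges, process names are made up).
SAMPLE = """\
State  Recv-Q Send-Q Local Address:Port   Peer Address:Port  Process
ESTAB  0      0      10.0.0.5:51234       203.0.113.10:143   users:(("mailclient",pid=2211,fd=45))
ESTAB  0      0      10.0.0.5:51300       198.51.100.7:443   users:(("browser",pid=1990,fd=88))
ESTAB  0      0      10.0.0.5:40022       192.0.2.44:21      users:(("curl",pid=3102,fd=3))
ESTAB  0      0      10.0.0.5:40100       [2001:db8::9]:993  users:(("mailclient",pid=2211,fd=46))
ESTAB  0      0      10.0.0.5:40555       192.0.2.80:23
"""

if __name__ == "__main__":
    for name, pid, peer, proto in flag_cleartext_connections(SAMPLE):
        print(f"{proto:7} {peer:22} {name} (pid {pid})")
```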
The BLEShark Nano's WiFi scanning capabilities let you observe the wireless environment around you, identifying open networks and the traffic they carry. For authorized security assessments, this visibility into the wireless environment demonstrates whether employees or devices are connecting to insecure networks - the same kind of monitoring that powers the Wall of Sheep, applied to your own organization's security posture.