Black Hat USA 2024, DEF CON 32 attendees treated like children – or criminals – with invasive hotel room checks


Resorts World Las Vegas, a popular hotel for Black Hat USA and DEF CON 2024 conference attendees, has mud on its face after it was revealed earlier this week that all hotel guests will be subjected to invasive and mandatory room checks. Cybernews, also at Black Hat this week, has the details and an official response from the hotel defending its position.

As throngs of cybersecurity folk and hackers – black hat, white hat, and everything in between – descend on Las Vegas this August for two of the largest and most notorious security conferences in the industry, one small post has gotten the attention, and ire, of hundreds of thousands of attendees.

In a bold move, the Sin City hotel presented a pre-emptive letter to select guests on check-in warning that it “will be conducting scheduled, brief visual and non-intrusive room inspections daily beginning Monday, August 5th.”

Pre-convention activities started for Black Hat on Saturday, August 3rd, which runs through August 8th, overlapping with DEF CON, whose final event day is August 11th.

“As you may or may not know, a well-known hacking convention will be held in Las Vegas during your stay,” the letter attempted to explain to the security professionals already in town for the two events, which have been held in Nevada's gambling oasis during August since their inception in the 1990s.

The real big kicker is that the hard copy memo also warns guests that “Rooms with a privacy sign will be included as part of the inspection process.”

“We remain committed to our guests' safety and understand the utmost importance of cybersecurity,” the letter continued, signed by Resorts World Director of Hotel Operations Prescott Yee.

Dr. Wesley McGrew, a senior Cybersecurity Fellow at federal security solutions consulting firm @martinfederal, posted a copy of the document on his X account on Sunday to alert fellow Black Hat and DEF CON attendees.

“@ResortssssWorldLV is going to search our rooms daily to protect us from the ‘well-known hacking convention,’” wrote McGrew, who happens to be presenting a talk, workshop, and DJ set at DEF CON this year.

By Tuesday, McGrew’s post had 677.7K views, including hundreds of comments, saves, and retweets, almost all of them denouncing the Hilton-branded luxury hotel for its new policy.

Some attendees, angry they had only found out about the room inspections from the post on X (formerly known as Twitter), said they had checked into the hotel but were never provided with the warning memo.

X user @adamdeziri was one of those hotel guests. In an X exchange with McGrew on Sunday, he described his experience at the front desk and during one of the ‘mandatory inspections.’

“There was a lady from the staff and 2 or 3 people from security. I went to the reception to ask for more explanations (they forgot to warn me during the checkin), the person told me that they were looking for potentially malicious objects (he gave the example of a router),” he wrote.

Deziri also stated that when inquiring about a list of "potentially malicious" objects, the staff “first denied the existence of a list then after telling them that I saw it they said they refuse to communicate it. They also refuse to say if they return the confiscated items.”

What happens in Vegas…

Located on the strip, Resorts World boasts 3,500 guest rooms over 66 floors across three separate hotels – the Conrad, Hilton, and Crockfords – a drop in the bucket for the 60,000 conference attendees expected to show up this week.

However, as a former Black Hat attendee and naturally born female, I couldn’t help but have a visceral reaction to the announcement, as did hundreds of users on X (and on Reddit), whether they were booked at the hotel or not.

To imagine a hotel staff member – who I can bet Lucky 7’s is completely unaware of the difference between nefarious hacker paraphernalia and cybersecurity swag (lock pick sets anyone?) – could key card my door open, come into my hotel room unannounced, rifle through my belongings, and then confiscate said ‘dangerous materials’ is incredible, to say the least.

And yes, the Resorts World letter clearly states that security will come into your hotel room even if your ‘Do Not Disturb’ privacy tag – the universal symbol for 'Please, Get Lost' – has been hung outside your door.

It’s frightening, violating, and un-American, and I think you get the drift. Furthermore, it appears I am definitely not the only attendee appalled by the Resorts World missive. Here are some of the more tame comments under McGrew’s post.

“This is really concerning. This is an excellent example when privacy is violated on account of a suspicion. Perhaps one could argue that a daily "brief visual and non-intrusive room inspection" poses more of a personal security risk than a cybersecurity event. What if someone owns unconventional tech?” posted former insider and threat actor @ExodusGhost (also a regular contributor here at Cybernews).

“Think it's about time to move the cons from Vegas to a more non intrusive place. I'm all for cyber security, but treating full grown adults like they're children, or prisoners, is kinda... A real bad precedent to set.” – @gentoo_python.

“How nice of them to protect their guests by... *checks notes* invading the privacy of every single guest?” – @agathanonymous

“Translation: Our security staff will be eagerly walking in on showering female guests at will.” – @RomanValentinus

“Would they even know whatever 'it' was if they saw it? I'd be making something out coathangers with 7-segment displays.” – @IrreverentDave2

Could Resorts World have a point?

Ok, Ok, I’ll take a step back and admit, in a post 9/11 world full of terror threats and mass shootings, I can understand the reasoning: In 2017, a mass shooting at another popular Las Vegas hotel (the Mandalay Bay Resort, home to the Black Hat convention) took place. A deranged shooter hid out for days before opening fire on a crowd of approximately 22,000 there to see country music star Jason Aldean, killing 59 people and wounding 500 more.

And, it appears Resorts World is not the only hotel to require guests submit to random room checks in the name of public safety.

Some more seasoned attendees, unsurprised by the room checks, say multiple hotels on the Vegas strip put them in place after the 2017 shooting.

The conundrum is why the sudden need to zero-in on the infosec community this year, whose weapon of choice is the oh-so terrifying computer, not a bomb or automatic assault rifle?

“Room checks in Vegas are common since the shootings. FYI, Disney does them on all of their properties and has for a very long time. First time though I've ever seen it blamed on Defcon,” @BlueTeamJK posted.

“I always assume anything I leave in my hotel room may be gone when I return. They should be assumed totally insecure. It's just good opsec,” the post said.

Still, one X user couldn't help but comically point out that an actual gun show (Western Trails Gun and Knife Show) is taking place later this week at the Alexis Park Resort on August 10th and 11th.

The least hotel brass could do is to blame the room checks on security prep for that convention, they noted.

Speaking of the Alexis Park Resort, how about this throwback post from 2001 which reminds staff to report things at DEF CON such as “farm animals” and “dismembered bodies,” but that “underage possession of alcohol” and general “debauchery” were to be ignored?

Others on social media noted that the new Resorts World ‘invasion of privacy’ rule could also be a corporate knee-jerk reaction to last year’s massive MGM and Caesars ransomware hack, which happened to take place just weeks after Black Hat and DEF CON 2023.

In fact, six months ago, DEF CON founder and organizer Jeff Moss aka ‘The Dark Tangent’ announced on its official event forum (and on Reddit) that the conference had been unexpectedly booted from Caesars without explanation – leaving many to believe that after paying a $15 million ransom to the ALPHV/BlackCat gang to keep its operations running (unlike MGM who struggled for weeks), Caesars did not want to take any chances continuing to host the shadowy hacker convention.

Luckily, organizers were able to find another last-minute venue for its 30,000 attendees, with The Dark Tangent happily announcing in February that DEF CON 2024 was officially “Un-Canceled.”

“DEF CON 32 will still be August 8-11 2024, but now held at the Las Vegas Convention Center (LVCC) with workshops and training at the Sahara,” Moss posted about the debacle.

Resorts World defends its policy

In response to this article, which was published on the first day of Black Hat, a representative for the hotel reached out to Cybernews, providing us with an official statement on the matter.

Cybernews has also requested the hotel provide a list of items that hotel staff has been instructed to confiscate from guest rooms, and is awaiting a response.

“Resorts World Las Vegas is dedicated at all times to ensuring a safe, secure, and comfortable environment for all of our valued guests,” the statement begins.

Resorts World said the latest policy was established “in light of recent events in Las Vegas, and the increasing ransomware threats to casinos and hotels on the Strip,” echoing those on social media who believed the new policy was triggered by last year’s cyberattacks on the Las Vegas MGM Resorts and Caesars Entertainment.

The company further explained that the inspections were standard practice for many of Las Vegas’ premier hotels, “particularly during periods of increased foreseeable risk, where vigilance is critical.”

“These inspections are a precautionary measure intended to enhance our on-site security presence (both physical security and cybersecurity), maintain the integrity of our property’s services, and safeguard our guests, business partners, and staff against potential cyberattack threats,” Resorts World said.

To note, the 2023 ransomware attacks, which cost MGM upwards of $100 million when all was said and done, were jointly carried out by two known Russian-associated ransomware groups, ALPHV/BlackCat and its affiliate Scattered Spider, not the result of conference attendees.

Last month, a 17-year-old hacker suspected of being involved in the MGM attacks was arrested by UK authorities in a joint operation with the FBI.

And in June, a 22-year-old UK national and alleged member of the Scattered Spider gang was arrested in Spain.

“As always, our staff conducts these periodic safety inspections with the highest respect for our guests' privacy and convenience, following strict protocols to ensure minimal disruption to their stay,” Resorts World concluded its statement.

Room prices for the week up until August 10th are listed on the Resorts World Las Vegas website starting at $599 per night, with the hotel being sold out until the 11th. Besides Las Vegas, the Resorts World brand has three other stand-alone hotel/casino entertainment complexes, including in New York City and the Bahamas.

The company did not say if room checks were mandatory at those locations.