Full Report
At New Zealand's Kawaiican cybersecurity convention, organizers hacked together a way for attendees to track CO2 levels throughout the venue—even before they arrived.
Analysis Summary
# Main Topic
Proactive implementation of a custom, real-time Carbon Dioxide ($\text{CO}_2$) monitoring system by organizers of the Kawaiicon cybersecurity convention in New Zealand to mitigate health risks, specifically "con crud" and airborne pathogen transmission, by providing transparent air quality data to attendees.
## Key Points
- The system was implemented to combat potential spread of "con crud," Covid-19, influenza, RSV, and measles during the event.
- $\text{CO}_2$ levels are utilized as a proxy indicator for assessing ventilation quality and the potential concentration of airborne pathogens in indoor spaces.
- Organizers were constrained by the venue's existing infrastructure, specifically the Michael Fowler Centre's older HVAC system utilizing standard MERV-8 filters.
- Attendees could access a public online dashboard displaying live readings, daily highs/lows, and historical $\text{CO}_2$ trends for various areas.
- The project was described as embodying the "true spirit of hacking" by being a self-reliant technical solution for a public health monitoring gap.
## Threat Actors
- No malicious threat actors were identified. The context describes a defensive, security-focused technical implementation by **Kawaiicon Organizers**.
- **External Validation:** Jeff Moss (Founder of Defcon and Black Hat) praised the initiative.
## TTPs
- **Information Gathering/Reconnaissance:** Monitoring $\text{CO}_2$ gathered data that served as an approximation for airborne pathogen tracking.
- **Improvised Tooling/Hacking:** Adapting and deploying DIY hardware solutions for environmental monitoring.
- **Hardware Deployed:** 13 **RGB Matrix Portal Room $\text{CO}_2$ Monitors**, adapted from an Adafruit Industries DIY project.
- **Deployment Strategy:** Monitors were strategically placed throughout the venue, including session rooms, the front desk, daycare, Kuracon, and in stereo pairs in high-ceiling areas like the Main Auditorium to account for acoustics/air mixing.
- **Data Presentation:** Deployment of an internet-accessible dashboard for public consumption of environmental metrics.
- **Collaboration:** Tested monitoring data in collaboration with public health researchers from the University of Otago.
## Affected Systems
- **Venue:** Michael Fowler Centre, New Zealand.
- **HVAC Limitation:** Venue's existing system used standard MERV-8 filters.
- **Monitoring System:** A fleet of 13 Adafruit-derived $\text{CO}_2$ monitors connected to a custom dashboard.
- **Source Repository:** Configuration and build specifications were made available on a **GitHub repository** (URL provided in source, but not listed here as a malicious IoC).
## Mitigations
- **Environmental Monitoring:** Deploying real-time $\text{CO}_2$ sensors to track air quality metrics.
- **Public Transparency:** Sharing live environmental data with attendees to allow them to make risk-based decisions regarding room occupancy.
- **DIY Solution Deployment:** Utilizing maker culture/hacking skills to deploy cost-effective, customized environmental monitoring hardware when commercial solutions were inaccessible or inadequate.
## Conclusion
The Kawaiicon initiative serves as a model for security and event organizers facing public health challenges by leveraging technical expertise to create proprietary environmental monitoring tools. This proactive approach, focusing on transparent $\text{CO}_2$ data as a proxy for air quality and pathogen risk, demonstrates an effective, hacktivist-style defense against common indoor health threats during large gatherings. Future events facing similar constraints should consider adapting similar hardware and data sharing strategies.