Steelcon 2016: How a Northern Hacker Conference Became a Must-Attend for Security Research

Last weekend, I traveled north of the Watford Gap to attend a security conference that has grown remarkably in just a few years. Steelcon, held at Sheffield Hallam University, started in 2014 with 150 delegates. It doubled to 300 in 2015, and this year hit maximum capacity with 450 attendees. Billing itself as a hacker con “with a northern edge,” the event welcomed some of the biggest names in the UK information security scene. After watching its impressive growth from afar, I finally secured a ticket and experienced it firsthand.

Why Steelcon Stands Out in Security Research

What makes Steelcon special? For one, the vibe is electric. Held in a well-lit atrium at the university, the conference is family-friendly, with a separate kids’ track teaching app development and lock picking. The Saturday timing, combined with a sunny July weekend, adds to the relaxed atmosphere. Even the badge—a toy whippet—was a challenge to source 450 of, as organizers noted. But beyond the charm, the focus on security research is what draws the crowd.

The event featured two speaking tracks, allowing me to hop between sessions. I started with Chris Truncer, whose talk on bypassing antivirus software centered on shellcode. As someone less technical, I found it dense, but the audience of researchers clearly gained insights into evading detection.

Imposter Syndrome and Human Factors in Security

Switching to track two, Dr. Jessica Barker presented her research on “imposter syndrome,” a topic I’d discussed with her at Infosecurity Europe. Her talk was less technical but deeply relevant, addressing confidence, fitting in, and convincing recruiters you’re right for the job. Barker emphasized the “desire to be liked” and advised surrounding yourself with positive people—radiators, not drains—and “doing anything that pushes you out of your comfort zone.” This session highlighted that security research isn’t just about code; it’s about people too.

Technical Talks: Memory Forensics and Banking Malware

Later, I caught Darren Martyn from Xiphos Research, who gave an “18-rated” talk (all speakers had BBFC-style ratings due to children present) on memory forensics. After lunch, Proofpoint researchers Wayne Huang and Sun Huang detailed the Northern Gold attack campaign. They explained how attackers buy WordPress credential lists to spread Qbot malware, infecting 500,000 systems and sniffing 800,000 online banking transactions. Since December 2015, they’ve used an exploit kit for Qbot. This kind of deep-dive security research is exactly what Steelcon excels at.

Car Hacking Takes Center Stage

As the talk ended, attendees filtered to track two for Scott Helme’s presentation on the Nissan Leaf. Helme, working with Troy Hunt, was reluctant to call it “hacking” since the car wasn’t built with security in mind. He found a new API framework in the mobile app that was “definitely not secure.” Using a Python script, he could locate any Leaf globally, change its charging schedule, toggle air conditioning, and repeatedly alter battery charge from 95% to 100%—potentially voiding the warranty. Helme presented this to Nissan and the Information Commissioner’s Office, but got no satisfactory response. Perhaps the surge in ethical car hacking will push regulators to act.

Finishing the day, Chris Ratcliff’s talk “Vorsprung Durch Hacknik” explored why cars are hackable. He noted that no two manufacturers are the same; every car starts from scratch, with each component having its own control point. In a striking slide, Ratcliff showed that while there have been seven iPhone models, there’s been only one BMW 5 Series. Except for Tesla—a tech company that makes cars—the auto industry is heavy on bought-in parts, causing problems when those parts fail. “Are manufacturers going to retro-fit?” he asked, predicting security will become a selling point. The frustration is that when cars can’t be upgraded, consumers must buy new ones.

Why Steelcon Matters for UK Security Research

The event ended with organizer Robin Wood declaring that despite selling out, Steelcon will stay at the same venue. A massive charitable donation was made, later doubled to around £1,500 after an after-party collection. So why does Steelcon matter? It’s an event outside London, family-friendly, with an excellent venue. It strengthens the UK information security scene. This was one of the best conferences I’ve attended in years. If tickets go on sale for 2017, I’ll be there—and I expect a surge in demand.

For more on security events, check out Infosecurity Europe 2025 or read about ethical hacking trends.