skip to main content

Talks

Back to top

Mobile Mesh RF Network Exploitation: Getting the Tea from goTenna

Friday at 10:00 in LVCC - L1 - HW1-11-02 (Track 2)
45 minutes | Tool 🛠, Demo 💻, Exploit 🪲

Erwin Karincic

Woody

False sense of security in devices that guarantee security is worse than no security at all. One device used by personnel who require communication security is goTenna Pro radio that creates an "off-the-grid" encrypted mobile mesh network.This network does not require any traditional cellular or satellite infrastructure and they may be found locally in your community. The datasheet says it is using AES-256 encryption. Has anyone bothered to verify that it is being implemented in the most secure manner? We examined this device and found that it was possible to fingerprint and track every off-the-grid message regardless of encryption. We also identified vulnerabilities that result in interception and decryption of the most secure encryption algorithm AES-256 as well as injection of messages into the existing mesh network. We don’t just trust what datasheets say, we verify it for you. We will explain our testing methodologies and demonstrate exploitation in a live demo. We will discuss the operational implications of these vulnerabilities and safe ways of using these devices that decrease the chance of a compromise. The tools developed as part of this research will be released open-source to inform what was possible to inspire future research against similar devices. We will discuss how we worked with goTenna to remedy these issues.

Erwin Karincic

Erwin is an experienced security researcher specializing in both hardware and software reverse engineering, binary analysis, and exploit development across a range of processor architectures. He has notable experience in implementing complex Radio Frequency (RF) waveforms using Software Defined Radios (SDRs) for cybersecurity applications, complemented by his proficiency in designing, simulating, and fabricating antennas tailored for such applications. His past work includes extensive TCP/IP networking experience, designing worldwide secure communication systems. Erwin holds a number of prestigious certifications, including OSCP, OSCE, OSWE, OSEE, and CCIE Enterprise Infrastructure.

Twitter (@tb69rr)

Woody

Woody thinks Linux is a member of the Charlie Brown gang who can lift heavy things but not always spell them. He has had some success with RF exploits in the past with the first ever goTenna exploit talk in the RF wireless village as well as the first attack against Ford Raptor key fobs with RaptorCaptor exploit. Woody’s unique background, familiar to some, gives him a creative aspect to the impact of goTenna Pro research in the physical and RF world. Woody is also a staff member in the RFHacker Sanctuary, a member of Security Tribe, and has appeared on a few episodes of Hak5 describing novel device attacks.

Back to top

Where’s the Money: Defeating ATM Disk Encryption

Friday at 10:00 in LVCC - L1 - HW1-11-03 (Track 3)
45 minutes | Exploit 🪲

Matt Burch Independent Vulnerability Researcher

Holding upwards of $400,000, ATMs continue to be a target of opportunity and have seen over a 600% increase in crime in just the last few years. During this time, I led security research with another colleague into the enterprise ATM industry resulting in the discovery of 6 zero-day vulnerabilities affecting Diebold Nixdorf’s Vynamic Security Suite (VSS), the most prolific ATM security solution in the market. 10 minutes or less is all that a malicious actor would need to gain full control of any system running VSS via offline code injection and decryption of the primary Windows OS. Diebold Nixdorf is one of three major North American enterprise class ATM manufacturers with a global presence in the financial, casino/gaming, and point-of-sale markets. Similar attack surfaces are currently being used in the wild and impact millions of systems across the globe. Furthermore, VSS is known to be present throughout the US gaming industry, including most of the ATM/cash-out systems across Vegas.

In this session, I will publicly disclose this research, review the discovery process, and dive into the technical intricacies of each vulnerability. The Full Disk Encryption module of VSS conducts a complex integrity validation process to ensure a trusted system state, performed as a layered approach during system initialization. Examination of the workflow will highlight various deficiencies that I will demonstrate through PoC exploitation.

Each vulnerability presented in this session has been observed to have a recursive impact across all major versions of VSS and represents a systemic ongoing risk. We will explore the root-cause, vendor remediation steps, and short-comings thereof – perpetuating the attack narrative. In conclusion, proper mitigation techniques and procedures will be covered, providing valuable insights into defending against potential compromise.

  • Vynamic Security Suite - Vynamic Security Hard Disk Encryption Secure Sensitive Consumer Data: link
  • SEC Consult - Manipulation of pre-boot authentication in CryptWare CryptoPro Secure Disk for Bitlocker: link
  • Diebold Nixdorf - EULA for Vynamic Security Suite 3.0: link
  • Diebold Nixdorf - Product Legal Terms Website: link
  • CryptWare Website: link
  • Secure Disk for BitLocker Website: link
  • CPSD Website: link
  • O'Reilly - Essential System Administration, 3rd Edition by Æleen Frisch: link
  • Flowblok's Blog - Shell Startup Scripts: link
  • Red Hat Customer Portal - Enhancing Security with the Kernel Integrity Subsystem: link
  • OpenSUSE Wiki - SDB:Ima evm: link
  • ATMIA - ATM Operator Training: link
  • 3SI Systems - Stop Criminals from Cashing in at the ATM: link
  • Diebold Nixdorf - Vynamic Security Intrusion Protection Product Card: link
  • Diebold Nixdorf - DN Product Card - Vynamic Security Hard Disk Encryption: link
  • Everi - Everi to Showcase "Digital Neighborhood" Connecting Guest Loyalty, Cash Access Experiences, and Casino Solutions Made Possible by Industry-Leading Financial Technology Portfolio at 2019 Global Gaming Expo: link
  • GlobeNewswire - NRT Accelerates Growth through Acquisition of Casino ATM Portfolio: link
  • Northox - How does the TPM perform integrity measurements on a system?: link

Matt Burch

Matt Burch is an independent vulnerability researcher with 20 years of experience in the information security industry and 15 years of focus in adversarial testing and simulation. He specializes in ATM, IoT, mobile application, and IP based vulnerability research. With this diverse background, he has successfully identified unique deficiencies in high-security products – awarding him numerous CVE accreditations.

Twitter (@emptynebuli)

Back to top

Securing CCTV Cameras Against Blind Spots

Friday at 10:00 in LVCC - L1 - HW1-11-04 (Track 4)
20 minutes

Jacob Shams Ph.D. Researcher at Cyber@Ben-Gurion University

In recent years, CCTV footage has been integrated in systems to observe areas and detect traversing malicious actors (e.g., criminals, terrorists). However, this footage has "blind spots", areas where objects are detected with lower confidence due to their angle/distance from the camera.

In this talk, we investigate a novel side effect of object detection in CCTV footage; location-based confidence weakness.

We demonstrate that a pedestrian's position (distance, angle, height) in footage impacts an object detector's confidence.

We analyze this phenomenon in four lighting conditions (lab, morning, afternoon, night) using five object detectors (YOLOv3, Faster R-CNN, SSD, DiffusionDet, RTMDet).

We then demonstrate this in footage of pedestrian traffic from three locations (Broadway, Shibuya Crossing, Castro Street), showing they contain "blind spots" where pedestrians are detected with low confidence. This persists across various locations, object detectors, and times of day. A malicious actor could take advantage of this to avoid detection.

We propose TipToe, a novel evasion attack leveraging "blind spots" to construct a minimum confidence path between two points in a CCTV-recorded area. We demonstrate its performance on footage of Broadway, Shibuya Crossing, and Castro Street, observed by YOLOv3, Faster R-CNN, SSD, DiffusionDet, and RTMDet.

TipToe reduces max/average confidence by 0.10 and 0.16, respectively, on paths in Shibuya Crossing observed by YOLOv3, with similar performance for other locations and object detectors.

  1. Artificial intelligence in medicine: A comprehensive survey of medical doctor’s perspectives in Portugal link, (Accessed 09-10-2023).
  2. The impact of artificial intelligence along the insurance value chain and on the insurability of risks - The Geneva Papers on Risk and Insurance - Issues and Practice link, (Accessed 09-10-2023).
  3. R. Chopra and G. D. Sharma, “Application of artificial intelligence in stock market forecasting: A critique, review, and research agenda,” Journal of Risk and Financial Management, vol. 14, no. 11, 2021.link
  4. [B. B. Elallid, N. Benamar, A. S. Hafid, T. Rachidi, and N. Mrani, “A comprehensive survey on the application of deep and reinforcement learning approaches in autonomous driving,” Journal of King Saud University - Computer and Information Sciences, vol. 34, no. 9, pp. 7366–7390, 2022. (Online). Available: link
  5. I. J. Goodfellow, J. Pouget-Abadie, M. Mirza, B. Xu, D. Warde-Farley, S. Ozair, A. Courville, and Y. Bengio, “Generative adversarial networks,” 2014.
  6. I. J. Goodfellow, J. Shlens, and C. Szegedy, “Explaining and harnessing adversarial examples,” 2015.
  7. A. Kurakin, I. Goodfellow, and S. Bengio, “Adversarial examples in the physical world,” 2017.
  8. A. Chakraborty, M. Alam, V. Dey, A. Chattopadhyay, and D. Mukhopadhyay, “Adversarial attacks and defences: A survey,” 2018.
  9. A. Athalye, L. Engstrom, A. Ilyas, and K. Kwok, “Synthesizing robust adversarial examples,” 2018.
  10. M. Sharif, S. Bhagavatula, L. Bauer, and M. K. Reiter, “Accessorize to a crime: Real and stealthy attacks on state-of-the-art face recognition,” in Proceedings of the 2016 ACM SIGSAC Conference on Computer and Communications Security, ser. CCS ’16. New York, NY, USA: Association for Computing Machinery, 2016, p. 1528–1540. (Online). Available: link
  11. Z. Zhou, D. Tang, X. Wang, W. Han, X. Liu, and K. Zhang, “Invisible mask: Practical attacks on face recognition with infrared,” 2018.
  12. S. Komkov and A. Petiushko, “AdvHat: Real-world adversarial attack on ArcFace face ID system,” in 2020 25th International Conference on Pattern Recognition (ICPR). IEEE, jan 2021. (Online). Available: link
  13. B. Yin, W. Wang, T. Yao, J. Guo, Z. Kong, S. Ding, J. Li, and C. Liu, “Adv-makeup: A new imperceptible and transferable attack on face recognition,” in Proceedings of the Thirtieth International Joint Conference on Artificial Intelligence, IJCAI-21, Z.- H. Zhou, Ed. International Joint Conferences on Artificial Intelligence Organization, 8 2021, pp. 1252–1258, main Track. (Online). Available: link
  14. A. Zolfi, S. Avidan, Y. Elovici, and A. Shabtai, “Adversarial mask: Real-world universal adversarial attack on face recognition model,” 2022.
  15. C. Sitawarin, A. N. Bhagoji, A. Mosenia, M. Chiang, and P. Mittal, “Darts: Deceiving autonomous cars with toxic signs,” 2018.
  16. Y. Zhao, H. Zhu, R. Liang, Q. Shen, S. Zhang, and K. Chen, “Seeing isn’t believing: Towards more robust adversarial attack against real world object detectors,”Proceedings of the 2019 ACM SIGSAC Conference on Computer and Communications Security, 2019. (Online). Available: link
  17. G. Lovisotto, H. Turner, I. Sluganovic, M. Strohmeier, and I. Martinovic, “SLAP: Improving physical adversarial examples with Short-Lived adversarial perturbations,” in 30th USENIX Security Symposium (USENIX Security 21). USENIX Association, Aug. 2021, pp. 1865–1882. (Online). Available: link
  18. T. Sato, J. Shen, N. Wang, Y. Jia, X. Lin, and Q. A. Chen, “Dirty road can attack: Security of deep learning based automated lane centering under Physical-World attack,” in 30th USENIX Security Symposium (USENIX Security 21). USENIX Association, Aug. 2021, pp. 3309–3326. (Online). Available: link
  19. W. Wang, Y. Yao, X. Liu, X. Li, P. Hao, and T. Zhu, “I can see the light: Attacks on autonomous vehicles using invisible lights,” in Proceedings of the 2021 ACM SIGSAC Conference on Computer and Communications Security, ser. CCS ’21. New York, NY, USA: Association for Computing Machinery, 2021, p. 1930–1944. (Online). Available: link
  20. S.-T. Chen, C. Cornelius, J. Martin, and D. H. Chau, “ShapeShifter: Robust physical adversarial attack on faster r-CNN object detector,” in Machine Learning and Knowledge Discovery in Databases. Springer International Publishing, 2019, pp. 52–68. (Online). Available: link
  21. K. Eykholt, I. Evtimov, E. Fernandes, B. Li, A. Rahmati, C. Xiao, A. Prakash, T. Kohno, and D. Song, “Robust physical-world attacks on deep learning models,” 2018.
  22. S. Thys, W. V. Ranst, and T. Goedemé, “Fooling automated surveillance cameras: adversarial patches to attack person detection,” 2019.
  23. Z. Wu, S.-N. Lim, L. Davis, and T. Goldstein, “Making an invisibility cloak: Real world adversarial attacks on object detectors,” 2020.
  24. R. M. Oza, A. Geisen, and T. Wang, “Traffic sign detection and recognition using deep learning,” in 2021 4th International Conference on Artificial Intelligence for Industries (AI4I), 2021, pp. 16–20.

Jacob Shams

Jacob Shams is a Ph.D. student at Ben-Gurion University of the Negev (BGU). His work addresses the security of AI models and systems, model extraction attacks, deep neural network (DNN) watermarking, and robustness of computer vision (CV) models.

Jacob is a Ph.D. researcher at Cyber@Ben-Gurion University (CBG) and is working on multiple research projects in the area of AI security. Jacob holds a B.Sc. in Software Engineering from BGU and an M.Sc. in Software and Information Systems Engineering from BGU.

Back to top

Behind Enemy Lines: Going undercover to breach the LockBit Ransomware Operation

Friday at 10:00 in LVCC - L3 - W322-W327 (Warstories Track)
45 minutes

Jon DiMaggio Chief Security Strategist at Analyst1

Delve into the clandestine world of the LockBit ransomware gang! In this revealing presentation, I will recount my two-year journey spent infiltrating the inner ranks of the LockBit crime syndicate. Learn about the strategies employed to earn the trust of key individuals within the syndicate, including the gang's leader, LockBitSupp.

You will see firsthand accounts of these exchanges, and I will detail the intricacies of my relationship with LockBit's leadership and its network of affiliate hackers. You will also gain insight into the unintended consequences of my actions, including how my perceived breach of their infrastructure impacted the syndicate's operations. More importantly, I will share how I assisted in unmasking the real-world person behind the mask of LockBitSupp.

Join me as I illustrate the pivotal role of human intelligence in tandem with cyber threat intelligence to combat ransomware threats. This talk offers a compelling narrative of real-world efforts to thwart ransomware activities and safeguard organizations from LockBit ransomware attacks.

  • 60 min (full episode): 4/14/2024: Scattered Spider; Knife; Tasmanian Tiger - CBS News
  • 60 Min Overtime (additional footage from my interview about LockBit): Infiltrating ransomware gangs on the dark web - CBS News
  • Ransomware Diaries
  • Ransomware Diaries: Volume 1 | Analyst1
  • Ransomware Diaries V. 2: A Ransomware Hacker Origin Story (analyst1.com)
  • Ransomware Diaries V. 3: LockBit's Secrets (analyst1.com)
  • Ransomware Diaries Volume 5: Unmasking LockBit (analyst1.com)

Jon DiMaggio

Jon DiMaggio is the chief security strategist at Analyst1 and has over 16 years of experience hunting, researching, and writing about advanced cyber threats. In 2022, Jon's authored his first book, "The Art of Cyberwarfare," which earned him the prestigious SANS Difference Makers Award, solidifying his status as a thought leader in the industry. The following year, SANs recognized his work once again, awarding his most notable research, "The Ransomware Diaries," detailing his operation to infiltrate the real-world humans behind the LockBit criminal operation. Jon’s other notable achievements include his appearance on 60 Minutes, where he discussed his undercover operations infiltrating some of the world top ransomware gangs. Jon’s research has been featured in The New York Times, Wired, Bloomberg, Fox, CNN, Reuters, and other news organizations.

Twitter (@Jon__DiMaggio)

Back to top

Spies and Bytes: Victory in the Digital Age

Friday at 10:30 in LVCC - L1 - HW1-11-01 (Track 1)
45 minutes

General Paul M. Nakasone Founding Director at Vanderbilt’s Institute of National Security

Join General Paul M. Nakasone, U.S. Army (Retired), for a deep dive into the realities of modern cyber warfare at DefCon. With critical stories from his extensive career, General Nakasone will expose the details of national security in the digital era.

The longest-serving leader of both the National Security Agency and U.S. Cyber Command, General Nakasone has been on the frontlines of America's cyber defense. He will share firsthand accounts of defending against nation-state hackers, securing critical infrastructure during global crises, and the strategies that kept adversaries at bay.

This talk will examine the evolving nature of conflict, where the battlefield extends into cyberspace and unique partnerships must be built to offer agility and resilience. General Nakasone will discuss the persistent threats posed by sophisticated hackers and the innovative defenses employed to counteract them. He’ll delve into the importance of intelligence sharing, international alliances, and transparency in operations.

Looking ahead, General Nakasone will present a forward-thinking vision for the future of warfare. He’ll highlight the necessity for adaptive cyber strategies, resilient defenses, and the cultivation of new leadership to address emerging threats.

General Paul M. Nakasone

Paul M. Nakasone, General, U.S. Army (Retired), is the founding director of Vanderbilt’s Institute of National Security. With over three decades of distinguished service in the Army, his career began at the end of the Cold War and included pivotal moments such as being at the Pentagon on 9-11, deploying to combat zones in Iraq and Afghanistan, and spearheading cyber operations. His service spanned the Trump and Biden administrations, culminating as the Director of the National Security Agency and Commander of U.S. Cyber Command. Over nearly six years, he led the largest element of the US Intelligence Community and the Defense Department’s cyber forces through three national elections, a global pandemic, and escalating threats to the homeland.

Throughout his career, General Nakasone has been a transformative leader, adept at navigating complex challenges. He implemented a persistent strategy in deploying cyber forces to combat nation-state hackers and expanded cooperation with international, interagency, and private sector partners to enhance insights into national adversaries. His efforts to increase operational transparency have significantly bolstered public trust in both the Agency and Command.

He remains deeply committed to fostering national service and leadership development.

Back to top

Defeating magic by magic:Using ALPC security features to compromise RPC services

Friday at 10:30 in LVCC - L1 - HW1-11-04 (Track 4)
45 minutes

WangJunJie Zhang Senior Security Researcher at Hillstone Network Security Research Institute

YiSheng He

Advanced Local Procedure Call (ALPC) is an Inter Process Communication method in the Windows kernel. In the past few years, Windows ALPC and RPC vulnerabilities have emerged in an endless stream. These vulnerabilities are mainly based on TOCTOU file operations, memory corruption vulnerabilities in RPC services and ALPC syscalls in ntoskrnl.

Windows kernel provides a variety of security measures to ensure that the data and context accepted by the ALPC and RPC servers are safe. We noticed the attack surface in the security mechanism of the ALPC kernel, and we found a security flaw in this mechanism (magic) and successfully obtained the system privilege from unauthorized users (defeating magic by magic).

In this talk, we will first overview the communication mechanism of ALPC and RPC services. We will discuss the details of ALPC and RPC in the marshal/unmarshal process that has not been disclosed before. We'll also talk about the kernel security mechanism in ALPC syscalls. Then we will analyze some historical bugs in ALPC and RPC, and disclose the details of the vulnerability we found, discussing how we bypassed the security mechanism through a small security flaw in security mechanisms. Later we'll discuss the exploitation, you will learn about the multiple ways. Finally, We'll make conclusions and share our opinions on this attack surface, including some tips and opinions on how to find these kinds of bugs.

  1. A view into ALPC-RPC by Clement Rouault and Thomas Imbert Hack.lu 2017
  2. Exploiting Errors in Windows Error Reporting - Gal De Leon
  3. Windows Internals, Part 2, 7th Edition

WangJunJie Zhang

WangJunJie Zhang is a senior security researcher of Hillstone Network Security Research Institute. His work involved exploit development and bug hunting. He is currently focusing on windows components and kernel security and he has reported many vulnerabilities to Microsoft and RedHat and got acknowledgements. He was also listed on Microsoft Most Valuable Researcher from 2020 to 2023. He was also the speaker of CansecWest 2023 and HITBSecConf Amsterdam 2023 conference.

Twitter (@hillstone_lab)

YiSheng He

YiSheng He is a member of OWASP, (ISC)², CSA and other organizations. He is the organizer of the DCG86020 event. He has obtained various international professional certifications such as CISSP, CCSK, CISA, and participated in many open source security projects. He obtained a large number of CVE numbers and received acknowledgements from Microsoft, Apple and other companies. He also participated in many CTF competitions and won good ranking. His research interests include AIoT and WEB security. He was also the speaker of CansecWest 2023 and HITBSecConf Amsterdam 2023 conference.

Back to top

No Symbols When Reversing? No Problem: Bring Your Own

Friday at 11:00 in LVCC - L1 - HW1-11-03 (Track 3)
20 minutes | Tool 🛠

Max "Libra" Kersten

We all know it all too well: that ominous feeling when opening an unknown file in your favorite analysis tool, only to be greeted with hundreds or thousands of unknown functions, none of which are matched by your existing function signatures, nor any of your helper scripts. This makes the analysis a painfully slow and tedious process. Additionally, it sometimes means that the required analysis time exceeds the available time, and another file is chosen to be reversed instead. Especially when dealing with malware, this is an undesired scenario, as it would create a blind spot from a blue team’s perspective.

The goal of this talk is to share a tried and tested method on how to deal with thousands of unknown functions in a given file, significantly decreasing the time spent on the analysis. The example throughout the talk is the Golang based qBit family, but is applicable to any kind of binary. While this talk focuses on using Ghidra, given its free and open-source nature, it is equally possible with other industry standard tools. The focus will be on scripts, as well as the creation and usage of FunctionID and BSim databases. By combining these, you will be able to create your own symbols, and bring them anywhere you go, for any language of choice.

While the symbols are portable, an aggregation of them scales very well over any number of analysts. As such, this methodology works well for individual researchers, but when scaling it for a team of researchers, the outcome will be greater than the sum of its parts.

This talk will use (malicious) Golang binaries as examples and provide a large dataset of symbols for this language. The scripts, as well as FunctionID and BSim databases, mentioned in this talk will all be made publicly available at the time of this talk.

In no particular order:

  • Automate .fidb generation with headless Ghidra: link
  • Understanding static and dynamic compilation and linking: link
  • How symbols work: link
  • BSim answers from the Ghidra team: link
  • Feeding Gophers to Ghidra (a blog I wrote for my employer about my research into Golang internals): link
  • A blog I wrote summarising my Golang reversing journey for my employer: link
  • The open-source scripts on GitHub: link
  • A talk I gave about the Golang internals at HackInTheBox Amsterdam 2023: link
  • Ghidra’s FunctionID codebase: link
  • Hex-Ray’s IDA Pro’s F.L.I.R.T. explained: link
  • BSim’s GhidraDoc explanation and tutorial: link

Max "Libra" Kersten

Max Kersten is a malware analyst, blogger, and speaker who aims to make malware analysis more approachable for those who are starting. In 2019, Max graduated cum laude with a bachelor's in IT & Cyber Security, during which Max also worked as an Android malware analyst. Currently, Max works as a malware analyst at Trellix, where he analyses APT malware and creates open-source tooling to aid such research. Over the past few years, Max spoke at international conferences, such as DEFCON, Black Hat (USA, EU, MEA, Asia), Botconf, Confidence-Conference, HackYeahPL, and HackFestCA. Additionally, he gave guest lectures and workshops for DEFCON, Botconf, several universities, and private entities.

LinkedIn
Mastodon (@libra@infosec.exchange)
Twitter (@Libranalysis)
Website

Back to top

The XZ Backdoor Story: The Undercover Operation That Set the Internet on Fire

Friday at 11:00 in LVCC - L3 - W322-W327 (Warstories Track)
45 minutes | Demo 💻

Thomas Roccia Senior Security Researcher at Microsoft

On Fri, 29 Mar 2024, at exactly 08:51:26, OSS security received a message from Andres Freund, a software engineer at Microsoft, stating he had discovered a backdoor in upstream xz/liblzma that could compromise SSH servers. The open-source project XZ, specifically the liblzma library, has been compromised by a mysterious maintainer named Jia Tan, putting the entire internet at risk. Fortunately, this discovery helped us avoid the worst.

But what happened? How long has this rogue maintainer been part of the project? Who is Jia Tan? Was he involved in other projects? How does the backdoor work? And what should we learn from this?

These are questions we will attempt to answer. First, we will discuss the discovery, which is so riddled with coincidences and chance that it's hard not to think about all the ones we've missed. Then, we'll examine the process itself, from gaining trust within the project to deploying the backdoor, dissecting the operating methods and the main protagonists. We will also dive into the technical details, explaining how the backdoor is deployed and how it can be exploited.

The XZ backdoor is not just an incredible undercover operation but also a gigantic puzzle to solve. Beyond the technical background, there is a story to tell here, to capitalize on what went wrong and what we could improve.

  • OSS Security Andres Freund Email: link
  • My work on the XZ Backdoor: link
  • Second tweet of the XZ Backdoor: link
  • Additional works related to my presentation:
    • Gynvael Coldwind: link
    • link by @thesamesam@social.treehouse.systems
    • link by @eb@social.coop
    • link by @wiz_io
    • link by smx
    • link by Kaspersky
    • link by @bl4sty

Thomas Roccia

Thomas Roccia is working as a Senior Security Researcher at Microsoft and works on malware research, generative AI and threat intelligence. In addition to his work at Microsoft, Thomas also runs SecurityBreak, an online platform where he showcases his latest projects and research findings.

Thomas has travelled the world to manage critical outbreaks and has been on the front lines of some of the most well-known threats. He has tracked cybercrime and nation-state campaigns and has worked closely with law enforcement agencies.

In addition to his professional work, Thomas is a regular speaker at security conferences and is committed to contributing to the open-source community through various projects. He runs the Unprotect Project, an open malware evasion techniques database, since 2015. He is also the author of the book Visual Threat Intelligence, an illustrated guide for threat researchers. Thomas's work has been quoted by multiple media outlets around the world.

LinkedIn
Past Presentations
Twitter (@fr0gger_)
Website

Back to top

Atomic Honeypot: A MySQL Honeypot That Drops Shells

Friday at 11:30 in LVCC - L1 - HW1-11-01 (Track 1)
30 minutes | Demo 💻, Exploit 🪲, Tool 🛠

Alexander Rubin Principal Security Engineer, leading RDS Red Team at Amazon Web Services (AWS)

Martin Rakhmanov Senior Security Engineer, RDS Red Team at Amazon Web Services (AWS)

Meet an attacking MySQL honepot which can “Attack the attackers”. In 2023 we have found a CVE (CVE-2023-21980) in MySQL that allows a rogue MySQL “server” to attack a client connecting to it; attack meaning RCE on the client side. Since then we were thinking on how to use it for good. One obvious application is to create a honeypot which will attack the attackers. In 2024 we have found another RCE in mysqldump utility (CVE-2024-21096), so we have created a rogue MySQL server and weaponized it with a chain of 3 vulnerabilities: 1/ arbitrary file read 2/ RCE from 2023 (CVE-2023- 21980) 3/ the new RCE (CVE-2024-21096). With this atomic honeypot we were able to discover 2 new attacks against MySQL server. Using arbitrary file read vulnerability in MySQL we were able to download and analyze the attackers' code and then execute an “attack against attackers” using a chain of exploits.

CVE-2023-21980 CVE-2024-21096

Alexander Rubin

Alexander is a Principal Security Engineer at Amazon Web Services (AWS), leading RDS Red Team. Alexander was working as MySQL principal consultant/architect for over 15 years, started with MySQL AB in 2006 (company behind MySQL database), Sun Microsystems, Oracle and then Percona. His security pentest/red teaming interest started with playing CTFs and performing opensource security research. Alexander is managing RDS (relational database as a service) Red Team at Amazon Web Services.

Martin Rakhmanov

Martin is a Senior Security Engineer at Amazon Web Services (AWS) RDS Red Team. Prior to that, Martin spent 17 years doing security research of databases and other targets, including servers, desktop applications and hardware. Martin found more than 30 CVEs across various databases and other products.

Back to top

Listen to the whispers: web timing attacks that actually work

Friday at 11:30 in LVCC - L1 - HW1-11-03 (Track 3)
45 minutes | Tool 🛠, Demo 💻, Exploit 🪲

James "albinowax" Kettle Director of Research at PortSwigger

Websites are riddled with timing oracles eager to divulge their innermost secrets. It's time we started listening to them.

In this session, I'll unleash novel attack concepts to coax out server secrets including masked misconfigurations, blind data-structure injection, hidden routes to forbidden areas, and a vast expanse of invisible attack-surface.

This is not a theoretical threat; every technique will be illustrated with multiple real-world case studies on diverse targets. Unprecedented advances have made these attacks both accurate and efficient; in the space of ten seconds you can now reliably detect a sub-millisecond differential with no prior configuration or 'lab conditions' required. In other words, I'm going to share timing attacks you can actually use.

To help, I'll equip you with a suite of battle-tested open-source tools enabling both hands-free automated exploitation, and custom attack scripting. I'll also share a little CTF to help you hone your new skillset.

Want to take things further? I'll help you transform your own attack ideas from theory to reality, by sharing a methodology refined through testing countless concepts on thousands of websites. We've neglected this omnipresent and incredibly powerful side-channel for too long.

James "albinowax" Kettle

James 'albinowax' Kettle is the Director of Research at PortSwigger, the makers of Burp Suite. He's best known for his HTTP Desync Attacks research, which popularised HTTP Request Smuggling. James has extensive experience cultivating novel attack techniques, including web cache poisoning, browser-powered desync attacks, server-side template injection, and password reset poisoning. James is also the author of multiple popular open-source tools including Param Miner, Turbo Intruder, and HTTP Request Smuggler. He is a frequent speaker at numerous prestigious venues including both Black Hat USA and EU, OWASP AppSec USA and EU, and DEF CON.

Mastodon (@albinowax@infosec.exchange)
Twitter (@albinowax)
Website

Back to top

High Intensity Deconstruction: Chronicles of a Cryptographic Heist

Friday at 11:30 in LVCC - L1 - HW1-11-04 (Track 4)
75 minutes | Demo 💻, Exploit 🪲

Babak Javadi Co-Founder at Red Team Alliance Founder at The CORE Group

Aaron Levy Lead of Security Engineering at Clover

Nick Draffen Product Security Architect

Introduced in 2011, HID Global’s iCLASS SE solution is one of the world’s most widely-deployed Electronic Physical Access Control platforms. HID's iCLASS SE Readers are ubiquitous in electronic physical access control and used in most government agencies and Fortune 500 companies. The readers can be easily seen and identified in almost every form of mainstream media. Almost 13 years after iCLASS SE’s introduction, ground-breaking research and technical exploits will be disclosed publicly for the first time.

In this talk, we detail the process by which we reverse engineered the complex hardware and software chain of trust securing HID’s iCLASS SE platform.

Over a seven-year research period, we analyzed hardware, firmware, and software elements the ecosystem, uncovering an unfortunate series of pitfalls and implementation defects. These flaws culminated in an attack chain that allowed for the recovery of sensitive cryptographic key material from secure elements, which have received CC EAL 5+ accreditation. This chain resulted in revealing some cryptographic keys to the kingdom.

Finally, we provide comprehensive guidance on technical and operational mitigations for end customers to identify practical risks and reduce impact.

Inspirational (research done on previous generation system)

  • Heart of Darkness - Milosch Meriac link
  • Dismantling iClass and iClass Elite - Garcia, de Koning Gans, Verdult, & Meriac link

Babak Javadi

Babak Javadi is the Founder of The CORE Group and Co-Founder of the Red Team Alliance, a covert entry training and certification body. As a professional red teamer with over a decade of field experience, Babak’s expertise includes a wide range of disciplines, from high security mechanical cylinders to alarm systems and physical access control platforms. Babak’s community contributions include the co-founding of The Open Organisation of Lockpickers (TOOOL) where he served on the Board of Directors for over 13 years.

Twitter (@babakjavadi)

Aaron Levy

Aaron Levy is an independent security researcher that was credited in the discovery of CVE-2018-10897 and CVE-2019-11630. In his day job, he leads Security Engineering for Clover, a Payments and Point of Sale company that is a subsidiary of Fiserv.

Nick Draffen

Nick Draffen is a Product Security Architect, focusing on the protection of laboratory instruments and their software. Outside of work, he dives into research, reverse engineering, and hardware hacking, leveraging his technical expertise to both build and break things. He is a member of the Security Tribe and volunteers with the RF Village, creating and overseeing challenges for the RF CTF at various security conferences. Always eager to lend a helping hand, he is known for his ability to pull just the right tool from his extensive bag of tricks.

Twitter (@tcprst)

Back to top

Fireside Chat with DNSA Anne Neuberger

Friday at 12:00 in LVCC - L1 - HW1-11-01 (Track 1)
45 minutes

Anne Neuberger Deputy National Security Advisor for Cyber and Emerging Tech

Jeff "The Dark Tangent" Moss DEF CON Communications

This fireside chat will feature an in depth conversation between DNSA Neuberger and Dark Tangent on a variety of cybersecurity and emerging technology topics such as artificial intelligence and quantum computing. DNSA Neuberger has served in a variety of senior intelligence and cybersecurity roles within the National Security Agency, including Director of NSA’s cybersecurity organization and Deputy Director of NSA’s intelligence operations. She has also held multiple positions at the Department of Defense and the private sector, and now leads development of the Biden Administration’s policies on cybersecurity and emerging technologies from the White House. She and DT will delve into the latest and most pressing issues in these domains that concern the White House and how hackers can influence tech-related discussions to improve policy and operational outcomes.

Anne Neuberger

As the Deputy National Security Advisor for Cyber and Emerging Tech, I serve as an advisor to the President on matters related to cybersecurity, digital innovation, and emerging technologies. I coordinate the interagency response to cyber threats and engage with allies and partners on cyber cooperation. With over 25 years of experience in the government and private sector, I try to bring a unique perspective and experience to this work, which is primarily around advancing US national security interests, enhancing cyber resilience, and fostering innovation and collaboration between the private and public sectors.

Prior to joining the White House, I led the establishment of the NSA's Cybersecurity Directorate, bringing together thousands of intelligence analysts, cybersecurity professionals, cryptographers, researchers, and technologists. I previously led NSA’s global intelligence operations, and served as a White House Fellow. I care deeply about public service, inspired by the gifts this country has provided my family and so many other refugee and immigrant families.

Jeff "The Dark Tangent" Moss

Mastodon (@thedarktangent@defcon.social)
Twitter (@thedarktangent)

Back to top

On Your Ocean's 11 Team, I'm the AI Guy (technically Girl)

Friday at 12:00 in LVCC - L1 - HW1-11-02 (Track 2)
45 minutes | Demo 💻

Harriet Farlow CEO at Mileva Security Labs

One of the best parts of DEF CON is the glitz and glam of Vegas, the gambling capital of the world. Many have explored hacking casinos (on and off stage). Unfortunately, it’s just not like it is portrayed in the Oceans franchise.. in real life there’s much less action, no George Clooney, and it’s a lot harder to pull off a successful heist.

Fortunately I’m not your typical hacker, I’m an AI hacker. I use adversarial machine learning techniques to disrupt, deceive and disclose information from Artificial Intelligence systems.

I chose my target carefully: Canberra Casino. It’s the best casino in my city.. It’s also the only casino but that’s not the point. The casino industry is at an interesting inflection point. Many large casinos have already adopted AI for surveillance and gameplay monitoring, smaller casinos are starting to make the transition, and there’s only a couple of companies in the world that provide this software. It’s ripe for exploitation.

In this talk I’m going to show you how I bypassed Casino Canberra's AI systems - facial recognition, surveillance systems and gameplay monitoring. AI Security is the new cyber security threat, and attacks on AI systems could have broad implications including misdiagnoses in medical imaging, navigation errors in autonomous vehicles.. and successful casino heists.

  1. Standing Committee of the One Hundred Year Study of Artificial Intelligence. Gathering Strength,Gathering Storms: The One Hundred Year Study on Artificial Intelligence (AI100) 2021 Study Panel Report | One Hundred Year Study on Artificial Intelligence (AI100). Technical report, September 2021.
  2. Eva A. M. van Dis, Johan Bollen, Willem Zuidema, Robert van Rooij, and Claudi L. Bockting. ChatGPT: five priorities for research. Nature, 614(7947):224–226, February 2023. Bandiera abtest: a Cg type: Comment Number: 7947 Publisher: Nature Publishing Group Subject term: Com-puter science, Research management, Publishing, Machine learning.
  3. Mingfu Xue, Chengxiang Yuan, Heyi Wu, Yushu Zhang, and Weiqiang Liu. Machine Learn-ing Security: Threats, Countermeasures, and Evaluations. IEEE Access, 8:74720–74742, 2020.Conference Name: IEEE Access.
  4. NSCAI. The National Security Commission on Artificial Intelligence.
  5. Elisa Bertino, Murat Kantarcioglu, Cuneyt Gurcan Akcora, Sagar Samtani, Sudip Mittal, and Maanak Gupta. AI for Security and Security for AI. In Proceedings of the Eleventh ACM Confer-ence on Data and Application Security and Privacy, CODASPY ’21, pages 333–334, New York, NY, USA, April 2021. Association for Computing Machinery.
  6. Battista Biggio and Fabio Roli. Wild patterns: Ten years after the rise of adversarial machine learning. Pattern Recognition, 84:317–331, December 2018.
  7. Ian Goodfellow, Jonathon Shlens, and Christian Szegedy. Explaining and Harnessing Adversarial Examples. In International Conference on Learning Representations, 2015.
  8. Christian Szegedy, Wojciech Zaremba, Ilya Sutskever, Joan Bruna, Dumitru Erhan, Ian Goodfellow, and Rob Fergus. Intriguing properties of neural networks, February 2014. arXiv:1312.6199 [cs].
  9. Mahmood Sharif, Sruti Bhagavatula, Lujo Bauer, and Michael K. Reiter. Accessorize to a Crime: Real and Stealthy Attacks on State-of-the-Art Face Recognition. In Proceedings of the 2016 ACM SIGSAC Conference on Computer and Communications Security, CCS ’16, pages 1528–1540, New York, NY, USA, October 2016. Association for Computing Machinery.
  10. Tom Brown, Dandelion Mane, Aurko Roy, Martin Abadi, and Justin Gilmer. Adversarial Patch. 2017.
  11. US Marines Defeat DARPA Robot by Hiding Under a Cardboard Box | Extremetech.
  12. Walter David, Paolo Pappalepore, Alexandra Stefanova, and Brindusa Andreea Sarbu. AI-Powered Lethal Autonomous Weapon Systems in Defence Transformation. Impact and Chal-lenges. In Jan Mazal, Adriano Fagiolini, and Petr Vasik, editors, Modelling and Simulation for Autonomous Systems, Lecture Notes in Computer Science, pages 337–350, Cham, 2020. Springer International Publishing.
  13. C Wise and J Plested. Developing Imperceptible Adversarial Patches to Camouflage Military Assets From Computer Vision Enabled Technologies, May 2022. arXiv:2202.08892 cs..
  14. Anish Athalye, Nicholas Carlini, and David Wagner. Obfuscated Gradients Give a False Sense of Security: Circumventing Defenses to Adversarial Examples. In Proceedings of the 35th International Conference on Machine Learning, pages 274–283. PMLR, July 2018. ISSN: 2640-3498.
  15. Kevin Eykholt, Ivan Evtimov, Earlence Fernandes, Bo Li, Amir Rahmati, Chaowei Xiao, Atul Prakash, Tadayoshi Kohno, and Dawn Song. Robust Physical-World Attacks on Deep Learning Visual Classification. In 2018 IEEE/CVF Conference on Computer Vision and Pattern Recognition, pages 1625–1634, Salt Lake City, UT, USA, June 2018. IEEE.
  16. Ram Shankar Siva Kumar, Magnus Nystr ̈om, John Lambert, Andrew Marshall, Mario Goertzel, Andi Comissoneru, Matt Swann, and Sharon Xia. Adversarial Machine Learning-Industry Perspectives. In 2020 IEEE Security and Privacy Workshops (SPW), pages 69–75, May 2020.

Harriet Farlow

Harriet Farlow is the CEO of AI Security company Mileva Security Labs, a PhD Candidate in Machine Learning Security, and creative mind behind the YouTube channel HarrietHacks. She missed the boat on computer hacking so now she hacks AI and Machine Learning models instead. Her career has spanned consulting, academia, a start-up and Government, but don’t judge her for that one. She also has a Bachelor in Physics and a Master in Cyber Security. She calls Australia home but has lived in the UK and the US. Her ultimate hack was in founding her own AI Security company but if Skynet takes over she will deny everything and pretend the AI stood for Artificial Insemination, like her Mum thinks it does. (Sorry Mum but I’m not really a Medical Doctor).

LinkedIn
YouTube
www.harriethacks.com/
www.mileva.com.au/about-us

Back to top

Veilid Dev and Community Meetup

Friday at 12:00 in LVCC - L3 - W322-W327 (Warstories Track)
75 minutes

The_Gibson

The_Gibson

Back to top

Kicking in the Door to the Cloud: Exploiting Cloud Provider Vulnerabilities for Initial Access

Friday at 12:30 in LVCC - L1 - HW1-11-03 (Track 3)
45 minutes

Nick Frichette Staff Security Researcher at Datadog

In this talk we will explore vulnerabilities in Amazon Web Services (AWS) products which allowed us to gain access to cloud environments.

Traditionally, adversaries have abused misconfigurations and leaked credentials to gain access to AWS workloads. Things like exposed long-lived access keys and exploiting the privileges of virtual machines have allowed adversaries to breach cloud resources. However, these mistakes are on the customer side of the shared responsibility model. In this session, we will cover vulnerabilities in AWS services that have been fixed and that previously allowed us to access cloud resources.

We will start with an exploration of how Identity and Access Management (IAM) roles establish trust with AWS services and cover the mechanisms that prevent an adversary from assuming roles in other AWS accounts. We’ll then demonstrate a vulnerability that bypassed those protections. We’ll cover a real world example of a confused deputy vulnerability we found in AWS AppSync that allowed us to hijack IAM roles in other accounts.

Next, we'll highlight potential misconfigurations involving IAM roles leveraging sts:AssumeRoleWithWebIdentity. These misconfigurations cloud permit unauthorized global access to these roles without the need for authentication, affecting services like Amazon Cognito, GitHub Actions, and more.

Finally, we’ll cover a vulnerability we found in AWS Amplify that exposed customer IAM roles associated with the service to takeover, allowing anyone the ability to gain a foothold in that victim account. We’ll also discuss how security practitioners can secure their environments, even against a zero-day like one we’ll demonstrate.

Join us to learn how attackers search for and exploit vulnerabilities in AWS services to gain access to cloud environments.

Nick Frichette

Nick Frichette is a Staff Security Researcher at Datadog, where he specializes in offensive AWS security. He is known for finding multiple zero-day vulnerabilities in AWS services and regularly publishing on new attack techniques. In addition to his research, Nick is the creator and primary contributor to Hacking the Cloud, an open source encyclopedia of offensive security capabilities for cloud environments. He is also a part of the AWS Community Builder Program, where he develops content on AWS security.

Mastodon (@frichetten@fosstodon.org)
Twitter (@Frichette_n)
Website

Back to top

If Existing Cyber Vulnerabilities Magically Disappeared Overnight, What Would Be Next?

Friday at 13:00 in LVCC - L1 - HW1-11-01 (Track 1)
45 minutes

Dr. Stefanie Tompkins Director at Defense Advanced Research Projects Agency (DARPA)

Dr. Renee Wegrzyn First Director at Advanced Research Projects Agency for Health (ARPA-H)

Peiter “Mudge” Zatko Chief Information Officer at DARPA

The DEF CON community challenges the status quo, bringing a diversity of perspectives and ideas to identify hidden problems and solutions. While DARPA lays claim to the origin of the ARPANET/internet, vast communities of people with different interests created its novel components. The DARPA Cyber Grand Challenge helped launch the field of vulnerability detection and remediation and numerous DARPA Cyber Fast Track program performers continue to contribute to DEF CON.

What if current vulnerabilities all magically disappeared overnight and critical infrastructure were “safe and secure” for the time being. What would come next?

In this talk, Dr. Stefanie Tompkins will discuss the value of the hacker community and many of the contributions that have come from it, as well as the growth and synergy of the two communities. She’ll also explore the question of what comes next.

For a deeper dive into the real-world impacts of DARPA cyber technologies, Dr. Renee Wegrzyn, the inaugural director of the Advanced Research Projects Agency for Health (ARPA-H), will join Stefanie and a moderator. They will discuss efforts that impact DEF CON areas of interest and inform ARPA-H work, from Cyber Fast Track to current work focused on securing and defending hospitals and the health tech ecosystem from cyberattacks.

Dr. Stefanie Tompkins

Dr. Stefanie Tompkins is the director of the Defense Advanced Research Projects Agency (DARPA). Prior to this assignment, she was the vice president for research and technology transfer at Colorado School of Mines.

Tompkins has spent much of her professional life leading scientists and engineers in developing new technology capabilities. She began her industry career as a senior scientist and later assistant vice-president and line manager at Science Applications International Corporation, where she spent 10 years conducting and managing research projects in planetary mapping, geology, and imaging spectroscopy. As a program manager in DARPA’s Strategic Technology Office, she created and managed programs in ubiquitous GPS-free navigation as well as in optical component manufacturing. Tompkins has also served as the deputy director of DARPA’s Strategic Technology Office, director of DARPA’s Defense Sciences Office – the agency’s most exploratory office in identifying and accelerating breakthrough technologies for national security – as well as the acting DARPA deputy director.

Tompkins received a Bachelor of Arts degree in geology and geophysics from Princeton University and Master of Science and Doctor of Philosophy degrees in geology from Brown University. She has also served as a military intelligence officer in the U.S. Army.

LinkedIn

Dr. Renee Wegrzyn

Dr. Renee Wegrzyn is the first director of the Advanced Research Projects Agency for Health (ARPA-H). Bringing a wealth of experience from both the private sector and groundbreaking institutions like DARPA and IARPA, her leadership and vision continue to push the boundaries of health research and development. Dr. Wegrzyn's illustrious career has earned her numerous accolades, including the prestigious Superior Public Service Medal for her contributions at DARPA. She holds a Ph.D. and a bachelor's degree in applied biology from the Georgia Institute of Technology, and she further honed her expertise as an Alexander von Humboldt Fellow in Heidelberg, Germany.

LinkedIn

Peiter “Mudge” Zatko

Peiter “Mudge” Zatko is a distinguished scientist and cybersecurity expert with a career spanning significant roles in both public and private sectors. He returned to DARPA as the agency’s chief information officer in 2024. He previously was a program manager in both the Strategic Technology Office (STO) and Information Innovation Office (I2O). During his tenure in STO, Mudge was pivotal in developing DARPA’s Cyber Analytic Framework, which set a new standard in cybersecurity strategy. He later transitioned to I2O, where he continued to shape DARPA’s cyber initiatives.

Following his impactful career at DARPA, Mudge held key positions in industry, notably serving as corporate vice president of R&D at Motorola Mobility, deputy director at Google’s Advanced Technology and Projects division, and head of security and IT at fintech leader Stripe. Later, Mudge joined the executive team at Twitter, where he oversaw IT, infosec, global platform moderation and services, and corporate security/physical infrastructure.

Most recently, Mudge returned to the public sector as a Senior Government Executive and Senior Executive Service member, reporting to Director Jen Easterly at the Cybersecurity and Infrastructure Security Agency under the Department of Homeland Security.

Mudge holds a distinguished record of leadership and innovation in cybersecurity and technology, contributing significantly to both national security and private sector advancements.

Back to top

Sshamble: Unexpected Exposures in the Secure Shell

Friday at 13:00 in LVCC - L1 - HW1-11-02 (Track 2)
45 minutes | Demo 💻, Exploit 🪲, Tool 🛠

HD Moore CEO and Co-Founder at runZero

Rob King Director of Security Research at runZero

The Secure Shell (SSH) has evolved from a remote shell service to a standardized secure transport that is second only to Transport Layer Security (TLS) in terms of exposure and popularity. SSH is no longer just for POSIX operating systems; SSH services can be found in everything from network devices, to source code forges, to Windows-based file transfer tools. While OpenSSH is still the most prominent implementation, it's now just one of dozens, and these include a handful of libraries that drive a wide range of applications. This presentation digs deep into SSH, the lesser-known implementations, many of the surprising security issues found along the way, and how to exploit them. As part of this talk, we will release an open source tool, dubbed "sshamble", that assists with research and security testing of SSH services.

HD Moore

HD has focused on vulnerability research, network discovery, and software development since the 1990s. He is most recognized for creating Metasploit and is a passionate advocate for open-source software and vulnerability disclosure. HD serves as the CEO and co-founder of runZero, a provider of cutting-edge cyber asset attack surface management (CAASM) software and cloud services. Prior to founding runZero, he held leadership positions at Atredis Partners, Rapid7, and BreakingPoint. HD's professional journey began with exploring telephone networks, developing exploits for the Department of Defense, and breaking into financial institutions. When he's not working, he enjoys hacking on weird Go projects, building janky electronics, running in circles, and playing single-player RPGs.

Rob King

Rob King is the Director of Security Research at runZero. Over his career Rob has served as a senior researcher with KoreLogic, the architect for TippingPoint DVLabs, and helped get several startups off the ground. Rob helped design SC Magazine's Data Leakage Prevention Product of the Year for 2010, and was awarded the 3Com Innovator of the Year Award in 2009. He has been invited to speak at BlackHat, Shmoocon, SANS Network Security, and USENIX.

Back to top

Defeating EDR Evading Malware with Memory Forensics

Friday at 13:00 in LVCC - L1 - HW1-11-04 (Track 4)
45 minutes | Demo 💻, Tool 🛠

Andrew Case Director of Research at Volexity

Austin Sellers Detection Engineer at Volexity

Golden Richard Professor of Computer Science and Engineering and Associate Director for Cybersecurity at Center for Computation and Technology (CCT) at LSU

David McDonald Volcano team at Volexity

Gustavo Moreira Senior Security Engineer at Volexity

Endpoint detection and response (EDR) software has gained significant market share due to its ability to examine system state for signs of malware and attacker activity well beyond what traditional anti-virus software is capable of detecting. This deep inspection capability of EDRs has led to an arms race with malware developers who want to evade EDRs while still achieving desired goals, such as code injection, lateral movement, and credential theft. This monitoring and evasion occurs in the lowest levels of hardware and software, including call stack frames, exception handlers, system calls, and manipulation of native instructions. Given this reality, EDRs are limited in how much lower they can operate to maintain an advantage. The success of EDR bypasses has led to their use in many high-profile attacks and by prolific ransomware groups.

In this talk, we discuss our research effort that led to the development of new memory forensics techniques for the detection of the bypasses that malware uses to evade EDRs. This includes bypass techniques, such as direct and indirect system calls, module overwriting, malicious exceptions handlers, and abuse of debug registers. Our developed capabilities were created as new plugins to the Volatility memory analysis framework, version 3, and will be released after the talk.

  1. “Operation Dragon Castling: APT group targeting betting companies,” link, 2023.
  2. “Defeating Guloader Anti-Analysis Technique,” link, 2023.
  3. “A Deep Dive Into ALPHV/BlackCat Ransomware,” link, 2024.
  4. “APT Operation Skeleton Key,” link, 2023.
  5. “LockBit Ransomware Side-loads Cobalt Strike Beacon with Legitimate VMware Utility,” link, 2024.19
  6. “BlueBravo Uses Ambassador Lure to Deploy,” link, 2024.
  7. “UNMASKING THE DARK ART OF VECTORED EXCEPTION HANDLING: BYPASSING XDR AND EDR IN THE EVOLVING CYBER THREAT LANDSCAPE,” link, 2023.
  8. “Dirty Vanity: A New Approach to Code injection & EDR by-pass,” link, 2022.
  9. Volexity, “Surge Collect Pro,” link, 2022.
  10. “capstone,” link, 2024.
  11. “Silencing cylance: A case study in modern edrs,” link, 2019.
  12. “Av/edr evasion — malware development p — 3,” link, 2023.
  13. “A practical guide to bypassing userland api hooking,” link, 2022.
  14. A. Case, A. Ali-Gombe, M. Sun, R. Maggio, M. Firoz-Ul-Amin, M. Jalalzai, and G. G. R. III, “HookTracer: A System for Automated and Accessible API Hooks Analysis,” Proceedings of the 18th Annual Digital Forensics Research Conference (DFRWS), 2019.
  15. F. Block, “Windows memory forensics: Identification of (malicious) modifications in memory-mapped image files,” Forensic Science International: Digital Investigation, 2023. (Online). Available: link
  16. F. Block and A. Dewald, “Windows memory forensics: Detecting (un)intentionally hidden injected code by examining page table entries,” Digital Investigation, vol. 29, pp. S3–S12, 07 2019.
  17. “CCob,” link, 2024.
  18. “Lets Create An EDR. . . And Bypass It! Part 1,” link, 2020.
  19. “r77 rootkit,” link, 2024.
  20. “Deep Vanity,” link, 2022. 20
  21. “Peruns-Fart,” link, 2023.
  22. “FREEZE – A PAYLOAD TOOLKIT FOR BYPASSING EDRS USING SUSPENDED PROCESSES,” link, 2023.
  23. “Process Cloning,” link, 2023.
  24. “APT Group Chimera,” link, 2022.
  25. “Red Team Tactics: Combining Direct System Calls and sRDI to bypass AV/EDR,” link, 2019.
  26. “Hell’s Gate,” link, 2020.
  27. “Halo’s Gate,” link, 2021.
  28. “Tartarus Gate,” link, 2021.
  29. “Bypassing User-Mode Hooks and Direct Invocation of System Calls for Red Teams,” link, 2020.
  30. “SysWhispers2,” link, 2022.
  31. “An Introduction into Stack Spoofing,” link, 2023.
  32. “SilentMoonwalk: Implementing a dynamic Call Stack Spoofer,” link, 2022.
  33. “Spoofing Call Stacks To Confuse EDRs,” link, 2022.
  34. “Behind the Mask: Spoofing Call Stacks Dynamically with Timers,” link, 2022.
  35. “HellHall,” link, 2023.
  36. link, 2008.
  37. “Defeating Guloader Anti-Analysis Technique,” link, 2022.21
  38. “GULoader Campaigns: A Deep Dive Analysis of a highly evasive Shellcode based loader,” link, 2023.
  39. “Gh0stRat Anti-Debugging : Nested SEH (try - catch) to Decrypt and Load its Payload,” link, 2021.
  40. “Syscalls via Vectored Exception Handling,” link, 2024.
  41. “Bypassing AV/EDR Hooks via Vectored Syscall - POC,” link, 2022.
  42. “MutationGate,” link, 2024.
  43. Cymulate Research, “BlindSide,” link, 2023.
  44. “In-Process Patchless AMSI Bypass,” link, 2022.
  45. “PatchlessCLR,” link, 2022.
  46. “Dumping the VEH in Windows 10,” link, 2020.
  47. “Detecting anomalous Vectored Exception Handlers on Windows,” link, 2022.
  48. “SetUnhandledExceptionFilter,” link, 2024.

Andrew Case

Andrew Case is the Director of Research at Volexity and has significant experience in incident response handling and malware analysis. He has conducted numerous large-scale investigations that span enterprises and industries. Case is a core developer of the Volatility memory analysis framework, and a co-author of the highly popular and technical forensics analysis book "The Art of Memory Forensics: Detecting Malware and Threats in Windows, Linux, and Mac Memory."

Austin Sellers

Austin Sellers is a Detection Engineer at Volexity where he focuses on automating large scale memory analysis and threat detection techniques. He has significant experience in developing memory analysis datasets that allow for automated verification and testing of kernel and userland memory forensics techniques.

Golden Richard

Golden G. Richard III is a cybersecurity researcher and teacher and a Fellow of the American Academy of Forensic Sciences. He has over 40 years of practical experience in computer systems and computer security and is a devoted advocate for applied cybersecurity education. He is currently Professor of Computer Science and Engineering and Associate Director for Cybersecurity at the Center for Computation and Technology (CCT) at LSU. He also supports NSA's CAE-CO internship program, teaching memory forensics, vulnerability analysis, and other topics to cleared interns. His primary research interests are memory forensics, digital forensics, malware analysis, reverse engineering, and operating systems. Dr. Richard earned his BS in Computer Science from the University of New Orleans and MS and PhD in Computer Science from The Ohio State University.

David McDonald

David McDonald is a researcher and software engineer with 3 years of digital forensics R&D experience. His passion for this field began with his involvement in the University of New Orleans CTF team, as well as through his time as a Systems Programming teaching assistant. After over two years of digital forensics research and development on Cellebrite's computer forensics team, he joined Volexity's Volcano team, where he now works to develop next-generation memory analysis solutions.

Gustavo Moreira

Gustavo Moreira is a Senior Security Engineer at Volexity. He has significant experience in reverse engineering, incident response handling, embedded systems development and security, Windows and Linux internals, and automation of large scale malware analysis.

Back to top

Digital Emblems: When markings are required under international law, but you don’t have a rattle-can handy

Friday at 13:30 in LVCC - L1 - HW1-11-03 (Track 3)
45 minutes

Bill Woodcock Executive Director at Packet Clearing House

There are physical markings that are required under hundreds of different international laws, some governing transport of goods across national borders, some offering humanitarian protections on the battlefield, some seeking to protect the environment or genetic diversity… What they all have in common is that they’re currently represented by visual marks applied to objects. Many of these processes are undergoing “digitalization,” and becoming machine-readable, or electronically-signaled. A standards effort currently underway in the IETF seeks to create a common global marking protocol which would allow open-standards-based devices to scan, cryptographically validate, and display the digital versions of these marks. This session will relate the state of the standards effort, the scope of markings that have been considered thus far, and seek input on security or privacy vulnerabilities which may exist in the proposed standard.

Bill Woodcock

Bill Woodcock is the executive director of Packet Clearing House, the intergovernmental treaty organization that supports the operation of critical Internet infrastructure, including Internet exchange points and the core of the domain name system. Since entering the Internet industry in 1985, Bill has helped establish more than three hundred Internet exchange points. In 1989, Bill developed the anycast routing technique that now protects the domain name system. In 1998 he was one of the principal drivers of California 17538.4, the world’s first anti-spam legislation. Bill was principal author of the Multicast DNS and Operator Requirements of Infrastructure Management Methods IETF drafts. In 2002 he co-founded INOC-DBA, the security-coordination hotline system that interconnects the network operations centers of more than three thousand Internet Service Providers and Security Operations Centers around the world. And in 2007, Bill was one of the two international liaisons deployed by NSP-Sec to the Estonian CERT during the Russian cyber-attack. In 2011, Bill authored the first survey of Internet interconnection agreements, as input to the OECD’s analysis of the Internet economy. Bill served on the Global Commission on the Stability of Cyberspace and on the Commission on Caribbean Communications Resilience. He's on the board of directors of the M3AA Foundation, and was on the board of the American Registry for Internet Numbers for fifteen years. Now, Bill’s work focuses principally on the security and economic stability of critical Internet infrastructure.

Back to top

Xiaomi The Money - Our Toronto Pwn2Own Exploit and Behind The Scenes Story

Friday at 13:30 in LVCC - L3 - W322-W327 (Warstories Track)
45 minutes | Exploit 🪲

Ken Gannon Principal Security Consultant at NCC Group

Ilyes Beghdadi Senior Application Security Engineer at Census Labs

At Pwn2Own Toronto 2023, NCC Group was one of the two teams that compromised the Xiaomi 13 Pro. The exploit chain involved using a malicious HTML hyperlink and uploading a potentially malicious application to the Xiaomi app store.

However, this talk is not just about the technical details of the exploit. While researching the final exploit, NCC Group discovered how an exploit could work in one region of the world, but not in other regions, and how the researchers had to travel to Canada for a day just to test if the exploit would work in Canada. This talk also discusses just how far Xiaomi is willing to go to make sure their device isn't hacked at Pwn2Own, and why only two teams were able to successfully compromise the device during the competition.

Ken Gannon

Ken is a Principal Security Consultant at NCC Group who specializes in mobile security and doing security research on mobile devices. He occasionally complains about Xiaomi and other phone manufacturers.

Twitter (@yogehi)
yogehi.github.io

Ilyes Beghdadi

Ilyes is a Senior Application Security Engineer at Census Labs. At the time of the Pwn2Own research and entry, he was a Security Consultant at NCC Group who worked on reverse engineering Android malware.

Twitter (@040xZx)

Back to top

DEF CON Unplugged: Cocktails & Cyber with Jeff & Jen

Friday at 14:00 in LVCC - L1 - HW1-11-01 (Track 1)
45 minutes

Jen Easterly Director at Cybersecurity and Infrastructure Security Agency (CISA)

Join DEF CON Founder Jeff Moss for an Ask Me Anything with CISA Director Jen Easterly. REAL WORLD DEF CON: Where hackers stop being polite and start getting real.

Jen Easterly

Jen Easterly is the Director of the Cybersecurity and Infrastructure Security Agency (CISA). She was nominated by President Biden in April 2021 and unanimously confirmed by the Senate on July 12, 2021. Before coming to CISA, Jen was Head of Firm Resilience at Morgan Stanley. A two-time recipient of the Bronze Star, Jen retired from the U.S. Army after more than 20 years, including deployments in Haiti, the Balkans, Iraq, and Afghanistan. Responsible for standing up the Army’s first cyber battalion, she was also instrumental in the creation of United States Cyber Command. A graduate of West Point, Jen holds a master’s degree from the University of Oxford, where she studied as a Rhodes Scholar. She is the recipient of numerous honors, including the George C. Marshall Award in Ethical Leadership and the National Defense University Admiral Grace Hopper Award. She is a proud Mom, a mental health advocate, a Rubik’s Cube enthusiast, and an aspiring electric guitarist.

CISA.gov
LinkedIn
Twitter (@CISAGov)
Twitter (@CISAJen)

Back to top

Optical Espionage: Using Lasers to Hear Keystrokes Through Glass Windows

Friday at 14:00 in LVCC - L1 - HW1-11-02 (Track 2)
45 minutes | Demo 💻, Exploit 🪲, Tool 🛠

samy kamkar

Sashay away from this talk with the knowledge to perform state-of-the-art espionage, no technical background required.

In the realm of privilege escalation and data exfiltration, the physical world quietly screams secrets. We'll demystify the fascinating physics behind signals and how various forms of energy--infrared, visible, and ultraviolet light, radio, ultrasound, audible sound, mechanical vibration, and temperature--can be interpreted as waves that unintentionally leak information, even in air-gapped (non-networked) systems. We'll observe how air is in fact not an effective gap or barrier as radio, light, sound, and vibration excitedly travel through it. We'll explore how all electrical signals radiate electromagnetism (light or radio) that can be intercepted and how we can reverse this process, producing electromagnetism to inject desired electrical signals into our target.

We'll delve into historical and seminal side-channel/TEMPEST attacks from our friends at the NSA, KGB, and past DEF CON pioneers. You'll learn about the essential electrical and optical components combined for cutting-edge eavesdropping, including what our target is typing from a distance.

While others believe they're obtaining noise, we will extract signal, and you'll leave this talk hearing the world in a new light.

  • [1985] Electromagnetic radiation from video display units - Wim van Eck
  • Bunnie link
  • DEFCON 17: Sniff Keystrokes With Lasers/Voltmeters - Andrea Barisani, Daniele Bianco
  • DEF CON 23 - Colin Flynn - Dont Whisper my Chips: Sidechannel and Glitching for Fun and Profit
  • DEF CON 24 - Marc Newlin - MouseJack: Injecting Keystrokes into Wireless Mice
  • DEF CON 25 - Matt Wixey - See no evil, hear no evil: Hacking invisibly & silently with light & sound
  • DEF CON 31 - Video Based Cryptanalysis Extracting Keys from Power LEDs - Ben Nassi, Ofek Vayner
  • Georgi Gerganov - kbd-audio link
  • Lest We Remember: Cold Boot Attacks on Encryption Keys - Halderman et al link
  • RSA Key Extraction via Low-Bandwidth Acoustic Cryptanalysis - Daniel Genkin, Adi Shamir, Eran Tromer link

samy kamkar

Samy Kamkar is a security researcher, sometimes known for creating The MySpace Worm, the fastest spreading (non-biological) virus of all time. As a teenager, this led to a raid by the Secret Service and a court-ordered ban from computers, the Internet, and MySpace. After years of virtuous, upstanding behavior and a legal technological reinstatement, he now attempts to develop and illustrate terrifying vulnerabilities with playfulness, where his exploits have been branded:

“Controversial” -The Wall Street Journal

“Horrific” -The New York Times

“Now I want to fill my USB ports up with cement” -Gizmodo

Samy's open source software, hardware, and research highlight insecurities and privacy implications in everyday technologies. From NAT Slipstreaming and Evercookies, which bypass firewalls by simply visiting a web page and produce virtually immutable respawning cookies, to RollJam and SkyJack, a cryptography-agnostic radio-based car exploitation device and drones that wirelessly hijack and autonomously control swarms of other drones within wireless distance.

His work has been cited by the NSA, triggered hearings on Capitol Hill, and is the basis for security advancements across nearly all major web browsers, smartphones, and vehicles.

Github
Twitter (@samykamkar)
samy.pl

Back to top

The Way To Android Root: Exploiting Your GPU On Smartphone

Friday at 14:00 in LVCC - L1 - HW1-11-04 (Track 4)
45 minutes | Demo 💻, Exploit 🪲

Xiling Gong Security Researcher, Android Red Team at Google

Eugene Rodionov Technical Leader, Android Red Team at Google

Xuan Xing Manager, Android Red Team at Google

GPU security is a vital area of mobile security highlighted both by public security research as well as by in-the-wild attacks. Due to the high complexity of the GPU software/firmware along with a widely available attack surface, issues in GPU provide strong exploitation primitives for local privilege escalation attacks by the code running in unprivileged context.

In this talk, we will focus our research on the Qualcomm Adreno GPU, which is a very popular GPU implementation in mobile devices. We will do a deep dive into Adreno GPU kernel module implementation focusing on the most recent GPU versions, reveal its complex and new attack surfaces, and discuss vulnerabilities we discovered in this component.

In total we identified 9+ exploitable vulnerabilities in Adreno GPU driver leading to kernel code execution and affecting Qualcomm-based devices using the latest GPU models. We will demonstrate the exploitation of one of the race condition issues on a fully-patched widely used Android device to obtain root privileges from zero-permission application with 100% success rate.

Android kernel mitigations such as CFI and W^X create significant hurdles for exploiting vulnerabilities in kernel to achieve code execution. Also race condition usually means unstable, low success rate. We'll explain how we overcome these challenges with a novel, generic exploit method that leverages GPU features to achieve arbitrary physical memory read/write. This technique bypasses key mitigations (CFI, W^X) and has broader implications for kernel heap buffer overflows. We will cover the technical details of the exploitation, and especially the novel generic exploit method.

We will also discuss the action items that the vendors could take to minimize the impact of this exploit method, as well as general methods to improve the overall security status of the GPU.

Xiling Gong

Xiling Gong is a Security Researcher at Google on the Android Red Team. Xiling focuses on finding and exploiting vulnerabilities in the low-level components of the Android platform and Pixel devices. Xiling has been a speaker at CanSecWest 2018, Black Hat USA 2019, Def Con 27, Black Hat Asia 2021 and Black Hat USA 2023, Def Con 31.

Eugene Rodionov

Eugene Rodionov, PhD, is the technical leader of the Android Red Team at Google. In his current position, Eugene focuses on finding and exploiting vulnerabilities in the low-level components of the Android platform and Pixel devices. Prior to that, Rodionov performed offensive security research on UEFI firmware for Client Platforms at Intel, and ran internal research projects and performed in-depth analysis of complex threats at ESET. His fields of interest include reverse engineering, vulnerability analysis, firmware security and anti-rootkit technologies. Rodionov is a co-author of the "Rootkits and Bootkits: Reversing Modern Malware and Next Generation Threats" book and has spoken at security conferences such as Black Hat, REcon, ZeroNights, and CARO.

Xuan Xing

Xuan Xing is the manager of the Android Red Team at Google. For the past years, Xuan focused on finding security vulnerabilities in various low level components of Android/Pixel devices. He is passionate about software fuzzing for security research. In Black Hat USA 2022 Xuan presented the "Google Reimagined a Phone. It was Our Job to Red Team and Secure it" talking about Pixel ABL security auditing.

Back to top

Breaching AWS Accounts Through Shadow Resources

Friday at 14:30 in LVCC - L1 - HW1-11-03 (Track 3)
45 minutes | Demo 💻, Exploit 🪲, Tool 🛠

Yakir Kadkoda Lead Security Researcher, Team Nautilus at Aqua

Michael Katchinskiy

Ofek Itach Senior Security Researcher at Aqua

The cloud seems complex, but it's what happens behind the scenes that really complicates things. Some services utilize others as resources as part of their logic/operation. Interestingly enough, it turns out that this could lead to catastrophic results if done unsafely.

This talk will present six critical vulnerabilities that we found in AWS, along with the stories and methodologies behind them. These vulnerabilities, which were all promptly acknowledged and fixed by AWS, could allow external attackers to breach almost any AWS account. The vulnerabilities range from remote code execution, which could lead to full account takeover, to information disclosure, potentially exposing sensitive data, or causing denial of service. The session will share our story of discovery, how we were able to identify commonalities among them, and how we developed a method to uncover more vulnerabilities and enhance the impact by using common techniques leading to privilege escalation. We will then detail our approach for mapping service external resources and release our Open-Source tool to research service internal API calls. We will also present a method to check if accounts have been vulnerable to this vector in the past.

We will conclude our talk with the lessons learned during this research and our future line of research. We will highlight new areas that cloud researchers need to explore when hunting for cloud vulnerabilities and highlight best practices for developers to use in complex environments.

Yakir Kadkoda

Yakir Kadkoda is a Lead Security Researcher at Aqua's research team, Team Nautilus. He combines his expertise in vulnerability research with a focus on discovering and analyzing new security threats and attack vectors in cloud native environments, supply chain security, and CI/CD processes. Prior to joining Aqua, Yakir worked as a red teamer. Yakir has shared his cybersecurity insights at major industry events like Black Hat and RSA.

LinkedIn
Twitter (@YakirKad)
www.aquasec.com/authors/yakir-kadkoda/

Michael Katchinskiy

Michael Katchinskiy is a Security Researcher and a Computer Science student at the Technion. His work focuses on researching and analyzing new attack vectors in cloud-native environments, specializing in Kubernetes and integrating CNAPP data to detect and prevent attacks.

Ofek Itach

Ofek Itach is a Senior Security Researcher at Aqua, specializing in cloud research. His work centers on identifying and analyzing attack vectors in cloud environments, enhancing security measures for cloud platforms and cloud environments.

Back to top

Joe and Bruno's Guide to Hacking Time: Regenerating Passwords from RoboForm's Password Generator

Friday at 14:30 in LVCC - L3 - W322-W327 (Warstories Track)
45 minutes | Demo 💻, Exploit 🪲, Tool 🛠

Joe "Kingpin" Grand

Bruno Krauss

Imagine if you could go back in time to precompute all passwords that could have been generated by an off-the-shelf password generator? With RoboForm versions prior to June 2015, you can!

In Joe and Bruno's Guide to Hacking Time, Joe and Bruno share their story, process, and experiences of reverse engineering RoboForm, finding a weakness in the randomness of the password generation routine, and creating a wrapper to generate all possible passwords that could have been generated within a specific time frame. Their work, using Cheat Engine, Ghidra, x64dbg, and custom code, was done specifically to help someone recover over $3 million of Bitcoin locked in a software wallet, but the attack could be exploited against any account or system protected by a password generated by RoboForm before their 7.9.14 release when this problem was fixed.

  • Kung Fury, link
  • Cheat Engine
  • Ghidra
  • x64dbg

Joe "Kingpin" Grand

Joe Grand, also known as Kingpin, is a computer engineer, hardware hacker, teacher, daddy, honorary doctor, occasional YouTuber, creator of the first electronic badges for DEFCON, member of L0pht Heavy Industries, and former technological juvenile delinquent.

LinkTree
Twitter (@joegrand)
YouTube

Bruno Krauss

Bruno Krauss is a software engineer and Bitcoin enthusiast. He demonstrated his knack for password cracking at the age of 13 by bypassing his secondary school's IT security to mine BTC on their PCs and now specializes in cryptocurrency recovery.

LinkedIn

Back to top

DC101 Panel

Friday at 15:00 in LVCC - L1 - HW1-11-01 (Track 1)
60 minutes

Back to top

Abusing Windows Hello Without a Severed Hand

Friday at 15:00 in LVCC - L1 - HW1-11-02 (Track 2)
45 minutes | Demo 💻, Tool 🛠

Ceri Coburn Red Team Operator and Offensive Security Dev at Pen Test Partners

Dirk-jan Mollema Security Researcher at Outsider Security

Windows Hello is touted by Microsoft as the modern de facto authentication scheme on Windows platforms, supporting authentication and encryption backed by biometrics. In a world that is quickly accelerating towards a passwordless existence, what new threats do we face in this complex landscape? We will take a deep dive into the inner working of Windows Hello. Via the release of a new tool, it will be demonstrated how an attacker on a fully compromised Windows host can leverage secrets backed by Windows Hello biometrics without needing the biometric data that protects them. We will also show how the hardware protections of Windows Hello and its accompanying Primary Refresh Tokens can be defeated, making it possible to use Windows Hello for identity persistency and PRT stealing, in some cases even without Administrator access on the host.

Ceri Coburn

After a 20 year career within the software development space, Ceri was looking for a new challenge and moved into pen testing back in 2019. During that time he has created and contributed to several open source offensive tools such as Rubeus, BOFNET and SweetPotato and on the odd occasion contributed to projects on the defensive side too. After speaking at DEF CON 31 for the first-time last year, he is now back for more. He currently works as a red team operator and offensive security dev at Pen Test Partners.

Twitter (@_ethicalchaos_)
ethicalchaos.dev/

Dirk-jan Mollema

Dirk-jan Mollema is a hacker and researcher of Active Directory and Microsoft Entra (Azure AD) security. In 2022 he started his own company, Outsider Security, where he performs penetration tests and reviews of enterprise networks and cloud environments. He blogs at dirkjanm.io, where he publishes his research, and shares updates on the many open source security tools he has written over the years. He presented previously at TROOPERS, DEF CON, Black Hat and BlueHat and has been awarded as one of Microsoft's Most Valuable Researchers multiple times.

Back to top

Android App Usage and Cell Tower Location: Private. Sensitive. Available to Anyone?

Friday at 15:00 in LVCC - L1 - HW1-11-04 (Track 4)
45 minutes | Demo 💻, Exploit 🪲

Ryan Johnson Senior Director, R&D at Quokka

Do you consider the list of mobile apps you use and the frequency at which you use them private information? What about the GPS coordinates of the cell towers to which your smartphone connects? The Android framework restricts third-party apps from freely obtaining this information – unless the user explicitly grants the app access. Android is a diverse ecosystem that comes with many benefits, but device vendors can still unintentionally expose app usage and device location in a variety of ways. We uncover privacy leaks of both types of data, where pre-loaded vendor software exposes app usage and location to co-located software. We also explore various local exposures of this data, where it is leaked to resources that do not require any special permissions or privileges to access.

We discovered these leakages across several major vendors, including Samsung, Nokia, Transsion brands (i.e., Tecno, Infinix, and Itel), and additional vendors that utilize a pre-installed Qualcomm app for performance monitoring. We cover each of these exposures in detail. App usage reveals the subset of the apps that the user actually interacts with, which can be collected, combined with location data, and analyzed for advertising, profiling, and establishing user pattern-of-life.

  1. link
  2. link
  3. link
  4. link
  5. link
  6. link
  7. link
  8. link
  9. link
  10. link
  11. link
  12. link
  13. link
  14. link
  15. link
  16. link
  17. link
  18. link
  19. link
  20. link
  21. link
  22. link
  23. link
  24. link
  25. link

Ryan Johnson

Dr. Ryan Johnson is a Senior Director, R&D at Quokka (formerly Kryptowire). His research interests are static and dynamic analysis of Android apps and reverse engineering. He is a co-founder of Quokka and has presented at DEF CON, Black Hat (USA, Asia, & MEA), IT-Defense, and @Hack. His research in Android security has been assigned dozens of CVEs and is responsible for discovering the Adups spyware that affected millions of Android smartphones.

LinkedIn

Back to top

Taming the Beast: Inside the Llama 3 Red Team Process

Friday at 15:30 in LVCC - L1 - HW1-11-03 (Track 3)
45 minutes

Aaron "dyn" Grattafiori Lead, AI Red Teaming at Meta

Ivan Evtimov Red Teaming Research Scientist, Gen AI Trust & Safety at Meta

Joanna Bitton Software Engineer, GenAI Trust & Safety at Meta

Maya Pavlova Software Engineer, GenAI Trust & Safety at Meta

In this presentation, the core AI Red Team at Meta will take you on a journey through the story of Red Teaming the Llama 3 Large Language Model. This talk is perfect for anyone eager to delve into the complexity of advanced model Red Teaming and safety, as well as how to perform their own research to find new attacks should attend this talk. We’ll begin by exploring what AI Red Teaming is truly about, before exploring Meta’s process and approaches on the topic. The team will detail our methodology for discovering new risks within complex AI capabilities, how emergent capabilities may breed emergent risks, what types of attacks we’re looking to perform across different model capabilities and how or why the attacks even work. Moreover, we’ll explore insights into which lessons from decades of security expertise can – and cannot – be applied as we venture into a new era of AI trust and safety.

The team will then move on to how we used automation to scale attacks up, our novel approach to multi-turn adversarial AI agents and the systems we built to benchmark safety across a set of different high-risk areas. We also plan to discuss advanced cyber-attacks (both human and automated), Meta’s open benchmark CyberSecEvals and touch on Red Teaming for national security threats presented by state-of-the-art models. For each of these areas we’ll touch on various assessment and measurement challenges, ending on where we see the AI Red Teaming industry gaps, as well as where AI Safety is heading at a rapid pace.

Aaron "dyn" Grattafiori

Aaron “dyn” Grattafiori is currently a lead for AI Red Teaming at Meta, leading the fight against the machines. Previously he spent over six years leading the “cyber” Red Team at Meta performing full-scale Operations against a wide array of objectives from insider threats and edge device compromises to simulated supply chain attacks, ransomware, custom rootkits and malware. Before working at Meta, Aaron was a Principal Consultant at NCC Group for many years working on application security assessments for leading software companies across web, mobile, cryptography, virtualization, containers as well as network security assessments. Aaron has spoken on a wide range of topics at security conferences such as BlackHat, DEF CON, Enigma, Toorcon, Source Seattle, Red Team Summit and more. When not hacking the LLM gibson, Aaron can be found on the slopes, the garage working on an old car or hiking the front range in Colorado.

Ivan Evtimov

Currently a red teaming research scientist at Meta Gen AI Trust & Safety. Ivan has been the tech lead for red teaming Llama 3, Code Llama, AudioBox, Seamless and participated as a red teamer in many other model and product releases. Ivan has also carried out AI research on cybersecurity safety, robustness to spurious correlations, and fairness in AI systems. Before Meta, Ivan was a member of the Computer Security and Privacy Lab and the Tech Policy Lab at the University of Washington, carrying out research on adversarial machine learning. He has also been spotted on a bike in the general vicinity of New York City.

Joanna Bitton

Currently a software engineer on Meta’s GenAI Trust & Safety, Joanna has been the lead for automation, safety and red teaming across many internal projects at Meta. An original member of the Facebook AI Red Team, she has worked on critical Responsible AI issues for over five years. She is also the author of AugLy, a data augmentation library for audio, image, text, and video to bypass classifiers and perform other attacks with over 5k GitHub stars. Joanna takes red teaming to heart, and can neither confirm nor deny she was raised on a submarine.

Maya Pavlova

Currently a software engineer on Meta’s GenAI Trust & Safety, Maya Pavlova’s main work these days has been on understanding how to bridge the gap between manual red teaming processes and automated solutions. Maya originally entered this world from the safety testing lens, previously working on scaling Responsible AI’s fairness evaluation platforms, she has now pivoted to the interesting problem of how to automate AI red teaming attacks to build robust adversarial stress testing platforms.

Back to top

Social Engineering Like you’re Picard

Friday at 15:30 in LVCC - L3 - W322-W327 (Warstories Track)
45 minutes | Demo 💻

Jayson E. Street

AI is transforming social engineering. Using tools like ChatGPT, Gemini, and Copilot, attackers can make phishing and vishing attacks nearly impossible to distinguish from legitimate Interactions. This presentation will demonstrate how virtually anyone with a pulse can now use AI to craft sophisticated phishing sites and conduct vishing operations with unprecedented subtlety and effectiveness. These next-generation techniques are transforming the landscape of social engineering.

You will learn how to replicate these advanced techniques to elevate your own social-engineering game. You will learn how criminals can manipulate AI tools to simulate real-world attacks and gain a deeper insight into their tactics. You’ll learn how to use A.I. to enhance how you attack now & ways for it to supplement skills you don’t currently have.

You will learn how to leverage these techniques to transform an organization’s, traditional, “security awareness” mentality into a “situational awareness” mindset. Using real-world examples, we demonstrate turning potential threats into teachable moments.

This session is essential for anyone looking to harness the power of AI in hacking and Red Teaming. We offer practical skills to engage employees and enhance your approach to social engineering both offensively and defensively. And yes, we do this with a certain theme in mind as I ENGAGE the audience as we boldly go where no Hackers have gone before!

  1. link
  2. link
  3. link
  4. link
  5. link
  6. link
  7. link
  8. link
  9. link
  10. link
  11. link
  12. link
  13. link
  14. link

Jayson E. Street

Jayson E. Street referred to in the past as:

A "notorious hacker" by FOX25 Boston, "World Class Hacker" by National Geographic Breakthrough Series and described as a "paunchy hacker" by Rolling Stone Magazine. He however prefers if people refer to him simply as a Hacker, Helper & Human.

He's a Simulated Adversary for hire. The author of the "Dissecting the hack: Series" ( Which has been taught in colleges and Jayson also appears in college text books as well). Also, the DEF CON Groups Global Ambassador. He's spoken at DEF CON, DEF CON China, GRRCon, DerbyCon and at several other 'CONs & colleges on a variety of Information Security subjects. He was also a guest lecturer for the Beijing Institute of Technology for 10 years.

He loves to explore the world & networks as much as he can. He has successfully robbed banks, hotels, government facilities, Biochemical companies, etc. on five continents (Only successfully robbing the wrong bank in Lebanon once all others he was supposed to)!

Jayson is a highly carbonated speaker who has partaken of Pizza from Bulgaria to Brazil & China to The Canary Islands. He does not expect anybody to still be reading this far but if they are please note he was proud to be chosen as one of Time's persons of the year for 2006.

HackerAdventures.world
Twitter (@jaysonstreet)
Website

Back to top

Making the DEF CON 32 Badge

Friday at 16:00 in LVCC - L1 - HW1-11-01 (Track 1)
60 minutes

Mar Williams

Mar Williams

Back to top

Eradicating Hepatitis C With BioTerrorism

Friday at 16:00 in LVCC - L1 - HW1-11-02 (Track 2)
45 minutes | Demo 💻, Tool 🛠

Mixæl Swan Laufer Chief Spokesperson at Four Thieves Vinegar Collective

A quarter of a million people die from Hepatitis C every year. Fifty million people are currently infected, and a million more are infected each year. But for the first time in history there is a cure (not just a treatment) for a virus, and it is for Hepatitis C. Take one 400mg pill of Sofosbuvir every day for twelve weeks, and you will be free of the virus. The catch? Those pills are one thousand US dollars apiece because the molecule is the "Intellectual Property" of Gilead Pharmaceuticals, and they refuse to share. So if you have $84,000 USD, Hep C is not your problem. But for everyone else, The Four Thieves Vinegar Collective has developed a way to make the entire course of treatment for $300 USD. This methodology also applies to other diseases. Like any science, the method of manufacture of drugs can be replicated, and we are going to give you all the necessary tools and show you the process top-to-bottom. Watch it happen live, participate, and learn to do it yourself: Use our digital research assistant to help you navigate the scientific literature, feed your medicine of choice into ChemHacktica to get a chemical synthesis pathway, put that procedure into the Recipe Press to generate code for the new version of the MicroLab to run, and watch the medicine form in the reaction chamber. Finally come on stage, press some tablets, and make your own thousand-dollar pill for four dollars in materials. The feds say saving a life this way is bioterrorism. We say: So Be It.

Mixæl Swan Laufer

Mixæl Swan Laufer worked in mathematics and high energy physics until he decided to use his background in science to tackle problems of global health and human rights. He now is the chief spokesperson for the Four Thieves Vinegar Collective which works to make it possible for people to manufacture their own medications and medical devices at home by creating public access to tools, ideas, and information.

Twitter (@MichaelSLaufer)
fourthievesvinegar.org

Back to top

Outlook Unleashing RCE Chaos: CVE-2024-30103 & CVE-2024-38021

Friday at 16:00 in LVCC - L1 - HW1-11-04 (Track 4)
45 minutes | Demo 💻, Exploit 🪲, Tool 🛠

Michael Gorelik Founder at Morphisec

Arnold Osipov Distinguished Malware Researcher at Morphisec

Did you ever receive an empty email and immediately think it might be a reconnaissance attack? What if opening such an email in your Outlook client could trigger remote code execution through an invisible form? Yes, all forms are COM objects, and CVE-2024-21378 has flung open the gates to Outlook RCE chaos.

In our session, "Outlook Unleashing RCE Chaos: CVE-2024-30103" we'll dive into how this seemingly innocuous vulnerability can lead to mayhem. This vulnerability paved the way for us to discover a series of new remote code execution vulnerabilities in Outlook, including CVE-2024-30103. But we’re not stopping there.

Additionally, we'll uncover other vulnerabilities that can cause NTLM leaks from your domain-joined devices.

So, how did we get here? Join us as we construct an evolution timeline of this attack surface. From the origins of these exploits to their current incarnations, we'll cover it all. And because we believe in building a safer digital world, we'll conclude with specific, actionable recommendations on how to minimize these threats.

  1. link
  2. link
  3. link
  4. link
  5. link
  6. link

Michael Gorelik

Michael has amassed over twenty years of experience in the cybersecurity industry, with a decade at Morphisec where he pioneered Moving Target Defense within Endpoint Security. Prior to founding Morphisec, he collaborated on numerous security projects with Deutsche Telekom and Ben-Gurion University laboratories. His expertise spans roles as a reverser, malware researcher, penetration tester, and vulnerability researcher. Michael holds more than seven patents and a Master of Science degree in Computer Science from Ben-Gurion University, Israel. He has worked with the FBI on several significant cybersecurity cases and identified critical privilege escalation exploits in various endpoint security vendors. Michael is a seasoned speaker at industry conferences and led his team to uncover one of the largest supply chain attacks, the CCleaner incident.

Github
LinkedIn
Twitter (@smgoreli)

Arnold Osipov

Arnold is a distinguished malware researcher at Morphisec, renowned for discovering new categories of malware, including the Jupyter and Chaos info stealers among others. His groundbreaking work has significantly advanced understanding and mitigation of emerging malware threats. Arnold has presented his findings at various BSides events throughout Europe, establishing himself as a knowledgeable and engaging speaker. His research continues to push the boundaries of cybersecurity, enhancing both Morphisec’s capabilities and the broader security landscape.

LinkedIn
Twitter (@osipov_ar)

Back to top

Leveraging private APNs for mobile network traffic analysis

Friday at 16:30 in LVCC - L1 - HW1-11-03 (Track 3)
45 minutes | Demo 💻

Aapo Oksman Founder at Juurin Oy

Knowing where and how your mobile and IoT devices communicate on the Internet is essential for ensuring privacy and security.

In the past, it has been easy to follow their communication through a WIFI connection that you control. However, your devices are becoming more locked down and utilize mobile networks such as 4G and 5G for communication. As the devices communicate directly through mobile network base stations operated by Internet Service Providers (ISPs), tampering with or even monitoring their communication is outside your reach.

While it is possible to set up a private base station, it requires expensive components and is hard to operate. However, many ISPs have begun offering private Access Point Names (APNs) to allow you to have a private network inside the ISP infrastructure.

This talk will show how you can affordably leverage ISP-operated mobile networks and their private APN services to control your mobile devices' network traffic. This technique lets you inspect, filter, and tamper with your mobile devices' IP traffic for offensive and defensive cyber security needs, such as penetration testing IoT devices or monitoring mobile device endpoints for malicious traffic.

  • link
  • Janne Taponen - Economizing Mobile Network Warfare: Budget-Friendly Baseband Fuzzing - T2 2024 Conference
  • XiaoHuiHui - All the 4G Modules Could Be Hacked - DEF CON 27 Conference link

Aapo Oksman

Aapo Oksman is an entrepreneur and the Founder of Juurin Oy, a boutique company focusing on technical IoT cybersecurity. His background is in electrical engineering, embedded devices, and test automation. Combining his background with a hacking hobby led to a cybersecurity career focusing on industrial IoT.

Bug Bounties and security research keep Aapo motivated and learning. His work in PKI and TLS has resulted in multiple CVEs from vendors like Microsoft, Google, Apple, and Samsung. At DEF CON 31, Aapo released a TLS hacking tool, certmitm, that has proven its worth in finding insecure TLS implementations with new vulnerabilities found constantly.

Outside work and research, Aapo's passion is in the community. He organizes local security meetups and coaches the Finnish national youth CTF team in the yearly European Cybersecurity Challenge competition.

LinkedIn

Back to top

Why are you still, using my server for your internet access.

Friday at 16:30 in LVCC - L3 - W322-W327 (Warstories Track)
45 minutes

Thomas Boejstrup Johansen

Pawning countries at top level domain by just buying one specific domain name ‘wpad.tld’, come hear about this more the 25+ years old issue and the research from running eight different wpad.tld domains for more than one year that turn into more the 1+ billion DNS request and more then 600+GB of Apache log data with leaked information from the clients.

This is the story about how easy it is to just buying one domain and then many hundreds of thousands of Internet clients will get auto pwned without knowing it and start sending traffic to this man-in-the-middle setup there is bypassing encryption and can change content with the ability to get the clients to download harmful content and execute it.

The talk will explain the technical behind this issue and showcase why and how clients will be trick into this Man-in-the-middle trap.

  1. Description of wpad and the function, include listing the security issue. link
  2. Navigator Proxy Auto-Config File Format from March 1996 link
  3. INTERNET-DRAFT 1999 for Web Proxy Auto-Discovery Protocol link
  4. Microsoft Security Bulletin MS99-054 Critical Vulnerability from 1999 link
  5. Description of the wpad PAC javascript format. link
  6. Pentesting tool with function as a WPAD Proxy Server to capture credentials from clients. link
  7. WPAD Name Collision Vulnerability link
  8. WPAD Vulnerability link link
  9. ICANN - Root Cause Analysis - wpad.domain.name link
  10. Windows proxy settings ultimate guide part – WPAD/PAC configuration file

Thomas Boejstrup Johansen

Thomas Boejstrup Johansen aka Tooms has been in professional IT for more than 25+ years, where the first 11+ years were as a system administrator for a large Danish company and the last 14+ years as a security specialist with the work in the field of Reverse Engineering Malware, Incident Response and Forensics but also physical redteam engagements and pentesting for customers.

The last many years have been mainly as lead senior forensics investigator and incident response on many incidents including some more well known major incidents like the incident in 2021 there got known around the world as Microsoft Exchange Hafnium vulnerability.

LinkedIn
Twitter (@ToomsDK)

Back to top

Bricked & Abandoned: How To Keep The IoT From Becoming An Internet of Trash

Friday at 17:00 in LVCC - L1 - HW1-11-01 (Track 1)
45 minutes

Paul Roberts Founder at Secure Repairs Publisher and Editor in Chief at The Security Ledger

Chris Wysopal CTO at Veracode

Cory Doctorow Author

Tarah Wheeler Founder and CEO at Red Queen Dynamics Senior Fellow in Global Cyber Policy at Council on Foreign Relations

Dennis Giese

In a world where technology and software are intertwined with our daily lives more than ever, a silent threat grows in the shadows.

End-of-life devices—abandoned by manufacturers - power our homes, hospitals, businesses and critical infrastructure. From the depths of the cyber underground, malicious software from cybercriminal and nation-state actors is seizing these forgotten devices and conscripting them into botnets and other malicious infrastructure.

For example, Black Lotus Labs revealed a chilling trend: 40,000 small office home office (SOHO) routers compromised and enrolled in the sinister 'Faceless' botnet - now powered by devices you own and thought were safe.

And it's not just routers. Critical medical devices, essential security hardware—smart home appliances. No gadget is safe. And, with the Internet of Things set to double in the next decade, billions of vulnerable devices marketed and sold to connect us risk robbing, dividing and defeating us in the years to come: a process one expert has termed “enshittification.”

After years of warnings from the cybersecurity community, alarms are finally sounding in the halls of power. But more is needed: a clarion call to reset, to redefine ownership and security in an age of smart, connected devices before it's too late.

In this panel you’ll be enlisted to join the fight. You’ll hear from experts working at the forefront of a fight to challenge the status quo and seek solutions to safeguard our digital futures.Are you ready to stand up for your right to a secure, connected world? The battle for control, for transparency- for a sustainable and resilient digital future begins now!

Paul Roberts

Paul Roberts is the publisher and Editor in Chief of The Security Ledger and the founder of Secure Repairs (securepairs.org) a coalition of cybersecurity and IT pros who support the right to repair.

Twitter (@paulfroberts)
Website

Chris Wysopal

Chris Wysopal is the CTO of Veracode, a provider of application security testing technology. Chris began his career as a vulnerability researcher at the renowned hacker think tank, L0pht. In 1998, Chris and 6 of his L0pht colleagues testified before the U.S. Senate on matters of U.S. government cybersecurity.

Twitter (@WeldPond)
Twitter (@veracode)

Cory Doctorow

Cory Doctorow is a science fiction author, activist and journalist. He is the author of many books, most recently THE BEZZLE and THE LOST CAUSE. In 2020, he was inducted into the Canadian Science Fiction and Fantasy Hall of Fame.

Mastodon (@doctorow@mamot.fr)
Medium (@doctorow)
Tumblr (@mostlysignssomeportents)
Twitter (@doctorow)
Website

Tarah Wheeler

Tarah Wheeler is the founder and CEO of Red Queen Dynamics; a Senior Fellow in Global Cyber Policy at the Council on Foreign Relations; and a well-known speaker and writer on topics that include cyberwarfare, security best practices, future trends and more.

Twitter (@tarah)
Website

Dennis Giese

Dennis Giese is a researcher with the focus on the security and privacy of IoT devices. While being interested in physical security and lockpicking, he enjoys applied research and reverse engineering malware and all kinds of devices. His most known projects are the documentation and hacking of various vacuum robots. He calls himself a "robot collector" and his current vacuum robot army consists of over 60 different models from various vendors. He talked about his research at the Chaos Communication Congress, REcon BRX, NULLCON, and DEFCON.

Twitter (@dgi_DE)
Website

Back to top

One for all and all for WHAD: wireless shenanigans made easy !

Friday at 17:00 in LVCC - L1 - HW1-11-02 (Track 2)
45 minutes | Demo 💻, Tool 🛠

Damien Cauquil Security Engineer at Quarkslab

Romain Cayre Assistant Professor, Software and System Security (S3) Group at EURECOM

A lot of security research have recently focused on various wireless communication protocols, targeting smartphones, wireless mice and keyboards and even cars. In order to demonstrate these attacks, researchers developed dedicated tools that for most of them include some specialized firmware of their own but also rely on various unique custom host/device communication protocols. These tools work great but are strongly tied to some specific hardware that at some point will not be available anymore, or require hackers to buy more hardware to carry on to have fun with. Why not making these tools compatible with more hardware ? And why researchers always have to create their own host/device protocol when it comes to using a dedicated hardware ? Why not having one flexible protocol and related tools to rule them all ?

We will present in this talk WHAD, a framework that provides an extensible host/device communication protocol, dedicated protocol stacks and way more for hackers who love having fun with wireless protocols. WHAD makes interoperability possible between tools by allowing different hardware devices to be used if they provide the required capabilities, giving the opportunity to create advanced tools without having to care about the hardware and its firmware in most of the cases!

  • [Atlas 2012] Atlas. SubGHz or Bust, 2012. Available at link.
  • [Blu 2019] Bluetooth SIG. Bluetooth Core Specification, 2019.
  • [Cauquil 2016] Damien Cauquil. BtleJuice: The Bluetooth Smart MiTM framework. In DEF CON, volume 24, 2016.
  • [Cauquil 2017b] Damien Cauquil. Sniffing BTLE with the Micro:Bit. PoC or GTFO, vol. 17, pages 13–20, 2017.
  • [Cauquil 2017c] Damien Cauquil. Weaponizing the BBC Micro:Bit. In DEF CON, volume 25, 2017. Available at link.
  • [Cauquil 2018] Damien Cauquil. You’d better secure your BLE devices or we’ll kick your butts ! In DEF CON, volume 26, 2018. Available at link.
  • [Cauquil 2019] Damien Cauquil. Defeating Bluetooth Low Energy 5 PRNG for fun and jamming. In DEF CON, volume 27, 2019. Available at link.
  • [Cayre 2019a] Romain Cayre, Vincent Nicomette, Guillaume Auriol, Eric Alata, Mohamed Kaâniche and Geraldine Marconato. Mirage: towards a Metasploit-like framework for IoT. In 2019 IEEE 30th International Symposium on Software Reliability Engineering (ISSRE), Berlin, Germany, October 2019.
  • [Cayre 2021b] Romain Cayre, Florent Galtier, Guillaume Auriol, Vincent Nicomette, Mohamed Kaâniche and Géraldine Marconato. InjectaBLE: Injecting malicious traffic into established Bluetooth Low Energy connections. In IEEE/IFIP International Conference on Dependable Systems and Networks (DSN 2021), Taipei (virtual), Taiwan, June 2021.
  • [Cayre 2021c] Romain Cayre, Florent Galtier, Guillaume Auriol, Vincent Nicomette, Mohamed Kaâniche and Géraldine Marconato. WazaBee: attacking Zigbee networks by diverting Bluetooth Low Energy chips. In IEEE/IFIP International Conference on Dependable Systems and Networks (DSN 2021), Taipei (virtual), Taiwan, June 2021.
  • [Cayre 2021d] Romain Cayre, Géraldine Marconato, Florent Galtier, Mohamed Kaâniche, Vincent Nicomette and Guillaume Auriol. Cross-protocol attacks: weaponizing a smartphone by diverting its Bluetooth controller. In 14th ACM Conference on Security and Privacy in Wireless and Mobile Networks, Abu Dhabi, United Arab Emirates, June 2021.
  • [Cayre 2021e] Romain Cayre, Damien Cauquil and Aurélien Francillon. ESPwn32: hacking with ESP32 system-on-chips.In 17th IEEE Workshop on Offensive Technologies (WOOT 2023), co-located with IEEE S&P 2023, San Francisco, United States, May 2023.
  • [Goodspeed 2011a] Travis Goodspeed. Promiscuity is the nRF24L01+’s Duty. Available at link, 2011.
  • [IEE 2020] IEEE Standard for Low-Rate Wireless Networks. IEEE Std 802.15.4 2020 (Revision of IEEE Std 802.15.4-2015), pages 1–800, 2020.
  • [Jasek 2016] Sławomir Jasek. Gattacking Bluetooth Smart Devices. In BlackHat USA, 2016. Available at link.
  • [LOG 2019] LogiTacker GitHub Repository, 2019. Available at link
  • [LoR 2017] LoRa Alliance, Inc. LoRaWan Specification, 2017.
  • [Newlin 2016a] Marc Newlin. MouseJack : White Paper. In DEF CON, volume 24, 2016. Available at link.
  • [Olawumi 2014] Olayemi Olawumi, Keijo Haataja, Mikko Asikainen, Niko Vidgren and Pekka Toivanen. Three practical attacks against ZigBee security: Attack scenario definitions, practical experiments, countermeasures, and lessons learned. In 2014 14th International Conference on Hybrid Intelligent Systems, pages 199–206, 2014.
  • [Qasim Khan 2019] Sultan Qasim Khan. Sniffle: A sniffer for Bluetooth 5 (LE), 2019. Available at link.
  • [Ryan 2013a] Mike Ryan. Bluetooth: With Low Energy Comes Low Security. In 7th USENIX Workshop on Offensive Technologies (WOOT 13), Washington, D.C., August 2013. USENIX Association.
  • [Vidgren 2013a] N. Vidgren, K. Haataja, J. L. Patiño-Andres, J. J. Ramírez-Sanchis and P. Toivanen. Security Threats in ZigBee-Enabled Systems: Vulnerability Evaluation, Practical Experiments, Countermeasures, and Lessons Learned. In 2013 46th Hawaii International Conference on System Sciences, pages 5132–5138, 2013.
  • [Wright 2009] Joshua Wright. KillerBee: Practical ZigBee Exploitation Framework, 2009. Available at link.
  • [Zillner 2015] T. Zillner. ZigBee Exploited: The good , the bad and the ugly. In BlackHat, 2015.

Damien Cauquil

Damien Cauquil is security engineer at Quarkslab, France. He loves electronics, embedded devices, wireless protocols and to hack all of these not especially in that order. He authored several Bluetooth Low Energy tools like Btlejuice and Btlejack, discovered a way to hack into an existing Bluetooth Low Energy connection that has later been improved by his co-speaker Romain Cayre, and other tools on a lot of different topics that tickle his mind but not always related to security or wireless protocols.

mamot.fr/@virtualabs
quarkslab.com

Romain Cayre

Romain Cayre is assistant professor in Software and System Security (S3) group at EURECOM, France. He works on topics related to wireless security, IoT security and embedded systems security. He loves hacking embedded wireless stacks and playing with wireless protocols. In the past, he worked on several research projects related to wireless hacking, like WazaBee (a cross-protocol pivoting attack allowing to receive and transmit arbitrary 802.15.4 packets from a diverted BLE transceiver), InjectaBLE (an attack allowing to inject arbitrary packets into an ongoing Bluetooth Low Energy connection by leveraging a race condition in the Link Layer clock drift compensation mechanism), and OASIS (a defensive framework allowing to generate an embedded detection software and inject it into Bluetooth Low Energy controllers).

He is also the main developer of Mirage, an offensive framework for wireless communication protocols (and a draft to the new framework WHAD !)

Mastodon (@rcayre@infosec.exchange)
Twitter (@CayreRomain)
Website

Back to top

Breaking Secure Web Gateways (SWG) for Fun and Profit

Friday at 17:00 in LVCC - L1 - HW1-11-04 (Track 4)
45 minutes | Demo 💻, Exploit 🪲, Tool 🛠

Vivek Ramachandran Founder at SquareX

Jeswin Mathai Chief Architect at SquareX

Secure Web Gateways (SWGs) are cloud-based SSL-intercepting proxies and an important component of enterprise Secure Access Service Edge (SASE) or Security Service Edge (SSE) solutions. SWGs ensure secure web access for enterprise users by doing malware protection, threat prevention, URL filtering, and content inspection of sensitive data, among other critical security measures.

Our research indicates that in today's world of complex web applications and protocols, SWGs often fail to deliver on their promise. We will demonstrate a new class of attacks: “Last Mile Reassembly Attacks,” which, as of this writing, can bypass every SWG in the Gartner Magic Quadrant for SASE and SSE - this includes the largest public market cybersecurity companies in the world. Additionally, we will release an open-source attack toolkit for researchers and red teams to test these attacks on their security solutions and better understand their security exposure.

We aim for our talk to compel SWG vendors to rethink cloud-based client-side web attack detection models, and for enterprises to rethink how they look at securing their users against web threats.

Secure Web Gateway Basics: link SSL Interception and Attacks: link

Vivek Ramachandran

Vivek Ramachandran is a security researcher, book author, speaker-trainer, and serial entrepreneur with over two decades of experience in offensive cybersecurity. He is currently the founder of SquareX, building a browser-native security product focused on detecting, mitigating, and threat-hunting web attacks against enterprise users and consumers. Prior to that, he was the founder of Pentester Academy (acquired in 2021), which has trained thousands of customers from government agencies, Fortune 500 companies, and enterprises from over 140+ countries. Before that, Vivek’s company built an 802.11ac monitoring product sold exclusively to defense agencies. Vivek discovered the Caffe Latte attack, broke WEP Cloaking, conceptualized enterprise Wi-Fi Backdoors, and created Chellam (Wi-Fi Firewall), WiMonitor Enterprise (802.11ac monitoring), Chigula (Wi-Fi traffic analysis via SQL), Deceptacon (IoT Honeypots), among others. He is the author of multiple five-star-rated books in offensive cybersecurity, which have sold thousands of copies worldwide and have been translated into multiple languages. He has been a speaker/trainer at top security conferences such as Blackhat USA, Europe and Abu Dhabi, DEFCON, Nullcon, Brucon, HITB, Hacktivity, and others. Vivek’s work in cybersecurity has been covered in Forbes, TechCrunch, and other popular media outlets. In a past life, he was one of the programmers of the 802.1x protocol and Port Security in Cisco’s 6500 Catalyst series of switches. He was also one of the winners of the Microsoft Security Shootout contest held in India among a reported 65,000 participants. He has also published multiple research papers in the field of DDoS, ARP Spoofing Detection, and Anomaly-based Intrusion Detection Systems. In 2021, he was awarded an honorary title of Regional Director of Cybersecurity by Microsoft for a period of three years, and in 2024 he joined the BlackHat Arsenal Review Board.

LinkedIn
Twitter (@vivekramac)

Jeswin Mathai

Jeswin Mathai serves as the Chief Architect at SquareX, where he leads the design and implementation of the company's infrastructure. Before joining SquareX, he was part of Pentester Academy (acquired by INE) where he was responsible for managing the whole lab platform that was used by thousands of customers from government agencies, Fortune 500 companies, and enterprises from over 140+ countries. A seasoned speaker and researcher, Jeswin has showcased his work at prestigious international stages such as DEFCON China, RootCon, Blackhat Arsenal, and Demo Labs at DEFCON. He has also imparted his knowledge globally, training in-classroom sessions at Black Hat US, Asia, HITB, RootCon, and OWASP NZ Day. Jeswin is also the creator of popular open-source projects such as AWSGoat, AzureGoat, and PAToolkit. He holds a Bachelor's degree from IIIT Bhubaneswar, where he led the InfoSec Society. In association with CDAC and ISEA, he spearheaded security audits of government portals and orchestrated cybersecurity workshops for government officials. Jeswin's professional interests are focused on advancing the fields of Cloud Security, Container Security, and Browser Security.

Back to top

Exploiting Bluetooth - from your car to the bank account$$

Friday at 17:30 in LVCC - L1 - HW1-11-03 (Track 3)
45 minutes | Exploit 🪲, Tool 🛠

Vladyslav Zubkov Bug Bounty Hunter

Martin Strohmeier Senior Scientist at Cyber Defence Campus

Over the past decade, infotainment systems have experienced a growth in functionality, broader adoption, and central incorporation into vehicle architecture. Due to the ever-growing role of wireless protocols such as Bluetooth and a known lack of patches alongside the difficulty of patch installation, this poses a new attack surface and a genuine threat to the users. Meanwhile, the tools and methodologies required for testing are scattered across the Internet, absent and need a rigorous setup.

In this talk, we share a comprehensive framework BlueToolkit to test and replay Bluetooth Classic vulnerabilities. Additionally, we release new exploits and a privilege escalation attack vector.

We show how we used the toolkit to find 64 new vulnerabilities in 22 modern cars and the Garmin Flight Stream flight management system used in several aircraft types. Our work equips hackers with insights and necessary information on novel vulnerabilities that could be used to steal information from target cars, establish MitM position or escalate privileges to hijack victims’ accounts and MFA codes stealthily.

Overall, we show vulnerabilities in cars, aircraft and smartphones. We believe our research will be beneficial in finding new vulnerabilities and making Bluetooth research more accessible and reproducible.

References:

  • BlueToolkit - Bluetooth Classic vulnerability testing framework link (all exploits will be uploaded after 9th of August)
  • MapAccountHijack - Tool that allows hijacking services by exploiting widely used Bluetooth Classic functionality link - link (accessible after 9th of August)
  • D. Antonioli and M. Payer. On the insecurity of vehicles against protocol-level bluetooth threats. In 2022 IEEE Security and Privacy Workshops (SPW), pages 353–362, Los Alamitos, CA, USA, May 2022. IEEE Computer Society.
  • Cross-Sectional Analysis of the Bluetooth Stack of Modern Cars - (The link will be updated)
  • Wenjian Xu. Stealthily Access Your Android Phones: Bypass The Bluetooth Authentication. link, 2020.
  • Tyler Tucker, Hunter Searle, Kevin Butler, and Patrick Traynor. Blue’s clues: Practical discovery of non-discoverable bluetooth devices. In 2023 IEEE Symposium on Security and Privacy (SP), pages 3098–3112, 2023.
  • Maximilian von Tschirschnitz, Ludwig Peuckert, Fabian Franzen, and Jens Grossklags. Method confusion attack on bluetooth pairing. In 2021 IEEE Symposium on Security and Privacy (SP), pages 1332–1347, 2021.
  • Daniele Antonioli, Nils Ole Tippenhauer, and Kasper Rasmussen. The KNOB is Broken: Exploiting Low Entropy in the Encryption Key Negotiation of Bluetooth BR/EDR. In USENIX Security Symposium (SEC), August 2019

Vladyslav Zubkov

Vladyslav Zubkov (aka yso and schwytz) is a bug bounty hunter. He is consistently among the top hackers at live hacking events organized by Meta, Intel, Louis Vuitton, Intigriti and YesWeHack. His interests include vulnerability research, application security, red teaming, bug bounty hunting, developing tools and proactively securing systems.

Twitter (@0a_yso)

Martin Strohmeier

Martin Strohmeier is a Senior Scientist at the Swiss Cyber Defence Campus, where he is responsible for vulnerability research programmes into aircraft, satellites and cars. His work was published in all major systems security conferences, totalling more than 100 publications to date. He has also spoken previously at the DEFCON Aerospace Village and co-organized CTFs there.

Twitter (@masorx)

Back to top

Stranger in a Changed Land

Friday at 17:30 in LVCC - L3 - W322-W327 (Warstories Track)
20 minutes

Tony Sager Senior VP & Chief Evangelist at Center for Internet Security (CIS)

What's it like to spend a career as a cyberdefender for the DoD and the nation, but homed inside of an intelligence agency? In this talk, I'll offer a historical and personal perspective based on 35 years at the National Security Agency as a vulnerability analyst for the defense, from junior analyst to executive manager. The common element across my career was the search for vulnerabilities in the name of defense - finding them, making sense of them, leading organizations to find them, and then translating that knowledge into action to prevent or manage them. I'll share lessons learned as cyberdefense evolved from a focus on mathematics and cryptography to systems and software; and from government security to a global internet. And we'll focus on the mission, technical, and cultural interplay of cyberdefense and offense/intelligence as it played out at NSA. War stories, culture clashes, bureaucratic mazes? Of course! But in the end, better security for all.

Communications Security, Computer Security, Information Security, Information Assurance, Defensive Information Operations, and several more - I'm very lucky to have ridden the World-Wide Wave we now call cybersecurity.

And I am very proud to have spent 35 years in Federal Service at the National Security Agency as part of the Information Assurance mission. The common element across my career was the search for vulnerabilities in the name of defense - finding vulnerabilities, making sense of them, leading organizations to find them, and then translating that knowledge into action to prevent or manage them.

That final challenge consumed the last third of my government career. How can we translate what we learn through product testing, Red Teams, Blue Teams, systems analysis, etc. into operational guidance, best practices, requirements, training, and security improvements? How can we bridge the gap between telling people what they are doing wrong, and helping them do what's right? This led to projects like the release of NSA Security Guides to the public (www.nsa.gov), involvement in open standards for security automation and information sharing, and an activity now known as the Critical Security Controls.

Since retirement in 2012, I have been able to continue to serve the cause of cyber defense through our work at the non-profit Center for Internet Security, and the Council on CyberSecurity before that. And I am very active in more volunteer cybersecurity causes than I can recall.

Tony Sager

Tony is currently Senior VP & Chief Evangelist for the Center for Internet Security (CIS), leading a wide variety of strategic, partnership, and outreach activities. He led the work which later became known as the CIS Critical Security Controls – an independent, volunteer-developed, cyber defense best practices program which is used throughout the industry. Tony has led numerous other activities to develop, share, scale, and sustain effective defensive cyber practices for worldwide adoption.

In addition to his duties at CIS, Tony is a volunteer in numerous cyber community service activities: inaugural member of the DHS/CISA Cyber Safety Review Board; Advisor to the Minnesota Cyber Security Summit; Advisory Boards for several local schools and colleges; formerly a member of the National Academy of Sciences Cyber Resilience Forum; and service on numerous national-level study groups and advisory panels.

Tony retired from the National Security Agency in 2012 after 34 years as a mathematician, computer scientist, and executive manager. As one of the Agency’s first Software Vulnerability Analysts, he helped create and led two premier NSA cyber defense organizations (the System and Network Attack Center, and the Vulnerability Analysis and Operations Group). In 2001, he led the release of NSA security guidance to the public and expanded NSA’s role in the development of open standards for security.

In 2023, Tony was inducted into the Cybersecurity Hall of Fame.

Back to top

DEF CON Franklin Project

Friday at 18:00 in LVCC - L1 - HW1-11-04 (Track 4)
20 minutes

Jacob H Braun Acting Principal Deputy National Cyber Director at Office of the National Cyber Director (ONCD)

DEF CON Franklin will infuse research from the hacker community into national security and foreign policy debates. We aim to lift up groundbreaking work happening across villages and deliver this critical research to key policymakers across the globe. Aside from policy work, Franklin will empower individual members of the community to volunteer directly with under-resourced critical infrastructure that support our world.

Jacob H Braun

Jake Braun served in the White House as Acting Principal Deputy National Cyber Director from May 2023 to July 2024. Prior to joining the White House Office of the National Cyber Director, he was appointed by President Joseph Biden as Senior Counselor to the Secretary of Homeland Security. Braun is also a lecturer at the University of Chicago’s Harris School of Public Policy Studies and Chairman of the Cyber Policy Initiative there.

From 2009 to 2011, Braun served as White House Liaison to the U.S. Department of Homeland Security. Braun is also co-founder of the DEF CON Voting Machine Hacking Village (Voting Village) hacker conference."

Back to top

The Pwnie Awards

Saturday at 10:00 in LVCC - L1 - HW1-11-01 (Track 1)
45 minutes

The Pwnies are an annual awards ceremony celebrating and making fun of the achievements and failures of security researchers and the wider security community. Every year, members of the infosec community nominate the best research and exploits they’ve seen. The Pwnie Award nominations are judged by a panel of respected security researchers and former pwnie award recipients – the closest to a jury of peers a hacker is likely to ever get. At this event DEF CON attendees will get a first person look at some of the most groundbreaking research and hacks in the cyber security community of the past year, and the winners get some well deserved recognition from the broader community for the great work they’ve done.

Back to top

Laundering Money

Saturday at 10:00 in LVCC - L1 - HW1-11-02 (Track 2)
20 minutes

Michael Orlitzky

CSC ServiceWorks is a large vendor of pay-to-play laundry machines in apartments and condomiums. Most are Speed Queens, but newer CSC-branded machines use an app for payment and have custom circuitry inside. Many however accept quarters as well. We show that, when all else fails, you can always physically bypass the coin slot to run the machines for free.

  1. link
  2. link
  3. link
  4. link
  5. link
  6. link
  7. link
  8. link
  9. link
  10. link
  11. link
  12. link
  13. link
  14. link
  15. link
  16. link
  17. link
  18. link
  19. link
  20. link
  21. link

Michael Orlitzky

Michael is a programmer, linux developer, network administrator, security consultant, lockpicker, bike messenger, and mathematician from Baltimore. The only thing he hates more than computers is computers inside of other things.

michael.orlitzky.com/

Back to top

Mutual authentication is optional

Saturday at 10:00 in LVCC - L1 - HW1-11-03 (Track 3)
20 minutes | Demo 💻

Xavier Zhang

Physical access control systems are often exploited in a number of ways. It could be weaknesses found within the credential itself, the antiquated communication protocol, the hardware itself, or the firmware it is running. But more often than not, it is a combination of factors that allow a variety of attacks from multiple dimensions. Some are extremely trivial and require little to no skill to perform, whereas some attacks require a bit more setup and knowledge of how the underlying technology works. We will go into detail on how these systems work, why verifying mutual authentication is important for physical access control systems and the exploits that can be accomplished, as well as ways to mitigate these exploits to make your facility more secure. This talk will include interactive demos involving official HID readers and hardware, proxmark3, and the flipper zero.

Xavier Zhang

Xavier Zhang is a physical security consultant and security researcher working with RFID enabled technologies and physical access control systems. He is the author of numerous pieces of documentation in Iceman’s proxmark3 repo such as the HID credential downgrade guide and an avid bug hunter in the proxmark3 community. ‍ Aside of physical security consulting, Xavier loves everything to do with DRM and reverse engineering how various forms of DRM are implemented in RFID tags. Currently Xavier is working on decoding the DRM used in a license violating closed source app based on the proxmark3 source, and all of the RFID tags it uses to help keep open source, open source.

Back to top

Reverse Engineering MicroPython Frozen Modules: Data Structures, Reconstruction, and Reading Bytecode

Saturday at 10:00 in LVCC - L1 - HW1-11-04 (Track 4)
45 minutes | Demo 💻, Tool 🛠

Wesley McGrew Senior Cybersecurity Fellow at MartinFederal

MicroPython is a firmware environment for quickly developing and deploying software onto microcontroller systems. It is used in a variety of industrial and scientific applications, as well as (most importantly) in some DEF CON #badgelife projects. It's easy to learn and use for rapid prototyping.

For hackers interested in reverse engineering compiled or obfuscated MicroPython code, there are some obstacles. MicroPython is an implementation of CPython, not a port, so it has its own compiled bytecode language that existing reverse engineering tools aren't designed to parse. Also, modules can be "frozen", compiled directly into the microcontroller firmware, and may be difficult to locate and parse when microcontroller firmware is extracted and analyzed.

In this talk, Wesley will walk the audience through the process of identifying "frozen"/compiled modules in a firmware image without debug symbols using the Ghidra disassembler. The relevant module, string, object, and raw code data structures will be detailed, so that everything required to rebuild a non-frozen module can recovered. Once a compiled module is reconstructed, Wesley will present a detailed example of reading and understanding MicroPython compiled bytecode, for the purpose of reverse engineering the purpose and implementation of the module.

  • Micropython source code
  • Official documentation, including:
    • .mpy files: link
    • Micropython internals: link
  • "Securing a MicroPython System" link
  • The collected Raspberry Pi Pico documentation for my test environment link
  • Andrew Leech - "Profiling Pathogens with (micro) Python" link
  • Kevin McAleer - "Securing Passwords with MicroPython" link
  • C. Spindler - "MicroPython used in industrial applications" link
  • "MicroPython and the European Space Agency" link

Wesley McGrew

Dr. Wesley McGrew directs research, development, and offensive cyber operations as Senior Cybersecurity Fellow for MartinFederal. He has presented on topics of penetration testing and malware analysis at DEF CON and Black Hat USA and taught a self-designed course on reverse engineering to students at Mississippi State University, using real-world, high-profile malware samples. Wesley has a Ph.D. in Computer Science from Mississippi State University for his research in vulnerability analysis of SCADA HMI systems.

Mastodon (@mcgrew@defcon.social)
MixCloud
Twitter (@McGrewSecurity)

Back to top

CULT OF THE DEAD COW & Friends Present: Prime Cuts from Hacker History - 40 Years of 31337

Saturday at 10:00 in LVCC - L3 - W322-W327 (Warstories Track)
105 minutes

Deth Veggie

Walter J. Scheirer

Patrick “Lord Digital” Kroupa

John Threat

Emmanuel Goldstein

X

TommydCat

The year is 1984… Ronald Reagan is President, it is a “New Mourning in America.” In Texas, a small cabal of malcontents meet in an abandoned slaughterhouse, decorated with heavy metal band posters, satanic iconography, and, most ominously, the skull of a DEAD COW… As pirated copies of speedmetal and punk music play in the background, these erstwhile revolutionaries speak of their disillusion with The Way Things Are, and their obsession with their new computers. All over America, teens were waking to not just the typical dissatisfaction of adolescence, but the awareness that via these new modes of communication and interaction, they could meet like-minded others, have some illicit fun, and maybe, just maybe, change the goddamn world.

1984 wasn’t the beginning of hacking, but brought perhaps the first real blossoming of the culture. The spread of the personal computer, and the modem, brought the birth of not just cDc, but the Legion of Doom, and 2600 Magazine. 1985 would bring Phrack Magazine, and a true explosion in the written culture, with t-files becoming the currency of the Truly Elite. In this session, members of cDc, 2600, LoD, MoD, and r00t will talk about what made them hackers and phreaks, swap stories, and answer questions posed by Prof. Walter Scheirer of the University of Notre Dame and audience Q&A.

Deth Veggie

cDc Minister of Propaganda, Archaeologist, Gadabout. Cultee since 1990, r00t since 1995, K-rad since birth.

Bsky

Walter J. Scheirer

Dennis O. Doughty Collegiate Professor of Engineering at the University of Notre Dame. Author of A History of Fake Things on the Internet (Stanford University Press, 2023)

Patrick “Lord Digital” Kroupa

Member Legion of Doom (LoD) & cDc, Co-founder Mindvox

John Threat

world renowned hacker, futurist, security advisor, artist, professor, and writer/director. Wired Magazine Cover, 60 Minutes, MoD, 8lgm, & r00t

Emmanuel Goldstein

Editor & Publisher 2600 Magazine, HOPE Conference coordinator, host of WBAI's "Off The Hook”

X

Hacker/Vulnerability Archivist, r00t, creator of one of the earliest and longest running vulnerability databases in the World.

TommydCat

Technology Generalist and Oldskool Denizen of the Computer Underground, from the 80s onward, TdC’s ridden the wave from the days of dumping G-PHilez on AEs to dumping DBs in S3s.

Back to top

Gotta Cache ‘em all: bending the rules of web cache exploitation

Saturday at 10:30 in LVCC - L1 - HW1-11-02 (Track 2)
45 minutes | Demo 💻, Exploit 🪲, Tool 🛠

Martin Doyhenard Security Researcher at Portswigger

In recent years, web cache attacks have become a popular way to steal sensitive data, deface websites, and deliver exploits. We've also seen parser inconsistencies causing critical vulnerabilities like HTTP Request Smuggling. This raises the question: what happens if we attack web caches' URL-parsers?

In this session, I'll introduce two powerful new techniques that exploit RFC ambiguities to bypass the limitations of web cache deception and poisoning attacks.

First, I'll introduce Static Path Deception, a novel technique to completely compromise the confidentiality of an application. I’ll illustrate this with a case study showing how such a breach can be replicated in environments like Nginx behind Cloudflare.

Next, I'll present Cache Key Confusion, and show how to exploit URL parsing inconsistencies in major platforms, including Microsoft Azure Cloud. I’ll then show how to achieve arbitrary cache poisoning and full denial of service.

Finally, I'll reveal how to supercharge these vulnerabilities with a live demo that blends Cache Key Confusion with a “non-exploitable” open redirect to execute arbitrary JS code for complete site takeover.

Attendees will depart armed with a set of innovative techniques, along with a definitive methodology to find and exploit these and other URL or HTTP discrepancies.

Web Cache Deception Attack - Omer Gil link

This is the first time Web Cache Deception attacks were introduced and worked as a starting point for my research.

Web Cache Entanglement: Novel Pathways to Poisoning - James Kettle link

This research worked as an inspiration to develop the cache poisoning techniques. I also used this paper to outline the state of the art in web cache exploitation and create a different approach using parser discrepancies.

Cached and confused: Web cache deception in the wild - Seyed Ali Mirheidari, Sajjad Arshad, Kaan Onarlioglu, Bruno Crispo, Engin Kirda and William Robertson. link

The web cache deception techniques using delimiters for path confusion were inspired by the 2020 USENIX presentation “Cached and confused: Web cache deception in the wild”. In that presentation, they briefly describe some variations of path confusion using four encoded characters. Although the objective of their paper was to show a large-scale study of web cache deception vulnerabilities in the wild, it also introduced the use of delimiters for path confusion. In my presentation I'll expand on this concept, providing a methodology to find all the delimiters used by a URL parser and explaining how to use them in new exploitation techniques.

ChatGPT Account Takeover - Wildcard Web Cache Deception - Harel Security Research link

Also, during the time this research was being conducted, a vulnerability using a single variation of one of the techniques (Static Path Confusion) was published as a write up.

Martin Doyhenard

Martin Doyhenard is a Security Researcher at Portswigger, known for exploiting HTTP servers and web applications. Over the past few years he has presented his findings in multiple top security conferences including BlackHat, DEFCON, RSA, EkoParty, Hack in The Box and Troopers.

His latest work includes discovering HTTP Response Smuggling techniques and exploiting SAP’s Inter-Process Communication service - compromising more than 200 thousand companies in the world.He’s also passionate about low level reverse engineering and testing his skills in online CTFs.

Twitter (@tincho_508)

Back to top

Smishing Smackdown: Unraveling the Threads of USPS Smishing and Fighting Back

Saturday at 10:30 in LVCC - L1 - HW1-11-03 (Track 3)
45 minutes

S1nn3r

It's the holiday season and all through the air,

Messages arrive, not with joy, but despair.

A sinister plot unfolds, a digital dance,

Smishing scammers striking, a threat to enhance.

This past holiday season saw a dramatic rise in SMS phishing (smishing) messages, specifically targeting people pretending to be the USPS. Almost everyone in the United States received one of these messages using a kit sold by the ‘Smishing Triad’. While many of us knew these were scams many more did not, including someone close to me.

I knew I had to do something about it once I started receiving these texts myself. With my focus in web application testing, I immediately took interest in these smishing kits and how I could exploit them. After a thorough review, some collaboration with other researchers, and a little reverse engineering I was able to find two vulnerabilities in the scammer’s kits allowing me to login to the admin panels.

Using this I have been able to recover over 390k distinct credit cards that the scammers had gathered using over 40 admin panels and well over 900 unique domains. Along with this was info on the scammers themselves like login IPs, usernames, and some cracked passwords they use.

This talk will cover the technical details of how I reverse engineered this kit, found these vulnerabilities, and collected the victim and admin data for each of these sites.

My Blog:

link link

S1nn3r

S1nn3r is a recent college graduate. He holds the OSCP, GCIH, eCPPT, Sec+, and some more alphabet soup. He has interned with multiple DoD agencies and now will work in the private sector doing red teaming. During his internships he has worked in exploit development, red teaming, and threat analysis. During his time at school, he has been elected president of the Cybersecurity Club, led multiple CTF teams, organized CTFs, discovered a CVE, and has been awarded over $10k from bug bounty programs.

Twitter (@S1n1st3rSecuri1)
blog.smithsecurity.biz/

Back to top

The Rise and Fall of Binary Exploitation

Saturday at 11:00 in LVCC - L1 - HW1-11-01 (Track 1)
45 minutes

Stephen Sims Fellow Instructor at SANS Institute

For the past 20+ years binary exploitation has been seen as the ultimate challenge and prize, when exploiting large applications and operating systems. During this period, the question of "How much longer will we be able to do this?" has been asked countless times, and with good reason. Memory safety and corruption issues with low-level languages have been an enormous challenge for OS and application developers. There are certainly efforts to move to "safer" languages such as Rust, but those languages need to mature a bit longer before they're able to stand up to the capabilities of a language like C++.

Thanks to exploit mitigations and memory protections, a large number of these vulnerabilities are not exploitable. There are the mature mitigations, such as Data Execution Prevention (DEP) and Address Space Layout Randomization (ASLR), and then newer ones such as Control-flow Enforcement Technology (CET) and Virtualization Based Security (VBS). A large number of these mitigations are not enabled by default on the Windows OS, due to the fact that many need to be tested to ensure they do not break production applications. In this presentation, we will take a technical dive into the state of binary exploitation and the effectiveness of the many available mitigations, by looking at the way they're enforced.

Stephen Sims

Stephen Sims is an experienced vulnerability researcher and exploit developer, having discovered and privately disclosed many vulnerabilities affecting well-known browsers and OS kernels. He is co-author of the popular Gray Hat Hacking book series through McGraw-Hill, now in its 6th edition. He is a Fellow Instructor with the SANS Institute and author of some of their most advanced content covering exploit development and other offensive operations and security related topics. Stephen also runs the Off By One Security channel on YouTube, where he teaches offensive-related material, bringing on a wide variety of experts on to provide free training to the community.

Twitter (@Steph3nSims)
YouTube

Back to top

SHIM me what you got - Manipulating Shim and Office for Code Injection

Saturday at 11:00 in LVCC - L1 - HW1-11-04 (Track 4)
45 minutes | Demo 💻, Tool 🛠

Ron Ben-Yizhak Security Researcher at Deep Instinct

David Shandalov Security Researcher at Deep Instinct

This talk brings back from the dead an attack surface that security vendors believed they had addressed a long time ago.

We will introduce a novel and stealthy technique to apply malicious shims on a process that does not require registry modification or SDB files and leaves no traces on the disk.

The reverse engineering of the shim infrastructure will be shown while focusing on undocumented API and the kernel driver of the infrastructure.

The various operations offered by the infrastructure will be analyzed from an offensive point of view, and the course we took to achieve this unique technique will be presented.

In addition, we will unveil an attack surface research that resulted in a noteworthy attack that manipulates 2 different OS components into performing DLL injection and privilege escalation.

Researching the undocumented RPC interfaces of the service OfficeClickToRun.exe uncovered a method that can inject a DLL into another process running as “NT AUTHORITY\SYSTEM”, which achieves privilege escalation. For this to work, specific conditions had to be met.

The conditions we tailored will be displayed as we abuse the Opportunistic Lock and App Compatibility (shim) mechanisms.

  1. link
  2. link
  3. link
  4. link

Ron Ben-Yizhak

Ron Ben-Yizhak is a security researcher at Deep Instinct.

He is responsible for research of malware campaigns, attack surfaces and vectors and evasion techniques.

His findings are used for developing new analysis, detection, and mitigation capabilities.

Ron joined Deep Instinct in 2019 after serving as a security researcher and forensics specialist in one of the IDF's elite cyber units.

LinkedIn
Twitter (@RonB_Y)

David Shandalov

David Shandalov works as a security researcher at Deep Instinct.

His role involves researching and identifying new cyber threats and vulnerabilities, and developing tools for threat detection and analysis.

David began his journey in cybersecurity as a Malware Researcher at Checkpoint and, prior to that, served in the IDF's intelligence corps.

Outside of research, David enjoys flying and is currently working on obtaining his Private Pilot License.

LinkedIn
Twitter (@DavidShandalov)

Back to top

QuickShell: Sharing is caring about an RCE attack chain on Quick Share

Saturday at 11:30 in LVCC - L1 - HW1-11-02 (Track 2)
45 minutes | Demo 💻, Exploit 🪲, Tool 🛠

Or Yair Security Research Team Lead at SafeBreach

Shmuel Cohen Senior Security Researcher at SafeBreach

Quick Share (formerly Nearby Share) has enabled file sharing on Android for 4 years and expanded to Windows a year ago.

Google's promotion of Quick Share for preinstallation on Windows, alongside the limited recent research, ignited our curiosity about its safety, leading to an investigation that uncovered more than we had imagined.

We studied its Protobuf-based protocol using hooks, built tools to communicate with Quick Share devices, and a fuzzer that found non-exploitable crashes in the Windows app. We then diverted to search for logical vulnerabilities, and boy oh boy, we regretted we hadn’t done it sooner.

We found 10 vulnerabilities both in Windows & Android allowing us to remotely write files into devices without approval, force the Windows app to crash in additional ways, redirect its traffic to our WiFi AP, traverse paths to the user’s folder, and more. However, we desired the holy grail, an RCE. Thus, we returned to the drawing board, where we realized that the RCE is already in our possession in a form of a complex chain.

In this talk, we’ll introduce QuickShell - An RCE attack chain on Windows combining 5 out of 10 vulnerabilities in Quick Share. We’ll provide an overview about Quick Share’s protocol, present our fuzzer, the found vulnerabilities, a new HTTPS MITM technique, and finally the RCE chain.

Reference link

Or Yair

Or Yair is a security research professional with six years of experience, currently serving as the Security Research Team Lead at SafeBreach. His primary focus lies in vulnerabilities in the Windows operating system’s components, though his past work also included research of Linux kernel components and some Android components. Or has already presented his vulnerability and security research discoveries internationally at conferences he spoke at such as Black Hat USA 2023, Black Hat Asia 2024, Black Hat Europe 2022, SecTor 2023, RSAC 2023, Security Fest 2023, CONFidence 2023 & 2024 and more

LinkedIn
Twitter (@oryair1999)
Website

Shmuel Cohen

Shmuel Cohen is a cybersecurity professional, who has a diverse background. After he pursued a Bachelor of Science degree in Computer Science, he had the privilege of working at CheckPoint, where he spent 1.5 years developing software and another 1.5 years working as a malware security researcher. As his interest grew in vulnerability research, he decided to join SafeBreach, where he has been able to focus his energies on exploring and addressing vulnerabilities in cybersecurity. Shmuel has previously spoken at BlackHat USA 2023, twice at Black Hat Asia 2024, and twice at CONFidence 2024.

LinkedIn
Twitter (@BinWalker)

Back to top

Sudos and Sudon’ts - Peering inside Sudo for Windows

Saturday at 11:30 in LVCC - L1 - HW1-11-03 (Track 3)
45 minutes | Exploit 🪲

Michael "mtu" Torres Senior Security Engineer, Network Infrastructure Security at Google

In February 2024, Microsoft announced the release of Sudo for Windows for Windows 11 Insider Preview[1]. Like the Unix sudo utility, it provides a method for users to run commands with elevated permissions. This talk will share the results of an analysis of Sudo for Windows, starting with a summary of the information provided by Microsoft. From there, we will explore the architecture used to coordinate the elevation of the specified process, the ALPC service used to communicate between elevated and non-elevated processes, how Rust interoperates with Windows APIs, and the path resolution process for files and relative paths. As part of that journey, we will discuss a few discovered security issues.

This presentation will be valuable to anyone with an interest in Windows reverse engineering or Rust memory safety. A conceptual understanding of Windows Inter-Process Communication (IPC) and heap allocation may make parts of the talk more approachable, but the main ideas will be accessible to anyone with a high-level understanding of process memory layout (stack vs heap).

  1. link
  2. link
  3. link
  4. link
  5. link
  6. link
  7. link

Michael "mtu" Torres

mtu, otherwise known as Michael Torres, is a Senior Security Engineer in the Network Infrastructure Security team at Google, where his primary focus is on Operational Technology systems. Michael is also a Staff Sergeant in the United States Marine Corps Reserve, where he has been responsible for planning and conducting both offensive and defensive cyber operations. He is passionate about sharing knowledge to benefit others, and is an active volunteer for VetSec (veteransec.org), a charity focused on helping military veterans have successful careers in cybersecurity.

Github
blog.sectorr.dev

Back to top

Disenshittify or die! How hackers can seize the means of computation and build a new, good internet that is hardened against our asshole bosses' insatiable horniness for enshittification.

Saturday at 12:00 in LVCC - L1 - HW1-11-01 (Track 1)
45 minutes

Cory Doctorow Author

The enshittification of the internet wasn't inevitable. The old, good internet gave way to the enshitternet because we let our bosses enshittify it. We took away the constraints of competition, regulation, interop and tech worker power, and so when our bosses yanked on the big enshittification lever in the c-suite, it started to budge further and further, toward total enshittification. A new, good internet is possible - and necessary - and it needs you.

Cory Doctorow

Cory Doctorow is a science fiction author, activist and journalist. He is the author of many books, most recently THE BEZZLE and THE LOST CAUSE. In 2020, he was inducted into the Canadian Science Fiction and Fantasy Hall of Fame.

Mastodon (@doctorow@mamot.fr)
Medium (@doctorow)
Tumblr (@mostlysignssomeportents)
Twitter (@doctorow)
Website

Back to top

Grand Theft Actions: Abusing Self-Hosted GitHub Runners at Scale

Saturday at 12:00 in LVCC - L1 - HW1-11-04 (Track 4)
45 minutes | Demo 💻, Tool 🛠

Adnan Khan Red Team Security Engineer

John Stawinski

GitHub Actions is quickly becoming the de facto CI/CD provider for open-source projects, startups, and enterprises. At the same time, GitHub’s security model is full of insecure defaults. This makes it easy for their customers to expose themselves to critical attacks from the public internet. The end result? A systemic vulnerability class that won’t go away.

During our research, we identified GitHub Actions misconfigurations at scale that would allow threat actors to backdoor major open-source projects. An example of this is our attack on PyTorch, a prominent ML framework used by companies and researchers around the world.

Through this attack, we could contribute code directly to the main branch of the PyTorch repository, upload malicious releases, backdoor other PyTorch projects, and more. These attacks began by compromising self-hosted runners, which are machines that execute jobs in a GitHub Actions workflow. From there, we leveraged misconfigurations and GitHub “features” to elevate our privileges within GitHub Actions workflows.

Our research campaign included dozens of reports, over $250,000 in bug bounties, and endless war stories. Tune in for a deep dive into the TTPs that allow turning a trivial runner compromise into a full supply chain attack.

  1. link
  2. link
  3. link

Adnan Khan

Adnan is a Red Team Security Engineer and researcher who has recently been focusing on supply chain and CI/CD attacks. He has identified, demonstrated, and reported vulnerabilities impacting GitHub repositories belonging to organizations like Microsoft, Nvidia, GitHub, Google, and more. Additionally, he has spoken at conferences such as ShmooCon 2023 and BSides SF 2023 on the topic of GitHub Actions security.

LinkedIn
adnanthekhan.com

John Stawinski

John is an offensive security engineer, vulnerability researcher, and writer, specializing in Red Team operations and CICD security. John established himself as a member of the broader security community in 2023 through a series of CI/CD attacks on prominent open-source repositories. Embracing a nomadic lifestyle, John thrives on adventure sports and welcomes new experiences.

LinkedIn
Website

Back to top

automobiles, alcohol, blood, sweat, and creative reversing of an obfuscated Car-Modding tool

Saturday at 12:00 in LVCC - L3 - W322-W327 (Warstories Track)
45 minutes | Demo 💻, Tool 🛠

atlas

reversing can feel uber powerful... like you hold God's honest truth within your hands... most humans don't understand what you can see and comprehend.

until someone tries to hide the truth from you... limit your knowledge... keep you from your glorious purpose!

obfuscated code can be a real downer.

this talk focuses on the story of how i took on an interesting obfuscated target (an automotive modder's tool with ability to flash firmware and tweak engines), in fun and exciting ways.

we'll discuss several problems with obfuscated code, an approach i took (and tooling), playing in the guts of machine code, and customizations to binary analysis tools that came out of the journey...

there will be much hex, disassembly, green on black, total carnage.

you will walk away with powerful ideas and new tools to help you in your pursuit of truth. you will be entertained, enriched, educated, and hopefully inspired. instead of thinking that "atlas is smart" my goal is you feeling, and being, more powerful.

come with Vivisect installed to follow along!

atlas

atlas is a doer of things. with nearly 20 years of experience binary reverse-engineering, exploiting, and bringing friends along, he's as likely to talk about RF signals as to discuss converting machine language bits into assembly instructions, intermediate languages, and decompilers. driven by the "truth", and desire to write tools to make finding truth easier, his talks always engage, embrace, and baffle.

Twitter (@at1as)

Back to top

The Secret Life of a Rogue Device - Lost IT Assets on the Public Marketplace

Saturday at 12:30 in LVCC - L1 - HW1-11-02 (Track 2)
45 minutes

Matthew "mandatory" Bryant Red Team Lead at Snapchat

An ex-employee's work laptop, a secret hardware prototype, the company backup server, and classified government computers. What do these things have in common? They should never end up on the public market. Ask any IT department and they'll tell you that "it happens", but how serious is the problem and what's really at stake? This talk explores the interesting journey of a research project to learn the surprising answers to these questions.

Along the way we'll scrape over 150 million images from online listings in Western and Eastern second hand markets, hack together an OCR cluster out of old iPhones, reverse engineer well-obfuscated Chinese apps, and converse with secretive underground groups of collectors.

Matthew "mandatory" Bryant

mandatory (Mathew Bryant) is a passionate hacker currently leading the red team effort at Snapchat. In his personal time he’s published a variety of tools such as XSS Hunter, CursedChrome, and tarnish. His security research has been recognized in publications such as Forbes, The Washington Post, CBS News, Techcrunch, and The Huffington Post. He has previously presented at DEF CON, Blackhat, RSA, Kiwicon, Derbycon, and Grrcon. Previous gigs include Google, Uber, and Bishop Fox.

Twitter (@IAmMandatory)
thehackerblog.com

Back to top

AMD Sinkclose: Universal Ring -2 Privilege Escalation

Saturday at 12:30 in LVCC - L1 - HW1-11-03 (Track 3)
45 minutes | Demo 💻, Exploit 🪲, Tool 🛠

Enrique Nissim Principal Security Consultant at IOActive

Krzysztof Okupski Associate Principal Security Consultant at IOActive

System Management Mode (SMM) is one of the most powerful execution modes in the x86 architecture and code at this level is invisible to the Hypervisor and OS-level protections, including anti-cheat engines and anti-virus systems. While the BIOS ecosystem's complexity has led to a multitude of vulnerabilities in firmware over time, vendors are now making strides in delivering patches with greater speed and efficiency. Unfortunately, these efforts are not enough in the presence of a CPU vulnerability.

When researching the AMD processor, our team noticed a flaw in one of the critical components required for securing SMM. This silicon-level issue appears to have remained undetected for nearly two decades.

This presentation starts by providing an introduction to SMM and the security mechanisms that the AMD processor provides to support it. Subsequently, it delves into the CPU design flaw and the complete methodology and engineering used to create a universal ring -2 privilege escalation exploit.

Enrique Nissim

Enrique Nissim is a security engineer with over a decade of professional experience working on vulnerability research. As a Principal Security Consultant at IOActive, he is mainly involved in projects requiring a deep understanding of operating systems, CPU architectures, embedded firmware and software development. Over his career, Enrique has delivered multiple presentations at several leading events including Black Hat USA, CansecWest, Ekoparty, ZeroNights and Hardwear.io.

Twitter (@kiqueNissim)

Krzysztof Okupski

Krzysztof Okupski is an Associate Principal Security Consultant with IOActive where he specialises in embedded security. While he enjoys hacking various targets, he is particularly interested in the nitty-gritty details of platform security where small misconfigurations can lead to critical issues.

Twitter (@exminium)

Back to top

Fireside Chat with Jay Healey and National Cyber Director Harry Coker, Jr.

Saturday at 13:00 in LVCC - L1 - HW1-11-01 (Track 1)
45 minutes

Harry Coker, Jr. National Cyber Director at White House Office of the National Cyber Director (ONCD)

Jay Healey

The world increasingly appreciates how much we rely on space systems for our personal, economic, and national security needs. However, the nation-state cyber threat to government and commercial systems continues to grow at a time when the current landscape of cybersecurity policies and frameworks aren’t readily applicable for space systems.

In this fireside chat, ONCD will have the opportunity to introduce our 2nd National Cyber Director to the research community and discuss some of his priorities, such as space cybersecurity. We will discuss how the White House has been working to tackle hard problems and challenges. In the instance of space cybersecurity, ONCD has been collaborating with federal space operators and the space industry to develop policy solutions, including by answering a tasking from the Vice President to develop minimum cybersecurity requirements for U.S. space systems.

Harry Coker, Jr.

Harry Coker, Jr. was confirmed by the Senate on December 12, 2023 as the second National Cyber Director in the White House Office of the National Cyber Director. Director Coker is a retired Central Intelligence Agency (CIA) senior executive and career Naval Officer, is a graduate of the US Naval Academy, the Naval Postgraduate School, and Georgetown University Law Center.

Previously, Coker served as Executive Director of the National Security Agency (NSACoker’s service to the Nation and NSA was recognized with the awarding of the National Intelligence Distinguished Service Medal, the NSA Director’s Distinguished Service Medal, and the IC EEOD Outstanding Leadership Award.

During the first seventeen years of his service with the CIA, Coker was assigned to leadership positions in the Directorate of Digital Innovation; the Directorate of Science & Technology; and the Director’s Area. Key assignments included service as Director of the Open Source Enterprise, which is responsible for leveraging publicly available information; and as Deputy Director of CIA’s Office of Public Affairs. Coker’s leadership and contributions earned him the Presidential Rank Award and CIA’s prestigious Don Cryer Award for Diversity & Inclusion.

Jay Healey

Back to top

OH-MY-DC: Abusing OIDC all the way to your cloud

Saturday at 13:00 in LVCC - L1 - HW1-11-04 (Track 4)
45 minutes | Demo 💻, Tool 🛠

Aviad Hahami Palo Alto Networks

As DevOps and developers are slowly shifting away from storing long-lived static credentials to the more secure, still kinda-new, OIDC alternative - the underlying logic, mechanisms and implementations tend to feel like complicated magic and are mostly overlooked.

In this talk, we'll begin by recapping what OIDC is, who are the interacting entities when OIDC is used, and how OIDC is taking place to securely access one's cloud using CI/CD flows.

Once covered, we will be able to alternate our point-of-view between the entities in play and demonstrate potential vulnerabilities in various setups.

Starting with the user PoV, we will show what "under-configurations" look like, and continue by demonstrating how new OIDC configuration options can actually be misconfigurations that can result with a compromise.

We will then see another attack vector where leaking an OIDC token from a single repository in an organization can allow an attacker to abuse under-configurations and access private clouds.

After that, we will shift our PoV to be of the Identity Provider (IdP) so that we can look into what happens if an IdP is misconfigured, and disclose a real-world security vulnerability found in one of the most popular CI vendors that allowed us to access any of their customers' cloud environments.

I'll refer to this talk by the Tinder Security team link where they show how they could "claim" in the name of other identities due to under-configured WIFs.

Aviad Hahami

Security researcher and experienced software engineer with a great passion for algorithms (graph-theory specifically), security research (vulnerability research, bug bounties), chaos engineering (YES!), frontends, backends, web services, systems architecture, infras, clouds(making them rain), and more :)

Today, researching at Palo Alto Networks.

Oh yea I also DJ

Twitter (@_0xffd)

Back to top

Inside the FBI’s Secret Encrypted Phone Company ‘Anom’

Saturday at 13:00 in LVCC - L3 - W322-W327 (Warstories Track)
45 minutes

Joseph Cox Investigative Journalist Co-Founder at 404 Media

In 2018, a secure communications app called Anom started to gain popularity among organized criminals. Soon, top tier drug traffickers were using it all over the world. Because they thought their messages were secure, smugglers and hitmen coordinated high stakes crimes across the platform. But Anom had a secret: it was secretly run by the FBI.

For years Joseph Cox has investigated the inside story of Anom, speaking to people who coded the app, those who sold it, criminals who chatted across it, and the FBI agents who surreptitiously managed it. This new talk, building on details from his recent book DARK WIRE, will include never-before-published technical details on how the Anom network functioned, how the backdoor itself worked, and how Anom grew to such a size that the FBI started to lose control of its own creation.

It will also reflect on how police have entered a new phase of compromising entire encrypted phone networks, with little to no debate from the public, and provide critical insight on what really happens when authorities introduce a backdoor into a telecommunications product.

DARK WIRE: The Incredible True Story of the Largest Sting Operation Ever, June 4th, 2024: link

Joseph Cox

Joseph Cox is an investigative journalist and author of DARK WIRE, the inside story of how the FBI secretly ran its own encrypted phone company called Anom to wiretap the world. He produced a series of exclusive articles on Anom for VICE’s Motherboard, and is now a co-founder of 404 Media.

Bsky
Mastodon (@josephcox@infosec.exchange)
Twitter (@josephfcox)

Back to top

NTLM - The Last Ride

Saturday at 13:30 in LVCC - L1 - HW1-11-02 (Track 2)
45 minutes | Exploit 🪲

Jim Rush

Tomais Williamson

Microsoft is planning to kill off NTLM (New Technology Lan Manager) authentication in Windows 11 and above. Let's speedrun coercing hashes out of a few more things before it fades into obscurity over the next twenty five years or so.

There will be a deep dive on several new bugs we disclosed to Microsoft (including bypassing a fix to an existing CVE), some interesting and useful techniques, combining techniques from multiple bug classes resulting in some unexpected discoveries and some absolutely cooked bugs. We’ll also uncover some defaults that simply shouldn't exist in sensible libraries or applications as well as some glaring gaps in some of the Microsoft NTLM related security controls.

  1. link
  2. link
  3. link
  4. link
  5. Varonis Threat Labs discovered a new Outlook exploit and three new ways to access NTLM v2 hashed passwords. link

Jim Rush

I'm a former software developer who has somehow ended up hacking things for a living, which is infinitely more fun as most of you know. I'm an active security researcher with several CVEs, including Blackboard, Moodle, Nuget, MS-Office and Kramer products.

LinkedIn

Tomais Williamson

I'm an enthusiastic hacker who enjoys CTFs and have competed at an international level in the ICC CTF as well as being part of the CursedCTF 2024 winning team. I'm also an active security researcher with a bunch of CVEs and countless other bugs for a bunch of 'solved problems' in security.

Back to top

Behind Enemy Lines: Engaging and Disrupting Ransomware Web Panels

Saturday at 13:30 in LVCC - L1 - HW1-11-03 (Track 3)
45 minutes | Exploit 🪲

Vangelis Stykas Chief Technology Officer at Atropos

Ransomware groups have become notably proficient at wreaking havoc across various sectors , but we can turn the tables. However, a less explored avenue in the fight against these digital adversaries lies in the proactive offense against their web panels. In this presentation, I will delve into the strategies and methodologies for infiltrating and commandeering the web panels used by ransomware groups to manage their malicious operations or the APIs used during their initial exfiltration of data.

I will demonstrate how to leverage these vulnerabilities to gain unauthorized access to the ransomware groups' web panels. This access not only disrupts their operations but also opens a window to gather intelligence and potentially identify the operators behind those APTs. Let’s explore the frontiers of cyber offense, targeting the very command and control (C2) centers ransomware groups rely on, turning the tables in our ongoing battle against cyber threats,it’s our turn to wreak havoc.

Vangelis Stykas

Vangelis began as a developer from Greece. Six years ago he realized that only his dog didn’t have an API, so he decided to steer his focus towards security.

That led him to pursue a PhD in Web Application Security with an extra focus on machine learning. He’s still actively pursuing it.

He currently applies his skills as a Chief Technology Officer at Atropos, and during his free time, Vangelis is helping start-ups secure themselves on the internet and get a leg up in security terms.

His love of a simplistic approach to hacking by exploiting vulnerable APIs led him to publish research regarding API controlling ships, smart locks, IP cameras, car alarms, EV chargers, and many other IoT devices. Since our lives are nowadays extremely cyber-dependent, his goal is to convince all companies to never neglect their API security as rush-to-market mentality is almost certain to lead to catastrophic security failure.

LinkedIn
Twitter (@evstykas)
stykas.com

Back to top

SQL Injection Isn't Dead: Smuggling Queries at the Protocol Level

Saturday at 14:00 in LVCC - L1 - HW1-11-01 (Track 1)
45 minutes | Demo 💻, Exploit 🪲

Paul Gerste Vulnerability Researcher, R&D team at Sonar

SQL injections seem to be a solved problem; databases even have built-in support for prepared statements, leaving no room for injections. In this session, we will go a level deeper: instead of attacking the query syntax, we will explore smuggling attacks against database wire protocols, through which remote, unauthenticated attackers can inject entire (No)SQL statements into an application's database connection.

Using vulnerable database driver libraries as case studies, we will bring the concept of HTTP request smuggling to binary protocols. By corrupting the boundaries between protocol messages, we desynchronize an application and its database, allowing the insertion of malicious messages that lead to authentication bypasses, data leakage, and remote code execution.

To put our findings into context, we will explore the real-world applicability of this new concept by comparing how robust various languages and frameworks are against these attacks. We will also discuss how smuggling attacks are not specific to database wire protocols but affect all kinds of binary protocols, from databases over message queues to caching. We will end the session with inspirations for future research to explore the topic further.

Paul Gerste

Paul Gerste is a vulnerability researcher on Sonar's R&D team. He has a proven talent for finding security issues, demonstrated by his two successful Pwn2Own participations and discoveries in popular applications like Proton Mail, Visual Studio Code, and Rocket.Chat. When Paul is not at work, he enjoys playing CTFs with team FluxFingers and organizing Hack.lu CTF.

Mastodon (@pspaul@infosec.exchange)
Twitter (@pspaul95)

Back to top

Discovering and exploiting local attacks against the 1Password MacOS desktop application

Saturday at 14:00 in LVCC - L1 - HW1-11-04 (Track 4)
45 minutes | Demo 💻, Exploit 🪲, Tool 🛠

Jeffrey Hofmann Senior Offensive Security Engineer

Colby Morgan Leads, Pentest Team at Robinhood

Password managers are routinely granted a massive level of trust from users, by nature of managing some of their most sensitive credentials. For any noteworthy password manager, the encryption standards for user data are well understood and highly scrutinized. What is less understood is the attack surface of the software itself. This presentation explores the local security of the 1Password MacOS desktop application and answers the question of “how safe are my passwords if my computer is infected or otherwise compromised?”.

This talk will cover the outcome of our research into 1Password, presenting several different attacks to dump local 1Password vaults. This includes describing multiple application vulnerabilities and security weaknesses we identified in the 1Password MacOS desktop application, as well as discussing the inherent limitations in its usage of IPC mechanisms and open source software. Additionally, we will discuss novel vulnerabilities found in Google Chrome that aided our exploitation of the 1Password browser extension.

DarthNull’s work around decrypting 1Password vaults: link

Jeffrey Hofmann

Jeffrey Hofmann is a Senior Offensive Security Engineer with a history of vulnerability research and exploit development. He recreated NSO’s 0 click iOS exploit FORCEDENTRY and discovered pre-auth RCEs in the MDM KACE SMA.

Twitter (@jeffssh)
Website

Colby Morgan

Colby Morgan is a Staff Offensive Security Engineer with extensive application and infrastructure security experience. Colby currently leads the pentest team at Robinhood.

Back to top

Hacking Millions of Modems (and Investigating Who Hacked My Modem)

Saturday at 14:00 in LVCC - L3 - W322-W327 (Warstories Track)
45 minutes | Demo 💻

Sam Curry Founder at Palisade

On December 25th, 2021, I discovered that my modem had been hacked after a strange IP address replayed my traffic. I began researching who they were, how it happened, and eventually discovered a vulnerability which allowed me to passively monitor, change configurations, and execute commands on millions of devices. This talk details 3 years of intermittent web research on ISP security and how broadband equipment is becoming scarily centralized.

  1. N. Mavrakis, "Vulnerabilities of ISPs," in IEEE Potentials, vol. 22, no. 4, pp. 9-15, Oct.-Nov. 2003, doi: 10.1109/MP.2003.1238687
  2. I Hunt TR-069 Admins: Pwning ISPs Like a Boss (Shahar Tal, August 2014, link)
  3. TR-069 Wikipedia link
  4. Cox Communications VDP link

Sam Curry

Sam Curry is a web security researcher, bug bounty hunter, and the founder of Palisade, a security consultancy.

Twitter (@samwcyo)

Back to top

Troll Trapping Through TAS Tools - Exposing Speedrunning Cheaters

Saturday at 14:30 in LVCC - L1 - HW1-11-02 (Track 2)
45 minutes | Demo 💻, Tool 🛠

Allan "dwangoAC" Cecil Founder and Leader at TASBot Online Community

Trolls cheating in video games by passing Tool-Assisted Speedruns off as human effort break leaderboards and stifle speedrunners. Why do they do it when they could make a cool game hack or TAS to show off their work, and how do you trap these trolls? The answer is to use their own tools against them, often with popcorn bucket worthy results like taking down Guinness World Records. From a TASVideos member taking on 1980's Dragster cheat Todd Rogers, a passing mention of Billy Mitchell, and the TASBot team investigating Super Mario Maker shenanigans, this talk covers several notable cheating incidents and concludes with a systematic takedown of a troll that chilled the Diablo speedrunning community for more than a decade.

This talk includes several investigations I have been a part of in some capacity and will ultimately include additional references in the coming months; I've broken the references out by game, presented in Markdown format like the rest of this document:

Dragster

Super Mario Maker

Diablo

Allan "dwangoAC" Cecil

dwangoAC (Allan Cecil) is the founder and leader of the TASBot online community and Senior Ambassador on staff of TASVideos.org. He is a published journal author, patent holder, and unflappable presenter with talks at DEF CON, GeekPwn, Thotcon, May Contain Hackers, and other hacker conferences. dwangoAC uses his combined hacking interests for good at charity events like Games Done Quick to entertain viewers with never-before-seen glitches in games, with event content he's led raising more than $1.5m for various charities.

Discord.gg/TASBot
TAS.Bot
Twitch
YouTube

Back to top

ACE up the Sleeve: From getting JTAG on the iPhone 15 to hacking into Apple's new USB-C Controller

Saturday at 14:30 in LVCC - L1 - HW1-11-03 (Track 3)
45 minutes | Demo 💻, Tool 🛠

Thomas "stacksmashing" Roth

With the iPhone 15 & iPhone 15 Pro Apple switched their iPhone to USB-C - and introduced a new proprietary USB-C controller: The ACE3.

But the ACE3 does more than just handle USB power delivery: It's a full microcontroller running a full USB stack connected to some of the internal busses of the device, and we even managed to access JTAG on the iPhone 15 through it. It also provides access to UART, the internal SPMI bus, etc. Previous variants of the ACE, namely the ACE2 found in MacBooks, could easily be dumped and analyzed using SWD - and even be persistently backdoored through a software vulnerability we found.

On the ACE3 however, Apple upped their game: Firmware updates are personalized, debug interfaces seem to be disabled, and the external flash is validated and does not contain all the firmware. However using a combination of reverse-engineering, RF side-channel analysis and electro-magnetic fault-injection it was possible to gain code-execution on the ACE3 - allowing dumping of the ROM, and analysis of the functionality.

This talk will show how to use a combination of hardware, firmware, reverse-engineering, side-channel analysis and fault-injection to gain code-execution on a completely custom chip, enabling further security research on an under-explored but security relevant part of Apple devices.

  • AsahiLinux USB-PD Documentaiton - link
  • AsahiLinux macvdmtool - link
  • ACE Controller Secrets (for ACE/ACE2) - link
  • Marc Zyngier's Central Scrutinizer - link

Thomas "stacksmashing" Roth

Thomas Roth aka stacksmashing is a security researcher mostly focused on hardware and firmware. His work includes hardware attacks on processors, microcontrollers and cryptocurrency wallets, building cheap JTAG tooling for the iPhone, and attacking a wide variety of embedded devices. He also runs a YouTube channel called stacksmashing about security, reverse engineering and hardware hacking.

Twitter (@ghidraninja)
YouTube

Back to top

Exploiting the Unexploitable: Insights from the Kibana Bug Bounty

Saturday at 15:00 in LVCC - L1 - HW1-11-01 (Track 1)
45 minutes | Demo 💻, Tool 🛠

Mikhail Shcherbakov

aWe explore case studies of exploiting vulnerabilities in modern JavaScript and TypeScript applications, drawing on experiences from participating in the Kibana Bug Bounty Program. It's not uncommon to encounter a vulnerability that appears unexploitable at first glance, or to be told by a triage team that the behavior is "by design." So, what options does a security researcher have in such situations? And what primitives can be utilized to construct an exploitation chain with significant impact?

Our study involves breaking out of properly isolated containers in scenarios where there is RCE-by-design. We will examine several Prototype Pollutions that crash an application in less than one second after exploitation and explore how these vulnerabilities can ultimately lead to critical RCEs. Furthermore, we introduce new primitives and gadgets that enable the achievement of RCE from Prototype Pollutions previously deemed unexploitable beyond DoS attacks.

By highlighting these methods, the talk aims to equip attendees with advanced techniques for exploiting complex vulnerability chains in JavaScript applications, as well as recommendations for proper defense and mitigations against them.

  1. Mikhail Shcherbakov, Musard Balliu and Cristian-Alexandru Staicu "Silent Spring: Prototype Pollution Leads to Remote Code Execution in Node.js"
  2. "Collection of Server-Side Prototype Pollution gadgets" link
  3. Olivier Arteau "JavaScript prototype pollution attack in NodeJS"
  4. Nir Chako "Attacking Kubernetes Clusters Through Your Network Plumbing" link

Mikhail Shcherbakov

Mikhail Shcherbakov came to security from enterprise app development. The tendency is to push it as far as you can… He is now doing a Ph.D. in Language-Based Security after 10+ years of experience in the industry. He participated in Microsoft, GitHub, and open-source bug bounty programs, found vulnerabilities in popular products, and helped to fix them. Before starting a Ph.D. program, he focused on .NET and web security, gave talks at conferences, organized IT meetups, and got the Microsoft MVP Award in 2016 – 2018. Mikhail is an author of commercial static analysis tools and continues research in program analysis.

Twitter (@yu5k3)

Back to top

Measuring the Tor Network

Saturday at 15:00 in LVCC - L1 - HW1-11-04 (Track 4)
45 minutes | Tool 🛠

Silvia Puglisi Lead, Network Health at Tor Project

Roger Dingledine Co-Founder and Original Developer at Tor Project

Millions of people around the world use Tor every day to protect themselves from surveillance and censorship. While the Tor Browser and its protocol are widely known, the backbone of the Tor ecosystem, its extensive network of volunteer relays, is often subject to speculation and misinformation. The Tor Project is dedicated to supporting this network and fostering a vibrant, diverse community of relay operators.

This talk will focus on our efforts to maintain a healthy network and community, and detect and mitigate attacks -- all with the help of metrics and analysis of usage patterns. By illustrating how we collect safe-enough metrics for an anonymity network, we will offer insights into how we identify unusual activity and other noteworthy events on the network. We will also discuss our ongoing strategies for addressing current and future network health challenges.

If you are interested in understanding the inner workings of the Tor network and its relay community and how we keep this vital ecosystem running, this talk is for you.

  1. Network Health Team wiki: link
  2. Two blog posts on Tor network health: link link
  3. Collector (where we archive all network data sets): link
  4. Paper by Rob Jansen et al. on incentives schemes for relays on the Tor network, "Recruiting New Tor Relays with BRAIDS": link
  5. Broader blog post about research papers on incentive for Tor relays: link
  6. Research paper by NRL proposing how to measure relay performance in a way that resists attempts to lie about relay speed: link
  7. Our plan to change how we collect, store and serve Tor network data (discussion from our bug tracker): link
  8. Performance measurements over the Tor Network: link
  9. Onionperf is the tool we use to measure performances from different locations across the globe: link
  10. The number of relays on the network by relay flags: link
  11. Documentation about reproducible metrics: link

Silvia Puglisi

Silvia Puglisi is a Systems Engineer and Privacy Researcher based in Barcelona, EU. She currently leads the network health team at the Tor Project, focusing on maintaining the stability, performance, and security of the Tor network. Silvia is also an O'Reilly author and previously worked at Google for several years. She was part of the Information Security Group at the Department of Telematics Engineering, Universitat Politècnica de Catalunya (UPC), where she earned her Ph.D. Additionally, she has served as an adjunct professor at the Universitat Oberta de Catalunya (UOC).

Mastodon (@nopressure@mastodon.social)
Mastodon (@torproject@mastodon.social)
Twitter (@torproject)

Roger Dingledine

Roger Dingledine is co-founder and original developer of the Tor Project, a nonprofit that develops free and open source software to protect people from tracking, censorship, and surveillance online. Roger works with journalists and activists on many continents to help them understand and defend against the threats they face, and he is a lead researcher in the online anonymity field. EFF picked him for a Pioneer Award, and Foreign Policy magazine chose him as one of its top 100 global thinkers.

Twitter (@RogerDingledine)

Back to top

A Shadow Librarian in Broad Daylight: Fighting back against ever encroaching capitalism

Saturday at 15:00 in LVCC - L3 - W322-W327 (Warstories Track)
45 minutes

Daniel Messer

The public library is under attack. Calls for book banning are at an all time high. Some states have passed laws that hold librarians legally accountable for offering "unacceptable" materials to minors. But before this fire started, another one was already burning. In an era of digital content, from eBooks to streaming movies, public libraries have been forced to accept draconian terms of service at the expense of their patrons and to the benefit of corporations. Grossly inflated eBook prices and licensing, unobtainable materials that went out of print due to artificial scarcity, exorbitant fees for access to academic research; these are just a few of the myriad of ways that libraries have been forced to bow before capitalism, all because of a desire to serve the public. But we can fight back...

And no one says we need to fight fairly.

I’d like to tell you some real life stories of a public librarian with a quasi-legal, dark grey skillset. And I’d love to share some ideas about what you can do to help others. If I can do this, you can. And anyone can be a shadow librarian.

  1. Bodó, Balázs, Dániel Antal, and Zoltán Puha. “Can Scholarly Pirate Libraries Bridge the Knowledge Access Gap? An Empirical Study on the Structural Conditions of Book Piracy in Global and European Academia.” Edited by Sergi Lozano. PLOS ONE 15, no. 12 (December 3, 2020): e0242509. link.
  2. Böök, Mikael. “Herding the Wind,” 2020. link.
  3. Brown, Elizabeth Nolon. “You Can’t Stop Pirate Libraries.” Reason, 2022. link.
  4. Complutense, Francisco Segado-Bo, Juan Martín-Quevedo, and Juan-José Prieto-Gutiérrez. “Jumping over the Paywall: Strategies and Motivations for Scholarly Piracy and Other Alternatives.” Accessed January 4, 2024. link.
  5. Gardner, Gabriel J, Stephen R McLaughlin, and Andrew D Asher. “Shadow Libraries and You: Sci-Hub Usage and the Future of ILL.” ACRL 2017, Baltimore, Maryland, March 22 - 25, 2017. [Conference Paper], 2017. link.
  6. Yesberg, Helen. “Libraries, Piracy and the Grey Area In-Between: Free Digital Media during the COVID-19 Pandemic.” Reinvention: An International Journal of Undergraduate Research 15, no. 1 (April 29, 2022). link.

Daniel Messer

Dan is a systems librarian and SQL hacker living in Alvaton and Louisville, Kentucky. After almost 30 years of library work, he’s cultivated a broad background in public library circulation methodology, library technology and automation, training and instruction, and library databases. A shadow librarian for ten years, he’s provided cataloguing and scanning for various shadow libraries and online digital collections. And he’s called upon his work in shadow libraries to help patrons as a traditional public librarian.

Beyond the library, he’s an author, podcaster, musician, and coder.

Mastodon (@cyberpunklibrarian@hackers.town)
Website

Back to top

HookChain: A new perspective for Bypassing EDR Solutions

Saturday at 15:30 in LVCC - L1 - HW1-11-02 (Track 2)
45 minutes | Demo 💻, Exploit 🪲, Tool 🛠

Helvio Carvalho Junior CEO at Sec4US

In the current digital security ecosystem, where threats evolve rapidly and with complexity, companies developing Endpoint Detection and Response (EDR) solutions are in constant search for innovations that not only keep up but also anticipate emerging attack vectors. In this context, this article introduces the HookChain, a look from another perspective at widely known techniques, which when combined, provide an additional layer of sophisticated evasion against traditional EDR systems.

Through a precise combination of IAT Hooking techniques, dynamic SSN resolution, and indirect system calls, HookChain redirects the execution flow of Windows subsystems in a way that remains invisible to the vigilant eyes of EDRs that only act on Ntdll.dll, without requiring changes to the source code of the applications and malwares involved.

This work not only challenges current conventions in cybersecurity but also sheds light on a promising path for future protection strategies, leveraging the understanding that continuous evolution is key to the effectiveness of digital security.

By developing and exploring the HookChain technique, this study significantly contributes to the body of knowledge in endpoint security, stimulating the development of more robust and adaptive solutions that can effectively address the ever-changing dynamics of digital threats. This work aspires to inspire deep reflection and advancement in the research and development of security technologies that are always several steps ahead of adversaries.

Helvio Carvalho Junior

Helvio is the CEO of Sec4US, a leading company in Cyber Security, and stands out as a renowned researcher in the field. He made history by being the first in Latin America to achieve the prestigious OSCE3 certification, a milestone that reflects his deep knowledge and technical skill. With over 23 years of experience across various segments of Information Technology, Helvio currently focuses on research in bypass techniques for Endpoint Detection and Antivirus solutions, as well as specializing in offensive information security (RedTeam). His passion for creating exploits and malware is well-known and significantly contributes to the advancement of cybersecurity.

LinkedIn
sec4us.com.br/
www.helviojunior.com.br/

Back to top

Unsaflok: Hacking millions of hotel locks

Saturday at 15:30 in LVCC - L1 - HW1-11-03 (Track 3)
45 minutes | Demo 💻, Exploit 🪲

Lennert Wouters Security Researcher, Computer Security and Industrial Cryptography (COSIC) at KU Leuven University

Ian Carroll Founder at Seats.aero Independent Security Researcher

Electronic hotel locks have been in use for over three decades, and have become an integral part of the hospitality sector. Las Vegas has over 150.000 hotel rooms, many of which use an RFID based electronic lock for access control. Most hotel guests rely on these locks to safeguard personal belongings and to protect their personal safety. However, some of these long-deployed locks have never been publicly scrutinized by the research community.

This presentation covers the discovery of vulnerabilities affecting three million dormakaba Saflok locks. The Saflok system relied on a proprietary key derivation function for its MIFARE Classic cards and a proprietary encryption algorithm for the card contents. Reverse engineering the Saflok system allowed us to forge valid keycards. After reading a single, low privilege, guest card we are able to create a pair of forged key cards that allow us to deactivate the deadbolt and open any room at the property.

We reported these vulnerabilities to dormakaba in September of 2022, as part of this presentation we will discuss the responsible disclosure and mitigation processes. Additionally, we will demonstrate how you can determine if your own hotel room has been patched to help ensure your personal safety.

  1. My Arduino can beat up your hotel room lock - Onity locks - Cody Brocious - Blackhat 2012
  2. Ghost In The Locks: Owning Electronic Locks Without Leaving A Trace - Vingcard locks - Tomi Tuominen and Timo Hirvonen - HITBGSEC 2018

Lennert Wouters

Lennert Wouters is a security researcher at the Computer Security and Industrial Cryptography (COSIC) research group at the KU Leuven University in Belgium. Lennert's main research interests cover hardware security for embedded systems and physical attacks.

Twitter (@LennertWo)

Ian Carroll

Ian Carroll is an independent security research and founder of Seats.aero. Ian's main research interests involve application security, especially in the travel industry.

Twitter (@iangcarroll)
seats.aero

Back to top

Compromising an Electronic Logging Device and Creating a Truck2Truck Worm

Saturday at 16:00 in LVCC - L1 - HW1-11-01 (Track 1)
20 minutes | Demo 💻, Exploit 🪲

Jake Jepson Graduate Research Assistant, Department of Systems Engineering at Colorado State University

Rik Chatterjee Graduate Research Assistant, Department of Systems Engineering at Colorado State University

Presented by Jake Jepson and Rik Chatterjee, two Systems Engineering Master's students at Colorado State University, this talk delves into the critical security implications within the trucking industry, particularly focusing on Electronic Logging Devices (ELDs). These devices, integral to compliance with Hours of Service regulations, present unique cyber-physical threats due to their networked nature and lack of standardized security protocols.

The presentation will walk through examining potential remote exploits via wireless ELD compromise, leading to cyber physical control payloads and even wormable scenarios. Key vulnerabilities identified include insecure defaults and poor security practices shown on a commercially available ELD. These vulnerabilities not only expose truck networks to potential unauthorized control but also highlight systemic issues in device certification and security oversight.

The talk will cover their journey from acquiring and reverse engineering ELDs, discovering their common architectures and weaknesses, to demonstrating proof of concept attacks that underline the urgent need for industry-wide security reforms. Notably, Jepson will discuss his first CVE, detailing the coordinated disclosure process and subsequent manufacturer response.

This session is semi-technical, ideal for cybersecurity professionals and amateurs alike, interested in vehicle network protocols, and embedded systems security. Prior knowledge of network protocols such as CAN and J1939, along with an understanding of firmware reverse engineering, will enhance the learning experience, but is not required. Tools and techniques used include network scanners, reverse engineering platforms like Ghidra, and various wireless communication methods.

By attending this presentation, participants will not only understand the specific security flaws affecting heavy vehicles but also appreciate the broader implications for embedded systems security in transportation. This talk is a call to action for improving security practices and regulatory standards in an increasingly interconnected world.

  1. Bureau of Transportation Statistics, United States Department of Transportation. "National Transportation Statistics (NTS)." Accessed December 19, 2023. link. doi:10.21949/1503663
  2. “Economics and Industry Data.” American Trucking Associations. [Online]. Available: link
  3. Technology, Syrma Sgs. “Automotive ECU: The Core Component for Connected Cars.” Electronic Manufacturing Services - Syrma SGS Technology, 15 July 2021, link. Picture: “M156 ECU Upgrade.” DYNE Performance, link. Accessed 22 Apr. 2022.
  4. “J1939-13.” SAE International.
  5. “Moving Ahead for Progress in the 21st Century Act (MAP-21).” U.S. Department of Transportation. [Online]. Available: Moving Ahead for Progress in the 21st Century Act (MAP-21)
  6. “ELD List.” FMCSA. [Online]. Available: link
  7. link
  8. link
  9. link
  10. link

Jake Jepson

Currently, Jake serves as a graduate research assistant in the Department of Systems Engineering, working under the guidance of Dr. Jeremy Daily. His role involves collaborating with a team of skilled professionals to conduct research on cybersecurity and digital forensics within the heavy vehicle industry. Jake's academic journey has emphasized the significance of pursuing a career he is passionate about, and this position has further solidified his love for collaborative problem-solving.

Rik Chatterjee

Currently, Rik serves as a graduate research assistant in the Department of Systems Engineering at Colorado State University, working under Dr. Jeremy Daily. His role involves research on security of protocol implementations and cybersecurity in the domain of commercial heavy and medium duty vehicles. Driven by a passion for securing embedded systems, Rik's work emphasizes the importance of robust security measures in protecting critical transportation infrastructure against emerging cyber threats.

Back to top

Secrets and Shadows: Leveraging Big Data for Vulnerability Discovery at Scale

Saturday at 16:00 in LVCC - L1 - HW1-11-04 (Track 4)
45 minutes | Demo 💻

Bill Demirkapi Independent Security Researcher

When we consider the conventional approaches to vulnerability discovery, be it in software or websites, we tend to confine ourselves to a specific target or platform. In the case of software, we might reverse engineer an application's attack surfaces for untrusted input, aiming to trigger edge cases. For websites, we might enumerate a domain for related assets and seek out unpatched, less defended, or occasionally abandoned resources.

This presentation explores the untapped potential of scaling security research by leveraging unconventional data sources. We'll walk through design flaws that enable two examples: forgotten cloud assets and leaked secrets. Instead of starting with a target and finding vulnerabilities, we'll find vulnerabilities and relate them to our targets. We won't just stop at discovery. We'll also discuss the incentives that create them and how to solve the ecosystem issues as an industry.

While you can't easily scale every issue, this project has led to tens of thousands of highly significant yet seemingly trivial weaknesses in some of the world's largest organizations. Prepare to shift your perspective on vulnerability discovery, learn scalable approaches to address commonly overlooked bugs, and understand how even the simplest misconfiguration can have a devastating impact.

  • Toomey, Patrick. “Behind the Scenes of Github Token Scanning.” The GitHub Blog, 17 Oct. 2018, link.
  • Meli, Michael, et al. “How Bad Can It Git? Characterizing Secret Leakage in Public Github Repositories.” Proceedings 2019 Network and Distributed System Security Symposium, 19 Feb. 2019, link.
  • Awslabs. “Awslabs/Git-Secrets: Prevents You from Committing Secrets and Credentials into Git Repositories.” GitHub, 2015, link.
  • Rice, Zachary. “Zricethezav/Gitleaks: Scan Git Repos (or Files) for Secrets Using Regex and Entropy.” GitHub, 2018, link.
  • Ballenthin, Willi, and Moritz Raabe. “Mandiant/Flare-Floss: Flare Obfuscated String Solver - Automatically Extract Obfuscated Strings from Malware.” GitHub, 2016, link.
  • Squarcina, Marco, et al. “Can I Take Your Subdomain? Exploring Same-Site Attacks in the Modern Web.” USENIX Security Symposium, vol. 30, Aug. 2021, pp. 2917–2934.
  • MDN contributors. “Subdomain Takeovers - Web Security | MDN.” Developer.mozilla.org, 14 Oct. 2021, link.
  • “Prevent Subdomain Takeovers with Azure DNS Alias Records and Azure App Service’s Custom Domain Verification.” Learn.microsoft.com, Microsoft, 16 June 2020, link.
  • Shah, Shubham. “Eliminating Dangling Elastic IP Takeovers with Ghostbuster.” Assetnote, 13 Feb. 2022, link.
  • Claudius, Jonathan. “‘Deep Thoughts’ on Subdomain Takeover Vulnerabilities.” Claudijd.github.io, 3 Feb. 2017, link.
  • Victor Le Pochat, Tom Van Goethem, Samaneh Tajalizadehkhoob, Maciej Korczyński, and Wouter Joosen. 2019. "Tranco: A Research-Oriented Top Sites Ranking Hardened Against Manipulation," Proceedings of the 26th Annual Network and Distributed System Security Symposium (NDSS 2019). link
  • Hallam-Baker, Phillip, et al. “RFC 8659 - DNS Certification Authority Authorization (CAA) Resource Record.” Datatracker.ietf.org, IETF, Nov. 2019, link.

Bill Demirkapi

Bill is an independent security researcher with a passion for finding bugs at scale. His interests include reverse engineering and vulnerability research, ranging from low-level memory corruption to systemic flaws with catastrophic consequences. He started his journey in high school and has since published his work at internationally-recognized conferences like DEF CON and Black Hat USA. In his pursuit to make the world a better place, Bill constantly looks for the next significant vulnerability, following the motto "break anything and everything".

Twitter (@BillDemirkapi)
billdemirkapi.me

Back to top

Encrypted newspaper ads in the 19th century - The world's first worldwide secure communication system

Saturday at 16:00 in LVCC - L3 - W322-W327 (Warstories Track)
45 minutes

Elonka Dunin Crypto Expert

Klaus Schmeh Crypto Expert at Eviden

Between 1850 and 1855, the London-based newspaper The Times published over 50 encrypted advertisements apparently intended for the same recipient. As we know today, the ads in that series were meant for the sea captain Richard Collinson, who at the time was on a mission in the Canadian Arctic trying to solve a captivating mystery: What happened to the lost John Franklin expedition? While Collinson never reached his goal, he established a secure worldwide communication system, which was unique for its time.

Before his departure, Collinson's family was taught how to encrypt brief reports about what was going on at home and to publish these messages as mysterious ads in “The Times” once a month. The cipher used was a modified version of a system based on a signal-book of the Royal Navy. As the circulation of The Times stretched far beyond the UK, Collinson would have the chance to get his hands on a copy even at the remotest of ports.

Over a century later, the Collinson ads were finally broken in the 1990s. Over the last two years, the lecturers of this talk continued this work, with a goal of decrypting all of the ads and placing them in their appropriate geographic and cultural context.

  • Article in “Mental Floss” (this was written based on one of our earlier talks)

    • Ellen Gutoskey: How Victorian Explorers and Pining Lovers Used Coded Newspaper Ads to Communicate. Aug 10, 2022
    • link

  • 1992 Research paper in Cryptologia:

    • John Rabson: All are Well at Boldon a mid-Victorian Code System. Cryptologia 16(2): 127-135 (1992)

  • Book about encrypted newspaper advertisements:

    • Jean Palmer: The Agony Column Codes & Ciphers. New Generation Publishing, London 2006

  • Naval codebooks:

    • 10th edition (1847): link
    • 11th edition (1851): link
    • 12th edition (1854): link

  • Collinson’s logbooks (by his brother):

    • Thomas Bernard Collinson: Cypher Notices in the ‘Times’. In: Journal of H.M.S. Enterprise, on the Expedition in Search of Sir John Franklin's Ships by Behring Strait. 1850-55. Sampson Low, Marston, Searle, & Rivington. London: 1889 link

  • Article from the 1940s:

    • Richard J. Cyriax: The Collinson Cryptograms in "The Times". Notes and Queries 26 July, 1947: 322-323

Elonka Dunin

Elonka Dunin is a crypto expert and co-leader of a group that is working to crack the final cipher on the Kryptos sculpture at CIA Headquarters. She maintains a website of the World’s most famous unsolved codes, and bestselling author Dan Brown named his character “Nola Kaye”, a scrambled form of “Elonka”, in his novel The Lost Symbol, after her.

Elonka was a member of the Board of Directors for the National Cryptologic Museum Foundation, and General Manager and Executive Producer at Simutronics, making award-winning online and mobile games.

In 2006, Elonka published The Mammoth Book of Secret Codes and Cryptograms, and with Klaus she co-wrote the book Codebreaking: A Practical Guide, with editions in 2020 and 2023.

Facebook
Twitter (@ElonkaDunin)
cipherbrain.net
codebreaking-guide.com
elonka.com

Klaus Schmeh

Klaus Schmeh has written 15 books (mostly in German) about cryptography, as well as over 250 articles, 25 scientific papers, and 1500 blog posts. Klaus’s main fields of interest are codebreaking and the history of encryption.

Klaus is a popular speaker, known for his entertaining presentation style involving self-drawn cartoons, self-composed songs, and Lego models. He has lectured at hundreds of conferences, including the NSA Crypto History Symposium, DEF CON, and the RSA Conference.

In his day job, Klaus works as a crypto expert for the global IT security company Eviden.

Twitter (@KlausSchmeh)

Back to top

Watchers being watched: Exploiting the Surveillance System and its supply chain

Saturday at 16:30 in LVCC - L1 - HW1-11-01 (Track 1)
45 minutes | Demo 💻, Exploit 🪲

Chanin Kim Offensive Researcher at S2W Inc

Myeonghun Pak Researcher at KITRI

Myeongjin Shin Student at Chonnam National University

With the development of artificial intelligence and image processing technology, the video industry such as CCTV is developing greatly. However, CCTV video may infringe on an individual's privacy, and personal information may be leaked due to hacking or illegal video collection. As such, Surveillance System's Security issues are also increasing, the importance of the video surveillance industry is becoming more prominent.

In order to prevent hacking or illegal video collection, research on camera security is being conducted. However, there is a lack of awareness of NVR (Network Video Recorder), a device that actually watches videos recorded by cameras, and research on this is also insufficient.

We selected Hikvision and Dahua, which have a high NVR market share, as target vendors, and also selected Synology's NVR-related package, Surveillance Station, as targets. Before proceeding with vulnerability analysis, several problems occurred during the file system extraction process, but U-Boot mitigation was successfully bypassed through various methods. Afterwards, various types of vulnerabilities were discovered through analysis, and OEM verification was also conducted to increase impact. We present exploit scenarios for surveillance devices through vulnerability linkage and present supply chain security issues in the Surveillance System.

  1. link
  2. link
  3. link
  4. link
  5. link
  6. link
  7. link
  8. link
  9. link
  10. link
  11. link
  12. link
  13. link
  14. link
  15. link
  16. link

Chanin Kim

Chanin Kim has previously conducted offensive research and has experience discovering vulnerabilities in various places, including Windows, Rust, and OpenVPN. Chan In-Kim is also currently working as an Offensive Researcher at S2W Inc in Korea and is conducting various offensive research.

Twitter (@lourcode)

Myeonghun Pak

Myeonghun Pak is currently a university student and is working on offensive research. He enjoys analyzing embedded vulnerabilities.

Twitter (@mhun512)

Myeongjin Shin

Myeongjin Shin is currently a student at Chonnam National University and belong to SRC lab. He is interested in vulnerability analysis and research.

Twitter

Back to top

DEF CON Academy: Cultivating M4D SK1LLZ In the DEF CON Community

Saturday at 16:30 in LVCC - L1 - HW1-11-02 (Track 2)
45 minutes | Demo 💻

Yan "Zardus" Shoshitaishvili Associate Professor at Arizona State University

Perri Adams Special Assistant to the Director at Defense Advanced Research Projects Agency (DARPA)

DEF CON is a siren song for the hacker mind. Clever people around the world hear it and are pulled, every year, to Las Vegas. They mass by the tens of thousands, streaming through the halls of DEF CON to watch talks given by absolute legends about incredible escapades, to gaze in wonder as true wizards bend bytes to their will in the CTF room, and to dream about one day reaching to those heights themselves.

Some have the critical combination of grit, perseverance, raw talent, and (let's face it) privilege to push through to those dreams of greatness. But among even the clever and the motivated, it is rare for n00bs to rise to l33tness without support. Some find this support in inspiring classes in college. Others, among friends or mentors. But many don't find it at all, and remain in the hallways, dreaming.

Do you want to leave the hallways and hack the planet? We are hackers, educators, and learners who are creating DEF CON Academy, a concerted effort to maximize hacker potential by providing open, clear, approachable, and inclusive practical resources for budding hackers to transcend and rule cyberspace. Through extensive DEF CON event presence and year-round hacking resources, we will pro up the noobs of the world and bring the community, at scale, to the next level of skill.

Come, listen, and learn how we can help!

  1. link
  2. Connor Nelson, Yan Shoshitaishvili. DOJO: Applied Cybersecurity Education In The Browser. ACM SIGCSE 2024. link
  3. Connor Nelson, Yan Shoshitaishvili. PWN The Learning Curve: Education-First CTF Challenges. ACM SIGCSE 2024. link
  4. link
  5. link

Yan "Zardus" Shoshitaishvili

Zardus (Yan Shoshitaishvili) is an Associate Professor at Arizona State University, where he pursues passions of cybersecurity research (focusing on binary analysis and exploitation) and education. Zardus has competed in CTFs for over 15 years, hosted DEF CON CTF, and led Shellphish’s participation in the DARPA Cyber Grand Challengge.

In order to inspire students to pursue cybersecurity (and, ultimately, compete at DEF CON!), Yan created pwn.college, an open practice-makes-perfect learning platform that is revolutionizing cybersecurity education for aspiring hackers around the world.

Mastodon (@Zardus@defcon.social)
Twitter (@Zardus)
yancomm.net

Perri Adams

Ms. Perri Adams is a special assistant to the director at DARPA, where she advises stakeholders at the agency and across the U.S. government on the next generation of AI and cybersecurity technology.

Prior to this role, Adams was a program manager within DARPA’s Information Innovation Office (I2O), where, among other programs, she created the AI Cyber Challenge (AIxCC).

Adams has been an avid participant in cybersecurity CTF competitions and was one of the organizers of the DEF CON CTF. She holds a bachelor’s degree in computer science from Rensselaer Polytechnic Institute and is a proud alumna of the computer security club, RPISEC.

Twitter (@perribus)

Back to top

Breaking the Beam: Exploiting VSAT Satellite Modems from the Earth's Surface

Saturday at 16:30 in LVCC - L1 - HW1-11-03 (Track 3)
45 minutes | Demo 💻, Exploit 🪲

Vincent Lenders Cybersecurity Researcher and Head at Cyber-Defence Campus

Johannes Willbold PhD Student at Ruhr University Bochum

Robin Bisping Security Engineer at Cyber-Defence Campus

VSAT satellite communication systems are widely used to provide two-way data and voice communications to remote areas, including maritime environments, crisis regions, and other locations where terrestrial communication infrastructure is limited or unavailable. In this presentation, we report on our security findings from our reverse-engineering efforts to exploit VSAT satellite modems from the Earth. We will focus on the Newtec MDM2200 from iDirect as an example. First, we explain how we reverse-engineered the software stack running on the modem device to find 0-day vulnerabilities. Then, we show how we reverse-engineered the network stack to devise attacks that can be launched by injecting wireless signals through the antenna dish of a VSAT terminal. Finally, we demonstrate our software-defined radio end-to-end attacks to inject bogus firmware updates and to gain a remote root shell access on the modem. To the best of knowledge, this represents the first successful demonstration of signal injection attacks on VSAT modems using software-defined radios from the Earth, while previous attacks on VSAT systems such as the ViaSat hack in 2022 were based on exploiting the operator’s network through Internet VPN connections. Our work therefore enlarges significantly the attack surface of VSAT systems.

Our presentation at DEF CON is part of a project that has three parts.

In the first part, we focus on the inherent security issues in current VSAT system practices. This work will be appear in May at ACM WiSec 2024.

VSAsTer: Uncovering Inherent Security Issues in Current VSAT System Practices, Johannes Willbold, Moritz Schloegel, Robin Bisping, Martin Strohmeier, Thorsten Holz, Vincent Lenders, 17th ACM Conference on Security and Privacy in Wireless and Mobile Networks (WiSec), Seoul, Korea, May 2024.

The second part deals with the systematic evaluation of wireless signal injection attacks using a software-defined radio. This work will appear in August at Usenix Security 2024:

Wireless Signal Injection Attacks on VSAT Satellite Modems, Robin Bisping, Johannes Willbold, Martin Strohmeier, and Vincent Lenders, 33rd USENIX Security Symposium (USENIX Security), Philadelphia PA, USA, August 2024.

The third part of the project deals with reverse-engineering of the software and network stack of satellite modems and the development of exploits that can be injected over the air through the antenna dish of a VSAT terminal from the ground. This part shall be presented at DEF CON this year.

Vincent Lenders

Vincent Lenders is a cybersecurity researcher from Switzerland where he acts as the Head of the Cyber-Defence Campus. He has a Master and PhD degree from ETH Zurich in electrical engineering. He has over 15 years of practical experience in cybersecurity with a strong focus on the security of wireless networks. He is the co-founder of the OpenSky Network and has published over 150 scientific papers and two books, and presents regularly at cybersecurity conferences including Usenix Secuirty, DEFCON, IEEE S&P, NDSS, ACM CCS.

LinkedIn
Twitter (@Vlenders)
lenders.ch

Johannes Willbold

Johannes Willbold is a PhD student at the Ruhr University Bochum and researches the software security of space and satellite systems. In 2023, he published at the IEEE S&P, and presented on venues, including Black Hat US, REcon and TyphoonCon. He organizes the yearly SpaceSec workshop (co-located with NDSS) and participated in the Hack-a-Sat 2 & 4 finals.

Robin Bisping

Robin Bisping is a security engineer and former student of ETH Zurich and the Cyber-Defence Campus, where his research focused on the security of wireless networks and satellite communication systems.

Back to top

Techniques for Creating Process Injection Attacks with Advanced Return-Oriented Programming

Saturday at 17:00 in LVCC - L1 - HW1-11-04 (Track 4)
20 minutes | Demo 💻

Bramwell Brizendine Assistant Professor at University of Alabama in Huntsville

Shiva Shashank Kusuma Computer Science Master's Student at University of Alabama in Huntsville

This talk showcases techniques for process injection using advanced return-oriented programming (ROP). Process injection via ROP introduces significant hurdles, requiring many WinAPIs to be chained together, each with complex parameters and return values. We give practical details on how to best manage this. One seemingly insurmountable challenge is in identifying the target binary, as string comparison can be extremely difficult in ROP, as needed ROP gadgets may be lacking. We unveil a unique, universal solution, giving a reliable means of string comparison via ROP, which works all the time, allowing a specific process to be pinpointed and injected into via ROP.

We created numerous patterns for different WinAPIs, allowing for as many as a dozen ways of preparing a specific WinAPI via ROP, if using an approach centered around the PUSHAD instruction. With some WinAPIs, there are zero patterns for PUSHAD, forcing us to rely upon the much lauded “sniper” approach. We document all such variations of patterns for the WinAPIs in our demonstrated process injection. This research is not intended to demo a one-off example of process injection via ROP, but to provide a methodology that can be used time and time again, providing unique templates for others to use the same WinAPIs when attempting process injection via ROP.

  1. Anonymous.(2019.) Cobalt Strike’s Process Injection: The Details. link
  2. Hosseini, Ashkan. (2017). Ten Process Injection Techniques: A Technical Survey of Common and Trending Process Injection Techniques. link
  3. Klein, A., & Kotler, I. (2019). Windows process injection in 2019. Black Hat USA, 2019.
  4. Landau, Gabriel. (2021). What you need to know about Process Ghosting, a new executable image tampering attack. link
  5. Mundbrod, N., Grambow, G., Kolb, J., & Reichert, M. (2015). Context-aware process injection: enhancing process flexibility by late extension of process instances. In On the Move to Meaningful Internet Systems: OTM 2015 Conferences: Confederated International Conferences: CoopIS, ODBASE, and C&TC 2015, Rhodes, Greece, October 26-30, 2015. Proceedings (pp. 127-145). Springer International Publishing.
  6. Process Injection. MITRE ATT&CK. link
  7. Process Injection. link
  8. Unal, Ozan. (2020). Process Injection Techniques. link

Bramwell Brizendine

Dr. Bramwell Brizendine completed his Ph.D. in Cyber Operations. A security researcher, currently Bramwell is an Assistant Professor at the University of Alabama in Huntsville, and he is the founding Director of the Vulnerability and Exploitation Research for Offensive and Novel Attacks (VERONA Lab). A cybersecurity expert, Bramwell has taught numerous undergraduate, graduate, and doctoral level courses in reverse engineering, software exploitation, advanced software exploitation, malware analysis, and offensive security. Additionally, Bramwell has authored several important cybersecurity tools, including JOP ROCKET, SHAREM, ShellWasp, and ROP ROCKET, which are open source and freely available. Bramwell was a PI on a $300,000 NSA research grant to develop a shellcode analysis framework, SHAREM. Bramwell has been a speaker at many top security conferences across the globe, including different regional variations of Black Hat, DEFCON, Hack in the Box, and more.

Shiva Shashank Kusuma

Shiva Shashank Kusuma, a Computer Science Master's student at the University of Alabama in Huntsville, has a deep interest in software engineering and cybersecurity. When not at work, Shiva enjoys reading about Blockchain, Web3, and AI.

Back to top

A Treasure Trove of Failures: What History’s Greatest Heist Can Teach Us About Defense In Depth

Saturday at 17:00 in LVCC - L3 - W322-W327 (Warstories Track)
45 minutes

Pete Stegemeyer Senior Security Engineer Host at “I Can Steal That!” Podcast

What’s the real life equivalent of hacking a Gibson? Probably stealing hundreds of millions of dollars in diamonds, gold, and cash from one of the world's most formidable vaults. In 2003, a team of thieves did just that. Armed with hairspray, double sided tape, and nerves of steel, these thieves defeated layer after layer of security to pull off the haul of a lifetime.

However, as much as this is a story of skilled criminals, it is every bit as much a story of security failures and the parallels between protecting diamonds and data. In this presentation we’ll dive deep into what went right, what went wrong, and how to properly apply defense in depth to make your security program look like a hundred million bucks.

  1. Davis, J. (2009, March 12). The untold story of the World’s biggest Diamond Heist. Wired. link
  2. Selby, S. A., & Campbell, G. (2012). Flawless: Inside the largest diamond heist in history. Sterling.
  3. Stegemeyer, P. (2021). Heist: An inside look at the world’s 100 Greatest Heists, cons, and capers: From burglaries to bank jobs and everything in between. Whalen Book Works.

Pete Stegemeyer

Pete Stegemeyer is both a Senior Security Engineer and one of the world’s leading heist experts. Pete has served as a consultant for Vice, National Geographic, and was a featured expert on the History Channel’s series “History’s Greatest Heists.” He is the author of the best selling book Heist: An Inside Look at the World’s 100 Greatest Heists, Cons and Capers and hosts of the popular podcast “I Can Steal That!”

Twitter (@petestegemeyer)

Back to top

Iconv, set the charset to RCE: exploiting the glibc to hack the PHP engine

Saturday at 17:30 in LVCC - L1 - HW1-11-03 (Track 3)
45 minutes | Demo 💻, Exploit 🪲

Charles "cfreal" Fol Security Researcher at LEXFO / AMBIONICS

Upon its discovery, CVE-2024-2961, a very old buffer overflow in the glibc, seemed like a terrible bug. Within the prism of the PHP engine, however, the vulnerability shone, and provided both a new remote code execution vector and a few 0-days.

This talk will first walk you through the discovery of the bug and its limitations, before describing the conception of remote binary PHP exploits using this bug, and through them offer unique insight in the internal of the engine of the web language, and the difficulties one faces when exploiting it.

After this, it will reveal the impact on PHP's ecosystem, from well-known functions to unsuspected sinks, by showcasing the vulnerability on several popular libraries and applications.

Charles "cfreal" Fol

Charles Fol, also known as cfreal, is a security researcher at LEXFO / AMBIONICS. He has discovered remote code execution vulnerabilities targeting renowned CMS and frameworks such as Drupal, Magento, Symfony or Laravel, but also enjoys binary exploitation, to escalate privileges (Apache, PHP-FPM) or compromise security solutions (DataDog’s Sqreen, Fortinet SSL VPN, Watchguard). He is the creator for PHPGGC, the go-to tool to exploit PHP deserialization, and an expert in PHP internals.

Technical Blog
Twitter (@cfreal_)

Back to top

Nano-Enigma: Uncovering the Secrets Within eFuse Memories

Saturday at 17:30 in LVCC - L1 - HW1-11-04 (Track 4)
45 minutes | Demo 💻

Michal Grygarek Security Architect at Accenture

Martin Petran Embedded Systems Security Engineer at Accenture

Hayyan Ali Security Delivery Senior Analyst at Accenture

For years, eFuse-based memories were used to store sensitive information such as encryption keys, passwords, and other potentially confidential pieces of information. This practice was encouraged by several vendors who leverage such memory types for protecting the debugging interfaces using a password or for official way to store encryption keys for external flash memories.

However, with the advances in technology and threat actors’ creativity, eFuse-based memories may take a hard hit on their confidentiality assurance as their physical properties could allow for a relatively easy extraction of the stored information.

In this talk we will walk you through the journey of revealing one such data storage from decapsulating the chip itself, delayering it using common household items all the way to using advanced tools such as Scanning Electron Microscope (SEM) to read value of an encryption key and thus break the confidentiality of the encrypted flash memory.

  1. "Solving Chip Security's Weakest Link." Design & Reuse, April 1, 2023, link
  2. Laurie, Adam. "Fun with Masked ROMs - Atmel MARC4." Adams Blog, rfidiot.org, 1 Jan. 2013, link
  3. Hoover, William. "Looking Inside a 1970s PROM Chip That Could Change Computing." RightO, 19 July 2019, link
  4. Chen, Nick. "The Benefits of Antifuse OTP." Semiconductor Engineering, 19 Dec. 2016, link

Michal Grygarek

Michal has 20+ years of experience in the development of electronic systems and radio engineering. He specializes in cyber security of embedded systems, especially with relation to nanometer scale attack. His key expertise includes the methodology of decapsulation, delayering of silicon chips and their subsequent analysis using optical and electron microscopy.

ok2haz.ok2kld.cz/

Martin Petran

Martin is an embedded systems security engineer with 9+ years of professional experience working at Accenture in Prague, Czech Republic. His main areas of focus are reverse engineering, fuzzing and exploit development. Throughout his career, he has created/contributed to several open-source projects and presented at security focused conferences.

Hayyan Ali

Hayyan Ali brings over a decade of expertise in mobile communication, radio planning, and optimization to the forefront of cutting-edge technological advancements. Currently pursuing a Ph.D. at the Czech Technical University in Prague, Hayyan's research focuses on the integration of Machine Learning within mobile networks' radio interfaces. In addition to his academic pursuits, Hayyan serves as a Security Delivery Senior Analyst at Accenture, where he spearheads initiatives to fortify mobile communication infrastructures. Leveraging his extensive knowledge, he specializes in detecting vulnerabilities within radio interface protocols, conducting penetration testing on wireless interfaces in IoT devices, and deploying Machine Learning algorithms to automate pen testing processes.

Back to top

Splitting the email atom: exploiting parsers to bypass access controls

Sunday at 10:00 in LVCC - L1 - HW1-11-01 (Track 1)
45 minutes | Demo 💻, Exploit 🪲, Tool 🛠

Gareth Heyes Researcher at PortSwigger

Websites often parse users' email addresses to identify their organisation. Unfortunately, parsing emails is far from straightforward thanks to a collection of ancient RFCs that everyone knows are crazy. You can probably see where this is going…

In this session, I'll introduce techniques for crafting RFC-compliant email addresses that bypass virtually all defences leading to broken assumptions, parser discrepancies and emails being routed to wildly unexpected destinations. I'll show you how to exploit multiple applications and libraries to spoof email domains, access internal systems protected by 'Zero Trust', and bypass employee-only registration barriers.

Then I'll introduce another class of attack - harmless-looking input transformed into malicious payloads by unwitting libraries, leading to yet more misrouted emails, and blind CSS injection on a well-known target.

I'll leave you with a full methodology and toolkit to identify and exploit your own targets, plus a CTF to develop your new skillset.

Gareth Heyes

PortSwigger researcher Gareth Heyes is probably best known for smashing the AngularJS sandbox to pieces and creating super-elegant XSS vectors. He is the author of JavaScript for hackers. In his daily life at PortSwigger, Gareth can often be found creating new XSS vectors, and researching new techniques to attack web applications. He has a keen interest in hacking CSS to do wonderful, unexpected things and can often be seen experimenting with 3D pure CSS rooms, games and taking markup languages to the limit on his website. He's also the author of PortSwigger's XSS Cheat Sheet. In his spare time, he loves writing new BApp extensions such as Hackvertor.

Twitter (@garethheyes)
garethheyes.co.uk/

Back to top

AWS CloudQuarry: Digging for secrets in public AMIs

Sunday at 10:00 in LVCC - L1 - HW1-11-02 (Track 2)
45 minutes | Demo 💻, Tool 🛠

Eduard Agavriloae AWS Offensive Expert and Pentester

Matei Josephs Senior Penetration Tester

Join us as we unravel another story of public resources from AWS, digging in 3.1 million AMIs for secrets. Beyond the findings, we'll delve into the ominous connection between exfiltrated AWS access credentials from these AMIs and the heightened risk of AWS account takeover. This talk will highlight key methodologies, tools, and lessons learned, emphasizing the critical need for robust security measures in the cloud to prevent both data exposure and potential account compromise.

We started and developed this research without references of existing work. However, here are two links that can be viewed as related/previous work:

This article shows a research on a subset of public AMIs from a single region in AWS link

This research shows a similar issue where public EBS are scanned. However, this technique does not work for most public AMIs link

Eduard Agavriloae

Eduard focuses on cloud and offensive security. He’s an experienced penetration tester and in the last years he started doing novel research, writing articles, developing tools like EC2StepShell and presenting at security conferences.

LinkedIn
Twitter (@saw_your_packet)

Matei Josephs

Matei is a Senior Penetration Tester who loves exploring the internet for vulnerabilities. Matei has discovered several CVEs and has the OSCP, CRTO, eWPT and a few other certifications alongside a Master's degree in Cybercrime and Intelligence. Although his daily job requires him to conduct thorough tests across a limited scope, after work, Matei enjoys doing simple tests across the whole internet.

LinkedIn

Back to top

Windows Downdate: Downgrade Attacks Using Windows Updates

Sunday at 10:00 in LVCC - L1 - HW1-11-03 (Track 3)
45 minutes | Demo 💻, Exploit 🪲, Tool 🛠

Alon Leviev

Downgrade attacks force software to revert to an older, vulnerable version. In 2023, BlackLotus emerged, downgrading the boot manager to bypass Secure Boot. Microsoft addressed the threat, but was Secure Boot the only component vulnerable to downgrades?

By examining Windows Updates, we found a flaw enabling us to take full control over it and craft downgrading updates, bypassing all verification steps.

We then managed to downgrade DLLs, drivers, and even the kernel. Afterwards, the OS reported it’s fully updated, unable to install future updates, with recovery tools unable to detect issues.

We aimed higher and found that the virtualization stack is at risk too. We successfully downgraded Hyper-V’s hypervisor, Secure Kernel, and Credential Guard to expose privilege escalations.

We also discovered several ways to disable VBS, including its Credential Guard and HVCI features, despite its enforced UEFI locks. This is the first known bypass of VBS's UEFI locks.

Lastly, we found another vulnerability in a Windows Update restoration scenario, making the findings accessible to unprivileged attackers!

In this talk, we’ll introduce "Windows Downdate", a tool that takes over Windows Updates to craft downgrades and expose dozens of vulnerabilities. It makes the term “fully patched” meaningless across any Windows machine worldwide.

Alon Leviev

Alon Leviev (@_0xDeku) is self-taught security researcher with a diverse background. Alon started his professional career as a blue team operator, where he focused on the defensive side of cyber security. As his passion grew towards research, Alon joined SafeBreach as a security researcher. His main focus include operating system internals, reverse engineering, and vulnerability research. Alon spoke at various security conferences such as Black Hat EU 2023, CanSecWest 2024 and CONFidence 2024. Before joining the cyber security field, Alon was a professional Brazilian jiu-jitsu athlete, where he won several world and european titles.

LinkedIn
Twitter (@_0xDeku)

Back to top

Unlocking the Gates: Hacking a secure Industrial Remote Access Solution

Sunday at 10:00 in LVCC - L1 - HW1-11-04 (Track 4)
20 minutes | Demo 💻, Exploit 🪲

Moritz Abrell Senior IT Security Consultant and Penetration Tester at SySS GmbH

Industrial VPN gateways play a crucial role in operational technology by enabling secure remote access to systems within industrial networks. However, their importance goes hand in hand with increased security risks, as their architecture makes them lucrative targets for threat actors. Over the years, we have seen such devices being used in various industrial environments, which underlines their widespread use in critical infrastructures.

This talk is about a security analysis of a widely used industrial remote access solution. We will dive deep into and expose various vulnerabilities. This includes rooting the device, bypassing hardware-based security mechanisms such as the use of a hardware security module, and reverse engineering software and firmware. Ultimately, we will show how various identified vulnerabilities allowed us to hijack remote access sessions, creating significant security risks.

Moritz Abrell

Moritz Abrell is an experienced IT security expert who has been passionate about the field since his early days.

As a Senior IT Security Consultant and Penetration Tester for the Germany-based pentest company SySS GmbH, he specializes in the practical exploitation of vulnerabilities and advises clients on how to remediate them.

In addition, he regularly conducts security research and has a keen interest in delving deep into soft-, hard- and firmware. His research has been presented at various national and international IT security conferences such as DEFCON, BlackHat USA, HackCon, NoHat, Hacktivity, etc.

Twitter (@moritz_abrell)

Back to top

The not-so-silent type: Breaking network crypto in almost every popular Chinese keyboard app

Sunday at 10:00 in LVCC - L3 - W322-W327 (Warstories Track)
45 minutes | Demo 💻

Jeffrey Knockel Senior Research Associate at Citizen Lab

Mona Wang PhD candidate in Computer Science at Princeton University

People who don’t type Chinese might be surprised to learn that popular Chinese Input Method Editor (IME) keyboards can act as keyloggers; they transmit your keystrokes over the Internet to enable “cloud-based” support features to improve character prediction when typing.

Everyone might be surprised to learn that these keyloggers, which were already collecting everything you type into your device, were doing it insecurely.

In this talk, we will describe how we systematically exploited every single popular Chinese IME keyboard vendor’s home-rolled network encryption protocol. Namely, we show how any network eavesdropper can read the keystrokes of what users of these vendors’ keyboards are typing. The affected keyboards include the three most popular Chinese IME keyboards, Sogou IME, Baidu IME, and iFlytek IME, collectively used by almost 800 million users, as well as default and pre-installed keyboards on basically every popular Android mobile device except for Huawei’s. We also discuss how we got here, re-affirm the age-old adage, “Don’t roll your own crypto!”, and call on hackers around the world to help us move towards HTTPS everywhere in understudied app ecosystems.

link

link

Jeffrey Knockel

Jeffrey Knockel is a Senior Research Associate at the Citizen Lab. In his research, he seeks to bring transparency to censorship, surveillance, and other harmful software behavior.

jeffreyknockel.com

Mona Wang

Mona Wang is a PhD candidate in Computer Science at Princeton University specializing in network security and privacy. As an Open Technology Fellow at the Citizen Lab, she studied various proprietary encryption protocols used by popular Chinese mobile applications.

m0na.net

Back to top

Changing Global Threat Landscape with Rob Joyce and Dark Tangent

Sunday at 10:30 in LVCC - L1 - HW1-11-04 (Track 4)
45 minutes

Rob Joyce

Jeff "The Dark Tangent" Moss DEF CON Communications

Rob Joyce, former NSA and White House cyber official, will engage with Dark Tangent to analyze the evolving state of global cyber threats. Their discussion will explore the impact and potential of artificial intelligence, assessing how AI is reshaping the cybersecurity landscape and what it means for the future of global security.

Rob Joyce

Rob served over 34 years at the NSA, where he held roles including the head of Tailored Access Operations (TAO), the NSA hackers running operations to produce foreign intelligence. He spent his final years as the head of the Agency’s cybersecurity directorate. He also served on the White House National Security Council as a Special Assistant to the President and Cybersecurity Coordinator, as well as Acting Homeland Security Advisor. Throughout his career, he led operations pursuing the most sophisticated hackers and innovated technologies to protect vital national assets — including the the US classified networks and nuclear authorization codes. He remains dedicated to upholding our national security in the cyber realm.

Jeff "The Dark Tangent" Moss

Mastodon (@thedarktangent@defcon.social)
Twitter (@thedarktangent)

Back to top

(|(MaLDAPtive:¯\_(LDAP)_/¯=ObFUsc8t10n) (De-Obfuscation &:=De*te)(!c=tion))

Sunday at 11:00 in LVCC - L1 - HW1-11-01 (Track 1)
45 minutes | Demo 💻, Tool 🛠

Daniel Bohannon Principal Threat Researcher, P0 Labs team at Permiso Security

Sabajete Elezaj Senior Cyber Security Engineer at Solaris SE

LDAP is no stranger to the security spotlight. While LDAP is a protocol (Lightweight Directory Access Protocol) and Active Directory is the most popular directory services system that supports a subset of LDAP, the terms “LDAP” and “AD” are tightly coupled when discussing the execution, detection and prevention of attacks targeting directory services data.

In the last decade the widespread offensive value of querying AD data via LDAP was cemented with the release of open-source tools such as BloodHound and PingCastle. However, proper visibility of LDAP queries mostly remains a privileged asset for those organizations with deep pockets, and the commercial security tools providing this visibility are often woefully fixated on simple signature-based detections.

MaLDAPtive is the 2,000-hour (and counting) quest of offensive and defensive LDAP exploration and tool-building. This research includes mind-bending depths of obfuscation across all elements of LDAP queries (many undocumented and most never seen in the wild), all baked into an obfuscation/de-obfuscation/detection framework built upon our ground-up custom LDAP search filter tokenizer and syntax tree parser.

Come witness the release of our MaLDAPtive research and open-source framework: transforming LDAP from “lightweight” to “heavyweight.”

Daniel Bohannon

Daniel Bohannon is a Principal Threat Researcher on Permiso Security's P0 Labs team with over 14 years of information security experience, including incident response consulting at MANDIANT, security research at FireEye and threat hunting at Microsoft.

He is the author of the Invoke-Obfuscation, Invoke-CradleCrafter and Invoke-DOSfuscation open-source obfuscation frameworks and co-author of Revoke-Obfuscation and Cloud Console Cartographer.

Mr. Bohannon received a Master of Science in Information Security from the Georgia Institute of Technology (2013) and a Bachelor of Science in Computer Science from The University of Georgia (2010).

LinkedIn
Twitter (@danielhbohannon)
Website

Sabajete Elezaj

Sabajete Elezaj is a Senior Cyber Security Engineer at Solaris SE with a background in cybersecurity extending over 6 years. Her expertise spans incident response, threat hunting and blue team operations. Her work focuses on enhancing cyber defense strategies.

Mrs. Elezaj holds a Master of Science in Information Security from the University of Tirana. She has also shared her expertise at cybersecurity conferences, including BSides Tirana.

LinkedIn
Twitter (@sabi_elezi)

Back to top

The hack, the crash and two smoking barrels. (And all the times I (almost) killed an engineer.)

Sunday at 11:00 in LVCC - L1 - HW1-11-02 (Track 2)
45 minutes | Demo 💻, Exploit 🪲, Tool 🛠

Thomas "Cr0wTom" Sermpinis Technical Director at Auxilium Pentest Labs

This is not a talk in which I will demonstrate exploit chains obtained from the underworld after signing with blood. It’s about sharing meaningful stories from said underworld. The automotive underworld of huge corporations, short deadlines and lukewarm engineers. The one where companies fight for packing more and more functionality inside your computer on wheels, without paying attention to one of the things that our life actually depends on right now, cybersecurity.

While others talk about extremely significant remote vulnerabilities, I will focus on a high-level view of architecture and design of vehicles and where security fits in these processes. I will go through a journey of exploitation, from discovering 0days, to persuading engineers for the significance of a finding, by putting him in the driving seat and engaging the breaks mid-journey.

I will conclude, trying to understand why this is happening, why this behavior towards security still exists in the automotive industry, and how a small manufacturer managed to create one of the most secure embedded systems I faced in my career. All this, with a series of demos in real targets, and a real ECU on stage.

Our ultimate goal is to help people understand the state of the industry, spark the interest which can come out of hacking a computer on wheels, and try to raise awareness with a bit of hack, a bit of crash and two smoking barrels.

  1. Koscher, K., Czeskis, A., Roesner, F., Patel, S., Kohno, T., Checkoway, S., ... & Savage, S. (2010, May). Experimental security analysis of a modern automobile. In 2010 IEEE symposium on security and privacy (pp. 447-462). IEEE.
  2. Miller, C., & Valasek, C. (2015). Remote exploitation of an unaltered passenger vehicle. Black Hat USA, 2015(S 91), 1-91.
  3. Cai, Z., Wang, A., Zhang, W., Gruffke, M., & Schweppe, H. (2019). 0-days & mitigations: roadways to exploit and secure connected BMW cars. Black Hat USA, 2019(39), 6.
  4. Tencent. Tencent Keen Security Lab: Experimental Security Assessment on Lexus Cars.
  5. link
  6. UNECE, G. W. (2021). UN Regulation No. 155—Cyber Security and Cyber Security Management System. Technical Report. United Nations.
  7. ISO. (2013). ISO 14229: Road vehicles — Unified Diagnostic Services (UDS).

Thomas "Cr0wTom" Sermpinis

Thomas Sermpinis (a.k.a. Cr0wTom) is the Technical Director of Auxilium Pentest Labs and independent security researcher with main topics of interest in the automotive, industrial control, embedded device, and cryptography sectors. During his research, he published several academic papers, 0days and tools with the ultimate goal of making the world a safer place, but also helped almost 200 OEMs and Tier 1 automotive suppliers to achieve better security and develop more secure products.

Additionally, he spoke in several highly technical security conferences, presenting his research and trying to create safer streets for drivers, passengers, pedestrians, and everyone in the street, including Zer0Con, TyphoonCon, TROOPERS, DeepSec and others.

cr0wsplace.com

Back to top

Dragon SlayingGuide: Bug Hunting In VMware Device Virtualization

Sunday at 11:00 in LVCC - L1 - HW1-11-03 (Track 3)
45 minutes

JiaQing Huang Security Researcher, TianGong Team of Legendsec at QI-ANXIN Group

Hao Zheng Security Researcher, TianGong Team of Legendsec at QI-ANXIN Group

Yue Liu Security Researcher at QI-ANXIN Group

In this presentation, we will unveil a new attack surface: Device Virtualization in VMKernel. This isan unknown territory that has not been explored by security researchers to date. During the reverse engineering of the VMware Hypervisor, we discovered 8 vulnerabilities related to device virtualization, 3 of them have been assigned CVE number (some vulnerabilities have even been successfully exploited in Tianfu Cup), and the remaining 5 of our vulnerabilities have been officially confirmed by VMware.

Firstly we will delve into the loading process of vmm, the implementation of data sharing between vmm and vmx, and VMware's UserRPC, which facilitates communication between the Hypervisor and the Host. These mechanisms are crucial in virtual device emulation.

Then We will explain security issues in various parts of the USB system, including the host controller, VUsb middleware, and VUsb backend devices, based on the vulnerabilities we have unearthed.

In the end, We will primarily discuss the similarities and differences in SCSI-related device emulation in the virtual disk system between VMware Workstation and ESXi Additionally, we will cover design flaws related to disk device emulation that we discovered in VMKernel.

  1. link
  2. link
  3. link
  4. link
  5. link
  6. link
  7. link
  8. link
  9. link
  10. link
  11. link
  12. link
  13. link
  14. link
  15. link
  16. link
  17. link conferences, including Usenix 2021, ACM CCS 2022, EuroS&P 2022, HITBSecConf2022, BlackHat Asia 2024.

JiaQing Huang

JiaQing Huang is a security researcher at TianGong Team of Legendsec at QI-ANXIN Group. He is currently focused on IoT and Virtualization security, having submitted multiple security vulnerabilities to VMware. In 2023, he and his teammate successfully escaped the Parallels Desktop at GeekCon2023.

Twitter (@S0dukuN)
Twitter (@TianGongLab)

Hao Zheng

Hao Zheng is a security researcher at TianGong Team of Legendsec at QI-ANXIN Group. His focus is on Virtualization Security, having submitted multiple security vulnerabilities to VMware. In 2023, he and his teammate successfully escaped the Parallels Desktop at GeekCon2023.

Yue Liu

Yue Liu is a Security Researcher at QI-ANXIN Group, and the team leader of QI-ANXIN TianGong Team. He and his team has found lots of bugs in Windows/Android/ChromeOS/IoT Devices and cracked multiple targets in Tianfu Cup 2019/2020, GeekPwn 2020/2021/2022, GeekCon 2023. He has published his work in various conferences, including Usenix 2021, ACM CCS 2022, EuroS&P 2022, HITBSecConf2022, BlackHat Asia 2024.

Back to top

Deception & Counter Deception – Defending Yourself in a World Full of Lies

Sunday at 11:00 in LVCC - L3 - W322-W327 (Warstories Track)
45 minutes

Tom "Decius" Cross Principal at Kopidion

Greg Conti Principal at Kopidion

The Internet was supposed to give us access to the world's information, so that people, everywhere, would be able to know the truth. But that’s not how things worked out. Instead, we have a digital deception engine of global proportions. Nothing that comes through the screen can be trusted, and even the things that are technically true have been selected, massaged, and amplified in support of someone’s messaging strategy.

Deception isn’t just about narratives - we see deception at every layer of the network stack, from spoofed electromagnetic signatures, to false flags in malware, to phony personas used to access networks and spread influence. They hide in our blindspots, exploit our biases, and fill our egos while manipulating our perceptions.

How do we decide what is real? This talk examines time-tested maxims that teach the craft of effective deception, and then inverts those offensive principles to provide defensive strategies. We’ll explore ways to counter biases, triangulate information sources, detect narratives, and how hackers can build tools that can change the game.

At their best, hackers lift their heads up above the masses to see how the world actually works, not how it purports to work, and then take action to make the world a better place. You’ll leave this talk with practical skills to do just that.

Tom "Decius" Cross

Tom Cross (aka Decius) is a security researcher known for delivering late night rants at hacker cons. In the early 1990’s, he ran BBSs and listservs for the hacker community in the southeast US. He attended the first Defcon in 1993. He is a Principal at Kopidion, and creator of FeedSeer, a news reader for Mastodon. Past security industry roles include cofounder and CTO of Drawbridge Networks, Research Director at Lancope, and Manager of IBM X-Force Advanced Research. He has spoken at numerous conferences, including Black Hat, DEF CON, Phreaknic, HOPE, and B-Sides. He has a BSCMPE from Georgia Tech.

bsky.app/profile/decius.bsky.social
ioc.exchange/@decius

Greg Conti

Greg Conti is a hacker, maker, and computer scientist. He is Principal at Kopidion, a cyber security training and professional services firm. Greg is a long-time Black Hat trainer where he co-created the Information Operations course. He will also be teaching a new course on Adversarial Thinking at DEF CON Training this year. Formerly he served on the West Point faculty for 16 years and has published approximately 100 articles and papers covering hacking, online privacy, usable security, cyber conflict, and security visualization. Greg is a graduate of West Point, Johns Hopkins, and Georgia Tech

LinkedIn
Twitter (@cyberbgone)
www.gregconti.com/

Back to top

Open sesame - or how vulnerable is your stuff in electronic lockers

Sunday at 11:30 in LVCC - L1 - HW1-11-04 (Track 4)
45 minutes | Demo 💻, Tool 🛠

Dennis Giese

Braelynn Security Consultant at Leviathan Security Group

Physical security is often overlooked in many organizational threat models. An increasing amount of physical security devices with smart components are being introduced to the market with widespread adoption. This creates an enticing attack surface for physical red teams.

Lockers and cabinets equipped with electronic smart locks can be found in many places such as offices, factories, hospitals, labs, and gyms. With remote and hybrid work increasing in popularity, shared use office setups becoming the default. Co-working spaces in offices are now commonplace with lockers being installed for employee device storage. People generally trust that their belongings will be secure in these lockers and entrust the locks with sensitive information, like their personal PIN.

Is there a more stealthy way to get into lockers that don't involve using a crowbar?

In this talk we will analyze the vulnerabilities affecting locks manufactured by the "global leader in keyless lock solutions," Digilock and Schulte-Schlagbaum AG (SAG). Both companies have been in the physical security industry for many decades. What went wrong in the development of these devices and how can these vulnerabilities be fixed? We will also discuss several other vendors operating in this space and compare findings.

We will demonstrate practical physical and side-channel attacks targeting locks that accept a standard PIN and RFID. Learn why it is poor practice to reuse the same secret PIN for lockers and safes and devices such as mobile phones and laptops (especially if they are stored inside the lockers).

Dennis Giese

Dennis Giese is a researcher with the focus on the security and privacy of IoT devices. While being interested in physical security and lockpicking, he enjoys applied research and reverse engineering malware and all kinds of devices. His most known projects are the documentation and hacking of various vacuum robots. He calls himself a "robot collector" and his current vacuum robot army consists of over 60 different models from various vendors. He talked about his research at the Chaos Communication Congress, REcon BRX, NULLCON, and DEFCON.

Twitter (@dgi_DE)
Website

Braelynn

Braelynn is a security consultant at Leviathan Security Group where she conducts security assessments of products for startups, Fortune 500 companies, and everything in between. She enjoys partaking in CTFs and researching the security anything that piques her curiosity. She has previously presented this research at conferences such as Chaos Communication Congress.

Back to top

DriverJack: Turning NTFS and Emulated Read-only Filesystems in an Infection and Persistence Vector

Sunday at 12:00 in LVCC - L1 - HW1-11-03 (Track 3)
45 minutes | Exploit 🪲, Tool 🛠

Alessandro Magnosi Independent Researcher at Synack RT and Cobalt Managing Consultant and R&D Lead at BSI

This article reassesses complex cyberattack tactics, focusing specifically on existing security measures and emerging weaknesses. We begin our investigation by examining initial methods of deployment in contemporary attacks, including those that focus on simulated read-only filesystems and NTFS vulnerabilities. Since the improvements made to the Windows security architecture in 2011, which include the enforcement of Driver Signature Enforcement (DSE) and Hypervisor-protected Code Integrity (HVCI), the nature of cyber threats has changed, requiring new ways to carry out attacks.

Our research presents a new method that takes advantage of previously uncovered weaknesses in emulated filesystems, allowing attackers to covertly install and maintain harmful programs. In addition, we uncover new NTFS vulnerabilities that enable attackers to conceal their presence and sustain persistence within victim systems. The study also investigates alternate methods for delivering and executing malware in usermode. In addition, we discuss several Indicators of Compromise (IOCs) to identify and detect these tactics.

  1. link
  2. link
  3. link
  4. link
  5. link
  6. link

Alessandro Magnosi

I am a Managing Consultant with more than 10 years of experience in the IT field. Currently, I am part of the Security Testing Team at BSI, which is the UK national standards body, and a Global certification, training and cybersecurity firm. On top of my normal work, I work as an independent researcher for Synack RT and Cobalt, and an independent OSS developer in my spare time.

Twitter (@klezVirus)
klezvirus.github.io

Back to top

Solving the "Lover, Stalker, Killer" Murder with strings, grep, and Perl

Sunday at 12:00 in LVCC - L3 - W322-W327 (Warstories Track)
20 minutes | Demo 💻

Anthony Kava

Cari Farver did not disappear off the face of the Earth. She was murdered in cold blood, and her killer went on to impersonate her online, for over three years. The suspect hid their tracks with VPNs, proxies, and anonymizing apps. This talk will go behind the scenes of Netflix's "Lover, Stalker, Killer" to detail the open source software and bespoke methods used to prove a no-body homicide case based almost entirely on digital evidence.

Dateline NBC, S26E1 "Scorned" (2017) Rule, Leslie. "A Tangled Web: A Cyberstalker, a Deadly Obsession, and the Twisting Path to Justice". Citadel Press, 2020. Netflix, "Lover, Stalker, Killer" (2024)

Anthony Kava

Anthony Kava is a hacker and carries a badge. Got his start breaking Apple IIs then moved, somehow, to breaking baddies. Works as a cyber crime investigator and digital forensics examiner with a penchant for infosec. Kava is a recognized Soylent drinker, scourge to software vendors, and has been portrayed by a Canadian in a Lifetime movie. Dreams in Perl. Enjoys long walks on the dark web.

LinkedIn
Website

Back to top

AIxCC Closing Ceremonies

Sunday at 12:30 in LVCC - L1 - HW1-11-01:02 (Tracks 1-2)
45 minutes

Andrew Carney Program Manager at DARPA AI Cyber Challenge (AIxCC) Program Manager at Advanced Research Projects Agency for Health (ARPA-H)

Perri Adams Special Assistant to the Director at Defense Advanced Research Projects Agency (DARPA)

DARPA and ARPA-H joined forces for the AI Cyber Challenge (AIxCC), a two-year competition aimed at revolutionizing cybersecurity through AI-driven solutions. AIxCC asks the nation’s top talent in AI and cybersecurity to develop Cyber Reasoning Systems capable of automatically finding and fixing software vulnerabilities to secure critical software. In this talk, we are excited to announce the results of the Semifinals event. We will conduct a brief examination of the AI systems developed by the top teams by analyzing their strategies, discuss key innovations and methodologies employed, and discuss the overall impact of the competition on the cybersecurity landscape. The top-ranking teams will be eligible to win one of the $2 million in semifinal prizes, as well as a spot in the Finals competition at DEF CON 33.

Andrew Carney

Andrew Carney joined ARPA-H in July 2023 from HSBC’s Cybersecurity Science and Analytics group, where he worked as a principal researcher. He has over 15 years of experience in software and hardware vulnerability research, technical education and training, and management of research and development teams.

In addition to his role as program manager with ARPA-H, Carney holds a joint program manager appointment with the Defense Advanced Research Projects Agency (DARPA) for the AI Cyber Challenge (AIxCC), a competition focused on securing software in critical infrastructure. Before HSBC, Carney was a technical advisor and contractor for the Defense Advanced Research Projects Agency (DARPA). At DARPA, he supported research efforts focused on reverse engineering, program analysis, human-machine teaming, and automated program repair. Throughout his career, Carney has been involved in competitive hacking (called Capture the Flag, or CTF) as both a player and a competition organizer. He holds a master’s degree in computer science from The Johns Hopkins University.

ARPA-H Profile

Perri Adams

Ms. Perri Adams is a special assistant to the director at DARPA, where she advises stakeholders at the agency and across the U.S. government on the next generation of AI and cybersecurity technology.

Prior to this role, Adams was a program manager within DARPA’s Information Innovation Office (I2O), where, among other programs, she created the AI Cyber Challenge (AIxCC).

Adams has been an avid participant in cybersecurity CTF competitions and was one of the organizers of the DEF CON CTF. She holds a bachelor’s degree in computer science from Rensselaer Polytechnic Institute and is a proud alumna of the computer security club, RPISEC.

Twitter (@perribus)

Back to top

Redefining V2G - How to use your vehicle as a game controller

Sunday at 12:30 in LVCC - L1 - HW1-11-04 (Track 4)
45 minutes | Demo 💻, Tool 🛠

Timm Lauser PhD Student at Darmstadt University of Applied Sciences

Jannis Hamborg PhD Student at Darmstadt University of Applied Sciences

Modern cars are a complex networks of computers put on four wheels. For security research, it is important to understand the car's internal network and exposed interfaces. But what else could you use this knowledge for? You probably guessed it from the title 🙂. So we developed a tool to turn our research car into a game controller.

In this talk, we present Vehicle-to-Game (V2G), a Python-based project that enables the usage of cars as game controllers. V2G can run either directly on a laptop or turn a Raspberry Pi Zero WH into a Bluetooth gamepad. In addition, V2G can either be used over the OBD2-diagnostic port or by directly accessing the internal CAN-busses of the car.

Our project can be a great starting point if you always wanted to tinker around with your car or want to learn about the CAN bus or diagnostic communication (UDS). To make V2G work with your car, some reverse engineering of CAN messages or diagnostic communication will be required (as well as additional hardware to connect to the CAN bus). Otherwise, if you can get this running, you can be sure that you own a more expensive game controller than your neighbors.

Tools and hardware:

  1. General introduction into the CAN-bus and UDS: link
  2. Tool for designing PCBs: link
  3. Tool for making CAN messages readable: link
  4. Hardware for accessing CAN-bus and OBD: link
  5. CAN utils: link
  6. CAN hat for Raspberry Pi: link

Used libraries:

  1. link Many thanks for providing this great library and documentation for utilizing the Raspberry Pi as a Bluetooth device!
  2. link
  3. link

Misc:

  1. Tesla DBC files: link
  2. ACSD website: link
  3. V2G Repository on GitHub (private until start of DEF CON): link

Timm Lauser

Timm Lauser received his masters degree in computers science from Karlsruhe Institute of Technology, Germany in 2020. Since then, he is a PhD student at Darmstadt University of Applied Sciences, Germany. There, he is researching in the field of automotive cyber security with a focus on communication protocols and their formal verification in the symbolic model.

Jannis Hamborg

Jannis Hamborg received his masters degree in computer science with focus on IT-security from Technical University Darmstadt, Germany in 2023. For his master thesis he researched about resilient and self-recovering reputation based networks. During the time of master he worked as assistant researcher at Darmstadt University of Applied Sciences, Germany on different topics of automotive security research. Since end of 2023, he started his PhD on the design and integration of resilient risk-driven networks with focus on internal automotive networks.

Back to top

Clash, Burn, and Exploit: Manipulate Filters to Pwn kernelCTF

Sunday at 12:30 in LVCC - L3 - W322-W327 (Warstories Track)
45 minutes | Demo 💻, Exploit 🪲

Kuan-Ting "HexRabbit" Chen Security Researcher at DEVCORE

As the successor to the iptables, nftables stands as a crucial network component within the Linux kernel, managing packet filtering and other network-related functionalities. With continuous development and changes, features designed to increase its efficiency, such as batch commit, anonymous chains/sets, and asynchronous garbage collection, have been implemented, which in turn has significantly increased its complexity and made it an attractive target for attackers in recent years.

Since the announcement of the kernelCTF bug bounty, multiple nftables 0-day vulnerabilities have been reported and patched to enhance its security. However, if not careful enough, the security patch may not only mitigate the bug but also introduce new security issues unintentionally. By researching the structural changes in the nftables codebase, we successfully uncover new vulnerabilities despite the intense competition in kernelCTF. Also, we managed to speedrun the exploitation just before Google removed nftables from LTS instance, becoming the last LTS nftables exploitation.

In this presentation, we will share three nftables vulnerabilities we discovered in a storytelling fashion. We start with a brief introduction on how nftables works under the hood to familiarize attendees with the basics. After that, we dive into nftables internals and dissect three vulnerabilities discovered during our journey, two of which involved utilizing hard-to-exploit race conditions to pwn the flag. Alongside details of the exploitation, we will also share the roller-coaster story of kernelCTF experiences, filled with dramatic highs and lows, making it a tense and exhilarating journey.

Kuan-Ting "HexRabbit" Chen

Kuan-Ting Chen, also recognized as HexRabbit, is a Security Researcher at DEVCORE and a member of the Balsn CTF team. Specializing in low-level exploitation, he is curious about how things work and enjoys the challenge of unraveling the complexities of modern computing systems.

Currently, he focused on the topic of Linux kernel exploitation, his work includes discovering multiple 0-day vulnerabilities in key Linux components like io_uring, ksmbd (an in-kernel SMB server), and the nftables submodule.

Blog
Twitter (@h3xr4bb1t)

Back to top

Your AI Assistant has a Big Mouth: A New Side-Channel Attack

Sunday at 13:00 in LVCC - L1 - HW1-11-03 (Track 3)
45 minutes | Demo 💻, Exploit 🪲, Tool 🛠

Yisroel Mirsky Tenure-Track Lecturer and Zuckerman Faculty Scholar, Department of Software and Information Systems Engineering at Ben-Gurion University

Roy Weiss Researcher and Master's Degree Student, Department of Software and Information Systems Engineering at Ben-Gurion University of the Negev

Daniel Ayzenshteyn Researcher and Master's Degree Student, Department of Software and Information Systems Engineering at Ben-Gurion University of the Negev

Guy Amit IBM Research PhD Candidate Student, Department of Software and Information Systems Engineering at Ben-Gurion University of the Negev

AI assistants like ChatGPT are changing how we interact with technology. But what if someone could read your confidential chats? Imagine awkwardly asking your AI about a strange rash, or to edit an email, only to have that conversation exposed to someone on the net. In this talk we'll unveil a novel side-channel vulnerability in popular AI assistants and demonstrate how it can be used to read encrypted messages sent from AI Assistants.

Before our disclosure, major players like OpenAI, Microsoft, Cloudflare, Quora, and Notion were at risk. We'll reveal the technical details of this exploit and show real-world examples of intercepted conversations. This talk isn't just about the problem – learn how to identify this vulnerability in other AI assistants as well! We'll dissect network traffic, discuss attack models, and explore the far-reaching consequences of this discovery.

References:

  1. Samuel Addington. Chatgpt: Cyber security threats and countermeasures. Available at SSRN 4425678, 2023.
  2. Benjamin Harsha, Robert Morton, Jeremiah Blocki, John Springer, and Melissa Dark. Bicycle attacks con- sidered harmful: Quantifying the damage of widespread password length leakage. Computers & Security, 100:102068, 2021.
  3. John V Monaco. What are you searching for? a remote keylogging attack on search engine autocomplete. In 28th USENIX Security Symposium (USENIX Security 19), pages 959–976, 2019.

Yisroel Mirsky

Dr. Yisroel Mirsky is a tenure-track lecturer and Zuckerman Faculty Scholar in the Department of Software and Information Systems Engineering at Ben-Gurion University and the head of the Offensive AI Research Lab there. His main research interests include deepfakes, adversarial machine learning, anomaly detection, and intrusion detection. Dr. Mirsky has published his work in some of the best security venues: USENIX, CCS, NDSS, Euro S&P, Black Hat, DEFCON AI Village, RSA, CSF, AISec, etc. His research has also been featured in many well-known media outlets: Popular Science, Scientific American, Wired, The Wall Street Journal, Forbes, and BBC. Some of his works include the exposure of vulnerabilities in the US 911 emergency services and research into the threat of deepfakes in medical scans, both featured in The Washington Post.

Roy Weiss

Roy Weiss is a researcher and a master's degree student in the Department of Software and Information Systems Engineering at Ben-Gurion University of the Negev. His research interests include Cyber Security, Network Security and Deep Learning.

Daniel Ayzenshteyn

Daniel Ayzenshteyn is a researcher and master's degree student in the Department of Software and Information Systems Engineering at Ben-Gurion University of the Negev. His research interests span Network Security, Cyber Security and Network Modeling.

Guy Amit

Guy Amit works at IBM Research and is a PhD candidate student in the Department of Software and Information Systems Engineering at Ben-Gurion University of the Negev. His research interests include machine learning, adversarial learning, and IoT cyber security.

Back to top

Contest Closing Ceremonies and Awards

Sunday at 13:30 in LVCC - L1 - HW1-11-01:02 (Tracks 1-2)
75 minutes

Back to top

Incubated Machine Learning Exploits: Backdooring ML Pipelines Using Input-Handling Bugs

Sunday at 13:30 in LVCC - L1 - HW1-11-04 (Track 4)
45 minutes

Suha Sabi Hussain Security Engineer, Machine Learning Assurance Team at Trail of Bits

Machine learning (ML) pipelines are vulnerable to model backdoors that compromise the integrity of the underlying system. Although many backdoor attacks limit the attack surface to the model, ML models are not standalone objects. Instead, they are artifacts built using a wide range of tools and embedded into pipelines with many interacting components.

In this talk, we introduce incubated ML exploits in which attackers inject model backdoors into ML pipelines using input-handling bugs in ML tools. Using a language-theoretic security (LangSec) framework, we systematically exploited ML model serialization bugs in popular tools to construct backdoors. In the process, we developed malicious artifacts such as polyglot and ambiguous files using ML model files. We also contributed to Fickling, a pickle security tool tailored for ML use cases. Finally, we formulated a set of guidelines for security researchers and ML practitioners. By chaining system security issues and model vulnerabilities, incubated ML exploits emerge as a new class of exploits that highlight the importance of a holistic approach to ML security.

  1. link
  2. link
  3. link
  4. link
  5. link
  6. link
  7. link
  8. link
  9. link
  10. link
  11. link

Suha Sabi Hussain

Suha Sabi Hussain is a security engineer on the machine learning assurance team at Trail of Bits. She has worked on projects such as the Hugging Face Safetensors security audit and Fickling. She received her BS in Computer Science from Georgia Tech where she also conducted research at the Institute for Information Security and Privacy. She previously worked at the NYU Center for Cybersecurity and Vengo Labs. She’s also a member of the Hack Manhattan makerspace, a practitioner of Brazilian Jiu-Jitsu, and an appreciator of NYC restaurants.

Twitter (@suhackerr)
sshussain.me

Back to top

Bringing Down North Korea

Sunday at 13:30 in LVCC - L3 - W322-W327 (Warstories Track)
45 minutes | Demo 💻

Alejandro Caceres Owner at Hyperion Gray

In January 2021, I discovered that North Korean state-backed agents were targeting security researchers. A few people got hit, including me. They didn't get anything, but I was very frustrated by the inaction of law enforcement, intelligence agencies, and DoD. I decided I was going to see what I could do. Armed with my computer and a bunch of Takis I got to work mapping out NK's infrastructure. This talk will detail the methods and tools I used to bring down North Korea's internet for 9 days along with the architectural and other vulnerabilities I found that allowed for the attack. This presentation will cover the technical aspects of the attack, criticisms of the DoD and Intel Community, praise from the DoD and Intel Community and the implications of a small team of hackers, or just one dude, causing real-world impact. Attendees will gain insights into create methodologies for network exploitation and the ethical, practical, and resistance from the government to cyber guerrilla warfare, demonstrating the need for agile and responsive cyber capabilities in the modern world.

  1. Greenberg, Andy. "The Hacker Who Took Down North Korea's Internet." Wired. link.
  2. Greenberg, Andy. "North Korea Hacker Internet Outage." Wired. link.
  3. DEF CON 21 Talk: "Conducting massive attacks with open source distributed computing" link
  4. DEF CON 29 Talk: "WTF happened to that tool that was like Shodan but for web app vulns?" link
  5. DEF CON 21 Talk: "The Dawn of Web 3.0: Website Mapping and Vulnerability Scanning" link.
  6. The Register: link

Alejandro Caceres

Alex is the dude that took down North Korea's Internet routing for 9 days. He owns Hyperion Gray and creates a bunch of open source software.

Twitter (@_hyp3ri0n)
Website

Back to top

Abusing legacy railroad signaling systems

Sunday at 14:00 in LVCC - L1 - HW1-11-03 (Track 3)
45 minutes | Demo 💻

David Meléndez R&D Enginner and Red Team Member, Innotec Security at Accenture

Gabriela (Gabs) Garcia

In this study, we delve into the darker aspects of railway technology, revealing how easily accessible domestic hardware tools can compromise the seemingly infallible robustness of signaling systems. We demonstrate how these accessible technologies can be utilized to devise strategies that potentially threaten train circulation in Spain. Our research presents a critical analysis of the vulnerabilities present in the railway signaling systems, highlighting the ease with which these systems can be tampered with, using tools that are readily available to the general public. Through a combination of theoretical insights and practical demonstrations, we offer a comprehensive overview of the risks associated with such vulnerabilities.

Our findings aim to raise awareness among stakeholders in the railway industry, prompting a reevaluation of current security measures and encouraging the adoption of more stringent protections against such threats. This paper contributes to the ongoing discussion in the cybersecurity community, offering valuable insights into the potential risks facing modern transportation infrastructures and suggesting avenues for future research and development in railway system security.

We consider this work to be innovative on a type of system that has been present for over half a century in railway infrastructures. Therefore, the references provided are primarily about the operation of the systems and relevant news concerning them.

  1. link
  2. link
  3. link
  4. link
  5. link
  6. link
  7. link
  8. link
  9. link
  10. link
  11. link
  12. link
  13. link
  14. link

David Meléndez

David Melendez is an R&D Enginner and Red Team member at Innotec Security Part of Accenture, with over twelve years of experience in cybersecurity and hardware hacking. He has a proven track record of presenting his groundbreaking investigations at prestigious conferences around the world, including DEF CON, BLACKHAT, and ROOTEDCON.

David is also a drone creator and author of the book "Hacking with Drones," which showcases his innovative use of drones in cybersecurity research. With his passion for pushing the boundaries of technology, David is constantly seeking new ways to improve the security and functionality of embedded systems.

LinkedIn
Twitter (@TaiksonTexas)

Gabriela (Gabs) Garcia

Gabriela (Gabs) García is a university professor and mentor, Secure Software Developer and coding and cybersecurity instructor for organizations such as LinkedIn, Cyber Hunter Academy and Kschool. She teaches, whether that's in a lecture hall or over the internet, about software development, with a keen eye for secure practices. She is a speakers in several hacking CONs like DEF CON USA, ROOTEDCON etc.

Gabriela is also an active member in hacker communities such as HackMadrid%27 and Hack%27, both at home in Spain and across the world. And as an independent professional, she gets to work with a wide variety of clients, crafting custom cybersecurity solutions to fit their specific needs.

LinkedIn
Twitter (@constrainterror)

Back to top

Back to top