All the presentations of #Hacktivity2021 can be found on this page. We reserve the right to change the program.
The exploration of baseband security has come a long way in the past decade. Published research has exposed privacy issues in 3GPP protocols from GSM to LTE and traditional memory safety vulnerabilities in implementations of various chipset vendors. Yet, in some ways, we have only scratched the surface.
For one, almost all published memory corruption bugs have been classic TLV parsing vulnerabilities in Layer 3 GSM. For another, previous remote exploitation demonstrations looked at basebands as more code doing typical input parsing without considering the maze of hardware elements that surround them and stayed inside the baseband sandbox.
We have set out to challenge the status quo with our research into the newest iterations of Huawei’s Kirin SoCs. After Pwn2Own 2017, Huawei stopped supporting unlocked bootloaders, introduced new firmware encryption for SoC components, and invested heavily in improving code quality from the well-known baseband source leak. In fact, the latest Kirin chipsets that have been the subject of published research are from 2016.
We will cover our journey from unlocking the newest generations of Huawei devices through identifying and exploiting bootloader vulnerabilities to building a debugger and reversing new mitigation improvements of the baseband OS. We will dive into a part of the 3GPP stack that hasn’t received much attention before and present our results of reversing Huawei’s implementation and finding remotely exploitable vulnerabilities that work differently from previously documented baseband memory corruption bugs.
Finally, we will investigate the ways a baseband interacts with the rest of the SoC. We will show a handful of vulnerabilities that we have found, both in software and hardware, and explain how we exploited them to escape from the baseband and take over not only Android and the Linux kernel, but even TrustZone.
It is a well-known fact that there are computers around us, almost everywhere.
Sometimes we don’t even realize that there is a small 8-bit processor inside a tool we are using day by day.
Regardless of the size or the complexity of the processor, we expect the device to be safe.
We assume that the device takes care of our personal data, and does not allow anyone to steal or modify it.
I am going to talk about a very popular apartment intercom and door lock system, which is a good example of a vulnerability in an unexpected territory.
When I arrive home, I use my proxy card to open the door.
I did not expect that the system is so unprotected that anyone can steal all the PIN codes and proxy ID’s in 3 minutes.
It would be also easy to implement a man-in-the-middle attack, because the main board has a perfect expansion slot.
By using a simple electronic device with radio communication support, an attacker would be able to monitor specific people real time and remotely.
If you thought a few pieces of information don’t reveal anything, you are wrong! Unmask a real scammer which the police didn’t find and return lost vacation photos to a stranger. You will be amazed at what you can find out with supposedly “unimportant information” if you only put the pieces of the puzzle together correctly using OSINT (Open Source INTelligence) techniques. This presentation gives you two (three) examples (with live demo) on how one piece of data can be enriched to lead you to the target. Learn which tools OSINT specialists use. Spoiler alert: it’s not Google.
Trusted Execution Environments (TEE’s) are used in a large number of devices − ranging from smartphones to automotive infotainment systems − to securely store private data, cryptographical artefacts and encrypt/decrypt data on the fly.
Different vendors are using different solutions for a Trusted Execution Environment, e.g. an external coprocessor like Googles Titan M, an on-SoC processor like Apples SEP or a “virtual” processor like the ARM TrustZone. This talk is all about penetration testing vendor specific trustlets of the ARM TrustZone.
You will not only learn how a TEE works but also where and how it is used in real life. Followed by a deep dive on how a trustlet could be technically tested − from emulation to reverse engineering − you can also expect a great example of what could possibly go wrong: Because ”trusted” is not automatically “secure”.
IoT vulnerability research usually involves both static and dynamic analysis of the target device. To aid in this task, researchers typically perform some sort of emulation to enumerate the filesystem as well as run the respective binaries. Luckily, there are tools like QEMU and/or Buildroot to guide our path on the way, but this does not mean the way is smooth.
Our main goal was to create a framework and documentation suitable for MIPS (LE/BE) device research, which can be used in a Dockerized environment to set up as many emulated IoT devices as desired. The goal was to create the least amount of pain and effort to set up the emulation infrastructure. This means, you will have a target MIPS architecture virtual machine running natively with all the binaries, full network stack, debugging tools, and other useful tools. Let the pwning begin!
With the public disclosure of the ProxyLogon vulnerability earlier this year, multiple attackers got a unique opportunity to gain foothold on unpatched Exchange servers in the wild. This led to a discovery of a threat actor we dubbed GhostEmperor, which used a sophisticated malware and rootkit as part of its infection chain. This actor has proven to represent a cluster of more capable and advanced culprits operating under the Chinese-speaking nexus of cyber espionage. In this talk, we are going to profile it and its toolset, describing the advanced measures it used while controlling high profile organizational Exchange servers.
Adversaries have been continuously improving their malware to be stealthier and more resilient on both the victim’s host as well as on the network. Examples of these innovations on the latter include Fast Flux networks, Domain Generation Algorithms and Domain Fronting among other techniques. Unfortunately, open source tools for threat emulation currently have limited support for such advanced features, leaving redteams with easy to detect C2 communications. We present C2Centipede, a proxy tool that provides these features to HTTP reverse shell tools (like Metasploit or Empire) to be stealthier on the network by dynamically and transparently modifying the trojan’s C2 communication routing and beaconing strategies, with the aim of evading some of the blueteam’s detection strategies.
The security of the products we use depends strongly on the developers. Even IT security products are vulnerable – what about consumer and industrial products, where the developers are not trained security professionals?
The BOSCH Group develops many products, and their security is an essential part of our quality promise. We have in place processes for secure product development that include threat and risk assessment, design for security, as well as security testing and monitoring. We are confident that our final products meet the state of the art. At the same time, preventing a mistake is much better than finding and correcting it later.
The presentation is about a recent CTF game we organized internally to promote product cybersecurity among our developers. We talk about challenges and solutions to address our large developer community, to bring the concept of cybersecurity into our daily work.
The recent evolution of malware attack includes more and more data exfiltration. Then the attacker has to face several critical issues than can trigger alert and block the exfiltration :
– I1. Data may be analyzed so semantic detection (keywords) can be enforced
– I2. Encrypting data before exfiltration is likely to be detected by a simple entropy profile test (however it is rarely in place)
– I3. Encryption means a secret key that can be recovered during statuc or dynamic analysis of the malware or the process performing the data exfiltration
– I4. All outbound traffic may encrypted automatically and this encryption it out-of-control for this attacker (this is the case in military networks for instance)
This talk intends to show how an attacker could exfiltrate sensitive data while bypassing all these issues by using different innovative malicious cryptography techniques. These techniques may also be considered by malware designers to make malware/ransomware techniques evolve in a more critical way.
Browser extensions are installed anywhere, they serve as an integral part of our day-to-day web routine, from AdBlockers to Auto-Translators. But – do we know what is running inside of them? Do we know what goes deep-down inside their communication routines? How do they use their internal API’s? And how do their different JS execution contexts work?
In this session, I will explore these unique internal extension API’s, hidden attack-surfaces and show how these concepts can be broken & exploited using new ways! I start showing how an attacker can “jump” from one low-permissions chrome-app/extension to another, hence elevating its permissions. Then, I will show how to gain full “browser-persistency” inside extensions’ background-scripts context.
Chaining it all together, I show how attacker, starting from low permissions chrome-app, gains a fully-armed “extension-rootkit”, a persistent JS-malware running inside of a “good” extension, along with C&C features, JS injection techniques to any tab/origin, obfuscation-techniques and more. Eventually, I will present a generic technique, targeting all chrome-users, for taking over any previously installed chrome extension and implant an “extension-rootkit” in it.
CSS “keyloggers” are quite a controversial topic, a lot of security professionals glance over it and claim that there is absolutely no practical use in real circumstances. I tumbled across an article this year (2021) stating the same, calling it BS and fear mongering. I really do not like when we belittle possible attack scenarios. So I took a look at the reasons why this is “unusable” to according to some. To my surprise some (most?) of the “large problems” are quickly fixable. I do not consider myself a full-blown security researcher to any stretch of the imagination, but the tool I’ll release during this talk is simple and it works. I honestly think that downplaying such problems is the reason why a lot of sites miss CSP header configuration on CSS and images, thus leaving the possibility to be exploited with CSS.
Mobile adware industry keeps getting bigger and bigger, yet few security researchers study these kinds of threats. As there’s a very fine line between a junior developer and malicious one, catching the criminals red handed is a difficult task in the case of ad fraud. The presentation will start with the motivator for creating such adware for various actors. Big money can attract a lot of shady individuals, often with tragic economic results. Clients that just want to push their product to real humans end up scratching their heads not knowing that the ones viewing their are just a bunch of code hacked together by a script kiddie. I will cover the largely undocumented techniques that are used by modern actors to commit ad fraud on a massive scale with an emphasis on mobile adware. By masquerading inside mostly legitimate apps, isolating the bad code can be quite a challenge even for seasoned Android reversers. Hopefully I’ll be able to shed some light on this and improve the detection ecosystem.
So you work at an organization that has spent a decent amount of money, energy and effort putting effective cyber controls in place – but you STILL get exposed to new attacks, and it seems like you will never be on top of them?
In our presentation we look at how vulnerabilities from unexpected places can come from unexpected places – from 3rd parties, suppliers and outsources down to your own engineering and development teams – and what can you do to detect, deny, and contain them.
Cloud Computing industry is constantly growing, as more and more companies are migrating their workloads to the public cloud providers. The number of breaches seems also to be higher than ever; according to the survey conducted by Sophos, 70% of organizations suffered at least one public cloud security breach (2019). One of the root causes is that public cloud environments are very different from what we used to see on premise. How to address these new security challenges? During this presentation we are going to focus on detective controls; to be more specific – Log Management and Security Monitoring. There are several native logging and monitoring solutions from the cloud providers, such as AWS CloudTrail and CloudWatch, Azure Monitor and GCP Cloud Logging. We are going to discover features of these solutions and finally – see how a skilled attacker could evade monitoring on AWS Cloud by using a few tricks (some counter-techniques for the Blue Teams included!).
Serverless technology eliminates the need for development teams to provision servers, and it also results in some security threats being passed to the cloud provider. This frees up developers to concentrate on building logic and producing value quickly. But cloud functions still execute code. If the software is written poorly, it can lead to a cloud disaster.
How can developers ensure that their code is secure enough? They can scan for common vulnerabilities and exposures (CVEs) in open-source code. They can even scan their Infrastructure-as-Code (IaC) tool to identify insecure configurations. But what about custom code? At many organizations, the application security team struggles to keep up with the speed of development in a serverless environment. Traditional testing tools not only provide very limited coverage, but also slow development cycles unacceptably. Serverless code contains a mixture of cloud configurations and application programming interfaces (API) calls. As a result, legacy solutions lack the context that is necessary in a serverless environment, and the consequence is a lack of observability and slower response times.
Fortunately, it does not have to be this way. Organizations can leverage robust security during serverless development, automatically—if it is done properly. In this talk, we will discuss common risks in serverless environments. We will then cover existing testing methodologies and why they do not work well for serverless. Finally, we will present a new, completely frictionless way of testing serverless applications automatically—with no scripts, no tests, and no delays.
The Diffie–Hellman–(Merkle) key exchange is one of the oldest and the most widely used methods to securely exchange cryptographic keys. The method is adopted by the most popular cryptographic protocols. A significant part of servers using these protocols still support the ephemeral version (DHE) of the method as it supplies forward secrecy, unlike the same age RSA key exchange. DHE is used even though the elliptic-curve based variant of the method (ECDHE) supplies the same security level using smaller keys and needing less computation. Depending on the key sizes, the used cryptographic protocol, and the server application, only some, or some ten kilobytes bandwidth is sufficient to consume a whole CPU core on a server without loading the client at all. I will demo how to do that with any server that implements TLS, SSH, OpenVPN, or IPsec cryptographic protocol by forging handshakes messages and how to minimize the risk this technique poses.
Penetration Testing is an authorized, systematic, and in-depth evaluation process of testing a computer system, network or web application to find security vulnerabilities that an attacker could exploit. Large corporations and companies tend to organize their own, internal Penetration Testing teams in order to properly assess their environment. However, Penetration Tests management in such organizations is burdened with multiple problems, like:
• Scoping problems.
• Divergent goals across different teams.
• Retest management.
• Vulnerability tracking
• And many others.
The goal of this presentation is to share authors’ experience and view on the Penetration Testing management in large organizations. Multiple problems are highlighted in the presentation, together with a possible directions towards their solving. It may provide an useful insight to not only those, who are organizing internal Penetration Testing teams, but also to people of other positions.
I will present some real cases of vulnerabilities (mostly, caused by design flaws) in microservice applications and practical tips (including open-source checklist) on how to provide microservice applications security architecture assessment present. That information could be interesting for bug hunters to find sophisticated vulnerabilities as well as application security architects to secure their applications.
Hackers have been mislabeled and treated as criminals due to socially constructed beliefs that have been pushed out by the public. In return, we face prosecution when doing our job and trying to keep the world safe from attackers. Current legislation has destroyed many lives of hackers who did not exploit and stayed within scope. In return, 1 out of 4 hackers don’t submit vulnerabilities due to the ongoing fear of prosecution. This talk dives into the socially constructed beliefs that the world has towards hackers and how increasing public awareness is needed to change their mindset to update out-of-date legislation.
In this talk, I would like to explain why mobile app security testing is also essential even if you application doesn’t deal in financial directly and walk you through some of the common mistake.
DNS is often a bit overlooked in cybersec world, but it is used in almost every malicious campaign. During the course of the session we will aim to cover: – How DNS is used in various phases of the intrusion kill chain – The technical mechanisms behind DNS as command and control (C&C) channel, data exfiltration, infiltration and more – How DNS is used in real attacks – we will walk through recent and most interesting examples of malware and APT attacks.
The geolocation data is part of our everyday life but security aspects of geolocation-based civilian services got into focus just recently because e.g. failure of self-driving/autonomous vehicles, drones may affect human life. A security layer is available at GPS (US), GLONASS (RU), BeiDou (CN) but just for military services. The big advantage of GALILEO (EU) is that security layer is also available for civilian services (it uses asymmetric key cryptography as well, not just symmetric key cryptography): everyone can verify e-signatures (integrity and authenticity) of geolocation data and time in OSNMA (Open Service Navigation Message Authentication) elements, so it makes spoofing attacks harder. This may be an important improvement for providing more secure services such as geofencing-based identity and access management systems, contact tracing (COVID-19, illegal immigrants) or even fighting against fake news by applying protected geolocation data and time into images (JPEG/Exif).
In this talk, I will demonstrate how you can build your own custom detection controls for your organisation at scale using cloud native services and open source NSM tools such as for pennies compared to commercial solutions. I will talk about how we can leverage serverless to build our own automation to detect malicious events across multiple accounts and I will also talk about how we can leverage lesser known cloud native services such as traffic mirroring and open source NSM’s to build a robust threat detection system which can detect known and unknown threats within your cloud environment. I will address how we have built custom detection controls for detecting critical misconfigurations and complex threats such as C2 beaconing, network intrusion and mass data extraction.
During our vulnerability research, we broke the defenses of some of the most popular open-source web applications. We realized that many code vulnerabilities we discovered share a common theme. In this presentation, we want to express this common denominator as a simple, abstract methodology that seems to have gone unnoticed in the industry. Developers and security researchers can apply this pattern to find and prevent similar vulnerabilities in any project of any size, language, or environment. To turn our theoretical pattern into an entertaining presentation, we explain and demo related vulnerabilities that we discovered in applications such as Magento2, WordPress, and Zimbra.
After almost two years of hacking on Google’s bug bounty program, I have found some weird, unexpected, and dare-to-say-it interesting security vulnerabilities. I will share 4 of these stories with you, from the initial ideas to the actual POC videos I have sent to Google. I’ll capture the key takeaways of these bugs, so you can avoid making the same mistakes when developing your applications. We will play with Google Assistant, the 2020 classic Google Classroom, and many (2) other products. I have never talked about these bugs publicly before, so prepare for some epic exclusivity. And yes, I will even tell you the bounty amounts.
Monitoring Systems are interesting targets of hackers. These systems store sensitive information and they have access to multiple systems.
There are smaller and bigger vulnerabilities and sometimes these vulnerabilities can be chained together to achieve a bigger goal.
In this speech, I will demonstrate a Chained Remote Code Execution vulnerability in a Pandora FMS system.
Machine learning has proven its value in many industries. Yet, due to fast implementations, most real-world ML systems affecting our lives are catastrophically insecure. The state of ML security today is similar to computer security in the 90s.
To show the whole picture, this presentation will connect many signals from governments, academia, and industry in their efforts to secure AI systems. The talk is based on the research that covers the past 10 years of progress in adversarial machine learning.
While the field of adversarial ML is primarily driven by academia, the talk will also focus on the industry and cover the rising number of real-world vulnerabilities in AI systems, emerging ML security tools and frameworks, and the growth of AI red teams.
Actually, Many company manage many many security solutions like IPS, WAF, F/W, APT, Anti-virus. and that solutions make much detection logs(Maybe Numerous TB per day). It is so difficult to find really dangerous attacker in huge logs like sea. For this, SIEM appears and recently use machine learning. But, Do you have enough indicators to analysis using machine learing?
Do you like baseball or football? In every sports mechanism, important actions of players be made “numeric” through various techniques. and Through this, you can find who is best player even if you didn’t watch all the games. This allows us to get ideas. If we can make “numeric” all tha dectection logs, it is sure we’ll find notable player(attacker).
I want to introduce how to identify notable attacker used transform data to numeric and analysis techniques. The purpose of this lecture is to help in charge of security and SOC understand what an how to do in order to do a better job.