skip to main content

DEF CON 28 Hacking Conference

SPEAKERS

SPEAKERS



DEF CON official presentations will be pre-recorded, each full day of talks will be pre-released online at midnight PDT (GMT -7) the day they are scheduled for, as a torrent on media.defcon.org and on our official YouTube. The dates and times below are special live streamed Q&A sessions for each talk, as well as additional fireside lounges and panels. These sessions will be streamed on Twitch at https://www.twitch.tv/defconorg. All discussions and attendee to speaker participation will be on the DEF CON Safe Mode Discord Server at: https://discord.com/channels/708208267699945503/733079621402099732

Lateral Movement and Privilege Escalation in GCP; Compromise any Organization Without Dropping an Implant

Live 30 min Q&A on Sunday, August 9th at 16:30 on the DEF CON Twitch
Demo, Tool, Exploit

Dylan Ayrey Security Engineer

Allison Donovan Security Engineer

Google Cloud’s security model in many ways is quite different from AWS. Spark jobs, Cloud Functions, Jupyter Notebooks, and more default to having administrative capabilities over cloud API's. Instead of defaulting to no capabilities, permissions are granted to default identities. One default permission these identities have is called actAs, which allows a service by default to assume the identity of every service account in its project; many of which typically have role bindings into other projects and across an organization's resources.

This means by default many API's and identities can compromise large swaths of an organization by moving laterally by impersonating or gaining access to other identities. This can all be done without dropping a single implant on a machine.

In this talk we'll demonstrate several techniques to perform identity compromise via the ActAs permission, privilege escalation, lateral movement, and widespread project compromise in Google Cloud. As well as release tools for exploitation.

Next we'll show what detection capabilities are possible in the Google Cloud ecosystem, by showing Stackdriver logs that correspond with our exploitation techniques, and showing limitations in what's available. We'll also release tools and queries that can be used for detection . As well as insight to how we have attempted to tackle this problem at scale.

Lastly we'll go over remediation efforts you can take as a Google Cloud customer, and show how difficult it can be to secure yourself against these attacks. We will release tools that can be used to harden your organization, and walk through user stories and anecdotes of what this process looks at scale within our organization.

Dylan Ayrey
I'm a Senior Security. I've been heavily involved in the open source community for a few years, and I've been doing my best to bring security practices into the cloud/devsecops world

Allison Donovan
Allison Donovan is a security researcher who specializes in cloud-based platforms and services. She was previously employed as a Senior Infrastructure Security Engineer at Cruise, where she secured cloud-based environments at scale, and previously worked at Microsoft on mobile application security and site reliability engineering.

Back to top

Finding and Exploiting Bugs in Multiplayer Game Engines

Live 30 min Q&A on Friday, August 7th at 14:30 on the DEF CON Twitch
Demo, Tool, Exploit

Jack Baker

Unreal Engine 4 and Unity3D dominate the multiplayer gaming landscape. They're also complicated pieces of software written in C and C++. In this talk, Jack will share the results of months of bug hunting in multiplayer game networking protocols. Be prepared for memory disclosures, speedhacks, and WONTFIX vulnerabilities.

Jack Baker
Jack Baker is a professional reverse engineer and amateur video game hacker. Jack is most known for having the same name as a Resident Evil villain.

Back to top

DNSSECTION: A practical attack on DNSSEC Zone Walking

Live 30 min Q&A on Thursday, August 6th at 11:30 on the DEF CON Twitch
Demo, Exploit

Hadrien Barral Hacker

Rémi Géraud-Stewart Hacker

Domain Name System (DNS) is an ubiquitous and essential component of the Internet. It performs translations between identifiers and resources (mostly domain names and computers, but not only), yet remains often invisible to the user. But DNS is not harmless: although not intended to be a general purpose database, it has been extended to incorporate additional types of information. Including information that should not be there.

In this talk we show how to exploit DNSSEC zone walking to perform advanced recon operations, on a real case, namely to obtain client private information from a large European cloud provider. This constitutes the first practical zone walking attack at such a scale.

Using this exploit we collected a substantial amount of private information, enough to share some interesting statistics. By the end of this talk, you will have everything you need to know to perform similar attacks -- and resist them.

Hadrien Barral
Hadrien Barral is an R&D engineer, focusing on security and high-assurance software. He enjoys hacking on exotic hardware.

Rémi Géraud-Stewart
Rémi Géraud-Stewart is a cryptologist and security expert with École Normale Supérieure in Paris, focusing on intrusion and cyberwarfare.

Back to top

Shrek, Juggs, and Toxic Trolls: a BADASS discussion about Online Sexuality and Hacktivism.

Live, Friday, August 7th at 21:00 on the DEF CON Twitch

Katelyn Bowden CEO and Founder (Intro speaker and panel moderator)

Rachel Lamp COO

Allie Barnes CTO

Kate Venable Head of Legal

Marleigh Farlow CMO

Tim Doomsday CISO

In this panel discussion, the BADASS army team will be talking about the intersection between security and sex, the problem of online exploitation and harassment, and what needs to be done to address these issues. After an introduction to the org and the culture of NOn Consensual Pornography, The panel will be a free form conversation with audience participation, covering a wide variety of topics related to NCP and online sexual abuse.

BADASS is a nonprofit org dedicated to fighting image based abuse. Founded in 2017 by victims of NCP, it has grown to be one of the major organizations trying to prevent online exploitation.

Back to top

A Hacker’s Guide to Reducing Side-Channel Attack Surfaces Using Deep-Learning

Live 30 min Q&A on Friday, August 7th at 17:30 on the DEF CON Twitch
Demo, Tool, Exploit

Elie Bursztein Google

in recent years, deep-learning based side-channel attacks have been proven to be very effective and opened the door to automated implementation techniques. Building on this line of work, this talk explores how to take the approach a step further and showcases how to leverage the recent advance in AI explainability to quickly assess which parts of the implementation is responsible for the information. Through a concrete set by step example, we will showcase the promise of this approach, its limitations, and how it can be used today.

Elie Bursztein
Elie Bursztein leads Google' security & anti-abuse research team. He has authored over fifty research papers in the field for which he was awarded 8 best papers awards and multiple industry distinctions including the Black Hat pwnie award. Born in Paris, he received a Ph.D. from ENS-cachan in 2008 before working at Stanford University and ultimately joining Google in 2011.

@elie

Back to top

Spectra—New Wireless Escalation Targets

Live 30 min Q&A on Friday, August 7th at 10:30 on the DEF CON Twitch
Demo, Tool, Exploit

Jiska Classen Secure Mobile Networking Lab

Francesco Gringoli University of Brescia

Wireless coexistence enables high-performance communication on platforms with a small form factor despite overlapping frequency bands. On-chip coexistence is essential to combine wireless technologies, and manufacturers implement various proprietary solutions. This presentation demonstrates multiple attacks on two coexistence features of Broadcom and Cypress Wi-Fi/Bluetooth combo chips. Various popular devices that were released over a decade are affected, such as the Google Nexus 5 and iPhone 6, but also the newest iPhone 11 and Samsung Galaxy S20.

On the analyzed chips, Wi-Fi and Bluetooth run on separate processing cores, but various information leaks and even code execution become possible through their coexistence interfaces. As these escalations concern an internal chip interface, the operating system cannot prevent them. However, coexistence exploitation widens the possibilities to escalate into drivers and the operating system on top.

Jiska Classen
jiska likes to break things, and Francesco loves reverse engineering. They both have a history in binary patching on Broadcom chips. While jiska focuses on the Bluetooth side of this project, Francesco is the Wi-Fi specialist.

@naehrdine

Francesco Gringoli


Back to top

D0 N0 H4RM: A Healthcare Security Conversation

Live, Friday, August 7th at 20:00 on the DEF CON Twitch

Christian “quaddi” Dameff MD Physician & Medical Director of Security at The University of California San Diego

Jeff “r3plicant” Tully MD Anesthesiologist at The University of California Davis

Jessica Wilkerson Cyber Policy Advisor, FDA

Veronica Schmitt Assistant Professor, Noroff University

Ash Luft Software Engineer Starfish Medical

Vidya Murthy Vice President Operations, MedCrypt

It is certainly a time of discovery- though the truths revealed by the COVID-19 crisis can be bitter and bleak. At a time when all attention is focused on the ERs and ICUs that make up the battle’s front lines, it is easy to cast aside old warnings to focus solely on the clinical war. But the need for safety and security only increases in the face of a pandemic- and healthcare cybersecurity is no different. From testing to ventilators, every facet of our response to COVID-19 depends on trustworthy and reliable technology.

D0 No H4rm- DEF CON’s continuing conversation on healthcare returns for another up close (but not too close) and personal dialogue between hackers at the top of their fields- from the halls of the FDA to the cutting edge of medical devices security research for an all-encompassing look at what we need to focus on in the age of COVID. Moderated by physician hackers quaddi and r3plicant, this perennially packed event aims to recruit the talent, ingenuity, and vision of the DEF CON family for the challenges we face both now and after the immediate crisis passes.

Christian “quaddi” Dameff MD
Christian (quaddi) Dameff MD is an Assistant Professor of Emergency Medicine, Biomedical Informatics, and Computer Science (Affiliate) at the University of California San Diego. He is also a hacker, former open capture the flag champion, and prior DEF CON/RSA/Blackhat/HIMSS speaker. Published works include topics such as therapeutic hypothermia after cardiac arrest, novel drug targets for myocardial infarction patients, and other Emergency Medicine related works with an emphasis on CPR optimization. Published security research topics including hacking critical healthcare infrastructure, medical devices and the effects of malware on patient care. This is his sixteenth DEF CON.

@CDameffMD

Jeff “r3plicant” Tully MD
Jeff (r3plicant) Tully is an anesthesiologist, pediatrician and security researcher with an interest in understanding the ever-growing intersections between healthcare and technology.

@JeffTullyMD

Jessica Wilkerson
Jessica Wilkerson is a Cyber Policy Advisor with the All Hazards Readiness, Response, and Cybersecurity (ARC) team in the Center for Devices and Radiological Health (CDRH) within the Food and Drug Administration (FDA). As part of ARC, she examines issues and develops policy related to the safety and effectiveness of connected medical devices. Previously, she worked as the Cybersecurity Research Director for the Linux Foundation, and spent over five years as a congressional staffer with the House Committee on Energy and Commerce, covering cybersecurity issues in the telecommunications, commercial, energy, and health sectors. As part of that work, she examined issues related to coordinated vulnerability disclosure, software supply-chain transparency, legacy technology risks, and cybersecurity governance models, among others. She has a background in mathematics and computer science. She received a B.A. in Policy Studies and minors in Computer Science and Mathematics from Syracuse University, and is currently pursuing a J.D. from the Catholic University of America’s Columbus School of Law."

Veronica Schmitt
Veronica started her forensic career in 2008. She is currently an Assistant Professor at Noroff University, where she has been given her own Minions to plan her world domination.. Veronica serves as part of the WoSEC board of directors, and the board of directors of DFIRLABS that specializes in the investigation of complex incidents. Veronica holds a Master in Science at Rhodes University in Information Security with specialisation in the forensic analysis of malware. Veronica has also received training overseas in cybercrime investigation and digital forensics from the US Department of Homeland Security, the International Association of Computer Investigative Specialists, and the SANS Institute.

She is also an Independent Security researcher currently working with Medtronic which is one of the largest Medical Device Manufacturers. She prides herself in keeping patients safe as this is something which is near to her heart. She is also a cyborg sporting an embedded medical device herself. She also has spoken extensively internationally, including at the SANS DFIR Summit, and DEF CON Villages. She also is a DEF CON Goon and she is the founder of DC2751.

Her particular research interests include research into security vulnerabilities in medical devices forming part of the Internet of Things, and how these could be exploited by malicious attackers, as well as what types of forensic artefacts could be identified from any attacks. She is extremely passionate about protecting people whose lives depend on these medical devices, and her passion saw her becoming a member of the security research group, I am the Cavalry. At her core Veronica is a forensicator and in love with every bit, byte and nibble of knowledge she has obtained.

@P01z0n_P1x13

Ash Luft
Ash Luft is an Embedded Software Engineer with a background in Computer Science, Biochemistry, and Electrical Engineering. With industry experience in Software and Biomedical Device Development, Ash specializes in designing for and implementing safety, security, and privacy in Clinical IoT and Medical Devices. Ash is passionate about protecting patient outcomes while delivering cost-effective, high quality solutions.

Vidya Murthy
Vidya is fascinated by the impact of cybersecurity on the healthcare space. Beginning her career in consulting, she realized a passion for healthcare and worked for global medical device manufacturer Becton Dickinson. She has since joined MedCrypt, a company focused on bringing cybersecurity leading practices to medical device manufacturers. Vidya holds an MBA from the Wharton School.

Back to top

Demystifying Modern Windows Rootkits

Live 30 min Q&A on Thursday, August 6th at 15:30 on the DEF CON Twitch
Demo, Tool, Exploit

Bill Demirkapi Independent Security Researcher

This talk will demystify the process of writing a rootkit, moving past theory and instead walking the audience through the process of going from a driver that says "Hello World" to a driver that abuses never-before-seen hooking methods to control the user-mode network stack. Analysis includes common patterns seen in malware and the drawbacks that come with malware in kernel-mode rather than user-mode.

We'll walk through writing a rootkit from scratch, discussing how to load a rootkit, how to communicate with a rootkit, and how to hide a rootkit. With every method, we'll look into the drawbacks ranging from usability to detection vectors. The best part? We'll do this all under the radar, evading PatchGuard and anti-virus.

Bill Demirkapi
Bill is a student at the Rochester Institute of Technology with an intense passion for Windows Internals. Bill's interests include game hacking, reverse engineering malware, and exploit development. In his pursuit to make the world a better place, Bill constantly looks for the next big vulnerability following the motto "break anything and everything".

@BillDemirkapi

Back to top

Ask the EFF/Meet the EFA

Live, Saturday, August 8th at 19:00 on the DEF CON Twitch

Kurt Opsahl Deputy Executive Director & General Counsel , Electronic Frontier Foundation

Eva Galperin Director of Cybersecurity, EFF

Alexis Hancock Staff Technologist, EFF

Rory Mir Grassroots Advocacy Organizer, Electronic Frontier Alliance

Hannah Zhao Staff Attorney, EFF

Nash EFF

Emilie St-Pierre Future Ada

Abi Hassen BMLP

Elliot Cypurr Collective

Tracy Rosenberg Oakland Privacy

Join the Electronic Frontier Foundation—the nation's premiere digital civil liberties group fighting for freedom and privacy in the computer age—for a candid chat about how the law is racing to catch up with technological change and discovery.

Then meet representatives from Electronic Frontier Alliance (eff.org/fight) allied community and campus organizations from across the country. These technologists and advocates are working within their communities to educate and empower their neighbors in the fight for data privacy and digital rights.

This discussion will include updates on current EFF issues such as the government's effort to compromise free expression online, the fight to end face surveillance, updates on cases and legislation affecting security research, and discussion of EFF's technology projects empowering users with greater control of what information they share online.

Half of this session will be given over to question-and-answer, so it's your chance to ask EFF questions about the law, surveillance and technology issues that are important to you.

Kurt Opsahl
Kurt Opsahl is the Deputy Executive Director and General Counsel of the Electronic Frontier Foundation. In addition to representing clients on civil liberties, free speech and privacy law, Opsahl counsels on EFF projects and initiatives. Opsahl is the lead attorney on the Coders' Rights Project, and is representing several companies who are challenging National Security Letters. Before joining EFF, Opsahl worked at Perkins Coie, where he represented technology clients with respect to intellectual property, privacy, defamation, and other online liability matters, including working on Kelly v. Arribasoft, MGM v. Groksterand CoStar v. LoopNet. For his work responding to government subpoenas, Opsahl is proud to have been called a "rabid dog" by the Department of Justice. Prior to Perkins, Opsahl was a research fellow to Professor Pamela Samuelson at the U.C. Berkeley School of Information Management & Systems. Opsahl received his law degree from Boalt Hall, and undergraduate degree from U.C. Santa Cruz. Opsahl co-authored "Electronic Media and Privacy Law Handbook." In 2007, Opsahl was named as one of the "Attorneys of the Year" by California Lawyer magazine for his work on the O'Grady v. Superior Court appeal. In 2014, Opsahl was elected to the USENIX Board of Directors.

Eva Galperin
Eva Galperin is EFF's Director of Cybersecurity. Prior to 2007, when she came to work for EFF, Eva worked in security and IT in Silicon Valley and earned degrees in Political Science and International Relations from SFSU. Her work is primarily focused on providing privacy and security for vulnerable populations around the world. To that end, she has applied the combination of her political science and technical background to everything from organizing EFF's Tor Relay Challenge, to writing privacy and security training materials (including Surveillance Self Defense and the Digital First Aid Kit), and publishing research on malware in Syria, Vietnam, Kazakhstan. When she is not collecting new and exotic malware, she practices aerial circus arts and learning new languages.

Alexis Hancock
Alexis works to secure the web by working on HTTPS Everywhere. She has previously been a web developer and system administrator for 7 years and a statistician in the education realm. She has earned degrees from the Rochester Institute of Technology in Media Arts and Technology (B.Sc.) and The New School in Organizational Change Management (MS). She is very passionate about encryption and tech equity for all and has been assisting activists and educators with their tech needs for almost 10 years.

Rory Mir
Rory is a Grassroots Advocacy Organizer primarily working on the Electronic Frontier Alliance. They are also a doctoral student of psychology at the City University of New York Graduate Center studying activist pedagogy. Before coming to the EFF they were active in several New York City groups including the Cypurr Collective, a member of the EFA engaging in community education on matters of cybersecurity. A long time advocate for open education and open science, they want to break down any barriers folks face to free expression, creativity, or knowledge.

Hannah Zhao
Hannah is a staff attorney at EFF focusing on criminal justice and privacy issues, and is part of the Coder's Rights Project. Prior to joining EFF, Hannah represented criminal defendants on appeal in state and federal courts in New York, Illinois, and Missouri, and also worked at the human rights NGO, Human Rights in China. While pursuing her law degree at Washington University in St. Louis, she represented indigent defendants and refugee applicants in Durban, South Africa, and studied international law at Utrecht University in the Netherlands. She also competed in, and remains involved with, the Philip C. Jessup International Moot Court Competition, including as a problem author in 2019. In college, Hannah studied Computer Science and Management at Rensselaer Polytechnic Institute. In her spare time, she likes to climb things.

Nash
nash leads EFF's grassroots, student, and community organizing efforts. As the lead coordinator of the Electronic Frontier Alliance, nash works to support the Alliance's member organizations in educating their neighbors on digital-privacy best practices, and advocating for privacy and innovation protecting policy and legislation.

Emilie St-Pierre
Emilie St-Pierre is the Security Ambassador for Future Ada, a Spokane-based non-profit advocating for diversity and inclusion in STEAM. For the past six years, she has used her experience as an offensive security professional to provide privacy and security education within her community. Through her work with Future Ada, she has established free regular workshops and one-on-one technical support to the public. Emilie's focus has been to provide these workshops and services to underrepresented members of the public.

Abi Hassen
Abi Hassen is an attorney, technologist, and co-founder of the Black Movement-Law Project (BMLP), a legal support rapid response group that grew out of the uprisings in Ferguson, Baltimore, and elsewhere. He is currently a partner at O'Neill and Hassen LLP; a law practice focused on indigent criminal defense. Prior to his current work, he was the Mass Defense Coordinator at the National Lawyers Guild. Abi has also worked as a political campaign manager and strategist, union organizer, and community organizer. Abi conducts training, speaks, and writes on topics of race, technology, (in)justice, and the law.

Elliot
Elliot is a motion artist and creative coder who works in interactive, fabrication, and large scale immersive experiences. Elliot blends visual work with an interest in mutual aid, security, and privacy online. Based in Brooklyn.

Tracy Rosenberg
Tracy Rosenberg has worked as Media Alliance's Executive Director since 2007 and coordinates Oakland Privacy, a citizens coalition that works regionally to defend the right to privacy and enhance public transparency and oversight regarding the use of surveillance techniques and equipment. OP has written use policies and impact reports for a variety of surveillance technologies, conducted research and investigations, and developed frameworks for the implementation of equipment with respect for civil rights, privacy protections, and community control. Tracy blogs on media policy and surveillance and is published frequently around the country. She currently sits on the board of the Alliance for Community Media Western Region and Common Frequency serves on the anchor committee of the Media Action Grassroots Network

Back to top

Only takes a Spark - Popping a shell on a 1000 nodes

Live 30 min Q&A on Sunday, August 9th at 11:30 on the DEF CON Twitch
Demo, Tool, Exploit

ayoul3

"Apache Spark is one of the major players if not the leader when it comes to distributed computing and processing. Want to use machine learning to build models and uncover fraud, make predictions, estimate future sales or calculate revenue ? Whip out a 200 nodes cluster on Spark and you are good to go.

This talk will show you how to get a shell on each one of these nodes! We are talking about systems that, by design, have access to almost every datastore in the company (S3, Cassandra, BigQuery, MySQL, Redshift, etc.). This is game over for most companies. I will also release a tool that will help pentesters pwn Spark clusters, execute code and even bypass authentication (CVE-2020-9480)."

ayoul3
Ayoub currently works as Lead Security at Qonto. He spent several years working as a pentester and an incident responder. He gave talks at various security conferences about Mainframe hacking. Lately, his main focus is Cloud security.

@ayoul3__

Back to top

Exploiting Key Space Vulnerabilities in the Physical World

Live 30 min Q&A on Friday, August 7th at 16:30 on the DEF CON Twitch
Demo, Tool, Exploit

Bill Graydon Principal, Research, GGR Security

Imagine being able to get together with a few of your co-workers, look at your office keys and derive a building master key. Or you may not have any working key at all: you could impression the lock, or use one of the many ways we’ll present in this talk to put together little bits of information from a lock to create a working key.

We apply information theory - the concept behind the “entropy” of a password - in an easy to understand way to show how every little bit of information about a system can be used to defeat it. The audience will be able to pull any key out of their pocket and understand how it works and how an attacker can create it covertly, and open whatever lock it is for, or even a lock it isn’t for, that shares the same system.

We’ll explain how to produce either a single final key, or a set small enough to economically brute force - and release a software tool to let anyone quickly try out all possibilities in an easy-to-visualize way.

Finally, we will discuss possible solutions to these problems and introduce vulnerabilities our research has uncovered in high-security systems like Medeco, Abloy, and Mul-T-Lock - including releasing a set of only 159 possible top level master key codes for certain large Medeco mastered systems.

Bill Graydon
Bill Graydon is a principal researcher at GGR Security, where he hacks everything from locks and alarms to critical infrastructure; this has given him some very fine-tuned skills for breaking stuff. He’s passionate about advancing the security field through research, teaching numerous courses, giving talks, and running DEF CON’s Lock Bypass Village. He’s received various degrees in computer engineering, security, and forensics and comes from a broad background of work experience in cyber security, software development, anti-money laundering, and infectious disease detection.

https://twitter.com/access_ctrl
https://github.com/bgraydon
https://www.youtube.com/channel/UCzZK3vjJL9rKNPXNoCPFO5g

Back to top

A Decade After Stuxnet's Printer Vulnerability: Printing is still the Stairway to Heaven

Live 30 min Q&A on Saturday, August 8th at 09:30 on the DEF CON Twitch
Demo, Tool, Exploit

Peleg Hadar Senior Security Researcher at SafeBreach Labs

Tomer Bar Research Team Leader at SafeBreach Labs

In 2010, Stuxnet, the most powerful malware in the world revealed itself, causing physical damage to Iranian nuclear enrichment centrifuges. In order to reach Iran's centrifuges, it exploited a vuln in the Windows Print Spooler service and gain code execution as SYSTEM. Due to the hype around this critical vuln, we (and probably everyone else) were pretty sure that this attack surface would no longer exist a decade later. We were wrong…

The first clue was that 2 out of 3 vulns which were involved in Stuxnet were not fully patched. That was the case also for the 3rd vuln used in Stuxnet, which we were able to exploit again in a different manner.

It appears that Microsoft has barely changed the code of the Print Spooler mechanism over the last 20 years.

We investigated the Print Spooler mechanism of Windows 10 Insider and found two 0-day vulns providing LPE and DoS (First one can also be used as a new persistence technique)

Peleg Hadar
Peleg Hadar (@peleghd) is a security researcher, having 8+ years of unique experience in the sec field. Currently doing research @SafeBreach Labs, previously serving in various sec positions @IDF. His experience involved security from many angles: starting with network research, and now mostly software research. Peleg likes to investigate mostly Microsoft Windows components.

@peleghd

Tomer Bar
Tomer Bar is a security researcher and a research team leader with 15+ years of unique experience in the sec field. Currently leading the research team of SafeBreach Labs. His experience involved vulnerability research, malware analysis, etc.

Back to top

Domain Fronting is Dead, Long Live Domain Fronting: Using TLS 1.3 to evade censors, bypass network defenses, and blend in with the noise

Live 30 min Q&A on Thursday, August 6th at 16:30 on the DEF CON Twitch
Demo, Tool

Erik Hunstad CTO, SIXGEN

Domain fronting, the technique of circumventing internet censorship and monitoring by obfuscating the domain of an HTTPS connection was killed by major cloud providers in April of 2018. However, with the arrival of TLS 1.3, new technologies enable a new kind of domain fronting. This time, network monitoring and internet censorship tools are able to be fooled on multiple levels. This talk will give an overview of what domain fronting is, how it used to work, how TLS 1.3 enables a new form of domain fronting, and what it looks like to network monitoring. You can circumvent censorship and monitoring today without modifying your tools using an open source TCP and UDP pluggable transport tool that will be released alongside this talk.

Erik Hunstad
Erik Hunstad is a security expert and researcher who realized the power of programming and security when he coded an algorithm to reduce the search space of possible Master Lock combinations in RAPTOR. Erik is the CTO and Adversary Emulation Lead at SIXGEN where he specializes in deploying the latest offensive security techniques against customers. He previously worked for the Department of Defense.

@SixGenInc

Back to top

Evil Printer: How to Hack Windows Machines with Printing Protocol

Live 30 min Q&A on Sunday, August 9th at 09:30 on the DEF CON Twitch
Demo, Exploit

Zhipeng Huo Senior Researcher, Tencent Security Xuanwu Lab

Chuanda Ding Senior Researcher, Tencent Security Xuanwu Lab

Printer Spooler service, one of the important services in Microsoft Windows, has existed for more than 25 years. It runs at highest privilege level, unsandboxed, does networking, and dynamically loads third-party binaries. What could possibly go wrong?

In this talk, we will walk you through an incredibly fun bug we have discovered in printer spooler service. It can be exploited both locally and remotely, escapes sandbox, executes arbitrary code, and also elevates to SYSTEM. While Microsoft managed to develop the most restrictive sandbox for Microsoft Edge, this bug easily goes through it like it's a sieve.

We will talk in detail the implementation of this ancient service, the method we used to discover and exploit the bug, and also throw in some tips and tricks for logic bugs in between.

Zhipeng Huo
Zhipeng Huo is a senior security researcher on Windows and macOS platform security at Tencent Security Xuanwu Lab. He reported Microsoft Edge sandbox escape bugs in 2017, 2018, and 2020. He was a speaker at Black Hat Europe 2018.

@R3dF09

Chuanda Ding
Chuanda Ding is a senior security researcher on Windows platform security. He leads EcoSec team at Tencent Security Xuanwu Lab. He was a speaker at Black Hat Europe 2018, DEF CON China 2018, CanSecWest 2017, CanSecWest 2016, and QCon Beijing 2016.

@FlowerCode_

Back to top

Don't Be Silly - It's Only a Lightbulb

Live 30 min Q&A on Friday, August 7th at 15:30 on the DEF CON Twitch
Demo, Exploit

Eyal Itkin Vulnerability Researcher at Check Point Software Technologies

A few years ago, a team of academic researchers showed how they can take over and control smart lightbulbs, and how this in turn allows them to create a chain reaction that can spread throughout a modern city. Their research brought up an interesting question: aside from triggering a blackout (and maybe a few epilepsy seizures), could these lightbulbs pose a serious risk to our network security? Could attackers somehow bridge the gap between the physical IoT network (the lightbulbs) and even more appealing targets, such as the computer network in our homes, offices or even our smart cities?

We’re here to tell you the answer is: Yes.

Join us as we take a deep dive into the world of ZigBee IoT devices. Continuing from where the previous research left off, we go right to the core: the smart hub that acts as a bridge between the IP network and the ZigBee network. And let me tell you this, this harsh embedded environment is surely not on our side. With a maximal message size of less than 128 bytes, complex state machines and various strict timing constraints, this challenge is going to be tough.

After a long journey, we finally made it. By masquerading as a legitimate ZigBee lightbulb, we were able to exploit vulnerabilities we found in the bridge, which enabled us to infiltrate the lucrative IP network using a remote over-the-air ZigBee exploit.

Eyal Itkin
Eyal Itkin is a vulnerability researcher in the Malware and Vulnerability Research group at Check Point Software Technologies. Eyal has an extensive background in security research, that includes years of experience in embedded network devices and protocols, bug bounties from all popular interpreter languages, and an award by Microsoft for his CFG enhancement white paper. When not breaking RDP or FAX, he loves bouldering, swimming, and thinking about the next target for his research.

@EyalItkin

Back to top

Applied Ca$h Eviction through ATM Exploitation

Live 30 min Q&A on Saturday, August 8th at 12:30 on the DEF CON Twitch
Demo, Exploit

Trey Keown Security Researcher, Red Balloon Security

Brenda So Security Researcher, Red Balloon Security

ATMs are networked computers that dispense cash, so naturally they’re uniquely interesting devices to examine. We all remember ATM jackpotting from a decade ago. Unfortunately, it doesn’t look like ATM security has improved for some common models since then.

We present our reverse engineering process for working with an ATM and modifying its firmware. For this, we became our own "bank" by creating software that's able to speak the obscure protocols used by ATMs. For working with the device software at a low level, we restored JTAG access, defeated code signing, and developed custom debugging tools. We then leveraged this research to discover two 0-day network-based attacks, which we will demonstrate live. The first vulnerability takes advantage of the ATM’s remote administration interface, which can lead to arbitrary code execution and total device compromise. The second vulnerability is in the OEM’s implementation of a common middleware for ATM peripherals. This allows for command injection and jackpotting of ATMs over the network.

The high barrier to entry for even legally opening up one of these devices has left a lot of attack surface area unchecked. Through this talk, we want to shed light on the state of ATM security and encourage the security community to continue to challenge ATM vendors to do better.

Trey Keown
Trey is a security researcher at Red Balloon Security focusing on securing embedded devices and firmware reverse-engineering automation. He is the co-creator of an ATM CTF challenge which has taken place at Re:con, CSAW, Hushcon, Summercon, and the IoT Village at DEF CON 27. He has also been a speaker at Hushcon West and CSAW.

@TreyKeown

Brenda So
Brenda is a security researcher at Red Balloon Security. She earned her Bachelors in Electrical Engineering at The Cooper Union. She has spoken about reverse engineering at Hushcon West and CSAW. She has also organized the ATM CTF challenge at major conferences such as Recon and Defcon. When not messing around with ATMs, she is brewing a nice gallon of beer at her homebrew setup.

@Sosogun3

Back to top

Reverse Engineering the Tesla Battery Management System for Moar Powerrr!

Live 30 min Q&A on Saturday, August 8th at 16:30 on the DEF CON Twitch
Demo

Patrick Kiley Principal Security Consultant - Rapid7

Tesla released the P85D in 2014. At that time the vehicle came with "insane mode" acceleration with a 0-60 time of 3.2 seconds. Later in July of 2015, Tesla announced "Ludicrous mode" that cut the 0-60 time down to 2.8 seconds. This upgrade was offered both new and as a hardware and firmware change to the existing fleet of P85D vehicles. Since then, Tesla has released newer ludicrous vehicles. What makes the P85D upgrade unique was how the process required changes to the vehicle's Battery Management System(BMS). The 'BMS' handles power requests from the drive units of the car. I was able to reverse engineer this upgrade process by examining the CAN bus messages, CAN bus UDS routines and various firmware files that I extracted from a car. I also decrypted and decompiled Python source code used for diagnostics to determine that the process involved replacing the contactors and fuse with higher current versions as well as modifying the current sensing high voltage "shunt" inside the battery pack. I then performed this process on an actual donor P85D. I bricked the car in the process, forcing me to pay to have it towed to another state so I could troubleshoot. I came to understand that the BMS is the deciding module that allows the drive units to have only as much power as the BMS allows. The car is fixed and is faster.

Patrick Kiley
Patrick Kiley has over 17 years of information security experience working with both private sector employers and the Department of Energy/National Nuclear Security Administration (NNSA). While he was with the NNSA he built the NNSA’s SOC and spent several years working for emergency teams. Kiley has performed research in Avionics security and Internet connected transportation platforms. Kiley has experience in hardware hacking, IoT, Autonomous Vehicles and CAN bus.

Back to top

Getting Shells on z/OS with Surrogat Chains

Live 30 min Q&A on Saturday, August 8th at 17:30 on the DEF CON Twitch
Tool

Jake Labelle Security Consultant - F-Secure

z/OS allows a user to submit a job as another user without a password with the surrogat class. However, z/OS systems often have hundreds of thousands of users and have been running for decades. This means that it is very likely that from a low priv user there is a surrogat chain that will give you special (z/OS' root).

RACF (z/OS' Security), does not allow users to view the security of resources to which they do not have access. This means that manually enumerating a chain required you to submit a reverse shell each time you wanted to move up the chain. This will take a long time with 200k users.

Gator (my tool), submits a batch job that will call a REXX program which will output the user's privs and the current surrogat chain of that user. It will then list all of that user’s surrogat privs, and call the same batch job as before, but running as those users.

Gator also provides a macro that will generate a CATSO (similar to a meterpreter shell), for any of the users in the surrogat chain.

Gator can also be exported to a GraphVis python program, which will display the users information and chain as a network of nodes.

Jake Labelle
Jake Labelle graduated from Southampton University with a MEng in Computer Science. He currently works at F-Secure in Basingstoke as a Security Consultant.

He discovered z/OS this year in January, and now can not stop dabbling. He has created a number of security labs in z/OS and is currently scripting everything in REXX. If he had a choice between a windows host and an emulated z/OS host on his laptop, it would not be a competition.

He is currently ecstatic that Hercules, a mainframe emulator, can be compiled for arm and ran on a Raspberry Pi. There is also an open source mainframe (http://wotho.ethz.ch/tk4-/). I'm probably carrying my portable open source mainframe with me right now.

https://github.com/southamptonjake

Back to top

Bypassing Biometric Systems with 3D Printing and Enhanced Grease Attacks

Live 30 min Q&A on Saturday, August 8th at 15:30 on the DEF CON Twitch
Demo

Yamila Levalle Researcher at Dreamlab Technologies

Due to the well-known vulnerabilities in traditional authentication methods through users, passwords and tokens; biometric systems began to be widely implemented in millions of devices with the aim of having a more practical authentication system for users and -supposedly- more robust in terms of security.

Security researchers were not far behind and started to analyze the security of these biometric controls. In recent years, different techniques have been presented to bypass the authentication of, for example, the smartphones that began to implement these systems.

What is new in this talk? avoiding focusing on a particular device, we have gone deeper studying the operation of the sensors implemented in different biometric systems (Optical, Capacitive, Ultrasonic, Facial, etc.) and consequently, we discovered new techniques to bypass them. Through this talk, we will show how to fool biometric sensors by the enhanced grease attacks and, even better, the techniques to succeed at bypassing these controls using 3D printing.

Yamila Levalle
Yamila Vanesa Levalle is an Information Systems Engineer, Security Researcher and Offensive Security Professional with more than 15 years of experience in the InfoSec area.

Yamila currently works as Security Researcher and Consultant at Dreamlab Technologies where she specializes in offensive techniques, conducts researches, gives trainings and write papers and blog posts. She is an international security conferences speaker and has presented her researches at important events such as BlackHat Arsenal Vegas, PHDays Moscow, Northsec Montreal, AusCERT Australia, 8.8 Security Conference Vegas, SCSD Fribourg, Ekoparty Ekolabs, OWASP Latam Tour and others. She has taught ethical hacking courses for women, CTF courses for beginners and several information security trainings.

Back to top

When TLS Hacks You

Live 30 min Q&A on Friday, August 7th at 13:30 on the DEF CON Twitch
Demo, Tool, Exploit

Joshua Maddux Security Engineer, Latacora

Lots of people try to attack the security of TLS. But what if we use TLS to attack other things? It's a huge standard, and it turns out that features intended to make TLS fast have also made it useful as an attack vector.

Among other things, these features provide a lot of flexibility for Server-Side Request Forgery (SSRF). While past work using HTTPS URLs in SSRF has relied upon platform-specific bugs such as SNI injection, we can go further. In this talk, I present a novel, cross-platform way of leveraging TLS to target internal services.

Uniquely, these attacks are more effective the more comprehensively a platform supports modern TLS, so won't go away with library upgrades. It is also unlikely that the TLS spec will change overnight at the whim of a random security researcher. Instead, we need to walk through scenarios and dispel common assumptions so the audience can know what to look out for. Of course, the best way to do so is with demos!

Joshua Maddux
Joshua Maddux started out as a software engineer. After a few years, having introduced his share of bugs to the world, he started hunting for vulnerabilities in his own code and elsewhere. At PKC Security he gained additional experience in software development and white-box penetration testing, and gave his first ever conference talk at Blackhat USA on a series of systemic SSRF vulnerabilities in sites supporting Apple Pay. Now on the Appsec team at Latacora, he helps advise startups in building secure products. Aside from work for clients, Joshua is also active in the bug bounty world. His past research has led to security updates in Java, Netflix, Gitlab, United Airlines, Zapier, and others.

@joshmdx

Back to top

Pwn2Own Qualcomm compute DSP for fun and profit

Live 30 min Q&A on Friday, August 7th at 11:30 on the DEF CON Twitch
Demo, Exploit

Slava Makkaveev Security Researcher, Check Point

Qualcomm Snapdragon SoC integrates multiple subsystems, each one is customized for a particular application domain. Compute digital-signal processor (cDSP) is a subsystem which allows a mobile device to process simple sets of data with high performance on low power. In the talk we will show that this little studied proprietary subsystem has many security problems that open the door to malicious Android applications for PE and DoS attacks of the device.

For security reasons, the cDSP is licensed for programming by OEMs and by a limited number of third-party software vendors. The code running on DSP is signed by Qualcomm. However, we will demonstrate how an Android application can bypass Qualcomm’s signature and execute privileged code on DSP, and what further security issues this can lead to.

Hexagon SDK is the official way for the vendors to prepare DSP related code. We discovered serious bugs in the SDK that have led to the hundreds of hidden vulnerabilities in the Qualcomm-owned and vendors’ code. The truth is that almost all DSP executable libraries embedded in Qualcomm-based smartphones are vulnerable to attacks due to issues in the Hexagon SDK. We are going to highlight the auto generated security holes in the DSP software and then exploit them.

Slava Makkaveev
Slava Makkaveev is a Security Researcher at Check Point. Holds a PhD in Computer Science. Slava has found himself in the security field more than ten years ago and since that gained vast experience in reverse engineering and vulnerability research. Recently Slava has taken a particularly strong interest in mobile platforms and firmware security.

Back to top

Abusing P2P to Hack 3 Million Cameras: Ain't Nobody Got Time for NAT

Live 30 min Q&A on Saturday, August 8th at 14:30 on the DEF CON Twitch
Demo, Tool, Exploit

Paul Marrapese Security Researcher

To a hacker, making a bug-ridden IoT device directly accessible to the Internet sounds like an insanely bad idea. But what's *truly* insane is that millions of IoT devices are shipping with features that expose them to the Internet the moment they come online, even in the presence of NAT and firewalls. P2P, or “peer-to-peer”, is a convenience feature designed to make the lives of users easier, but has the nasty side effect of making attackers’ lives easier as well.

Come for the story of how supply chain vulnerabilities in modern IP cameras, baby monitors, and even alarm systems are putting millions at risk for eavesdropping and remote compromise. We'll talk about the hoards of IoT devices that exist outside of Shodan's reach and the botnet-like infrastructure they rely on. Learn how to find P2P networks and how to exploit them to jump firewalls, steal camera passwords over the Internet, and correlate devices to physical addresses. We'll demonstrate how to snoop on someone's video simply by using your own camera – and how someone may be snooping on your video, too.

Paul Marrapese
Paul Marrapese (OSCP) is a security researcher from San Jose, CA. His work has resulted in the discovery of critical vulnerabilities affecting millions of IoT devices around the world, and has been featured on Krebs on Security, Forbes, Wired, ZDNet, and several security podcasts. Paul specializes in offensive security as part of the red team at a large enterprise cloud company. His interests include reverse engineering, music production, photography, and recently software-defined radio. Rumor has it that he makes a mean batch of cold-brew coffee.

@PaulMarrapese

Back to top

Hacking the Hybrid Cloud

Live 30 min Q&A on Thursday, August 6th at 12:30 on the DEF CON Twitch
30 minutes

Sean Metcalf CTO, Trimarc

Most companies have moved into the cloud and on-premises applications and systems remain. This configuration is reasonably referred to as "hybrid"; in the cloud and not at the same time. Hybrid cloud requires integration and communication between the remaining on-prem infrastructure and the new(er) cloud services.

This talk describes several scenarios that appear to subvert typical security and protections which involve federation configuration, Identity Access Management (IAM), and interaction between SaaS and IaaS in the Microsoft Cloud.

Sean Metcalf
Sean Metcalf is founder and CTO at Trimarc (www.TrimarcSecurity.com), a professional services company which focuses on improving enterprise security. He is one of about 100 people in the world who holds the Microsoft Certified Master Directory Services (MCM) certification, is a Microsoft MVP, and has presented on Active Directory & Microsoft Cloud attack and defense at security conferences such as Black Hat, BSides, DEF CON, and DerbyCon. He currently provides security consulting services to customers and posts interesting Active Directory security information on his blog, ADSecurity.org.

@Pyrotek3

Back to top

Room for Escape: Scribbling Outside the Lines of Template Security

Live 30 min Q&A on Thursday, August 6th at 10:30 on the DEF CON Twitch
Demo, Exploit

Oleksandr Mirosh

Alvaro Munoz

Now more than ever, digital communication and collaboration are essential to the modern human experience. Shared digital content is everywhere and Content Management Systems (CMS) play a crucial role allowing users to design, create, modify and visualize dynamic content. In our research we discovered multiple ways to achieve Remote Code Execution (RCE) on CMS platforms through which an attacker can take full control of the resources your organization relies on.

Using a Microsoft SharePoint server as our main CMS attack surface, we combined flaws in its implementation and design with framework and language specific features to find six unique RCE vulnerabilities. In addition, we discovered ways to escape template sandboxes of the most popular Java Template engines and achieved RCE in many products including: Atlassian Confluence, Alfresco, Liferay, Crafter CMS, XWiki, Apache OfBiz, and more. We will analyze how these products and frameworks implement security controls and review the various techniques that we used to bypass them. We will describe all the vulnerabilities we uncovered in detail and show working demos of the most interesting attacks. Finally, we will present our general review methodologies for systems with dynamic content templates and provide practical recommendations to better protect them.

Oleksandr Mirosh
Oleksandr Mirosh, Software Security Researcher, Micro Focus Fortify Oleksandr Mirosh has over 12 years of computer security experience, including vulnerability research, penetration testing, reverse engineering, fuzzing, developing exploits and consulting. He is working for Fortify Software Security Research team in Micro Focus investigating and analyzing new threats, vulnerabilities, security weaknesses, new techniques of exploiting security issues and development vulnerability detection, protection and remediation rules.

@olekmirosh

Alvaro Munoz
Alvaro Muñoz (@pwntester) works as Staff Security Researcher with GitHub Security Lab. His research focuses on different programming languages and web application frameworks searching for vulnerabilities or unsafe uses of APIs. Before joining the research field, he worked as an Application Security Consultant helping enterprises to deploy their application security programs. Muñoz has presented at many Security conferences including Defcon, RSA, AppSecEU, Protect, DISCCON, etc and holds several InfoSec certifications, including OSCP, GWAPT and CISSP, and is a proud member of int3pids CTF team.

@pwntester

Back to top

Hacking Traffic Lights

Live 30 min Q&A on Thursday, August 6th at 13:30 on the DEF CON Twitch
30 minutes

Wesley Neelen Hacker & co-founder at Zolder

Rik van Duijn Hacker & co-founder at Zolder

New systems are connected to the internet every day to make our lives easier or more comfortable. We are starting to see connected traffic and smart traffic lights innovations to improve traffic flow, safety and comfort. With smart systems entering and controlling our physical world, ethical hacking such systems to find possible ways of manipulation becomes even more important to society.

In the Netherlands there are some public innovations where traffic light systems are being connected to smartphone apps. We have looked at these innovations to see if these systems could be manipulated and how manipulation could benefit an attacker. Specifically, we found a way in two different platforms, that allows us to successfully fake a continuous flow of bicyclists that turns the cyclist traffic light instantly green or decreases the time to green.

More than 10 municipalities in the Netherlands connected a part of their cyclist traffic lights to the affected platforms. It was possible to perform these hacks from any remote location, which allows someone to remotely influence the traffic at scale. The hack results in turning the cyclists lights to green, while other lights on the intersection will turn to red.

The regular security systems that make sure lights are not turned green simultaneously stays intact. There are similar projects that turn the car traffic lights green for ambulances or trucks. If an attacker succeeds to exploit these projects with a similar attack, he could remotely influence the car traffic lights directly.

Wesley Neelen
Wesley has about 7 years’ experience in the offensive security area working as a penetration tester. Next to his work assessing the security of infrastructures, he spends time researching trends within IT security and on developing defensive measures. Wesley likes to actively assess the security of home automation, internet of things and 'smart' innovations. One of the vulnerabilities discovered by Wesley, is a remote command execution (RCE) vulnerability in the Fibaro home center appliance. The vulnerability allowed to remotely obtain root access on the Fibaro device whenever the web interface is reachable. Also, he discovered vulnerabilities within a smartwatch cloud that disclosed the location history of about 300.000 of its users.

@wesleyneelen

Rik van Duijn
Rik is a security researcher with 7+ years of experience as a penetration tester. Nowadays Rik focusses on malware research and defense. His hobbies include cooking, bouldering and long walks on the beach. Rik has presented at SHA2017, (whiskey|fristi)leaks, DefCon BlueTeam Village and Tweakers Security/DEV Meetups.

@rikvduijn

Back to top

Hacking the Supply Chain – The Ripple20 Vulnerabilities Haunt Hundreds of Millions of Critical Devices

Live 30 min Q&A on Thursday, August 6th at 14:30 on the DEF CON Twitch
Exploit

Shlomi Oberman CEO, JSOF

Moshe Kol Security Researcher

Ariel Schön Security Researcher, JSOF

This is the story of how we found and exploited a series of critical vulnerabilities (later named Ripple20) affecting tens or hundreds of millions of IoT devices across all IoT sector conceivable - industrial controllers, power grids, medical, home, networking, transportation, enterprise, retail, defense, and a myriad of other types of IoT devices, manufactured and deployed by the largest American and international vendors in these fields.

These vulnerabilities were found in a TCP/IP software library located at the very beginning of a complex supply chain and have lurked undetected for at least 10 years, likely much more. Over the past two decades this library has spread around the world by means of direct use as well as indirectly, through ""second hand"" use, rebranding, collaborations, acquisitions and repackaging, having been embedded and configurated in a range of different ways. Many of the vendors indirectly selling and using this library were not aware of their using it. Now that they know, the patch propagation dynamics are very complex and may not be possible in some cases.

This library is a little known, but widely used, embedded library developed by Treck Inc.known for its high reliability, performance, and configurability. Its features make it suitable for real-time operating system usage and low-power devices.

Despite being used by many large, security-aware vendors, these vulnerabilities lay dormant and undiscovered - while actors of all types could have discovered these vulnerabilities by finding one of several bugs in any of the components, exposing hundreds of others immediately. This would provide a field day of affected devices for the picking.

In this presentation, we will discuss one of the vulnerabilities in technical depth, demonstrating an RCE exploit on a vulnerable device. We will explain how the vulnerabilities became so widespread, and what we still don’t know. We will speculate as to why these vulnerabilities survived for so long and show why some vendors are worse affected than others.

Shlomi Oberman
Shlomi Oberman is an experienced security researcher and leader with over a decade of experience in security research and product security. In the past few years his interest has been helping secure Software - while it is being written and after it has shipped. Shlomi is a veteran of the IDF Intelligence Corps and has many years of experience in the private sector working with companies who are leaders in their field. He has spoken internationally and his research has been presented in industry conferences such as CodeBlue Tokyo and Hack-In-The-Box as well as other conferences. He is also an experienced teacher, training researchers and engineers in Embedded Exploitation and Secure Coding, as well as an organizer of local community cyber-security events. Shlomi has the unique advantage of a broad technical understanding of the Security Field as well as deep knowledge of the attacker’s mindset, which is extremely useful when securing software.

Moshe Kol
Moshe is a wickedly talented security researcher, currently finishing his Computer Science studies at the Hebrew University of Jerusalem. He has many years of networking and security research experience working for the MOD where he honed his skills originally developed at home – as he was led by sheer curiosity into the world of reverse engineering and security research.

Ariel Schön
Ariel Schön is an experienced security researcher with unique experience in embedded and IoT security as well as vulnerability research.

Ariel is a veteran of the IDF Intelligence Corps, where he served in research and management positions. Currently, he is consuming caffeine and doing security research at JSOF.

Back to top

Whispers Among the Stars: Perpetrating (and Preventing) Satellite Eavesdropping Attacks

Live 30 min Q&A on Saturday, August 8th at 10:30 on the DEF CON Twitch
Demo, Tool, Exploit

James Pavur DPhil Student, Oxford University

Space is changing. The number of satellites in orbit will increase from around 2,000 today to more than 15,000 by 2030. This briefing provides a practical look at the considerations an attacker may take when targeting satellite broadband communications networks. Using $300 of widely available home television equipment I show that it is possible to intercept deeply sensitive data transmitted on satellite links by some of the world's largest organizations.

The talk follows a series of case studies looking at satellite communications affecting three domains: air, land, and sea. From home satellite broadband customers, to wind farms, to oil tankers and aircraft, I show how satellite eavesdroppers can threaten privacy and communications security. Beyond eavesdropping, I also discuss how, under certain conditions, this inexpensive hardware can be used to hijack active sessions over the satellite link.

The talk concludes by presenting new open source tools we have developed to help researchers seeking to improve satellite communications security and individual satellite customers looking to encrypt their traffic.

The talk assumes no background in satellite communications or cryptography but will be most interesting to researchers interested in tackling further unsolved security challenges in outer space.

James Pavur
James Pavur is a Rhodes Scholar at Oxford University working on a DPhil in Cyber Security. His academic research is primarily on the threats to satellite systems with a focus on satellite communications and trustworthy spaceflight operations. Prior to Oxford, he majored in Science, Technology and International Affairs (STIA) at Georgetown University where he graduated with the School of Foreign Service Dean’s Medal (highest cumulative GPA) in 2017.

He has held numerous internships and professional positions related to information security. This included acting as Director of Information Security for Students of Georgetown Inc. (The Corp), a student run non-profit with more than 300 employees. He has also assisted with computer crimes investigations as an intern with the United States Postal Service Office of the Inspector General, worked on embedded systems reverse-engineering as an intern at Booz Allen Hamilton, and even pentested air-conditioners for the Public Buildings Services while working for Telos Corporation.

Outside of computers, James enjoys flying kites and collecting rare and interesting teas.

@JamesPavur

Back to top

Detecting Fake 4G Base Stations in Real Time

Live 30 min Q&A on Friday, August 7th at 12:30 on the DEF CON Twitch
Demo, Tool

Cooper Quintin Senior Security Researcher, EFF

4G based IMSI catchers such as the Hailstorm are becoming more popular with governments and law enforcement around the world, as well as spies, and even criminals. Until now IMSI catcher detection has focused on 2G IMSI catchers such as the Stingray which are quickly falling out of favor.

In this talk we will tell you how 4G IMSI Catchers might work to the best of our knowledge, and what they can and can't do. We demonstrate a brand new software project to detect fake 4G base stations, with open source software and relatively cheap hardware. And finally we will present a comprehensive plan to dramatically limit the capabilities of IMSI catchers (with the long term goal of making them useless once and for all).

Cooper Quintin
Cooper is a security researcher and Senior Staff Technologist with the EFF threat lab. He has worked on projects such as Privacy Badger and Canary Watch. With his colleagues at threat lab he has helped discover state sponsored malware and nation state actors such as Dark Caracal and Operation Manul. He has also performed security trainings for activists, non profit workers and ordinary folks around the world. He also was a co-founder of the Hackbloc hacktivist collective and published several issues of the DIY hacker zine "Hack This Zine." In his spare time he enjoys playing music and playing with his kid and imagining a better future.

Back to top

Bytes In Disguise

Live 30 min Q&A on Sunday, August 9th at 10:30 on the DEF CON Twitch
Demo, Tool, Exploit

Mickey Shkatov

Jesse Michael

Non-Volatile Memory. EVERY computer has it, from the chip that stores your BIOS to the controller that runs your laptop trackpad and even your new fancy USB-C monitor. These small nooks of storage can be (ab)used by anyone to store data or code without causing any side effects and none would be the wiser. We will show you more than one example of how this is possible and walk through everything you need to know to do it, too.

In this talk, we will describe how to hide persistence in these obscure memory chips using simple tools that we are releasing as open source. We will show multiple ways to accomplish this without detection. On the defensive front, we’ll discuss what can be done to detect and lock down systems.

Mickey Shkatov
Mickey has been doing security research for almost a decade, one of his specialties is simplifying complex concepts and finding security flaws in unlikely places. He has seen some crazy things and lived to tell about them at security conferences all over the world, his past talks range from web pentesting to black badges and from hacking cars to BIOS firmware.

@HackingThings

Jesse Michael
Jesse Michael is an experienced security researcher focused on vulnerability detection and mitigation who has worked at all layers of modern computing environments from exploiting worldwide corporate network infrastructure down to hunting vulnerabilities inside processors at the hardware design level. His primary areas of expertise include reverse engineering embedded firmware and exploit development. He has also presented research at DEF CON, Black Hat, PacSec, Hackito Ergo Sum, Ekoparty, and BSides Portland.

@JesseMichael

Back to top

How we recovered $XXX,000 in Bitcoin from an encrypted zip file

Live 30 min Q&A on Saturday, August 8th at 13:30 on the DEF CON Twitch
Tool

Michael Stay CTO, Pyrofex Corp.

About six months ago, a Russian guy contacted me on LinkedIn with an intriguing offer. He had hundreds of thousands of dollars in Bitcoin keys locked in a zip file, and he couldn't remember the password. Could I break into it for him? He found my name by reading an old cryptanalysis paper I wrote nearly 20 years ago. In that attack, I needed five files to break into a zip archive. This one only had two files in it. Was it possible? How much would it cost? We had to modify my old attack with some new cryptanalytic techniques and rent a GPU farm, but we pulled it off. Come hear how.

Michael Stay
Mike Stay was a reverse engineer and cryptanalyst in the 1990s, worked for six years on Google's security team, and is currently the CTO of Pyrofex Corp.

@metaweta

Back to top

Practical VoIP/UC Hacking Using Mr.SIP: SIP-Based Audit & Attack Tool

Live 30 min Q&A on Sunday, August 9th at 15:30 on the DEF CON Twitch
Demo, Tool

Ismail Melih Tas Senior Expert in Offensive Security (PhD), Private Bank

Kubilay Ahmet Kucuk Senior Security Researcher (PhD), University of Oxford

In this talk, we will introduce the most comprehensive offensive VoIP security tool ever developed, Mr.SIP (comprehensive version). We will make a live attack demonstration using Mr.SIP in our security laboratory. Furthermore, we will also introduce novel SIP-based attacks using the vulnerabilities we found in the SIP retransmission mechanism and reflection logic.

Mr.SIP is developed to assist security experts and system administrators who want to perform security tests for VoIP systems and to measure and evaluate security risks. It quickly discovers all VoIP components and services in a network topology along with the vendor, brand, and version information, detects current vulnerabilities, configuration errors. It provides an environment to assist in performing advanced attacks to simulate abuse of detected vulnerabilities. It detects SIP components and existing users on the network, intervenes, filters and manipulates call information, develops DoS attacks, breaks user passwords, and can test the server system by sending irregular messages.

Status-controlled call flow and ability to bypass anomaly systems stand out as Mr.SIP’s unique aspects. It also has strengths and competencies in terms of advanced fake IP address generation, fuzzing, password cracker, interactive inter-module attack kit, and MiTM features.

Ismail Melih Tas
Melih Tas received B.Sc., M.Sc., and Ph.D. degrees in Computer Science & Engineering. He is working as Principal Penetration Tester in a private bank since 2015 in Istanbul, Turkey. He worked as multiple times award-winning entrepreneur and security expert in a private cybersecurity R&D company between 2010 and 2015 where he worked on funded projects. Previous to them, he also worked in a global troubleshooting center where he found the root causes of telecommunication security incidents and frauds and designed measures to prevent them from happening again. He wrote the National VoIP/UC Security Standard Draft by cooperating with Turkish Standards Institute. He is the author of open-source projects Mr.SIP: SIP-Based Audit and Attack Tool and SIP-DD: SIP-Based DDoS Defense Tool. He holds an OSCP certificate. He is an active speaker in hacker conferences including Black Hat Arsenal, Offzone and Nopcon. He likes to do bug bounty hunting in his spare time. His research interests include the design and analysis of both offensive and defensive security mechanisms in the fields of VoIP Security, Network Security, and Web/Mobile Application Security.

@artinscience

Kubilay Ahmet Kucuk
Kubilay Ahmet Kucuk is a DPhil (Ph.D.) candidate at the University of Oxford. His research interests include the problem of secure remote computation, and architectures with TPM, TEEs, ARM TZ, seL4. With a focus on SGX, he received Ph.D. studentship from Intel and completed the AppTRE (Trustworthy Remote Entity) project in Prof. Andrew Martin's group. Before Oxford, he was a research assistant for five years at ETH Zürich, in D-MAVT Simulation Group. He led the software engineering in two CTI/Innosuisse funded projects in Industry 4.0 domain. These projects, the Face-gear Drive and the Next-Generation Virtual Feeder resulted in software products alive in the industry other than the journals.

Back to top

Beyond Root: Custom Firmware for Embedded Mobile Chipsets

Live 30 min Q&A on Sunday, August 9th at 14:30 on the DEF CON Twitch
Demo, Tool, Exploit

Christopher Wade Security Consultant at Pen Test Partners

Rooting a smartphone is often considered the ultimate method to allow a user to take complete control of their device. Despite this, many smartphones contain hardware which is closed off to any modification. This talk aims to show how this hardware can be reverse engineered in order to bypass its protections and further expand its functionality.

Using proprietary NFC Controllers as an example, we will cover analysis of the protocols used by the chips, how the firmware protections could be broken, and how custom firmware could be developed and deployed to the phone with no hardware modifications. This will include methodologies for analyzing weaknesses in firmware update protocols, leveraging the Unicorn CPU Emulator to bypass debugging restrictions, and techniques for reverse engineering the hardware capabilities of an unknown chip in order to implement custom features. This will end with demonstration of a smartphone with passive NFC sniffing capabilities and expanded tag emulation functionality.

Christopher Wade
Chris is a seasoned security researcher and consultant. His main focuses are in reverse engineering hardware, fingerprinting USB vulnerabilities and playing with Software Defined Radios, with his key strength lying in firmware analysis, which he utilizes as part of the hardware testing team at Pen Test Partners.

Back to top

Office Drama on macOS

Live 30 min Q&A on Friday, August 7th at 18:30 on the DEF CON Twitch
Demo, Exploit

Patrick Wardle Principal Security Researcher

On the Windows platform, macro-based Office attacks are well understood (and frankly are rather old news). However on macOS, though such attacks are growing in popularity and are quite en vogue, they have received far less attention from the research and security community.

In this talk, we will begin by analyzing recent documents that contain macro-based attacks targeting Apple's desktop OS, highlighting the macOS-specific exploit code and payloads. Though sophisticated APT groups are behind several of these attacks, (luckily) these malicious documents and their payloads are constrained by recent application and OS-level security mechanisms.

However, things could be far worse! To illustrate this claim, we'll detail the creation of a powerful exploit chain, that begins with CVE-2019-1457, leveraged a new sandbox escape and ended with a full bypass of Apple's stringent notarization requirements. Triggered by simply opening a malicious (macro-laced) Office document, no other user interaction was required in order to persistently infect even a fully-patched macOS Catalina system!

To end the talk, we'll discuss various prevention and detection mechanisms that could thwart each stage of the exploit chain, as well as that aim to generically provide protection against future attacks!

Patrick Wardle
Patrick Wardle is the Principal Security Researcher at Jamf and founder of Objective-See. Having worked at NASA and the NSA, as well as presented at countless security conferences, he is intimately familiar with aliens, spies, and talking nerdy. Patrick is passionate about all things related to macOS security and thus spends his days finding Apple 0days, analyzing macOS malware and writing free open-source security tools to protect Mac users.

@Jamf

Back to top

Discovering Hidden Properties to Attack Node.js ecosystem

Live 30 min Q&A on Thursday, August 6th at 09:30 on the DEF CON Twitch
Tool

Feng Xiao security researcher at Georgia Tech

Node.js is widely used for developing both server-side and desktop applications. It provides a cross-platform execution environment for JavaScript programs. Due to the increasing popularity, the security of Node.js is critical to web servers and desktop clients.

We present a novel attack method against the Node.js platform, called hidden property abusing (HPA). The new attack leverages the widely-used data exchanging feature of JavaScript to tamper critical program states of Node.js programs, like server-side applications. HPA entitles remote attackers to launch serious attacks, such as stealing confidential data, bypassing security checks, and launching denial of service attacks. To help developers detect the HPA issues of their Node.js applications, we develop a tool, named LYNX, that utilizes hybrid program analysis to automatically reveal HPA vulnerabilities and even synthesize exploits. We apply LYNX on a set of widely-used Node.js programs and identify 13 previously unknown vulnerabilities. LYNX successfully generates 10 severe exploits. We have reported all of our findings to the Node.js community. At the time of paper writing, we have received the confirmation of 12 vulnerabilities and got 12 CVEs assigned. Moreover, we collaborated with an authoritative public vulnerability database to help them use a new vulnerability notion and description in related security issues.

The talk consists of four parts. First, we will introduce recent offensive research on Node.js. Second, we will introduce HPA by demonstrating an exploit on a widely-used web framework. Third, we will explain how to leverage program analysis techniques to automatically detect and exploit HPA. In the end, we will have a comprehensive evaluation which discusses how we identified 13 HPA 0days with the help of our detection method.

Feng Xiao
Feng Xiao is a security researcher at Georgia Tech. His research interests include software/system security. He has published three papers on top security venues such as DEFCON, IEEE S&P, and CCS.

https://fxiao.me/

Back to top

Don't Ruck Us Again - The Exploit Returns

Live 30 min Q&A on Saturday, August 8th at 11:30 on the DEF CON Twitch
Tool, Exploit

Gal Zror Research team leader in Aleph Research

"From the researchers who brought to you ""Don't Ruck Us Too Hard"" comes a brand new follow-up research. This summer! We will show that all of Ruckus Wireless ""ZoneDirector"" and the ""Unleashed"" devices are still vulnerable.

This follow-up research includes six new vulnerabilities, such as command injection, information leakage, credentials overwrite, and stack overflow and XSS. With these vulnerabilities, we were able to achieve two new and different pre-auth RCEs. Combined with the first research, that is five entirely different RCEs in total. We also found that Ruckus did not fix some of the vulnerabilities from the first research correctly, and they are still exploitable by using a very neat payload :).

Other cool stuff about this research:
We will share a new Ghidra script we used to map the critical sections in the webserver binary that were later found vulnerable. We managed to fingerprinted Universities and Organizations that were vulnerable from the internet. BlackHat uses Ruckus Wireless for Wi-Fi solutions."

Gal Zror
Gal Zror is a research team leader in Aleph Research group at HCL AppScan, based in Herzliya Israel. Gal has extensive experience with vulnerability research and specialized in embedded systems and protocols. Gal is also an amateur boxer and a tiki culture enthusiast.

@waveburst

Back to top