Conference: Defcon 31
Authors: Josep Pi Rodriguez, Principal Security Consultant at IOActive
2023-08-01

We conducted research to assess the current security of the NFC payment readers present in most major ATM brands, portable point-of-sale terminals, gas stations, vending machines, transportation systems and other kinds of point of sale in the US, Europe and worldwide. In particular, we found code execution vulnerabilities exploitable over NFC when handling a special application protocol data unit (APDU), affecting most NFC payment vendors. The vulnerabilities affect bare-metal firmware devices as well as Android/Linux devices. After waiting more than a year and a half after disclosing them to all the affected vendors, we are ready to disclose all the technical details to the public. This research was covered in the media by wired.com, but without the technical details that we can now share: https://www.wired.com/story/atm-hack-nfc-bugs-point-of-sale/

Some of the affected vendors are: IDtech (https://idtechproducts.com/), Ingenico (https://www.ingenico.com/), Verifone (https://www.verifone.com/), CPI (https://www.cranepi.com/), BBPOS (https://www.bbpos.com/), Wiseasy (https://www.wiseasy.com/) and Nexgo (https://www.nexgoglobal.com/).

In this presentation we will describe the vulnerabilities and also demo how the readers can be compromised, using a special Android app we created, by just tapping an Android phone on the reader. We will discuss the consequences, such as the financial impact on the readers' users/owners and card data theft once the firmware is compromised. We will also show how to compromise the host connected to the reader over USB by manipulating the reader's firmware, chaining stack buffer overflow vulnerabilities in the vendor-provided SDK running on the host machine. Finally, since one of the affected vendors (IDtech) is present in most ATM brands in the world, the talk will cover different scenarios of how it may be possible to jackpot ATMs just by tapping a smartphone on the ATM's reader. We have many years of experience jackpotting all brands of ATMs in multiple different ways, and we will show how this is technically possible.
Conference: Black Hat USA 2022
2022-08-10

Rooting modern Android devices using kernel bugs from an unprivileged process without any hardcoded offsets/addresses and with almost a 100% success rate is exceptionally rare. After reporting the in-the-wild CVE-2020-0069 in Mediatek's Command Queue device driver, we conducted a security review on ImgTec's PowerVR GPU device driver during which we discovered and reported several such rare vulnerabilities (e.g. GPU CVE-2021-39815). In total, we discovered 35+ exploitable bugs.

This talk will primarily focus on GPU hacking. There have been many vulnerability reports about other GPUs like Mali and Adreno in the last few years, but Google only received a single report about ImgTec's PowerVR GPU. It appears that the security risks of ImgTec's PowerVR GPUs have been underexplored so far, even though ImgTec may have the largest GPU market share in the Android ecosystem, as many affordable, popular devices ship with ImgTec's GPUs. In addition to Android devices, many Chromebooks also use PowerVR GPUs. This makes the discovered vulnerabilities and exploits truly cross-platform, plus 10 more OEMs are affected.

In general, kernel memory management for CPUs and GPUs is complex, making it easy to produce unwanted or undefined outcomes. We will discuss the design and implementation of GPU driver technologies such as kernel APIs, memory management, kernel object lifetime, and the implementations of the OpenCL internal libraries. We will also highlight the latest SELinux policy for limiting unprivileged interaction with ImgTec's PowerVR GPUs on devices, and how to achieve a stable bypass. We will discuss the details of the exploit and show a demo rooting a well-known PowerVR device.
Authors: Jan Seredynski
2021-09-24

tldr - powered by Generative AI

The presentation discusses the importance of application integrity in cybersecurity and the potential risks of not implementing it. It also provides some do-it-yourself tips for developers to ensure application integrity.
  • Application integrity is about verifying that the user is running on the original version of the app and that no resources have been changed.
  • Without application integrity, apps can be redistributed for free with built-in cheats or modified assets.
  • Developers can implement application integrity by checking for bundle ID, verifying the signature of the app, and checking for a debuggable state.
  • Clean code and obfuscation can also help prevent IP theft and make it harder for attackers to understand the code.
Conference: Defcon 29
2021-08-01

All I wanted was a camera to monitor my pumpkin patch for pests; what I found was a wireless security camera that spoke with an accent and asked to speak with my fax machine. Join me as I engage in a signals analysis of the Amiccom 1080p Outdoor Security Camera and hack the signal to reverse engineer the audio tones used to communicate with and configure this inexpensive outdoor camera. This journey takes us through spectrum analysis, APK decompiling, tone generation in Android and the use of Ghidra for when things REALLY get hairy.

REFERENCES:
  • JADX: Dex to Java Decompiler - https://github.com/skylot/jadx
  • Efficiency: Reverse Engineering with Ghidra - http://wapiflapi.github.io/2019/10/10/efficiency-reverse-engineering-with-ghidra.html
  • Guide to JNI (Java Native Interface) - https://www.baeldung.com/jni
  • JDSP - Digital Signal Processing in Java - https://psambit9791.github.io/jDSP/transforms.html
  • Understanding FFT output - https://stackoverflow.com/questions/6740545/understanding-fft-output
  • Spectral Selection and Editing - Audacity Manual - https://manual.audacityteam.org/man/spectral_selection.html
  • Edit>Labelled Audio>everything greyed out - https://forum.audacityteam.org/viewtopic.php?t=100856
  • Get a spectrum of frequencies from WAV/RIFF using linux command line - https://stackoverflow.com/questions/21756237/get-a-spectrum-of-frequencies-from-wav-riff-using-linux-command-line
  • How to interpret output of FFT and extract frequency information - https://stackoverflow.com/questions/21977748/how-to-interpret-output-of-fft-and-extract-frequency-information?rq=1
  • Calculate Frequency from sound input using FFT - https://stackoverflow.com/questions/16060134/calculate-frequency-from-sound-input-using-fft?rq=1
  • Introduction - Window Size - https://support.ircam.fr/docs/AudioSculpt/3.0/co/Window%20Size.html
  • Android: Sine Wave Generation - https://stackoverflow.com/questions/11436472/android-sine-wave-generation
  • Android Generate tone of a specific frequency - https://riptutorial.com/android/example/28432/generate-tone-of-a-specific-frequency
  • Android Tone Generator - https://gist.github.com/slightfoot/6330866
  • Android: Audiotrack to play sine wave generates buzzing noise - https://stackoverflow.com/questions/23174228/android-audiotrack-to-play-sine-wave-generates-buzzing-noise
Conference: BlackHat USA 2019
2019-08-08

tldr - powered by Generative AI

The presentation discusses hidden interfaces in graphic drivers and how they can be exploited for attacks. It also introduces an automatic measure to detect these interfaces.
  • Hidden interfaces in graphic drivers can be exploited for attacks
  • Automatic measure introduced to detect these interfaces
  • Shared memory can be used to map user space hardware into kernel
  • Process sideband power function can be a target for hidden interfaces
Conference: Defcon 27
2019-08-01

tldr - powered by Generative AI

Runtime analysis is a powerful technique for improving mobile application testing and can be used by various disciplines, including hackers, malware reversers, and DevOps professionals.
  • Runtime analysis is more than just hooking and SSL pinning bypasses.
  • It enables us to improve testing and not rely on old tooling that may not work on non-jailbroken devices.
  • We can build more tools and extend our arsenal without needing root access.
  • Anyone can use runtime analysis, and it's applicable to many involved in mobile application pipelines.
  • We can use runtime analysis to catch data being shipped off somewhere and understand what apps are doing.
  • We can integrate runtime analysis into Jenkins pipelines to automate testing and assert certain features.