
2019-12-02 ~ 2019-12-05

Presentations (with video): 46 (42)

Black Hat provides attendees with the latest in research, development, and trends in Information Security. Here the brightest professionals and researchers in the industry come together for a total of four days—two or four days of deeply technical hands-on Trainings, followed by two days of the latest research and vulnerability disclosures in the Briefings.

Conference: BlackHat EU 2019
2019-12-05

tldr - powered by Generative AI

The presentation discusses the Spectre vulnerability and a new variant that exploits speculative execution of subjects. The speaker explains the research process and potential mitigations.
  • The starting point for the research was the work of Google and Daniel GrusinBusiek University in Amsterdam on speculative execution of subjects
  • The new Spectre variant treats values as addresses to leak information
  • The vulnerability is x86 specific and may not affect ARM processors
  • Mitigations include serializing branches, clobbering user mode GS, and instrumenting the kernel
  • The performance vs. security tradeoff is a challenge for fixing the vulnerability

Conference: BlackHat EU 2019
2019-12-05

tldr - powered by Generative AI

The presentation discusses the vulnerability of the LPC 1343 microcontroller and how it can be exploited using return-oriented programming.
  • The LPC 1343 microcontroller has a vulnerability in its read command function due to the lack of code protection checks.
  • The vulnerability can be exploited by overwriting the return address of the write command and making it jump to the read command area.
  • Return-oriented programming can be used to branch the code and prevent the device from crashing.
  • The vulnerability was responsibly disclosed to NXP and they updated their documentation to encourage the use of CRP level 1.
  • Empty bootloaders are easy to dump and reverse-engineer, resulting in the discovery of logical attacks and vulnerabilities in widely available devices.

Conference: BlackHat EU 2019
2019-12-05

tldr - powered by Generative AI

The speaker discusses their project of bypassing the speed limiter on their 20-year-old car and connecting it to their custom infotainment system through reverse engineering and understanding the car's computer management system.
  • The speaker bought a 90's sports car in Japan and wanted to bypass the speed limiter and connect it to their custom infotainment system
  • They reverse-engineered the car's computer management system and communicated with the ECU through the xsm protocol
  • The speaker turned everything into code and looked for maps to understand the engine's management system
  • They discovered interesting things such as the use of read-only memory and the M flag that changes instruction decoding at runtime
  • The speaker managed to bypass the speed limiter by understanding how it works and cutting all fuel injection when the car reaches 180 km/h
  • The speaker emphasizes that this work was done for educational purposes and testing was done legally on racetracks and closed roads only

Conference: BlackHat EU 2019
2019-12-05

tldr - powered by Generative AI

The presentation discusses incidents and challenges faced by security practitioners in protecting networks and endpoints. It emphasizes the importance of diligence and collaboration in ensuring network security.
  • Incidents such as web shell attacks and unencrypted endpoint monitoring pose significant threats to network security
  • Security practitioners should not trust other companies to protect their networks and should double-check their own security measures
  • Collaboration with partners and the use of tools such as wireless spectrum analysis can enhance network security
  • The presentation aims to change the stigma surrounding the Black Hat Network and make it more accessible to users

Conference: BlackHat EU 2019
2019-12-05

tldr - powered by Generative AI

The presentation discusses the privacy hazards and vulnerabilities in the Continuity protocol used by Apple devices.
  • Continuity protocol used by Apple devices has privacy hazards and vulnerabilities
  • The protocol leaks device usage and identity, allowing adversaries to track devices
  • MAC address randomization can be broken, rendering it useless
  • Wi-Fi analyzation is still in draft and may have issues in the real world
  • Reviewing information of new protocols carefully is recommended

Conference: BlackHat EU 2019
2019-12-05

As we live in a world where billions of IoT devices are connected to the Internet, there are streams of news articles that depict damages caused by malware and other threats that target such devices. While there are some things that users can do to prevent such damages, consumers expect manufacturers to consider security as part of the product design in the development lifecycle.

Panasonic, being a device manufacturer, is able to collect information on these threats by connecting our own devices in the development / pre-shipment phases to a honeypot that we have developed. Since its deployment, Panasonic has been able to find 179 million attack cases and 25 thousand malware samples, of which 4,800 were unique samples targeting IoT. 20% of the samples were new, and hashes for them did not exist when querying VirusTotal. In addition, we discovered 0-day attacks against the SMB protocol, allowing attackers to access data on compromised home appliances.

We have developed a system where information collected through the honeypot is sent to a sandbox for automated analysis, to address our concern about having a limited number of security experts. This system allows Panasonic to collect "malware targeting/exploiting Panasonic IoT devices" for quicker remediation, in addition to "popular malware" targeting a wide range of IoT devices.

In this session, we will discuss the details of this project and share some analysis of the malware that has been collected. By leveraging this information, Panasonic aims to develop products that are resilient to malware. In addition, we are looking for ways to use this threat and remediation information to develop an IoT SOC.

Conference: BlackHat EU 2019
2019-12-05

Malware utilizes code injection techniques to either manipulate other processes (e.g. as done by banking trojans) or hide its existence. With some exceptions, such as ROP gadgets, the injected code needs to be executable by the CPU (at least at some point in time).

In this talk, we will cover hiding techniques that prevent executable pages (containing injected code) from being reported by current memory forensic plugins. These techniques can either be implemented by malware in order to hide its injected code (as already observed) or can, in one case, unintentionally be taken care of by the operating system through its paging mechanism. In a second step, we present an approach to reveal such pages despite the mentioned hiding techniques by examining Page Table Entries. This approach has been implemented as a plugin for the memory forensic framework Rekall, which automatically reports any memory region containing executable pages.

The talk will also contain several live demonstrations, showing the successful hiding from current memory forensic plugins and the detection with our plugin.

Conference: BlackHat EU 2019
2019-12-05

The adoption of Fourth Generation Long Term Evolution (4G LTE)—the de facto standard for cellular telecommunication—has seen stable growth in recent years, replacing prior generations due to its promise of improved assurances (e.g., higher bandwidth, reliable connectivity, enhanced security). On top of that, the imminent deployment of the Fifth Generation (5G) cellular network has created much enthusiasm in both industry and academia, particularly due to its promise of enabling new applications such as smart vehicles and remote robotic surgery. It is, therefore, expected that the 5G rollout will positively impact us from the national to a more personal level by enabling applications that often improve our quality of life. Paging is one of the many important protocols in cellular networks which enables a cellular device (one not actively communicating with a base station) to respond to a phone call, an SMS, or any incoming message for the device. The cellular paging (broadcast) protocol strives to balance a cellular device's energy consumption and quality-of-service by allowing the device to only periodically poll for pending services in its idle, low-power state. For a given cellular device and serving network, the exact time periods when the device polls for services (called the paging occasion) are fixed by design in the 4G/5G cellular protocol. This talk first presents how the fixed nature of paging occasions can be exploited as a side-channel by an adversary in the vicinity of a victim to associate the victim's soft-identity (e.g., phone number, Twitter handle) with its paging occasion, at only a modest cost, through an attack dubbed ToRPEDO (TRacking via Paging mEssage DistributiOn). Consequently, we demonstrate how ToRPEDO can enable an adversary to verify a victim's coarse-grained location information, inject fabricated paging messages, and mount denial-of-service attacks.

We also demonstrate that, in 4G and 5G, it is plausible for an adversary to retrieve a victim device's persistent identity (i.e., IMSI) with a brute-force "IMSI-Cracking" attack while using ToRPEDO as an attack sub-step. Our further investigation of 4G paging protocol deployments also identified an implementation oversight by several network providers which enables the adversary to launch a new kind of IMSI-Catching attack, named PIERCER (Persistent Information ExposuRe by the CorE netwoRk), for associating a victim's phone number with its IMSI, subsequently allowing targeted user location tracking. All of our attacks have been validated and evaluated on network operators in many different countries, including the US, Canada, Europe, and South-East Asia, using commodity hardware and software. Finally, this talk discusses the potential flaws of the fixes proposed by the Third Generation Partnership Project (3GPP), the standards body for cellular networks, and concludes with a direction for potential countermeasures against the presented attacks.

Conference: BlackHat EU 2019
2019-12-05

In June 2017, Maersk suffered a major NotPetya cyber-attack. This session explains the lessons learned and how they are now being applied within Maersk.

Conference: BlackHat EU 2019
2019-12-05

tldr - powered by Generative AI

The presentation discusses the vulnerabilities in cloud applications due to bad coding practices and the need for developers to follow security principles.
  • Cloud applications are vulnerable to attacks due to bad coding practices
  • Developers need to follow security principles such as the least privilege principle
  • Automation is necessary for securing cloud applications with multiple resources
  • The presentation provides examples of how to exploit vulnerabilities in cloud applications
  • The speaker emphasizes that the problem is not with the cloud, but with bad coding practices