
Posts Tagged ‘DefCon32’

[DefCon32] Encrypted Newspaper Ads in the 19th Century

Elonka Dunin and Klaus Schmeh, renowned cryptology experts, unravel the mystery of encrypted advertisements published in The Times between 1850 and 1855. Intended for Captain Richard Collinson during his Arctic expedition, these ads used a modified Royal Navy signal-book cipher. Elonka and Klaus’s presentation traces their efforts to decrypt all ads, providing historical and cryptographic insights into a unique communication system.

The Collinson Cipher System

Elonka introduces the encrypted ads, designed to keep Collinson informed of family matters during his search for the lost Franklin expedition. The cipher, based on a Royal Navy signal-book, allowed Collinson’s family to encode messages for publication in The Times, accessible globally. Elonka’s narrative highlights the system’s ingenuity, enabling secure communication in an era of limited technology.

Decrypting Historical Messages

Klaus details their decryption process, building on 1990s efforts to break the cipher. Using their expertise, documented in their book from No Starch Press, Klaus and Elonka decoded over 50 ads, placing them in geographic and cultural context. Their work reveals personal details, such as messages from Collinson’s sister Julia, showcasing the cipher’s effectiveness despite logistical challenges.

Challenges and Limitations

The duo discusses the system’s mixed success, noting that Collinson received only four messages in Banuwangi due to expedition unrest. Klaus addresses the cipher’s vulnerabilities, such as predictable patterns, which modern techniques could exploit. Their analysis, enriched by historical records, underscores the challenges of maintaining secure communication in remote settings.

Modern Cryptographic Relevance

Concluding, Elonka explores the potential of artificial intelligence in cryptanalysis, noting that LLMs struggle with precise tasks like counting letters but excel in pattern recognition. Their work invites further research into historical ciphers, inspiring cryptographers to apply modern tools to uncover past secrets, preserving the legacy of Collinson’s innovative system.

Links:

[DefCon32] DC101 – Panel

Nikita, Grifter, and other DEF CON organizers deliver an engaging DC101 panel, guiding newcomers through the conference’s vibrant ecosystem. Their session offers practical advice on navigating DEF CON’s contests, social events, and hacking opportunities, fostering an inclusive environment for first-time attendees. Nikita’s candid leadership and the team’s anecdotes create a welcoming introduction to the DEF CON community.

Navigating DEF CON’s Landscape

Nikita opens by outlining DEF CON’s extensive schedule, from 8:00 a.m. to 2:00 a.m., filled with contests, parties, and spontaneous hacking sessions. As director of content and coordination, Nikita emphasizes the variety of activities, such as laser Tetris and social gatherings, ensuring newcomers find engaging ways to connect and learn.

Engaging with Contests and Events

Grifter, the lead for contests and events, shares insights into DEF CON’s competitive spirit, highlighting past highlights like T-Rex fights and the infamous “naked guy” incident from a scavenger hunt. His anecdotes illustrate the creativity and unpredictability of DEF CON’s challenges, encouraging attendees to participate in contests to hone their skills.

Building Community Connections

The panel emphasizes the importance of community, with Nikita encouraging attendees to network and collaborate. The hotline program, led by another organizer, facilitates communication, ensuring newcomers feel supported. Their advice to engage with others, even in informal settings, fosters a sense of belonging in the hacking community.

Inspiring Future Contributions

Concluding, Nikita urges attendees to submit to the Call for Papers (CFP) for future DEF CONs, emphasizing that research and passion can earn a main stage spot. The panel’s lighthearted yet practical guidance, enriched with stories like the bean chair contest, inspires newcomers to dive into DEF CON’s dynamic culture and contribute to its legacy.

Links:

  • None

[DefCon32] Bug Hunting in VMware Device Virtualization

JiaQing Huang, Hao Zheng, and Yue Liu, security researchers at Shanghai Jiao Tong University, explore an uncharted attack surface in VMware’s device virtualization within the VMKernel. Their presentation unveils eight vulnerabilities, three of which were assigned CVEs, discovered through reverse-engineering. JiaQing, Hao, and Yue provide insights into exploiting these flaws, some successfully demonstrated at Tianfu Cup, and discuss their implications for virtual machine security.

Exploring VMware’s VMKernel

JiaQing introduces the VMKernel’s device virtualization, focusing on the virtual machine monitor (vmm) and UserRPC mechanisms that enable communication between the hypervisor and host. Their reverse-engineering, conducted at Shanghai Jiao Tong University, uncovered vulnerabilities in USB and SCSI emulation, revealing a previously unexplored attack surface critical to VMware Workstation and ESXi.

USB System Vulnerabilities

Hao details flaws in the USB system, including the host controller, VUsb middleware, and backend devices. Their analysis identified exploitable issues, such as improper input validation, that could allow attackers to manipulate virtual devices. By exploiting these vulnerabilities, Hao and his team achieved privilege escalation, demonstrating the risks to virtualized environments.

SCSI Emulation Flaws

Yue focuses on the SCSI-related emulation in VMware’s virtual disk system, highlighting differences between Workstation and ESXi. Their discovery of an out-of-bounds write in the unmap command, due to unchecked parameter lengths, caused system crashes. Yue’s analysis underscores design flaws in disk emulation, exposing potential avenues for virtual machine escape.

Mitigating Virtualization Risks

Concluding, JiaQing proposes enhancing sandbox protections and elevating process privileges to prevent exploits. Their work, officially confirmed by VMware, calls for robust mitigation strategies to secure virtual environments. By sharing their findings, JiaQing, Hao, and Yue encourage researchers to explore VMKernel security, strengthening virtualization against emerging threats.

Links:

[DefCon32] Nano Enigma: Uncovering the Secrets in eFuse Memories

Michal Grygarek and Martin Petr, embedded systems security experts at Accenture in Prague, reveal the vulnerabilities of eFuse-based memories used to store sensitive data like encryption keys. Their presentation explores the process of extracting confidential information from these chips using accessible tools, challenging the assumption that eFuse memories are inherently secure. Michal and Martin’s work underscores the need for enhanced protection mechanisms in embedded systems.

Decoding eFuse Vulnerabilities

Martin opens by explaining the role of eFuse memories in securing encryption keys and debugging interfaces. Traditionally considered robust, these memories are susceptible to physical attacks due to their readable properties. Martin details their journey, starting with chip decapsulation using household items like a whetstone, demonstrating that determined attackers can bypass protections without advanced equipment.

Reverse-Engineering Techniques

Michal delves into their methodology, which involved delayering chips to access eFuse data. Using a Scanning Electron Microscope (SEM) rented from a local university, they read encryption keys, breaking the confidentiality of encrypted flash memory. Their approach, supported by Accenture, highlights the ease of extracting sensitive data, as the physical destruction of the chip was not a barrier to recovering firmware.

Implications for Embedded Security

The duo emphasizes the broader implications, noting that eFuse vulnerabilities threaten devices relying on these memories for security. Martin addresses the misconception that delayering is prohibitively complex, showing that basic tools and minimal resources suffice. Their findings, including a giveaway of decapsulated ESP32 chips, encourage hands-on experimentation to understand these risks.

Strengthening Protection Mechanisms

Concluding, Michal advocates for advanced obfuscation techniques and alternative storage solutions to secure sensitive data. Their work, presented at DEF CON 32, calls for vendors to reassess eFuse reliance and implement robust safeguards. By sharing their techniques, Michal and Martin inspire the cybersecurity community to address these overlooked vulnerabilities in embedded systems.

Links:

[DefCon32] The Way to Android Root: Exploiting Smartphone GPU

Xiling Gong and Eugene Rodionov, security researchers at Google, delve into the vulnerabilities of Qualcomm’s Adreno GPU, a critical component in Android devices. Their presentation uncovers nine exploitable flaws leading to kernel code execution, demonstrating a novel exploit method that bypasses Android’s CFI and W^X mitigations. Xiling and Eugene’s work highlights the risks in GPU drivers and proposes actionable mitigations to enhance mobile security.

Uncovering Adreno GPU Vulnerabilities

Xiling opens by detailing their analysis of the Adreno GPU kernel module, prevalent in Qualcomm-based devices. Their research identified nine vulnerabilities, including race conditions and integer overflows, exploitable from unprivileged apps. These flaws, discovered through meticulous fuzzing, expose the GPU’s complex attack surface, making it a prime target for local privilege escalation.

Novel Exploit Techniques

Eugene describes their innovative exploit method, leveraging GPU features to achieve arbitrary physical memory read/write. By exploiting a race condition, they achieved kernel code execution with 100% success on a fully patched Android device. This technique bypasses Control-flow Integrity (CFI) and Write XOR Execute (W^X) protections, demonstrating the potency of GPU-based attacks and the need for robust defenses.

Challenges in GPU Security

The duo highlights the difficulties in securing GPU drivers, which are accessible to untrusted code and critical for performance. Xiling notes that Android’s reliance on in-process GPU handling, unlike isolated IPC mechanisms, exacerbates risks. Their fuzzing efforts, tailored for concurrent code, revealed the complexity of reproducing and mitigating these vulnerabilities, underscoring the need for advanced testing.

Proposing Robust Mitigations

Concluding, Eugene suggests moving GPU operations to out-of-process handling and adopting memory-safe languages to reduce vulnerabilities. Their work, published via Google’s Android security research portal, calls for vendor action to limit attack surfaces. By sharing their exploit techniques, Xiling and Eugene inspire the community to strengthen mobile security against evolving threats.

Links:

[DefCon32] Atomic Honeypot: A MySQL Honeypot That Drops Shells

Alexander Rubin and Martin Rakhmanov, security engineers at Amazon Web Services’ RDS Red Team, present a groundbreaking MySQL honeypot designed to counterattack malicious actors. Leveraging vulnerabilities CVE-2023-21980 and CVE-2024-21096, their “Atomic Honeypot” exploits attackers’ systems, uncovering new attack vectors. Alexander and Martin demonstrate how this active defense mechanism turns the tables on adversaries targeting database servers.

Designing an Active Defense Honeypot

Alexander introduces the Atomic Honeypot, a high-interaction MySQL server that mimics legitimate databases to attract bots. Unlike passive honeypots, this system exploits vulnerabilities in MySQL’s client programs (CVE-2023-21980) and mysqldump utility (CVE-2024-21096), enabling remote code execution on attackers’ systems. Their approach, detailed at DEF CON 32, uses a chain of three vulnerabilities, including an arbitrary file read, to analyze and counterattack malicious code.

Exploiting Attacker Systems

Martin explains the technical mechanics, focusing on the MySQL protocol’s server-initiated nature, which allows their honeypot to manipulate client connections. By crafting a rogue server, they executed command injections, downloading attackers’ Python scripts designed for brute-forcing passwords and data exfiltration. This enabled Alexander and Martin to study attacker behavior, uncovering two novel MySQL attack vectors.

Ethical and Practical Implications

The duo addresses the ethical considerations of active defense, emphasizing responsible use to avoid collateral damage. Their honeypot, which requires no specialized tools and can be set up with a vulnerable MySQL instance, empowers researchers to replicate their findings. However, Martin notes that Oracle’s recent patches may limit the window for experimentation, urging swift action by the community.

Future of Defensive Security

Concluding, Alexander advocates for integrating active defense into cybersecurity strategies, highlighting the honeypot’s ability to provide actionable intelligence. Their work, supported by AWS, inspires researchers to explore innovative countermeasures, strengthening database security against relentless bot attacks. By sharing their exploit chain, Alexander and Martin pave the way for proactive defense mechanisms.

Links:

[DefCon32] Unsaflok: Hacking Millions of Hotel Locks

Lennert Wouters and Ian Carroll, security researchers from KU Leuven and application security experts, respectively, unveil critical vulnerabilities in dormakaba’s Saflok hotel lock system, affecting three million units worldwide. Their presentation details reverse-engineering efforts that enabled them to forge keycards, exposing flaws in the proprietary encryption and key derivation functions. Lennert and Ian also discuss their responsible disclosure process and offer practical advice for hotel guests to verify lock security.

Uncovering Saflok Vulnerabilities

Lennert begins by explaining the Saflok system’s reliance on MIFARE Classic cards, widely used in Las Vegas’s 150,000 hotel rooms. By reverse-engineering the proprietary key derivation and encryption algorithms, Lennert and Ian crafted two forged keycards from a single guest card, capable of unlocking any room and disabling deadbolts. Their findings reveal systemic weaknesses in a decades-old system never previously scrutinized by researchers.

Exploitation Techniques

Ian details the technical approach, which involved analyzing the Saflok’s software and hardware to bypass its protections. Using a low-privilege guest card, they exploited vulnerabilities to generate master keycards, granting unauthorized access. Their demonstration, inspired by prior work on Onity and Vingcard locks, underscores the ease of compromising unpatched systems, posing risks to guest safety and property security.

Responsible Disclosure and Mitigation

The duo responsibly disclosed their findings to dormakaba in September 2022, leading to mitigation efforts, including the adoption of Ultralight C cards and secure element encoders. Lennert discusses challenges in patching millions of locks, noting that legacy encoders may still support vulnerable MIFARE Classic cards. Their work has prompted dormakaba to enhance system security, though full deployment remains ongoing.

Empowering Guest Safety

Concluding, Ian offers practical guidance for hotel guests to check if their room’s lock is patched, such as verifying card types. Their presentation, lauded by peers like Iceman, calls for continued scrutiny of electronic lock systems. By sharing their methodologies, Lennert and Ian empower the cybersecurity community to strengthen hospitality security against emerging threats.

Links:

[DefCon32] AIxCC Closing Ceremonies

Perry Adams and Andrew Carney, representatives from DARPA and ARPA-H, preside over the closing ceremonies of the AI Cyber Challenge (AIxCC) at DEF CON 32. Their presentation celebrates the innovative efforts of participants who developed AI-driven systems to detect and patch software vulnerabilities, emphasizing the critical role of secure software in safeguarding global infrastructure. Perry and Andrew highlight the competition’s impact, announce finalists, and inspire continued collaboration in cybersecurity.

The Vision of AIxCC

Perry opens by reflecting on the AIxCC’s inception, announced at the previous DEF CON, aiming to harness AI to secure critical infrastructure. With over 12,000 visitors to the AIxCC village, the challenge engaged a diverse community in building systems to identify and fix software flaws. Perry underscores the urgency of this mission, given the pervasive vulnerabilities in software underpinning essential services like power grids and healthcare systems.

Recognizing Team Achievements

Andrew highlights standout teams, such as Team Lacrosse for their memorable patch and Team Atlanta for their innovative SQLite findings. The ceremony acknowledges the creative use of large language models (LLMs) and fuzzing techniques by participants. By sharing lessons learned, teams like Trail of Bits contribute to the broader cybersecurity community, fostering transparency and collective progress in tackling software vulnerabilities.

Impact on Critical Infrastructure

The duo emphasizes the broader implications of AIxCC, noting that insecure software threatens global stability. Perry and Andrew praise competitors for developing systems that autonomously detect and mitigate vulnerabilities, reducing reliance on manual processes. Their work aligns with DARPA’s mission to advance technologies that protect national and global infrastructure from cyber threats.

Looking Ahead to Finals

Concluding, Perry announces the finalists, each awarded $2 million and a chance to compete at DEF CON 2025. Andrew encourages ongoing engagement, promising detailed scoring feedback to participants. Their call to action inspires researchers to refine AI-driven security solutions, ensuring a resilient digital ecosystem through collaborative innovation.

Links:

[DefCon32] Breaking the Beam: Exploiting VSAT Modems from Earth

Johannes Willbold, Moritz Schloegel, and Robin Bisping, researchers focused on satellite communications, expose vulnerabilities in VSAT modems, specifically the Newtec MDM2200. Their presentation details reverse-engineering efforts and novel signal injection attacks using software-defined radios (SDRs). By exploiting these systems, Johannes, Moritz, and Robin highlight the expanded attack surface of satellite communications, urging improved security for remote connectivity.

Reverse-Engineering VSAT Modems

Johannes outlines their approach to dissecting the MDM2200’s software stack, uncovering zero-day vulnerabilities. By analyzing firmware, they identified flaws that could allow remote code execution. This meticulous reverse-engineering, part of a broader project published at ACM WiSec 2024, reveals systemic weaknesses in VSAT systems critical for maritime and crisis communications.

Signal Injection Attacks

Moritz details their groundbreaking SDR-based attacks, injecting signals through the modem’s antenna to deliver bogus firmware updates or gain root shell access. Unlike previous VSAT attacks, such as the 2022 ViaSat hack, their method operates entirely from Earth, bypassing traditional network-based exploits. This approach significantly broadens the potential for remote exploitation.

Implications for Satellite Security

Robin discusses the real-world impact, noting that outdated Linux kernels (e.g., version 2.6.3) and latency-sensitive protocols like IPsec exacerbate vulnerabilities. Their end-to-end attack demonstrates the feasibility of compromising satellite modems, potentially disrupting critical communications. The researchers stress the urgency of updating VSAT security practices to protect remote regions.

Call for Robust Defenses

Concluding, Johannes advocates for modernized protocols, such as TLS over IPsec, and regular firmware updates to secure VSAT systems. Their work, soon to be published, invites further research to address these vulnerabilities. By demonstrating practical attacks, Johannes, Moritz, and Robin urge stakeholders to prioritize satellite communication security to safeguard global connectivity.

Links:

  • None

[DefCon32] AWS CloudQuarry: Digging for Secrets in Public AMIs

Eduard Agavriloae and Matei Josephs, security researchers from KPMG Romania and Syncubes, present a chilling exploration of vulnerabilities in public Amazon Machine Images (AMIs). Their project, scanning 3.1 million AMIs, uncovered exposed AWS access credentials, posing risks of account takeovers. Eduard and Matei share their methodologies and advocate for robust cloud security practices to mitigate these threats.

Uncovering Secrets in Public AMIs

Eduard opens by detailing their CloudQuarry project, which scanned millions of public AMIs using tools like ScoutSuite. They discovered critical findings, such as exposed access keys, that could enable attackers to compromise AWS accounts. Supported by KPMG Romania, Eduard and Matei’s research highlights the pervasive issue of misconfigured cloud resources, a problem they believe will persist due to human error.

Methodologies and Tools

Matei explains their approach, leveraging automated tools to identify public AMIs and extract sensitive data. Their analysis revealed credentials embedded in AMIs, often overlooked by organizations. By responsibly disclosing findings to affected parties, Eduard and Matei avoided exploiting these keys, demonstrating ethical restraint while highlighting the potential for malicious actors to cause widespread damage.
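The credentials the researchers found are the kind an image owner can catch before publishing. The scanner below is an added example, not CloudQuarry's tooling; it walks the contents of a mounted image (or, for the embedded demonstration, a constructed dictionary of file paths to text) and reports AWS access key IDs and labelled secret access keys in redacted form. The key values in the sample are constructed, and the secret uses AWS's own documentation placeholder.

```python
import os
import re
from dataclasses import dataclass

# Access key IDs are 20 characters: AKIA (long-term user key) or ASIA (temporary
# STS key) followed by 16 uppercase letters or digits.
ACCESS_KEY_ID_RE = re.compile(r"\b((?:AKIA|ASIA)[0-9A-Z]{16})\b")
# A bare 40-character token is too generic to flag on its own, so secret keys
# are only matched when they sit next to the usual configuration label.
SECRET_KEY_RE = re.compile(
    r"(?i)aws_secret_access_key\s*[=:]\s*[\"']?([A-Za-z0-9/+=]{40})(?![A-Za-z0-9/+=])"
)


@dataclass(frozen=True)
class Finding:
    path: str
    line_no: int
    kind: str       # "access_key_id" or "secret_access_key"
    redacted: str   # enough to identify which key leaked without repeating it


def redact(value: str) -> str:
    """Keep the first and last four characters; mask the rest."""
    return value[:4] + "*" * (len(value) - 8) + value[-4:]


def scan_text(path: str, text: str) -> list[Finding]:
    """Scan one file's text for key material, one finding per match."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for m in ACCESS_KEY_ID_RE.finditer(line):
            findings.append(Finding(path, line_no, "access_key_id", redact(m.group(1))))
        for m in SECRET_KEY_RE.finditer(line):
            findings.append(Finding(path, line_no, "secret_access_key", redact(m.group(1))))
    return findings


def scan_files(files: dict[str, str]) -> list[Finding]:
    """Scan a mapping of path -> text content (as produced from a mounted volume)."""
    return [f for path, text in sorted(files.items()) for f in scan_text(path, text)]


def scan_mounted_volume(root: str) -> list[Finding]:
    """Walk a mounted image snapshot; binary content is read with errors ignored."""
    files = {}
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            try:
                with open(full, "r", encoding="utf-8", errors="ignore") as fh:
                    files[full] = fh.read()
            except OSError:
                continue  # sockets, unreadable files, etc.
    return scan_files(files)


# Constructed sample of what a forgotten build box might leave behind in an AMI.
SAMPLE_IMAGE_FILES = {
    "/home/ec2-user/.aws/credentials": (
        "[default]\n"
        "aws_access_key_id = AKIAEXAMPLEKEY000001\n"
        "aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY\n"
    ),
    "/root/.bash_history": "export AWS_ACCESS_KEY_ID=ASIAEXAMPLETEMP00001\nls -la\n",
    "/etc/motd": "Welcome to the build image\n",
}

if __name__ == "__main__":
    for finding in scan_files(SAMPLE_IMAGE_FILES):
        print(f"{finding.path}:{finding.line_no} {finding.kind} {finding.redacted}")
```

Run against a real snapshot by mounting its root volume read-only and calling scan_mounted_volume on the mount point; anything reported should be rotated, not just deleted from the image.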

Risks of Account Takeover

The duo delves into the consequences of exposed credentials, which could lead to unauthorized access, data breaches, or ransomware attacks. Their findings, shared with companies expecting only T-shirts in return, underscore the ease of exploiting public AMIs. Eduard emphasizes the adrenaline rush of discovering such vulnerabilities, reflecting the stakes in cloud security.

Strengthening Cloud Security

Concluding, Matei advocates for enhanced configuration reviews and automated monitoring to prevent AMI exposures. Their collaborative approach, inviting community feedback, reinforces the importance of collective vigilance in securing cloud environments. By sharing their tools and lessons, Eduard and Matei empower organizations to fortify their AWS deployments against emerging threats.

Links: