{"code":"K7JNE8","speakers":[{"code":"MJ3KNB","name":"Paul Zenker","biography":"I am a security consultant at KPMG. I love breaking AI and using AI to break other stuff. When AI becomes too much hype and magic I go touch some grass and break into buildings.","avatar":"http://cfp.bsidesvienna.at/media/avatars/Bild_Paul_0bzXwqM.png"}],"title":"MCP - Most Concerning Protocol","submission_type":{"en":"Medium Talk"},"track":{"en":"Mittlerer Saal (Track 1 - 260 pax)"},"state":"confirmed","abstract":"TLDR: If you as an attacker want more tools to gain RCE and persistence MCP is exactly that.\r\n\r\nAI agents are rapidly becoming a new interface to enterprise systems: they read internal knowledge, call APIs, and execute actions through connected tools. MCP standardizes this tool access, but it also creates a new, high-impact attack surface: tool execution integrity.","description":"Basically our talk shows all the ways attackers can leverage MCP for RCE and persistence.\r\n\r\nIn this talk we demonstrate “MCP hijacking in the wild” through an attack demo that shows how a compromised or malicious MCP tool execution path can become an attacker control channel. Critically, we show why common hardening approaches are insufficient in practice by demonstrating bypass and/or time-of-check/time-of-use gaps during the demo itself.\r\n\r\nWe close with a proof-of-concept integrity protection method designed to raise the bar against MCP toolchain compromise by enforcing trustworthy tool identity and invocation integrity, with practical guidance","duration":45,"slot_count":1,"do_not_record":false,"is_featured":false,"content_locale":"en","slot":{"room":{"en":"Mittlerer Saal (Track 1)"},"start":"2026-06-27T09:30:00+02:00","end":"2026-06-27T10:15:00+02:00"},"image":null,"resources":[]}