BSidesVienna 0x7E7
This talk investigates security vulnerabilities of the wireless communication protocol Bluetooth Low Energy. The discovered vulnerabilities are united into a threat model using the STRIDE threat modeling approach. The vulnerabilities examined in this thesis range from packet sniffing on the physical layer to sophisticated Machine-in-the-Middle attacks that are built upon address spoofing and jamming attacks. The proposed threat model also identifies the optional and mandatory dependencies between the attack vectors.
If you own a Tesla, you might be familiar with the PhoneKey feature that lets you unlock and start your car with your smartphone. But did you know that this feature has some serious security flaws? In this talk, we will show you some of the ways hackers can exploit these vulnerabilities to steal or tamper with your Tesla. We will also discuss how Tesla has responded to these issues and whether they have fixed them or not.
Security researchers often have more questions than answers in this domain. The aim of this talk is to give some insights from the supplier's view. So get in and let me take you on a short road trip through the current threat landscape. Let me show you how the industry picks up speed on vulnerability and incident management, puts the brakes on emerging threats and puts the pedal to the metal on new security features and solutions. New standards and regulations are popping up as traffic signs to lead the way, but there are many other challenges suppliers have to navigate through with car manufacturers, such as holistic vehicle system security.
The 2022 Verizon Data Breach Investigations Report showed that 62% of system intrusion incidents came through a partner. To address this challenge, organisations across the industry have come together to design Minimum Viable Secure Product (MVSP) – a vendor-neutral security baseline that is designed to eliminate overhead, complexity and confusion during the procurement, RFP and vendor security assessment process by establishing minimum acceptable security baselines for enterprise B2B solutions.
In this presentation, we will talk about how Google uses MVSP, and the goals of the MVSP program to raise the minimum bar for enterprise software and services at scale.
This talk introduces a new and open platform to track and compare cloud vendors and their broken promises about secure cloud operations. CVEs are not working for cloud vendors and we need a better way than tribal knowledge and smoke signals to communicate these issues. The platform provides a structured way to search and evaluate past security incidents at cloud vendors.
Tabletops are not a new thing in Incident Response training. But oftentimes they’re pretty dull. But wait! What if we made this into a game much like D&D. But instead of fighting orcs with magic you are fighting a realistic ransomware scenario armed with your D20 playing as the dexterous apprentice (who’s always the scapegoat, right?) along with the rest of your team.
That sounds awesome, right? You know what? It is!
Come to my talk and I’ll tell you about my path to IR role playing, my experiences and how you can get started doing your own IR role playing games right away!
Physiotherapy mobile health (mhealth) applications facilitate the remote communication between practitioners and their patients. They process and keep track of sensitive health data such as pain levels and training exercises, which reveal health issues or physical impairment. In this presentation we give an introduction into the methodologies of our security and privacy evaluation of four selected physiotherapy mhealth apps commonly used in Austria. The static and dynamic analysis of the apps and web interfaces showed alarming results with plenty of room for improvement.
Staying under the radar and remaining undetected is one of our priorities during Red Teaming assessments. After all, we’re simulating real threat actors and want to reach our objectives without raising any suspicion. This becomes a more and more challenging task as new defences are implemented, requiring us to add new tools and techniques to our tool belt. Occasionally, though, there is a new technique that brings a broad set of features and doesn’t leave countless traces. This talk is about one such technique: beacon object files (BOFs)!
BOFs aren’t exactly the new hot stuff, as a matter of fact, they’ve been around for more than two years now. In those two years, a de-facto BOF standard has been adapted by many C2 frameworks out there. But what happens when your C2 doesn’t support it? Will you need to fall back to other, potentially less safe, alternative techniques?
That’s a problem we faced and decided to solve when we worked with Brute Ratel C4, which doesn’t support Cobalt Strike’s de-facto BOF standard API. In this talk, we’ll dig deep into the COFF format, show how the Cobalt Strike de-facto standard is incompatible with Brute Ratel’s and how we established full compatibility between the two. A tool that automates this task and a blog post series about it will be released, accompanying the talk.
Multiple Zyxel devices are prone to critical vulnerabilities resulting from insecure coding practices and insecure configuration. One of the worst vulnerabilities is an unauthenticated buffer overflow in the custom "zhttpd" webserver. By bypassing ASLR, the buffer overflow can be turned into an unauthenticated remote code execution (RCE). Besides that, multiple other vulnerabilities including unauthenticated file disclosure, authenticated command injection and processing of symbolic links on storage media were found in the firmware.
This talk will detail the steps we took to analyze the embedded device and how we reverse engineered the webserver. Furthermore, we will showcase our Metasploit module that is able to gain a root shell on 50+ devices without authentication.