Program

Schedule

UTC+01:00 Friday November 20th Who
TBA Vulnerability Research: A full chained exploit from IT network to PLC’s unconstrained code execution Nicolas Delhaye and Flavian Dola
TBA Reverse Engineering archeology: Reverse engineering multiple devices with multiple versions, to put together a complex puzzle Shlomi Oberman, Moshe Kol and Ariel Schön
TBA No lightsaber is needed to break the Wookey David Berard
TBA Sneak into buildings with KNXnet/IP Claire Vacherot
TBA Discontinued Privacy: Personal Data Leaks in Apple Bluetooth-Low-Energy Continuity Protocols Guillaume Celosia and Mathieu Cunche
TBA RF Shadow games Sebastien Dudek
TBA The Great Hotel Hack: Adventures in attacking hospitality industry Etizaz Mohsin
TBA Anti-debugging tricks for Cortex-M chips Nicolas Oberli

Vulnerability Research: A full chained exploit from IT network to PLC’s unconstrained code execution

Nowadays, much of industrial companies own an Industrial Control System (ICS) environment regardless of their activity area. That mainly concerns critical sectors dealing with Operational Technology (OT) network such as in energy, automotive, water and so on. This presentation is intended to demonstrate the risk involved by the integration of such systems according to two major points. The first is that ICS implies a large attack surface due to the presence of many applications and embedded systems. The second is that an ICS is faced with many software design issues because security has not been historically considered. We would like to sensitize the public by emphasizing the points mentioned above through a real scenario based on our vulnerability research, resulting in several CVEs on a popular manufacturer. More precisely, we have succeeded in building a chained exploit which allowed us to take control of a PLC from an IT access by targeting the engineering station.

Nicolas Delhaye has been a vulnerability researcher since 2010 and he is currently working at Airbus CyberSecurity. Most of these findings are mainly focused on both Windows OS and security applications by looking for vulnerabilities in user and kernel land.
Flavian Dola is currently working at Airbus CyberSecurity as a vulnerability researcher specialized on embedded systems (IoT, ICS, …). His field of expertise lies on the areas of reverse engineering, fuzzing and exploit development.


Reverse Engineering Archeology:Multiple Devices, Multiple Versions

Ripple20 is a series of zero-day vulnerabilities discovered in a widely used low-level TCP/IP software library developed by Treck, Inc and disclosed by JSOF in June 2020. This session focuses on the original research process used to identify and pinpoint the Ripple20 vulnerabilities, their variants, and some attempts to piece together the historical timeline showing how the original software library changed over time. This was a complex process of reverse engineering multiple devices simultaneously, working in parallel on many different levels. In this session we will describe how we reverse engineered the devices simultaneously, using comparative techniques to confirm each point. We will explain an interesting outcome of the supply chain ripple effect, and how it is now possible to find a vulnerability affecting hundreds of devices for near zero effort.

Shlomi Oberman is an experienced security researcher and leader with over a decade of experience in security research and product security. He has spoken internationally and his research has been presented in industry conferences such as CodeBlue Tokyo and Hack-In-The-Box as well as other conferences. He is also an experienced teacher, training researchers and engineers in Embedded Exploitation and Secure Coding, as well as an organizer of local community cyber-security events. Shlomi has the unique advantage of a broad technical understanding of the Security Field as well as deep knowledge of an attacker's mindset.
Moshe Kol is a wickedly talented security researcher, currently finishing his Computer Science studies at the Hebrew University of Jerusalem. He has many years of networking and security research experience working for the MOD where he honed his skills originally developed at home - as he was led by sheer curiosity into the world of reverse engineering and security research.
Ariel Schön is an experienced security researcher with unique experience in embedded and IoT security as well as vulnerability research. Ariel is a veteran of the IDF Intelligence Corps, where he served in research and management positions.


No lightsaber is needed to break the Wookey

Wookey is a secure USB mass storage project, developed by ANSSI. Every two years a challenge in organized to evaluate CESTI/ITSEF, this year the Wookey project was chosen as a challenge target. This presentation details Synacktiv's results found during the hardware and software evaluation. A specific focus will be on the power glitches attacks and Wookey kernel exploitation.

David Berard is a security expert at Synacktiv in the reverse engineering team. He is specialized in mobile and embedded systems reverse engineering, vulnerability research and exploit development.


Sneak into buildings with KNXnet/IP

Building Management Systems (BMS) centralize and automate essential assets in a building. They are often linked to the LAN and sometimes reachable on the Internet, exposing building automation devices and network protocols that are usually not designed to handle cybersecurity issues. This presentation focuses on the BMS protocol KNX. We will discuss its technical details and the cybersecurity concerns raised by implementations, then present a Python library to perform basic KNX discovery, communication operations and to write advanced testing scripts. We will explain how to use it through fuzzing script examples, hoping that this library will be used to find and fix vulnerabilities in building management systems and as a handy tool for other research material on BMS protocols.

Claire Vacherot is a security auditor and pentester at Orange Cyberdefense. She likes to test systems and devices that interact with the real world and is particularly interested in industrial and embedded devices cybersecurity. As a former software developer, she never misses a chance to write scripts and tools.


Discontinued Privacy: Personal Data Leaks in Apple Bluetooth-Low-Energy Continuity Protocols

Apple Continuity protocols are the underlying network component of Apple Continuity services which allow seamless nearby applications such as activity and file transfer, device pairing and sharing a network connection. Those protocols rely on Bluetooth Low Energy (BLE) to exchange information between devices. In this work, we present a thorough reverse engineering of Apple Continuity protocols that we use to uncover a collection of privacy leaks. We introduce new artifacts, including identifiers, counters and battery levels, that can be used for passive tracking, and describe a novel active tracking attack based on Handoff messages. Beyond tracking issues, we shed light on severe privacy flaws.

Mathieu Cunche is an associate professor at INSA-Lyon, a member of the CITI Lab and a faculty member of the Inria PRIVATICS team. His research interests include privacy and security in the context of wireless networks, Internet of Things and mobile environments. He is also interested in the analysis of online censorship and surveillance. He conducted several studies on the exposure of personal data from mobile devices, especially with Wi-Fi and Bluetooth. He has been involved in standardization activities, in particular at IEEE 802 where he contributed to efforts on privacy protections.


The Great Hotel Hack: Adventures in attacking hospitality industry

Ever wondered your presence exposed to an unknown entity even when you are promised for full security and discretion in a hotel? Well, it would be scary to know that the hospitality industry is a prime board nowadays for cyber threats as hotels offer many opportunities for hackers and other cybercriminals to target them and therefore resulting in data breaches. The advanced persistent threat campaign called Darkhotel infected wifi-networks at luxury hotels, prompted the victim to download the malware and thus, succeeded in specifically targeting traveling business executives in a variety of industries and all its prevalence seems to have no end yet. We will discourse about the working of guest Wi-Fi systems, different use cases and their attack surfaces: device exploitation, network traffic hi-jacking, accessing guest's details and more. Common attacks and their corresponding defenses will be discussed. This talk will contain demos of attacks to reveal how the remote exploitation of such a device puts millions of guests at risk.

Etizaz Mohsin is an information security researcher and enthusiast. His core interest lies in low level software exploitation both in user and kernel mode, vulnerability research, reverse engineering. He holds a Bachelors in Software Engineering and started his career in Penetration Testing. He is an active speaker at international security conferences.


Anti-debugging tricks for Cortex-M chips

ARM Cortex-M chips are very common in embedded devices nowadays. Accessing their debug interface allows to recover their firmware, so you might think this interface is disabled on production devices. Turns out this is rarely the case for whatever reason. As a firmware developper, is there a way to detect and/or prevent a debug access to the software ?
During this talk, we will present how the ARM Debug Interface (ADI) works in details, and use that knowledge to build detection routines allowing the firmware to self-defend itself against unauthorized debug access. We will also present some lesser-known features of the ADI that can be leveraged to prevent firmware disassembly, and even allow the target device to counterattack.

Nicolas Oberli works as a security engineer for Kudelski IoT in Switzerland. His research focuses on embedded devices and communication protocols. In his spare time, he now spends more time designing CTF challenges than solving them. He is also one of the main developers of the Hydrabus hardware hacking tool and part of the BlackAlps security conference committee.