RomHack Conference

RomHack Conference 2023 Agenda

Saturday, 16 September 2023 in Rome, Italy

Carola Frediani and Cyber Saiyan

Conference opening

10:15 – 10:30

Carola Bio

Carola Frediani has written about hacking, surveillance and cybercrime for Italian and foreign publications. She then went on to work as a cybersecurity awareness manager in international organisations. She joined the global security team at Amnesty International and is now an Infosec technologist at Human Rights Watch. She writes the free weekly newsletter Guerre di Rete, which analyses news and stories on cyber and digital rights. The newsletter has since evolved into an independent information project, Guerredirete.it, created together with the association Cyber Saiyan.

Kim Zetter

Sun Stroke: How the SolarWinds hackers pulled off their ingenious operation and scorched the vulnerable underbelly of the software supply chain

[ keynote | supply chain ]

10:30 – 11:20

In November 2020 when a Mandiant analyst decided to investigate a routine security alert that many others would have ignored, she had no idea what her simple sleuthing would uncover — a massive espionage campaign that slipped past the protections of some of the most secure government agencies and tech titans in the world and exposed a major vulnerability at the core of the software supply chain. In a single ingenious stroke that should have surprised no one, the hackers hijacked the build server of a global software supplier and injected their code into a trusted update. With that one feat they managed to infect more than 16,000 customers across government and industry — from the Department of Homeland Security to Microsoft and Mandiant, from VPN suppliers to managed service providers — and remain undetected for nearly a year.

This keynote will examine how the Russian spies behind the operation pulled off their masterful hack and how they were ultimately caught after several near-misses. It will look at the mistakes that were made — on the part of the intruders, investigators, and victims — and what the operation taught us. And it will reveal what we still don’t know about the campaign.

Kim Bio

Kim Zetter is an investigative journalist who has been covering cybersecurity and national security for more than 15 years, writing about hacking, election security, spies, espionage, surveillance, and digital warfare for WIRED, Politico, the New York Times, Washington Post, and many others. She is the author of the book Countdown to Zero Day: Stuxnet and the Launch of the World’s First Digital Weapon and of the Substack newsletter Zero Day. Her most recent in-depth feature for WIRED is about the SolarWinds hacking campaign, which is considered the boldest and most sophisticated supply-chain hack ever pulled off.

Ting-Yu Chen (NiNi)

A Comprehensive Review on the Less-Traveled Road: 9 Years of Overlooked MikroTik Pre-Auth RCE

[ attack | vuln research ]

11:20 – 12:10

MikroTik is a supplier of network infrastructure, and its products and RouterOS are widely adopted. Currently, at least 3 million devices are running RouterOS online. RouterOS is actively targeted by attackers: the exploits leaked from the CIA in 2018 and the massive exploits that followed are samples of the havoc that can be caused when such devices are maliciously exploited again. Therefore, RouterOS also attracts many researchers to hunt bugs in it. However, high-impact vulnerabilities have rarely been reported over a long period. Can the OS become perfect overnight? Of course not. Some details have been missed.

Research on RouterOS has mainly targeted jailbreaking, Nova Message in IPC, and analysis of exploits in the wild. Research on Nova Message in particular has reported tons of post-auth vulnerabilities. However, the architecture design and the lower-layer objects, which are closely related to the functionality of Nova Binary, were neglected due to their complexity, causing some details to be overlooked for a long time. Starting by introducing the mechanisms of the socket callback and the remote object, we will disclose more about the overlooked attack surface and implementations in RouterOS. Moreover, we will discuss how we, at the end of rarely visited trails, found the pre-auth RCE that existed for nine years and can exploit all active versions and the race condition in the remote object. We will also share our methodology and vulnerability patterns.

By delving into the design of RouterOS, attendees will gain a greater understanding of its overlooked attack surface and implementation and be able to review the system more reliably. Additionally, we will share our open-source tools and methodology to help researchers study RouterOS, making it less obscure.

Ting-Yu Chen Bio

Ting-Yu Chen, aka NiNi, is a security researcher at DEVCORE and a member of the Balsn CTF team. He won the title of the “Master of Pwn” at Pwn2Own Toronto 2022 with the DEVCORE team. NiNi has also made notable achievements in CTF competitions, including placing 2nd and 3rd in DEF CON CTF 27 and 28 as a member of HITCON⚔BFKinesiS and HITCON⚔Balsn teams, respectively. NiNi is currently immersed in vulnerability research and reverse engineering, continuing to hone his skills. You can keep up with his latest discoveries and musings on Twitter via his handle @terrynini38514 or blog at http://blog.terrynini.tw

Alessandro Magnosi (klezVirus)

The Bright Side of the Moon: Exploring Novel Techniques for Bypassing Call Stack Analysis

[ attack | defense | windows internals ]

12:10 – 13:00

The rapid advancement of cyber defence products has necessitated sophisticated memory evasion techniques employed by the Red Team and Malware Development communities. Thread stack spoofing, an integral part of these approaches, conceals malicious calls within the stack by replacing selected stack frames with counterfeit ones.

In this talk, we will explore the evolution of thread stack spoofing, highlighting significant breakthroughs and limitations of previously implemented techniques. Furthermore, we will present Stack Moonwalking, a set of novel techniques that we have developed to implement a fully dynamic stack spoofer. Specifically, we will introduce a unique approach that we named “Full Moon”, which leverages advanced mechanisms to desynchronize the control flow from the unwinding information, thereby maintaining a fully unwindable stack during the spoofing process.

After that, we will introduce Eclipse, a detection algorithm that extends the Windows unwinding algorithm to identify spoofed stack frames. We will delve into the technical details of Eclipse, focusing on its role in detecting spoofed stack frames. By extending the existing Windows unwinding algorithm, Eclipse analyses the characteristics and patterns of stack frames to differentiate genuine frames from spoofed ones. Towards the end of the talk, we will also evaluate the performance and shortcomings of this detection algorithm and see how it is possible for an attacker to abuse some gaps to remain unnoticed.

Alessandro Magnosi Bio

Alessandro is a Principal cyber security consultant with more than 10 years of experience in the IT field. Currently, he is part of the Security Testing Team at BSI, which is the UK national standards body, and a Global certification, training and cybersecurity firm. On top of his normal work, he works as an independent researcher for Synack RT, and an OSS developer for Porchetta Industries, where he maintains offensive tools.

Lunch

13:00 – 14:30

It will be possible to have lunch at the bar located inside the venue or at one of the many bars, fast food outlets and restaurants located outside. We will provide more details to conference attendees in early September.

Rajanish Pathak (h4ckologic) and Hardik Mehta (hardw00t)

Hacking into the iOS’s VOLTE implementation

[ attack | vuln research | mobile ]

14:30 – 15:20

In this talk, we will be throwing light on a critical security vulnerability that has been discovered in the Voice over LTE (VoLTE) interface of iOS devices, including iPhones and Apple Watches, and that was reported to Apple and fixed. This vulnerability has been present in the iOS operating system since the inception of 4G VoLTE, and we will shed light on the issue, its root cause, and how it arises due to improper implementation of GSMA guidelines, highlighting a design flaw in the implementation of the iOS IMS SIP agent.

We will delve into the technical details of the vulnerability, providing a comprehensive analysis of its impact on iOS devices and the potential risks it poses to users’ privacy and security. We will also explore the challenges faced during the discovery and disclosure of the vulnerability to Apple and discuss the response and mitigation measures taken by the company.

Furthermore, we will discuss the lessons learned from this vulnerability, highlighting the importance of adhering to industry standards and best practices in the implementation of communication protocols. We will also provide recommendations for improving the security of VoLTE interfaces in iOS devices and similar systems.

This talk is a must-attend for security researchers, mobile device manufacturers, network operators, and anyone interested in understanding the intricacies of VoLTE security and the implications of design flaws in the implementation of communication protocols in iOS devices. Join us as we uncover the details of this critical security issue and discuss its implications for the iOS ecosystem.

Rajanish Pathak Bio

A security researcher challenging the depths and implementations in application security.

Hardik Mehta Bio

A security researcher that previously worked as a cyber security consultant with various consulting firms. He has worked with clients in Telecommunication, Media, Technology, Manufacturing and BFSI sector across South-Asian and Middle-Eastern countries.

Orange Tsai

A 3-Year Tale of Hacking a Pwn2Own Target: The Attacks, Vendor Evolution, and Lesson Learned

[ attack | defense | vuln research ]

15:20 – 16:10

As an indispensable part of our modern life, Smart Speakers have come to play a crucial role in Home Automation Systems. With Sonos emerging as a leader in this space, they have prioritized security, resulting in its Sonos One Speaker becoming a Pwn2Own target for 3 consecutive years. As the first team to successfully hack it, we will share our experiences, stories, and insights throughout our past 3-year research journey. Our talk will explore attacks on the hardware, firmware, and software levels, as well as discuss the evolution of defenses we have observed from Sonos. We will also recount the cat-and-mouse game we played with the Sonos security team: Why were they always able to kill our vulnerabilities so precisely right after we developed a working exploit? This forced us to exhaust 4 different types of 0day to conquer a single Pwn2Own target.

The saga begins with our amusing but failed attempt in the first year, followed by our strong comeback in the second year, where we successfully took over the target using an Integer Underflow. After the competition, we witnessed a significant leap in Sonos’s defense mechanisms, which made our struggle with the Sonos security team even more challenging in the third year. To provide a comprehensive overview of our research, we will cover hardware attacks such as leveraging DMA Attack to jailbreak and obtain a Local Shell; firmware analysis, from firmware decryption to vulnerability discovery in the firmware over-the-air (FOTA) mechanism; and of course, software-level attack surface analysis and vulnerability mining in different ways. We will detail the stories behind our successful exploitations, such as bypassing all protections to exploit the target, racing the Thread Stack to different primitives to exploit the Stack Clash, and leveraging different types of vulnerabilities to achieve RCEs. These stories are all essential parts of our journey to win the Pwn2Own Toronto 2022 championship trophy and at least $80K in rewards.

Orange Tsai Bio

Cheng-Da Tsai, aka Orange Tsai, is the principal security researcher of DEVCORE and the core member of CHROOT security group in Taiwan. He is also the champion and the “Master of Pwn” title holder in Pwn2Own 2021/2022. In addition, Orange has spoken at several top conferences such as Black Hat USA/ASIA, DEF CON, HITCON, HITB GSEC/AMS, CODE BLUE, POC, and WooYun!

Currently, Orange is a 0day researcher focusing on web/application security. His research got not only the Pwnie Awards for “Best Server-Side Bug” winner of 2019/2021 but also 1st place in “Top 10 Web Hacking Techniques” of 2017/2018. Orange also enjoys bug bounties in his free time. He is enthusiastic about the RCE bugs and uncovered RCEs in numerous vendors such as Twitter, Facebook, Uber, Apple, GitHub, Amazon, etc. You can find him on Twitter @orange_8361 and blog http://blog.orange.tw

Luca Bongiorni (Cyberantani)

HandPwning: “Your Hand is your Passport. Verify me. Now let me in!”

[ attack | biometrics ]

16:10 – 17:00

Biometrics applied to PACS (Physical Access Control Systems) has been a hot topic for a few years now. The handpunch PACS are based on hand-geometry recognition. In this presentation we will have a look at how this tech works and, in particular, we will focus our attention on reviewing some of the existing handpunch devices: from a physical security POV to reversing the communication protocol. Moreover, the presentation will demonstrate how to remotely push a new super-admin user into it (i.e. persistent backdoor) and how to dump existing users' credentials. Finally, thanks to the cooperation with Shodan’s creator, it has been confirmed that more than 1800 of these vulnerable devices were found exposed on the Internet.

Luca Bongiorni Bio

Luca Bongiorni is working as Director of the ZTE CyberSecurity Lab in Rome and is Founder of WHID – We Hack In Disguise: a cybersecurity boutique focused on R&D offensive hardware implants and IIoT Security. Luca is also actively involved in InfoSec where his main fields of research are: Radio Networks, Hardware Hacking, Internet of Things, and Physical Security. He also loves to share his knowledge and present some cool projects at security conferences around the globe: BlackHat Europe & USA, TROOPERS, HackInParis, DEFCON, HackInBo, Defcon Moscow, OWASP Chapters, Security Analyst Summit, etc. At the moment, he is focusing his research on bypassing biometric access control systems, IIoT Security & Forensics, Air-Gapped Environments and IoOT (Internet of Offensive Things).

Round table

17:00 – 17:50

Speakers’ round table on some of the challenges that emerged during the talks: from system vulnerabilities to the importance of collaboration between companies and researchers

Carola Frediani and Cyber Saiyan

Conference Closing

17:50 – 18:00

Party
Pizza and Beer

starting @ 19:00, Tata’ Restaurant (5 minutes’ walk)