Cutting-edge security research comes to Amsterdam

Held once again at De Beurs van Berlage, HITB2015AMS takes place from the 26-29 May 2015 and runs alongside HITB Haxpo, a 3-day technology expo for hackers, makers, builders and breakers.

The agenda for this year’s event is outstanding, here are some highlights:

Bootkit via SMS: 4G Access Level Security Assessment

Telecom operators constantly advertise the fastest, the cheapest and the best. Before diving into the internet with these new gadgets we decided to test how these ads correspond to reality... To our reality.

Having developed a test set, we started to research how safe it is for clients to use 4G networks of the telecommunication companies. We tested SIM-cards, 4G USB modems, radio components, IP access networks and more looking for vulnerabilities that could be exploited remotely, via IP or radio network.

In some cases we managed to attack SIM-cards, “clone” phones and intercept traffic without boring rainbow tables; we were able to remotely update USB modem firmware and even gained access to the internal backbone network of the carrier.

Further evolutions of our attack helped us to achieve exploitation via SMS, delivered remotely, enabling us not only to compromise a USB modem and all the communications that go through it, but also to install a bootkit on the machine that the modem is connected to.

Relay Attacks in EMV Contactless Cards with Android OTS Devices

NFC (Near Field Communication) defines the set of RFID standards designed to communicate wirelessly and exchange data point-to-point between devices in proximity, normally a few centimeters. Services that use NFC communications, such as contactless payments, are growing exponentially: public transport, parking, express supermarket checkouts, vending machines and even NFC-capable credit/debit cards.

In this talk, we investigate relay attacks on NFC-capable credit/debit cards. This attack exploits the communication proximity principle in NFC, which is shown to be insecure. Although many attack countermeasures exist, they do not address this attack vector, since until now special hardware was required to perform it. However, the story is rewritten with the NFC-capable mobile devices available in the market.

This work shows how a relay attack on NFC-capable credit/debit cards is possible using an Android device with NFC capabilities without further modifications (i.e., no root, custom firmware or custom OS required). We have developed a PoC implementing the attack. Similarly, distributed relay attack scenarios that might become real in the near future will be shown.

How Many Million BIOSes Would You Like to Infect?

This talk is going to be all about how the automation of BIOS vulnerability exploitation and leveraging of built-in capabilities can yield highly portable UEFI firmware malware. And how millions of systems will be vulnerable for years, because no one cares enough to patch the BIOS bugs we’ve found.

So you think you’re doing OPSEC right, right? You’re going to crazy lengths to protect yourself, reinstalling your main OS every month, or using a privacy-conscious live DVD like TAILS. Guess what? BIOS malware doesn’t care! BIOS malware doesn’t give a shit!

Despite us disclosing numerous BIOS vulnerabilities, many people still doubt the feasibility of widespread BIOS infections. As newly independent researchers, with no need to get public release approvals, we can now combat that fallacy in the most direct fashion: live demonstrations of BIOS infection across multiple vendors’ machines! We’re not yet spreading via #badUSB, but stay tuned.

Oracle PeopleSoft Applications are Under Attack!

Oracle PeopleSoft applications include different critical business systems like HRMS, FMS, SCM, CRM, etc. They are widespread in the world (about 50 % of the Fortune 100). In addition, some of these systems (especially HRMS) are accessible from the Internet. Nevertheless, there is almost no research on the security of PeopleSoft applications. Oracle publishes basic information about vulnerabilities in the applications on a regular basis, but it’s not enough for penetration testers. In addition, the uncommon internal architecture of PeopleSoft applications makes black-box testing much harder. Public news about successful attacks against PeopleSoft shows up from time to time. In this talk, I’ll try to fill this gap.

I’ll show and describe the main architecture of PeopleSoft applications, “design” decisions, and weak spots. The talk will be shaped as a guide for pentesters: a step-by-step how-to on attacking PeopleSoft applications and getting deeper. I will present vulnerabilities I’ve found and also show several different attack vectors which allow taking control over PeopleSoft applications. Some of the vulns and vectors (about 30 %) were shown in our workshop at BlackHat 2013 Las Vegas, but we have now conducted much deeper research and have new vulns, new attacks and ways to bypass some of Oracle’s patches.

In the end, I will present a new universal attack and tool for authentication bypass in PeopleSoft applications. It uses a widespread misconfiguration, so Oracle is unable to close it with a patch. Technical information about the attacks will include comprehensive exploitation and defense guidelines.

Yes Parking: Remotely Owning “Secure” Parking Systems

While doing some research on parking management systems and associated technologies, I came across a specific manufacturer offering its customers the possibility of complete REMOTE MANAGEMENT of their parking systems, with the ability to manage parking rates on-the-fly, view connected security cameras and even control barriers. Sounds like music to my ears!

In this talk I will cover all aspects from discovery to full remote compromise of one of Europe’s leading parking management system manufacturers. At the time of writing, we have detected over 190 remotely vulnerable parking management systems, with more than 150 of these located in Europe alone.
