PRESS RELEASE: Researchers to Present New Software and Hardware Vulnerabilities In Mobile Devices

Amsterdam – March 28th  2017: We live in an age where mobile devices have become our primary tool to communicate privately and professionally. As technology companies continue to enhance their mobile applications to expand their user base, security often continues to give way to convenience. Users assume the underlying hardware and software system, mobile antivirus, password managers and encryption technology will protect them from malicious attacks on their communications. Research presented at the HITB Security Conference in Amsterdam suggests to think twice before trusting mobile security blindly and shows that security is not a final product, but rather a bumpy process.

To secure communication via mobile devices, layered security includes secure mobile network devices. In Femtocell Hacking: From Zero to Zero Day, Korean security researcher Jeonghoon Shin takes a closer look at how to audit Femtocells – small, low-power cellular base stations typically designed for home use and now being introduced to service customers all over the world. He will show how to commandeer the device to expose SMS, voice, and call data packets sent and received through the exposed femtocell.

Many security professionals consider Signal to be the most trusted secure messaging and voice application. After “Vault 7” was released, Signal creator Moxie Marlinspike has confirmed that the technology is working as designed and its encryption is not broken. Markus Vervier, a security researcher from Germany, will discuss Hunting For Vulnerabilities in Signal on the second day of the conference. In addition to presenting the general architecture of Signal, its attack surface and tools to analyze it, Markus will also be demonstrating how he found vulnerabilities in the Signal Android client. A bug in the underlying Java libsignal library can be used to crash Signal remotely to subsequently bypass the MAC authentication for certain attached files, and to trigger memory corruption bugs.

When it comes to password management, we are constantly told to make it as complex as possible. There are only so many complex passwords a human brain can memorize before we seek automation, thus the increasing use of password manager applications.

A team of security researchers from the Fraunhofer Institute for Secure Information Technology conducted research on 15 of the most popular Android password manager applications. In their talk Extracting All Your Secrets: Vulnerabilities in Android Password Managers, Stephan Huber, Steven Arzt and Siegfried Rasthofer will present the findings of their research, including various vulnerabilities which enable them to have unauthorized access to the app and, more importantly, leading them to obtain sensitive information including the master password that protects the secured vault of passwords and credentials.

Vulnerabilities in hardware are rarer to find and more difficult to resolve than in software. One of the most serious hardware bugs in recent years was Rowhammer. Victor van der Veen, PhD candidate in the VUSec group at the Vrije Universiteit Amsterdam, researched the vulnerability and drew international attention with the publication of Drammer in October 2016. Drammer is an attack that exploits the Rowhammer hardware vulnerability by using the Flip Feng Shui (FFS) exploitation technique, to manipulate data in memory without accessing it. Drammer resulted in the first Android root exploit that requires no user permissions and relies on no software vulnerability. In his talk Drammer: The Making-Of, Victor will present Drammer from a hacker’s perspective and share trial and error stories of flipping bits.

-END-

NOTE TO EDITORS

Visiting the Hack In The Box Conference as press can be done by sending a request for a Media Pass to media@hackinthebox.org. Specific requests for interviews with speakers can also be sent to this address.

About HITBSecConf

HITB Security Conference or HITBSecConf is a community-backed, not-for-profit series of security conferences held annually in various locations in Asia and Amsterdam, The Netherlands. The annual series has also previously been held in the Middle East and Asia with conferences in Kuala Lumpur, Bahrain and Dubai. The main aim of HITBSecConf is to enable the dissemination, discussion and sharing of deep knowledge network security information with a focus on groundbreaking attack and defense methods. HITBSecConf is endorsed by various government and professional associations.

Website: https://conference.hitb.org/hitbsecconf2017ams/

Twitter: @HITBSecConf @HITBMedia #HITB2017AMS

Facebook:  https://www.facebook.com/hackinthebox

LinkedIn:  https://www.linkedin.com/groups?gid=40911

 

PR Contact (International)

Mei Ling Foo

HITB Core Crew – Media Coordination
Email: meiling.foo@hackinthebox.org

Tel: +603-26157299 (0900 – 1800 MYT)

PR Contact (Netherlands)

Sabine Hengeveld-Auer

HITB.NL Media
Email: bine@hackinthebox.nl

Tel: +31 6 818 799 04