COMMSEC LAB: A Practical Approach to Advanced Code Obfuscation with MBA Expressions
One of the foundational blocks of current state-of-the-art code obfuscation are Mixed Boolean-Arithmetic (MBA) expressions: those combining both integer arithmetic and bitwise operators. Such expressions can be leveraged to arbitrarily increase the data-flow complexity of targeted code by iteratively applying rewrite rules and function identities which mess the syntax while preserving its semantic behavior. They […]
Hunting Trojans with AST Transformers and Machine Learning
PRESENTATION SLIDES In this presentation, you’ll understand why you learned graph theory and machine learning at university 🙂 The speaker will discuss what awaits you in the Python ecosystem if you carelessly download a Trojan-infected project. We will explore the obfuscation techniques used by malicious actors to complicate their detection and analysis — and how […]
TBA
TBA
TBA
TBA
COMMSEC: Leaking Kakao – How a Combination of Bugs in KakaoTalk Compromises User Privacy
PRESENTATION SLIDES KakaoTalk is the WhatsApp of South Korea with more than 100 million downloads from the Google Playstore. In this talk we show how multiple vulnerabilities in a chat app can lead to the disclosure of users’ messages. We start by showing an account takeover “one-click” exploit in KakaoTalk’s regular chat room without breaking […]
COMMSEC: BadUSB Attacks on MacOS: Beyond Using the Terminal and Shell Commands
PRESENTATION SLIDES BadUSB attacks have been an essential part of a Red Teamer’s bag of tricks for years. They allow us to relatively easily obtain a foothold on any unattended machine their user forgot to lock, by using a USB device that emulates a keyboard and sends a series of scripted malicious keystrokes. While it […]
Exploiting the In-Vehicle Browser: A Novel Attack Vector in Autonomous Vehicles
PRESENTATION SLIDES As the automobile industry accelerates towards the era of fully autonomous vehicles, the sophistication of in-vehicle entertainment systems, especially those integrating web browsers within the head unit, has dramatically increased. This integration not only enhances the user experience but also introduces significant security risks, potentially compromising driver privacy and vehicle safety. Despite the […]
Discovering and Investigating Propagated Vulnerabilities from Ethereum to Its Layer-2 Blockchains
PRESENTATION SLIDES Ethereum is the most popular blockchain for hosting smart contracts. Despite its decentralization, Ethereum suffers from expensive transaction fees and low throughput in terms of TPS (transactions per second). As a result, third-party layer-2 blockchain networks have emerged in recent years, including self-contained networks such as BSC, Polygon, and Avalanche, as well as […]
One SMS to Root Them All: Exposing Critical Threats in Millions of Connected Devices
PRESENTATION SLIDES In 2023, we have discovered several vulnerabilities, including RCE, in a family of cellular modems manufactured by Telit, which can lead to their complete compromise. We identified a number of security-related problems in user applications – MIDlets, and the OEM–developed firmware of these modems. We have found that it is possible to compromise […]
COMMSEC: Aerospace Cybersecurity – Ask Me Anything
Hugo Teso is a commercial pilot with over 20 years of experience in aviation cyber security. During his career he has discovered and reported dozens of vulnerabilities in multiple aircraft and ground support systems, and has worked with many of the most important airlines, manufacturers and OEMs of the Aviation industry. Interested to know more […]
