Black Hat | Connect. Learn. Lead in Cybersecurity

Since 1997, Black Hat has been the global stage for cutting-edge cybersecurity. With events across the US, Europe, Asia, the Middle East & Africa, and Canada, we bring together top minds to share the latest research, trends, and innovations. Whether you're a seasoned pro, a rising talent, or a tech innovator—Black Hat delivers: • Expert-led Briefings & Trainings, handpicked by our independent Black Hat Review Board • Networking with thousands of security professionals • The latest Arsenal tools in our Business Hall • Career connections & exclusive Summits Join the community shaping cybersecurity’s next chapter. 🔗 blackhat.com #BlackHat #Cybersecurity #Cybersecurity #TechConference #BHEU #BHUSA #BHASIA #Sectorca #BlackHatTrainings

source https://www.youtube.com/watch?v=2G9dyPgnOUM

Dismantling the SEOS Protocol

In this talk, we present the first open source implementation of HID SEOS communication protocol over RFID. HID SEOS is a credential technology designed to provide enhanced security, flexibility, and convenience for access control and identity management applications. It's currently the leading access control solution for HID Global and is widely used in corporate, educational, healthcare, and government settings. The documentation for this card technology is not publicly available so no previous open source implementation exists. We will demonstrate how it works and give insights in our process of making this project happen. The source code has been incorporated into the Proxmark3 project. By: Iceman | Co-Founder, AuroraSec, RRG Adam (evildaemond) Foster | Senior Penetration Tester, Onestep Group Full Abstract and Presentation Materials: https://ift.tt/WUMR5CJ

source https://www.youtube.com/watch?v=mnhGx1i6x08

Impostor Syndrome - Hacking Apple MDMs Using Rogue Device Enrolments

Apple's solution for mobile device management seems like an airtight process. Enterprise customers buy devices from registered retailers, these are automatically registered in Apple Business Manager which in turn integrates seamlessly with the customer's choice of MDM platform. A company can have devices set up and shipped to remote employees without ever touching them. With many seemingly airtight systems, the devil is in the details. How do all these systems fit together? How do they authenticate each other? And most importantly who is responsible for security? This talk will focus on the gaps between the systems and how an attacker can leverage those to compromise enterprise customers. We will reverse engineer the enrolment process in MacOS, bypass security controls, build rogue machines and look at a series of common misconfigurations that when combined can have devastating outcomes. We will see how the black box of the Apple MDM process can be opened up and can contain some surprising loot. By: Marcell Molnár | Lead Offensive Security Engineer, Form3 Magdalena Oczadły | Senior Offensive Security Engineer Full Abstract and Presentation Materials Available: https://ift.tt/PpI3ewL

source https://www.youtube.com/watch?v=qFxBneMlYZQ

Should We Chat, Too? Security Analysis of WeChat's MMTLS Encryption Protocol

WeChat, with over 1.2 billion monthly active users, stands as the most popular messaging and social media platform in China and third globally. Instead of TLS, WeChat mainly uses a proprietary network encryption protocol called "MMTLS". We performed the first public analysis of the security and privacy properties of MMTLS and found it to be a modified version of TLS 1.3, with many of the modifications that WeChat developers made to the cryptography introducing weaknesses. We also discovered a second layer of encryption inside MMTLS which we refer to as "Business-layer encryption". We analyzed the security and privacy of Business-layer encryption and found serious issues including metadata leak, forgeable integrity check signatures, potential AES-CBC padding oracle and Key, IV re-use in block cipher mode. These issues are not directly exploitable thanks to the protection of outer MMTLS encryption. Finally, we hypothesize that WeChat's double-layer encryption is a technical debt, and discuss the wider trend of Chinese apps rolling their own crypto. By: Pellaeon Lin | Researcher, Citizen Lab Mona Wang | Researcher, Citizen Lab Jeffrey Knockel | Senior Research Associate, Citizen Lab Full Abstract and Presentation Materials: https://ift.tt/xsEonCd

source https://www.youtube.com/watch?v=i98Ce4NhjhA

A Journey into Advanced Theoretical Reverse Engineering

Unveiling the Mysteries of Qualcomm's QDSP6 JTAG: A Journey into Advanced Theoretical Reverse Engineering This talk invites you on an exploration of advanced reverse engineering techniques applied to sophisticated proprietary hardware. Rather than focusing on well-known hands-on methods such as hardware decapsulation and schematic analysis, I will demonstrate how a unique combination of patent analysis, firmware reverse engineering, and theoretical modeling can unlock the intricacies of undocumented hardware technologies and their application semantics. Qualcomm's QDSP6, also known as "Hexagon", is a little-known mobile-first microarchitecture distinct from ARM and RISC-V. In fact, Hexagon chips power critical components like cellular modems and DSPs within Snapdragon processors, which, in turn, drive a significant portion of the smartphone market, including certain iPhone models. A proprietary real-time operating system named QuRT runs on Hexagon cores side-by-side with the main OS running on ARM cores, such as Android or iOS. Furthermore, Hexagon chips are notoriously secure; any debugging access is severely restricted, even for OEM partners, unless they have close relationships with the vendor. As an independent hacker, you can't debug Hexagon cores at all, even with full hardware access to a Snapdragon development board. JTAG is the industry standard for low-level debugging of computer hardware, which is presumed to be available, to some extent, on every System-on-Chip. During my investigation into JTAG availability on Qualcomm SoCs as part of a privately funded research project, I discovered a more complex scenario. The entire hardware debugging ecosystem for QDSP6 is governed by ISDB (In-Silicon Debugger), a proprietary technology layered on top of JTAG. ISDB is the kind of mysterious technology that cannot be looked up on Google (excluding name collisions with ISDB-T, a TV broadcasting standard); it can only be faintly glimpsed through sparse mentions in Qualcomm's technical specifications and a few obscure patents. I accepted the challenge to reverse engineer ISDB without touching hardware, which is the topic of this talk. A foundational understanding of assembly programming, low-level debugging, and binary reverse engineering will be helpful. By: Alisa Esage | Founder, Zero Day Engineering Full Abstract and Presentation Materials Available: https://ift.tt/G7onkLJ

source https://www.youtube.com/watch?v=_0W3zeQhBB8

Tinker Tailor LLM Spy: Investigate & Respond to Attacks on GenAI Chatbots

It's coming, and you aren't ready—your first generative AI chatbot incident. GenAI chatbots, leveraging LLMs, are revolutionizing customer engagement by providing real-time, automated 24/7 chat support. But when your company's virtual agent starts responding inappropriately to requests and handing out customer PII to anyone who asks nicely, who are they going to call? You. You've seen the cool prompt injection attack demos and may even be vaguely aware of preventions like LLM guardrails; but are you ready to investigate and respond when those preventions inevitably fail? Would you even know where to start? It's time to connect traditional investigation and response procedures with the exciting new world of GenAI chatbots. In this talk, you'll learn how to investigate and respond to the unique threats targeting these systems. You'll discover new methods for isolating attacks, gathering information, and getting to the root cause of an incident using AI defense tooling and LLM guardrails. You'll come away from this talk with a playbook for investigating and responding to this new class of GenAI incidents and the preparation steps you'll need to take before your company's chatbot responses start going viral—for the wrong reasons. By: lyn Stott | Senior Staff Engineer, Airbnb Full Abstract Available: https://ift.tt/YnoUATF

source https://www.youtube.com/watch?v=QfUdKtkBRjA

JDD: In-depth Mining of Java Deserialization Gadget Chains

JDD: In-depth Mining of Java Deserialization Gadget Chains via Bottom-up Gadget Search and Dataflow-aided Payload Construction Java serialization and deserialization facilitate cooperation between different Java systems, enabling convenient data and code exchange. However, a significant vulnerability known as Java Object Injection (JOI) allows remote attackers to inject crafted serialized objects, triggering internal Java methods (gadgets) and resulting in severe consequences such as remote code execution (RCE). Previous works have attempted to detect and chain gadgets for JOI vulnerabilities using static searches and dynamic payload construction via fuzzing. However, these methods face two key challenges: (i) path explosion in static gadget searches and (ii) a lack of fine-grained object relations connected via object fields in dynamic payload construction. - First, we will introduce a gadget fragment-based summary and bottom-up search approach to address the path explosion challenge. - Second, we will then demonstrate how to infer the dataflow dependencies between injection objects' fields and use them to guide dynamic fuzzing to generate exploitable objects. We evaluate JDD upon six popular Java applications (e.g., Apache Dubbo, Sofa-RPC, Solon, etc) in their latest version, which finds 127 zero-day exploitable gadget chains with six Common Vulnerabilities and Exposures (CVE) identifiers assigned (i.e., CVE-2023-35839, CVE-2023-29234, CVE-2023-39131, CVE-2023-48967, CVE-2024-23636, and CVE-2023-41331). Each of these CVEs has a CVSS score of 9.8, indicating an extremely high risk of exploitation and the potential to cause significant security damage. Given the wide range of impacts and potential consequences of these vulnerabilities, the related developers patched all these gadget chains in a prompt and timely manner after we reported our findings. By: Bofei Chen | Ph.D Candidate, Fudan University Yinzhi Cao | Associate Professor, Johns Hopkins University Lei Zhang | Assistant Professor, Fudan University Xinyou Huang | Master's Student, Fudan University Yuan Zhang | Professor, Fudan University Min Yang | Professor, Fudan University Full Abstract and Presentation Materials Available: https://ift.tt/NoyRHGM

source https://www.youtube.com/watch?v=HWMjP7uFA1s

Think Inside the Box: In-the-Wild Abuse of Windows Sandbox in Targeted Attacks

Windows Sandbox is a lightweight virtualization mechanism introduced in 2018, designed to provide an isolated desktop environment for quickly testing suspicious applications. However, this feature can also serve as a "magic cloak" for adversaries. In 2024, we observed an abuse of Windows Sandbox by the APT group Earth Kasha, believed to operate under the APT10 umbrella. After gaining control of the target machine via a backdoor named "ANEL," delivered through a spear-phishing email, the adversary uploaded multiple components to deploy a secondary payload, dubbed "NOOPDOOR," within Windows Sandbox. Initially, the adversary configured Windows Sandbox using a .wsb file to enable network access and map a host folder to a folder within the Sandbox, allowing access to host files from within the Sandbox. Next, they executed an installer script to extract NOOPDOOR components from a password-protected WinRAR archive and launched it inside the Sandbox. Additionally, the adversary leveraged the TOR application to obscure backdoor traffic originating from the Sandbox. These techniques helped the adversary conceal malicious activity from host-based EPP and EDR solutions. This presentation will cover the fundamentals of Windows Sandbox, provide a detailed analysis of the TTPs used for defensive evasion, and discuss actionable countermeasures for prevention and threat hunting. By: Hiroaki Hara | Senior Threat Researcher, Trend Micro Full Abstract and Presentation Materials Available: https://ift.tt/nbq1WfC

source https://www.youtube.com/watch?v=YFa_Cs_hSUM

Weaponized Deception: Lessons from Indonesia's Muslim Cyber Army

A defunct Indonesian cyber deception collective of attackers known as Muslim Cyber Army (MCA) modeled one of the first known examples of weaponizing deception and disinformation to disrupt Indonesian politics more than a decade ago, well before the notorious Russian attempts to undermine American electoral politics in 2016. This presentation by one of the only former FBI profilers in the world specializing in cyber deception will detail how the MCA organized and functioned as a cyber deception attacker collective. While there has been some commentary on the defunct MCA, there has not been analysis looking at how MCA applied deception to its attacks. Several attackers in the MCA grew up and taught in Islamic boarding schools (pesantren) communities in West and Central Java, Indonesia, which is where the presenter conducted ethnographic research in the past shadowing proselytizers in pesantren, and studying communication practices. This presentation will explore the group dynamics of these communities to frame the origin stories of the MCA founder and MCA attackers. This presentation will also feature the first behavioral assessment of the jailed MCA founder and the first application of an expanded deception framework analyzing the MCA's cyber deception activity online. This presentation will outline how MCA contributed to the cyber deception field. By: Tim Pappa | Incident Response Engineer - Cyber Deception Strategy, Marketing, and Content Development Full Abstract and Presentation Materials: https://ift.tt/q8M3cPY

source https://www.youtube.com/watch?v=5OpirNF1duo

Sweeping the Blockchain: Unmasking Illicit Accounts in Web3 Scams

The web3 applications have recently been growing, especially on the Ethereum platform, starting to become the target of scammers. The web3 scams, imitating the services provided by legitimate platforms, mimic regular activity to deceive users. We will provide a case study where attendees will learn how a malicious scam mimics a normal transaction to deceive users. Previous studies have primarily concentrated on de-anonymization and phishing nodes, neglecting the distinctive features of web3 scams. Moreover, the current phishing account detection tools utilize graph learning or sampling algorithms to obtain graph features. However, large-scale transaction networks with temporal attributes conform to a power-law distribution, posing challenges in detecting web3 scams. In this talk, we will introduce ScamSweeper, a novel framework designed to address these challenges. ScamSweeper focuses on the dynamic evolution of transaction graphs to better detect Web3 scams on Ethereum. Attendees will learn how ScamSweeper improves on existing methods by utilizing a structure-temporal random walk to sample transaction networks, capturing both temporal and structural features. The framework also incorporates a variational transformer to analyze the dynamic evolution of transaction patterns over time. To detect and analyze these scams, we've collected a large-scale transaction dataset for experiments consisting of web3 scams, phishing, and normal accounts, which are from the first 18 million block heights on Ethereum. Our experiments indicate that ScamSweeper exceeds the state-of-the-art in detecting web3 scams, with advantages of 17.29% in weighted F1-score. In addition, ScamSweeper in phishing node detection has an advantage of 17.5% in F1-score. We will walk through how to collect large-scale datasets, what the distinctions of the datasets are in various attributes, how Scamsweeper samples the large-scale transaction data and reduces computational costs, and how Scamsweeper works in web3 scam detection. Attendees will gain a clear understanding of how to apply ScamSweeper to real-world Ethereum transactions, and how to incorporate dynamic evolution analysis into malicious behavior research. By: Wenkai Li | PhD Candidate, Hainan University Zhijie Liu | Graduate Student, ShanghaiTech University Xiaoqi Li | Associate Professor, Hainan University Full Abstract and Presentation Materials: https://ift.tt/wY8xoBn

source https://www.youtube.com/watch?v=Nhrc_PbeNu8

Unveiling New Attack Vectors in Bluetooth Vulnerability Discovery through Protocol State Machine

State Manipulation: Unveiling New Attack Vectors in Bluetooth Vulnerability Discovery through Protocol State Machine Reconfiguration The Bluetooth protocol has become ubiquitous, supporting a wide range of devices from personal gadgets like headphones and smartphones to complex systems in automotive and IoT environments. While Bluetooth's flexibility and performance have been thoroughly validated, an overlooked attack surface exists within the protocol's underlying state machines. This study uncovers Bluetooth vulnerabilities by analyzing state machine mechanisms in various applications, including automotive and mobile devices. Unlike prior research, which primarily focuses on traditional Bluetooth security issues—such as buffer overflows or crashes triggered by malformed packets in the protocol's Type-Length-Value (TLV) structure—our work delves into the complexities of state machine interactions among supported profiles within the protocol stack. By carefully examining state machine sequences and their interdependencies, we attempt to break the standard execution order and reconfigure protocol interaction states, thereby opening a new path for Bluetooth protocol vulnerability discovery. Since state machine-based vulnerabilities often do not produce visible logs or crash data, they frequently evade detection. We will provide in-depth insights into techniques for manipulating Bluetooth state machine interactions, focusing on systematic methods for discovering these vulnerabilities and assessing their impact on the Bluetooth ecosystem. By: Lidong Li | Chief Security Officer, SouceGuard Oliver Dong | CEO, SouceGuard Xiao Wang | Senior Security Researcher, SouceGuard Lewei Qu | Security Architect, Bytedance Full Abstract and Presentation Materials: https://ift.tt/nQCyxZz

source https://www.youtube.com/watch?v=3M9UT77VFIA