SecTor 2025 | Sharing Is Caring About an RCE Attack Chain on Quick Share

Quick Share (formerly Nearby Share) has allowed Android users to easily share files for four years now. A year ago, Google introduced a Windows version. Google's promotion of Quick Share for preinstallation on Windows, alongside the limited recent research, ignited our curiosity about its safety, leading to an investigation that uncovered more than we had imagined. We studied its Protobuf-based protocol using hooks, built tools to communicate with Quick Share devices, and a fuzzer that found non-exploitable crashes in the Windows app. We then diverted to search for logic vulnerabilities, and boy oh boy, we regretted we hadn't done it sooner. We found 10 vulnerabilities, both in Windows & Android, allowing us to remotely write files into devices without approval, force the Windows app to crash in additional ways, redirect its traffic to our WiFi AP, traverse paths to the user's folder, and more. However, we were looking for the holy grail, an RCE. Thus, we returned to the drawing board, where we realized that the RCE is already in our possession in the form of a complex chain. In this talk, we'll introduce QuickShell - An RCE attack chain on Windows combining 5 out of 10 vulnerabilities in Quick Share. We'll provide an overview of Quick Share's protocol, present our fuzzer, the found vulnerabilities, a new HTTPS MITM technique, and finally, the RCE chain. By: Or Yair | Security Researcher, SafeBreach Presentation Materials Available at: https://ift.tt/SyYzDsH

source https://www.youtube.com/watch?v=mafI9UoxL6A

SecTor 2025 | Leading Across the Generations

Each generation brings unique strengths, perspectives, and challenges. Leading a diverse, multigenerational team requires more than just understanding technology—it requires understanding people. The strategies that resonate with seasoned professionals likely differ from those that inspire the youngest members of your team. When you also consider the impact of technology and the pace of change brought about by that technology, interesting trends and patterns emerge. As leaders better understand those trends and patterns, they lead their teams to be much higher performing. The ultimate result is happier, more productive employees, higher retention and better recruiting possibilities. In this session, we'll explore why leadership is the foundation of every successful cybersecurity initiative. We'll also dive into the nuances of leading across generations, offering proven tactics to effectively manage, motivate, and unify your team. Discover how to harness the potential of every team By: Randy Raw | CISO, Veterans United Home Loans Presentation Materials Available at: https://ift.tt/4dKi6VT

source https://www.youtube.com/watch?v=rc69Nnam6fI

SecTor 2025 | One Agent to Rule Them All: How One Malicious Agent Hijacks A2A System

As multi-agent architectures become increasingly essential to enterprise workflows, Google's A2A and Anthropic's MCP have been proposed as standard protocols for agent communication and integration. These protocols have become foundational for scaling AI agents Technology, enabling the seamless integration of third-party agents, often available as open-source code, into existing systems. However, these protocols must also ensure system safety, and potential security risks must be carefully considered. In this presentation, we will highlight a key vulnerability in these protocols: integrating outsourced agent card's text into the delegator agent's instructions introduces a backdoor for cyber security attacks. Our presentation will first explain the protocol design and its weaknesses. Then, we will show how malicious agents with hidden prompt injection can bypass current defenses and checks. We will also present a way to combine user's trust in LLMs and LLM hallucinations to drive the user to install malicious agent. Finally, we demonstrate how such malicious agents enable full system compromise, including DoS, sensitive data theft, Phishing and lateral spread. All those attacks are done without detections at all and look to the user as normal behavior of the system. By: Adar Peleg | Cyber Researcher, Technion Stav Cohen | PhD Student, Technion Shaked Adi | Student & Researcher, ATLAS - The Technion's AI Security Lab Dvir Alsheich | Student & Researcher, ATLAS - The Technion's AI Security Lab Rom Himelstein | Graduate Student & Supervisor, ATLAS - The Technion's AI Security Lab Amit LeVi | Principle AI Security Researcher & Advisor, ATLAS - Technion Lab: AI Trust, Learning, Architecture, Security Avi Mendelson | Head of the ATLAS Lab, Technion – Technical University Presentation Materials Available at: https://ift.tt/SN8hlKe

source https://www.youtube.com/watch?v=X_Qb_EVDQx4

Black Hat USA 2025 | ReVault! Compromised by Your Secure SoC

We all love security, right? And when we trust a security component to safeguard our most valuable assets, such as passwords, key material and biometrics, we want to believe they're doing a good job at it. But what happens when this assumption is flawed, and the chip that was going to protect our assets turns against us? In this talk, we'll present the ReVault attack that targets an embedded chip found in millions of business laptops. We will demonstrate how a low privilege user can fully compromise the chip, plunder its secrets, gain persistence on its application firmware and even hack Windows back. Are you ready for the heist? By: Philippe Laulheret | Senior Vulnerability Researcher, Cisco Talos Full Session Details Available at: https://ift.tt/tXNJfoh

source https://www.youtube.com/watch?v=oGMa7BFzLK4

Black Hat USA 2025 | Watch Your (Lock)Step: Glitching into Automotive Processors

The firmware and secrets in automotive processors (such as in ECUs & co) are often protected using a variety of hardware security and safety features, such as read-out protection & co. One such feature is lockstep: Each instruction is basically executed twice, which is commonly interpreted as a mitigation against hardware attacks such as fault-injection. But how effective is it really? In this talk, we will look at glitching different lockstep processors using different fancy hardware hacking methods, and also demonstrate vulnerabilities allowing us to fully bypass the protection on certain processors - breaking their read-out protection and letting us read-out firmware & secrets! By: Thomas 'stacksmashing' Roth | Founder, hextree.io Full Session Details Available At: https://ift.tt/58BVc9j

source https://www.youtube.com/watch?v=wg9b6R9HvGg

Black Hat USA 2025 | LLM-Driven Reasoning for Automated Vulnerability Discovery Behind Hall-of-Fame

Vulnerability discovery traditionally relies on two primary approaches: manual auditing and fuzzing. Each method possesses distinct strengths and inherent limitations. Manual auditing is good at identifying complex logic flaws due to its reliance on deep contextual understanding and expert insight, ensuring comprehensive analysis; however, this method is labor-intensive, time-consuming, and heavily dependent on specialized knowledge. Conversely, fuzzing offers automation, scalability, and efficiency, yet it may overlook vulnerabilities that require intricate semantic comprehension or encounter limitations in scenarios where fuzzing is infeasible. Recent advancements in artificial intelligence have created opportunities to bridge the gap between the precision of manual auditing and the scalability of fuzzing, paving the way for more sophisticated vulnerability discovery tools. In this presentation, we will introduce our LLM-powered automated binary vulnerability discovery tool, which integrates LLM reasoning capabilities with established static analysis and dynamic debugging methods. Despite its experimental approach, our tool demonstrates exceptional efficiency and effectiveness in identifying vulnerabilities. We will illustrate the effectiveness of this approach through our application to Samsung's remote attack surface, successfully uncovering multiple sophisticated memory corruption vulnerabilities. This significant achievement secured us the Rank 1 position in the 2024 Hall of Fame for vulnerability research. By: Qinrun Dai | Independent Researcher, Yifei Xie | Independent Security Researcher/Student Presentation Materials Available at: https://ift.tt/HISLJxl

source https://www.youtube.com/watch?v=WVjnipkKp4U

Black Hat USA 2025 | Leveraging Jamf for Red Teaming in Enterprise Environments

During the preceding year, SpecterOps has had a surprising amount of success leveraging Jamf APIs to laterally move and execute code on managed macOS systems in mature Fortune 500 client environments with multiple name-brand security products in use. Much of this is due to a lack of awareness among defenders regarding the impacts a compromised Jamf account can have on their organization. Come learn the details of Jamf exploitation techniques available to threat actors and employed by SpecterOps during the preceding year, performing red team assessments of Fortune 500 client organizations to execute reconnaissance and lateral movement undetected. SpecterOps will share the processes they employ upon gaining access to Jamf administrators or service accounts to leverage APIs to accomplish objectives targeting macOS while evading detections in mature environments. Demonstrations will be included of newly available open-source tooling introduced to automate the attack paths described. The presentation will end with recommendations to prevent and detect the actions performed for onsite or cloud hosted Jamf tenants. By: Lance Cain | Service Architect - Consulting Services, SpecterOps, Inc. Daniel Mayer | Consultant - Adversary Simulation, SpecterOps, Inc. Presentation Materials Available at: https://ift.tt/nGwZoVp

source https://www.youtube.com/watch?v=IDFeNbz2lI4

Behind Every Badge Is a Story | Meet Or Yair, Security Research Team Lead at SafeBreach

Meet Or Yair, Security Research Team Lead at SafeBreach. Or reveals what makes Black Hat essential: a community that drives real impact, shares cutting-edge research, and accelerates breakthroughs across the security industry. 🎥 Watch the full story: https://youtu.be/rNtuyrXPIc0?si=zgkZJsWfJQWImoM3 🔗 Visit our site: https://blackhat.com/ 📧 Subscribe to our free newsletter: https://ift.tt/V0eDtd4 #BlackHatStories #BHEU #BlackHat #cybersecurity

source https://www.youtube.com/shorts/pf98Pf-fAX4

Black Hat USA 2025 | 2 Cops 2 Broadcasting: TETRA End-To-End Under Scrutiny

In this talk, we will present the first public security analysis of TETRA end-to-end encryption (E2EE) used for the most sensitive communications - such as those by intelligence agencies and special forces. In all-new material, we present seven security vulnerabilities pertaining to TETRA and its E2EE, three of which are critical. TETRA is a European standard for trunked radio used globally by police and military operators. Additionally, TETRA is widely deployed in industrial environments such as harbors and airports, as well as critical infrastructure such as SCADA telecontrol of pipelines, transportation and electric and water utilities. While we previously reverse-engineered and published the then-secret algorithms underpinning TETRA cryptography, the vendor-proprietary E2EE solution (which enjoys significant end-user trust) intended for the most critical use cases remained undisclosed and proved quite hard to obtain. Given the opaque nature of this solution and TETRA's history of offering significantly less security than advertised (including backdoored ciphers), we decided to undertake the effort of reverse-engineering a TETRA E2EE solution. We did this by extracting it from a popular Sepura radio and discovering several critical 0-day vulnerabilities in the radio in the process, presenting additional key extraction and covert implanting vulnerabilities. We will publish the E2EE design along with a security analysis, identifying several severe shortcomings ranging from the ability to inject voice traffic into E2EE channels and replay SDS messages to an intentionally weakened E2EE variant, which reduces its 128-bit key to only 56 bits. In addition, we will discuss new findings related to multi-algorithm networks and official patches, relevant for asset owners mitigating the TETRA:BURST vulnerabilities previously uncovered by us. Finally, we will demonstrate the E2EE voice injection attack as well as the previously theoretical TETRA packet injection attack on SCADA networks. By: Carlo Meijer | MSc, Midnight Blue Wouter Bokslag | MSc, Midnight Blue Jos Wetzels | MSc, Midnight Blue Full Session Details Available at: https://ift.tt/J9qIkXg

source https://www.youtube.com/watch?v=oUhb2tTgmgg

Black Hat USA 2025 | Bypassing PQC Signature Verification with Fault Injection

Post-quantum cryptographic (PQC) algorithms are being integrated into firmware, bootloaders, and other embedded systems as a replacement for RSA and ECC. While these schemes are designed to resist quantum attacks, their implementations remain vulnerable to classical fault injection techniques. This talk presents practical voltage fault injection attacks on three major PQC signature schemes: Dilithium, XMSS, and SPHINCS+. By targeting signature verification logic — including challenge generation, bit shifts, and checksum validation — we demonstrate how to forge valid signatures without breaking the underlying cryptographic primitives. All attacks are performed on real microcontroller hardware using open-source PQC libraries running on bare metal. We also show how shared components like WOTS+ introduce common vulnerabilities across XMSS and SPHINCS+, exposing a broader attack surface. This work highlights how fault injection continues to be effective, even against modern cryptography, and the ever-present need for effective countermeasures for implementation-level threats. By: Fikret Garipay | Security Engineer, Keysight Device Security Testing Presentation Materials Available at: https://ift.tt/nelXRIS

source https://www.youtube.com/watch?v=JS30uepSuMo

Black Hat USA 2025 | The 5G Titanic

5G networks are designed with advanced protections to counter interception, fraud, and denial-of-service attacks. But what happens when an attacker leverages legitimate protocol semantics to navigate beyond intended security boundaries? This talk presents a new class of attacks that exploit subtle flaws in the design and deployment of 5G user plane architecture. Through hands-on evaluation across multiple commercial and open-source 5G cores, we demonstrate how trust assumptions in user-plane traffic can be broken—enabling communication with otherwise unreachable core systems. The findings expose limitations in current protections and call for a reexamination of user plane trust in 5G architectures. By: Altaf Shaik | Senior Researcher, Fast IoT and TU Berlin Robert Jaschek | MS Student in Computer Science, TU Berlin Presentation Materials Available at: https://ift.tt/UFdEQBq

source https://www.youtube.com/watch?v=AZ4y3ODsVW4