Black Hat Europe 2025 | Offensive Testing Of HarmonyOS NEXT Applications With Harm0nyz3r & DVHA

HarmonyOS NEXT marks Huawei's transition to a fully independent operating system, powering a growing ecosystem of mobile devices and applications. While adoption is accelerating, public research into its security architecture, and its implications for app developers and end users, remains minimal. This talk presents the results of a security assessment of HarmonyOS NEXT and its application ecosystem, combining a custom-built testing framework (Harm0nyz3r) with a purposely vulnerable application (Damn Vulnerable HarmonyOS Application – DVHA). Harm0nyz3r, inspired by Android security tools like Drozer, enables researchers to enumerate and interact with app IPC endpoints, fuzz abilities, and invoke hidden or restricted components. DVHA serves as a realistic playground, containing vulnerabilities such as insecure logging, hardcoded credentials, insecure data storage, SQL injection, command injection, and access control bypasses. We will walk through methodology, exploitation workflows, and real-world findings, including challenges posed by HarmonyOS NEXT's unique security model and differences from Android. Live demonstrations will show how Harm0nyz3r maps an application's attack surface, crafts malicious payloads, and successfully exploits vulnerabilities in DVHA — with clear takeaways for vulnerability discovery in production apps. Attendees will leave with a practical understanding of HarmonyOS NEXT app security, new offensive testing techniques for this emerging platform, and an appreciation of why mobile security research must expand beyond Android and iOS to address the next wave of global devices. By: Jorge Wallace | Cybersecurity Technical Leader, DEKRA https://ift.tt/UDduJcN

source https://www.youtube.com/watch?v=4xfSTNgy8UE

Black Hat Europe 2025 | Pickle Exploitation Techniques And Their Detection Using SaferPickle

Python's pickle format is a security minefield, yet it remains a cornerstone of modern AI/ML and data science workflows. While its dangers are well-known, the effectiveness of existing open-source scanners against sophisticated attacks has remained largely unexamined. In this talk we introduce five novel bypass techniques to defeat popular open-source scanners like Fickling, Modelscan and Picklescan. We will demonstrate how these tools can be tricked into classifying overtly malicious pickles as safe. To combat these threats, we propose SaferPickle, a new open-source library. This library enhances the pickle format's security at runtime through transparent hardening. We will present its robust, multi-layered scanning engine, which integrates behavioral analysis, direct opcode inspection, and an intelligent module resolution system capable of securely reconstructing malicious calls from fragmented code. Finally, we'll share our journey of deploying SaferPickle to protect ML workloads at Google and integrating it as the first-ever pickle scanner in VirusTotal. Attendees will leave with knowledge of bypass techniques, a new open-source tool and experience of how to harden the ML supply chain against one of its most persistent threats. By: George Litvinov | Security Engineer, Google Andrew Johnston | Senior Security Engineer, Google https://ift.tt/rmJUbLh

source https://www.youtube.com/watch?v=hWc1P_yYrkY

Black Hat Europe 2025 | Habemus Securitas - Exploring Apple's Hidden Territories

With the Secure Page Table Monitor (SPTM) and Exclaves, Apple has introduced a broad spectrum of new memory protection mechanisms over the past few years, realized through their Guarded Execution Feature (GXF). Currently, there is little public discussion on piecing these mechanisms together and exploring the broader implications of XNU compartmentalization. In this talk, we will delve into the inner workings of SPTM, exploring how its services are utilized by XNU and other secure world clients, namely the Secure Kernel (SK), Trusted Execution Monitor (TXM), and Exclaves, and the contributions they make to system and memory security. To achieve this, we analyze the underlying SPTM functionality, with a focus on memory frame typing, page mapping, and the implemented rulesets governing iOS memory mapping across newly introduced SPTM security domains. By: Moritz Steffin | Master's Student, Hasso Plattner Institute, University of Posdam https://ift.tt/RphTtXI

source https://www.youtube.com/watch?v=rQnu_0aPQY0

Black Hat Europe 2025 | Low-Cost Memory Interposer Attacks On Confidential Computing

As cloud computing adoption grows, so do concerns about trust and data privacy. Confidential computing, powered by innovative hardware technologies like Intel SGX and AMD SEV, promises strong isolation and transparent memory encryption to protect against privileged attackers and physical threats such as bus snooping and cold boot attacks. In this talk we present a custom, low-cost (50 dollar) DDR4 interposer that dynamically manipulates memory address lines to create adversarial aliases, tricking the processor into granting unauthorized access to encrypted memory. Crucially, our interposer operates at runtime, allowing it to bypass recent boot-time firmware mitigations deployed by Intel and AMD in response to our earlier software-based "BadRAM" memory aliasing attacks. Using our novel interposer, we undermine trust in both the Intel SGX and AMD SEV ecosystems. We demonstrate the first successful attack on Intel's Scalable SGX single-key memory domain, enabling arbitrary plaintext read/write access and extraction of SGX's platform provisioning key used for remote attestation. Additionally, we achieve full attestation bypasses on up-to-date AMD SEV-SNP systems despite the latest firmware defenses, allowing us to forge attestation reports and implant persistent backdoors in SEV-protected virtual machines. In the broader context, our results challenge fundamental assumptions about encrypted memory security guarantees and expose critical flaws in the performance-security trade-offs of today's confidential cloud computing systems. By: Jesse De Meulemeester | PhD researcher, COSIC, KU Leuven Jo Van Bulck | Prof., DistriNet, KU Leuven David Oswald | Prof., Durham University https://ift.tt/cCXioZJ

source https://www.youtube.com/watch?v=AyJqRmIBHKk

Black Hat Europe 2025 | The Fragile Lock: Novel Bypasses For SAML Authentication

SAML2 has been the backbone of enterprise single sign-on for over 20 years. Behind its familiar facade lies a chaotic mix of legacy specifications, fragile XML processing, and false assurances of security. Despite endless patches and best practices, the protocol continues to collapse under the weight of its own complexity. In this talk, I will show you how to bypass authentication using subtle flaws in XML handling. I will introduce several previously unpublished techniques that enable the crafting of reliable, stealthy exploits against SAML implementations that appear secure on the surface. I will also release an open-source toolkit designed to identify and exploit these vulnerabilities in real-world SAML deployments. It is time to stop patching the unpatchable and start questioning the protocol itself. By: Zak Fedotkin | Researcher, PortSwigger https://ift.tt/D4o6VIw

source https://www.youtube.com/watch?v=o5KpYzbQYG0

Black Hat Europe 2025 | Why We Can't Retrofit Old Security Principles Onto AI Agents

Traditional security relies on axioms like separating code from data, but LLM-based agents blur these lines by treating user prompts and untrusted external content as identical semantic inputs. Dr. Ilia Shumailov argues that current defenses are fundamentally flawed: adaptive attacks bypass standard guardrails with over 90% success, and existing red-teaming incentives often perpetuate vulnerabilities rather than fixing them. This session presents a breakthrough alternative—deployment architectures that fix prompt injections by design and scale to support complex Web and Computer Use Agents. Discover how to move beyond fragile detection models toward systems with provable security against control-flow injections and verifiable security against data-flow attacks for the next generation of autonomous agents. By: Ilia Shumailov | PhD in Computer Science from the University of Cambridge https://ift.tt/t9mGWCQ

source https://www.youtube.com/watch?v=HGCwYIUgoKc

Black Hat Intercepted | Mike Spicer, Black Hat NOC Lead

Meet Mike Spicer (aka DarkMatter), a NOC lead at Black Hat, revealing how the team detected and tracked down a compromised attendee during the conference. When a device connected to the network and started communicating with a known malicious source, an alert was triggered among hundreds of thousands of events. The team conducted a deep dive analysis, examining packet types and communication patterns to identify the threat actor through behavioral analysis. Using open-source intelligence techniques, the team fingerprinted the network communication, pieced together the digital breadcrumbs, and matched the activity to a registered attendee. The team successfully made contact to help secure the compromised device.

source https://www.youtube.com/shorts/ddpZoTcvGmQ

Black Hat Europe 2025 | Understanding Trends & Patterns In Insider Threat: Analysis Of 1,000+ Cases

This session examines the world of malicious insider threat by identifying the trends and patterns of the Tactics, Techniques, and Procedures (TTPs) observed in over 1,000 cases. Rather than focus on attitudinal surveys or anecdotal data, this session will explore the TTPs used by malicious insiders which are most valuable to digital forensic examiners and incident responders. By: Michael Robinson | Senior Security Analyst, Google https://ift.tt/bNAYdWc

source https://www.youtube.com/watch?v=-ueCcEdDjOM

Black Hat Europe 2025 | Token Injection: Crashing LLM Inference With Special Tokens

As large language models (LLMs) are deployed at scale, their underlying inference frameworks (e.g., vLLM, SGLang, TensorRT-LLM) have become critical operational pillars. These systems must splice user prompts with control structures, tokenise them, and schedule requests within milliseconds. Within this high-speed pipeline, we identify an underappreciated attack surface: special tokens. We introduce the first "Token Injection" attack model, showing how a single prompt composed solely of special tokens can trigger uncaught exceptions in embedding and CUDA computation stages, resulting in denial of service (DoS) or full-service crashes. It can also cause inference manipulation, such as chat interruption and context pollution. The attack requires no authentication and works via standard input interfaces, affecting both self-hosted and managed deployments. We validate impact across multiple inference frameworks, including vLLM, SGLang, TensorRT-LLM, MLX, Ollama, and Hugging Face TGI; and across major platforms, including NVIDIA NIM, Google Vertex AI, Azure AI Foundry, Hugging Face, Meta AI, and OpenRouter. This work shifts the AI security focus from "model output" to the security of inference infrastructure, offering practitioners a new perspective and a concrete defence paradigm. By: Pengyu Ding | PhD Student, Infra Security, Ant Group & Huazhong University of Science and Technology Ziteng Xu | Senior Cybersecurity Expert, Infra Security, Ant Group Zhiniang Peng | Associate Professor, Huazhong University of Science and Technology Dongliang Mu | Associate Professor, Huazhong University of Science and Technology https://ift.tt/v9tsYEh

source https://www.youtube.com/watch?v=ILnTkeuxPPw

Black Hat Europe 2025 | Insights From Phishing-Resistant Authentication

How many phishing attempts bypass enterprise pre-authentication security, including email gateways, DNS filtering, SASE, SWG, browser security, and endpoint protection, to trick users into malicious logins? And how effectively do current security systems detect and respond to these? While general phishing trends are known, the true impact and organizational defense postures remain unclear. Analyzing two years of phishing attempts stopped only by phishing-resistant authentication, we quantify a notable volume of attacks that bypass the pre-authentication security layers and successfully trick users. We then dive into events linked to AiTM campaigns using EvilProxy kits, dissecting their patterns across verticals and company sizes, identifying indicators of compromise, and tracking longitudinal trends. As part of our investigation, we also reached out to impacted organizations, with a notable number indicating they hadn't detected these attempts until our notifications. This work provides crucial, data-driven evidence highlighting the importance of phishing-resistant authentication and exposing many organizations' often mediocre security postures. It transforms failed authentication into actionable threat intelligence, revealing and helping address organizations' actual security gaps. By: Fei Liu | Principal Emerging Technology Researcher, Okta

source https://www.youtube.com/watch?v=6jw8vG8FaEQ

Black Hat Stories | Jessica Oppenheimer, Director, SOC Integrations, Splunk Security

source https://www.youtube.com/watch?v=UM_Ct9Sf17o