Black Hat USA 2025 | Use and Abuse of Palo Alto's Remote Access Solution

Palo Alto Networks' GlobalProtect is a widely adopted remote access solution used by major organisations worldwide — but how robust is it? Is it designed following secure development principles? Is it possible that this highly-privileged agent, typically installed on all user endpoints, could actually be a source of vulnerability? In this talk, I will introduce and discuss the research that led to the discovery of several security vulnerabilities that could be used to bypass the VPN or escalate privileges on MacOS and Linux endpoints with GlobalProtect installed. As well as providing technical details and practical demonstration of the vulnerabilities, I'll provide an overview of how the GlobalProtect client works and consider its design from the security engineer's perspective. I'll explore fundamental design decisions whose overlooked risks directly contributed to the discovered vulnerabilities. By: Alex Bourla | Security Engineer and Researcher, Graham Brereton | Senior Software Engineer, Form3 Presentation Materials Available at: https://ift.tt/w0StFJf

source https://www.youtube.com/watch?v=6IGmNLs4tk8

Black Hat USA 2025 | Turning Camera Surveillance on its Axis

What are the consequences if an adversary compromises the surveillance cameras of thousands of leading Western organizations and companies? In a world of losing trust in Chinese-made IoT devices, there is less variety left for organizations to choose from. This is even more prevalent when it comes to video surveillance and cameras, in which multiple countries around the world have chosen to ban the use of products made by Dahua and Hikvision in government facilities. This question drove our research, leading us to discover that surveillance platforms can be double-edged swords. We researched Axis Communications, one of the dominant vendors in the field of video surveillance and monitoring, heavily adopted by US government agencies, schools and medical facilities and even Fortune 500 companies around the world. In our talk, we will showcase the comprehensive research we've conducted on the Axis.Remoting communication protocol, identifying critical vulnerabilities allowing attackers to gain preauth RCE on Axis platforms, giving attackers a runway into the organization's internal networks through their surveillance infrastructure. In addition, we've identified a novel method to passively exfiltrate information about each organization that uses this equipment, potentially enabling attackers to pinpoint their attack. Noam Moshe | Vulnerability Researcher, Claroty Team82 Presentation Materials Available at: https://ift.tt/I0frAWY

source https://www.youtube.com/watch?v=7J7UgLwrxdQ

Black Hat USA 2025 | Uncovering Threats and Exposing Vulnerabilities in Next-Gen Cellular RAN

5G Radio Access Networks (RANs) are undergoing a major shift from tightly integrated, vendor-specific systems to disaggregated, software-driven architectures. At the forefront is the Open RAN (O-RAN) movement, which defines new standardized interfaces to support RAN disaggregation and introduces modular RAN Intelligent Controllers (RIC) for smarter network optimization. While this openness promotes innovation and interoperability, it also significantly expands the attack surface. In this talk, we will reveal how O-RAN's design exposes critical interfaces to potentially malicious user equipment (UEs) and under-protected RAN nodes, and demonstrate how these exposed interfaces can be exploited to launch new classes of attacks. We will also present how our systematic testing has uncovered 26 previously unknown memory-corruption vulnerabilities across widely used O-RAN RIC and RAN implementations, resulting in silent service disruptions, performance degradation, component crashes, and even system-wide failures. These vulnerabilities resulted in 20 new CVEs. As major operators worldwide accelerate the adoption of O-RAN, our talk will demonstrate the significance of architecture-specific security testing for such emerging systems. We will begin by mapping out new attack surfaces and associated protection challenges introduced by O-RAN's microservice-based, cloud-native architecture, contrasting them with traditional closed RANs. To guide threat modeling and defense strategies, we will introduce a taxonomy of attack vectors targeting the O-RAN stack. We will then share our insights on testing this unique system and present the first automated security testing framework designed for O-RAN. Our approach combines dynamic tracing and static analysis to uncover inter-component dependencies and generate constraint-driven test inputs capable of reaching deep internal logic within RICs, RANs, and third-party xApps. Finally, we will showcase the vulnerabilities we uncovered and how these issues are remotely exploitable via public-facing interfaces by malicious UEs or rogue RAN nodes, demonstrating the potential operational impact of these attacks in real-world deployments. By: Tianchang Yang | Research Assistant, The Pennsylvania State University Kai Tu | Research Assistant, The Pennsylvania State University Syed Md Mukit Rashid | Research Assistant, The Pennsylvania State University Ali Ranjbar | Research Assistant, The Pennsylvania State University Gang Tan | Professor of Computer Science and Engineering, The Pennsylvania State University Syed Rafiul Hussain | Assistant Professor, The Pennsylvania State University Presentation Materials Available at: https://ift.tt/UnLvoGi

source https://www.youtube.com/watch?v=rqzK1xd3wng

Black Hat USA 2025 | Training Specialist Models: Automating Malware Development

You get what you optimize for. The current trajectory of major AI research labs emphasizes training large language models (LLMs) optimized with verifiable rewards in broadly applicable domains such as mathematics and competitive programming. However, this generalist approach neglects niche applications, especially those explicitly restricted by major providers, including security testing and AV/EDR evasion. Such tasks present unique opportunities suited to smaller teams and independent researchers. This presentation discusses reinforcement learning (RL) fine-tuning for LLMs tailored to highly specialized tasks, using evasive malware development as a case study. A new 7-billion parameter model demonstrating significant performance improvements over state-of-the-art generalist models on AV/EDR evasion tasks will be released alongside the Briefing. By: Kyle Avery | Principal Offensive Specialist Lead, Outflank Presentation Materials Available at: https://ift.tt/PAygKVL

source https://www.youtube.com/watch?v=WKmEzRJZ6H4

Black Hat USA 2025 | Lost & Found: The Hidden Risks of Account Recovery in a Passwordless Future

We explored the Recover my account option of some of the 25 most visited websites. We considered permutations and combinations of scenarios where account recovery can be triggered by a user and how these websites allow the claiming entity (user or an adversary) to gain control over the account. We turned the authentication maze into an easy-to-follow test suite that allows security auditors and webmasters to evaluate the security of the account recovery mechanism of a given website. We learned several lessons on designing a secure and usable account recovery procedure by recovering our own user accounts thousands of times. The wisdom passed on by the security community is one of the reasons why users mislay their authentication credentials: Pick a strong password, change it as frequently as possible, and use a password manager. Despite being unable to keep track of the many passwords we all have, the user adoption of password managers is still low. In this talk, we will give insights on the security of account recovery procedures in the wild from the websites we tested, how to evaluate it yourself with the test suite (or auditing framework) we designed, and how to get it right with the best practice recommendations that we drafted. By: Sid Rao | Senior Security Research Scientist, Nokia Bell Labs Gabriela Sonkeri | Security Engineer, Wolt Amel Bourdoucen | User and Impact Researcher, Aalto University, F-Secure Janne Lindqvist | Associate Professor, Aalto University Presentation Materials Available at: https://ift.tt/4NXgskr

source https://www.youtube.com/watch?v=PtVGiROEBAM

Black Hat USA 2025 | Breaking Chains: Hacking Android Key Attestation

Android key attestation provides a way for a device's secure hardware to verify that cryptographic material is in secure hardware, protected against compromise of the Android OS. If you've ever encountered a password-less authentication flow (e.g., WebAuthN) in a banking app on your Android device you have most likely utilized this feature. However, the entry point for this research involved the investigation of an implementation to combat bot fraud/abuse. This presentation will take attendees on a deep dive into the Android Keystore, Android key attestation, and a litany of PKI vulnerabilities we discovered in an Android key attestation implementation, which includes the discovery of a systemic issue in Google's open source library for parsing Android key attestation X.509 certificate chains. As part of this talk, we will cover how we discovered/exploited these vulnerabilities to circumvent our target's bot protections and present tooling to enable researchers to test their own Android key attestation implementations. To beat the bots, you have to be the bots! By: Alex Gonzalez | Senior Red Team Engineer, Amazon Presentation Materials Available at: https://ift.tt/69tSQnU

source https://www.youtube.com/watch?v=RUHDSokGhLE

Black Hat USA 2025 | Pwning User Phishing Training Through Scientific Lure Crafting

Phishing training has been sold as a silver bullet for twenty years—just show people a few fake emails, teach them what to look for, and they'll magically stop clicking, right? Wrong. Our 8-month, real-world study across 20,000+ employees blows that narrative wide open. We didn't run a controlled lab test. We embedded ourselves in the wild. And what we found was clear: current phishing training doesn't move the needle. Worse, the lures themselves behave chaotically—some bait (like "urgent dress code updates") consistently outperformed others, and not in ways that align with conventional wisdom. This talk digs into why phishing training metrics are a dangerous mirage—used as both security theater and a flawed defense strategy. We'll dissect how gamified lure creation inside orgs can backfire, how novelty and context collide, and why click rates may say more about the bait than the user. Finally, we'll open the floor to the hard questions: Can internal phish metrics be hacked for good—or evil? Are we designing for behavior change or just measuring clicks? And what does a post-phishing-training world even look like? By: Christian Dameff | Co-director, UC San Diego Center for Healthcare Cybersecurity Ariana Mirian | Senior Security Researcher, Censys Presentation Materials Available at: https://ift.tt/G5iS1OY

source https://www.youtube.com/watch?v=YKHlOHhKsvI

Black Hat USA 2025 | Uncovering 'NASty' 5G Baseband Vulnerabilities through Dependency-Aware Fuzzing

While baseband modems are the unseen engines of cellular communication, their proprietary nature, closed-source development, and reliance on memory-unsafe C/C++ form a massive attack surface with minimal visibility. Prior work has shown that GSM and LTE basebands (e.g., Samsung's Shannon) can be fuzzed, but only with extensive manual annotation and harnessing. These approaches fall short on modern 5G systems, where complex state dependencies and evolving firmware architectures make manual harnessing time-consuming and unscalable for reaching deep execution states. In this talk, we delve into the reverse engineering and emulation of Samsung and Pixel 5G basebands, with a focus on Non-Access Stratum (NAS) messaging. We unpack the increased complexity and challenges introduced in the evolution from 4G to 5G, including shifts in CPU architecture, the move from C to C++, and a redesigned inter-task communication model. To tackle these challenges, we present a stateful fuzzing framework that runs directly on emulated baseband firmware. At the heart of our system is an iterative symbolic analysis technique that progressively uncovers state variables and their preconditions to reach different execution paths, enabling fuzzing to target deep, state-dependent paths while mitigating the path explosion problem. Applying our framework to real-world devices (including Google Pixel and Samsung Galaxy models), we uncovered 7 previously unknown vulnerabilities. So far, 5 CVEs have been assigned, with several rated high or critical by vendors. We'll walk through our findings, demonstrate real-world exploits such as SMS and malicious network-triggered crashes, and show how automation can supercharge reverse engineering to expose deep flaws that prior efforts missed. If you're into baseband internals, firmware fuzzing, or breaking wireless systems for the greater good, this talk is for you. By: Ali Ranjbar | Research Assistant, The Pennsylvania State University Tianchang Yang | Research Assistant, The Pennsylvania State University Kai Tu | Research Assistant, The Pennsylvania State University Saaman Khalilollahi | Graduate Researcher (former), The Pennsylvania State University Kanika Gupta | Graduate Student, The Pennsylvania State University Syed Rafiul Hussain | Assistant Professor, The Pennsylvania State University Presentation Materials Available at: https://ift.tt/gxIWcqA

source https://www.youtube.com/watch?v=gXGIo5fy800

Black Hat USA 2025 | If Google Uses It to Find Webpages, We Can Use It to Find Fraudsters

If Google Uses It to Find Webpages, We Can Use It to Find Fraudsters: TF-IDF for Real-Time Fraud Detection Fraud detection has traditionally relied on supervised learning, rule-based heuristics, and anomaly detection. However, these methods struggle against adaptive fraud schemes, emerging attack vectors, and low-frequency fraud patterns. This talk presents a novel, real-time fraud detection technique leveraging Term Frequency-Inverse Document Frequency (TF-IDF) as a similarity measure to link fraudulent entities. Originally developed for Natural Language Processing (NLP), TF-IDF can be repurposed for fraud detection by treating transaction metadata, device identifiers, and behavioral signals as a "corpus." This approach uncovers hidden relationships between fraudulent activities, enabling a hybrid detection model that enhances real-time fraud identification beyond traditional heuristics or anomaly-based methods. Through real-world case studies in financial services, e-commerce, and identity verification, we demonstrate how this method identifies unknown fraud patterns before they escalate into large-scale fraud rings. We will cover mathematical formulations, implementation steps, and a comparative performance evaluation against conventional supervised fraud models. Additionally, we will discuss potential evasion tactics and mitigation strategies to strengthen resilience. Join us as we explore cutting-edge strategies in fraud detection and cybersecurity. With deep expertise in fraud prevention, identity security, and risk management, we will share actionable insights on leveraging TF-IDF and advanced machine learning for real-time fraud detection. Attendees will learn how combining text-based feature extraction with behavioral biometrics and device intelligence enhances detection accuracy and mitigates sophisticated fraud threats. This session provides practical knowledge on applying these innovations to stay ahead of evolving fraud tactics and improve overall security posture. By: David Mahdi | CIO, Transmit Security Ido Rozen | Head of Fraud Detection Engineering, Transmit Security Full Session Details Available at: https://ift.tt/D8gw3od

source https://www.youtube.com/watch?v=WVHxCedkYSg

Black Hat USA 2025 | Let LLM Learn: When Your Static Analyzer Actually 'Gets It'

Imagine the process of a human security auditor. What distinguishes an expert? It's their accumulated knowledge and nuanced understanding, allowing them to see beyond simple rules. Indeed, Large Language Models (LLMs) demonstrate semantic understanding capabilities potentially exceeding traditional rule-based static analysis. However, raw reasoning power isn't synonymous with effective learning in this complex domain. While LLMs have shown promise for semantic reasoning tasks, deploying them directly on massive codebases is frequently impractical due to scalability constraints and excessive computational overhead. Additionally, isolated semantic summarization at function or module granularities often yields overly abstract results lacking practical actionable insights, or excessive context that proves too cumbersome to analyze effectively. In this talk, we propose "Let LLM Learn," an innovative approach that facilitates incremental semantic knowledge learning *using* reasoning models. Our method reframes the role of static analysis; instead of relying directly on its predefined rules, we leverage it to identify and extract relevant code segments which serve as focused learning material for the LLM. We then strategically partition complex codebases into meaningful, semantic-level slices pertinent to vulnerability propagation. Leveraging these slices, our framework incrementally teaches the LLM—potentially guided by human annotations—to summarize and cache valuable semantic knowledge. This process significantly enhances accuracy, efficiency, and context-awareness in automated vulnerability detection. Empirical evaluations demonstrate that our approach effectively identifies over 70 previously unknown bugs in real-world software projects, including VirtualBox and critical medical device systems in the IN-CYPHER project led by the UK and Singapore. Crucially, the semantic knowledge accumulated by our system naturally encodes high-value vulnerability patterns, closely resembling the intuition and analytical capabilities of human security experts. Our technique thereby bridges a critical gap between human expertise and automated analysis capabilities, considerably enhancing vulnerability detection effectiveness, precision, and practical utility. By: Zong Cao | Phd Student, Imperial Global Singapore and Nanyang Technological University Zhengzi Xu Yeqi Fu Yuqiang Sun Kaixuan Li Yang Liu Full Session Details Available at: https://ift.tt/GCBnQyo

source https://www.youtube.com/watch?v=FPzOgf2EGQE

Black Hat USA 2025 | Wormable Zero-Click RCE in AirPlay Impacts Billions of Apple and IoT Devices

Since its introduction in 2010, AirPlay has transformed the way Apple users stream media. Today, it is integrated into a wide range of devices, including speakers, smart TVs, audio receivers and even automotive systems, making it a key part of the world's multimedia ecosystem. In this session, we will share new details about AirBorne - a series of vulnerabilities within Apple's AirPlay protocol that can compromise Apple devices as well as AirPlay supported devices that use the AirPlay SDK. These attacks can be carried out over the network and on nearby devices, since AirPlay supports peer-to-peer connections. Among the AirBorne class of vulnerabilities, there are multiple vulnerabilities that lead to remote code execution, access control bypass, privilege escalation and sensitive information disclosure. When chained together, the vulnerabilities allowed us to fully compromise a wide range of devices from Apple and other vendors. In this talk, we'll demonstrate full exploits on three kinds of devices: MacBook, Bose speaker and a Pioneer CarPlay device. We will reveal, for the first time, the technical details of the Zero-Click RCE vulnerabilities impacting nearly every AirPlay-enabled device, including IoT devices that may take years to update and some that may never be patched. By: Gal Elbaz | Co-Founder & CTO, Oligo Security Avi Lumelsky | AI Security Researcher, Oligo Security Uri Katz | Senior Vulnerability Researcher, Oligo Security Full Session Details Available at: https://ift.tt/MeBTz9a

source https://www.youtube.com/watch?v=cNCSml35wLU