Black Hat USA 2025 | Use and Abuse of Personal Information -- Politics Edition

Over the past 5 years, we have employed active open-source intelligence (OSINT) techniques to test the question of how our personal information is used, shared, or otherwise abused. To do this, we created an automated collection framework with realistic fake identities used in one-time online transactions and then passively collect email, voicemail, and SMS responses from that event. The key highlight of this talk are the results from 2000+ fake identities signed up to the declared political candidates for the 2024 U.S. elections (U.S. House and Senate pre-primary candidates as of ~Oct 2023; presidential candidates added as announced), tracing how information was used (e.g., numbers and patterns of email, comparison of "hot" races to "in the bag" ones, geographical responses, sentiment analysis) or shared (e.g., routine sharing and overnight/unified shift in Democratic party support of Harris after Biden withdrawal). Additional trends are demonstrated for attempting to predict the outcomes of races based upon their messaging behaviors, coordinated intra-party responses to events, the post-election and post-inauguration phases, the lack of direct mailings, and other fun anecdotes like having one of our fake IDs traced back to us via IP inspection. We will strive to keep the discussion apolitical, as the focus is more about the data/trends and what our expectations should be for our personal privacy when providing our information to political candidates. As this talk builds on a prior Black Hat USA 2021 talk, we'll also discuss automation techniques for active OSINT frameworks and preliminary results for a fully integrated "interaction engine" that enables generative AI email responses with machine generated personalities, based on the "Big-5" psychometric factors. By: Alan Michaels | Northrop Grumman Sr. Faculty Fellow / Professor and Director, Spectrum Dominance, Virginia Tech National Security Institute Jared Byers | Research Associate, Virginia Tech National Security Institute Full Presentation Materials Available at: https://ift.tt/14FDvj5

source https://www.youtube.com/watch?v=Lf2k8QPEPqs

Black Hat USA 2025 | Smart Charging, Smarter Hackers: The Unseen Risks of ISO 15118

The rise of electric vehicles (EVs) is reshaping global mobility, paving the way for a cleaner, more sustainable future. But this shift is not without challenges. By 2040, more than 600 million EVs are expected to be on the roads, placing enormous pressure on our electricity grids. This could lead to instability and disruptions in the electricity supply, particularly during peak demand. To address this challenge, the International Organization for Standardization released 15118 - a standard that introduces technologies like smart charging and Vehicle-to-Grid communication. These innovations not only help reduce the pressure on the grid, but also promise to enhance the user experience of charging an EV, making it more intuitive and, more importantly, secure. That said, while resolving several critical cybersecurity issues, the standard also introduces new risks. This session will explore how ISO 15118 reshapes the threat landscape of EV charging. We will examine the cybersecurity implications of the standard, looking at the risks it mitigates, shifts, and creates. In fact, while ISO 15118 offers substantial improvements, we argue that the standard is not sufficient to fully secure the EV charging ecosystem. Using ISO 15118 as an example, we will demonstrate how standards and policies - even those that explicitly target cybersecurity - can inadvertently introduce new attack vectors, making them a double-edged sword. By: Salvatore Gariuolo | Senior Threat Researcher, Trend Micro Inc. Presentation Materials Available at: https://ift.tt/N3t72Hg

source https://www.youtube.com/watch?v=_furvigQmxk

Black Hat Asia 2026 Speaker Spotlight - Tal Be'ery

Tal Be'ery of Black Hat Asia Briefings - Your Number Is Up: When 3.5 Billion Strangers Can Exploit Your WhatsApp Devices

source https://www.youtube.com/watch?v=OPz7GJ5e6mw

Black Hat USA 2025 | HTTP/1.1 Must Die! The Desync Endgame

Some people think the days of critical HTTP request smuggling attacks on hardened targets have passed. Unfortunately, this is an illusion propped up by wafer-thin mitigations that collapse as soon as you apply a little creativity. As long as HTTP/1.1 lives, desync attacks will thrive. In this session, I'll introduce multiple new classes of desync attack, enabling mass compromise of user credentials across hundreds of targets, including tech giants, SaaS providers, US government systems, and almost every company using a certain CDN. Every technique has been honed for maximum impact with minimum effort, with an unplanned collaboration yielding over $200,000 in bug bounties in two weeks. I'll also share the research methodology and open-source toolkit that made this possible, replacing outdated, canned-exploit probes with focused analysis that reveals each target's unique weak spots. This strategy creates an avalanche of desync research leads, yielding results ranging from entire new attack classes, down to exotic implementation flaws that bleed server memory into attackers' welcoming arms. You'll witness attacks meticulously crafted from theoretical foundations alongside accidental exploits with a root cause so incomprehensible, the developers ended up even more confused than me. You'll leave this talk equipped with everything you need to join me in the desync research endgame: the mission to kill HTTP/1. By: James Kettle | Director of Research, PortSwigger Presentation Materials Available at: https://ift.tt/CxqeYvS

source https://www.youtube.com/watch?v=FJbuAyxTTWc

Black Hat USA 2025 | "Dead Pixel Detected" - A Security Assessment of Apple's Graphics Subsystem

As one of the most significant attack surfaces in Operating Systems, the graphics subsystem has always been a focus of the security community. Given the lack of source code and technical documentation, conducting a comprehensive security assessment of such subsystems, particularly their kernel-mode components, remains an arduous task. Let's consider the Apple Silicon platform as a reference. Upon examining the security advisories from the past year, it is clear that the number of kernel vulnerabilities has diverged from the theoretical error rate per ten thousand lines of binary code. In the meantime, the AI revolution is accelerating, and large language models are placing more stringent demands on platform security. As security researchers, it is our obligation to step forward and safeguard these critical infrastructures. This presentation will delve into the Apple's Intel-based GPU, Apple Graphics Accelerator (AGX GPU), IOMobileFrameBuffer (IOMFB) and Display Co-processor (DCP), from the perspectives of system architecture and implementation, reverse engineering and attack surface evaluation, fuzzing and vulnerability hunting. As part of the findings, this presentation will share with you more than a dozen kernel vulnerabilities, including CVE-2024-40854, CVE-2024-44197, CVE-2024-44199, CVE-2025-24111, CVE-2025-24257, CVE-2025-24273, etc. These brand new issues impact each of the components mentioned above. Through these case studies, you might gain a deeper understanding of the architecture design of Apple's graphics subsystem, as well as the security challenges emerging in the era of Apple Private Cloud Compute. By: Yu Wang | Co-founder and CEO, CyberServal Weiteng Chen | Researcher, Microsoft Research, Redmond Presentation Materials Available at: https://ift.tt/RuOxmbG

source https://www.youtube.com/watch?v=JYmh7gCoIFo

Black Hat USA 2025 | Peril at the Plug: Investigating EV Charger Security and Safety Failures

The past few years have seen a rapid increase in Level 2 EV charging equipment (EVSE) options for consumers. Along with choosing the right equipment, EV owners face installation decisions, such as hiring specialized installers or doing it themselves. However, many consumers are unaware of the cybersecurity risks inherent in all chargers. Vulnerability bounty programs have shown that even simple remote attacks can take full control of these devices. These challenges create an environment of safety risks that can endanger life and property. Our research examines the real-world consequences of compromised EVSE through the destructive testing of seven different products. We begin by reviewing common remote attacks found across various EV chargers and disclose several recently identified zero-day vulnerabilities. We then introduce a testing methodology simulating a worst-case scenario where a malicious actor bypasses safety mechanisms to cause maximum damage. The results include video footage of the tests, showcasing any destruction, collateral damage, and latent hazards. Lastly, we offer recommendations for enhancing safety through security best practices, hardware design, and implementation. Attendees will gain insight into the current state of EVSE security, how to assess EVSE safety mechanisms and the real-world dangers of using EVSE with safety features that can be bypassed via compromise. By: Jonathan Andersson | Sr. Manager Security Research, Trend Micro Thanos Kaliyanakis | Vulnerability Researcher, Trend Micro Full Session Details Available at: https://ift.tt/8B4w6Hz

source https://www.youtube.com/watch?v=4l6hsv8IlWE

Black Hat USA 2025 | Racing for Privilege

Racing for Privilege: Leaking Privileged Memory From Any Intel System Using a Microarchitectural Race Condition Enhanced Indirect Branch Restricted Speculation (eIBRS) is Intel's primary defense against Branch Target Injection-style (BTI) Spectre attacks. eIBRS prevents misuse of untrusted branch target predictions in higher privilege domains (i.e., kernel/hypervisor mode) by restricting predictions from other privilege domains other than the one they were created for. Since its inception in late 2018, eIBRS remains the best-suited BTI defense that all major operating systems and hypervisors rely on, and it has so far successfully prevented attackers from injecting arbitrary branch target predictions across privilege boundaries. However, our research finds that microarchitectural mitigations like eIBRS, much like software, are vulnerable to race conditions. Consequently, we will demonstrate an exploitation technique that allows attackers to inject branch target predictions not only into higher privilege domains, but also across prediction barriers (i.e., IBPB) meant to invalidate all such predictions. Tracing back the bug to its origin, we find that it has been present ever since the eIBRS was first introduced, meaning systems have been vulnerable for over 7 years! We will demonstrate that this issue is easy to exploit by building an arbitrary privileged memory read primitive, evaluated (5.6 kB/s) on an up-to-date Ubuntu 24.04 system with all default mitigations enabled. This attack shows how easily hardware mitigations can fall apart when integrated into a complex CPU design, and it gives us a reminder of how much trust the computer industry faithfully puts into hardware vendors' security claims. By: Sandro Rüegge | Security Researcher, ETH Zürich Johannes Wikner | CPU Therapist, PhD, ETH Zurich Presentation Materials Available at: https://ift.tt/0UQ7idh

source https://www.youtube.com/watch?v=ULXuhxj-WgA

Black Hat USA 2025 | Hackers Dropping Mid-Heist Selfies

Hackers Dropping Mid-Heist Selfies: LLM Identifies Information Stealer Infection Vector and Extracts IoCs Information stealer malware has become one of the most prolific and damaging threats in today's cybercrime landscape, siphoning off everything from browser-stored credentials to session tokens and other system secrets. In 2024 alone, we witnessed more than 30 million stealer logs traded on underground markets. Yet buried within these logs is an underexplored goldmine: screenshots captured at the precise moment of infection. Think of it as a thief taking a selfie mid-heist, unexpected but convenient for us, right? Surprisingly, these crime scene snapshots have been largely overlooked until now. Leveraging infostealer infection screenshots and Large Language Models (LLMs), we propose a new approach to identify infection vectors, extract indicators of compromise (IoCs) and track infostealer campaigns at scale. Our approach found several hundred potential IoCs in the form of URLs leading to the download of the malware-laden payload. By applying this method to "fresh" stealer logs, we can detect and mitigate infection vectors almost instantaneously, reducing further infections. Our analysis uncovered distribution strategies, lure themes and social engineering techniques used by threat actors in successful infection campaigns. We will break down three distinct campaigns to illustrate the tactics they use to deliver malware and deceive victims: cracked versions of popular software, ads pointing to popular software and free AI image generators. This presentation, with its live demonstration, shows how LLMs can be harnessed to extract IoCs at scale while addressing the challenges and costs of implementation. Attendees will walk away with a deeper understanding of the modern infostealer ecosystem and will want to apply LLM to other illicit artifacts to extract actionable intelligence. By: Estelle Ruellan | Threat Intelligence Researcher, Flare Olivier Bilodeau | Principal Security Researcher, Flare Presentation Materials Available at: https://ift.tt/1GYAekO

source https://www.youtube.com/watch?v=WQFIfORignI

Black Hat USA 2025 | Unix Underworld: Tales from the Dark Side of z/OS

You may have heard tales of mainframe pentesting and exploitation before - mostly from us! Those stories often focused on the MVS/ISPF side of the IBM z/OS. But did you know that all those same tricks (and more!) can be pulled off in z/OS Unix System Services (OMVS) as well? I bet you didn't even know z/OS had a UNIX side! Over the years, we've discovered multiple unique attack paths when it comes to Unix on the mainframe. In this talk, we'll present live demos of real-world scenarios we've encountered during mainframe penetration tests. These examples will showcase what can happen with poor file hygiene leading to database compromises, inadequate file permissions enabling privilege escalation, a lack of ESM resource understanding allowing for privileged command execution, and how dataset protection won't save you from these attacks. We'll also be demonstrating what can happen when we overflow the buffer in an APF authorized dataset. Attendees will learn how to test these controls themselves using freely available open-source tools and how to (partially) detect these attacks. While privesc in UNIX isn't game over for your mainframe, it's pretty close. By the end, it will be clear that simply granting superuser access to Unix can be just as dangerous, if not more so, than giving access to TSO on the mainframe. By: Philip Young | Director Mainframe Penetration Testing Services, NetSPI Chad Rikansrud | Software Security Researcher, Broadcom Presentation Materials Available at: https://ift.tt/DOXYWFE

source https://www.youtube.com/watch?v=3wQHhGxVTuo

Black Hat USA 2025 | Booting into Breaches: Hunting Windows SecureBoot's Remote Attack Surfaces

SecureBoot, designed to protect against firmware-level tampering, has long been dismissed as a "local-only" attack surface. This research shatters that assumption, exposing systemic flaws that enable remote exploitation of SecureBoot—culminating in Pre-Auth RCE on fully patched systems. With 31 CVEs discovered and fixed in Microsoft's SecureBoot implementation, we reveal how attackers can weaponize bootloader components (network stacks, BCD registries, filesystems) to bypass critical security guarantees. We dissect novel attack surfaces in Windows' UEFI environment, including an overlooked network protocol parser and a single 100-line BCD registry function harboring 6 vulnerabilities. Our custom debugging and fuzzing frameworks can assist vulnerability hunting in the UEFI environment efficiently. Beyond the bootloader, we demonstrate how kernel and userland components inherit these weaknesses, including a RCE demo on a SecureBoot-enforced Hyper-V host. By chaining logical flaws in SecureBoot's trust model, we illustrate how attackers can pivot from firmware to OS-level control without physical access. We conclude with actionable mitigations and a critical call to re-evaluate firmware security paradigms in an era where remote exploitation nullifies the "local access" defense. By: Jietao Yang | Security Researcher, Cyber Kunlun Lab Presentation Materials Available at: https://ift.tt/z6oEmWw

source https://www.youtube.com/watch?v=p4EXzE0dvWE

Black Hat USA 2025 | I'm in Your Logs Now, Deceiving Your Analysts and Blinding Your EDR

What if you could leverage Event Tracing for Windows (ETW) to manipulate telemetry data, challenging the trust placed in endpoint detection and response (EDR) tools? ETW is a critical component to the operating system for Event Log generation as well as EDR telemetry collection. By injecting custom events into the ETW stream, I've found a safe way for blue teams to replicate attack telemetry without executing these risky processes on production systems. Additionally, red teams can exploit this same technique to mislead incident analysts or, worse, trigger capping mechanisms in EDRs, effectively rendering them partially blind to malicious activities. Current Windows protection mechanisms mostly allow these techniques to be executed from any un-elevated process, in user mode. I will demonstrate the injection of telemetry events and the exploitation of event capping—illustrating how an overflow in event generation can cause the Defender for Endpoint to disregard subsequent logs, including those from genuine threats. I will showcase how automated risk assessment can lead to the revocation of tenant access for that device. By: Olaf Hartong | Security Researcher, FalconForce Presentation Materials Available at: https://ift.tt/uRoVyUj

source https://www.youtube.com/watch?v=G3Ft0gtmm4I