Bridge Attack (BA) is a new attack surface for mobile phones and IoT devices in a LAN. The abstract bridge is usually implemented by custom schemes or protocols, such as the JavaScript Bridge in WebView or the UPnP protocol in IoT. In some cases, the Bridge's expanded capability creates risks for devices in the LAN, and the vulnerability can be persistently exploited with a common web attack (e.g. XSS/CSRF).

Bridge Attack finds the potential vulnerability in communication between internal and external components. We think that the external component provides more data-flow attack entry points, whose identity should be checked in the internal component. That means bridge attacks expose devices in the LAN to more attack risks, which can lead to remote code execution, sensitive data leaks and IoT devices being controlled.

Zidong Han is an Android security researcher from Tencent Mobile Security Lab, Razor Team. He focuses on mobile security research, especially App vulnerability and IoT-related security research. He attended HITB-SECCONF-2018-Beijing as a speaker in CommSec: "Who Hijacked My Smart Home: One URL to Hack ALL IoT Devices". He attended GeekPwn 2018, Hack Pwn in House. He has found and exploited more than 20 vulnerabilities in eight kinds of IoT devices.



WeChat: hzddm12340

Weiguang Li is a mobile network security researcher from UnicornTeam of 360 Technology Co. Ltd in China. He mainly focuses on GSM and LTE security. He is also interested in NB-IoT baseband reverse engineering and software-defined radio development. WeChat: ColorLight

The public warning system (PWS) based on mobile communication systems is used to alert the public to emergency events such as earthquakes, tsunamis, hurricanes, etc. We carefully studied the PWS in LTE networks and uncovered a vulnerability of the PWS in the LTE air interface: the warning messages of the PWS are neither encrypted nor signed when they are transmitted over the air. Thus, it is possible for malicious PWS warning messages to be transmitted. We simply use a low-cost software-defined radio (SDR) device and modify only a little code of the LTE open-source project srsLTE in order to forge the warning messages. Both Apple and Android test mobile phones are affected by our forged warning messages. Fake PWS warning messages will cause serious panic among the population; they could also be used to send advertising or spam messages. The public warning system may become paralyzed and useless under the threat of abuse by fake warning messages.

Ramiro Pareja is the technical leader of the Riscure security testing laboratory located in China. He has extensive experience in hardware security and specializes in Embedded Systems and SoC security. In the last years, Ramiro has developed an interest and expertise in the automotive industry (embedded and connected technologies deployed in modern vehicles), applying fault injection and side channel attacks – very common in other markets like smartcards or content protection – to automotive electronic systems. If it has chips, he can break it ;) www.riscure.com

Fault injection, also known as glitch attacks, is a hardware hacking technique that has been successfully used to attack all kinds of targets for more than 20 years. However, most security experts are unaware of its existence or understate its risks. With the recent decrease in the tooling cost required to perform fault injection, this type of attack has become affordable for the masses. At the same time, the generalization of secure coding practices and the rise of IoT devices based on small SoCs is increasing the interest in these and other hardware attacks, as quite often nowadays they are the only resort for attacking some electronic devices. In this talk, we tell our war stories about performing fault injection attacks on a wide variety of devices used by different industries. Our real stories - a compendium of more than 10 years of experience as hardware security analysts - will cover the full spectrum of what fault injection is about. We will be talking about shooting lasers, breaking military-grade cryptography, unblocking locked devices, revealing the deepest secrets hidden in the hardware and much more. But not everything is lost for your electronic devices! We will also talk about how you can protect your hardware and software against these powerful attacks.

Breaking the back end! It is not always a bug. Sometimes, it is just bad design!

Gregory Pickett, Cybersecurity Operations, Hellfire Security

Reverse engineering is critical to exploitation. However, going through the process of reverse engineering can often lead to a great deal more than just uncovering a bug. So much so that you might find what you need for exploitation even if you don't find a bug.



That’s right. If you go through object data, object representation, object states, and state changes enough, you can find out quite a lot. Yes. Poor application logic is a bitch. Just ask any application penetration tester. This time it is not the magstripe. It’s appsec, and you will get to see how application attacks can be used against a hardware platform.



In this talk, I will go through the journey that I took in reverse engineering the public transportation system of an East Asian mega-city, the questions that I asked as I wondered “How does this work?”, the experiments that I ran to answer those questions, what I learned that led me to an exploit capable of generating millions of dollars in fake tickets for that very same system, and how other designers can avoid the same fate. Not without risk, this research was done under a junta, so I will also be telling you how I kept myself out of jail while doing it. Please join me. You won’t want to miss it.

Gregory Pickett CISSP, GCIA, GPEN has a background in intrusion analysis for Fortune 100 companies but now heads up Hellfire Security’s Managed Security Services efforts and participates in their assessment practice as a network security subject matter expert. As a security professional, his primary area of focus and occasional research is networks with an interest in using network traffic to better understand, to better defend, and sometimes to better exploit the hosts that live on them. He holds a B.S. in Psychology which is completely unrelated but interesting to know. While it does nothing to contribute to how he makes a living, it does demonstrate how screwed up he actually is.



@shogun7273, https://sourceforge.net/u/shogun7273/profile/

Attacks you can't combat: vulnerabilities of most robust mobile operators

Sergey Puzankov, Telecom Security Expert, Positive Technologies

The mobile world is moving to 5G. However, there are billions of subscribers who still use old 2G and 3G networks. These networks rely on the SS7 (Signaling System #7) protocol stack, which was developed in the 1970s. The SS7 stack was supposed to be used as an isolated network within a small club of large telephone operators, so nobody thought about upper-layer security mechanisms. Further development of SS7 brought the possibility of sending signaling traffic over IP networks. Thus, the SS7 stack got vulnerabilities “by design” that allow an external intruder to perform such attacks as location tracking, service disruption, and SMS and voice call interception. Mobile operators, equipment vendors, and non-commercial organizations (such as the GSMA, the association of mobile operators) are aware of the problem. They develop and implement security solutions mitigating threats from SS7 networks.



Our recent research shows that SS7 has vulnerabilities that allow bypassing any protection tools. Manipulation of parameters on different layers of an SS7 message may help an intruder to cheat a security tool and achieve the goal even with subscribers served by a well-protected network. The research findings were reported to the GSMA Coordinated Vulnerability Disclosure Programme and FASG (Fraud and Security Group). The report was used for a security recommendations update.



In this presentation, I will demonstrate how an intruder can use new SS7 vulnerabilities to bypass security tools. I will explain why it is possible and how network equipment reacts to malicious traffic. In addition, I will give recommendations to operators on how to make their networks more secure.

Sergey was born in 1976. He graduated from Penza State University with a degree in automated data processing and management systems in 1998. Before joining Positive Technologies in 2012, he worked as a quality engineer at VimpelCom. Being a security expert in telecommunication systems at Positive Technologies, he researches signaling network security and participates in audits for mobile operators around the world.



Sergey is also the lead developer of the PT Telecom Vulnerability Scanner tool, a member of the PT Telecom Attack Discovery development team, and writes Positive Technologies' annual reports on telecom security.



He is part of the team that revealed vulnerable points in popular two-factor authentication schemes using text messages and demonstrated how easy it is to compromise Facebook, WhatsApp and Telegram accounts, and a Bitcoin wallet. Apart from that, Sergey actively contributes the results of security research and discovered vulnerabilities to global organizations such as the GSMA and ITU.

Twitter: xigins

Derevolutionizing OS Fingerprinting: The Cat and Mouse Game

Jaime Sanchez, Global Security Research Lead, Telefónica

With the explosive growth and distributed nature of computer networks, it has become progressively more difficult to manage, secure, and identify Internet devices. An outsider has the capability to discover general information, such as which operating system a host is running, by searching for default stack parameters, ambiguities in IETF RFCs or non-compliant TCP/IP implementations in responses to malformed requests. By pinpointing the exact OS of a host, an attacker can launch an educated and precise attack against a target machine.



There are a lot of reasons to hide your OS from the entire world:

Revealing your OS makes it easier to find and successfully run an exploit against any of your devices.

Having an unpatched or antique OS version is not very convenient for your company's prestige. Imagine that your company is a bank and some users notice that you are running an unpatched box. They won't trust you any longer! In addition, this kind of 'bad' news always reaches public opinion.

Knowing your OS can also become more dangerous, because people can guess which applications you are running on that OS (data inference). For example, if your system is MS Windows and you are running a database, it's highly likely that you are running MS-SQL.

It could be convenient for other software companies to offer you a new OS environment (because they know which one you are running).

And finally, privacy: nobody needs to know which systems you've got running.

This talk aims to present well-known methods that perform classification using application-layer traffic (TCP/IP/UDP headers, ICMP packets, or some combination thereof), old-style approaches to defeat remote OS fingerprinting (like tweaking the Windows registry or implementing patches to the Linux kernel) and why this doesn't work nowadays and could affect TCP/IP stack performance. We'll also present a new approach to detect and defeat both active and passive OS fingerprinting with OSfooler-NG, a completely rewritten tool, highly portable, completely undetectable to attackers and capable of detecting and defeating famous tools like nmap, p0f, Xprobe, pfSense and many commercial engines.



Sorry guys, OS fingerprinting is over...

Jaime Sánchez (aka @segofensiva) has worked for over 20 years as a specialist advisor for large national and international companies, focusing on different aspects of security such as consulting, auditing, training, and ethical hacking techniques. He holds a Computer Engineering degree and an Executive MBA. In addition, he holds several certifications, like CISA, CISM and CISSP, just to name a few, and a NATO SECRET security clearance, as a result of his role as an advisor to many law enforcement organizations, banks and large companies in Europe and Spain.



He has spoken at renowned security conferences nationally and internationally, such as RootedCON, Nuit du Hack, Black Hat, DEF CON, DerbyCon, NocONName, DeepSec, ShmooCon and Cyber Defence Symposium, among others. As a result of his research, he has reported security findings and vulnerabilities to top companies and vendors, like Banco Popular, WhatsApp, Snapchat, Microsoft, Apple, etc.



He is a frequent contributor on TV (TVE, Cuatro, LaSexta, Telecinco), in the press (El Pais, El Mundo, LA Times, NBC News) and on radio programs, and writes a blog called 'SeguridadOfensiva'.



Twitter: @segofensiva

Website: https://www.seguridadofensiva.com

Tools: https://github.com/segofensiva

VoIPShark: Open Source VoIP Analysis Platform

Nishant Sharma, R&D Manager, Pentester Academy

Jeswin Mathai, Security Researcher, Pentester Academy

Ashish Bhangale, Senior Security Researcher, Pentester Academy

Leveraging the packet-switched network for making phone calls, or VoIP, has come a long way. Today, it has already replaced conventional circuit-switching-based telephony in large organizations and is now moving to capture non-commercial users. In this talk, we will focus on traffic-analysis-based security analysis of the SIP and RTP protocols, which are among the most popular protocols for VoIP. These protocols are gaining new adopters at a high rate and are also replacing older protocols like H.323.



We will discuss VoIPShark, an open source VoIP analysis platform which will allow people to analyze live or stored VoIP traffic, easily decrypt encrypted SRTP streams, perform macro analysis, generate summaries specific to VoIP traffic/nodes and export calls/SMS/DTMF in popular user-friendly file formats. We will also be releasing the VoIPShark collection of Wireshark plugins, written in Lua, under the GPL. VoIPShark is plug-n-play, easy to modify/extend and platform independent in nature. We will also discuss the currently available open source tools for SRTP decryption, their shortcomings and how VoIPShark addresses those.

Nishant Sharma is an R&D Manager at Pentester Academy and Attack Defense. He is also the Architect at Hacker Arsenal, where he leads the development of multiple gadgets for WiFi pentesting such as WiMonitor, WiNX and WiMini. He also handles technical content creation and moderation for Pentester Academy TV. He has 6+ years of experience in the information security field, including 4+ years in WiFi security research and development. He has presented/published his work at Black Hat USA/Asia, Wireless Village, IoT Village and Demo Labs (DEF CON). Prior to joining Pentester Academy, he worked as a firmware developer at Mojo Networks, where he contributed to developing new features for enterprise-grade WiFi APs and maintaining the state-of-the-art WiFi Intrusion Prevention System (WIPS). He has a Master's degree in Information Security from IIIT Delhi. He has also published peer-reviewed academic research on HMAC security. His areas of interest include WiFi and IoT security, AD security, Forensics and Cryptography.



LinkedIn: https://www.linkedin.com/in/wifisecguy/

Twitter: @wifisecguy

Facebook: https://www.facebook.com/wifisecguy

Ashish Bhangale is a Senior Security Researcher at Pentester Academy and Attack Defense. He has 6+ years of experience in Network and Web Application Security. He has also worked with state law enforcement agencies in the capacity of a Digital Forensics Investigator and was instrumental in solving IT fraud/crime cases. He was responsible for developing and testing the Chigula (WiFi Forensics Framework) and Chellam (first pure WiFi Firewall) frameworks. He has also created and managed multiple projects like Vulnerable Web Application OSes, Vulnerable Router Project and Damn Vulnerable WordPress. He has presented/published his work at Black Hat, Wireless Village, IoT Village and Demo Labs (DEF CON). His areas of interest include Forensics, WiFi and AD security.

Jeswin Mathai is a Researcher at Pentester Academy and Attack Defense. He has published his work at Black Hat Arsenal and Demo Labs (DEF CON). He has a Bachelor's degree from IIIT Bhubaneswar. He was the team lead at InfoSec Society IIIT Bhubaneswar in association with CDAC and ISEA, which performed security auditing of government portals and conducted awareness workshops for government institutions. He was also part of team Pied Piper, which won Smart India Hackathon 2017, a national-level competition organized by the GoI. His areas of interest include Malware Analysis and Reverse Engineering, Cryptography, WiFi security and Web Application Security.



LinkedIn: https://www.linkedin.com/in/jeswinmathai/

Twitter: @jeswinMathai

Facebook: https://www.facebook.com/jeswinMathai

Tag-side attacks against NFC

Christopher Wade

This talk covers tag-side attacks against NFC communication protocols, including cracking of Mifare encryption keys and performing targeted attacks against NFC readers. In addition, it will cover the design and creation of devices capable of emulating NFC tags down to the raw protocol using standard components and tools, with no abstraction to dedicated hardware, covering and expanding on the capabilities of available products. This talk will cover how 13.56 MHz NFC works at a raw level, how tools can be built for analysing it, how the protocol can be implemented in full on standard microcontrollers, and the security weaknesses present in its design.

Chris is a seasoned security researcher and testing consultant. His main focuses are reverse engineering hardware, fingerprinting USB vulnerabilities and playing with Software Defined Radios, with his key strength lying in firmware analysis, which he utilises as part of the hardware testing team at Pen Test Partners.



https://github.com/Iskuri

@Iskuri1 on Twitter

How to perform security analysis on IoT equipment through building a base station system

XiaoHuiHui, Senior Security Researcher, Baidu, Inc.

Every year billions more smart devices, like those in vending machines, automobile central controls, shared bicycles and smart watches, connect to the network using 2/3/4G technology. On one hand, we need to obtain the data of connections between devices and the cloud to analyze it and find vulnerabilities. On the other hand, as the latest devices do not have as many direct break-in points to exploit, sniffing and man-in-the-middle attacks on 2/3/4G traffic seem to be the trending and effective attacks, which may cause serious security issues such as leaking confidential information and remote command execution.



In this talk, we will first show how to build a test GSM base station system under legal premises, and then introduce a new method (inspired by lessons learned from malicious BTS practices in China) that makes mobile devices connect to the test base station system automatically. Using this method, we can sniff and run MITM attacks easily. This affects all kinds of devices using 2/3/4G. We will demonstrate 4 examples which use this method to find the vulnerability and take control of the devices. At the end, we will present how to build a 4G LTE test base station to perform fast and stable testing on mobile devices.

Shupeng is a member of Baidu Security Lab. He is an expert on IoT security, AI security, penetration testing, etc. He has been invited to talk at multiple security conferences, and successfully pwned IoT equipment at XPwn 2016/2017/2018 and GeekPwn May/October 2017, the biggest pwn competitions in China.