Azure Machine Learning bugs, Jailbreaking the Apple HomePod, and a keynote from Microsoft’s security research chief are among the technical talks we can look forward to at Nullcon Goa 2023.

Other innovative research confirmed for the conference, which takes place between September 20-24, includes phone call interception over PSTN, the abuse of vulnerabilities in Meta’s Ray-Ban Stories camera sunglasses to plant footage, and exploiting signature schemes to manipulate an Android APK binary.
John Lambert, who heads up the security research team for Microsoft Security, will confirm his keynote topic for the event’s 14th annual edition soon. Previous roles in his 20-year-plus Microsoft career include founding and leading the Microsoft Threat Intelligence Center (MSTIC), managing the network security team and leading the Microsoft Security Response Center’s (MSRC) engineering team.

Web race condition attacks

In a precis of his latest groundbreaking research, James Kettle, director of research at PortSwigger, asserts that the latent potential of web race condition attacks has “been masked thanks to tricky workflows, missing tooling, and simple network jitter hiding all but the most trivial, obvious examples”. 

In ‘Smashing the State Machine: The True Potential of Web Race Conditions’, James ‘Albinowax’ Kettle will “introduce multiple new classes of race conditions that go far beyond the limit-overrun exploits you’re probably already familiar with”.

The regular Black Hat speaker and HTTP desync attacks pioneer will also “show how to fire salvos of conflicting inputs to make state machines collapse, enabling you to forge trusted data, misroute tokens, and mask backdoors. These exploits will be demonstrated across multiple high-profile websites and a certain popular authentication framework.”

HomePod jailbreak

Mobile vulnerability researcher Tihmstar, meanwhile, will outline various approaches to leveraging the checkm8 bootrom exploit released in 2019 “to execute custom high-level code on vulnerable devices and compare that to previous BootROM exploits”.

Tihmstar will target the Apple HomePod smart speaker to “guide you through the start-to-finish process of getting BootROM code execution, booting the system, progressing to userspace code execution, installing SSH, and system-wide tweaks”. In doing so, he will “answer the two most important questions about HomePod hacking”, namely: “How do I even connect that thing to my computer?” And: “What can I do with a jailbroken HomePod?”

Ray-Ban Stories

Daniel Schwendner, security researcher and DevOps engineer, will revisit the compelling discovery of vulnerabilities in Meta’s Ray-Ban Stories camera sunglasses during a live hacking event. 

“This talk offers an in-depth overview of the reverse engineering process, exploring the smart sunglasses’ companion mobile applications, retrieving and reverse engineering the embedded firmware, as well as the security mechanisms and wireless communication systems they employ,” he explains. 

“The presentation demonstrates how various misconfigurations can be chained together, enabling an attacker to steal videos and inject fake media into the sunglasses’ companion app.”

Azure Machine Learning

Another must-see session will centre on five vulnerabilities in Azure Machine Learning, Microsoft’s Machine Learning as a Service (MLaaS) platform.

“We will demonstrate various analysis techniques we adapted to while researching the service, giving the attendees a glimpse of how managed services like AML can be assessed when there are blurred lines in the shared responsibility model of security {of, in} the cloud,” says Trend Micro senior threat researcher Nitesh Surana.

Android APK attack

Ayan Saha and Achute Sharma, respectively security researcher and security team lead with the Application & Threat Intelligence Research Centre (ATIRC) at Keysight Technologies, will explore the abuse of shortcomings in the signature schemes (v1, v2, v3) used in Android APKs in order to “change an Android APK binary without breaking its signature”.

Among other things, the research duo will show how malicious data can subsequently pass “undetected through AVs when embedded in the legit applications downloaded from Play Store while still preserving its signing signature, and how it is also an effective technique to create variations of malware with lower detection count with the example of Pegasus malware.”

PLC hacking

Anton Dorfman, researcher and reverse engineer, will pull off the impressive trick of hacking the Mitsubishi FX5U PLC when the firmware is inaccessible.

“In this report, we share how we collected information piece by piece and reconstructed the protocol. We describe how we used documentation of similar protocols, error codes, vendor utilities, a PLC simulator, brute force, and other methods,” he says. “We briefly describe the whole bunch of the vulnerabilities found.”

Intercepting phone calls

Meanwhile, Kirils Solovjovs, hacker at Possible Security, will propose a novel method for intercepting phone calls over PSTN, including on mobile networks.

“We’ll briefly discuss the necessary components of the attack, including Caller ID spoofing, SS7, call diverts, and social engineering, and then join this all together to form the novel attack method,” he explains.

Also lined up for Nullcon’s Indian edition are a crash course in fuzzing from senior Google researcher Rushikesh Nandedkar; ‘Captain Kelvin’ of Hardware Ninja testing an open-source, hand-crafted anti-drone device; and security research engineer Gaurav Gogia discussing open-source software that facilitates ‘DevPrivOps’ by detecting and mitigating all privacy violations in pre-deployment applications. 

The Nullcon Goa conference will be split between technical and CXO tracks, plus iOS/macOS, developer and bountycraft tracks, as well as workshops.

Hands-on training

Hands-on training sessions will cover rapid threat model prototyping (RTMP), defending and attacking Kubernetes, practical IoT hacking and web application security, among other topics. A career clinic will also offer informal workshops to help graduates, young professionals and seasoned pros alike further their careers.

As ever, the exhibitor list is a roll call of some of the most prestigious names in tech. Microsoft, Android, Palo Alto Networks, Salesforce, Airtel, Cyble, HackerOne, Innspark, Cyware and ServiceNow will be showcasing their security services and technologies. 

As for Capture the Flag (CTF) competitions, the excitement for Nullcon will ramp up when HackIM kicks off tomorrow (19 August). At Nullcon Goa itself, there will be the usual CTF organized by virtual Nullcon community Winja as well as the SCADA/ICS CTF for hackers with a penchant for compromising industrial systems.

Register for Nullcon today.

Author: Adam Bannister