SyScan, day 1

Opening speech: Thomas Lim

Thomas gave a great introduction: the conference is as big as ever and attracted a whole bunch of different people. BlackHat Asia is going to stay in Singapore, so there will be some challenges in the future. Most speakers, on the other hand, preferred to drop their 0days at SyScan instead of BH.

Car Hacking for Poories: Charlie Miller and Chris Valasek

Charlie and Chris talked about their great car hacking research done on the cheap. They basically bought a bunch of ECUs off eBay and started wiring them together, ending up with a fully functional car without the car parts (i.e., just the electronics). One of the nicer attack vectors is to own one of these ECUs and start sending CAN bus messages around to, e.g., stop the car, accelerate, turn the steering wheel and so on.

Setup for Failure: Defeating SecureBoot: Corey Kallenberg

Corey talked about new ways to bypass UEFI Secure Boot by temporarily suppressing SMM. He had a bunch of different exploits that allowed them to disable the write-protection of the flash and upload their own rootkit early in the startup process. Many of the BIOSes that are currently in use are broken and most of them can easily be compromised.

Mission mPOSsible: Nils and Jon Butler

Compared to magnetic stripe readers like the ones Square offers, there are also more sophisticated point-of-sale devices that handle chip and PIN and are supposed to be secure. Nils and Jon bought a couple of mobile point-of-sale devices and found that they (i) had USB serial connectors and (ii) were vulnerable to a bunch of command injection vulnerabilities. Pwned.

Scientific Best Practices for Recurrent Problems in Computer Security R&D: Daniel Bilar

Daniel talked about a large set of talks we should have watched in the last 1-2 years. He presented research highlights from hacker talks and how those hacking results were adopted in academia. The takeaway: adhere to best practices and follow sound statistics and methodologies when developing your research.

Deep-Submicron Backdoor: Alfredo Ortega

Let's add a backdoor to the VLSI code of a chip. What would such a backdoor look like and what kind of capabilities could we add? Adding a small malicious state machine between the CPU and the memory bus to provide peek/poke functionality lets you implement a debugger. The whole debugger can be implemented in a few lines of VLSI code. The talk included an awesome 3D flight through the individual layers of the rendered chip. His second backdoor uses long pins to emit radio frequency signals that send data from the chip to a receiver outside (basically implementing a neat covert channel). Alfredo included a nice demo that showed how he can exfiltrate keypress data from a running chip.

RFIDler: Adam Laurie

A project inspired by software defined radio that brings software to RFID. The idea is to have software defined RFID tools that allow hacking, tinkering, and fooling around. Existing tools like the Proxmark3 are too complicated and too expensive. The FUNcube receiver is a great, cheap SDR that one can use to play around. Development time: 1 hour from seeing a new kind of tag to walking into the building. RFID should not be used for access control!

After all the main talks were over we headed over to Brewerks for BarCon, where we listened to some more talks while we had some beers (and later food and more beers).

Expr'ssing Your Heart's True Desire with LLDB Expressions: Miaubiz

Miaubiz talked about different LLDB hacks he did to enable a smoother debugging experience on iOS. Big audio problems stopped this talk from being awesome.

Getting User Credentials is not only Admin's Privilege: Anton Sapozhnikow

Anton talked about alternative ways to get access to user credentials (usernames and passwords) using an indirect loop through the web browser. Nice attack.

From New Zealand with Fail: Dean Carter and Shahn Harris

Great talk about all the infosec fails that happened in New Zealand in the last couple of years; lots of laughs and fun!