CONFERENCE

DATE

NAME

CATEGORY

SUBCATEGORY

INFO

2025

DriveThru Car Hacking: Fast Food, Faster Data Breach

CONFERENCE

BLACK HAT ASIA 2025

In-car dash cameras (dashcams) have become a fixture of daily driving, encouraged by insurance companies that offer premium reductions for them or rely on their footage to substantiate claims after an accident. Without proper security measures, however, they are a double-edged sword: the data they record can compromise privacy and leave drivers more exposed to identity theft.

2025

QuickShell: Sharing is Caring About an RCE Attack Chain on Quick Share

CONFERENCE

BLACK HAT ASIA 2025

Quick Share (formerly Nearby Share) has allowed Android users to easily share files for four years now. A year ago, Google introduced a Windows version.

2025

Think Inside the Box: In-the-Wild Abuse of Windows Sandbox in Targeted Attacks

CONFERENCE

BLACK HAT ASIA 2025

Windows Sandbox is a lightweight virtualization mechanism introduced in 2018, designed to provide an isolated desktop environment for quickly testing suspicious applications. However, this feature can also serve as a "magic cloak" for adversaries.

2025

vCenter Lost: How the DCERPC Vulnerabilities Changed the Fate of ESXi

CONFERENCE

BLACK HAT ASIA 2025

As one of the most widely used commercial virtualization platforms, the VMware virtualization suite has long been a focal point of security scrutiny. Over the past few years, we have focused extensively on identifying vulnerabilities within VMware products, particularly in the ESXi and Workstation virtualization implementations.

2025

JDD: In-depth Mining of Java Deserialization Gadget Chains via Bottom-up Gadget Search and Dataflow-aided Payload Construction

CONFERENCE

BLACK HAT ASIA 2025

Java serialization and deserialization facilitate cooperation between different Java systems, enabling convenient data and code exchange. However, a significant vulnerability known as Java Object Injection (JOI) allows remote attackers to inject crafted serialized objects, triggering internal Java methods (gadgets) and resulting in severe consequences such as remote code execution (RCE).

2025

The Oversights Under the Flow: Discovering and Demystifying the Vulnerable Tooling Suites From Azure MLOps

CONFERENCE

BLACK HAT ASIA 2025

As AI workloads move to the cloud, a series of ML/AI tooling suites has been integrated into core Azure DevOps functionality, giving rise to MLOps as the way LLM capabilities are enabled on Azure.

2025

Bridging the Gap: Type Confusion and Boundary Vulnerabilities Between WebAssembly and JavaScript in V8

CONFERENCE

BLACK HAT ASIA 2025

As WebAssembly becomes more integrated into modern web browsers, its interaction with JavaScript creates new opportunities for performance optimization, but also introduces significant security risks. This presentation dives deep into the vulnerabilities emerging from the boundaries between WebAssembly and JavaScript, with a focus on type confusion issues and improper handling of object boundaries within the V8 engine.

2025

Double Tap at the Blackbox: Hacking a Car Remotely Twice with MiTM

CONFERENCE

BLACK HAT ASIA 2025

Obtaining the hardware, extracting firmware, and then reverse engineering to uncover vulnerabilities in automotive systems is a common practice within the vehicle security community. However, access to vehicle components can often be limited—especially for newer models—making it challenging for researchers who do not own the vehicle. Dissecting a car can also be risky and expensive for many security researchers.

2025

The Illusion of Isolation: How Isolation Failures in CI/CD Servers Lead to RCE and Privacy Risks

CONFERENCE

BLACK HAT ASIA 2025

Security research on CI/CD platforms has been a popular topic for many years, but researchers tend to look for flaws that are visibly present in the workflow's individual features rather than auditing the platform implementation itself to understand its mechanisms and identify deeper vulnerabilities.

2025

Unveiling the Mysteries of Qualcomm's QDSP6 JTAG: A Journey into Advanced Theoretical Reverse Engineering

CONFERENCE

BLACK HAT ASIA 2025

This talk invites you on an exploration of advanced reverse engineering techniques applied to sophisticated proprietary hardware. Rather than focusing on well-known hands-on methods such as hardware decapsulation and schematic analysis, I will demonstrate how a unique combination of patent analysis, firmware reverse engineering, and theoretical modeling can unlock the intricacies of undocumented hardware technologies and their application semantics.

2025

Determining Exploitability of Vulnerabilities with SBOM and VEX

CONFERENCE

BLACK HAT ASIA 2025

Software Composition Analysis tools are known to generate a flood of vulnerability data about third-party code. The key challenge today is determining how many of those vulnerabilities are actually exploitable in the products that ship. Many tools have started to address this problem, but it cannot be solved completely without internal developer context on how a third-party package is actually used.
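The triage step the abstract describes, written out as an added example (this is not the speakers' tool): SCA findings are joined against the SBOM and against VEX statements, and only a statement whose justification is consistent with the SBOM is allowed to suppress a finding. The SBOM, findings, statements and VULN-000x identifiers are all constructed placeholders; the status and justification vocabulary follows the CycloneDX/CSAF VEX conventions.

```python
"""
Added example: decide which SCA findings are exploitable by combining an
SBOM with VEX statements.  All data below is constructed; the VULN-000x
identifiers and component names are placeholders, not real advisories.
"""
from dataclasses import dataclass

# Minimal SBOM: component name -> shipped version (constructed sample).
SBOM = {
    "example-json": "2.3.1",
    "example-http": "1.9.0",
    "example-yaml": "5.4.2",
}

# Raw SCA output as (component, version, vulnerability id) (constructed).
SCA_FINDINGS = [
    ("example-json", "2.3.1", "VULN-0001"),
    ("example-http", "1.9.0", "VULN-0002"),
    ("example-yaml", "5.4.2", "VULN-0003"),
    ("example-yaml", "5.4.2", "VULN-0004"),
]

# VEX statements.  The justification is where the developer context lives
# (e.g. "the vulnerable function is never called from our code").
VEX = [
    {"id": "VULN-0001", "component": "example-json", "status": "not_affected",
     "justification": "vulnerable_code_not_in_execute_path"},
    {"id": "VULN-0002", "component": "example-http", "status": "affected"},
    {"id": "VULN-0003", "component": "example-yaml", "status": "not_affected",
     "justification": "component_not_present"},   # stale: the SBOM lists it
    # VULN-0004 deliberately has no statement.
]

VALID_STATUSES = {"not_affected", "affected", "fixed", "under_investigation"}


@dataclass(frozen=True)
class Triage:
    exploitable: list   # findings that still need a fix
    suppressed: list    # findings a consistent VEX statement rules out
    needs_review: list  # no statement, or a statement that contradicts the SBOM


def triage(sbom, findings, vex):
    by_key = {(s["id"], s["component"]): s for s in vex}
    exploitable, suppressed, needs_review = [], [], []
    for component, version, vuln_id in findings:
        # A finding for a component/version not in the SBOM is scanner noise.
        if sbom.get(component) != version:
            needs_review.append((vuln_id, component, "not in SBOM at this version"))
            continue
        stmt = by_key.get((vuln_id, component))
        if stmt is None:
            needs_review.append((vuln_id, component, "no VEX statement"))
        elif stmt["status"] not in VALID_STATUSES:
            needs_review.append((vuln_id, component, "unknown status"))
        elif stmt["status"] == "not_affected":
            # A not_affected statement must carry a justification, and
            # component_not_present is a lie when the SBOM lists the component.
            if stmt.get("justification") == "component_not_present":
                needs_review.append((vuln_id, component, "VEX contradicts SBOM"))
            elif not stmt.get("justification"):
                needs_review.append((vuln_id, component, "not_affected without justification"))
            else:
                suppressed.append((vuln_id, component, stmt["justification"]))
        elif stmt["status"] == "fixed":
            suppressed.append((vuln_id, component, "fixed"))
        else:  # affected or under_investigation stays on the work list
            exploitable.append((vuln_id, component, stmt["status"]))
    return Triage(exploitable, suppressed, needs_review)


if __name__ == "__main__":
    result = triage(SBOM, SCA_FINDINGS, VEX)
    print("exploitable :", result.exploitable)
    print("suppressed  :", result.suppressed)
    print("needs review:", result.needs_review)
```

The point of the cross-check is that VEX is only as good as its consistency with the SBOM: a stale "component_not_present" statement must surface for review rather than silently hide a finding.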

2025

Enhancing Modern Threat Intelligence: The Pivotal Role of Large Language Models in Extracting Actionable TTP Attack Chains

CONFERENCE

BLACK HAT ASIA 2025

The use of LLMs in the security landscape is now widespread and has become standard practice across the industry. In threat intelligence, LLMs have proven exceptionally capable at extracting IOCs and summarizing cyberattack reports, significantly enhancing the efficiency and precision of threat intelligence processing.

2025

One Bug to Rule Them All: Stably Exploiting a Preauth RCE Vulnerability on Windows Server 2025

CONFERENCE

BLACK HAT ASIA 2025

As new security protection mechanisms for the Windows operating system are constantly proposed and applied, it is becoming increasingly difficult to find exploitable vulnerabilities on current Windows, especially ones that allow preauth, 0-click RCE. But are there really no such vulnerabilities left?

2025

Foreign Information Manipulation and Interference (Disinformation 2.0) - How Patterns of Behavior in the Information Domain Threaten or Attack Organizations' Values, Procedures and Political Processes

CONFERENCE

BLACK HAT ASIA 2025

Over the past decade, foreign information manipulation and interference (FIMI) operations have grown in complexity and scope. More specifically, Russia and China have continuously invested resources into developing their hybrid warfare strategy. Hybrid warfare goes beyond physical confrontation.

2025

KernJC: Automated Vulnerable Environment Generation for Linux Kernel Vulnerabilities

CONFERENCE

BLACK HAT ASIA 2025

Linux kernel vulnerability reproduction is a critical task in system security. To reproduce a kernel vulnerability, the vulnerable environment and the Proof of Concept (PoC) program are needed. Most existing research focuses on the generation of PoC, while the construction of the environment is overlooked.

2025

Mini-App But Great Impact: New Ways to Compromise Mobile Apps

CONFERENCE

BLACK HAT ASIA 2025

In the mobile app ecosystem, super-apps serve as platforms hosting mini-apps, facilitating cross-platform operation across Android and iOS. Traditionally, attacks on mobile apps have targeted native applications, web pages, and networks. Our research pioneers a novel exploitation vector targeting mobile apps via mini-apps.

2025

Should We Chat, Too? Security Analysis of WeChat's MMTLS Encryption Protocol

CONFERENCE

BLACK HAT ASIA 2025

WeChat, with over 1.2 billion monthly active users, stands as the most popular messaging and social media platform in China and third globally. Instead of TLS, WeChat mainly uses a proprietary network encryption protocol called "MMTLS". We performed the first public analysis of the security and privacy properties of MMTLS and found it to be a modified version of TLS 1.3, with many of the modifications that WeChat developers made to the cryptography introducing weaknesses.

2025

Invisible Ink: Privacy Risks of CSS in Browsers and Emails

CONFERENCE

BLACK HAT ASIA 2025

Recently, Google Chrome and other browsers have started restricting traditional tracking methods, such as third-party cookies, to improve user privacy. Still, websites can leverage browser fingerprinting to track users across websites, even when they try to protect their privacy. Interestingly, the same principles can be leveraged to enhance the security of web applications, such as in risk-based authentication, where users are identified based on their browser fingerprint.

2025

Operation BlackEcho: Voice Phishing Using Fake Financial and Vaccine Apps

CONFERENCE

BLACK HAT ASIA 2025

Voice phishing (a.k.a. vishing) is a crime in which scammers deceive victims through phone calls in order to fraudulently obtain funds or steal personal information.

2025

Watch Your Phone: Novel USB-Based File Access Attacks Against Mobile Devices

CONFERENCE

BLACK HAT ASIA 2025

Modern mobile OSs employ lock screens and user confirmation prompts to shield sensitive data from attackers with access to the device's USB port. In this talk, we present novel attacks and attack techniques that bypass both of these critical security mechanisms to gain USB-based file access on state-of-the-art mobile devices.

2025

(Mis)adventures with Copilot+: Attacking and Exploiting Windows NPU Drivers

CONFERENCE

BLACK HAT ASIA 2025

In May 2024, Microsoft introduced a new category of PCs designed for AI, called Copilot+ PCs. According to Microsoft, these PCs start a new chapter of AI integration on Windows and, thus, in personal computing. Each device has an NPU that lets it run Large Language Models (LLMs) locally. But how exactly were those NPUs integrated into Windows?

2025

Behind Closed Doors - Bypassing RFID Readers

CONFERENCE

BLACK HAT ASIA 2025

Cloning RFID tags - you probably tried it, or at least heard about it.

2025

Impostor Syndrome - Hacking Apple MDMs Using Rogue Device Enrolments

CONFERENCE

BLACK HAT ASIA 2025

Apple's solution for mobile device management seems like an airtight process. Enterprise customers buy devices from registered retailers, these are automatically registered in Apple Business Manager which in turn integrates seamlessly with the customer's choice of MDM platform. A company can have devices set up and shipped to remote employees without ever touching them.

2025

Standing on the Shoulders of Giants: De-Obfuscating WebAssembly Using LLVM

CONFERENCE

BLACK HAT ASIA 2025

WebAssembly (Wasm) is an increasingly popular compilation target, offering a compact representation, efficient validation and compilation, and safe execution with little or no overhead. Wasm is popular not only in browsers but is also finding adoption across various other platforms. As its use grows, so does the need to obfuscate it, and in turn the need to de-obfuscate it. In this talk we will discuss how to de-obfuscate Wasm code using the LLVM compiler infrastructure.

2025

A Closer Look at the Gaps in the Grid: New Vulnerabilities and Exploits Affecting Solar Power Systems

CONFERENCE

BLACK HAT ASIA 2025

Distributed energy resources (DER), such as solar power systems, are rapidly becoming essential elements of power grids worldwide. However, cybersecurity for these systems is often an afterthought, creating a growing risk to grid reliability. While each residential solar system produces limited power, their combined output reaches dozens of gigawatts — making their collective impact on grid stability too significant to ignore.

2025

CDN Cannon: Exploiting CDN Back-to-Origin Strategies for Amplification Attacks

CONFERENCE

BLACK HAT ASIA 2025

Content Delivery Networks (CDNs) are widely adopted to enhance web performance and offer protection against DDoS attacks. However, our research unveils a critical vulnerability within CDN back-to-origin strategies that allows attackers to exploit these mechanisms for massive amplification attacks, termed Back-to-Origin Amplification (BtOAmp) attacks. These attacks leverage CDN configurations that prioritize performance over security, leading to the exhaustion of origin server resources.

2025

I Have Got to Warn You, It Is a Learning Robot: Using Deep Learning Attribution Methods for Fault Injection Attacks

CONFERENCE

BLACK HAT ASIA 2025

Deep Learning (DL) has recently received significant attention in breaking cryptographic implementations on embedded systems. However, research on the subject mostly focused on side-channel attacks (SCAs).

2025

The Drone Supply Chain's Grand Siege: From Initial Breaches to Long-Term Espionage on High-Value Targets

CONFERENCE

BLACK HAT ASIA 2025

In mid-2024, we disclosed a cyber campaign named TIDRONE, attributed to an unidentified threat actor likely linked to Chinese-speaking groups. This campaign revealed a strong focus on the military industry, specifically targeting drone manufacturers in Taiwan.

2025

Dismantling the SEOS Protocol

CONFERENCE

BLACK HAT ASIA 2025

In this talk, we present the first open source implementation of the HID SEOS communication protocol over RFID. HID SEOS is a credential technology designed to provide enhanced security, flexibility, and convenience for access control and identity management applications.

2025

KernelSnitch: Leaking Kernel Heap Pointers by Exploiting Software-Induced Side-Channel Leakage of Kernel Hash Tables

CONFERENCE

BLACK HAT ASIA 2025

In this talk, we present KernelSnitch, a generic software-induced side-channel attack on the operating system. This new side channel opens up a novel attack surface in operating systems that is both potent and difficult to patch.

2025

The ByzRP Solution: A Global Operational Shield for RPKI Validators

CONFERENCE

BLACK HAT ASIA 2025

The Border Gateway Protocol (BGP) is the core routing protocol on the Internet, but it lacks security mechanisms. At the same time, the democratization of access has transformed the Internet into the default platform, where global services and communications happen.
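For readers unfamiliar with what an RPKI validator actually feeds to routers, the following added example (not the ByzRP project's code) implements Route Origin Validation as specified in RFC 6811: a route announcement is checked against the validated ROA payloads a validator emits and classified as valid, invalid or not found. The ROA set and the announcements are constructed; the prefixes are documentation ranges and the AS numbers are from the private range.

```python
"""
Added example: RFC 6811 Route Origin Validation over a constructed ROA set.
The prefixes are documentation ranges and the ASNs are private-use values;
nothing here is real Internet routing data.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class ROA:
    prefix: str       # authorised prefix, e.g. "203.0.113.0/24"
    max_length: int   # longest more-specific the holder may announce
    origin_as: int    # AS authorised to originate it


# Validated ROA payloads, as a validator would hand them to a router.
ROAS = [
    ROA("203.0.113.0/24", 24, 64496),
    ROA("198.51.100.0/22", 24, 64497),
    ROA("2001:db8::/32", 48, 64498),
]


def validate(prefix: str, origin_as: int, roas=ROAS) -> str:
    """Return 'valid', 'invalid' or 'not_found' for one announcement."""
    route = ipaddress.ip_network(prefix, strict=True)
    # Covering ROAs: same address family and ROA prefix contains the route.
    covering = []
    for roa in roas:
        net = ipaddress.ip_network(roa.prefix)
        if net.version == route.version and route.subnet_of(net):
            covering.append(roa)
    if not covering:
        return "not_found"        # RPKI has no opinion on this prefix
    for roa in covering:
        # A ROA matches only if the origin AS is right AND the announced
        # prefix is no longer than the ROA's maxLength.
        if roa.origin_as == origin_as and route.prefixlen <= roa.max_length:
            return "valid"
    # Covered, but no ROA authorises this origin/length: a hijack, a
    # more-specific leak, or simply a misconfigured ROA.
    return "invalid"


def validate_many(announcements, roas=ROAS):
    """Classify a list of (prefix, origin_as) pairs."""
    return [(p, asn, validate(p, asn, roas)) for p, asn in announcements]


if __name__ == "__main__":
    sample = [
        ("203.0.113.0/24", 64496),   # exact match
        ("203.0.113.0/25", 64496),   # too specific for maxLength 24
        ("203.0.113.0/24", 64499),   # wrong origin AS
        ("198.51.100.0/24", 64497),  # more-specific within maxLength
        ("192.0.2.0/24", 64496),     # no covering ROA
        ("2001:db8:1::/48", 64498),  # IPv6, within maxLength
    ]
    for prefix, asn, state in validate_many(sample):
        print(f"{prefix:<20} AS{asn}  {state}")
```

Two operational details follow from the code: a route with state "not_found" is not protected at all, which is why ROA coverage matters, and whatever the router does with "invalid" (drop, depref) is a local policy decision; the validator itself only produces the ROA set, so an unavailable or poisoned validator silently pushes every route towards "not_found".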

2025

The Problems of Embedded Python in Excel, or How to Excel in Pwning Pandas

CONFERENCE

BLACK HAT ASIA 2025

In Windows build 2407, Microsoft released Python support inside Excel as embedded =PY() functions. According to the Microsoft website: "Python in Excel brings the power of Python analytics into Excel.

2025

AI-Powered Image-Based Command and Control (C2) Framework: Utilizing AI Models to Conceal and Extract Commands in C2 Images

CONFERENCE

BLACK HAT ASIA 2025

Generative AI concentrates on generating novel and unique content in various forms, including text, image, and video. Many researchers focus on utilizing GenAI models to improve our lives or identifying vulnerabilities in GenAI models.

2025

Inbox Invasion: Exploiting MIME Ambiguities to Evade Email Attachment Detectors

CONFERENCE

BLACK HAT ASIA 2025

Email attachments have become a favored delivery vector for malware campaigns. In response, email attachment detectors are widely deployed to safeguard email security. However, an emerging threat arises when adversaries exploit parsing discrepancies between email detectors and clients to evade detection. Currently, uncovering these vulnerabilities still depends on manual, ad hoc methods.
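One concrete instance of the parsing discrepancy the abstract describes, as an added example that is not the speakers' tooling: an attachment part carrying a duplicated Content-Type header and a filename in Content-Disposition that disagrees with the legacy name parameter in Content-Type. Which value a component uses (first header or last, disposition filename or content-type name) is implementation-defined, so a detector and a mail client can disagree about the same bytes. The message is constructed and the filenames are placeholders; the final function is the check a detector would run before trusting any of these fields.

```python
"""
Added example: expose a MIME parsing discrepancy and detect it.
The message below is constructed for illustration; the filenames are
placeholders.  Python's email package (compat32 policy) is used only as
one concrete "first header wins" parser.
"""
import email
from email import policy
from email.message import Message

# Constructed sample: the attachment part carries conflicting metadata.
RAW_MESSAGE = """\
From: sender@example.invalid
To: victim@example.invalid
Subject: quarterly report
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset="us-ascii"

Please see the attached report.
--b1
Content-Type: text/plain; name="report.exe"
Content-Type: application/octet-stream; name="report.exe"
Content-Disposition: attachment; filename="report.txt"
Content-Transfer-Encoding: base64

SGVsbG8sIHdvcmxkLg==
--b1--
"""

# Headers whose duplication changes how a part is handled.
STRUCTURAL = ("Content-Type", "Content-Disposition", "Content-Transfer-Encoding")


def parse(raw: str) -> Message:
    # compat32 keeps duplicate headers instead of rejecting the message.
    return email.message_from_string(raw, policy=policy.compat32)


def attachment_parts(msg: Message):
    """Parts that any reasonable client might save to disk."""
    return [p for p in msg.walk()
            if p.get_content_disposition() == "attachment"
            or p.get_param("name", header="content-type")]


def content_type_first(part: Message) -> str:
    # A parser that honours the first header instance.
    return part.get_content_type()


def content_type_last(part: Message) -> str:
    # A parser that overwrites on duplicates and so keeps the last instance.
    values = part.get_all("Content-Type") or []
    return values[-1].split(";")[0].strip().lower() if values else "text/plain"


def filename_disposition(part: Message):
    return part.get_param("filename", header="content-disposition")


def filename_content_type(part: Message):
    # Legacy RFC 1341 'name' parameter some clients still fall back to.
    return part.get_param("name", header="content-type")


def ambiguities(part: Message) -> list:
    """Reasons this part is ambiguous; an empty list means it is clean."""
    reasons = []
    for h in STRUCTURAL:
        vals = part.get_all(h) or []
        if len(vals) > 1:
            reasons.append(f"{h} appears {len(vals)} times")
    d, n = filename_disposition(part), filename_content_type(part)
    if d and n and d != n:
        reasons.append(f"filename mismatch: disposition={d!r} content-type name={n!r}")
    return reasons


if __name__ == "__main__":
    for part in attachment_parts(parse(RAW_MESSAGE)):
        print("first-header type :", content_type_first(part))
        print("last-header type  :", content_type_last(part))
        print("disposition name  :", filename_disposition(part))
        print("content-type name :", filename_content_type(part))
        print("ambiguities       :", ambiguities(part))
```

A detector that sees text/plain and report.txt will not run its executable-attachment rules, while a client that keeps the last Content-Type and falls back to the name parameter saves an application/octet-stream file called report.exe. Rejecting or quarantining any part for which ambiguities() is non-empty removes the discrepancy instead of trying to guess which parser the client uses.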

2025

State Manipulation: Unveiling New Attack Vectors in Bluetooth Vulnerability Discovery through Protocol State Machine Reconfiguration

CONFERENCE

BLACK HAT ASIA 2025

The Bluetooth protocol has become ubiquitous, supporting a wide range of devices from personal gadgets like headphones and smartphones to complex systems in automotive and IoT environments. While Bluetooth's flexibility and performance have been thoroughly validated, an overlooked attack surface exists within the protocol's underlying state machines.

2025

Sweeping the Blockchain: Unmasking Illicit Accounts in Web3 Scams

CONFERENCE

BLACK HAT ASIA 2025

Web3 applications, especially on the Ethereum platform, have grown rapidly in recent years and are becoming a target for scammers. Web3 scams imitate the services provided by legitimate platforms and mimic regular activity in order to deceive users.

2025

Remote Exploitation of Nissan Leaf: Controlling Critical Body Elements from the Internet

CONFERENCE

BLACK HAT ASIA 2025

Today's vehicles are evolving rapidly, with a rising number of electric models and an expanding array of digital technologies, such as onboard Wi-Fi, Bluetooth, and USB connectivity. These advancements are making cars increasingly connected and technologically complex. However, most vehicles still have largely proprietary internal systems, which, coupled with the critical importance of automotive safety, makes them a significant area of focus for security research.

2025

Weaponized Deception: Lessons from Indonesia's Muslim Cyber Army

CONFERENCE

BLACK HAT ASIA 2025

A defunct Indonesian cyber deception collective of attackers known as Muslim Cyber Army (MCA) modeled one of the first known examples of weaponizing deception and disinformation to disrupt Indonesian politics more than a decade ago, well before the notorious Russian attempts to undermine American electoral politics in 2016.

2022

Zooming in on Zero-click Exploits

CONFERENCE

RECON 2022

Zoom is a video conferencing solution that has gained popularity throughout the pandemic. It is also one of the more interesting targets that I have reverse engineered in some time. This talk describes my security analysis of Zoom's client and server, with a focus on the reverse engineering challenges. It covers understanding large systems, analyzing software and protocols with Frida, fuzzing non-relocatable binaries and much more.

2022

Reverse engineering of black-box binaries with symbolic and concolic execution techniques 

CONFERENCE

RECON 2022

Big control-flow graphs are scary! Imagine opening a target and IDA tells you that the graph is too big to be displayed on screen. A great tool to circumvent this issue is symbolic execution, a technique where you can match binary state with the corresponding input that caused its execution.

2022

Instrumenting system applications on Android stock images 

CONFERENCE

RECON 2022

Android has the largest install base in the mobile landscape, and with it come many vendors and telecom operators that install system applications on stock images. These are usually background applications running with high privileges, which the user can't uninstall and in some cases can't even disable.

2022

Reversing an M32C firmware -- Lesson learned from playing with an uncommon architecture 

CONFERENCE

RECON 2022

While busy hacking the planet, have you ever encountered an unfamiliar architecture and simply had no idea where to start? You pried the firmware from a reluctant (and almost not smoldering) flash chip, loaded the thing in IDA, but what's next?

2022

Breaking the Glass Sandbox: Find Linux Kernel Bugs and Escape 

CONFERENCE

RECON 2022

Linux kernel bugs are plentiful and also powerful. However, sandboxing limits the amount of kernel code that is reachable from within (like an Android app, for example).

2022

Researching the Unisoc baseband, like in the army 

CONFERENCE

RECON 2022

For the first time, we looked at the Unisoc baseband as a target for security research. We reverse-engineered and fuzzed the implementation of the NAS protocol to find a way to disrupt the device's radio communication with a malformed packet.

2022

The Next Generation of Virtualization-based Obfuscators 

CONFERENCE

RECON 2022

Our talk first gives an overview of contemporary code obfuscation schemes, where we focus on the design & architecture of virtual machines. Then, we work out the weaknesses of well-established approaches and discuss how modern virtual machines can be broken in a (semi-)automated fashion. Afterward, we present the core design principles behind the next generation of virtual machines and highlight how they abuse inherent weaknesses of the deobfuscation techniques in order to provide long-lasting resilience. We conclude the talk by pointing out that such techniques will shape the landscape of modern obfuscation in the next few years; further, we outline required advances in code deobfuscation research to tackle such virtual machines.

2022

Project TEMPA - Demystifying Tesla's Bluetooth Passive Entry system

CONFERENCE

RECON 2022

The security of Tesla's cars has been a hot topic in recent months. In addition to being one of the safest cars on the road, it is also well-protected from hacks and attacks. But how does Tesla make sure their vehicles are safe and secure?

2022

Function overrides, from a Security mitigation to a fully-fledged Performance Feature in Windows 

CONFERENCE

RECON 2022

Function Overrides is a new technology developed in collaboration with multiple teams in Microsoft and distributed as a part of the new Windows 11 SV2 (Sun Valley 2), also known as 22H2. It started as a Security mitigation and slowly became a fully-fledged performance feature implemented in the entire Windows Kernel. This talk will describe it, giving an introduction about the base problem that the OS Engineers wanted to solve (memory safety bugs) and a detailed description of its implementation and future evolution.

2022

Living Off the Walled Garden: Abusing the Features of the Early Launch Antimalware Ecosystem 

CONFERENCE

RECON 2022

Early Launch Antimalware (ELAM) functionality in Windows offers robust anti-tampering mitigations whereby security vendors declare a Microsoft-approved list of explicitly allowed signers to run as protected (PPL) services. Microsoft makes clear that these mitigations are best-effort attempts to mitigate against security product tampering by labeling ELAM and PPL "defense-in-depth security features." This talk aims to make clear why these mitigations are "best-effort" and ultimately indefensible.

2022

Malware Wars: DarkSide Strikes Back as BlackMatter 

CONFERENCE

RECON 2022

Ransomware, and malware as a whole, does not exist in a vacuum; it is often developed to accomplish a goal, whether to further an espionage campaign or for monetary gain. Ransomware, in particular, is a fast-moving landscape driven by an intricate web of operators, tools and mystery. 

2022

Pulling MikroTik into the Limelight: Demystifying and Jailbreaking RouterOS 

CONFERENCE

RECON 2022

In the wide expanse of router manufacturers and models, there is one reverse engineering target that stands out from the rest: MikroTik. Unlike many routers which run a patchwork of services that vary widely across models and firmware versions, MikroTik maintains a uniform, standardized operating system, RouterOS, which runs across all router models. 

2022

Under the hood of Wslink’s multilayered virtual machine 

CONFERENCE

RECON 2022

Wslink is a unique loader, linked to the Lazarus group, that we first documented at the end of last year. Most Wslink samples are packed and protected with an advanced virtual machine (VM) obfuscator; the samples contain no clear artifacts, such as specific section names, that would easily link them to an already known and publicly described obfuscator. The VM additionally introduces several other obfuscation techniques, such as junk code insertion, encoding of virtual operands, duplication of virtual opcodes, opaque predicates, merging of virtual instructions, and a nested VM.

2022

A Dirty Little History: Bypassing Spectre Hardware Defenses to Leak Kernel Data 

CONFERENCE

RECON 2022

Back in 2018 when Spectre was found, you could exploit its second and most dangerous variant (Spectre-v2) to easily leak arbitrary data across privilege levels. As a result, OS developers initially deployed various stopgap software mitigations—with non-negligible performance overhead. Luckily Intel and Arm released more efficient hardware defenses which now are the de-facto solutions on every modern system.

2022

Detect Me If You Can - Anti-Firmware Forensics

CONFERENCE

RECON 2022

As firmware threats become more prevalent, security companies are starting to provide UEFI firmware scanners to detect malicious firmware implants. These scanners first acquire the firmware image from the SPI flash memory on the hardware, then parse and scan the image against known signatures.

2022

Dotnetfile: parsing .NET PE files has never been easier

CONFERENCE

RECON 2022

The .NET PE file format is one of the most complicated file formats, documented in hundreds of pages of technical spec. Parsing the .NET PE file format without reliance on the .NET framework is a challenging task. In addition, .NET is popular amongst malware authors, offering high-level programming capabilities and useful features for malware development.
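The first thing any .NET-aware parser has to do without the .NET framework is walk the PE headers to the CLI header (IMAGE_COR20_HEADER, reachable through data directory entry 14) and then translate its RVAs to file offsets through the section table. The following added example does exactly that with only the standard library; it is not the Dotnetfile library's code. The PE image it parses is built in memory for illustration, and its RVAs, sizes and entry-point token are made-up values.

```python
"""
Added example: locate and decode the CLI (IMAGE_COR20) header of a .NET PE
file with the standard library only.  The sample image is constructed in
memory; its RVAs, sizes and metadata token are illustrative values.
"""
import struct

IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR = 14   # data directory slot of the CLI header
COMIMAGE_FLAGS_ILONLY = 0x1
COR20_HEADER_SIZE = 72


def _sections(data, sec_off, count):
    out = []
    for i in range(count):
        name, vsize, vaddr, rawsize, rawptr = struct.unpack_from("<8sIIII", data, sec_off + i * 40)
        out.append((name.rstrip(b"\0"), vaddr, vsize, rawptr, rawsize))
    return out


def _rva_to_offset(sections, rva):
    for _, vaddr, vsize, rawptr, rawsize in sections:
        if vaddr <= rva < vaddr + max(vsize, rawsize):
            return rawptr + (rva - vaddr)
    raise ValueError(f"RVA {rva:#x} is not backed by any section")


def describe_clr(data: bytes) -> dict:
    """Return CLI header facts for a PE image, or is_dotnet=False for native code."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    _, nsect, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, e_lfanew + 4)
    opt = e_lfanew + 24
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == 0x10B:              # PE32
        nrva_off, dd_off = opt + 92, opt + 96
    elif magic == 0x20B:            # PE32+
        nrva_off, dd_off = opt + 108, opt + 112
    else:
        raise ValueError(f"unknown optional header magic {magic:#x}")
    info = {"is_dotnet": False}
    nrva = struct.unpack_from("<I", data, nrva_off)[0]
    if nrva <= IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR:
        return info                 # directory table too short to hold a CLI entry
    clr_rva, clr_size = struct.unpack_from("<II", data, dd_off + 8 * IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR)
    if clr_rva == 0 or clr_size < COR20_HEADER_SIZE:
        return info
    sections = _sections(data, opt + opt_size, nsect)
    off = _rva_to_offset(sections, clr_rva)
    cb, major, minor, md_rva, md_size, flags, ep_token = struct.unpack_from("<IHHIIII", data, off)
    if cb < COR20_HEADER_SIZE:
        return info
    md_off = _rva_to_offset(sections, md_rva)
    info.update(
        is_dotnet=True,
        runtime_version=f"{major}.{minor}",
        ilonly=bool(flags & COMIMAGE_FLAGS_ILONLY),
        entry_point_token=ep_token,
        metadata_size=md_size,
        metadata_signature_ok=data[md_off:md_off + 4] == b"BSJB",   # metadata root magic
    )
    return info


def build_sample_pe(dotnet: bool = True) -> bytes:
    """Constructed minimal PE32 image with one section (illustrative values)."""
    buf = bytearray(0x400)
    buf[0:2] = b"MZ"
    struct.pack_into("<I", buf, 0x3C, 0x80)                       # e_lfanew
    pe = 0x80
    buf[pe:pe + 4] = b"PE\0\0"
    struct.pack_into("<HHIIIHH", buf, pe + 4, 0x14C, 1, 0, 0, 0, 224, 0x0102)
    opt = pe + 24
    struct.pack_into("<H", buf, opt, 0x10B)                       # PE32 magic
    struct.pack_into("<I", buf, opt + 92, 16)                     # NumberOfRvaAndSizes
    if dotnet:
        struct.pack_into("<II", buf, opt + 96 + 8 * 14, 0x2008, COR20_HEADER_SIZE)
    # .text: RVA 0x2000, raw data at file offset 0x200
    struct.pack_into("<8sIIII", buf, opt + 224, b".text", 0x100, 0x2000, 0x200, 0x200)
    # COR20 header at RVA 0x2008 -> offset 0x208; metadata root at RVA 0x2050 -> 0x250
    struct.pack_into("<IHHIIII", buf, 0x208, COR20_HEADER_SIZE, 2, 5, 0x2050, 0x80, 0x1, 0x06000001)
    buf[0x250:0x254] = b"BSJB"
    return bytes(buf)


if __name__ == "__main__":
    print(describe_clr(build_sample_pe()))
    print(describe_clr(build_sample_pe(dotnet=False)))
```

Everything beyond this point (the metadata streams, the #~ tables, method bodies) hangs off the metadata RVA decoded here, so getting the RVA-to-offset translation right against a possibly malformed section table is the part a malware-oriented parser has to harden first.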

2022

When Wireless Malware Stays On After Turning Off iPhones 

CONFERENCE

RECON 2022

After power off, modern iPhones keep their wireless chips on. Find My advertisements are sent by the Bluetooth chip upon user-initiated and automated low-power shutdown since iOS 15.