Last week I attended BlackHat EMEA down at the exCel exhibition centre in London. This is an annual trip for me and I’ve been going for a number of years. This is a deep dive conference with some great examples of security research – with many vulnerability analysis reports, tools and hands on demonstrations of some extremely timely issues that exist across our entire security ecosystem. Earlier in the week I attended the two day deep dive Cryptography Attacks course, which provided some detail on vulnerability exploitation within crypto protocols and primitives often found in our IAM ecosystems.
A few highlights for me included:
Briefings
Side Channel Attacks on Intel TDX
Side channel attacks are incredibly powerful attacks against the processing of confidential information such as crypto keys or sensitive data – by analysing external factors such as power consumption, electrical emissions and execution timing. Intel’s Trusted Domain Extension (TDX) (which is used to support confidentiality for data in use) was vulnerable to a particular type of stepping attack that allowed the bad guys to slow down execution of code within the TEE (trusted execution environment) and perform an interrupt based attack. Intel research devised several mitigations that provided a more “defence in depth” protection model.
Security Analysis of Residential Gateways and ISPs
Nearly every home was a router (or residential gateway RG) and we typically also have no insight into the security of the Internet Service Providers (ISP) we use everyday. RG’s are good targets for adversarial activity due to similarity in hardware and software versioning, allowing automated attacks and replication of attack techniques and manipulation of the remote management capability many RGs support. Reading the firmware from a device is an important step in being able to create adversarial “versions” that can then be flashed against other devices – and in turn providing specialist access – simply as many RGs don’t support secure boot and firmware attestation. Other approaches include leveraging hard coded credentials that are based on external facing MAC addresses.
Ways of mitigating such attacks include having a secondary device acting as a firewall before accessing the gateway from the “internal” LAN and leveraging IP address blocking on the external side of the device towards the private address space.
Vulnerabilities in eSIM Download Protocol
SIM cards seem like the will eventually be replaced by a digital version – known as an eSIM. The stages involved in a physical SIM card creation and provisioning are complex with several different stages and operational boundaries, that support the nice separation of duties needed between wafer creation, right through to key generation and personalised. eSIMs aim to streamline all of this with downloadable OTA (over the air) ways of getting SIM related data – which in turn gets stored in a secure eUIC (embedded universal integrated circuit). However, as you can imagine researchers have found vulnerabilities – namely in the activation process, which involves the user engaging an MNO (mobile network operator), scanning a QR code on a mobile app which triggers the eSIM integration process. Clearly the more steps involved here, the more risks that can be exploited. Protection mechanisms reliant on a coarse grained TLS layer provided avenues for attack where verification of the download target were not completed. The talk focused on doing both a formal security analysis and the use of working assumptions – ie assuming that the adversarial activity can occur at multiple parts of the eSIM activation process. Mitigation recommendations included between user verification as well as ownership / mobile device verification for where the eSIM was being downloaded to.
State-Sponsored Mobile Surveillance Malware from Russia, China, and North Korea
This talk from Lookout, provided some great high level information on the motives and tactics, techniques and procedures of threat actors operating at a nation state level – with good coverage on attribution, threat group names and types with a specific focus on the mobile device landscape. There were some interesting approaches based upon social engineering, application download techniques and whether concepts such as device physical access or deception techniques were being leveraged. Relevant counter measures included using basic anti-phishing controls, implementation of mobile anti-virus and threat scanning tools, the use of managed device tooling when operating within the enterprise and having strong mobile policy and end user awareness.
Hidden Vulnerabilities in Automotive MPU
Modern cars are essentially computer systems on wheels – with complex software and hardware platforms powering safety, control and infotainment systems. To that end there have an integrated set of ECU (electronic code unit) and MPU (memory protection unit) components. This talk highlighted vulnerabilities can be exploited within this memory usage area. An MPU is essentially a programmable filtering system to prevent access to memory address ranges – allowing multiple cores to use the same memory hardware without interfering with each others running code. These MPU rules should be set at startup time and made read-only – but the talk explained how this can be manipulated.
Tools from the Arsenal
FaceGSM – Tooling that helps create images that can overcome facial recognition models
WeakPassJS – Collection of tools for cracking and hash-comparing of passwords
MSInvader – Adversary emulation tool for attacking MS Entra IAM services
Firebase Misconfig Detection Toolkit – detects issues with Google Firebase authentication platform
Silver SAML Forger – Tool that can craft forged SAML assertions