Day 1: Interesting talks about Putin’s Shadow war, the phone of Paris Hilton and SAP as cyber weapon
Day 2: AI in phishing campaigns, privacy in a COVID tracking app, and micro attack simulations
Can we have privacy in a government mandated COVID tracking app? That was a question asked by Abraham Aranguren, a security researcher from 7ASecurity. He analysed the "LeaveHomeSafe" app, which was used by the Hong Kong government to track and prevent the spread of COVID-19. All residents had to install and use this app to scan a QR code whenever they left their homes and visited a place of business.
Several critical security issues were discovered in the iOS and Android applications, including an authentication bypass, exposure to man-in-the-middle attacks due to missing TLS certificate validation, and many more...
The disclosure of these vulnerabilities to the Hong Kong government was met with resistance. In accordance with the responsible disclosure process, the report was sent privately to the appropriate government body. After one month without any sort of human response, the report was released publicly. Only then did the government provide a public statement, in which it attempted to discredit the findings and claimed the report was "unfair and inaccurate". Soon after, a new version of the mobile app was released, in which none of the reported vulnerabilities had been fixed...
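The "missing TLS certificate validation" finding above is a configuration defect that is easy to audit for in your own code before a pentester does. The following is an added example (not code from the LeaveHomeSafe app, the 7ASecurity report or the talk) written in Python with the standard ssl module: it builds the weak client configuration beside the hardened one and runs a small audit function over each. The function and finding texts are constructed for this illustration.

```python
"""Added example: auditing a TLS client configuration for the
'missing certificate validation' weakness. Constructed illustration,
not code from the app or the report discussed above."""
import ssl


def insecure_context() -> ssl.SSLContext:
    """The weak pattern: hostname matching and chain verification switched off.

    Any certificate, including one minted by a man-in-the-middle, is accepted.
    (check_hostname must be disabled before verify_mode can be set to CERT_NONE.)
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def hardened_context() -> ssl.SSLContext:
    """The corrected pattern: system trust store, chain verification,
    hostname matching, and no pre-1.2 TLS versions."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED + check_hostname=True
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def audit_tls_context(ctx: ssl.SSLContext) -> list[str]:
    """Return a list of findings; an empty list means the context passes.

    Checks the three settings a reviewer looks at first: whether the server
    chain is validated, whether the certificate is matched against the host
    name that was requested, and whether obsolete protocol versions are allowed.
    """
    findings = []
    if ctx.verify_mode == ssl.CERT_NONE:
        findings.append("verify_mode is CERT_NONE: server certificate chain is not validated")
    if not ctx.check_hostname:
        findings.append("check_hostname is False: certificate is not matched against the server name")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("minimum_version allows TLS 1.1 or older")
    return findings


if __name__ == "__main__":
    for label, ctx in (("insecure", insecure_context()), ("hardened", hardened_context())):
        result = audit_tls_context(ctx)
        print(f"{label}: {'OK' if not result else ''}")
        for finding in result:
            print(f"  - {finding}")
```

The same two switches exist on every platform: on Android the equivalent weak pattern is a custom TrustManager whose checkServerTrusted does nothing and a HostnameVerifier that always returns true, so a code review or a grep for those overrides is the mobile counterpart of the audit function above.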
3 top learnings of DeepSec
- Technology Vulnerabilities:
We should not forget the critical importance of recognizing that even widely used and seemingly secure technologies can have significant vulnerabilities. For instance, the exploitation of T-Mobile’s phone number assignment process by a teenager demonstrates that even well-established companies may overlook security aspects in their systems. It underscores the need for thorough security assessments and the implementation of robust security measures to protect against potential threats in technology.
- AI-enhanced Phishing:
The rise of artificial intelligence in cyberattacks is a growing concern. Attackers are increasingly using AI to automate and enhance their phishing campaigns. These AI-driven attacks can generate highly convincing phishing messages and even create deepfake content, making it more challenging for individuals and organizations to discern genuine communications from fraudulent ones. This learning emphasizes the evolving sophistication of cyber threats and the necessity for individuals and organizations to stay vigilant and employ advanced security measures to counteract these emerging threats effectively.
- Government App Security:
The examination of the "LeaveHomeSafe" app and the government's response to its security vulnerabilities reveals the potential risks associated with government-mandated tracking applications. The discovery of critical security flaws, including an authentication bypass and a lack of TLS certificate validation, underscores the importance of rigorous security assessments for such apps. This learning highlights the need for robust security and privacy safeguards in government-mandated apps and the importance of responsible disclosure and public awareness in addressing security concerns.
Looking back
Even though the conference was relatively short, the organizers still managed to fit a whole lot of interesting content into the two days. In conclusion, it was a great experience, and I hope to attend again in the future!