The DeepSec experience

Dec 07, 2023
Written by Thimo De Souter

Taking place in the picturesque city of Vienna, DeepSec is a yearly cyber security conference which attracts all types of computer enthusiasts, hackers and security professionals. A wide range of topics are covered by both local and international speakers.

I was fortunate enough to be able to attend this completely sold-out 2023 edition.

Located in the Renaissance Wien hotel, the conference hosts two tracks, so hard decisions had to be made regarding which talks to attend.

Day 1: Interesting talks about Putin's Shadow War, the phone of Paris Hilton and SAP as a cyber weapon

We started the first day off with a less technical, but nevertheless interesting, talk: Putin's Shadow War, presented by Swedish journalist Maria Georgieva. She explained how OSINT was used to gather evidence that Russia was performing espionage missions with the goal of mapping critical infrastructure.

Next up was Scott Shapiro, who revealed the long-awaited truth about how Paris Hilton's phone was hacked. Unexpectedly, this was not a tale of a sophisticated cyber-attack executed by exploiting deep-rooted technical flaws, but rather of how a teenage boy was simply able to re-assign Paris Hilton's phone number to himself using only the T-Mobile website. In their haste to build one of the first iterations of the smartphone, it appears T-Mobile neglected to include process security in their blueprints. A costly lesson.

In the last presentation before lunch, we heard from Andreas Wiegenstein, who talked about SAP as a Cyber Weapon, a topic which was unknown to me. It mainly covered the different ways a company's SAP infrastructure could be exploited in a post-compromise scenario. Seeing as a company's development, QA and production environments are often linked to each other, an attacker who manages to get a foothold on a poorly secured development machine could pivot to the production environment. He also explained how SAP's own programming language (ABAP) could be used to create malware implants which are extremely difficult to detect.

The final presentation of the first day was given by Moritz Abrell. He exposed multiple vulnerabilities in Zoom's zero-touch provisioning functionality for IP/desk phones, such as hard-coded secret keys, lack of immutable trust, and the absence of ownership verification. By combining these flaws, the IP phones could be completely compromised, sometimes even remotely!

Day 2: AI in phishing campaigns, privacy in a COVID tracking app, and micro attack simulations

Artificial Intelligence seems to be everywhere lately, even in phishing campaigns! Alexander Hurbean & Wolfgang Ettlinger performed a deep dive into their phishing methods, which are created and automated with the help of various AI tools. Both the offensive and defensive sides were touched upon in their presentation, which also included multiple very convincing "deepfakes", which can be used in (voice)phishing or similar social engineering attacks.

Can we have privacy in a government mandated COVID tracking app? That was a question asked by Abraham Aranguren, a security researcher from 7ASecurity. He analysed the "LeaveHomeSafe" app, which was used by the Hong Kong government to track and prevent the spread of COVID-19. All residents had to install and use this app to scan a QR code whenever they left their homes and visited a place of business.

Several critical security issues were discovered in the iOS and Android applications, including an authentication bypass, a man-in-the-middle attack made possible by missing TLS certificate validation, and many more...
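To make the "missing TLS certificate validation" finding concrete, here is an added example (my own, not code from the talk, from 7ASecurity or from the LeaveHomeSafe app) showing what that weakness looks like in a client written with Python's standard `ssl` module, the correctly configured counterpart, and a small audit function a reviewer can run against any `SSLContext` to flag the weak settings. The optional CA pinning argument and the function names are my assumptions for illustration.

```python
import ssl
from typing import List, Optional

# Constructed illustration: a TLS client context that skips certificate
# validation versus one that validates, plus a review-time audit check.


def insecure_client_context() -> ssl.SSLContext:
    """The anti-pattern: accept any certificate for any host name.

    A network attacker positioned between app and server can present their
    own certificate and read or modify all traffic, which is exactly the
    man-in-the-middle condition reported for the app.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False  # must be disabled before verify_mode can be CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def secure_client_context(ca_pem: Optional[str] = None) -> ssl.SSLContext:
    """The corrected form: chain validation, host name check, modern protocol.

    create_default_context() already sets verify_mode=CERT_REQUIRED and
    check_hostname=True. Passing ca_pem (assumed: the PEM text of the
    service's own CA) restricts trust to that CA instead of the system store.
    """
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    if ca_pem:
        ctx.load_verify_locations(cadata=ca_pem)
    return ctx


def audit_client_context(ctx: ssl.SSLContext) -> List[str]:
    """Return a list of findings; an empty list means the context validates
    the server certificate, binds it to the host name and refuses old TLS."""
    findings: List[str] = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("verify_mode is not CERT_REQUIRED: server certificate is not validated")
    if not ctx.check_hostname:
        findings.append("check_hostname is False: certificate is not bound to the server name")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("minimum_version below TLS 1.2: downgrade to weak protocol versions possible")
    return findings


if __name__ == "__main__":
    for name, ctx in (("insecure", insecure_client_context()),
                      ("secure", secure_client_context())):
        print(name, audit_client_context(ctx) or ["no findings"])
```

Running the module prints findings for the insecure context and none for the secure one; the same `audit_client_context` check can be dropped into a test suite so that a later "convenience" change disabling verification fails the build rather than shipping.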

The disclosure of these vulnerabilities to the Hong Kong government was met with resistance. In accordance with the responsible disclosure process, the report was sent privately to the appropriate government body. After one month without any sort of human response, the report was released publicly. Only then did the government provide a public statement, in which they attempted to discredit the findings and claimed the report was "unfair and inaccurate". Soon after, a new version of the mobile app was released, in which none of the reported vulnerabilities had been fixed...

An interesting alternative to a full-blown pentest by a red team could be found in (automated) micro attack simulations. Christian Schneider demonstrated how these simulations can be used to determine the possible points of failure in a cyber kill-chain, and how these tools can be used to verify that the implemented defences are working correctly. This could be compared to a white-box pentest approach, where access to an employee laptop is provided and the attacker performs each step from initial exploitation to full network compromise, one step at a time.

3 top learnings of DeepSec

  1. Technology Vulnerabilities:

    We should not forget that even widely used and seemingly secure technologies can have significant vulnerabilities. For instance, the exploitation of T-Mobile's phone number assignment process by a teenager demonstrates that even well-established companies may overlook security aspects in their systems. It underscores the need for thorough security assessments and the implementation of robust security measures to protect against potential threats in technology.

  2. AI-enhanced Phishing:

    The rise of artificial intelligence in cyberattacks is a growing concern. Attackers are increasingly using AI to automate and enhance their phishing campaigns. These AI-driven attacks can generate highly convincing phishing messages and even create deepfake content, making it more challenging for individuals and organizations to discern genuine communications from fraudulent ones. This learning emphasizes the evolving sophistication of cyber threats and the necessity for individuals and organizations to stay vigilant and employ advanced security measures to counteract these emerging threats effectively.

  3. Government App Security:

    The examination of the "LeaveHomeSafe" app and the government's response to its security vulnerabilities reveals the potential risks associated with government-mandated tracking applications. The discovery of critical security flaws, including an authentication bypass and a lack of TLS certificate validation, underscores the importance of rigorous security assessments for such apps. This learning highlights the need for robust security and privacy safeguards in government-mandated apps and the importance of responsible disclosure and public awareness in addressing security concerns.

Looking back

Even though the conference was relatively short, the organization still managed to fit a whole lot of interesting content into the two days. In conclusion, it was a great experience, and I hope to attend again in the future!