GeekPwn 2015: The Art of Attack and Defense in Smart Security

GeekPwn is committed to innovation, technology and style, giving geeks who love technology a stage and pointing the way toward the future of technology, smart living and fashion. Drawing on the strengths of domestic and international security events, it is the world's first geek carnival built around the security of both smart hardware and software, sits at the forefront of the international smart-security community, and is the first geek event to focus on the safety of smart living. The second GeekPwn carnival will be held on October 24-25, 2015 at the Himalayas Center in Shanghai, where the hackers' demonstrations will be on display.

On October 24, the carnival day, top white-hat hackers from around the world will stage their hacks: smart door locks, cameras, routers and other household products may all be compromised. The organizers have also invited leading security researchers from China and abroad to the summit on October 25, which covers cutting-edge smart-security technology.

GeekPwn shares practical, cutting-edge security technology!

Live text and photo coverage
  • 17:15 The GeekPwn summit moved to the final awards. The team from Tsinghua University took the top prize, worth 460,000 yuan.

  • 16:10 KeenTeam senior researcher Chen Liang spoke on OS X kernel information leaks. The attack surface includes syscalls, IOKit, HFS and so on; to protect the kernel Apple introduced KASLR, DEP, SMEP and other mitigations, and recent OS X security improvements have blocked the leaks that made those mitigations easy to bypass. He reviewed historical OS X leaks, such as the vm_map_copy_t bug, which combined kernel memory spraying with an information disclosure and was first used in the evasi0n jailbreak for iOS 6, and the Mach port kobject leak: on OS X 10.7 and earlier, the function that returns the kernel object behind a Mach port gave away the object's kernel address, so the address of global objects stored in the kernel data segment could be obtained. He then explained how CVE-2015-3676 can be used to bypass KASLR.

  • 15:30 Brian Gorenc and Abdul-Aziz Hariri, organizers of the Pwn2Own hacking contest, gave an afternoon talk that dug into the documented and undocumented APIs of Adobe Reader, shared proof-of-concept cases from real vulnerabilities, and presented code-audit techniques useful for vulnerability hunting.

  • 12:25 Yu Yang of Tencent Xuanwu Lab presented a general method for attacking barcode systems: an attacker needs only a specially crafted set of barcodes to execute arbitrary code on the target system, and the whole attack needs nothing more than a piece of paper. A one-dimensional barcode records information as black bars and white spaces laid out according to fixed rules; a barcode consists of quiet zones, a start character, data characters and a stop character. A reader first captures the image, then decodes it according to the symbology standard (UPC/EAN, Code 39, Code 128 and others), then transmits the data (over RS-232, PS/2, etc.). There are dozens of one-dimensional symbologies alone; Code 128 not only stores digits and letters but supports the full ASCII character set, is efficient and information-dense, carries four customizable function codes, and has three code sets: Code A, Code B and Code C. Almost every scanning device supports it. Known barcode security issues include overflows, format-string bugs, SQL injection and XSS triggered by barcode contents; in addition there are attacks that exploit predictable barcodes, such as forgery, copying (replay), and phishing/CSRF (mainly with 2D codes). Xuanwu Lab found that many barcode readers present their output to the host as a PS/2 or HID keyboard, so a Code 128 barcode can "type" Ctrl+key combinations and other control input into the terminal, which is a real threat to the host. He then demonstrated several attacks live.

  • 13:30 Zhu Chengyun, chief security manager of Microsoft's cloud security department, noted that enterprise cloud adoption grows year by year, so cloud security is essential. His talk covered Microsoft's defensive mechanisms against 0-day attacks on its cloud. Using MS08-067 as the example, he walked through how the 0-day was discovered and how situational awareness of the attack was built up. The lesson from that vulnerability: you need good enough data sources, and large-scale data analysis has to combine automated analysis with manual analysis.

  • 11:20 Yang Kun, chief security researcher and co-founder of Changting Technology, whose team broke several devices yesterday, shared the memory-leak exploitation techniques he has distilled from years of CTF competition: stack overflows, heap overflows, resolving libc symbols, and some practical gadgets; on the heap-overflow side he focused on techniques for exploiting ptmalloc.

  • 10:20 Ge Renwei, Qualcomm's product security director, has worked on product security at Qualcomm for 8 years, covering the secure product development lifecycle, security incident response, attack intelligence, and hardware, platform and application security. He shared the security landscape of the Snapdragon series (Snapdragon chips are used in routers, vehicles and IoT devices), the attacks seen in recent years, and Qualcomm's product-security work, such as TrustZone-based data isolation, fast response and upgrades, and proactively finding vulnerabilities with open-source projects.

  • 9:35 Google engineer Dmitry Vyukov showed how shadow memory can be used to detect many classes of vulnerabilities in a system, and described how the Kernel Sanitizers and Kernel ThreadSanitizer are used to find memory errors and data races, and the common techniques involved.

  • 9:00 October 25: the GeekPwn security summit officially opened. The first talk was "Turning the Tide: HP ZDI and the Pwn2Own Contest" by Brian Gorenc, vulnerability research manager at HP Security Research, and HP Security Research researcher Abdul-Aziz Hariri. Gorenc first introduced the ZDI program (currently the world's largest vendor-agnostic vulnerability reward program) and the Pwn2Own contest of recent years. Hariri then used the remainder of the session to share weaknesses in the Adobe Reader JavaScript API. They will share vulnerability-hunting tips in detail in the afternoon.

  • 16:45 After a short break, GeekPwn moved to the last session of day one (October 24), the smart-router arena. Three teams will attempt on stage to break 10 mainstream smart routers of different brands, including Newifi, TP-Link, Xiaomi and 360. The players will try to gain remote root access to each router and tamper with its DNS records; after a successful break, they will show the judges a root shell on the router and a hijacked GeekPwn website.

  • 16:28 Mobile-phone fingerprint verification project. Running an exploit from an ADB shell on the latest version of the phone, the players cause every Android fingerprint check to fail, including the lock screen and payment transfers.

  • 16:12 Lenovo ThinkPad X240 project. Without any special privileges, the players' malicious code, running as an ordinary user, can steal the fingerprint images of every account on the device (including Admin). Once the victim, who has fingerprint login enabled, runs the malicious program, all fingerprint data on the device is sent automatically to the players' server.

  • 16:08 Parrot drone project. The legitimate controller, a phone running the AR.FreeFlight 2 app, takes the Parrot AR.Drone 2.0 up and holds it hovering. The players, using wireless attack tools installed on a Raspberry Pi, disconnect the legitimate controller from the drone so that it loses control while hovering, and then take over control of the drone.

  • 15:46 A second team also targeting the Haier smart home suite: where the previous team used packet capture, this team exploits a vulnerability in the firmware to gain control. The impact of this vulnerability is broad, since every device from the same production batch can be attacked through it.

  • 15:40 Following the morning's smart-camera series from Changting Technology, the afternoon brought another POS project. The players need only a PC, no physical contact with the POS terminal, and no Ethernet, Wi-Fi or other network to attack the POS remotely. On success, the players obtain a copy of the user's bank card data and PIN when the user pays by card.

  • 15:20 Haier project demonstration, showing the effect of the attack.

  • 15:15 Broadlink smart-home attack project. The players target vulnerabilities in the Broadlink smart socket to hijack it remotely and control its functions.

  • 15:01 HTTPS side-channel project: the players demonstrate live how browser weaknesses are used to obtain the user's account information.

  • 14:52 After the players announced e-Home Clean as their target, the vendor shut down its cloud service. The players therefore switched targets on the spot and successfully attacked the payment system of the Ayibang app.

  • 14:45 HTTPS side-channel project. HTTPS has gradually improved, but weaknesses remain. Using real flaws in Safari and IE, the players run a new side-channel attack on HTTPS that leaks the paths of the resources an HTTPS page loads; against Taobao's HTTPS pages this reveals what the user has bought, and against mainstream cloud-drive services it exposes the private contents of the account, such as photos and documents.

  • 14:34 e-Home Clean top-up system project. The players pay a small real amount from their phone, and after the top-up completes the account balance is credited with tens to a hundred times the amount paid. The players can also log into any account and view its data.

  • 14:30 Socket hijacking project: on success, the players remotely control the indicator lamp and the sound output directly.

  • 14:20 Haier smart home suite. According to the players, the Haier app controls the door access system, smart sockets and other smart devices, starting them and operating their functions from the phone. Exploiting several design flaws in the Haier smart home system, and without touching the devices, they attack from four different angles, including obtaining the login credentials of Haier smart-device accounts, forging a malicious terminal device, and controlling the smart home devices.

  • 14:16 Oven hijacking project: live demonstration.

  • 14:11 Small K second-generation socket hijacking project. The players mount a man-in-the-middle attack on the communication between the socket and its cloud service, swap in their own firmware during a firmware upgrade, and the new firmware contains a backdoor.

  • 14:09 Changdi ("Long Emperor") smart oven control project. The players remotely hijack the JD Weilian app to gain control of the oven, and then delegate that control to other devices, such as a home computer. The players said that once the app is hijacked they can control not only the oven but any other device the JD Weilian app supports.

  • 12:07 The phone is rooted successfully and the boot screen is modified.

  • 12:02 Root privileges obtained.

  • 11:40 Platform 1: the Android root project. By installing an ordinary app with no special permissions on the Android phone, the players exploit a local privilege escalation to gain root, and then disable SELinux, obtaining an unrestricted init context. With the highest privileges, the app replaces the phone's boot screen, which lives on a read-only partition of the Android system and can only be replaced with such privileges. Judging criteria: after running adb, the app shows a root-privileged process in the phone's shell, either with the init SELinux context or with SELinux set to permissive mode; after a reboot the replaced boot screen is displayed. The Xiaomi and Huawei phones that were successfully hijacked both run Android 5.

  • 11:40 Platform 3: a student surnamed Li demonstrates the Kung Fu Bear app project. By exploiting flaws in the app and its verification mechanism, an attacker can log into any account remotely with all of that account's permissions: creating and cancelling orders, seeing when and where the service is used, and reading any user's home address and other sensitive information. An attacker could maliciously cancel orders, or pose as service staff to commit crimes at the victim's home. Judging criteria: attack a real user's account and log into it remotely; view and cancel orders and obtain the home address and other sensitive data; if the account has a balance, spend it.

  • 11:35 Platform 1: smart camera series. From a computer, the players break into the camera and obtain root, view its live feed or stored recordings, and tamper with its basic functions. Judging criteria: after the attack, the players show a root shell on the camera from the computer; show the stolen live feed or recorded video; remotely drive the motion of a PTZ camera; and remotely play tampered audio on a camera that has sound playback.

  • 11:30 Platform 2 presents the domestic financial-services HTTPS project: the players set up a Wi-Fi environment and mount a man-in-the-middle attack on the HTTPS connections of financial services. In the demo, a client in that environment uses a browser to visit and log into a bank, China UnionPay, Taobao and Tenpay, with the whole session protected by HTTPS; the players nevertheless obtain the account balance, transaction history and other sensitive information, and log into the account themselves. When the client logs into JD.com with the browser and pays with UnionPay, the players, as the man in the middle, carry out a malicious payment.

  • Kara project: the players successfully obtained the user's bank card details for fraudulent use.

  • Result of the Kara POS hijacking demonstration.

  • 11:30 Platform 1 is still riusksk's, now presenting the latest Kara receivables POS project. The players pair an Android phone with the Kara POS terminal and install an Xposed module on the phone to hijack the transaction data. The victim then performs a balance inquiry with a bank card, the transaction details are captured, and a card-to-card transfer is initiated from another card: with any PIN at all, the previous card's balance can be transferred away. Judging criteria: the transaction data of the bank card is hijacked on the web page, and the balance of the card swiped on the Kara terminal is stolen without its PIN.

  • Zhuliang demonstrating the process with a phone.

  • 11:00 Platform 2, player Zhuliang, describes the Box Payment POS project. By installing a plugin on a jailbroken iPhone and using hooking, the player exploits the fact that the Box Payment POS does not strictly enforce its one-time key at payment time, and drains money from the victim's card. The only precondition is that the user has swiped the card on the POS and entered the PIN. Judging criteria: the user spends 10.24 yuan, swiping the card on the Box Payment POS and entering the PIN to check out; the player shows how 1888.88 yuan is deducted from the user's card, then shows the signed purchase order returned by the server after the deduction and the SMS alert the victim receives for the debit.

  • md5_salt demonstrating the process with a phone.

  • 10:50 Platform 3, team leader md5_salt. The team demonstrates a manicure-service app's top-up system: from their own phone they actually pay only 1 fen, yet can top up an order of any amount. Judging criteria: after the player's phone payment completes, check that the credited balance matches the amount of the pre-placed order; then view the change in the official app on the phone and confirm the balance increased by the order amount.

  • 10:30 The team at platform 2 leads off the demonstrations. Its leader is Gmxp, head of the terminal security team at Tencent's security platform department. Their project is hijacking a DJI Phantom 3 drone: the players intervene over the wireless link and gain control of the drone. Judging criteria: without touching the drone's remote controller, take control of the drone and guide it to fly around the attacker. The difficulty is the crowded indoor Wi-Fi, which makes the drone's signal hard to find and its control system hard to get into.

  • 10:10 Tencent vice president Ding Ke: the dreams of geeks and the struggles of experts are the main theme of this event; he hopes everyone finds the part that interests them.

  • 10:00 Speech by Brian Gorenc, director of vulnerability research at HP Security Research and Pwn2Own organizer.

  • 9:45 Wang, deputy secretary of the Shanghai Municipal Party Committee: everyone is a producer of information and everyone is a consumer of information, and information security appears more and more in people's lives; this is an important event for Shanghai's information technology sector, a gathering of geeks leading the pace of a new era.

  • 9:30 GeekPwn founder and organizer, KEEN founder and CEO Wang Qi, gives the opening speech. He pays tribute to the pioneers of geek history and says the world increasingly needs hackers to lead people forward.

  • 9:30 The GeekPwn 2015 conference is about to begin; stay tuned for the program.

  • October 20 The GeekPwn 2015 conference will be staged on October 24-25 at the Himalayas Center in Shanghai, the largest hacker carnival of its kind. On stage will be not only spectacular live attacks on smart devices but also world-class security experts discussing the art of attack and defense in smart living.

  • Guest speakers
    KEEN founder and CEO Wang Qi
    Wang Li, deputy secretary of the Shanghai Municipal Committee of the Communist Party of China
    Pwn2Own organizer Brian Gorenc
    Ding Ke, vice president of Tencent Inc
    HP Security Research vulnerability research director Brian Gorenc
    HP Security Research researcher Abdul-Aziz Hariri
    Google engineer Dmitry Vyukov
    Qualcomm product security director Ge Renwei
    Changting Technology chief security researcher and co-founder Yang Kun
    Microsoft cloud security department chief security manager Zhu Chengyun
    Tencent Xuanwu Lab, Yu Yang
    KeenTeam senior researcher Chen Liang
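The barcode-as-keyboard attack described in the 12:25 entry above rests on two properties of Code 128: Code Set A can encode the ASCII control characters, and a reader in keyboard-wedge (HID) mode simply types whatever it decodes. The following Python is an added example written for this page, not code from the Xuanwu Lab talk or from any scanner vendor. It encodes text to Code 128 symbol values with the mod-103 checksum, decodes them back, shows the keystrokes such a reader would emit under an assumed CR/TAB/ESC/Ctrl+letter mapping, and shows the application-side allowlist check that keeps scanned data away from anything that interprets control characters. The keystroke mapping, the allowlist pattern and the payload are constructed assumptions; Code Set C, the shift symbols and the FNC function codes are out of scope.

```python
"""Code 128 at the symbol level: how a barcode can carry keystrokes.

Added example, not code from the GeekPwn talk or any scanner vendor.
Code Set A of Code 128 encodes ASCII 0x00-0x1F, so a crafted label can
carry control characters; a reader enumerating as a HID/PS/2 keyboard
replays them as keystrokes. Keystroke mapping and allowlist are assumptions.
"""
import re

START_A, START_B, STOP = 103, 104, 106
CODE_A_FROM_B = 101   # in Code Set B, value 101 switches to Code Set A
CODE_B_FROM_A = 100   # in Code Set A, value 100 switches to Code Set B


def encode_code128(text: str) -> list[int]:
    """Return Code 128 symbol values for text, with checksum and stop symbol.

    Starts in Code Set B (ASCII 32-127), switches to Code Set A for control
    characters and back for lowercase/DEL. Code Set C, shift and FNC symbols
    are not used in this example.
    """
    symbols = [START_B]
    current = "B"
    for ch in text:
        o = ord(ch)
        if o > 127:
            raise ValueError(f"non-ASCII character {o:#x} cannot be encoded in Code 128")
        if o < 32:                       # control character: only Code Set A has it
            if current != "A":
                symbols.append(CODE_A_FROM_B)
                current = "A"
            symbols.append(o + 64)       # ASCII 0x00-0x1F -> values 64-95
        elif o > 95:                     # lowercase, {|}~, DEL: only Code Set B
            if current != "B":
                symbols.append(CODE_B_FROM_A)
                current = "B"
            symbols.append(o - 32)
        else:                            # space .. '_' share values in sets A and B
            symbols.append(o - 32)
    # Checksum: start value plus each following symbol weighted by position, mod 103.
    check = (symbols[0] + sum(i * v for i, v in enumerate(symbols[1:], start=1))) % 103
    return symbols + [check, STOP]


def decode_code128(symbols: list[int]) -> str:
    """Inverse of encode_code128 for Code Sets A/B; verifies the checksum."""
    if len(symbols) < 3 or symbols[-1] != STOP:
        raise ValueError("missing stop symbol")
    start, body, check = symbols[0], symbols[1:-2], symbols[-2]
    if (start + sum(i * v for i, v in enumerate(body, start=1))) % 103 != check:
        raise ValueError("bad checksum")
    current = {START_A: "A", START_B: "B"}.get(start)
    if current is None:
        raise ValueError("only Start A / Start B are handled in this example")
    out = []
    for v in body:
        if current == "A":
            if v == CODE_B_FROM_A:
                current = "B"
            elif v < 64:
                out.append(chr(v + 32))
            elif v < 96:
                out.append(chr(v - 64))  # control character
            else:
                raise ValueError(f"symbol {v} (shift/Code C/FNC) not handled here")
        else:
            if v == CODE_A_FROM_B:
                current = "A"
            elif v <= 95:
                out.append(chr(v + 32))  # 95 -> DEL
            else:
                raise ValueError(f"symbol {v} (shift/Code C/FNC) not handled here")
    return "".join(out)


def hid_keystrokes(scanned: str) -> list[str]:
    """Assumed keyboard-wedge behaviour: the keys a HID-mode reader 'types'.

    Real readers differ in how they emit control characters; this mapping
    (CR -> Enter, TAB -> Tab, ESC -> Esc, 0x01-0x1A -> Ctrl+letter) is an
    assumption for illustration only.
    """
    keys = []
    for ch in scanned:
        o = ord(ch)
        if ch == "\r":
            keys.append("Enter")
        elif ch == "\t":
            keys.append("Tab")
        elif ch == "\x1b":
            keys.append("Esc")
        elif 1 <= o <= 26:
            keys.append("Ctrl+" + chr(o + 64))
        elif o < 32 or o == 127:
            keys.append(f"<0x{o:02x}>")
        else:
            keys.append(ch)
    return keys


def accept_scanned(scanned: str, pattern: str = r"[0-9A-Z\-]{1,32}") -> bool:
    """Application-side check: accept only data matching the label format you
    expect (assumed inventory-label pattern). Control characters or free-form
    text must never reach a shell, a SQL query or a web page."""
    return re.fullmatch(pattern, scanned) is not None


if __name__ == "__main__":
    # Constructed payload: Ctrl+R (0x12), a command, then Enter (0x0D).
    payload = "\x12calc\r"
    syms = encode_code128(payload)
    print("symbols :", syms)
    print("types   :", hid_keystrokes(decode_code128(syms)))
    print("accepted:", accept_scanned(decode_code128(syms)), accept_scanned("SKU-2015-0042"))
```

The symbol values are what a barcode library would render as bar/space patterns; the point is that nothing in the symbology itself distinguishes "data" from "keystrokes", so the decision has to be made by the application that receives the scan (or by configuring the reader to run in serial rather than keyboard mode), not by trusting the label.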