[ MI CASA-SU CASA ] My 192.168.1.1 is Your 192.168.1.1

Sunday at 13:00 in Track 1
45 minutes | Demo, Tool

Elliott Thompson Senior Security Consultant, SureCloud Ltd

Your browser thinks my 192.168.1.1 is the same as your 192.168.1.1. Using a novel combination of redirects, Karma, JavaScript and caching we demonstrate that it’s viable to attack internal management interfaces without ever connecting to your network. Using the MICASA-SUCASA tool it’s possible to automate the exploitation of hundreds of interfaces at once. This presentation will introduce the attack vector and demonstration, but also the public release of the MICASA-SUCASA tool.

Elliott Thompson
The alphabet soup: OSCP, CTL/CCT-APP Senior pentester and researcher for the last 3 years, with hundreds of successful engagements behind me. Passionate about security and involved in various article pieces for infosec magazine, the BBC and the UK consumer watchdog Which?. Last year I discovered and disclosed an exploit on some Android tablets that allowed RCE through the tag. [ CVE-2018-16618 ]

Adventures In Smart Buttplug Penetration (testing)

Sunday at 10:00 in Track 2
45 minutes | Demo, Tool

smea

Analysts believe there are currently on the order of 10 billions Internet of Things (IoT) devices out in the wild. Sometimes, these devices find their way up people's butts: as it turns out, cheap and low-power radio-connected chips aren't just great for home automation - they're also changing the way we interact with sex toys. In this talk, we'll dive into the world of teledildonics and see how connected buttplugs' security holds up against a vaguely motivated attacker, finding and exploiting vulnerabilities at every level of the stack, ultimately allowing us to compromise these toys and the devices they connect to.

smea
smea got his start making video games for closed consoles like the Nintendo DS using whatever hacks were available at the time. At some point consoles started getting actual security features and he transitioned from just making homebrew software to actually making the jailbreaks that let people run it. He's best known for his work on the Nintendo 3DS and Wii U but has also done exploitation work against high profile web browsers and virtualization stacks. Now he hacks buttplugs, apparently.

Twitter: @smealum
Github: https://github.com/smealum

Backdooring Hardware Devices By Injecting Malicious Payloads On Microcontrollers

Sunday at 10:00 in Track 1
45 minutes | Demo, Tool

Sheila Ayelen Berta Security Researcher

Is targeting microcontrollers worth the effort? Nowadays, they are responsible for controlling a wide range of interesting systems, e.g., physical security systems, car’s ECUs, semaphores, elevators, sensors, critical components of industrial systems, some home appliances and even robots.

In this talk, it will be explained how microcontrollers can be backdoored too. After a quick review of basic knowledge about uC, we will dive into three different approaches to achieve payload injection, from basic to advanced techniques. The first method consists on locating the entry point of the firmware and inject our payload there, this is an easy way to execute it at least once. As a second -and more complex- technique, we will backdoor the EUSART communication injecting a malicious payload at the code routine of that hardware peripheral; we will be able to get the right memory address by inspecting the GIE, PEIE and polling process at the uC interrupt vector. Finally, the third technique allow us to take control of the microcontroller’s program flow by manipulating the stack writing memory addresses at the TOS; with this we can execute a payload made with instructions already written in the original program, performing it just like a ROP-chain technique.

Sheila Ayelen Berta
Sheila Ayelen Berta is an Information Security Specialist and Developer, who started at 12 years-old by herself. At the age of 15, she wrote her first book about Web Hacking, published by RedUSERS Editorial in several countries. Over the years, Sheila has discovered lots of vulnerabilities in popular web applications and softwares. She also has given courses of Hacking Techniques in universities and private institutes in Argentina. Sheila currently works as Security Researcher who specializes in offensive techniques, reverse engineering and exploit writing. She is also a developer in ASM (microcontrollers and microprocessors x86/x64), C/C++, Golang and Python. Sheila is an international speaker who has spoken at important security conferences such as Black Hat Briefings, DEF CON 26, DEF CON 25 CHV, HITB, HackInParis, Ekoparty, IEEE ArgenCon, Hack.Lu, OWASP Latam Tour and others.

Twitter: @UnaPibaGeek

Cheating in eSports: How to Cheat at Virtual Cycling Using USB Hacks

Sunday at 14:00 in Track 2
45 minutes | Demo, Tool

Brad Dixon Security Consultant, Carve Systems

Athletes are competing in virtual cycling by riding real bikes on stationary trainers which power the in-game athletic performance. Riders train and compete online against each other. New racing teams are even competing in Union Cycliste Internationale (UCI) sanctioned events. Better at hacking than riding? Me, too. I’ll expand on the dubious achievements of prior cycling cheaters by showing how to use the open source USBQ toolkit to inspect and modify USB communications between the Zwift application and the wireless sensors that monitor and control the stationary trainer. USBQ is a Python module and application that uses standard hardware, such as the Beaglebone Black, to inspect and modify communications between USB devices and the host. You’ll ride away with a lesson on building your own customized USB man-in-the-middle hacking tool, too.

Brad Dixon
Brad once told his parents that if they gave him a Commodore 64 it would be the last computer he’d ever want. He never got that Commodore 64. Nevertheless Brad managed to become a computer nerd at a young age. Brad studied Computer Engineering at Georgia Tech and jumped into embedded software engineering. He worked for many years helping developers to design embedded Linux into telecom, network, and mobile products. Brad also took a turn as a product manager for embedded development tools and a mobile location analytics product. At Carve he hacks IoT, embedded, and Linux systems.

Github: https://github.com/rbdixon

Closing Ceremonies

Sunday at 16:00 in Paris Ballroom
120 minutes

The Dark Tangent & Goons

DEF CON 27 draws to a close. Prizes awarded, Black Badge winners announced, thanks given, future plans revealed.

Contests Awards Ceremony

Sunday at 14:00 in Track 4
90 minutes

Contests & Events Goons

You've seen the Contests, you've played in a Contest, you've won a Contest and may have lost a Contest! Whatever the outcome was, come join as as we celebrate the winners and contestants of our DEF CON 27 Contests! DEF CON 27 Contests and Events Closing Ceremonies will be August 11th at 14:00 in Track 4. Black Badge winning Contests will still be honored at the main DEF CON 27 Closing Ceremonies on August 11th at 16:00 in the Paris Ballroom!

Exploiting Qualcomm WLAN and Modem Over The Air

Sunday at 11:00 in Track 3
45 minutes | Demo, Exploit

Xiling Gong Consultant, NCC Group

Peter Pi Senior Security Researcher of Tencent Blade Team

In this talk, we will share our research in which we successfully exploit Qualcomm WLAN in FIRMWARE layer, break down the isolation between WLAN and Modem and then fully control the Modem over the air.

Setup the real-time debugger is the key. Without the debugger, it's difficult to inspect the program flow and runtime status. On Qualcomm platform, subsystems are protected by the Secure Boot and unable to be touched externally. We'll introduce the vulnerability we found in Modem to defeat the Secure Boot and elevate privilege into Modem locally so that we can setup the live debugger for baseband.

The Modem and WLAN firmware is quite complex and reverse engineering is a tough work. Thanks to the debugger, we finally figure out the system architecture, the components, the program flow, the data flow, and the attack surfaces of WLAN firmware. We'll share these techniques in detail, along with the zero-days we found on the attack surfaces.

There are multiple mitigations on Qualcomm baseband, including DEP, stack protection, heap cookie, system call constraint, etc. All the details of the exploitation and mitigation bypassing techniques will be given during the presentation.

Starting from Snapdragon 835, WLAN firmware is integrated into the Modem subsystem as an isolated userspace process. We'll discuss these constraints, and then leverage the weakness we found to fully exploit into Modem.

Xiling Gong
Xiling Gong is a Senior Security Researcher of Tencent Blade Team. He has discovered many vulnerabilities of vendors like Google and Qualcomm. He is the speaker of CanSecWest 2018.

Twitter: @Gxiling

Peter Pi
Peter Pi is a Senior Security Researcher of Tencent Blade Team. He has discovered many vulnerabilities of vendors like Google, Microsoft, Apple, Qualcomm, Adobe and Tesla. He was the #1 researcher of Google Android VRP in year 2016. He has spoken at many famous security conferences such as BlackHat, CanSecWest, HITB GSEC and Hitcon.

Twitter: @tencent_blade

Firmware Slap: Automating Discovery of Exploitable Vulnerabilities in Firmware

Sunday at 14:00 in Track 1
45 minutes | Demo, Tool

Christopher Roberts

DARPA’s Grand Cyber Challenge foretold an ominous future stricken with machines exploiting our code and automatically compromising our systems. Today, we have the chance to steel ourselves by creating new hope through stronger tools and techniques to find our bugs before our big-brother nation-states can take advantage. The firmware holding our phones, our routers, and our cars is our weakest link and it demands new methods of finding exploitable vulnerabilities. This talk will present Firmware Slap, the culmination of concolic analysis and semi-supervised firmware function learning. Each binary or library in a given firmware provides slices of information to accelerate and enable fault-resistant concolic analysis. These techniques provide a method of knowing where our vulnerabilities are and how we can trigger them.

Christopher Roberts
Christopher Roberts is a security researcher at REDLattice Inc. He has extensive vulnerability research experience in embedded systems and program analysis frameworks. He competes and speaks in George Mason’s competitive cyber club. He’s known for building several tools which automatically solve and produce flags from pwnable and reversing CTF problems. (Zeratool) (PinCTF)

Github: https://github.com/ChrisTheCoolHut

Hacking WebAssembly Games with Binary Instrumentation

Sunday at 10:00 in Track 3
45 minutes | Demo, Tool

Jack Baker

WebAssembly is the newest way to play video games in your web browser. Both Unity3d and Unreal Engine now support WebAssembly, meaning the amount of WebAssembly games available is growing rapidly. Unfortunately the WebAssembly specification is missing some features game hackers might otherwise rely on. In this talk I will demonstrate adapting a number of game hacking techniques to WebAssembly while dealing with the limitations of the specification.

For reverse engineers, I will show how to build and inject your own "watchpoints" for debugging WebAssembly binaries and how to insert symbols into a stripped binary.

For game hackers, I will show how to use binary instrumentation to implement some old-school game hacking tricks and show off some new ones.

I will be releasing two tools: a binary instrumentation library built for modifying WebAssembly binaries in the browser, and a browser extension that implements common game hacking methods a la Cheat Engine.

Jack Baker
Jack Baker is a professional vulnerability researcher and amateur video game hacker. His primary areas of expertise include web application security, embedded reverse engineering, and Tony Hawk's Pro Skater 3.

Github: https://github.com/Qwokka

Help Me, Vulnerabilities. You're My Only Hope

Sunday at 12:00 in Track 4
45 minutes | Tool, Exploit

Jacob Baines Research Engineer, Tenable

MikroTik routers keep getting owned. They’ve been exploited by advanced threats like VPNFilter, Slingshot APT, and Trickbot. They’ve been compromised by coin miners, botnets, and who knows what else. With each new campaign the security industry publishes new indicators of compromise and everyone moves on.

However, MikroTik administrators operate in a sandbox. They have very limited access to the router’s underlying file system and almost no ability to directly interact with the Linux operating system. Due to these limitations, file hashes cannot answer the fundamental question that is asked again and again on the MikroTik forums, “Have I been compromised?”

It’s time the users had their question answered. In this talk, I’ll present three vulnerabilities that can help MikroTik administrators break out of the sandbox. I’ll show how to use these vulnerabilities to help determine if the router has been compromised.

Jacob Baines
Jacob is the founding member of Tenable's Zero Day Research group. He focuses much of his research efforts on routers and other IoT devices. Sometimes he even finds vulnerabilities.

Twitter: @junior_baines

HTTP Desync Attacks: Smashing into the Cell Next Door

Sunday at 12:00 in Track 3
45 minutes | Demo, Tool

albinowax Head of Research, PortSwigger

HTTP requests are traditionally viewed as isolated, standalone entities. In this session, I'll introduce techniques for remote, unauthenticated attackers to smash through this isolation and splice their requests into others, through which I was able to play puppeteer with the web infrastructure of numerous commercial and military systems, rain exploits on their visitors, and harvest over $50k in bug bounties.

Using these targets as case studies, I’ll show you how to delicately amend victim's requests to route them into malicious territory, invoke harmful responses, and lure credentials into your open arms. I’ll also demonstrate using backend reassembly on your own requests to exploit every modicum of trust placed on the frontend, gain maximum privilege access to internal APIs, poison web caches, and compromise my favourite login page.

Although documented over a decade ago, a fearsome reputation for difficulty and collateral damage has left this attack optimistically ignored for years while the web's susceptibility grew. By applying fresh ideas and new techniques, I’ll unveil a vast expanse of vulnerable systems ranging from huge content delivery networks to bespoke backends, and ensure you leave equipped to devise your own desync techniques and tailor attacks to your target of choice.

albinowax
James Kettle is Head of Research at PortSwigger Web Security, where he designs and refines vulnerability detection techniques for Burp Suite's scanner. Recent work has focused on using web cache poisoning to turn caches into exploit delivery systems. James has extensive experience cultivating novel attack techniques, including server-side RCE via Template Injection, client-side RCE via malicious formulas in CSV exports, and abusing the HTTP Host header to poison password reset emails and server-side caches. He has spoken at numerous prestigious venues including both BlackHat USA and EU, and OWASP AppSec USA and EU.

Twitter: @albinowax
Website: https://skeletonscribe.net/

I'm In Your Cloud... Pwning Your Azure Environement

Sunday at 12:00 in Track 1
45 minutes | Demo, Tool, Exploit

Dirk-jan Mollema Security Expert - Fox-IT

After having compromised on-premise for many years, there is now also the cloud! Now your configuration mistakes can be accessed by anyone on the internet, without that fancy next-gen firewall saving you. With this talk I’ll share my current research on Azure privileges, vulnerabilities and what attackers can do once they gain access to your cloud, or how they can abuse your on-premise cloud components. We start with becoming Domain Admin by compromising Azure AD Sync, sync vulnerabilities that allow for Azure admin account takeover and insecure Single Sign On configurations. Up next is cloud roles and privileges, backdooring Azure AD with service accounts, escalating privileges as limited admin and getting past MFA without touching someone's phone. Then we finish with cloud integrations, also known as "how a developer can destroy your whole infrastructure with a single commit": Exploring Azure DevOps, backdooring build pipelines, dumping credentials and compromising Azure Resource Manager through connected services. Besides all the fun we'll also look into how this translates into the questions you should ask yourself before moving things to the cloud and how this differs from on-premise.

Dirk-jan Mollema
Dirk-jan is one of the core researchers of Active Directory and Azure AD at Fox-IT. Amongst the open source tools published to advance the state of AD research are aclpwn, krbrelayx, mitm6, ldapdomaindump and a Python port of BloodHound. He blogs at dirkjanm.io, where he publishes about new Active Directory attack chains, which included the discovery of the PrivExchange vulnerability. He is also co-author of ntlmrelayx and contributor to several other open source tools and libraries. After discovering that breaking stuff is a lot of fun he never looked back at his freelance web developer days, but is still thankful for the knowledge and experience that those days provided him.

Twitter: @_dirkjan
Website: dirkjanm.io

Malproxying: Leave Your Malware at Home

Sunday at 12:00 in Track 2
45 minutes | Demo, Tool

Hila Cohen Security Researcher, XM Cyber

Amit Waisel Senior Technical Leader, XM Cyber

During a classic cyber attack, one of the major offensive goals is to execute code remotely on valuable machines. The purpose of that code varies on the spectrum from information extraction to physical damage. As defenders, our goal is to detect and eliminate any malicious code activity, while hackers continuously find ways to bypass the most advanced detection mechanisms. It’s an endless cat-and-mouse game where new mitigations and features are continuously added to the endpoint protection solutions and even the OS itself in order to protect the users against newly discovered attack techniques. In this talk, we present a new approach for malicious code to bypass most of endpoint protection measures. Our approach covertly proxies the malicious code operations over the network, never deploying the actual malicious code on the victim side. We are going to execute code on an endpoint, without really storing the code on disk or loading it to memory. This technique potentially allows attackers to run malicious code on remote victims, in such a way that the code is undetected by the victim’s security solutions. We denote this technique as “malproxying”.

Hila Cohen
Hila Cohen is a passionate Security Researcher at XM Cyber, where she investigates new attack techniques and develops detection and mitigation capabilities. Hila has a vast knowledge in the fields of malware analysis, reverse engineering and incident response.

Amit Waisel
Amit Waisel is a Senior Technical Leader at XM Cyber. He is a seasoned data security expert with vast experience in cyber offensive projects. Prior to XM Cyber, Amit filled multiple data security positions in the Israeli intelligence community. Amit is well experienced with malware detection and analysis techniques, operating system internals and security-oriented software development. He graduated with honors from Tel Aviv University with a MSc. in Computer Science.

Owning The Cloud Through Server-Side Request Forgery

Sunday at 13:00 in Track 3
45 minutes | Demo, Tool

Ben Sadeghipour Nahamsec

Cody Brocious (Daeken)

With how many apps are running in the cloud, hacking these instances becomes easier with a simple vulnerability due to an unsanitized user input. In this talk, we’ll discuss a number of different methods that helped us exfil data from different applications using Server-Side Request Forgery (SSRF). Using these methods, we were able to hack some of the major transportation, hospitality, and social media companies and make $50,000 in rewards in 3 months.

Ben Sadeghipour
Ben is the Hacker Operations Lead at HackerOne by day, and a hacker by night. He has helped identify and exploit over 500 security vulnerabilities across 100s of web and mobile applications for companies such as Yahoo, Airbnb, Snapchat, The US Department of Defense, Yelp, and more. He also invested time in the security community, by creating a community of 200+ active hackers who share ideas and their experiences. He has also held free workshops and trainings to teach others about security and web application hacking.

Twitter: @nahamsec
Website: nahamsec.com

Cody Brocious (Daeken)
Cody is the Head of Hacker Education at HackerOne where he dedicates his time to teaching hackers to be more effective and empowered. A reverse engineer and software developer with well over a decade of experience. Cody is also the lead instructor for Hacker101, a free course for web security.

Twitter: @daeken
Website: daeken.svbtle.com

QiLing

Sunday from 10:00 – 11:50 in Sunset 6 at Planet Hollywood
Audience: Reverse Engineers, Hardware (IoT) Hackers

KaiJern, Lau & Dr. Nguyen Anh Quynh

QiLing, a cross platform and multi architecture binary emulator, it will also able to do the following:

To execute binary applications for (Windows, Mac, Linux, Android, iOS, etc) and CPU architectures (Intel, Arm, AArch64 and Mips).
To be executed multiple platforms: Windows, MacOS, Linux, BSD. Sandbox analysis, so potential malicious activities are under control.
Provide Python instrumentation framework, so users can build add-on plugins to customize runtime analysis.
Analyze & report the code execution in friendly and fully customizable high-level format.

Besides working as an independent tool, QiLing also provides plugins for disassemblers such as Ghidra & IDA Pro. QiLing is designed to be alightweight and pluginable emulator. To handle real binaries reasonably, it should be fast, and offer instrumentation capability for users to build customized analysis.

- Able to handle hardware emulation
- Dynamically patch binary during execution in order to redirecting execution flow to bypass non critical check.
- Handle full binary emulation, not just raw code without context. To achieve this, emulate some parts of OS (such as syscalls , system libraries and part of kernel).
- Enable user-customized analysis via a Python framework.

QiLing is a opensource project.

KaiJern, Lau
KaiJern (xwings), is Lab Director of The ShepherdLab, of JD Security by JD.COM. He presented his findings in different international security conferences like HITB, Codegate, QCon, KCon, Brucon, H2HC few different Defcon group and etc. He also conducted hardware Hacking course in various places around the globe.

Dr. Nguyen Anh Quynh
Dr.Nguyen Anh Quynh is a regular speaker at various industrial cybersecurity conferences such as Blackhat USA/Europe/Asia, Defcon,, Deepsec, XCon, Hitcon, Brucon, Zeronights, Tensec, H2HC, etc. He also presented his researches in academic venues such as Usenix, IEEE, ACM, LNCS. Dr. Nguyen is also the founder and maintainer: Capstone (http://capstone-engine.org), Unicorn (http://unicorn-engine.org) & Keystone (http://keystone-engine.org).

Rhodiola

Sunday from 10:00 – 11:50 in Sunset 5 at Planet Hollywood
Audience: Offense

Utku Sen

Adversaries need to have a wordlist or combination-generation tool while conducting password guessing attacks. To narrow the combination pool, researchers developed a method named ”mask attack” where the attacker needs to assume a password’s structure. Even if it narrows the combination pool significantly, it’s still too large to use for online attacks or offline attacks with low hardware resources. In the real world, a password’s structure is an unknown value, just like the password itself. Even if we specify a password structure with masks, we are still brute forcing characters in the mask. When we analyzed Ashley Madison and Myspace wordlists, we saw that they are mostly consists of sequential alpha characters. Which means that there is a high probability that they are meaningful words. Our research shows that 30% of the Ashley Madison wordlist and 36% of Myspace wordlist contains meaningful English words. Rhodiola tool is developed to narrow the combination pool by creating a personalized wordlist for target people. It finds interest areas of a given user by analyzing his/her tweets, and builds a personalized wordlist. Wordlist consists of most used nouns & proper nouns, paired nouns & proper nouns, cities and years related to detected proper nouns.

Utku Sen
Utku Sen is a security researcher who is mostly focused on application security, network security and tool development. He presented his different tools and researches in Black Hat USA Arsenal, DEF CON Demo Labs and Packet Hacking Village in recent years. He's also nominated for Pwnie Awards on "Best Backdoor" category in 2016. He is currently working for Tear Security.

Say Cheese - How I Ransomwared Your DSLR Camera

Sunday at 11:00 in Track 4
45 minutes | Demo, Exploit

Eyal Itkin Vulnerability Researcher at Check Point Software Technologies

It's a nice sunny day on your vacation, the views are stunning, and like on any other day you take out your DSLR camera and start taking pictures. Sounds magical right? But when you get back to your hotel the real shock hits you: someone infected your camera with ransomware! All your images are encrypted, and the camera is locked. How could that happen?In this talk, we show a live demo of this exact scenario. Join us as we take a deep dive into the world of the Picture Transfer Protocol (PTP). The same protocol that allows you to control your camera from your phone or computer, can also enable any attacker to do that and more. We will describe in detail how we found multiple vulnerabilities in the protocol and how we exploited them remotely(!) to take over this embedded device.But it doesn't end here. While digging into our camera, we found a reliable way to take over most of the DSLR cameras without exploiting any vulnerability at all. We simply had to ask our camera to do that for us, and it worked.

This is the first vulnerability research on the Picture Transfer Protocol, a vendor agnostic logical layer that is common to all modern-day cameras. As DSLR cameras are used by consumers and journalists alike, this opens up the door for future research on these sensitive embedded devices.

Eyal Itkin
Eyal Itkin is a vulnerability researcher in the Malware and Vulnerability Research group at Check Point Software Technologies. Eyal has an extensive background in security research, that includes years of experience in embedded network devices and protocols, bug bounties from all popular interpreter languages, and an award by Microsoft for his CFG enhancement white paper. When not breaking I2P or FAX, he loves bouldering, swimming, and thinking about the next target for his research.

Twitter: @EyalItkin

SDR Against Smart TVs: URL and Channel Injection Attacks

Sunday at 11:00 in Track 2
45 minutes | Demo, Tool

Pedro Cabrera Camara Founder, Ethon Shield

Software-defined-radio has revolutionized the state of the art in IoT security and especially one of the most widespread devices: Smart TV. This presentation will show in detail the HbbTV platform of Smart TV, to understand and demonstrate two attacks on these televisions using low cost SDR devices: TV channel and HbbTV server impersonation (channel and URL injection). This last attack will allow more sophisticated remote attacks: social engineering, keylogging, crypto-mining, and browser vulnerability assessment.

Pedro Cabrera Camara
Industrial and Electronics Engineer, Pedro is an enthusiast of Software Defined Radio and UAVs, which has worked for 12 years in the main Spanish telecommunications operators, conducting security audits and pentesting in mobile and fixed networks. In addition to working with telecommunications operators, Pedro leads open source projects such as intrusion detection systems for GSM, UMTS and LTE networks, which has led him to study the various fake stations attacks and existing solutions. In recent years he has participated in security events in the United States (RSA, CyberSpectrum, DEF CON DemoLabs), Asia (BlackHat Trainings) and Europe (Rootedcon, Euskalhack, AlligatorCON)

Twitter: @PcabreraCamara
Website: http://www.fakebts.com

Sound Effects: Exploring Acoustic Cyber-weapons

Sunday at 13:00 in Track 2
45 minutes | Tool

Matt Wixey Cyber Security Research Lead, PwC UK

While recent research has explored the capability of attacks to cause harm by targeting devices – e.g., SCADA systems, vehicles, medical implant devices - little consideration has been given to the concept of attacks affecting psychological and physiological health by targeting humans themselves.

In a first-of-its-kind study, we assessed the capability of several consumer devices to produce sound at high and low frequencies which may be imperceptible to many people, as a result of remote and local attacks, and compared the resulting sound levels to maximum recommended levels. In doing so, we tested their viability as localised acoustic weapons which could cause temporary/permanent hearing damage and/or adverse psychological effects. We examined a number of countermeasures, including a tool to detect specified frequencies above specified thresholds.

In this talk, I will cover the background of malware which has, intentionally or not, caused physical or psychological harm. I will explore previous research on the harmful effects of sound, focusing particularly on high and low frequencies, and some of the guidance which has been proposed to limit exposure to such sound. I will examine the use of imperceptible sound as applied to security research (covert channels, ultrasonic tracking beacons, etc), and will present our experiments and findings, including threat models, methodology, the attacks we developed, and the implications of our results. Finally, I will suggest a number of countermeasures and outline some possible areas for future research.

Matt Wixey
Matt is a PhD candidate at the Dawes Centre for Future Crimes, University College London, and leads technical research for the PwC Cyber Security practice in the UK. Prior to joining PwC, Matt led a technical R&D team for a law enforcement agency in the UK. His research interests include antivirus and sandboxing technologies, unconventional attack vectors, side-channels, and radio security.

Twitter: @darkartlab