Amihai Neiderman
Head of Research, Equus
BIOGRAPHY
My name is Amihai Neiderman, 26 years old. I have worked with computers for the last 20 years or so, doing everything from high-level programming to bare-metal electronics fun.
In the last 8 years I've been working in the field of security research, mostly doing vulnerability research and exploitation on Windows, Linux and embedded devices.
Today I work for a company called Equus as the head of research, searching for Android and iOS 0-days.
How I hacked my city
The talk is an in-depth walkthrough on how I managed to take over the Tel-Aviv municipal Wi-Fi network “FREE_TLV”. The talk will take the audience through all of the steps I took while researching the network, from the first connection, getting the WAN side IP address, scanning the network and finding and exploiting a vulnerability in the network’s load-balancer.
My research began with an external IP address of the network, which I got from connecting to the Wi-Fi network and going to http://whatismyip.com. When scanning the network from the outside using nmap I got a single open port: 443. When connecting to it I found it was a network device from a company called Peplink. I started researching the device in a black-box manner and couldn't find anything interesting.
After detecting the type of the device (in a pretty cool way involving research of the HTTP headers that were being sent by the device) I went to the manufacturer's site and downloaded the right firmware.
The firmware itself was encrypted by the company so I had to reverse the boot process and the kernel patches that were inserted in order to implement the encryption and decryption process.
To save time I tried to unpack a firmware update of a simpler version of the device with a weaker encryption mechanism, and then I found a logic vulnerability which allowed me to download a specific CGI file from the device. I used this vulnerability in order to download this CGI binary from the target device. It happened that this CGI is a native binary which holds most of the web functionality, which makes it a prime candidate for research. I kept researching this binary until I found a memory corruption vulnerability which was also easy to exploit.
To check my exploit PoC I eventually reversed the entire boot process and hacked my way through their "encryption" (short XOR key :\ ) and built myself a working model of the device on a VM. I managed to write a successful exploit for Peplink's load-balancer series.
During my talk I will explain my thought process, the problems I encountered and how I overcame them. The audience will learn how real-life research is done from the eyes of an attacker: from the basics of how to detect the device you want to attack, fingerprinting it, and eventually finding a vulnerability and testing it back home before using it in the wild.
DVB-T Hacking
DVB-T is a standard for digital television broadcasting. The standard requires a consumer who wants to watch the digital television broadcasts to purchase a special device that can receive and process the RF signals.
In my research I wanted to be able to exploit a DVB-T receiver via an over-the-air attack: sending a specially crafted data packet over an RF signal and taking over the device.
The research was focused on a common receiver in Israel and Europe made by a Chinese company called MSTAR. The receiver itself is an embedded MIPS device which runs an embedded operating system. During the research I managed to extract the firmware from the flash memory chip on the board and analyze the binary dump. I reversed some of the main functions in the OS and built a custom embedded debugger in order to be able to perform live debugging, and eventually found and exploited a vulnerability in the DVB-T protocol which allowed me, using a USRP kit, to exploit every DVB-T receiver in an area of a few hundred meters.