The first Mobile Security Conference (MOSEC) was organized by Team Pangu and PoC and held on June 5th, 2015, at the Langham hotel in Shanghai, China. The one-day schedule presented seven cutting-edge technical talks in the area of mobile security, covering research related to iOS, Android, and Windows, the three most popular mobile platforms. MOSEC 2015 sold out in 15 days and received high praise from both attendees and the community.
The second MOSEC will be held on Friday, July 1st, 2016 at the Grand Kempinski hotel in Shanghai, China. Following the success of the first event, MOSEC 2016 will continue to facilitate the sharing of the most advanced knowledge and technology, bringing excellent security researchers to present their frontier research to the world.
POC, the biggest hacker conference in South Korea, is highly reputable in Asia and worldwide. POC 2015 marked the 10th anniversary of this conference.
Founded by Team Pangu, the Pangu Lab is a security laboratory consisting of many senior security professionals with rich experience across a wide range of security research and industrial development. Members of the Pangu Lab have discovered hundreds of 0day vulnerabilities in major operating systems and applications, and have presented many papers and talks at premier forums such as Black Hat, CanSecWest, Syscan, RUXCON, HITCon, PoC, XCon, IEEE S&P, USENIX Security, ACM CCS, and NDSS.
Pangu Lab’s current research focuses on mobile security. Team Pangu is known for its multiple releases of untethered jailbreak tools for iOS 7, iOS 8, and iOS 9, and was the first in the world to jailbreak iOS 8 and iOS 9. Besides iOS, Pangu Lab has also made great progress in Android security research, developing products for discovering vulnerabilities in Android apps, detecting malicious Android apps, and mining mobile threat intelligence.
POC started in 2006 and is organized by Korean hackers and security experts. It is the biggest international security and hacking conference in Korea. POC concentrates on technical and creative discussion and showcases real hacking and security. POC shares knowledge for the sake of the power of the community, believing that the power of the community will make the world safer. POC has been making history with dedicated staff, hackers from around the world, and sponsors since 2006.
The Lost Land of the Chain of Trust on iOS
While it is widely believed that iOS devices are equipped with a secure boot chain and mandatory code signing to ensure that only trusted code can be executed on the device, this talk will discuss an exceptional case: certain coprocessors have no code signing protection at all. Specifically, this talk will present and demonstrate in detail how we installed a manipulated firmware in an iOS device's camera coprocessor and thus gained arbitrary code execution in the camera. Along with this finding, this talk will also explore an underlying data sharing channel between applications, the kernel and user space, and discuss how it could lead to severe compromises of user privacy and data integrity; for example, it could be leveraged by any container app to stealthily obtain the wallpaper of an iOS device or the last photo the user took.
Founded by Team Pangu, the Pangu Lab is a security laboratory consisting of many senior security professionals with rich experience across a wide range of security research and industrial development. Pangu Lab’s current research focuses on mobile security.
KeenLab of Tencent
Talk is cheap, show me the code - How we rooted 10 million phones with one exploit again
On March 18th, an out-of-band (OOB) security advisory was released by Google to address vulnerability CVE-2015-1805. This vulnerability exists in the pipe implementation and was affecting almost all Android devices by the time it was discovered, covering even more devices than CVE-2015-3636 (Android 4.2+). Although it was reported by the C0RE team and Zimperium in February and March respectively, Keen Lab (that is, we) were the first to publish a working PoC (December 2015). We were also the authors of the exploit in KingRoot that was discovered by Zimperium. In this session, we are going to discuss the vulnerability itself, how we successfully exploited it on a variety of devices without hardcoding, and our thoughts and findings based on this unexpected event. Talk is cheap, show me the code.
The root team of Keen Lab has been working on high-impact rooting of Android devices for the past 2 years. In 2015 they released PingPong Root (CVE-2015-3636), which was nominated for the best privilege escalation bug at the Pwnie Awards. This year they are going to share the details of how they did the whole universal root thing again in 2016.
James Fang (@idl3r) is a security researcher from Keen Lab, focusing on Android kernel and root. He shared how to root 10 million phones with one exploit at MOSEC 2015 last year.
Di Shen (@returnsme) is a security researcher from Keen Lab focusing on Android. He has been hunting and exploiting Android kernel bugs for years. He also presented on TrustZone exploits at MOSEC 2015 last year.
Wen Niu (@NWMonster) is a security researcher from Keen Lab, focusing on mobile security research.
IceSword Lab of Qihoo 360
Advanced Android Root Technique: bypass PXN
PXN means “Privileged Execute-Never”, one of the exploit mitigations used on Android devices. It stops the kernel from executing shellcode placed in user space, which makes exploitation much harder. In this talk, we will discuss a way to bypass PXN. The technique we will disclose is different from the traditional ROP/JOP techniques: it takes advantage of an existing module in the kernel, so it is compatible with almost all Android devices. We will also show how to root an Android device with the technique discussed. It exploits a vulnerability in a Qualcomm driver that was reported to Google by IceSword Lab.
@jianqiangzhao is a security researcher at IceSword Lab who focuses on developing Linux kernel drivers and finding Android kernel vulnerabilities.
@jiayy is a security researcher at IceSword Lab who works on finding and exploiting Android kernel vulnerabilities.
@jfpan is the leader of IceSword Lab.
@jianqiangzhao and @jiayy have already reported dozens of bugs to Google in 2016.
A Way of Breaking Chrome’s Sandbox in Android
As is well known, many vulnerabilities exist in Android system services. Unfortunately, because Chrome's render processes run in the isolated_app domain, and processes in this domain can access only a minority of system services, most of the vulnerabilities in system services can’t be triggered from a render process. In this presentation, we are going to introduce a way of breaking Chrome’s sandbox in Android with the assistance of bugs in system services. Some famous vulnerabilities in system services can be exploited to bypass the sandbox this way, and we’ve found some new bugs that can be used with this method too. At the end of the presentation, we’ll detail how to exploit a bug of this type to obtain the Wi-Fi password.
Guang Gong(@oldfresher) is a security researcher of the Mobile Safe Team of Qihoo 360. His research interests include Windows rootkits, virtualization and cloud computing. He currently focuses on mobile security, especially on hunting and exploiting Android’s vulnerabilities. He has spoken at several security conferences such as Black Hat, CanSecWest, PHDays, PacSec, SysCan360. He is the winner of Pwn2Own 2015, Pwn0Rama 2016 (the category of mobile devices), and Pwn2Own 2016 (the target: Chrome).
Analyzing vehicle's CAN network with help of CANToolz
Each car has its own CAN network with a different set of ECUs. How do we understand this traffic? How do we get the frames that give us the ability to control an ECU and perform actions? In most cases information about this traffic is not exposed to the public, and researchers need to do some reverse engineering and black-box analysis on the CAN network. For that purpose we have developed an open-source framework, CANToolz, which gives us the ability to play with the CAN bus and understand how ECUs communicate with each other. In this talk, we will describe our experience with taking control of a car over CAN: all the steps, from how to find and test the CAN wires and ECUs, to how to do simple traffic analysis to get an ECU's control frames, such as "unlock car", "open trunk", etc. Then we will show you how to use the math/statistics methods and correlation mechanisms of CANToolz to get more accurate data classification and command/event detection.
Michael Elizarov (@_saplt) is a security researcher from Russia. He focuses on penetration testing and protocol security.
Sergey Kononenko is a leading software engineer at Siemens R&D department.
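The "simple traffic analysis" step described in the abstract above, as an added example that is not CANToolz's own code: two captures in the common candump text format, one recorded with the car idle (baseline) and one recorded while the operator pressed a button (event), are compared to find frames that appear only during the action. The capture lines, the arbitration IDs and the payloads are constructed for illustration and do not correspond to any real vehicle. Byte positions that change even in the idle capture (rolling counters, checksums) are masked first, so that they do not show up as false candidates; surviving candidates are then ranked by how close they appear to the moment of the action.

```python
"""Differential analysis of two CAN captures to find candidate control frames.

Added example, not CANToolz code. Capture lines, IDs and payloads below are
constructed; the candump text format "(timestamp) iface ID#HEXDATA" is real.
"""
import re
from collections import defaultdict

LINE_RE = re.compile(
    r"\((?P<ts>[\d.]+)\)\s+(?P<iface>\S+)\s+(?P<id>[0-9A-Fa-f]+)#(?P<data>[0-9A-Fa-f]*)"
)

# Constructed baseline: car idle. 0x1A0 carries a rolling counter in byte 7.
BASELINE = """
(1462000000.000) can0 1A0#0000000000000000
(1462000000.010) can0 2C4#0000
(1462000000.020) can0 1A0#0000000000000001
(1462000000.030) can0 3E8#C8
(1462000000.040) can0 1A0#0000000000000002
(1462000000.050) can0 2C4#0000
"""

# Constructed event capture: operator pressed "unlock" at t = 1462000010.030.
EVENT = """
(1462000010.000) can0 1A0#0000000000000003
(1462000010.010) can0 2C4#0000
(1462000010.020) can0 1A0#0000000000000004
(1462000010.030) can0 2C4#0200
(1462000010.040) can0 3E8#C8
(1462000010.050) can0 2C4#0200
(1462000010.060) can0 1A0#0000000000000005
"""
T_ACTION = 1462000010.030


def parse_candump(text):
    """Return a list of (timestamp, arbitration id, payload bytes); skips junk lines."""
    frames = []
    for line in text.strip().splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            frames.append((float(m["ts"]), int(m["id"], 16), bytes.fromhex(m["data"])))
    return frames


def volatile_byte_mask(frames):
    """Per-ID set of byte offsets that vary without any action (counters, checksums)."""
    by_id = defaultdict(list)
    for _, can_id, data in frames:
        by_id[can_id].append(data)
    mask = {}
    for can_id, payloads in by_id.items():
        width = max(len(p) for p in payloads)
        mask[can_id] = {
            i for i in range(width) if len({p[i] for p in payloads if i < len(p)}) > 1
        }
    return mask


def normalize(data, volatile):
    """Zero the volatile bytes so payloads differing only by counter compare equal."""
    return bytes(0 if i in volatile else b for i, b in enumerate(data))


def diff_captures(baseline, event):
    """Map (id, masked payload) -> timestamps for payloads never seen in the baseline."""
    mask = volatile_byte_mask(baseline)
    known = defaultdict(set)
    for _, can_id, data in baseline:
        known[can_id].add(normalize(data, mask.get(can_id, set())))
    candidates = defaultdict(list)
    for ts, can_id, data in event:
        norm = normalize(data, mask.get(can_id, set()))
        if norm not in known[can_id]:
            candidates[(can_id, norm)].append(ts)
    return dict(candidates)


def rank_by_proximity(candidates, t_action):
    """Order candidates by distance of their first appearance from the action time."""
    ranked = [
        (can_id, payload.hex(), min(abs(ts - t_action) for ts in stamps), len(stamps))
        for (can_id, payload), stamps in candidates.items()
    ]
    return sorted(ranked, key=lambda r: r[2])


if __name__ == "__main__":
    found = diff_captures(parse_candump(BASELINE), parse_candump(EVENT))
    for can_id, payload, delta, count in rank_by_proximity(found, T_ACTION):
        print(f"0x{can_id:03X}#{payload}  first seen {delta:.3f}s from action, {count} frames")
```

The counter in 0x1A0 is masked out because it already varied in the idle capture, so only the 0x2C4 payload 0200 survives as a candidate; on a real bus the next step is to replay that frame and confirm the ECU reacts, then move to the statistical classification the abstract mentions.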
Give Mobile Security the Boot
The security of both Android and iOS rests on the boot process. Starting long ago with Apple's iOS, the "chain of trust" model of verified firmware boot has been adopted by Android as well, utilizing ARM's TrustZone (ARMv7) and exception-level (ELx) architecture (ARMv8). This talk will compare and contrast the boot loading sequence of iOS 9/10 and that of leading Android devices (e.g. Nexus, Samsung). Special emphasis will be given to the secure monitor infrastructures used by both, as well as the cryptographic techniques which ensure the integrity of the OS both in the boot process and throughout its lifetime.
Jonathan Levin is the founder and CTO of Technologeeks, a group of experts devoted to tackling the toughest problems and most challenging technologies in software today. Focusing on operating system internals and networking, Technologeeks aims to deliver expert solutions for the Big Three (Windows, Linux and Mac OS) and the leading mobile derivatives, Android and iOS. Jonathan is the author of "Android Internals" and "Mac OS X and iOS Internals", the two definitive works on the inner workings of today's mobile operating systems.
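The "chain of trust" model the abstract above refers to, as an added illustration that is neither Apple's nor Android's code: each boot stage carries the digest of the stage it will load next, and the only value the chain is anchored to is one digest held in the immutable boot ROM. The example substitutes a SHA-256 hash chain for the asymmetric signatures real devices use (where the ROM holds a public key and each image carries a signature, so images can be re-signed without touching the ROM); the stage names and image contents are placeholders. It shows the two facts a practitioner should take away: the chain has to be built back to front, because a stage cannot commit to a successor that does not exist yet, and tampering is caught by the stage that loads the modified image, so repointing an earlier stage at a patched successor only moves the failure earlier.

```python
"""Minimal verified-boot chain (added illustration, not a real device's code).

SHA-256 stands in for the signature check of real secure boot; stage names and
image bytes are placeholders.
"""
import hashlib
from dataclasses import dataclass

DIGEST_LEN = 32
TERMINATOR = b"\x00" * DIGEST_LEN  # "no next stage" marker for the last image


@dataclass(frozen=True)
class Stage:
    name: str
    code: bytes          # the stage's executable image (placeholder bytes)
    next_digest: bytes   # digest of the image this stage will load, or TERMINATOR

    def image(self) -> bytes:
        # The digest covers code *and* next_digest, so a verified stage cannot
        # be silently repointed at a different successor.
        return self.code + self.next_digest

    def digest(self) -> bytes:
        return hashlib.sha256(self.image()).digest()


def build_chain(names_and_code):
    """Build stages back to front. Returns (stages, root digest for the boot ROM)."""
    next_digest = TERMINATOR
    stages = []
    for name, code in reversed(names_and_code):
        stage = Stage(name, code, next_digest)
        stages.append(stage)
        next_digest = stage.digest()
    stages.reverse()
    return stages, next_digest


def verify_boot(stages, rom_digest):
    """Walk the chain front to back as the ROM would.

    Returns (ok, names of stages that verified, name of the first failing stage).
    """
    expected = rom_digest
    verified = []
    for stage in stages:
        if stage.digest() != expected:
            return False, verified, stage.name
        verified.append(stage.name)
        expected = stage.next_digest
    return expected == TERMINATOR, verified, None


def tamper(stage: Stage, patch: bytes) -> Stage:
    """Return a copy of stage with modified code; its next_digest is left intact."""
    return Stage(stage.name, stage.code + patch, stage.next_digest)


if __name__ == "__main__":
    chain, root = build_chain([("bootloader", b"BL"), ("kernel", b"K"), ("system", b"S")])
    print("clean boot:", verify_boot(chain, root))
    patched = tamper(chain[1], b"#rootkit")
    print("patched kernel:", verify_boot([chain[0], patched, chain[2]], root))
    # Attacker also rewrites the bootloader to accept the patched kernel; now the
    # bootloader itself no longer matches the ROM digest.
    repointed = Stage(chain[0].name, chain[0].code, patched.digest())
    print("repointed bootloader:", verify_boot([repointed, patched, chain[2]], root))
```

On real hardware the ROM digest corresponds to the fused public-key hash, and "throughout its lifetime" integrity is enforced by the same idea applied at runtime (signed code pages, verified filesystem blocks) rather than only once at boot.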
Rapid Radio Reversing
Wireless security researchers have an unprecedented array of tools at their disposal today. Although Software Defined Radio (SDR) is the single most valuable tool for reverse engineering wireless signals, it is sometimes faster and easier to use other tools for portions of the reverse engineering process. I'll discuss how beneficial a hybrid SDR/non-SDR approach has been to security researchers, and I'll walk through an example of the process.
Michael Ossmann is a wireless security researcher who makes hardware for hackers. Best known for the open source HackRF, Ubertooth, and Daisho projects, he founded Great Scott Gadgets in an effort to put exciting, new tools into the hands of innovative people.