Thursday April 4th 2024

Faulting Hardware from Software and Sustainable Mitigations

Daniel Gruss (@lavados) is an Associate Professor at Graz University of Technology. He has been teaching undergraduate courses since 2010. Daniel's research focuses on side channels and transient execution attacks. He implemented the first remote fault attack running in a website, known as Rowhammer.js. His research team was one of the teams that found the Meltdown and Spectre bugs published in early 2018. In 2023, he received an ERC Starting Grant to research the sustainability of security. He frequently speaks at top international venues.

Side-channel attacks and fault attacks are powerful means to attack computer systems without exploiting any software flaws. We will provide some basics for these attacks and show how they can compromise computer systems. We will then discuss how they are mitigated today and reveal the significant sustainability problem we are facing with this patch-security-on-top approach. We will understand how the patches work and why they are expensive. Finally, we will discuss how fundamental changes in how we design systems could yield more sustainable alternatives, both in terms of energy consumption and in creating systems with inherently strong security properties.

Daniel Gruss, Graz University of Technology

E-Spoofer: Attacking and Defending Xiaomi Electric Scooter Ecosystem

Users connect and manage their Xiaomi e-scooter over Bluetooth Low Energy (BLE) through the Mi Home mobile app. We reverse-engineer the four iterations of the Xiaomi proprietary protocol spoken over BLE and exploit six vulnerabilities to break security, privacy, and safety. We develop four proximity and remote attacks that we call Malicious Pairing and Session Downgrade. As a result, we are able to unlock software-locked e-scooters (and steal them) or prevent access to the e-scooter via Mi Home. We evaluate three e-scooters and five BLE subsystems using our open-source toolkit, and we fix the attacks by proposing two practical countermeasures.

Marco Casagrande (speaker), Riccardo Cestaro, Eleonora Losiouk, Mauro Conti and Daniele Antonioli, Institut Eurecom, Sophia-Antipolis

BLUFFS: Bluetooth Forward and Future Secrecy Attacks and Defenses

Ciao! We present the BLUFFS attacks (CVE-2023-24023), six novel attacks breaking Bluetooth's forward and future secrecy. Our attacks enable device impersonation and machine-in-the-middle across sessions by compromising and re-using one session key. We also cover related work like KNOB, BIAS, and BLUR, and educational Bluetooth security tips and tricks.

Daniele Antonioli, Institut Eurecom, Sophia-Antipolis

Security analysis of radio water meters

Smart meters are nowadays everywhere, and are used to monitor energy and water consumption. There are many different devices, from different manufacturers, and each of them needs to send information to a collecting station/device. Thus the encryption of this data is an important concern. Water meters in particular rely on local radio communication, transmitting water consumption records to local base stations. There have been few security audits of those devices, especially because they rely on proprietary radio protocols, while the data they transmit can be sensitive and personal. This work is about learning, understanding and reversing radio protocols, and shows that security measures are sometimes unsatisfactory, mainly because of how the encryption mechanisms are implemented.

Lucas Georget (speaker), Gauthier Vidal and Aurélien Francillon, LAAS-CNRS Toulouse, Institut Eurecom, Sophia-Antipolis

Bringing the Science of Cybersecurity out of the Dark Ages

Jiska is a wireless and mobile security researcher at Hasso Plattner Institute. Her main expertise is low-level wireless subsystems within proprietary firmware and operating systems. She likes reverse engineering them and opening up interfaces for other researchers and users as well.

Computer Science, especially the science of Cybersecurity, is an extremely young discipline – at least compared to natural sciences with hundreds of years of heritage. Starting with this comparison, let's take a look at why we're still practicing alchemy, what we can learn, avoid, expect, and hopefully shape on the path to enlightenment.

Jiska Classen, Hasso Plattner Institute, University of Potsdam

Ubuntu Shiftfs: Unbalanced Unlock Exploitation Attempt (CVE-2023-2612)

This talk uncovers the CVE-2023-2612 vulnerability in Ubuntu Shiftfs, originally intended for participation in Pwn2Own. The presentation will describe an unbalanced unlock bug and its impacts. Furthermore, we discuss the process of converting this bug into primitives for Local Privilege Escalation (LPE), while also addressing the encountered challenges.

Jean-Baptiste Cayrou, Synacktiv, Toulouse

Securely dealing with removable USB disks

While building a stand-alone decontamination station for removable USB disks, Viveris Technologies identified some security threat scenarios related to the usage of untrusted USB disks (bypass of the station, malicious files or on-disk filesystem formats) that could lead to data exfiltration or infiltration. The talk is about the mitigations that were identified, evaluated and implemented.

Valentin Belmon, Benoît Guillon (speakers), Didier Barvaux, Viveris Technologies

Friday April 5th 2024

The Bugs I've Found, The Bugs I Have Yet To Find

Mike Ryan is an independent security consultant from California. He founded ICE9 Consulting in 2016 to address the growing demand for security expertise in the Bluetooth/embedded/IoT space. ICE9 serves customers in the medical, industrial/automotive, and enterprise markets. Mike enjoys working with these groups because of their unique security needs and the hands-on approach needed to deliver excellent results. In his spare time, Mike collects CVEs for exotic objects such as Bluetooth skateboards (CVE-2015-2247) and Bluetooth credit cards (CVE-2018-9119).

Join Mike for a mid-career look back on 20 years of bug hunting. Take a trip down memory lane and see what was fresh from the 20's to the 10's all the way back to the naughty aughties. The surprising truth: as far as things have come, much of what worked then still works now. What will things look like 20 years from now? This talk doesn't even attempt to predict that, but we believe the fundamental truths we distill here to be timeless.

Mike Ryan, ICE9 Consulting

How to voltage fault injection?

During physical security assessments of IoT devices, one of the goals is to take advantage of debug interfaces or accessible chips to study how the devices work. An ideal scenario is the extraction of the full file system to find a way to gain root access to the device. Then, it is easier to check what services are running, debug them if needed, and finally take control of the target. It is common to encounter protections on the debug interfaces that restrict access to their full functionality, or on the boot chain that forbid any modification to it. Glitching is one way to try to bypass this kind of protection. In this presentation, we will introduce voltage glitching with several case studies to understand how it works and how it can be helpful.

Théo Gordyjan, Synacktiv

BAGUETTE: Hunting for Evidence of Malicious Behavior in Dynamic Analysis Reports

Malware analysis consists of studying a sample of suspicious code to understand it and producing a representation or explanation of this code that can be used by a human expert or a clustering/classification/detection tool. The analysis can be static (only the code is studied) or dynamic (only the interaction between the code and its host during one or more executions is studied). The quality of the interpretation of a code and its later detection depends on the quality of the information contained in this representation. To date, many analyses produce voluminous reports that are difficult to handle quickly. In this article, we present BAGUETTE, a graph-based representation of the interactions between a sample and the resources offered by the host system during one execution. We explain how BAGUETTE helps automatically search for specific behaviors in a malware database and how it efficiently assists the expert in analyzing samples. We also develop a possible use case of BAGUETTE that is currently being researched: explainable unsupervised malware behavior clustering.

Pierre-François Gimenez (speaker), Vincent Raulin, Yufei Han and Valérie Viet Triem Tong, INRIA/Centrale Supelec, Rennes

CERBERE: Cybersecurity Exercise for Red and Blue team Entertainment, Reproducibility and Experience

Experimenting in cybersecurity requires manipulating reliable and realistic data. In particular, labelled data derived from the observation of a complete campaign is rarely available, due to its high sensitivity and the difficulty of accurately labelling datasets. This situation harms the reproducibility of research results and therefore their impact. The CERBERE project addresses this issue through a reproducible attack-defense exercise and a labelled dataset usable for research purposes. The attack-defense exercise is first composed of an exercise for red teamers, automatically deployed with variable attack scenarios. Second, an exercise for blue teamers can be operated using the system and network logs generated during the attack phase. We provide the software to rebuild the infrastructure for red teamers and we share a labelled dataset in which we mark the ground truth.

Natan Talon (speaker), Pierre-Victor Besson, Romain Brisse, Hélène Orsini, Jean-François Lalande, Frédéric Majorczyk, Alexandre Sanchez and Valérie Viet Triem Tong, Hackuity, Rennes

Towards Understanding Alerts raised by Unsupervised Network Intrusion Detection Systems

The use of Machine Learning for anomaly detection in cyber security-critical applications, such as intrusion detection systems, has been hindered by the lack of explainability. Without understanding the reason behind anomaly alerts, it is too expensive or impossible for human analysts to verify and identify cyber-attacks. We propose a novel post-hoc explanation method, called AE-pvalues, which is based on the p-values of the reconstruction errors produced by an Auto-Encoder-based anomaly detection system. Our work identifies the most abnormal network traffic features associated with an anomaly alert, providing interpretations for the generated alerts. We conduct an empirical study using a network intrusion dataset, CICIDS2017, to compare the proposed AE-pvalues method with two state-of-the-art baselines. Our experimental results show that the AE-pvalues method accurately identifies abnormal influential network traffic features. Furthermore, our study demonstrates that the explanation outputs can help identify different types of network attacks in the detected anomalies, enabling human security analysts to understand the root cause of the anomalies and take prompt action to strengthen security measures.

Maxime Lanvin (speaker), Pierre-François Gimenez, Yufei Han, Frédéric Majorczyk, Ludovic Mé and Eric Totel, Université de Rennes, IRISA, Rennes

Cyberious Game: Experiencing Social Engineering

Recent waves of cyber attacks using social engineering techniques and targeting the public and institutions have highlighted the considerable need for companies and institutions to set up phishing campaigns to improve people's awareness. This presentation proposes a new approach to raising awareness of the human vulnerabilities exploited in cybersecurity attacks. It details the process of creating a serious game designed to improve public alertness in a proper, effective and sustainable way.

Ladislas Hajnal (speaker), Clément Vuillaume, ENAC, Toulouse

Exploring modern OS Administrative Privileges

With the new personal data protection and export control regulations, the Principle of Least Privilege is mandatory and must be applied even to system administrators. This article explores the different approaches implemented by the main operating systems (namely Linux, Windows, FreeBSD and Solaris) to control the privileges of system administrators in order to enforce the Principle of Least Privilege.

Eddie Billoir (speaker), Romain Laborde, Ahmad Samer Wazan, Yves Rutschle and Abdelmalek Benzekri, IRIT, Université Toulouse 3, Toulouse

PHP filter chains: How to use them

In the past, to leak local files, it was required either to fully control the path pointing to the file to leak, or to have a path traversal to go up in the file tree. Most importantly, it was mandatory for the server to send its content back to you in the response. In both cases, the affected PHP functions support wrappers, the best known being file://, a prefix placed before a file path. Other wrappers such as php://filter can also be passed to these functions, which allows leaking PHP source by base64-encoding it (e.g. php://filter/convert.base64-encode/resource=index.php). In this presentation, we will see tricks that use the php://filter wrapper either to prepend arbitrary data to a file's content or to leak data via an error-based oracle. Exploitation examples will be presented, as well as patches to protect yourself against this kind of vulnerability.

Rémi Matasse, Synacktiv, Rennes

A Portable Lab for Teaching Ethical Hacking

Coming soon

Michael Dorin, University of Saint Thomas, US