Highlights from Hack.lu 2024 (Day 3)
Day 3 of Hack.lu featured a mix of talks exploring both physical and digital security challenges. From discussions on outdated physical security measures to vulnerabilities in cutting-edge mobile app frameworks and critical infrastructure systems, the day offered valuable insights for cybersecurity professionals. The sessions provided practical demonstrations and real-world examples of how attackers exploit weaknesses in both physical and virtual environments, while also highlighting tools and techniques for enhancing detection and prevention.
Morning Sessions
Back to the Failure - Did Your Physical Security Really Evolve in the Last 40 Years? Presented by Simon Geusebroek from Synacktiv, this talk revisited the evolution (or lack thereof) of physical security measures over the past four decades. Geusebroek demonstrated how many physical security systems, such as locks and access controls, remain vulnerable to basic bypass techniques. The session highlighted how outdated security practices and reliance on certifications give a false sense of security, allowing attackers to easily breach supposedly “secure” facilities.
Blowing up Gas Stations for Fun and Profit Pedro Umbelino exposed vulnerabilities in Automated Tank Gauging (ATG) systems, which monitor fuel levels in critical infrastructures like gas stations and military bases. Umbelino revealed several zero-day vulnerabilities that could allow attackers to remotely manipulate fuel storage systems, potentially causing environmental and economic damage. Despite previous warnings, many ATG systems remain unprotected and accessible online, leaving critical infrastructure at risk.
Reversing Flutter with Blutter and Radare2 This technical workshop delved into the complexities of reverse engineering Flutter applications. Axelle Apvrille guided attendees through the complexities of reverse engineering Flutter applications. Flutter, a popular cross-platform mobile development framework, poses unique challenges for reverse engineers due to its custom binary format. Apvrille introduced tools like Blutter and Radare2 to analyze and manipulate Flutter binaries, offering practical techniques to uncover vulnerabilities and modify app behavior.
Afternoon Sessions
Scanning with the Artemis Security Scanner Presented by Krzysztof Zając, this session focused on Artemis, an open-source tool for automating vulnerability scanning across domains. Zając walked through how CSIRTs, network administrators, and hosting providers can set up Artemis to scan large networks and automatically report findings. The hands-on session covered the tool’s installation, configuration, and reporting capabilities, providing a scalable solution for identifying vulnerabilities across thousands of domains.
iOS Compromise Detection Using Open Source Tools David Durvaux and Christophe Vandeplas led this workshop on detecting compromises on iOS devices using sysdiagnose and other open-source tools. They demonstrated how sysdiagnose can collect detailed diagnostic data from iPhones and iPads, and how security teams can use these tools to uncover potential breaches, including spyware and misconfigurations. Participants learned how to parse sysdiagnose files and use the data to build timelines, enabling more efficient and thorough investigations of iOS device