TyphoonCon

The talk will introduce two new network-based attacks. Both attacks can apply to any network. The first attack is against next-generation firewalls and can be used to bypass data limits of Wi-Fi or cellular subscriptions or to exfiltrate data. As a concrete demo, I will abuse it to bypass the usage limits of a cellular network in the Philippines, allowing an attacker to access the internet even though they ran out of consumable data. The second attack is against rate-limiting systems where the user is, for instance, only allowed to try a password three times before having to wait for one minute. I will present new techniques that can try more passwords than normally allowed and demonstrate this against a phone number verification system, where the presented technique can brute-force a 4-digit SMS code within roughly 15 minutes.

Two novel attacks are introduced. Both can apply to many networks and/or web services:

– The attacks presented against rate-limiting systems may apply against many more systems. Attendees will want to audit their own software to see if they can be attacked in similar ways.

– The attack against next-generation firewalls teaches attendees that such firewalls must be configured with care and illustrates some possible pitfalls. This will hopefully inspire attendees to double-check the security of their own networks.

First attack

The first attack is against next-generation firewalls. In the talk I will start with a concrete, real-life scenario, where this attack was demonstrated. In particular, I will first explain how this was used against a cellular network provider of the Philippines that uses a firewall to block access to the internet once the consumable data is used up. In that situation, the user can still access the website of the cellular provider to pay for new consumable data, but cannot visit any other website. I will explain how the firewall inspects plaintext HTTP requests, and based on data in the HTTP request either allows or blocks access to the website. However, before the client can send this HTTP request, it must complete a TCP handshake with the remote server. Interestingly, the user can complete a TCP handshake with *any* server on the internet, but cannot send data over the established TCP connection.

Second attack

The second attack targets rate-limiting systems. Similar to the first attack, I will start with a concrete scenario, and generalize from that. In particular, I will explain how a phone number verification system can be bypassed by guessing the SMS verification code within 15 minutes. In the system being targeted, the phone number verification system allows a user to enter the SMS verification code three times. After three attempts, the user must wait two minutes after which they can request a new SMS verification number. In other words, by default an adversary can make only 3 guesses for the SMS verification code per two minutes.

About the speaker

Mathy Vanhoef is an assistant professor in the DistriNet research group of the Department of Computer Science at KU Leuven. He previously was a PostDoc at NYU Abu Dhabi and obtained his PhD at KU Leuven.
