MOSEC

The Mobile Security Conference (MOSEC) is organized by Team Pangu and PoC and was first held in 2015. MOSEC focuses on cutting-edge research topics in the area of mobile security, fosters information exchange among researchers and practitioners, and has received high praise from both attendees and the community.

MOSEC 2017 will be held on Friday, June 23rd, 2017 at the Grand Kempinski hotel in Shanghai, China. Following the success of the past events, MOSEC 2017 will continue to facilitate the sharing of the most advanced knowledge and technology. MOSEC 2016 will bring excellent security researchers to present their frontier studies to the world.

Organizers

Founded by Team Pangu, the Pangu Lab is a security laboratory consisting of many senior security professionals with rich experience across a wide range of security research and industrial development. The members of the Pangu Lab have discovered hundreds of 0day vulnerabilities in major operating systems and applications, and have presented many papers and talks at premier forums such as Black Hat, CanSecWest, Syscan, RUXCON, HITCon, PoC, XCon, IEEE S&P, USENIX Security, ACM CCS, and NDSS.

Pangu Lab's current research focuses on mobile security. Team Pangu is known for its multiple releases of untethered jailbreak tools for iOS 7, iOS 8, and iOS 9. Team Pangu was also the first in the world to jailbreak iOS 8 and iOS 9. Besides iOS, Pangu Lab has also made great progress in Android security research, and has developed various products for discovering vulnerabilities in Android apps, detecting malicious Android apps, and mining mobile threat information.

POC started in 2006 and has been organized by Korean hackers and security experts. It is the biggest international security and hacking conference in Korea. POC concentrates on technical and creative discussion and shows real hacking and security. POC shares knowledge for the sake of the power of community, and believes that the power of community will make the world safer. POC has been making history with its dedicated staff, hackers from around the world, and sponsors since 2006.

Speakers
Max Bazaliy
Pwning Apple Watch
Time 2017/06/23
Introduction

Apple Watch was introduced in 2015 and became a popular device. Apple Watch runs watchOS, which is a modified version of the 32-bit iOS operating system.

In this talk I will show how to compromise an Apple Watch. I will give an overview of watchOS security mechanisms, such as code signing enforcement, sandboxing, memory protections, etc.

I will cover a sequence of vulnerabilities and exploitation details that were used for the initial kernel memory dump, sandbox bypass, kernel-level ASLR bypass, kernel-level code execution, and finally setting up an SSH tunnel on the watch.

The talk will also focus on the techniques used in the process of making an Apple Watch jailbreak, including kernel symbolication tools, a patchfinder, and a kernel structure analyzer.

Given these security issues, a compromised Apple Watch can spy on its user. A watch jailbreak does not require a phone jailbreak, so spyware can run autonomously on the watch alone.

I will demo how a jailbroken watch can access user data such as messages, contacts, and GPS, or activate the microphone, without any indication that it is happening.

Speaker

Max is a Staff Security Researcher at Lookout who has more than ten years of experience in areas such as mobile security, security protocol design and analysis, mobile security research, tools and techniques development for vulnerability assessment and post-exploitation, reverse engineering of mobile and desktop platforms, and penetration testing. Max was a lead security researcher in the Pegasus malware investigation.

In the past few years, Max has spoken at various security and engineering conferences, including BlackHat, CCC, Defcon, Ruxcon, RSA, UIKonf, and Mobile Central Europe.

Max holds a Master's degree in Computer Science and is currently a PhD student at the National Technical University of Ukraine "Kyiv Polytechnic Institute", where he is working on a dissertation in the area of code obfuscation and privacy.

Liang Chen
Revisiting the Kernel Security Enhancements in iOS 10
Time 2017/06/23
Introduction

Apple improved iOS kernel security in iOS 10 more than in any previous release. Efforts were made from different angles, including patching several critical vulnerabilities with the iOS 10 release, better handling of some key mechanisms, and introducing more exploitation mitigations. Furthermore, those enhancements were continued and strengthened by Apple in the 10.1-10.3.x releases.

In this talk, we will discuss Keen Lab's research findings on iOS 10 kernel security from three perspectives: vulnerabilities, mechanisms, and exploitation mitigations.

Speaker

Liang Chen is a co-founder of Tencent Keen Security Lab (previously known as KeenTeam). He leads the Pwn2Own contest project in Keen Lab. His major focus includes advanced exploitation techniques for modern browsers, bug hunting and exploitation on Apple operating systems (macOS/iOS), etc. He won the iOS category in Mobile Pwn2Own 2013 and the OS X category in Pwn2Own 2014. He led the Keen Lab team, together with the Tencent PC Manager team, to win the Master of Pwn title in Pwn2Own 2016.

In the past few years, Liang Chen has been invited to speak at several domestic and international security conferences, including Infiltrate 2017, Black Hat USA 2016, RECon 2016, CanSecWest 2015/2016, PoC 2015/2016, Black Hat Europe 2014, XCon 2013, etc.

Tao Wei / Yulong Zhang
Overcome the Restrictions of the Current Android App Signature Scheme
Time 2017/06/23
Introduction

The Android ecosystem is built upon its App signature scheme. For example, for most App stores, an updated App must be signed by the same private key that signed the old versions. App signatures are also checked on devices during App installation/upgrading and permission management. Moreover, the signing certificates are widely used by antivirus vendors for App reputation ranking and whitelisting. Consequently, maintaining the security of the App signing key is of critical importance. If the private key is lost, one can no longer publish new upgrades to the App store; and if the private key falls into an attacker's hands, he/she can sign and distribute apps that impersonate/replace the authentic apps and bypass the detection of antivirus products. In short, it is crucial to secure the App signing key.

However, based on our observation, signing key leakage incidents keep happening, even at some large, well-known companies. There is an urgent need to remedy this kind of issue. What's more, many developers are using weak hash algorithms during signing, which are easy to break nowadays. Since the unchangeable signing certificates are bound to such weak signing algorithms, an upgrade solution that does not cause incompatibilities is also required.

In this talk, we will perform a thorough study of the current Android signing process and compare it with other platforms. More importantly, we will describe an easy yet effective proposal that is compatible with the existing signature scheme. Hopefully the whole ecosystem can adopt this new signature scheme, and fight together against the underground businesses abusing lost signing keys.

Speaker

Yulong Zhang is the Senior Staff Security Scientist of Baidu; Dr. Lenx (Tao) Wei is the head of Baidu X-Lab and Chief Security Scientist of Baidu. Both of them have published articles and given talks at top conferences such as Black Hat, RSA, USENIX Security, IEEE S&P, etc., and have served as reviewers for prestigious conferences and journals. Their work has been widely covered by media outlets such as BBC, CNN, and Reuters, and has received acknowledgements from companies such as Samsung, Apple, Qualcomm, Google, and Pebble.

Luca Todesco
A Look at Modern iOS Exploit Mitigation Techniques
Time 2017/06/23
Introduction

This talk will give a quick look at the history of iOS mitigations, the effectiveness of said mitigations from the point of view of an attacker, and implementation details of mitigation techniques such as WatchTower and the so-called AMCC.

Attack techniques and weaknesses for these mitigations will also be explained, with a look at the Yalu jailbreaks in particular.

Additionally, future mitigations such as control flow integrity will be discussed, and iOS specific weaknesses will be shown.

Speaker

Luca (aka @qwertyoruiopz) is a talented young Italian security researcher who likes looking into hardened devices. He released the Yalu jailbreak for 10.2 this year and introduced a way to fully bypass KPP. He has hacked devices such as the iPhone, PS4, and Nintendo Switch.

Peter Kamensky
Box of illusion
Time 2017/06/23
Introduction

The age of IoT is at our threshold. Many large-scale companies have already started developing security solutions to make this brave new world safe. One possible, one might even say surefire, approach is to create a device that connects to a network and protects the other devices on it. Let's discuss the effectiveness of this approach in relation to the BitDefender Box.

Speaker

Information security specialist at Embedi. Focuses on low-level work, reversing, malware analysis, bypassing various protection systems, and OS kernels.

Wanqiao Zhang
Castle in the Sky - Flight Safety Analysis
Time 2017/06/23
Introduction

This talk covers current security problems faced by civil aircraft, including weaknesses in the aircraft's own technology, such as ADS-B system spoofing attacks, communication sniffing, voice injection attacks, and other new threats. In view of the recent incidents in which "illegal drones" repeatedly disturbed normal civil aircraft operations, the characteristics of the communication links of UAVs on the market were analyzed in detail, and the fingerprint characteristics of UAV signals were revealed. A set of effective UAV control strategies for combating "illegal drones" is also presented.

Speaker

Wanqiao Zhang is a researcher in the Qihoo360 radio security research department, engaged in security research on mobile network communications, aviation wireless communications, navigation satellite system communications, and other areas. Speaker at DEFCON, RUXCON, POC, and other domestic security conferences. One of the authors of the security book "Radio Security Attack and Defense Reveal". Qihoo360 representative in 3GPP.

Hao Chen
The wounded Android Wi-Fi driver - from EoP to RCE
Time 2017/06/23
Introduction

The Android Wi-Fi driver has been the focus of many security researchers, and a large number of root vulnerabilities have been found in it. But most of these vulnerabilities are present in the WEXT (Wireless Extensions) interface, and WEXT is now out of date.

cfg80211 is a new Wi-Fi configuration API designed to replace WEXT. In this talk, I will show how to find a large number of vulnerabilities in the cfg80211 driver.

In addition, I will introduce the remote attack surface in the Wi-Fi driver, and describe how vulnerabilities in the Wi-Fi chip can be used to achieve kernel-level remote code execution.

Speaker

Hao Chen is a security researcher on the 360 Alpha Team. He is now mainly focused on Android vulnerabilities, including root EoP and sandbox escape.

He has found many vulnerabilities in Android. He has given talks at KCon 2015 and SyScan360 2017.

Schedule

08:00 - 09:00

On-site Registration

09:00 - 09:10

Welcome Speech

09:10 - 10:00

Overcome the Restrictions of the Current Android App Signature Scheme

Tao Wei / Yulong Zhang (Security Scientist of Baidu)

10:00 - 10:50

A Look at Modern iOS Exploit Mitigation Techniques

Luca Todesco

10:50 - 11:10

Break

11:10 - 12:00

Castle in the Sky - Flight Safety Analysis

Wanqiao Zhang (UnicornTeam of Qihoo360)

12:00 - 13:30

Lunch

13:30 - 14:20

Pwning Apple Watch

Max Bazaliy (Security Researcher of Lookout)

14:20 - 15:10

The wounded Android Wi-Fi driver - from EoP to RCE

Hao Chen (Alpha Team of Qihoo360)

15:10 - 15:30

Break

15:30 - 16:20

Box of illusion

Peter Kamensky (Security specialist of Embedi)

16:20 - 17:10

Revisiting the Kernel Security Enhancements in iOS 10

Liang Chen (KeenLab of Tencent)

17:10 - 17:30

Closing

Hotel
Grand Kempinski Hotel Shanghai
2017/06/23 (Friday)