Reverse engineering is critical to exploitation. However, going through the process of reverse engineering can often lead to a great deal more than just uncovering a bug. So much so that you might find what you need for exploitation even if you don’t find a bug.
That’s right. If you go through object data, object representation, object states, and state changes enough you can find out quite a lot. Yes. Poor application logic is a bitch. Just ask any application penetration tester. This time it is not the magstripe. It’s appsec and you will get to see how application attacks can be used against a hardware platform.
In this talk, I will go through the journey that I took in reverse engineering the public transportation system of an east asian mega-city, the questions that I asked as I wondered “How does this work?”, the experiments that I ran to answers those questions, what I learned that lead me to an exploit capable of generating millions of dollars in fake tickets for that very same system, and how other designers can avoid the same fate. Not without risk, this research was done under a junta so I will also be telling you how I kept myself out of jail while doing it. Please join me. You won’t want to miss it.
Gregory Pickett CISSP, GCIA, GPEN has a background in intrusion analysis for Fortune 100 companies but now heads up Hellfire Security’s Managed Security Services efforts and participates in their assessment practice as a network security subject matter expert. As a security professional, his primary area of focus and occasional research is networks with an interest in using network traffic to better understand, to better defend, and sometimes to better exploit the hosts that live on them. He holds a B.S. in Psychology which is completely unrelated but interesting to know. While it does nothing to contribute to how he makes a living, it does demonstrate how screwed up he actually is.