BEGIN:VCALENDAR
VERSION:2.0
PRODID:-//leHACK//NONSGML Events//EN
BEGIN:VEVENT
UID:2173
DTSTAMP:20260517T103414
DTSTART:20260627T183000
DTEND:20260627T185000
LOCATION:Amphithéâtre Gaston Berger
DESCRIPTION:How do you listen to the 3G network with whatever you have on hand?\nWith a TV receiver, a home-made antenna, gr-gsm and simple_IMSI-catcher.py!
SUMMARY:simple_IMSI-catcher: 11 years already! - Oros
ATTACH;FMTTYPE=image/jpeg:
URL;VALUE=URI:https://lehack.org/2026/tracks/conferences/#simple_imsi-catcher-deja-11-ans
END:VEVENT
BEGIN:VEVENT
UID:2170
DTSTAMP:20260517T103135
DTSTART:20260627T174500
DTEND:20260627T183000
LOCATION:Amphithéâtre Gaston Berger
DESCRIPTION:Have you ever tried to infiltrate a highly secured event?\n\nProbably not. We have :).\n\nIn this talk, we will see how the security measures of some of the largest events can be bypassed using a range of methods, tools and techniques, from OSINT to social engineering.\n\nStarting from real cases of physical intrusion, we will dissect the architecture of these events: perimeters, access zones, human roles, accreditations, etc.\n\nFinally, demonstrations will illustrate how measures designed to protect can become exploitable as soon as validation relies on human mechanisms.
SUMMARY:ALL ACCESS AUTHORIZED : How to infiltrate major events for fun and profit
ATTACH;FMTTYPE=image/jpeg:
URL;VALUE=URI:https://lehack.org/2026/tracks/conferences/#all-access-authorized-how-to-infiltrate-major-events-for-fun-and-profit
END:VEVENT
BEGIN:VEVENT
UID:2167
DTSTAMP:20260517T102939
DTSTART:20260627T172000
DTEND:20260627T174000
LOCATION:Amphithéâtre Gaston Berger
DESCRIPTION:“Smart city” applications promise safety, modernity and energy savings. On paper, everything is perfectly under control. In reality… let's say it is more bright than secure.\n\nThis presentation analyses a mobile application used to control public lighting, report dangerous areas and share one's location with relatives. Officially, the system is protected, restricted (and, according to its creator, “unhackable”).\n\nIn practice, even a moderate understanding of how it works makes it possible to bypass the geographic restrictions and switch on all the street lamps of a city (or even of hundreds of municipalities) without any authentication.\n\nBut that is only the beginning. Critical flaws also make it possible to identify supposedly anonymous users, reconstruct their habits, access private events and manipulate real-time location sharing.\n\nThrough a rigorous technical analysis and a certain sense of nuance, this talk sheds light on a simple truth: announcing advanced security is not enough to make it real.
SUMMARY:LeHack 117: Licence to light up the whole city - MadSquirrel
ATTACH;FMTTYPE=image/jpeg:
URL;VALUE=URI:https://lehack.org/2026/tracks/conferences/#lehack-117-permis-dilluminer-toute-la-ville
END:VEVENT
BEGIN:VEVENT
UID:2178
DTSTAMP:20260517T102721
DTSTART:20260627T170000
DTEND:20260627T172000
LOCATION:Amphithéâtre Gaston Berger
DESCRIPTION:Radio frequencies carry all kinds of data, from air traffic communications to car key fobs, and most of it is surprisingly easy to intercept. This talk shows you how radio hacking really works. No need for expensive equipment or years of experience. With the right tools and the right knowledge, the spectrum finally becomes visible.
SUMMARY:R4di0_P1r4cy - Beemo
ATTACH;FMTTYPE=image/jpeg:
URL;VALUE=URI:https://lehack.org/2026/tracks/conferences/#r4di0_p1r4cy
END:VEVENT
BEGIN:VEVENT
UID:2168
DTSTAMP:20260517T102524
DTSTART:20260627T161500
DTEND:20260627T170000
LOCATION:Amphithéâtre Gaston Berger
DESCRIPTION:Everyone knows the Bluetooth Low Energy protocol and its vulnerabilities, because they regularly make the headlines, and 2026 has been no exception. A simplified pairing mechanism exploitable by attackers, unencrypted communications leaking sensitive information, humanoid robots compromised through a command injection sent over BLE, audio stream injection into earbuds: so many problems revealed in recent years by numerous security researchers, which undermine the image of this protocol and of the devices that use it. But do you really know *all* the means at your disposal to compromise such devices?\n\nIn this talk, we will cover lesser-known aspects of the Bluetooth Low Energy protocol and how they can be exploited to compromise the integrity and security of connected devices. Some of these techniques were discovered while analysing different implementations, or directly during tests carried out on home-automation devices or smartphones; others are very little known or have never been published to date. Whether you are an expert on this communication protocol or simply a curious newcomer wanting to discover advanced attacks, this talk may teach you some rather surprising things.
SUMMARY:Pwning bluetooth devices in unexpected ways - Virtualabs
ATTACH;FMTTYPE=image/jpeg:
URL;VALUE=URI:https://lehack.org/2026/tracks/conferences/#pwning-bluetooth-devices-in-unexpected-ways
END:VEVENT
BEGIN:VEVENT
UID:2166
DTSTAMP:20260517T102402
DTSTART:20260627T155000
DTEND:20260627T161000
LOCATION:Amphithéâtre Gaston Berger
DESCRIPTION:When people think of warez, they think of video games, the Adobe suite or Microsoft Word. But there is another scene that has also existed for a long time: the scene for industrial control software.\n\nThis software provides the development and interaction environments for physical control systems and for programming industrial controllers (PLCs); in short, the software that makes our industrial world run.\n\nWe will try to analyse this market from two angles.\n\nOn one side, a technical analysis looking at certain cracks and keygens, as well as tools that bypass the built-in security of controllers, to see what they actually do technically and to determine whether their actions are legitimate or whether it is nothing but sugar water and a lot of malware.\n\nOn the other side, the distribution, the vendors and the target customers of this market.
SUMMARY:Warez for the working man: investigating a warez scene for industrial control software - biero-el-corridor
ATTACH;FMTTYPE=image/jpeg:
URL;VALUE=URI:https://lehack.org/2026/tracks/conferences/#warez-for-the-working-man-investigations-dune-warez-des-logiciel-de-controle-commande-industrielle
END:VEVENT
BEGIN:VEVENT
UID:2174
DTSTAMP:20260517T102212
DTSTART:20260627T153000
DTEND:20260627T155000
LOCATION:Amphithéâtre Gaston Berger
DESCRIPTION:This talk aims to review and explain the Sighax exploit in technical detail. The Nintendo 3DS, despite having layered security based on a strong chain of trust and a privilege split between two processors, ARM11 and ARM9, implements improper validation of the RSA PKCS#1 v1.5 padding in the ARM9 bootrom code. This vulnerability, combined with a careless custom ASN.1 parser, makes it possible to bruteforce specific RSA signatures that cause the signature's hash to be computed against itself on the stack, allowing a signature check to be bypassed.\nWe will also discuss how this exploit, coupled with the design of Nintendo's FIRM file format, makes it possible to dump the protected bottom half of the ARM9 bootrom, which is locked away by the time any firmware is loaded.\nThe goal is to provide a clear overview of how a console can go from executing confined userland homebrew to cold-boot, pre-firmware persistence with full access over the console in just a few mistakes.\nWe will go over the 3DS security architecture with its ARM9 / ARM11 split, the FIRM boot chain, the RSA PKCS#1 v1.5 padding implementation flaw, the ASN.1 parser mistakes and how "perfect" signatures were bruteforced to take advantage of these issues in order to sign any firmware stored in the console eMMC.
SUMMARY:Sighax deep dive: breaking the 3DS chain of trust - Cyprien Molinet (@cypelf)
ATTACH;FMTTYPE=image/jpeg:
URL;VALUE=URI:https://lehack.org/2026/tracks/conferences/#sighax-deep-dive-breaking-the-3ds-chain-of-trust
END:VEVENT
BEGIN:VEVENT
UID:2193
DTSTAMP:20260517T101946
DTSTART:20260627T144500
DTEND:20260627T153000
LOCATION:Amphithéâtre Gaston Berger
DESCRIPTION:macOS has long been perceived as a low-risk platform, often treated as a secondary concern...
SUMMARY:macOS Zero Mercy: Inside the Mind of a Malware Developer - Zoziel Freire
ATTACH;FMTTYPE=image/jpeg:
URL;VALUE=URI:https://lehack.org/2026/tracks/conferences/#macos-zero-mercy-inside-the-mind-of-a-malware-developer
END:VEVENT
BEGIN:VEVENT
UID:2222
DTSTAMP:20260517T103725
DTSTART:20260627T142000
DTEND:20260627T144000
LOCATION:Amphithéâtre Gaston Berger
DESCRIPTION:PLACEHOLDER
SUMMARY:A fraudster's journey - Cybermoustache
ATTACH;FMTTYPE=image/jpeg:
URL;VALUE=URI:https://lehack.org/2026/tracks/conferences/#parcours-dun-fraudeur
END:VEVENT
BEGIN:VEVENT
UID:2176
DTSTAMP:20260517T101311
DTSTART:20260627T140000
DTEND:20260627T142000
LOCATION:Amphithéâtre Gaston Berger
DESCRIPTION:Often underestimated by organisations, physical intrusion is nevertheless a particularly effective compromise vector, despite growing investment in technical and human safeguards.\n\nThis talk offers a concrete analysis of the mechanisms that lead to the success or failure of a physical intrusion, drawing on lessons learned, real cases and red team engagements.\n\nWe will examine the key success factors, such as social engineering, organisational flaws or overestimation of technical controls, as well as the elements that lead to failure: staff vigilance, appropriate procedures, security culture, or certain limitations imposed by clients.\n\nThe aim is to move beyond a purely technological view in order to highlight the central role of people and processes.
SUMMARY:Physical intrusion: Success and Failure - Joker2a
ATTACH;FMTTYPE=image/jpeg:
URL;VALUE=URI:https://lehack.org/2026/tracks/conferences/#physical-intrusion-success-and-failure
END:VEVENT
BEGIN:VEVENT
UID:2182
DTSTAMP:20260517T101200
DTSTART:20260627T113000
DTEND:20260627T121500
LOCATION:Amphithéâtre Gaston Berger
DESCRIPTION:n8n is an open-source workflow automation platform with AI agents, used by thousands of organizations worldwide. With more than 70,000 publicly accessible instances on Shodan and recent critical CVEs listed in CISA's Known Exploited Vulnerabilities catalog, it has become a high-value target for attackers.\n\nThis talk first explores what attackers can do with leaked n8n credentials. Starting from real-world n8n JWT tokens exposed on GitHub, we found around 1,300 publicly reachable instances. Among those, 25% authenticated successfully, giving us a live dataset of production n8n instances to answer one question: what can an attacker do once inside?\n\nWe built three attack chains to find out. First, we demonstrate Remote Code Execution leveraging real-world workflow abuse and existing CVEs, showing how n8n's legitimate execution capabilities turn into a direct shell. Second, we walk through credentials enumeration, extraction, and exfiltration: n8n instances store third-party API keys, OAuth tokens, and database credentials directly in workflows, making a single JWT a skeleton key to an organization's entire integration stack. Third, we reveal original cryptographic weaknesses in n8n's native secret handling, what we call n8ive crypto, exposing design flaws that allow offline secret recovery and privilege escalation.\n\nBeyond the practical attacks, this talk raises a broader question: when automation platforms become the central hub of modern infrastructure, an account compromise is now a launchpad for attacks across the entire stack.
SUMMARY:n8ive by Design: One Leaked Key, Three Attack Chains - guedou
ATTACH;FMTTYPE=image/jpeg:
URL;VALUE=URI:https://lehack.org/2026/tracks/conferences/#n8ive-by-design-one-leaked-key-three-attack-chains
END:VEVENT
BEGIN:VEVENT
UID:2177
DTSTAMP:20260509T105255
DTSTART:20260627T104500
DTEND:20260627T110500
LOCATION:Amphithéâtre Gaston Berger
DESCRIPTION:Squirrel.Windows is one of the most widely used automatic update frameworks on Windows.\nIt is used in particular by Discord, Slack, GitHub Desktop and many Electron applications used by millions of users.\n\nIn this talk, I present the results of a complete security audit of the Squirrel.Windows update pipeline, which revealed 8 vulnerabilities affecting several layers of the update system.\n\nThis research shows that several security mechanisms expected in a modern auto-update system are absent or defective: no signature on the update manifest, circular integrity verification of packages, no Authenticode verification, Zip Slip vulnerabilities allowing arbitrary file writes, XML parsing vulnerable to XXE attacks, and unsafe handling of temporary directories.\n\nBy combining these flaws, an attacker able to intercept update traffic can fully compromise the update process and achieve remote code execution when an update is installed.\n\nThe talk will include several practical demonstrations showing:\n- the injection of a malicious update manifest in a MITM scenario\n- the exploitation of a forged .nupkg package that escapes the application directory\n- the impact of other vulnerabilities such as XXE or the defective delta verification\n\nWe will close with an analysis of the design errors observed in this type of framework and recommendations for designing secure update systems.
SUMMARY:Hacking Discord Through Its Update System
ATTACH;FMTTYPE=image/jpeg:
URL;VALUE=URI:https://lehack.org/2026/tracks/conferences/#hacking-discord-through-its-update-system
END:VEVENT
BEGIN:VEVENT
UID:2184
DTSTAMP:20260517T094244
DTSTART:20260627T100000
DTEND:20260627T104500
LOCATION:Amphithéâtre Gaston Berger
DESCRIPTION:Fifteen years ago, compromising an organization could be as simple as walking through the front door with confidence, dropping a USB drive in a parking lot, or sending a poorly crafted phishing email. At NDH2K11, Jayson E. Street demonstrated just how easily organizations could be compromised using little more than human trust and a bit of creativity.\n\nFast-forward fifteen years. The technology landscape has transformed—AI-generated voices can impersonate executives, phishing campaigns are automated at scale, and attackers now leverage OSINT and generative technologies that dramatically lower the barrier to entry.\n\nYet despite this technological evolution, one uncomfortable truth remains: the fundamental weaknesses that attackers exploit in humans have not changed.\n\nIn this retrospective talk, Jayson revisits real examples from his early work compromising banks and organizations through social engineering and physical infiltration, comparing them to modern attacks involving phishing, vishing, and AI-driven deception. Through stories, demonstrations, and lessons learned across more than a decade of adversarial testing, he shows how attackers continue to succeed not because of cutting-edge exploits—but because organizations still rely on the same fragile assumptions about trust, process, and human behavior.\n\nThe session concludes by challenging the industry’s traditional approach to security validation and introduces a modern framework for adversarial simulation designed to help organizations experience real-world attacks safely before criminals deliver them for real.\n\nAfter fifteen years of evolving tools, tactics, and technology, the biggest lesson may be the simplest one:\n\nAttack methods change.\n\nHuman nature does not.
SUMMARY:From NDH2K11 to LeHack XXVI: A 15 year Retrospective… or Oh my how things (really haven’t) changed! - Jayson E. Street
ATTACH;FMTTYPE=image/jpeg:
URL;VALUE=URI:https://lehack.org/2026/tracks/conferences/#from-ndh2k11-to-lehack-xxvi-a-15-year-retrospective-or-oh-my-how-things-really-havent-changed
END:VEVENT
BEGIN:VEVENT
UID:2188
DTSTAMP:20260509T105548
DTSTART:20260626T000000
DTEND:20260627T013000
LOCATION:Workshop Room
DESCRIPTION:Understand the fundamentals of reverse engineering Android applications.\nLearn to use debugging tools to analyze Android app behavior.\nBypass security mechanisms using Frida scripts.\nSniff and replay Bluetooth Low Energy (BLE) communications.\nModify Smali code to alter app functionality.\nReverse engineer native libraries used in Android apps.\nPerform Man-in-the-Middle (MITM) attacks on HTTPS services.
SUMMARY:Apkpatcher: Reverse Engineering and Modifying Android Applications Without Rooting
ATTACH;FMTTYPE=image/jpeg:
URL;VALUE=URI:https://lehack.org/2026/tracks/workshops/#apkpatcher-reverse-engineering-and-modifying-android-applications-without-rooting
END:VEVENT
BEGIN:VEVENT
UID:2191
DTSTAMP:20260509T105619
DTSTART:20260626T000000
DTEND:20260627T013000
LOCATION:Workshop Room
DESCRIPTION:This workshop introduces WHAD, a framework dedicated to attacks on wireless protocols, with a particular focus on the Bluetooth Low Energy protocol. It echoes the talk submitted by the author on the same subject, and will provide hands-on practice of the attacks discussed there on real connected devices.
SUMMARY:Hacking Bluetooth Low Energy Devices with WHAD
ATTACH;FMTTYPE=image/jpeg:
URL;VALUE=URI:https://lehack.org/2026/tracks/workshops/#hacking-bluetooth-low-energy-devices-with-whad
END:VEVENT
BEGIN:VEVENT
UID:2198
DTSTAMP:20260517T094137
DTSTART:20260626T183000
DTEND:20260626T191500
LOCATION:Amphithéâtre Gaston Berger
DESCRIPTION:Placeholder
SUMMARY:x86 (temp placeholder)
ATTACH;FMTTYPE=image/jpeg:
URL;VALUE=URI:https://lehack.org/2026/tracks/conferences/#x86-temp-placeholder
END:VEVENT
BEGIN:VEVENT
UID:2179
DTSTAMP:20260517T101037
DTSTART:20260626T180500
DTEND:20260626T182500
LOCATION:Amphithéâtre Gaston Berger
DESCRIPTION:Modified drone companion apps claiming to unlock FCC transmission modes are widely circulated among hobbyist communities, yet their internal mechanisms remain largely undocumented. This talk presents a reverse engineering case study of such a patched Android application, revealing how runtime instrumentation frameworks—specifically Frida—are embedded and abused to dynamically alter application behavior.\n\nThrough differential APK analysis, deobfuscation of injected JavaScript Frida payloads, and inspection of native libraries, we uncover a full instrumentation pipeline designed to hook critical Java class methods to bypass regulatory constraints. The session concludes with a discussion on technical limitations, potential firmware-level barriers, and implications for mobile app integrity.
SUMMARY:Reverse Engineering of FCC Unlocks in DJI Fly clones - Klcium
ATTACH;FMTTYPE=image/jpeg:
URL;VALUE=URI:https://lehack.org/2026/tracks/conferences/#reverse-engineering-of-fcc-unlocks-in-dji-fly-clones
END:VEVENT
BEGIN:VEVENT
UID:2180
DTSTAMP:20260517T093154
DTSTART:20260626T174500
DTEND:20260626T180500
LOCATION:Amphithéâtre Gaston Berger
DESCRIPTION:What if the backdoor phase required no code at all?\n\nLast year at leHack, I introduced a framework for reasoning\nabout unconventional persistence — backdoors built from\nconfiguration and trust rather than malware. The audience\nasked for more demos, more operational reality.\n\nThis talk delivers. Through live demonstrations on realistic\nenvironments, we show how subtle, codeless modifications to\na system can create invisible conditions for future\ncode execution — triggered later through channels no\ndefender would think to suspect.\n\nNo binary, no shell, no payload on disk. Just\nchanges that look benign, pass audits, and wait patiently.\n\nBuilt from tested tradecraft, real red team operations, and\nongoing research.
SUMMARY:The Art of Staying In, Part II: Target Weakening - m101
ATTACH;FMTTYPE=image/jpeg:
URL;VALUE=URI:https://lehack.org/2026/tracks/conferences/#the-art-of-staying-in-part-ii-target-weakening
END:VEVENT
BEGIN:VEVENT
UID:2172
DTSTAMP:20260517T100900
DTSTART:20260626T170000
DTEND:20260626T174500
LOCATION:Amphithéâtre Gaston Berger
DESCRIPTION:Is reverse engineering IDA, R2, Frida, Ghidra, QEMU and many others? No, it is all of those, and all of those are not the secret we want to uncover or the DRM we want to break; they are only the means. Today, after Dexcalibur and more than 5 years of development, we are releasing Reversense as open source: a reverse engineering automation platform that creates a projection of your mobile application or binary into a universal representation that can be queried, analysed and executed. Reversense offers a graphical interface for navigating and analysing the projection of the application, statically or across executions, as well as many features outside the scope of traditional tools: automated traversal of the user interface, automatic generation and editing of Frida hooks that mutate from one execution to the next, cross-process or cross-device instrumentation, in-app fuzzing, management of a phone farm, …\n\nThe talk presents the tool, the idea and its use, but above all how we rethought the reverser's craft in an era where binaries are everywhere and the time available for reversing keeps shrinking, but where we still want to enjoy it.
SUMMARY:Reversense: One Hook, Then the Universe - Georges-Bastien Michel (@FrenchYeti)
ATTACH;FMTTYPE=image/jpeg:
URL;VALUE=URI:https://lehack.org/2026/tracks/conferences/#reversense-one-hook-then-the-universe
END:VEVENT
BEGIN:VEVENT
UID:2175
DTSTAMP:20260517T100635
DTSTART:20260626T163500
DTEND:20260626T165500
LOCATION:Amphithéâtre Gaston Berger
DESCRIPTION:Espressif designs small, low-cost system-on-chips primarily intended for wireless connectivity such as Wi-Fi and Bluetooth Low Energy. These SoCs are widely used as the networking and control component in IoT and embedded products, handling external inputs, protocol parsing, and communication with the rest of the system. Espressif has publicly reported cumulative shipments on the order of one billion chips, with hundreds of millions of devices deployed in the field, making vulnerabilities in shared firmware components a product-scale security concern rather than an isolated implementation detail.\n\nIn this talk, we present a set of real security vulnerabilities identified in Espressif’s software development kit (SDK) and USB stack. Rather than focusing on vulnerability counts, we explain how we deliberately filtered out noise to concentrate on issues that are reachable, cross trust boundaries, and have realistic security impact in shipped products.\n\nWe briefly introduce the analysis approach that enabled this triage, including graph-based code exploration, backward slicing from security-sensitive operations, reachability and exploitability reasoning, and threat-model awareness. We then deep-dive into a USB vulnerability, walking through the vulnerable code path, violated assumptions, and attacker-controlled inputs. Where available, we present ongoing exploitation work and discuss the practical challenges and constraints of turning such bugs into reliable exploits on embedded targets.\n\nFinally, we connect these findings to real-world Espressif-based products, illustrating how low-level firmware vulnerabilities can propagate to product-level security risks. We conclude with lessons learned for embedded developers and security engineers on how to reason about exploitability, prioritization, and impact in modern IoT and embedded software stacks.
SUMMARY:From USB to ESP: Security Vulnerabilities in Espressif Firmware - Maxime Rossi Bellom & Ramtine Tofighi Shirazi
ATTACH;FMTTYPE=image/jpeg:
URL;VALUE=URI:https://lehack.org/2026/tracks/conferences/#from-usb-to-esp-security-vulnerabilities-in-espressif-firmware
END:VEVENT
BEGIN:VEVENT
UID:2186
DTSTAMP:20260517T100514
DTSTART:20260626T161500
DTEND:20260626T163500
LOCATION:Amphithéâtre Gaston Berger
DESCRIPTION:WSO2 products (API Manager, Identity Server) are massively deployed \nacross critical infrastructure (banking, insurance, defense, government) \nin France and worldwide. During offensive security engagements at \nAmbionics Security (LEXFO), we discovered over a dozen critical 0-day \nvulnerabilities in WSO2's shared Java codebase and achieved RCE on \ndozens of client instances across French organizations.\n\nThe vulnerabilities span the full spectrum: authentication bypasses via \npath parameter confusion, full-control SSRF through a 2008-era legacy \nproxy, systemic CSRF on every SOAP administration service, account \ntakeover via flawed password reset logic, and multiple RCE vectors \nthrough Siddhi Streaming SQL, H2 database UDFs, SQLite file-write to JSP \nwebshell, and unsandboxed JavaScript execution in the JVM.\n\nBut the real challenge came next. Facing a properly hardened deployment \n(management console firewalled off, no admin ports exposed, zero \noutbound connectivity), we chained 7 N-days into a single-request \nunauthenticated RCE through the only reachable endpoint: the API Gateway \nHTTPS port. The chain combines blind XXE, SSRF relay, HTTP request \nsmuggling via CRLF injection in Axis2 headers, and privilege escalation \ninto a reliable exploit against near-current WSO2 versions.\n\nPacked with Java web exploitation tricks, the talk concludes with a live \ndemo: one request, seven vulnerabilities, a reverse shell.
SUMMARY:Attacking WSO2: 0-Days and N-Day Chains for Pre-Auth RCE on Enterprise Java - Noel MACCARY
ATTACH;FMTTYPE=image/jpeg:
URL;VALUE=URI:https://lehack.org/2026/tracks/conferences/#attacking-wso2-0-days-and-n-day-chains-for-pre-auth-rce-on-enterprise-java
END:VEVENT
BEGIN:VEVENT
UID:2196
DTSTAMP:20260517T100316
DTSTART:20260626T153000
DTEND:20260626T161500
LOCATION:Amphithéâtre Gaston Berger
DESCRIPTION:Placeholder, more to come.
SUMMARY:No need to be a Mytho to do offensive security - Patrick Ventuzelo
ATTACH;FMTTYPE=image/jpeg:
URL;VALUE=URI:https://lehack.org/2026/tracks/conferences/#pas-besoin-detre-un-mytho-pour-faire-de-loffensif-temp
END:VEVENT
BEGIN:VEVENT
UID:2194
DTSTAMP:20260517T095941
DTSTART:20260626T144500
DTEND:20260626T153000
LOCATION:Amphithéâtre Gaston Berger
DESCRIPTION:Whilst organisations and individuals continue to heavily focus on digital initial access vectors, many continue...
SUMMARY:Overcast Panda - Jake Lomas & Antoine Vianey-Liaud
ATTACH;FMTTYPE=image/jpeg:
URL;VALUE=URI:https://lehack.org/2026/tracks/conferences/#overcast-panda-temp
END:VEVENT
BEGIN:VEVENT
UID:2171
DTSTAMP:20260517T095628
DTSTART:20260626T140000
DTEND:20260626T144500
LOCATION:Amphithéâtre Gaston Berger
DESCRIPTION:SAP is widely used by Fortune 500 companies and often underpins critical business processes, yet its attack surface is difficult to evaluate due to its proprietary nature. In this talk, I retrace how I approached that problem in practice: starting from a single thread and following it through reverse engineering, archive format internals, black-box fuzzing, and exploit development.\n\nAlong the way, I show how that process led to multiple vulnerabilities across different SAP components, ranging from local privilege escalation to remote unauthenticated memory corruption. I also cover the practical role LLMs played during the research, as a tool for crash triage, root-cause analysis, and exploit development.
SUMMARY:Getting Lost in SAP: From LPE to Remote Memory Corruption - Tao Sauvage
ATTACH;FMTTYPE=image/jpeg:
URL;VALUE=URI:https://lehack.org/2026/tracks/conferences/#getting-lost-in-sap-from-lpe-to-remote-memory-corruption
END:VEVENT
BEGIN:VEVENT
UID:2169
DTSTAMP:20260517T103521
DTSTART:20260626T113000
DTEND:20260626T115000
LOCATION:Amphithéâtre Gaston Berger
DESCRIPTION:Windows shortcut (.LNK) files remain a persistent threat vector. While simple bypasses like adding spaces exist, this session reveals undocumented techniques for deceptive payload delivery and execution. We’ll explore why these methods work, the black-box research methodology used to find them, and the defensive implications. We are also introducing an open-source tool for security teams to simulate and defend against these advanced LNK-based attacks.
SUMMARY:Trust Me, I'm A Shortcut: New LNK Abuse Methods - Wietze Beukema
ATTACH;FMTTYPE=image/jpeg:
URL;VALUE=URI:https://lehack.org/2026/tracks/conferences/#trust-me-im-a-shortcut-new-lnk-abuse-methods
END:VEVENT
BEGIN:VEVENT
UID:2185
DTSTAMP:20260517T094917
DTSTART:20260626T104500
DTEND:20260626T113000
LOCATION:Amphithéâtre Gaston Berger
DESCRIPTION:In 2025-2026, the Microsoft Entra ID and Microsoft 365 ecosystem has become the epicentre of enterprise cloud compromises. The reports are unanimous: identity is the number one attack vector, and M365 environments are the most coveted attack surface, from state-sponsored APTs to Phishing-as-a-Service operators.\n\nThe talk will cover the most recent and impactful techniques, including FOCI (Family of Client IDs) abuse, extraction of OAuth tokens from Windows caches (TokenBroker, WAM, Azure CLI), bypassing MFA and Conditional Access policies, and detection blind spots. As a running thread, a live demonstration of OAuthBandit v2, an open-source post-exploitation tool specialised in extracting, validating and exploiting Microsoft OAuth tokens from compromised endpoints, with the public release of new advanced features.\n\nThis presentation is raw feedback from the field. Based on concrete incident response cases and offensive engagements on compromised M365 tenants, it dissects the modern kill chains observed in production: from initial access via OAuth phishing to complete tenant takeover, by way of cloud-to-cloud lateral movement and invisible persistence... as well as other surprises...\n\nThe goal: to arm defenders with a fine-grained understanding of modern TTPs on M365/Entra ID and concrete detection and response strategies.
SUMMARY:Entra ID & Microsoft 365 Under Siege: Autopsy of Modern Cloud Compromises and Response Strategies - Kondah Hamza
ATTACH;FMTTYPE=image/jpeg:
URL;VALUE=URI:https://lehack.org/2026/tracks/conferences/#entra-id-microsoft-365-under-siege-autopsie-des-compromissions-cloud-modernes-et-strategies-de-riposte
END:VEVENT
BEGIN:VEVENT
UID:2199
DTSTAMP:20260509T105650
DTSTART:20260626T100000
DTEND:20260626T104500
LOCATION:Amphithéâtre Gaston Berger
DESCRIPTION:PLACEHOLDER
SUMMARY:Keynote ( temp placeholder )
ATTACH;FMTTYPE=image/jpeg:
URL;VALUE=URI:https://lehack.org/2026/tracks/conferences/#keynot-temp-placeholder
END:VEVENT
BEGIN:VEVENT
UID:2187
DTSTAMP:20260509T105534
DTSTART:20260626T000000
DTEND:20260621T013000
LOCATION:Workshop Room
DESCRIPTION:Most reverse engineering workflows treat a binary as a static artifact. Dynamic Binary Instrumentation flips that: instead of reading code, you *watch it run*, intercepting every instruction and memory access with nothing but Python.\n\nThis workshop is a hands-on introduction to DBI using [PyQBDI](https://qbdi.readthedocs.io/en/stable/get_started-pyqbdi.html). Attendees go from zero to writing instrumentation scripts that trace execution, inspect runtime state, instrument native libraries, and ultimately bypass anti-debugging protections to extract a hidden flag. They leave with reusable scripts and the foundations to apply QBDI in professional engagements, CTF challenges, or personal research.\n\n[QBDI](https://qbdi.quarkslab.com/) is an open-source framework developed at Quarkslab, supporting Linux, Windows, Android, and macOS. It has been used in practice to [break whitebox cryptographic implementations](https://blog.quarkslab.com/introduction-to-whiteboxes-and-collision-based-attacks-with-qbdi.html), [deobfuscate VM-protected binaries](https://blog.quarkslab.com/qbdi-vs-tritondse-against-a-vm-who-will-be-the-fastest.html), and [analyze Android native libraries without source code](https://blog.quarkslab.com/android-native-library-analysis-with-qbdi.html).
SUMMARY:Introduction to Dynamic Binary Instrumentation with QBDI
ATTACH;FMTTYPE=image/jpeg:
URL;VALUE=URI:https://lehack.org/2026/tracks/workshops/#introduction-a-linstrumentation-dynamique-binaire-avec-qbdi
END:VEVENT
BEGIN:VEVENT
UID:2189
DTSTAMP:20260509T105557
DTSTART:20260626T000000
DTEND:20260621T013000
LOCATION:Workshop Room
DESCRIPTION:Your favorite Android mobile apps or smart TV are probably fortresses: obfuscated code, anti-hooking defenses, encrypted protocols. Traditional RE tools? Weeks of manual grinding. But what if you could teach your hooks to evolve, fuzz vendor services for hidden root commands, and let an AI orchestrate the entire RE workflow?\n\nIn this hands-on workshop, you'll learn to autopsy mobile applications using Reversense, a free collaborative reverse engineering platform now available as open source. Unlike traditional tools that require weeks of manual analysis, Reversense automates the discovery, modeling, and instrumentation of mobile apps in their real execution context.\n\nYou'll work through 3 real-world scenarios:\n\n- Hardened App Security Audit: Identify sensitive data and bypass security mechanisms, such as anti-hooking, using self-improved hooks and dynamic modeling.\n\n- Discovery of Undocumented ADB Commands: Use a combination of the built-in fuzzing engine and cross-app hooking to uncover hidden vendor backdoors and factory test modes in Android devices.\n\n- AI-Powered Reverse Automation: Leverage MCP (Model Context Protocol) integration to orchestrate complex multi-stage reverse engineering workflows.
SUMMARY:Teaching hooks to hunt: automated Android app reversing
ATTACH;FMTTYPE=image/jpeg:
URL;VALUE=URI:https://lehack.org/2026/tracks/workshops/#teaching-hooks-to-hunt-automated-android-app-reversing
END:VEVENT
BEGIN:VEVENT
UID:2190
DTSTAMP:20260509T105610
DTSTART:20260626T000000
DTEND:20260621T013000
LOCATION:Workshop Room
DESCRIPTION:keep digging for that root shell
SUMMARY:Hardware hacking : keep digging for that root shell
ATTACH;FMTTYPE=image/jpeg:
URL;VALUE=URI:https://lehack.org/2026/tracks/workshops/#hardware-hacking-keep-digging-for-that-root-shell
END:VEVENT
BEGIN:VEVENT
UID:2192
DTSTAMP:20260509T105624
DTSTART:20260626T000000
DTEND:20260621T013000
LOCATION:Workshop Room
DESCRIPTION:The world of Web Hacking is evolving, and with it, our tooling must evolve as well. Caido, the new guy on the HTTP Proxy block, brings a new set of tools and capabilities to web hackers that minimize friction and increase efficiency in your hacking process. Join us as we explore:\n* HTTPQL Search\n* Caido Workflows (easy to understand & integrate low-code/no-code automation)\n* Environment Variables (no, not that kind)\n* Organization/Note Taking\n* Shift - Caido AI Integration\n* and much more
SUMMARY:Efficient Web Hacking with Caido
ATTACH;FMTTYPE=image/jpeg:
URL;VALUE=URI:https://lehack.org/2026/tracks/workshops/#efficient-web-hacking-with-caido
END:VEVENT
END:VCALENDAR