WithSecure at DEF CON 31: Medical data hacking, Azure Service Tags, and Android Permissions

WithSecure consultants take to the stages in Las Vegas, August 10 - 13

Helsinki, Finland - August 3, 2023: WithSecure (formerly known as F-Secure Business) has announced a schedule of speakers at the upcoming DEF CON 31 in Las Vegas, Nevada, 10-13 August. Now in its 31st iteration, DEF CON is the world's largest annual hacker convention, welcoming thousands through its doors each year. This year, WithSecure's presence at the event stretches across the main stage, AppSec and Cloud Villages.

In recent years, the use of internet-connected devices has become prevalent in the healthcare sector, particularly to communicate patient data. Therefore, it is essential that security testing of these devices identifies misconfigurations that could cause a severe impact. While modern healthcare protocols such as FHIR (Fast Healthcare Interoperability Resources) use the HTTP protocol to communicate and make security testing relatively easy, the use of older protocols such as HL7 (Health Level Seven) is more widespread. These protocols are bespoke and difficult to intercept, making device security testing challenging.

Speaking on the main stage, Security Consultant Katie Inns will demo her new tool "HL7Magic" designed to provide security testers with an easier method for testing the security of medical devices using protocols such as HL7.

Joining the AppSec Village, Milosz Gaczkowski and William Taylor will lead a workshop looking at the Android permissions model. They will discuss how the way in which Android applications talk to each other is often misunderstood and how it is common to see sensitive functionality open to anyone. Attendees will have the opportunity to look at common implementation flaws and practice exploiting said flaws from the perspective of an unprivileged application.

Over in the CloudSec Village, Aled Mehta is delving into Azure Service Tags and their role within cloud environments as the approach to securing networks and resources has shifted. Components of network and security controls have been abstracted away from administrators, which can often result in resources being left more exposed than intended. In addition to discussing Service Tags and their use cases, this session from Aled will highlight several novel methods attackers can use to access a corporate environment and provide practical recommendations for Service Tag usage.

Timings for each of the sessions can be found below:

HL7Magic: Medical data hacking made easy

Main Stage, 11th August, 17:00

Katie Inns, Security Consultant

Per-mission Impossible: Exploring the Android permissions model and intents

AppSec Village, 12 August, 15:00

Milosz Gaczkowski, Consultant & William Taylor, Security Consultant

Tag, You're Exposed: Exploring Azure service tags and their impact on your security boundary

Cloud Village, 13th August, 10:40

Aled Mehta, Security Consultant

WithSecure™ media relations
Kelly Friend
+44 (0) 7880 488 357