Thijs Alkemade (@xnyhps) works at the security research division of at Computest. This division is responsible for advanced security research on commonly used systems and environments. Thijs has won Pwn2Own twice, by demonstrating a zero-day attack against Zoom at Pwn2Own Vancouver 2021 and by demonstrating multiple exploits in ICS systems at Pwn2Own Miami 2022. In previous research he demonstrated several attacks against the macOS and iOS operating systems. He has a background in both mathematics and computer science, which gives him a lot of experience with cryptography and programming language theory.
"SomeApp would like to access files in your Documents folder." Anyone who has used macOS recently will be familiar with these prompts. But how do they work? What happens if you deny the access? Are they an effective defense against malware?
This talk will give an up to date overview of the local security measures of macOS and describe some ways they can be defeated in practice.
Last year we won Pwn2Own by demonstrating remote code execution, using a chain of three vulnerabilities, on the then latest version of the Zoom client. In this talk we would like to share all details of the vulnerabilities we found and how we combined them into a fully working exploit.
Last April we won Pwn2Own Miami by demonstrating five zero-day attacks against software that is commonly used in the ICS world. ICS, or Industrial Control Systems, are systems that are involved with running an industrial process, for example in a factory or power plant. Our targets range from SCADA to HMI systems. During this talk we would like to share details about the competition and the vulnerabilities we found.