Watch the stream
Laptops have become ubiquitous in modern times. An all but guaranteed organizational asset that quite literally holds keys to the kingdom, in every employee's hands. For an attacker, what's not to love? From large government organizations to fortune 500 companies, these assets are constantly on the move and often poorly secured against advanced threat actors seeking to extract their secrets. Encryption at rest is NOT enough in 2025! And I can show you why.
This talk will showcase methodologies used by our offensive security team to penetrate well-hardened, modern laptops during engagements we call “stolen laptop scenarios”. No power? No credentials? No problem! We push the envelope to the limit of what can be realistically expected of next-generation adversaries. We begin by exploring the potential impact that a compromised laptop can have on an organization, briefly discussing potential lateral movement through extracted domain credentials, tickets, certificates, cookies, and sensitive data. After exposing the audience to the value obtained through physical compromise, we will discuss real attack vectors, with examples and video demos.
We will explore together direct-memory access attacks, the physical and logical implementations of these techniques, defenses, bypasses, and more. On the menu is an overview of PCI Express technology, DMA hardware including FPGA boards and what we do with them, practical demonstrations of attacks against modern laptops, countermeasures introduced by hardware vendors to protect against these attacks, and ways that attackers circumvent these protection mechanisms. Naturally, we will discuss BIOS/UEFI security, how it relates to DMA, and how we exploit pre-boot environments to gain access to a stolen computer. This includes showcasing physical attacks against BIOS EEPROM chips using a universal programmer.
Finally, we will talk about encryption at rest, specifically BitLocker, TPM implementation, and the potential implications of using these technologies for attackers, with a focus on why these are not sufficient for preventing attackers with physical access from compromising a PC. This section will culminate with an exploit demonstration compromising windows OS from UEFI via DMA when all modern countermeasures are enabled. Of course, we will discuss proper configuration that can limit or eliminate these attack vectors as well! We will discuss open-source tooling such as PCILeech, MemProcFS, UEFITool, etc, and some closed source tooling including XGPro.
Pierre-Nicolas Allard-Coutu Senior Penetration Tester, Bell Canada
Pierre-Nicolas Allard-Coutu is a senior penetration tester and offensive security R&D lead at Bell Canada's Security Testing and Incident Response team (STIRT). He is a seasoned red team operator with many years of experience specialized in the development of malware payloads and payload delivery systems. More recently, he has spearheaded the creation of physical penetration test methodologies including novel exploitation techniques aimed at compromising UEFI pre-boot environments and enabling Direct Memory Access vectors against modern laptops. He is currently the top public contributor to the Quebec Government Cyber Defense Center's vulnerability disclosure program, and part of the HackFest Challenge design team. The type of person who could never resist placing ">