Keynote: Raising the Bar with Software Protection with Béatrice Creusillet (Quarkslab)

The Talsec Mobile App Security Conference in Prague was a two-day, invite-only event on fraud, malware, and API abuse in modern mobile apps, held at Chateau St. Havel on November 3–4, 2025, and hosted by Talsec, freeRASP, and partners. It brought together leading experts and practitioners to strengthen the mobile AppSec community, connect engineers with attackers and defenders, and share practical techniques for high‑stakes sectors like banking, fintech, and e‑government.

The EV Charger Hacking Case Study

Béatrice Creusillet, the R&D lead for the product division at Quarkslab, delivered a keynote on the critical need for software protection, illustrating her points with a real-world hacking story involving an electric vehicle (EV) charger. While absolute protection is impossible, layering defense mechanisms like obfuscation and integrity checks drastically raises the cost and expertise required for successful attacks.

Overview of the Attack

The presentation began with a story of three Quarkslab engineers participating in the Pwn2Own bug bounty competition. The target was a "Hotel Maxi Charger AC wallbox," an electric vehicle supply equipment (EVSE) or charger used for residential and commercial purposes.

The device is highly connected and supports USB, Ethernet, Bluetooth, Wi-Fi, and NFC communication. It is managed through a companion Android application that interfaces with both the charger and the vendor’s cloud infrastructure. The presentation examines how limited software protections significantly reduced the cost and complexity of the attack.

The attack was conducted in four distinct phases and required approximately 33 person-days of effort. Both the Android application and the device firmware implemented only minimal protection mechanisms, consisting primarily of application packing and light encryption.

Firmware Retrieval

The engineers could not extract the firmware directly from the charger, so they retrieved it via the Android companion application. The application was packed, requiring several days of dynamic analysis to unpack and retrieve the full application code. They then used static analysis to find the URL and tokens needed to download the encrypted firmware from the cloud.

Decryption

The encrypted firmware was "lightly encrypted". It took a cryptanalyst three days to decrypt it, using expertise to make "some lucky guesses".

Analysis and Vulnerability Finding

The engineers discovered the firmware was unprotected; it was not obfuscated and lacked common mitigations like ASLR and stack protection. Although the code was stripped (no symbols), they identified the operating system as FreeRTOS and located the Bluetooth and USB stacks. This analysis led to the discovery of three vulnerabilities, which took 20 person-days.

Exploitation

Because there were "no protections," the team easily developed two exploitation chains leveraging Bluetooth and USB. They even made the chains persistent across future firmware updates by implanting them in the bootloader.

While the attack ultimately failed at Pwn2Own because they based their work on the European version of the firmware, not the US version used in the competition, the vulnerabilities were reported and fixed by the vendor.

The successful exploit could have allowed free charging, damaged the vehicle or battery, or provided access to the home/company network, nearby Bluetooth devices, or the cloud-based vendor backend.

Impact of Layered Protection

The presentation uses the attack timeline to demonstrate how even basic software protection mechanisms significantly increase the time, cost, and expertise required to compromise a system. The absence of layered defenses allows attackers to progress rapidly from firmware acquisition to full exploitation.

| Protection Level | Estimated Attack Time (Person-Days) | Resulting Difficulty |
| --- | --- | --- |
| No Protection At All | 27 | Easy, fast success. |
| Light Protection (Actual Scenario) | 33 | Slowed the team down. |
| Light Protection (with OS/App parts protected) | 39 | Would have exceeded the Pwn2Own time limit. |
| Strong Protection (RASP, Strong Encryption, Heavy Obfuscation) | Not possible in the allocated time | Would have required changing techniques and was estimated to be impossible within the time constraints. |

Key Lessons Learned

The primary lesson from this case study is the critical importance of protecting IoT devices and their companion applications. Companion applications frequently represent the weakest link, as they expose device logic, credentials, and cloud interfaces, and often provide a direct path into private networks and backend systems.

Core Concepts in Software Protection

The objective of application protection is to preserve application behavior, ensure operational safety, and protect company revenue. This requires safeguarding sensitive assets such as credentials, cryptographic keys, configuration parameters, and proprietary algorithms.

Software protection is built on two fundamental properties:

  • Integrity, which ensures that the application has not been modified or tampered with. Common techniques include code integrity checks and runtime application self-protection mechanisms.

  • Confidentiality, which aims to conceal application logic and sensitive data through methods such as code obfuscation and white-box cryptography.

Obfuscation increases the difficulty of reverse engineering by hiding program structure, transforming control flow, and concealing constants and strings. An additional benefit of obfuscation is diversification. By protecting different builds or instances differently, an exploit developed for one binary may not apply to another, buying valuable time for remediation.

No technique alone is enough. It is important to combine and layer both software and hardware protection mechanisms. Obfuscation, runtime protection, integrity verification, and encryption must be used together.
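To make the integrity and confidentiality properties above concrete, here is an added example (not code from the keynote or from Quarkslab) in C: a string is concealed with a keystream derived from a hypothetical per-build key `BUILD_KEY` (so each build carries different bytes, the diversification point), and a checksum over the concealed blob is verified before the string is revealed at runtime, so a patched binary is detected. The XOR keystream is obfuscation that raises attacker cost, not cryptographic secrecy, which is exactly why the keynote insists on layering it with other mechanisms.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Hypothetical per-build diversification key. In a real build pipeline this
 * would be generated freshly for every build so no two binaries match. */
#ifndef BUILD_KEY
#define BUILD_KEY 0x5AC3F19Eu
#endif

/* 32-bit FNV-1a hash, used here as the integrity tag over the concealed blob. */
static uint32_t fnv1a(const uint8_t *p, size_t n) {
    uint32_t h = 2166136261u;
    for (size_t i = 0; i < n; i++) { h ^= p[i]; h *= 16777619u; }
    return h;
}

/* Keystream byte i: a key byte rotated by position, plus the position itself. */
static uint8_t ks(uint32_t key, size_t i) {
    return (uint8_t)((key >> ((i % 4) * 8)) + i);
}

/* Build-time step: conceal the plaintext and compute its integrity tag.
 * Returns the number of bytes written, or 0 if the buffer is too small. */
size_t conceal(const char *plain, uint32_t key, uint8_t *out, size_t cap, uint32_t *tag) {
    size_t n = strlen(plain);
    if (n > cap) return 0;
    for (size_t i = 0; i < n; i++) out[i] = (uint8_t)plain[i] ^ ks(key, i);
    *tag = fnv1a(out, n);
    return n;
}

/* Runtime step: refuse to reveal anything if the blob was tampered with. Returns 1 on success. */
int reveal(const uint8_t *blob, size_t n, uint32_t key, uint32_t tag, char *out, size_t cap) {
    if (n + 1 > cap || fnv1a(blob, n) != tag) return 0;
    for (size_t i = 0; i < n; i++) out[i] = (char)(blob[i] ^ ks(key, i));
    out[n] = '\0';
    return 1;
}

/* Self-check: round trip, per-build diversification, and tamper detection. Returns 1 on success. */
int demo_selfcheck(void) {
    const char *secret = "cloud-token-placeholder";   /* constructed sample, not a real value */
    uint8_t a[64], b[64]; char out[64]; uint32_t ta, tb;
    size_t n = conceal(secret, BUILD_KEY, a, sizeof a, &ta);
    size_t m = conceal(secret, 0x00000001u, b, sizeof b, &tb);   /* a second, different build */
    if (n == 0 || n != m || memcmp(a, b, n) == 0) return 0;      /* builds must not share bytes */
    if (!reveal(a, n, BUILD_KEY, ta, out, sizeof out) || strcmp(out, secret) != 0) return 0;
    a[3] ^= 0x01;                                                /* simulate a patched binary */
    return reveal(a, n, BUILD_KEY, ta, out, sizeof out) == 0;    /* tamper must be rejected */
}
```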

Thank you, Béatrice and Quarkslab, for showcasing how thoughtful research and practical insight can bridge the gap between theory and real-world security challenges. Your work highlights the importance of clear thinking, strong fundamentals, and curiosity-driven exploration in advancing modern cybersecurity.
