Sat. 25 May - Sun. 26 May
OCBC Arena @ Singapore Sports Hub
topic page title

Boris Larin

Principal Security Researcher, Kaspersky

Operation Triangulation: Do Not Attack iPhones of Researchers!

Imagine discovering a 0-click attack targeting Apple mobile devices of your colleagues and managing to capture all the stages of the attack. That's exactly what happened to us! This led to the fixing of four zero-day vulnerabilities and discovering of a previously unknown and highly sophisticated spyware that had been around for years without anyone noticing. We call it "Operation Triangulation". This is the story of the most sophisticated attack chain and spyware ever discovered by Kaspersky. We will demonstrate live how vulnerabilities used against us are exploited.
Boris is a Principal Security Researcher at Kaspersky's Global Research & Analysis Team (GReAT), focusing on finding zero-day exploits exploited in the wild. He has discovered numerous APT attacks and reported 19 zero-day exploits used in the wild in various malware campaigns. Besides work, Boris enjoys reverse engineering, vulnerability research and video games. He was the first researcher recognized in Sony PlayStation's bug bounty program on HackerOne after discovering critical vulnerabilities in the firmware of PlayStation 3 & 4. He also makes "impossible" modifications for video games: adding a full-fledged third-person camera to Metal Gear Solid 2 through reverse engineering and rewriting. Boris has presented his research at many conferences including CanSecWest, Security Analyst Summit (SAS), BlueHat, TyphoonCon, CodeBlue, Chaos Communication Congress, OffensiveCon, etc.
calendar title
AI and Hackers
Annual Themed Debate
30 + 5
In-depth Sharing
Web3 and Hackers
Annual Themed Contest
AI and Hackers
Annual Themed Debate
30 + 5
In-depth Sharing
Web3 and Hackers
Annual Themed Contest
DAF (Defense & Attack Force) Contest is an immersive, unparalleled and extraordinary hacking contest like no other,
which unveils the real-world vulnerability exploitation threats by showcasing cyber adversarial activities in smart devices and network services.
As an upgraded version of GEEKPWN, DAF Contest continuously encourages contestants to PWN everything.
1. Submission: Online submission to by April 15th. Vulnerability details and codes are not needed in the submission.
2. Evaluation: The GEEKCON Committee will review the submitted applications according to the order of submissions, and select the final accepted project.
3. On-site contest: On May 25th - 26th in Singapore, the accepted contestants will tackle on-site challenges and showcase their exploitation to the audience.
Challenge Objectives
Participants in the submission process can select their own challenge targets, encompassing commercially available or commonly used smart devices and software systems, including commercial/open-source software, IoT products, AI-related products, frameworks, and libraries.
Through the exploitation of security vulnerabilities in their chosen targets, participants are expected to achieve actions such as unauthorized control, unauthorized data access, circumventing original security mechanisms, or guiding the target to make incorrect decisions under reasonable attack conditions.
Challenge Rules
a) Participants are restricted to targeting the original systems, applications, or native security modules of device manufacturers. The software or firmware version of the target device or security module must be equal to or higher than the latest version 30 days before the contest and set to default or commonly used configurations.
b) GEEKCON organizers, based on the information provided by participants regarding their chosen targets and versions, will prepare corresponding contest equipment and environments. Participants must complete the challenge within the contest environment. In instances where the organizer are unable to prepare the challenge environment, participants can request to provide their own challenge equipment. After verification and approval by the organizers, they can participate in the contest.
c) The technical methods and exploited security flaws used by participants in the contest must be self-discovered and implemented. Publicly known or existing security flaws and techniques cannot be used as criteria for winning the contest. If the techniques and security flaws used by participants include non-self-discovered elements, they must inform the organizer during submission process.
d) Participants must complete the challenge within 20 minutes. Failure to do so results in a challenge failure.
Evaluation Criteria
DAF contest participants who successfully complete the challenge will be comprehensively evaluated by the GEEKCON judging committee based on the technical difficulty, technical value, consequences and impact of the challenge project, as well as on-site performance. The final comprehensive score for the challenge project will be calculated.
Participation Rewards
Participants are not obligated to provide details of the vulnerabilities used in their attack to the GEEKCON committee. However, after successfully completing the challenge project, they must provide an overall explanation of how the attack occurred. The judge panel will rate the attack based on the evaluation criteria, determine award levels according to the score, and distribute contest prizes accordingly.
Reference Challenge Projects
a) Exploitation of Automotive Information System Vulnerabilities: Challenge participants discover a 0-day vulnerability in a specific car. After connecting to the in-car WiFi from outside the vehicle, they exploit the vulnerability to gain administrative privileges and open locked car doors from outside.
b) Exploitation of Facial Recognition Access Control System Vulnerabilities: Challenge participants discover a 0-day vulnerability in a specific brand's facial recognition access control system. They use this vulnerability to gain control of the system, modify facial information, bypass identity authentication, and unlock access control.
c) Exploitation of AI Algorithm Deficiencies: Challenge participants can use a special conversational approach to bypass security restrictions of large models like AI. This can induce the targeted model to leak sensitive information, training data, or execute harmful operations.
For more information, please refer to the Call for Paper document.
notice title

1     GEEKCON organizing committee (hereinafter referred to as "the committee") recognizes the technical capability of the winner individually, but doesn't acknowledge that it represents the capability of the winner's working organization.

2    We recognize and promote the comprehensive assessment of vulnerability exploitation capabilities and mitigation mechanisms from a confrontational perspective, and do not endorse the judgement of security levels of the target products involved in the event based on a single dimension or non-quantitative dimension.

3    The committee firmly follows the Responsible Disclosure principle. The committee and contestant commit not to disclose any details to third-party before manufactures fix the issues.

4    The committee advocates and encourages in-depth knowledge sharing and communication, but firmly opposes any speech and behavior that violates laws and regulations or infringes on the rights of others.

5    The committee guarantees that the participants' personal information will not be disclosed to third-party or used for commercial activities without their agreement and authentication.

6    We will set up awards and honors based on the research efforts, technical breakthrough, and technical innovation of the projects. As the top 1 security geek IP operator in China, we always advocate a reward mechanism that emphasizes both honor and moderate bounty, encouraging more geeks to participate in technical innovation and knowledge sharing.

Past and Current Partners
Icon 1 Icon 1 Icon 1 Icon 1 Icon 1 Icon 1 Icon 1 Icon 2 Icon 3 Icon 4 Icon 5 Icon 6 Icon 7 Icon 8 Icon 1 Icon 1 Icon 1 Icon 1 Icon 1 Icon 1 Icon 1 Icon 1 Icon 1 Icon 1 Icon 1 Icon 1 Icon 1 Icon 1 Icon 1 Icon 1 Icon 1 Icon 1 Icon 1 Icon 1 Icon 1 Icon 1 Icon 1 Icon 1 Icon 1 Icon 1 Icon 1 Icon 1 Icon 1
DARKNAVY, an independent and free-spirited security research organization and service provider. We have invented and established AVSS (Adversarial Vulnerability Scoring System) to evaluate and quantify vulnerabilities and the effectiveness of system mitigation mechanisms in real adversarial environments. We have also initiated and organized GEEKCON, a unique and top-class security geek event, to empower the development of the global security community.
Our goal is to create a more secure digital world by eliminating vulnerabilities in IT products/services. By sharing our knowledge through consulting and R&D experiences, we aim to enable organizations to better prepare and protect themselves against the ever-evolving threat of cyber attacks.
GEEKCON is the new version of the top security competition, GeekPwn. Initiated by DARKNAVY, GEEKCON aims to become a globally unparalleled technical event for security geeks, pioneering and promoting the visualization and measurable values of security ecosystem capabilities.


Registration Desk:
Business&Media Cooperations:
© GEEKCON Committee