Pierre-Nicolas Allard-Coutu
Pierre-Nicolas Allard-Coutu is a senior penetration tester and offensive security R&D lead at Bell Canada's Security Testing and Incident Response Team (STIRT). He is a seasoned red team operator with many years of experience, specializing in the development of malware payloads and payload delivery systems. More recently, he has helped modernize Bell's physical penetration testing service offerings by developing novel exploitation techniques aimed at compromising UEFI pre-boot environments. He is currently the top public contributor to the Quebec Government Cyber Defense Center's vulnerability disclosure program, and part of the HackFest challenge design team. The type of person who could never resist placing "><script>alert(1);<!-- in his bio.
2025 Talk
Talk Title: Stolen Laptops - Modern physical access attacks against hardware and firmware
Talk Abstract:
This talk will highlight modern tactics employed by offensive security teams and sophisticated threat actors to compromise laptops when adversaries have physical access to the target device. We will focus on direct memory access (DMA) attacks, and discuss the limitations of hardware encryption leveraging the TPM against these techniques. There will be practical demonstrations of the hardware configuration required to exploit these issues, and an overview of modern countermeasures, specifically the IOMMU (Intel VT-d and AMD-Vi), Kernel DMA Protection, and hardware whitelisting. We will go through methodologies used to extract and attack UEFI firmware from laptops, and demonstrate both password bypasses and hardware whitelisting bypasses via reverse engineering of DXE drivers. Finally, we will discuss inconsistencies in UEFI implementations that allow us to bypass the IOMMU and DMA protection, and conduct a pre-boot DMA attack using novel tooling called FirstStrike to compromise a fresh Windows install with countermeasures enabled.
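The abstract names three defensive controls that decide whether a DMA device plugged into a stolen laptop gets anywhere: DMA remapping through the IOMMU, the OS-level Kernel DMA Protection built on it, and whitelisting of hot-plugged PCIe/Thunderbolt devices. The shell script below is an added example for defenders, not tooling from the talk or from Bell's STIRT team: it audits those controls on a Linux laptop through the kernel's sysfs interface (`/sys/kernel/iommu_groups`, which is only populated when remapping is active, and the `security` and `authorized` attributes under `/sys/bus/thunderbolt/devices`). On Windows the equivalent check is the "Kernel DMA Protection" line in System Information (msinfo32). Every function takes an optional sysfs root (defaulting to `/sys`) so the same logic can be exercised against a constructed directory tree offline.

```shell
#!/bin/sh
# Added example (not from the talk): audit DMA-attack countermeasures on a Linux
# laptop by reading sysfs. An optional first argument overrides the sysfs root so
# the functions can be run against a constructed tree instead of the live system.

# Returns 0 when the IOMMU (Intel VT-d or AMD-Vi) is active: the kernel only
# creates entries under /sys/kernel/iommu_groups once DMA remapping is enabled.
iommu_active() {
    root="${1:-/sys}"
    for g in "$root"/kernel/iommu_groups/*; do
        [ -e "$g" ] && return 0
    done
    return 1
}

# Print "<domain> <level>" for every Thunderbolt/USB4 controller. "none" means
# any hot-plugged PCIe device is authorized automatically (no whitelist at all);
# "user" and "secure" require explicit authorization; "dponly", "usbonly" and
# "nopcie" never tunnel PCIe, so a DMA device gets no bus access at all.
thunderbolt_security() {
    root="${1:-/sys}"
    found=0
    for d in "$root"/bus/thunderbolt/devices/domain*; do
        [ -r "$d/security" ] || continue
        found=1
        printf '%s %s\n' "$(basename "$d")" "$(cat "$d/security")"
    done
    [ "$found" -eq 1 ] || echo "none-present -"
}

# List Thunderbolt devices whose PCIe tunnel is currently authorized
# (authorized != 0), i.e. the devices the whitelist has actually admitted.
authorized_tb_devices() {
    root="${1:-/sys}"
    for d in "$root"/bus/thunderbolt/devices/*; do
        [ -r "$d/authorized" ] || continue
        [ "$(cat "$d/authorized")" = "0" ] && continue
        printf '%s\n' "$(basename "$d")"
    done
}

# Combined verdict: exit 0 with an "ok:" line, or exit 1 with a "weak:" line
# naming the first control that is missing.
dma_posture() {
    root="${1:-/sys}"
    if ! iommu_active "$root"; then
        echo "weak: no IOMMU groups, DMA remapping is not active"
        return 1
    fi
    if thunderbolt_security "$root" | grep -q ' none$'; then
        echo "weak: a Thunderbolt domain is at security level 'none' (auto-authorizes PCIe)"
        return 1
    fi
    echo "ok: IOMMU active and no Thunderbolt domain at level 'none'"
    return 0
}

# Usage: sh dma_audit.sh --audit   (runs the verdict against the live /sys tree)
case "${1:-}" in
    --audit) dma_posture; exit $? ;;
esac
```

The verdict deliberately stops at the first missing control: without remapping, nothing else matters, and a Thunderbolt level of "none" makes the whitelist a formality. A level of "user" or "secure" is only as good as the approval workflow behind it, so `authorized_tb_devices` is there to show what has actually been admitted, which is the list worth reviewing after a device has been out of your hands.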
This talk expands on my previous talk given on the same subject, with considerably more detailed analysis, updated video demos, and a whole section on UEFI driver reverse engineering with the goal of bypassing hardware whitelists, which was not previously included, as well as updated tactics against AV/EDR and pre-boot environments suitable for 2025.
2024 Talk
Talk Title: Stolen Laptops - From physical access to internal networks :: A brief overview of modern physical access attacks against UEFI, PCI Express, BitLocker and more!
Talk Abstract:
Laptops have become ubiquitous in modern times: an all but guaranteed organizational asset that quite literally holds the keys to the kingdom, in every employee's hands. For an attacker, what's not to love? From large government organizations to Fortune 500 companies, these assets are constantly on the move and often poorly secured against advanced threat actors seeking to extract their secrets. Trust me, encryption at rest is not the all-encompassing shield it was once made out to be. With the evolving security landscape and ever-changing tactics of adversaries, it is absolutely critical to perform regular threat emulation in order to test countermeasures against these attack vectors.
This talk will showcase methodologies used by our offensive security teams to penetrate well-hardened laptops during these types of engagements. We begin by exploring the potential impact that a compromised laptop can have on an organization, briefly discussing potential lateral movement through extracted domain credentials, tickets, certificates, cookies, and sensitive data. After exposing the audience to the potential risk, we will discuss real attack vectors, with examples and video demos. No Credentials? No problem. We push the envelope to the limit of what can be realistically expected of next-generation adversaries.
Together we will explore direct memory access (DMA) attacks: the physical and logical implementations of these techniques, defenses, bypasses, and more. On the menu is an overview of PCI Express technology, DMA hardware including FPGA boards and what we do with them, practical demonstrations of attacks against modern laptops, countermeasures introduced by hardware vendors to protect against these attacks, and the ways attackers circumvent these protection mechanisms. We will discuss BIOS/UEFI security, how it relates to DMA, and how we exploit pre-boot environments to gain access to a computer. This includes showcasing physical attacks against BIOS EEPROM chips using a universal programmer.
Finally, we will talk about encryption at rest, specifically BitLocker and TPMs, and what using these technologies means for attackers, with a focus on why they are not sufficient to prevent attackers with physical access from compromising a PC. Of course, we will discuss proper configuration that can limit or eliminate these attack vectors as well! The talk will touch upon the expertise that Bell Canada's STIRT team brings to adversary emulation services in general, and showcase some R&D that has arisen from our involvement in this space. We will discuss open source tooling such as PCILeech, MemProcFS, UEFITool, etc., and some closed source tooling including XGPro.