Authored CVEs

| CVE # | Title | Vendor | Author(s) | Additional Details |
|---|---|---|---|---|
| 2016-2060 | Command Execution in netd daemon | Qualcomm | Jake Valletta | FireEye blog post |
| 2017-3748 | Improper access controls in nac_server binary | Lenovo | Jake Valletta | FireEye blog post |
| 2017-3749 | Local backups enabled in Lenovo Idea Friend application | Lenovo | Jake Valletta | Released with 2017-3748 + 2017-3750 |
| 2017-3750 | Local backups enabled in Lenovo Security application | Lenovo | Jake Valletta | Released with 2017-3748 + 2017-3749 |
| 2018-18766 | Elevation of privilege in Call Dispatcher service | SiteKiosk | Jake Valletta | |
| 2019-11509 | Authenticated remote code execution in administrative interface | Pulse Secure | Jake Valletta | Advisory |
| 2020-9306 | Hardcoded credentials | Tesla/SolarCity | Jake Valletta, Sam Sabetan | Blog pt1, pt2 |
| 2020-12878 | Execution with unnecessary privileges | Tesla/SolarCity | Jake Valletta, Sam Sabetan | Released with 2020-12878 |
| 2020-15467 | Authenticated command injection in administrative interface (vns3:vpn) | Cohesive Networks | Jake Valletta | Advisory |
| 2020-25217 | Authenticated command injection in administrative interface (GRP261x devices) | Grandstream Networks | Jake Valletta, Michael Maturi | Advisory |
| 2020-25218 | Authentication bypass in administrative interface (GRP261x devices) | Grandstream Networks | Jake Valletta, Michael Maturi | Advisory |

Presentations & Workshops

2018

  • ANYCON 2018 (September, 2018) - “Navigating SEAndroid Trust Relationships: Exploitation Techniques for Modern Android Devices” [video]

2017

  • ArcticCon 2017 (October, 2017) - “Navigating SEAndroid Trust Relationships: Exploitation Techniques for Modern Android Devices” [slides]

2016

  • BSides Denver (October, 2016) - “Attacking the Core: Uncovering Vulnerabilities in Android System Services” [slides]
  • BSides Nashville (April, 2016) - “Put a Sock(et) in it: Understanding and Attacking Sockets on Android” [abstract] [slides] [video]

2015

  • Blackhat Europe - Arsenal (November, 2015) - “Android Device Testing Framework v1.3” [abstract]
  • BSides Asheville (June, 2015) - “All the Looks without the Price Tag: A Case Study of Device Security for Knock-Off Android Phones” [abstract] [slides] [video]

2014

  • BruCON 0x06 (September, 2014) - “Exploiting the Bells and Whistles: Uncovering OEM Vulnerabilities in Android” Workshop [abstract]
  • Blackhat USA - Arsenal (August, 2014) - “Android Device Testing Framework” [slides] [abstract]
  • CarolinaCon X (May, 2014) - “Exploiting the Bells and Whistles: Uncovering OEM Vulnerabilities in Android” [slides] [video] [abstract]

2013

  • B-Sides DC (October, 2013) - “Dynamic Analysis using CobraDroid” [slides] [abstract]
  • BruCON 0x05 (September, 2013) - “CobraDroid: Hooking Android Applications” [slides] [video] [abstract]

2012

  • MIRcon (October, 2012) - “Finding Evil with Data Stacking” [slides]
  • OWASP NYC (June, 2012) - “Finding Evil with Data Stacking” [slides] [abstract]

2011

  • New York State Cyber Security Conference (June, 2011) - “Data Exfiltration using Covert Communication Channels” [slides] [tools]

Accolades & Honorary Mentions

  • Android Security Acknowledgements (2016) [link]
  • Qualcomm Hall of Fame (2016) [link]
  • CodeAurora Hall of Fame (2016) [link]