Benjamin Kunz Mejri
Quick Facts
Biography
Benjamin Kunz Mejri (born 6 May 1983) is a German IT security specialist and penetration tester. His research interests include vulnerabilities in computer systems, bug bounties, the security of e-payment services and the protection of privacy. Mejri is well known as a usual suspect to uncover new vulnerabilities and to publish them openly.
Life
Kunz Mejri grew up in the city near Kassel in Hessen and was at the technical school Kassel from 2003 to 2005 specializing in business computer science. In 2005 he published at the CeBIT in Hannover with the firm f-secure for the first time a report about a ssl zero-day vulnerability in the mozilla Firefox browser engine. Since 2008 Mejri is research director of the vulnerability labs and became in 2014 managing director, of the evolution security gmbh based in Kassel-Wilhelmshöhe.
Research
Evolution Security
Kunz Mejri started in 2010 the company Evolution Security with the developer pim campers from the Netherlands. The company is known for manual security checks and detection of vulnerabilities or backdoors in operating systems, hardware or software. 2014 the company changed its legal form and became an official gmbh, based in the technology center in Kassel-Wilhelmshöhe.
Vulnerability Laboratory
2007 Kunz Mejri started an own laboratory for recording zero-day vulnerabilities. The public vulnerability lab has more than 1000 active researchers from the international space and lists over 2,000 specially reported vulnerabilities with the technical details. In addition, the laboratory has documents, videos and analysis in the field of IT security in relation to vulnerabilities. Vulnerability Laboratory is the first internationally registered bounty and vulnerabilities portal in the field of IT security for independent security researchers or bounty hunter.
Securityanalysis of Skype (VoIP)
2011 Kunz Mejri published on the "Hack in the Box" conference in kuala lumpur, Malaysia one of the first reports about vulnerabilities in the skype software and architecture. The former publication took place in cooperation with skype. Kunz Mejri explained in the presentation multiple own discovered vulnerabilities in the software for linux, windows and macos.
Airport-Security München, Köln/Bonn & Düsseldorf
In 2012, kunz mejri reported several critical vulnerabilities in the infrastructure of multiple German airports. The vulnerabilities allowed the reading of the sql database records of the airports Düsseldorf, Cologne/Bonn and Munich. Affected areas also affiliated airlines such as the German Lufthansa or Air Berlin. Following the publication of two vulnerabilities in airport service pages, the digital security architecture of the affected companies changed permanently.
Microsoft- & Skype-Account-System
In 2012, Kunz Mejri published about four critical vulnerabilities in Microsoft about Skype, which allowed that in any Hotmail - Live - Xbox - and Skype account could not be accessed without permission or authentication. His analysis of security against the products series flowed into the production of Microsoft's new account systems and improved infrastructure of logins.
In February 2013, Mejri reported a critical vulnerability in the validation of the official SharePoint cloud web application of Microsoft. In early September 2013, the newly detected vulnerability in SharePoint was examined by the security firm Symantec and the SANS Institute. In the same year, 16 confirmed vulnerabilities were reported in the office 365 cloud software to the Microsoft security response center by Mejri. By the end of 2013, all reported vulnerabilities were patched by the development team and security division of Microsoft.
Def Con Las Vegas 2013
2013 Mejri was invited as a speaker to the DEF CON in Las Vegas, Nevada to discuss his security related findings in the Skype software. 14 days before the conference Kunz Mejri was removed for unknown reasons with the general safety of the speaker list. Reason for that was an appeal of the announced visit to the former NSA - Chefs Keith Alexander, who acted with direct reference to the new revealed safety problems by Mejri.
Barracuda-Networks-Infrastructure
2013 Kunz Mejri also published over 40 vulnerabilities in Barracuda Networks Firewall and other productsAll vulnerabilities were reliably closed during the year by the manufacturer. The hand-over documents were processed by the development team of the company and Dave Farrow for future processes. Kunz Mejri influenced 2012-2014 the product line by permanent security related interactions with the security teams of barracuda networks.
Apple iOS Passcode
2014 published kunz mejri restarted a new vulnerability in iOS V6, which made it possible to bypass the passcode security feature. The vulnerability was found in the function for emergency calls, allowing access to the device without entering a pin. Shortly thereafter, in the same year mejri developed an exploit, the iOS version V6.x in a so-called "Black Screen Mode" (Black Screen Mode) offset and so allow access to the internal memory. Once the vulnerability was published, the emergency calls increased by the abusive exploitation in imitation of the vulnerability in the international space by 17%. The vulnerability has been closed by Apple Cupertino about one month after the publication.
2015 Kunz Mejri presented in a public a video before, as you can cut short the latest SIM lock an iOS V7.x device to use the device without permission or authentication. Approximately 14 days after publication of the vulnerability, the apple product security team patched the issue via hotfix and release.
In March 2016 Mejri discovered another vulnerability in Siri by apple. Siri allowed by another, not limited function to overcome illicit device lock without passcode or fingerprint. Apple released the same day a hotfix that redirects the API calls of Siri to close the security problem temporarily. After that the vulnerability was permanently fixed by an official release.
NASA-Mission Orion
December 4, 2014, Kunz Mejri published a vulnerability in the boarding pass application of the Orion - mission of the American space agency NASA. The vulnerability was coordinated and confirmed by the CERT team of the US Department of Defense on November 25, 2014. The boarding pass information to the application were later written by electron beam lithography on a silicon microchip prototype launched 4 December aboard the space shuttle. One of the test exploit payloads of the researcher was not deleted by the NASA and transferred to the isolated microchip. Mejris Exploit Payload spent after the launch of the rocket four hours and 24 minutes to two elliptical orbits around the Earth with an apogee (peak) of 5800 kilometers. A study of NASA with an eleven members team confirmed that one of the stored payloads in boarding pass was accidentally transmitted to the silicone Microchip. Since the microchip but was isolated, there was no danger for the art or the spacecraft itself. NASA provided Mejri few days a specially crafted image ready with a joke entry of Mejri in NASA's no-fly list.
PayPal Inc & J.P. Morgan
From 2011 to 2016 Kunz Mejri worked on improving the security in PayPal and J.P. Morgan and eBay Inc. Kunz Mejri discovered until 2016 over 120 vulnerabilities in the PayPal infrastructure. He was the first German that participated in the official PayPal bug bounty program. 2013 he reported security investigators several sql injection vulnerabilities in PayPal's billsafe-service providers. 2014 he detected in the mobile api of PayPal iOS app a vulnerability that allowed him to unauthenticated access each account by successful exploitation.
Wincor Nixdorf – Sparkassen Automated Teller Machines & SB-Terminals
In 2015, Kunz Mejri published a vulnerability as reportage in self-service terminals and automated teller machines of the company Wincor Nixdorf. The automated teller machines were used throughout Germany by the sparkasse. Using a key combination Mejri could make an update console of administrators visible during an update. The console gave an insight view into sensitive data that was optical copied over the monitor. The vulnerability has been fixed by Wincor Nixdorf permanently. The security update was recorded and tested by the Sparkasse as a pilot program in Hessen for ruther implementation into the productive line. After the pilot program tests was established the security updates was transmitted to the German country infrastructure to prevent attacks against the affected automated teller machines.
Who am I – Filmcharacter
2014 a part of kunz mejris history was used for a computer hacker thriller and Hollywood blockbuster movie titled Who Am I - No System Is Safe. The main character of "Benjamin" played the well-known actor German actor Tom Schilling. 2015, the film won six awards, including the international film award for the "Best International Movie" and the Bambi Award. The film Who Am I was acquired mid 2015 by Sony Entertainment (Warner Studios) and will be published again in an international remake.