OrangeCon 2026

Pwning a Million Point Of Sale Terminals In One Afternoon (Without Expert Knowledge)
2026-06-04 , Track 2

One Black Friday deal + one afternoon + basic software engineering knowledge was all it took for me to remotely manage hundreds of thousands of Android point-of-sale devices through an obscure administrator panel, with a significant portion being right here in the Netherlands and some being in use by sizeable companies.

I am a 20-year-old software engineering student with no expert knowledge in cybersecurity at all; I have just started picking up ethical hacking as a hobby by tearing apart random IoT devices. I should not have been able to do this.

This is a story about how dangerously simple critical infrastructure vulnerabilities can be, what responsible disclosure actually looks like from a first-timer's perspective, and why "we fixed it" doesn't always mean what you think it means.

Expect a very casual presentation outlining all of the mistakes that were made.
The vulnerabilities have not been made public yet; all of this happened quietly months ago. This is the first time you will hear about them!


This talk covers the entire timeline of this discovery, including:

  • The events that led up to the discovery.
  • The very simplistic breakdown of the vulnerability itself.
  • The scope of the access gained (spoiler: it is BAD).
  • Issues which first-timers face with responsible reporting of severe bugs.
  • The responses from vendors and their (incomplete) fixes.
  • Why simple issues like these will become more prevalent with current industry shifts.

Marcel is a 20-year-old software engineering student who has just started doing security research as a hobby. This means he has no expert knowledge about cybersecurity yet; however, the vulnerabilities he has managed to find are concerning, to say the least.

With a passion for (publicly) breaking open random IoT devices he finds on the internet, he always has some insane story to tell about his findings: from being able to take a selfie on a self-checkout scanner from Albert Heijn, finding payment service API keys and order data of 400+ Dutch restaurants, and video calling 100,000+ smart kid robots, to becoming a super admin of hundreds of thousands of critical point-of-sale terminals around the world.

Marcel's goal is to responsibly disclose all the issues he finds in these critical fields so that the companies involved can fix them, after which he aims to make the public aware that these issues existed in the first place.