Lucas Carmo
Lucas Carmo is a seasoned offensive security researcher and co-founder of Hakai Security, a Brazilian consultancy focused on red teaming, vulnerability research, and exploit development. With over eight years of experience in cybersecurity, Lucas holds respected certifications including OSWE (Offensive Security Web Expert), OSWP (Offensive Security Wireless Professional), and GMOB (GIAC Mobile Device Security Analyst). He has discovered multiple CVEs in widely used platforms such as Trend Micro Mobile Security, Nagios, PRTG, 3CX, and Centreon.
Lucas leads Delta7, Hakai’s advanced research division, where he guides a team of specialists in dissecting complex security flaws across web and Android environments. He has contributed to open-source projects like the ReconFTW web interface and frequently shares insights through blog posts, technical write-ups, and conference presentations.
Beyond the code, Lucas is passionate about tattoos and art. He sees hacking as a creative discipline that requires abstract thinking, intuition, and an artistic mindset. To him, connecting pieces of a system to uncover a vulnerability is like crafting a powerful visual composition: messy in the process, but beautiful in its outcome.
Session
Trend Micro Mobile Security (TMMS) is a solution widely trusted by enterprises to defend Android devices. But what if the protection becomes the threat? In this talk, I reveal how the very software meant to secure mobile endpoints can be exploited to compromise them. During my research, I identified three vulnerabilities, two confirmed by the vendor.
First, I found that TMMS exposes sensitive security reports online without requiring authentication, revealing device data to anyone. Second, I uncovered a persistent stored XSS sent from Android agents during scans. This payload executes in the browser of anyone who accesses the report, allowing attackers to inject further malicious scripts. Lastly, I’ll discuss a memory-level manipulation identified during dynamic analysis of the scan routine, which could lead to code execution. These flaws present a high-impact attack surface individually, and a dangerous chain if combined.
This presentation includes recorded demos and a deep dive into the methodology used to discover these issues. It is tailored for red teamers, offensive security professionals, and researchers focused on mobile and infrastructure security.