BEGIN:VCALENDAR
VERSION:2.0
PRODID:-//pretalx//cfp.recon.cx//recon-2026//talk//KZCARU
BEGIN:VTIMEZONE
TZID:EST
BEGIN:STANDARD
DTSTART:20001029T030000
RRULE:FREQ=YEARLY;BYDAY=-1SU;BYMONTH=10;UNTIL=20061029T070000Z
TZNAME:EST
TZOFFSETFROM:-0400
TZOFFSETTO:-0500
END:STANDARD
BEGIN:STANDARD
DTSTART:20071104T030000
RRULE:FREQ=YEARLY;BYDAY=1SU;BYMONTH=11
TZNAME:EST
TZOFFSETFROM:-0400
TZOFFSETTO:-0500
END:STANDARD
BEGIN:DAYLIGHT
DTSTART:20000402T030000
RRULE:FREQ=YEARLY;BYDAY=1SU;BYMONTH=4;UNTIL=20060402T080000Z
TZNAME:EDT
TZOFFSETFROM:-0500
TZOFFSETTO:-0400
END:DAYLIGHT
BEGIN:DAYLIGHT
DTSTART:20070311T030000
RRULE:FREQ=YEARLY;BYDAY=2SU;BYMONTH=3
TZNAME:EDT
TZOFFSETFROM:-0500
TZOFFSETTO:-0400
END:DAYLIGHT
END:VTIMEZONE
BEGIN:VEVENT
UID:pretalx-recon-2026-KZCARU@cfp.recon.cx
DTSTART;TZID=EST:20260621T130000
DTEND;TZID=EST:20260621T140000
DESCRIPTION:How safe is the data on your phone? On modern Android phones\, 
 all OS data except a minimal boot image is encrypted on the flash memory i
 n a way that is device-bound\, so that if we take out the flash and dump i
 t we get nothing of interest. But encrypted with what?\n\nThis talk presen
 ts our research on cold-storage security on Android against an attacker wi
 th physical access. In the process\, we uncovered a decade-old vulnerabili
 ty on Mediatek-based Android phones (CVE-2026-20435)\, which allows us to 
 recover the PIN and all user data (including Keystore content) from the fl
 ash memory of a switched-off phone. Depending on the models\, it only take
 s a USB access and a few minutes\, which we will demonstrate during the ta
 lk.
DTSTAMP:20260612T173317Z
LOCATION:Grand Salon Opera
SUMMARY:Forgotten TEE keys in plain sight - Florent TARDIF
URL:https://cfp.recon.cx/recon-2026/talk/KZCARU/
END:VEVENT
END:VCALENDAR