Metal-as-a-Disservice: Exploiting Legacy Flaws in Cutting Edge Clouds

Name: Metal-as-a-Disservice: Exploiting Legacy Flaws in Cutting Edge Clouds
Description: The rise of GPU-focused cloud providers has created a new class of infrastructure security problems. Unlike established hyperscalers such as AWS, Azure, and Google Cloud — which have invested more tha

Bill Demirkapi

DEF CON 33 · Day 1 · Main Stage

The rise of GPU-focused cloud providers has created a new class of infrastructure security problems. Unlike established hyperscalers such as AWS, Azure, and Google Cloud — which have invested more tha

AI review

Demirkapi rents GPUs from ML-focused bare metal cloud providers and documents systemic failure across every firmware layer: UEFI boot persistence with authenticated variables, BMC takeover via vendor tool swapping, PCI option ROM backdoors that survive OS reinstalls, and cross-tenant RCE via unencrypted PXE provisioning. The 'bare metal is more secure than VMs' marketing claim is dismantled in real demos.

Watch on YouTube