Owais Shaikh

Security Researcher  ×  Software Engineer
🔏 OpenPGP key ▸ 5B48 7733 2829 B7F4 8ABE C1CB CA2D 14E0 F9F7 3BA8

If you've received a signed document from me, click on the key above to download it, then run the following commands:

gpg --import <key_name>.asc
gpg --verify <file_name>.signed --output <file_name>

Hi, I'm Owais. I'm a Security Researcher. I believe in solving complex problems with simple solutions. I love breaking things down and exploring them in-depth, and contributing to open-source stuff.

View résumé

Connect with me

Email Blog GitHub LinkedIn Mastodon

Donation links

GitHub Sponsors

▲⋅▼⋅▲⋅▼⋅▲



Piiscout

April 2024

Started working on Piiscout with the brilliant Othman Ali Khan, who helped with regional PII definitions for Saudi Arabia.

Mercedes-Benz Secret Leak discovery

January 2024

Secretsearch is an open-source tool I wrote at RedHunt Labs in Golang. Using concurrency and a custom regex list containing secret type definitions with zero-maintenance, it can scan almost 100,000 commit files of any size in less than a minute, running almost 150 regex checks on them in a loop.

This tool was instrumental in catching a publicly exposed GitHub secret from Mercedes-Benz that exposed all of Mercedes-Benz’s cloud access keys, blueprints, design documents, private repositories, future projects, employees and other intellectual property.

Read the TechCrunch article here!

BlackHat Middle East and Africa

November 2023

Presenting in Riyadh

!سلام عليكم، سعوديه .شكراً للاستقبال (و مبروك للهلال)

Presented Octopii v2 and BucketLoot with Umair in Riyadh, Saudi Arabia. Met tons of people, learned a myriad of new stuff from them.

I was also interviewed about my journey in cybersecurity and some of my experiences there!, which they were kind enough to publish.

AntiSquat

June 2023

AntiSquat banner

Some people I knew started getting a flurry of phishing credit card links in their emails and text messages. This was the inspiration for AntiSquat, an AI-powered phishing domain finder and typosquatting detector that can help organizations catch similar-looking domain names.

BlackHat Arsenal USA 2023

AntiSquat gets featured at BlackHat Arsenal USA 2023. Presented that and BucketLoot with Umair.

Original blog here

Unfortunately, I never got a chance to work on the second version of the tool, so I left it alone.

Fourteenth International Conference, ITC 2023

January 2023

Authored “Detection and Classification of Personally Identifiable Information in Images Using Artificial Intelligence,” based on PII research conducted at RedHunt Labs.

Available here

Graduation

October 2022

Got my Bachelor’s degree from KLS Gogte Institute of Technology. Made some amazing friends. What a fun four years.

College taught me the concept of makeshift/workarounds/jerryrigging/hacks, or as Hindi speakers call it - “जुगाड़”. Finding quicker solutions to problems irrespective of the status quo helps you generate alternate and unique perspectives on how things work. For example, folding your clothes and keeping them under your bed while sleeping overnight to “iron” them, reusing an old laptop as a gaming console or home server, hanging up wet curtains to use them as passive air-conditioning, using your backpack as dumb-bells, gluing things together, you name it!

BlackHat Arsenal USA

August 2022

BlackHat Arsenal USA 2022

Octopii gets featured at BlackHat Arsenal USA 2022.

Octopii

March 2022

Octopii banner

Wrote Octopii, an AI-powered Personally Identifiable Information (PII) scanner powered by Haar Cascades, Tesseract, Optical Character Recognition (OCR) and NLTK.

I came across this problem when I was performing some research at work. Since we collect IP addresses and such, I received one, where Apache directory listing was enabled. It belonged to a small business, and it had pictures of hundreds of Indian government ID (Aadhaar, PAN, drivers’ licenses). I was looking for an open-source tool that helped me automate the detection of these resources and couldn’t, and so I tried making one. The first version was terrible, since I was tackling the problem incorrectly. In order to train a model on images of PII, I need…images of PII! Which is not something that is easy to obtain. So I took the alternate route in v2, which was scanning text already present on PII and approximating metadata about it. This worked and had far less computation and labor involved.

Octopii was mentioned on Intigriti’s Bug Bytes Newsletter and on Daniel Miessler’s Unsupervised Learning podcast, gained a lot of unexpected traction in the GitHub, OSINT and Kali Linux communities and is currently RedHunt Labs’ most active repository. I was also thrilled to learn that I made it to the Hackers of India community thanks to all the love you showed to it.

Original blog here

RedHunt Labs Private Limited

January 2022

Joined RedHunt Labs as a Security Researcher. Managed deployments and infrastructure for the Research team. Worked with ElasticSearch, Logstash and Kibana. Wrote and debugged several security tools in Golang and Python. Learned a lot from Somdev, Pinaki and Umair.

RedHunt Team photo

ThinkPad E14 Synaptics driver port

July 2021

libusb code

My second ever reverse-engineering/port. This one was a bit more difficult than I expected, so I left it alone. A lot of people starred it and were willing to fund it though. If you’d like to contribute, contact me or fork the project.

Lenovo basically cheaped out on their hardware and tried to use Shenzhen Goodix fingerprint scanners because they’re cheap. However, this OEM hasn’t made anything open source or available online, making Linux compatibility of these scanners an absolute nightmare.

Archived here

Bonhomie Solutions

March 2021

Worked on backend, infrastructure, data protection policies and system design with Stephen, Ross and Kuda on project HomieBot.

Keyspace

February 2021

Keyspace.cloud

Founding member of keyspace.cloud, along with Rohan and Nimish.

Wrote the official Android app for it.

GetPerms

November 2020

Wrote my first library, GetPerms. Nothing special, was just curious to see how many permissions can an Android app read from other Android apps. To my surprise - a lot! To a point where you can almost “fingerprint” people’s phones.

Fortunately, Google fixed this in Android 11.

Wristkey

February 2020

Old Wristkey banner

Wrote a completely standalone two-factor authentication app for Android Wear / Wear OS. Google pulled their Authenticator out of the Wear Play Store and I needed an offline 2FA authenticator because my G Watch W100 doesn’t have WiFi. Released it on GitHub to help others in my situation.

The app is now unexpectedly unique, in that it can read data from USB, perform encrypted Wi-Fi transfers from devices that are several generations old and can import from several password managers, irrespective of platform or manufacturers, meaning that any Android-based device can run the app, without any pairing required.

Gained unexpected popularity and got mentioned on Reddit a bit.

Play Store link

openTransmit

September 2019

openTransmit

Wrote FTPSetup for Android and openTransmit for iOS, two utilities to make data transfers between iOS 11+ devices and Linux distros more seamless.

Polytechnic

December 2018

Graduated from Polytechnic school after failing math for 4 semesters.

Failures

Turns out math is not as difficult as it seems. Everyone has a style of learning, and mine was through visualization, as opposed to rote memorization of techniques and formulae. I sat down and went back to the basics of arithmetic, what numbers are, and the concepts of statistics and calculus, deriving everything from scratch. I also tried seeing how of these would plot on a graph, and how incorporating this into my daily life made it easier.

This philosophy of skillsets being interoperable and transferable helped me immensely (for example: realizing that summations in statistics are for loops, that Wi-Fi and cellular signals used Fourier Transforms, Material Design animation used interpolation in calculus etc.), and made the universe around me feel beautiful and alive. For the first time, everything made sense.

This nearly 8 year long struggle with math reminds me of Claudia Mueller and Carol Dweck’s locus of control experiment.

Laser Communications System

November 2017

Laser communications

My initial Polytechnic school final year project I made with Nelson. Got rejected because it wasn’t “CS enough” (whatever that means).

The idea was to link large distances with lasers so that I could have calls with my friends in the neighborhood without worrying about cell phone bills. A prototype of this worked, though it sounded extremely attenuated. I thus got the idea of submitting it as a project, but they rejected it and imposed upon us the idea of some strange app.

Archived here

Home automation

February 2014

Performed my own automation setup, with a Raspberry Pi 1A, IFTTT, Tasker and a Belkin Wemo switch.

tasker

I later realized how many attack vectors it had and how important educating yourself first is important, especially before exposing your home devices on the internet.

Moto X APK ports

December 2013

Moto G XT1033 modded settings screenshot Moto G XT1033 touchless control training screenshot

My first major project, an attempt at reverse-engineering and porting some very popular features from the first ever Moto X. Became top Moto G repo of the week on XDA Developers.

Archived here (Please don’t roast me, I was a kid trying to look cool)


↑ Go to top



© Copyright 2023 Owais Shaikh. All rights reserved.