506 matches found
Analysing the Attack Surface of an Industrial Data Acquisition Device
Introduction The Data Station Plus from Red Lion Controls was handed to me to analyse the attack surface. The device is designed to connect to SCADA data acquisition devices over Modbus, Profibus, etc. by Serial or Ethernet connection. Data is collected and recorded to a local compact flash card...
2021. The age of the super vulnerability?
I don’t know about you, but to me it seems that every week we are seeing another vulnerability that not only grants significant access to the vulnerable system but also more widely internally. This last week we have seen the latest round of Microsoft Exchange vulnerabilities. The April 2021 updat...
Too Interested?
I was asked to investigate an incident a while back where my client was being subjected to a sizeable DDoS attack. It was causing them significant pain and, owing to the nature of their business, implementing something like CloudFlare quickly wasn’t an option. It had the hallmarks of a...
Think you’ve had a breach? Top 5 things to do
Realising that you may have had a data breach can be the start of a stressful and confusing time. Ideally, you would reach for your carefully crafted and practised incident management plan to guide you through the process. In reality though these plans fall into two camps: They don’t exist yet Th...
Brute forcing device passwords
When working with IoT and embedded systems, brute-force password guessing attacks are an effective tool to gain access. Over the years, I’ve learned some tips and tricks to make these attacks more effective. What is brute forcing? Very simply, it’s guessing passwords so that you can find a valid...
Out of cyber class. Maritime compliance.
Ships classification societies have a key role to play in the International Maritime Organisations cyber security requirements. Based on our experience to date, there are some significant issues coming that maritime insurers need to be aware of before writing cover for any vessel that includes...
DEF CON 28: ILS and TCAS Spoofing
This post is a companion to the DEF CON 28 video available here The purpose here is to give some practical demonstrations of two kinds of radio frequency spoofing attack against two different types of cockpit instruments that are found in virtually every single commercial aircraft flying today...
Help, my accounts have been hacked! What should I do?
I run staff security awareness sessions for a huge variety of organisations. Regardless of where I am the most common question I get asked is “How do I recover from being hacked at home?”. For businesses, we have some simple advice, but what about everybody else? A client contacted me. One of the...
COSCO incident. Phishing frenzy and exploding goods?
If you haven’t seen the coverage, COSCO the world’s 4th largest shipping line has had a ransomware outbreak. Sounds terribly familiar, doesn’t it. One wonders why on earth they didn’t carry out a thorough review after the Maersk incident, so as to be rather better prepared. Phishing time Breaches...
Hardware reverse engineering. A tale from the workbench
In line with our previous work on the Tapplock, I decided to have some fun with some electronic locks and ordered a few from a large retail company. Half of these are currently en route to me, on the slowboat from China, but one arrived early. Before I state, let me just say here that I’m not...
Tracking Amazon delivery staff
TL; DR The Amazon delivery tracking API allows ultra-precise tracking of drivers. Amazon claim that customers can only track the driver for the 10 stops prior to theirs. This isn’t the case – one can track the driver on the entire route and all drops, including their speed on the road. This preci...
2×4 Security
I had someone at the house recently, talking about physical security. We have all the usual stuff like alarms and CCTV, locks on the windows and doors but the aim of the exercise was to have someone who is familiar with attacks vectors physical security in this case, but the principal applies to...
A Secure “Smart” Kettle?
We haven’t looked at smart kettles for a long time, mostly as the UK market leader, Smarter, fixed their security with the iKettle 3.0. So I got quite excited when a colleague pointed out the Xiaomi ‘smart’ kettle a few weeks back. It’s the first kettle with a mobile app that we’ve seen for a...
Shipping operators, what you need to know about phishing and CEO fraud
Maybe second only to ransomware, the most likely type of attack a shipping operator will experience will be a phishing scam. Usually this will be carried out by email, or social media, or even messaging apps. It will likely include a link to what seems a plausible website, and/or have an...
Ransomware. In the air?
Introduction As an exercise, we were asked to look at the potential vectors for ransomware to affect flight despatch and operations. In most cases, flight systems simply werent significantly exposed, but ground systems affected by ransomware may make flight ops either impossible or significantly...
Remote command injection through an endpoint security product
TL;DR? We discovered command injection in a popular endpoint security product, Heimdal Thor. By using the product, customers PCs were exposed to compromise. Irony++ Heimdal fixed the issue quickly and responded well, but it appears that the vulnerability had been present in 650,000 PCs for around...
Super-systemic IoT flaws
IoT security flaws were always systemic: by that I mean that if I find a flaw in my smart thermostat, it affects ALL of those thermostats. A security problem with one connected car leads to problems with ALL the connected cars using that same system. That led to incidents such as the Mirai botnet...
Nuclear Satcoms
The Fukushima Daiichi nuclear incident in 2011 has led to safety changes that may have an interesting knock-on effect on reactor security. Loss of telemetry during the flooding, as a result of the subsequent loss of power, made assessment of the incident hard to manage. Critical data about the...
Ghost hardware. Device No.1, the Ghost Pro
Colloquially known as a “Ghost Pro” this full spectrum camera is supposed to allow you to see beyond the visible spectrum, into the infrared and ultraviolet ranges. This one has Wi-Fi as well, for ease of remote control. There’s a few questions we wanted to answer with this one. Who’s the camera...
Why hackers don’t fly coach
Physical security is relied on too heavily for cabin-based systems on the Airline Information Services Domain AISD. Whilst the Aircraft Control Domain ACD is separated, there are still plenty of interesting information, data and systems that are accessible from the cabin, for those who are prepar...
Training apps. Have their privacy settings improved in 5 years?
TL;DR Run and bike tracking apps still have a pretty poor approach to password security & default privacy settings From being one of the more secure apps 5 years ago, Strava has now been pushed to the back of this pack as others improved Amazingly, none of these apps support multi factor...
ASSURE Aviation Cyber Security Testing
We've long been supporters and champions of a formalised approach to Aviation Cyber Security Testing. Our research and blogging has taken us on an interesting journey regarding airside and landside security, mapping attack surfaces and explaining how systems work and interact. Speaking and...
Ghost hardware. Device No.3, the Ghost Rover
The Ghost Rover is a ghost hunting tank. You control it with a mobile app. We’ve looked at a toy spy tank before, it wasn’t great from a security point of view. Let’s hope our ghost-hunting tank – which, at $200, cost almost 4 time as much as the spy tank – has considerable security improvements ...
Hacking Navtex maritime warning messages
When data roaming was still expensive across Europe and cellular data service was patchy, I used Navtex extensively whilst sailing in the Mediterranean. Every four hours, one could get a useful marine weather forecast. Was there a fun days sailing ahead, or was a dash for port and gin & tonic in ...
EFB Safety Advice for Pilots
As a pilot you will be all too aware of how important an electronic flight bag EFB is to you and your role. It’s probably critical to your takeoff performance calculations, your roster, pax lists and plenty more. It’s one thing if its not working, but have you ever stopped to consider what could...
Hacking smart devices to convince dementia sufferers to overdose
Weve looked at numerous smart tracker watches over recent years. All had some disastrous security flaws. However, we found one recently that was a little different: it was aimed at the elderly, particularly those with dementia or other cognitive impairments. If the wearer goes for a walk and...
Hacking Superyachts. Advice for owners
If you own a superyacht they are your homes, your offices, your play areas. They are islands of exclusivity and provide safety and security and above all privacy, but are they really as secure and private as you hope they are? Finding your yacht Most yachts have safety features such as Automatic...
Worried about Spouseware?
We recently participated in a BBC Radio 4 interview for You and Yours about ‘Spouseware’. This covers smartphone apps which are used by a domestic abuser to track and monitor their victim. The tracking ‘spouseware’ can tell the abuser where their victim is, when they use the phone, what speed...
Exploiting Copilot AI for SharePoint
TL;DR AI Assistants are becoming far more common Copilot for SharePoint is Microsoft’s answer to generative AI assistance on SharePoint Attackers will look to exploit anything they can get their hands on Your current controls and logging may be insufficient Be careful what you keep on platforms...
Living off the land with native SSH and split tunnelling
TL;DR Attackers can use Microsoft native SSH client to forward out internal network traffic Windows native SSH is common The attack only needs minimal set-up and commands Quicker and more cost effective for an attacker than using C2 infrastructure Reduces likelihood of Blue team detection...
From a TCU to Corporate Domain Admin
How we went from a telematics control unit in a vehicle to domain admin on a corporate network We’ve tested numerous telematics control units over recent years and gathered many of our findings in to some good practice guidance here. However, just occasionally we find something that blows our min...
Hacking Superyachts. Advice for captains
I’ve blogged already about how superyachts are the homes, the offices, the play areas for their owners. However, they are also the charge of the captains and homes of the crew, most owners simply see themselves as guests on the captain’s yacht, so what do you the captain and crew need to think...
Flogging a dead smart horse
Connected stuff is getting everywhere, even in to managing the health of your connected horse. Yes, really. One Friday afternoon after PTP lunchtime drinks in the pub, we bought an ‘Orscana’ horse tracking device. It sat on the shelf for 13 months until after another session in the pub over lunch...
Ghost hardware. Device No.2, the Boo Buddy
The “Boo Buddy” is sold as a “trigger object” with a wide range of internal functionality such as EMF, motion and temperature detection. It’s a “trigger object”, in the sense that it is designed to evoke the spirits of children, who might be drawn in by the presence of a toy. Many people have...
Automotive theft affects shipping security
Cars and ships – there’s not that much in common with two areas that we carry out a lot of research in to. One uses CAN for safety critical controls, the other uses serial and +/- 10V. Yet, security of the two sectors is linked through vehicle theft and fraud: Most modern vehicles have telematic...
EU Cybersecurity Act IoT FAIL
The EU recently announced that its plans for a Cybersecurity Act had been backed by industry committee MEPs. This was a significant opportunity for consumer IoT security to be regulated and resolve the current mess. Sadly, they’ve stopped short and made the code voluntary for all but certain...
Galleon NTS-6002-GPS Command Injection vulnerability (CVE-2022-27224)
TL;DR Galleon Systems’ GPS NTP time server had a command injection vulnerability in the firmware of their NTS GPS device which could allow total control of the device through the web management interface. The vulnerability - CVE-2022-27224 https://vulners.com/cve/CVE-2022-27224 Device: Galleon...
Multi-factor Authentication. Reset MFA you say?
MFA is a no brainer. It helps mitigate the risk of password re-use, overly simple passwords and more. Just don’t confuse it with 2 step verification… Anyway, when we’re red teaming, MFA can make things more complicated. So why not social engineer your way around it? Having worked on a helpdesk...
Ethical dilemmas with responsible disclosure
We do a LOT of disclosures, probably starting one a day on average. Between us, we spend a man day or so per week just managing disclosures. It creates pain for us and consumes time, particularly when the vendor won’t listen. We get the occasional legal threat, which takes time and money to slap...
Business Email Compromise. What to do
The FBI has just released it’s annual Internet Crime Report for 2019, it makes for some really interesting and depressing reading. The mainstream media focused on the headline figure of $3.5Bn in losses in 2019, but what caught my eye is the Business Email Compromise BEC or CEO Fraud stats. I...
Tamper proofing review: the iZettle card payment terminal
Tamper resistance is an increasingly important factor in smart devices. Together with secure hardware design and defensive coding, it can deliver a very secure device. One of the most common areas the average consumer will encounter tamper resistant devices is in payment terminals, or Pin Entry...
Totally Pwning the Tapplock (the API way)
An awesome researcher contacted us on the back of our recent Tapplock pwnage. We had been looking at the local BLE unlock mechanism, however he focussed instead on the mobile app API. Vangelis Stykas @evstykas has found a way to unlock any lock, plus scrape users PII and home addresses. Read his...
Homeworking vs Homeschooling. The cyber challenge
March 2020 was a significant challenge. We were propelled into lockdown. From happily working in an office I had to switch to working from home. Previously I had always looked at my home as exactly that, a home. A place to relax and spend time as a family. Never did I expect to be spending every...
K&R insurance. Kidnap and Ransom(ware)
Businesses are increasingly getting insurance cover for cyber liability incidents. Whilst cover was traditionally focussed on US-style 3rd party losses relating to data breaches, claims are accelerating in the 1st party / ransomware and business interruption arena. Ransomware claims are growing s...
Cloud firewall management API SNAFU put 500k SonicWall customers at risk
TL;DR I found an IDOR in SonicWalls cloud management platform API Any user could add themselves to any account at any organisation using it Anyone could create a user account to exploit the issue, from the public internet Can be used to change firewall rules, or add rogue VPN users, for example...
Speed 2 – The Poseidon Adventure – Part One
This post is a companion to the DEF CON 28 video available here This is a tale of how we tested a brand new cruise ship over the course of a week. TL;DR How fire zone safety design affects security When ballasting control goes wrong Where maritime tech providers let security down, badly Are IMO &...
Honeyroasting. How to detect Kerberoast breaches with honeypots
Introduction As we know one of the main issues facing defenders, especially in large environments, is protecting against threat actors after they gain a foothold in the environment. If an attacker lands on a domain-joined PC, the attack surface is massive, and it is vital to detect them as quickl...
Hacking floating hotels. Cruise ship compromise on the high seas
Modern cruise ships have all the amenities of a large resort hotel. Prior to entering the infosec space, I spent 5 years working in hotels. My experience of the security of both hotels and shipping indicates that the mix is not a good one for security. What’s the difference between a hotel and a...
Direct Memory Access (DMA) attacks. Risks, techniques, and mitigations in hardware hacking
TL;DR Direct Memory Access DMA attacks are a powerful class of attack that give read and write access to the memory of a target system, bypassing the main CPU to gain kernel privileges. We became interested in DMA attacks for expanding the toolkit for rooting embedded devices. A lot of embedded...
Real-life social engineering. Another two days in tweets
What happens in a real life social engineering exercise? There’s a lot of planning and preparation that goes on behind the scenes: it’s not a matter of turning up to a site and ‘winging it’! I live tweeted an exercise a little while back, to give a flavour of a real task in real time. For reasons...