506 matches found
Fails and Fixes with IoT
After nearly 6 years of tearing apart 'internet of things' devices, here's a look at the high level fails that we keep seeing. We're not going to go in to point issues such as Wi-Fi credential leakage and Bluetooth compromise: our blog is littered with those! What are the root issues and what can...
Tracking and snooping on a million kids
How I found vulnerabilities that could jeopardise child safety. How it started A friend recently showed me a tracker watch that he’d purchased for his young son for less than £10. It offered useful functionality such as two-way calling using a SIM and cellular connection. The accompanying app...
IoT Secure Development Guide
Introduction This guide deals with threat modelling and early stages of development so that security issues and controls are identified before committing to manufacturing. Current attack methods, and the pitfalls we find in embedded designs, have been highlighted so that a finished product is as...
Is IoT ever really yours?
When we buy a product, we generally assume that it’s ours and that we own it, right? The question of ownership gets quite interesting when we look at music – you might remember the alleged 2012 spat between Bruce Willis and Apple over ownership of iTunes purchases. It gets even more interesting...
Email Relaying. A how-to and a reminder
On a recent internal infrastructure test I came across a server that had port 25/TCP open. This is normally the Simple Mail Transfer Protocol SMTP service, and sure enough a quick look confirmed it. Now, such services on an internal network are not unusual. System and network administrators...
Password choice
Introduction We’ve been advocates of regular password auditing for years. Over that time, we’ve noticed that password choice is not only very personal, but hugely influenced by current events, trends, and even what’s sat on your desk. Its given us a unique opportunity to see these common influenc...
Introduction to PLCs and Ladder Logic
Introduction We do a lot of client work with ICS, IIoT, and SCADA. We've been to various power plants, factories, electricity substations and they all use the same technology in the form of a PLC. A PLC is a Programmable Logic Controller. PLCs are what keep our Critical National Infrastructure...
You can’t build a great IoT system without a strong foundation
Introduction Building a secure IoT system requires secure IoT devices, and building a secure IoT device requires a strong foundation. The hardware in the device must support and enable security. Too often, we've found that IoT products use innappropriate hardware. Worse still, many devices contai...
PrivEsc in Lenovo Vantage. Two minutes later
TL;DR The latest and greatest Lenovo Vantage software which ships with the most recent Lenovo devices is affected by a privilege escalation vulnerability. Whilst Vantage has been released since circa 2016, the software replaced Lenovo Solutions Centre LSC as the recommended platform management an...
Listening in at Latimer House. RF emissions and more
Loose lips sink ships, loose tweets sink fleets. Intelligence, espionage, technological advancements and other learnings from our annual company conference at the historic and underappreciated Latimer House. “Loose lips might sink ships” was a phrase used in UK propaganda posters in WWII. It...
Hacking ski helmet audio
I love snow sports, and I also like my tunes, so purchasing the Outdoor Tech CHIPS smart headphones was a no-brainer. They fit into audio-equipped helmets and have huge 40mm drivers. Warm ears and good bass. Better yet, they’re touch sensitive even with gloves on and I can take calls handsfree...
EFB vulnerability in Lufthansa’s Lido eRouteManual
Almost all commercial airlines now use electronic flight bags EFBs to drive efficiency and safety in their operations. We’ve been testing the security of EFBs and their apps, here’s our latest findings. TL;DR Many airlines use Lufthansa Systems Lido eRoute Manual for their EFB approach plates. We...
Attacking EFB updates
Software So who actually develops the software installed on Electronic Flight Bags EFBs? The software can originate from a large range of sources: System software developers including the OS, drivers, firmware and utility The aircraft manufacturer for Installed & Portable EFB devices The airline...
Where maritime cyber checklists fail
The coming IMO cyber security regulations are a step in the right direction towards vessel security, but the impracticality of assessing the cyber security of a ship, together with a huge skills shortage, leads classification societies towards checklist based assessments. Having seen some of thes...
Fill your Boots with credential stuffing protections
Yet again another company suffers a ‘hack’ that turns out to be nothing more than a credential stuffing attack. This time Boots have stopped customers using advantage card points to pay for products. This is after 600,000 Tesco accounts were compromised in the same way. No systems at Boots were...
Breaking up is hard to do… with IoT
Evidence is starting to emerge of former partners stalking their ex through the smart tech in their home. If you have a break up, what steps should you take to protect yourself? Is the very tech that is supposed to protect you actually exposing you to your ex? Smart doorbells I was contacted by a...
Airbus Navblue Flysmart LPC-NG issues
LPC-NG or Less Paper Cockpit - Next Generation is an electronic flight bag EFB application offered by Navblue, a part of Airbus. It’s used for calculating engine thrust requirements perf on takeoff and braking action on landing, among many features that help make flight safer and more efficient...
How to install Frida into an Android application
On a recent job I was testing a rather interesting piece of technology that had several server side checks but they wanted to add some additional security on the client side. Great!! One of these additional checks was to see if Frida was running on the device, this was proving a difficult nut to...
Breaking the NFC chips in tens of millions of smart phones, and a few PoS systems
This second post is a companion to the DEF CON 29 video. Starts at 25:43 here. About a year ago I did some research into adding new capabilities to Samsung’s NFC chips in their smartphones, by bypassing their signature protection and applying code patches. This allowed me to add custom NFC tag...
360lock Smart Lock Review
Two years ago I helped kick start a smart lock, the 360lock. It finally arrived this week. It has different modules like a keybox below and a bike chain. I originally live tweeted the hack on Tuesday Sep 8, 2020. So, how good is it? Blockchain integration! According to the website the 360lock has...
Embedded security fails in ICS
Over the last 5 years, we’ve seen an increasing use of open-source software in ICS Industrial Control Systems devices, with a move away from traditional RTOS Real Time Operating System and proprietary software. We’ve seen RTUs Remote Terminal Units, HMIs Human-Machine Interfaces and even PLCs...
A not so Clearview?
Unless you were asleep last week, you probably saw the press story about the controversial facial recognition vendor, Clearview AI, being breached. There is debate about whether Clearview should be permitted to scrape photos from social media and use them to populate its facial recognition system...
The snooping girl on a train, again. How to compromise a business
So, I’m on a train, again, sat at a four-seat table, next to two men facing each other. From their conversation and interactions I’ve concluded that they are colleagues. The chap to my left is clearly working on implementation plans for a building management system, for a company I know yeah, I g...
Real-life social engineering. Two days in tweets
This is the write-up of my live tweets while on a recent social engineering engagement. It’s all available on my feed @ghostie I did this because I wanted to share what it's like to prep for, and work through a job, warts and all. If you can take anything away, to enhance your technique, or defen...
Hacking Superyachts. Advice for integrators
I’ve written previously how superyachts are the homes, the offices, the play areas for their owners and how captains need to consider so many more risks than they used to. However, a common theme is you the integrator. Your job is to put all the owners toys and all the captains tools together in ...
KnowBe4 RCE and LPE
Introduction Our latest investigation has uncovered significant security flaws in three KnowBe4 applications- Phish Alert Button, PasswordIQ, and Second Chance. These applications, commonly used in security awareness and training, were found to have vulnerabilities allowing remote command executi...
Fastboot Fuzzing
TL;DR The Fastboot protocol can often have hidden commands Those commands can do interesting things Conventionally they’re found by reverse engineering Cant find a copy of the firmware? Guess the commands A custom implementation of the protocol enables fuzzing via dictionary or brute force A simp...
Unmasking mystery boxes on ship’s bridges
We pen test a variety of vessel and platform types across different fleets and operators. In every single test to date we have unearthed a system or device, that of the few crew that were aware, no-one could tell us what it is was for. In other scenarios an undocumented system or device would be...
BBC: MiSafes’ child-tracking smartwatches are ‘easy to hack’
Following our research on the MiSafes kids tracking watch we spoke to the BBC's Rory Cellan-Jones and Leo Kelion about the risks, and what consumers can do. We found that the devices didn't encrypt user data, and that each child's account wasn't secured. The result is that children's movements...
Vulnerabilities that aren’t. Unquoted Spaces
I’ve covered a couple of web vulnerabilities that mostly aren’t, and now it’s time for a Windows specific one. A common finding from build reviews and CIS comparisons: unquoted spaces in service or run paths. What is it? Windows has always been inconsistent in how its API handles uncommon...
Cyber Essentials and the New Normal
TL;DR Cyber Essentials has changed and aspects of the new normal are catching many by surprise. Increased levels of evidence and stricter controls determining a pass or a fail are in place. Be prepared for the increased hurdles Ask for assistance before starting the process if you are uncertain o...
Cyber Security advice for Finance staff
Working in the finance team at PTP I’m constantly reminded just how little attention is paid to hacking and cyber crime in accounting and finance training and education. When I was studying for my AAT qualification we did a whole module on finance fraud; our obligations, how to spot fraud, etc. b...
Objections to IoT regulation. A rational reply
I often hear objections to consumer IoT regulation, specifically IoT security regulation. It's typically from industry lobby groups that have a vested interest in keeping regulation very ‘light touch’. Their mantra is: It’ll stifle innovation and increase cost I strongly disagree, and here’s why...
FUD 101: How not to report healthcare cybersecurity issues
I was asked to review a report from Forescout about healthcare security by a journalist, as they were suspicious of the headlines. Here’s what got my spidey senses tingling: “The server SMB protocol is left open in 85% of connected devices in healthcare organisations, giving bad actors an easy an...
Smart Lock Security: Interview with hardware.io
In advance of the hardware.io event at The Hague next month Andrew Tierney gave them an interview about smart lock security… Technology today has transformed the traditional locks to smart locks. Thanks to the advancement in the technical frontier. The days of the mechanical lock and keys has...
Data exfiltration techniques
Data exfiltration is the last stage of the kill chain in a generally targeted attack on an organisation. Whilst many excellent papers and tools are available for various techniques this is our attempt to pull all these together. This could also be used as a crib sheet for fellow pen testers who a...
Fuzzy matching with Ghidra BSim, a guide
TL;DR BSim, Ghidra’s new built-in plugin is a game-changer for reversing firmware and other stripped binaries. Rapidly identify and annotate functions from known libraries. Fuzzy matching works with unknowns, like exact library versions and compiler options. Automatically define custom variable...
Intercepting MFA. Phishing and Adversary in The Middle attacks
3 of my last 5 business email compromise investigations have involved an Adversary in The Middle AiTM attack. Even the more security-aware people with bolstered Microsoft 365 M365 configurations are coming up blank as to how their comprehensive MFA policies have been bypassed. It’s a technique we...
Red Teaming. Practice what you preach
We carry out plenty of Red Teaming for customers. As a CBEST, STAR-FS and GBEST accredited supplier, our Red Team work with many large regulated organisations every day of the week. We frequently remind our clients how a simulated attack can be one of the best ways to assess prevention, detection...
Building a lab with Server 2019 Server Core and PowerShell …then attacking it!
A lot of people want to get into red teaming but dont know how. Our Andy Gill / @ZephrFish has written about that. One of the most important skills a red teamer needs to have is a plan to fail mentality. By planning to fail you can plan for all eventualities. This is a very common military tactic...
DCMS Practical Guidelines. Actionable information
The DCMS guidelines for IoT security are an excellent set of recommendations. They help developers secure devices by outlining the basic ways one can prevent common security weaknesses from being present in their devices and infrastructure. The recommendations are well thought out, and encourage...
Business banking fraud. Keep your eggs in TWO baskets. Here’s why…
This post has a cautionary tale all about spreading your business banking fraud risk. So, does your business have two bank accounts, with different banks? No? Then you would be well advised to do so, or risk being left unable to trade. WHY? Business banking ‘cyber’ fraud is increasingly common; I...
Copycat Kali, with mykali for Kali Linux
If you’re anything like me, you like to customise your environment quite a bit. I do most of my work from a Kali Linux VM which has had a plethora of changes made to it. I like to use i3 instead of gnome, I’ve a ton of git repositories cloned, packages installed, custom configuration files and...
Deploying EFBs securely
It may come as a surprise to some to discover that electronic flight bag security at airlines is often quite variable. Whilst some use an MDM, a lot don’t. Of those who do, PINs are often weak. Some airlines actively encourage pilots to use their devices for personal use. We’ve heard stories of a...
GDPR.EU has er… a data leakage issue
GDPR.EU is an advice site ‘operated by Proton Technologies AG, co-funded by … the EU Horizon Framework’. It’s full of useful advice for organisations that need to comply with GDPR. Whilst it isn’t an official EU Commission site, it is partly funded by the EU. You may also be familiar with Proton...
Speaking at TEDx
I was privileged enough to be invited to speak at a TEDx event in Dornbirn, Austria. I speak at 2-3 events per week, with audiences from 25-2500 people, so why did this one make me nervous? I don’t get nervous before speaking in public. Lots of practice and plenty of material to work with usually...
“Unhackable” Bitfi crypto wallet. What’s all the fuss about?
If you haven’t already seen the Bitfi cryptocurrency wallet, check it out here. With backing from John McAfee, it’s claimed that the device is unhackable. So why all the fuss in the infosec community? Here’s the claim they make: ‘Completely un-hackable’ That is a very, very brave claim to make...
OSINT in 60 seconds. Mind reading on TV
TL;DR We were asked to help with a Channel 5 consumer education series about online banking scams The presenter, Alexis Conran, was to ‘read’ the minds of members of the public walking past a coffee shop A release form was signed by the targets, with their name, email, and phone number, then pass...
n00b’s guide to DEF CON. Surviving the Matrix of the underground
Ah, DEF CON. The worlds largest hacker convention. A beacon for the diverse spectrum of cyber security enthusiasts. From code-cracking challenges to the infamous Wall of Sheep, the event is a hive of activities and opportunities. But before we dive into the world of hackerdom, lets get one thing...
What the cluck?! Cyber hygiene when eating out.
This feels like the new norm for eating out at a restaurant: Stand uncomfortably, 2 metres from the party in front/furrow your brow when the other party move within your “safe zone”. Make a huge over-theatrical show of sanitising your hands, as though you’re about to perform some major surgery...