506 matches found
Quick Wins to Combat Data Leaks
Data leakage is a worry. Holding lots of sensitive information about your employees and your customers means that if data is exposed it would be a catastrophe. No one wants to be the next Mossack Fonseca, or Equifax, or Marriott Hotel, or Facebook, or… The majority of clients I speak to tell me...
Bitfi research receives Pwnie Award for ‘lamest vendor response’
The Pwnie Awards is an annual celebration of the achievements of security researchers and the security community. It's also an opportunity to roast vendors for lame responses to security concerns. The ceremony took place last night, August 8th, 2018 in Las Vegas at the BlackHat USA security...
Consumer advice: Giggle vulnerability
Another week passes and another organisation chooses to deny a critical vulnerability in their site rather than fix it. I’m talking of course about Giggle, the social network site designed as a safe space for women to, “give girls choice, control, consent and connection”. If you are not aware, ov...
Identity in IoT
NOTE: This was originally posted on 19 Jun 2020 but I decided that a rewrite was in order, for clarity and better flow. Identity is important in the Internet of Things Device identity is one of the most important security challenges in IoT. If you get identity management wrong, you run a...
Unclamping the Barnacle
You may have seen the furore around the Barnacle windscreen-based parking clamp back in January this year. It’s a different approach that allows the clamp to be unlocked remotely, so you don’t need the clamp company to come remove it for you. If you’re not familiar with the device here’s a video...
Reverse Engineering a 5g ‘Bioshield’
Six months ago the UK's Glastonbury Town Council set up a 5g Advisory Committee to explore the safety of the technology, and last month the local paper reported their findings. This statement is in their recommended measures report page 31 of this PDF: 5G Bioshield https://5gbioshield.com/ We use...
format test
TL;DR How does the Tesla update its firmware? What did we find when reverse engineering the display and instrument cluster? Here’s the result of a couple of weeks work, working on a real vehicle that mostly worked after we had finished. Part 1: analysing the hardware, complete with a 14 layer PCB...
Hacking the Bitfi. Part 1
A large number of security researchers have taken exception to the ‘unhackable’ claims made by Bitfi and John McAfee about the security of their hardware cryptocurrency wallet. The $100K bounty offered appears to be something of sham, given it covers a very, very specific scenario. Bitfi states...
Security Alarm Round-up
On the last day of IFSEC 2018 I was considering just how bad the security of some alarm products is. So, two years on from this post, has this sector's security improved?… PIR jamming First up is Yale Security with their trivially jammable wireless alarm system. You can replay disarm codes, and t...
No fix KrbRelay VMware style
TL;DR The VMware Enhanced Authentication plugin that is offered as part of VMware vSphere’s seamless login experience for the web console contains multiple vulnerabilities relating to Kerberos authentication relay. The first vulnerability, CVE-2024-22245, is a Kerberos relay vulnerability where a...
Airbus AoA – Angle of Attack sensor issue
I read a lot of air incident investigation reports. The aviation industry is a shining example of sharing and learning, resulting in increased safety. I wish that the cyber industry on the ground could find a way to effectively share similar experiences and learnings. Anyway, one report caught my...
Germ-term, but all year. How criminals are hacking schools
In some schools, the autumn term is often called “germ-term” due to the number of bugs the children bring back after the summer holidays. It usually calms down after a few weeks, however, with hacking there is no slow down. Its all year, its relentless. In the last 10 months of this year schools...
A cyber warning light. The canary in the mine
One of the most difficult challenges for any sector is trying to alert an audience without skills in ‘cyber’ to the presence of unusual activity that might suggest a hack or other security tampering. What if we could alert a ship’s captain, an airplane pilot, car driver or machine operator that...
Ships can’t be hacked. Wrong
I get a lot of objections from ships captains when discussing security flaws in ships, so I felt it worthwhile looking at these in some detail. The usual response is ‘ships can’t be hacked.’ When I dig further, what they usually seem to mean is that ‘processes aboard the bridge mean that the...
PrivEsc in Lenovo Solution Centre, 10 minutes later
CVE-2019-6177 - Lenovo Solution Centre Privilege Escalation. Slow, but sure. TL;DR We found a privilege escalation vulnerability in the Lenovo Solution Centre LSC software, which came pre-installed on many Windows-based Lenovo devices. Lenovo say LSC has been shipped since 2011, but haven’t been...
What’s My Name Again? Reolink camera command injection
TL;DR Research on Reolink’s RLC-520A smart motion detection camera has turned up an authenticated command injection vulnerability. Exploiting this vulnerability with an injected system command can render the device useless. Introduction The camera is vulnerable to an authenticated command injecti...
Moto E20 Readback Vulnerability
09/11/2022 Update: CVE ID CVE-2022-3917 has been reserved, with Lenovo to publish the Advisory Summary. TL;DR The Motorola E20 is an entry-level smartphone that uses a Unisoc system-on-chip. Motorola holds around 10% of the US smartphone market, though the sales of the E20 as a subset of that are...
You can’t stop me. MS Teams session hijacking and bypass
How cleartext session tokens are stored in an unsecured directory that can be stolen and used to impersonate a Teams user. TL;DR Microsoft Teams stores unencrypted session tokens and cached conversations in users’ roaming AppData, which can be used by an attacker to gain access to the victim’s...
Cyber Security Month. What can you do?
October is Cyber Security Month, when organisations like the CISA, the ECSM, and many more promote initiatives to help raise security awareness. Around the world companies are dedicating time to improve staff security awareness, and its a really busy time for us. You may be thinking you’d like to...
Free BrewDog beer, with a side order of shareholder PII?
TL;DR BrewDog exposed the details of over 200,000 ‘Equity for Punks’ shareholders for over 18 months plus many more customers Every mobile app user was given the same hard coded API Bearer Token, rendering request authorisation useless It was therefore trivial for any user to access any other...
A Vulnerability Disclosure Program is not just a page on a web site
It’s great to see an increasing number of organisations starting down the path of a Vulnerability Disclosure Program or ‘VDP,’ but it increasingly strikes me that these are ‘check box’ exercises rather than a genuine desire to interact positively with researchers and improve security. A VDP is a...
Hacking ghost hunters
We’ve been looking at the security of smart ghost hunting tech. The results were a bit… spooky. TL;DR We bought three devices online. One was a camera for taking photos of ghosts, another was a smart teddy bear for helping ghosts of children apparate, the last a ghost hunting tank camera: In some...
Bypassing MFA on Microsoft Azure Entra ID
TL;DR Even though MFA is effective it is one security control amongst many Even if MFA is in use, check its configuration Consider unexpected patterns of use, such as people logging in from Linux or macOS Make sure you log and can react to out-of-band behaviour Introduction On a recent Red Team...
Bullied by Bugcrowd over Kape CyberGhost disclosure
TL;DR The CyberGhost VPN client suffers from an elevation of privilege vulnerability and is filed under CVE-2023-30237. A specially crafted JSON payload sent to the CyberGhost RPC service can lead to command line injection when the OpenVPN process is launched, leading to full system compromise. T...
Security Awareness is as valuable today as ever
A while ago I saw a tweet that initially angered me for many reasons, but then I thought about it and wondered how much effort do companies put in to awareness and training. The tweet was: Security awareness is overrated. You got to do it, but dont expect users not clicking on phishing mails agai...
Short beacon analysis on the NHS iOS Tracking application
We recently helped the BBC with a piece on the new NHS COVID-19 tracking application. Concerns were raised by some about the ability for the app to track interactions while it was running in the background. There had been some discussion that suggested two iOS devices running the app whilst...
Housemates. The new Red Team?
You have the VPN set up, you have 2FA, you have a good enforced password policy, firewalls are in place, you even managed to squeeze in some remote training to make employees more aware of potential phishing. You stop, breathe a sigh of relief, and then think… I've no idea who my employees live...
Authenticating your call centre when everyone is remote
Some unique challenges present themselves as workforce's shift to remote working. One that is not likely top of the pile, but is an easy avenue for abuse is authentication. When I talk about authentication, I don’t mean how users logon or access their emails for example. What I mean is how you...
ITV: New rules to prevent children’s ‘smart’ toys from being hacked
In the run up to Christmas we were asked by ITV's Chris Choi to demonstrate some of the security fails we see in kids toys all the time. We showed him our research on My Friend Cayla, and Tekstra Toucan amongst others, and made the point that while manufacturers need standards and codes of practi...
Running a security awareness program
So, you've finally convinced management of the need for security awareness training. What next? I’ve been performing security awareness training for around 10 years, and doing it full time here at PTP for the last 3 and a half years. From the thousands of sessions I have run I’ve found the most...
How to root an Android device for analysis and vulnerability assessment
TL;DR Rooting is useful for Android assessments The process is relatively simple It will wipe all user data from the device and void any warranty Introduction For mobile testing, be it for apps or hardware, having complete control over the device is essential for analysis and vulnerability...
Hacking Electronic Flight Bags. Airbus NAVBLUE Flysmart+ Manager
We’ve been testing the security of a number of different electronic flight bag, or EFB, applications for a few years now. Here’s the latest on that now it has been remediated, 19 months after our initial disclosure to Airbus. TL;DR Flysmart+ is a suite of apps for pilot EFBs, helping deliver...
The reality of Apple watch pen testing
Introduction We were approached to do an Apple Watch application test. It seems this isnt a service offered by many companies including us, although we’ve done plenty of work on Android Wear before but also, little information exists online about attempts, experiences or if it’s even possible. So...
Efficient Infrastructure Testing
Before we start lets set the scene regarding vulnerability assessment. It is imperative that enterprises conduct their own continuous automated scanning, to have up-to-date assessments of threats that their networks may be susceptible to. Infrastructure penetration testing discussed in this blog...
From open Guest Wi-Fi to pwning a lift
…or why validating network segregation is critical TL;DR A recent engagement took quite an unexpected turn and led to me having remote control of a bunch of building services including a lift from the street outside, unauthenticated. A single firewall rule bypassed some well configured VLANs and...
Password managers for all staff. Why the resistance?!
I’ve lost count of the number of times I’ve talked about passwords. I mention them in every talk I do. They are used in pretty much every service we test, they are the gatekeepers to our data, they are the protectors of our money and yet we still have not fixed them. As security professionals we...
Consumer Advice: Kids GPS tracker watch security
Parents are advised to rethink using GPS tracking watches for their children as a result of serious security concerns. Tracker watches can be worn by children and report their position to their parents via a mobile app. They are designed to increase child safety: you always know where your child...
It’s Not Daddy Calling
How I found vulnerabilities that could put the safety of children in jeopardy How it started A friend recently showed me a tracker watch that he’d purchased for his son. It offered useful functionality such as two-way calling, and the accompanying app allowed him to track the location of his son...
Hijacking Philips Hue
We were filming a smart home hacking piece on the 5th May this year. Like most home users, the Wi-Fi PSK wasn’t strong enough, so we cracked it and joined the network. The user had a Philips Hue lighting system. None of us here had looked at Hue before - we made an assumption after the previous...
Netflix MH370: The plane that wasn’t hacked
I’m a sucker for a good documentary, but the recent Netflix MH370: The Plane That Disappeared had me shouting at the screen. The first episode talks about the most widely accepted theory; a tragic pilot-created murder-suicide. However, the second episode goes completely off the rails, discussing ...
Netflix MH370: The plane that wasn’t hacked
I’m a sucker for a good documentary, but the recent Netflix MH370 piece had me shouting at the screen. The first episode talks about the most widely accepted theory; a pilot-created murder-suicide. However, the second episode goes off the rails, discussing Russian special operations hacking the...
Database Integrity Vulnerabilities in Boeing’s Onboard Performance Tool
This post is released in a co-ordinated manner with Boeing. TL;DR: Security gaps in older, unprotected Windows desktop versions of Boeing’s Onboard Performance Tool OPT could make certain Electronic Flight Bags EFB more susceptible to attack. In particular, OPT’s use of plain text configuration...
Pwning smart garage door openers
TL;DR We reversed a smart garage door opener, which appeared pretty secure at first: The firmware was encrypted, debug access was restricted, the web server wasn’t running as root, it had unique passwords per device But we found a way in, allowing us to open all the garage doors …And made it play...
Scams and how to spot them
We’re in strange times at the moment. Some things dont change though e.g. the scams and fraudulent activity designed to separate people from their money or identity. When dealing with these scams the main thing to remember is: If it seems too good to be true, it probably is. While that statement ...
Speaking at security events
I don't claim to be an amazing speaker; I'm still in awe of great infosec speakers such as Mikko Hypponen, Charlie Miller, Mudge and many others. However, I do keep being invited back to speak at events, so I guess I'm doing something right. Sometimes it's a minor slot at a big event, but the...
Satellite communications equipment security
Introduction Satcoms are the game changer in maritime cyber security. In the past, satellite connectivity was so expensive as to be prohibitive for all but the most essential communication. Crew personal email and social media access was a pipe dream. However, now that ship operators have access ...
Hacking the Bitfi Part 5: MITM transactions
So what’s latest with the Bitfi unhackable/hackable crpto currency wallet? Bitfi release software version 89 over the weekend. Devices updated, so we had a look to see what had changed. First, they’ve tried to stop the passphrase and seed from being cached in memory and therefore trivially...
Advice for manufacturers on the coming PSTI regulation
TL;DR PSTI: The UK Product Security and Telecommunications Infrastructure Product Security Act Regulations effective from 29 April 2024 Assess how, where, why, and when you may be affected Review supply chain and in-house teams for compliance readiness Specific obligations for manufacturers,...
Cyber security for Credit Unions 101
American consumers have two clear yet vastly differing choices when it comes to banking. Many opt for a large-sized national or regional bank. Folks select this option for a variety of reasons, typically due to the vast services and ease of use these powerhouses provide. Roughly 60% of Americans...
Bluetooth + Electrical switchgear
The ongoing rapid growth of Industrial IoT IIoT across all business sectors continues to bring to focus the discrepancies that exist between the approaches to safety and cyber-security on safety critical sites. Safety has been culturally ingrained into all aspects of industrial site operations fo...