Consumer Advice: Kids GPS tracker watch security
Parents are advised to rethink using GPS tracking watches for their children as a result of serious security concerns. Tracker watches can be worn by children and report their position to their parents via a mobile app. They are designed to increase child safety: you always know where your child...
Tracking and snooping on a million kids
How I found vulnerabilities that could jeopardise child safety. How it started A friend recently showed me a tracker watch that he’d purchased for his young son for less than £10. It offered useful functionality such as two-way calling using a SIM and cellular connection. The accompanying app...
Flogging a dead smart horse
Connected stuff is getting everywhere, even in to managing the health of your connected horse. Yes, really. One Friday afternoon after PTP lunchtime drinks in the pub, we bought an ‘Orscana’ horse tracking device. It sat on the shelf for 13 months until after another session in the pub over lunch...
Decapping with Dave (chip decapping)
Thought I'd share my first attempt at chip decapping using the @LargeCardinal technique. I found using a gas soldering iron more flexible than a blowtorch. This is attempt number two, this time with an Atmel 328 MCU; this is almost a work of art. Blowtorch decapping try number 3. Firstly an STC M...
No need for lock picking tools
This is something I knocked up to show how terrible some locks are. I found this one in my garage. It was from when my wife and I went to a Download festival a couple of years back and is a lock from one of those paid-for secure storage places where you can leave your car keys, phone etc. Let's...
Ghost hardware. Device No.1, the Ghost Pro
Colloquially known as a “Ghost Pro” this full spectrum camera is supposed to allow you to see beyond the visible spectrum, into the infrared and ultraviolet ranges. This one has Wi-Fi as well, for ease of remote control. There are a few questions we wanted to answer with this one. Who’s the camera...
Ghost hardware. Device No.3, the Ghost Rover
The Ghost Rover is a ghost hunting tank. You control it with a mobile app. We’ve looked at a toy spy tank before, and it wasn’t great from a security point of view. Let’s hope our ghost-hunting tank – which, at $200, cost almost 4 times as much as the spy tank – has considerable security improvements ...
Ghost hardware. Device No.2, the Boo Buddy
The “Boo Buddy” is sold as a “trigger object” with a wide range of internal functionality such as EMF, motion and temperature detection. It’s a “trigger object”, in the sense that it is designed to evoke the spirits of children, who might be drawn in by the presence of a toy. Many people have...
Hacking ghost hunters
We’ve been looking at the security of smart ghost hunting tech. The results were a bit… spooky. TL;DR We bought three devices online. One was a camera for taking photos of ghosts, another was a smart teddy bear for helping ghosts of children apparate, the last a ghost hunting tank camera: In some...
Cisco device config dumping
Quick guide to recovering configs from Cisco switches and routers We have recently done work in situations where recovering the Cisco config from one device e.g. an edge switch can give us useful information. This includes: VLANs even for VLANs that are not used on that piece of equipment Which...
Time Travel Debugging: finding Windows GDI flaws
Introduction Microsoft Patches for October 2018 included a total of 49 security patches. There were many interesting ones including kernel privilege escalation as well as critical ones which could lead to remote code execution such as the MSXML one. In this post we will be analysing a case of a W...
It’s Not Daddy Calling
How I found vulnerabilities that could put the safety of children in jeopardy How it started A friend recently showed me a tracker watch that he’d purchased for his son. It offered useful functionality such as two-way calling, and the accompanying app allowed him to track the location of his son...
‘Secure by Design’ & SB-327. Standards for a secure IoT?
The ‘Secure by Design’ guidance for consumer IoT security from the UK's Department for Digital, Culture, Media and Sport DCMS is coming shortly. In the meantime we’ve seen SB-327 from California legislators, mandating some basic security standards for consumer smart tech. Both are big steps...
Which? Magazine recommends vulnerable smart home camera
You’ll already know that we have a keen interest in smart home camera security. Our recent work on Swann and FLIR cameras showed how it could be trivially easy to spy on people through their security cameras. Which? Magazine has a well-earned reputation for providing product reviews for consumers...
Running a security awareness program
So, you've finally convinced management of the need for security awareness training. What next? I’ve been performing security awareness training for around 10 years, and doing it full time here at PTP for the last 3 and a half years. From the thousands of sessions I have run I’ve found the most...
Speaking at TEDx
I was privileged enough to be invited to speak at a TEDx event in Dornbirn, Austria. I speak at 2-3 events per week, with audiences from 25-2500 people, so why did this one make me nervous? I don’t get nervous before speaking in public. Lots of practice and plenty of material to work with usually...
Container theft, the legal system and poor maritime security
One of the most interesting legal cases I’ve read recently involves a theft of two containers of cobalt metal briquettes from a terminal at the port of Antwerp. Original judgment: Appeal: What drew me to this case was the amount of useful data that had entered the public domain concerning a crime...
Hacking AIS
Maritime AIS, or ‘Automatic Identification System’ is used for broadcast and reception of vessel position and information alerts. It has proved invaluable since its introduction in the 1990s and has undoubtedly helped prevent many marine accidents, collisions and related incidents. Previous...
Hacking an assault tank… A Nerf one
TL;DR A complex, challenging reverse and hijack of a toy tank Nerf gun camera, but the result was we got to shoot the 44Con conference organiser with it! Why A remote-controlled Nerf gun with video feed and aiming crosshairs. Who wouldn’t want to reverse the RF and firmware, with a view to...
Automotive theft affects shipping security
Cars and ships – two areas we carry out a lot of research into, yet with not that much in common. One uses CAN for safety critical controls, the other uses serial and +/- 10V. Yet, security of the two sectors is linked through vehicle theft and fraud: Most modern vehicles have telematic...
Smart Locks: Dumb Security
Dave Lodge and I presented at the BSides Manchester pre-party, aka ‘beersides’ on the subject of not very smart locks. Doubtless you’ve already seen our work on the Tapplock over BLE and the API, our hardware work on the Fipilock, and maybe even our smart lock security interview with hardware.io...
Smart Lock Security: Interview with hardware.io
In advance of the hardware.io event at The Hague next month Andrew Tierney gave them an interview about smart lock security… Technology today has transformed the traditional locks to smart locks. Thanks to the advancement in the technical frontier. The days of the mechanical lock and keys has...
PTP, IoT & the Norwegian Government
We were privileged to be invited to speak at an event in Arendal, Norway yesterday to make the case for IoT regulation. 'Arendalsuka' is the largest political gathering in Norway, an open forum event where the public can interact directly with political leaders, business leaders, entrepreneurs,...
Hacking the Bitfi Part 5: MITM transactions
So what’s the latest with the Bitfi unhackable/hackable cryptocurrency wallet? Bitfi released software version 89 over the weekend. Devices updated, so we had a look to see what had changed. First, they’ve tried to stop the passphrase and seed from being cached in memory and therefore trivially...
Bitfi research receives Pwnie Award for ‘lamest vendor response’
The Pwnie Awards is an annual celebration of the achievements of security researchers and the security community. It's also an opportunity to roast vendors for lame responses to security concerns. The ceremony took place last night, August 8th, 2018 in Las Vegas at the BlackHat USA security...
Tamper proofing review: the iZettle card payment terminal
Tamper resistance is an increasingly important factor in smart devices. Together with secure hardware design and defensive coding, it can deliver a very secure device. One of the most common areas the average consumer will encounter tamper resistant devices is in payment terminals, or Pin Entry...
Copycat Kali, with mykali for Kali Linux
If you’re anything like me, you like to customise your environment quite a bit. I do most of my work from a Kali Linux VM which has had a plethora of changes made to it. I like to use i3 instead of gnome, I’ve a ton of git repositories cloned, packages installed, custom configuration files and...
Hacking the Bitfi Part 3: The device with no storage
TL;DR? Here’s proof that the Bitfi has storage and that it’s been rooted. The Bitfi boots at 20 seconds. We’re not disclosing the method yet, as there is plenty more work to be done here. If you’ve been keeping an eye on Twitter, no doubt you’ve seen the unravelling mess that is the security of...
COSCO incident. Phishing frenzy and exploding goods?
If you haven’t seen the coverage, COSCO the world’s 4th largest shipping line has had a ransomware outbreak. Sounds terribly familiar, doesn’t it. One wonders why on earth they didn’t carry out a thorough review after the Maersk incident, so as to be rather better prepared. Phishing time Breaches...
Hacking the Bitfi. Part 2: John McAfee’s video
The unhackable Bitfi story isn't going away any time soon. Following John McAfee's tweet yesterday that he would put out a "definitive video countering all of the nonsense claims instigated and co-coordinated by BirFi's [sic] established, monolithic competitors in the hardware wallet space" here's ...
Hacking the Bitfi. Part 1
A large number of security researchers have taken exception to the ‘unhackable’ claims made by Bitfi and John McAfee about the security of their hardware cryptocurrency wallet. The $100K bounty offered appears to be something of a sham, given it covers a very, very specific scenario. Bitfi states...
“Unhackable” Bitfi crypto wallet. What’s all the fuss about?
If you haven’t already seen the Bitfi cryptocurrency wallet, check it out here. With backing from John McAfee, it’s claimed that the device is unhackable. So why all the fuss in the infosec community? Here’s the claim they make: ‘Completely un-hackable’ That is a very, very brave claim to make...
Security Alarm Round-up
On the last day of IFSEC 2018 I was considering just how bad the security of some alarm products is. So, two years on from this post, has this sector's security improved?… PIR jamming First up is Yale Security with their trivially jammable wireless alarm system. You can replay disarm codes, and t...
FLIR FX / Lorex video stream hijack: Disclosure train wreck
We found that anyone could access any video stream for certain Swann wireless home security cameras. The technical detail is here. It was a consequence of weak authorisation by the cloud service provider, Ozvision. They claim to provide the back end to 3 million cameras, so we started looking at...
Hacking Swann & FLIR/Lorex home security camera video
A few weeks back we read a story on the BBC web site about a BBC employee seeing someone else’s video footage on the mobile app for their home security camera. It wasn’t clear how this happened, but we were intrigued, so we bought several of the cameras in question to see for ourselves. We put a...
Bluetooth vuln CVE-2018-5383 explained
Yesterday a vulnerability, CVE-2018-5383 was released in the security specification for Bluetooth, with the title "Bluetooth implementations may not sufficiently validate elliptic curve parameters during Diffie-Hellman key exchange". It was given an adjusted CVSSv2 score of 5.7 - so roughly a...
EU Cybersecurity Act IoT FAIL
The EU recently announced that its plans for a Cybersecurity Act had been backed by industry committee MEPs. This was a significant opportunity for consumer IoT security to be regulated and resolve the current mess. Sadly, they’ve stopped short and made the code voluntary for all but certain...
Data exfiltration techniques
Data exfiltration is generally the last stage of the kill chain in a targeted attack on an organisation. Whilst many excellent papers and tools are available for various techniques, this is our attempt to pull all these together. This could also be used as a crib sheet for fellow pen testers who a...
Breaking up is hard to do… with IoT
Evidence is starting to emerge of former partners stalking their ex through the smart tech in their home. If you have a break up, what steps should you take to protect yourself? Is the very tech that is supposed to protect you actually exposing you to your ex? Smart doorbells I was contacted by a...
Hacking Navtex maritime warning messages
When data roaming was still expensive across Europe and cellular data service was patchy, I used Navtex extensively whilst sailing in the Mediterranean. Every four hours, one could get a useful marine weather forecast. Was there a fun day’s sailing ahead, or was a dash for port and gin & tonic in ...
Hacking Serial Networks on Ships
Three different ways to intercept and modify serial data on ship networks. The serial data that controls steering, engine control and so much more on board ship… How-to Vessels typically have two distinct networks on board; one IP/ethernet network for business systems, crew mail & web browsing an...
Hardware reverse engineering. A tale from the workbench
In line with our previous work on the Tapplock, I decided to have some fun with some electronic locks and ordered a few from a large retail company. Half of these are currently en route to me, on the slowboat from China, but one arrived early. Before I start, let me just say here that I’m not...
Windows Server settings. Administrative Templates – Network Items. A security how-to
This is the first part of a multi part series looking at the settings within Windows Server that are looked at as part of a standard build review. Sometimes a red team exercise, where the consultant turns up with ninja gear, lock picks and grappling hooks isn’t what you need in a security...
Totally Pwning the Tapplock (the API way)
An awesome researcher contacted us on the back of our recent Tapplock pwnage. We had been looking at the local BLE unlock mechanism, however he focussed instead on the mobile app API. Vangelis Stykas @evstykas has found a way to unlock any lock, plus scrape users’ PII and home addresses. Read his...
Totally Pwning the Tapplock Smart Lock
TL;DR – How to open a Tapplock over BLE in under two seconds: Totally Pwning the Tapplock Smart Lock A couple of weekends ago, a YouTuber called JerryRigEverything posted a teardown of a “smart” padlock, called the Tapplock. He discovered that, using a sticky GoPro mount, he could remove the back...
Hacking, tracking, stealing and sinking ships
At Infosecurity Europe this year, we demonstrated multiple methods to interrupt the shipping industry, several of which haven’t been demonstrated in public before, to our knowledge. Some of these issues were simply through poor security hygiene on board, but others were linked to the protocols us...
So, you just caused a data breach, by CCing the wrong person in an email…
I had two encounters today, both of which I thought I’d share. The first thing that happened: I received a call from a friend who had made a mistake at work; due to the area I work within, they decided I could save them. Yes, it happened. THEY COPIED THE WRONG PERSON IN AN EMAIL. Happily working away...
Z-Shave. Exploiting Z-Wave downgrade attacks
TL;DR: Stronger S2 Z-Wave pairing security process can be downgraded to weak S0, exposing smart devices to compromise. Z-Wave uses a shared network key to secure traffic. This key is exchanged between the controller and the client devices ‘nodes’ when the devices are paired. The keys are used to...
Penetration Testing Requirements for GDPR
We get lots of people asking us what it is they need to have tested as a requirement for GDPR Compliance, so I've put this together to provide some clarity. This post is NOT a definitive guide to the General Data Protection Regulations. It is however, helpful, real world advice about what you...
Hijacking Philips Hue
We were filming a smart home hacking piece on the 5th May this year. Like most home users, the Wi-Fi PSK wasn’t strong enough, so we cracked it and joined the network. The user had a Philips Hue lighting system. None of us here had looked at Hue before - we made an assumption after the previous...