Social Engineering dos and don’ts
Another day, another success at sneaking into a building and pretending to be staff. I do so love drinking other people's expensive office coffee. No fruit bowls though. Close, but no banana. It got me thinking, again, about what makes for good social engineering (SE), and what advice would I give m...
Moto E20 Readback Vulnerability
09/11/2022 Update: CVE ID CVE-2022-3917 has been reserved, with Lenovo to publish the Advisory Summary. TL;DR The Motorola E20 is an entry-level smartphone that uses a Unisoc system-on-chip. Motorola holds around 10% of the US smartphone market, though the sales of the E20 as a subset of that are...
MS Enterprise app management service RCE. CVE-2022-35841
TL;DR A remote command execution and local privilege escalation vulnerability has been fixed by Microsoft as part of September’s patch Tuesday. The vulnerability, filed under CVE-2022-35841, affects the Enterprise App Management Service which handles the installation of enterprise applications...
Living off the Cloud. Cloudy with a Chance of Exfiltration
Part one of a series aimed at demonstrating malicious usage of Office 365 services. TL;DR Unless default settings are changed, typical Office 365 (O365) licences come loaded with various services that are all usable by end users without special permissions. Power Automate can be used maliciously by...
Airbus AoA – Angle of Attack sensor issue
I read a lot of air incident investigation reports. The aviation industry is a shining example of sharing and learning, resulting in increased safety. I wish that the cyber industry on the ground could find a way to effectively share similar experiences and learnings. Anyway, one report caught my...
Attacking Encrypted HTTP Communications
TL;DR The Reolink RLC-520A PoE camera obfuscates its HTTP communication by encrypting the POST body data. This level of security does defend against opportunistic attackers but falls short when defending against persistent attackers. Introduction Different embedded devices have their own take on...
You can’t stop me. MS Teams session hijacking and bypass
How cleartext session tokens are stored in an unsecured directory that can be stolen and used to impersonate a Teams user. TL;DR Microsoft Teams stores unencrypted session tokens and cached conversations in users’ roaming AppData, which can be used by an attacker to gain access to the victim’s...
DEF CON 30. Hacking EFBs. Engine Performance
At DEF CON 30 this year we demonstrated some vulnerabilities in electronic flight bags and the potential impact on flight safety. There’s plenty more detail of EFB security issues here. As part of the Aerospace Village at DEF CON 30, we invited people to fly our flight sim under instruction from...
When disclosure goes wrong. People
My experience of vulnerability disclosure is that it is rarely as easy or simple as it could be. I had hoped that bug bounty programmes and vulnerability disclosure programmes (VDPs) would help matters. Broadly that doesn’t seem to be the case, often for unexpected reasons. It’s not all bad though...
Living off the land, AD CS style
Introduction Unless you have been living under a rock for the last year or so, Active Directory Certificate Services (AD CS) abuse continues to be a hot topic in offensive security, ever since the excellent research released by Will Schroeder (@harmj0y) and Lee Christensen (@tifkin). I, like many, have...
Bluetooth + Electrical switchgear
The ongoing rapid growth of Industrial IoT (IIoT) across all business sectors continues to bring to focus the discrepancies that exist between the approaches to safety and cyber-security on safety critical sites. Safety has been culturally ingrained into all aspects of industrial site operations fo...
Database Integrity Vulnerabilities in Boeing’s Onboard Performance Tool
This post is released in a co-ordinated manner with Boeing. TL;DR: Security gaps in older, unprotected Windows desktop versions of Boeing’s Onboard Performance Tool (OPT) could make certain Electronic Flight Bags (EFB) more susceptible to attack. In particular, OPT’s use of plain text configuration...
Maritime regulation. All Hands-on Deck!
TL;DR The regulation from the IMO has changed, you need to do more about cyber security. Key things to focus on: Start asking questions of your supply chain, of your own IT and OT teams Assess the security configuration per vessel – each are different Use Critical National Infrastructure controls...
Efficient Infrastructure Testing
Before we start, let's set the scene regarding vulnerability assessment. It is imperative that enterprises conduct their own continuous automated scanning, to have up-to-date assessments of threats that their networks may be susceptible to. Infrastructure penetration testing discussed in this blog...
Attacking EFB updates
Software So who actually develops the software installed on Electronic Flight Bags (EFBs)? The software can originate from a large range of sources: System software developers including the OS, drivers, firmware and utility The aircraft manufacturer for Installed & Portable EFB devices The airline...
EFB ePIL. Pinching passenger PII from pilots
TL;DR The Passenger Information List (PIL) is often now available on EFBs and crew devices. It stores information such as passenger names, seat numbers, and customer services information. Digital versions of the PIL enable crew to offer more bespoke customer service Information on a PIL is differen...
Stop using phishing as a measure of your cyber awareness culture
If I had a penny for every time someone said to me “let’s measure our security culture by phishing our staff” I’d probably be able to fill my car up. It’s a really easy thing to do, you carry out some online training and typically they come with phishing simulations as a free or low cost add on. ...
Scanning for security.txt files
Introduction RFC 9116 was written by E. Foudil and Y. Shafranovich and left draft status in April 2022. This RFC formally defines the unofficial security.txt file that has been an unofficial standard for many years, initially created back in 2017 and documented at . The security.txt file provides...
EFB Tampering. Holdover Time
TL;DR Holdover applications are a relatively new method of calculating the effectiveness of anti-icing fluid sprayed onto aircraft wings. Applications such as these have additional attack surfaces as the developer and source databases need to be considered Airlines often view limits as targets to...
Cloud OSINT. Finding Interesting Resources
Locating sensitive information, personally identifiable information (PII) and questionable assets in the cloud. TL;DR I had a curiosity driven excursion into the public clouds of AWS and Azure to find what is publicly hosted and who by. As anticipated, the results were extremely broad and...
CMC Electronics EFB breakout vulnerability
We’ve been finding vulnerabilities in electronic flight bags for a few years now. Disclosure response from the vendors involved has varied from excellent to radio silence. In every case we have tried extremely hard to engage with the vendors involved, even where we were ignored. We asked friendly...
Follina 0day exploit. Malicious code execution in Office docs
Disclaimer: I know this isn’t a unique post on the subject, and that many other outlets are covering it, but this zero-day is so serious that it needs as much coverage as possible. It simply needs shouting about. Updated 06/06/2022 following advice from Microsoft's @reybango. The vulnerability was...
Your cloud? My cloud now
A true story on taking over a client’s Azure tenant via a successful phish. TL;DR A tempting phish got lots of users to disclose their passwords, and a lack of training resulted in the victims accepting the Microsoft push-based multi-factor authentication. This resulted in gaining access to Slack...
747 Hackathon
As is probably clear from our blog and public talks aviation cyber security is an area of huge interest to us. Some of us are also light aircraft pilots, so the crossover of two of our loves makes for some fascinating research. Over the last few years we’ve managed to get access to several...
Password policy guidance
Why do we need strong passwords? Passwords are stored by using a one-way hashing algorithm to generate a representation of the original password on a securely designed system. Authentication mechanisms then compare the calculated hash of an entered password with the stored hash value to determine...
We need to talk about sex toys and cyber security
Introduction We’ve written about the appalling security of smart sex toys over the years. Finally, an invite came to give a talk on the subject to a TEDx audience. I debated whether to give the talk with colleagues, as we’ve never wanted to be pigeon-holed in this space! But we felt that public...
Galleon NTS-6002-GPS Command Injection vulnerability (CVE-2022-27224)
TL;DR Galleon Systems’ GPS NTP time server had a command injection vulnerability in the firmware of their NTS GPS device which could allow total control of the device through the web management interface. The vulnerability - CVE-2022-27224 https://vulners.com/cve/CVE-2022-27224 Device: Galleon...
Got the security controls wrong in OT and maritime? Watch as engineers work around them
Industrial control systems security is slowly improving, partly a result of attention from regulators and lawmakers. However, we often see security controls implemented that don’t take account of the unique challenges that engineers looking after OT environments face. We see controls brought in...
Constrained environment breakout. .NET Assembly exfiltration via Internet Options
It’s not uncommon for developers to find that they need to help their end users. For starters, the business requirements for software can be highly convoluted and technical. Working with banking systems, insurance firms, actuarial services etc, most developers aren’t going to understand the proces...
Reporting of cyber incidents becomes law in the USA
On March 15th 2022, President Joe Biden and the US Government passed new legislation to strengthen the Department for Justice (DOJ) Cybersecurity and Infrastructure Security Agency (CISA) position by requiring the reporting of all cyber incidents or ransomware payments. The Cyber Incident Reporting f...
The reality of OT segregation
One of the areas I find most fascinating about industrial control systems and related operational technology is the perception that OT networks are segregated and isolated from the wider IT network. We’re often told that “IT and OT are totally separated” as there’s a genuine belief that OT is...
To Pay or Not to Pay? That is the Ransomware question
During a review of a client’s incident response capabilities the discussion turned to ransomware and strategies for handling it. The client’s board-level view was that if they were unable to restore their systems they would pay up. They’d gone so far as considering setting up a cryptocurrency...
Red Team lab automation
It’s not uncommon for red teamers to regularly tear down and rebuild their test labs, I know I do on a sometimes daily basis. It keeps things fresh and manageable, and now, using Infrastructure as Code (IaC), we can create a consistent environment to test tools and techniques in. If we break...
OAuth consent phishing, in the wild
TL;DR An interesting incident response investigation showed exploitation of a recent OAuth related consent-phishing issue. We had been asked to investigate as the organisation had noticed some odd behaviours in the mailbox of one of the exec team. The mailbox was being queried using GraphAPI and...
OpSec. Hunting wireless access points
Continuing my series on OSINT techniques you can use for reviewing your own corporate OpSec, one of the most common services available in a modern corporate office is of course wireless. How do we go about finding wireless access points and what can they tell us? Finding wireless We have spoken...
Vulnerabilities that aren’t. Unquoted Spaces
I’ve covered a couple of web vulnerabilities that mostly aren’t, and now it’s time for a Windows specific one. A common finding from build reviews and CIS comparisons: unquoted spaces in service or run paths. What is it? Windows has always been inconsistent in how its API handles uncommon...
DPD package sniffing
TL;DR An unauthenticated API call was identified in DPD Group’s public API that could allow a user with a valid package ID to, with some basic OSINT, discover the package’s destination postcode and thus obtain all details about the package. DPD Group were prompt in the triage and resolution of th...
Vulnerabilities that aren’t. ETag headers
This time we're looking at the ETag (Entity Tag) header. I take some of the blame for this one as I first added a dissector of the header to Nikto’s headers plugin back in 2008, then other scanners added it. What Is It? The header is a simplistic method of helping the user-agent identify whether it...
Who has access to your leased Tesla?
One of the cool features of a Tesla is controlling it through the mobile application. This gives a whole host of options such as controlling the air conditioning, opening the “frunk”, and setting charge limits. The most useful feature however is using your mobile as a car key. Walk up to the car a...
Vulnerabilities that aren’t. Cross Site Tracing / XST
This is the first of my posts that explain why some common security vulnerabilities are most likely not real threats. They should be treated as security enhancements rather than vulnerabilities. Bearing in mind the number of scanning tools that rate such vulnerabilities as "high", it's no wonder...
Domestic CCTV and audio recording
Last week, we had BBC Morning Live in to film a piece on the legalities and challenges of domestic CCTV systems. You can watch it on iPlayer here, starting at 10:30. It was sparked by a conversation we had with Radio 4 before Xmas, where a journalist had taken an interest in CCTV systems exposed ...
Audio bugging with the Fisher Price Chatter Bluetooth Telephone
The Fisher Price Chatter Bluetooth Telephone is a reincarnation of a familiar kids toy. It acts as a Bluetooth headset, so the user can connect their smartphone to it and take calls using the kids phone handset. Cute! Unfortunately, little to no consideration has been given to privacy and securit...
Gumtree – leaking your data and not really listening
Sometimes finding vulnerabilities is as simple as… just looking. TL;DR 1. Gumtree is a UK-based site where users can advertise items for sale. 2. It leaked the PII of sellers to other users of the site within the HTML source of the adverts. Email address, postcode, GPS location, and the seller’s...
A masterclass in responding to vulnerability disclosure: The Buddi app and tracker
The Buddi tracker is used for tracking elderly and vulnerable people. It’s a GPS/GSM-based clip-on device that reports wearer position to an app via a platform. It means that the wearer can easily be found by their carer or the emergency services, should they become lost and unable to make their...
What does the Product Security and Telecommunications Infrastructure bill mean for me?
The UK’s Department for Culture, Media and Sport (DCMS) introduced a bill to Parliament yesterday. But what does that mean for IoT manufacturers and consumers? First, this bill has been a long time coming. Many people have been lobbying and working hard to create it. Industry and others with vested...
SkyFail. 6 million routers left exposed
Sky broadband had a significant security flaw in around 6 million of their customer routers that would allow remote compromise of home networks. When informed about it, they took nearly 18 months to fully fix the problem. TL;DR Around 6 million Sky routers were vulnerable to a DNS rebinding...
Hijacking smart luggage
When is a vulnerability not a vulnerability? I’m not sure this counts as a vuln per se, but some easily-fixed and simple manufacturer mistakes result in trivial hijack of…. yes… your smart luggage. The Airwheel SR5 is the first smart luggage that we’ve seen. It can automatically follow the owner...
Pun-free Cylance vulnerability, fixed
TL;DR Blackberry Cylance for Windows is affected by three vulnerabilities. CVE-2021-32021 - Denial of service in message broker. CVE-2021-32022 - Low privileged delete using CEF RPC server. CVE-2021-32023 - Elevation of privilege in message broker. A heap overflow resulting in a denial of service...
Time based username enumeration
Back in the day, it used to be easy to enumerate email addresses from forgotten password forms. Differences in the response made it easy to check if accounts existed. After that, you could brute force the password if there weren’t lockouts in place, or if there were, you could lockout a lot of us...
Limiting your exposure to location data resellers
Location data is valuable, just ask Huq Industries, who make a living out of selling your location information, then found that the apps they bought it from hadn’t asked the end users' permission to have it! Naughty! The organisations they sell it to use it for better marketing, to get a better...