Is IoT ever really yours?
When we buy a product, we generally assume that it’s ours and that we own it, right? The question of ownership gets quite interesting when we look at music – you might remember the alleged 2012 spat between Bruce Willis and Apple over ownership of iTunes purchases. It gets even more interesting...
EFB Tampering 1. Introduction and Class Differences
TL;DR Electronic flight bags (EFBs) are devices that flight crews use to help with flight management tasks. Different airlines use different devices (e.g. iPads, netbooks, custom devices). Some are carried on by flight crew, others are built-in to the cockpit. Some important functions are carried out by...
Grid. Locked.
In the UK we are used to having a reliable and stable electricity grid. So stable that you can keep time with it. Before quartz clocks became common, mains powered clocks used the electricity grid frequency of 50Hz as their time reference; you can still find the odd central heating timer or old...
Feature and Permission Policies. Security issues
Introduction In order to help enhance the user experience of their site, companies may ask to use features of your browser, such as geolocation or notifications, to produce a more tailored experience. Web site developers may configure the site or allow third-party content, loaded in frames, to use...
K&R insurance. Kidnap and Ransom(ware)
Businesses are increasingly getting insurance cover for cyber liability incidents. Whilst cover was traditionally focussed on US-style 3rd party losses relating to data breaches, claims are accelerating in the 1st party / ransomware and business interruption arena. Ransomware claims are growing s...
Reverse Engineering Keys from Firmware. A how-to
TL;DR It is possible to reverse engineer keys from firmware with some tips: 1. Always look for strings/constants. 2. Make guesses about the original source. 3. Find a function you can recognise and work backwards to identify other functions. 4. It helps if they use open-source code so you can cr...
Email Relaying. A how-to and a reminder
On a recent internal infrastructure test I came across a server that had port 25/TCP open. This is normally the Simple Mail Transfer Protocol (SMTP) service, and sure enough a quick look confirmed it. Now, such services on an internal network are not unusual. System and network administrators...
Cyber Essentials and the New Normal
TL;DR Cyber Essentials has changed and aspects of the new normal are catching many by surprise. Increased levels of evidence and stricter controls determining a pass or a fail are in place. Be prepared for the increased hurdles. Ask for assistance before starting the process if you are uncertain o...
Three Word Passwords
Introduction The National Cyber Security Centre (NCSC) have advocated the use of three random words for several years to create strong passwords, and that advice has been repeated recently by the National Crime Agency, and multiple police forces in the UK… but just how strong are these passwords?...
Cyber Security advice for Finance staff
Working in the finance team at PTP I’m constantly reminded just how little attention is paid to hacking and cyber crime in accounting and finance training and education. When I was studying for my AAT qualification we did a whole module on finance fraud; our obligations, how to spot fraud, etc. b...
Azure AD. Attack of the Default Config
Uncloaking dangerous and default configurations within Azure. TL;DR There are several default configurations within the admin portal of Azure. The main affected area is Azure Active Directory (Azure AD), which is the primary area that controls user authentication, group memberships and privileges...
Where maritime cyber checklists fail
The coming IMO cyber security regulations are a step in the right direction towards vessel security, but the impracticality of assessing the cyber security of a ship, together with a huge skills shortage, leads classification societies towards checklist based assessments. Having seen some of thes...
Schneider T200 RTU vulnerabilities
A few CVEs published in a Schneider T300 RTU recently jogged my memory. I went back 8 years to 2012 to dig out a disclosure we made to Schneider via an operator. And there it was, similar (probably identical) vulnerabilities in its predecessor, the Easergy T200. As we were working via the operator,...
How to make a software BTRFS RAID1 with LUKS2 FDE
The guide below is simplified in that preparing the boot partition is not covered. Software based btrfs RAID1 requires two devices, which conceptually don't even need to be on different disks. But for obvious reasons, it's a good idea if they are… Having mirroring against encrypted storage...
How to use Keepalived for high availability and load balancing
In a nutshell Keepalived implements VRRP (Virtual Router Redundancy Protocol) on a Linux system as well as managing Linux Virtual Server configuration. Keepalived can implement High Availability (active/passive) and load balancing (active/active) setups that can be made responsive to several customisab...
A Logical Volume Manager / LVM primer for Linux
About LVM LVM is an abstraction layer that provides block devices (the same kind as disk partitions). This is done by using 3 layers: physical volumes (PV) - disk partitions; volume groups (VG) - aggregates of physical volumes, could be across multiple disks or multiple partitions, whatever; logical volume...
Mimosa Cloud. Invite friends, not hackers
TL;DR Global wireless network provider had an IDOR in their cloud management platform. Anyone can create an account, and anyone can upgrade that account to take control of anyone else’s devices. Excellent VDP, responded to promptly. Fixed in ONE WORKING DAY! Other vendors can learn from Mimosa. Who? Mimo...
Serious Vulnerabilities in Dualog Connection Suite
TL;DR The flaws found in this maritime comms and connection suite were many, and not insignificant: directory traversal; 2FA challenge/response is performed in a client-side application; default install password; SQL injection; user data leakage; easily brute forcible password hashes. Introduction Duri...
Locking down your cyber life in lockdown
Today the NCSC refreshed their advice for online shoppers, so I thought it’d be handy to review and advise on other aspects of consumer security hygiene. More than ever, we’re reliant on technology, so now that we’re in various stages of lockdown it’s a great time to have a look at your home and...
What the cluck?! Cyber hygiene when eating out.
This feels like the new norm for eating out at a restaurant: Stand uncomfortably, 2 metres from the party in front/furrow your brow when the other party move within your “safe zone”. Make a huge over-theatrical show of sanitising your hands, as though you’re about to perform some major surgery...
Understanding Binary and Data Representation with CyberChef
A significant part of reverse engineering and attacking devices relies on viewing and recognising data in various forms and working out how to decode it. We typically use Linux tools and scripts to do this, but you can make the first few steps using a really neat online tool called CyberChef. Wha...
OBDeleven vulnerability
OBDeleven’s OBD-II dongle is an onboard diagnostics port module that connects to a mobile app over Bluetooth. It takes advantage of weaknesses in UDS secure access to unlock the vehicle ECU and enable enhanced diagnostics and some additional functionality. Some of these functions are only availabl...
Brute forcing device passwords
When working with IoT and embedded systems, brute-force password guessing attacks are an effective tool to gain access. Over the years, I’ve learned some tips and tricks to make these attacks more effective. What is brute forcing? Very simply, it’s guessing passwords so that you can find a valid...
Snakes and Ladder Logic
A click to a reverse shell in OpenPLC and ladder logic, OR why you shouldn’t run everything as root in PLCs and RTUs. TL;DR Most of the RTUs and PLCs that run a Unix-based OS that we test, and some devices on Windows that we’ve tested on maritime engagements, run as root and/or admin. They al...
Password choice
Introduction We’ve been advocates of regular password auditing for years. Over that time, we’ve noticed that password choice is not only very personal, but hugely influenced by current events, trends, and even what’s sat on your desk. It’s given us a unique opportunity to see these common influenc...
Abusing RDP’s Remote Credential Guard with Rubeus PTT
TL;DR Microsoft’s Remote Credential Guard (RCG) for RDP protects creds if an RDP server is compromised. It leaves little scope for password or NTLM credential dumping when a user connects to the server. It does however introduce workstation attack vectors. Abusing a user’s Kerberos token allows...
Cyber Security Month. What can you do?
October is Cyber Security Month, when organisations like the CISA, the ECSM, and many more promote initiatives to help raise security awareness. Around the world companies are dedicating time to improve staff security awareness, and it’s a really busy time for us. You may be thinking you’d like to...
Smart male chastity lock cock-up
TL;DR Smart Bluetooth male chastity lock, designed for the user to give remote control to a trusted 3rd party using a mobile app/API. Multiple API flaws meant anyone could remotely lock all devices and prevent users from releasing themselves. Removal then requires an angle grinder or similar, used in clo...
DLL Hijacking in NVIDIA SMI
What is NVIDIA SMI? The NVIDIA System Management Interface (nvidia-smi) is a command line utility, based on top of the NVIDIA Management Library (NVML), intended to aid in the management and monitoring of NVIDIA GPU devices. This utility allows administrators to query GPU device state and with the...
Cloud-y, with a chance of hacking all the wireless things
Grandstream are a provider of IP video and voice services, as well as Wi-Fi and other related services and equipment. Their products are sold in over 150 countries and they have offices around the globe. We were having a look at their GWN.Cloud management platform, used for remote device and...
CVE-2020-1472/Zerologon. As an IT manager should I worry?
TL;DR Yes, apply the update from Microsoft. The new MS08-067? CVE-2020-1472 is an elevation of privilege vulnerability in a cryptographic authentication scheme used by the Netlogon service and was discovered and named Zerologon by Tom Tervoort at Secura. It does not require authentication. It can...
The Return of Raining SYSTEM Shells with Citrix Workspace app
TL;DR Back in July I documented a new Citrix Workspace vulnerability that allowed attackers to remotely execute arbitrary commands under the SYSTEM account. Well, after some further investigation on the initial fix I discovered a new vector that quite frankly should not exist at all, since the...
Speed 2 – The Poseidon Adventure – Part Two
This post is a companion to the DEF CON 28 video available here. Part One is available here. Issue 3: Time and Tide Wait for No VLAN As mentioned, the cabin switch appeared to be the key to all our access requirements. From that we could get to the trunk network, and all those TV, VOIP, and Wi-Fi...
Consumer advice: Giggle vulnerability
Another week passes and another organisation chooses to deny a critical vulnerability in their site rather than fix it. I’m talking of course about Giggle, the social network site designed as a safe space for women to “give girls choice, control, consent and connection”. If you are not aware, ov...
360lock Smart Lock Review
Two years ago I helped kick start a smart lock, the 360lock. It finally arrived this week. It has different modules like a keybox below and a bike chain. I originally live tweeted the hack on Tuesday Sep 8, 2020. So, how good is it? Blockchain integration! According to the website the 360lock has...
Speed 2 – The Poseidon Adventure – Part One
This post is a companion to the DEF CON 28 video available here. This is a tale of how we tested a brand new cruise ship over the course of a week. TL;DR How fire zone safety design affects security. When ballasting control goes wrong. Where maritime tech providers let security down, badly. Are IMO &...
Cloud firewall management API SNAFU put 500k SonicWall customers at risk
TL;DR I found an IDOR in SonicWall’s cloud management platform API. Any user could add themselves to any account at any organisation using it. Anyone could create a user account to exploit the issue, from the public internet. Can be used to change firewall rules, or add rogue VPN users, for example...
A Vulnerability Disclosure Program is not just a page on a web site
It’s great to see an increasing number of organisations starting down the path of a Vulnerability Disclosure Program or ‘VDP,’ but it increasingly strikes me that these are ‘check box’ exercises rather than a genuine desire to interact positively with researchers and improve security. A VDP is a...
Breaking Samsung firmware, or turning your S8/S9/S10 into a DIY “Proxmark”
This post is a companion to the DEF CON 28 video available here. Breaking the Firmware of Samsung’s NFC Chips Recently I have been looking into how to push the capabilities of my old smartphones beyond what you could traditionally do just by rooting them. Smartphones contain huge amounts of hardware...
DEF CON 28: 747 Walkthrough from a Hacker’s Perspective
This post is a companion to the DEF CON 28 video available here. Airframe tour Alex: Welcome to this virtual 747-400 walkthrough. One of the advantages of DEF CON Safe Mode this year is that we’re able to bring you things like this. Nothing beats being able to climb onboard and poke around a real...
DEF CON 28: ILS and TCAS Spoofing
This post is a companion to the DEF CON 28 video available here. The purpose here is to give some practical demonstrations of two kinds of radio frequency spoofing attack against two different types of cockpit instruments that are found in virtually every single commercial aircraft flying today...
DEF CON 28: Introduction to ACARS
This post is a companion to the DEF CON 28 video available here. What is ACARS? ACARS (Aircraft Communications Addressing and Reporting System, pronounced ‘ay-cars’) is an avionics system used for sending text messages between ground and airborne stations. This is a light touch on the topic...
Security Awareness is as valuable today as ever
A while ago I saw a tweet that initially angered me for many reasons, but then I thought about it and wondered how much effort companies put into awareness and training. The tweet was: Security awareness is overrated. You got to do it, but don't expect users not clicking on phishing mails agai...
Building a lab with Server 2019 Server Core and PowerShell …then attacking it!
A lot of people want to get into red teaming but don’t know how. Our Andy Gill / @ZephrFish has written about that. One of the most important skills a red teamer needs to have is a ‘plan to fail’ mentality. By planning to fail you can plan for all eventualities. This is a very common military tactic...
Raining SYSTEM Shells with Citrix Workspace app
TL;DR Citrix Workspace is vulnerable to a remote command execution attack running under the context of the SYSTEM account. By sending a crafted message over a named pipe and spoofing the client process ID, the Citrix Workspace Updater Service can be tricked into executing an arbitrary process und...
Threat modelling and IoT hubs
IoT hubs are increasingly being used to provide a single point of access to the myriad of smart devices in the home. One ring to rule them all, rather than multiple apps for different devices. When reviewing devices we often start with the single biggest security threat: unauthorised access to...
Bridging the gaps between Red and Blue teaming
Red Team, Blue Team, Purple Team, Black Team… Rainbow team? What are all of these things and what do they all mean? Is this a new case of new-found buzzword bingo, or do they have a place and a purpose? The coloured teams are something that is thrown around a lot and while some of them are bette...
Hacking smart devices to convince dementia sufferers to overdose
We’ve looked at numerous smart tracker watches over recent years. All had some disastrous security flaws. However, we found one recently that was a little different: it was aimed at the elderly, particularly those with dementia or other cognitive impairments. If the wearer goes for a walk and...
Patchless AMSI bypass using SharpBlock
Introduction For those that followed my personal blog posts on Creating an EDR and Bypassing It, I developed a new tool called SharpBlock. The tool implements a Windows debugger to prevent EDRs or any other DLL from loading into a process that SharpBlock launches. One feature that was missing fr...