Pwning smart garage door openers
TL;DR We reversed a smart garage door opener, which appeared pretty secure at first: the firmware was encrypted, debug access was restricted, the web server wasn’t running as root, and it had unique passwords per device. But we found a way in, allowing us to open all the garage doors … and made it play...
Identity in IoT
NOTE: This was originally posted on 19 Jun 2020 but I decided that a rewrite was in order, for clarity and better flow. Identity is important in the Internet of Things. Device identity is one of the most important security challenges in IoT. If you get identity management wrong, you run a...
What an IoT assurance scheme could look like
We’ve seen our fair share of vulnerable smart devices over recent years, our blog is littered with examples. We have already commented on the DCMS Secure by Design initiative, it’s a great initiative as is, however, we do want to see it evolve and become more rigorous over time. This should not b...
Scams and how to spot them
We’re in strange times at the moment. Some things don't change though, e.g. the scams and fraudulent activity designed to separate people from their money or identity. When dealing with these scams the main thing to remember is: if it seems too good to be true, it probably is. While that statement ...
Congrats, you got everyone remote. But did you do it securely?
The lockdown has meant entire companies of typically office based staff being forced to work from home. The change to our way of life is like nothing anyone has in living memory ever seen. However, alongside that, IT teams have had to rush to deliver solutions that were simply not designed for th...
Embedded security fails in ICS
Over the last 5 years, we’ve seen an increasing use of open-source software in ICS (Industrial Control Systems) devices, with a move away from traditional RTOS (Real Time Operating System) and proprietary software. We’ve seen RTUs (Remote Terminal Units), HMIs (Human-Machine Interfaces) and even PLCs...
Revisiting old tools
Many, many years ago I was onsite and noticed that a company's internal website had checked out their website using the subversion code versioning system. This subversion archive contained the site's web.config which has a set of credentials for SQL server, which through many steps led to domain...
A cyber warning light. The canary in the mine
One of the most difficult challenges for any sector is trying to alert an audience without skills in ‘cyber’ to the presence of unusual activity that might suggest a hack or other security tampering. What if we could alert a ship’s captain, an airplane pilot, car driver or machine operator that...
Unclamping the Barnacle
You may have seen the furore around the Barnacle windscreen-based parking clamp back in January this year. It’s a different approach that allows the clamp to be unlocked remotely, so you don’t need the clamp company to come remove it for you. If you’re not familiar with the device here’s a video...
Introduction to PLCs and Ladder Logic
Introduction We do a lot of client work with ICS, IIoT, and SCADA. We've been to various power plants, factories, electricity substations and they all use the same technology in the form of a PLC. A PLC is a Programmable Logic Controller. PLCs are what keep our Critical National Infrastructure...
Reverse Engineering a 5g ‘Bioshield’
Six months ago the UK's Glastonbury Town Council set up a 5g Advisory Committee to explore the safety of the technology, and last month the local paper reported their findings. This statement is in their recommended measures report page 31 of this PDF: 5G Bioshield https://5gbioshield.com/ We use...
In Flight Entertainment System Security
Contrary to alarmist stories in the press, it really isn’t practically possible to hack an airplane from the in-flight entertainment system (IFE/IFEC; the ‘C’ adds Connectivity, so internet access). Whilst earlier moving map systems did take a feed from the flight management system, particularly so...
Docker Desktop for Windows PrivEsc (CVE-2020-11492)
TL;DR Docker Desktop for Windows suffers from a privilege escalation vulnerability to SYSTEM. The core of the issue lies with the fact that the Docker Desktop Service, the primary Windows service for Docker, communicates as a client to child processes using named pipes. The high privilege Docker...
Ethical dilemmas with responsible disclosure
We do a LOT of disclosures, probably starting one a day on average. Between us, we spend a man day or so per week just managing disclosures. It creates pain for us and consumes time, particularly when the vendor won’t listen. We get the occasional legal threat, which takes time and money to slap...
Short beacon analysis on the NHS iOS Tracking application
We recently helped the BBC with a piece on the new NHS COVID-19 tracking application. Concerns were raised by some about the ability for the app to track interactions while it was running in the background. There had been some discussion that suggested two iOS devices running the app whilst...
Housemates. The new Red Team?
You have the VPN set up, you have 2FA, you have a good enforced password policy, firewalls are in place, you even managed to squeeze in some remote training to make employees more aware of potential phishing. You stop, breathe a sigh of relief, and then think… I've no idea who my employees live...
Speaking at security events
I don't claim to be an amazing speaker; I'm still in awe of great infosec speakers such as Mikko Hypponen, Charlie Miller, Mudge and many others. However, I do keep being invited back to speak at events, so I guess I'm doing something right. Sometimes it's a minor slot at a big event, but the...
Jeopardising aircraft through TCAS spoofing
The Traffic Alert & Collision Avoidance System or TCAS was first developed in the early 1980s using transponders on aircraft to interrogate other aircraft within a set range about their distance, altitude, and heading. If a collision course is detected and the aircraft is suitably equipped, a TCA...
GDPR.EU has er… a data leakage issue
GDPR.EU is an advice site ‘operated by Proton Technologies AG, co-funded by … the EU Horizon Framework’. It’s full of useful advice for organisations that need to comply with GDPR. Whilst it isn’t an official EU Commission site, it is partly funded by the EU. You may also be familiar with Proton...
From a TCU to Corporate Domain Admin
How we went from a telematics control unit in a vehicle to domain admin on a corporate network We’ve tested numerous telematics control units over recent years and gathered many of our findings in to some good practice guidance here. However, just occasionally we find something that blows our min...
Are you cyber seaworthy?
The decision to set sail in a commercial vessel rests with the captain. A captain with years of experience and training, who is skilled at sailing and navigating in all conditions. Increasingly, the state of a vessel’s cyber security will affect its seaworthiness. Yet in future we may expect a...
You can’t build a great IoT system without a strong foundation
Introduction Building a secure IoT system requires secure IoT devices, and building a secure IoT device requires a strong foundation. The hardware in the device must support and enable security. Too often, we've found that IoT products use inappropriate hardware. Worse still, many devices contai...
SweetPotato – Service to SYSTEM
I've had a keen interest in the original RottenPotato and JuicyPotato exploits that utilize DCOM and NTLM reflection to perform privilege escalation to SYSTEM from service accounts. The applications behave by leveraging the SeImpersonatePrivilege and MITM to perform privilege escalation when a hig...
Authenticating your call centre when everyone is remote
Some unique challenges present themselves as workforces shift to remote working. One that is not likely top of the pile, but is an easy avenue for abuse, is authentication. When I talk about authentication, I don’t mean how users log on or access their emails, for example. What I mean is how you...
Honeyroasting. How to detect Kerberoast breaches with honeypots
Introduction As we know, one of the main issues facing defenders, especially in large environments, is protecting against threat actors after they gain a foothold in the environment. If an attacker lands on a domain-joined PC, the attack surface is massive, and it is vital to detect them as quickl...
Quick wins with Adobe Experience Manager
Introduction Adobe Experience Manager (AEM) is a comprehensive content management solution for building websites, mobile apps and forms. And it makes it easy to manage your marketing content and assets. If you've ever looked into AEM you may have heard of Mikhail Egorov (@0ang3el). He has done some...
Turning an OBD-II reader into a USB / NFC attack tool
One of my favourite sorts of hardware hacking is making a device do something it was never intended for. It's creative, disruptive, and fun. Everyone has their own way of going about things. Different methodologies, habits, and skill sets mean that approaches will be diverse. This is how I work...
Spying on old folks
We’ve tested plenty of kids' GPS tracker watches over the years. Nearly all we looked at had critical security issues. For a BBC show a while back we were asked to investigate the security of similar trackers for the elderly. They’re a nice idea, allowing people to live independently for longer an...
PrivEsc in Lenovo Vantage. Two minutes later
TL;DR The latest and greatest Lenovo Vantage software which ships with the most recent Lenovo devices is affected by a privilege escalation vulnerability. Whilst Vantage has been released since circa 2016, the software replaced Lenovo Solutions Centre (LSC) as the recommended platform management an...
Introduction to Bluetooth Low Energy
Bluetooth Low Energy (BLE) is used by almost everyone in our everyday lives, from wireless headphones, to car stereos, computer keyboards and mice, and other everyday items. Even though this standard is popular there seems a general lack of understanding of how it works and what certain terms mean...
9 things to consider when staff work from home unexpectedly
Many businesses are reviewing and updating their response plans currently. Some might consider closing offices. This may be an appropriate response, but have you considered the effect on employees that have never worked from home before? Security considerations can be quite different, as working ...
Hardware Router CTF
Here at Pen Test Partners we love hardware and also love a good CTF. So here's how I figured out my way through the hardware CTF that PTP set as a pre-requisite for some interviews. I'm pretty new to hardware, so learned quite a bit along the way. We have now moved on to a new 'interview' CTF so,...
Fill your Boots with credential stuffing protections
Yet again another company suffers a ‘hack’ that turns out to be nothing more than a credential stuffing attack. This time Boots have stopped customers using advantage card points to pay for products. This is after 600,000 Tesco accounts were compromised in the same way. No systems at Boots were...
A not so Clearview?
Unless you were asleep last week, you probably saw the press story about the controversial facial recognition vendor, Clearview AI, being breached. There is debate about whether Clearview should be permitted to scrape photos from social media and use them to populate its facial recognition system...
From Minecraft to Metasploit. Game hacking could start your cyber security career
Human beings are curious. Give a computer game to a kid and it’s only a matter of time before they get bored with the constraints of the gameplay and start trying novel things. This is encouraged by a lot of game developers by hiding Easter eggs in hard to reach locations. Once the confines have...
Hardcoding Keys. Is that Wyse?
A couple of years ago, we were testing a large system of around 3000 Wyse terminals, all operating unattended. To configure themselves, they download a configuration file called wlx.ini from a webserver. This file contained a few fields that seemed interesting - ChangeRootPassword and...
Ships can’t be hacked. Wrong
I get a lot of objections from ships' captains when discussing security flaws in ships, so I felt it worthwhile looking at these in some detail. The usual response is ‘ships can’t be hacked.’ When I dig further, what they usually seem to mean is that ‘processes aboard the bridge mean that the...
Out Of Band, Out Of Sight, Out Of Mind
Satellite receivers aboard maritime vessels can be tricky things to manage, yet are crucial to efficient operations of modern drilling rigs and ships. Particularly on rigs, it’s not that unusual for a receiver dish to be knocked out of alignment during drilling operations. Lose satcoms and you’re...
Business Email Compromise. What to do
The FBI has just released its annual Internet Crime Report for 2019; it makes for some really interesting and depressing reading. The mainstream media focused on the headline figure of $3.5Bn in losses in 2019, but what caught my eye is the Business Email Compromise (BEC, or CEO Fraud) stats. I...
Reverse Engineering the Tesla Firmware Update Process
TL;DR How does the Tesla Model S update its firmware? What did we find when reverse engineering the display and instrument cluster? Here’s the result of a couple of weeks work, working on a real vehicle that mostly worked after we had finished. Part 1: analysing the hardware, complete with a 14...
Reverse Engineering Tesla Hardware
TL;DR How does the Tesla Model S update its firmware? What did we find when reverse engineering the display and instrument cluster? Here’s the result of a couple of weeks work, working on a real vehicle that mostly worked after we had finished. Part 1: analysing the hardware, complete with a 14...
Password managers for all staff. Why the resistance?!
I’ve lost count of the number of times I’ve talked about passwords. I mention them in every talk I do. They are used in pretty much every service we test, they are the gatekeepers to our data, they are the protectors of our money and yet we still have not fixed them. As security professionals we...
2×4 Security
I had someone at the house recently, talking about physical security. We have all the usual stuff like alarms and CCTV, locks on the windows and doors, but the aim of the exercise was to have someone who is familiar with attack vectors (physical security in this case, but the principle applies to...
Pen Testing Ships. A year in review
Partially driven by the upcoming inclusion of Cyber Security by the IMO (International Maritime Organisation), 2019 was a really busy year for maritime security testing at PTP. What can we all learn from a year of evaluating the security of ships? We’ve been involved in all sorts of ship testing,...
HTTP Request Smuggling. A how-to
TL;DR HTTP Request Smuggling is not a new issue, a 2005 white paper from Watchfire discusses it in detail and there are other resources too. What I found missing was practical, actionable, how-to references. This post covers my findings and, hopefully, sheds some light on the intricacies of HTTP...
ASSURE Aviation Cyber Security Testing
We've long been supporters and champions of a formalised approach to Aviation Cyber Security Testing. Our research and blogging has taken us on an interesting journey regarding airside and landside security, mapping attack surfaces and explaining how systems work and interact. Speaking and...
IR & Forensics in the Cloud
More and more organisations are moving their business to the cloud. This makes securing data and being able to respond effectively to incidents in cloud environments an important topic. Having the skills on hand to properly collect digital forensics data in response to a legal dispute or during a...
Quick Wins to Combat Data Leaks
Data leakage is a worry. Holding lots of sensitive information about your employees and your customers means that if data is exposed it would be a catastrophe. No one wants to be the next Mossack Fonseca, or Equifax, or Marriott Hotel, or Facebook, or… The majority of clients I speak to tell me...