Kids Tracker Watches: CloudPets, exploiting athletes and hijacking reality TV
Kids' smart tracker watch security: everyone has missed the point. It’s not a few thousand here and there. It’s at least 47 million, probably around 150 million exposed tracking devices. It all points back to two or three lazy device manufacturers, much like Mirai v1 did. There have been lots of...
Xmas Light Security Improves… a bit
We've looked at smart Xmas lights before; whilst they were vulnerable, there was no consequence to the hack other than making them flash in a different order! In 2018 we looked at the all-new Twinkly smart festive lights. We found a number of security issues, reported them to the vendor and to a...
Hacking Hardware Password Managers: The RecZone
TL;DR: Hardware security can be difficult to fathom, so I set out to research three password vaults as a newbie, sharing my findings. I picked three popular hardware vaults, each with different components, requiring different skills and equipment. Here's how I learned about disassembly, chipset...
Hacking Hardware Password Managers: passwordsFAST
TL;DR: Taking three hardware password managers, I used them to: learn the basics of hardware hacking; practice disassembling; perform chipset research; understand pinouts and protocols; read data off each device. The passwordsFAST device uses different ways to store the data on a flash chip with a...
Hacking Hardware Password Managers: Royal Vault Password Keeper
TL;DR: Taking three hardware password managers, I used them to: learn the basics of hardware hacking; practice disassembling; perform chipset research; understand pinouts and protocols; read data off each device. The Royal password vault boards looked to be reused from a previous hardware device with...
Nuclear Satcoms
The Fukushima Daiichi nuclear incident in 2011 has led to safety changes that may have an interesting knock-on effect on reactor security. Loss of telemetry during the flooding, as a result of the subsequent loss of power, made assessment of the incident hard to manage. Critical data about the...
Commands and Tools for Embedded Reverse Engineering
We’ve been training a lot of people to look at embedded systems. The training is intensive, and it can be hard to remember all the commands and tools used. This is just a quick rundown of those tools with enough information to jog your memory! Basic Commands If we want to see the content of a fil...
Analysing the Attack Surface of an Industrial Data Acquisition Device
Introduction The Data Station Plus from Red Lion Controls was handed to me to analyse the attack surface. The device is designed to connect to SCADA data acquisition devices over Modbus, Profibus, etc. by Serial or Ethernet connection. Data is collected and recorded to a local compact flash card...
The snooping girl on a train, again. How to compromise a business
So, I’m on a train, again, sat at a four-seat table, next to two men facing each other. From their conversation and interactions I’ve concluded that they are colleagues. The chap to my left is clearly working on implementation plans for a building management system, for a company I know yeah, I g...
Embedded device research. The tools you’ll need
Over the last couple of years, we’ve run many courses on embedded device security. The focus is often defensive, but all the courses have an aspect of offensive: hacking demonstration and real devices so that you can understand the mindset of an attacker. To hack devices, you need tools. And the...
Ships engines, a guide for pen testers
I spent several years as a ship's engineer before straying into pen testing. Ships used to be fairly secure; they were physically isolated at sea. Satcoms were scarily expensive, usually available only to the captain for business-critical communication. Even satphone use was heavily rationed. All...
Christmas socialising. Goodwill to all, and keep your devices safe
It’s that time of year again. Christmas parties, socialising, travelling, and time spent away from home. Seasonal socialising generally involves eating, drinking, and making merry, and there’s nothing wrong with that. The downside is that a “goodwill to all” attitude and an excess of alcohol caus...
The Disgruntled Employee?
When we talk about cyber threat actors one of the terms we use is “Disgruntled Employee”. Everyone knows what that means; someone who is fed up at work, has an axe to grind, feels aggrieved etc. There are sometimes other factors though, ones that aren’t as obvious… The symptoms and effects I was...
Updating Airplanes
If you think updating Windows etc. is painful, spare a thought for avionics maintenance engineers. Flight Management System (FMS) and related navigation databases (navaids, airspace etc.) have to be updated monthly, locally. On older planes, it’s sometimes still done on 3.5” floppy. It’s more common to...
Schiphol hijack false alarm. An insiders view of what happened
I had the misfortune of being at Schiphol last night as this unfolded: All ended well, delayed by about an hour. Had the incident been real, it could have been much worse. Here’s what the pilot had to say about it thanks to @asantosb: Our flight was at D16, the incident flight was directly the...
Pwning a Smart Car Charger, Building a Botnet
…or Why We Don’t Build Commercial IoT on a Raspberry Pi. A positive story of disclosure and remediation. We’re quite into our electric vehicles at PTP, so we started hunting for a smart car charger. There are plenty of industrial chargers out there and some research has been done in the past. We...
Objections to IoT regulation. A rational reply
I often hear objections to consumer IoT regulation, specifically IoT security regulation. It's typically from industry lobby groups that have a vested interest in keeping regulation very ‘light touch’. Their mantra is: “It’ll stifle innovation and increase cost.” I strongly disagree, and here’s why...
Unmasking mystery boxes on ship’s bridges
We pen test a variety of vessel and platform types across different fleets and operators. In every single test to date we have unearthed a system or device that, of the few crew who were aware of it, no-one could tell us what it was for. In other scenarios an undocumented system or device would be...
Mapping the Attack Surface of an Airport
Aviation security is a complex environment. What first sparked my interest in avionics security was a comment from an airport customer of ours. They had seen the media coverage of the DHS work against a Boeing 757 a few years ago and were concerned that an ‘infected’ airplane might create a fresh...
Operational Technology Networks or OT
Operational Technology Networks or OT. Notes: It’s mixing up OT with maritime, so probably isn’t suitable as is. The first section is really good, very relevant. We can use all of that. Once we get into NMEA data, then it goes off topic. I suggest: network equipment such as the Scalance, then a...
Help, my accounts have been hacked! What should I do?
I run staff security awareness sessions for a huge variety of organisations. Regardless of where I am, the most common question I get asked is “How do I recover from being hacked at home?”. For businesses, we have some simple advice, but what about everybody else? A client contacted me. One of the...
Too Interested?
I was asked to investigate an incident a while back where my client was being subjected to a sizeable DDoS attack. It was causing them significant pain and, owing to the nature of their business, implementing something like CloudFlare quickly wasn’t an option. It had the hallmarks of a...
Real-life social engineering. Another two days in tweets
What happens in a real life social engineering exercise? There’s a lot of planning and preparation that goes on behind the scenes: it’s not a matter of turning up to a site and ‘winging it’! I live tweeted an exercise a little while back, to give a flavour of a real task in real time. For reasons...
OSINT for Avionics
One of the biggest challenges with avionics research is simply getting hold of equipment to work on. Current equipment is frighteningly expensive – think $100,000 and up for some components, reflecting the relatively short production run, high reliability requirement and significant certification...
The 5 breach readiness mistakes
The most common mistakes we see in engagements. Responding to cyber incidents and data breaches is rarely straightforward. You are generally faced with making on-the-spot critical decisions with little or no real information. This often leads to mistakes. Let’s review some of the common mistakes w...
A security researcher has made contact. What do I do?
Businesses say that they take security of customer data seriously but, when presented with a vulnerability, are often more concerned about their own reputation than the security of their customers. Handle disclosure correctly and you can do both: protect your customers and protect your reputation...
Think you’ve had a breach? Top 5 things to do
Realising that you may have had a data breach can be the start of a stressful and confusing time. Ideally, you would reach for your carefully crafted and practised incident management plan to guide you through the process. In reality though these plans fall into two camps: They don’t exist yet Th...
Drilling open a smart door lock in 4 seconds
The BBC asked us to have a look at some smart locks for a TV show recently. We didn’t have much prep time, but were genuinely shocked by just how easy this one was to compromise. Usually, we spend time looking at Bluetooth/RF, the mobile app, the API and then move on to hardware. This time we...
A Pen Tester’s First Solo: Aviation Security 101
My colleague Ken and I are both private pilots with a keen interest in avionics and security. We were fortunate to have access to some end-of-life, functioning airframes, so had the opportunity to start investigating the security of airplanes and avionics. Here’s a primer for anyone interested in...
How to: Kerberoast like a boss
Kerberoasting: by default, all standard domain users can request a copy of all service accounts along with their correlating password hashes. Crack these and you could have administrative privileges. But that’s so 2014. Why write a blog post about this in 2019 then? It still works well, yet there...
Real-life social engineering. Two days in tweets
This is the write-up of my live tweets while on a recent social engineering engagement. It’s all available on my feed @ghostie. I did this because I wanted to share what it's like to prep for, and work through, a job, warts and all. If you can take anything away, to enhance your technique, or defen...
Pwning a Siemens Scalance ICS switch through ARM reversing
We’ve been working in industrial control systems security for a long time. Several of the team here used to work in OT control rooms or support SCADA environments. Whilst pen testing a ship control system, we noticed a heavy reliance on Siemens Scalance industrial ethernet switches, so bought a...
A Secure “Smart” Kettle?
We haven’t looked at smart kettles for a long time, mostly as the UK market leader, Smarter, fixed their security with the iKettle 3.0. So I got quite excited when a colleague pointed out the Xiaomi ‘smart’ kettle a few weeks back. It’s the first kettle with a mobile app that we’ve seen for a...
PrivEsc in Lenovo Solution Centre, 10 minutes later
CVE-2019-6177 - Lenovo Solution Centre Privilege Escalation. Slow, but sure. TL;DR: We found a privilege escalation vulnerability in the Lenovo Solution Centre (LSC) software, which came pre-installed on many Windows-based Lenovo devices. Lenovo say LSC has been shipped since 2011, but haven’t been...
Lojack’d: Pwning Smart vehicle trackers
This research is by @evstykas with help from @Yekki1 and @TheKenMunroShow. Many car insurers insist that smart trackers are fitted to high end vehicles. In the event of theft, the car can be tracked and recovered. Probably the most well-known is LoJack, also known as Tracker in Europe. We also...
Dating apps that track users from home to work and everywhere in-between
TL;DR: We were able to precisely locate and track the users of four major dating apps, potentially putting at risk 10 million users. This risk level is elevated for the LGBT+ community, who may use these apps in countries with poor human rights where they may be subject to arrest and persecution. Ap...
Reverse Engineering 4G Hotspots for fun, bugs and net financial loss
a.k.a. 4G hotspots and their Discontents. You might be here because you saw our talk at Defcon 27. You might want to watch that for the full rundown! TL;DR: We found multiple vulnerabilities in several well-known vendors' Mi-Fi devices, including pre- and post-auth command injection and code executi...
Breaking (Bad) Cross-Site Request Forgery Protection – The Netgear Nighthawk M1
What is CSRF? Cross-site Request Forgery (CSRF) is a descriptive term, but pretty oblique if you don’t know exactly what it means. Broken down, it’s pretty simple: A malicious web page running in your browser can send requests to other sites. When it sends those requests, it’ll use the current...
CVE-2019-12103 – Analysis of a Pre-Auth RCE on the TP-Link M7350, with Ghidra!
TL;DR: The TP-Link M7350 V3 is affected by a pre-authentication (CVE-2019-12103), and a few post-authentication (CVE-2019-12104), command injection vulnerabilities. These injections can be exploited remotely, if the attacker is on the same LAN or otherwise able to get access to the router web interface...
Breaking (bad) firmware encryption. Case study on the Netgear Nighthawk M1
TL;DR: The firmware encryption for the Netgear Nighthawk M1 is mainly XOR. It’s possible to derive the XOR key by statistical analysis, just from the firmware update file itself. It’s then possible to extract an AES key from what’s XOR’d, which can be used to decrypt other parts of the firmware...
ZTE MF910 – An end of life router, running lots of vivacious hidden code
You might be here because you saw our talk at Defcon 27. You might want to watch that for the full rundown! The ZTE MF910 is a really interesting router for reversing, mainly because it’s full of nice debug calls, and underused functionality. Also, it’s never going to get patched, and it’s really...
Group sex app leaks locations, pics and personal details. Identifies users in White House and Supreme Court
We’ve seen some pretty poor security in dating apps over recent years; breaches of personal data, leaking users' locations and more. But this one really takes the biscuit: probably the worst security for any dating app we’ve ever seen. And it’s used for arranging threesomes. It’s 3fun. It exposes t...
PTP at DEF CON 27
Here's the lowdown on our 14 DEF CON 27 talks, workshops, and panel sessions: Main Stage Track 3 Paris: Saturday 13:00 Chris Wade presents Tag-side attacks against NFC Track 2 Paris: Saturday 15:00 G Richter presents Reverse-Engineering 4g Hotspots for Fun, Bugs and Net Financial Loss Villages...
DCMS Practical Guidelines. Actionable information
The DCMS guidelines for IoT security are an excellent set of recommendations. They help developers secure devices by outlining the basic ways one can prevent common security weaknesses from being present in their devices and infrastructure. The recommendations are well thought out, and encourage...
Vehicle Telematics Security; getting it right
We spend a LOT of time looking at vehicle telematics security, sometimes on client projects but mostly doing vanilla research on telematics components that we’ve bought ourselves, or investigating our own vehicles. We have a pile of vehicle TCUs here that’s several feet high, plus a couple of...
Social engineering. When you’re the mark…
Who am I? I am Scott, and you may have met me; if you did, your recollection of me will most likely be unique. I am a social chameleon. I can be your best mate, the lost friend you never knew you lost and even an expert in things you are interested in. I live off your stories and I weave my way in...
Fails and Fixes with IoT
After nearly 6 years of tearing apart 'internet of things' devices, here's a look at the high-level fails that we keep seeing. We're not going to go into point issues such as Wi-Fi credential leakage and Bluetooth compromise: our blog is littered with those! What are the root issues and what can...
Burning down the house with IoT
For years we’ve been trying to set fire to ‘smart’ things by hacking them. We got some charring on the iKettle, but nothing more. Then we found some smart hair straighteners. The Glamoriser straighteners were promoted heavily on TV at Christmas; they piqued my interest because of the BLE...
Getting your head under the hood and out of the sand: Automotive security testing
We’ve been doing automotive pen testing for several years now. Along the way we’ve had some fascinating experiences, working with some insightful and forward-thinking OEMs. But we’ve also worked with some OEMs and suppliers that consider pen testing to be a box checking exercise and frankly, buri...
Slok API
You may have read my previous post where I had a look at the SLOK padlock and found it had an interesting BLE interface which I couldn’t find a vulnerability for and a physical design that took seconds to work around. Anyway, I alluded to some weirdness from the API and an actual vulnerability in...