The null choice. A social engineering example in the wild
With social engineering there are lots of ways to get what you want, depending on the circumstance of course. The null choice is one that works really well when your desired outcome isn't obvious to the people you're trying to dupe. There are ways and means of overcoming a null choice scenario...
Ninja Turtles in your network: LAN Turtle 3G. A how-to for red teaming
Introduction. This post will detail how to configure and utilise a LAN Turtle 3G from Hak5 to gain a persistent, remotely accessible presence within a network. With ethernet ports becoming less common on new hardware, many people have been forced into deploying an array of various dongles and...
Don’t ‘Roley’ your own encryption, says Bob the Builder
The Uplogix 3200 is a console server for out-of-band management. It claims ‘high security’ as it’s a closed appliance with a locked-down OS. We were a little surprised therefore to find security flaws in the method they use to protect passwords on the device. We were even more surprised by their...
The not so ultra lock
This post couldn't have been written without @evstykas and @cybergibbons. I became aware of the Ultraloq from U-tec a few months ago. For a room door lock it has a range of what look like really good features: Ultraloq UL3 smart lever lock is designed to be "Real Keyless". You are free to use...
F5 Networks Endpoint Inspector – Browser-to-RCE?
If a bug falls in the forest, and the vendor denies that it’s a bug, is it still a bug? TL;DR? The F5 Endpoint Inspector is an application which can be called from a web browser to scan a client for compliance. We found it can be abused to run arbitrary code, triggered by visiting a malicious...
Double-Free RCE in VLC. A honggfuzz how-to
Introduction. I spent three months working on VLC using Honggfuzz, tweaking it to suit the target. In the process, I found five vulnerabilities, one of which was a high-risk double-free issue and merited CVE-2019-12874. Here’s the VLC advisory. Here’s how I found it. I hope you find the how-to...
Why we shouldn’t use sequential booking references
I travel a lot with work. In the last 6 months there have only been 2 weeks where I haven’t been to Heathrow airport. Heathrow isn’t the easiest journey by public transport for me as the PTP HQ is in a field in north Bucks. Hence, I usually end up driving to the airport. I’ve been to Heathrow twice th...
Ewon Flexy IoT Router. A Deep dive
First off I would like to thank the techs at PTP for their insights and help during this process. I know what I know, and I don't know what I don’t know, so I asked for help sometimes. I've learned a lot from this project e.g. how XOR works, and how to use IDA to analyse ARM binaries better, so I...
Sharing the Secrets: Pwning an industrial IoT router
I get involved in a lot of IoT and ICS pen tests and found an interesting device on one of them. I didn’t have enough time on the job to go as deep as I wanted, so got PTP to buy a couple to play with. eBay FTW! It’s an Ewon Flexy IoT Router. It’s important to note that local access / public IP...
Covert Keylogging: Sniping your Typing
There have been many attempts at making key logging devices or software over the years, however, whilst a DIY solution is usually made from large Raspberry Pi devices or Arduino boards, the KeyLogger PRO offering from Maltronics has raised a few eyebrows with regards to the wealth of features...
Bloodhound walkthrough. A Tool for Many Tradecrafts
A walkthrough on how to set up and use BloodHound. BloodHound is an application used to visualize Active Directory environments. The front-end is built on Electron and the back-end is a Neo4j database; the data leveraged is pulled from a series of data collectors, also referred to as ingestors, whic...
Don’t get burnt on pay day. How to buy IoT gadgets sensibly
As it’s the end of the month, and pay day for many, I thought some timely advice would be helpful for people itching to spend their money on IoT gadgets. It’s not all bad. While many manufacturers happily continue to fill shelves with dross, we know plenty of responsible companies whose products...
Securing your red team kit with Uncomplicated Firewall
After reading Identifying Cobalt Strike team servers in the wild I started thinking, why are people not firewalling off their kit? If you read the above post and I suggest you do, you will see under section “Scanning and Results” that the research concluded that 7718 unique Cobalt Strike CS team...
Pwning the Nokelock API
Nokelock Vulnerabilities. I’ve been talking at some Infosec meet-ups about a certain padlock, called the Nokelock. I need to differentiate this right now as there is a product called nokē; this is not about that. This is about a set of Chinese-made padlocks called Nokelock from a company called...
Tesla Killer: The Fuzzed and the Furious
The Tesla doesn’t have a conventional OBDII (onboard diagnostics) port as such. There’s a connector, but it’s just provided with +12V/ground in order to power things like insurance telematics dongles. Instead, there’s the Tesla diagnostics connector X427, which is where things get a bit weird. That...
FUD 101: How not to report healthcare cybersecurity issues
I was asked to review a report from Forescout about healthcare security by a journalist, as they were suspicious of the headlines. Here’s what got my spidey senses tingling: “The server SMB protocol is left open in 85% of connected devices in healthcare organisations, giving bad actors an easy an...
eyeDisk. Hacking the unhackable. Again
Last year, about the time we were messing around with a virtually unheard-of hardware wallet we got a bit excited about the word “unhackable”. Long story short, I ended up supporting a selection of kickstarters that had the word “unhackable” or similar in their title. Of these, at least one got...
Pwning WordPress GraphQL
Third-party plugins are often the security Achilles heel of Content Management Systems (CMS). It seems like not a month goes by without one security researcher or another uncovering a vulnerability in a plugin, undermining the security of the whole platform. Plugins are used to add functionality that...
How To Do Firmware Analysis. Tools, Tips, and Tricks
So, you’ve got a firmware dump. Perhaps a raw read off a chip? An update file you downloaded off the internet? Now what? Taking a firmware dump and turning it into something useful can sometimes be painful. Sometimes you’ll be faced with proprietary barely documented file formats, strange raw dat...
UK Government gets serious about consumer IoT security. Legislation on the way
The Digital Minister Margot James today announced a concrete mandate for dealing with the slew of insecure IoT dross that has plagued consumers over the last few years. The aim is simple, to ensure that the millions of household items that are connected to the internet are better protected from...
Tic Toc Pwned
We were recently tipped off that the Australian Tic Toc Track watch was almost undoubtedly just a version of the Gator kids GPS tracking watch. That’s the tracker watch which leaked real time kids position data to anyone, it also allowed anyone to silently listen to children through the watch...
Cobalt Strike. Walkthrough for Red Teamers
What is Cobalt Strike? Raphael Mudge is the creator of Cobalt Strike (CS). Around 2010 he released a tool titled Armitage, which is described by Wikipedia as a graphical cyber-attack management tool for the Metasploit Project; to put this more bluntly, Armitage is a GUI that allows you to easily navigat...
Hacking Superyachts. Advice for integrators
I’ve written previously about how superyachts are the homes, the offices, the play areas for their owners and how captains need to consider so many more risks than they used to. However, a common theme is you, the integrator. Your job is to put all the owner’s toys and all the captain’s tools together in ...
Hacking Superyachts. Advice for captains
I’ve blogged already about how superyachts are the homes, the offices, the play areas for their owners. However, they are also the charge of the captains and the homes of the crew; most owners simply see themselves as guests on the captain’s yacht, so what do you, the captain and crew, need to think...
Hacking Superyachts. Advice for owners
If you own a superyacht they are your homes, your offices, your play areas. They are islands of exclusivity and provide safety and security and above all privacy, but are they really as secure and private as you hope they are? Finding your yacht Most yachts have safety features such as Automatic...
Business banking fraud. Keep your eggs in TWO baskets. Here’s why…
This post has a cautionary tale all about spreading your business banking fraud risk. So, does your business have two bank accounts, with different banks? No? Then you would be well advised to do so, or risk being left unable to trade. WHY? Business banking ‘cyber’ fraud is increasingly common; I...
Remote command injection through an endpoint security product
TL;DR? We discovered command injection in a popular endpoint security product, Heimdal Thor. By using the product, customers’ PCs were exposed to compromise. Irony++. Heimdal fixed the issue quickly and responded well, but it appears that the vulnerability had been present on 650,000 PCs for around...
Connected camera cock up
I haven’t touched adult toy security for over a year now, mostly because we kept finding the same stuff over and over again. Besides, @internetofdongs has been doing some great work in this space, so it seemed pointless to duplicate his efforts. However, this morning, @dcuthbert tweeted us this: ...
Walkthrough. Investigating an SSD
I had an interesting job come in. A client wants the data off a dead SSD, and it’s a model that regular data recovery companies won’t deal with, an SK Hynix drive. It’s used extensively on many Dell laptops. The drive is NVMe which means it uses several PCIe lanes for communication. First things...
Gone in six seconds? Exploiting car alarms
Key relay attacks against keyless entry vehicles are well known. Many 3rd party car alarm vendors market themselves as solutions to this. We have shown that fitting these alarms can make your vehicle EVEN LESS SECURE! These alarms can expose you to hijack, may allow your engine to be stopped whil...
Hacking ski helmet audio
I love snow sports, and I also like my tunes, so purchasing the Outdoor Tech CHIPS smart headphones was a no-brainer. They fit into audio-equipped helmets and have huge 40mm drivers. Warm ears and good bass. Better yet, they’re touch sensitive even with gloves on and I can take calls handsfree...
Cisco RV130 – It’s 2019, but yet: strcpy
Yesterday Cisco released an advisory for CVE-2019-1663 – a pre-authentication code execution vulnerability in the RV110W, RV130W and RV215W router series. If you own one of the affected devices, check out that link for all remediation advice, including a new, patched firmware. We were one of two...
Different ‘smart’ lock, similar security issues
I was looking through Amazon and found this padlock at the cheaper end of the scale. For twenty of my well-earnt English pounds I could become the owner of a new and shiny SLOK lock. Image credit: Amazon It can be unlocked by BLE and can be shared to others, what could I do but buy one and revers...
Sinking a ship and hiding the evidence
Our earlier work on Voyage Data Recorder manipulation got us thinking about how a malicious individual or organisation might bring about the demise of a ship and hide the evidence. There are plenty of ways to get malware on to a ship. Whether it’s via satcoms, phishing, USB, crew Wi-Fi, dodgy DVD...
Oracle MAF store bypass, a how-to
On a recent assignment I was asked to look at the security of a cloud-based solution for expenses, the Oracle® ExpensesCloud with Fusion applications. It was being used for employees to create/save/edit/submit claims to the employer. TL;DR Having default hardcoded credentials allows an attacker...
Vulnerability disclosure buzzword bingo!
Play Buzzword Bingo With Us! In the last 5 or so years of research we’ve found a substantial number of products with vulnerabilities in their supporting apps and infrastructure, as well as in the devices themselves. Some were low-impact, some were just curiosities, but many critical flaws exposin...
BBC Inside Out. Consumer advice for the ‘smart’ homeowner
We were recently asked to demonstrate security flaws in a smart home for the BBC Inside Out TV show. We’ve done this before, so what was different? This home was by far the most connected we had looked at. Typically, homes have a few smart devices; a smart thermostat, CCTV, maybe a doorbell and...
Burp HMAC header extensions, a how-to
I was recently on a test where the client’s API used a custom authentication scheme to add a SHA256 HMAC dynamically on each request, based on the URL, time, and message body. My normal go-to for API testing is Postman especially when your client is lovely enough to give you definitions you can...
Super-systemic IoT flaws
IoT security flaws were always systemic: by that I mean that if I find a flaw in my smart thermostat, it affects ALL of those thermostats. A security problem with one connected car leads to problems with ALL the connected cars using that same system. That led to incidents such as the Mirai botnet...
Hacking floating hotels. Cruise ship compromise on the high seas
Modern cruise ships have all the amenities of a large resort hotel. Prior to entering the infosec space, I spent 5 years working in hotels. My experience of the security of both hotels and shipping indicates that the mix is not a good one for security. What’s the difference between a hotel and a...
GPS watch issues… AGAIN
Over the last year of looking at kids’ GPS tracking watches we have found some staggering issues. With these devices it almost seems that having multiple security issues is the new normal. While parents and guardians may get a feeling of security from using these devices, our testing and research...
IoT: OFF by default
It’s increasingly difficult to buy home appliances and other tech that DOESN’T have connectivity. Despite reservations about the security of smart tech, if we want to buy mid to high end devices, we often have no choice but to buy appliances with connectivity. To quote @Mikko Hypponen: If it is...
Shipping operators, what you need to know about phishing and CEO fraud
Maybe second only to ransomware, the most likely type of attack a shipping operator will experience will be a phishing scam. Usually this will be carried out by email, or social media, or even messaging apps. It will likely include a link to what seems a plausible website, and/or have an...
Hacking the Echo echo echo
Smart home assistant. Not-so-smart TV. Amazon Echo is considered pretty secure in the security community. Remote exploitation is a pipe dream, requiring months of research to stand any chance. But what about using other devices in the home to exploit it instead? Working on a smart Samsung TV and a...
Hackers in Hot Water. Pwning smart hot tubs, yes really
TL;DR? Video first… We were given a tip by the awesome Ceri Coburn that something was amiss with the Balboa Water App, a mobile app used for controlling 30,000 hot tubs. You can remotely control your tub, so you can heat it up for when you’re ready, saving power when you don’t use it. Nice idea!...
Satellite communications equipment security
Introduction. Satcoms are the game changer in maritime cyber security. In the past, satellite connectivity was so expensive as to be prohibitive for all but the most essential communication. Crew personal email and social media access was a pipe dream. However, now that ship operators have access ...
Worried about Spouseware?
We recently participated in a BBC Radio 4 interview for You and Yours about ‘Spouseware’. This covers smartphone apps which are used by a domestic abuser to track and monitor their victim. The tracking ‘spouseware’ can tell the abuser where their victim is, when they use the phone, what speed...
BBC: MiSafes’ child-tracking smartwatches are ‘easy to hack’
Following our research on the MiSafes kids tracking watch we spoke to the BBC's Rory Cellan-Jones and Leo Kelion about the risks, and what consumers can do. We found that the devices didn't encrypt user data, and that each child's account wasn't secured. The result is that children's movements...
ITV: New rules to prevent children’s ‘smart’ toys from being hacked
In the run up to Christmas we were asked by ITV's Chris Choi to demonstrate some of the security fails we see in kids toys all the time. We showed him our research on My Friend Cayla, and Tekstra Toucan amongst others, and made the point that while manufacturers need standards and codes of practi...
Advice on buying ‘smart’ gadgets for Christmas
Christmas isn’t far off, and many of you will be in full present buying mode. In the world of smart-this and connected-that there is more at stake than ever before, and we’re not talking about whether batteries are included or not. As we’ve been testing the security of smart products for over 5...