Showing Posts From
Hardware Security
Multiple vulnerabilities were found in the eLinkSmart smart lock range. Flaws in the implementation of the locks' Bluetooth Low Energy (BLE) communication and the back-end API enable an attacker to unlock any lock within Bluetooth range, identify the location of any lock in the world, and compromise user credentials. This blog post describes the vulnerabilities, as well as the process followed to identify them, and demonstrates the issues in action.
An electromagnetic side-channel analysis technique is introduced for guiding black-box CAN fuzzing in automotive Electronic Control Units (ECUs). The method helps identify valid CAN message IDs by analyzing electromagnetic emissions during message processing. This approach improves fuzzing effectiveness when detailed system documentation is unavailable.
A security analysis of Megafeis smart padlocks revealed critical vulnerabilities in their mobile application and API. By exploiting authorization flaws, an attacker within Bluetooth range can enumerate account information and transfer lock ownership to their own account. The research demonstrates significant security weaknesses in the smart lock's backend infrastructure and mobile application.
A vulnerability was discovered in the Cue Health Home COVID-19 Test that allows manipulation of Bluetooth-transmitted test results. By exploiting weaknesses in the device's Protobuf communication protocol, test results could be changed from negative to positive. A Frida script was developed to intercept and modify Bluetooth packets, successfully altering the test outcome.
A vulnerability was discovered in the Ellume COVID-19 Home Test that allows falsifying test results. By manipulating Bluetooth traffic, it was possible to change a negative test to a positive result. The attack involved modifying specific byte values in the device's communication protocol and recalculating checksums, ultimately obtaining a verified COVID test certificate from Azova.
Multiple zero-day vulnerabilities were discovered affecting over 150 HP multi-function printers. The vulnerabilities enable network infrastructure compromise through malicious printing and web-based exploits. New tooling was developed to demonstrate how printers can serve as entry points for network attacks.
A low-cost method was demonstrated to extract BitLocker encryption keys by sniffing the SPI bus of a Trusted Platform Module (TPM). The attack requires brief physical access to a target machine and can be performed using publicly available tools. By capturing TPM communication, the Volume Master Key can be retrieved and used to decrypt a BitLocker-protected drive.
An IT company discovered hardware failures in suspected counterfeit Cisco Catalyst 2960-X network switches. F-Secure's Hardware Security team investigated the devices and identified an undocumented vulnerability that bypasses Secure Boot restrictions. The investigation concluded with reasonable confidence that no intentional backdoors were present in the counterfeit hardware.
This whitepaper analyzes security vulnerabilities and misconfigurations in U-Boot for embedded systems. It provides guidance to developers on securing hardware products against potential security compromises. The analysis is based on real-world research by hardware security experts investigating secure boot implementations.
TamaGo is a Go-based framework for developing secure embedded system firmware without C dependencies or complex operating systems. It provides a minimal runtime with direct hardware drivers for specific System-on-Chip platforms, enabling Go applications to run directly on bare metal hardware. The framework aims to reduce firmware attack surfaces by eliminating traditional low-level code complexities.
A vulnerability was discovered in the Abis HD6000+ SMART Android projector that allows remote code execution on the local network. The vulnerability stems from an unauthenticated HTTP endpoint on port 9909 that enables command execution. An attacker can potentially escalate the attack to a wide-area network remote code execution scenario using WebRTC techniques.
A technical analysis was conducted on the Samsung Q60 series smart TV, exploring its hardware, firmware, and network services through detailed reverse engineering techniques. The investigation involved board-level analysis, extracting and examining the eMMC flash memory, and investigating the proprietary VDFS filesystem. Multiple approaches were used to understand the TV's internal architecture, including examining debug ports, firmware upgrade processes, and network services.
A security analysis of the KeyWe Smart Lock revealed critical vulnerabilities in its Bluetooth Low Energy communication protocol. The lock's in-house key exchange mechanism allows attackers to easily intercept and decrypt device communications by exploiting a predictable common key generation process. By analyzing the mobile application and BLE traffic, the vulnerability in the lock's cryptographic design was exposed.
Multiple security vulnerabilities were discovered in Twinkly IoT Christmas lights. The vulnerabilities include unencrypted local network communications, trivial authentication bypass, and potential remote control through MQTT and DNS rebinding attacks. These flaws could allow attackers to manipulate or control the lights remotely, potentially affecting thousands of connected devices.
HP NonStop is a fault-tolerant computing platform used in critical transaction systems since 1976. The system features a unique architecture with Guardian and Open System Services environments, and uses specialized security components like Safeguard for user management and access control. The platform employs a distinctive approach to user and file management, with unique identifiers, access control lists, and specific security configurations that differ significantly from standard Unix or Windows systems.
A presentation at BSidesNYC 2018 explored Software Defined Radio (SDR) techniques using RTL-SDR to investigate insecure wireless signals. The talk demonstrated how affordable SDR tools can capture and decode simple RF controls like remote switches and car fobs. It highlighted the ongoing vulnerabilities in wireless communication protocols and encouraged exploration of RF security.
A physical attack on early Amazon Echo models allows root access by exploiting exposed debug pads and an SD card boot configuration. By gaining root shell access, an attacker can install a malware implant that turns the device into a remote wiretap. The attack requires physical access to the device and can potentially stream live microphone audio to remote services without disrupting the Echo's normal functionality.
A critical vulnerability was discovered in FingerTec/ZKTeco biometric access control devices. The unencrypted UDP protocol allows attackers to create unauthorized admin accounts, extract user data, and potentially unlock doors without authorization. Over 4000 such devices are exposed on the internet, posing significant security risks.
An electromagnetic side-channel attack technique using a custom H-field sensor is demonstrated to sniff secret information from electronic devices. The method involves capturing electromagnetic emissions during data transmission using off-the-shelf components like a shielded-loop antenna, low-noise amplifier, and software-defined radio. By processing the captured signals through cross-correlation and statistical analysis, hidden serial communication data can be successfully extracted.
A technical blog post details the process of decapping integrated circuits using boiling nitric and sulphuric acids. The technique involves dissolving the epoxy packaging to expose the silicon chip inside. Decapping can be used for identifying counterfeit chips, resetting lock bits, and performing hardware reverse engineering.
A whitepaper by Rob Miller explores the security aspects of LoRaWAN technology. The document provides insights into securing LoRa systems and understanding potential attack methodologies. It aims to help developers comprehend their security responsibilities when building LoRa solutions.
A vulnerability in Dell iDRAC's IPMI v1.5 implementation allows unauthenticated attackers to predict session IDs. The weak session ID generation mechanism enables attackers to inject arbitrary commands into privileged sessions by exploiting predictable session identification. The vulnerability potentially allows privilege escalation across different IPMI communication channels.
This guide details setting up a BeagleBone Black with Ångström Linux to compile GNU Radio and HackRF drivers. The tutorial provides step-by-step instructions for configuring an embedded Linux system to work with a HackRF One software-defined radio. Configuration involves installing dependencies, setting up system settings, and building software components for software-defined radio applications.
A hardware design project at HackLab 2014 explored electronics and embedded programming to enhance security testing skills. Team members experimented with various electronic components, protocols, and design challenges through hands-on learning. The project aimed to provide practical experience in understanding system design from a builder's perspective.
A technical investigation examined the security of hardware-encrypted hard drives by exploring potential vulnerabilities in ATA disk protection passwords and microcontroller access. The study focused on self-encrypting drives from Samsung, Intel, and Seagate, analyzing firmware update utilities and potential attack vectors for accessing drive encryption keys. Multiple approaches were pursued to understand the practical security limitations of hardware-encrypted storage devices.
HackLab 2014 was an internal hacking event featuring three technical projects. Projects included building a quadcopter, developing a mysterious hardware project, and exploring hard drive firmware hacking. Participants collaborated in the Basingstoke offices, fueled by pizza and caffeine to tackle innovative technical challenges.
A Software Defined Radio (SDR) workshop explored wireless signal interception and replay techniques using tools like USRP E100 and GNU Radio. The project focused on analyzing low-cost wireless devices, such as 433 MHz doorbells, demonstrating vulnerabilities in basic wireless technologies through signal capture and replay attacks.
MWR HackLab developed a custom arcade machine capable of running multiple console emulators across different platforms. The project aimed to create a unified gaming interface using Linux, SDL, and Python for settling office disputes between employees. The machine supports multiple gaming consoles and was designed to enable remote multiplayer gaming between different office locations.
A cybersecurity team created an innovative beer fridge that unlocks through hacking challenges. The system uses a Raspberry Pi and Arduino with solenoid locks to create an interactive reward mechanism for solving technical puzzles. The project aimed to gamify hacking achievements by providing beer as a reward for completing security challenges.
MWR Labs hosted an internal hackathon where team members collaborated on diverse technology projects. Participants worked on innovative ideas across areas like data analysis, hardware hacking, and electronic systems. The event fostered creativity and team engagement through hands-on exploration of technical challenges.
A presentation at BlackHat 2012 exposed critical security vulnerabilities in payment terminals. Memory corruption attacks were demonstrated to be possible through complex input handling and network interfaces. The research highlighted potential code execution risks in payment terminal systems.
Hardware hacking techniques can provide root-level access to embedded devices through UART console interfaces. By physically inspecting circuit boards and identifying specific pins, access to hidden device consoles can be obtained. The methodology involves using tools like oscilloscopes and logic analyzers to locate and interact with serial interfaces on devices such as routers and modems.
A presentation on USB attack techniques was given by Rafael Dominguez Vega at T2'09 in Helsinki, Finland. The presentation explored vulnerabilities related to USB attacks. Accompanying slides and an advisory were released detailing the research findings.
A USB security research presentation will be given at T2 in Finland, focusing on attack methods and vulnerabilities in USB drivers. The talk will explore potential security risks associated with malicious USB devices and techniques for identifying and exploiting driver vulnerabilities. The presentation follows previous research presented at Defcon 17.
Rafael Dominguez Vega presented USB security research at Defcon 17 in Las Vegas on August 2nd, 2009. The presentation materials discussing USB security vulnerabilities are available for download. The talk focused on research findings related to USB security.