Pwnie Award Nominee

Yesterday a friend of mine let me know that some of my BT Home Hub security research (details here and here) got nominated for the Pwnie Awards.

At first I thought oh, that’s cool, but then I learned the category my research had been nominated for: Most Overhyped Bug. [...]


OWI: Yet Another Anonymous Point of Attack?

About a month ago I traveled by train for a pre-sales meeting with a prospective customer. The trip was about two hours long, which would usually mean that it’d be boring. In this case it was different though: I was surprised with free OWI (Onboard Wireless Internet) on the train!

Simply connect to the available open (no encryption) wireless access point and you will be redirected to a login portal, aka captive portal. Just like any hotspot you find at coffee shops such as Starbucks. [...]


Dumping the admin password of the BT Home Hub (pt 2)

This is just a quick update regarding our previous post which details how to extract the default admin password for the latest firmware of the BT Home Hub (6.2.6.E at time of writing). I recommend reading the previous post if you have not done so yet.

The BT Home Hub’s serial number – which is the default admin password – can also be found in UPnP description XML files. [...]


Dumping the admin password of the BT Home Hub

So BT added a new security feature in the latest version of the BT Home Hub firmware (6.2.6.E at time of writing) which changes the default admin password from admin to the serial number of the router. From the BT Support and Advice site:

When I first noticed this new feature I thought it was quite cool and definitely a good move from BT. [...]


Agile Hacking: A Homegrown Telnet-based Portscanner

So here is the scenario: the attacker has limited access to a box and he/she needs to perform a portscan from it. However, he/she does not want to download any tools to the target system. There might be various reasons for not wanting to upload a portscanner to the box. Perhaps, the attacker wants to minimize the footprint. [...]


Default key algorithm in Thomson and BT Home Hub routers

Yes, we’re back with more embedded devices vulnerability research! And yes, we’re also back with more security attacks against the BT Home Hub (most popular DSL router in the UK)!

As you know, we encourage folks in the community to team up with us in different projects as we’ve had very successful experiences doing so. This time it was Kevin Devine’s turn. [...]


ZyXEL Gateways Vulnerability Research (Part 2)

Here is the second version of the ZyXEL routers penetration testing paper. This second part of the paper is also fully practical just like the first one. No theory whatsoever, but rather real juicy attacks which is what we pentesters/whitehats are interested in (after all we need to be aware of what the bad guys can do)!

Unlike the first part of the paper, this one focuses more on attack techniques rather than newly-discovered vulnerabilities. [...]


Exploring the UNKNOWN: Scanning the Internet via SNMP!

Hacking is not only about coming up with interesting solutions to problems, but also about exploring the unknown. It was this drive-for-knowledge philosophy that led to surveying a significant sample of the Internet, which allowed us to make some VERY interesting observations and get an idea of the current state of remote SNMP hacking.


2.5 million random IP addresses were surveyed via SNMP. Why SNMP you might be asking? Well, there are several reasons. [...]


HITB Dubai 2008: we can’t wait!

One of the things I like about the hacker/security community is how much exchange of ideas takes place. Most researchers soon realize that there is nothing like a good session of sharing ideas with other peers in order to come up with even more interesting thoughts!

We’re happy to say that GNUCITIZEN will be part of one of the events we were the most interested in: HITB Dubai 2008. Both pdp’s (client-side hacking) and my (embedded devices hacking) material were accepted by the HITB folks. [...]


Holes in Embedded Devices: Authentication bypass (pt 4)

This kind of authentication bypass bug can easily go undetected during a security assessment if not enough attention is paid. In order to understand this type of vulnerability, we need to be familiar with the settings pages available on devices’ web interfaces that allow the admin user to modify settings.

Administrative web interfaces have different sections/menus available to logged-in administrators. Each section is just an HTML page with a form designed to make configuration changes. [...]
