Although London enjoys one of the most vibrant infosec industries in the world, there are not as many hacker and security events as one would think. Meetings-wise, we have organizations such as 2600, Defcon, and OWASP among others. However, the number of attendees needs to be improved. Usually, having a turnout of 20 people at one of these meetings is considered a success in London. Not much for such a big city if you think about it. [...]
What is this post about? Well, this is something that pdp and I were playing with a few years ago. As you might already know, although we also do vulnerability research at GNUCITIZEN, what we like best is insecurity by design. There is nothing better than finding an attack vector that won’t be resolved by the vendor simply because the product is designed to follow certain behavior. Personally, from a security research point of view, I think that these attacks are the best. [...]
I really think that web interfaces are the low-hanging fruit of embedded devices. Sure, classic attacks such as predictable SNMP community strings, exposed TFTP services and buffer overflows still apply. However, by exploiting the web interface we can steal the data we want, we can enable remote access to the compromised router, we own the victim’s connection. In short, bugs in the web interface give us all we need! Anyway, enough talking! [...]
A couple of weeks ago, my wife pointed out to me this really cool appliance she saw in a magazine. Since she knows I like spending my free time hacking/researching embedded devices, she thought I’d be interested.
In summary, you hook up Slingbox to your TV box, be it digital TV or cable. Then you can do streaming to your laptop, desktop computer or even mobile/cell phone. [...]
The following are the full details of the vulnerabilities we reported (BID 25972) to BT regarding their Home Hub router. We are going to give brief details on all PoCs. If you have any suggestions, recommendations or corrections, do not hesitate to contact us. All the vulnerabilities and demo exploits discussed below have been tested on version 126.96.36.199 of the firmware, unless otherwise specified. Have fun and be responsible! [...]
This was very interesting. [...]
Here is the news: it seems that BT is restricting/crippling the remote assistance feature as a result of the vulnerabilities we reported. I personally found the following statement interesting:
Something tells me that this separate Remote Access feature will also be open to abuse if not locked down properly. Furthermore, some of the vulnerabilities we found (which we forwarded to BT) can still be exploited even if the Remote Assistance feature is removed. [...]
In this post I’ll elaborate a bit more on our demo video previously released and what the intruder can do to remotely access the Home Hub anytime and from anywhere after it’s been broken into. You are recommended to read the first part of this post if you haven’t done so yet.
So here is the attack illustrated in the demo video. The victim user is tricked – through Gtalk – to visit a website that contains malicious code. [...]
OK, let me get to the point. The BT Home Hub, which is probably the most popular home router in the UK, is susceptible to critical vulnerabilities.
BT’s plan is to sneak one of these boxes into every UK home. Not only does the BT Home Hub support broadband but also VoIP (BT Broadband Talk), UMA mobile telephony (BT Fusion), and digital TV (BT Vision). Additionally, BT will give users the option to use their BT Home Hub to join FON, a community-shared Wi-Fi. [...]
I’ve done some research on Axis IP cameras, which now I am able to disclose to you and reveal some of the magic. Although this is not independent research, I am mentioning it here as it may interest some.
The research is made of two components: a purple paper (one of the traditions we follow in GNUCITIZEN) and a video. I promise you that I won’t bore you with PoCs, but actual Hollywood-style exploits. [...]