Hack the Sky: Adventures in Drone Security | Gabriel Gonzalez
Taking aim at the attack surface of these buzzy devices uncovers real-world risks In the grand theater of innovation, drones have their spot in the conversation near the top of a short list of real game changers, captivating multiple industries with their potential. From advanced military applications to futuristic automated delivery systems, from agricultural management to oil and gas exploration and beyond, drones appear to be here to stay. If so, it’s time we start thinking about the security of these complex pieces of airborne technology. The Imperative Around Drone…
IOActive Presents at HARRIS 2024, a Unique Workshop for Chip Reverse Engineering | Tony Moor
The Hardware Reverse Engineering Workshop (HARRIS) is the first ever annual workshop devoted solely to chip reverse engineering, and 2024 was its second year. IOActive has been present both years, and this year I attended to see what all the fuss was about. Background The workshop is organized by the Embedded Security group of the Max Planck Institute for Security and Privacy (MPI-SP) together with Cyber Security in the Age of Large-Scale Adversaries (CASA) and
IOActive Security Advisory | Movistar 4G Router – Multiple Vulnerabilities
IOActive found that the Android Debug Bridge (ADB) is listening on all interfaces and gives access to a shell with root privileges; a malicious actor with access to the same network that the router is providing access to will have full control of the device. A malicious actor can send a specific payload to the gui.cgi using the ping_traceroute_process functionality to execute arbitrary commands as the privileged root user. IOActive saw a general lack of protection against cross-site request forgery (CSRF) attacks. CVE-2024-2414, CVE-2024-2415, CVE-2024-2416
IOActive Security Advisory | Hikvision Camera Denial of Service
CVE-2023-28811. The Hikvision DS-7732NI-14(B) is a 32-channel Network Video Recorder (NVR). IOActive had the opportunity to assess the DS-7732NI-I4 and identified one high-risk vulnerability. This issue could be exploited to cause a denial of service (DoS) to the device.
IOActive Security Advisory | Socomec NET VISION – Multiple Vulnerabilities
IOActive Security Advisory/Disclosure document (CVE TBA) by Daniel Martinez, IOActive Senior Security Consultant, of the multiple vulnerabilities discovered in the Socomec NET VISION devices. Socomec, Inc. (Socomec) is an electrical equipment design and manufacturing company, specializing in low-voltage energy performance in terms of safety, service continuity, quality and energy efficiency. NET VISION is a professional network adapter for monitoring and controlling UPS units from a remote location. It allows direct connection of a UPS to the IPv4 or IPv6 Ethernet network, thereby enabling remote management of the UPS using a…
IOActive Security Advisory | Lamassu Douro Bitcoin ATM – Multiple Vulnerabilities
Supporting security advisory/disclosure document (CVE-2024-0175, CVE-2024-0176 and CVE-2024-0177) supporting the Lamassu Douro Bitcoin ATM research by Gabriel Gonzalez, IOActive Director of Hardware Security. IOActive had access to few of these machines, specifically to Lamassu’s Douro ATM. This provided the team with the opportunity to assess the security of these devices – more specifically, to attempt to gain full control over them – assuming the role of an attacker with the same physical access to the device that a regular customer might have.
Opinion: AGI Influencing the Secure Code Review Profession
It’s tough to be a secure code reviewer. There are already over 700 programming languages according to Wikipedia, and seemingly more languages materializing every year. Expectations are high that rapid developments in Artificial Generative Intelligence (AGI) will bring a new suite of languages and security issues that’ll have an oversized impact on software development. Consequently, secure software development lifecycle (SDL) processes and security code review are having to evolve rapidly. I’m both excited and nervous about AGI advancements in the world of software development and secure…
Exploring AMD Platform Secure Boot | IOActive Labs Blog | Krzysztof Okupski
Krzysztof Okupski, IOActive Associate Principal Security Consultant, has posted a blog in the continuing research into platform security. In a previous IOActive Research post on platform security (see ‘Back to the Future with Platform Security’), we provided a brief introduction into platform security protections on AMD-based platforms and touched upon the topic of AMD Platform Secure Boot (PSB). In this installment of the platform security blog series, we will dig deeper into the details of PSB, including a first glimpse of how it works under the hood,…
Owning a Bitcoin ATM | IOActive Labs Blog | Gabriel Gonzalez, Antonio Requena, Sergio Ruiz
In this IOActive Labs blog, Gabriel Gonzalez, Antonio Requena and Sergio Ruiz, of IOActive Research, explains the steps they followed to identify a series of vulnerabilities (CVE-2024-0175, CVE-2024-0176 and CVE-2024-0177) that allows full control over Bitcoin ATMs. Nowadays, Bitcoin and cryptocurrencies might look less popular than they did just a few years ago. However, it is still quite common to find Bitcoin ATMs in numerous locations. IOActive had access to few of these machines, specifically to Lamassu’s Douro ATM. This provided the team with the opportunity…
Navigating the Cybersecurity Threatscape of Today’s Airports
Everything is ‘Connected’ in Today’s Modern Airports Cybersecurity in global aviation is increasingly dependent on vulnerabilities in Information Technology (IT) and Operational Technology (OT) systems. The definition of OT systems in this context is defined as hardware and software dedicated to detecting or causing changes in physical processes through direct monitoring and/or control of physical devices such as valves or pumps. OT systems are much less organized and are rarely monitored as closely as conventional IT networks. Airports use several critical OT systems, including baggage handling, airport refueling systems, runway lights,…