Hardware & Embedded Systems

Ghidra nanoMIPS ISA module

Introduction In late 2023 and early 2024, the NCC Group Hardware and Embedded Systems practice undertook an engagement to reverse engineer baseband firmware on several smartphones. This included MediaTek 5G baseband firmware based on the nanoMIPS architecture. While we were aware of some nanoMIPS modules for Ghidra having been developed…


Puckungfu 2: Another NETGEAR WAN Command Injection

A story on finding a zero day attacking the NETGEAR WAN interface after a last minute patch for Pwn2Own 2022, involving a command injection, predicting random numbers, boot timing and voltage supply variations.


Technical Advisory: Sonos Era 100 Secure Boot Bypass Through Unchecked setenv() call

Vendor: Sonos Vendor URL: https://www.sonos.com/ Versions affected: * Confirmed 73.0-42060 Systems Affected: Sonos Era 100 Author: Ilya Zhuravlev Advisory URL: Not provided by Sonos. Sonos state an update was released on 2023-11-15 which remediated the issue. CVE Identifier: N/A Risk: High Summary Sonos Era 100 is a smart speaker released…


Shooting Yourself in the .flags – Jailbreaking the Sonos Era 100

Research performed by Ilya Zhuravlev supporting the Exploit Development Group (EDG). The Era 100 is Sonos’s flagship device, released on March 28th 2023 and is a notable step up from the Sonos One. It was also one of the target devices for Pwn2Own Toronto 2023. NCC found multiple security weaknesses…


Public Report – Caliptra Security Assessment

During August and September of 2023, Microsoft engaged NCC Group to conduct a security assessment of Caliptra v0.9. Caliptra is an open-source silicon IP block for datacenter-focused server-class ASICs. It serves as the internal root-of-trust for both measurement and identity of a system-on-chip. The main use cases for Caliptra are…


HITB Phuket 2023 – Exploiting the Lexmark PostScript Stack

Aaron Adams presented this talk at HITB Phuket on the 24th August 2023. The talk detailed how NCC Exploit Development Group (EDG) in Pwn2Own 2022 Toronto was able to exploit two different PostScript vulnerabilities in Lexmark printers. The presentation is a good primer for those interested in further researching the…


LeaPFRogging PFR Implementations

Back in October of 2022, this announcement by AMI caught my eye. AMI has contributed a product named “Tektagon Open Edition” to the Open Compute Project (OCP).  Tektagon OpenEdition is an open-source Platform Root of Trust (PRoT) solution with foundational firmware security features that detect platform firmware corruption, recover the…


SysPWN – VR for Pwn2Own

Alex Plaskett (@alexjplaskett) presented a talk on the 10th of August 2023 at @SysPWN covering vulnerability research for Pwn2Own. The first section of the talk covered a high-level perspective of the event, personal history, and teams. It then discussed some considerations needing to be made when deciding on target, experiences,…


Intel BIOS Advisory – Memory Corruption in HID Drivers 

In this post, I will be focusing on two additional BIOS vulnerabilities. The first bug impacts the Bluetooth keyboard driver (HidKbDxe in BluetoothPkg) and the second bug impacts a touch panel driver (I2cTouchPanelDxe in AlderLakePlatSamplePkg).


Overview of Modern Memory Security Concerns

This article discusses the security concerns which must be taken into account whenever designing an embedded system. Failure to account for these security concerns in the system’s threat model can lead to a compromise of the most sensitive data within. Memory is a crucial part of any computer subsystem. The…


Machine Learning 104: Breaking AES With Power Side-Channels

This executable blog post is the fourth in a series related to machine learning and is a fascinating trifecta involving hardened cryptography software, embedded IoT-type hardware, and deep machine learning techniques. While the AES algorithm is designed such that a brute-force secret key guessing attack would likely finish ‘sometime near…


Medical Devices: A Hardware Security Perspective

Medical device security is gaining more attention for several reasons. The conversation often gets connected to device safety, that is, the degree to which the risk of patient harm is limited by preventing or controlling for device malfunction. Device security expands the scope of safety by supposing a malicious attacker…


NETGEAR Routers: A Playground for Hackers?

A detailed analysis on multiple vulnerabilities which were identified on the NETGEAR Nighthawk WiFi 6 Router (RAX AX2400) and may exist on other NETGEAR router models.


HITBAMS – Your Not so “Home” Office – Soho Hacking at Pwn2Own

Alex Plaskett and McCaulay Hudson presented this talk at HITB AMS on the 20th April 2023. The talk showcased NCC Exploit Development Group (EDG) in Pwn2Own 2022 Toronto targeting all consumer routers (Netgear, TP-Link and Synology) from both a LAN and WAN perspective.  The talk also described how we compromised…


Stepping Insyde System Management Mode

In October of 2022, Intel’s Alder Lake BIOS source code was leaked online. The leaked code was comprised of firmware components that originated from three sources: I obtained a copy of the leaked code and began to hunt for vulnerabilities. This writeup focuses on the vulnerabilities that I found and…


A Race to Report a TOCTOU: Analysis of a Bug Collision in Intel SMM

About four months ago, in October 2022, I was idly poking around the “ICE TEA” leak. This leak was of particular interest to me, because it happened to expose the source code for Intel’s Alder Lake platform BIOS. It’s always fun to finally get to see the code for modules…


Rustproofing Linux (Part 4/4 Shared Memory)

This is a four part blog post series that starts with Rustproofing Linux (Part 1/4 Leaking Addresses). Shared memory is often used to share data without the performance hit of copying. Whenever a shared resource is consumed by one component while being modified by another component, there is potential for…


Rustproofing Linux (Part 3/4 Integer Overflows)

This is a four part blog post series that starts with Rustproofing Linux (Part 1/4 Leaking Addresses). In the C programming language, integer types can be a bit confusing. Portability issues can arise when the same code is used in multiple hardware architectures or operating systems. For example, int is…


Rustproofing Linux (Part 2/4 Race Conditions)

This is a four part blog post series that starts with Rustproofing Linux (Part 1/4 Leaking Addresses). This post uses a simple example to demonstrate a class of vulnerability that we encounter quite frequently when auditing kernel drivers and firmware. It’s a race condition, or more precisely a TOCTOU vulnerability.…


Rustproofing Linux (Part 1/4 Leaking Addresses)

Rust is a programming language guaranteeing memory and thread safety while still being able to access raw memory and hardware. This sounds impossible, and it is, that’s why Rust has an unsafe keyword which allows a programmer to dereference a raw pointer and perform some other dangerous operations. The dangerous…


Technical Advisory – U-Boot – Unchecked Download Size and Direction in USB DFU (CVE-2022-2347)

Summary U-Boot is a popular and feature-rich bootloader for embedded systems. It includes optional support for the USB Device Firmware Update (DFU) protocol, which can be used by devices to download new firmware, or upload their current firmware. The U-Boot DFU implementation does not bound the length field in USB…


Puckungfu: A NETGEAR WAN Command Injection

Summary Vulnerability Details Overview Execution Flow /bin/pucfu /usr/lib/libfwcheck.so get_check_fw fw_check_api curl_post /lib/libpu_util.so SetFileValue pegaPopen Check Firmware HTTPS Normal Request Response Exploitation Command Injection Response Root Shell Final Notes Patch Pwn2Own Note Summary This blog post describes a command injection vulnerability found and exploited in November 2022 by NCC Group in…


MeshyJSON: A TP-Link tdpServer JSON Stack Overflow

Summary Target Binary tdpServer Architecture Mitigations Forks Understanding The Vulnerability Reaching The Vulnerable Function Broadcast Fork Flow Server Fork Flow JSON Array Stack Overflow Triggering The Bug Broadcast Fork Response Server Fork Request Vulnerability Constraints Storing Arbitrary Content In Memory cJSON Summarized cJSON Struct cJSON Data cJSON Heap Memory Single…


Technical Advisory – NXP i.MX SDP_READ_DISABLE Fuse Bypass (CVE-2022-45163)

Summary NXP System-on-a-Chip (SoC) fuse configurations with the SDP READ_REGISTER operation disabled (SDP_READ_DISABLE=1) but other serial download functionality still enabled (SDP_DISABLE=0) can be abused to read memory contents in warm and cold boot attack scenarios. In lieu of an enabled SDP READ_REGISTER operation, an attacker can use a series of…


Check out our new Microcorruption challenges!

New Microcorruption challenges created by Nick Galloway and Davee Morgan Today we are releasing several new challenges for the embedded security CTF, Microcorruption. These challenges highlight types of vulnerabilities that NCC Group’s Hardware and Embedded Systems practice have discovered in real products. The new challenges provide a simple interface to…


Shining New Light on an Old ROM Vulnerability: Secure Boot Bypass via DCD and CSF Tampering on NXP i.MX Devices

NXP’s HABv4 API documentation references a now-mitigated defect in ROM-resident High Assurance Boot (HAB) functionality present in devices with HAB version < 4.3.7. I could find no further public documentation on whether this constituted a vulnerability or an otherwise “uninteresting” errata item, so I analyzed it myself! This post shines…


There’s Another Hole In Your SoC: Unisoc ROM Vulnerabilities

UNISOC (formerly Spreadtrum) is a rapidly growing semiconductor company that is nowadays focused on the Android entry-level smartphone market. While still a rare sight in the west, the company has nevertheless achieved impressive growth claiming 11% of the global smartphone application processor market, according to Counterpoint Research. Recently, it’s been…


Technical Advisory – Multiple vulnerabilities in Nuki smart locks (CVE-2022-32509, CVE-2022-32504, CVE-2022-32502, CVE-2022-32507, CVE-2022-32503, CVE-2022-32510, CVE-2022-32506, CVE-2022-32508, CVE-2022-32505)

The following vulnerabilities were found as part of a research project looking at the state of security of the different Nuki (smart lock) products. The main goal was to look for vulnerabilities which could affect to the availability, integrity or confidentiality of the different devices, from hardware to software. Eleven…


Updated: Technical Advisory and Proofs of Concept – Multiple Vulnerabilities in U-Boot (CVE-2022-30790, CVE-2022-30552)

By Nicolas Bidron, and Nicolas Guigo. [Editor’s note: This is an updated/expanded version of these advisories which we originally published on June 3 2022.] U-boot is a popular boot loader for embedded systems with implementations for a large number of architectures and prominent in most linux based embedded systems such…


Technical Advisory – Multiple Vulnerabilities in U-Boot (CVE-2022-30790, CVE-2022-30552)

By Nicolas Bidron, and Nicolas Guigo. U-boot is a popular boot loader for embedded systems with implementations for a large number of architectures and prominent in most Linux based embedded systems such as ChromeOS and Android Devices. Two vulnerabilities were uncovered in the IP Defragmentation algorithm implemented in U-Boot, with…


NCC Group’s Jeremy Boone recognized for Highest Quality and Most Eligible Reports through the Intel Circuit Breaker program

Congratulations to NCC Group researcher Jeremy Boone, who was recently recognized for both the Highest Quality Report, as well as the Most Eligible Reports, as an invited researcher to the Intel Circuit Breaker program! From Intel: “This exclusive event invited a select group of security researchers to hunt vulnerabilities in…


Hardware Security By Design: ESP32 Guidance

This discussion focuses on specific configuration details of the ESP32 family of microcontrollers and the recommended best practices associated with those details.


Technical Advisory – Kwikset/Weiser BLE Proximity Authentication in Kevo Smart Locks Vulnerable to Relay Attacks

Summary The Kwikset/Weiser Kevo line of smart locks support Bluetooth Low Energy (BLE) passive entry through their Touch-to-Open functionality. When a user touches the exterior portion of the lock, the lock checks that an authorized BLE device is exterior to and within a short distance of the smart lock, and…


Technical Advisory – Tesla BLE Phone-as-a-Key Passive Entry Vulnerable to Relay Attacks

Summary The Tesla Model 3 and Model Y employ a Bluetooth Low Energy (BLE) based passive entry system. This system allows users with an authorized mobile device or key fob within a short range of the vehicle to unlock and operate the vehicle, with no user interaction required on the…


Technical Advisory – BLE Proximity Authentication Vulnerable to Relay Attacks

Summary Many products implement Bluetooth Low Energy (BLE) based proximity authentication, where the product unlocks or remains unlocked when a trusted BLE device is determined to be nearby. Common examples of such products include automotive Phone-as-a-Key systems, residential smart locks, BLE-based commercial building access control systems, and smartphones and laptops…


BrokenPrint: A Netgear stack overflow

This blog post describes a stack-based overflow vulnerability found and exploited in September 2021 in the Netgear R6700v3


Hardware & Embedded Systems: A little early effort in security can return a huge payoff

Editor’s note: This piece was originally published by embedded.com There’s no shortage of companies that need help configuring devices securely, or vendors seeking to remediate vulnerabilities. But from our vantage point at NCC Group, we mostly see devices when working directly with OEMs confronting security issues in their products —…


Bypassing software update package encryption – extracting the Lexmark MC3224i printer firmware (part 1)

Lexmark encrypts the firmware update packages provided to consumers, making the binary analysis more difficult. With little over a month of research time assigned and few targets to look at, NCC Group decided to remove the flash memory and extract the firmware using a programmer, firmware which we (correctly) assumed…


Choosing the Right MCU for Your Embedded Device — Desired Security Features of Microcontrollers

The Microcontroller Unit (MCU) is the heart of an embedded device, where the main firmware executes its instructions to carry out the system’s functions. These come in many varieties. Relatively simple microcontrollers with limited-resource processors may bundle only a few IO peripherals, a small amount of memory, and be intended…


FPGAs: Security Through Obscurity?

Background For the uninitiated, an FPGA is a field-programmable array of logic that is typically used to perform or accelerate some specific function (or functions) within a computer system. They are typically paired with a separate traditional microprocessor (or as part of a combined system-on-chip (SoC)) but can operate standalone…


Why IoT Security Matters

Introduction Internet of Things security can mean any number of things for your product and its users. This will depend largely on the context of the product and its deployment, and can include specific requirements, such as integrity, confidentiality, availability, safety, privacy, consent, authenticity, and more. Understanding how security fits…


The ABCs of NFC chip security

tl;dr NFC tags are becoming increasingly more common in everyday use cases such as:  Public spaces like museums, art galleries or even retail stores in order to provide additional information about an item or product.  Inventory management sites use NFC tags on product packaging to update information on its contents. …


Practical Considerations of Right-to-Repair Legislation

Background For some time there has been a growing movement amongst consumers who wish to repair their own devices in a cost effective manner, motivated to reduce their expenses, and reduce e-waste. This is becoming ever more difficult to achieve as devices reach ever higher levels of complexity, and include…


Alternative Approaches for Fault Injection Countermeasures (Part 3/3)

Authors: Jeremy Boone, Sultan Qasim Khan In the previous blog post we described a set of software-based fault injection countermeasures. However, we recognize that software-based mitigations are not a silver bullet and do have several drawbacks. Though they can frustrate an attacker and reduce the reliability of an exploit attempt,…


Software-Based Fault Injection Countermeasures (Part 2/3)

This post contains various C functions, macros and programming patterns that can be used to achieve double glitch resistance within software. By “double glitch resistance”, we mean that skipping or incorrect evaluation of any two instructions should not be able to induce incorrect entry to the protected side of a…


An Introduction to Fault Injection (Part 1/3)

This blog post is the first in a series on the topic of fault injection, also known as glitching. This first post covers the basic principles of fault injection – types of glitches, their effects, and how an attacker can characterize hardware and firmware to achieve a successful glitch. In later posts we will…


Public Report – Dell Secured Component Verification

During February 2021, Dell engaged NCC Group to conduct a security assessment of their supply chain security functionality and related and supportive foundational security functionality on 14th and 15th generation Dell servers. Documentation and source code was provided as well as access to a running lab server via network access,…


Technical Advisory – Multiple Vulnerabilities in Netgear ProSAFE Plus JGS516PE / GS116Ev2 Switches

Multiple vulnerabilities were found in Netgear ProSafe Plus JGS516PE switches that may pose a serious risk to their users. The most critical vulnerability could allow unauthenticated users to gain arbitrary code execution. The following vulnerabilities were the most relevant identified during the internal research: Unauthenticated Remote Code Execution (CVE-2020-26919) NSDP…


Helping Engineering Teams Tackle Security Debt in Embedded Systems: U-Boot Configuration Auditing Introduced in Depthcharge v0.2.0

Depthcharge v0.2.0 is now available on GitHub and PyPi. This release introduces new “configuration checker” functionality and includes some major updates intended to improve usability. A tl;dr summary can be found in the CHANGELOG file. This blog post dives a bit more into the motivations for the changes, envisioned use-cases,…


Technical Advisory – Linksys WRT160NL – Authenticated Remote Buffer Overflow (CVE-2020-26561)

Current Vendor: Belkin Vendor URL: https://www.linksys.com/sg/p/P-WRT160NL/ Versions affected: Latest FW version - 1.0.04 build 2 (FW_WRT160NL_1.0.04.002_US_20130619_code.bin) Systems Affected: Linksys WRT160NL (maybe others) Authors: Diego Gómez Marañón – Diego.GomezMaranon[at]nccgroup[dot]com CVE Identifier: CVE-2020-26561 Risk: 8.8 (High) – AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H Summary The Linksys WRT160NL is a switch device initially owned by Cisco and, after…


There’s A Hole In Your SoC: Glitching The MediaTek BootROM

This research was conducted by our intern Ilya Zhuravlev, who has returned to school but will be rejoining our team after graduation, and was advised by Jeremy Boone of NCC Group’s Hardware Embedded Systems Practice. With the advent of affordable toolchains, such as ChipWhisperer, fault injection is no longer an…


Lights, Camera, HACKED! An insight into the world of popular IP Cameras

Preface During the Covid-19 pandemic, the battle to secure and protect businesses as well as consumers changed from the office environment to our homes, but this did not stop us from working on research projects aimed at contributing to the creation of a safer online world. Working from home, this…


Conference Talks – August 2020

This month, NCC Group researchers will be presenting their work at the following conferences: Dirk-Jan Mollema, “ROADtools and ROADrecon,” to be presented at Black Hat USA 2020 (Virtual – August 1-6 2020) Chris Nevin, “Carnivore: Microsoft External Attack Tool” to be presented at Black Hat USA 2020 (Virtual – August…


Tool Release: Sinking U-Boots with Depthcharge

Depthcharge is an extensible Python 3 toolkit designed to aid security researchers when analyzing a customized, product-specific build of the U-Boot bootloader. This blog post details the motivations for Depthcharge’s creation, highlights some key features, and exemplifies its use in a “tethered jailbreak” of a smart speaker that leverages secure…


Technical Advisory: Heartbleed chained with a Pass-the-Hash attack leads to device compromise on TP-Link C200 IP Camera

Vendor: TP-Link Vendor URL: https://www.tp-link.com/uk/ Versions affected: 1.7.0 Systems Affected: Tapo C200 Author: Dale Pavey Risk: High Summary: The device is vulnerable to the heartbleed vulnerability and a Pass-the-Hash attack. Impact: Successfully exploiting the Heartbleed vulnerability leads to the device being remotely taken over using the memory-leaked user hash and…


Technical Advisory – ARM MbedOS USB Mass Storage Driver Memory Corruption

Vendor: ARM Vendor URL: https://os.mbed.com/ Versions affected: Prior to 5.15.2 Systems Affected: ARM Mbed OS Author: Ilya Zhuravlev Risk: High Summary: The ARM Mbed operating system contains a USB Mass Storage driver (USBMD), which allows emulation of a mass storage device over USB. This driver contains a three (3) memory…


Research Report – Zephyr and MCUboot Security Assessment

Authors: Jeremy Boone, Ilya Zhuravlev Over the years, NCC Group has audited countless embedded devices for our customers. Through these security assessments, we have observed that IoT devices are typically built using a hodgepodge of chipset vendor board support packages (BSP), bootloaders, SDKs, and an established Real Time Operating System…


Rise of the Sensors: Securing LoRaWAN Networks

One of the current research priorities for NCC Group is smart cities. We perceive that in the future substantial investment will be made into deploying intelligent sensor systems into our cities: initially the focus being on passive applications, gathering and collecting data, but potentially in future leading to more active…


Conference Talks – March 2020

This month, members of NCC Group will be presenting their work at the following conferences: Adam Rudderman, “Bug Bounty: Why is this happening?” presented at Nullcon Goa (Goa, India – March 3-7 2020) Rob Wood, “[Panel]: CSIS Security Panel Discussion,” presented at OCP Global Summit (San Jose, CA – March…


Whitepaper – Microcontroller Readback Protection: Bypasses and Defenses

By Sultan Qasim Khan Microcontrollers commonly include features to prevent the readout of sensitive information in internal storage. Such features are commonly referred to as readback protection or readout protection. This paper describes common readback protection implementation flaws, discusses techniques that can be used to defeat readback protection, and provides…


Properly Signed Certificates on CPE Devices

During late January 2020, a hot topic surfaced between security professionals on an issue that has historically had different proposed solutions. This blog post seeks to explore these solutions and identify pragmatic approaches to risk reduction on this specific issue concerning Customer Premises Equipment (CPE) security. Two security researchers (Tom…


Security impact of IoT on the Enterprise

We are moving to a time where many ‘things’ that we know and use have the capability to be connected to a network either wired or wirelessly. The way we use technology is becoming more integrated in all aspects of our daily lives and is steadily integrating within the enterprise…


Secure Device Provisioning Best Practices: Heavy Truck Edition

The complexities of the heavy truck ecosystem poses challenges to the security of the ECU networks contained within the vehicles. This paper describes some of the major sources of complexity, and how each can be addressed to design and implement a secure robust ECU provisioning system. Such a system is…


Embedded Device Security Certifications

For those who have not attended previously, Hardwear.io is a technical conference focused on hardware security. While the conference is only in their 4th year, both the training and speakers have been world-class since its inception, and its success is obvious; it has expanded to a twice-a-year format, and even…


An Introduction to Ultrasound Security Research

Over the past few years there has been an increase in the use of sound as a communications channel for device-to-device communications. This practice has been termed Data-Over-Sound (DOS) and has been billed as a cheap and easy to use alternative to traditional communications protocols such as Wi-Fi and Bluetooth.…


Sniffle: A Sniffer for Bluetooth 5

Sniffle is the world’s first open source sniffer for Bluetooth 5. Sniffle also backwards compatible with Bluetooth 4.x LE. It is runs on Texas Instruments CC26x2 and CC1352 microcontrollers, including the low cost CC26x2R and CC1352R Launchpad development boards. The host side software for Sniffle is written in Python, enabling…


Technical Advisory: Multiple Vulnerabilities in Ricoh Printers

Multiple vulnerabilities, ranging from information disclosure to remote code execution, were found in some Ricoh printers. The vulnerability list below was found affecting to some Ricoh printers: Multiple Buffer Overflows Parsing HTTP Cookie Headers (CVE-2019-14300) Multiple Buffer Overflows Parsing HTTP Parameters (CVE-2019-14305, CVE-2019-14307) Buffer Overflow Parsing LPD Packets (CVE-2019-14308) No…


Technical Advisory: Multiple Vulnerabilities in Brother Printers

Multiple vulnerabilities, ranging from information disclosure to remote code execution, were found in several Brother printers. The vulnerability list below was found affecting to several Brother printers: Stack Buffer Overflow in Cookie Values (CVE-2019-13193) Heap Overflow in IPP Attribute Name (CVE-2019-13192) Information Disclosure Vulnerability (CVE-2019-13194) Technical Advisories: Stack Buffer Overflow…


Technical Advisory: Multiple Vulnerabilities in Xerox Printers

Multiple vulnerabilities, ranging from information disclosure to remote code execution, were found in several Xerox printers. The vulnerability list below was found affecting to several Xerox printers: Buffer Overflow in Google Cloud Print Implementation (CVE-2019-13171) Multiple Buffer Overflows in IPP Service (CVE-2019-13165, CVE-2019-13168) Multiple Buffer Overflows in Web Server (CVE-2019-13169,…


Technical Advisory: Multiple Vulnerabilities in Kyocera Printers

Multiple vulnerabilities, ranging from information disclosure to remote code execution, were found in several Kyocera printers. The vulnerability list below was found affecting to several Kyocera printers: Multiple Buffer Overflows in Web Server (CVE-2019-13196, CVE-2019-13197, CVE-2019-13202, CVE-2019-13203, CVE-2019-13206) Multiple Buffer Overflows in IPP Service (CVE-2019-13204) Buffer Overflow in LPD Service…


Technical Advisory: Multiple Vulnerabilities in HP Printers

Multiple vulnerabilities, ranging Cross-Site Scripting to buffer overflows, were found in several HP printers: Multiple Buffer Overflows in IPP Service (CVE-2019-6327) Buffer Overflow in Web Server (CVE-2019-6326) Multiple Cross-Site Scripting Vulnerabilities (CVE-2019-6323, CVE-2019-6324) Cross-Site Request Forgery Countermeasures Bypass (CVE-2019-6325)   Technical Advisories: Multiple Buffer Overflows in IPP Service (CVE-2019-6327) Vendor:…


Technical Advisory: Multiple Vulnerabilities in Lexmark Printers

Multiple vulnerabilities, ranging from information disclosure to remote code execution, were found in several Lexmark printers. The vulnerability list below was found affecting to several Lexmark printers: SNMP Denial of Service Vulnerability (CVE-2019-9931) Multiple Overflows in Lexmark Web Server (CVE-2019-9930, CVE-2019-9932, CVE-2019-9933) Information Disclosure Vulnerabilities (CVE-2019-9934, CVE-2019-9935) Information Disclosure Vulnerability…


The Sorry State of Aftermarket Head Unit Security

Authored by Colin Brum At NCC Group, we like to give our interns real world hacking challenges. Over the course of a semester, we teach our students about software and hardware security. For a final project, we challenge our interns to apply what they’ve learned to find a vulnerability and…


Owning the Virgin Media Hub 3.0: The perfect place for a backdoor

All of this research was performed by our Managing Security Consultant, Balazs Bucsay @xoreipeip (https://twitter.com/xoreipeip) during the winter of 2016/2017. After changing Internet provider at my home in 2016, I received a new broadband modem; the Virgin Media Hub 3.0. Somehow I always get this itchy feeling whenever a new device is…


Android Cloud Backup/Restore

In the summer of 2018, Google engaged NCC Group to conduct a security assessment of the Android Cloud Backup/Restore feature, which premiered in Android Pie. This engagement focused on a threat model that included attacks by rogue Google employees (or other malicious insiders) with privileges up to and including root-in-production. The Android…


Much Ado About Hardware Implants

By now most people have seen the three Bloomberg articles detailing the alleged conspiracy to install back-doors on servers assembled by SuperMicro via a tiny microchip. There are plenty of great takes already (1, 2, 3, 4, 5, 6, 7). Supply chain attacks are not new, nor are those using hardware implants. But this is high profile, alleged to be government perpetrated, and affects a large…


Improving Your Embedded Linux Security Posture With Yocto

Embedded systems are regularly found to lack modern security-focused designs and implementations, despite decades of advancements in the field of computer security. Although the emergence and adoption of projects such as Yocto and OpenEmbedded have made it easier to develop and maintain firmware for embedded Linux systems, NCC Group has…


How I did not get a shell

This is a story about a penetration test, where it was not possible to get a shell on a target device. We pentesters love to think that getting a shell is the goal of a penetration test and this story shows how frustrating it can sometimes be when trying to…


Technical Advisory: Mitel MiVoice 5330e Memory Corruption Flaw

Vendor: Mitel Vendor URL: https://www.mitel.com Versions affected: 5330e IP Phone Systems Affected: Mitel MiVoice Author: Mattia Reggiani mattia.reggiani[at]nccgroup[dot]trust Advisory URL: https://www.mitel.com/support/security-advisories/mitel-product-security-advisory-18-0009 CVE Identifier: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-15497 Risk: Low-High (case dependent) – Denial of Service and possible Remote Code Execution Summary The Mitel MiVoice 5330e VoIP device is affected by a memory corruption…


umap

umap is a USB host security assessment tool, based on Facedancer by Travis Goodspeed.  For more information and to download the tool visit our GitHub page here.


BLEBoy

BLEBoy is a great resource for learning about BLE security and provides a single BLE peripheral that can be used to experiment with each BLE pairing method. This release of BLEBoy includes a parts list, instructions for how to construct the device, source code that needs to be compiled and…


TPM Genie: Interposer Attacks Against the Trusted Platform Module Serial Bus

TPM Genie is a serial bus interposer which has been designed to aid in the security research of Trusted Platform Module hardware. The tool demonstrates that a man-in-the-middle on the TPM serial bus can undermine many of the stated purposes of the TPM such as measured boot, remote attestation, sealed…


Spectre and Meltdown: What you Need to Know

In the first days of 2018, a number of vulnerabilities were disclosed that are present in many modern-day CPUs. In this blog post we address the most frequently asked questions about Spectre and Meltdown with a focus on providing you with actionable guidance about what to do. This post is…


The Update Framework (TUF) Security Assessment

NCC Group consultants Mason Hemmel and Jeff Dileo recently completed a one-week audit of the Kolide TUF client. The audit took place between August 28, 2017 and September 1, 2017. TUF, an acronym for The Update Framework, is a set-and-forget library for securing software updates. It combines a preponderance of…


Hacking the Extensible Firmware Interface

Agenda The role of the BIOS Attacking a legacy BIOS Limitations of the legacy BIOS Introduction to the EFI environment Attacking the EFI environment UEFI, summary and conclusions Some Caveats… This talk is about rootkit persistenceThis persistence How to deploy a rootkit from the BIOS/EFIHow EFI Not concerned with what…


Network Attached Security: Attacking a Synology NAS

Abstract Network-Attached Storage (NAS) devices are a popular way for people to store and share their photos, videos and documents. Securing these devices is essential as they can contain sensitive information and are often exposed to the Internet. Because  Synology is one of the top manufacturers of NAS devices, we chose to…


D-LINK DIR-850L web admin interface vulnerable to stack-based buffer overflow

Title                                  D-LINK DIR-850L web admin interface vulnerable to stack-based buffer overflow Reference                         VT-95 Discoverer                …


USB under the bonnet: Implications of USB security vulnerabilities in vehicle systems

Andy Davis, research director at NCC Group, delivered this presentation at the  escar Embedded Security in Cars Conference in Hamburg. His talk focused on how USB security affects embedded systems within vehicles. It covered an overview of USB basics and some classic examples of where vulnerabilities have been previously identified.…


Revealing Embedded Fingerprints: Deriving intelligence from USB stack interactions

Revealing Embedded Fingerprints: Deriving intelligence from USB stack interactions These slides come from Andy Davis’ presentation at Black Hat USA 2013. Andy’s presentation covers the topic of using techniques to analyse USB stack interactions to provide information such as the OS running on the embedded device, the USB drivers installed…


EDIDFuzzer

A tool for fuzzing Enhanced Display Identification Data, developed by Andy Davis. For more information and to download the tool visit our GitHub page here.


USB Undermining Security Barriers:further adventures with USB

These slides come from Andy Davis’ presentation from Black Hat USA in 2011. In this presentation Andy will discuss some of the security vulnerabilities around using USBs and the impact these vulnerabilities could have on your organisation.  Dowload Presentation There is also a white paper on this subject, you can…


To dock or not to dock, that is the question: Using laptop docking stations as hardware-based attack platforms

These slides come from Andy Davis’ presentation from BlackHat Europe 2013. In this presentation he will explain why docking stations are an attractive target for an attacker, how they can be attacked and discuss ways to detect and prevent such attacks.  Download Presentation You can also read the white paper…


Research Insights Volume 8 – Hardware Design: FPGA Security Risks

FPGA stands for field-programmable gate array. An FPGA is a logic device whose function can be changed while the device is in place within its working environment, allowing the hardware processing of a system to be altered by an external configuration loading process. Their very nature creates potential security risks, and…


Optimum Routers: Researching Managed Routers

Abstract ISPs have moved to managed routers due to increased customer service calls with the question “What is my Wi-Fi password?” Managed routers allow complete remote management of a user’s home network and have facilitated customer service centers across ISPs. In this paper, we discuss the process of finding vulnerabilities in remotely managed routers,…


Windows 10 USB Mass Storage driver arbitrary code execution in kernel mode

Vulnerability Summary Title                                     Windows 10 USB Mass Storage driver arbitrary code execution in kernel mode Release Date                     10 March 2016 Reference  …


D-Link routers vulnerable to Remote Code Execution (RCE)

Title                                  D-Link routers vulnerable to Remote Code Execution (RCE) Release Date                   11 Aug 2016 Reference                    …


GSM/GPRS Traffic Interception for Penetration Testing Engagements

Why we need it? Within the penetration testing domain quite often we have to deal with different technologies and devices.  It’s important to cover all aspects of connectivity of a device being tested which is why we have built a GSM/GPRS interception capability. There are a number of different devices…


Internet of Things Security

Abstract The Internet of Things (IoT) is an emerging phenomenon where different kinds of devices that were previously not networked are being connected to networks. Examples include network connected thermostats, light bulbs, and door locks. These newly networked devices present additional attack surfaces, and due to the ad hoc nature of their implementations,…


Hacking Displays Made Interesting

Many people are unaware that video displays send data which is then processed by the connected device and that this data can contain security threats. This paper aims to act as a useful introduction to the technologies involved in video interfacing, the potential for security vulnerabilities and ways to test for their…


What the HEC? Security implications of HDMI Ethernet Channel and other related protocols

These slides come from Andy Davis’ presentation “What the HEC? Security implications of HDMI Ethernet Channel and other related protocols” that was given at 44Con in 2012. In this presentation Andy discusses the importance of and security issues surrounding, HDMI, the CEC protocol and the HEC protocol.   Download our slides…


BlackHat Asia USB Physical Access

NCC Group Research Director Andy Davis presented ‘USB Attacks Need Physical Access Right? Not Any More…’ at this year’s BlackHat Asia in Singapore. Due to recent advances in a number of remoting technologies, USB attacks can now be launched over a network. The talk went into detail about how these…


A few notes on usefully exploiting libstagefright on Android 5.x

At NCC Group, a colleague and I recently spent some time trying to develop a more robust exploit for the Android libstagefright bug CVE-2015-3684. This is a bug that persisted through the patches Joshua Drake (jduck) originally provided to Google, so a few more firmware versions are vulnerable. In this…


Secure Device Manufacturing: Supply Chain Security Resilience

Today the production of hardware devices involves multiple suppliers at various stages of the production and support lifecycle. There is no electronics manufacturer who manufactures every single component of a device in their own factory. As such, and has been demonstrated, these hardware and manufacturing supply chains introduce risk that…


HDMI Ethernet Channel

HDMI is more than just a toll for displaying video and with increasing numbers of new laptops and PCs using the function it is important for organisations to understand the potential security issues that are likely to arise as the protocols start to become more widely used. This paper will…


Porting the Misfortune Cookie Exploit: A Look into Router Exploitation Using the TD-8817

By using just a few commonly available tools and a bit of time, it is possible to port the Misfortune Cookie exploit to exploit a TD-8817 V8 router running the latest firmware and gain reliable control over its web interface without crashing the router, even after repeated exploitation attempts. In…


Build Your Own Wi-Fi Mapping Drone Capability

This blog, as the name implies, discusses how I went about designing and building our initial Wi-Fi mapping drone capability (and you can too, hopefully). Before we begin, a brief disclaimer: we sought legal advice and complied with relevant laws. Before you embark on such a project, make sure you…


Spy-Pi: Do you trust your laptop docking stations?

Laptop docking stations are widely used in organisations, often in hot-desking environments. They provide a neat connectivity solution for workers who are semi-mobile and therefore use laptops rather than desktop PCs. However, laptop docks are an attractive target for an attacker. They have access to the network, to all the…