Technical Advisory – Linksys WRT160NL – Authenticated Remote Buffer Overflow (CVE-2020-26561)

Current Vendor: Belkin Vendor URL: https://www.linksys.com/sg/p/P-WRT160NL/ Versions affected: Latest FW version - 1.0.04 build 2 (FW_WRT160NL_1.0.04.002_US_20130619_code.bin) Systems Affected: Linksys WRT160NL (maybe others) Authors: Diego Gómez Marañón – Diego.GomezMaranon[at]nccgroup[dot]com CVE Identifier: CVE-2020-26561 Risk: 8.8 (High) – AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H Summary The Linksys WRT160NL is a switch device initially owned by Cisco and, after the sale of its respective … Continue reading Technical Advisory – Linksys WRT160NL – Authenticated Remote Buffer Overflow (CVE-2020-26561)

There’s A Hole In Your SoC: Glitching The MediaTek BootROM

This research was conducted by our intern Ilya Zhuravlev, who has returned to school but will be rejoining our team after graduation, and was advised by Jeremy Boone of NCC Group's Hardware & Embedded Systems Practice. With the advent of affordable toolchains, such as ChipWhisperer, fault injection is no longer an attack vector that is … Continue reading There’s A Hole In Your SoC: Glitching The MediaTek BootROM

Lights, Camera, HACKED! An insight into the world of popular IP Cameras

Preface During the Covid-19 pandemic, the battle to secure and protect businesses as well as consumers changed from the office environment to our homes, but this did not stop us from working on research projects aimed at contributing to the creation of a safer online world. Working from home, this research was carried out to … Continue reading Lights, Camera, HACKED! An insight into the world of popular IP Cameras

Conference Talks – August 2020

This month, NCC Group researchers will be presenting their work at the following conferences: Dirk-Jan Mollema, "ROADtools and ROADrecon," to be presented at Black Hat USA 2020 (Virtual - August 1-6 2020)Chris Nevin, "Carnivore: Microsoft External Attack Tool" to be presented at Black Hat USA 2020 (Virtual - August 1-6 2020)Rory McCune, "Mastering Container Security … Continue reading Conference Talks – August 2020

Tool Release: Sinking U-Boots with Depthcharge

Depthcharge is an extensible Python 3 toolkit designed to aid security researchers when analyzing a customized, product-specific build of the U-Boot bootloader. This blog post details the motivations for Depthcharge’s creation, highlights some key features, and exemplifies its use in a “tethered jailbreak” of a smart speaker that leverages secure boot functionality. The first three … Continue reading Tool Release: Sinking U-Boots with Depthcharge

Technical Advisory: Heartbleed chained with a Pass-the-Hash attack leads to device compromise on TP-Link C200 IP Camera

Vendor: TP-Link Vendor URL: https://www.tp-link.com/uk/ Versions affected: 1.7.0 Systems Affected: Tapo C200 Author: Dale Pavey Risk: High Summary: The device is vulnerable to the heartbleed vulnerability and a Pass-the-Hash attack. Impact: Successfully exploiting the Heartbleed vulnerability leads to the device being remotely taken over using the memory-leaked user hash and the Pass-the-Hash attack. Details: Using … Continue reading Technical Advisory: Heartbleed chained with a Pass-the-Hash attack leads to device compromise on TP-Link C200 IP Camera

Technical Advisory – ARM MbedOS USB Mass Storage Driver Memory Corruption

Vendor: ARM Vendor URL: https://os.mbed.com/ Versions affected: Prior to 5.15.2 Systems Affected: ARM Mbed OS Author: Ilya Zhuravlev Risk: High Summary: The ARM Mbed operating system contains a USB Mass Storage driver (USBMD), which allows emulation of a mass storage device over USB. This driver contains a three (3) memory safety vulnerabilities, allowing adversaries with … Continue reading Technical Advisory – ARM MbedOS USB Mass Storage Driver Memory Corruption

Research Report – Zephyr and MCUboot Security Assessment

Over the years, NCC Group has audited countless embedded devices for our customers. Through these security assessments, we have observed that IoT devices are typically built using a hodgepodge of chipset vendor board support packages (BSP), bootloaders, SDKs, and an established Real Time Operating System (RTOS) such as Mbed or FreeRTOS. However, we have recently … Continue reading Research Report – Zephyr and MCUboot Security Assessment

Rise of the Sensors: Securing LoRaWAN Networks

One of the current research priorities for NCC Group is smart cities. We perceive that in the future substantial investment will be made into deploying intelligent sensor systems into our cities: initially the focus being on passive applications, gathering and collecting data, but potentially in future leading to more active applications, integrating systems to automatically … Continue reading Rise of the Sensors: Securing LoRaWAN Networks

Conference Talks – March 2020

This month, members of NCC Group will be presenting their work at the following conferences: Adam Rudderman, "Bug Bounty: Why is this happening?" presented at Nullcon Goa (Goa, India - March 3-7 2020) Rob Wood, "[Panel]: CSIS Security Panel Discussion," presented at OCP Global Summit (San Jose, CA - March 4-5 2020) Rory McCune, "[Training]: … Continue reading Conference Talks – March 2020