Technical Advisory – Kwikset/Weiser BLE Proximity Authentication in Kevo Smart Locks Vulnerable to Relay Attacks

Vendor: Kwikset/Weiser (Spectrum Brands)
Vendor URLs: https://www.kwikset.com/kevo/smart-lock, https://www.weiserlock.com/en/kevo/default
Versions Affected: All versions. Attack tested on Kevo Generation 2 hardware with firmware v1.9.49 and Android application version Kevo 2.9.1.21765p.
Systems Affected: Kevo smart locks, including Kevo Contemporary
Author: Sultan Qasim Khan
Risk: <6.8 CVSS v3.1 AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N> - An attacker within BLE signal range of a smartphone …

Technical Advisory – Tesla BLE Phone-as-a-Key Passive Entry Vulnerable to Relay Attacks

Vendor: Tesla, Inc.
Vendor URL: https://www.tesla.com
Versions affected: Attack tested with vehicle software v11.0 (2022.8.2 383989fadeea) and iOS app 4.6.1-891 (3784ebe63).
Systems Affected: Attack tested on Model 3. Model Y is likely also affected.
Author: Sultan Qasim Khan <sultan.qasimkhan[at]nccgroup[dot]com>
Risk: <6.8 CVSS v3.1 AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N> An attacker within Bluetooth signal range of a mobile device configured …

Technical Advisory – BLE Proximity Authentication Vulnerable to Relay Attacks

Vendor: Bluetooth SIG, Inc.
Vendor URL: https://www.bluetooth.com
Versions Affected: Specification versions 4.0 to 5.3
Systems Affected: Any systems relying on the presence of a Bluetooth LE connection as confirmation of physical proximity, regardless of whether link layer encryption is used
Author: Sultan Qasim Khan <sultan.qasimkhan[at]nccgroup[dot]com>
Risk: An attacker can falsely indicate the proximity of Bluetooth …
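The three advisories above report the same weakness: a system that treats a live BLE connection, whether or not the link is encrypted and the application layer authenticates the phone, as proof that the key device is physically nearby. The simulation below is an added example, not code from NCC Group, Tesla, Kwikset or the Bluetooth SIG. It models one unlock exchange with two assumed stand-ins: an XOR keystream derived from SHA-256 in place of the link-layer AES-CCM, and an HMAC-SHA256 challenge-response in place of whatever application-layer authentication a real product uses. The relay forwards link-layer payloads byte for byte between two radios, one near the lock and one near the far-away phone, and never holds a key.

```python
import hashlib
import hmac
import os

# Constructed keys: in a real product both come from pairing; the values here are arbitrary.
LINK_KEY = bytes.fromhex("0f" * 16)   # stand-in for the BLE long-term key (link-layer encryption)
APP_KEY = bytes.fromhex("a7" * 32)    # stand-in for the application-layer authentication key


def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Toy link-layer cipher (assumed stand-in for AES-CCM): XOR with a SHA-256 keystream.
    The only property the example relies on is that the relay cannot read or forge it."""
    stream = bytearray()
    counter = 0
    while len(stream) < len(data):
        stream += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


class Phone:
    """Legitimate key device; may be far from the lock."""

    def __init__(self, link_key: bytes, app_key: bytes):
        self.link_key, self.app_key = link_key, app_key

    def handle(self, nonce: bytes, ciphertext: bytes) -> bytes:
        challenge = keystream_xor(self.link_key, nonce, ciphertext)
        response = hmac.new(self.app_key, challenge, hashlib.sha256).digest()
        return keystream_xor(self.link_key, nonce + b"resp", response)


class Lock:
    """Verifier that treats a correct response over a live encrypted link as proof of proximity."""

    def __init__(self, link_key: bytes, app_key: bytes):
        self.link_key, self.app_key = link_key, app_key

    def begin(self):
        self.nonce = os.urandom(8)
        self.challenge = os.urandom(16)
        return self.nonce, keystream_xor(self.link_key, self.nonce, self.challenge)

    def finish(self, ciphertext: bytes) -> bool:
        response = keystream_xor(self.link_key, self.nonce + b"resp", ciphertext)
        expected = hmac.new(self.app_key, self.challenge, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)


class Relay:
    """Attacker's two radios. Forwards every link-layer payload unchanged and holds no key."""

    def __init__(self):
        self.seen = []

    def forward(self, payload: bytes) -> bytes:
        self.seen.append(payload)
        return payload


def unlock_direct(lock: Lock, phone: Phone) -> bool:
    nonce, ct = lock.begin()
    return lock.finish(phone.handle(nonce, ct))


def unlock_relayed(lock: Lock, phone: Phone, relay: Relay) -> bool:
    # Lock talks to the relay's near radio; the relay's far radio talks to the phone.
    nonce, ct = lock.begin()
    nonce_far, ct_far = relay.forward(nonce), relay.forward(ct)
    resp_far = phone.handle(nonce_far, ct_far)
    return lock.finish(relay.forward(resp_far))


def unlock_forged(lock: Lock) -> bool:
    """Without the phone the attacker cannot answer: this is a relay, not a key-recovery attack."""
    lock.begin()
    return lock.finish(os.urandom(32))


if __name__ == "__main__":
    lock, phone, relay = Lock(LINK_KEY, APP_KEY), Phone(LINK_KEY, APP_KEY), Relay()
    print("direct unlock:", unlock_direct(lock, phone))
    print("relayed unlock:", unlock_relayed(lock, phone, relay))
    print("forged unlock:", unlock_forged(lock))
```

The relay's `seen` list holds only the nonce and two ciphertexts; it decrypts nothing and forges nothing, which is why neither link-layer encryption nor application-layer authentication changes the outcome. The phone answers honestly, the lock verifies honestly, and the only thing the protocol never checks is that the two radios are where it assumes they are.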

Hardware & Embedded Systems: A little early effort in security can return a huge payoff

Editor's note: This piece was originally published by embedded.com. There’s no shortage of companies that need help configuring devices securely, or vendors seeking to remediate vulnerabilities. But from our vantage point at NCC Group, we mostly see devices when working directly with OEMs confronting security issues in their products — and by this point, it’s …

Bypassing software update package encryption – extracting the Lexmark MC3224i printer firmware (part 1)

Lexmark encrypts the firmware update packages provided to consumers, making binary analysis more difficult. With a little over a month of research time assigned and few targets to look at, NCC Group decided to remove the flash memory and extract the firmware using a programmer, on the (correct) assumption that the firmware would be stored unencrypted on the flash itself. This allowed us to bypass the firmware update package encryption. With the firmware extracted, the binaries could be reverse-engineered to find vulnerabilities that would allow remote code execution.
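Before committing reverse-engineering time to a dump read from a removed flash chip, it is worth confirming the assumption that the contents are stored in the clear. Block-wise entropy shows whether an image is mostly native code and strings or mostly dense data, and known container signatures separate compressed regions (which also score near 8 bits per byte) from candidates for real encryption. The scanner below is an added example, not NCC Group's tooling and not derived from the Lexmark image; the dump it scans is constructed inline (erased flash, a string table, a zlib blob and random bytes standing in for an encrypted region), and the 4 KiB block size and the 7.5 / 1.0 bits-per-byte thresholds are working assumptions to be calibrated against known code for the target.

```python
import math
import random
import zlib
from collections import Counter

# Real signatures of containers commonly found in embedded flash dumps; extend for the target.
MAGICS = {
    b"\x7fELF": "ELF",
    b"\x1f\x8b": "gzip",
    b"\x78\x9c": "zlib",
    b"\x78\xda": "zlib",
    b"\xfd7zXZ\x00": "xz",
    b"hsqs": "squashfs",
    b"UBI#": "ubi",
    b"\x27\x05\x19\x56": "uimage",
}

HIGH = 7.5   # bits/byte (assumed threshold): at or above this a block is encrypted or compressed
LOW = 1.0    # bits/byte (assumed threshold): at or below this a block is erased flash or padding


def shannon_entropy(data: bytes) -> float:
    """Entropy in bits per byte: 0.0 for constant data, close to 8.0 for uniform random bytes."""
    n = len(data)
    if n == 0:
        return 0.0
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def label_block(entropy: float) -> str:
    if entropy >= HIGH:
        return "high"       # dense: entropy alone cannot tell compressed from encrypted
    if entropy <= LOW:
        return "erased"     # 0xFF / 0x00 fill
    return "plaintext"      # typical of native code, tables and strings


def scan_image(image: bytes, block_size: int = 4096):
    """Per-block (offset, entropy, label, magic). A short tail block is reported but not scored."""
    rows = []
    for off in range(0, len(image), block_size):
        blk = image[off:off + block_size]
        magic = next((name for sig, name in MAGICS.items() if blk.startswith(sig)), None)
        if len(blk) < block_size:
            rows.append((off, None, "short", magic))
            continue
        ent = shannon_entropy(blk)
        rows.append((off, round(ent, 2), label_block(ent), magic))
    return rows


def summarize(image: bytes, block_size: int = 4096) -> dict:
    rows = scan_image(image, block_size)
    scored = [r for r in rows if r[2] != "short"]
    counts = Counter(r[2] for r in scored)
    return {
        "blocks_scored": len(scored),
        "counts": dict(counts),
        "high_fraction": counts["high"] / len(scored) if scored else 0.0,
        "magics": [(r[0], r[3]) for r in rows if r[3]],
        # Plaintext blocks beyond padding mean the image is not encrypted as a whole.
        "bulk_unencrypted": counts["plaintext"] > 0,
    }


def build_constructed_dump():
    """Constructed stand-in for a flash dump (not a real printer image): erased area,
    string table, zlib-compressed blob, then random bytes that look like ciphertext."""
    rng = random.Random(7)
    erased = b"\xff" * 8192
    strings = (b"MC3224i: usb host init failed: %d\x00firmware build string\x00" * 200)[:8192]
    skewed = bytes(rng.choice(b"0123456789abcdef") for _ in range(16384))  # ~4 bits/byte
    compressed = zlib.compress(skewed, 9)    # starts with the zlib magic 0x78 0xDA
    encrypted = bytes(rng.getrandbits(8) for _ in range(8192))
    regions = {"erased": erased, "strings": strings, "compressed": compressed, "encrypted": encrypted}
    return b"".join(regions.values()), regions


if __name__ == "__main__":
    image, _ = build_constructed_dump()
    for row in scan_image(image):
        print("0x%06x  %-5s %-9s %s" % (row[0], row[1], row[2], row[3] or ""))
    print(summarize(image))
```

Reading the output on a real dump: plaintext blocks with readable strings and code-like entropy mean the bulk of the firmware is not encrypted, which is what made the flash extraction worthwhile; high-entropy runs that begin with a gzip, zlib, xz or squashfs signature are compressed partitions to unpack, and high-entropy runs with no recognizable header are the only regions worth suspecting of encryption. Block size matters: very small blocks exaggerate entropy noise, and a short tail block is deliberately left unscored because its entropy estimate is meaningless.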

Choosing the Right MCU for Your Embedded Device — Desired Security Features of Microcontrollers

The Microcontroller Unit (MCU) is the heart of an embedded device, where the main firmware executes its instructions to carry out the system’s functions. These come in many varieties. Relatively simple microcontrollers with limited-resource processors may bundle only a few IO peripherals, a small amount of memory, and be intended to run a small real-time …

FPGAs: Security Through Obscurity?

Background

For the uninitiated, an FPGA is a field-programmable array of logic that is typically used to perform or accelerate some specific function (or functions) within a computer system. They are typically paired with a separate traditional microprocessor (or as part of a combined system-on-chip (SoC)) but can operate standalone as well. They can be …

Why IoT Security Matters

Introduction

Internet of Things security can mean any number of things for your product and its users. This will depend largely on the context of the product and its deployment, and can include specific requirements, such as integrity, confidentiality, availability, safety, privacy, consent, authenticity, and more. Understanding how security fits into the product’s threat modelling …

The ABCs of NFC chip security

tl;dr

NFC tags are becoming increasingly common in everyday use cases such as: public spaces like museums, art galleries or even retail stores, in order to provide additional information about an item or product; inventory management sites, which use NFC tags on product packaging to update information on its contents; and industrial facilities, which can use NFC for sharing …