NCC Group placed first in global 5G Cyber Security Hack competition

In June of this year, Traficom - the Finnish transport and communications agency - along with the Aalto University, Cisco, Ericsson, Nokia, and PwC, organized the 5G Cyber Security Hack competition. A similar event was organised in November 2019 in Oulu, Finland and this hackathon-style event was a follow-up to their successful 2019 event. Due … Continue reading NCC Group placed first in global 5G Cyber Security Hack competition

The Challenges of Fuzzing 5G Protocols

If you have ever looked at fuzzing in any depth you will quickly realize it’s not as trivial as it first appears. There are many different types of fuzzers, but here we are focused on network fuzzers.  These fuzzers are of particular interest as they are most suited to fuzzing telecoms products/protocols, where the application … Continue reading The Challenges of Fuzzing 5G Protocols

Technical Advisory – Open5GS Stack Buffer Overflow During PFCP Session Establishment on UPF (CVE-2021-41794)

Vendor: Open5GS Vendor URL: https://github.com/open5gs/open5gs Versions affected: 1.0.0 to 2.3.3 Systems Affected: Linux Author: mark.tedman[at]nccgroup[dot]com Advisory URL / CVE Identifier: CVE-2021-41794 Risk: CVSSv3.1: 8.2 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H) Summary When connecting to the UPF port for the PFCP protocol (8805) and sending an Association Setup Request followed by a Session Establishment Request with a PDI Network Instance set … Continue reading Technical Advisory – Open5GS Stack Buffer Overflow During PFCP Session Establishment on UPF (CVE-2021-41794)

Domestic IoT Nightmares: Smart Doorbells

Preface Half way through 2020, UK independent consumer champion Which? magazine reached out to us and asked if we could assist investigating the security of a series of domestic IoT devices and to perform a vulnerability assessment of each device. The assessments included smart plugs and smart/connected doorbells. We also worked on a number of … Continue reading Domestic IoT Nightmares: Smart Doorbells

Compromising a Hospital Network for £118 (Plus Postage & Packaging)

TL; DR We bought a medical infusion pump device from eBay and from it, forensically retrieved the WPA key and server authentication credentials for a real-world hospital’s wireless network and medical pump management server. In the wrong hands, such capability could be life-threatening given the level of network-based access this information would present to attackers … Continue reading Compromising a Hospital Network for £118 (Plus Postage & Packaging)