Research Blog

Insights and research from our global cybersecurity team.

Filter Content

Rigging the Vote: Uniqueness in Verifiable Random Functions

This blog post presents a whirlwind overview of Verifiable Random Functions (VRFs) as used by several leading-edge blockchains, and shows how a very interesting and recently found implementation oversight causes the VRF’s assurance of uniqueness to fall apart. As VRFs are commonly used for selecting blockchain consensus voting committees, this…

Read more

Medical Devices: A Hardware Security Perspective

Medical device security is gaining more attention for several reasons. The conversation often gets connected to device safety, that is, the degree to which the risk of patient harm is limited by preventing or controlling for device malfunction. Device security expands the scope of safety by supposing a malicious attacker…

Read more

NETGEAR Routers: A Playground for Hackers?

A detailed analysis on multiple vulnerabilities which were identified on the NETGEAR Nighthawk WiFi 6 Router (RAX AX2400) and may exist on other NETGEAR router models.

Read more

Real World Cryptography Conference 2023 – Part I

The annual Real World Cryptography Conference organized by the IACR recently took place in Tokyo, Japan. On top of 3 days of excellent talks, RWC was preceded by the 2nd annual Conference and the Real World Post-Quantum Cryptography Workshop and followed by the High Assurance Crypto Software Workshop. Nearly…

Read more

May 10, 2023

11 mins read

Read more

Public Report – AWS Nitro System API & Security Claims

In the last calendar quarter of 2022, Amazon Web Services (AWS) engaged NCC Group to conduct an architecture review of the AWS Nitro System design, with focus on specific claims AWS made for the security of the Nitro System APIs. The public report for this review may be downloaded below:

Read more

May 3, 2023

1 min read

Read more

State of DNS Rebinding in 2023

Different forms of DNS rebinding attacks have been described as far back as 1996 for Java Applets and 2002 for JavaScript (Quick-Swap). It has been four years since our State of DNS Rebinding presentation in 2019 at DEF CON 27 (slides), where we introduced our DNS rebinding attack framework Singularity…

Read more

Machine Learning 103: Exploring LLM Code Generation

This executable blog post is the third in a series related to machine learning and explores code generation from a 16 billion parameter large language model (LLM). After a brief look under the hood at the LLM structure and parameter allocation, we generate a variety of Python functions and make…

Read more

HITBAMS – Your Not so “Home” Office – Soho Hacking at Pwn2Own

Alex Plaskett and McCaulay Hudson presented this talk at HITB AMS on the 20th April 2023. The talk showcased NCC Exploit Development Group (EDG) in Pwn2Own 2022 Toronto targeting all consumer routers (Netgear, TP-Link and Synology) from both a LAN and WAN perspective.  The talk also described how we compromised…

Read more

Public Report – Kubernetes 1.24 Security Audit

NCC Group was selected to perform a security evaluation of Kubernetes 1.24.0 release in response to Kubernetes SIG Security’s Third-Party Security Audit Request for Proposals. The testing portion of the audit took place in May and June 2022. The global project team performed a security architectural design review that resulted…

Read more

Public Report – Solana Program Library ZK-Token Security Assessment

In August 2022, Solana Foundation engaged NCC Group to conduct a security assessment of the ZK-Token SDK, a collection of open-source functions and types that implement the core cryptographic functionalities of the Solana Program Library (SPL) Confidential Token extension. These functionalities are homomorphic encryption and associated proofs used to demonstrate…

Read more

No Results Found :(

Call us before you need us.

Our experts will help you.

Get in touch