Public research has always been of huge importance to Context, with our consultants conducting research as part of normal business, for our customers and for ourselves. Below are some examples of recent research projects, with links to further information.
Exploiting vulnerable mobile applications, May 2017
This blog details how we found and disclosed a vulnerability in the update mechanism of an Android Anti-Virus application, Panda Mobile Security. This vulnerability would allow anyone running a malicious network to inject their own functionality into the Panda application, and was fixed after we disclosed it to the developer.
Hacking Unicorns with Bluetooth, February 2017
CloudPets are a range of Bluetooth Low Energy (BLE) children's toys. When a high-profile compromise of the backend database was announced, we published the results of our reverse-engineering of the BLE implementation in the toy, in this blog. It shows how the toy can be controlled via an unauthenticated BLE connection, something we demonstrated using the new Web Bluetooth support in Chrome.
Hacking an Android Conference Phone, February 2017
This blog covers how we managed to get root access on a piece of technology that's common to many offices, but might be overlooked from a security perspective: a conference phone. We managed to gain root access and take full control of a Mitel MiVoice Conference/Video Phone (also known as the Mitel UC360), which could allow an attacker to listen in on meetings without alerting the room's occupants, disable the mute button so that private discussions could be heard by everyone on a call, and maintain a remote backdoor into the network environment.
Attacking smart phones with SMS, January 2017
We found that Android phones are still vulnerable to SMS-based attacks. One of the bugs found by Context in older models of Samsung Galaxy devices could be triggered remotely and rendered the device unusable until a factory reset was performed, leaving users open to ransomware attacks. The vulnerability was triggered by the type of SMS messages sent by manufacturers and network operators for configuring carrier and other device configuration settings. More details here.
Porting exploits to a Netgear WNR2200 Router, September 2016
Whilst there's always a lot written about zero day vulnerabilities, old vulnerabilities will always be around too, especially on platforms with a slow upgrade cycle. This blog covers porting an old vulnerability to a platform that is typically slow to update, a Netgear home router.
Attacks on HTTPS via malicious PAC files, August 2016
This work, presented at DefCon 24, showed how recent improvements in online security and privacy can be undermined by decades-old design flaws in obscure specifications. These design weaknesses can be exploited to intercept HTTPS URLs and proxy VPN-tunnelled traffic. We demonstrated how a rogue access point or local network attacker can use these new techniques to bypass encryption, monitor your search history and take over your online accounts. More details here, here and here.
Reversing the string encryption in an iOS jailbreak, August 2016
This blog takes a closer look at the Pangu 9.3 iOS jailbreak, specifically focusing on the mechanism that has been used to encrypt strings within the application. We provide a detailed summary of the reverse engineering of this encryption using a mixture of static and off-device dynamic analysis.
Binary SMS messages – "the old backdoor to your new thing", July 2016
This work highlighted how Short Messaging Service (SMS) is a weak link in a handset's security. Carriers are able to send remote command SMS messages to trigger and interact with hidden applications on their devices without the user's consent. As there is no concept of inspection, any bad packets are always forwarded, which is comparable to a computer running open services on the internet without a firewall.
“Push to Hack”: controlling a security camera over the Internet, February 2016
For this project we examined an outdoor cloud security camera, which, like many devices of its generation, a) has an associated mobile app, b) is quick to set up and c) presents new security threats to your network. We were able to exploit the camera without access to the local network, steal secrets including the home network's Wi-Fi password, obtain full control of the PTZ (Pan-Tilt-Zoom) controls and redirect the video feed and movement alerts to our own server; effectively watching the watchers.
"Alarm Bells Ringing": disabling a smart alarm, October 2015
We spent a couple of days looking at a smart alarm system – analysing the traffic and determining how the different components interact. After discovering an authenticated web-service running on the main router box, we disassembled it, identified the JTAG header for the ARM System-on-Chip, extracted the firmware and located the baked-in admin password for the webserver. This access allows us to deactivate all of the alarm sensors. Further details can be found in our blog.
WSUSpect – Compromising the Windows Enterprise via Windows Update, August 2015
This whitepaper, which accompanied a talk at BlackHat Vegas 2015, demonstrated how Windows Update can be abused for internal attacks on corporate networks by exploiting insecurely configured enterprise implementations of Windows Server Update Services (WSUS).
KGDB on Android: Debugging the kernel like a boss, August 2015
In this blog we showed how to build a serial debug cable and modify the Android kernel to enable kernel debugging of a modern Android smart phone.
“The Emergence of Bluetooth Low Energy”, May 2015
This blog and its follow-up detailed our work investigating the new Bluetooth protocol, including the use of an application-specific System-on-Chip to develop a new application. We released an Android application, which has now had over one thousand installs worldwide, to demonstrate how the packets transmitted by many wearable and IoT devices can be used to identify the product, and possibly the owner.
“Hacking Canon Pixma Printers – Doomed Encryption”, September 2014
This work involved finding vulnerabilities in the firmware of Canon Pixma printers in order to run custom code. The fundamental aspect of the research was the discovery that the firmware update check can be redirected and that the firmware is encrypted rather than signed. The firmware does not run an operating system, but is a single lump of compressed ARM code that was reverse engineered using IDA Pro. The encryption mechanism was investigated and broken in order to achieve code execution on the printer. With the ability to create custom firmware images, and after reversing the functionality needed to steal printed documents and scanned files, Doom was added to a custom firmware image and played on the printer screen. This hack was presented at 44CON and Hack-In-The-Box Malaysia.
“Hacking into an Internet connected light bulb”, July 2014
LIFX bulbs connect to a Wi-Fi network in order to allow them to be controlled using a smart phone application. This research focussed on how the bulbs shared the Wi-Fi network credentials between themselves over the 6LoWPAN mesh network. This was accomplished by accessing the PCB, extracting the firmware over JTAG and analysing it with IDA Pro to find the static AES encryption keys. Armed with this knowledge we could then inject packets into the mesh network, capture the Wi-Fi details and decrypt the credentials, all without any prior authentication or alerting the owner.