OWASP FSTM, stage 2: Obtaining IoT device firmware
This article explains the possible mechanisms for obtaining IoT device firmware
This article presents the first stage of the OWASP FSTM methodology for firmware analysis of IoT devices.
The newly implemented plugin support in PLCTool allows new functionality to be added without modifying the base code. This article presents PLCTool's plugin support and offers a guide to implementing new plugins, so that users can add new functionality to the tool and adapt it to their needs. In the previous article, the PLCTool software was presented as a tool for the inspection and analysis of PRIME networks, the main communication system of most energy meters in current households. This tool features basic auditing functionality for these networks, such as turning an energy meter on and off given a password that is commonly shared in the network without encryption. In the last PLCTool update plugin support ...
Fuzzing techniques are used to detect security flaws and other bugs by generating inputs not contemplated by the programmer. What is fuzzing? - Security testing. Fuzzing is a technique used by programmers, security researchers and bug hunters to test software and discover vulnerabilities in it. The technique consists of running automated tests against an application, feeding it random data and modifications of the expected data inputs in order to provoke faults in its behaviour. Fuzzing history. Software development has evolved at great speed since its beginnings. With relatively low development cost compared to other sectors such as hardware design, it has demonstrated the ability to iterate through multiple generations for each hardware generation. To this capacity for change, one must add ...
The OWASP FSTM methodology offers a standardized, step-by-step guide to performing a security analysis of IoT and embedded devices. The guide is designed so that all relevant topics are covered and a detailed analysis is performed. Context. Everyday smart devices such as smartwatches, speakers, cookers, cleaning robots, etc. are small computers with limited processing capacity. Sometimes, in electronic design jargon, one may refer to "onboard systems" when talking about bigger devices and to "embedded systems" when referring to smaller and more limited devices. In either case, when these devices are connected and integrated into a communication network where they can exchange data, they are usually referred to as IoT devices. But what ...
The following article is an introduction to and description of the PLCTool project, along with a user's guide for starting to investigate PRIME/DLMS networks and smart meters. As support material for researchers and as a continuation of the series of articles published by Tarlogic in its research on smart meters and PRIME networks, this article describes PLCTool. The tool was presented in the talk Hacking Smart Meters at RootedCON 2022, during which its use with the ATPL360-EK evaluation kit to send and receive data on PLC networks was demonstrated. The following sections describe the PLCTool project, which is composed of two repositories: the PLCTool application itself and Candleblow, the firmware developed for the evaluation kit. Along with the description of the project, an ...
This article presents a current problem: the risks of designing hardware with obsolete components or components that are about to reach the end of their life cycle.
Introduction. In our previous article, we covered an engagement in which it was necessary to execute the ESC7 attack to escalate privileges by abusing Active Directory Certificate Services (AD CS). During this Red Team operation, detailed research was conducted that resulted in the publication of several modules for Certify, which allow the abuse of the ManageCA and ManageCertificates permissions as suggested in the original paper. Since that article was published, we have continued this research, which has led us to discover two new ways to compromise the CA (Certificate Authority) server itself by abusing the ManageCA privilege. These attacks could be useful in different scenarios: when there are no certificate templates available for users that we can ...
The security of IoT devices and memory readers often presents gaps. Tarlogic's Innovation team highlights some of them. IoT devices are becoming more and more widespread and established in domestic environments. They help us in our daily lives and allow us to perform numerous functions that until a few years ago were unthinkable, such as controlling the heating remotely, controlling the lights from a cell phone, or interacting with a smart speaker or TV to play the music or series we want to listen to or watch. Depending on their functionality, the design of IoT devices can be more or less complex. However, they all share a common element: they make use of small memories to store the ...
Introduction to AD CS ESC7. Last year, SpecterOps published in-depth research on the security state of Active Directory Certificate Services (AD CS) that is still a common topic of debate in the community. The technical paper lays out different attacks based on misconfigurations in these services that can lead to privilege escalation or act as a persistence mechanism. At the same time, different tools were released around this topic, some to exploit these weaknesses (Certify and ForgeCert) and others to audit an AD CS environment for potential misconfigurations (PSPKIAudit). As a Red Team, we have relied on these new vectors in different engagements over the last few months, mainly to escalate and keep the acquired privileges. In this context, the techniques labeled as ESC1 ...