Two Pwnie Awards
The first firm ever to have won two Pwnie Awards (https://en.wikipedia.org/wiki/Pwnie_Awards) at Black Hat. We won them for the Bitfi disclosure, winning ‘worst vendor response’ for the vulnerabilities that we, and a broader group of researchers that we helped coordinate, discovered in the crypto wallet promoted by John McAfee.
Nation-state grade red teaming
Trusted by the UK government and the central bank to test at nation-state level. We are one of only 10 firms with the coveted ‘CBEST’ accreditation that allows us to test critical financial services organisations. Breaches of these firms could cause catastrophic damage to the global financial system.
World first ransomware on IoT
Presented the very first proof-of-concept ransomware running on an embedded device, at DEFCON 24. Ransomware on desktop and server operating systems is well known, but the challenge of creating ransomware to run on a smart thermostat, in a highly constrained environment, was significant.
Changing regulation around IoT security
Helped create the first laws to ensure that smart consumer devices are secure. We took My Friend Cayla, the smart, swearing kids’ doll, to the EU Parliament and the UK Parliament, and briefed a number of US senators about the perils of poor cyber security. The US federal government, NIST, the UK government and the EU have all now implemented regulations, in some cases citing our work as the catalyst.
TED talks
Gave TED talks about the security of smart devices, helping raise consumer awareness of IoT security. We also unmasked major security flaws in ‘adult’ toys, helping protect minorities and military personnel posted overseas from exploitation and extortion.
Airplane electronic flight bags
Discovered security flaws in electronic flight bags, the tablets that pilots use to calculate safe take-off distances. By exploiting these, pilots could be fooled into using too little power to take off safely. Fortunately, Boeing responded promptly to our reports and quickly fixed the issues, subsequently inviting us to Seattle to brief them further. We also found similar bugs in Airbus apps, but had to involve the regulator to convince Airbus to fix them!
Writing CSI Cyber
We helped write an episode of CSI Cyber, about a spying kids’ doll, based on our work on My Friend Cayla. We gave them a plausible script that worked technically and was based on fact. Sadly, they went off at a tangent and dubbed another doll instead!
Hacking in-flight entertainment systems
Found vulnerabilities in in-flight entertainment systems on retired 747s. In theory, we could have spooked passengers into thinking the flight had been hijacked. So whilst it may not have caused a safety incident, it certainly would have caused some very negative PR for the airline.
Making EV chargers destabilise the power grid
Discovered serious security flaws in numerous brands of smart car charger. We could have switched thousands of car chargers on and off simultaneously, potentially affecting the stability of the power grid. We briefed the relevant UK government department (OZEV), which then changed the law to require smart chargers to wait up to 120 seconds before charging, mitigating the potential energy spike on the grid.
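Why a random start delay helps is easiest to see with a small simulation. The model below is an added illustration, not code from Pen Test Partners or OZEV: every charger draws a fixed power once it starts, and the question is how much load arrives in any single second. The fleet size, the 7 kW per charger and the fixed seed are assumptions for the demo; the 120-second delay is the figure from the text.

```python
"""Added illustration: a mass switch-on with and without a randomised
start delay. Constructed model; fleet size and per-charger power are
assumed values, 120 s is the delay described above."""
import random
from collections import Counter
from typing import Dict, List


def start_times(n_chargers: int, max_delay_s: int, seed: int = 1) -> List[int]:
    """Second (0..max_delay_s) at which each charger begins drawing power.

    With max_delay_s == 0 every charger starts in second 0, which models a
    command that switches the whole fleet on at once."""
    rng = random.Random(seed)  # seeded so the demo is reproducible
    if max_delay_s <= 0:
        return [0] * n_chargers
    return [rng.randint(0, max_delay_s) for _ in range(n_chargers)]


def peak_ramp_kw(starts: List[int], power_kw: float) -> float:
    """Largest load increase that lands in any single second: the 'spike'
    the grid has to absorb at once."""
    per_second = Counter(starts)
    return max(per_second.values()) * power_kw


def total_load_kw(starts: List[int], power_kw: float) -> float:
    """Steady-state load once every charger is running (same either way)."""
    return len(starts) * power_kw


def compare(n_chargers: int = 10_000, power_kw: float = 7.0,
            max_delay_s: int = 120, seed: int = 1) -> Dict[str, float]:
    """Contrast the one-second spike with and without the randomised delay."""
    no_delay = start_times(n_chargers, 0, seed)
    with_delay = start_times(n_chargers, max_delay_s, seed)
    return {
        "total_kw": total_load_kw(with_delay, power_kw),
        "peak_ramp_no_delay_kw": peak_ramp_kw(no_delay, power_kw),
        "peak_ramp_with_delay_kw": peak_ramp_kw(with_delay, power_kw),
    }


if __name__ == "__main__":
    for name, value in compare().items():
        print(f"{name}: {value:,.0f}")
```

The total load is identical in both runs; only its arrival is spread out. With 10,000 chargers and a 0 to 120 second delay the worst single second carries roughly a hundredth of the undelayed step, which is the whole point of the rule.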
Forensically recovering money for victims of fraud
Helped BBC Rip Off Britain recover £10K for a victim of banking fraud by forensically proving that the transaction was created by malware on their phone. Helped another victim prove that there was a mole inside a bank’s fraud team, resulting in £14K of stolen funds being returned.
Proving that Egyptian police were using vulnerabilities to persecute minorities
Uncovered that the Egyptian police were exploiting vulnerabilities in a popular LGBT dating app in order to unmask gay men and then persecute them.
Unpicking the botnet that was used to take down Twitter
Were the first to decipher the true source of the Mirai botnet that was used to take down DynDNS through DDoS, resulting in both Twitter and Facebook going offline in 2016. Other researchers had mistakenly attributed it to issues with printers, routers and even TV receivers. Through extensive reverse engineering, we proved that a single vendor of CCTV DVR software, XiongMai, was actually responsible. We also proved that a single change to the code would have made the attack far, far worse.
Samsung’s snooping smart TVs
After reading a media story about Samsung’s terms and conditions allowing access to one’s voice, we decided to investigate further. After taking my own TV to work (much to the confusion of my wife), we hooked it up to Wireshark and started inspecting the traffic.
What we discovered was that, not only was the TV listening continuously for voice commands, it was sending that voice data to a company called Nuance in the USA for decoding into text. That text was then sent back to the TV. The data privacy concerns were huge. Even worse, those communications were not encrypted, so audio transcripts of conversations near our TVs were available for third parties to intercept. Samsung never acknowledged our findings, but did eventually fix the issue.
Hacking a piano
Whilst pen testing a cruise ship on its shakedown trip after construction, we started investigating the security of a high-end connected Yamaha grand piano in the main cocktail bar.
A mobile app was used to interface with the piano over a Wi-Fi access point on the piano itself, rather like a jukebox app, though it contained the data required to command keystrokes.
Our team found a vulnerability in the authentication process between the mobile app and the piano, so one could connect during a concert and have it play, for example, Never Gonna Give You Up. Rickrolled!
Mitsubishi Outlander PHEV
We bought an early Outlander specifically to investigate its unusual mobile app connection. Rather than using mobile data to connect, the app connected directly to a Wi-Fi AP on the vehicle. This saved cost, as no TCU or cloud platform was required, though it did limit the user to remote access from near the car.
The access point had static, weak credentials which took very little to crack. By reverse engineering the mobile application and binary protocol involved, we could disable the car alarm, open a door and code a key, enabling theft of the car.
Mitsubishi were initially unresponsive, then dismissive, but finally realised the seriousness of the problems when we asked a trusted journalist to intervene on our behalf.
Hack yourself Glastonbury tickets
Over the years, we have found multiple ways to circumvent the online queuing systems for online ticket purchases, by keeping sessions open, iterating load-balancing server names and other fun techniques. Each was fixed, though the most recent issue was an authorisation flaw in SeeTickets. This allowed other customers’ tickets to be stolen through poor authentication.
SeeTickets were responsive and quickly fixed the issue.
Hacking Britain and America’s Got Talent
We discovered a series of authorisation flaws in the APIs connected to kids’ tracking watches. These allowed a rogue user to take control of the cellular modem in the tracker watch and cause it to send SMS messages to any recipient. As nearly 3 million devices were available and vulnerable on the API, it would have been possible to cast enough SMS votes to create a winner, causing betting fraud to occur. There would have been no detectable fraud pattern to identify.
Amusingly, we found that this had actually happened: a Russian Show called The Voice Kids experienced similar fraud patterns when the daughter of a wealthy businessman won the show.
On top of this, we could rewrite the reported GPS position of the child: we did a proof of concept of this with Troy Hunt (of haveibeenpwned fame) and dropped his daughter in the sea off the Gold Coast of Australia. Oh, and we could also switch on the microphone on the kids’ watch and bug them.
The first firm to find a vulnerability in the Ring doorbell
Not long after Ring had rebranded from DoorBot, and well before it was acquired by Amazon, we discovered a serious security flaw in the smart doorbell. It could easily be unscrewed from the door using a Torx T4 bit, exposing a large red ‘reset’ button. After a reset, the doorbell returned to factory settings and offered an open Wi-Fi access point.
However, the user’s Wi-Fi key (PSK) survived the factory reset. It could be recovered over Wi-Fi from the doorbell, effectively meaning that a hacker could walk up to one’s front door and access the home wireless network. Ring were responsive and quickly fixed the vulnerability.
Stealing your email passwords from your fridge
At DEFCON 23 we had a Samsung smart refrigerator to play with in the IoT Village. It didn’t take long for us to discover that the email client on the fridge (yes, really) failed to pin its SSL certificates.
It needed the client in order to display, for example, a shared family calendar on a screen on the door. As a result of the missing pinning, it was possible to man-in-the-middle the connection over Wi-Fi and pinch the email creds. The crazy, wild west of the early days of IoT!
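What the fridge's email client was missing, as an added example (not Samsung's or Pen Test Partners' code): a client that pins the server certificate refuses to send credentials to any endpoint whose certificate does not match a fingerprint shipped with the app, so a Wi-Fi man-in-the-middle presenting its own certificate gets nothing. The pin below is the SHA-256 of the full leaf certificate in DER form; the demo certificate bytes, host and port are constructed placeholders.

```python
"""Added example: certificate pinning for a TLS client. The pin is the
SHA-256 of the leaf certificate as sent on the wire; demo values are
constructed placeholders, not anything from the page."""
import hashlib
import hmac
import socket
import ssl
from typing import Iterable


def cert_fingerprint(der_cert: bytes) -> str:
    """Hex SHA-256 of the certificate's DER encoding."""
    return hashlib.sha256(der_cert).hexdigest()


def cert_matches_pins(der_cert: bytes, pins: Iterable[str]) -> bool:
    """True if the certificate's fingerprint is one of the shipped pins.

    compare_digest keeps the comparison constant-time, so timing does not
    reveal how close a presented fingerprint came to a pin."""
    fp = cert_fingerprint(der_cert)
    return any(hmac.compare_digest(fp, p.lower()) for p in pins)


class PinMismatch(ssl.SSLError):
    """The presented certificate is not one we shipped a pin for."""


def connect_pinned(host: str, port: int, pins: Iterable[str],
                   timeout: float = 5.0) -> ssl.SSLSocket:
    """Open a TLS connection and return it only if the leaf certificate is pinned.

    Normal chain validation and hostname checking still run (the pin is an
    extra check, not a replacement). The pin is tested before the caller can
    write a single byte, so credentials never reach an impostor."""
    ctx = ssl.create_default_context()  # CA validation + hostname check
    raw = socket.create_connection((host, port), timeout=timeout)
    tls = ctx.wrap_socket(raw, server_hostname=host)
    der = tls.getpeercert(binary_form=True)
    if der is None or not cert_matches_pins(der, pins):
        tls.close()
        raise PinMismatch(f"certificate for {host} does not match any shipped pin")
    return tls


# Constructed demo values: stand-in 'certificate' bytes and the pin an app
# would ship for them. A real app would pin the hash of its real server cert.
DEMO_CERT = b"constructed-der-bytes-standing-in-for-a-real-certificate"
DEMO_PINS = [cert_fingerprint(DEMO_CERT)]

if __name__ == "__main__":
    print("shipped cert matches pin:", cert_matches_pins(DEMO_CERT, DEMO_PINS))
    print("unexpected cert matches pin:",
          cert_matches_pins(b"some-other-certificate", DEMO_PINS))
```

Pinning the whole certificate means the app must be updated whenever the server certificate is renewed; production clients usually pin the SubjectPublicKeyInfo instead, which survives renewal with the same key but needs an ASN.1 parse or a library to extract. Either way the decision point is the same: after the handshake, before any credential is written.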
Bore BrewDog bad bearer token behaviour
As an ‘Equity for Punks’ shareholder, one of our team looked at the mobile app and associated API for members of the scheme.
It transpired that it had had a static bearer token for around 18 months, exposing the personal data of around 200,000 shareholders. This allowed both identity and beer theft.
BrewDog didn’t do a great job of fixing the bug, trying 6 new iterations of the app before finally getting it right.
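The BrewDog token and the tracker-watch API above fail in two related ways: one bearer token shared by every app install, so possessing the app is the same as possessing everyone's access, and endpoints that never check whether the caller owns the record they act on. The following is an added example, not BrewDog's, the watch vendor's or Pen Test Partners' code, showing the weak pattern beside a minimal corrected design: a per-user, expiring, HMAC-signed token plus an object-level ownership check. The secret, user and device identifiers and the in-memory ownership table are all constructed for the demo.

```python
"""Added example: shared static bearer token vs per-user signed token with
an ownership check. All identifiers and the secret are constructed."""
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

SERVER_SECRET = b"constructed-demo-secret-not-for-real-use"

# --- the weak design: one token baked into the app -------------------------
STATIC_APP_TOKEN = "app-v1-shared-token"  # identical in every install


def weak_authorise(bearer: str, device_id: str) -> bool:
    """Accepts any request carrying the shared token; ownership is never checked,
    so any app user can act on any device_id."""
    return bearer == STATIC_APP_TOKEN


# --- the corrected design: per-user, expiring, signed token ----------------
DEVICE_OWNER = {"watch-001": "alice", "watch-002": "bob"}  # constructed data


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(user: str, ttl_s: int = 900, now: Optional[float] = None) -> str:
    """Mint a token bound to one user with an expiry; the HMAC stops tampering."""
    now = time.time() if now is None else now
    claims = {"sub": user, "exp": int(now + ttl_s)}
    payload = json.dumps(claims, separators=(",", ":")).encode()
    sig = hmac.new(SERVER_SECRET, payload, hashlib.sha256).digest()
    return _b64(payload) + "." + _b64(sig)


def verify_token(token: str, now: Optional[float] = None) -> Optional[str]:
    """Return the user the token belongs to, or None if malformed, forged or expired."""
    now = time.time() if now is None else now
    try:
        payload_b64, sig_b64 = token.split(".")
        payload, sig = _unb64(payload_b64), _unb64(sig_b64)
    except (ValueError, TypeError):
        return None
    expected = hmac.new(SERVER_SECRET, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):
        return None  # signature does not match: forged or altered
    claims = json.loads(payload)
    if claims.get("exp", 0) < now:
        return None  # expired: a leaked token stops working on its own
    return claims.get("sub")


def strong_authorise(bearer: str, device_id: str, now: Optional[float] = None) -> bool:
    """Object-level check: the caller must be the registered owner of the device."""
    user = verify_token(bearer, now)
    return user is not None and DEVICE_OWNER.get(device_id) == user


if __name__ == "__main__":
    alice = issue_token("alice")
    print("weak: bob's watch via shared token ->", weak_authorise(STATIC_APP_TOKEN, "watch-002"))
    print("strong: alice on her own watch ->", strong_authorise(alice, "watch-001"))
    print("strong: alice on bob's watch ->", strong_authorise(alice, "watch-002"))
```

The two changes are independent and both matter: the expiring per-user token limits how long a leaked credential is worth, and the ownership lookup is what actually stops one shareholder reading another's record or one parent steering another family's watch. A signed token on its own would still have allowed the cross-account calls the text describes.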
Found the first security flaw in a connected Aga oven
During the frenzied rush to connect everything to the internet in the late 2010s, even Aga, the manufacturer of cast iron kitchen ranges, connected their ovens…
Imagine our surprise when we discovered a lack of authentication to the platform that offered remote control. The irony was not lost on us, or the iron.
Hacking car hacking tools
The OBD Eleven is a popular tool for unlocking premium functionality on some VW Group vehicles. It exploits issues with UDS seeds to unlock some ECUs.
Their financial model is to charge for the dongle and app, charging significantly less than VW does for enabling the same features.
Unfortunately, we found security flaws in their mobile app that meant anyone could unlock any functionality for free. We informed both VW and OBD Eleven, but it appeared that neither could fix the issues!
Hacking car theft tools
The VVDI toolset is sold, in theory, to the motor trade to allow lost car keys to be recoded and replacement odometers to be calibrated, among other extensive functionality.
However, this same functionality can be used to facilitate car theft through unlocking a large number of vehicle ECUs. We wanted to find out how this was being done.
The toolset was exploiting various glitching attacks. One attack we reverse engineered required a very sensitive and expensive oscilloscope, but through this we discovered that the VVDI was glitching the ECU time clock and unlocking it, thus allowing new car keys to be coded and a vehicle to be stolen. This is an unusual attack, as glitching is more commonly carried out using voltage.
We reported the findings to the manufacturers of the various ECUs involved.
Exploiting NAC to compromise a ship load computer
Whilst testing the security on board a ship, we discovered an unusual connection between the load computer user interface and its server. The load computer manages the ship’s stability. If mismanaged or compromised, it can result in the ship heeling excessively or even capsizing.
The UI and server were separated by 7 decks. Drilling a hole through a deck is expensive, owing to the need for waterproofing and fireproofing. The vessel had NAC running, to prevent unauthorised devices being connected to the networks. However, if an unauthorised device was connected, it was dropped into a ‘black hole’. Oddly, any device placed into the black hole could communicate with any other!
The installer used this to connect the server and UI, avoiding deck penetrations. We came along, connected to the network, joined the black hole and discovered that we could tamper with all loading data. Had we wished to, we could have affected the stability of the ship. This was quickly addressed!