cryptogirl


Over the last few months or years I have reported vulnerabilities on several IoT devices. None have been patched so far, and I think it is time to discuss the situation openly. One of the issues I have faced several times is the zero-security-culture phenomenon. Some of those IoT companies were typically very small and young, with sadly neither the skills nor the resources to fix security issues. For example, I remember sending several vulnerabilities to a given company. I got an automated response for the first email (ok),... [Read More]
by RSS Axelle Apvrille  |  May 17, 2017  |  Filed in: Security Research
Welcome back to our monthly review of some of the most interesting security research publications. Previous edition: March 2017 What happened to your home? IoT Hacking and Forensic with 0-day from TROOPERS 17, by Park and Jin Figure 1: Hacking a vacuum cleaner The authors hacked a vacuum cleaner, which, besides cleaning, also includes an embedded camera and microphone. The hack wasn’t easy because the vacuum wasn’t too badly secured. The authors however found 2 vectors: 1. They connected on the... [Read More]
by RSS Axelle Apvrille  |  May 10, 2017  |  Filed in: Security Research
You missed Insomni'hack? You shouldn't have: although there are now something like 700 attendees, it's still a friendly and well organized hacking conference with an interesting mix between wild hackers, CTOs, and CISOs (some being hackers and CISOs at the same time ;). As usual when there are several tracks, you end up with the difficult dilemma of which talks to attend. That's what happened to me when I had to choose between a talk on connected medical devices (close to my own research topics, but probably not very technical)... [Read More]
by RSS Axelle Apvrille  |  Mar 25, 2016  |  Filed in: Industry Trends & News
Our automated crawling and analysis system, SherlockDroid / Alligator, has just discovered a new Android malware family, on a third party marketplace. Figure 1: Part of SherlockDroid report. Android/BadMirror sample found as suspicious The malware is an application whose name translated to "Phone Mirror". Because it is malicious, we have dubbed it 'BadMirror'.  The malware sends loads of information to its remote CnC (phone number, MAC adddress, list of installed applications...) - see Figure 2 - but it also has... [Read More]
by RSS Axelle Apvrille  |  Mar 07, 2016  |  Filed in: Security Research
Update Aug 28, 2015: Typos in the final table: CVE-2015-3864 does not concern covr but tx3g. CVE-2015-3828 does not occur for yrrc. Detecting the PoCs published by Zimperium is not difficult: you can fingerprint the PoCs, for example. Detecting variants of the PoCs, i.e., MP4s that use one of the discovered vulnerabilities, is far more difficult. I'll explain why in a moment. First, apart from here (in Chinese), there hasn't been so much in the way of technical details. Getting into the guts of StageFright... [Read More]
by RSS Axelle Apvrille  |  Aug 25, 2015  |  Filed in: Security Research
The conference started with Adi Shamir's keynote. As it was covered at length by rootshell, I won't be discussing it in this post - apart from the fact that I was really happy to listen to such a brilliant mind like Adi Shamir. I also appreciated his talk which was more like a research / hacking talk than like a generic keynote. I will now give you my personal opinion on some of the best talks I attended. The white papers and slides are available on BlackHat's website. Quantified Self - a path to self-enlightenment or just a security nightmare? Candid... [Read More]
by RSS Axelle Apvrille  |  Oct 29, 2014  |  Filed in: Security Research
This Tuesday, January 28th, marks a significant day of observation. No, it's not another presidential holiday. And you probably won't get the day off from work - at least not without calling in sick. January 28 is in fact Data Privacy Day. Led by the non-profit public-private partnership National Cyber Security Alliance, Data Privacy Day is a concerted, international effort that aims to educate and empower users to better safeguard their personally identifying information and take control of their digital footprint. The effort stems from the... [Read More]
by RSS Stefanie Hoffman  |  Jan 28, 2014  |  Filed in: Industry Trends & News
Recently I received this SMS on my mobile phone. Basically, it tells me I have to call back 018377xxxx to collect a parcel. As this phone number is not premium and I was indeed waiting for a parcel, I nearly fell in for the trick. Figure 1. SMS scam received on the phone. It says: "E-Relay Hello, your parcel Ref: M794610 is waiting for you since July 8th, 2013. More details at 018377xxxx" I guess that AV analysts get suspicious about everything, and I checked it on a search engine. I quickly found out that plenty of other victims were complaining... [Read More]
by RSS Axelle Apvrille  |  Jul 17, 2013  |  Filed in: Security Research