In the 1990s PC-based cybercrime started as "benign" DDoS attacks and pranks by young programmers showing off their skills - aided by the non-existent security posture in Windows-based computers. (We can all look back fondly on the benign worms like the "Kournikova Worm".) However, by the late 90s and early 2000s cybercrime organizations started to monetize vulnerabilities by releasing targeted malware and spyware viruses/worms that rapidly spread. "Phishing" became a highly lucrative business. "Love Letter", "MyDoom", "Confiker" these were a bit more nefarious.
As the host of "Risky Biz" Patrick Grey has pointed out astutely on several of his shows, we are going to see the same evolution with regard to IoT!
History is a funny thing. It tends to repeat itself.
Investing in a company, whether that investment is time, money, or reputation, starts with people. You invest in people that inspire, and Stephen Ridley, Founder of Senrio, is one of those people. He blends incredible enthusiasm with world-class expertise. I saw this first hand when we worked together on bleeding-edge projects for the Intelligence Community 10 years ago. But the team is more than Stephen. The Senrio family he is assembling (and has already assembled), has that ideal mix of hunger and experience. That passion and capacity continues to scale as the employee count grows, and success for Senrio has not hurt their humility. This group will continue to attract like-minded individuals.
Unique Snowflakes Or Ubiquitous Tech? The Truth Behind The Industrial Internet of Things (IIoT and ICS)
During last week's ICS Cyber Security Conference in Atlanta (the world's oldest Industrial Control security conference), we made an announcement that sounded obvious to us but was surprising to many attendees:
“We are just before the curve on embedded security. There are sparce product and service offerings in this area now simply because of the uncanny valley. We also haven’t yet experienced the big watershed event that will cause the reactionary security industry to shift focus - but that appears imminent.” Stephen Ridley briefing US government and Intelligence Agencies in early 2015
Friday's Internet outages and the DDOS attack on security journalist Brian Krebs are just the tip of the iceberg of the types of damage IoT vulnerabilities could cause.
Jamison's "big picture" approach to understanding Infosec solutions comes from years spent learning (and presenting) the details beyond the technicalities of a hack. Instead he delves into the workings of the criminal industry; how and why malware is written, how criminals monetize attacks, and how understanding attacker motivations helps protect networks against malicious forces. Armed with this knowledge, Jamison has built teams to help deploy custom solutions to meet customer need. Jamison is a contributor to ITSP magazine and has blogged on various cyber security topics.
Imagine you are handed this device and asked to get root on it as quickly as possible. No further information is given. Where would you begin? (If you just want to see the router get rooted, jump down to "Mounting an Attack: Rooting a Home Router" ;-)
Our target: A VERY common/popular consumer Access Point.
Since you have the device in your hands, you might try directly attacking the hardware. However, if you've never done any kind of hardware hacking, getting started can be intimidating. In this post, we are going to talk about the fundamental information you need to know to use JTAG for hacking hardware. We'll also go over a quick example to illustrate the power of direct hardware access.
Why Do Manufacturers Use JTAG?
JTAG is a common hardware interface that provides your computer with a way to communicate directly with the chips on a board. It was originally developed by a consortium, the Joint (European) Test Access Group, in the mid-80s to address the increasing difficulty of testing printed circuit boards (PCBs). JTAG has been in widespread use ever since it was included in the Intel 80486 processor in 1990 and codified as IEEE 1491 that same year. Today JTAG is used for debugging, programming and testing on virtually ALL embedded devices.
In this new world of "Internet of Things" and billions of networked embedded devices, it is crucial for device manufacturers to bake security into their new designs before they leave the factory. Here are five tips from a team of security researchers who make a living reverse engineering (hacking) into IoT devices on behalf of industry clients.
Explosive growth of networked embedded devices and a shifting threat landscape require a new approach to IoT Security. Here is why.
Why is Everything Connected Now?
Not a day goes by without a story of a new “smart” device being launched. A perfect storm of new enabling technologies is driving the adoption of Internet-connected devices: The rise of inexpensive Systems-on-a-chip (SOCs) running full operating systems has effectively eradicated many industry use cases for expensive, custom application-specific integrated circuits (ASICs). Any product developer, hobbyist or high-schooler can use an off-the-shelf low-cost computing device like the Raspberry Pi and launch a functioning product in under three months of development. The commoditization of hardware, coupled with rapidly decreasing cost of bandwidth and processing has lead to an explosion of Internet-connected devices. Most of the buzz has been focused in the consumer space with smart toasters, kettles, and diapers?! The proliferation of useless novelty devices has led to a fatigue with the term “Internet of Things” causing Goldman Sachs to quip in 2014 “you cannot spell idiot without IoT”.
In our last post we talked about a vulnerability discovered in the D-Link DCS-930L Cloud Camera. Since then the Senrio Research Team has been working closely with the D-Link Security Incident Report Team. Below we disclose technical details of our efforts.
In today’s age of constant connectivity the allure of remotely checking on your home and loved ones is appealing and manufacturers of Wifi Cameras promise a “second set of eyes around the home or office.” However, you may not be the only one peeping in. The dangers of unsecured webcams and baby monitors have been reported in 2014 with cautionary tales warning consumers to change their default passwords. So that’s the end of the story, right? Adding a password will protect me from creepy strangers looking into my home. Not so fast. Researchers at Senrio discovered a vulnerability in a popular Wifi camera that lets attackers overwrite the administrator password.
Cybersecurity Researchers Launch Solution to Address Inherent Vulnerabilities in Network Embedded Devices, with Focus on Healthcare, Critical Infrastructure and Corporate Environments
Portland,OR: Today, Senrio, an Internet of Things (IoT) cybersecurity solution, emerges from stealth mode with the launch of an IoT network cybersecurity platform that provides visibility and defense for networked embedded devices (NEDs) used in healthcare, critical infrastructure, retail and corporate environments.
Senrio in the press!
IoT Hacking comic book!
Watch some our IoT security research
Live On Twitch.tv
Upcoming Trainings by our Team!
Practical Android Exploitation
Blackhat, Las Vegas 2017
Software Exploitation Via Hardware Exploitation
Blackhat Las, Vegas 2017
Practical ARM Exploitation