To see the exploit in action, check out our video on Vimeo. For full technical teardown, click here.

Summary
Given the increasingly vital role IoT plays in modern life, we strive to improve the state of IoT security and share the knowledge we gain through our research with IoT manufacturers and users.

Our latest discovery was found in an Axis Communications security camera — the M3004 model. Axis Communications is one of the largest manufacturers of security web cameras globally. In fact, while passing through LAX last week, we saw one of the vulnerable models in use at the airport.

After about a day of analysis, we discovered a stack buffer overflow vulnerability (CVE-2017-9765), which we’re calling Devil’s Ivy*. Devil’s Ivy results in remote code execution, and was found in an open source third-party code library, from gSOAP (more on that later). When exploited, it allows an attacker to remotely access a video feed or deny the owner access to the feed. Since these cameras are meant to secure something, like a bank lobby, this could lead to collection of sensitive information or prevent a crime from being observed or recorded.

Axis informed us that Devil’s Ivy is present in 249 distinct camera models, the exception being three of their older cameras. Once we verified Axis’s fix prevented our exploit from working, Axis quickly began releasing patched firmware and prompting partners and customers to upgrade.

THE IMPACT GOES FAR BEYOND AXIS

The impact of Devil’s Ivy goes far beyond Axis. It lies deep in the communication layer, in an open source third-party toolkit called gSOAP  (Simple Object Access Protocol). gSOAP is a widely used web services toolkit, and developers around the world use gSOAP as part of a software stack to enable devices of all kinds to talk to the internet. Software or device manufacturers who rely on gSOAP to support their services are affected by Devil’s Ivy, though the extent to which such devices may be exploited cannot be determined at this time. Based on our research, servers are more likely to be exploited. But clients can be vulnerable as well, if they receive a SOAP message from a malicious server.

We recently discovered two vulnerabilities in TP-Link’s WR841N V8 router that we exploited to obtain custom code execution on the router. After working closely with the vendor to patch the router’s firmware, we are disclosing the details of our work. 

Our team conducts research into networked embedded devices in order to improve our product and spread security knowledge among the embedded device manufacturing and security communities. The WR841N is the  same router model we use to teach students about hardware hacking in our classes, and the focus of our JTAG Explained blog post. During the process of our research into this router, we found a logic flaw in a configuration service which allowed us to circumvent its access controls and reset the router’s credentials (CVE-2017-9466). We then used our increased access to gain code execution by exploiting a stack overflow vulnerability available through the configuration service. 
​
In this proximity-based attack, we used a smartphone’s hotspot capability to reset the router’s credentials by taking advantage of a protocol that had been removed from the firmware for newer hardware models. Unfortunately, although older models may no longer be supported, they often remain in critical positions. Fortunately, TP-Link agreed to remove the configuration service from this model once we brought the issue to their attention.

We are sharing the details, step by step, in case our work sparks any ideas or discussion regarding proximity-based attacks, unsupported versions, logic flaws in encryption, or vulnerable configuration services. 

​Click here to skip to the full technical details, or read on for a high level summary of our work.

​Medical device security has largely been concerned with attacks that might compromise device safety and effectiveness. An additionally important but under-appreciated issue is device integrity. In situations where devices are expected to provide objective testimony, the integrity of the device and the data it generates is paramount.

You probably don’t know Ross Compton, but last fall the 59-year-old claimed that when he noticed his house was on fire, he hurriedly packed some personal belongings, broke a window with his cane, and rushed out of the house. Police, suspicious of his claims, got a warrant for Compton’s pacemaker data. The data showed that he had not been in a state of activity he described at the time of the fire. That data, plus physical evidence collected by fire investigators, was more than enough to charge Compton with arson and insurance fraud.

​Cases like this bring to light the importance of issues related to integrity verification. The value of device logs as an objective record of facts only exists if we can be assured that the ability to generate records, and the records themselves, have not been compromised.

​Overview

Medical devices like pacemakers and drug infusion pumps keep detailed logs of all activity. Due to these logs value in monitoring patient care, device operation, and incident investigation, there is a risk of data modification attacks through physical or remote access. 

Consider a generic infusion pump that primarily dispenses pain medication and writes logs to battery-backed RAM. These logs record the dose of drugs as requested and delivered, any program changes, and when infusion starts and stops. If a patient suffered a medical emergency that could be linked to the pump, or anything went awry, investigators would depend on the device logs to tell them the story. But what if those logs didn’t have the whole story, or an accurate one?

Watch a hardware prep video preview below! 

Our trainings sell out pretty quickly (they are popular and unfortunately, there are limited seats) so if you're interested in participating, sign up below to get details before we make them available publicly! 

​History is a funny thing. It tends to repeat itself. 

​Investing in a company, whether that investment is time, money, or reputation, starts with people. You invest in people that inspire, and Stephen Ridley, Founder of Senrio, is one of those people. He blends incredible enthusiasm with world-class expertise. I saw this first hand when we worked together on bleeding-edge projects for the Intelligence Community 10 years ago. But the team is more than Stephen.  The Senrio family he is assembling (and has already assembled), has that ideal mix of hunger and experience. That passion and capacity continues to scale as the employee count grows, and success for Senrio has not hurt their humility. This group will continue to attract like-minded individuals.

During last week's ICS Cyber Security Conference in Atlanta (the world's oldest Industrial Control security conference), we made an announcement that sounded obvious to us but was surprising to many attendees:

Friday's Internet outages and the DDOS attack on security journalist Brian Krebs are just the tip of the iceberg of the types of damage IoT vulnerabilities could cause.

Jamison's "big picture" approach to understanding Infosec solutions comes from years spent learning (and presenting) the details beyond the technicalities of a hack.  Instead he delves into the workings of the criminal industry; how and why malware is written, how criminals monetize attacks, and how understanding attacker motivations helps protect networks against malicious forces. Armed with this knowledge, Jamison has built teams to help deploy custom solutions to meet customer need. Jamison is a contributor to ITSP magazine and has blogged on  various cyber security topics.  ​

Imagine you are handed this device and asked to get root on it as quickly as possible. No further information is given. Where would you begin?  (If you just want to see the router get rooted, jump down to "Mounting an Attack: Rooting a Home Router" ;-)

Since you have the device in your hands, you might try directly attacking the hardware. However, if you've never done any kind of hardware hacking, getting started can be intimidating. In this post, we are going to talk about the fundamental information you need to know to use JTAG for hacking hardware. We'll also go over a quick example to illustrate the power of direct hardware access. ​

​JTAG is a common hardware interface that provides your computer with a way to communicate directly with the chips on a board. It was originally developed by a consortium, the Joint (European) Test Access Group, in the mid-80s to address the increasing difficulty of testing printed circuit boards (PCBs). JTAG has been in widespread use ever since it was included in the Intel 80486 processor in 1990 and codified as IEEE 1491 that same year. Today JTAG is used for debugging, programming and testing on virtually ALL embedded devices. 

​In this new world of "Internet of Things" and billions of networked embedded devices,  it is crucial for device manufacturers to bake security into their new designs before they leave the factory. Here are five tips from a team of security researchers who make a living reverse engineering (hacking) into IoT devices on behalf of industry clients.  

In our last post we talked about a vulnerability discovered in the D-Link DCS-930L Cloud Camera. Since then the Senrio Research Team has been working closely with the D-Link Security Incident Report Team. Below we disclose technical details of our efforts.