Channel: Security – Cybergibbons
Browsing all 27 articles

Why Nationwide’s SSL is broken on one of their domains

This is just here to explain clearly to Nationwide what is wrong with their SSL on the domain olb2.nationet.com. If you visit this site in Firefox 37.0.2, you are shown this warning: The SSL handshake...

Interesting Shodan searches: Yesco electronic billboards

A search for “Prismview Player” on Shodan yields ~200 results for what look like electronic billboards. Again, no HTTPS. Their site suggests you use a Windows client to update the billboard itself, and...

Interesting Shodan searches: Envisalink

About 360 devices are showing up for a search for “Envisalink”. Turns out this is the IP interface for a large number of alarms across the US. No auth or user/user. No HTTPS.

Interesting Shodan searches: Saphir HVAC controllers

A number of WinCE devices that don’t appear to have seen any updates for the last 15 years. Controlling HVAC. Seem to be made by Siemens. Yeah. No HTTPS. Can change all settings. Pff.  

Interesting Shodan searches: Moxa ethernet->serial bridges

I’ve noticed, whilst sat on the train, an AP called “MOXA”. A quick google shows that these guys are in the “industrial IoT” market. I suspect they have something to do with the CCTV on the train. Off...

Interesting Shodan searches: Netopia open telnet on routers

I sometimes search for “diagnostics” on Shodan – it gives interesting results. I noticed one telnet result with a menu system – a router. If we make the search more specific to that menu system “Easy...

Interesting Shodan searches: Dedicated Micros DVRs

This one was found just browsing “port:23 country:GB” results. It appears that SD Advanced DVRs don’t always require a username and password to get into them – “SD Advanced Closed IPTV -username” Yeah....

Interesting Shodan searches: PIP technologies ANPR cameras

Again, browsing telnet, I see the word “ANPR” – Automatic Number Plate Recognition. Most of these say “P372” and a Shodan search for that delivers the goods. The telnet prompt shows us P372, but nearly...

MintDNS dynamic DNS software – multiple vulnerabilities

MintDNS is a piece of software used to provide dynamic DNS services. It runs under Windows, and I can find ~50 different CCTV/NVR providers using it. I’ve only had a very quick check of this piece of...

Why dynamic DNS is a bad idea for the Internet of Things

Dynamic DNS has been around for a good while now, allowing users who have dynamic IPs (or even those with static IPs, no DNS, and bad memory) to use a hostname of their dynamic DNS provider to point...

Subjects don’t need to be preserved in Certificate Signing Requests

I’ve been playing round with certificates, keys and Certificate Signing Requests (CSRs) whilst evaluating the security of an IoT solution. I’ve had a longstanding misconception around CSRs and I...

Insecure CSL Dualcom mobile app

CSL Dualcom, the intruder alarm signalling provider, recently released a mobile app. It’s aimed at installers, and appears to allow them to perform site surveys (see signal strength for different...

Stop doing client-side password hashing

Right, this has come up enough to write a post about it. Stop hashing passwords on the client-side and sending the hash in the clear. It is not a substitute for HTTPS! Here is an example of this being...

You don’t need to read or agree to a EULA to extract binaries

Impero Software have sent a particularly dickish letter to @TheWack0lian after he raised a security vulnerability (unauthenticated user remote command execution) in their software. Impero’s entire...

InSecurTek Monitoring

Update: The director of IT from Securtek got in touch via the contact form. They are working to fix these issues, and his response was measured and reasonable, especially in light of my rather...

Backdoor root account on Visonic Powerlink 2 modules

During a routine pen-test of an alarm receiving centre, a repository of manufacturer firmware was found. This is often quite hard to get hold of, and I welcomed the opportunity to reverse some of...

Open Risco support portal including private FTP credentials

During a routine pen-test of an alarm receiving centre, I was googling for default usernames and passwords of Risco software and alarms. When doing this, I found an abandoned support portal...

Vulnerability in Risco Lightsys protocol encryption

During a routine pen-test of an alarm receiving centre, a piece of software was found that was used to remotely configure Risco alarms. This software communicates with alarm panels, sometimes over IP,...

Customer database leak on CSL Dualcom’s SIM registration portal

CSL Dualcom sell SIMs for M2M purposes. They need to be registered on their website. This website is http://m2mconnect.csldual.com/SignUp – firstly note how this does not have TLS. This is not...

CSL Dualcom Gemini Cisco VPN endpoint vulnerable to POODLE attack

CSL Dualcom use Cisco VPN software to connect to their management platform, Gemini. The server that does this is listed as https://cslvpn.cslconnect.com/. On inspection with SSLLabs test, there are...
