Dragos Ruiu
Stop, Think, Pwn.
Dragos's posts

FFS whoever thought that including an I2C bus on VGA and DVI connectors that can reflash the firmware on any Mediatek/Mstar SoCs/CPUs used in most smart TVs (esp 4k models, they proudly proclaim their leading marketshare) and Android based TV boxes or video anything without any authentication was a good idea.

Bet you thought those were analog video plugs on those cables you were plugging in right?

Ha ha, we are so screwed.

Did you know that your phone memory, and your desktop/laptop SSD have a special TPM-like encrypted area of storage called the RPMB (replay protected memory block) which can only be read or written if you have the special encryption key, and that key can only be programmed once, with no reset procedure? Sounds perfect for stealthy malware, along with the TWO boot areas you can swap in which are also inaccessible to user and operating system code. Oh, also there is a way to update the storage controller firmware which is portable across all phones, SSDs, computers and devices from all manufacturers. Oh, thank you, JEDEC for making universal stealthy malware easy as pie....
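As an added illustration (not part of the original post), here is a simplified Python model of the RPMB mechanics mentioned above: a key that can be programmed exactly once, a monotonic write counter, and an HMAC-SHA256 over every write so that a stale or replayed frame is rejected. The frame fields, result strings and `RpmbModel`/`host_write` names are constructed for this example and do not follow the JEDEC byte layout.

```python
import hashlib
import hmac
import os


class RpmbModel:
    """Constructed, simplified model of an eMMC RPMB partition.

    Models the three properties the post refers to: one-time key
    programming, a monotonic write counter (replay protection), and
    HMAC-SHA256 authentication of each write. Not the JEDEC frame format.
    """

    def __init__(self, blocks=16):
        self.key = None            # None until programmed, then immutable
        self.write_counter = 0     # incremented only on successful writes
        self.data = [bytes(256) for _ in range(blocks)]

    def program_key(self, key):
        if self.key is not None:
            return "key_already_programmed"   # no reset procedure
        self.key = key
        return "ok"

    def mac(self, key, addr, counter, payload):
        # MAC binds address, counter and payload together.
        msg = addr.to_bytes(2, "big") + counter.to_bytes(4, "big") + payload
        return hmac.new(key, msg, hashlib.sha256).digest()

    def authenticated_write(self, addr, counter, payload, mac):
        if self.key is None:
            return "no_key"
        if counter != self.write_counter:
            return "counter_mismatch"         # stale or replayed frame
        expected = self.mac(self.key, addr, counter, payload)
        if not hmac.compare_digest(expected, mac):
            return "auth_failure"             # caller lacks the key
        self.data[addr] = payload
        self.write_counter += 1
        return "ok"


def host_write(dev, key, addr, payload):
    """Host side: build a frame for the device's current counter and send it."""
    counter = dev.write_counter               # real RPMB: read-counter request
    frame = (addr, counter, payload, dev.mac(key, addr, counter, payload))
    return frame, dev.authenticated_write(*frame)


def demo():
    dev = RpmbModel()
    key = os.urandom(32)                      # constructed sample key
    r_key = dev.program_key(key)
    r_rekey = dev.program_key(b"\x00" * 32)   # second programming refused
    frame, r_write = host_write(dev, key, 3, b"A" * 256)
    r_replay = dev.authenticated_write(*frame)  # same frame again: stale counter
    r_nokey = dev.authenticated_write(3, dev.write_counter, b"B" * 256, b"\x00" * 32)
    return r_key, r_rekey, r_write, r_replay, r_nokey
```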

JSON Parser crashes? Interesting.... (heh)

Some really good work here. 

So about those biometrics.... the folks at CCC continue their long battle against them, and have now created a synthetic general fingerprint that unlocks 65% of phones. Passwords you can't change, and now someone has guessed the passwords. I've always said those fingerprint sensors provide about the comparative level of security of a TSA luggage lock.

So you may be wondering if your life is interesting enough to have earned an APT (advanced persistent threat) "implant" on your phone... or not... either way here is a little test that can give you some indications. On Android and iOS devices, once you force power cycle the device, they shut down. On some variants of implants the force power cycled phone reboots, and restarts immediately or a short time period after the forced power cycle. Shut down your phone with the two finger salute, and if it starts right back up like an undead zombie... yep, your life is probably more interesting than you wanted, and you may want to consider what information you are putting into your digital devices and sharing with parties unknown.

Presumably this behaviour is to maintain the phone device as a gateway for all your other pwned devices that are communicating over Bluetooth Low Energy PAN (personal area network, a Bluetooth peer to peer thingie). Yes, I know you've turned off all your Bluetooth settings, and maybe even uninstalled the drivers on your laptop for your combo WiFi / Bluetooth card. But even though your OS is reporting that it's off - that is not really any indication of whether the chip is really disabled and if there is any code somewhere on your device talking to that sucker or not. The only real ways to be sure are to electrically disconnect it, or verify lack of transmissions using a spectrum analyzer, to look for the distinctive Bluetooth frequency hopping bandwidth use, or a logic analyzer to trigger on Bluetooth traffic being put into the card.

Of Intel ME, BBBc, SPI, SOIC, MEI, flashrom, and many things... (all of which you should probably be concerned with but likely aren't yet)

Why is the security functionality always the most vulnerable? Microsoft Application Verifier Provider vuln.

One of the incidents that has bugged me a lot, is trying to figure out how the display drivers on one of the computers we will use to project classic arcade games to play with XArcade tank sticks on big screens so folks can get their Street Fighter rivalries settled for the party room at CanSecWest changed. It had bugged me because this computer had no network cards, and had never been networked since we were using a special OS image and drivers a bunch of very kind and gracious folks at Microsoft had helped us debug to get it working at a previous year's conference for this specific single use. Now I can put that mystery to rest (and begin other investigation :-) because I realized that machine had shared HDMI monitors (a "smart" TV) with another computer of more dubious security level and configuration. Someone must have gone there. Guess folks (well me really :-) need to remember that secured computers sharing monitors is the computer equivalent of unprotected sex, especially since HDMI 1.3 and later made HDMI == Ethernet.

There are really a very large number of ways that high resolution timers are dangerous weapons - which should have access controls for safety, and here is another new one: Timing MMU page table walks from JavaScript to nullify ASLR address space randomization portably on many many OSes and computers. FYI the only vendor I know that gives you granular control of high resolution timers, allowing the owner to enable or disable them from BIOS, is Intel - another reason I like their hardware so much.

Mac macro malware