Thought leaders in information security, we conduct radical, world-changing research and deliver renowned presentations around the world.
Blogs | INSIGHTS | September 8, 2015

The Beauty of Old-school Backdoors

Currently, voodoo advanced rootkit techniques exist for persistence after you’ve got a shell during a pen test. Moreover, there are some bugdoorsimplemented on purpose by vendors, but that’s a different story. Beautiful techniques and code are available these days, but, do you remember that subtle code you used to use to sneak through the door? Enjoy that nostalgia by sharing your favorite one(s) using the #oldschoolbackdoors on social networks.   In this post, I present five Remote Administration Tools (RATs) a.k.a. backdoors that I personally used and admired. It’s important…

Alejandro Hernandez
Blogs | INSIGHTS | June 4, 2013

Industrial Device Firmware Can Reveal FTP Treasures!

Security professionals are becoming more aware of backdoors, security bugs, certificates, and similar bugs within ICS device firmware. I want to highlight another bug that is common in the firmware for critical industrial devices: the remote access provided by some vendors between their devices and ftp servers for troubleshooting or testing. In many cases this remote access could allow an attacker to compromise the device itself, the company the device belongs to, or even the entire vendor organization. I discovered this vulnerability while tracking connectivity test functions within the firmware…

Sofiane Talmat
Blogs | INSIGHTS | May 23, 2013

Identify Backdoors in Firmware By Using Automatic String Analysis

The Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) this Friday published an advisory about some backdoors I found in two programmable gateways from TURCK, a leading German manufacturer of industrial automation products. Using hard-coded account credentials in industrial devices is a bad idea. I can understand the temptation among manufacturers to include a backdoor “support” mechanism in the firmware for a product such as this. This backdoor allows them to troubleshoot problems remotely with minimal inconvenience to the customer. On the other hand, it is only a…

Ruben Santamarta
Blogs | INSIGHTS | May 3, 2012

Enter the Dragon(Book), Pt 2

Nobody has been able to find this backdoor to date (one reason I’m talking about it). While the C specification defines many requirements, it also permits a considerable amount of implementation-defined behavior (even though it later struck me as odd that many compilers could be coerced into generating this backdoor in an identical way).   From the C specification; Environmental Considerations, Section 5.2—in particular section (Translation limits)—seems to offer the most relevant discussion on the topic.   Here’s a concise/complete example: typedef struct _copper {   char field1[0x7fffffff];…

Shane Macaulay
Blogs | INSIGHTS | March 6, 2012

Enter the Dragon(Book), Part 1

This is a fairly large topic; I’ve summarized and written in a somewhat narrative/blog friendly way here.   A few years ago I was reading a blog about STL memory allocators (, memory allocators being a source of extreme security risk, I took the author’s statement, “I’ve carefully implemented all of the integer overflow checks and so forth that would be required in real production code.” as a bit of a challenge. After playing with permutations of the code I was able to get failures of this…

Shane Macaulay

Arm IDA and Cross Check: Reversing the 787’s Core Network

IOActive has documented detailed attack paths and component vulnerabilities to describe the first plausible, detailed public attack paths to effectively reach the avionics network on a 787, commercial airplane from either non-critical domains, such as Passenger Information and Entertainment Services, or even external networks.