Thought leaders in information security, we conduct radical, world-changing research and deliver renowned presentations around the world.
Blogs | INSIGHTS | May 24, 2012

QR Fuzzing Fun

QR codes [1] have become quite popular due to their fast readability and large storage capacity to send information. It is very easy to find QR codes anywhere these days with encoded information such as a URL, phone number, vCard information, etc. There exist tons of apps on smartphones that are able to read / scan QR codes.     The table below shows some of the most common apps and libraries for the major mobile platforms – keep in mind that there are many more apps than listed here….

Blogs | INSIGHTS | May 22, 2012

ST19XL18P – K5F0A Teardown

4 Metal, 350 nanometer fabrication process, EAL4+ smart card.  A device fabricated in 2002 and yet, today the latest ST19W/N series only main differences are the ROM data bus output width into the decrypt block and the fabrication process (180nm and 150nm shrink). The device was dipped into a HydroFluoric (HF) bath until the active shielding fell off.  The result of this saved about 10 minutes of polishing to remove the surface oxide and Metal 4 (M4).  This also helps begin the polishing process on the lower layers fairly evenly….

Blogs | INSIGHTS | May 15, 2012

#HITB2012AMS: Security Bigwigs and Hacker Crème de la Crème Converge in Amsterdam Next Week

  Hi guys! We’re less than a week away from #HITB2012AMSand we’re super excited to welcome you there! HITBSecConf2012 – Amsterdam, our third annual outing in Europe will be at the prestigious Hotel Okura Amsterdam and this year marks our first ever week-long event with what we think is a simply awesome line-up of trainings, speakers, contests and hands-on showcase activities. There should be pretty much something to…

Blogs | INSIGHTS | May 3, 2012

Enter the Dragon(Book), Pt 2

Nobody has been able to find this backdoor to date (one reason I’m talking about it). While the C specification defines many requirements, it also permits a considerable amount of implementation-defined behavior (even though it later struck me as odd that many compilers could be coerced into generating this backdoor in an identical way).   From the C specification; Environmental Considerations, Section 5.2—in particular section (Translation limits)—seems to offer the most relevant discussion on the topic.   Here’s a concise/complete example: typedef struct _copper {   char field1[0x7fffffff];…

Shane Macaulay
Blogs | INSIGHTS | April 25, 2012

Thoughts on AppSecDC 2012

The first week of April brought another edition of AppSecDC to Washington, D.C., but this year people from two different worlds came to the same conference: Web security and Industrial Control Systems security.  Of course, at the device level this convergence happened a long time ago if we take into account that almost every modern PLC  includes at least a web server, among other things.   I was presenting Real-world Backdoors in Industrial Devices on the Critical Infrastructure track, which included really exciting topics from well-known researchers including:…

Ruben Santamarta
Blogs | INSIGHTS | April 12, 2012

TLS Renegotiation and Load Balancers

  I seem to be fielding more and more questions of late around the rather well-known SSLv3 and TLS renegotiation flaw. For those who aren’t familiar, the TLS renegotiation flaw allows the injection of data into a SSLv3 or TLS stream, potentially causing data injection or the program to misbehave in some other fashion. It is not a full man-in-the-middle attack because the attacker can’t read what’s in the data stream, only inject into it. Ultimately, this is a protocol flaw—one that’s been fixed as an extension to TLS as…

Robert Zigweid
Blogs | INSIGHTS | April 4, 2012

Hackito Ergo Sum: Not Just Another Conference

My name is Jonathan Brossard, but you may know me under the nic Endrazine. Or maybe as the CEO of Toucan System.. Nevermind: I’m a hacker. Probably like yourself, if you’re reading this blog post. Along with my friends Matthieu Suiche and Philippe Langlois,—with the invaluable help of a large community worldwide—we’re trying to build a conference like no other: Hackito Ergo Sum. First, a bit of background on conferences as I have discovered them: I remember really well the first conference I attended almost a decade ago: it…

Blogs | RESEARCH | March 16, 2012

Atmel AT90SC3232CS Smartcard Destruction

Having heard that Atmel actually produced three variants of the AT90SC3232 device, we did some digging and found some of this previously never-seen-by-Flylogic AT90SC3232CS.  We had already several AT90SC3232 and AT90SC3232C.  We assumed that the CS was just a 3232C with an extra IO pad.  Well, one should never ass-u-me anything!  The AT90SC3232CS is a completely new design based on the larger AT90SC6464C device. Decapsulation revealed that Atmel actually did place an active shielding over the surface of the device.  A 350nm, 4 metal process was used on the AT90SC3232CS…

Blogs | INSIGHTS | March 12, 2012

3 Metal 350nm teardown explanation

Real quick image as posted on Facebook tech .at. profile. A Total of 4 overlayed images of a small section of an NEC upd78F9210 MCU. A FlipFlop and a few AND’s were quickly spotted. Can you find them?

Blogs | INSIGHTS | March 6, 2012

Enter the Dragon(Book), Part 1

This is a fairly large topic; I’ve summarized and written in a somewhat narrative/blog friendly way here.   A few years ago I was reading a blog about STL memory allocators (, memory allocators being a source of extreme security risk, I took the author’s statement, “I’ve carefully implemented all of the integer overflow checks and so forth that would be required in real production code.” as a bit of a challenge. After playing with permutations of the code I was able to get…

Shane Macaulay

Arm IDA and Cross Check: Reversing the 787’s Core Network

IOActive has documented detailed attack paths and component vulnerabilities to describe the first plausible, detailed public attack paths to effectively reach the avionics network on a 787, commercial airplane from either non-critical domains, such as Passenger Information and Entertainment Services, or even external networks.