RESOURCES

Thought leaders in information security, we conduct radical, world-changing research and deliver renowned presentations around the world.
Blogs | RESEARCH | August 17, 2016

Multiple Vulnerabilities in BHU WiFi “uRouter”

A Wonderful (and !Secure) Router from China The BHU WiFi uRouter, manufactured and sold in China, looks great – and it contains multiple critical vulnerabilities. An unauthenticated attacker could bypass authentication, access sensitive information stored in its system logs, and in the worst case, execute OS commands on the router with root privileges. In addition, the uRouter ships with hidden users, SSH enabled by default and a hardcoded root password…and injects a third-party JavaScript file into all users’ HTTP traffic. In this blog post, we cover the main security issues…

Tao Sauvage
Disclosures | ADVISORIES | August 3, 2016

Multiple Vulnerabilities in BHU WiFi “uRouter”

The BHU WiFi uRouter, manufactured and sold in China, contains multiple critical vulnerabilities. An unauthenticated attacker could bypass authentication, access sensitive information stored in its system logs, and in the worst case, execute OS commands on the router with root privileges. In addition, the uRouter ships with hidden users, SSH enabled by default and a hardcoded root password…and injects a third-party JavaScript file into all users’ HTTP traffic. IOActive has identified seven medium to critical risk vulnerabilities in the product. An attacker could exploit these issues to fully compromise the…

Launch PDF
Tao Sauvage
Disclosures | ADVISORIES | July 21, 2016

Multiple Vulnerabilities in D-Link DCS-5009L IP Camera

The D-Link DCS-5009L IP Camera can be used to remotely monitor your home. It can be accessed via the D-Link Cloud or configured to upload recordings to an FTP server, as well as send notifications by email. The DCS-5009L can rotate and tilt, and has night vision and movement detection. IOActive has identified four high-risk and two low-risk vulnerabilities in the D-Link DCS-5009L IP Camera. An attacker could exploit these issues to fully compromise the confidentiality, integrity, and availability of the product.

Launch PDF
Tao Sauvage
Blogs | INSIGHTS | March 22, 2016

Inside the IOActive Silicon Lab: Interpreting Images

In the post “Reading CMOS layout,” we discussed understanding CMOS layout in order to reverse-engineer photographs of a circuit to a transistor-level schematic. This was all well and good, but I glossed over an important (and often overlooked) part of the process: using the photos to observe and understand the circuit’s actual geometry. Optical Microscopy Let’s start with brightfield optical microscope imagery. (Darkfield microscopy is rarely used for semiconductor work.) Although reading lower metal layers on modern deep-submicron processes does usually require electron microscopy, optical microscopes still have…

Andrew Zonenberg
Disclosures | ADVISORIES | February 17, 2016

SimpliSafe Alarm System Replay Attack

The radio interface for the SimpliSafe home burglar/fire alarm systems is not encrypted and does not use “rolling codes,” nonces, two-way handshakes, or other techniques to prevent transmissions from being recorded and reused. An attacker who is able to intercept the radio signals between the keypad and base station can record and re-play the signal in order to turn off the alarm at a time of his choice in the future.

Launch PDF
Andrew Zonenberg
Disclosures | ADVISORIES | November 19, 2015

Lenovo TVSUkernel Escalation of Privileges

The Lenovo System Update allows least-privileged users to perform system updates. To do this, System Update includes the System Update service (SUService.exe). This service runs as the privileged SYSTEM user, creates a temporary user account with Administrator privileges, and starts a GUI application (Tvsukernel.exe) with the new Administrator account. Once the application is closed, the temporary Administrator account is appropriately deleted. However the GUI application contains links to online support and privacy help topics, which, when clicked, start a web browser instance under the temporary Administrator account to display the…

Launch PDF
Sofiane Talmat
Disclosures | ADVISORIES |

Lenovo System Update Created an Insecure Random Administrator Password

This vulnerability allows a local unprivileged user to elevate privileges to Administrator or SYSTEM. Since the user is running the System Update is an unprivileged user, the SUService that is running as System will run the UACsdk.exe binary to create a temporary Administrator account to run the GUI application (Tvsukernel.exe).

Launch PDF
Sofiane Talmat
Disclosures | ADVISORIES | September 28, 2015

Harman-Kardon UConnect Vulnerability

UConnect 8.4AN/RA3/RA4 are vehicle-based infotainment systems. UConnect systems are integrated in certain makes of Chrysler, Dodge, Jeep, and Ram vehicles. The UConnect infotainment system allowed an unauthenticated connection from other access points on the Sprint Network. An attacker could issue commands to other components within the vehicle through the infotainment system.

Launch PDF
Chris Valasek & Charlie Miller

Arm IDA and Cross Check: Reversing the 787’s Core Network

IOActive has documented detailed attack paths and component vulnerabilities to describe the first plausible, detailed public attack paths to effectively reach the avionics network on a 787, commercial airplane from either non-critical domains, such as Passenger Information and Entertainment Services, or even external networks.

ACCESS THE WHITEPAPER


IOACTIVE CORPORATE OVERVIEW (PDF)