INSIGHTS, NEWS & DISCOVERIES
FROM IOACTIVE RESEARCHERS

Monday, April 23, 2018

HooToo TripMate Routers are Cute But Insecure

By Tao Sauvage

It has been a while since I published something about a really broken router. To be honest, it has been a while since I even looked at a router, but let me fix that with this blog post.

TL;DR: While HooToo TripMate routers are cute, they are also extremely insecure. Multiple memory corruptions, multiple OS command injections, arbitrary file upload, and arbitrary firmware update: all of them unauthenticated.

Wednesday, January 31, 2018

Security Theater and the Watch Effect in Third-party Assessments

By: Daniel Miessler
Before the facts were in, nearly every journalist and salesperson in infosec was thinking about how to squeeze lemonade from the Equifax breach. Let’s be honest – it was and is a big breach. There are lessons to be learned, but people seemed to have the answers before the facts were available. 

Wednesday, January 24, 2018

Cryptocurrency and the Interconnected Home

By: Neil Haskins
There are many tiny elements to cryptocurrency that are not getting the awareness time they deserve. To start, the very thing that attracts people to cryptocurrency is also the very thing that is seemingly overlooked as a challenge. Cryptocurrencies are not backed by governments or institutions. The transactions allow the trader or investor to operate with anonymity. We have seen a massive increase in the last year of cyber bad guys hiding behind these inconspicuous transactions - ransomware demanding payment in bitcoin; bitcoin ATMs being used by various dealers to effectively clean money.

Wednesday, January 17, 2018

Easy SSL Certificate Testing

By: Enrique Nissim
tl;dr: Certslayer allows testing of how an application handles SSL certificates and whether or not it is verifying relevant details on them to prevent MiTM attacks: https://github.com/n3k/CertSlayer.

Thursday, January 11, 2018

SCADA and Mobile Security in the IoT Era

By: Alexander Bolshev (dark_k3y) Security Consultant, IOActive
Ivan Yushkevich (Steph) Information Security Auditor, Embedi

Two years ago, we assessed 20 mobile applications that worked with ICS software and hardware. At that time, mobile technologies were widespread, but Internet of Things (IoT) mania was only starting. Our research concluded the combination of SCADA systems and mobile applications had the potential to be a very dangerous and vulnerable cocktail. In the introduction of our paper, we stated “convenience often wins over security. Nowadays, you can monitor (or even control!) your ICS from a brand-new Android [device].”

Tuesday, November 21, 2017

Hidden Exploitable Behaviors in Programming Languages

By Fernando Arnaboldi

In February 28th 2015 Egor Homakov wrote an article[1] exposing the dangers in the open() function from Ruby. The function is commonly used when requesting URLs programmatically with the open-uri library. However, instead of requesting URLs you may end up executing operating system commands.