INSIGHTS, NEWS & DISCOVERIES
FROM IOACTIVE RESEARCHERS

Thursday, December 17, 2015

(In)secure iOS Mobile Banking Apps – 2015 Edition

By Ariel Sanchez

Two years ago, I decided to conduct research in order to obtain a global view of the state of security of mobile banking apps from some important banks.
In this blog post, I will present my latest results to show how the security of the same mobile banking apps has evolved.

Scope

My research included 40 mobile banking apps with the following global distribution:



The metrics I used for this research are the same as before:
  • Limited to iOS platform
  • Black box approach
  • All tests were only performed on the app (client side); my research excluded any server-side testing
  • This research does not describe the vulnerabilities I found or how to exploit them in order to protect the owners of the apps and their customers
  • Some of the affected banks were contacted, and the vulnerabilities reported

Wednesday, December 9, 2015

Maritime Security: Hacking into a Voyage Data Recorder (VDR)

by Ruben Santamarta @reversemode


In 2014, IOActive disclosed a series of attacks that affect multiple SATCOM devices, some of which are commonly deployed on vessels. Although there is no doubt that maritime assets are valuable targets, we cannot limit the attack surface to those communication devices that vessels, or even large cruise ships, are usually equipped with. In response to this situation, IOActive provides services to evaluate the security posture of the systems and devices that make up the modern integrated bridges and engine rooms found on cargo vessels and cruise ships. [1]

There are multiple facilities, devices, and systems located on ports and vessels and in the maritime domain in general, which are crucial to maintaining safe and secure operations across multiple sectors and nations.

Port security refers to protecting all of these assets from acts of piracy, terrorism, and other unlawful activities, such as smuggling. Recent activity appears to demonstrate that cyberattacks against this sector may have been underestimated. As threats evolve, procedures and policies must improve to take these new attack scenarios into account. For example, https://www.federalregister.gov/articles/2014/12/18/2014-29658/guidance-on-maritime-cybersecurity-standards

This blog post describes IOActive’s research related to one type of equipment usually present in vessels, Voyage Data Recorders (VDRs). In order to understand a little bit more about these devices, I’ll detail some of the internals and vulnerabilities found in one of these devices, the Furuno VR-3000.