Father of two sons and ARIS fan.
Named NOT A UNICORN!🦄
IDOR as a service.
@_ifigeneia husband
@atroposai jack of all trades
Never ethical, mostly legal...
Hello @xiaomi and @XiaomiIndia, is there a reason my phone, which is set up on the India region, has a constant connection over XMPP to a US IP? It seems this comes from your internal com.xiaomi.xmsf app.
@MakisSinodinos @TheKoulWay
When the war is over, the politicians take back the remaining ammunition, the rich produce more food, and the poor search the graves for the names of their children…
Defcon uploaded all talks to the media server, so my #defcon31 talk, "The art of compromising C2 servers - A web application vulnerabilities perspective", is now available.
I hope you enjoy it as much as I enjoyed returning home :D
Totally Pwning the Tapplock Smart Lock (the API way)
Special thanks to @TheKenMunroShow and @cybergibbons for all their help with this disclosure.
@Tapplock brought the API down until it's fixed, after some pressure, so I am able to release this.
Probably one of the best talks I ever did; happy that I managed to talk at #defcon and did not end up in a van. A massive thank you to everyone that attended!
So my wife just told me "what IoT do you want as a gift to hack for your birthday?". Other people get shirts and travels, I will get a SCADA modem! I see it as a win!
Also, is there a reason you are sending all kinds of "telemetry", including the known URLs issue, to which seems to be hosted in Hong Kong? I vaguely remember someone reassuring that ALL India data is kept within India. This is most certainly not an Indian IP.
9yo: our teacher does not allow us to turn off cameras but I have visual effects, freeze myself by using a video of the past minute and do what I want. I don't know if I should be proud or furious...
I guess the #DEFCON31 git repository is ready.
Source code for 5 botnet C2s dumped.
3 of them with an unauthenticated RCE.
The number of active bots is ridiculously high.
I will be presenting this on the 13th of August at 11:00 on track 2.
Hello @XiaomiIndia and @Xiaomi, how are you? Remember me? I am that strange guy that constantly looks at your requests... So you know what is going to happen, right? A Saturday thread about your Mi Pay Indian app.
I decided to take a deeper look at the EV charger industry. After more than a year of research:
✔️ 3 account takeover vulnerabilities
✔️ 2 platform takeover vulnerabilities
✔️ multiple hardware vulnerabilities.
I can say: mission accomplished.
We looked at 6 smart electric car chargers: VERY variable security. Trivial account hijack, missing request authorisation, potential to destabilise the power grid & more.
@evstykas explains:
Hello and good morning again @Xiaomi and @XiaomiIndia, I can see from here that you are trying to cover GDPR, but yeah: I see you missed quite a few. Norway requires you to follow GDPR. And yes, I set my region to Norway and you sent data to a Hong Kong...
OK, I was just joking with my last question, I know how to opt out. When I switch my region to a GDPR country, no "telemetry" (except the browser) is being sent. So you either care too much about European users' privacy or too little about their "better experience". I am sure it's No. 1.
So someone did what I was warning about for watches at @44CON, but with... routers. INTERESTING. This is a viable attack vector on any device that can send SMS.
Your "music" app sends EVERY click that I do + all the songs that I play, stop and pause back in batches. Is this something you monitor for "better usage"? If yes, can we just opt out somehow?
@printfJess I have so many questions too. But my main goal is not to get killed or a divorce, so I will try to get a shell once I am back in Greece in a month. If I break it remotely while not being in the house, my wife will find me and WILL KILL ME.
Today I was obliged to learn about ifs and whiles in pseudocode by my son's teacher. It was really interesting to see how other parents with no connection to CS struggled. It was really scary when I understood how many things I took for granted when explaining shit to people.
I don't believe I have to say that after 4 years but: DO NOT USE CHEAP GPS DEVICES TO TRACK ANYTHING.
It was not funny 4 years ago, it still isn't. Trackmageddon devices are still being actively sold. FFS
Also your miuidaemon app (as noted YEARS ago by @fs0c131y). I really can't see any reason for all those things to be uploaded to a Hong Kong server. I cannot see a reason for this app being in my default user build.
IoT vendors that feel that having a root account with a hardcoded password on ALL your devices, which you don't mention, is OK: STOP. This will not end well for you or your users.
If you are around at #defcon31 and interested in malware, come see my talk tomorrow at 11:00 on track 2.
Will release source code for the following C2s: Smokeloader, Amadey, Harly, Clipper and Manipulated Caiman.
And WHY do all those metrics stop IMMEDIATELY when I set my region to the EU? (They work if my region is India, US or China.) Is there a reason you don't need all those intrusive statistics for someone in Europe?
Hello @Xiaomi and @XiaomiIndia, remember me? I am that strange guy with the Redmi device! Is there a reason you are sending 1 request every minute to (the IP is 161.117.193.95 and the location is CHINA, not India)?
Now, after that, what could we do? Probably RCE, but that's beyond our scope and well within CMA territory. What should we do?
Mark it as spam, wait for Chrome to process it and educate our friends about scams and phishing.
Nice start for the week!
So to sum up: a consistent, constant XMPP connection to a US server, super intrusive "telemetry" that stops immediately when the region is in the EU, and a daemon application that has no place there and seems to be able to gather EVERYTHING from the phone. That does not look good.
Guess who reached 6 owned C2 panels for his #defcon31 talk? Interesting panel, written in Go.
Also "Signer - Currently doesnt work. have to get real EV cert"
OK, I stand corrected. These are all the apps that I have run through the day. I cannot see any reason this is needed. Also, this is attached to the MD5 of my IMEI. ALL that data is going to a Hong Kong server.
Today I am talking at @AutoSecResGroup about how you can attack cars from the cloud. It's mostly videos of frustrated colleagues with bricked cars in the UK and me laughing in Greece...
I told you today was going to be strange... An IDOR to expose half a million internal networks. 2 weeks to patch. The irony of using a firewall as a backdoor device from the cloud is GOLD.
So your iPhone got stolen, you tried calling it from several phones and it was turned off. Soon after, all those phones get an SMS with a phishing link that tells you to log in so that you can see where your phone is.
A 🧵 with a (not so deep) dive into a panel ->
Shock, folks, is when it's the first time. When someone is MURDERED and a prosecutor calls it a misdemeanour, and when an attack on unrelated people gets laundered as a "brawl" because there is a lot of ruble in the Medellín of Greece, you have no right to be shocked. Condolences to the family.
So it's one of those days when @cybergibbons asks you about an API and you end up with a legitimate function that is named "crash server"...
Why do you do this to yourselves and your products?
API developers that think passing raw SQL as a parameter is a good idea. IT'S NOT. It never is. It never was. And it will NEVER BE. On a totally unrelated note, you should also have a daily backup.
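What "raw SQL as a parameter" means in practice, as an added example that is not the author's code nor any vendor's: a report endpoint that hands a caller-supplied `sql` string to the database beside the version a practitioner would ship, which only accepts allow-listed report names and binds the caller's identity as a parameter. The table, column names, endpoint names and sample rows are constructed assumptions for illustration; the database is an in-memory SQLite so the block runs offline.

```python
"""Added example (not the author's code): a raw-SQL 'report' endpoint next to
a hardened one. Table, columns, report names and sample rows are assumptions
constructed for this illustration only.
"""
import sqlite3

# Allow-listed reports: the only SQL that ever reaches the database is text
# the developer wrote; the caller chooses a name, never a statement.
REPORTS = {
    "my_devices": "SELECT id, name FROM devices WHERE owner = ? ORDER BY id",
    "my_device_count": "SELECT COUNT(*) FROM devices WHERE owner = ?",
}


def make_db() -> sqlite3.Connection:
    """Constructed sample data: a tiny 'devices' table owned by two users."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE devices (id INTEGER PRIMARY KEY, owner TEXT, name TEXT)"
    )
    conn.executemany(
        "INSERT INTO devices (owner, name) VALUES (?, ?)",
        [("alice", "charger-1"), ("alice", "charger-2"), ("bob", "lock-1")],
    )
    conn.commit()
    return conn


def report_vulnerable(conn: sqlite3.Connection, params: dict) -> list:
    """The anti-pattern: whatever arrives in ?sql=... is executed as-is.

    Nothing ties the statement to the calling user, so any caller can read
    every tenant's rows, change data or drop the schema.
    """
    return [tuple(row) for row in conn.execute(params["sql"])]


def report_hardened(conn: sqlite3.Connection, session_user: str,
                    params: dict) -> list:
    """Hardened form: allow-listed report name + bound parameters.

    The owner filter comes from the authenticated session, not from the
    request, so a caller cannot widen the query to other users' data.
    """
    name = params.get("report")
    if name not in REPORTS:
        raise ValueError(f"unknown report: {name!r}")
    return [tuple(row) for row in conn.execute(REPORTS[name], (session_user,))]


def demo() -> dict:
    """Run both endpoints against the same data and collect the outcomes."""
    conn = make_db()
    out = {}

    # 1. Cross-tenant read: alice asks the vulnerable endpoint for bob's rows.
    out["cross_tenant_read"] = report_vulnerable(
        conn, {"sql": "SELECT name FROM devices WHERE owner = 'bob'"}
    )

    # 2. The hardened endpoint has no statement parameter to abuse; a raw
    #    statement is simply not a known report name and is rejected.
    try:
        report_hardened(conn, "alice",
                        {"report": "SELECT name FROM devices WHERE owner = 'bob'"})
        out["hardened_rejects_raw_sql"] = False
    except ValueError:
        out["hardened_rejects_raw_sql"] = True
    out["hardened_alice"] = report_hardened(conn, "alice", {"report": "my_devices"})

    # 3. Destructive: the vulnerable endpoint lets any caller drop the table,
    #    which is where the "daily backup" remark comes in.
    report_vulnerable(conn, {"sql": "DROP TABLE devices"})
    try:
        report_hardened(conn, "alice", {"report": "my_devices"})
        out["table_survives"] = True
    except sqlite3.OperationalError:
        out["table_survives"] = False
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The hardened handler still needs the usual input validation on any additional parameters (limits, date ranges), but the structural fix is that the set of executable statements is fixed at build time and the tenant filter is bound server-side.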
- What do you do for a living, Dad?
- Finding IDORs and holes in clouds, mainly.
- Clouds as in the sky ?
- NO
- So your name is Jesus ?
- NO
- So you can manipulate everything over...
- NO
- Can I watch "Cloudy with a Chance of Meatballs" ?
- Yes
Grandstream provides IP video, voice, Wi-Fi & related services and equipment around the world. Our @evstykas had a look at their GWN Cloud management platform...
'Cloud-y, with a chance of hacking all the wireless things'
#IDOR
#VulnerabilityDisclosure
I can only guess why this is done (GDPR might ring a bell), but I have to give extra credit that the developer went the extra mile and said "if the country is empty, let's assume he is in the EU, just to be safe".
So @olihough86 gave us this really nice gift of bad code and I have 20 minutes free before the kiddos understand I am not actually working, so let's download the source and see what the heck is wrong with this :)
Gather around, folks, that's gonna be FUN!
So I had a great time presenting stuff we found through the year with @tautology0 at @BSidesAth. First talk of a series that is coming... Need to up my speaking skills!
#bsidesberlin and Berlin in general were epic! Really happy that I was able to present my C2 research for the last time. Next one is @BSidesLondon and connected chaos!
Keep in mind that the Music and ShareMe apps seem to have over 100 million downloads on the Google Play store, so this is a rather big user base that is affected.
So my 2020 goal was to prove to myself that I can get some certifications. OSCP done. Azure Fundamentals done. AWAE starting this week. Let's see how many I can do by the end of this year :)
Vulnerability in the @CalAmp cloud service, used by several high-profile car alarms and remote car start systems, allowed attackers to take over user accounts and vehicles. This is now patched, so we (@georlav and I) are releasing it.
The application has the same issue that your browser had back in March, which @cybergibbons reported, but it's a little bit worse. Would definitely want to see your opinion of this "non-issue" again.
Back home after a really nice #BsidesLDN2022!
Really happy that I saw so many people yesterday (and sorry I missed people that I shouldn't have!)
Next one is @BSidesRoma!