Papers
A Vulnerability Analysis of Endpoint Management & Monitoring Solutions
Technical Whitepaper - ERNW GmbH
Endpoint management and monitoring solutions are used to monitor and administer servers and clients in most corporate networks. While enabling automation and centralized management, they also significantly add to the network's attack surface. Most solutions deploy high-privileged agent services to all systems in the network, which are centrally controlled via custom communication protocols. A security vulnerability in the central component, the agent services, or the communication channels can have a major impact on network integrity, affecting the entire company.
In this paper we analysed several well-known endpoint management & monitoring solutions for vulnerabilities. Our research shows that all of the analysed solutions contained vulnerabilities, often with a critical impact that allowed arbitrary code execution on certain components of the solution.
Lost and Found: Stopping Bluetooth Finders from Leaking Private Information
A Bluetooth finder is a small battery-powered device that can be attached to important items such as bags, keychains, or bikes. The finder maintains a Bluetooth connection with the user’s phone, and the user is notified immediately on connection loss. We provide the first comprehensive security and privacy analysis of current commercial Bluetooth finders. Our analysis reveals several significant security vulnerabilities in those products concerning mobile applications and the corresponding backend services in the cloud. We also show that all analyzed cloud-based products leak more private data than required for their respective cloud services. Overall, there is a big market for Bluetooth finders, but none of the existing products is privacy-friendly. We close this gap by designing and implementing PrivateFind, which ensures locations of the user are never leaked to third parties. It is designed to run on similar hardware as existing finders, allowing vendors to update their systems using PrivateFind.
Vacuums in the Cloud: Analyzing Security in a Hardened IoT Ecosystem
Scientific Paper - Usenix WOOT 2019
With the advent of robot vacuum cleaners, mobile sensing platforms entered millions of homes. These gadgets not only put "eyes and ears" into formerly private spaces, but also communicate gathered information into the cloud. Furthermore, they reside inside the customer's local network. Hence, they are a prime target for attacks and, if compromised, become a privacy and security nightmare. Vendors are aware of robots being a target of interest; they employ various security mechanisms against tampering with devices and recorded data in the cloud.
In this paper, the Neato BotVac Connected and Vorwerk Kobold VR300 ecosystems are analyzed and the robot firmware is reverse engineered. To achieve the latter, a technique to bypass the devices' secure boot process is presented, revealing the firmware, which is then dissected to evaluate device-specific secret key generation and to trace vulnerabilities. We present flaws in the secret key generation and provide insight into the occurrence and exploitation of a buffer overflow, which together give an attacker complete control not only in the local network but also via the robots' cloud interface. Eventually, multiple attacks based on the findings are described and security implications are discussed. We shared our findings with the vendors, who further increased their otherwise commendable security mechanisms, and hope more vendors can take away valuable lessons from this highly complex Internet of Things (IoT) ecosystem.