Meltdown and Spectre. Oh My!
Fri, 05 Jan 2018

There have been a lot of new terms floating around the internet these last few days: Meltdown, Spectre, etc. What does it all mean? In this post, I will explain the high-level pieces, what systems are affected by this, and what you can do to better protect yourself against it.

Android 7 Cellular MiTM
Tue, 24 Oct 2017

Performing security assessments of complex systems sometimes requires some technical gymnastics to "man-in-the-middle" (MITM) communications between components. MITM techniques are essential for observing and manipulating communications in ways that a developer may not have anticipated. As system defenses improve, the task of setting up a MITM environment for a system …

Proxying WBXML Services
Wed, 20 Sep 2017

What could make XML more excruciating? BINARY XML!

Shell Escapes
Fri, 02 Dec 2016

All too often developers give authenticated users access to a restricted CLI and hope for the best. It usually doesn't work out well for them.

MiTM using Golang, meet Timmy
Tue, 08 Nov 2016

This post is an introduction to Timmy (Tiny evil man in the middle). There are a lot of MiTM tools used to assess software that communicates via TCP/IP. They all have a few basic ingredients, but often differ stylistically or in their intended use cases. Burp can do invisible …

Wear's the MITM?
Wed, 19 Oct 2016

Recently, we needed to man-in-the-middle TLS traffic coming from an Android Wear application. On a regular Android app, this would be an easy thing to do, but we started to run into trouble pretty quickly on the only Android watch that we had at our disposal, the 1st generation LG …

pin2pwn: How to Root an Embedded Linux Box with a Sewing Needle
Sat, 06 Aug 2016

One of the most critical issues that we look for when we assess an embedded/IoT device is secrets that are shared across the device population. Usually, finding these secrets involves gaining full access to our own device in order to find out how other devices may be affected. For example, an LTE router may have a service account hard-coded into its firmware to allow for remote support. If we can recover the account credentials and method of access, we can "service" any device that is accessible to us. This post is about one of the methods we use to ...

Securing M2M Gateways
Fri, 10 Jun 2016

There are a staggering number of M2M gateways on the market. In some cases, gateways are designed and marketed for specific use-cases, such as in-vehicle connectivity and fleet management, sensor data aggregation and telematics, and home automation and management. Others are meant to provide failover cellular connectivity for a satellite office or kiosk. Over the last several years, Carve has researched gateway security, analyzing dozens of devices from various manufacturers. Throughout the process, we’ve disclosed numerous vulnerabilities and worked with the vendors to fix or control the issues we raise.

NFC Edge Cases and Past Transgressions
Fri, 15 Apr 2016

First of all, if Fallout Boy wants to use this title for one of their songs, please contact my agent. Second, and more importantly, the Vancouver metro system was/is affected by a bug that can be exploited to grant free rides to anyone with an NFC smartphone. We as a security community have known about this since 2012, when Corey and I discovered, disclosed, and presented the bug. There was a lot of press surrounding our disclosure:

Welcome to IooT: Innovations on old Technology
Sat, 07 Nov 2015

Carve has been researching security trends in the IoT space for the last two years. The results are sobering.