Should GNSS be a threat vector in your threat model?
Tue, 03 Apr 2018

GPS, or more broadly GNSS, is a fundamental technology for IoT positioning and time estimation. Developers typically treat GPS as a trusted input to the system because manipulating GPS signals is presumed to be too difficult for the casual attacker. Lab testing at Carve shows us that this isn't the case: there are readily available software tools for manipulating GPS inputs to find software flaws. Time to rethink the threat model.

pin2pwn: How to Root an Embedded Linux Box with a Sewing Needle
Sat, 06 Aug 2016

One of the most critical issues that we look for when we assess an embedded/IoT device is secrets that are shared across the device population. Usually, finding these secrets involves gaining full access to our own device in order to find out how other devices may be affected. For example, an LTE router may have a service account hard-coded into its firmware to allow for remote support. If we can recover the account credentials and method of access, we can "service" any device that is accessible to us. This post is about one of the methods we use to ...

NFC Edge Cases and Past Transgressions
Fri, 15 Apr 2016

First of all, if Fallout Boy wants to use this title for one of their songs, please contact my agent. Second, and more importantly, the Vancouver metro system was/is affected by a bug that can be exploited to grant free rides to anyone with an NFC smartphone. We as a security community have known about this since 2012, when Corey and I discovered, disclosed, and presented the bug. There was a lot of press surrounding our disclosure:

Welcome to IooT: Innovations on old Technology
Sat, 07 Nov 2015

Carve has been researching security trends in the IoT space for the last two years. The results are sobering.

IoT Hacking: Peeking in IPSEC tunnels with Wireshark
Fri, 30 Oct 2015

IPSEC locked the door? Use xt_TEE to inspect IPSEC traffic before encryption.

Patching BL/BLX instructions in ARM
Thu, 15 Oct 2015

Have you ever found yourself wanting to patch an ARM binary to change a BL instruction? If so, read on!