Before yesterdayResearch Blog by Security Research Labs
-
Research Blog by Security Research Labs
- Hacking mobile networks has gotten a lot more interesting with 5G and Open RAN
Hacking mobile networks has gotten a lot more interesting with 5G and Open RAN
8 August 2022 at 06:53
Cloud security is often the weakest link in modern 5G networks according to our red team hacking assessments. Telcos have an opportunity now to embrace cloud security best practices and make 5G networks much more hacking resilient.
-
Research Blog by Security Research Labs
- Extended Android security check: SnoopSnitch tests for Java vulnerabilities
Extended Android security check: SnoopSnitch tests for Java vulnerabilities
8 June 2022 at 08:20
SRLabs research found a significant patch gap in the Android patch ecosystem, which has since been shrunk. In our hunt for more missing patches, our SnoopSnitch app now detects significantly more potential vulnerabilities by analyzing Java bytecode.
-
Research Blog by Security Research Labs
- Chaining Three Zero-Day Exploits in ITSM Software ServiceTonic for Remote Code Execution
Chaining Three Zero-Day Exploits in ITSM Software ServiceTonic for Remote Code Execution
8 June 2022 at 08:20
This blog post covers how three zero-days in one software product were chained together to access a company network through an Internet-accessible web application and then fully compromise it.
-
Research Blog by Security Research Labs
- When your phone gets sick: FluBot abuses Accessibility features to steal data
When your phone gets sick: FluBot abuses Accessibility features to steal data
8 June 2022 at 08:20
By abusing Accessibility features the FluBot malware circumvents Android's permission system to steal banking credentials. We explain how FluBot does this and what app developers can do to protect their users.
New RCS technology exposes most mobile users to hacking
8 June 2022 at 07:56
In the second half of 2019, Google and a group of mobile operators started implementing a new communication technology, Rich Communication Services (RCS). RCS is poised to replace calling and text messaging for billions of people.
-
Research Blog by Security Research Labs
- The Android patch ecosystem β Still fragmented, but improving
The Android patch ecosystem β Still fragmented, but improving
25 April 2022 at 11:16
Since 2018, SRLabs has refined Android patch analysis through the app SnoopSnitch. Recent SnoopSnitch data paints an improved picture of the Android ecosystem over what we saw in 2018.
-
Research Blog by Security Research Labs
- Mobile networks differ widely in security, none protect well in all dimensions
Mobile networks differ widely in security, none protect well in all dimensions
28 June 2022 at 12:06
The base technology of most cell phone networks in the world β GSM β has been known to be weak for years.Β To publicly track the (currently slow) progress of security upgrading is publicly tracked by us to allow users to choose the highest protection.
The Android ecosystem contains a hidden patch gap
28 June 2022 at 12:50
Android is the most successful operating system to date, with two billion devices in active use.Β Our large study of Android phones finds that some Android vendors regularly miss patches, leaving parts of the ecosystem exposed to the underlying risks.
-
Research Blog by Security Research Labs
- Payment terminals allow for remote PIN capture and card cloning
Payment terminals allow for remote PIN capture and card cloning
28 June 2022 at 12:06
Plastic cards are an increasingly popular means of payment all over the world. An analysis of the most widely deployed payment terminal in Germany found serious weaknesses.
Outdated payment protocols expose customers and merchants
28 June 2022 at 12:06
Payment terminals have conquered nearly every retail outlet and payment cards are as pervasive as cash. Major parts of this critical payment infrastructure, however, rely on proprietary protocolsΒ from the 90βs with large security deficiencies.
The Cloud exposes your private IP cameras
24 March 2022 at 15:06
Most remote video cameras are not exposed directly to the internet. However, insecure cloud services put them at a similar risk of becoming part of the next IoT camera botnet.
-
Research Blog by Security Research Labs
- Your Blockchain is only as secureΒ asΒ theΒ application on top of itΒ
Your Blockchain is only as secureΒ asΒ theΒ application on top of itΒ
24 March 2022 at 08:21
Applications interacting with blockchain networks can be an attack surface to malicious actors and therefore need to be reviewed thoroughly.
USB peripherals can turn against their users
28 June 2022 at 12:06
USB devices are connected to β and in many cases even built into β virtually all computers.Β The interface standard conquered the world over the past two decades thanks to its versatility.Β This versatility is also USBβs Achilles heel.
-
Research Blog by Security Research Labs
- Legic Prime RFID cards rely on obscurity and consequently did not withstand scrutiny
Legic Prime RFID cards rely on obscurity and consequently did not withstand scrutiny
28 June 2022 at 12:06
The Legic Prime system uses proprietary RFIDs for access control to buildings throughout Europe.Β Despite its use in high security installations, access cards can be cloned from a distance or newly created using a spoofed master token.
-
Research Blog by Security Research Labs
- Cryptographic problems are reduced to their true hardness by SAT solvers
Cryptographic problems are reduced to their true hardness by SAT solvers
11 March 2022 at 17:54
Many industrial ciphersβincluding those in todayβs access control and NFC applicationsβuse algebraically insecure cryptographic functions that can be broken using SAT solvers in an automated process.
-
Research Blog by Security Research Labs
- The physical access control market is ripe for an upgrade to modern technology
The physical access control market is ripe for an upgrade to modern technology
11 March 2022 at 17:54
Physical access control systems today predominantly use access badges with weak cryptography or no cryptography at all despite better building blocks being available.
Decrypting GSM phone calls
11 March 2022 at 17:54
GSM telephony is the worldβs most popular communication technology spanning most countries and connecting over four billion devices. The security standards for voice and text messaging date back to 1990 and have never been overhauled.
-
Research Blog by Security Research Labs
- Blockchain security β Six common mistakes found in Substrate chains
Blockchain security β Six common mistakes found in Substrate chains
16 June 2022 at 08:40
There is relatively little guidance on security mistakes to expect when working on blockchain projects. This post lists six mistakes we regularly find when auditing Substrate-based chains along with hands-on advice on how to mitigate the issues.
-
Research Blog by Security Research Labs
- Balancing long-term technology evolution with short-term side-effects - Vulnerability disclosure best practices
Balancing long-term technology evolution with short-term side-effects - Vulnerability disclosure best practices
21 December 2021 at 07:30
Responsible disclosure is the best practice to handle and fix unknown vulnerabilities. This blog includes real-world experience and advice from over a decade of SRLabs disclosing vulnerabilities responsibly.