
https://labanskoller.se/index.xml

rss
30 posts

Posts

Three Confirmed Vulnerabilities in Truesec LAPSWebUI
I have worked for Reversec since April 2025. My first blog post for them tells how I found some vulnerabilities in LAPSWebUI in a client engagement and reported the findings to the vendor Truesec, who confirmed most of them and issued a new version with fixes.
https://labanskoller.se/blog/2026/03/16/three-confirmed-vulnerabilities-in-truesec-lapswebui/
Wardriving 2024: Using Electricity Meter Readers to Get In

Do you pentest IoT equipment before joining it to your network? I did, fortunately. I bought a Swedish reader to connect to the P1 port of my electricity meter, and found a number of vulnerabilities that in combination let an attacker “wardriving” outside my house use the P1 reader to join my Wi-Fi network!

So it’s true what they say: the S in IoT stands for Security! ;)

https://labanskoller.se/blog/2024/08/16/wardriving-2024-using-electricity-meter-readers-to-get-in/
Vulnerability P1IB-LABAN-008: Insecure defaults
This is an attachment to the blog post Wardriving 2024: Using Electricity Meter Readers to Get In.
Vulnerability Metadata
Vulnerability identifier: P1IB-LABAN-008
Summary: Insecure defaults.
CWE: CWE-1188: Initialization of a Resource with an Insecure Default
CVE: None. A CVE was requested from the MITRE CNA-LR without any response.
CVSS: 8.7 / High CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/R:U
MITRE Submission
The following information was submitted to the MITRE CNA-LR in CVE Request 1610270 for CVE ID Request the 24th of February 2024.
https://labanskoller.se/attachment/vulnerability-p1ib-laban-008-insecure-defaults/
Vulnerability P1IB-LABAN-006: Insufficiently Protected Credentials
This is an attachment to the blog post Wardriving 2024: Using Electricity Meter Readers to Get In.
Vulnerability Metadata
Vulnerability identifier: P1IB-LABAN-006
Summary: Credentials (password for admin interface, PSK for Wi-Fi, MQTT password) retrievable once set.
CWE: CWE-522: Insufficiently Protected Credentials
CVE: None. A CVE was requested from the MITRE CNA-LR without any response.
CVSS: 6.3 / Medium CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:N/VA:N/SC:H/SI:H/SA:N
MITRE Submission
The following information was submitted to the MITRE CNA-LR in CVE Request 1610270 for CVE ID Request the 24th of February 2024.
https://labanskoller.se/attachment/vulnerability-p1ib-laban-006-insufficiently-protected-credentials/
Vulnerability P1IB-LABAN-005: Plaintext Storage of a Password
This is an attachment to the blog post Wardriving 2024: Using Electricity Meter Readers to Get In.
Vulnerability Metadata
Vulnerability identifier: P1IB-LABAN-005
Summary: Password stored in plain text.
CWE: CWE-256: Plaintext Storage of a Password
CVE: None. A CVE was requested from the MITRE CNA-LR without any response.
CVSS: 6.9 / Medium CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N
MITRE Submission
The following information was submitted to the MITRE CNA-LR in CVE Request 1610270 for CVE ID Request the 24th of February 2024.
https://labanskoller.se/attachment/vulnerability-p1ib-laban-005-plaintext-storage-of-a-password/
Vulnerability P1IB-LABAN-002: Cross-Site Request Forgery
This is an attachment to the blog post Wardriving 2024: Using Electricity Meter Readers to Get In.
Vulnerability Metadata
Vulnerability identifier: P1IB-LABAN-002
Summary: Cross-Site Request Forgery.
CWE: CWE-352: Cross-Site Request Forgery (CSRF)
CVE: None. A CVE was requested from the MITRE CNA-LR without any response.
CVSS: 9.3 / Critical CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:H/SI:H/SA:N/AU:Y/R:U
MITRE Submission
The following information was submitted to the MITRE CNA-LR in CVE Request 1610270 for CVE ID Request the 24th of February 2024.
https://labanskoller.se/attachment/vulnerability-p1ib-laban-002-cross-site-request-forgery/
Vulnerability P1IB-LABAN-001: Missing Authorization
This is an attachment to the blog post Wardriving 2024: Using Electricity Meter Readers to Get In.
Vulnerability Metadata
Vulnerability identifier: P1IB-LABAN-001
Summary: A wireless or adjacent network attacker can completely compromise the device, including extracting the Pre-Shared Key (PSK) for the Wi-Fi SSID the device is connected to.
CWE: CWE-862: Missing Authorization
CVE: None
CVSS: 9.9 / Critical CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:N/AU:Y/R:U/V:C/RE:M
MITRE Submission
The following information was submitted to the MITRE CNA-LR in CVE Request 1610270 for CVE ID Request the 24th of February 2024.
https://labanskoller.se/attachment/vulnerability-p1ib-laban-001-missing-authorization/
The Akamai Origin Disclosure Non-vulnerability
When working for my employer Sentor I discovered an origin disclosure vulnerability in Akamai GTM, but they didn’t agree it was a vulnerability. I blogged about it on the company blog: The Akamai origin disclosure non-vulnerability
https://labanskoller.se/blog/2023/12/13/the-akamai-origin-disclosure-non-vulnerability/
Vulnerability Disclosure: Authentication Bypass in Auth0
When working for my employer Sentor I discovered an authentication bypass vulnerability in Auth0. I blogged about it on the company blog: Vulnerability disclosure: Authentication bypass in Auth0
https://labanskoller.se/blog/2023/10/24/vulnerability-disclosure-authentication-bypass-in-auth0/
Vulnerability Disclosure: Session Fixation in Auth0
When working for my employer Sentor I discovered a session fixation vulnerability in Auth0. I blogged about it on the company blog: Vulnerability disclosure: Session fixation in Auth0
https://labanskoller.se/blog/2023/10/18/vulnerability-disclosure-session-fixation-in-auth0/
Mobile Authenticator Apps Algorithm Support Review - 2023 Edition
Last week my favorite IT security podcast Bli säker (Become Secure in English) published the episode The Epochalypse and the QR Code (only in Swedish) where they explained the technology behind mobile authenticator apps. I felt I needed to refresh my TOTP algorithm support investigation from 2019 before the recording of the next episode of the Bli säker podcast. :) So this is an update to the blog post I published in July 2019 called Many Common Mobile Authenticator Apps Accept QR Codes for Modes They Don’t Support.
https://labanskoller.se/blog/2023/03/16/mobile-authenticator-apps-algorithm-support-review-2023-edition/
Man-in-The-Middle Session Fixation in Securitas Direct My Pages
During 2021 I had access to a facility equipped with an alarm system from Securitas Direct. I had access as a regular user to Securitas Direct’s My Pages at mypages-pro.securitas-direct.com, which is used to administer some aspects of one’s security alarm installation. That web application suffered a CWE-384 Session Fixation vulnerability which can be used by an attacker in a so-called Man-In-The-Middle (MiTM) position. Home page of Securitas Direct My Pages In summary, if an attacker is on the same network as the victim or somewhere else between the victim and Securitas Direct’s server, and if the attacker can make the victim’s browser make an unencrypted HTTP request to a subdomain of securitas-direct.
https://labanskoller.se/blog/2022/02/22/man-in-the-middle-session-fixation-in-securitas-direct-my-pages/
The Devise Extension That Peeled off One Layer of the Security Onion (CVE-2021-28680)

I work for the security consultant company Defensify where I conduct security assessments of applications and networks. In December 2020 I made a review of a web application written in Ruby on Rails. I will not disclose the name of the client or any other vulnerabilities found in the client’s application, but this blog post tells the story of how I found a security vulnerability in one of the third-party dependencies they use, which is open source, and got my first ever CVE assigned. \o/

https://labanskoller.se/blog/2021/03/23/the-devise-extension-that-peeled-off-one-layer-of-the-security-onion-cve-2021-28680/
CSN: Order PIN Maintenance Banner in Swedish
Maintenance banner on csn.se at the time of publication of this blog post, in Swedish. This is an attachment to the blog post about Brute-Forcing Borrowers’ PINs at the Swedish Board of Student Finance (CSN).
https://labanskoller.se/attachment/csn-order-pin-maintenance-banner-in-swedish/
CSN: Original Too Many Tries Message in Swedish
Original too many tries message in Swedish. This is an attachment to the blog post about Brute-Forcing Borrowers’ PINs at the Swedish Board of Student Finance (CSN).
https://labanskoller.se/attachment/csn-original-too-many-tries-message-in-swedish/
CSN: Original PIN Login Form in Swedish
Original PIN login form in Swedish. This is an attachment to the blog post about Brute-Forcing Borrowers’ PINs at the Swedish Board of Student Finance (CSN).
https://labanskoller.se/attachment/csn-original-pin-login-form-in-swedish/
CSN: Original Personal Code Order Confirmation in Swedish
Original personal code order confirmation in Swedish. This is an attachment to the blog post about Brute-Forcing Borrowers’ PINs at the Swedish Board of Student Finance (CSN).
https://labanskoller.se/attachment/csn-original-personal-code-order-confirmation-in-swedish/
CSN: Original Order Personal Code Form in Swedish
Original order personal code form in Swedish. There is now a new version of the form. This is an attachment to the blog post about Brute-Forcing Borrowers’ PINs at the Swedish Board of Student Finance (CSN).
https://labanskoller.se/attachment/csn-original-order-personal-code-form-in-swedish/
CSN: Original Login Menu in Swedish
Original login menu in Swedish. This is an attachment to the blog post about Brute-Forcing Borrowers’ PINs at the Swedish Board of Student Finance (CSN).
https://labanskoller.se/attachment/csn-original-login-menu-in-swedish/
CSN: Original Incorrect PIN Message in Swedish
Original incorrect PIN message in Swedish. This is an attachment to the blog post about Brute-Forcing Borrowers’ PINs at the Swedish Board of Student Finance (CSN).
https://labanskoller.se/attachment/csn-original-incorrect-pin-message-in-swedish/
CSN: Original Choose Delivery Method Form in Swedish
Original choose delivery method form in Swedish. This is an attachment to the blog post about Brute-Forcing Borrowers’ PINs at the Swedish Board of Student Finance (CSN).
https://labanskoller.se/attachment/csn-original-choose-delivery-method-form-in-swedish/
CSN: New Order Personal Code Form in Swedish
New design of the order personal code form in Swedish. This is an attachment to the blog post about Brute-Forcing Borrowers’ PINs at the Swedish Board of Student Finance (CSN).
https://labanskoller.se/attachment/csn-new-order-personal-code-form-in-swedish/
CSN: New Choose Delivery Method Form in Swedish
New design of the choose delivery method form in Swedish. This is an attachment to the blog post about Brute-Forcing Borrowers’ PINs at the Swedish Board of Student Finance (CSN).
https://labanskoller.se/attachment/csn-new-choose-delivery-method-form-in-swedish/
Brute-Forcing Borrowers' PINs at the Swedish Board of Student Finance (CSN)

The Swedish Board of Student Finance CSN is the government agency that manages Swedish student finance, i.e. grants and loans for studies. They also manage driving licence loans and home equipment loans. (Source)

This is the story of when I found two security vulnerabilities in their login functionality and reported it to them.

https://labanskoller.se/blog/2020/11/23/brute-forcing-borrowers-pins-at-the-swedish-board-of-student-finance-csn/
PKI Is Hard - How Yubico Trusted OpenSSL And Got It Wrong
This is the story of how I discovered that Yubico used an invalid certificate chain in their Personal Identity Verification (PIV) attestation feature on YubiKey 4.3 and YubiKey NEO, which could only be solved by a new hardware release. The impact for users and organizations is that the certificate chain will be deemed invalid by tools that verify the chain properly, such as OpenSSL version 1.1.0 and later. Yubico has published a custom Python script that can be used to verify their attestation certificate chains.
https://labanskoller.se/blog/2019/12/30/pki-is-hard-how-yubico-trusted-openssl-and-got-it-wrong/
Email Conversation With Yubico Support
This is an attachment to the blog post about the broken attestation certificate chain in YubiKey 4.3 and YubiKey NEO. Headers are mine and not part of the original conversation. Long commands have been split to multiple lines using \ to fit the blog. All indications of time are given in two time zones: CEST where I was sitting and PDT where Yubico Support was sitting. Initial Report on Wrong Commands in Documentation From me to Yubico Support:
https://labanskoller.se/attachment/email-conversation-with-yubico-support/
Many Common Mobile Authenticator Apps Accept QR Codes for Modes They Don't Support
You probably use an “authenticator app” such as Google Authenticator to enable two-step verification (sometimes called two-factor authentication, 2FA, or multi-factor authentication, MFA) for an online account. The method is called Time-Based One-Time Password Algorithm (TOTP) and is standardized in RFC 6238. In October 2017 when I evaluated HashiCorp Vault for generating and storing TOTP secrets for a system at work I realized that the Android version and iOS version of Google Authenticator differed a lot when it comes to which modes are supported.
https://labanskoller.se/blog/2019/07/11/many-common-mobile-authenticator-apps-accept-qr-codes-for-modes-they-dont-support/
Solution to 35C3 Junior CTF Challenge "Entrance"
TL;DR: This post has a lot of details. Skip to the Summary if you know the challenge and are here just for the solution. Door icon made by Freepik from www.flaticon.com is licensed by CC 3.0 BY. Between Christmas and New Year’s I attended the 35th Chaos Communication Congress (CCC), 35C3, in Leipzig, Germany, together with Malmö based Xil hackerspace. It was my third congress (in a row). Since 2012 there has been a Capture The Flag (CTF) competition at congress.
https://labanskoller.se/blog/2019/01/07/solution-to-35c3-junior-ctf-challenge-entrance/
New Static Blog Using Hugo
Inspired by Hackeriet’s blog where Alexander Kjäll used to post CTF write-ups, I’ve decided to create a personal one for myself. Focus will be on IT security. Hackeriet’s blog is powered by Jekyll, which is a static site generator written in Ruby. See their post Creating a fast blog for how they set up their blog. I have decided to try another static site generator called Hugo, which is written in Go.
https://labanskoller.se/blog/2019/01/04/new-static-blog-using-hugo/