3 min
IoT
IoT Security and Risk: What Is It, Where Is It Heading, and How Do We Embrace It?
In this blog, we discuss what security professionals should be doing to secure their IoT devices and where companies often go wrong with IoT security.
9 min
Vulnerability Disclosure
Investigating the Plumbing of the IoT Ecosystem (R7-2018-65, R7-2019-07) (FIXED)
Two vulnerabilities have been disclosed for Eaton's Home Lighting HALO Home Smart Lighting System and BlueCats' AA Beacon.
4 min
Research
Extracting Firmware from Microcontrollers’ Onboard Flash Memory, Part 4
In the fourth and final part of this series, we conduct further firmware extraction exercises on the Texas Instruments RF microcontroller.
4 min
IoT
Extracting Firmware from Microcontrollers' Onboard Flash Memory, Part 3: Microchip PIC Microcontrollers
In this blog, we will conduct another firmware extraction exercise dealing with the Microchip PIC microcontroller (PIC32MX695F512H).
3 min
IoT
Extracting Firmware from Microcontrollers' Onboard Flash Memory, Part 2: Nordic RF Microcontrollers
In this blog, we will conduct another firmware extraction exercise dealing with the Nordic RF microcontroller (nRF51822).
3 min
Research
Extracting Firmware from Microcontrollers' Onboard Flash Memory, Part 1: Atmel Microcontrollers
As part of our ongoing discussion of hardware hacking for security professionals, this blog covers the Atmel ATmega2561 microcontroller.
8 min
Public Policy
The IoT Cybersecurity Improvement Act of 2019
In this blog post, we will walk through the newly introduced IoT Cybersecurity Improvement Act of 2019 and describe Rapid7's position on it.
6 min
IoT
[IoT Security] Introduction to Embedded Hardware Hacking
Many security professionals and researchers are intrigued by the idea of opening up and exploring embedded technologies but aren’t sure where to start.
4 min
Haxmas
Once a Haxer, Always a Haxor
Like most hackers, I liked to take apart my holiday gifts as a kid. In this blog, I take apart Amazon's voice-controlled microwave oven to see how it works.
4 min
IoT
Lessons and Takeaways from CTIA’s Recently Released IoT Security Certification Program
The CTIA recently announced a new cybersecurity certification program for cellular- and Wi-Fi-connected IoT devices. Here is my high-level overview of this program.
3 min
IoT
Enhancing IoT Security Through Research Partnerships
Securing IoT devices requires a proactive security approach to test both devices and the IoT product ecosystem. To accomplish this, consider setting up a research partnership.
5 min
IoT
Security Impact of Easily Accessible UART on IoT Technology
When it comes to securing IoT devices, it’s important to know that Universal Asynchronous Receiver Transmitter (UART) ports are often the keys to the kingdom for device analysis when you have physical access. For example, as part of ongoing security research and testing projects on embedded technology we own, I have opened up a number of devices and discovered a majority of them having UART enabled. Those with UART enabled have—in every case—provided a path to full root access and allowed me to
6 min
IoT
NCSAM Security Crash Diet, Week 4: IoT
The final week of our 'Security Crash Diet' series for NCSAM explores what the IoT device purchasing process is like for consumers who want to buy IoT with security in mind. Spoiler: It isn't easy.
3 min
IoT
ROCA: Vulnerable RSA Key Generation
In the KRACK-related and BadRabbit-related chaos of the past week and a half, some people missed a less flashy vulnerability that nevertheless dug up key long-term questions on IoT supply chains and embedded technology. The Czech-based Center for Research on Cryptography and Security published research last week on a vulnerability (CVE-2017-15361) in the RSA key generation process in a widely used cryptographic software library found in Infineon secure chips. Specifically:
“The algorithmic vulne
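The practical check a practitioner wants for this finding is whether a given RSA modulus carries the ROCA fingerprint. The following is an added example, not code from the Rapid7 post and not the researchers' own roca-detect tool; it reimplements the public fingerprint method in stdlib Python only. Affected Infineon keys use primes of the form p = k*M + (65537^a mod M) with M a primorial, so the modulus N = p*q lies in the subgroup generated by 65537 modulo each small prime dividing M, which a random modulus practically never does. The small-prime list and generator are the published ones; the two moduli at the bottom are constructed for the demonstration and are not real keys (the "ROCA" one merely mimics the residue structure).

```python
# Added example: stdlib-only reimplementation of the public ROCA fingerprint
# test for CVE-2017-15361. Not Rapid7's code and not the official roca-detect
# tool. Sample moduli below are constructed, not real keys.

# The 38 small primes used by the public fingerprint (all odd primes up to 167).
SMALL_PRIMES = [3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37, 41, 43, 47, 53, 59, 61, 67,
                71, 73, 79, 83, 89, 97, 101, 103, 107, 109, 113, 127, 131, 137,
                139, 149, 151, 157, 163, 167]
GENERATOR = 65537  # the generator used by the affected key-generation algorithm


def subgroup(prime, g=GENERATOR):
    """Return the cyclic subgroup of (Z/prime)* generated by g mod prime."""
    members = set()
    x = 1
    while x not in members:       # orbit of 1 under multiplication by g
        members.add(x)
        x = (x * g) % prime
    return members


# Precompute once: for each small prime, the residues a ROCA modulus may take.
ALLOWED = {r: subgroup(r) for r in SMALL_PRIMES}


def roca_mismatches(n):
    """Small primes at which n fails the fingerprint; empty list means fingerprinted."""
    return [r for r in SMALL_PRIMES if (n % r) not in ALLOWED[r]]


def is_roca_fingerprinted(n):
    """True if n matches the ROCA structure at every small prime (likely vulnerable)."""
    if n <= 0:
        return False
    return not roca_mismatches(n)


# Constructed test data (not real keys):
# 1) A synthetic modulus with the ROCA residue structure: congruent to 65537^c
#    modulo the primorial of the small primes, padded with a large multiple.
M = 1
for r in SMALL_PRIMES:
    M *= r
SYNTHETIC_ROCA_N = pow(GENERATOR, 123457, M) + M * (1 << 400)

# 2) An ordinary-looking modulus with N mod 11 == 2, which is outside
#    <65537> mod 11 == {1, 10}, so the fingerprint fails at prime 11.
ORDINARY_N = 11 * (1 << 1000) + 2

if __name__ == "__main__":
    for label, n in (("synthetic ROCA", SYNTHETIC_ROCA_N), ("ordinary", ORDINARY_N)):
        print(label, is_roca_fingerprinted(n), roca_mismatches(n)[:3])
```

To check a real key, parse the public key (for example with `openssl rsa -pubin -modulus`), convert the hex modulus to an int, and pass it to `is_roca_fingerprinted`. A fingerprint match means the key should be treated as vulnerable and replaced; a non-match at any small prime rules ROCA out for that key.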
8 min
Vulnerability Disclosure
Multiple vulnerabilities in Wink and Insteon smart home systems
Today we are announcing four issues affecting two popular home automation solutions: Wink's Hub 2 and Insteon's Hub. Neither vendor stored sensitive credentials securely on their associated Android apps. In addition, the Wink cloud-based management API does not properly expire and revoke authentication tokens, and the Insteon Hub uses an unencrypted radio transmission protocol for potentially sensitive security controls such as garage door locks.
As most of these issues have not yet been addres