Millions of Xiongmai Video Surveillance Devices Can be Hacked via Cloud Feature (XMEye P2P Cloud)

On 9. Oct

All devices from Xiongmai, a Chinese OEM who manufactures white-label video surveillance equipment, come with an always-on cloud feature called XMEye P2P cloud. This feature contains serious vulnerabilities that allow attacks on millions of devices, even ones that are behind firewalls.

GovWare 2018: The Internet was built to outlast nuclear war but fails at smart toasters

On 24. Sep

SEC Consult, CyberTrap and IoT Inspector showcased their consulting services around information security, reaching from penetration testing, source code review, red teaming, and ISO27001 ISMS implementation to security awareness trainings by the SEC Academy

Solutions for the Google CTF 2018 Hacking Contest

On 10. Sep

Google CTF is a hacking competition in the style of Capture-the-Flag, which has been going on for many years. Here are a few inputs on how to master it.

Application Security Monitoring: The one thing companies claim not to have a budget for

On 25. Jun

Time is money and money obviously is what keeps a company running. Up until the very moment it doesn’t: product releases get postponed, stakeholders leave and so does your window of opportunity to conquer the market. If you can’t think of a way to fix it, it is time to start over.

True Story: The Case of a Hacked Baby Monitor (Gwelltimes P2P Cloud)

On 21. Jun

Some time ago, a case about a hacked baby monitor made the news in the US. A mother claimed someone had taken control over the device and surveilled her baby. SEC Consult investigated the issue at a technical level. How it all started Earlier this month, news articles surfaced (Daily Mail, ABC News, NPR) on a case […]

Pentester’s Windows NTFS Tricks Collection

On 12. Jun

In this blog post René Freingruber (@ReneFreingruber) from the SEC Consult Vulnerability Lab shares different filesystem tricks which were collected over the last years from various blog posts or found by himself. These tricks don’t lead to a directly exploitable condition, however, they can indirectly lead to exploitable flaws in special situations because of the non-intuitive behavior. […]

TR-069: IoT before it was cool!

On 24. May

TR-069 is the most widespread IoT management protocol. Most likely, you have a few devices in your home that use it on a daily basis. SEC Consult found some interesting vulnerabilities.

Small business owners: When cybercrime threatens your existence

On 17. May

One click on an email attachment is all it takes to bring the production of a company to a sudden end. The data is encrypted with a cryptolocker. The hackers blackmail ransom. The current order can no longer be produced in time for the customer.

Tips and Tricks for the Austria Cyber Security Challenge 2018

On 14. May

On the 5th of May 2018, the qualification to the Austria Cyber Security Challenge 2018 (ACSC 2018) and the Austrian State Championships started. Pupils and students can attend in the competition and must solve tasks from various categories in the field of IT security. Since this year there is also an open competition – the […]

Oracle Access Manager’s Identity Crisis

On 3. May

Last November, the SEC Consult Cryptography Competence Center came across a rather interesting cryptographic format used by the Oracle Access Manager (OAM). In this blog post we will demonstrate how minor peculiarities of the cryptographic implementation had a real-life impact on the security of the product. By exploiting this vulnerability we were able to fabricate arbitrary […]

Page 1 of 712 3 ›»

Blog