Studies and Whitepapers


This paper considers smart home systems, currently one of the most popular application fields of the “Internet of Things”. It examines what a smart home system is, how it is constructed and which protocols are used for communication between the components themselves and with their users. Furthermore, common threats to the different sub-areas of smart home systems are discussed, and the most popular communication protocols and their current state of security are presented.



Currently, applications are mostly developed in the form of web applications. Although security-specific requirements for design, implementation and operation are sometimes published together with the call for tender, frequently they are only developed over the course of a project. As a result, web applications have recurrent vulnerabilities which can be exploited for a multitude of attacks.

With its guide for the development of secure web applications, the Federal Office for Information Security (hereafter BSI), in collaboration with SEC Consult, offers a solution to this problem. Consistent, thorough guidelines for a secure development process, linked with a structured approach to testing and client acceptance, facilitate the optimization of IT security within the Federal Administration and beyond. The guide gives IT and project managers in public institutions, as well as managers in industry, a tool for creating bidding and contract documentation or establishing performance and acceptance criteria, and thus supports the entire contracting process.

The study is divided into two parts: The first defines requirements for the contractor. In the second part, the client receives guidance on how compliance with these requirements can be assessed.

Guidelines are only available in German:

Leitfaden zur Entwicklung sicherer Webanwendungen – Empfehlungen und Anforderungen an die Auftragnehmer

Leitfaden zur Entwicklung sicherer Webanwendungen – Empfehlungen und Anforderungen an Auftraggeber aus der öffentlichen Verwaltung


SEC Consult, an international leader in application security services and consultancy, and Capgemini, one of the world’s foremost providers of consulting, technology and outsourcing services, released the first international study on the security of third-party Core Banking Packages. The study summarizes the vendors’ promises, commitments and relevant activities relating to the application security of their products. As a ‘reality check’, three Core Banking products were tested, and severe security vulnerabilities not detected by the vendors were found in each. The study emphasizes that state-of-the-art application security has to be demanded and subsequently validated by application security tests. Failure to do so can result in the deployment of insecure software products and incur operational risks.



Remote Function Call (RFC) is a proprietary communication protocol required for all systems operating the SAP® Application Server for ABAP®, making it one of the most appealing targets for attacks on business-critical SAP system landscapes. With the talk “Attacking the Giants: Exploiting SAP Internals” presented by M. Nunez at Black Hat Europe 2007, the protocol reached the security research community for the first time. Nowadays, SAP systems have become increasingly interconnected, not only internally but also across network trust boundaries. As a result, enterprises rely on the RFC interface technology and its codebase more than ever. The present paper reports on an independent analysis of the protocol as it is used in SAP NetWeaver® Application Server ABAP and ABAP Platform for server-to-server communication of type ‘3’. By employing a hybrid security testing approach combining static and dynamic analysis techniques, this research re-assessed the RFC attack surface and identified alternate logon material, cryptographic failures, memory corruptions, and ABAP programming pitfalls. The paper examines each of the identified vulnerabilities, demystifying somewhat forgotten inner workings of the protocol and key security mechanisms to highlight novel attack vectors and a wormable exploitation chain.

PDF (English)

This paper describes the results of the research conducted by SEC Consult Vulnerability Lab on the security of McAfee Application Control. This product is an example of an application whitelisting solution which can be used to further harden critical systems, such as servers in SCADA environments or client systems with high security requirements like administrative workstations. Application whitelisting works by whitelisting all software installed on a system and then preventing the execution of any software not on that list. This should prevent the execution of malware and therefore protect against advanced persistent threat (APT) attacks. McAfee Application Control is an example of such software. It can be installed on any system; however, its main field of application is the protection of highly critical infrastructures. While the core feature of the product is application whitelisting, it also supports additional security features, including write- and read-protection as well as different memory corruption protections.


The paper will show:

  • how application whitelisting can be bypassed in multiple ways
  • how User-Account-Control can be bypassed on such protected systems
  • how additional protections such as read- or write-protections can be bypassed
  • how additional memory corruption protections can easily be bypassed
  • that the software can decrease the overall security of your operating system


In 2013, BlackBerry presented a brand new operating system which differs significantly from the others on the smartphone market. A very high security level is announced, and expectations are correspondingly high. Some analysts consider this the last chance for BlackBerry “to get back in the big game” and stand alongside such giants as iOS and Android. The goal of this whitepaper is to show an approach for testing the new BlackBerry 10 operating system and to identify vulnerabilities on a new BlackBerry 10 device.

A set of methods and tools has been developed. In the paper we will:

  • Discuss specifics of the operating system
  • Check for vulnerabilities “by design”
  • Talk about fuzzers
  • Test default utilities
  • Dump the “boot sector”
  • Mention other interesting entry points / notices
  • Propose further steps for future research


Backdoors have always been a concern of the security community. In recent years the idea of not trusting the developer has gained momentum and manifested itself in various forms of source code review. For Java, one of the most popular programming languages, numerous tools and papers have been written to help during reviews. While these tools and techniques are being developed further, they usually focus on traditional programming paradigms. Modern concepts like Aspect Oriented Programming or the Java Reflection API are left out. In particular, the use of Java’s Reflection API in conjunction with the lesser known “string pool” can lead to a new kind of backdoor. This backdoor hides itself from unwary reviewers by disguising its access to critical resources like credentials through indirection. To raise awareness of this particular kind of backdoor, this paper will:

  • Provide a short introduction to the string pool.
  • Show how reflection can be used to manipulate it.
  • Demonstrate how a backdoor can abuse this.
  • Discuss how it can be uncovered.

In the end, there is one more attack vector the reviewer has to consider. Time will show whether automated analyses will be able to detect this threat, but up to this point the knowledge, experience and intuition of a human reviewer are the only defense.


In the course of a security analysis of the Symbian mobile operating system, SEC Consult discovered a series of vulnerabilities in popular Nokia smartphones. These weaknesses are particularly critical since they can be exploited by sending manipulated videos over MMS, creating the potential for the spread of an MMS worm.

Nokia has been confidentially notified of the problems. The analysis techniques and tools used in this project are described in a recently released whitepaper, available on the SEC Consult web site.

“Typical Symbian smartphones have a number of potentially exploitable features, but a great deal of effort and knowledge is required to analyze the platform. Once we had the right tools, however, we found vulnerabilities very quickly, comparable to well-known vulnerabilities in other operating systems,” says Bernhard Müller, leader of the SEC Consult Vulnerability Lab.

The whitepaper strongly recommends that smartphone manufacturers implement suitable countermeasures in the form of software quality management and update services for smartphones. SEC Consult recommends that smartphone users regularly update their devices’ firmware and avoid opening SMS, MMS or e-mail messages from unknown senders.


Newly emerging techniques of DNS cache poisoning have caused quite a stir recently, prompting security researchers to speculate on the nature of the issue and naturally inducing press stunts by some individuals, including “accidental” information leaks and hasty exploit releases. Many other, more relaxed researchers, who had figured out the attack and had coded working exploits within a few hours (which, by the way, was incredibly easy to do once it was known that an undocumented attack actually existed), decided to coordinate with Dan Kaminsky, who had organized a huge multi-vendor security patch, and to withhold information for the proposed 30 days.

Bernhard Mueller of SEC Consult was among the first researchers to write a working “fast cache poisoning” exploit, details of which will now be published in a whitepaper, which also includes some calculations on the reliability of the attack.

The paper details a way of making DNS cache poisoning / response spoofing attacks more reliable. A caching server will store any NS delegation RRs if it receives a delegation which is “closer” to the answer than the nameservers it already knows. By spoofing replies that contain a delegation for a single node, the nameserver will eventually cache the delegation once a spoofed reply hits the right transaction ID.


This paper from the SEC Consult Vulnerability Lab describes how the FireWire hack can be applied to Windows Vista. By overwriting certain memory regions using the FireWire DMA feature, password authentication under Vista can be deactivated.

