The following security research was performed whilst at NCC Group between 2021 and now.
Revving Up: The Journey to Pwn2Own Automotive 2024
On the 28th of September, Alex Plaskett and McCaulay Hudson presented this talk at ROMHack, Italy.
The abstract of the talk was as follows:
Throughout this presentation we will describe our process with a deep dive into in-vehicle entertainment systems and an electric vehicle (EV) charger controller (Phoenix Contact CHARX SEC-3100).
We will reveal multiple zero-day vulnerabilities which were used to compromise these devices. EV charging security is currently a hot topic: over 3 million charging stations are expected in Europe by the end of 2024, and the number continues to grow. Most importantly, however, we will describe our methodology and approach, allowing aspiring bug hunters to understand the trials and tribulations of vulnerability research against automotive targets. This will also allow vendors to see the amount of effort vulnerability researchers take to compromise these devices.
Our talk will include attack surface research and how we prioritise finding vulnerable areas. We will also demonstrate tooling we use to speed up and automate the process. We will discuss both hardware and software attacks and the need to first perform hardware attacks to gain an understanding of the target before software-only exploits could be developed to obtain remote code execution.
For fun we will also demonstrate both a light show on the CHARX device and porting and running DOOM on the Alpine IVI.
Briefly we will discuss our failures and lessons learned, to show that not everything was plain sailing with the research.
Finally, we will wrap up with conclusions and guidance to both automotive manufacturers and prospective hacking competition participants.
Charging Ahead: Exploiting an EV Charger Controller at Pwn2Own Automotive 2024
On the 18th of September 2024, McCaulay Hudson and Alex Plaskett presented this talk at 44CON, London.
The full abstract for the talk is as follows:
Brace yourselves for an electrifying journey into the world of automotive cybersecurity. Our talk will unveil how we exploited multiple zero-day vulnerabilities to compromise an electric vehicle (EV) charger controller during the Pwn2Own competition.
At the end of March 2024, there were 59,000 EV charging points across the UK (a 47% increase since 2023), and the number is expected to grow significantly with the push to electric vehicles; with this growth come serious security challenges.
In the talk we will discuss our methodology, attack surface analysis, and demonstrate tooling which we have created to speed up finding vulnerabilities in firmware and how we applied this to a specific EV charger controller. EV chargers overall have a wide range of features and wide-ranging connectivity leading to significant attack surfaces.
We will discuss our journey from having zero knowledge of the specific target (Phoenix Contact CHARX SEC-3100) to remotely compromising it, performing privilege escalation and more.
We will dive into the intricacies of this “build your own” charging component and how it enables deployment of charging infrastructure.
We will discuss weaknesses with uploading arbitrary file contents, state switching, and injection techniques to build an exploit chain which was eligible for the Pwn2Own competition. The audience will gain an understanding of how multiple seemingly low-risk vulnerabilities can be chained together to escalate their impact, leading to code execution on the charger controller and demonstrating real world impact.
We will wrap up with an overview of EV charger post-exploitation and outline some threat scenarios and impacts which could occur if an attacker was to compromise these devices and maintain persistence. In this presentation we will have multiple demos, including demonstration of tooling and exploits against the device to obtain a shell. For fun we will also show a lightshow running on the EV charger demonstrating full control of the device.
Finally, we will conclude with our thoughts on building a robust security architecture for EV charging deployments.
Listen-Up: Sonos Over-The-Air Remote Kernel Exploitation and Covert Wiretap
On the 8th of August 2024, Alex Plaskett and Robert Herrera presented this talk at BlackHat 2024 in Las Vegas, USA.
The abstract of the talk was as follows:
Over the last year NCC Group found and exploited many different vulnerabilities within Sonos devices. This led to an entire break in the security of Sonos’s secure boot process across a wide range of devices and remotely being able to compromise several devices over the air.
We leveraged these vulnerabilities to perform hidden recordings of the microphone to demonstrate how a remote attacker could be able to obtain covert audio capture from Sonos devices.
In this talk, we will start off with an introduction to Sonos devices, and describe the device architecture and security controls implemented (such as secure boot and disk encryption).
Then we will move into a deep dive on the Wi-Fi driver architecture and attack surface on the Sonos One. The talk will then describe a vulnerability we identified in the WPA2 Handshake which can allow a remote attacker to compromise the kernel over the air.
The talk will then move to the exploitation of this issue and discuss the novel challenges of developing a remote kernel exploit. To wrap up this section, we will then perform a demo of the attack where we will turn the device into a wiretap capturing all the audio within the physical proximity of the compromised device.
Finally, we will discuss vulnerabilities and exploitation techniques that allowed us to develop the world’s first “jailbreak” of Sonos’s flagship device - the Era-100 by breaking the secure boot chain. This affected 23 Sonos products and allowed the extraction of cryptographic material.
Exploit Engineering – Attacking the Linux Kernel
On the 19th of May 2023, Alex Plaskett and Cedric Halbronn presented this talk at Offensivecon 2023 in Berlin.
The abstract from the talk was as follows:
Over the last year the Exploit Development Group (EDG) at NCC Group found and exploited three different 0-day Linux kernel local privilege escalation vulnerabilities (CVE-2022-0185, CVE-2022-0995, CVE-2022-32250) against fully patched OSs with all mitigations enabled. The most recent vulnerability was patched against versions of the kernel going back 6 years affecting most stable Linux distributions.
Unlike developing proof of concepts, our exploits need to be ultra-reliable and support many different OS variations and kernel versions so they can be used by our security assessment consultants or Red Teams. This calls for a much more rigorous engineering process to be followed.
In this talk, we start with an overview of our bug hunting processes and approach to rapidly find high impact vulnerabilities within the Linux kernel. The talk will then describe key vulnerability details, discuss the challenges of reliable exploitation across multiple targets and describe the exploitation techniques used (and what is appropriate in 2023). We discuss rigorous exploit engineering approaches, including tooling which we have developed for heap analysis (libslub) and automation for mining, creation, deployment and scaling across many different environments (TargetMob). Finally, we will conclude with our thoughts on areas where more strategic hardening and attack surface reduction can be introduced to hinder advanced attackers using 0-days in the Linux kernel. We will leave you with a release of our heap analysis tooling libslub and the knowledge to go out there and find, analyse and exploit your own Linux kernel vulnerabilities!
This research was performed by Alex Plaskett, Cedric Halbronn, Aaron Adams and presented at Offensivecon 23.
Your Not so “Home” Office – Soho Hacking at Pwn2Own
On the 20th of April 2023, Alex Plaskett and McCaulay Hudson presented this talk at HITB AMS. The talk showcased NCC Group EDG's work at Pwn2Own 2022 Toronto, targeting all consumer routers (Netgear, TP-Link and Synology) from both a LAN and WAN perspective. The talk also described how we compromised a small business device (Ubiquiti) via the WAN and used that to pivot to attack a device on the LAN (a printer). In total we created 7 different exploit chains and found many more vulnerabilities in the process.
This research was performed by Alex Plaskett, Cedric Halbronn, Aaron Adams, McCaulay Hudson and presented at HITB AMS 2023.
Toner Deaf – Printing your next persistence
In November 2021, NCC Group won at the Pwn2Own hacking contest against a Lexmark printer. This talk is about the journey from purchase of the printer, having zero knowledge of its internals, remotely compromising it using a vulnerability which affected 235 models, developing a persistence mechanism and more.
This talk is particularly relevant due to printers having access to a wide range of documents within an organisation, the printers often being connected to internal/sensitive parts of a network, their lack of detection/monitoring capability and often poor firmware update management processes.
This research was performed by Alex Plaskett, Cedric Halbronn, Aaron Adams, Catalin Visinescu and presented at Hexacon 2022.
Pwn2Own 2021 - Remotely Exploiting 3 Embedded Devices
This research demonstrates the process taken and vulnerabilities used for Pwn2Own Austin 2021 which were used to compromise a Western Digital PR4100 NAS, a Lexmark MC3224i and outside of the competition a Netgear R6700v3.
Remotely Exploiting 3 Embedded Devices Slides
How to win $$$ at a hacking contest? Slides
This research was performed by Alex Plaskett, Cedric Halbronn, Aaron Adams, Catalin Visinescu and presented at NCC Con Europe 2021.
Pwning the Windows 10 Kernel with NTFS and WNF
A 0-day local privilege escalation vulnerability (CVE-2021-31956) was identified by Kaspersky as being exploited in the wild. At the time it affected a broad range of Windows versions (right up to the latest and greatest of Windows 10). With no access to the exploit or details of how it worked other than a vulnerability summary, the following plan was enacted:
- Understand how exploitable the issue was in the presence of features such as the Windows 10 Kernel Heap-Backed Pool (Segment Heap).
- Determine how the Windows Notification Framework (WNF) could be used to enable novel exploit primitives.
- Understand the challenges an attacker faces with modern kernel pool exploitation and what factors are in play to reduce reliability and hinder exploitation.
- Gain insight from this exploit which could be used to enable detection and response by defenders.
The talk covered the above key areas and provided a detailed walkthrough, moving from an introduction to the subject all the way up to the knowledge needed for both offence and defence on modern Windows versions.
The following security research was performed whilst at MWR InfoSecurity (now F-Secure Consulting) between 2011 and 2018.
Big Game Fuzzing - Pwn2Own Apple Safari
This research describes the vulnerabilities used for Pwn2Own Desktop 2018 to compromise Apple macOS Safari. It describes the tools developed and the process taken in order to identify these vulnerabilities. The slides and whitepaper also describe the exploit development process and techniques used for exploitation of the vulnerabilities. The vulnerabilities described within these documents are a Wasm vulnerability (CVE-2018-4121), an SVG vulnerability (CVE-2018-4199) and a sandbox escape within the Dock component (CVE-2018-4196).
This research was performed by Fabian Beterke, Georgi Geshev and Alex Plaskett and presented at T2 2018.
The Mate Escape - Huawei Pwn2Own
This research demonstrates the process taken and vulnerabilities used for Pwn2Own Mobile 2018 to compromise an Android-based Huawei Mate 9 Pro device. The vulnerabilities used within this chain were logic bugs; no memory corruption issues were used. Whilst memory corruption protections and mitigations offer additional protection to the platform, logic bugs are often neglected and can be used to equally damaging effect.
This research was performed by Alex Plaskett and James Loureiro and presented at Snoopcon 2018 and Hacktivity 2018.
Apple Safari - Wasm Section Exploit
This whitepaper describes the process taken when investigating a potential vulnerability for Pwn2Own. WebAssembly was a relatively new feature added to the browser and was therefore expected not to have undergone as much security assurance as other areas. Unfortunately, whilst we were performing exploit development for the issue, it was fixed by Apple (and therefore would not qualify for Pwn2Own). The issue was addressed publicly with macOS 10.13.4 and was found independently by Natalie Silvanovich of Google Project Zero.
This research was performed by Fabian Beterke, Alex Plaskett and Georgi Geshev in 2018 and presented at T2.fi.
Biting the Apple That Feeds You - macOS Kernel Fuzzing
This research demonstrated techniques for macOS kernel fuzzing in order to find security issues within macOS. Previously, only a small amount of research had been published on automating the discovery of vulnerabilities within the macOS kernel. The slides describe the tooling which was developed and the issues which were found (and addressed by Apple) as part of this research. The slides demonstrate that different fuzzer approaches can lead to different vulnerabilities being found. The macOS IPC subsystem was also discussed, and tooling was produced to target these features.
This research was performed by Alex Plaskett and James Loureiro and presented at Warcon 2017, 44CON 2017 and Deepsec 2017.
QNX - 99 Problems But A Microkernel Ain’t One!
This research investigated the security of the QNX operating system and outlined methods for finding vulnerabilities in this area. A large number of devices run QNX under the hood, often cars, turbines and safety-critical systems, so the security of these devices is paramount. This research focused on BlackBerry 10's version of QNX; however, it is applicable to all QNX-based devices. The slides and whitepaper provide an overview of the operating system, our methods for identifying vulnerabilities and the issues identified. The research also described how the subsystems on QNX communicate and methods an attacker may use to perform privilege escalation across the trust boundaries.
This research was performed by Alex Plaskett and Georgi Geshev and presented in 2016 at Confidence 2016, Troopers 16 and BSides NYC 2016.
Windows Phone 8 - Navigating A Sea Of Pwn
This research investigated the security of Windows Phone 8 applications and described methods which could be used to test them. Whilst Windows Phone 8 is now a deprecated platform, at the time it was Microsoft's latest mobile operating system. This research shows approaches which can be taken when assessing a Windows Phone 8 application and the potential security issues which can arise.
The research was performed by Nick Walker and Alex Plaskett and presented at Syscan and Qualcomm Security Summit in 2014.
Windows Phone 7 - Owned Every Mobile
This talk presented the research performed into Windows Phone 7 and demonstrated one of the first browser (Internet Explorer) exploits against the platform. It also demonstrated weaknesses the OEMs had introduced into the platform and methods to bypass sandbox restrictions.
The research was presented at 44CON, T2.fi, DeepSec and Microsoft BlueHat in 2011.
Windows Phone 7 - Microsoft BlueHat v11 Executive Briefings
This talk presented a higher level view of the security research performed against Windows Phone 7 to a number of Microsoft Execs during BlueHat v11.
This research was presented at Microsoft’s BlueHat Executive Briefings in 2011.