IoT Security with Larry Pesce

06/15/2023

While still in the public comment phase, I'm of the opinion that CVSS 4.0 scoring will be a huge improvement in how organizations can make decisions on risk. It looks like we could benefit from the proposed metrics to contextualize actual exploitability, and how it applies to critical areas such as OT/ICS and even healthcare.

06/12/2023

In an apparent series of "Why does this thing need to be IoT enabled", Cyrill Künzi hacked his Philips Sonicare toothbrush: It is NFC enabled! . then chimed in with the full breakdown of the NFC password calculation: https://buff.ly/3N47Ztr. Now it is even in the Proxmark Iceman firmware....

After buying a new Philips Sonicare toothbrush I was surprised to see that it reacts to the insertion of a brush head by blinking an LED. A quick online search reveals that the head communicates with the toothbrush handle to remind you when it’s time to buy a new one. From the Philips product page...

06/09/2023

One of my amazing coworkers jsut put together some thoughts on the new and upcoming CVSS 4.0 scoring. TL;DR: He's excited. https://buff.ly/3J6TeEW

06/07/2023

We all knew it would happen... however in this case it was not due to some l33t IoT hax, it was due to a lack of segregation of duties for the support contractors; they had access to all of the video on the backend whether they needed it or not. Further proof that traditional security techniques need to apply to the overall IoT ecosystem.

It's what we all feared, but hoped wouldn't be the case.

06/03/2023

Yep, I am AT keyboard and DB9 serial mouse connector old. We can add editing AUTOEXEC.BAT and CONFIG.SYS with COPY CON to that list too...

05/19/2023

Just a reminder to my friends that if you are also this old, you probably should top off your upstairs, downstairs, basement, car, kitchen, etc Advil (not all at one go of course, because at our age thats a lot of activity all at once).

05/18/2023

This was a great write up on getting RCE on some Wemo smart plugs. It figures, I use a few of these at home, so maybe its time find something new and send them to the "lab"!

‘FriendlyName’ Buffer Overflow Vulnerability in Wemo Smart Plug V2 | Sternum https://buff.ly/3pTSRXP

05/18/2023

I was doing some digging recently for all sorts of connected vehicle firmware and such. I got some, and let me tell you, it is a wild ride out there folks.

Supporting Connected, Autonomous, Shared, and Electric (CASE) Vehicle Security Using SBOMs

Discover how to enhance CASE vehicle security in a sustainable future with our new report on how SBOMs are helping to tackle new cybersecurity challenges

05/17/2023

While the cat's away the mice will play! Paul is out for tonight's episode of Security Weekly, so it will be hosted by yours truly! Join us for the news, and some fun with my good friend Kevin Johnson!

https://buff.ly/3MAOwSf

05/15/2023

Well, this is an interesting model: Give away TVs that constantly show you ads on a second screen. Of course they are OTA updatable, so I wonder what the mechanism looks like. IoT hackfest anyone? Telly's Free 4K TVs: https://buff.ly/3IcMdSu

05/12/2023

Thanks Google for releasing a few new TLDs! I'm not quite sure who thought .zip and .mov were a good idea, but I registered rofl.zip, firmware.zip and sbom.zip. This could get interesting.

Google TLDs: https://buff.ly/3VVxocU