September 27, 2025

Prison Break - breaking out of kiosk mode environments

I gave a presentation at the Balkan Computer Congress “BalCCon” in Novi Sad, Serbia. This talk was about kiosk mode environments and how to break out of them. These environments can typically be found in things like ATMs, visitor registration terminals, self-service order terminals, ticket systems for public transport or info terminals in a museum. The security of some of these systems is severely broken. This talk tried to be a collection of tips & tricks on how to break out of a kiosk mode. I’m sure a lot of people have stories to share on how they bypassed a kiosk mode environment and I wanted to share mine. There is knowledge, anecdotes and demos.

May 31, 2024

RFID Payment Systems - free drinks and all you can eat

I gave a presentation at the “Gulaschprogrammiernacht” in Karlsruhe. This talk was about RFID/NFC-based payment systems that are often seen in university mensas or company canteens. You typically pay with the student ID card or your employee badge, which is preloaded with money or linked to your monthly salary. The security of some of these systems is severely broken due to the usage of old and insecure RFID/NFC technologies. The talk contains some basics about those insecure RFID/NFC technologies and stories of broken systems I’ve analyzed in the past.

July 20, 2021

Analysis of an RFID-based TOTP Hardware Token

Some months ago I started to look into some RFID-based TOTP hardware tokens. Out of curiosity I bought some and started to reverse engineer them. This was just meant to be a learning experience. My colleague, Matthias Deeg, got interested as well and bought another token. Together we learned a lot about those devices. This post tells the story about the research I have done on the Token2 OTPC-P2. Links to Matthias’s research on the Protectimus SLIM can be found at the end of this post.

September 22, 2019

Getting root access on homee's Brain Cube

Some time ago I came across a homee Brain Cube. This cube is a universal central device to connect smart home components of different vendors together and to control them. After opening up the case of this smart home bridge, I saw some potential to gain root access to the operating system running on it.

June 17, 2019

New Tales of Wireless Input Devices

Together with my colleague Matthias Deeg I’ve done some more research on wireless input devices. This is considered follow-up research to our previous work on wireless desktop sets. This time the focus was on presenters (aka presentation clickers) and Bluetooth keyboards. Again, we were able to find several security issues and presented them at Confidence in Krakow.

March 30, 2019

Hacking Gadgets and Working with Heise

With its online IT news platform “Heise online” and magazines like “c’t”, Heise Medien GmbH & Co. KG is one of Germany’s biggest IT-related publishers. Therefore, I was happy when they offered me the opportunity to write some small articles, do an interview and even a video podcast. Back in 2017 they had an article introducing a collection of “Hacking Gadgets” in c’t 18/2017. Because the article was liked by its readers and there have been several new hacking gadgets/tools released since, they decided to make a new one. As a penetration tester with a focus on hardware tests, I was happy to give some insights on the tools I use (not all of them made it to the article).

March 14, 2019

Alarm System Security 2.0

In 2016 my colleague, Matthias Deeg, and I looked into the security of wireless alarm systems. At this time, the ABUS Secvest alarm system did not sign and/or encrypt its packets, allowing an attacker to disarm it. Some time later they introduced rolling codes to their protocol. But as Thomas Detert found out, they were still not secure. The algorithm used for generating the next valid code is predictable, just by looking at the communication. Thomas Detert and Matthias Deeg worked together to publish the new security issues. Furthermore, the attack was demonstrated in a TV report by “Voss & Team”, a German TV show for consumer protection.

July 30, 2018

Bluetooth Keyboard Security and Trust Relations

Together with my colleague Matthias Deeg I’ve done some research on several Bluetooth keyboards. This was a follow-up project to our research on wireless desktop sets. In general, Bluetooth-based keyboards seem to be more secure than the wireless keyboards with proprietary protocols. However, when it comes to Bluetooth security, there are some things which need to be taken into account. For me, the most interesting realization was about the trust relationship between paired devices. In some Bluetooth stacks (e.g. Android or iOS) a device can change completely without any warning to the user. For example, a Bluetooth headset can turn into a fully functional keyboard.

May 15, 2018

RFID/NFC Basics - A Pentesters Perspective

I gave a presentation on the basics of RFID/NFC from my (a pentester’s) perspective. Since several parties were interested, I gave the presentation twice, once at the “Gulaschprogrammiernacht” in Karlsruhe and once at the “IT-Sicherheitskonferenz” in Stralsund. The main goal was to explain how some of the RFID/NFC technologies work and what security issues there are.

October 12, 2017

Pentesting Cars

I’ve been invited to the Vector Cyber Security Symposium to talk about pentesting cars. Since the audience does not only consist of techies, the presentation I gave was rather basic. It aims at providing a better understanding of why pentesting is important and should be done for cars. The general theme of the talk is “improving security by breaking it”.

© 2025 - Gerhard Klostermeier - Some rights reserved - Legal Notice