Conversation

Notices

Phantasm (phnt@fluffytail.org)'s status on Thursday, 30-Jan-2025 07:54:39 JST Phantasm
@ins0mniak @dcc @nyanide @sysrq @mr64bit IoT is a goldmine of security vulns. It almost seems impossible to someone that hasn't dabbled in it. Like UART root shells, hard-coded passwords across multiple products, weak custom encryption and raw HTTP traffic are basically the norm to this day. Especially on products from Asia.

To this day basically no sysadmin updates firmware for most of the embedded devices on network. The Hollywood camera stuff presented at Blackhat a decade ago still mostly holds true. It's ridiculous.

In conversation about a month ago from fluffytail.org permalink
- mr64bit (mr64bit@p.mr64.net)'s status on Thursday, 30-Jan-2025 07:54:37 JST mr64bit
  in reply to
  @ins0mniak @dcc @phnt @nyanide @sysrq I've got a bunch of wifi cameras from a coworker that I want to use by gutting the chinese crapware they come with and writing my own. getting into them initially was hilariously trivial, root ftp with no creds, then I RE'd a binary to find command injection to get a shell.
  
  In conversation about a month ago permalink
  
  † top dog :pedomustdie: likes this.
- ins0mniak (ins0mniak@majestic12.airforce)'s status on Thursday, 30-Jan-2025 07:54:38 JST ins0mniak
  in reply to
  @phnt @dcc @nyanide @sysrq @mr64bit Oh agreed dude. IoT is so freaking fun.
  
  I got that no starch book a while ago so I've been playing around with it a lot. The best are those shitty Chinese security cameras. wow! those things.
  
  I keep a kit in my bag. just a pi, with some dongles and my flipper.
  
  That damn thing is rediculous.
  In conversation about a month ago permalink
  Attachments
  1. Untitled attachment
- † top dog :pedomustdie: (dcc@annihilation.social)'s status on Thursday, 30-Jan-2025 07:58:19 JST † top dog :pedomustdie:
  in reply to
  @phnt @nyanide @sysrq @ins0mniak @mr64bit Btw the rust program crashed again (same shit) :alex_lol:
  
  In conversation about a month ago permalink
- ins0mniak (ins0mniak@majestic12.airforce)'s status on Thursday, 30-Jan-2025 07:58:59 JST ins0mniak
  in reply to
  @mr64bit @dcc @phnt @nyanide @sysrq well people put them on their shitty networks too.
  
  Resturants do that crap all the time. You know like, they offer free wifi, which is on the same network as their pos systems, and of course the cameras.
  
  Hell they love using super old micros systems because oracle charged upwards of 10k for them. I've seen them running on windows CE.
  
  ill just walk around and use my phone to shell into my pi and just poke around the whole town.
  
  In conversation about a month ago permalink
  
  † top dog :pedomustdie: likes this.
- Phantasm (phnt@fluffytail.org)'s status on Thursday, 30-Jan-2025 08:07:50 JST Phantasm
  in reply to
  @dcc @nyanide @sysrq @ins0mniak @mr64bit Yeah, that's very likely a bug. It threw it's hands up before dereferencing NULL. That it compiled doesn't mean it's _correct_.
  
  Just by looking at the code very quickly, I think it improperly handles the case where it failed to get the resolve the sigs. It initializes it to None, tries to match some sig with a regex in a for loop and when every single one fails, it still is None. Which would later cause the crash when it tries to unwrap NULL.
  
  https://github.com/iv-org/inv_sig_helper/blob/master/src/player.rs#L77
  In conversation about a month ago permalink
  Attachments
  1. inv_sig_helper/src/player.rs at master · iv-org/inv_sig_helper
    
    Contribute to iv-org/inv_sig_helper development by creating an account on GitHub.
  † top dog :pedomustdie: likes this.

Public

Notices

Feeds