Resources

People often ask me "How did you learn how to hack?" The answer: by reading. This page is a collection of the blog posts and other articles that I have accumulated over the years of my journey. Enjoy!

Insecure by Design: Default Configurations in Embedded Systems - 1859

Kevin Chen - Posted 2 Months Ago
  • The OWASP IoT Top 10 includes Insecure Default Settings. To the author, this means a configuration that is insecure by default, a setting that the user must explicitly change, or a setting that is bad and unchangeable. They have several examples of this in the article.
  • The first target is the Kobo eReader, an alternative to Amazon Kindles. On the debug shell, the default credentials are admin:admin. So, with access to a device, it's possible to log in to it. Additionally, there is no key signing, so it's trivial to reflash the firmware with arbitrary code.
  • The next thing they looked at was a Bitcoin ATM kiosk. After clicking around for a while, they were able to access the Windows control panel. With access to the system logged in as an administrator, it would have been possible to backdoor the entire thing. To demonstrate this, they used Mimikatz to extract creds and ran Doom on it.
  • A good post on some real-world issues. Insecure defaults have existed for years and will likely continue to do so. Good finds!