IoT Vulnerability Collection
2024
- Hacking a Smart Home Device
- Pixel_GPU_Exploit: Android 14 kernel exploit for Pixel7/8 Pro
- When Samsung meets Mediatek: the story of a small bug chain
- Unburdened By What Has Been: Exploiting New Attack Surfaces in Radio Layer 2 for Baseband RCE on Samsung Exynos
- Samsung WB850F Firmware Reverse-Engineering
- 17 vulnerabilities in Sharp Multi-Function Printers - IT Security Research by Pierre
- Exploiting n-day in Home Security Camera
- Hack the Sky: Adventures in Drone Security
- DJI - The ART of obfuscation
- Hacking a 2014 tablet… in 2024!
- CVE-2024-20356: Jailbreaking a Cisco appliance to run DOOM
- DaBootZone: Breaking the DA1469x BootROM
- Off-By-One Con Badge Design and Cracking
- One Key Bug in OneKey Mini
- Draytek Vigor 3910
- Xiaomi AX9000 Router CVE-2023-26315 Vulnerability Discovery
- [GeekCon 2024] TI C2000 DSP Chip Hacking: Bypassing the Security Protection Mechanisms of Texas Instruments C2000 Chips
- JTAG Hacking with a Raspberry Pi - Introducing the PiFex
- 20 Security Issues Found in Xiaomi Devices
- Android-DirtyStream Vulnerability Detailed Description
- “Dirty stream” attack: Discovering and mitigating a common vulnerability pattern in Android apps
- TP-Link TDDP Buffer Overflow Vulnerability
- TheOfficialFloW/PPPwn: PPPwn - PlayStation 4 PPPoE RCE
- Arlo: I’m watching you
- Gaining kernel code execution on an MTE-enabled Pixel 8
- Breaking Fortinet Firmware Encryption
- Exploring AMD Platform Secure Boot
- A Brief Analysis of Secure Boot
- CVE-2023-4001: a vulnerability in the (downstream) GRUB boot manager
- PixieFail: Nine vulnerabilities in Tianocore’s EDK II IPv6 network stack
- Hand Me Your SECRET, MCU! Microarchitectural Timing Attacks on Microcontrollers are Practical
2023
- 5Ghoul - 5G NR Attacks & 5G OTA Fuzzing
- BLUFFS: Bluetooth Forward and Future Secrecy Attacks and Defenses
- Forescout Vedere Labs discloses 21 new vulnerabilities affecting OT/IoT routers
- SysPWN – VR for Pwn2Own
- Denial of Pleasure: Attacking Unusual BLE Targets with a Flipper Zero
- Understanding CVE-2020-7958: Biometric Data Extraction in Android
- NVMe: New Vulnerabilities Made Easy
- [TrustZone Vulnerability Reading Guide] Exploring the Security Landscape of the Surge S1
- Talk study: MOSEC2022 MediAttack - break the boot chain of MediaTek SoC
- Smartphones With Popular Qualcomm Chip Secretly Share Private Information With US Chip-Maker
- RedTeam Pentesting GmbH - D-Link DAP-X1860: Remote Command Injection
- The Old, The New and The Bypass - One-click/Open-redirect to own Samsung S22 at Pwn2Own 2022
- Pulling MikroTik into the Limelight
- TETRA:BURST | Midnight Blue
- Rooting Xiaomi WiFi Routers
- Vulnerabilities and Hardware Teardown of GL.iNET MT300N-V2
- DJI Mavic 3 Drone Firmware Analysis
- Applying Fault Injection to the Firmware Update Process of a Drone Paper
- Rooting the FiiO M6 - Part 2 - Writing an LPE Exploit For Our Overflow Bug
- Cisco SPA112 Firmware Unpacking/Repacking Analysis
- Pwn2Own Toronto 22: Exploit Netgear Nighthawk RAX30 Routers
- The Dragon Who Sold His Camaro: Analyzing Custom Router Implant
- Drone-Hacks, the best way to hack your DJI Drone
- Hacking my “smart” toothbrush
- Teardown of the Disneyland entry band
- Practical Introduction to BLE GATT Reverse Engineering: Hacking the Domyos EL500 · Hack The World
- Hacking the Nintendo DSi Browser
- Hue Light Hack
- Debugging D-Link: Emulating firmware and hacking hardware
- BLACKHAT_Asia2023/AS23-Xing-Dilemma-In-IoT-Access-Control
- The Fuzzing Guide to the Galaxy: An Attempt with Android System Services
- I hack, U-Boot
- Hacking Brightway scooters: A case study
- BreakMi: a security assessment toolkit for BLE fitness trackers
- Analysis of the China Telecom Tianyi Gateway 3.0 (Part 1)
- Multiple Vulnerabilities in Qualcomm and Lenovo ARM-based Devices
- SS7 Hack Software - How to hack SS7 and Intercept SMS
- Drone Security and the Mysterious Case of DJI’s DroneID - NDSS Symposium
- Project Zero: Multiple Internet to Baseband Remote Code Execution Vulnerabilities in Exynos Modems
- The Threat on Your Desk: Building an Evil USB-C Dock · Aura Research Division
- PWNING THE TP-LINK AX1800 WIFI 6 ROUTER: UNCOVERED AND EXPLOITED A MEMORY CORRUPTION VULNERABILITY
- REUnziP: Re-Exploiting Huawei Recovery With FaultyUSB - taszk.io labs
- Nightmare: One Byte to ROP // Deep Dive Edition
- Exploiting CVE-2022-42703 - Bringing back the stack attack
- CVE-2022-21819 | PCIe DMA Attack against a secured Jetson Nano
- WEEKEND DESTROYER - RCE in Western Digital PR4100 NAS
- mast1c0re: Introduction – Exploiting the PS4 and PS5 through a game save – McCaulay
- DualShock4 Reverse Engineering
- PabloMK7/ENLBufferPwn: Information and PoC about the ENLBufferPwn vulnerability
- Manipulating AES Traffic using a Chain of Proxies and Hardcoded Keys
- Analyzing an Old Netatalk dsi_writeinit Buffer Overflow Vulnerability in NETGEAR Router
- When an N-Day turns into a 0day. (Part 1 of 2)
- Netcomm - Unauthenticated Remote Code Execution
- Xiaomi-HyperOS-BootLoader-Bypass
- Fixing the Volume on my Bluetooth Earbuds
- Full Chain Baseband Exploits
- Hacking the Canon imageCLASS MF742Cdw/MF743Cdw (again)
- A Remote Code Execution (RCE) vulnerability has been discovered in the com.tcl.browser application
- Building an Exploit for FortiGate Vulnerability CVE-2023-27997
- CVE-2023-43786 & CVE-2023-43787 Vulns in libX11: All You Need To Know
- A journey into the Pwn2Own contest. Part 1: Netgear RAX30 router WAN vulnerabilities
- Diving into Starlink’s User Terminal Firmware
- research.nccgroup.com/2023/12/04/shooting-yourself-in-the-flags-jailbreaking-the-sonos-era-100/
- Unlimited Results: Breaking Firmware Encryption of ESP32-V3
2022
- Attacking Titan M with Only One Byte
- bypass-sentry-safe
- CVE-2022-27255 - Realtek eCos SDK SIP ALG buffer overflow
- Networking - VLAN Hopping
- MeshyJSON: A TP-Link tdpServer JSON Stack Overflow
- The Last Breath of Our Netgear RAX30 Bugs - A Tragic Tale before Pwn2Own Toronto 2022
- Cool vulns don’t live long - Netgear and Pwn2Own
- Analysis of TBS Crossfire, reverse engineering the air link
- Intro to Embedded RE: UART Discovery and Firmware Extraction via UBoot
- A journey into IoT - Unknown Chinese alarm - Part 4 - Internal communications
- Vlind Glitch: A Blind VCC Glitching Technique to Bypass the Secure Boot of the Qualcomm MSM8916 Mobile SoC
- Zyxel authentication bypass patch analysis (CVE-2022-0342)
- Shedding Light on Huawei’s Security Hypervisor
- Huawei Security Hypervisor Vulnerability
- Netcomm - Unauthenticated Remote Code Execution
- Puckungfu: A NETGEAR WAN Command Injection
- Reversing and Exploiting Samsung’s NPU PART2
- The Android kernel mitigations obstacle race
- Moto E20 Readback Vulnerability
- Accidental $70k Google Pixel Lock Screen Bypass
- Xiongmai IoT Exploitation
- TP-Link Tapo c200 Unauthenticated RCE
- Hacking Zyxel IP cameras to gain a root shell
- Tenda AX12 Device Analysis
- BrokenStrokes: On the (in)Security of Wireless Keyboards
- NXP i.MX SDP_READ_DISABLE Fuse Bypass (CVE-2022-45163)
- Hacking Smartwatches for Spear Phishing
- Code execution as root via AT commands on the Quectel EG25-G modem
- Extract Forensic Information for LEAs from Encrypted SmartPhones
- immunIT – Ethernet ghosting & NAC bypass
- Nozomi-Networks-WP-UWB-Real-Time-Locating-Systems uwb-rtls
- Shining New Light on an Old ROM Vulnerability: Secure Boot Bypass via DCD and CSF Tampering on NXP i.MX Devices
- SiriSpy - iOS bug allowed apps to eavesdrop on your conversations with Siri
- size_t-to-int vulnerability in exFAT leads to memory corruption via malformed USB flash drives
- Pulling MikroTik into the Limelight
- Pixel6: Booting up (part 1)
- Pixel 6 bootloader: Emulation, ROP(part 2)
- Pixel 6 Bootloader: Exploitation (part 3)
- FortiOS, FortiProxy, and FortiSwitchManager Authentication Bypass Technical Deep Dive (CVE-2022-40684)
- Security Advisory: NETGEAR Routers FunJSQ Vulnerabilities
- SpiderSMS: An End to End Encrypted SMS and SMS Tunneling app
- Contec FLEXLAN FXA2000 and FXA3000 series vulnerability report which provide WiFi on airplanes
- When Athletic Abilities Just Aren’t Enough - Scoreboard Hacking Part 1
- Symlinks as mount portals: Abusing container mount points on MikroTik’s RouterOS to gain code execution
- Vulnerabilities Identified in EZVIZ Smart Cams whitepaper
- Exploring the XBAND Video Game Modem and Executing Arbitrary Code Over a Phone Line in 2022
- Attacking the Android kernel using the Qualcomm TrustZone
- Vulnerability in Dahua’s ONVIF Implementation Threatens IP Camera Security
- QNAP Poisoned XML Command Injection (Silently Patched)
- Analysis and Attack of a Smart Band
- Starlink User Terminal Modchip
- Vulnerability within the UNISOC baseband opens mobile phones communications to remote hacker attacks
- CVE-2022-1040 Sophos XG Firewall Authentication bypass (viettelcybersecurity.com)
- SELinux confined
- Qualcomm IPQ40xx: Analysis of Critical QSEE Vulnerabilities
- FOISted: MikroTik remote jailbreak for v6.x.x
- (Un)protected Broadcasts in Android 9 and 10
- CVE-2022-23088: Exploiting a Heap Overflow in the FreeBSD Wi-Fi Stack
- randy: A pre-authenticated RCE exploit for Inductive Automation Ignition (Bypass, RCE) Source
- FESTO: CECC-X-M1 - Command Injection Vulnerabilities
- Reversing Simatic S7 PLC Programs
- CVE-2020-27861 nday exploit: netgear orbi unauthenticated command injection
- Retbleed: Arbitrary Speculative Code Execution with Return Instructions
- Ghost in the Wireless, iwlwifi edition
- TPM Sniffing Attacks Against Non-Bitlocker Targets
- A vulnerability allows opening electronic safes from the Sentry Safe and Master Lock company without any pin code.
- Multiple vulnerabilities in Zyxel zysh
- Gary’s hacking stuff: Exploiting the Wii U’s USB Descriptor parsing
- Firmware key extraction by gaining EL3
- Satellite (In)security: Vulnerability Analysis of Wideye SATCOM Terminals
- Black Hat Asia 2022 Talk Breakdown: Unix Domain Socket: A Hidden Door to Privilege Escalation in the Android Ecosystem
- Hardware Security By Design: ESP32 Guidance
- The printer goes brrrrr!!! (heap overflow)
- Nozomi Networks Discovers Unpatched DNS Bug in Popular C Standard Library Putting IoT at Risk
- Microsoft finds new elevation of privilege Linux vulnerability(D-BUS)
- Hacking Canon Pixma Printers - Doomed Encryption
- Another vulnerability in the LPC55S69 ROM
- Exploiting Undocumented Hardware Blocks in the LPC55S69
- CVE-2022-23121: Remote Code Execution on Western Digital PR4100 NAS
- Analysis and reverse-engineering of the original Starlink router
- AcidRain | Analysis of the Attack on the VIASAT Commercial Satellite Communication System
- Pwning the bcm61650
- TP-Link WDR-7660 VxWorks Router Security Research: Firmware Analysis
- Your NAS is not your NAS !
- Advanced Software Analysis: Pwning a Cisco RV340 with a 4 bug chain exploit
- Advanced Software Analysis: CVE-2022-27643 - NETGEAR R6700v3 upnpd Buffer Overflow Remote Code Execution Vulnerability
- Pwn2Own Austin 2021 : Defeating the Netgear R6700v3
- A Backdoor Lockpick. Reversing and Subverting Phicomm’s…
- Finding bugs to trigger Unauthenticated Command Injection in a NETGEAR router
- Repeatable Failures: AMI UsbRt - Six years later, firmware attack vector still affect millions of enterprise devices
- Shielder - Reversing embedded device bootloader (U-Boot) - p.1
- Shielder - Reversing embedded device bootloader (U-Boot) - p.2
- Longue vue : an exploit chain that can compromise over the internet NETGEAR DGND3700v2 devices. Github
- A journey into IoT - Unknown Chinese alarm - Part 1 - Discover components and ports
- LTrack: Stealthy Tracking of Mobile Phones in LTE
- Real World CTF Trust or Not Writeup
- PwnedPiper: Nine vulnerabilities in critical infrastructure used by 80% of major hospitals in North America.
- Test Point Break: Analysis of Huawei’s OTA Fix For BootROM Vulnerabilities
- How To Tame Your Unicorn: Exploring And Exploiting Zero-Click Remote Interfaces of Huawei Smartphones
- Exploiting CSN.1 Bugs in MediaTek Basebands
- Unbox Your Phone - reverse engineering and exploiting Samsung’s TrustZone
- TLStorm: Three critical vulnerabilities discovered in APC Smart-UPS devices can allow attackers to remotely manipulate the power of millions of enterprise devices.
- Repeatable Firmware Security Failures: 16 High Impact Vulnerabilities Discovered in HP Devices
- CVE-2022-24990: TerraMaster TOS unauthenticated remote command execution via PHP Object Instantiation
- Alexa vs Alexa(AvA)
- BrokenPrint: A Netgear stack overflow
- CVE-2021-1965: WiFi Zero Click RCE Trigger PoC
- Trust Dies in Darkness: Shedding Light on Samsung’s TrustZone Keymaster Design
- samsung-q60t-exploit: Exploit and firmware decryption script Slides Video
- flashback_connects (Cisco RV340 SSL VPN Unauthenticated Remote Code Execution as root)
- CVE-2021-1965: CVE-2021-1965 WiFi Zero Click RCE Trigger PoC
- Analyzing a PJL directory traversal vulnerability – exploiting the Lexmark MC3224i printer (part 2)
- Bypassing software update package encryption – extracting the Lexmark MC3224i printer firmware (part 1)
- 0vercl0k/zenith: Zenith exploits a memory corruption vulnerability in the NetUSB driver to get remote-code execution on the TP-Link Archer C7 V5 router for Pwn2Own Austin 2021. Detail
- Moxa MXview Network Management System Vulnerabilities Patched
- GoIP-1 GSM gateway could be harnessed for phone fraud by hackers
- Advisory: Western Digital My Cloud Pro Series PR4100 RCE - IoT Inspector (command injection)
- TP-Link Tapo c200 Unauthenticated RCE (command injection)
- Sim hijacking
- Zero-Click RCE Exploit for the Peloton Bike Identified and Patched (nowsecure.com)
- Reverse Engineering Bare Metal Firmware Images — Part 2 | by Ragnar Security
- How I hacked SONOS and YouTube the same day
- LoRaWAN’s Protocol Stacks: The Forgotten Targets at Risk Whitepaper
- FIRMWIRE: Transparent Dynamic Analysis for Cellular Baseband Firmware
- Uniview PreAuth RCE - SSD Secure Disclosure (stack overflow)
- Raspberry Pi - GPU Exploitation
- CVE-2021-20038: SonicWall SMA-100 Unauth RCE Exploit (stack overflow)
- CVE-2021-45608: NetUSB RCE Flaw in Millions of End User Routers
- Dumping the Amlogic A113X Bootrom
- PowerPC Pwn: From Introduction to Practice
- Hunting mobile devices endpoints - the RF and the Hard way
- Broadpwn: Remotely Compromising Android and iOS via a Bug in Broadcom’s Wi-Fi Chipsets
- Hacking a $5 Smartband.
- Security probe of Qualcomm MSM data services
- FLASHBACK CONNECTS - Cisco RV340 SSL VPN RCE
- Competing in Pwn2Own 2021 Austin: Icarus at the Zenith
2021
- CPR-Zero: CVE-2020-11292 QUALCOMM SNAPDRAGON AUTO VOICE SERVICE OF BUFFER OVERFLOW
- Cracking and Attacking Smart Door Locks
- Hideez Key 2 FAIL: How a good idea turns into a SPF (Security Product Failure)
- Reverse Engineering Radios - ARM Binary Images in IDA Pro
- Vulnerabilities in metal detector peripheral could allow attackers to manipulate security devices
- Reverse Engineering Yaesu FT-70D Firmware Encryption
- CVE-2021-42342 GoAhead Remote Command Execution Vulnerability In-Depth Analysis and Reproduction
- Multiple RTOS (Update D) | CISA
- Netgear Nighthawk R6700 Multiple Vulnerabilities (command injection, plaintext storage)
- Intruding 5G SA core networks from outside and inside
- Exploit the Fuzz – Exploiting Vulnerabilities in 5G Core Networks
- Hacking the Nokia Fastmile
- Discovering a Firmware Backdoor Translation
- Attacks on Wireless Coexistence: Exploiting Cross-Technology Performance Features for Inter-Chip Privilege Escalation
- CVE-2021-39238: Printing Shellz: affects more than 150 HP multi-function printers Whitepaper FAQ
- How We Hacked a TP-Link Router and Took Home $55.000 in Pwn2Own: hacking Video
- Multiple Vulnerabilities in Victure WR1200 WiFi Router (guessable password, command injection)
- Cisco RV34X Series - Privilege Escalation in vpnTimer (privilege escalation)
- CVE-2021-34991: Netgear SOHO Devices upnpd Service Pre-Authentication Stack Overflow
- CVE-2021-41653: TP-Link TL-WR840N V5(EU) (command injection)
- Fuzz Testing Using Tenda AC15 CVE-2018-5767 as an Example
- Reverse-engineering the Yamaha DX7 synthesizer’s sound chip from die photos
- TPM sniffing
- Fall of the machines: Exploiting the Qualcomm NPU (neural processing unit) kernel driver
- NUCLEUS:13 - New Critical Vulnerabilities Found on Nucleus TCP/IP Stack
- Baryon Sweeper lets you unbrick PSP 2000/3000, Pandora battery style
- Tianfu Cup 2021 RT-AX56U RCE
- Critical Vulnerabilities in Altus Sistemas de Automacao products (command injection, hard-coded credentials, CSRF)
- Critical Vulnerabilities in HiKam - High Infinity Technology (authentication bypass, information disclosure, ...)
- The Challenges of Fuzzing 5G Protocols
- CVE-2021-41794: Open5GS Stack Buffer Overflow During PFCP Session Establishment on UPF
- Your vulnerability is in another OEM! (Western Digital PR4100 NAS)
- CVE-2021-34710: Cisco ATA19X Privilege Escalation and RCE - IoT Inspector (command injection)
- Cracking WiFi at Scale with One Simple Trick
- Swimming Upstream: Uncovering Broadcom SDK vulnerabilities from bug reports (SSDP M-SEARCH overflow)
- Forced Entry: A Security Test for Automatic Garage Doors Detail
- Change Your BLE Passkey Like You Change Your Underwear
- Hacking the Furbo Dog Camera: Part I
- Hacking the Furbo Dog Camera: Part II
- Cisco Hyperflex: How We Got RCE Through Login Form and Other Findings
- Hacking LG WebOS Smart TVs Using A Phone
- DD-WRT UPNP Buffer Overflow (buffer overflow)
- Swimming Upstream: Uncovering Broadcom SDK Vulnerabilities from Bug Reports (heap overflow)
- Cracking the Victure IPC360 Monitor (improper access control, buffer overflow, proprietary protocol analysis)
- Dahua authentication bypass
- How to reset H.264 Network DVR (for lost password)
- Unauthenticated Remote Code Execution (RCE) vulnerability in Hikvision IP camera/NVR firmware (CVE-2021-36260) POC
- ANALYSIS OF PRODUCTS MADE BY Huawei, Xiaomi and OnePlus
- Mama Always Told Me Not to Trust Strangers without Certificates
- QNAP MusicStation/MalwareRemover Pre-Auth Remote Code Execution
- NanoMQ: Improper Handling of Payload Length
- Code execution as root via AT commands on the Quectel EG25-G modem
- Full disclosure: 0-day RCE backdoor in Teradek IP video device firmwares
- Do you like to read? I can take over your Kindle with an e-book
- Breaking the Android Bootloader on the Qualcomm Snapdragon 660
- Cisco RV160W Series Router Vulnerabilities: From 1-day Analysis to 0-day Discovery
- Home Router Vulnerability Discovery Case Study: An Illustrated Look at the Multiple Overflow Vulnerabilities in the D-LINK DIR-815
- Advisory: Multiple Issues in Realtek SDK Affects Hundreds of Thousands of Devices Down the Supply Chain
- Gaining root access on Sonos Play (1st gen and 2nd gen ‘One’) (DMA attack)
- Bypassing Authentication on Arcadyan Routers with CVE-2021–20090 and rooting some Buffalo
- Identifying Bugs in Router Firmware at Scale with Taint Analysis
- Bypassing Windows Hello Without Masks or Plastic Surgery
- Meet WiFiDemon: iOS WiFi RCE 0-Day Vulnerability & a ‘Zero-Click’ Vulnerability That was Silently Patched
- CVE-2021-3438: 16 Years In Hiding - Millions of Printers Worldwide Vulnerable Analysis
- Analysis of the BLE Communication of the Yunding Loock Door Lock
- CVE-2021-35973: Netgear WAC104 Authentication Bypass
- UDP Technology IP Camera vulnerabilities
- Aruba in Chains: Chaining Vulnerabilities for Fun and Profit
- Dumping and extracting the SpaceX Starlink User Terminal firmware
- Reverse Engineering the M6 Smart Fitness Bracelet Translation
- ATC_MiThermometer: Custom firmware for the Xiaomi Thermometers and Telink Flasher via USB to Serial converter(SWire Debug)
- Microsoft finds new NETGEAR firmware vulnerabilities that could lead to identity theft and full system compromise (authentication bypass, side channel) Translation
- How to Pwn Your Own Optical Network Terminal (backdoor, command injection)
- Notes on Pwning a Gateway Device - Smart Devices (hard-coded credentials, stack overflow)
- Vulnerability Discovery in Open-Source USB Protocol Stacks
- Smart Band BLE Authentication Bypass Enabling Remote Control
- Pwn2Own Qualcomm DSP
- DIGGING INTO A UBIQUITI FIRMWARE UPDATE BUG(curl -k insecure option MITM)
- Multiple Critical Vulnerabilities in Korenix Technology, Westermo and Pepperl+Fuchs products
- Attacking Xerox multi function printers Slide video
- Pwning Home Router - Linksys WRT54G
- NETGEAR Switches Pre-Authentication Command Injection
- BadAlloc: Memory allocation vulnerabilities could affect wide range of IoT and OT devices
- Send My: Arbitrary data transmission via Apple’s Find My network
- Bluetooth → Wi-Fi Code Execution & Wi-Fi Debugging
- Realtek RTL8710C WPA2 handshake mechanism buffer overflow (buffer overflow)
- CVE-2020-12351: Analysis of a Denial-of-Service Vulnerability in the Linux Bluetooth Module
- Remote code execution vulnerabilities in Cosori smart air fryer (overflow, command execution)
- Tenda D151 D301 exploit (unauthenticated configuration file download)
- NETGEAR Nighthawk R7000 httpd PreAuth RCE (heap overflow)
- Junos OS overlayd service bss Buffer Overflow
- Inside SimpliSafe Alarm System
- VOOdoo - Remotely Compromising VOO Cable Modems
- DUMPING THE SONOS ONE SMART SPEAKER
- PWN2OWN TOKYO 2020: DEFEATING THE TP-LINK AC1750
- Reverse Engineering the TP-Link HS110
- VisualDoor: SonicWall SSL-VPN Exploit
- Netgear Firmware Analysis and Backdoor Implantation
- Pwn2Own: A Tale of a Bug Found and Lost Again
- Ruijie Networks EWEB Network Management System (command injection)
- A Practical Approach To Attacking IoT Embedded Designs (I)
- NCC Group’s 2020 Annual Research Report
- Major Vulnerabilities discovered and patched in Realtek RTL8195A Wi-Fi Module
- Hidden Vulnerabilities in Wireless Doorbells, Cameras
- CVE-2020-13117: Wavlink Multiple AP Products: Unauthenticated Remote Root Command Execution
- IoT Open-Source Component Security: Node-RED White-Box Audit
- Shining a Light on SolarCity: Practical Exploitation of the X2e IoT Device (Part Two)
- Shining a Light on SolarCity: Practical Exploitation of the X2e IoT Device (Part One)
- CVE-2020-XXXXX - Getting root on webOS Translation
- Multiple vulnerabilities found in FiberHome HG6245D routers
- DNSpooq: 7 vulnerabilities in Dnsmasq
- Multiple Vulnerabilities in Netgear ProSAFE Plus JGS516PE / GS116Ev2 Switches
- Exploiting the Nespresso smart cards for fun and profit coffee
- Hongdian H8922 Multiple Vulnerabilities (hard-coded credentials/command injection)
- Multiple Issues in Libre Wireless LS9 Modules (authentication bypass/information disclosure)
- CVE-2021-28144: D-Link DIR-3060 Authenticated RCE (command injection)
- Cisco RV34X Series – Authentication Bypass and Remote Command Execution
- [PM3] Resetting the Xiaomi Air Purifier Filter
- Reverse Engineering Bare-Metal Firmware — Part 3 | Analyzing ARM Assembly and Exploiting Vulnerabilities
- Analysis and reverse-engineering of the original Starlink router
2020
- Hunting for backdoors in Counterfeit Cisco devices
- Espressif ESP32: Controlling PC during Secure Boot
- CVE-2020–15509 | Norec Attack: Stripping BLE encryption from Nordic’s Library
- Exploitable Flaws Found in Facial Recognition Devices
- IoT Security Series: Remotely Cracking Google Home
- Kernel Vulnerabilities Affecting All Qualcomm Devices
- Over The Air Baseband Exploit: Gaining Remote Code Execution on 5G Smartphones
- (Un)protected Broadcasts in Android 9 and 10
- Zombies ate my printer’s ink: Attacking a Canon printer, from firmware gathering to remote code execution Slide
- CVE-2020–9380 IPTV Smarters Exploit Github
- CVE-2020-9530/9531: exploited the Xiaomi Mi9 through NFC tag
- CVE-2020-11959/11960: Logic Vulnerabilities in Practice: Owning a Router with Three Bugs (Xiaomi AIoT Router AX3600) Slides Video
- Reverse Engineering the Root Password of the Xiao AI Speaker
- CVE-2020-14096: Xiaomi AI Speaker Authenticated Part 2 Part 3
- XIAOMI AI speaker get root shell by accessing UART
- CVE-2020-29583: Undocumented user account in Zyxel products
- LINGERING RTA ENIP STACK VULNERABILITY POSES RISK TO ICS DEVICES
- LILIN DVR/NVR In-the-Wild 0-day Attack Report 2
- Extraordinary Vulnerabilities Discovered in TCL Android TVs, Now World’s 3rd Largest TV Manufacturer
- MULTIPLE VULNERABILITIES IN ZTE WLAN ROUTER MF253V
- Multiple Vulnerabilities in Wavlink Router leads to Unauthenticated RCE – CVE-2020-10971 and CVE-2020-10972 More
- Crafting symbolic links to root a TP-Link AC1750
- Exploiting Samsung Router WLAN AP WEA453e
- Don’t Ruck Us Again - The Exploit Returns
- Remote Command Execution in Ruckus IoT Controller (CVE-2020-26878 & CVE-2020-26879)
- [Write Up] Damn Vulnerable Arm Router
- Smart male chastity lock cock-up
- WarezTheRemote: Turning Remotes Into Listening Devices
- SweynTooth Cybersecurity Vulnerabilities May Affect Certain Medical Devices: FDA Safety Communication White Paper
- Abuse UPnP, Firefox for Android LAN-Based Intent Triggering
- Espressif ESP32: Bypassing Encrypted Secure Boot (CVE-2020-13629)
- Call an Exorcist! My Robot’s Possessed!
- Backdoors and other vulnerabilities in HiSilicon based hardware video encoders
- Speed 2 – The Poseidon Adventure PART-2
- No buffers harmed: Rooting Sierra Wireless AirLink devices through logic bugs
- 360lock Smart Lock Review
- Critical Vulnerabilities Discovered in MoFi Routers
- Netgear Nighthawk R8300 upnpd PreAuth RCE Analysis and Reproduction
- Don’t be silly – it’s only a lightbulb
- Ruijie Networks Switch Version S29_RGOS 11.4(1)B12P11 eWeb Directory Traversal
- Multiple Vulnerabilities discovered in the D-link Firmware DIR-816L Translation
- Security testing of the pacemaker ecosystem Part 1 ALL Translation Part 1
- INTERNET OF THINGS Threat modelling and IoT hubs
- Tenda AC15 AC1900 Vulnerabilities Discovered and Exploited
- ARBITRARY OS COMMAND INJECTION ON V-SOL HOME ROUTERS
- My Adventures Hacking the iParcelBox
- Hacking smart devices to convince dementia sufferers to overdose
- Multiple vulnerabilities found in CDATA OLTs
- Pwning smart garage door openers
- RCE on Telia Routers
- 0-Day Vulnerabilities in Yale IP Cameras
- Multiple vulnerabilities in Tenda PA6 Wi-Fi Powerline extender
- ZDI-20-709: HEAP OVERFLOW IN THE NETGEAR NIGHTHAWK R6700 ROUTER Translation Analysis Github
- 79 Netgear router models httpd Firmware Upload Stack-based Buffer Overflow Remote Code POC
- Ripple20: 19 Zero-Day Vulnerabilities Amplified by the Supply Chain Whitepaper 1
- 6 New Vulnerabilities Found on D-Link Home Routers
- nRF52 Debug Resurrection (APPROTECT Bypass)
- CVE-2020-12695: UPnP CallStranger
- An EL1/EL3 coldboot vulnerability affecting 7 years of LG Android devices
- Open the Gates! The (In)Security of Cloudless Smart Door Systems
- ASUS and Xiaomi smart home devices
- SurfingAttack: Stealthy Attacks Interacting with Voice Assistants via Ultrasound
- Broadcom Kernel Vulnerability Cable Haunt
- CVE-2019-15126: Kr00k Wi-Fi Encryption Flaw
- Mozilla WebThings IoT gateway Interfaces.d to RCE
- 0day vulnerability (backdoor) in firmware for HiSilicon-based DVRs, NVRs and IP cameras
- Google Maps Hacks
- How Business and Home Networks Can Be Hacked from a Lightbulb
- CNVD-2021-14536 Ruijie RG-UAC Unified Internet Access Control and Audit System Information Disclosure Vulnerability
- Vulnerabilities Discovered in Qualcomm QCMAP enable remote root access
- SCTF 2020 Password Lock Plus: Getting Started with STM32 Reverse Engineering
- Machine-in-the-Middle (MitM) BLE Attack
2019
- Extracting BitLocker keys from a TPM
- IoT Terminal Security White Paper (2019)
- Smart City Cybersecurity White Paper
- 2019 Internet Devices - Smart Speaker Security White Paper
- Venustech ADLab: Smart Speaker Cybersecurity and Privacy Research Report
- Laser Intrusion into Voice-Controlled Systems
- BLEEDINGBIT: THE HIDDEN ATTACK SURFACE WITHIN BLE CHIPS
- CVE-2019-1663 Analysis of a Stack Buffer Overflow Vulnerability in Multiple Low-End Cisco Devices
- CVE-2019-12272 OpenWrt LuCI Web Management Interface Command Injection
- 4G LTE Man in the Middle Attacks with a Hacked Femtocell Video Slide
- Riding the lightning: iLO4&5 BMC security wrap-up
- Breaking Through Another Side: Bypassing Firmware Security Boundaries from Embedded Controller
- D-Link DIR-859 —Unauthenticated RCE (CVE-2019–17621) UPnP Command Injection
- Hacking Hardware Password Managers: Royal Vault Password Keeper(COMS Flash)
- Hacking Hardware Password Managers: passwordsFAST(I2C Flash)
- Hacking Hardware Password Managers: The RecZone(SPI Flash)
- Wifi deauthentication attacks and home security
- Children’s GPS Smart Watches (R7-2019-57)
- Linksys velop authentication bypass
- Xiaomi Router Series Remote Command Execution Vulnerabilities (CVE-2019-18370, CVE-2019-18371)
- Xiaomi Smart Plug (ZNCZ02LM) Part 2: Beyond Architecture Part 3: Live Debugging
- The Story After the Green-Board Xiao AI Speaker Update Enabled a Root Password
- Multiple Vulnerabilities in ZTE mobile Hotspot MS910S (hard-coded credentials, n-day)
- Chunghwa Telecom Modem Remote Code Execution Vulnerability
- Xiongmai Camera - Investigational Journey
- Laser-Based Audio Injection on Voice-Controllable Systems
- Security cameras vulnerable to hijacking
- After SIMJacker, WIBattack hacking technique disclosed. Billions of users at risk
- CVE-2019-12103 – Analysis of a Pre-Auth RCE on the TP-Link M7350
- Say Cheese: Ransomware-ing a DSLR Camera
- Multiple Hickory Smart Lock Vulnerabilities
- Unauthorized Access to the VideoTalk Audio Download Function in Some Dahua Products
- Logitech Unifying Vulns
- Breaking & Entering with Zipato SmartHubs
- Ewon Flexy IoT Router. A Deep dive
- Buffer Overflow Vulnerability in TP-Link Routers Can Allow Remote Attackers to Take Control
- We Decide What You See: Remote Code Execution on a Major IPTV Platform
- CVE-2019-7406: Critical RCE Vulnerability in TP-Link Wi-Fi Extenders Can Grant Attackers Remote Control
- Router Vulnerability Discovery: Analysis of an Unauthorized File Read Vulnerability in the DIR-805L
- MINDSHARE: HARDWARE REVERSING WITH THE BELKIN SURF N300 ROUTER
- Analysis of Remote Code Execution Exploitation on the Ukrainian IPTV Platform Infomir
- WD My Cloud RCE
- Love is in the air: Reverse Engineering a shitty drone
- EXPLOITING 10,000+ DEVICES USED BY BRITAIN’S MOST VULNERABLE
- Invading Your Personal Cloud — ISE Labs Exploits the Seagate stcr3000101
- Over 25,000 Linksys Smart Wi-Fi routers vulnerable to sensitive information disclosure flaw
- OEM Presentation Platform Vulnerabilities
- ZyXEL / Billion Multiple Vulnerabilities
- Barco/AWIND OEM Presentation Platform Unauthenticated Remote Command Injection
- Multiple vulnerabilities in Sierra Wireless AirLink ES450
- CVE-2019-1652/CVE-2019-1653 Exploits For Cisco RV320
- Arbitrary Command Execution On The TP-Link SR20 Smart Hub And Router
- Collection of RCE Vulnerability Exploits for Grandstream Devices
- BlueSDK Hell2CAP 0day
- Multiple D-Link Routers Found Vulnerable To Unauthenticated Remote Code Execution (command injection)
- Sierra Wireless AirLink ES450 ACEManager upload.cgi Unverified Password Change Vulnerability
- Unlocking IAM’s Nokia G-240W-A router (Part 1)
- USBAnywhere: Virtual Media Vulnerability in BMC Opens Servers to Remote Attack
- Hacking microcontroller firmware through a USB
- Summary of VxWorks Firmware Analysis Methods
- NOE77101 Firmware Backdoor Vulnerability Analysis
2018
- IoT Security White Paper (2018)
- Domestic IoT Nightmares: Smart Doorbells
- [DEF CON 26] Breaking Smart Speaker - Exploit Amazon Echo: How to Hack into the Amazon Echo Speaker - Eavesdropping and Recording
- CVE-2018-3833: Insteon Hub PubNub Firmware Downgrade Vulnerability
- Toolbox for HPE iLO4 & iLO5 analysis
- Slide: Turning your BMC into a revolving door
- Backdooring your server through its BMC Slide
- Slide: Subverting your server through its BMC
- Breaking Through Another Side: Bypassing Firmware Security Boundaries from Embedded Controller
- Faxploit: Sending Fax Back to the Dark Age
- TP-Link TL-R600 VPN remote code execution vulnerabilities
- CVE-2018-10106: D-Link DIR-815 permission bypass and information disclosure Analysis
- Security Notification – EVLink Parking
- Guardzilla IoT Video Camera Hard-Coded Credentials (CVE-2018-5560)
- TerraMaster NAS Vulnerabilities Discovered and Exploited
- TerraMaster OS exportUser.php Remote Code Execution
- Multiple Vulnerabilities in Sony IPELA E Series Camera
- Multiple Vulnerabilities in Samsung SmartThings Hub
- Hacking Swann & FLIR/Lorex home security camera video
- VDOO Discovers Significant Vulnerabilities in Axis Cameras
- Major Vulnerabilities in Foscam Cameras
- CVE-2018-11481: Remote Code Execution Security Vulnerability in Multiple TP-LINK Products
- Who’s Watching the Watchers (Vol. II): Norton Core Secure WiFi Router
- Quest DR Series Disk Backup Multiple Vulnerabilities
- TalkTalk Router - WPS Exploit
- Backdoors in D-Link’s backyard (Multiple vulnerabilities in D-Link DIR-620 router)
- DrayTek Routers: CSRF & DNS Changed Web Interface Attacks
- CVE-2018-9995: Get DVR Credentials
- Rooting a Logitech Harmony Hub: Improving Security in Today’s IoT World
- Critical Vulnerability Found in Majority of LG NAS Devices Translation
- Critical RCE Vulnerability Found in Over a Million GPON Home Routers
- 5,000 Routers in Brazil Have No Telnet Password Set by Default and Can Be Easily Hijacked
- AVTECH IP Camera/NVR/DVR Devices - Multiple Vulnerabilities
- AXIS Camera App Malicious Package Distribution Weakness EXP
- DJI Drone Vulnerability
- Practical Exploitation of an Android Bluetooth Remote Command Execution Vulnerability: From PoC to Exploit
- Mobile Baseband Security Research Series Part 1: Concepts and Systems
- PWN2OWN: A Journey into Cracking the Shannon Baseband Github
- PWN2OWN: A Journey into Cracking the Shannon Baseband
2017
- Over The Air: Exploiting Broadcom’s Wi-Fi Stack (Part 1)
- HiSilicon DVR hack
- Femtocell Hacking: From Zero to Zero Day Slide
- CableTap: a wide array of critical vulnerabilities in ISP-provided, RDK-based wireless gateways and set-top boxes White Paper
- GoAhead Remote Code Execution Vulnerability (CVE-2017-17562) Analysis and Practice
- Backdoor and root shell on ZTE MF286
2016
- Veralite UPnP Exploit
- Getting Root on Philips Hue Bridge 2.0 Slide 1 Slide 2
- TP-LINK TDDP Multiple Vulnerabilities
Security Research
- Setting Routing Rules per Process
- Change USB VID & PID on Digispark
- Sniffing SSH Passwords
- Rootless Sniffing: Unix Domain Socket MITM
- Modifying Embedded Filesystems in ARM Linux zImages
- Repairing a Broken Huawei NAND Dump and Single-Bit Errors
- FLAW3D: Hiding a Trojan in an AVR Arduino Bootloader
- Firmware Extraction Series - UBI File System Extraction and Repacking
- Capturing and Parsing Unix Domain Socket Traffic with tcpdump
- NFC Also Has High-Risk Vulnerabilities: See How He Analyzed It
- BLECTF: Bluetooth Low Energy CTF Challenge
- Overview of GLIBC heap exploitation techniques
- MISC study notes about ARM AArch64 Assembly and the ARM Trusted Execution Environment (TEE)
- A Beginner’s guide into Router Hacking and Firmware Emulation
- Starting Embedded Reverse Engineering: FreeRTOS, libopencm3 on STM32F103C8T6
- Reverse Engineering WiFi on RISC-V BL602
- USB Reverse Engineering: Down the rabbit hole
- ARM Exploitation: Return oriented Programming
- CWE Most Important Hardware Weaknesses
- Introducing Flash BASH (U-Boot glitching)
- pin2pwn: How to Root an Embedded Linux Box with a Sewing Needle
- How to Build a Low-Cost, Extended-Range RFID Skimmer
- Anti tamper real time clock (RTC) - make your embedded system secure
Tools
- Flash Dump Made Easy With OFRAK
- nccgroup/Sniffle: A sniffer for Bluetooth 5 and 4.x LE
- Binbloom blooms: a tool to find the base address of any 32 and 64-bit architecture firmware
- Introducing Flash BASH
Other
Standards
- Information Security Technology: IoT Security Reference Model and General Requirements
- Guidelines for Building the IoT Basic Security Standard System (Draft for Comment)
- EN 303 645 - V2.1.1 - CYBER; Cyber Security for Consumer Internet of Things: Baseline Requirements
- GB/T 38626-2020 Information Security Technology: Password Protection Guidelines for Smart Networked Devices