David Sopas

web security researcher

David Sopas – Web Security Researcher
START READING
23/10/18 Meetings , My Events # , , , ,

Semana Informática and BSides Lisbon

So I scheduled my last talks for this year.

At 31 October, I’ll be at FEUP in Semana Informática to present – Breaking IoT!
And for the third time, I’ll have the honor to be at BSides Lisbon on 29th and 30th November giving a talk with my friend and collegue Pedro Umbelino – Exfiltrate all the things!

If by any chance you’ll be in one of these events feel free to approach me and say Hi!

no responses
17/10/18 Hardware , IoT # , , ,

Opening a fingerprint + BLE smartlock – the smart way!

I got my hands on a smartlock that costs around 35€ on Amazon which unlocks using the fingerprint or app (using BLE).
In reality I don’t know the brand and model but this is not something that I really care. What I wanted to check was – how hard was breaking this smartlock?

After a quick inspection I noticed that this lock had something covered below the USB port (which is used to power the battery). Using a sharp knife I scrubbed the thing up and… a screw appeared 🙂

C’mon… Really? I opened it and start disassembling the device.

I needed to scrub also some parts because this lock was supposed to be waterproof so they covered some wires.

In the end, we got a small PCB with a connected fingerprint sensor. Didn’t saw any spring like other locks and can’t manage to open it by shimming. But I saw a motor which was connected by a white and yellow wire to the PCB.

I already played with some motors and other devices like that on Arduino and they usually only need some power to rotate. In this case, I’m guessing that connecting the 3.7V battery to the PCB wires it will rotate (or open).

I grabbed a couple of wires to prevent soldering or damaging the lock and connected them to the lock battery. Than connected the wires to the PCB part that connected to the motor.

And the lock opened. No fingerprint or BLE needed.

Check out the small video that I did – https://www.youtube.com/watch?v=VEjwV3LsLJ0

So I guess you take around 5 second to open this lock using a direct connection to the motor.
The vendor claims its a strong lock… Anyone can break it in 5 seconds.

Screwdrivers rule! 🙂

no responses
10/10/18 Hardware # , , , ,

micro:bit password generator

So I got a new toy – micro:bit. I initially bought three of these devices so I can sniff BLE traffic using btlejack. After playing with it, I decided to learn more about this hardware.

It’s pretty simple to use, specially if you decide to use Microsoft MakeCode, but also support MicroPython. I went with this last one and created something that is still in testing because of hardware limitations.

I decided to create a simple password generator. You have two buttons. Button A (left side) and Button B (right side).
Button A generates “randomly” and displays on the small leds a 4 digit pin number. Button B generates a 12 length char password that will consist in numbers, some letters (some letters don’t display well on the leds) and a couple of symbols.

Why I did this? Well because usually you need something to generate a fast pin or password. Some of my clients NEED this. Nothing is recorded and if you don’t catch the pin or password, click to generate another one.

Next step… Battery. Implement a CR2032 battery with a on/off button. Also, improve the code a bit and share it on github.

Check the video here – https://www.youtube.com/watch?v=M3CO_OvSO4w

no responses
16/08/18 Interesting Readings , News # , , ,

Checkmarx Security Research Team latest work

Some of our work was published and I would like to share it here:

More coming soon in a web near you 🙂

no responses
16/08/18 Bug Bounty , Tools # , , ,

h1-search tool

h1-search tool

Me and Paulo Silva wrote a simple golang tool to check full disclosures on HackerOne. Why?

  • You can filter the results
  • You can see ALL the results (H1 has page limitations – 25 results)
  • Its coded in Go 😀

So if you guys want to give it a try, feel free to install it and participate – https://github.com/dsopas/h1-search

no responses
20/04/18 Tools # , , , ,

RFD Checker and Security Assessment Mindset

I recently published two repos on my Github account. One is RFD Checker, which I did with my colleague Paulo Silva, where it scans for Reflected File Download vulnerabilities and the other one is a security mindmap (you can also have other formats). This last one had pretty good success just because it a mindset for helping infosec peers and bug bounty hunters on their assessments.

Feel free to share it and participate on any of the projects. They are open-source and with the help of the infosec community they can become a better tool to your arsenal.

 

no responses
20/04/18 My Events , News # , ,

Reflected File Download webinar

Reflected File Download webinar

On 13th March I did a webinar for Checkmarx showing in around 30 minutes what is and how you can exploit the web vector Reflected File Download.

You can still watch the recorded version at RFD: Still Threatening the Biggest Names on the Web.

Had a lot of fun doing it because it was my first webinar 🙂 ‘Til next time!

no responses
29/12/17 Papers # , , , ,

BLE Driving 101

I’m writing this article on my path of becoming a better researcher on IoT devices.
My goal was to create a portable device that I could use to scan BLE (aka Bluetooth Low Energy) devices and improve future tasks – like pentesting IoT for clients.

Disclaimer: No harm or malicious activities have been done to any device. Don’t use this type of information to do illegal stuff.

I used bleah (props to evilsocket) to record all the BLE devices on a car drive. Keep in mind that BLE has a max. range of around 100 meters (on open space) but the cheap adapter that I used had a range of 20 to 50 meters.
So first things first right? Modify my dongle.

I had the HUGE help of kripthor and we started by disassembling the device and identify where the antenna was.

We removed the connection and, after a few tries, we connected the external antenna of a old IP cam. Because the PCB was too small and the wires could break when we connect the device, we used a solder wire plastic holder (as a case) to have it all together and connected everything with chinese glue gun 🙂

This was the final result.

On the left you have a original dongle and in the right the mean mother f*cker dongle!

What I noticed… Better range and signal. I did a couple of tests using my own wearable and than my friend Paulo enters the scene to hold his watch in a open space.

Original dongle
80 meter range didn’t detect it
60 meter range -117dBm (sometimes didn’t detect it)
30 meter range -84dbm
10 meter range -76dbm

Mean mother f*cker dongle
100 meter range -92 dBm
60 meter range -84dBm
30 meter range -76dbm
10 meter range -71dbm

Now that I have a better dongle 😀 I had it to my portable configuration:

1x CSR 4.0 bluetooth adapter
1x Raspberry Pi 2 model B with a acrylic case (running Raspbian)
1x Powerbank

Devices found

Vendors that allowed connections ✓:
53x Unknown vendors
10x Samsung Electronics Co.
4x Apple
2x Polar Electro Oy
2x Samsung Electro-mechanics(thailand)
1x Texas Instruments
1x Google
1x Huawei Technologies Co

Totalling 74 devices in a 2.4km car drive across the city. On the unknown vendors I saw a couple of chinese wearables, Tiles, Bike GPS, etc:

Next step is to check popular areas, eg: running or bikes race events. That would pick lots of BLE devices.

2 responses
1 2 3 4 10