When conducting pentests of Bluetooth devices or whilst working on Bluetooth-related research, we often use Bumble. In this blog post, I will present a solution to capture a live stream of Bumble Bluetooth traffic in Wireshark.
We regularly offer a GCP Incident Response and Analysis training. In this training, together with our trainees, we analyze resources in GCP that were successfully compromised by attackers, e.g., GCE instances and Cloud Build projects. Therefore, we need tooling that quickly detects misconfigurations of resources that helped the attacker during the compromise. During the analysis of different tools and different kinds of misconfiguration, we realized that GCE instance access scopes are a blind spot of many (in fact, all that we tested) security audit tools. In this blog post, we want to elaborate on the problems that arise from this behavior.
About six months ago we released a security advisory on this blog about vulnerabilities in Airoha-based Bluetooth headphones and earbuds. Back then, we didn’t release all technical details to give vendors more time to release updates and users time to patch their devices. Around the time of the initial partial disclosure in the beginning of June, Airoha put out an SDK release for their customers that mitigates the vulnerabilities. Now, half a year later, we finally want to publish the technical details and release a tool for researchers and users to continue researching and check whether their devices are vulnerable.
This blog post is about CVE-2025-20700, CVE-2025-20701, and CVE-2025-20702.
Alongside this blog post, we also released a white paper. It contains some more technical details, as well as information on how to check whether your device might be affected.
Windows Hello for Business is a key component of Microsoft’s passwordless authentication strategy. It enables user authentication not only during system sign-in but also in conjunction with new and advanced features such as Personal Data Encryption, Administrator Protection, and Recall. Rather than depending on traditional passwords, Windows Hello leverages a PIN or biometric methods – such as fingerprint or facial recognition – to unlock cryptographic keys protected by the Trusted Platform Module (TPM).
During our recent research, we experimented with different Bluetooth USB dongles. There are tons of options, and sometimes, it’s challenging to determine what chipset a dongle actually contains, what Bluetooth features it supports, and whether it works on Linux. Inspired by the recent ESP32 Bluetooth research, we wondered whether we could turn our Raspberry Pi Pico Ws into a functioning Bluetooth dongle. We had a few lying around, and the advantage here is that we know exactly which Bluetooth controller it uses – the Infineon CYW43439. It’s also very easy to get one. You can just buy the Pico W for a few bucks, even cheaper than some Bluetooth dongles. You also have a controller family that has been researched quite a bit in the internalblue project. However, there was one disadvantage. We did not find any code that exposes the CYW43439’s HCI interface via USB. So we had to write that on our own.
Recently, one of our customers contacted us to investigate the extent of some unwanted and unexpected behavior regarding browsing data of employees.
Employees started contacting IT support because private browser bookmarks, private login credentials etc. showed up on their work machines. All affected employees stated that they never created these bookmarks on work systems. And interestingly, the data seemed to have been collected over quite some time.
Our customer wanted to understand how private data ended up in their environment. Obviously, private employee data in the enterprise landscape could cause some data privacy trouble (GDPR).
Our customer suspected that Microsoft Teams might be related to this because the company’s employees are allowed to join Teams meetings from private devices. Since this option was often used in many companies during COVID-related work-from-home times, we suspect that a larger number of enterprises may be affected by this problem.
In a recent incident response project, we had the chance to virtually look over the attackers’ shoulder and observe their activities. The attackers used the Remote Desktop Protocol (RDP) for lateral movement within the compromised environment and beyond (MITRE techniques T1570, T1021). As a matter of fact, RDP creates cache files that contain tiles of the transferred screen recording data. While this fact is well-known and there are existing tools, we found it worth reporting because of two different aspects:
On the one hand, we want to raise awareness for this valuable piece of evidence, explain how it works, how tooling works and how it can be used. In this particular case, the analysis of those cache files yielded valuable insights into the attackers’ activity and allowed further measures.
On the other hand, we found it exciting to look over the attacker’s shoulder, see the desktop as they saw it, and the commands they typed. We want to share parts of those insights as far as we are able to show them publicly.
Auracast, the new Bluetooth LE Broadcast Audio feature, has gained some publicity in the past months. The Bluetooth SIG introduced the LE Audio feature set to the Bluetooth 5.2 Specification in 2019, and vendors are only now starting to implement it. Auracast facilitates broadcasting audio over Bluetooth LE to a potentially unlimited number of devices. It does not require pairing or interaction between the sender and the receivers.
We also presented this topic at 38c3. This blog post will contain similar contents albeit with some more details.
During a recent Red Teaming engagement, Marius Walter from ERNW found a command injection issue in Progress (Kemp) LoadMaster. It was registered as CVE-2024-7591 and has a CVSS score of 10.0.
The vendor already has patches out; make sure to apply them, as this is a high-severity issue. You can find the official announcement and the patch references on the official support page.
Marius will follow up with a technical blog post on this issue once we think everybody has had a realistic chance of applying the patches.
This article is about the massive BSOD triggered by CrowdStrike worldwide on July 19. Analysis and information from CrowdStrike or other sources are regularly published, complementing what is expressed here. Updates may also be provided in the future.