Sometime in the first half of 2018 there was an explosion of “Dockless e-scooters” appearing all over the Bay Area. These devices are electric scooters that anyone can rent for a one-way trip and find/leave them (at the time) anywhere you want. As one could guess this led to lots of issues but they where convenient and I wanted one of my own so I did a little research onto how to acquire one for private use. ...

M365 Toolbox demonstrates a security vulnerability in the Xiaomi M365 electric scooter’s communication protocol. The Java application exploits weaknesses in the scooter’s Bluetooth Low Energy (BLE) authentication mechanism to bypass security controls and execute unauthorized commands. The proof-of-concept tool reveals how the scooter’s authentication can be circumvented through protocol manipulation, allowing remote control access without proper authorization. This research highlighted critical security flaws in IoT device communication protocols commonly found in consumer transportation devices.

A Go library and SOCKS5 proxy server that enables egress traffic from multiple IP addresses within a subnet. Stargate randomly distributes network connections across different IP addresses to avoid rate-limiting and provide load balancing across available IP ranges. The tool works best with subnets directly routed to the host and is particularly powerful for IPv6 subnet utilization. It supports both TCP CONNECT and UDP ASSOCIATE protocols and provides both a standalone proxy tool and a Go library for programmatic random IP networking. Requires specific network routing configuration and primarily supports Linux and FreeBSD platforms due to freebind networking capabilities.

Binary Analog Watch Face is an Android Wear watch face that combines analog time display with binary representation. The watch face uses binary digits to form the hour and minute hands, creating a unique visualization where time is displayed both analogically and in binary format. The watch face features Material Design aesthetics with customizable color themes and optional center complications. The implementation renders traditional analog clock hands using sequences of binary digits, inspired by Anthony Liekens’s Analog Binary Wall Clock concept.

This is the blog version of my DEFCON 26 talk Lost and Found Certificates: dealing with residual certificates for pre-owned domains, which I co-presented with Dylan Ayrey. You can learn more about BygoneSSL and see a demo at insecure.design. The Problem A Certificate can outlive the ownership of a domain. If the domain is then re-registered by someone else, this leaves with the first owner with a valid SSL certificate for the domain now owned by someone else. ...

CZDS is a Go library and CLI tool for interacting with ICANN’s Centralized Zone Data Service API. It handles authentication, zone file downloads, request submissions, and status monitoring for accessing top-level domain zone data. The implementation supports parallel downloads, request management, and provides both library interfaces for Go applications and standalone command-line functionality. The tool automates the process of requesting and retrieving DNS zone files from ICANN’s centralized service.

Certgraph is a tool I’ve been developing to scan and graph the network of SSL certificate alternative names. It can be used to find other domains that belong to an organization that may be several orders removed and not always obvious. Background The idea for this project came about after examining the SSL certificate for XKCD.com. If you look closely at the screenshot below you will see that the SSL certificate used on XKCD.com is also valid for many of domains which have no relationship to XKCD or Randall Munroe. ...

On most unrooted, stock, Android phones, enabling tethering will run a “Provisioning Check” with your wireless provider to ensure that your data plan allows tethering. This post documents Tethr, a way to bypass the provisioning check on Android devices prior to version 7.1.2. After discovering this method I reported it to the Android bug bounty fixing the issue and receiving CVE-2017-0554. Background The ability to tether is controlled by your device’s build.prop file, usually located at /system/build.prop. The default is to require the provisioning check before enabling tethering, but it can by bypassed by adding the following line: ...

Tethr is an Android application that demonstrates CVE-2017-0554, a vulnerability that allows bypassing carrier tethering provisioning checks on unrooted devices. The proof-of-concept app exploits system property manipulation to enable mobile hotspot functionality without carrier approval. The vulnerability affects Android versions prior to 7.1.2 by allowing modification of tethering-related system properties through reflection and system service manipulation. This research was conducted to highlight security weaknesses in Android’s tethering permission model.

For those of you not in the know, ambergris is defined as: a wax-like substance that originates as a secretion in the intestines of the sperm whale, found floating in tropical seas and used in perfume manufacture. However, that will not be what this post is about (sorry to disappoint). Instead, I’ll present what happens when building an image on Docker that contains a reverse shell in the Dockerfile. ...