Reverse Engineering the OBi200 Google Voice Appliance: Part 2

In part 1 of this post, I wrote about analyzing the firmware of the OBi200 and getting a root shell leveraging an existing RCE vuln. In this post, I’ll cover the process of identifying the serial port pins and connecting them to get console access to the device. Protocol Recall the serial interface listening at …

Reverse Engineering the OBi200 Google Voice Appliance: Part 1

The OBi200 by Obihai is a VoIP gateway for home/SOHO that integrates with Google Voice. It supports most standard VoIP features out of the box and can integrate with virtually any “bring your own device” SIP service. I purchased one earlier this year to act as a landline in my home (without monthly fees) and …

Bright City: A Highly Insecure Police and Municipal Government App

Earlier this year I received a Nextdoor message from my County Police Department announcing a “Property LockBox App” they’d released (purchased) for citizens. There was no previous communication regarding this app that I could find, so I was interested in learning more about it. As the app description states, Bright City is “[a] 2-way, dedicated mobile application for cities …

XSS over SMS: Hacking Text Messages in Verizon Messages

Verizon Messages (Message+) is a group of software clients available for mobile, desktop, and web aimed at enhancing/unifying the VZW text messaging experience across multiple devices. While it has a few additional features outside of SMS, I was most interested in activating it for its web app client when at a desktop/laptop. After I installed the Android app and …

Rave Panic Button: Vulnerabilities in a Nationwide Emergency Alert System

A few months ago an article in the local news covering the launch of the Rave Panic Button caught my attention. I hadn’t heard of it before but the idea seemed interesting: efficiently coordinate emergency 9-1-1 notifications across multiple involved parties, i.e. emergency dispatch, on-site employees, and first responders. The system can also share important data about an affected location such as floor plans, emergency contacts, and even surveillance …

Persistent XSS in Verizon’s Webmail Client

I’ve previously written about a server-side vulnerability in Verizon’s webmail client, but I thought it was also worth covering a couple of interesting client-side vulns I discovered that would’ve allowed an attacker to compromise a victim’s entire email account. I started by attempting to identify the allowed HTML elements/attributes in the webmail client. Although there’s probably a better way to …

Why I Helped Draft State-Level Vulnerability Disclosure Legislation (Delaware SB 283)

The adoption of bug bounty programs, or vulnerability disclosure programs, has increased rapidly over the past few years, even extending to industries outside of the technology sector — United Airlines, GM, and the Pentagon are great examples. From enormous organizations like Google and Facebook, to small startups with a handful of employees, companies of all sizes seem to be …

Critical Vulnerability Compromising Verizon Email Accounts (Again)

I have worked with Verizon numerous times in the past while reporting serious security vulnerabilities, including a critical vulnerability in their MyFiOS app’s API that exposed the email accounts of all users. While I was recently researching the Verizon webmail portal, I discovered multiple vulnerabilities of varying severities — some of which I will likely write about in the …

Widespread Vulnerable Ads Part Two: Flash Edition (Facebook’s LiveRail, Akamai, Adobe products affected)

Shortly after my recent blog post concerning widespread XSS in ad network code, I discovered similar vulnerabilities in Flash video ads (and other Flash products/components), resulting in a substantial industry-wide mitigation of XSS in Flash-to-JavaScript communication. Perhaps most interestingly, these vulnerabilities presented risks similar to my previous findings except that, in most cases, Ad-Block solutions employed by the …

Compliance Strikes Again: Multiple Vulnerabilities in Worldpay’s Merchant Portal

I had almost forgotten about my experience with Worldpay’s Merchant Portal from just over a year ago, but my recent post regarding another payment processor helped to refresh my memory. I occasionally help one of my family members’ small business with almost anything technology-related, including their e-commerce solution. In this case, I was helping them switch their payment gateway …