PentHertz blog

Articles, notes and feedback from our hardware and radio communication experiments.

Mobile IoT modules vulnerable to FOTA updates backdooring at scale

Embedded (E)GPRS/EDGE, 3G, 4G, and 5G modules are commonly used for many purposes, including connected devices such as intercoms, alarms, automotive ECUs, In-Vehicle Infotainment (IVI) systems, rental cars' unlocking boxes (e.g. the Getaround Connect unlocking system, which uses Bluetooth LE but also a backup mobile connection), etc. During the lockdown, PentHertz accidentally found vulnerabilities in the device management process of some modules that could allow an attacker to backdoor the FOTA updates of modules remotely and at scale. This quick blog post introduces mobile modules, the FOTA attack vector, and the different vulnerability classes that could be found to target several modules from different vendors. Considering the risks of these threats, we also encourage all mobile module vendors we did not get the chance to reach to contact us at mobilethreats@penthertz.com, so that we can check their modules and the security of the device management process they use, and help them fix identified or new vulnerabilities.


TEACHertz - A new service infrastructure for high-quality online hardware trainings

The beginning of this year is particularly tough for everyone, socially and economically. As a consequence, many habits changed, and businesses moved to a format we are now more familiar with, known as remote work. Of course, many people consider this format to be a degraded one for courses, and it will probably never replace the experience of in-person trainings. But this crisis makes us think about existing solutions and new ways to improve them in order to fit everyone's needs as much as possible. This is why PentHertz also evolved in that direction to respond to its customers, by testing and then building various platforms for teaching and consulting, even for the radiocommunications and hardware areas that normally require a physical presence. In this small post, we will show the directions taken by PentHertz to provide not only high-quality but also very interactive remote trainings. Moreover, we will also introduce the TEACHertz infrastructure, through which every professional can benefit from our services to provide their own high-quality trainings, in software as well as in hardware.


An introduction to mobile network mobile intrusion from a mobile phone

With the introduction of the packet service, mobile user equipment (UE) can use the IP communication protocol. Without the right routing and filtering of UE communications, some sensitive assets on the operator's infrastructure could be exposed, such as core network services. Mobile operators are generally aware of this kind of attack vector and apply the right mechanisms to avoid any risk from the subscriber context. Nevertheless, those mechanisms differ from one operator to another, and their effectiveness varies. Research in mobile networks is evolving a lot with the development of SDR (Software-Defined Radio) as well as SDN (Software-Defined Networking), which introduce new kinds of architectures. These new architectures are mostly cloud-based systems and also include new features that need time to be fully understood and to mature from a deployment perspective. In addition, with the research progress on SDR-based 4G and 5G-NR NSA networks, new services have also appeared for use inside organizations, such as private mobile networks, but all security procedures and mechanisms are then provided only by the organization itself. This post is an overview of previous assessments of commercial and public private GPRS and LTE mobile network solutions, as well as 5G-NR NSA setups.


Testing LoRa with SDR and some handy tools

When assessing the security of LoRa devices, as with any other RF technology, we have to deal with unknown radio parameters, but also with data/payloads we need to understand to complete our mission. Understanding these parameters and data may help to find interesting issues to exploit (clear-text communication, weak keys, protocol stack vulnerabilities). In this post, we will briefly present LoRa and its different security modes, and then focus on RF techniques to detect, demodulate and decode LoRa signals. Additionally, we will introduce some scripts we have made to decode and generate LoRa PHY and MAC payloads, brute-force keys and, finally, fuzz some protocol stacks.
