Josep Pi Rodriguez
Madrid y alrededores
894 seguidores
Más de 500 contactos
Acerca de
Currently focused in Hardware/Embedded hacking, reverse…
Actividad
-
We just published some cool new research! Owning a Bitcoin ATM. PS: I think I have thick fingertips haha https://lnkd.in/dmhhEfz4
We just published some cool new research! Owning a Bitcoin ATM. PS: I think I have thick fingertips haha https://lnkd.in/dmhhEfz4
Recomendado por Josep Pi Rodriguez
-
I've just published "Finding vulnerabilities in Swiss Post's e-voting system: part 3" https://lnkd.in/e4rDTbpU
I've just published "Finding vulnerabilities in Swiss Post's e-voting system: part 3" https://lnkd.in/e4rDTbpU
Recomendado por Josep Pi Rodriguez
Experiencia
Educación
-
University of learn stuff by yourself
Licencias y certificaciones
-
Vulnerability development master class Exodus intelligence (Amsterdam)
Exodus Intelligence
Expedición: -
GIAC SANS Exploit researcher and advanced penetration tester
GIAC
ID de la credencial GIAC GXPN -
Offensive Security Certified Expert (OSCE)
Offensive Security
ID de la credencial OSCE
Publicaciones
-
Defcon31 Contactless overflow: code execution over nfc in point of sales and ATMs
We conducted a research to assess the current security of NFC payment readers that are present in most of the major ATM brands, portable point of sales, gas stations, vending machines, transportation and other kind of point of sales in the US, Europe and worldwide. In particular, we found code execution vulnerabilities exploitable through NFC when handling a special application protocol data unit (APDU) that affect most NFC payment vendors. The vulnerabilities affect baremetal firmware devices…
We conducted a research to assess the current security of NFC payment readers that are present in most of the major ATM brands, portable point of sales, gas stations, vending machines, transportation and other kind of point of sales in the US, Europe and worldwide. In particular, we found code execution vulnerabilities exploitable through NFC when handling a special application protocol data unit (APDU) that affect most NFC payment vendors. The vulnerabilities affect baremetal firmware devices and Android/Linux devices as well.
After waiting more than 1 year and a half once we disclosed it to all the affected vendors, we are ready to disclose all the technical details to the public. This research was covered in the media by wired.com but without the technical details that we can share now
https://www.wired.com/story/atm-hack...point-of-sale/
Some of the affected vendors are:
IDtech - https://idtechproducts.com/
Ingenico - https://www.ingenico.com/
Verifone - https://www.verifone.com/
CPI - https://www.cranepi.com/
BBPOS - https://www.bbpos.com/
Wiseasy - https://www.wiseasy.com/
Nexgo - https://www.nexgoglobal.com/
In this presentation we will describe the vulnerabilities and also demo how the readers can be compromised, using a special Android app we created, by just tapping an Android phone to the reader. We will discuss the consequences such as financial impact in reader’s users/owners and card data stealing once the firmware is compromised. Also, we will show how to compromise the host that is connected to the reader through USB by manipulating the reader’s firmware, chaining stack buffer overflow vulnerabilities in the SDK provided by the vendor that is running in the host. -
Defcon26 Breaking Extreme Networks WingOS: How to own millions of devices running on Aircrafts, Government, Smart cities and more.
Extreme network's embedded WingOS (Originally created by Motorola) is an operating system used in several wireless devices such as access points and controllers. This OS is being used in Motorola devices, Zebra devices and Extreme network's devices. This research started focusing in an access point widely used in many Aircrafts by several worldwide airlines but ended up in something bigger in terms of devices affected as this embedded operating system is not only used in AP's for Aircrafts but…
Extreme network's embedded WingOS (Originally created by Motorola) is an operating system used in several wireless devices such as access points and controllers. This OS is being used in Motorola devices, Zebra devices and Extreme network's devices. This research started focusing in an access point widely used in many Aircrafts by several worldwide airlines but ended up in something bigger in terms of devices affected as this embedded operating system is not only used in AP's for Aircrafts but also in Healthcare, Government, Transportation, Smart cities, small to big enterprises... and more.
Based on public information, we will see how vulnerable devices are actively used (outdoors) in big cities around the world. But also in Universities, Hotels,Casinos, Big companies, Mines, Hospitals and provides the Wi-Fi access for places such as the New york City Subway.
In this presentation we will show with technical details how several critical vulnerabilities were found in this embedded OS. First we will introduce some internals and details about the OS and then we will show the techniques used to reverse engineering the mipsN32 ABI code for the Cavium Octeon processor. It will be discussed how some code was emulated to detect how a dynamic password is generated with a cryptographic algorithm for a root shell backdoor. Besides, it will be shown how some protocols used by some services were reverse engineered to find unauthenticated heap and stack overflow vulnerabilities that could be exploitable trough Wireless or Ethernet connection.
Idiomas
-
Inglés
Competencia profesional completa
Más actividad de Josep
-
In mid January I'll be visiting Brussels and Vienna. For any research/work related hint/discussion feel free to hit me up. In Belgium I'll be…
In mid January I'll be visiting Brussels and Vienna. For any research/work related hint/discussion feel free to hit me up. In Belgium I'll be…
Recomendado por Josep Pi Rodriguez
-
Here is the YouTube video of my defcon31 talk. Hacking point of sales and ATMs over NFC. Already 63.000 views! https://lnkd.in/ekA-t3Ys
Here is the YouTube video of my defcon31 talk. Hacking point of sales and ATMs over NFC. Already 63.000 views! https://lnkd.in/ekA-t3Ys
Publicado por Josep Pi Rodriguez
-
🔐 Exciting News! Join us this Thursday for HACK::SOHO, our monthly cybersecurity event at our London, UK office! 🌐💼 🔒 This month, we're thrilled…
🔐 Exciting News! Join us this Thursday for HACK::SOHO, our monthly cybersecurity event at our London, UK office! 🌐💼 🔒 This month, we're thrilled…
Recomendado por Josep Pi Rodriguez
-
It is always nice to catch up with friends and colleagues in defcon. I had the pleasure to present again at defcon this year and as always , it was…
It is always nice to catch up with friends and colleagues in defcon. I had the pleasure to present again at defcon this year and as always , it was…
Compartido por Josep Pi Rodriguez
-
Join us for the next hack::soho at our London office on 31st August. As always, we'll have a great presenter and an informative talk. Our next…
Join us for the next hack::soho at our London office on 31st August. As always, we'll have a great presenter and an informative talk. Our next…
Recomendado por Josep Pi Rodriguez
-
I've just published the paper "Seeing Through the Invisible: Radiation Spikes Detected in Chernobyl During the Russian Invasion Show Possible…
I've just published the paper "Seeing Through the Invisible: Radiation Spikes Detected in Chernobyl During the Russian Invasion Show Possible…
Recomendado por Josep Pi Rodriguez
-
IOActive Principal Security Consultant Joesp Pi Rodriguez has a presentation at this year's DEFCON 31 in Las Vegas. "Contactless Overflow: Code…
IOActive Principal Security Consultant Joesp Pi Rodriguez has a presentation at this year's DEFCON 31 in Las Vegas. "Contactless Overflow: Code…
Recomendado por Josep Pi Rodriguez