Skip to main content

Posts

Showing posts from 2023

Some thoughts on e-Voting vulnerabilities.

I'm a little bit surprised about today's Schneier blog post " Security Vulnerability of Switzerland’s E-Voting System "  Just to add some context before continuing:  I've been researching into that specific e-Voting system since 2022.  I've reported quite a few vulnerabilities (I hold the  1st place  in the 'SwissPost e-Voting' Bug Bounty program), also publishing detailed  write-ups  for  some  of these security issues. Even today I got some really bad vulnerabilities still being reviewed. I understand, and support, all the precautions about e-Voting technologies security people usually express. That said, I can't understand the commonplace assertions that depict e-Voting as an unsolvable problem in general terms, which would irremediably leave us with just the 'paper' option.  However, the worst part is that the issue described in that article, that apparently sustains the subsequent reasoning, is not even a vulnerability but a malwar...

Reversing 'France Identité': the new French digital ID.

  -------------- Update from 06/10/2023 : following my publication, I’ve been in contact with France Identité CISO and they could provide more information on the measures they have taken in the light of these findings: We would like to thank you for your in-depth technical research work on “France Identite” app that was launched in beta a year ago and for which you were rewarded. As you know, the app is now generally available on iOS and Android through their respective app stores. Your work, alongside French cybersecurity agency (ANSSI) research, made us update and modify deeply the E2EE Secure Channel used between the app and our backend. It is now mostly based on TLS1.3. Those modifications were released only a few weeks after you submitted your work through our private BugBounty program with YesWeHack. That released version also fixes the three other vulnerabilities you submitted. From the beginning of “France Identite” program, it was decided to implicate cybersecurity communi...

"Seeing Through the Invisible" - research materials

  Seeing Through the Invisible: Radiation Spikes Detected in Chernobyl During the Russian Invasion Show Possible Evidence of Fabrication After many months of intense research, I'm finally releasing the paper that contains full technical details and collected evidence. I presented this research at BlackHat USA 2023  a few days ago. Kim Zetter published on Wired a fascinating story about this research. She also wrote a piece on her Substack that brings additional details. I really appreciate the interest this research has generated among different people, also outside the security world. Hopefully, some day we will eventually see an official investigation into these events, which is what everyone is asking for. Paper (PDF)  https://drive.google.com/file/d/1Sxg7Do9DVs6xquv-j8gBUgN4RUZkMG2N/view?usp=sharing   SHA256 c143a35f7f6c43a80b21883dabe2e96edc1a724ac1b8c1061c1e318abd0dda38 (Preview is not possible due to the size of the file) Web Version https://www.reversemode....

Losing control over Schneider's EcoStruxure Control Expert

  During Q2 2022, in view of the geopolitical situation that unfolded after the Russian invasion of Ukraine, I decided that it wouldn't do any harm to kill some bugs in some of the main players within the ICS arena. I focused in those software frameworks that are running on the engineering workstations so, if compromised, attackers would be in a privileged position to manipulate controllers logic, thus enabling sophisticated attacks with a potential physical impact (i.e triton). I responsibly reported a bunch a unauthenticated remotely exploitable bugs to the corresponding vendors. In one case, after being ignored for months, I had to resort to the 'twitter, do your magic' approach and tweeted that I would be disclosing the issues if the situation persisted. It took just few hours for the vendor to get back to me. The positive side is that they found the bugs interesting and all that mess ended up in paid work.   This blog post covers a similar scenario in a different ven...