Josep Pi Rodriguez
Greater Madrid Metropolitan Area
892 followers
500+ connections
About
Currently focused in Hardware/Embedded hacking, reverse…
Activity
-
We just published some cool new research! Owning a Bitcoin ATM. PS: I think I have thick fingertips haha https://lnkd.in/dmhhEfz4
We just published some cool new research! Owning a Bitcoin ATM. PS: I think I have thick fingertips haha https://lnkd.in/dmhhEfz4
Shared by Josep Pi Rodriguez
-
We just published some cool new research! Owning a Bitcoin ATM. PS: I think I have thick fingertips haha https://lnkd.in/dmhhEfz4
We just published some cool new research! Owning a Bitcoin ATM. PS: I think I have thick fingertips haha https://lnkd.in/dmhhEfz4
Liked by Josep Pi Rodriguez
-
I've just published "Finding vulnerabilities in Swiss Post's e-voting system: part 3" https://lnkd.in/e4rDTbpU
I've just published "Finding vulnerabilities in Swiss Post's e-voting system: part 3" https://lnkd.in/e4rDTbpU
Liked by Josep Pi Rodriguez
Experience
Education
-
-
Licenses & Certifications
-
Vulnerability development master class Exodus intelligence (Amsterdam)
Exodus Intelligence
-
GIAC SANS Exploit researcher and advanced penetration tester
GIAC
-
Offensive Security Certified Expert (OSCE)
Offensive Security
Publications
-
Defcon31 Contactless overflow: code execution over nfc in point of sales and ATMs
We conducted a research to assess the current security of NFC payment readers that are present in most of the major ATM brands, portable point of sales, gas stations, vending machines, transportation and other kind of point of sales in the US, Europe and worldwide. In particular, we found code execution vulnerabilities exploitable through NFC when handling a special application protocol data unit (APDU) that affect most NFC payment vendors. The vulnerabilities affect baremetal firmware devices…
We conducted a research to assess the current security of NFC payment readers that are present in most of the major ATM brands, portable point of sales, gas stations, vending machines, transportation and other kind of point of sales in the US, Europe and worldwide. In particular, we found code execution vulnerabilities exploitable through NFC when handling a special application protocol data unit (APDU) that affect most NFC payment vendors. The vulnerabilities affect baremetal firmware devices and Android/Linux devices as well.
After waiting more than 1 year and a half once we disclosed it to all the affected vendors, we are ready to disclose all the technical details to the public. This research was covered in the media by wired.com but without the technical details that we can share now
https://www.wired.com/story/atm-hack...point-of-sale/
Some of the affected vendors are:
IDtech - https://idtechproducts.com/
Ingenico - https://www.ingenico.com/
Verifone - https://www.verifone.com/
CPI - https://www.cranepi.com/
BBPOS - https://www.bbpos.com/
Wiseasy - https://www.wiseasy.com/
Nexgo - https://www.nexgoglobal.com/
In this presentation we will describe the vulnerabilities and also demo how the readers can be compromised, using a special Android app we created, by just tapping an Android phone to the reader. We will discuss the consequences such as financial impact in reader’s users/owners and card data stealing once the firmware is compromised. Also, we will show how to compromise the host that is connected to the reader through USB by manipulating the reader’s firmware, chaining stack buffer overflow vulnerabilities in the SDK provided by the vendor that is running in the host. -
Defcon26 Breaking Extreme Networks WingOS: How to own millions of devices running on Aircrafts, Government, Smart cities and more.
Extreme network's embedded WingOS (Originally created by Motorola) is an operating system used in several wireless devices such as access points and controllers. This OS is being used in Motorola devices, Zebra devices and Extreme network's devices. This research started focusing in an access point widely used in many Aircrafts by several worldwide airlines but ended up in something bigger in terms of devices affected as this embedded operating system is not only used in AP's for Aircrafts but…
Extreme network's embedded WingOS (Originally created by Motorola) is an operating system used in several wireless devices such as access points and controllers. This OS is being used in Motorola devices, Zebra devices and Extreme network's devices. This research started focusing in an access point widely used in many Aircrafts by several worldwide airlines but ended up in something bigger in terms of devices affected as this embedded operating system is not only used in AP's for Aircrafts but also in Healthcare, Government, Transportation, Smart cities, small to big enterprises... and more.
Based on public information, we will see how vulnerable devices are actively used (outdoors) in big cities around the world. But also in Universities, Hotels,Casinos, Big companies, Mines, Hospitals and provides the Wi-Fi access for places such as the New york City Subway.
In this presentation we will show with technical details how several critical vulnerabilities were found in this embedded OS. First we will introduce some internals and details about the OS and then we will show the techniques used to reverse engineering the mipsN32 ABI code for the Cavium Octeon processor. It will be discussed how some code was emulated to detect how a dynamic password is generated with a cryptographic algorithm for a root shell backdoor. Besides, it will be shown how some protocols used by some services were reverse engineered to find unauthenticated heap and stack overflow vulnerabilities that could be exploitable trough Wireless or Ethernet connection.
Languages
-
Inglés
Full professional proficiency
More activity by Josep
In mid January I'll be visiting Brussels and Vienna. For any research/work related hint/discussion feel free to hit me up. In Belgium I'll be…
Liked by Josep Pi Rodriguez
Here is the YouTube video of my defcon31 talk. Hacking point of sales and ATMs over NFC. Already 63.000 views! https://lnkd.in/ekA-t3Ys
Posted by Josep Pi Rodriguez
I'm very happy and proud to share that #IOActive has launched its new Silicon Security Services product line, and is featured on our homepage:…
Shared by Josep Pi Rodriguez
🔐 Exciting News! Join us this Thursday for HACK::SOHO, our monthly cybersecurity event at our London, UK office! 🌐💼 🔒 This month, we're thrilled…
Liked by Josep Pi Rodriguez
🔐 Exciting News! Join us this Thursday for HACK::SOHO, our monthly cybersecurity event at our London, UK office! 🌐💼 🔒 This month, we're thrilled…
Shared by Josep Pi Rodriguez
Join us for the next hack::soho at our London office on 31st August. IOActive Principal Security Consultant Josep Pi Rodriguez will present a…
Shared by Josep Pi Rodriguez
Join us for the next hack::soho at our London office on 31st August. As always, we'll have a great presenter and an informative talk. Our next…
Liked by Josep Pi Rodriguez
I've just published the paper "Seeing Through the Invisible: Radiation Spikes Detected in Chernobyl During the Russian Invasion Show Possible…
Liked by Josep Pi Rodriguez
IOActive Principal Security Consultant Joesp Pi Rodriguez has a presentation at this year's DEFCON 31 in Las Vegas. "Contactless Overflow: Code…
Liked by Josep Pi Rodriguez
IOActive Principal Security Consultant Joesp Pi Rodriguez has a presentation at this year's DEFCON 31 in Las Vegas. "Contactless Overflow: Code…
Shared by Josep Pi Rodriguez
People also viewed
Explore collaborative articles
We’re unlocking community knowledge in a new way. Experts add insights directly into each article, started with the help of AI.
Explore More