Cubica Labs is an independent information security company that brings more than 15 years of experience in security research, vulnerability assessment and cutting-edge hardware/software technology development to deliver state-of-the-art security solutions to companies. Our team's research has been presented at some of the most recognized security conferences, attracting a large amount of media attention:
Hack In The Box 2015 Amsterdam
Eight Ou Two Mobile
May 2015 - Amsterdam, NL
Broadcom wireless cards for mobile devices, specifically the BCM4325/29/30/34, are the most common wireless cards found in the most popular smartphones and tablets (iPhone, Samsung, Nokia and Motorola among others). Even with such an installed base, and despite being a key client component in any wireless network (at least any Wi-Fi network where mobile devices participate), not much has been said about these cards.
In a previous research collaboration with Andres Blanco, we presented an approach to modifying the firmware to enable monitor mode and raw 802.11 traffic injection on popular smartphones. On that occasion most of our work was performed by static firmware reverse engineering. In this talk, we describe a more dynamic approach to analysing the behaviour of the firmware as it executes on the network card's CPU.
Black Hat 2014
Computrace Backdoor Revisited
August 2014 Las Vegas, USA
This presentation includes a live demonstration of security flaws in modern anti-theft technologies that reside in firmware and PC BIOS of most popular laptops and some desktop computers. While the general idea behind anti-theft technology is good, improper implementation can render it useless as well as harmful, or even extremely dangerous. We have found several proofs of unauthorized activations of Absolute Computrace anti-theft software on our private and corporate computers and discovered that this software can be used as an advanced removal-resistant BIOS-based backdoor.
While physical security weaknesses and a lack of proper code validation had already been shown in prior research presented at Black Hat 2009 by Anibal Sacco and Alfredo Ortega from Core Labs, in this research we demonstrate network security flaws. Our demo shows how remote hosts running Absolute Computrace can be taken over. And there is a cool extra surprise for those who have already heard about Computrace network issues.
Security Analyst Summit 2014
Hijacking and wiping an entire nation
February 2014 - Punta Cana, DO
RSA Conference 2013
BlackBerry Pwnage: The BlueJay Strikes
February 2013 - San Francisco, USA
We released the information we gathered regarding the internals of a BlackBerry 6 native process. We also described which devices were still at risk of being attacked by two-year-old exploits. Unpublished aspects of a BlackBerry process were revealed, and some internal aspects of BlackBerry OS, such as its syscalls, were shown as well. On our journey to achieve code execution, a new tool arose, which was also released in this talk.
HTML5 Heap Sprays
September 2012 Amsterdam, NL
Heap spraying has been widely used for nearly 10 years by exploit writers. This technique usually makes the difference between a vulnerability being massively exploited or not. However, there is a silent arms race being fought between exploit writers and the most security-conscious software vendors (browser and OS vendors, with others lagging), and the most popular heap spray techniques have lost their lethality.
In this talk we released and described the details of a new heap spray technique that takes advantage of the (so popular) emerging HTML5 stack. This makes the technique functional on the latest versions of the most popular browsers (such as Chrome, Firefox, IE9/10 and Safari), not only on computers but also on smartphones, in a reliable, fast and multi-threaded fashion. In addition, we disclosed several different methods to accomplish the same goal on other widely used applications by leveraging weaknesses in their defense-in-depth mechanisms. Finally, we showed how browsers' heap spray protections can be avoided by abusing a browser-independent scheme, and how the lack of protections on other software can be taken advantage of. We demonstrated our chops principally targeting browsers, but also SQL engines, media centers and network devices.
Ekoparty 2012, Hack.lu 2012 - One Firmware To Monitor 'em All
September 2012 - Buenos Aires, AR -- October 2012 - Luxembourg
In recent years mobile device usage has become massive. These devices, in general, follow the IEEE 802.11 standard for wireless connectivity. Broadcom is one of the most important semiconductor companies in the wireless and broadband communication business. Some of their WiFi solutions (the BCM4325 and BCM4329 chipsets) are included in a great part of the mobile device market, including vendors like Apple, Samsung, Motorola, Sony, Nokia, LG, Asus and HTC. In this paper we describe the process of modifying the firmware program on these cards. The presented results could open new possibilities for the information security community, such as access to baseband components without intervention of the operating system and the capability to store information within the network card's internal memory, among others. As the reader explores the present work, we go through the internals of the firmware program and our reverse engineering process, and show, as a proof of concept, how to set these cards in monitor mode.
Open SecurityJam BA 2011
Apple ATSServer bug - the return of the evil charstrings
September 2011 - Buenos Aires
In this talk we described the exploitation of a vulnerability in a font format called CFF, when embedded in PDF files. The bug used was very similar to the one used by the famous "jailbreakme" exploit, but on Mac OS X Leopard.
Black Hat 2009
Deactivate the Rootkit
August 2009 Las Vegas, USA
This is a report on our research into anti-theft technologies utilized in the PC BIOS. In particular, we have analyzed the Computrace BIOS agent and documented some design vulnerabilities that allow the agent's reporting address to be controlled. Additionally, we outline an experimental method for resetting the permanent activation/deactivation capability of the persistent agent in the BIOS to the default factory settings. We are certain that this available control of the anti-theft agent allows a highly dangerous form of BIOS-enhanced rootkit that can bypass all chipset or installation restrictions and reuse many of the existing features of this kind of software.
SyScan 2009 - CanSecWest 2009
Persistent BIOS Infection
July 2009 - Singapore, SG -- March 2009, Vancouver, CA
When developing rootkits, one of the biggest problems is getting the malicious code executed every time, surviving reboots and remaining undetectable. In this talk we demonstrated how malicious code can be injected into commercial BIOS firmware. Unlike other rootkit methods which make use of the ACPI specification, we have focused our work on a generic binary implementation independent of the installed OS.
Bughunting: Exploiting Web Application Vulnerabilities
July 2008 - Buenos Aires, AR
How dangerous are SQL injection and Cross-Site Scripting vulnerabilities? How can you discover them? How do you exploit them? In this talk we answered these questions and showed real-life examples.
AppSec DC 2009
User Input Piercing for Cross-Site Scripting Attacks
November 2009 - Washington DC, USA
This paper presents algorithms and techniques for performing user input piercing on a web application. We also introduce a heuristic to determine whether a given cross-site scripting attack will effectively execute scripting code on the compromised browser. In addition, an algorithm to detect the need for encoding techniques was presented.
PythonDay SF 2007
Automated Security Testing
June 2007 - Santa Fe, AR
In this talk we described our work on automated attack planning for the purpose of penetration testing. This work resulted in version 3 of Core Impact's Rapid Penetration Test feature.
US Patent 8365289 - System and method for providing network penetration testing
Issued October 16, 2008
A system and method for providing network penetration testing from an end-user computer is provided. The method includes the step of determining at least one of: a version of a Web browser on a target computer, contact information associated with an end-user that uses the target computer, and applications running on the target computer. The method also includes the steps of determining exploits that are associated with the running applications and that can be used to compromise the target computer, and launching the exploits to compromise the target computer. Network penetration testing may also be provided by performing the steps of determining the operating system of a target computer, selecting one of a group of modules to use in detecting services of the target computer, and detecting the services of the target computer.