Our Lab

Our team's research has been presented at some of the most recognized security conferences, attracting a large amount of media attention.


Our staff is composed of professionals with industry experience in security consultancy, reverse engineering, exploit development, firmware vulnerability assessment and with a great passion for the analysis and improvement of new and old technologies.


Stay with us and get the latest news on upcoming publications, research projects and public tools.

Software & Firmware Security Assessment.

Whether it is a piece of hardware, new software or a service, Cubica Labs helps you identify the weak spots of your product or platform. How secure is your device? How easy would it be for an attacker or a piece of malware to compromise it? It is our mission to answer all these questions. We have the tools, the expertise and the passion to do it.

Penetration Testing. Think like the bad guys.

What would an attacker do? How could you react? Cubica Labs plays the red team on your network, exposing the shortest paths to gain control of your environment.

Vulnerability Assessment. Uncovering flaws.

We can help you identify and prioritize the risks your organization is exposed to. Cubica Labs evaluates those risks and proposes mitigations and solutions so you can take action.

Our Lab. Security Research.

Cubica Labs is an independent information security company that draws on more than 15 years of experience in security research, vulnerability assessment and cutting-edge hardware/software technology development to bring companies state-of-the-art security solutions. Our team's research has been presented at some of the most recognized security conferences, attracting a large amount of media attention:

Hack In The Box 2015 Amsterdam
Eight Ou Two Mobile

May 2015 - Amsterdam, NL

Broadcom wireless cards for mobile devices, specifically the BCM4325/29/30/34, are the most common wireless cards found in the most popular smartphones and tablets (iPhone, Samsung, Nokia and Motorola among others). Even with such an installed base, and despite being a key client component in any wireless network (at least any wifi network where mobile devices participate), not much has been said about such cards. In a previous research collaboration with Andres Blanco, we presented an approach to modify the firmware to enable monitor mode and raw 802.11 traffic injection in popular smartphones. On that occasion most of our work was performed by static firmware reverse engineering. In this talk, we will describe how to take a more dynamic approach to analysing the behaviour of firmware execution on the network card CPU.

Black Hat 2014
Computrace Backdoor Revisited

August 2014 - Las Vegas, USA

This presentation includes a live demonstration of security flaws in modern anti-theft technologies that reside in firmware and PC BIOS of most popular laptops and some desktop computers. While the general idea behind anti-theft technology is good, improper implementation can render it useless as well as harmful, or even extremely dangerous. We have found several proofs of unauthorized activations of Absolute Computrace anti-theft software on our private and corporate computers and discovered that this software can be used as an advanced removal-resistant BIOS-based backdoor. While physical security and a lack of proper code validation have already been shown in prior research presented at Black Hat 2009 by Anibal Sacco and Alfredo Ortega from Core Labs, in our research we demonstrate network security flaws. Our demo will show how to own remote hosts running Absolute Computrace. And there is a cool extra surprise for those who have already heard about Computrace network issues.

Security Analyst Summit 2014
Hijacking and wiping an entire nation

February 2014 - Punta Cana, DO


RSA Conference 2013
BlackBerry Pwnage: The BlueJay Strikes

February 2013 - San Francisco, USA

We released the information we gathered regarding the internals of a BlackBerry 6 native process. We also described which devices were still at risk of being attacked by two-year-old exploits. Unpublished aspects of a BlackBerry process were revealed. Some internal aspects, such as the syscalls of BlackBerry OS, were shown as well. On our journey to achieve code execution, a new tool arose, which was also released in this talk.

EuSecWest 2012
HTML5 Heap Sprays

September 2012 - Amsterdam, NL

Heap spraying has been widely used for nearly 10 years by exploit writers. This technique usually makes the difference between a vulnerability being massively exploited or not. However, there is a silent arms race being fought between exploit writers and the most security-conscious software vendors (browser and OS vendors, with others lagging), and the most popular heap spray techniques have lost their lethality. In this talk we released and described the details of a new heap spray technique that takes advantage of the popular, emerging HTML5 stack. This makes the technique functional on the latest versions of the most popular browsers (like Chrome, Firefox, IE9/10, Safari), not only on computers but also on smartphones, in a reliable, fast and multi-threaded fashion. In addition, we disclosed several different methods to accomplish the same goal in some other widely used applications by leveraging weaknesses in their defense-in-depth mechanisms. Finally, we were able to avoid the heap spray protections of browsers by abusing a browser-independent scheme and to take advantage of the lack of protections in other software. We demonstrated our chops principally targeting browsers but also SQL engines, media centers and network devices.

Ekoparty 2012, 2012
One Firmware To Monitor 'em All

September 2012 - Buenos Aires, AR -- October 2012 - Luxembourg

In recent years mobile device usage has become massive. These devices, in general, follow the IEEE 802.11 standard for wireless connectivity. Broadcom is one of the most important semiconductor companies in the wireless and broadband communication business. Some of their WiFi solutions (BCM4325 and BCM4329 chipsets) are included in a large part of the mobile device market, including vendors like Apple, Samsung, Motorola, Sony, Nokia, LG, Asus and HTC. In this paper we describe the process of modifying the firmware program on these cards. The presented results could open new possibilities to the information security community, such as access to baseband components without intervention of the operating system and the capability to store information within the network card's internal memory, among others. As the reader explores the present work we go through the internals of the firmware program and our reverse engineering process, and show, as a proof of concept, how to set these cards in monitor mode.

Open SecurityJam BA 2011
Apple ATSServer bug - the return of the evil charstrings

September 2011 - Buenos Aires

In this talk we described the exploitation of a vulnerability in a font format called CFF, when embedded in PDF files. The bug used was very similar to the one used by the famous "jailbreakme" exploit, but on Mac OS X Leopard.

Black Hat 2009
Deactivate the Rootkit

August 2009 - Las Vegas, USA

This is a report on our research into anti-theft technologies utilized in the PC BIOS. In particular, we have analyzed the Computrace BIOS agent and documented some design vulnerabilities that allow the agent's reporting address to be controlled. Additionally, we outline an experimental method for resetting the permanent activation/deactivation capability of the persistent agent in the BIOS to the default factory settings. We are certain that this available control of the anti-theft agent allows a highly dangerous form of BIOS-enhanced rootkit that can bypass all chipset or installation restrictions and reutilize many existing features offered in this kind of software.

SyScan 2009 - CanSecWest 2009
Persistent BIOS Infection

July 2009 - Singapore, SG -- March 2009 - Vancouver, CA

When developing rootkits, one of the biggest problems is getting the malicious code to execute every time, surviving reboots and remaining undetectable. In this talk we demonstrated how malicious code can be injected into commercial BIOS firmware. Unlike other rootkit methods, which make use of the ACPI specification, we focused our work on a generic binary implementation independent of the installed OS.

ECI 2008
Bughunting: Exploiting Web Application Vulnerabilities

July 2008 - Buenos Aires, AR

How dangerous are SQL injection and Cross Site Scripting vulnerabilities? How can you discover them? How do you exploit them? In this talk we answered these questions and showed real-life examples.

AppSec DC 2009
User Input Piercing for Cross-Site Scripting Attacks

November 2009 - Washington DC, USA

This paper presents algorithms and techniques for performing user input piercing on a web application. We also introduce a heuristic to determine whether a given cross-site scripting attack will effectively execute scripting code on the compromised browser. In addition, we presented an algorithm to detect the need for encoding techniques.

PythonDay SF 2007
Automated Security Testing

June 2007 - Santa Fe, AR

In this talk we described our work on automated attack planning for the purpose of penetration testing. This work resulted in version 3 of Core Impact's Rapid Penetration Test feature.

US Patent 8365289 - System and method for providing network penetration testing

Issued October 16, 2008

A system and method for providing network penetration testing from an end-user computer is provided. The method includes the step of determining at least one of a version of a Web browser of a target computer, contact information associated with an end-user that uses the target computer, and applications running on the target computer. The method also includes the steps of determining exploits that are associated with the running applications and that can be used to compromise the target computer, and launching the exploits to compromise the target computer. Network penetration testing may also be provided by performing the steps of determining an operating system of a target computer, selecting one of a group of modules to use in detecting services of the target computer, and detecting the services of the target computer.

HITB Lab: Hardware Security – Buses, Protocols and Oscilloscopes. A practical approach

Join @hannibals and @acid_ for another hardware hacking session to be held at the great Hack In The Box conference, on May 27. Oscilloscopes, logic analyzers, and hardware challenges are waiting for you!

Our hardware hacking training is out! @hannibals joined forces with @_topo at @ekoparty to add some electrons to your hacking.

The training sold out early at the last Ekoparty. Contact us to receive information about the private onsite version of this training.

Keep spreading the NIC firmware love on mobiles with @tutter's "Eight Ou Two Mobile" at #HITB2015AMS!

On May 29, Matias Eissler once again exposes the phone's guts by describing how to perform a more dynamic analysis of Broadcom's firmware execution on the network card CPU.

Don't miss our joint talk at Black Hat USA. It'll blow your mind.

On August 6, Cubica Labs screams at Black Hat USA! Anibal Sacco will show you how to abuse Absolute's Computrace using even more attack vectors, in this shocking joint talk with Vitaly Kamluk from Kaspersky Lab.

Contact us. Get in touch.