Pen Test Partners

432 posts

@PenTestPartners

Pen Test Partners / PTP provides cyber security services to a huge variety of industries and organisations.

Joined September 2010
465 Following · 8.6K Followers
Pen Test Partners@PenTestPartners·
Ghidra is free, extensible, and helpful for reverse engineering firmware, but its learning curve is steep... In this blog post, Adam Bromiley (@OPSEC_failed) shares tips and tricks that make firmware reversing less painful, from finding the load address and interrupt vector table, through to defining a proper memory map and making better use of strings, scripts, LLMs, and more. It's a guide built from real research projects and a lot of hours spent in front of Ghidra’s UI. 📌Read here: pentestpartners.com/security-blog/… #ReverseEngineering #FirmwareSecurity #Ghidra #HardwareHacking #CyberSecurity
Pen Test Partners@PenTestPartners·
Some blog posts refuse to die. This is one of them. Back in May 2014, we published a guide on breaking out of Citrix and other restricted desktop environments. People have kept finding it, using it, and sending it around. So our Kieran Larking updated it with the newer breakout paths we see on modern Windows 10 and Windows 11 builds. Some old tricks no longer work. Others still do, just through different doors. The updated post pulls the techniques into one place and focuses on how people actually get out today. Bluetooth file transfer is one example of a newer angle that can matter on a physical endpoint. Dialog boxes and file pickers still get you to places they should not. From there, the practical pivots tend to be into whatever is still exposed, like PowerShell, Task Scheduler, Task Manager, and modern browser behaviour. It is less about one magic shortcut and more about chaining small gaps. If you run Citrix, VDI, or any restricted desktop setup, this is a useful checklist for hardening and for validating that your lockdown does what you think it does. 📌 pentestpartners.com/security-blog/… #RedTeam #PenTesting #CyberSecurity
Pen Test Partners@PenTestPartners·
EV batteries are becoming grid infrastructure. That brings real benefits for balancing short term peaks and troughs on the grid, but it also increases the impact of charger security failures. Our earlier EV charger research showed how compromised connected chargers could be switched on and off at scale to create disruptive spikes in demand. With bidirectional charging, the risk grows because chargers can switch between charging and discharging, which increases the power swing per device and creates a new impact for owners by remotely draining vehicle batteries. @TheKenMunroShow points out that as vehicle to home and vehicle to grid charging moves closer to wider rollout, secure design, secure defaults, and proper vulnerability handling need to be built in from the start. 📌Read here: pentestpartners.com/security-blog/… #Cybersecurity #EVCharging #SmartGrid #IoTSecurity #EnergySecurity
Pen Test Partners@PenTestPartners·
Ken Munro spoke at CISO 360 Americas in New York last week. His talk focused on discovering shadow tech. That means finding the smart devices in your buildings that can create back doors into an organisation. He also joined the “Quantum ready, AI resilient” panel on balancing innovation with trust, resilience, and human agency, alongside Rachael Sherman and Sounil Yu. #CISO360 #Cybersecurity #CyberResilience
Pen Test Partners@PenTestPartners·
@AlanMonie found that Shelly Gen 4 smart switches keep their default, open Wi-Fi access point enabled even after you join them to your home network. Anyone nearby can connect and trigger whatever the device controls. That includes garage doors, gates, lights, sprinklers and more... It also gives an attacker a foothold inside your network. From a compromised Gen 4 device, it is possible to ‘pivot’ and control other Shelly devices on the internal network, and in some cases send traffic to non Shelly devices too. The other problem is scale. These default Shelly SSIDs can be discovered and geolocated using wigle.net, which makes targeting much easier. Shelly initially engaged in disclosure and said firmware 1.8.0 would address it, then went quiet. After 120 plus days, we have published so owners can take action. The DIY fix is simple, but only if you know the access point is still on. 📌pentestpartners.com/security-blog/… #iotsecurity #smarthome #wifisecurity #physicalsecurity #vulnerabilitydisclosure #pentesting
Pen Test Partners@PenTestPartners·
Covert recording devices are cheap, easy to buy, and easy to use. That is what makes them risky. Tom Roberts bought an off the shelf audio bug for proof of concept work and found a concerning surprise. Several recordings were already on the device! The real risk is not a skilled attacker. It is everyday misuse, driven by frustration, curiosity, or spite. 📌 pentestpartners.com/security-blog/… #socialengineering #covertrecording #surveillance #infosec #cybersecurity
Pen Test Partners@PenTestPartners·
Ignoring the dodgy CGI, the l33t speak, and the questionable acting, our @TheKenMunroShow picks apart how much of Hackers (1995) would hold up in the real world today, and what we can learn from it. Some of it is nonsense. Some of it is surprisingly plausible. The most believable parts are usually the least cinematic. Thirty years on, some of the security mistakes are still showing up. 📌pentestpartners.com/security-blog/… #cybersecurity #hackers #hackthegibson #otsecurity #HACKTHEPLANET
Pen Test Partners@PenTestPartners·
The EU Cyber Resilience Act applies to organisations that build, sell, import or distribute products with digital elements into the EU. That includes software, firmware, connected devices and embedded systems. It sets mandatory security requirements across the product lifecycle, covering secure defaults, vulnerability handling and update processes. From September 2026, reporting and vulnerability handling obligations apply. Full compliance is required by December 2027 for products to remain on the EU market. We break down what this means in practice and how teams should prepare. 📌pentestpartners.com/security-blog/… #CyberResilienceAct #ProductSecurity #EUCompliance #CyberSecurity #SecureByDesign
Pen Test Partners@PenTestPartners·
Our @AlanMonie reported a vulnerability to Carlsberg that exposed visitor videos and full names from its Copenhagen exhibition. The issue relied on low-entropy wristband IDs embedded in QR codes. There was no real authentication, and rate limiting wasn’t effective. With a bit of time and one laptop, it was possible to brute force access to other people’s photos and videos. Alan reported the issue through Carlsberg’s vulnerability disclosure program via Zerocopter. He waited. He retested when asked. After that, communication stopped, while the issue remained exploitable and disclosure was blocked. More than 150 days after the original report, we have published. This write-up walks through the technical details, the full disclosure timeline, and why responsible disclosure must include disclosure. 📌pentestpartners.com/security-blog/… #cybersecurity #carlsberg #responsibledisclosure #gdpr #vulnerabilitydisclosure #infosec
Pen Test Partners@PenTestPartners·
A single exposed secret led to compromise across AWS, GitHub, and Azure. There were no platform integrations and no shared identity architecture. The linkage existed entirely through reused, long-lived, overprivileged credentials. Once those secrets leaked, cloud boundaries stopped mattering. Each environment became a stepping stone to the next. This write-up breaks down the attack path and where small changes make a difference based off of lessons from testing. 📌 pentestpartners.com/security-blog/… #cloudsecurity #multicloud #cybersecurity #cloud #AWS #Github
Pen Test Partners@PenTestPartners·
As AI tools fill submission queues with low-value findings, VDP teams are being overwhelmed by trivial duplicates, automated XSS reports, and submissions that don’t help security teams fix real issues. As a result, important findings are increasingly delayed, missed, or buried in the noise. Our latest blog post by @TheKenMunroShow looks at what is going wrong in VDPs and gives practical ways teams can reduce noise, protect signal, and keep disclosure working as intended. 📌pentestpartners.com/security-blog/… #cybersecurity #vulnerabilitymanagement #VDP #AIsecurity #infosec #vulnerabilitydisclosureprogram
Pen Test Partners@PenTestPartners·
We investigated a macOS infostealer variant that, at the time, had not been recorded in the wild. Delivered via a single copy and paste terminal command disguised as a Homebrew installer, the malware harvested credentials, staged user data, and attempted exfiltration using only native macOS tooling. Network egress controls prevented data loss and contained the incident to one host. This case shows how quickly modern infostealers can operate without noisy tooling or exploits. Read the full breakdown of the fastest growing malware category in 2025 here: 📌 pentestpartners.com/security-blog/… #CyberSecurity #DFIR #ThreatResearch #MalwareAnalysis #macOSSecurity
Pen Test Partners@PenTestPartners·
Our Ross Donald took a look at Eurostar’s public AI chatbot and found four security issues, including guardrail bypass, prompt injection, weak conversation binding, and HTML injection. The chatbot UI suggested strong controls, but server side enforcement was incomplete. By modifying chat history and IDs, it was possible to influence model behaviour and extract internal details. This research shows that familiar web and API security failures still apply, even when an LLM sits in the middle. 📌 pentestpartners.com/security-blog/… #CyberSecurity #AIsecurity #LLM #ApplicationSecurity #AI #Chatbot #Eurostar
Pen Test Partners@PenTestPartners·
Smart devices make popular Christmas gifts. Some have shocking security flaws, though security in IoT is improving. Most of the time, it is not because of advanced attacks: Simple steps can make a real difference. 1. Strong passwords and MFA still matter. Set up a strong password using a password manager. 2. Turn on automatic updates, both for the app and the device itself. 3. Before you buy a new IoT device, check online to see if the manufacturer takes security seriously: Search the product name alongside “security” or “vulnerability” and see what turns up. Have they quickly fixed security bugs, or left owners at the mercy of hackers? Stay safe and secure this Christmas. #IoTSecurity #SmartDevices #CyberSecurity #ChristmasTech
Pen Test Partners@PenTestPartners·
We often find built-in Windows defences disabled or misconfigured during assessments. Those same controls can help stop credential theft, boot-level malware, and memory attacks when properly configured. In our latest blog post, Nicole walks through five Windows security features you should be using, explains what they do, why they matter, and how to check them on your systems. 📌pentestpartners.com/security-blog/… #windowssecurity #incidentresponse #endpointsecurity #cybersecurity #dfir
Pen Test Partners@PenTestPartners·
Android app testers and security engineers spend a lot of time dealing with Activities. The attack surface may look small, but a poorly configured Activity can expose data or let other apps do things they shouldn't. In this blog post, @tautology0 explains how exported and debug Activities, weak WebView settings, and missing window security flags can pose security concerns. 📌 pentestpartners.com/security-blog/… #androidsecurity #cybersecurity #appsec #mobile #pentesting #infosec #securitytesting
Pen Test Partners@PenTestPartners·
Cloud compliance dashboards, CNAPP, and CSPM can all show green, but they don't show your entire attack surface. The issue is not with the dashboards, but with the blind spots that lie outside their view, such as leaked developer personal access tokens or overprivileged pipelines that do not appear as non-compliant. In this blog post, Joe Durbin looks at those gaps around tokens, pipelines, and third-party build services. He explains how human-led configuration reviews and custom threat actor simulations work alongside provider tools to show and test your actual attack surface. 📌pentestpartners.com/security-blog/… #cloudsecurity #cloudnative #devsecops #cnapp #cspm #cybersecurity