Member Spotlight – CENSUS Labs

Who are CENSUS Labs?

CENSUS Labs are an internationally acclaimed cybersecurity services provider. Through cutting-edge IT and OT security research, CENSUS delivers state-of-the-art services supporting the needs of public and private organizations worldwide, including defence primes, system integrators, and intelligence & defence agencies. CENSUS services include IT & OT Security Assessments, Security by Design, Product Security, Secure Systems Development Lifecycle, Threat Modelling, and Vulnerability Research. Built upon its leading research, CENSUS provides high-quality InfoSec services for embedded systems, PLCs & SCADA Systems, RTOs and hardware components.

Activity over the last 18 months

CENSUS Labs has been exceptionally busy during the last 18 months, identifying two vulnerabilities in Facebook’s WhatsApp Messenger Android application and identifying vulnerabilities in embedded systems.  

Facebook’s WhatsApp Messenger vulnerability

CENSUS Labs identified two vulnerabilities in Facebook’s WhatsApp Messenger Android application. The weaknesses affected versions prior to 2.21.4.18 and allowed third-party applications to access TLS protocol cryptographic material. By installing a malicious application, or by exploiting a vulnerable application (or Android component), located on a user’s WhatsApp mobile device, attackers could collect the victim’s TLS cryptographic secrets. Consequently, they could perform a man-in-the-middle attack on WhatsApp communications. CENSUS Labs showed that this could allow the attacker to execute arbitrary code on the victim’s device, which could intercept the cryptographic keys of the Noise and Signal protocols and monitor user conversations.

More information about CENSUS Labs’ work can be found here.

Vulnerability detection in Embedded Systems and Software Development Kits

Embedded systems are part of numerous devices that are used in daily life, such as washing machines, TVs, and video game consoles, to provide efficiency, flexibility, and effectiveness. An embedded system may carry security vulnerabilities due to design, component, or software issues. Vulnerability detection is important for ensuring the security and privacy of user data. CENSUS has detected two vulnerabilities in SDKs. The first was in the library that is part of the standard SDK provided by Microchip and is used to drive the operation of cryptographic co-processors sold by the vendor, such as the ATECC608A. The second comprised several problems in functions of the Microchip ASF4 framework, which is used to develop firmware for Microchip microcontrollers.

Attacks that exploit vulnerabilities in embedded systems may affect both users and companies. Their effects include, for example, integrity violation of data and code, information leakage, illegitimate access and financial loss. However, it is challenging to secure an embedded system due to its limitations. The most effective way to secure these systems is to employ proactive approaches.

Finally,

If you’d like to find out more about CENSUS Labs services and offerings, please visit: https://census-labs.com/  

CENSUS Labs are also exhibitors at DSEI 2021 and can be found at stand H2-813.