Posts on Jacopo Jannone - blog https://blog.jacopo.io/en/post/ Recent content in Posts on Jacopo Jannone - blog Hugo -- gohugo.io en © 2018-2024 Jacopo Jannone Sat, 26 Oct 2024 00:00:00 +0000 [Video] Exploring and Exploiting an Android “Smart POS” Payment Terminal https://blog.jacopo.io/en/post/smart-pos/ Sat, 26 Oct 2024 00:00:00 +0000 https://blog.jacopo.io/en/post/smart-pos/ <p>In this talk from No Hat 2024, I go through my exploration and reverse engineering of one of the most popular “Smart POS” credit card terminals currently in use worldwide. I present the research process that led me to the discovery of multiple software vulnerabilities, ultimately granting me persistent root access to the device&rsquo;s operating system.</p> Analysis of magnetic stripe tickets used for public transport in Lombardy, Italy https://blog.jacopo.io/en/post/sbme-dm/ Tue, 04 Jan 2022 00:00:00 +0000 https://blog.jacopo.io/en/post/sbme-dm/ <p>Una banda magnetica su un biglietto usa e getta potrebbe sembrare una cosa piuttosto noiosa e poco degna di essere studiata. Ogni tanto però la curiosità prevale, una scoperta tira l&rsquo;altra e in men che non si dica ci si trova a viaggiare non per lavoro o per diletto, ma per accumulare biglietti da analizzare. Ecco tutto ciò che ho scoperto sul mondo che c&rsquo;è dietro.</p> SPID and Google Authenticator: When Interoperability Is Intentionally Impeded https://blog.jacopo.io/en/post/spid-google-authenticator/ Tue, 09 Mar 2021 00:00:00 +0000 https://blog.jacopo.io/en/post/spid-google-authenticator/ <p>SPID is the Italian Public Digital Identity System, which enables citizens to access online services of the public administration. Citizens can choose among several identity providers. Most of them support two-factor authentication with proprietary authenticator apps, which are not interchangeable nor compatible with &ldquo;universal&rdquo; apps such as Google Authenticator. It turns out that all apps actually use the same algorithm, and the incompatibility is purely artificial.</p> Does Apple really log every app you run? A technical look https://blog.jacopo.io/en/post/apple-ocsp/ Sat, 14 Nov 2020 00:00:00 +0000 https://blog.jacopo.io/en/post/apple-ocsp/ <p>Apple&rsquo;s launch of macOS Big Sur was almost immediately followed by server issues which prevented users from running third-party apps on their computers. While a workaround was soon found by people on Twitter, others raised some privacy concerns related to that issue.</p> Vulnerabilities in ATM Milano's mobile app https://blog.jacopo.io/en/post/atm-app-vulnerability/ Tue, 18 Aug 2020 00:00:00 +0000 https://blog.jacopo.io/en/post/atm-app-vulnerability/ <p>Some design flaws left ATM Milano&rsquo;s mobile app vulnerable to attacks: anyone could access any users&rsquo; data and tickets by just knowing their e-mail address. Meanwhile, some apparent security features made the vulnerabilities harder to spot and to exploit.</p> Reverse engineering Trenitalia's mobile application https://blog.jacopo.io/en/post/trenitalia-reverse-engineering/ Mon, 24 Sep 2018 00:00:00 +0000 https://blog.jacopo.io/en/post/trenitalia-reverse-engineering/ <p>Trenitalia ha da poco rilasciato la nuova versione della sua app per iOS e Android. Avendo già avuto a che fare con i meravigliosi sistemi informatici delle Ferrovie dello Stato per lo sviluppo di <a href="https://trenitbot.jacopo.io" target="_blank"><strong>TrenItBot</strong></a> e per altri progetti, una sbirciata anche qui non poteva mancare.</p>