Security Research Labs

We are SRLabs, a hacking research collective and consulting think tank. Follow us to stay on top of the latest hacking research.

Security Research Labs (srlabs@infosec.exchange)
2025-07-01

Unveiled at #TROOPERS25 - Hexagon fuzzing unlocked

Hexagon is the architecture in Qualcomm basebands - they power most of the world's leading smartphones.

Until now, this baseband was out of reach.

We released the first open-source toolchain for system-mode Hexagon fuzzing, presented by Luca Glockow (@luglo), Rachna Shriwas, and Bruno Produit (@bruno) at @WEareTROOPERS

Full post: srlabs.de/blog-post/hexagon-fu

How we opened up mobile firmware in 3 steps:
1. Boot real iPhone basebands with a custom QEMU fork
2. Rust-powered fuzzer controls execution via JSON configs
3. Ghidra integration maps coverage across threads

This brings full visibility to Qualcomm’s 4G/5G/GPS stacks.

Reproducible. Extendable. Open source.

Hexagon’s no longer off-limits - mobile security just got a lot more transparent.


🔗 Try it yourself: github.com/srlabs/hexagon_fuzz
📚 Docs: github.com/srlabs/hexagon_fuzz
🖥️ Slides from Troopers25: github.com/srlabs/hexagon_fuzz
🛠️ Issues, ideas, or contributions? PRs welcome.

Security Research Labs (srlabs@infosec.exchange)
2025-04-16

Currently available Go fuzzing tools were missing critical features - some don’t play well with the latest Go toolchain. So we set out to change that.

@bruno, Nils Ollrogge, and colleagues explored more powerful ways to fuzz Go binaries. By tapping into Go’s native instrumentation — which is compatible with libFuzzer — we enabled effective fuzzing of Go code using LibAFL.

We’ve documented our approach and shared insights in our latest blog post: srlabs.de/blog-post/golibafl--

Repo: github.com/srlabs/golibafl

Security Research Labs boosted:
chris@strafpla.net
2025-01-30

A very nice video by #veritasium, @srlabs and #LinusTechTips on #SS7 hacking, in which they demonstrate in an easily understandable way how SMS and calls can be redirected to arbitrary third parties anywhere in the world without the victim noticing, and how any mobile phone worldwide can be tracked.

youtube.com/watch?v=wVyu7NB7W6

Security Research Labs boosted:
Security Research Labs (srlabs@infosec.exchange)
2024-09-18

It has long been known that timing analyses are a *theoretical* attack on Tor. By distributing the circuits across different jurisdictions, the goal was to make these attacks impractical to implement:

Only a "global adversary" should be able to break the anonymity by correlating the traffic from entry and exit nodes. Correlation becomes even easier if delays or content can be actively introduced into the traffic pattern.

Just as we could (theoretically) become a "global adversary" by renting enough servers, law enforcement agencies can (practically) achieve this through close cooperation, especially since Tor nodes are not evenly distributed across jurisdictions but tend to cluster in certain regions.

Western law enforcement agencies seem to have reached the "global adversary" level through collaboration (in isolated cases and certainly with significant effort). What is problematic for Tor is that other "law enforcement agencies," whose focus is on dissidents, whistleblowers, and journalists, could do the same.

So, it is finally time for cover traffic and random delays: nodes in the Tor network would introduce a random traffic background noise as well as random delays to make targeted correlations more difficult. This would make Tor even slower. This is probably why it has been avoided until now.

In conclusion, we would like to emphasize that there is no reason for regular users of the Tor browser to worry about their anonymity. These are highly targeted attacks on individual accounts of the messenger "Ricochet" over extended periods of time. Because the messenger, unlike a browser, is also reachable, it naturally has an increased attack surface for timing analyses.

tagesschau.de/investigativ/pan
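The correlation attack the post describes, as an added example (this is not SRLabs' code and not part of the original post): a Go simulation in which a "global adversary" sees only per-second packet counts at the entry and exit side of several circuits and links each exit flow to the client whose entry timing correlates best, first with plain forwarding and then with the random delays and cover traffic the post proposes. Client rates, the hop latency, the delay bound and the cover rate are all assumed values generated in-process from a fixed seed; nothing contacts the Tor network.

```go
package main

import (
	"fmt"
	"math"
	"math/rand"
)

// Toy model of a traffic-correlation ("global adversary") attack on an onion-routed circuit.
// Nothing touches Tor: flows, delays and cover traffic come from a seeded PRNG; all parameters are assumed.

// Defense holds the relay-side countermeasures; the zero value is plain forwarding.
type Defense struct {
	MaxDelay  float64 // each packet is held for a random delay in [0, MaxDelay) seconds
	CoverRate float64 // Poisson cover packets per second injected on the exit side
}

// poissonTimes returns timestamps of a Poisson process (rate in packets/s) over [0, duration).
func poissonTimes(r *rand.Rand, rate, duration float64) []float64 {
	var ts []float64
	for t := r.ExpFloat64() / rate; t < duration; t += r.ExpFloat64() / rate {
		ts = append(ts, t)
	}
	return ts
}

// relay forwards one client's packets: fixed hop latency plus the defense's random
// per-packet delay, with cover packets merged into the exit-side stream.
func relay(r *rand.Rand, entry []float64, d Defense, duration float64) []float64 {
	const hopLatency = 0.1 // seconds, assumed
	exit := make([]float64, 0, len(entry))
	for _, t := range entry {
		exit = append(exit, t+hopLatency+r.Float64()*d.MaxDelay)
	}
	if d.CoverRate > 0 {
		exit = append(exit, poissonTimes(r, d.CoverRate, duration)...)
	}
	return exit
}

// binCounts reduces timestamps to packets-per-second counts, the feature a passive
// observer gets from encrypted traffic without reading any payload.
func binCounts(ts []float64, duration float64) []float64 {
	counts := make([]float64, int(duration))
	for _, t := range ts {
		if b := int(t); b >= 0 && b < len(counts) {
			counts[b]++
		}
	}
	return counts
}

// pearson is the correlation coefficient of two equally long count series.
func pearson(a, b []float64) float64 {
	n := float64(len(a))
	var sa, sb, saa, sbb, sab float64
	for i := range a {
		sa, sb = sa+a[i], sb+b[i]
		saa, sbb, sab = saa+a[i]*a[i], sbb+b[i]*b[i], sab+a[i]*b[i]
	}
	va, vb := saa-sa*sa/n, sbb-sb*sb/n
	if va <= 0 || vb <= 0 {
		return 0
	}
	return (sab - sa*sb/n) / math.Sqrt(va*vb)
}

// Simulate builds `clients` independent flows, relays each under defense d, then plays
// the adversary: each exit flow is linked to the entry flow whose counts correlate best.
// It returns the fraction linked to the right client and the mean true-pair correlation.
func Simulate(seed int64, clients int, duration float64, d Defense) (accuracy, trueCorr float64) {
	r := rand.New(rand.NewSource(seed))
	entries, exits := make([][]float64, clients), make([][]float64, clients)
	for i := range entries {
		rate := 0.5 + r.Float64()*2.5 // each client talks at its own 0.5-3 pkt/s
		e := poissonTimes(r, rate, duration)
		entries[i] = binCounts(e, duration)
		exits[i] = binCounts(relay(r, e, d, duration), duration)
	}
	correct := 0
	for x, exit := range exits {
		best, bestCorr := -1, -2.0
		for i, entry := range entries {
			if c := pearson(entry, exit); c > bestCorr {
				best, bestCorr = i, c
			}
		}
		if best == x {
			correct++
		}
		trueCorr += pearson(entries[x], exit)
	}
	return float64(correct) / float64(clients), trueCorr / float64(clients)
}

func main() {
	for _, d := range []Defense{{}, {MaxDelay: 5, CoverRate: 2}} {
		acc, c := Simulate(1, 10, 300, d)
		fmt.Printf("max delay %.0fs, cover %.0f pkt/s: linked %3.0f%% of exit flows, true-pair correlation %.2f\n", d.MaxDelay, d.CoverRate, acc*100, c)
	}
}
```

Run it with `go run`. With plain forwarding nearly every packet stays in the same one-second bin at entry and exit, so the true pair correlates at roughly 0.9 and every flow is linked to its client. Holding packets for up to five seconds smears each one over several bins, and the cover stream adds variance the client never produced, so the true-pair correlation drops toward the noise floor; the price, as the post says, is latency, which is exactly the MaxDelay parameter. This shows the mechanism only, not a bound on a real adversary, who would search over lags, use packet sizes and observe for far longer than five minutes.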

Security Research Labs boosted:
2024-07-11

CCC researchers had live access to 2nd factor SMS of more than 200 affected companies - served conveniently by IdentifyMobile who logged this sensitive data online without access control.
You had one job.

ccc.de/en/updates/2024/2fa-sms

Security Research Labs (srlabs@infosec.exchange)
2024-06-27

Our Red Team regularly challenges Fortune 500 defenses. Often, a decent ADCS honeypot could have stopped us.

So we built one.

Blog post: srlabs.de/blog-post/certicepti

Source code: github.com/srlabs/Certiception

Presentation at @WEareTROOPERS, including a strategic guide to deception: github.com/srlabs/Certiception

Security Research Labs boosted:
2024-06-17

In the red team at @srlabs we became increasingly frustrated with ineffective detection and response for the late stages of our hacking attacks.

The frustration became high enough to develop an internal honeypot / deception strategy that would be good enough to catch us.

It's finally ready and together with my colleague Niklas van Dornick, I'll be at @WEareTROOPERS next week to present it!

We'll tell you why expensive deception tooling is often a waste of money and how we developed an internal honeypot that looks too juicy to ignore for attackers.

PS: implementation is _almost_ done, see you next week :)

Security Research Labs (srlabs@infosec.exchange)
2024-05-14

@maikel @xtaran Look, we’ll be honest here: We tried to fix something in prod ;) and then we had to…

Security Research Labs boosted:
2024-05-08

@kantorkel and his team have been on another data expedition.

Zeit, the Guardian and Le Monde report on #bogusbazaar, the fake-shop-network-as-a-service with millions in revenue across tens of thousands of domains.

Time for an @lnp special ;)

From: @srlabs
infosec.exchange/@srlabs/11240

Security Research Labs boosted:
2024-05-08

#bogusbazaar

The Guardian: Chinese network behind one of world’s ‘largest online scams’
theguardian.com/money/article/

Le Monde: Arnaques en ligne : dans les coulisses du plus grand réseau de faux sites marchands au monde
lemonde.fr/pixels/article/2024

Die Zeit: Fake-Shops von der Stange
zeit.de/2024/21/gefaelschte-on

SRLabs: BogusBazaar: A criminal network of webshop fraudsters
srlabs.de/blog-post/bogusbazaa

Kudos, @kantorkel and team!

Security Research Labs (srlabs@infosec.exchange)
2024-05-08

New Research – #BogusBazaar, a sprawling criminal fake webshop network:

• 75,000+ domains
• 450,000+ credit cards
• 1 million fraud cases
• USD 50+ million in fake orders

We publish our insights together with an international team of journalists from Die Zeit (Germany), The Guardian (United Kingdom), and Le Monde (France).

srlabs.de/blog-post/bogusbazaa

Security Research Labs (srlabs@infosec.exchange)
2024-05-07

After months of intensive research, we are ready to drop new insights on yet another criminal group.

You might want to pick up a copy of Die Zeit (German), The Guardian (English) or Le Monde (French) tomorrow ;)

Stay tuned for updates!

Security Research Labs (srlabs@infosec.exchange)
2024-02-20

SRLabs joins Allurity!

We joined Allurity, a group of seven cyber pioneers across Europe. Starting SRLabs Chapter 2 today!

Over the past decade, our team of SRLabs hacking wizards helped clients all over the world push the envelope on hacking resilience.

In Allurity, we found a partner with a shared vision of how IT security should be done. Very happy to join forces with some of Europe’s greatest in our mission to bring effective security to innovation leaders.

Together, we continue fusing hacking with consulting, while exploring technology through research – just a bit more of everything.

A special thank you to our SRLabs teammates and alumni who made SRLabs Chapter 1 an ever-exciting journey!

Looking forward to the next chapter – together with our Allurity sisters!
@CSIS @Securix @Aiuken @IDNorth @Arcticgroup @cloudcomputing

allurity.com/cybersecurity-gro

Security Research Labs (srlabs@infosec.exchange)
2024-01-15

Unlocked - Ransomware edition 🔓🔧

Our colleague Tobias rocked the stage at #37C3 releasing your free decryptor for Black Basta – Germany's "second most used ransomware."

Watch the full talk including cryptographic kung fu: media.ccc.de/v/37c3-11903-unlo

You can find the decryptor on Github: github.com/srlabs/black-basta-

For a closer look at our Black Basta research, stay tuned for a detailed blog post!

Bust Black Basta with the Black Basta Buster, basta!

Security Research Labs (srlabs@infosec.exchange)
2023-10-25

Meet @iyskierka, Security Consultant at SRLabs! Watch her video where she shares her work experiences and OSCP study tips. 🔒💻
youtu.be/AzoZ1gnIo9Y?si=2zYbXt

Security Research Labs boosted:
The Hacker's Choice (thc@infosec.exchange)
2023-10-21

Updated the article at srlabs.de/blog-post/advanced-f because I accidentally added a partial corrupted seed in the middle of the campaign that made it easier for the fuzzer to find the bug. Sorry I fucked that up! Luckily I released my corpus otherwise this error would not have been discovered. Imho it is important to be transparent about results so they can be independently verified as well as to be truthful if you made a mistake :)

Security Research Labs boosted:
The Hacker's Choice (thc@infosec.exchange)
2023-10-21

The blog post about the libwebp vulnerability fuzzing is up, it explains how I set up the experiment, how the crash was found and why oss-fuzz was not able to find it: srlabs.de/blog-post/advanced-f #fuzzing

Security Research Labs (srlabs@infosec.exchange)
2023-09-05

We have 6 solves so far on our SRLabs hacking challenges!🔓
As expected, the #telco challenge is the hardest to crack.

Do you want to hack a telco network or try the crypto and pwn categories?
hackingchallenge.srlabs.de

Running until 21.09
Discord: discord.gg/vusPXQzhVa

#ctf

Security Research Labs (srlabs@infosec.exchange)
2023-08-21

Our SRLabs CTF is now live! Clean your displays, stretch your fingers and get ready to hack 👾

hackingchallenge.srlabs.de

🚀 Crypto, Pwn, and Telco challenges
💻 CTF runs: 21.08.2023 - 21.09.2023
👤 Solo or team play

Earn Hall of Fame, goodies and get to know our team 🏆

Hop on the Discord for questions, finding a team and maybe even some Memes: discord.gg/vusPXQzhVa

SRLabs Hacking Challenge!

The three challenge categories are:

Crypto - forge an RSA signature
Pwn - hack an ARM CGI webserver
Telco - hack a telco, spy on a call
