About me / Services

I'm Ruben Santamarta, a European security researcher with +20 years of experience.

During all these years I've found and published dozens of vulnerabilities in common desktop software, Industrial Control Systems, SCADA software, IoT devices, RF controllers, satellite, maritime or avionics systems. I've also presented my research projects multiple times at international security conferences such as BlackHat USA or Ekoparty.

My main areas of expertise are reverse engineering, source code analysis, embedded security and Industrial Control Systems.

If you want to contact me, please send a connection request specifying the reason via https://www.linkedin.com/in/rubensantamarta/

Connection requests without a message won't be accepted.

SATCOM terminals under attack in Europe: a plausible analysis.

------ Update 03/12/2022 Reuters has published new information on this incident, which initially matches the proposed scenario. You can find the update at the bottom of this post. ------ February 24th: at the same time Russia initiated a full-scale attack on Ukraine, tens of thousands of KA-SAT SATCOM terminals suddenly stopped working in several european countries: Germany, Ukraine, Greece, Hungary, Poland...Germany's Enercon moved forward and acknowledged that approximately 5800 of its wind turbines, presumably those remotely operated via a SATCOM link in central Europe, had lost contact with their SCADA server . In the affected countries, a significant part of the customers of Eutelsat's domestic broadband service were also unable to access Internet. From the very beginning Eutelsat and its parent company Viasat, stated that the issue was being investigated as a cyberattack. Since then, details have been scarcely provided but few days ago I came across a really inter

VIASAT incident: from speculation to technical details.

34 days after the incident, yesterday Viasat published a statement providing some technical details about the attack that affected tens of thousands of its SATCOM terminals. Also yesterday, I eventually had access to two Surfbeam2 modems: one was targeted during the attack and the other was in a working condition. Thank you so much to the person who disinterestedly donated the attacked modem. I've been closely covering this issue since the beginning, providing a plausible theory based on the information that was available at that time, and my experience in this field. Actually, it seems that this theory was pretty close to what really happened. Fortunately, now we can move from just pure speculation into something more tangible, so I dumped the flash memory for both modems (Spansion S29GL256P90TFCR2 ) and the differences were pretty clear. In the following picture you can see 'attacked1.bin', which belongs to the targeted modem and 'fw_fixed.bin', coming from t

De-Anonymization attacks against Proton services

In November 2021 YesWeHack invited me to participate in a private bug bounty program organized by Bug Bounty Switzerland on behalf of Proton AG. The scope of the program was quite interesting and heterogeneous, as it covered most of the applications and services offered by Proton, such as ProtonMail and ProtonVPN. As a result, multiple technologies and codebases were in scope, ranging from typescript, in the open-source part of Protonmail, to .NET/Swift used by ProtonVPN apps for Windows and macOS respectively. Proton is well-known for its privacy-driven services offer, so they are based on Switzerland where the legislation seems to match Proton's requirements to provide that kind of services: thus maximizing the privacy of their communications, minimizing the amount of data they log from their users while keeping a law-abiding status. It wouldn't be realistic to think of Proton users as an homogenous group; you may be using Proton because you're genuinely worried

Reversemode

Search This Blog