Bug hunting scope

Below is the list of bug hunting targets, in priority order:

  • eavesdropping of the VPN connection / defeating encryption
  • obtaining VPN authentication RSA keys remotely from any product
  • remote root login / remote code execution in Lock / (Virtual) Central Lock from WAN interface
  • obtaining RSA keys or key material from a TOSIBOX® Key (token)
  • obtaining RSA keys or key material from Mobile Client app
  • obtaining RSA keys or key material from SoftKey
  • obtaining RSA keys or key material from a Lock 500
  • obtaining the password of a TOSIBOX® Key (token)
  • obtaining the password of a SoftKey
  • impersonation: making Lock / Key / SoftKey / Mobile Client / (Virtual) Central Lock connect with a fake endpoint
  • impersonating a TOSIBOX® device towards the MatchMaking service
  • obtaining RSA keys or key material from Lock / (Virtual) Central Lock
  • remote root login / remote code execution in Lock / (Virtual) Central Lock from LAN / service port
  • root login on Lock with physical access to device

Physical tampering with the devices is also allowed; however, results obtained through tampering are not a priority.