Cyber Controller drives real RF-attack, flashing, and anti-forensic hardware. It is built for authorized security testing, education, and CTF use only (see the disclaimer). The codebase is hardened accordingly.
Email lxveace@proton.me with details and reproduction steps. Please do not open public issues for security-sensitive reports. You will receive an acknowledgement; coordinated disclosure is appreciated.
- Authenticated WebSockets — the SocketIO `connect` handler rejects any unauthenticated session and validates a per-session CSRF/connection token; every `subscribe_serial`/`send_command` event re-checks the session and validates the target port against the device registry.
- Local by default — binds `127.0.0.1`; LAN exposure requires the explicit `CC_WEB_ALLOW_LAN=1` opt-in, and TLS via `CC_WEB_CERT`/`CC_WEB_KEY` is encouraged.
- No default credentials — a strong one-time password is generated and printed if `CC_WEB_PASS` is unset. Credentials are verified in constant time against a salted scrypt hash.
- CSRF tokens on state-changing POSTs and the socket handshake; per-IP rate limiting on auth and command/flash actions; CORS allowlist (never `*`); `SameSite=Strict` + `HttpOnly` cookies; stable file-persisted (`0600`) secret key; strict `Content-Security-Policy` and security headers; request body size cap.
- XSS-safe rendering — over-the-air scan data (SSIDs/MACs) is rendered via DOM `textContent`, never `innerHTML` string concatenation.
- SSRF-safe downloads — pinned to an HTTPS GitHub host allowlist with redirect validation (a 302 cannot bounce the downloader to a metadata/LAN endpoint); body size-capped.
- Path-traversal guards on every remote asset / bundle filename, with realpath containment.
- SHA-256 integrity pinning — profiles may pin `firmware_sha256`; a mismatch hard-fails and the download is deleted. The arbitrary `assets[0]` fallback was removed (name-matched `.bin` required).
- TOCTOU-safe bundle flashing — Suicide-Marauder bundles are verified per file, staged into a `0700` tempdir, and re-hashed before a single atomic `write_flash`; suicide-schema bundles refuse to flash without a SHA-256 for every file (no trust-on-first-use downgrade).
- AES-256-GCM (scrypt KDF) is the only cipher and fails closed — there is no unauthenticated XOR fallback, and `cryptography` is a mandatory dependency.
- Secret-bearing files are written with `0600` permissions (owner-only NTFS ACL on Windows).
- Optional access gate (admin password and/or physical USB key) is enforced once at startup, before any UI or device bootstrap, and fails closed: a denied/cancelled gate exits the process, and if an encrypted vault is present but the gate config is missing the app refuses to start (so removing the gate config cannot be used to skip the opening sequence — the data stays encrypted).
- Boot/startup-bypass resistance: modifying an already-configured gate (change password, add a key, change policy, clear the gate) requires passing the existing gate first — it can't be reset or disabled pre-authentication. Protected data lives in a gate-keyed vault that is ciphertext on disk until the supplied factor(s) open it for the session.
- Brute-force hardening: failed unlocks increment a counter persisted in the ACL'd gate state (survives restart) with an exponential-backoff lockout window; password comparison is constant-time.
- Opt-in duress self-wipe: after a configurable number of consecutive failed unlocks, the app can securely wipe its own footprint (vault, keys, config, secure container). Off by default, set knowingly from the setup UI. Honest scope: best-effort secure-overwrite-then-delete of the app's own data — it defeats casual/seizure access, not a forensic lab on modern wear-leveled SSDs.
- Secure container (opt-in): when enabled, app-internal saves (e.g. recorded command sessions) are encrypted at rest under `~/.cyber-controller/secure` with a key held only inside the unlocked vault, so the container is sealed and unreadable while the gate is locked. Ciphertext is written directly (no transient plaintext), GCM-authenticated (tamper fails closed). Files the user explicitly exports to share (e.g. a WiGLE CSV) stay plaintext by design.
- `SerialConnection.write` rejects embedded newlines/control characters so one logical command can never expand into many. `AutoRouter` substitutes only fixed `{mac}`/`{ssid}`/`{channel}` placeholders (no `str.format` on untrusted data) and sanitizes/validates over-the-air values before they reach the serial port.
- A tamper-evident SHA-256 hash-chain audit trail records flash, serial-command, and auth events.
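
The SSRF-safe download and path-traversal items above come down to checks like the following. This is an added example, not Cyber Controller's own code: the function names, the hop cap and the host allowlist are assumptions, since the page does not list the real hosts.

```python
import os
from urllib.parse import urlsplit

# Assumed allowlist for illustration; the page does not list the real hosts.
ALLOWED_HOSTS = {"github.com", "api.github.com", "objects.githubusercontent.com"}
MAX_HOPS = 5  # assumed cap on URLs in one chain (first request plus redirects)


def check_url(url):
    """Accept only https:// URLs on an allowlisted host, default port, no userinfo."""
    parts = urlsplit(url)
    if parts.scheme != "https":
        raise ValueError("refusing non-HTTPS URL")
    if parts.username is not None or parts.password is not None:
        raise ValueError("refusing URL with userinfo")  # host would be what follows '@'
    if (parts.hostname or "").lower() not in ALLOWED_HOSTS:
        raise ValueError("host is not on the allowlist")
    if parts.port not in (None, 443):
        raise ValueError("refusing non-default port")
    return url


def check_redirect_chain(urls):
    """Validate the first URL and every redirect Location before it is fetched."""
    if len(urls) > MAX_HOPS:
        raise ValueError("too many redirects")
    return [check_url(u) for u in urls]


def contained_path(base_dir, filename):
    """Map a remote asset name to a path that must stay inside base_dir."""
    if not filename or filename in {".", ".."} or any(c in filename for c in "/\\\x00"):
        raise ValueError("unsafe asset name")
    base = os.path.realpath(base_dir)
    target = os.path.realpath(os.path.join(base, filename))  # resolves symlinks too
    if os.path.commonpath([base, target]) != base:
        raise ValueError("path escapes the download directory")
    return target
```

A downloader using these checks turns off automatic redirect following and passes each `Location` value through `check_url` before requesting it.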
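
The serial-injection item above (fixed placeholders, validated over-the-air values, no control characters on the wire) can be sketched as follows. This is an added example, not the project's `AutoRouter` or `SerialConnection` code: the function names, the SSID and channel policy, and the appended line terminator are assumptions.

```python
import re

_PLACEHOLDER = re.compile(r"\{(mac|ssid|channel)\}")
_MAC = re.compile(r"(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}")


def _clean(name, value):
    """Validate one over-the-air value for the placeholder it will fill."""
    if name == "mac":
        if not _MAC.fullmatch(value):
            raise ValueError("invalid MAC")
        return value.lower()
    if name == "channel":
        # Assumed range covering 2.4 GHz and 5 GHz channel numbers.
        if not (value.isascii() and value.isdigit() and 1 <= int(value) <= 165):
            raise ValueError("invalid channel")
        return str(int(value))
    # SSID (assumed policy): keep printable ASCII only, at most 32 characters.
    ssid = "".join(c for c in value if " " <= c <= "~")
    if not ssid or len(ssid) > 32:
        raise ValueError("invalid SSID")
    return ssid


def render(template, values):
    """Fill only the three fixed placeholders, in one pass, without str.format.

    Substituted text is never rescanned, so an SSID that itself contains
    "{mac}" or "{0.__class__}" is emitted literally.
    """
    return _PLACEHOLDER.sub(lambda m: _clean(m.group(1), values[m.group(1)]), template)


def write_line(command):
    """Refuse control characters so one logical command stays one line."""
    if any(ord(c) < 0x20 or ord(c) == 0x7F for c in command):
        raise ValueError("control character in command")
    return command.encode("ascii") + b"\n"  # terminator added here only (assumption)
```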
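
A minimal SHA-256 hash chain of the kind the audit-trail item describes, with a verifier that reports the first broken link. This is an added example, not the project's implementation: the record fields, the genesis value and the `expected_head` check are assumptions.

```python
import hashlib
import json

GENESIS = "0" * 64  # assumed value chained into the first record
FIELDS = ("seq", "ts", "kind", "detail")


def _digest(prev, event):
    """SHA-256 over the previous hash plus a canonical encoding of the event."""
    body = json.dumps(event, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev + body).encode("utf-8")).hexdigest()


def append(log, kind, detail, ts):
    """Add a flash, serial-command or auth event linked to the previous record."""
    prev = log[-1]["hash"] if log else GENESIS
    event = {"seq": len(log), "ts": ts, "kind": kind, "detail": detail}
    entry = dict(event, prev=prev, hash=_digest(prev, event))
    log.append(entry)
    return entry


def verify(log, expected_head=None):
    """Return the index of the first bad record, or None if the chain is intact.

    Editing, reordering or removing a record breaks a link. Cutting records off
    the end leaves a self-consistent chain, so that case is only caught when the
    latest hash was stored somewhere else and is passed as expected_head.
    """
    prev = GENESIS
    for i, entry in enumerate(log):
        event = {k: entry[k] for k in FIELDS}
        if entry["seq"] != i or entry["prev"] != prev or entry["hash"] != _digest(prev, event):
            return i
        prev = entry["hash"]
    if expected_head is not None and prev != expected_head:
        return len(log)
    return None
```

The chain is unkeyed, so it shows edits made to part of the file; someone able to rewrite the whole log can recompute every hash unless the head is anchored outside it.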
The release binaries are not code-signed yet, so Windows SmartScreen may warn and a few antivirus
engines may show a heuristic false positive — the normal pattern for an unsigned PyInstaller build.
Every release publishes SHA-256 checksums (SHA256SUMS.txt) so you can verify the download, the files
are scanned on VirusTotal, and the project is open source so you can build it yourself. See
docs/WINDOWS-SECURITY.md for the full explanation and verification steps.
The latest master is the supported version. Security fixes are applied to master.