Exploiting IoT devices through Physical Embedded Security

Presented at CactusCon 11 (2023), Jan. 27, 2023, 4:30 p.m. (60 minutes).

IoT devices are becoming increasingly common in our homes and workplaces. In 2022, it was estimated that over 50 million IoT devices were compromised. Is it any surprise that most of them were running telnet? IoT devices often rely on outdated and insecure protocols, which makes them easy targets for attackers. In this talk, we will explore some of the most common IoT protocols and how they can be exploited by adversaries. By understanding these protocols and their weaknesses, we can start to think like an attacker and better protect our IoT devices. I will also show you some of the common tools and techniques used by IoT hackers by demonstrating gaining a shell to the device, privilege escalation, and even fuzzing your own IoT binaries.

This presentation will cover fundamentals in the following protocols:

- Serial Peripheral Interface (SPI)
- UART (Universal Asynchronous Transmitter and Receiver)
- BLE (Bluetooth Low Energy)
- Zigbee

By the end of this talk, you will have a better understanding of IoT security and how to protect your devices from common threats and attacks. Whether you are looking to score your first IoT bug bounty or simply just gain more IoT security knowledge, this talk is for you!

Presenters:

  • Ryan Jones - I am the one who codes
    Ryan Jones is a security professional with a specialization in the IoT and embedded sector. Industry experience includes enhancing the security presence of several embedded products through security engagements and responsible vulnerability disclosure. With more CVEs and certifications than one knows what to do with, Ryan’s core mission is to help secure the unavoidable shift IoT will play in our lives. In Ryan’s free time, he is a frequent speaker at DC480, Phoenix 2600, and the Phoenix Committee of Foreign Relations (PCFR). He is currently a computer science graduate student at Georgia Tech and received his undergraduate degree in computer systems engineering from ASU. Ryan aims to make a bigger impact on the tech community by raising awareness for cybersecurity.
