Let's Talk About SOAP, Baby. Let's Talk About UPNP

Presented at DEF CON 23 (2015), Aug. 9, 2015, 2 p.m. (60 minutes)

Whether we want it to be or not, the Internet of Things is upon us. Network interfaces are the racing stripes of today's consumer device market. And if you put a network interface on a device, you have to make it do something, right? That's where a Simple Object Access Protocol (SOAP) service comes in. SOAP services are designed with ease-of-access in mind, many times at the expense of security. Ludicrous amounts of control over device functionality, just about every category of vulnerability you can think of, and an all-around lack of good security practice about sums it up. In this talk, I will discuss this growing attack surface, demonstrate different methods for attacking/fuzzing it, and provide plenty of examples of the many dangers of insecure SOAP/UPnP interfaces on embedded and "smart" devices along the way.


Presenters:

  • Ricky Lawshae / HeadlessZeke - Security Researcher, HP TippingPoint (as Ricky "HeadlessZeke" Lawshae)
    Ricky "HeadlessZeke" Lawshae is a Security Researcher for DVLabs at HP TippingPoint with a medium-sized number of years' experience in professionally voiding warranties. He has spoken at the DEF CON, Recon, Insomni'hack, and Ruxcon security conferences, and is an active participant in the extensive Austin, TX hacker community. In his meager spare time, he enjoys picking locks, reading comic books, and drinking expensive beers. Twitter: @HeadlessZeke
