From Box to Backdoor: Using Old School Tools and Techniques to Discover Backdoors in Modern Devices

Presented at DEF CON 25 (2017), July 27, 2017, 11 a.m. (45 minutes)

Stringing together the exploitation of several seemingly uninteresting vulnerabilities can be a fun challenge for security researchers, penetration testers, and malicious attackers. This talk follows some of the paths and thought processes that one researcher followed while evaluating the security of several new "out of the box" Industrial Control System (ICS) and Internet of Things (IoT) devices, using a variety of well known exploitation and analysis techniques, and eventually finding undocumented, root-level, and sometimes un-removable, backdoor accounts.

Presenters:

• Patrick DeSantis - Senior Security Research Engineer, Cisco Talos
  Patrick DeSantis is a security researcher with Cisco Talos and focuses his efforts on discovery and exploitation of vulnerabilities in technologies that have an impact on the physical world, such as Industrial Control Systems (ICS), Supervisory Control and Data Acquisition (SCADA), Internet of Things (IoT), and anything else that looks like it's asking to be hacked. Patrick's background includes work in both the public and private sectors, as well as a pile of information security certifications and a few college degrees. @pat_r10t

Links:

• https://defcon.org/html/defcon-25/dc-25-speakers.html#DeSantis
• https://infocon.org/cons/DEF CON/DEF CON 25/DEF CON 25 video and slides/DEF CON 25 - Patrick DeSantis - From Box to Backdoor.mp4
• https://infocon.org/cons/DEF CON/DEF CON 25/DEF CON 25 video and slides/DEF CON 25 - Patrick DeSantis - From Box to Backdoor.srt (subtitles)

Similar Presentations:

• AppSec USA 2017 / Practical Hands-on Internet of Things Hacking - 2017 Edition (1 of 2 days)
• REcon 2023 / A Backdoor Lockpick
• DEF CON 23 (2015) / I Hunt Penetration Testers: More Weaknesses in Tools and Procedures