Assessing the Embedded Devices On Your Network

Presented at BSidesSF 2017, Feb. 12, 2017, 12:25 p.m. (30 minutes).

Embedded devices (including the so-called Internet of Things) pose unique problems for those responsible for managing and assessing their security.  The devices tend to be less transparent and more tightly integrated than typical software and generally lack the host-based security controls (privilege separation, host firewalls, etc.) found on desktop or server applications.  This talk will cover some of the unique constraints for threat modeling and assessing these devices, then walk through an assessment of a VoIP phone and discuss the issues found there, including potential mitigations that can be applied if a device cannot be updated.


Presenters:

  • David Tomaschik
    David has been breaking software and playing CTFs for years before making security a profession. He currently works on the Security Assessments team at Google, looking at a range of issues from embedded devices to customer-facing products.

Links:

Similar Presentations: