Outside the box: pwning IoT devices through their applications - Alexei Kojenov
Speaker
Alexei Kojenov
Salesforce, Lead Product Security Engineer
Description
We often think of AppSec and IoT as two separate infosec disciplines. Sure, the domain knowledge, attack vectors, and threat mitigation are not exactly the same in those two worlds. At the same time, as the hardware continues to evolve, we see more and more tiny general-purpose computers around us. Many of these tiny computers nowadays run software that is written in a conventional programming language, listen on network ports, process data inputs, and communicate with the outside world. These devices can be attacked just like any other application running on a desktop, on a server, or in the cloud.
In this talk, I am going to tell you a story about my hacking journey that unexpectedly took me from device configuration settings to software reverse engineering, vulnerability discovery, and six new CVEs. Together, we’ll go step by step through firmware analysis, decompiling, code review, and vulnerability demos. I’ll also share my experience with the responsible disclosure process. I hope this talk inspires you to apply your application security knowledge to new areas such as IoT, even if you’ve never done that before.
Managed by the OWASP® Foundation
https://owasp.org/
Video "Outside the box: pwning IoT devices through their applications - Alexei Kojenov" from the OWASP Foundation channel