Outside the box: pwning IoT devices through their applications - Alexei Kojenov
Speaker
Alexei Kojenov
Salesforce, Lead Product Security Engineer
Description
We often think of AppSec and IoT as two separate infosec disciplines. Sure, the domain knowledge, attack vectors, and threat mitigation are not exactly the same in those two worlds. At the same time, as the hardware continues to evolve, we see more and more tiny general purpose computers around us. Many of these tiny computers nowadays run software that is written in a conventional programming language, listen on network ports, process data inputs, and communicate with the outside world. These devices can be attacked just like any other application running on a desktop, on a server, or in the cloud.
In this talk, I am going to tell you a story about my hacking journey that unexpectedly took me from device configuration settings to software reverse engineering, vulnerability discovery, and six new CVEs. Together, we’ll go step by step through firmware analysis, decompiling, code review, and vulnerability demos. I’ll also share my experience with the responsible disclosure process. I hope this talk inspires you to apply your application security knowledge to new areas such as IoT, even if you’ve never done that before.
Managed by the OWASP® Foundation
https://owasp.org/
Видео Outside the box: pwning IoT devices through their applications - Alexei Kojenov канала OWASP Foundation
Alexei Kojenov
Salesforce, Lead Product Security Engineer
Description
We often think of AppSec and IoT as two separate infosec disciplines. Sure, the domain knowledge, attack vectors, and threat mitigation are not exactly the same in those two worlds. At the same time, as the hardware continues to evolve, we see more and more tiny general purpose computers around us. Many of these tiny computers nowadays run software that is written in a conventional programming language, listen on network ports, process data inputs, and communicate with the outside world. These devices can be attacked just like any other application running on a desktop, on a server, or in the cloud.
In this talk, I am going to tell you a story about my hacking journey that unexpectedly took me from device configuration settings to software reverse engineering, vulnerability discovery, and six new CVEs. Together, we’ll go step by step through firmware analysis, decompiling, code review, and vulnerability demos. I’ll also share my experience with the responsible disclosure process. I hope this talk inspires you to apply your application security knowledge to new areas such as IoT, even if you’ve never done that before.
Managed by the OWASP® Foundation
https://owasp.org/
Видео Outside the box: pwning IoT devices through their applications - Alexei Kojenov канала OWASP Foundation
Показать
Комментарии отсутствуют
Информация о видео
Другие видео канала
WebAuthn: Strong Authentication vs Privacy vs Convenience - Suby Raman
Gobal AppSec Dublin: Server Side Prototype Pollution - Gareth Heyes
AppSec EU15 - Nicolas Gregoire - Server-Side Browsing Considered Harmful
Mobile DevSecOps 5 Tips from Building Mobile Apps Used by Millions Brian Reed
OWASP DefectDojo Project - Timo Pagel & Stefan Fleckenstein
Topics of Interest: Common NGINX Misconfigurations That Leave Your Web Server Open ... - S. Pearlman
Deserialization Vulnerability Remediation with Automated Gadget Chain Discovery - Ian Haken
All our APIs are belong to us - Jad Boutros - AppSec California 2016
AppSec EU15 - Martin Knobloch, Tobias Gondrom - Opening ceremony
AppSec EU15 - Luca De Fulgentis - Windows Phone App Security For Builders And Breakers
OWASP Flagship Projects: OWASP Dependency Track - Steve Springett
Threat Model-as-Code - Abhay Bhargav - AppSecUSA 2018
AppSecEU 16 - Arne Swinnen - The Tales of a Bug Bounty Hunter - 10 Interesting Vulnerabilities
OWASP Flagship Projects: OWASP Dependency-Check - Jeremy Long![[In]secure Deserialization, And How [Not] To Do It - Alexei Kojenov](https://i.ytimg.com/vi/Y0QxwRyqlh8/default.jpg)
[In]secure Deserialization, And How [Not] To Do It - Alexei Kojenov
Creating a Security Policy Framework That works Isaac Painter
Everything You Wanted to Know About Client side CSRF But Were Afraid to Ask - Soheil Khodayari
OWASP Juice Shop Project - Björn Kimminich
Federated Login CSRF - AppSecUSA 2017
Global AppSec Dublin: Developer Driven Security In High-Growth Environments - Jakub Kaluzny
OWASP AppSec Europe 2014 - DevOps Track