IoT Hacking – Brainwashing Embedded Systems (Advanced)

Learning the secret incantations to make embedded systems carry out your will is not as hard as one might think. In the world of IoT, the hardened system is rare and most times a firmware image is more than enough to find and exploit weakness. Embedded devices are flooding corporate and home networks with limited insight into product security.

These sessions teach attendees how to evaluate IoT devices regularly deployed on enterprise networks. Learning the techniques utilized by attackers will help enterprise admins vet devices intended for deployment while also helping companies that develop these devices identify how attackers operate.

Participants will be provided with a virtual machine pre-loaded with IoT analysis tools and configured to emulate several embedded devices. Students will learn how to analyze and exploit these devices through a series of hands-on lab exercises designed to demonstrate some of the key concepts involved in IoT hacking. Upon completion of each lab, students will be given the opportunity to test their exploits against live devices.

These techniques have been successfully employed by the author to identify over 100 CVEs on embedded/IoT devices as well as to win the 0-day and CTF tracks in the DEF CON 22 SOHOpelessly Broken router hacking competition.

For the first time ever, we’re offering this advanced IoT Hacking – Brainwashing Embedded Systems course. If you’ve not completed the IoT Hacking course at SecTor 2016 or 2017, or not experienced in embedded exploit dev or proficient in shell, we recommend you take our 2018 IoT hacking introductory course.

Trainer: Craig Young (Tripwire)
Max participants: 30
Cost: $499 (Full Conference Attendee)
/ $599 (Expo Attendee)


This course is recommended for:

  • Alumni of SecTor 2016 and 2017 IoT Hacking – Brainwashing Embedded Systems course
  • Anyone with past experience in embedded exploit development and proficiency with a shell

Attendees must be competent with BASH and have a working knowledge of the HTTP protocol. Example solutions for exercises in the class will include a mix of Python, JavaScript, and C. Attendees should have some familiarity with these technologies.

Technical Requirements:

Attendees will receive an OVA formatted virtual machine image prior to the class and are expected to have the virtual machine (VM) installed before the class begins. The VM requires:

  • 64-bit AMD or Intel processor with hardware virtualization enabled in the BIOS or UEFI as needed
  • Minimum of 4GB (8GB preferred) RAM to allocate for the virtual machine
  • 20+ GB of available disk space

Please refer to VMWare KB article 1003944 for additional information on 64-bit virtualization support.

Attendees will find their day divided into three sections covering everything needed to become an IoT Security Expert.


Whether you notice it or not, many connected devices expose embedded HTTP servers to the local network. Obviously, an adversary on the local network can directly attack this server, but users often overlook the fact that many HTTP exposed vulnerabilities can be exploited remotely. In this section, attendees will build a web page which uses the victim’s browser to seek out and exploit a targeted device on the victim’s network. Finally, we will explore the impact of DNS rebinding on IoT security.


Real-world adversaries are not satisfied by simply getting a shell. Attacks of scale require automation and generally this is best achieved by loading new tools onto a target. In this section, attendees will learn how to build software suitable for running on various embedded Linux.


Device emulation enables researchers to study the security of a device without actually having it. Unfortunately, the variety in hardware and firmware designs means that there is no ‘one size fits all’ approach to firmware emulation but with a little knowledge of the tools involved and sometimes a lot of patience, it is often possible to virtualize device components or even complete firmware images. This final lab of the day guides attendees through some examples of this process.

Agenda: Monday Oct 1, 2018

10:00 – 10:30 Introductions and setup
10:30 – 10:40 CSRF, SOP, and DNS Rebinding (Lab 1 Intro)
10:40 – 10:50 Break
10:50 – 12:20 Drive-By Device Exploits (Lab 1)
12:20 – 12:30 Lab 1 Recap
12:30 – 13:15 Lunch
13:15 – 13:25 Embedded Tool Building (Lab 2 Intro)
13:25 – 14:35 Making Better Payloads (Lab 2)
14:35 – 14:45 Lab 2 Recap
14:45 – 14:55 Break
14:55 – 15:05 QEMU* and Firmadyne at 50,000 ft (Lab 3 Intro)
15:05 – 16:45 Emulating Devices (Lab 3)
16:45 – 16:55 Lab 3 Recap
16:55 – 17:00 Closing Remarks

Meet Your Trainer

Craig Young

Craig Young is a computer security researcher with Tripwire’s Vulnerability and Exposures Research Team (VERT). He has identified and responsibly disclosed dozens of vulnerabilities in products from Google, Amazon, IBM, NETGEAR, Adobe, HP, Apple, and others. His research has resulted in numerous CVE assignments and repeated recognition in the Google Application Security Hall of Fame. Craig’s presentations on Google authentication weaknesses have led to considerable security improvements for all Google users. Craig won in track 0 and track 1 of the first ever SOHOpelessly Broken contest at DEF CON 22 by demonstrating 10 0-day flaws in SOHO wireless routers. His research into iOS WiFi problems exposed CVE-2015-3728 that could allow attackers to force devices onto malicious hot spots. Craig has also successfully employed fuzzing techniques to find flaws in a variety of open source software including memory safety issues in PHP, Apache, Perl, Ruby, MatrixSSL, and more. Most recently, Craig was part of the team disclosing the ROBOT attack which affects products from F5, Citrix, Cisco, and others.