IoT Hacking – Brainwashing Embedded Systems Deep Dive

Find and exploit weaknesses in connected devices with this year’s hands-on Brainwashing Embedded Systems deep dive training course at SecTor 2019.

This two-day course will focus on fundamental IoT security exploits before taking a deep dive into advanced techniques used by security researchers with hand-on exercises, live demos and take-aways thrown in the mix.

The software-based analysis techniques taught in this class are designed to find vulnerabilities with a emphasis on readily exploited logic errors and command injection, which form the basis of many attacks in the wild.

A Linux virtual machine (VM) will be provided to students preloaded with tools to emulate instances for running IoT software extracted from device firmware. Using this VM, students will be walked through a series of exercises using real vulnerabilities as case studies for different analysis or exploitation techniques.

In addition to exploiting the virtual IoT devices, students will have the opportunity to try several exploits within the classroom hack lab.

Topics include:

  • Firmware extraction and dynamic analysis
  • Enumerating unauthenticated attack surface
  • Finding and exploiting OS injection bugs
  • Using UPnP and SOAP APIs
  • Remote/browser-based exploitation

Students will learn about technologies and tools including:

  • Python
  • BASH
  • Binwalk
  • cURL

Students will be given a take-home lab exercise on day-two to go through the process of virtualizing something. We’ll encourage students to bring it to the IoT Hack Lab in the SecTor Expo (days following this course) for feedback and/or help.

Please note: the material in this course overlaps with materials used in previous SecTor pre-conference Brainwashing Embedded Systems courses.

Trainers: Craig Young, Tyler Reguly, Lane Thames (Tripwire)
Max participants: 50
Cost: $2000


This is a Two Day Course
October 7-8, 2019

Pre-Requisite Knowledge:

The class is designed to accommodate students with a wide-range of knowledge and experience. To participate in class, students must only be comfortable using a command shell, have some familiarity with the HTTP protocol, and preferably some past experience with programming or scripting.

Examples are primarily given in Python or BASH using techniques which are explained during the training.

Technical Requirements:

Attendees must bring and use their own device.

A download link for the student VM will be sent in the weeks leading up to SecTor. Students are expected to download and test that this VM boots before coming to class. Students who do not have the VM running before class, must have administrative/root access to their laptop along with any BIOS passphrase.

The VM requires:

  • 64-bit AMD or Intel processor with hardware virtualization enabled in the BIOS or UEFI as needed
  • Minimum of 4GB (8GB preferred) RAM to allocate for the virtual machine
  • 20+ GB of available disk space

Agenda: Monday Oct 7, 2019

09:00 -10:00 Doors open. Continental breakfast and networking
10:00 Start
12:15 – 13:00 Lunch (is provided)
14:35 – 14:45 Break
17:00 End

*Schedule subject to change

Agenda: Tuesday Oct 8, 2019

09:00 -10:00 Doors open. Continental breakfast and networking
10:00 Start
12:15 – 13:00 Lunch (is provided)
14:35 – 14:45 Break
17:00 End

*Schedule subject to change

Meet Your Trainer

Craig Young

Craig Young is a computer security researcher with Tripwire’s Vulnerability and Exposures Research Team (VERT). He has identified and responsibly disclosed dozens of vulnerabilities in products from Google, Amazon, IBM, NETGEAR, Adobe, HP, Apple, and others. His research has resulted in numerous CVE assignments and repeated recognition in the Google Application Security Hall of Fame. Craig’s presentations on Google authentication weaknesses have led to considerable security improvements for all Google users. Craig won in track 0 and track 1 of the first ever SOHOpelessly Broken contest at DEF CON 22 by demonstrating 10 0-day flaws in SOHO wireless routers. His research into iOS WiFi problems exposed CVE-2015-3728 that could allow attackers to force devices onto malicious hot spots. Craig has also successfully employed fuzzing techniques to find flaws in a variety of open source software including memory safety issues in PHP, Apache, Perl, Ruby, MatrixSSL, and more. Most recently, Craig was part of the team disclosing the ROBOT attack which affects products from F5, Citrix, Cisco, and others.


Tyler Reguly

Tyler RegulyTyler Reguly is the Manager of Security Research and Development with Tripwire. At Tripwire, Reguly is a key member of VERT, Vulnerability and Exposure Research Team, where he focuses on web application security and vulnerability detection. He has also lent his expertise on various projects, including reverse engineering and web application security. He has been involved in industry initiatives, such as CVSS-SIG and WASSEC and has spoken at various security events, including RSA, SecTor, and OWASP Toronto. Additionally, he has contributed to the Computer Systems Technology curriculum at Fanshawe College in London, Ontario, by developing and teaching a number of security-related courses. He is also frequently quoted in industry trade press and is a prolific blogger.


Dr. Lane Thames

Dr Lane ThamesLane Thames is a senior security researcher with Tripwire’s Vulnerability and Exposure Research Team (VERT). As a member of VERT, Lane develops software that detects applications, devices, and operating systems along with vulnerability detection and management software. He also spends time looking for new vulnerabilities, contributing to the Tripwire State of Security blog, and understanding emerging cybersecurity threats. Lane received his PhD in Electrical and Computer Engineering from the Georgia Institute of Technology and has spent over 15 years working in information technology and software/hardware development.