Find and exploit weaknesses in connected devices with this year’s hands-on Brainwashing Embedded Systems deep dive training course at SecTor 2019.
This two-day course will focus on fundamental IoT security exploits before taking a deep dive into advanced techniques used by security researchers with hand-on exercises, live demos and take-aways thrown in the mix.
The software-based analysis techniques taught in this class are designed to find vulnerabilities with a emphasis on readily exploited logic errors and command injection, which form the basis of many attacks in the wild.
A Linux virtual machine (VM) will be provided to students preloaded with tools to emulate instances for running IoT software extracted from device firmware. Using this VM, students will be walked through a series of exercises using real vulnerabilities as case studies for different analysis or exploitation techniques.
In addition to exploiting the virtual IoT devices, students will have the opportunity to try several exploits within the classroom hack lab.
- Firmware extraction and dynamic analysis
- Enumerating unauthenticated attack surface
- Finding and exploiting OS injection bugs
- Using UPnP and SOAP APIs
- Remote/browser-based exploitation
Students will learn about technologies and tools including:
Students will be given a take-home lab exercise on day-two to go through the process of virtualizing something. We’ll encourage students to bring it to the IoT Hack Lab in the SecTor Expo (days following this course) for feedback and/or help.