Hackers of India

Offensive Embedded Exploitation : Getting hands dirty with IOT/Embedded Device Security Testing

By  Kaustubh Padwad  on 07 Oct 2020 @ Rootcon


Presentation Material

Abstract

The world is moving towards smart culture everything nowadays is smart, and mostly all are those smart devices are basically embedded devices with internet connectivity or some provision to connect with the internet. Since these devices are booming in market this also tempting lots of people/groups for hacking.

In this 1 hour talk we will discuss how to test the embedded/IoT devices, it would give you a methodology for assessment, how to perform firmware analysis, identifying vulnerable components, basic approach for reverse engineering the binaries to discover potential remote code execution, memory corruption vulnerabilities by looking for native vulnerable functions in C or bad implementation of functions like System, popen, pclose etc.

After conducting static analysis,firmware analysis we will move towards dynamic testing approch which include web application testing, Underlying OS security testing, identifying vulnerabilities and misconfiguration in device. At last we will move towards fuzzing the device via web application parameters and installing aproppriate debugger on device to identify memory corruption vulnerabilities.