The one-month countdown is on and I figured it was time for a reminder that Tripwire VERT will be at SecTor in the Expo area running an IoT Hack Lab. If you aren’t considering attending SecTor, you really should be. Even if you don’t want to attend the full conference, there’s an Expo Only admission that is free on their website until the start of the show.
We’ve got quite the experience planned for everyone that stops by, so please come visit. In addition to a number of toys available for you to play with (TVs, WiFi outlets, and internet connected picture frames are just a few items I unpacked the other day), we’ll be running a number of 10-15 minute presentations over the course of the day. We’ll also be demonstrating some interesting tools and techniques that you can apply to the IoT devices in your home.
The planned presentations, which will each take place multiple times over lunch and the breaks, will include:
A Day in the Life of a Security Researcher
Ever wonder how to find vulnerabilities? In 2013 and 2014, I averaged 4-6 CVE assignments each month, and in this presentation I will go over general tips and tricks I have found most effective at locating unknown vulnerabilities. Vulnerabilities explored will include web vulnerabilities (XS*, command-injection, SQLi, etc.) and C/C++ application vulnerabilities (memory corruption, logic errors, etc.).
To demonstrate the effectiveness of these techniques, I will provide example vulnerabilities along with the path that led me to finding them without the use of commercial analysis tools. I will also discuss some of my experiences working with vendors and developers to harden their products.
Smart Home Invasions
Smart home technology has been a dream for many, perhaps inspired by the likes of George Jetson. Unfortunately, the technology is still in its infancy, and the question remains as to whether vendors can demonstrate the ability to make our homes smarter without simultaneously introducing new risks to personal safety and privacy. In an effort to answer this question, Tripwire VERT conducted a security assessment of the three top-selling ‘Smart Home Hub’ products available on Amazon. The research revealed 0-day flaws in each product, allowing an attacker to control smart home functionality.
This presentation will reveal some of the findings from this study, including vulnerabilities that have not been publicly discussed. If not addressed, smart home flaws can give rise to a new type of ‘smart criminal’ able to case victims without being seen. Once a target is chosen, it is possible to unlock doors and disable security monitoring.
An Introduction to Industrial IoT
A transformative event is occurring where countless industrial devices, both old and new, are being interfaced with Internet Protocol (IP) communication technologies. We refer to these collections of IP-enabled industrial devices and associated networks as the Industrial Internet of Things (IIoT). The IIoT is at the very core of disruptive visions such as Industry 4.0 and other advanced manufacturing initiatives, and it promises to bring countless new value creation opportunities across all market sectors. However, cybersecurity and data privacy issues present major hurdles and roadblocks for adopters of IIoT technologies, and if these issues are not appropriately addressed, the true potential of the IIoT might not be met.
In this presentation, we hope to shed some light on this emerging technology and spread awareness of its benefits and risks. Securing IIoT environments poses unique challenges as compared to traditional IT, and the presentation will discuss these unique cybersecurity characteristics.
Good Home Security Hygiene
We're a long way from the days of the shared family computer – the one monopolized by your video game loving sibling until someone had homework due. Today's connected life means more devices, more connections, and more attack vectors. I sat down to think about the devices on my network and realized that I really didn't know what was connected. My router was no help, listing only MAC addresses from vendors I wasn't aware existed. I decided it was time to inventory my network and identify how many connected devices exist in the "average" home.
On top of the toys and talks, we’ll have t-shirts, coins, and drones. The criteria for these various giveaways differ greatly but the possibility exists for anyone in attendance to walk away with something special. Finally, we just might give away a recently hacked TV at the end of the final day. I’ll be there, along with two other members of VERT that are flying up for SecTor. Stop by to chat, pick up some swag, or try your hand at hacking one of the available devices. It should be an awesome time.