37C3 - Finding Vulnerabilities in Internet-Connected Devices

Security

Discover how researchers found vulnerabilities in internet-connected devices, including command injection and authentication flaws, and learn tips for beginners on fuzzing and reverse engineering to improve device security.

Key takeaways

  • Fuzzing is an effective technique for finding vulnerabilities in internet-connected devices, especially those with unsafe memory operations.

  • Coverage-guided fuzzing can be used to improve the chances of finding bugs.

  • Bufuzz is a go-to tool for simple and basic fuzzing.

  • Business logic vulnerabilities can be exploited by using devices in a way that developers did not think about.

  • Reverse engineering can be used to understand how software and hardware systems work.

  • Palo Alto and Christoph did research on vulnerabilities in Polycom devices, including the Puli conference speakers and telephone systems.

  • They found vulnerabilities in the command injection and authentication processes.

  • The vulnerabilities allowed for remote code execution and could potentially be used to take over the devices.

  • They demonstrated the vulnerabilities using various tools and techniques, including Bufuzz and Java decompilers.

  • They also demonstrated the impact of the vulnerabilities, including taking over the devices and executing arbitrary code.

  • They emphasized the importance of testing for vulnerabilities in devices and the need for developers to think about the security of their devices.

  • They also provided tips for beginners on how to get started with fuzzing and reverse engineering.

  • They discussed the importance of coverage-guided fuzzing and the use of tools like Bufuzz.

  • They also discussed the importance of understanding the business logic of devices and the potential for vulnerabilities in the command injection and authentication processes.

  • They provided examples of the types of vulnerabilities they found, including command injection and remote code execution.

  • They also discussed the importance of testing for vulnerabilities and the need for developers to think about the security of their devices.

  • The presentation included a demonstration of the vulnerabilities and the impact of the vulnerabilities.

  • The presentation also included tips for beginners on how to get started with fuzzing and reverse engineering.

  • The presentation emphasized the importance of testing for vulnerabilities and the need for developers to think about the security of their devices.

  • The presentation also included a discussion of the potential for vulnerabilities in the command injection and authentication processes.

  • The presentation provided examples of the types of vulnerabilities they found, including command injection and remote code execution.

  • The presentation also discussed the importance of coverage-guided fuzzing and the use of tools like Bufuzz.

More talks

You Shall Not PASS - Analysing a NSO iOS Spyware Sample

Lets Talk About Privacy: To Know Or Not To Know Is The Question I Blockchain Futurist Conference

Go security pitfalls; 2 lessons from the battlefield at Grafana Labs - Jeremy Matos

Jenny Shen - Demystifying the Ruby package ecosystem - Rails World 2023

Q&A with Elviss Strazdiņš

BrokenMesh: New Attack Surfaces of Bluetooth Mesh

Sure, Let Business Users Build Their Own. What Could Go Wrong?

Deciphering the secrets of blockchain with angular | Stephen Fluin | ng- conf 2022