37C3 - Finding Vulnerabilities in Internet-Connected Devices

Discover how researchers found vulnerabilities in internet-connected devices, including command injection and authentication flaws, and learn tips for beginners on fuzzing and reverse engineering to improve device security.

Key takeaways
  • Fuzzing is an effective technique for finding vulnerabilities in internet-connected devices, especially those with unsafe memory operations.

  • Coverage-guided fuzzing can be used to improve the chances of finding bugs.

  • boofuzz is a go-to tool for simple and basic fuzzing.

  • Business logic vulnerabilities can be exploited by using devices in a way that developers did not think about.

  • Reverse engineering can be used to understand how software and hardware systems work.

  • Pascal and Christoph did research on vulnerabilities in Polycom devices, including the Poly conference speakers and telephone systems.

  • They found command injection vulnerabilities and flaws in the authentication process.

  • The vulnerabilities allowed for remote code execution and could potentially be used to take over the devices.

  • They demonstrated the vulnerabilities using various tools and techniques, including boofuzz and Java decompilers.

  • They also demonstrated the impact of the vulnerabilities, including taking over the devices and executing arbitrary code.

  • They emphasized the importance of testing for vulnerabilities in devices and the need for developers to think about the security of their devices.

  • They also provided tips for beginners on how to get started with fuzzing and reverse engineering.

  • They discussed the importance of coverage-guided fuzzing and the use of tools like boofuzz.

  • They also discussed the importance of understanding the business logic of devices and the potential for command injection vulnerabilities and flaws in authentication processes.

  • They provided examples of the types of vulnerabilities they found, including command injection and remote code execution.
