
I’m pleased to announce that next month, I will be offering the two-day training series A Guided Tour of Embedded Software Hacks at Shakacon X as well as at Black Hat USA in August. As a reminder, I will also be back at SecTor with reloaded material for a one-day Brainwashing Embedded Systems advanced class aimed at students who have already completed a Brainwashing Embedded Systems training at AusCERT, SecTor or DEF CON. Additionally, Tyler Reguly and Dr. Lane Thames will be running an introductory Brainwashing Embedded Systems class in parallel to the advanced class at SecTor.

The topics planned for this year are as follows:

    1. Exploiting embedded HTTP servers with curl
      Students will apply a dynamic firmware analysis technique to identify an authentication bypass in a consumer router and use it to recover the plaintext password. (The underlying logic flaw is very similar to the widely exploited CVE-2018-10561.)
    2. Finding and exploiting command injection within device firmware
      Find a command injection in a smart home controller and learn how to analyze the source in order to craft a request that exploits it and returns a shell.
    3. Fuzzing a Simple Object Access Protocol (SOAP) API for vulnerabilities
      We will walk through developing an exploit chain that yields a root shell on a popular line of smart home devices (outlets, lighting, etc.). This attack does not require firmware access.
    4. Building more advanced payloads
      This section covers developing more interesting exploits. Students will learn how to prepare CSRF attacks and how to produce useful bind shell binaries that run on embedded devices.
    5. Running virtualized embedded device firmware
      Students will learn about and experiment with various device emulation techniques including QEMU cross-architectural chroot and faking device functionality via library preloading.
    6. Leveraging DNS rebinding to attack local IoT remotely
      Students will build upon provided tools to demonstrate an end-to-end DNS rebinding attack against an embedded device to achieve code execution.
    7. Drive-by Rick Rolling
      Students will explore the attack surface of media devices such as Smart TVs, Google Home and Google Chromecast. From this, students will learn how to abuse the DIAL protocol to remotely hijack screens.
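To make the command injection pattern from topic 2 concrete, here is an added example (not code from the original post or from the class material) showing the CGI handler shape that causes the bug beside a hardened version. The diagnostics form, the "host" parameter and the attacker string are constructed for illustration; no particular product is implied.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <ctype.h>
#include <unistd.h>
#include <sys/wait.h>

/* Constructed attacker input for the "host" field of a ping/diagnostics form.
 * The semicolon terminates the ping command and starts a second one. */
const char *const ATTACK_INPUT = "127.0.0.1; nc -lp 4444 -e /bin/sh";

/* --- VULNERABLE PATTERN (do not copy) -------------------------------- */

/* Builds the exact string that the vulnerable handler hands to system(),
 * so the caller can see what the shell would receive. 0 on success. */
int build_ping_command_vulnerable(const char *host, char *out, size_t outlen)
{
    int n = snprintf(out, outlen, "ping -c 1 %s", host);
    return (n < 0 || (size_t)n >= outlen) ? -1 : 0;
}

/* Typical firmware CGI code: user input is spliced into a shell command. */
int ping_host_vulnerable(const char *host)
{
    char cmd[256];
    if (build_ping_command_vulnerable(host, cmd, sizeof cmd) != 0)
        return -1;
    return system(cmd);   /* runs "ping -c 1 127.0.0.1; nc -lp 4444 -e /bin/sh" */
}

/* --- HARDENED VERSION ------------------------------------------------ */

/* 1 if s contains any character the shell would interpret, else 0. */
int contains_shell_meta(const char *s)
{
    return strpbrk(s, ";|&$`<>(){}[]!\\\"'\n*?~") != NULL;
}

/* Allowlist: hostnames and IPv4 literals only. A leading '-' is rejected so
 * the value can never be parsed by ping as an option (argument injection). */
int host_is_valid(const char *host)
{
    size_t len = strlen(host);
    if (len == 0 || len > 253 || host[0] == '-')
        return 0;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)host[i];
        if (!(isalnum(c) || c == '.' || c == '-'))
            return 0;
    }
    return 1;
}

/* Validate, then exec ping directly with an argv. No shell is involved, so
 * any metacharacter that slipped through could only be part of one argument. */
int ping_host_hardened(const char *host)
{
    if (!host_is_valid(host))
        return -1;
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        execlp("ping", "ping", "-c", "1", host, (char *)NULL);
        _exit(127);                     /* exec failed */
    }
    int status = 0;
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void)
{
    char cmd[256];
    build_ping_command_vulnerable(ATTACK_INPUT, cmd, sizeof cmd);
    printf("shell would run: %s\n", cmd);
    printf("hardened handler accepts it: %s\n",
           host_is_valid(ATTACK_INPUT) ? "yes" : "no");
    return 0;
}
```

When reviewing firmware for this class of bug, grep the web server and CGI binaries for `system`, `popen` and `exec*` calls whose arguments are built with `sprintf`/`snprintf` from request parameters; the hardened path above shows the two controls that matter: an allowlist on the value and no shell between the handler and the program it runs.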
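Topic 5 mentions faking device functionality via library preloading. A common case is a router web server that calls `nvram_get`/`nvram_set` and aborts when no real NVRAM is present. The shim below is an added example (not code from the original post or the class) of a drop-in `libnvram` replacement that serves values from an in-memory table and logs every key the firmware asks for but that has not been seeded. The key names, default values, cross-compiler and paths in the comments are assumptions chosen for illustration.

```c
/* nvram_shim.c: replacement for a router's libnvram, built as a shared
 * library and injected with LD_PRELOAD so firmware binaries run under
 * qemu-user inside a chroot of the extracted root filesystem.
 *
 * Assumed build and run commands (toolchain and paths are assumptions):
 *   arm-linux-gnueabi-gcc -shared -fPIC -o libnvram.so nvram_shim.c
 *   cp libnvram.so rootfs/                 # extracted firmware rootfs
 *   cp $(which qemu-arm-static) rootfs/
 *   sudo chroot rootfs ./qemu-arm-static -E LD_PRELOAD=/libnvram.so /usr/sbin/httpd
 */
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define NVRAM_MAX_ENTRIES 256

struct nvram_entry {
    char *key;
    char *value;
};

static struct nvram_entry table[NVRAM_MAX_ENTRIES];
static size_t table_len;
static int initialized;

/* Constructed defaults: values a typical router web server asks for at
 * start-up. Extend the list with whatever keys the shim logs as missing. */
static const char *const defaults[][2] = {
    {"lan_ipaddr",    "192.168.1.1"},
    {"lan_netmask",   "255.255.255.0"},
    {"http_username", "admin"},
    {"http_passwd",   "admin"},
    {"wan_proto",     "dhcp"},
};

static struct nvram_entry *find(const char *key)
{
    for (size_t i = 0; i < table_len; i++)
        if (strcmp(table[i].key, key) == 0)
            return &table[i];
    return NULL;
}

/* Insert or overwrite; returns 0 on success, -1 on allocation/capacity error. */
static int store(const char *key, const char *value)
{
    struct nvram_entry *e = find(key);
    if (e) {
        char *v = strdup(value);
        if (!v) return -1;
        free(e->value);
        e->value = v;
        return 0;
    }
    if (table_len == NVRAM_MAX_ENTRIES)
        return -1;
    table[table_len].key = strdup(key);
    table[table_len].value = strdup(value);
    if (!table[table_len].key || !table[table_len].value)
        return -1;
    table_len++;
    return 0;
}

static void nvram_init(void)
{
    if (initialized) return;
    initialized = 1;
    for (size_t i = 0; i < sizeof defaults / sizeof defaults[0]; i++)
        store(defaults[i][0], defaults[i][1]);
}

/* --- exported symbols matching the common libnvram API ---------------- */

/* Returns the stored value, or NULL (and logs the key) when unknown. */
char *nvram_get(const char *key)
{
    nvram_init();
    struct nvram_entry *e = find(key);
    if (!e) {
        /* Logging unknown keys is how you learn what to seed next. */
        fprintf(stderr, "[nvram_shim] MISSING key: %s\n", key);
        return NULL;
    }
    return e->value;
}

int nvram_set(const char *key, const char *value)
{
    nvram_init();
    fprintf(stderr, "[nvram_shim] SET %s=%s\n", key, value);
    return store(key, value);
}

int nvram_unset(const char *key)
{
    nvram_init();
    struct nvram_entry *e = find(key);
    if (!e) return -1;
    free(e->key);
    free(e->value);
    *e = table[--table_len];      /* move the last entry into the hole */
    return 0;
}

/* 1 if key exists and equals value, 0 otherwise. */
int nvram_match(const char *key, const char *value)
{
    const char *v = nvram_get(key);
    return v != NULL && strcmp(v, value) == 0;
}

/* Real firmware writes flash here; under emulation there is nothing to do. */
int nvram_commit(void)
{
    fprintf(stderr, "[nvram_shim] COMMIT (no-op)\n");
    return 0;
}
```

The shim only has to satisfy the symbols the target binary actually imports; check them with `readelf -d --dyn-syms` on the firmware's web server before deciding which functions to fake, and iterate on the defaults table until the daemon comes up and serves its login page.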

For a taste of what you will learn in these classes, I’ve prepared a video which demonstrates parts of the dynamic firmware analysis contained in lesson #1:

Class Availability

Title                                       Date         Location       Topics
A Guided Tour of Embedded Software Hacks    July 9-10    Shakacon X     1-7 (all)
A Guided Tour of Embedded Software Hacks    August 4-5   Black Hat USA  1-7 (all)
Intro to Brainwashing Embedded Systems      October 1    SecTor         1-3
Brainwashing Embedded Systems (Advanced)    October 1    SecTor         4-6