Security BSides San Francisco event is just around the corner, and we are featuring a few of the premier sessions slated, with the first three articles looking at Craig Young’s A Day in the Life of a Security Researcher, Ken Westin’s Telmex Email Security Hole – My Email was Indexed by Google and Lance Cottrell’s Using System Fingerprints to Track Attackers.
Next up is a session presented by Billy Rios (@XSSniper) titled ICS and Embedded Security Research – A Primer, which will examine vulnerability exploits targeting Industrial Control Systems (ICS), medical devices, and even automated car washes.
Rios is the Director of Vulnerability Research and Threat Intelligence at Qualys, who previously held positions at Google, Microsoft, and served in the military as an Officer in the US Marine Corps.
He has an MBA and a Master of Science degree in Information Systems, and has co-authored and contributed to several security-related books, as well as being a frequent speaker at a variety of security conferences.
Over the past few years, Rios and a colleague have been researching and exploiting various embedded systems, some of which led them to collaborate with the Department of Homeland Security and the FDA to improve security efforts and oversight.
“Usually after we present our research somewhere, one of the first questions we’re usually asked is how did you get into this stuff?” Rios said.
“For some reason, a lot of researchers feel as if embedded security research is out of their grasp. We want to show that most of it is actually pretty straightforward and many of the skills you learned as a traditional security researcher apply directly to the embedded world.”
Rios says most people don’t realize that embedded devices are all around us, like the ICS that run our critical infrastructure, the embedded devices that lock and unlock the doors to our corporate headquarters, and the medical devices that save lives every day.
“The number of embedded devices in our world continues to increase and the impact these devices have on our day to day lives is enormous,” Rios said. “The BSidesSF talk is primarily aimed at folks who already do security research, but we’re hoping the presentation becomes a reference guide for anyone interesting in the subject.”
Rios says he is hoping that those who have never done research on any embedded devices will decide to pick up a device and begin to tear it apart to see what they can learn about how it operates and whether there are any undiscovered vulnerabilities.
“If just one person does that after this talk, it’s a win,” Rios said. “Just like regular security research, it’s an addicting topic. You may even find yourself tearing apart devices that you probably shouldn’t.”
Rios is saving the details of the talk for the live session, but says that it is definitely designed as a primer. “We hope this talk becomes a reference for those looking to look at embedded devices for the first time. We hope someone takes this work and takes it to the next level,” Rio said.
“And we’ll be giving away some cool hardware during the talk!”
- The Cyber Security Framework and the Case for Platform IT
- NERC CIP Version 5: One Giant Leap
- SCADA and Me: A Children’s Book for Security Policy Makers
- NERC CIP: It Gets Worse Before it Gets Better
The Executive’s Guide to the Top 20 Critical Security Controls
Tripwire has compiled an e-book, titled The Executive’s Guide to the Top 20 Critical Security Controls: Key Takeaways and Improvement Opportunities, which is available for download [registration form required].
Also: Pre-register today for a complimentary hardcopy or e-copy of the forthcoming Definitive Guide™ to Attack Surface Analytics. You will also gain access to exclusive, unpublished content as it becomes available.
Title image courtesy of ShutterStock