The workshop will start with a brief presentation covering our research to date with Fitbit’s Aria scales; what we’ve found, what we’ve learned, where we’ve got stuck, and what we’ve guessed at. We will discuss a few vulnerabilities that we have discovered and help get you started on finding some more. Once we’ve set the scene the workshop can begin. This is really a 101 on logic probing and hardware analysis, so we’ll share some basic techniques for logic probing; UART, SPI, Flash etc.

We will be bringing a number of sacrificial Fitbit Aria scales for you to work on yourselves, plus several sets of logic probes with us for you to use, with guidance from us if you’d like it. If you would like to borrow our probes for the session, please make sure you have installed Logic from Saleae, or use your favorite logic analyzer. If you’re bringing your own Fitbit Aria scales we advise that you check they are at firmware version 36 or below.

Tasks for the session:

• Push old firmware to the Aria
• Modify the startup display on the Aria LCD (‘hack me fat!’)
• Turn the scales in to a network implant

***Props to Fitbit who are providing a number of Aria scales to work on***

Bio’s:
Dave and Ken have enjoyed a good few years in security, probably more than 40 years between them. They work at Pen Test Partners in England and spend plenty of research time picking holes in things, finding flaws, and disclosing them responsibly. Twitter: @tautology0 @TheKenMunroShow

Blog Post

Mark Stanislav @markstanislav

BIO:
Mark Stanislav is a Sr. Security Consultant for Rapid7. He has presented at over 100 events internationally including RSA, DEF CON, ShmooCon, SOURCE Boston, Codegate, and THOTCON. Mark’s security research and initiatives have been featured by news outlets such as the Wall Street Journal, The Register, The Guardian, and Forbes. Mark is the co-founder of the IoT security initiative, BuildItSecure.ly. He is also the author of a book titled, "Two-Factor Authentication", published by IT Governance.

ABSTRACT:
This presentation will discuss research performed against nine IoT baby monitors on the market. Details of research methodologies and vulnerability findings will be presented to give attendees insight into what security flaws were found within the intricate combination of mobile applications, protocols, services, and hardware running these devices. A custom scoring system will be used to provide an apples-to-apples view of how each device faired in holistic security versus the other devices.

REASON:
This talk will give a broad look at IoT security using connected baby monitors as a case study. By comparing products on the market, discussing new vulnerabilities never previously released, and showing how the research was conducted, this talk will provide an exciting look into IoT security research for those who are technologists, hackers, software engineers, or even those just concerned with safety and privacy of children.

Hugo Fiennes,Tom Byrne, Gino Miglio, and Zandr Milewski of @electricimp

Grab a free Electric Imp dev kit!

Where am I? (find and connect to an open network, use google wifi geolocation API to tell a remote server where the device has been: just uses an imp and a 9v battery)

Some fun remotely operated analysis tools:

• bacnet sniffer (connect to and dump building area control networks)
• modbus sniffer (connect to and dump MODBUS RTU traffic)
• uart sniffer (connect to and dump UART traffic)

Also featuring IR capture/replay we'll also bring along the internet of cowbell.

Tobias Zillner & Sebastian Strobl of @Cognosec

BIO:
Tobias works as Senior IS Auditor at Cognosec in Vienna. He conducts information systems audits in order to assess compliance to relevant internal and external requirements. Furthermore, Tobias evaluates and assures security of IT by performing webapplication and web service penetration tests, source code analysis as well as network and infrastructure penetration tests. He has a BSc in Computer and Media Security, a MSc in IT Security and a MSc in Information Systems Management.


Seabstian Strobl manages the delivery of Cognosec GmbH’s auditing services. He has over 8 years practical experience in the areas of information security, IT governance, compliance, risk management, and information systems auditing. He is a certified professional in information systems, PCI DSS and application security auditing, and has a master’s degree in Information Management and Computer Security. Prior to his role at Cognosec GmbH he was leading information systems audits for organisations in the online gaming and finance industry, providing a strong background in the online payment and gaming value chain, the underlying technology thereof, and industry specific regulations. He has an extreme depth of knowledge in security tools, technologies, and industry best practices, and is recognised for delivering top-level, value-adding IT audits. He is also responsible for the creation and deployment of innovative solutions to mitigate risks by protecting networks and application systems, safeguarding information assets and ensuring business continuity. He specialises in delivering effective assurance and consultancy services, focusing on application and web-security architecture, as well as the integration with payment processing value chains.

ABSTRACT:
More and more devices are communicating with each other and are becoming connected to IP networks, sometimes even directly to the Internet. This innovation should improve our quality of life and make our every day life easier, but this trend does not only bring advantages; it also introduces a lot of new challenges and threats. These challenges arise with every new product development in the area of Internet of Things. Especially products in the area of home automation and smart homes are getting increasingly popular and therefore consumers become an interesting target group for attackers. Today’s home automation systems are also following the global trend and move from wired bus systems to wireless radio communication. To face these arising challenges, new protocols and standards beside the world of TCP/IP were created and are currently being developed. However, it is not just the security of the standards and protocols themselves that are important, but it’s also the correct implementation and integration into products that is a challenge for every single vendor.

Sofiane Talmat of @IOActive

BIO:
Sofiane Talmat has more than 10 years' experience performing security assessments and reverse engineering engagements, identifying vulnerabilities and developing exploits for IOActive's clients. He has proven skills in design, implementation, enhancement, testing, maintenance, and support of myriad software instances; and can both test software as well as assist development teams with the implementation of software protection mechanisms.

ABSTRACT:
New generation Set Top Boxes (Satellite receivers) are embedded linux boxes joining the IoT for many reasons mainly for IPTV and cardsharping for pay tv channel decryption. We will talk about design flaws, protocols used and different modules and plugins for cardsharing and iptv We will focus on the technical part of reverse engineering protocols, cardsharing plugins and satellite receiver software identifying both vulnerabilities on the Satellite receiver box and remote IPTV service vulnerabilities that are accessible by the DVB receiver

Lyon Yang @l0Op3r

What it is:
My name is Lyon Yang and I am an IoT hacker. I live in sunny Singapore where IoT is rapidly being deployed – in production. This walkthrough will aim to shed light on the subject of IoT, from finding vulnerabilities in IoT devices to getting shiny hash prompts.
Our journey starts with a holistic view of IoT security, the issues faced by IoT devices and the common mistakes made by IoT developers. Things will then get technical as we progress into a both ARM and MIPS exploitation, followed by a ‘hack-along-with-us’ workshop where you will be exploiting a commonly found IoT daemon. If you are new to IoT or a seasoned professional you will likely learn something new in this workshop.

Requirements:

• Kali Linux
• Basic knowledge or interest in IoT
• Reverse engineering and exploit development knowledge

Chase Shultz @f47h3r_B0

Abstract
Ever wondered how people get shells via hooking up to chips or pins on a board? Or how to dump the firmware off a device you own at home? How chips that send those bits, bytes, and nibbles flying across traces on a board can be analyzed for profit? The Pwning IoT Devices via Hardware Attacks workshop is focused on a hands-on learning experience, of how people use hardware attacks to get initial access IoT Devices for security research. This workshop is designed for people new to hardware hacking, looking to have fun exploiting the Internet of (broken) Things. So come on out if you're looking to join the embedded system & IoT exploitation party!

Bio:
Chase "f47h3r" Schultz is a Senior Security Consultant at Independent Security Evaluators. During his day job, Chase helps companies find and remediate vulnerabilities in their systems. At night, f47h3r dawns his Phantom of the IoT Opera mask, and pumps the dark organ of exploitation, resounding in the root shells he uncovers.

Daniel Miessler @DanielMiessler

BIO:
Daniel Miessler is Practice Principal with HP Fortify based out of San Francisco, California with a 15-year background in penetration testing and vulnerability assessment. He leads the Fortify on Demand security research team, and is a project leader on the OWASP IoT and OWASP Mobile Top Ten projects.

ABSTRACT:
Securing the Internet of Things is a difficult task for many reasons, but the most important may be the fact that IoT is actually a collection of spaces instead of a space of its own. IoT is made up of networks, web applications, mobile applications, and cloud components--all assembled together to produce a usable system designed for maximum connectivity. What could go right?

The OWASP Top 10 Project starts the IoT security scope conversation by defining the 10 primary attack surface areas for the Internet of Things, and by giving prescriptive guidance on how testers, manufacturers, developers, and consumers can make better security decisions, when creating, evaluating, and implementing IoT technologies.

Attendees will learn about the 10 surface areas from the penetration testing perspective, including the common vulnerabilities found in each surface area and how to avoid them. Examples will be given from research on real-world devices conducted by the speaker's team.

A handout will be given as a tangible reference for the 10 attack surface areas.

REASON:
Everyone's talking about IoT, but nobody's talking about how to properly address IoT security as a whole, in a practical and tangible way.
This talk gives practical and tangible guidance that will help attendees the very next time they're asked to assess an IoT system.

BIO:
Wesley Wineberg is a Senior Security Research Engineer at Synack. Prior to Synack, Wes spent six years testing the security of SCADA, Smart Grid, Medical, and other “critical infrastructure” technologies. Wes enjoys black box analysis, pen testing, software, firmware and hardware reverse engineering.

ABSTRACT:
It is easy to find poorly designed devices with poor security, but how do the market leading devices stack up? Are they more secure than a Linux-powered rifle? This presentation documents our effort to assess the state of security of top selling Internet of Things Devices.

We procured 14 of the leading “connected home” IoT devices and tore them down, all the way from software to hardware and compared their relative security. This talk will demonstrate techniques useful for assessing any IoT device, while showing how they were applied across a wide range of devices.

Attend for stories of device rooting, SSL interception, firmware unpacking, mobile app vulnerabilities and more. Stay to find out why your favorite new gadget might just be a backdoor into your home. If you own (or are considering buying) one of the following devices, come and find out how secure it actually is!

Devices:

1. Dlink DCS-2132L
2. Dropcam Pro
3. Foscam FI9826W
4. Simplicam
5. Withings Baby Monitor
6. Ecobee
7. Hive
8. Honeywell Lyric
9. Nest Thermostat
10. Nest Protect
11. Control4 HC-250
12. Lowes Iris
13. Revolv
14. SmartThings
15. Samsung Smart Refrigerator (model RF28HMELBSR)
16. Samsung LED Smart TV (model UN32J5205AFXZA)

REASON:
The best thing about this talk is that it covers a large number of devices, all devices which are among the industry leaders for their category.

While we have published the high level findings from assessing these devices, this talk will include full technical details on how to attack each of these devices, and full tech details on any of the vulns which we found. Those details have not yet been released, and will be of interest to anyone who owns or wants to hack any of these devices.

Brian Knopf @DoYouQA

BIO:
Brian Knopf has 20 years of experience in IT, dev, QA/QE, & security. He has led QA, automation, security, and development teams for companies including Belkin, Linksys, Rapid7, MySpace, Youbet.com, eUniverse, and VeriTest. Currently Brian is the Principal Security Advisor & Researcher at Wink Inc. There he is responsible for SDL, PSIRT, security research, pentesting, training, bug bounty and researcher programs, and threat modeling for Wink products and partner integrations.

ABSTRACT:
Using small or almost non-existent budgets as an excuse for not running application and product security programs is not acceptable. The rapid growth of low margin IoT devices from startups changed the way security teams have to operate. Instead, learned to leverage external researchers by incentivising them with free products, thanking and embracing researchers for their help, and promising transparency into our direction and enhancements, with the goal of secure consumer devices for everyone.

This talk will walk through the creation of two successful application and product security teams built in organizations without many resources or large budgets. Those programs included regular threat modeling, bug bounty programs, proactive engagement with researchers, security analytics monitoring, and vuln research. Even with the budgetary and staffing constraints, the teams were able to deliver increasingly more secure products that continue to push the boundaries of consumer device security in a market where consumers refuse to pay more for the cost of securing them. This discussion is not about the companies themselves, but instead as a model any startup company can adopt to deliver solid products, rather than using excuses to defer action.

REASON:
Without the resources internally to find major vulns, we were able to identify a critical vuln from a researcher on the bug bounty that had the ability to greatly affect all customers homes. It was patched within 24-hours. That is a perfect example of why this program is critical to the security and privacy of consumers and why every IoT manufacturer should follow this program. There were multiple other vulns discovered with the program that also make the same point.

BIO:
Aaron is a Pen Tester for Belkin in his day job, but is also a Board member for the Open Web Application Security Project (OWASP) Los Angeles chapter, Cloud Security Alliance Socal chapter and the President for the High Technology Crime Investigation Association of Southern California(HTCIA SoCal). Aaron evangelizes application security by leading open source projects, participating in standard organizations and giving talks at conferences.

ABSTRACT:
The notion of "secure by design” or "privacy by design” for IoT devices has been a perspective for standard organizations. Legislative entities from both the US and EU recognize the impact these "things" can effect lives and the enterprise. To better understand a secure design, we will explore the supply chain and development lifecycle of these IoT devices and discuss how our roles as security professionals and researchers.

REASON:
From a manufacturing perspective, I see things a little differently than most. I would like to enlighten others on the real SDLC processes that happen in house and external.

Craig Young @craigtweets

BIO:
Craig is a computer security researcher with Tripwire's Vulnerability and Exposures Research Team (VERT). He has identified and disclosed dozens of vulnerabilities in products from Google, Amazon, IBM, NETGEAR, Adobe, HP, and others. His research has resulted in numerous CVEs and recognition in the Google Application Security Hall of Fame. Craig won in track 0 and track 1 of the first ever SOHOpelessly Broken contest at DEF CON 22 by demonstrating 10 0-day flaws in SOHO wireless routers.

ABSTRACT:
Smart home technology has been a dream for many perhaps inspired by the likes of George Jetson. Unfortunately the technology is in its infancy still and the question remains as to whether vendors can demonstrate the ability to make our homes smarter without simultaneously introducing new risks to personal safety and privacy. In an effort to answer this question, Tripwire VERT conducted a security assessment of the three top-selling ‘Smart Home Hub' products available on Amazon. The research revealed 0-day flaws in each product allowing an attacker to control smart home functionality. This presentation will reveal some of the findings from this study including vulnerability discoveries. If not addressed, smart home flaws can give rise to a new type of ‘smart criminal' able to case victims without being seen. Once a target is chosen, it is possible to unlock doors and disable security monitoring.

REASON:

1. Each product I tested had 0-day flaws
2. Two of the three products evaluated contained 0-day flaws allowing a remote attacker to gain root access with limited to no user-interaction required.
3. I will be demonstrating a PoC which determines the local IP address and searches for the vulnerable device.
4. The PoC described in #3 is still 0-day in official firmware, the latest RC firmware, and possibly in the latest beta firmware.

Networked smart appliances can reduce energy costs and provide detailed situational awareness. However, the same remote access used for benevolent command and control can be leveraged by an adversary for reconnaissance and to cause real world kinetic effects if security is compromised. In this talk, we exploit a commercially available smart fridge to evaluate its sensor capabilities and to demonstrate the potential for delivering kinetic cyber effects. As a proof of concept, we use the fridge ambient humidity sensor to reveal its geographic location and nearby human activity. We also quantify the potential for intentional flooding. Finally, the fridge compartments are heated by abusing the compressor and defrosters to evaluate the potential for damaging temperature-sensitive medical supplies. We demonstrate that within two hours the refrigeration compartment and freezer can be raised above 30 °C (86 °F) and 20 °C (68°F), respectively, remotely via the Internet.

We highlight the interesting things that an attacker can do with network access to a smart fridge. How hot can the fridge get when the attacker turns off cooling and blasts the defrosters? How much water per hour can be released out of the fridge door? We answer these questions and more. We also show that the fridge ambient humidity sensor is sensitive enough to tell whether or not it is raining outside, which reveals geographic location. Hell, we will even give away hardware to the crowd.

Bio’s:
Kevin Cooper is a computer scientist with a passion for network security. He frequently competes in CTF exercises and has extensive experience with reverse engineering, digital forensics, and network penetration testing.

Coauthor: Ben Ramsey, PhD, CISSP, has been building and breaking networks for over a decade. He specializes in embedded system security and low-rate wireless protocols, such as ZigBee, Z-Wave, and Bluetooth Low Energy. He has published in academic journals and presented his research at multiple conferences, including GLOBECOM, MILCOM, SenseApp, and ShmooCon.

The consumer benefits of the IoT are anticipated to be exceedingly large with 5G wireless technologies underpinning much of the evolving IoT landscape. However, IoT will also greatly expand the cyber attack surface for consumer appliances. This session will discuss the FCC’s initiatives to better posture the telecommunications sector to combat cyber threats to the communications critical infrastructure and solicit attendee participation in developing appropriate FCC policy objectives for 5G.

This is not a typical government monologue; this talk is an interactive, engaging, informative discussion of the FCC’s cybersecurity risk reduction initiatives to combat the most pressing threats to the communications critical infrastructure that would undermine the integrity and deployment of the IoT. It will explain the unique vulnerabilities inherent in 5G and explore opportunities to design 5G in a manner that reduces risk for the IoT.

Bio:
Rear Admiral (ret.) David Simpson was appointed Chief of the FCC’s Public Safety and Homeland Security Bureau in November 2013. He brings to this role more than 20 years of ICT experience supporting the DoD, working closely with other agencies to provide secure communication services and improve cyber defense readiness. Simpson is a native of Burbank, CA and a 1982 graduate of the United States Naval Academy. He earned a master's degree in systems technology from the Naval Postgraduate School.

Many Bluetooth Low Energy (BLE) enabled deadbolts and padlocks have hit the market recently. These devices promise convenience and security through smartphone control. We investigated sixteen of these products from multiple vendors and discovered wireless vulnerabilities in most of them. Using a $50 antenna, we successfully picked vulnerable locks from over 400 meters away. In this presentation we introduce open source tools to crack each of the vulnerable BLE locks. Furthermore, after surveying the open source Bluetooth hacking tools currently available, we find very little support for BLE. So, to make discovering and range finding to BLE devices easier, we introduce a new open source warwalking tool compatible with both Bluetooth Classic and BLE

These locks are being relied upon by consumers to protect their homes and property and they need to be fully aware of the risks. By revealing the security vulnerabilities in BTLE locks from multiple vendors and by releasing open source tools to crack them wirelessly, we hope to put pressure on companies to improve security in future products. Plus, we will perform live demos of two of our tools.

Bio's:
Anthony Rose is an electrical engineer with five years of network security experience. His prior work includes traffic and quality optimization for wireless video protocols. Currently he focuses on Bluetooth security and wireless penetration testing.

Ben Ramsey, PhD, CISSP, has over a decade of experience in network security research. His work focuses on critical infrastructure protection and low power wireless protocols, such as ZigBee, Z-Wave, and Bluetooth Low Energy. He has published in several academic journals and has presented research at multiple conferences, including GLOBECOM, MILCOM, SenseApp, and ShmooCon.

Marc Newlin, Bastille Networks, Security Researcher @marcnewlin

Matt Knight, Bastille Networks, Software Engineer & Security Researcher @embeddedsec

Reverse engineering wireless protocols is not as difficult as you might think! Join us and collaborate as we reverse engineer the RF protocol used by an AirHogs drone, from start to finish. You are invited to bring your own gear and follow along, or sit back and enjoy the spectacle.

What to Expect:
We will start with some basic RF fundamentals and introduce the tools we will be using. Next, we will collect open source intelligence about the drone from Google and the FCC website. Armed with our OSINT, a SDR, and GNU Radio, we will reverse engineer the packet format and protocol used by the drone. Using a SDR, we will implement a transceiver capable of communicating with the drone. Bringing it all together, we will go airborne (with a killswitch ready should the proverbial shit hit the fan).

What to Bring:
If you want to get some hands on RF reverse engineering experience, we encourage you to bring a laptop running GNU Radio, your 2.4GHz capable software defined radio, and an AirHogs Fury Jump Jet!

Bio's:
Marc is a security researcher at Bastille Networks, where he focuses on RF/IoT threats present in enterprise environments. He has been hacking on software defined radios since 2013, when he competed as a finalist in the DARPA Spectrum Challenge. In 2011, he wrote software to reassemble shredded documents for the DARPA Shredder Challenge, finishing the competition in third place out of 9000 teams. Matt Knight is a software engineer and security researcher with Bastille Networks, where he seeks to discover vulnerabilities in the ubiquitous wireless interfaces that connect embedded devices to the Internet of Things.

Stephen Chavez @redragonx

We are going to exploit a Sunrise Quickie Rhythm power wheelchair that uses the CAN BUS protocol with Arduino/Raspberry PI hardware. We will show how easy it is to inject standard CAN messages to take full control of the chair and block all user input from the main joystick controller. And in addition, provide some basic open source tools to allow people to customize their chairs more easily.

Some electronic wheelchairs use the same signaling bus as cars do: the Controller Area Network (CAN). But they use a specialized commutation protocol like RNET that leverages CAN BUS signaling. The Quickie Rhythm chair uses RNET electronics that we studied inside and out. And it turns out many other chairs use RNET electronics as a standardized protocol. RNET is also closed and proprietary, but we reverse engineered the protocol which will allow people customize their chairs.

Power wheelchairs have become increasingly sophisticated both for increasing their capabilities and for connecting users to the world at large. Some include Bluetooth functionality, which can be an easy way to attack chairs. It is time to teach people to understand how their chairs work, and show them the current status of software security on the chairs.

Special thanks to:
Steven Beaty, my professor who helped me get organized for DEFCON 24. I thank him for doing a ton of meetings with me. Solid State Depot, a hacker space in Boulder, Colorado. This hackerspace has some of the coolest people I ever met in my life. They allowed me to use their tools and they fully supported me in hacking power wheelchairs. Metropolitan State University of Denver, they paid all of my expenses for DEFCON.

Bio's
Stephen specializes in Linux, security, and programming languages such as Java, Go, Python, Rust, PHP, C, C++ , JavaScript, and C#. He has experience in Linux server administration (Apache, Postfix, Dovecot, BIND, NGINX, etc.) as well as software engineering and web design. Stephen has been programming for 10+ years and knows a quite a lot about a wide range of subjects. In his spare time, Stephen is a researcher in the field of computer and internet security and is knowledgeable about hacking, cryptography, and network attacks.
Also presenting: Specter is an awesome hardware hacker that loves to sniff protocols.

Denis Makrushin, Kaspersky Lab, Global Research and Analysis Team @difezza

Scare stories around the Internet of Things (IoT) conjure up images of bad guys in hoodies, living for hacking and making the lives of other people harder, inventing millions of ways to infiltrate your life through your gadgets. Probably nobody cares about his smart-home security, but what about Smart-City threats, which affect billions people? A huge number of public IoT devices are vulnerable for potential abuse, potentially endangering users’ data, networks of companies they belong to, or both. Based on research of various public devices, such as terminals and cameras, we offer a methodology for security analysis of these devices, which would answer the following questions:

• How easy it is to compromise a terminal in the park?
• What can hackers steal from there?
• What can be done with hacked device?
• How can the internal network of the installer organization be penetrated?
• How to protect public devices from attacks?
• How to protect public devices from attacks?

This topic is the unique opportunity to hear about real cases of public device hacking and see the process of compromising the different terminals from the beginning to the end:

• Parking and ticket terminals
• Information terminals in museums/cinemas/whatever else
• Hotels infrastructures
• Airport infrastructure
• Road Cameras/speed radars

Topic includes:

• Methodology for security analysis of public IoT
• Post-exploitation scenarios
• Methodology for improving the security of these devices
• Non-trivial protection for non-trivial device

Exclusive research of non-trivial IoThings, a lot of proofs with video-demonstration. "Watch Dogs" in real life.

Bio:
Denis Makrushin is an expert of the Global Research and Analysis Team at Kaspersky Lab. He graduated from the Information Security Faculty of National Research Nuclear University. Specializes in analysis of possible threats and follows the Offensive Security philosophy. At this time, he continues his researches “Targetted Attack detection based on Game Theory methods” in graduate school of MEPhI. Social media links if provided. Also presenting, Vladimir Daschenko.

Joseph Needleman @spiceywasabi

Ever want your very own pwnlight, pwnpot, or pwntoaster?
Sure those are silly names, but in this world of embedded devices and development, let's try something different. We will be focusing on taking those fun, innocuous devices that are making people's lives smarter and turning them into our own useful embedded [attack] platforms. We will be covering what devices work best for different situations, when and where and what to embed, and provide ways of building out persistence directly on your new pwning platform.

Bio:
Joe is a security researcher who loves to experiment with embedded devices, signals, and really anything with electrical signals. He lives in a server room and would love to be let out from time to time. When not stuck in a server room or being electrocuted he also dabbles with cloud research.

Ken Munro @TheKenMunroShow

PenTest Partners@PenTestPartners

An introductory presentation followed by a demonstration covering hardware hacking topics such as reverse engineering, firmware analysis, remote code execution, even abusing OTA updates. Attendees will come away with a practical understanding of reverse engineering and attacking these devices. We will also go through a PoC IoT ransomware attack specifically for thermostats.

Attendees will see a breakdown of the technology, with a demo showing precisely how thermostats can be compromised. Finally a workshop will give attendees a solid and in-depth understanding of the security profile of many IoT devices, using readily available home heating thermostats. After that we then run a workshop so that everyone can get to have a free reign to hack their own. We’ll provide a range of IoT thermostats and tools so it’ll be as accessible as possible to all who want to participate.

Typically, access to embedded functionality in thermostats is via their JTAG ports so we will provide a primer on those as well as giving attendees the devices and tools to enable them to fully access the device and create their own hardware attack. Specifically, we want people to come away with a practical, hands-on understanding of IoT reverse engineering and enhanced hardware hacking skills.
30 mins for the demo, and 60 mins for the workshop.

Bio:
Ken has been working in IT security for over 15 years. He writes for various newspapers and industry magazines, and regularly advises the broader press and news broadcasters. He works at Pen Test Partners who specialize in helping organizations understand and quantify risk to their business. In an effort to get beyond the unhelpful FUD put about by many security vendors Ken speaks widely on computer security, the Internet of Things, and takes great pleasure in highlighting vulnerabilities.

Elvis Collado, Praetorian, Senior Security Researcher @b1ack0wl

After seeing the process of exploiting both the hardware and software stack of embedded devices it's time to put those new skills to the test! Bring a device or even team up with someone and find some vulnerabilities! Exploit development assistance will be provided.

I'll be bringing my Saleae Logic-8 logic analyzer, Shikra, and FT232H Adafruit breakout board. I only have 1 of each.
People should bring a device w/ the power adapter or pick one out from the Village device table, laptop, and an ethernet adapter (if they need it for their laptop.)

If you have other questions for what to bring please contact Elvis on Twitter.

Elizabeth Wharton @LawyerLiz

Connected devices provide a new playground of attack and vulnerability vectors to implement, test, and protect. Launching a home-built drone to test wireless access points, for example, may require authorization from the Federal Aviation Administration and the Federal Communications Commission. Testing connected car software? There’s a new Digital Millennium Copyright Act exemption carve out for research but be wary of the Computer Fraud and Abuse Act dangers. Before incorporating connected technology as part of your research, know where to find the regulatory traps and ways to minimize their legal impact. This presentation will provide an overview of federal privacy, security, and safety regulations triggered by IoT research and a breakdown of recent federal enforcement actions. Gain knowledge of the potential research risks and a sense of when to run, change an approach, or abandon if avoiding breaking the law while breaking IoT matters

Research is hard enough and companies whose products are being tested don't always welcome vulnerability disclosures. Solid research shouldn't be rewarded with threats of lawsuits or hiring defense lawyers. Minimize the risks, spend the money saved on beer or more gear.

Bio:
Elizabeth is a technology-focused business and public policy attorney and host of the national radio show "Buzz Off with Lawyer Liz." She's presented on the privacy, research, and risk management issues surrounding unmanned aircraft and information security before legislators and conferences including Security BSides Las Vegas and F3Expo. Elizabeth also serves as a mentor adviser for CyberLaunch accelerator’s information security and machine learning focused early stage startup companies.

Damien Cauquil, Digital Security (CERT-UBIK), Senior Security Researcher @virtualabs

The BtleJuice framework provides all the features to perform Man-in-the-middle attacks on devices using Bluetooth Low Energy (also known as Bluetooth Smart) and requires no expensive hardware nor SDR device. This talk will discuss most of its features, how to use it to assess the security of smart devices and find vulnerabilities, including live demos. The framework source code will be released just before the talk.

Bio:
Damien Cauquil is a senior security researcher at Digital Security (CERT-UBIK), a French security company focused on IoT and related ground breaking technologies. He spoke at various international security conferences including Chaos Communication Camp, Hack.lu, Hack In Paris and a dozen of times at the Nuit du Hack (one of the oldest French security conferences).

Terrell McSweeny, Federal Trade Commission, Commissioner @TMcSweenyFTC

Learn about the FTC’s efforts to push for improvements in IoT security, including our law enforcement actions challenging inadequate data security in devices like webcams and routers, upcoming workshops on emerging technology issues including drones and smart TVs, our Start with Security business education initiative, and the expansion of the agency’s in-house research and investigation capabilities. In January 2015 the FTC issued a report on the IoT, finding a troubling lack of security in many IoT products. We’ll provide an update on the agency’s enforcement and policy activities since then, tips for how to bring issues to the FTC’s attention, and a review of some of the challenges that remain.

Bio’s:
Terrell McSweeny is a Commissioner of the Federal Trade Commission and this is her third time at DEF CON. When it comes to tech issues, Commissioner McSweeny has focused on the valuable role researchers and hackers can play protecting consumer data security and privacy. She opposes bad policy and legislative proposals like mandatory backdoors and the criminalization of hacking. She believes that enforcers like the FTC should work with the researcher community to protect consumers.

Joe Calandrino, PhD is the Research Director of the Federal Trade Commission’s Office of Technology Research and Investigation. With a PhD in computer science focused on security and privacy from Princeton, Dr. Calandrino is personally motivated to see the work and views of the security community drive educated government action and policy. From personal experience uncovering vulnerabilities in voting machine source code, contributing to the cold-boot attack on disk encryption (for which he won a prestigious Pwnie Award!), or revealing ways that recommendations can leak information, he has seen how security research can teach valuable lessons and make us safer. His goals at the FTC include continuing to build both its internal technical expertise and its bonds with the larger security community.

In this talk I'm going to cover the basics of how snmp works and how we can use it to take control over several IoT devices with R/W permissions remotely, we are going to abuse the bad configuration issue in order to turn on/off traffic lights systems, discover ATMs, power supplies, and several industrial equipment.
Also I'm going to demonstrate how a remote attacker can retrieve the password of networking devices like Huawei and Cisco equipment.

Several devices are exposed in the public internet running snmp agents with R/W permissions, this talk is going to covert how a bad management could lead to a potential attack in the IoT field with bad consequences in real life, the talk is for hackers, network engineers and security researchers and people concern about security in the IoT field.

Bio:
Bertin Bervis is security researcher from san jose costa rica, he is the co-founder of the NetDB project, a certificate/fingerprint device search engine, he has been speaker in several technical security conferences like DEFCON, in latin america EKOPARTY, DragonJar and the OWASP Latin tour. Formerly is a network engineer and software developer.

Elvis Collado, Praetorian, Senior Security Researcher @b1ack0wl

This talk will go over the following: How all of this research got started, the critical vulnerabilities I personally discovered in modern devices, the challenges and failures I personally had with techniques like blind fuzzing, the challenges I had with not having the knowledge or funds to get into hardware hacking, figuring out how to build an exploit for a vulnerability without the need of using UART or a remote debugger, how to get started into hardware hacking once you've exhausted all means on the software side of things, how to build an effective but cheap IoT hacking lab, how to create your own low-cost 'JTAGulator' with an Arduino nano, how to cross compile and disassemble to quickly figure out CPU architectures that a person may be unfamiliar with, discussion of the open source project "Damn Vulnerable Router Firmware", and how to put this all together quickly so everyone can start finding vulnerabilities in the products they own. Also, the talk has been recently updated with comparisons of crafting exploits on x86 vs MIPS vs ARM. Before I only had x86 vs MIPS.

Note: There will be no vendor shaming. All Vendors will be renamed to “Vendor A, Vendor B, Vendor C…etc”

Bio:
Elvis Collado is a Senior Security Researcher for Praetorian with a main focus in embedded electronics. Elvis got into electronics ever since he discovered his first vulnerabilities in some of the devices he personally owned. He decided to migrate his research from the desktop space to the embedded space and wants to share what he has learned with everyone.

This talk covers the reverse engineering and exploration of the Trane ComfortLink thermostats. These devices are manufactured and produced by Trane, a popular heating and cooling company offering Zwave and WiFi enabled thermostats packaged with their appliances. This talk covers a previously unreleased vulnerability in the Trane ComfortLink thermostats that allows for remote manipulation and information extraction by an attacker. The devices are vulnerable by default and this talk addresses the physical dangers posed by this vulnerability to customers. The tools and methods used in finding this vulnerability are also discussed at-length in the presentation along with a video demonstration of the exploit in action.

Bio:
Jeff Kitson is a Security Researcher with the Vulnerability Assessment Team of Trustwave SpiderLabs. His career began with full-stack web development before moving into system administration and eventually vulnerability and security research. His current work includes maintaining and developing vulnerability tools within Trustwave. His research interests include IOT devices and extracting information with software defined radio.

Aaron Guzman, Principal Penetration Tester @scriptingxss

The vast playground of IoT, and all its problems, will surely transfer from Consumer homes over to the Enterprise. Various studies have shown the effect of consumer IoT adoption in the enterprise, resulting in rouge connections into a trusted network. Items such as Smart TVs, drones, home security devices, and even connected vehicles are now being discovered in corporate networks. Industry professionals and board rooms are struggling to keep up with the growth of IoT due to the various interfaces introduced. We will discuss the many IoT attack surfaces and provide proactive security controls that are easily implemented by consumers, enterprises, and manufactures alike.

What is constantly being shared throughout the industry is how IoT is broken, vulnerable, and insecure. Various testing methodologies and guidance cheat sheets have been released without discussions on how to protect against the threats discovered. As a technical editor for an upcoming IoT security book, as well as a contributor for various security guidance documents on IoT, this talk will give practical defense guidance that attendees and manufacturers can implement.

Bio:
Aaron is a Principal Penetration Tester in the Los Angeles area with expertise in Application Security, IoT, Mobile, Web, and Network Penetration testing. He volunteers his time as a Chapter Board Member for the OWASP Los Angeles, President for Cloud Security Alliance SoCal, and a Technical Editor for Packt Publishing . Aaron is a contributor for various IoT guidance documents from CSA, OWASP, Prpl, and others. He has held roles with companies such as Belkin, Linksys, Dell and Symantec.

The Infusion Pumps Market is expected to be worth $10.84 Billion USD by 2021 per "Market and Markets" forecast. The Infusion Pump is a costly and sensitive medical device used to deliver fluids, medications, blood and blood products to adult, pediatric or neonatal patients in a manual or automated way, yes, automated way, any malfunction either intended or unexpected could severely harm humans.
We did the investment and bought an IV Pump Unit and IV Pump module made by Bectron since it is one of the leaders in the market and therefore expected to be used in the major Hospitals worldwide!

The research on this talk is intended to show the audience:

1. The internals of this type of devices (Architecture, PCB components, ENEA RTOS details)
2. How to dump the Flash Memory
3. Firmware update to bypass security checks and get access to restricted configuration
4. How to Backdoor the pump by gaining code execution
    a. Inside into the pump: Processes running, configuration files, etc.
5. DEMO on stage!
6. Takeaways: Recommendations to prevent these attacks from happening again

Bio:
Dan Regalado is a Principal Security Researcher with Zingbox (IoT Security Company) and former FireEye and Symantec reverse engineer. Daniel is the lead author of famous Gray Hat Hacking Book 4th Edition and known in the security world as the “ATM guy” responsible for the latest discoveries of these type of threats worldwide.

Disclosing vulnerabilities to a vendor, especially one that doesn't seem to prioritize security the same way we do, can be a source of pain. We may even find ourselves viewing the product vendor as an enemy during this process. But we are faced with a future in which people will interact with connected devices whether they intend to do so or not. Imagine worrying about the security of a connected "smart" showerhead in your hotel room. Silly, isn’t it? Yet such devices will be increasingly prevalent, and vulnerable.
For this reason, this keynote advocates for why we as security researchers should reframe our relationships with vendors from what is sometimes an adversarial one to a collaborative one. To achieve a better security posture in this industry, this talk offers strategies and tactics for how to improve our methods of working with vendors.

Bio:
Rick Ramgattie @RRamgattie is a Security Analyst at Independent Security Evaluators (ISE), where he conducts high-end, custom security assessments of computer hardware, software products, and manages a team of security researchers. Growing up in the city of Bayamón, Puerto Rico, speaker Rick Ramgattie recognizes that it isn't all that easy to get into the information security community. In a self-taught manner he strived to learn what he could, before attending college in the mainland and then migrating to Baltimore. Now, as someone who appreciates the art of reverse engineering, he has taken part in hands-on security assessments of complex systems, IoT devices, and many different native and mobile applications. Rick enjoys reverse engineering, occasional CTFs, and reading.

Today, most vehicle manufacturers in the US connect their vehicles to a type of network and delegate controls to mobile or web applications upon vehicle purchasing. Thankfully, security research for consumer devices are now exempt from DMCA which enables us to audit and assess our connected vehicles. Like many devices in the IoT space, a single software bug in connected vehicles can compromise the entire ecosystem.
In this talk, we will demonstrate the methodology used to discover and remotely exploit vulnerabilities in Subaru’s STARLINK remote vehicle services, as well as discuss how car manufacturers can learn from these mistakes. After all, who needs car keys when your vehicle is “connected”?

Bio:
Aaron Guzman is a Security Consultant from the Los Angeles area with expertise in web app security, mobile app security, and embedded security. He has spoken at a number of conferences worldwide which include Defcon, AppSec EU, AppSec USA, HackFest, Security Fest, HackMiami, AusCERT as well as a number of BSides events. Aaron leads the OWASP Embedded Application Security project; providing practical guidance to address the most common firmware security bugs to the embedded and IoT community. Follow Aaron’s latest research on twitter at @scriptingxss

This topic covers researches made by Critical Infrastructure Defense Team, Kaspersky Lab regarding vast variety of different serious vulnerabilities in popular wanna-be-smart industrial control systems. We found 80+ 0day vulnerabilities and reported to vendors. Some of them are patched already (CVE-2016-5743, CVE-2016-5744, CVE-2016-5874…). However, for most of the bugs it potentially takes more time to fix.
Bugs are good, but what can be better? Yes, backdoors! Let’s take a closer look on the backdoor techniques found in one interesting vendor: they do some stuff for industrial IoT and for general IT technologies (banking, telecommunication providers, crypto solutions etc). The backdoor is not the whole story – we will show how this vendor reacts and fixes critical bugs (SPOILER: silently fixes bug, no CVE assigned, no advisory published, sometimes impossible to patch, 7 month since the report). The most interesting thing is that this technique requires only legitimate software widely used everywhere.

Bios:
twitter @raka_baraka Vladimir graduated from Ural State Technical University with a degree in information security of telecommunication systems. He started his career as a security engineer at Russian Federal Space Agency. His research interests are pentesting, ICS, security audits, security of different unusual things (like smart toys, TVs, smart city infrastructure) and threat intelligence. Vladimir is a part of Critical Infrastructure Defense Team (CID-Team) and Kaspersky Lab ICS CERT in Kaspersky Lab
&
Sergey is an active member of Critical Infrastructure Defense Team (CID-Team) and KL ICS CERT in Kaspersky Lab. His research interests are fuzzing, binary exploitation, penetration testing and reverse engineering. He started his career as malware analyst in Kaspersky Lab. Sergey has OSCP certification.

Currently, all known IoT botnets harvest zombies through telnet with hardcoded or weak credentials. Once this bubble bursts, the next step will be exploiting other, more evolved vulnerabilities that can provide control over a large number of devices. In this talk, we'll take a glimpse into that future showing our research on a RCE vulnerability that affects more than 175k devices worldwide

Bio:
Alex is the Chief Security Researcher and Spokesperson for Bitdefender. His career is focused on Information Security, Innovation and Product Strategy, fields in which he has so far accumulated over 15 years of experience. He drove the vision for Bitdefender’s UNIX-based security solutions before kickstarting an ambitious project that would advance the company’s R&D department and steer a good part of the company’s focus towards technology and innovation

What Mirai missed:
Mirai was elegantly simple; using default telnet credentials to compromise large numbers of devices. However, in the quest for simplicity, the author missed numerous more significant vulnerabilities. We have spent the last few months researching the security of >30 DVR brands and have made discoveries that make the Mirai telnet issue seem almost trivial by comparison. We discovered multiple vulnerabilities which we will share, including wormable remote code execution. We may also disclose a route to fix Mirai-compromised DVRs remotely. However, this method has the side effect of being usable by malicious actors to make Mirai persistent beyond a power off reboot. Further, we will show HOW and WHY we believe XiongMai is at the root cause of these issues, regardless of the DVR brand. Finally, we'll show examples of DVRs using the same base chipset as those vulnerable to Mirai, but doing security well.
The camera dildo:
What started as a serious piece of research got hijacked by the press because it was “a bit rude”. The real story wasn’t just that it could be compromised, but the work that went into reverse engineering it to find hidden services, reused code (from a camera drone), and the command injection which can be used to compromise the video stream.
Samsung smart fridge:
Ripping and analysing the firmware from a Tizen-running smart fridge’s BGA chip, what did we find?

Bios:
@PenTestPartners
Andrew Tierney, Security Consultant, Pen Test Partners Andrew has many years of experience in security, mainly working with embedded systems. As the Internet of Things trend developed, he expanded his skills into the realms of web applications and mobile applications. Blogging and documenting his findings rapidly gained him exposure, and a number of high-profile UK companies approached him to test their devices and systems.
His previous work in the financial services IT world has prepared him well for customer-facing roles, and communicating complex issues to both management and developers alike. This has also given him a good grounding in working with enterprise IT systems and general sysadmin work. Since joining Pen Test Partners, Andrew has been expanding outwards into new and unfamiliar areas. He soon hopes to become a CREST Certified consultant and wants to develop his skills in infrastructure testing.
&
Ken Munro, Partner, Security Consultant, Pen Test Partners Ken is a regular speaker at the ISSA Dragon’s Den, (ISC)2 Chapter events and CREST events, where he sits on the board. He’s also an Executive Member of the Internet of Things Security Forum and spoke out on IoT security design flaws at the forum’s inaugural event. He’s also not averse to getting deeply techie either, regularly participating in hacking challenges and demos at Black Hat, 44CON, DefCon and Bsides amongst others.
Ken and his team at Pen Test Partners have hacked everything from keyless cars and a range of IoT devices, from wearable tech to children’s toys and smart home control systems. This has gained him notoriety among the national press, leading to regular appearances on BBC TV and BBC News online as well as the broadsheet press. He’s also a regular contributor to industry magazines, penning articles for the legal, security, insurance, oil and gas, and manufacturing press.

The FTC recently conducted a challenge competition aimed at facilitating security updates to home IoT devices. We'll share what we've learned from the challenge, and we hope to announce the winner. We will also give an update on efforts the FTC has taken in the past year to help protect consumers including efforts on Smart TVs and more.

Bios:
Aaron Alva (@aalvatar) is a lawyer (not yours) and hacker who works as a technologist at the Federal Trade Commission's Office of Technology Research and Investigation (OTech). He was a recipient of the NSF CyberCorps scholarship for his MS/JD work at the University of Washington. At the FTC, he explains technical issues to attorneys working on behalf of consumers, and conducts research on areas that impact us all. He fights to protect the future in which his daughter will grow, lead, and amaze.
&
Mark Eichorn is an Assistant Director in the FTC Bureau of Consumer Protection’s Division of Privacy and Identity Protection (DPIP), where he supervises privacy and data security matters. He joined DPIP in 2009 after serving as an attorney advisor for FTC Chairman (and previously Commissioner) Jon Leibowitz on consumer protection issues. After joining the Commission in 1998, Mark worked for many years as an attorney in the Division of Advertising Practices and served a stint in 2003 as an attorney advisor to FTC Commissioner Thomas B. Leary. Mark went to law school at the University of Virginia, and later clerked for Ninth Circuit Judge Robert Beezer before joining the Seattle firm of Mundt, MacGregor.

The “Internet of Things” (IoT) is taking over our lives, so we should be constantly questioning the security and integrity of these technologies. As an IoT researcher, this is precisely what I do. During this presentation, I will be sharing details of my day-to-day research, covering the various processes and methodologies around researching (attacking) various IoT technologies that we all use every day. I will be discussing the various structures of an IoT ecosystem and showing how each segment of that ecosystem can be compromised to impact the overall security of a product. Using live demonstration, I will show several of the security issues discovered during my research over the past 12 months and how we worked with the manufacturers to get these issues mitigated.

Bio:
Deral Heiland , serves as a Research Lead (IoT) for Rapid7. Deral has over 20 years of experience in the Information Technology field. Deral’s career has focused on security research, penetration testing, and consulting. Deral also conducted security research on a numerous technical subject, releasing white papers, security advisories, and has presented the information at numerous security conferences including Blackhat, Defcon, Shmoocon,DerbyCon and Hack In Paris.

We all know how vulnerable IoT devices are - but do we know if our home or industrial IoT devices are being attacked or already compromised? This talk focuses on creating an Intrusion Detection System for IoT devices using Wi-Fi to connect to the Internet. We will look at how to automatically fingerprint our IoT devices over the air and detect attacks such as Honeypots, MAC spoofing, DoS etc. We will also see how to do deep packet inspection and learn device behavior over the network (which hosts do they usually connect to, which protocols?, traffic characteristics?, heartbeat mechanisms? etc.) using simple Machine Learning techniques. We will show how this allows us to detect compromised devices which might now be controlled by a remote attacker. Our IDS will use an external sensor which will be build using open source tools and off-the-shelf hardware. All code will be open sourced after the talk.

Bio:
Vivek Ramachandran is the Founder and Chief Trainer at Pentester Academy. He discovered the Caffe Latte attack, broke WEP Cloaking, conceptualized enterprise Wi-Fi Backdoors, created Chellam - the world's first Wi-Fi Firewall and Chigula - a Wi-Fi data mining and IDS framework. He is also the author of multiple five star rated books on Wi-Fi Security. He has spoken/trained at top conferences around the world including Black Hat USA, Europe and Abu Dhabi, Defcon, Hacktivity, Brucon and others.

As the previous Director of Security at companies like Linksys, Belkin, and Wink, I learned hard lessons about the pitfalls of PKI. This was especially true on IoT devices, where the responsibility was on consumers or site managers to update devices when security issues arose. I've experienced expired keys that killed device connections, private keys being accidentally dropped on consumer devices, and breaches that required replacing all keys on devices, servers, and user applications. That led me to create oneID, now called Neustar Trusted Device Identity (TDI), which is an open source framework that replaces PKI with one that has real-time revocation, key rotation, key reset/replacement, and individual identities for every device, server, service, and user. It starts with the premise that every server, service, network, device, and user will be compromised at some point, so we should start our security model with that assumption and build protection to limit that as much as possible. It specifically does not trust anything by default and trust continually has to be proven, rather than trusting and checking for revocation. It puts the SOC or NOC in control rather than the users or site managers.

Bio:
Brian Knopf is the Sr Director of Security Research & IoT Architect at Neustar working on replacements for PKI & other products to secure IoT devices. He also created the 5-Star IoT Security, Safety, and Privacy Rating. Previously he was Director of Product & Application Security at Linksys and Belkin, Principal Security Advisor for Wink, and the Principal Test Architect & QA Director at Rapid7. He has helped design & build over 40 different IoT devices from concept to production release.

The current state of security for IoT devices is alarming, with regular reports of vulnerabilities being disclosed. Adversaries are getting much more sophisticated and there's a growing need for such products to be secure by design. Thus, this briefing aims to present a compelling case for conducting adversarial modelling on such devices by showcasing a case study of a live vulnerable device.

Bio:
Pishu Mahtani has more than a decade of information security and assurance experience gained from working in diverse set of industries; from Banking and Financial Services, Government and Defence, and Technology Consulting. He currently has a concentrated focus in the area of application security where he's considered as a specialist in the areas of binary analysis, embedded firmware reverse engineering, IoT security and software bug discovery. He has contributed to the efforts in securing cyberspace through responsible disclosure of security vulnerabilities, his involvement in open source projects at The Center for Internet Security (CIS) and OWASP. He has recently spoken at security conferences such as DevSecCon Asia 2017 and GovWare 2016, on software and IoT security topics. He holds a Master of Science (MSc.) in Information Security from Royal Holloway, University of London and is a Certified Secure Software Lifecycle Professional (CSSLP).

We hear from people all the time who want to get into hardware hacking, but are scared to make the first steps.
We will have all the tools and devices – routers, DVRs, thermostats – so that you can learn the basics of hardware hacking and start finding vulnerabilities.

What we will cover:
· Identifying components and features on hardware
· Common interfaces and protocols used
· Working out the attack surface of the device
· Reading firmware with several different techniques
· Extracting firmware using binwalk

To participate, please bring:
· A laptop running Linux or able to run a Linux virtual machine
· Any devices you want to try hacking
· An inquisitive mind

What if I told you that Windows 3.x provided Data Execution Prevention and a crude form of Address Space Layout Randomization? The segmented memory model that made 16-bit x86 code difficult to program also complicates building an exploit. Blending nostalgia, retrofuturism, and plain curiosity into exploiting "weird" systems, I demonstrate what may be the first public writeup (try Googling for one) of a buffer overflow targeting a Windows 3.x application, complete with ROP chain and shellcode. Everyone loves a good exploit and demo or just shuffling program groups--so stop by for a look back into the four-megabyte era equipped with a copy of Visual Studio 1.52c and modern techniques.

Bio:
Jacob Thompson is a Senior Security Analyst for Independent Security Evaluators, where he specializes in high-end, custom security assessments of computer hardware and software products. With 10+ years’ experience, a propensity toward hands-on security assessment, and proficiencies in reverse engineering, DRM systems, cryptography, system and application security, and secure system design. Through his 5 years’ work with ISE, Mr. Thompson has partaken in multiple major vulnerabilities and assessments, customer visits, and progress presentations. He has presented his research at DEF CON, BSides DC, DERBYCON, and ToorCon.

Elvis Collado, Praetorian, Senior Security Researcher @b1ack0wl

This talk will go over the following: How all of this research got started, the critical vulnerabilities I personally discovered in modern devices, the challenges and failures I personally had with techniques like blind fuzzing, the challenges I had with not having the knowledge or funds to get into hardware hacking, figuring out how to build an exploit for a vulnerability without the need of using UART or a remote debugger, how to get started into hardware hacking once you've exhausted all means on the software side of things, how to build an effective but cheap IoT hacking lab, how to create your own low-cost 'JTAGulator' with an Arduino nano, how to cross compile and disassemble to quickly figure out CPU architectures that a person may be unfamiliar with, discussion of the open source project "Damn Vulnerable Router Firmware", and how to put this all together quickly so everyone can start finding vulnerabilities in the products they own. Also, the talk has been recently updated with comparisons of crafting exploits on x86 vs MIPS vs ARM. Before I only had x86 vs MIPS.

Note: There will be no vendor shaming. All Vendors will be renamed to “Vendor A, Vendor B, Vendor C…etc”

Bio:
Elvis Collado is a Senior Security Researcher for Praetorian with a main focus in embedded electronics. Elvis got into electronics ever since he discovered his first vulnerabilities in some of the devices he personally owned. He decided to migrate his research from the desktop space to the embedded space and wants to share what he has learned with everyone.

This talk covers the reverse engineering and exploration of the Trane ComfortLink thermostats. These devices are manufactured and produced by Trane, a popular heating and cooling company offering Zwave and WiFi enabled thermostats packaged with their appliances. This talk covers a previously unreleased vulnerability in the Trane ComfortLink thermostats that allows for remote manipulation and information extraction by an attacker. The devices are vulnerable by default and this talk addresses the physical dangers posed by this vulnerability to customers. The tools and methods used in finding this vulnerability are also discussed at-length in the presentation along with a video demonstration of the exploit in action.

Bio:
Jeff Kitson is a Security Researcher with the Vulnerability Assessment Team of Trustwave SpiderLabs. His career began with full-stack web development before moving into system administration and eventually vulnerability and security research. His current work includes maintaining and developing vulnerability tools within Trustwave. His research interests include IOT devices and extracting information with software defined radio.

Aaron Guzman, Principal Penetration Tester @scriptingxss

The vast playground of IoT, and all its problems, will surely transfer from Consumer homes over to the Enterprise. Various studies have shown the effect of consumer IoT adoption in the enterprise, resulting in rouge connections into a trusted network. Items such as Smart TVs, drones, home security devices, and even connected vehicles are now being discovered in corporate networks. Industry professionals and board rooms are struggling to keep up with the growth of IoT due to the various interfaces introduced. We will discuss the many IoT attack surfaces and provide proactive security controls that are easily implemented by consumers, enterprises, and manufactures alike.

What is constantly being shared throughout the industry is how IoT is broken, vulnerable, and insecure. Various testing methodologies and guidance cheat sheets have been released without discussions on how to protect against the threats discovered. As a technical editor for an upcoming IoT security book, as well as a contributor for various security guidance documents on IoT, this talk will give practical defense guidance that attendees and manufacturers can implement.

Bio:
Aaron is a Principal Penetration Tester in the Los Angeles area with expertise in Application Security, IoT, Mobile, Web, and Network Penetration testing. He volunteers his time as a Chapter Board Member for the OWASP Los Angeles, President for Cloud Security Alliance SoCal, and a Technical Editor for Packt Publishing . Aaron is a contributor for various IoT guidance documents from CSA, OWASP, Prpl, and others. He has held roles with companies such as Belkin, Linksys, Dell and Symantec.