The workshop will start with a brief presentation covering our research to date with Fitbit’s Aria scales; what we’ve found, what we’ve learned, where we’ve got stuck, and what we’ve guessed at. We will discuss a few vulnerabilities that we have discovered and help get you started on finding some more. Once we’ve set the scene the workshop can begin. This is really a 101 on logic probing and hardware analysis, so we’ll share some basic techniques for logic probing; UART, SPI, Flash etc.

We will be bringing a number of sacrificial Fitbit Aria scales for you to work on yourselves, plus several sets of logic probes with us for you to use, with guidance from us if you’d like it. If you would like to borrow our probes for the session, please make sure you have installed Logic from Saleae, or use your favorite logic analyzer. If you’re bringing your own Fitbit Aria scales we advise that you check they are at firmware version 36 or below.

Tasks for the session:

• Push old firmware to the Aria
• Modify the startup display on the Aria LCD (‘hack me fat!’)
• Turn the scales in to a network implant

Bio’s:
Dave and Ken have enjoyed a good few years in security, probably more than 40 years between them. They work at Pen Test Partners in England and spend plenty of research time picking holes in things, finding flaws, and disclosing them responsibly. Twitter: @tautology0 @TheKenMunroShow

Blog Post

Mark Stanislav @markstanislav

ABSTRACT:
This presentation will discuss research performed against nine IoT baby monitors on the market. Details of research methodologies and vulnerability findings will be presented to give attendees insight into what security flaws were found within the intricate combination of mobile applications, protocols, services, and hardware running these devices. A custom scoring system will be used to provide an apples-to-apples view of how each device faired in holistic security versus the other devices.

REASON:
This talk will give a broad look at IoT security using connected baby monitors as a case study. By comparing products on the market, discussing new vulnerabilities never previously released, and showing how the research was conducted, this talk will provide an exciting look into IoT security research for those who are technologists, hackers, software engineers, or even those just concerned with safety and privacy of children.

Hugo Fiennes,Tom Byrne, Gino Miglio, and Zandr Milewski of @electricimp

Where am I? (find and connect to an open network, use google wifi geolocation API to tell a remote server where the device has been: just uses an imp and a 9v battery)

• bacnet sniffer (connect to and dump building area control networks)
• modbus sniffer (connect to and dump MODBUS RTU traffic)
• uart sniffer (connect to and dump UART traffic)

Tobias Zillner & Sebastian Strobl of @Cognosec

BIO:
Tobias works as Senior IS Auditor at Cognosec in Vienna. He conducts information systems audits in order to assess compliance to relevant internal and external requirements. Furthermore, Tobias evaluates and assures security of IT by performing webapplication and web service penetration tests, source code analysis as well as network and infrastructure penetration tests. He has a BSc in Computer and Media Security, a MSc in IT Security and a MSc in Information Systems Management.


Seabstian Strobl manages the delivery of Cognosec GmbH’s auditing services. He has over 8 years practical experience in the areas of information security, IT governance, compliance, risk management, and information systems auditing. He is a certified professional in information systems, PCI DSS and application security auditing, and has a master’s degree in Information Management and Computer Security. Prior to his role at Cognosec GmbH he was leading information systems audits for organisations in the online gaming and finance industry, providing a strong background in the online payment and gaming value chain, the underlying technology thereof, and industry specific regulations. He has an extreme depth of knowledge in security tools, technologies, and industry best practices, and is recognised for delivering top-level, value-adding IT audits. He is also responsible for the creation and deployment of innovative solutions to mitigate risks by protecting networks and application systems, safeguarding information assets and ensuring business continuity. He specialises in delivering effective assurance and consultancy services, focusing on application and web-security architecture, as well as the integration with payment processing value chains.

ABSTRACT:
More and more devices are communicating with each other and are becoming connected to IP networks, sometimes even directly to the Internet. This innovation should improve our quality of life and make our every day life easier, but this trend does not only bring advantages; it also introduces a lot of new challenges and threats. These challenges arise with every new product development in the area of Internet of Things. Especially products in the area of home automation and smart homes are getting increasingly popular and therefore consumers become an interesting target group for attackers. Today’s home automation systems are also following the global trend and move from wired bus systems to wireless radio communication. To face these arising challenges, new protocols and standards beside the world of TCP/IP were created and are currently being developed. However, it is not just the security of the standards and protocols themselves that are important, but it’s also the correct implementation and integration into products that is a challenge for every single vendor.

Sofiane Talmat of @IOActive

BIO:
Sofiane Talmat has more than 10 years' experience performing security assessments and reverse engineering engagements, identifying vulnerabilities and developing exploits for IOActive's clients. He has proven skills in design, implementation, enhancement, testing, maintenance, and support of myriad software instances; and can both test software as well as assist development teams with the implementation of software protection mechanisms.

ABSTRACT:
New generation Set Top Boxes (Satellite receivers) are embedded linux boxes joining the IoT for many reasons mainly for IPTV and cardsharping for pay tv channel decryption. We will talk about design flaws, protocols used and different modules and plugins for cardsharing and iptv We will focus on the technical part of reverse engineering protocols, cardsharing plugins and satellite receiver software identifying both vulnerabilities on the Satellite receiver box and remote IPTV service vulnerabilities that are accessible by the DVB receiver

Lyon Yang @l0Op3r

What it is:
My name is Lyon Yang and I am an IoT hacker. I live in sunny Singapore where IoT is rapidly being deployed – in production. This walkthrough will aim to shed light on the subject of IoT, from finding vulnerabilities in IoT devices to getting shiny hash prompts.
Our journey starts with a holistic view of IoT security, the issues faced by IoT devices and the common mistakes made by IoT developers. Things will then get technical as we progress into a both ARM and MIPS exploitation, followed by a ‘hack-along-with-us’ workshop where you will be exploiting a commonly found IoT daemon. If you are new to IoT or a seasoned professional you will likely learn something new in this workshop.

• Kali Linux
• Basic knowledge or interest in IoT
• Reverse engineering and exploit development knowledge

Chase Shultz @f47h3r_B0

Abstract
Ever wondered how people get shells via hooking up to chips or pins on a board? Or how to dump the firmware off a device you own at home? How chips that send those bits, bytes, and nibbles flying across traces on a board can be analyzed for profit? The Pwning IoT Devices via Hardware Attacks workshop is focused on a hands-on learning experience, of how people use hardware attacks to get initial access IoT Devices for security research. This workshop is designed for people new to hardware hacking, looking to have fun exploiting the Internet of (broken) Things. So come on out if you're looking to join the embedded system & IoT exploitation party!

Bio:
Chase "f47h3r" Schultz is a Senior Security Consultant at Independent Security Evaluators. During his day job, Chase helps companies find and remediate vulnerabilities in their systems. At night, f47h3r dawns his Phantom of the IoT Opera mask, and pumps the dark organ of exploitation, resounding in the root shells he uncovers.

Daniel Miessler @DanielMiessler

BIO:
Daniel Miessler is Practice Principal with HP Fortify based out of San Francisco, California with a 15-year background in penetration testing and vulnerability assessment. He leads the Fortify on Demand security research team, and is a project leader on the OWASP IoT and OWASP Mobile Top Ten projects.

ABSTRACT:
Securing the Internet of Things is a difficult task for many reasons, but the most important may be the fact that IoT is actually a collection of spaces instead of a space of its own. IoT is made up of networks, web applications, mobile applications, and cloud components--all assembled together to produce a usable system designed for maximum connectivity. What could go right?

The OWASP Top 10 Project starts the IoT security scope conversation by defining the 10 primary attack surface areas for the Internet of Things, and by giving prescriptive guidance on how testers, manufacturers, developers, and consumers can make better security decisions, when creating, evaluating, and implementing IoT technologies.

Attendees will learn about the 10 surface areas from the penetration testing perspective, including the common vulnerabilities found in each surface area and how to avoid them. Examples will be given from research on real-world devices conducted by the speaker's team.

A handout will be given as a tangible reference for the 10 attack surface areas.

REASON:
Everyone's talking about IoT, but nobody's talking about how to properly address IoT security as a whole, in a practical and tangible way.
This talk gives practical and tangible guidance that will help attendees the very next time they're asked to assess an IoT system.

BIO:
Wesley Wineberg is a Senior Security Research Engineer at Synack. Prior to Synack, Wes spent six years testing the security of SCADA, Smart Grid, Medical, and other “critical infrastructure” technologies. Wes enjoys black box analysis, pen testing, software, firmware and hardware reverse engineering.

ABSTRACT:
It is easy to find poorly designed devices with poor security, but how do the market leading devices stack up? Are they more secure than a Linux-powered rifle? This presentation documents our effort to assess the state of security of top selling Internet of Things Devices.

We procured 14 of the leading “connected home” IoT devices and tore them down, all the way from software to hardware and compared their relative security. This talk will demonstrate techniques useful for assessing any IoT device, while showing how they were applied across a wide range of devices.

Attend for stories of device rooting, SSL interception, firmware unpacking, mobile app vulnerabilities and more. Stay to find out why your favorite new gadget might just be a backdoor into your home. If you own (or are considering buying) one of the following devices, come and find out how secure it actually is!

Devices:

1. Dlink DCS-2132L
2. Dropcam Pro
3. Foscam FI9826W
4. Simplicam
5. Withings Baby Monitor
6. Ecobee
7. Hive
8. Honeywell Lyric
9. Nest Thermostat
10. Nest Protect
11. Control4 HC-250
12. Lowes Iris
13. Revolv
14. SmartThings
15. Samsung Smart Refrigerator (model RF28HMELBSR)
16. Samsung LED Smart TV (model UN32J5205AFXZA)

Brian Knopf @DoYouQA

BIO:
Brian Knopf has 20 years of experience in IT, dev, QA/QE, & security. He has led QA, automation, security, and development teams for companies including Belkin, Linksys, Rapid7, MySpace, Youbet.com, eUniverse, and VeriTest. Currently Brian is the Principal Security Advisor & Researcher at Wink Inc. There he is responsible for SDL, PSIRT, security research, pentesting, training, bug bounty and researcher programs, and threat modeling for Wink products and partner integrations.

ABSTRACT:
Using small or almost non-existent budgets as an excuse for not running application and product security programs is not acceptable. The rapid growth of low margin IoT devices from startups changed the way security teams have to operate. Instead, learned to leverage external researchers by incentivising them with free products, thanking and embracing researchers for their help, and promising transparency into our direction and enhancements, with the goal of secure consumer devices for everyone.

This talk will walk through the creation of two successful application and product security teams built in organizations without many resources or large budgets. Those programs included regular threat modeling, bug bounty programs, proactive engagement with researchers, security analytics monitoring, and vuln research. Even with the budgetary and staffing constraints, the teams were able to deliver increasingly more secure products that continue to push the boundaries of consumer device security in a market where consumers refuse to pay more for the cost of securing them. This discussion is not about the companies themselves, but instead as a model any startup company can adopt to deliver solid products, rather than using excuses to defer action.

REASON:
Without the resources internally to find major vulns, we were able to identify a critical vuln from a researcher on the bug bounty that had the ability to greatly affect all customers homes. It was patched within 24-hours. That is a perfect example of why this program is critical to the security and privacy of consumers and why every IoT manufacturer should follow this program. There were multiple other vulns discovered with the program that also make the same point.

BIO:
Aaron is a Pen Tester for Belkin in his day job, but is also a Board member for the Open Web Application Security Project (OWASP) Los Angeles chapter, Cloud Security Alliance Socal chapter and the President for the High Technology Crime Investigation Association of Southern California(HTCIA SoCal). Aaron evangelizes application security by leading open source projects, participating in standard organizations and giving talks at conferences.

ABSTRACT:
The notion of "secure by design” or "privacy by design” for IoT devices has been a perspective for standard organizations. Legislative entities from both the US and EU recognize the impact these "things" can effect lives and the enterprise. To better understand a secure design, we will explore the supply chain and development lifecycle of these IoT devices and discuss how our roles as security professionals and researchers.

REASON:
From a manufacturing perspective, I see things a little differently than most. I would like to enlighten others on the real SDLC processes that happen in house and external.

Craig Young @craigtweets

BIO:
Craig is a computer security researcher with Tripwire's Vulnerability and Exposures Research Team (VERT). He has identified and disclosed dozens of vulnerabilities in products from Google, Amazon, IBM, NETGEAR, Adobe, HP, and others. His research has resulted in numerous CVEs and recognition in the Google Application Security Hall of Fame. Craig won in track 0 and track 1 of the first ever SOHOpelessly Broken contest at DEF CON 22 by demonstrating 10 0-day flaws in SOHO wireless routers.

ABSTRACT:
Smart home technology has been a dream for many perhaps inspired by the likes of George Jetson. Unfortunately the technology is in its infancy still and the question remains as to whether vendors can demonstrate the ability to make our homes smarter without simultaneously introducing new risks to personal safety and privacy. In an effort to answer this question, Tripwire VERT conducted a security assessment of the three top-selling ‘Smart Home Hub' products available on Amazon. The research revealed 0-day flaws in each product allowing an attacker to control smart home functionality. This presentation will reveal some of the findings from this study including vulnerability discoveries. If not addressed, smart home flaws can give rise to a new type of ‘smart criminal' able to case victims without being seen. Once a target is chosen, it is possible to unlock doors and disable security monitoring.

REASON:

1. Each product I tested had 0-day flaws
2. Two of the three products evaluated contained 0-day flaws allowing a remote attacker to gain root access with limited to no user-interaction required.
3. I will be demonstrating a PoC which determines the local IP address and searches for the vulnerable device.
4. The PoC described in #3 is still 0-day in official firmware, the latest RC firmware, and possibly in the latest beta firmware.

Networked smart appliances can reduce energy costs and provide detailed situational awareness. However, the same remote access used for benevolent command and control can be leveraged by an adversary for reconnaissance and to cause real world kinetic effects if security is compromised. In this talk, we exploit a commercially available smart fridge to evaluate its sensor capabilities and to demonstrate the potential for delivering kinetic cyber effects. As a proof of concept, we use the fridge ambient humidity sensor to reveal its geographic location and nearby human activity. We also quantify the potential for intentional flooding. Finally, the fridge compartments are heated by abusing the compressor and defrosters to evaluate the potential for damaging temperature-sensitive medical supplies. We demonstrate that within two hours the refrigeration compartment and freezer can be raised above 30 °C (86 °F) and 20 °C (68°F), respectively, remotely via the Internet.

We highlight the interesting things that an attacker can do with network access to a smart fridge. How hot can the fridge get when the attacker turns off cooling and blasts the defrosters? How much water per hour can be released out of the fridge door? We answer these questions and more. We also show that the fridge ambient humidity sensor is sensitive enough to tell whether or not it is raining outside, which reveals geographic location. Hell, we will even give away hardware to the crowd.

Bio’s:
Kevin Cooper is a computer scientist with a passion for network security. He frequently competes in CTF exercises and has extensive experience with reverse engineering, digital forensics, and network penetration testing.

Coauthor: Ben Ramsey, PhD, CISSP, has been building and breaking networks for over a decade. He specializes in embedded system security and low-rate wireless protocols, such as ZigBee, Z-Wave, and Bluetooth Low Energy. He has published in academic journals and presented his research at multiple conferences, including GLOBECOM, MILCOM, SenseApp, and ShmooCon.

The consumer benefits of the IoT are anticipated to be exceedingly large with 5G wireless technologies underpinning much of the evolving IoT landscape. However, IoT will also greatly expand the cyber attack surface for consumer appliances. This session will discuss the FCC’s initiatives to better posture the telecommunications sector to combat cyber threats to the communications critical infrastructure and solicit attendee participation in developing appropriate FCC policy objectives for 5G.

This is not a typical government monologue; this talk is an interactive, engaging, informative discussion of the FCC’s cybersecurity risk reduction initiatives to combat the most pressing threats to the communications critical infrastructure that would undermine the integrity and deployment of the IoT. It will explain the unique vulnerabilities inherent in 5G and explore opportunities to design 5G in a manner that reduces risk for the IoT.

Bio:
Rear Admiral (ret.) David Simpson was appointed Chief of the FCC’s Public Safety and Homeland Security Bureau in November 2013. He brings to this role more than 20 years of ICT experience supporting the DoD, working closely with other agencies to provide secure communication services and improve cyber defense readiness. Simpson is a native of Burbank, CA and a 1982 graduate of the United States Naval Academy. He earned a master's degree in systems technology from the Naval Postgraduate School.

Many Bluetooth Low Energy (BLE) enabled deadbolts and padlocks have hit the market recently. These devices promise convenience and security through smartphone control. We investigated sixteen of these products from multiple vendors and discovered wireless vulnerabilities in most of them. Using a $50 antenna, we successfully picked vulnerable locks from over 400 meters away. In this presentation we introduce open source tools to crack each of the vulnerable BLE locks. Furthermore, after surveying the open source Bluetooth hacking tools currently available, we find very little support for BLE. So, to make discovering and range finding to BLE devices easier, we introduce a new open source warwalking tool compatible with both Bluetooth Classic and BLE

These locks are being relied upon by consumers to protect their homes and property and they need to be fully aware of the risks. By revealing the security vulnerabilities in BTLE locks from multiple vendors and by releasing open source tools to crack them wirelessly, we hope to put pressure on companies to improve security in future products. Plus, we will perform live demos of two of our tools.

Bio's:
Anthony Rose is an electrical engineer with five years of network security experience. His prior work includes traffic and quality optimization for wireless video protocols. Currently he focuses on Bluetooth security and wireless penetration testing.

Ben Ramsey, PhD, CISSP, has over a decade of experience in network security research. His work focuses on critical infrastructure protection and low power wireless protocols, such as ZigBee, Z-Wave, and Bluetooth Low Energy. He has published in several academic journals and has presented research at multiple conferences, including GLOBECOM, MILCOM, SenseApp, and ShmooCon.

Marc Newlin, Bastille Networks, Security Researcher @marcnewlin

Matt Knight, Bastille Networks, Software Engineer & Security Researcher @embeddedsec

Reverse engineering wireless protocols is not as difficult as you might think! Join us and collaborate as we reverse engineer the RF protocol used by an AirHogs drone, from start to finish. You are invited to bring your own gear and follow along, or sit back and enjoy the spectacle.

What to Expect:
We will start with some basic RF fundamentals and introduce the tools we will be using. Next, we will collect open source intelligence about the drone from Google and the FCC website. Armed with our OSINT, a SDR, and GNU Radio, we will reverse engineer the packet format and protocol used by the drone. Using a SDR, we will implement a transceiver capable of communicating with the drone. Bringing it all together, we will go airborne (with a killswitch ready should the proverbial shit hit the fan).

What to Bring:
If you want to get some hands on RF reverse engineering experience, we encourage you to bring a laptop running GNU Radio, your 2.4GHz capable software defined radio, and an AirHogs Fury Jump Jet!

Bio's:
Marc is a security researcher at Bastille Networks, where he focuses on RF/IoT threats present in enterprise environments. He has been hacking on software defined radios since 2013, when he competed as a finalist in the DARPA Spectrum Challenge. In 2011, he wrote software to reassemble shredded documents for the DARPA Shredder Challenge, finishing the competition in third place out of 9000 teams. Matt Knight is a software engineer and security researcher with Bastille Networks, where he seeks to discover vulnerabilities in the ubiquitous wireless interfaces that connect embedded devices to the Internet of Things.

Stephen Chavez @redragonx

We are going to exploit a Sunrise Quickie Rhythm power wheelchair that uses the CAN BUS protocol with Arduino/Raspberry PI hardware. We will show how easy it is to inject standard CAN messages to take full control of the chair and block all user input from the main joystick controller. And in addition, provide some basic open source tools to allow people to customize their chairs more easily.

Power wheelchairs have become increasingly sophisticated both for increasing their capabilities and for connecting users to the world at large. Some include Bluetooth functionality, which can be an easy way to attack chairs. It is time to teach people to understand how their chairs work, and show them the current status of software security on the chairs.

Special thanks to:
Steven Beaty, my professor who helped me get organized for DEFCON 24. I thank him for doing a ton of meetings with me. Solid State Depot, a hacker space in Boulder, Colorado. This hackerspace has some of the coolest people I ever met in my life. They allowed me to use their tools and they fully supported me in hacking power wheelchairs. Metropolitan State University of Denver, they paid all of my expenses for DEFCON.

Bio's
Stephen specializes in Linux, security, and programming languages such as Java, Go, Python, Rust, PHP, C, C++ , JavaScript, and C#. He has experience in Linux server administration (Apache, Postfix, Dovecot, BIND, NGINX, etc.) as well as software engineering and web design. Stephen has been programming for 10+ years and knows a quite a lot about a wide range of subjects. In his spare time, Stephen is a researcher in the field of computer and internet security and is knowledgeable about hacking, cryptography, and network attacks.
Also presenting: Specter is an awesome hardware hacker that loves to sniff protocols.

Denis Makrushin, Kaspersky Lab, Global Research and Analysis Team @difezza

• How easy it is to compromise a terminal in the park?
• What can hackers steal from there?
• What can be done with hacked device?
• How can the internal network of the installer organization be penetrated?
• How to protect public devices from attacks?
• How to protect public devices from attacks?

• Parking and ticket terminals
• Information terminals in museums/cinemas/whatever else
• Hotels infrastructures
• Airport infrastructure
• Road Cameras/speed radars

• Methodology for security analysis of public IoT
• Post-exploitation scenarios
• Methodology for improving the security of these devices
• Non-trivial protection for non-trivial device

Exclusive research of non-trivial IoThings, a lot of proofs with video-demonstration. "Watch Dogs" in real life.

Bio:
Denis Makrushin is an expert of the Global Research and Analysis Team at Kaspersky Lab. He graduated from the Information Security Faculty of National Research Nuclear University. Specializes in analysis of possible threats and follows the Offensive Security philosophy. At this time, he continues his researches “Targetted Attack detection based on Game Theory methods” in graduate school of MEPhI. Social media links if provided. Also presenting, Vladimir Daschenko.

Joseph Needleman @spiceywasabi

Ever want your very own pwnlight, pwnpot, or pwntoaster?
Sure those are silly names, but in this world of embedded devices and development, let's try something different. We will be focusing on taking those fun, innocuous devices that are making people's lives smarter and turning them into our own useful embedded [attack] platforms. We will be covering what devices work best for different situations, when and where and what to embed, and provide ways of building out persistence directly on your new pwning platform.

Bio:
Joe is a security researcher who loves to experiment with embedded devices, signals, and really anything with electrical signals. He lives in a server room and would love to be let out from time to time. When not stuck in a server room or being electrocuted he also dabbles with cloud research.

Ken Munro @TheKenMunroShow

PenTest Partners@PenTestPartners

An introductory presentation followed by a demonstration covering hardware hacking topics such as reverse engineering, firmware analysis, remote code execution, even abusing OTA updates. Attendees will come away with a practical understanding of reverse engineering and attacking these devices. We will also go through a PoC IoT ransomware attack specifically for thermostats.

Attendees will see a breakdown of the technology, with a demo showing precisely how thermostats can be compromised. Finally a workshop will give attendees a solid and in-depth understanding of the security profile of many IoT devices, using readily available home heating thermostats. After that we then run a workshop so that everyone can get to have a free reign to hack their own. We’ll provide a range of IoT thermostats and tools so it’ll be as accessible as possible to all who want to participate.

Typically, access to embedded functionality in thermostats is via their JTAG ports so we will provide a primer on those as well as giving attendees the devices and tools to enable them to fully access the device and create their own hardware attack. Specifically, we want people to come away with a practical, hands-on understanding of IoT reverse engineering and enhanced hardware hacking skills.
30 mins for the demo, and 60 mins for the workshop.

Bio:
Ken has been working in IT security for over 15 years. He writes for various newspapers and industry magazines, and regularly advises the broader press and news broadcasters. He works at Pen Test Partners who specialize in helping organizations understand and quantify risk to their business. In an effort to get beyond the unhelpful FUD put about by many security vendors Ken speaks widely on computer security, the Internet of Things, and takes great pleasure in highlighting vulnerabilities.

Elvis Collado, Praetorian, Senior Security Researcher @b1ack0wl

After seeing the process of exploiting both the hardware and software stack of embedded devices it's time to put those new skills to the test! Bring a device or even team up with someone and find some vulnerabilities! Exploit development assistance will be provided.

I'll be bringing my Saleae Logic-8 logic analyzer, Shikra, and FT232H Adafruit breakout board. I only have 1 of each.
People should bring a device w/ the power adapter or pick one out from the Village device table, laptop, and an ethernet adapter (if they need it for their laptop.)

If you have other questions for what to bring please contact Elvis on Twitter.

Elizabeth Wharton @LawyerLiz

Connected devices provide a new playground of attack and vulnerability vectors to implement, test, and protect. Launching a home-built drone to test wireless access points, for example, may require authorization from the Federal Aviation Administration and the Federal Communications Commission. Testing connected car software? There’s a new Digital Millennium Copyright Act exemption carve out for research but be wary of the Computer Fraud and Abuse Act dangers. Before incorporating connected technology as part of your research, know where to find the regulatory traps and ways to minimize their legal impact. This presentation will provide an overview of federal privacy, security, and safety regulations triggered by IoT research and a breakdown of recent federal enforcement actions. Gain knowledge of the potential research risks and a sense of when to run, change an approach, or abandon if avoiding breaking the law while breaking IoT matters

Research is hard enough and companies whose products are being tested don't always welcome vulnerability disclosures. Solid research shouldn't be rewarded with threats of lawsuits or hiring defense lawyers. Minimize the risks, spend the money saved on beer or more gear.

Bio:
Elizabeth is a technology-focused business and public policy attorney and host of the national radio show "Buzz Off with Lawyer Liz." She's presented on the privacy, research, and risk management issues surrounding unmanned aircraft and information security before legislators and conferences including Security BSides Las Vegas and F3Expo. Elizabeth also serves as a mentor adviser for CyberLaunch accelerator’s information security and machine learning focused early stage startup companies.

Damien Cauquil, Digital Security (CERT-UBIK), Senior Security Researcher @virtualabs

The BtleJuice framework provides all the features to perform Man-in-the-middle attacks on devices using Bluetooth Low Energy (also known as Bluetooth Smart) and requires no expensive hardware nor SDR device. This talk will discuss most of its features, how to use it to assess the security of smart devices and find vulnerabilities, including live demos. The framework source code will be released just before the talk.

Bio:
Damien Cauquil is a senior security researcher at Digital Security (CERT-UBIK), a French security company focused on IoT and related ground breaking technologies. He spoke at various international security conferences including Chaos Communication Camp, Hack.lu, Hack In Paris and a dozen of times at the Nuit du Hack (one of the oldest French security conferences).

Terrell McSweeny, Federal Trade Commission, Commissioner @TMcSweenyFTC

Learn about the FTC’s efforts to push for improvements in IoT security, including our law enforcement actions challenging inadequate data security in devices like webcams and routers, upcoming workshops on emerging technology issues including drones and smart TVs, our Start with Security business education initiative, and the expansion of the agency’s in-house research and investigation capabilities. In January 2015 the FTC issued a report on the IoT, finding a troubling lack of security in many IoT products. We’ll provide an update on the agency’s enforcement and policy activities since then, tips for how to bring issues to the FTC’s attention, and a review of some of the challenges that remain.

Bio’s:
Terrell McSweeny is a Commissioner of the Federal Trade Commission and this is her third time at DEF CON. When it comes to tech issues, Commissioner McSweeny has focused on the valuable role researchers and hackers can play protecting consumer data security and privacy. She opposes bad policy and legislative proposals like mandatory backdoors and the criminalization of hacking. She believes that enforcers like the FTC should work with the researcher community to protect consumers.

Joe Calandrino, PhD is the Research Director of the Federal Trade Commission’s Office of Technology Research and Investigation. With a PhD in computer science focused on security and privacy from Princeton, Dr. Calandrino is personally motivated to see the work and views of the security community drive educated government action and policy. From personal experience uncovering vulnerabilities in voting machine source code, contributing to the cold-boot attack on disk encryption (for which he won a prestigious Pwnie Award!), or revealing ways that recommendations can leak information, he has seen how security research can teach valuable lessons and make us safer. His goals at the FTC include continuing to build both its internal technical expertise and its bonds with the larger security community.

In this talk I'm going to cover the basics of how snmp works and how we can use it to take control over several IoT devices with R/W permissions remotely, we are going to abuse the bad configuration issue in order to turn on/off traffic lights systems, discover ATMs, power supplies, and several industrial equipment.
Also I'm going to demonstrate how a remote attacker can retrieve the password of networking devices like Huawei and Cisco equipment.

Several devices are exposed in the public internet running snmp agents with R/W permissions, this talk is going to covert how a bad management could lead to a potential attack in the IoT field with bad consequences in real life, the talk is for hackers, network engineers and security researchers and people concern about security in the IoT field.

Bio:
Bertin Bervis is security researcher from san jose costa rica, he is the co-founder of the NetDB project, a certificate/fingerprint device search engine, he has been speaker in several technical security conferences like DEFCON, in latin america EKOPARTY, DragonJar and the OWASP Latin tour. Formerly is a network engineer and software developer.

Elvis Collado, Praetorian, Senior Security Researcher @b1ack0wl

This talk will go over the following: How all of this research got started, the critical vulnerabilities I personally discovered in modern devices, the challenges and failures I personally had with techniques like blind fuzzing, the challenges I had with not having the knowledge or funds to get into hardware hacking, figuring out how to build an exploit for a vulnerability without the need of using UART or a remote debugger, how to get started into hardware hacking once you've exhausted all means on the software side of things, how to build an effective but cheap IoT hacking lab, how to create your own low-cost 'JTAGulator' with an Arduino nano, how to cross compile and disassemble to quickly figure out CPU architectures that a person may be unfamiliar with, discussion of the open source project "Damn Vulnerable Router Firmware", and how to put this all together quickly so everyone can start finding vulnerabilities in the products they own. Also, the talk has been recently updated with comparisons of crafting exploits on x86 vs MIPS vs ARM. Before I only had x86 vs MIPS.

Note: There will be no vendor shaming. All Vendors will be renamed to “Vendor A, Vendor B, Vendor C…etc”

Bio:
Elvis Collado is a Senior Security Researcher for Praetorian with a main focus in embedded electronics. Elvis got into electronics ever since he discovered his first vulnerabilities in some of the devices he personally owned. He decided to migrate his research from the desktop space to the embedded space and wants to share what he has learned with everyone.

This talk covers the reverse engineering and exploration of the Trane ComfortLink thermostats. These devices are manufactured and produced by Trane, a popular heating and cooling company offering Zwave and WiFi enabled thermostats packaged with their appliances. This talk covers a previously unreleased vulnerability in the Trane ComfortLink thermostats that allows for remote manipulation and information extraction by an attacker. The devices are vulnerable by default and this talk addresses the physical dangers posed by this vulnerability to customers. The tools and methods used in finding this vulnerability are also discussed at-length in the presentation along with a video demonstration of the exploit in action.

Bio:
Jeff Kitson is a Security Researcher with the Vulnerability Assessment Team of Trustwave SpiderLabs. His career began with full-stack web development before moving into system administration and eventually vulnerability and security research. His current work includes maintaining and developing vulnerability tools within Trustwave. His research interests include IOT devices and extracting information with software defined radio.

Aaron Guzman, Principal Penetration Tester @scriptingxss

The vast playground of IoT, and all its problems, will surely transfer from Consumer homes over to the Enterprise. Various studies have shown the effect of consumer IoT adoption in the enterprise, resulting in rouge connections into a trusted network. Items such as Smart TVs, drones, home security devices, and even connected vehicles are now being discovered in corporate networks. Industry professionals and board rooms are struggling to keep up with the growth of IoT due to the various interfaces introduced. We will discuss the many IoT attack surfaces and provide proactive security controls that are easily implemented by consumers, enterprises, and manufactures alike.

What is constantly being shared throughout the industry is how IoT is broken, vulnerable, and insecure. Various testing methodologies and guidance cheat sheets have been released without discussions on how to protect against the threats discovered. As a technical editor for an upcoming IoT security book, as well as a contributor for various security guidance documents on IoT, this talk will give practical defense guidance that attendees and manufacturers can implement.

Bio:
Aaron is a Principal Penetration Tester in the Los Angeles area with expertise in Application Security, IoT, Mobile, Web, and Network Penetration testing. He volunteers his time as a Chapter Board Member for the OWASP Los Angeles, President for Cloud Security Alliance SoCal, and a Technical Editor for Packt Publishing . Aaron is a contributor for various IoT guidance documents from CSA, OWASP, Prpl, and others. He has held roles with companies such as Belkin, Linksys, Dell and Symantec.

The Infusion Pumps Market is expected to be worth $10.84 Billion USD by 2021 per "Market and Markets" forecast. The Infusion Pump is a costly and sensitive medical device used to deliver fluids, medications, blood and blood products to adult, pediatric or neonatal patients in a manual or automated way, yes, automated way, any malfunction either intended or unexpected could severely harm humans.
We did the investment and bought an IV Pump Unit and IV Pump module made by Bectron since it is one of the leaders in the market and therefore expected to be used in the major Hospitals worldwide!

The research on this talk is intended to show the audience:

1. The internals of this type of devices (Architecture, PCB components, ENEA RTOS details)
2. How to dump the Flash Memory
3. Firmware update to bypass security checks and get access to restricted configuration
4. How to Backdoor the pump by gaining code execution
    a. Inside into the pump: Processes running, configuration files, etc.
5. DEMO on stage!
6. Takeaways: Recommendations to prevent these attacks from happening again

Bio:
Dan Regalado is a Principal Security Researcher with Zingbox (IoT Security Company) and former FireEye and Symantec reverse engineer. Daniel is the lead author of famous Gray Hat Hacking Book 4th Edition and known in the security world as the “ATM guy” responsible for the latest discoveries of these type of threats worldwide.

Disclosing vulnerabilities to a vendor, especially one that doesn't seem to prioritize security the same way we do, can be a source of pain. We may even find ourselves viewing the product vendor as an enemy during this process. But we are faced with a future in which people will interact with connected devices whether they intend to do so or not. Imagine worrying about the security of a connected "smart" showerhead in your hotel room. Silly, isn’t it? Yet such devices will be increasingly prevalent, and vulnerable.
For this reason, this keynote advocates for why we as security researchers should reframe our relationships with vendors from what is sometimes an adversarial one to a collaborative one. To achieve a better security posture in this industry, this talk offers strategies and tactics for how to improve our methods of working with vendors.

Bio:
Rick Ramgattie @RRamgattie is a Security Analyst at Independent Security Evaluators (ISE), where he conducts high-end, custom security assessments of computer hardware, software products, and manages a team of security researchers. Growing up in the city of Bayamón, Puerto Rico, speaker Rick Ramgattie recognizes that it isn't all that easy to get into the information security community. In a self-taught manner he strived to learn what he could, before attending college in the mainland and then migrating to Baltimore. Now, as someone who appreciates the art of reverse engineering, he has taken part in hands-on security assessments of complex systems, IoT devices, and many different native and mobile applications. Rick enjoys reverse engineering, occasional CTFs, and reading.

This topic covers researches made by Critical Infrastructure Defense Team, Kaspersky Lab regarding vast variety of different serious vulnerabilities in popular wanna-be-smart industrial control systems. We found 80+ 0day vulnerabilities and reported to vendors. Some of them are patched already (CVE-2016-5743, CVE-2016-5744, CVE-2016-5874…). However, for most of the bugs it potentially takes more time to fix.
Bugs are good, but what can be better? Yes, backdoors! Let’s take a closer look on the backdoor techniques found in one interesting vendor: they do some stuff for industrial IoT and for general IT technologies (banking, telecommunication providers, crypto solutions etc). The backdoor is not the whole story – we will show how this vendor reacts and fixes critical bugs (SPOILER: silently fixes bug, no CVE assigned, no advisory published, sometimes impossible to patch, 7 month since the report). The most interesting thing is that this technique requires only legitimate software widely used everywhere.

Bios:
twitter @raka_baraka Vladimir graduated from Ural State Technical University with a degree in information security of telecommunication systems. He started his career as a security engineer at Russian Federal Space Agency. His research interests are pentesting, ICS, security audits, security of different unusual things (like smart toys, TVs, smart city infrastructure) and threat intelligence. Vladimir is a part of Critical Infrastructure Defense Team (CID-Team) and Kaspersky Lab ICS CERT in Kaspersky Lab
&
Sergey is an active member of Critical Infrastructure Defense Team (CID-Team) and KL ICS CERT in Kaspersky Lab. His research interests are fuzzing, binary exploitation, penetration testing and reverse engineering. He started his career as malware analyst in Kaspersky Lab. Sergey has OSCP certification.

Currently, all known IoT botnets harvest zombies through telnet with hardcoded or weak credentials. Once this bubble bursts, the next step will be exploiting other, more evolved vulnerabilities that can provide control over a large number of devices. In this talk, we'll take a glimpse into that future showing our research on a RCE vulnerability that affects more than 175k devices worldwide

Bio:
Alex is the Chief Security Researcher and Spokesperson for Bitdefender. His career is focused on Information Security, Innovation and Product Strategy, fields in which he has so far accumulated over 15 years of experience. He drove the vision for Bitdefender’s UNIX-based security solutions before kickstarting an ambitious project that would advance the company’s R&D department and steer a good part of the company’s focus towards technology and innovation

What Mirai missed:
Mirai was elegantly simple; using default telnet credentials to compromise large numbers of devices. However, in the quest for simplicity, the author missed numerous more significant vulnerabilities. We have spent the last few months researching the security of >30 DVR brands and have made discoveries that make the Mirai telnet issue seem almost trivial by comparison. We discovered multiple vulnerabilities which we will share, including wormable remote code execution. We may also disclose a route to fix Mirai-compromised DVRs remotely. However, this method has the side effect of being usable by malicious actors to make Mirai persistent beyond a power off reboot. Further, we will show HOW and WHY we believe XiongMai is at the root cause of these issues, regardless of the DVR brand. Finally, we'll show examples of DVRs using the same base chipset as those vulnerable to Mirai, but doing security well.
The camera dildo:
What started as a serious piece of research got hijacked by the press because it was “a bit rude”. The real story wasn’t just that it could be compromised, but the work that went into reverse engineering it to find hidden services, reused code (from a camera drone), and the command injection which can be used to compromise the video stream.
Samsung smart fridge:
Ripping and analysing the firmware from a Tizen-running smart fridge’s BGA chip, what did we find?

Bios:
@PenTestPartners
Andrew Tierney, Security Consultant, Pen Test Partners Andrew has many years of experience in security, mainly working with embedded systems. As the Internet of Things trend developed, he expanded his skills into the realms of web applications and mobile applications. Blogging and documenting his findings rapidly gained him exposure, and a number of high-profile UK companies approached him to test their devices and systems.
His previous work in the financial services IT world has prepared him well for customer-facing roles, and communicating complex issues to both management and developers alike. This has also given him a good grounding in working with enterprise IT systems and general sysadmin work. Since joining Pen Test Partners, Andrew has been expanding outwards into new and unfamiliar areas. He soon hopes to become a CREST Certified consultant and wants to develop his skills in infrastructure testing.
&
Ken Munro, Partner, Security Consultant, Pen Test Partners Ken is a regular speaker at the ISSA Dragon’s Den, (ISC)2 Chapter events and CREST events, where he sits on the board. He’s also an Executive Member of the Internet of Things Security Forum and spoke out on IoT security design flaws at the forum’s inaugural event. He’s also not averse to getting deeply techie either, regularly participating in hacking challenges and demos at Black Hat, 44CON, DefCon and Bsides amongst others.
Ken and his team at Pen Test Partners have hacked everything from keyless cars and a range of IoT devices, from wearable tech to children’s toys and smart home control systems. This has gained him notoriety among the national press, leading to regular appearances on BBC TV and BBC News online as well as the broadsheet press. He’s also a regular contributor to industry magazines, penning articles for the legal, security, insurance, oil and gas, and manufacturing press.

The FTC recently conducted a challenge competition aimed at facilitating security updates to home IoT devices. We'll share what we've learned from the challenge, and we hope to announce the winner. We will also give an update on efforts the FTC has taken in the past year to help protect consumers including efforts on Smart TVs and more.

Bios:
Aaron Alva (@aalvatar) is a lawyer (not yours) and hacker who works as a technologist at the Federal Trade Commission's Office of Technology Research and Investigation (OTech). He was a recipient of the NSF CyberCorps scholarship for his MS/JD work at the University of Washington. At the FTC, he explains technical issues to attorneys working on behalf of consumers, and conducts research on areas that impact us all. He fights to protect the future in which his daughter will grow, lead, and amaze.
&
Mark Eichorn is an Assistant Director in the FTC Bureau of Consumer Protection’s Division of Privacy and Identity Protection (DPIP), where he supervises privacy and data security matters. He joined DPIP in 2009 after serving as an attorney advisor for FTC Chairman (and previously Commissioner) Jon Leibowitz on consumer protection issues. After joining the Commission in 1998, Mark worked for many years as an attorney in the Division of Advertising Practices and served a stint in 2003 as an attorney advisor to FTC Commissioner Thomas B. Leary. Mark went to law school at the University of Virginia, and later clerked for Ninth Circuit Judge Robert Beezer before joining the Seattle firm of Mundt, MacGregor.

The “Internet of Things” (IoT) is taking over our lives, so we should be constantly questioning the security and integrity of these technologies. As an IoT researcher, this is precisely what I do. During this presentation, I will be sharing details of my day-to-day research, covering the various processes and methodologies around researching (attacking) various IoT technologies that we all use every day. I will be discussing the various structures of an IoT ecosystem and showing how each segment of that ecosystem can be compromised to impact the overall security of a product. Using live demonstration, I will show several of the security issues discovered during my research over the past 12 months and how we worked with the manufacturers to get these issues mitigated.

Bio:
Deral Heiland , serves as a Research Lead (IoT) for Rapid7. Deral has over 20 years of experience in the Information Technology field. Deral’s career has focused on security research, penetration testing, and consulting. Deral also conducted security research on a numerous technical subject, releasing white papers, security advisories, and has presented the information at numerous security conferences including Blackhat, Defcon, Shmoocon,DerbyCon and Hack In Paris.

We all know how vulnerable IoT devices are - but do we know if our home or industrial IoT devices are being attacked or already compromised? This talk focuses on creating an Intrusion Detection System for IoT devices using Wi-Fi to connect to the Internet. We will look at how to automatically fingerprint our IoT devices over the air and detect attacks such as Honeypots, MAC spoofing, DoS etc. We will also see how to do deep packet inspection and learn device behavior over the network (which hosts do they usually connect to, which protocols?, traffic characteristics?, heartbeat mechanisms? etc.) using simple Machine Learning techniques. We will show how this allows us to detect compromised devices which might now be controlled by a remote attacker. Our IDS will use an external sensor which will be build using open source tools and off-the-shelf hardware. All code will be open sourced after the talk.

Bio:
Vivek Ramachandran is the Founder and Chief Trainer at Pentester Academy. He discovered the Caffe Latte attack, broke WEP Cloaking, conceptualized enterprise Wi-Fi Backdoors, created Chellam - the world's first Wi-Fi Firewall and Chigula - a Wi-Fi data mining and IDS framework. He is also the author of multiple five star rated books on Wi-Fi Security. He has spoken/trained at top conferences around the world including Black Hat USA, Europe and Abu Dhabi, Defcon, Hacktivity, Brucon and others.

As the previous Director of Security at companies like Linksys, Belkin, and Wink, I learned hard lessons about the pitfalls of PKI. This was especially true on IoT devices, where the responsibility was on consumers or site managers to update devices when security issues arose. I've experienced expired keys that killed device connections, private keys being accidentally dropped on consumer devices, and breaches that required replacing all keys on devices, servers, and user applications. That led me to create oneID, now called Neustar Trusted Device Identity (TDI), which is an open source framework that replaces PKI with one that has real-time revocation, key rotation, key reset/replacement, and individual identities for every device, server, service, and user. It starts with the premise that every server, service, network, device, and user will be compromised at some point, so we should start our security model with that assumption and build protection to limit that as much as possible. It specifically does not trust anything by default and trust continually has to be proven, rather than trusting and checking for revocation. It puts the SOC or NOC in control rather than the users or site managers.

Bio:
Brian Knopf is the Sr Director of Security Research & IoT Architect at Neustar working on replacements for PKI & other products to secure IoT devices. He also created the 5-Star IoT Security, Safety, and Privacy Rating. Previously he was Director of Product & Application Security at Linksys and Belkin, Principal Security Advisor for Wink, and the Principal Test Architect & QA Director at Rapid7. He has helped design & build over 40 different IoT devices from concept to production release.

The current state of security for IoT devices is alarming, with regular reports of vulnerabilities being disclosed. Adversaries are getting much more sophisticated and there's a growing need for such products to be secure by design. Thus, this briefing aims to present a compelling case for conducting adversarial modelling on such devices by showcasing a case study of a live vulnerable device.

Bio:
Pishu Mahtani has more than a decade of information security and assurance experience gained from working in diverse set of industries; from Banking and Financial Services, Government and Defence, and Technology Consulting. He currently has a concentrated focus in the area of application security where he's considered as a specialist in the areas of binary analysis, embedded firmware reverse engineering, IoT security and software bug discovery. He has contributed to the efforts in securing cyberspace through responsible disclosure of security vulnerabilities, his involvement in open source projects at The Center for Internet Security (CIS) and OWASP. He has recently spoken at security conferences such as DevSecCon Asia 2017 and GovWare 2016, on software and IoT security topics. He holds a Master of Science (MSc.) in Information Security from Royal Holloway, University of London and is a Certified Secure Software Lifecycle Professional (CSSLP).

We hear from people all the time who want to get into hardware hacking, but are scared to make the first steps.
We will have all the tools and devices – routers, DVRs, thermostats – so that you can learn the basics of hardware hacking and start finding vulnerabilities.

What we will cover:
· Identifying components and features on hardware
· Common interfaces and protocols used
· Working out the attack surface of the device
· Reading firmware with several different techniques
· Extracting firmware using binwalk

To participate, please bring:
· A laptop running Linux or able to run a Linux virtual machine
· Any devices you want to try hacking
· An inquisitive mind

What if I told you that Windows 3.x provided Data Execution Prevention and a crude form of Address Space Layout Randomization? The segmented memory model that made 16-bit x86 code difficult to program also complicates building an exploit. Blending nostalgia, retrofuturism, and plain curiosity into exploiting "weird" systems, I demonstrate what may be the first public writeup (try Googling for one) of a buffer overflow targeting a Windows 3.x application, complete with ROP chain and shellcode. Everyone loves a good exploit and demo or just shuffling program groups--so stop by for a look back into the four-megabyte era equipped with a copy of Visual Studio 1.52c and modern techniques.

Bio:
Jacob Thompson is a Senior Security Analyst for Independent Security Evaluators, where he specializes in high-end, custom security assessments of computer hardware and software products. With 10+ years’ experience, a propensity toward hands-on security assessment, and proficiencies in reverse engineering, DRM systems, cryptography, system and application security, and secure system design. Through his 5 years’ work with ISE, Mr. Thompson has partaken in multiple major vulnerabilities and assessments, customer visits, and progress presentations. He has presented his research at DEF CON, BSides DC, DERBYCON, and ToorCon.

Elvis Collado, Praetorian, Senior Security Researcher @b1ack0wl

This talk will go over the following: How all of this research got started, the critical vulnerabilities I personally discovered in modern devices, the challenges and failures I personally had with techniques like blind fuzzing, the challenges I had with not having the knowledge or funds to get into hardware hacking, figuring out how to build an exploit for a vulnerability without the need of using UART or a remote debugger, how to get started into hardware hacking once you've exhausted all means on the software side of things, how to build an effective but cheap IoT hacking lab, how to create your own low-cost 'JTAGulator' with an Arduino nano, how to cross compile and disassemble to quickly figure out CPU architectures that a person may be unfamiliar with, discussion of the open source project "Damn Vulnerable Router Firmware", and how to put this all together quickly so everyone can start finding vulnerabilities in the products they own. Also, the talk has been recently updated with comparisons of crafting exploits on x86 vs MIPS vs ARM. Before I only had x86 vs MIPS.

Note: There will be no vendor shaming. All Vendors will be renamed to “Vendor A, Vendor B, Vendor C…etc”

Bio:
Elvis Collado is a Senior Security Researcher for Praetorian with a main focus in embedded electronics. Elvis got into electronics ever since he discovered his first vulnerabilities in some of the devices he personally owned. He decided to migrate his research from the desktop space to the embedded space and wants to share what he has learned with everyone.

This talk covers the reverse engineering and exploration of the Trane ComfortLink thermostats. These devices are manufactured and produced by Trane, a popular heating and cooling company offering Zwave and WiFi enabled thermostats packaged with their appliances. This talk covers a previously unreleased vulnerability in the Trane ComfortLink thermostats that allows for remote manipulation and information extraction by an attacker. The devices are vulnerable by default and this talk addresses the physical dangers posed by this vulnerability to customers. The tools and methods used in finding this vulnerability are also discussed at-length in the presentation along with a video demonstration of the exploit in action.

Bio:
Jeff Kitson is a Security Researcher with the Vulnerability Assessment Team of Trustwave SpiderLabs. His career began with full-stack web development before moving into system administration and eventually vulnerability and security research. His current work includes maintaining and developing vulnerability tools within Trustwave. His research interests include IOT devices and extracting information with software defined radio.

Aaron Guzman, Principal Penetration Tester @scriptingxss

The vast playground of IoT, and all its problems, will surely transfer from Consumer homes over to the Enterprise. Various studies have shown the effect of consumer IoT adoption in the enterprise, resulting in rouge connections into a trusted network. Items such as Smart TVs, drones, home security devices, and even connected vehicles are now being discovered in corporate networks. Industry professionals and board rooms are struggling to keep up with the growth of IoT due to the various interfaces introduced. We will discuss the many IoT attack surfaces and provide proactive security controls that are easily implemented by consumers, enterprises, and manufactures alike.

What is constantly being shared throughout the industry is how IoT is broken, vulnerable, and insecure. Various testing methodologies and guidance cheat sheets have been released without discussions on how to protect against the threats discovered. As a technical editor for an upcoming IoT security book, as well as a contributor for various security guidance documents on IoT, this talk will give practical defense guidance that attendees and manufacturers can implement.

Bio:
Aaron is a Principal Penetration Tester in the Los Angeles area with expertise in Application Security, IoT, Mobile, Web, and Network Penetration testing. He volunteers his time as a Chapter Board Member for the OWASP Los Angeles, President for Cloud Security Alliance SoCal, and a Technical Editor for Packt Publishing . Aaron is a contributor for various IoT guidance documents from CSA, OWASP, Prpl, and others. He has held roles with companies such as Belkin, Linksys, Dell and Symantec.

Sixty percent of hackers don’t submit vulnerabilities due to the fear of out-of-date legislation, press coverage, and companies misdirected policies. This fear is based on socially constructed beliefs. This talk dives into the brain's response to fear while focusing on increasing public awareness in order to bring legislation that supports ethical hackers, ending black hoodie and ski mask imagery, and encourage organizations to support bilateral trust within their policies.

Bio:
Chloé Messdaghi is the VP of Strategy at Point3 Security. She is a security researcher advocate who strongly believes that information security is a humanitarian issue. Besides her passion to keep people safe and empowered online & offline, she is driven to fight for hacker rights. She is the founder of WomenHackerz & the President and cofounder of Women of Security (WoSEC), podcaster for ITSP Magazine's The Uncommon Journey, and runs the Hacker Book Club.

Smart sex toys are a huge topic – and we’re not talking about their size! The Internet of Things (IoT) has triggered many personal items to become connected and smart, watches, toothbrushes, glasses and even toilets, to name just a few. The adult toy market has not been left behind with new models of toys that include the opportunity to connect them to the Internet and allow them to be remotely controlled.
IoT devices and their vulnerabilities are frequently discussed in the media, and sex toys are not the exception. Many of them have holes in them. Keep focused, we mean holes and bugs in the software. This is despite the sensitivity of the extremely personal information they handle.
We analyzed the security of the Android applications that control the most frequently purchased models of connected sexual pleasure devices, to determine the extent to which the confidentiality of user data could be vulnerable. Our research revealed interesting security flaws derived from both the implementation of the application and the design of the device, affecting the storage and processing of information.
If you’re one of the many users who have a smart sex toy connected to the internet, or plan to buy one, you cannot miss this talk, it may have you shaking in your seat. Our presentation may make you reconsider connecting it ever again or not purchasing one at all.

Bio:
Denise Giusto Bilic is an Information Systems Engineer graduated from the National Technological University of Argentina. Nowadays she specializes in mobile and IoT security. Denise currently works as a Security Researcher at ESET, where part of her job is preparing technical and educational materials related to information security. She has participated as a speaker in many international security conferences. She is also a co-organizer of NotPinkCon Security Conference.

Name: Cecilia Pastorino
Bio:
Cecilia Pastorino currently works as a Security Researcher at ESET, where she creates material related to research and awareness activities regarding computer security. Cecilia studied Networks and Telecommunications at the University of Palermo and specialized in network architecture with the Cisco CCNA and CCNP courses and the Ethical Hacking Certification. Prior to joining ESET, she worked as a network analyst for different companies, always focusing on telecommunications security. She has successfully implemented ISMS and the subsequent certification of ISO 27001 for various companies. Currently, she represents ESET in all kinds of activities such as seminars, conferences, trainings and other public exhibition events. She participated as a speaker in different international security conferences. She is also a co-organizer of NotPinkCon Security Conference.

IoT device manufacturers have no idea what's running on their devices -- they really don't.
In 2002 then-US Secretary of Defense, Donald Rumsfield, brought public attention to a notion that information can be divided into three categories: known knowns, known unknowns, and unknown unknowns. As hackers, how can we apply this formulation to IoT vulnerabilities?
The known knowns: Vulnerabilities that have been explicitly discovered through scanning and testing. The known unknowns: Newly created software that has yet to undergo any application security testing. The unknown unknowns: Systems that the defender does not know about.
There is, in fact, a fourth dimension: unknown knowns, which comprise “that which we intentionally refuse to acknowledge that we know” or “do not like to know.”
The unknown knowns: Vulnerabilities that are known to exist, but that have not been associated with all the systems they actually affect.
In this talk, we report on IoT device vulnerability findings at massive scale, as a result of our firmware collection and analysis. For this research we have selected approximately 50k firmware images, representing over 7M files, 10k products, and 150 vendors, spanning many different architectures and operating systems. We will highlight some of the trends we've uncovered in supply chain vulnerabilities, and reveal specific examples of device backdoors, botnets, and vulnerabilities discovered in medical, home, and commercial device firmware.

Bio:
Parker Wiksell (@pwiksell) is a security researcher and engineer at Finite State, an IoT security research company, and is the author of the AFL-Unicorn fuzzer and the Patchwerk kernel patching framework. Parker has over 25 years industry experience, with the last 9 being focused primarily on software and hardware security research, presenting at several major conferences. When not geeking out on computers, Parker has been known to write the occasional musical composition professionally.

This talk discusses the rise of IoT botnets, the culture that surrounds them, and the vulnerabilities that enable their continued existence. I will discuss various analyses of major botnet families, discuss exploits and vulnerability classes in IoT devices, and examine the rapid growth of these botnets for commercial use. I will also discuss newer innovations in IoT malware, and outline some of the ways that vendors could reduce their impact moving forward.

Bio:
netspooky is a reverse engineer in the ICS and IoT space.

Once limited to the realm of science fiction, robotics now plays a vital role in many industries, including manufacturing, agriculture, and even medicine. Despite this, the kind of robot that interfaces with people directly - outside of the occasional toy or vacuum - threatens to remain an inhabitant of fiction for the foreseeable future. Teleconference robots, a rapidly growing niche, may help make that fiction a reality. Robots such as these have found use in consumer, enterprise, retail, and even medical environments and some are even capable of autonomous movement. It’s precisely these features, however, that make them a valuable target for hackers. Unlike a simple camera exploit, compromising such a device would grant an attacker mobility in addition to audio/video, greatly increasing their ability to spy on victims in the most private of situations - their homes, medical appointments, or workplaces.

Not knowing when to quit, McAfee Advanced Threat Research uncovered four 0-day vulnerabilities in a popular teleconference robot. We’ll show how an attacker armed with nothing besides the victim’s phone number could exploit these vulnerabilities to intercept or join an existing call, gain access to the robot’s camera and microphone, and even achieve “owner” privileges, granting the ability to remotely control the robot - all with zero authentication.

Bio:
Mark Bereza is a security researcher and new addition to McAfee's Advanced Threat Research team. A recent alumnus of Oregon State's Computer Science systems program, Mark's work has focused primarily on vulnerability discovery and exploit development for embedded systems. Mark previously presented at DEFCON 27, less than 6 months after graduating college.

When a wireless engineer decides to tune into hospitals to determine the state of COVID in the community, he finds detailed patient info being broadcast into thin air. By capturing, decoding, and analyzing the info, the true state of the pandemic is realized.

Bio:
Troy has been a RF and physical security hardware engineer for multiple manufacturers of access control, locks, and wireless security devices for over a decade. Troy holds multiple patents in areas of electronic security, energy harvesting, and wireless. Troy also hosts the YouTube channel for HackerWarehouse.TV and can be found on Twitter at @waveguyd.

Throughout this year, we had the chance to analyze two different models of electric scooters, three different models of smart locks, various kind of smart home devices and lastly one robot assistant which is in use at airports. During the analysis process, we have found some critical security vulnerabilities including privilege escalation, insecure communication and taking over the servers which these communications are being performed on. Additionally, we have identified two hard-coded secret keys and lastly one cryptographic key in the result of our analysis. In this presentation, we will be sharing the details of the vulnerabilities that we have identified during our analysis.

Bio:
Besim Altinok (@AltnokBesim) has been researching Wi-Fi security for over a decade. He created WiPi-Hunter project against Wi-Fi hackers. He is the author of a book on Wi-Fi security. Besim's work on wireless security has been published in ArkaKapi Magazine and others. He has also spoken at top conferences including BlackHat Europe, Blackhat ASIA, Defcon, and others. Besim ALTINOK works currently at a Private Company which is located in Ankara, Turkey

Name: Anil Celik
Bio:
Anil Celik (@ccelikanil) is a new graduate computer engineer who is highly interested in computers since his childhood. Along with the articles he's been publishing for the community on various topics, he is focused on Wireless & Network Security for a while and he's been currently working in this field at a Private Company, which is located in Ankara, Turkey

It was a crisp October evening as Nerdwell walked the streets of the Internet looking for juicy bugs. Suddenly, his attention was drawn to something that he could not ignore. ""Is that memory?"" He thought to himself, ""it sure is ... a whole heap of it!""

In this talk, Nerdwell will share the story of how a chance observation, along with healthy doses of curiosity and persistence, ultimately led to a high severity finding of unauthenticated remote memory disclosure in the Mitel MiVoice 6800 and 6900 series SIP Phones. Nerdwell will take us through the technical details of CVE-2020-13617 and demonstrate exploitation. He'll then share some of the insights gained along the way, including:

* Unexpected benefits of the emerging bug bounty industry upon IoT security in general;
* The roles of curiosity and creativity in the hacker's mindset, and how these traits influence security research; and
* Ways to use open source tools, like Shodan.io and GitHub, to select IoT devices for further research.


The talk will close with suggestions for future research and tips for new researchers looking to break into the field of IoT hacking.

Bio:
Matthew Byrdwell ("Nerdwell") is passionate about securing the Internet and helping others achieve their infosec career goals. He's been building and breaking IT systems for 20 years and currently works in Critical Infrastructure Protection. He enjoys doing cybersecurity research, both independently and through bug bounty programs, and contributes to the community as a Bugcrowd Ambassador.

Honeypots AND IoT security, all in one place? Yes, why YES I tell you, and this is it! Oh sure, honeypots are not new, but how they are used is what makes this talk just a little bit different. Presented for your viewing pleasure will be IoT specific honeypot configurations, some deployed with k8s (some not) and how they are used to not only trap attacks against your IoT devices but also detect attacks FROM a compromised IoT device.

Bio:
Based in Pittsburgh and a natural creature of winter, you can typically find me sipping Grand Mayan Extra Anejo whilst simultaneously defending my systems using OSS, magic spells and Dancing Flamingos. Honeypots & Refrigerators are a few of my favorite things! Fun Fact: I rescue Feral Pop Tarts and have the only Pop Tart Sanctuary in the Pittsburgh area.

Smart-devices are anywhere, connecting lights, AC, cameras and even heat-sensors. They present a weak spot in which hackers can hack and learn about internal network-configuration, change arbitrary controllers, and lead to high physical & software damage. In our scenario, thousands of HDL smart devices could have been exploited & remotely controlled in the wild. 4 unique vulnerabilities have been found and presented here - We show how they can be utilized by a sophisticated attacker to stealth-access smart-devices remotely, change, control and take advantage of their data. Also, we show how a full data-extraction of smart-devices managing accounts: private data and credentials could have been extracted as well. This unique attack scenario demonstrates the high-security impact of deploying IoT devices over any organization, especially when using dedicated IoT hardware and proprietary components which are interconnected and even remotely managed. A coordinated responsible disclosure was done and thankful to HDL responsiveness & approach - All was fixed.

Bio:
Barak Sternberg, Security Researcher at SentineLabs, is an Experienced Security Researcher who specializes in Offensive Security. Previously, he spent five years at Unit 8200, as an officer, PO and team leader of security researchers. Barak is highly-skilled in cyber-security, from vulnerabilities research in various areas (IoT, embedded devices, Linux and web apps) to analyzing malware in the wild. Barak also acquires MSC (in CS) focused on algorithms from Tel-Aviv University.

From smart home devices to smart cars, IoT actually gave us our “connected world”, but maybe not a “Safe” one. Imagine all your smart devices on your home network being controlled by someone on the other side of the world, your smart TVs, smart lights, baby monitors, routers, printers, workspace surveillance cameras, and literally everything else!
This talk explores how the methods of manipulating domain name resolution can be used to exploit and remotely take over most of the connected devices in a private network. We will talk about how it can be used to scan a private network externally for IoT devices, and how it can put even private devices open to the public!
We will cover some tools that can be used to takeover a device and exfiltrate the data of a victim under a minute with minimum user interaction. We demonstrate how the data can be exfiltrated and used to perform unwanted actions on the victim's devices from anywhere in the world.
We furthermore, talk about methods of prevention and best practices that a developer and product designer can consider to protect their devices against such attacks.
So if you're a pentester or a developer we've got something for everyone!

Bio:
Dewank Pant is a Security Engineer working with NCC Group Inc. He graduated from and worked at Johns Hopkins University under the Information Security Track. He is skilled in IoT Security, Radio Hacking, Bot Development, and penetration testing. He has published several CVEs and holds 3+ years of work experience in the industry.

Name: Shruti Lohani
Bio:
Shruti Lohani is a Computer Scientist working in IoT Research & Development in the sectors of Energy, Petrochemical, Aerospace, Automotive, etc. at Nexess, France. She completed her M.Sc. from EURECOM, France and has 3 years of experience in the IoT domain. Her expertise in IoT application and security is not limited to Smart homes, autonomous vehicles, indoor/outdoor Geolocation.

Webinar: Join to participate live!

Abstract: This learning session will focus on the subject of building an IoT hardware hacking lab. During this learning session various tools and technologies will be shown and discussed that are needed for physical disassembly, soldering, debugging, and analyzing. Covering the basic entry level to the more advanced lab equipment needed and used. After each learning objective we will have Q&A sessions

Speaker: Deral Heiland ([email protected])

Bio: Deral Heiland CISSP, serves as a Principal Security Research (IoT) for Rapid7. Deral has over 25 years of experience in the Information Technology and Security field. Over the last 15+ years Deral’s career has focused on security research, security assessments, penetration testing, and consulting for corporations and government agencies. Deral also has conducted security research on numerous technical subjects, releasing white papers, Blogs, security advisories, and has presented the information at numerous national and international security conferences including Blackhat, Defcon, Shmoocon, DerbyCon, RSAC, Hack In Paris. Deral has been interviewed by and quoted by multiple media outlets and publications including ABC World News Tonight, Cheddar TV, BBC, Consumer Reports, MIT Technical Review, SC Magazine, Threat Post and The Register.

Webinar: Join to participate live!

Abstract: This learning session will introduce attendees to the process of recovering file systems from data extracted from NAND flash chips. As part of this learning session we will be discussing and demoing the tools, methods and common processes for successfully recovering data. After each learning objective we will have Q&A sessions

Speaker: Deral Heiland ([email protected])

Bio: Deral Heiland CISSP, serves as a Principal Security Research (IoT) for Rapid7. Deral has over 25 years of experience in the Information Technology and Security field. Over the last 15+ years Deral’s career has focused on security research, security assessments, penetration testing, and consulting for corporations and government agencies. Deral also has conducted security research on numerous technical subjects, releasing white papers, Blogs, security advisories, and has presented the information at numerous national and international security conferences including Blackhat, Defcon, Shmoocon, DerbyCon, RSAC, Hack In Paris. Deral has been interviewed by and quoted by multiple media outlets and publications including ABC World News Tonight, Cheddar TV, BBC, Consumer Reports, MIT Technical Review, SC Magazine, Threat Post and The Register.

Webinar: Join to participate live!

Abstract: This learning session will guide the attendees through various concepts related U-boot including hacks to gain access to U-boot console, U-boot console commands and structure and various methods on using U-boot to exploit an embedded IoT systems. After each learning objective we will have Q&A sessions.

Speaker: Garrett Enochs ([email protected])

Bio: Garrett is a Security Consultant on Rapid7's Professional Services team and has been with Rapid7 for 4 years. Garrett has worked on projects related to product deployment and training, published several blogs, and currently working with Managed Service clients to onboard Rapid7's MDR Services. Specializing in taking things apart and figuring out how to put them back together again, you will find Garrett buried in one of several projects at home with raspberry pi's scattered around.

Webinar: Join to participate live!

Abstract: This learning session attendees will learn how to properly utilize a logic analyzer for examining, testing and decoding digital communication on embedded systems. Also, various logic analyzers from cheap models to the more expensive models will be shown and discussed. After each learning objective we will have Q&A sessions.

Speaker: Jonathan Stines ([email protected])

Bio: Jonathan is a Senior Security Consultant on Rapid7's Penetration Testing team and has 7 years of pen test and consulting experience. Jonathan has worked on a wide breadth of projects, ranging from hacking a regional bank's LAN network in Wales to breaking into a Chinese warehouse's wireless network in Guangdong. With a specialization in hacking IoT and embedded systems, Jonathan has a tendency of raiding local garage sales and thrift stores in search of the next gadget to tear into.

Under the best of circumstances, coordinating disclosure of vulnerabilities can be a challenge. At times it can feel like everyone involved in CVD has conflicting motivations. The truth is that all of us are aspiring to do the right thing for end-users based on our perspective. The panel will share experiences and show how researchers and technology companies can work together to improve the impact of disclosing vulnerabilities on the technology ecosystem. Join CRob (Red Hat), Lisa Bradley (Dell), Katie Noble (Intel), Omar Santos (Cisco), Anders Fogh (Intel) and Daniel Gruss (TU Graz) for an exciting and engaging dialog between security researchers and industry experts on the Joy of coordinating vulnerability disclosure.

Panelists:
Moderator CRob (Red Hat); panelists: Lisa Bradley (Dell), Katie Noble (Intel), Omar Santos (Cisco), Anders Fogh (Intel), Daniel Gruss (TU Graz)

Omar Santos is an active member of the security community, where he leads several industry-wide initiatives and standard bodies. His active role helps businesses, academic institutions, state and local law enforcement agencies, and other participants that are dedicated to increasing the security of the critical infrastructure. Omar is the author of over 20 books and video courses; numerous white papers, articles, and security configuration guidelines and best practices. Omar is a Principal Engineer of Cisco's Product Security Incident Response Team (PSIRT) where he mentors and lead engineers and incident managers during the investigation and resolution of security vulnerabilities. Omar has been quoted by numerous media outlets, such as TheRegister, Wired, ZDNet, ThreatPost, CyberScoop, TechCrunch, Fortune Magazine, Ars Technica, and more. Anders Fogh works as Senior Principal Engineer in the Security division at Intel. He has led numerous low-level engineering efforts and is a renowned expert on CPU security issues. Prior to his current position, Anders worked as a principle engineer for GDATA doing incident response and research. Since 1993, he has been an avid anti-malware hobbyist and has reverse engineering experience with operating systems from DOS to present day OSs, and devices ranging from DVD players to USB sticks. He holds a master’s degree

in Economics from the University of Aarhus. Anders was the first to publish on the Meltdown issue and his research has been published at industry and academic conferences such as Black Hat USA and ACM CCS. Daniel Gruss (@lavados) is an Assistant Professor at Graz University of Technology. He finished his PhD with distinction in less than three years. He has been involved in teaching operating system undergraduate courses since 2010. Daniel's research focuses on side channels and security on the hardware-software boundary. His research team was involved in several vulnerability disclosures, including Meltdown and Spectre. He has co-authored more than 20 top-tier academic publications in the past five years and received several prizes for his research.

Katie Noble serves as a Director of PSIRT and Bug Bounty at Intel. In her role, she leads the cyber security vulnerability Bug Bounty program, researcher outreach, and strategic planning efforts. Prior to joining Intel, Katie served as the Section Chief of Vulnerability Management and Coordination at the Department of Homeland Security, Cyber and Infrastructure Security Agency (CISA). Her team is credited with the coordination and public disclosure of 20,000+ cyber security vulnerabilities within a two-year period. During her government tenure, in roles spanning Intelligence Analyst for the National Intelligence Community to Senior Policy Advisor for White House led National Security Council Cyber programs, Katie’s work directly impacted decision making for government agencies in the United States, United Kingdom, Canada, and Australia. Christopher Robinson (aka CRob) is the Program Architect for the Red Hat Product Security Team. With 25 years of Enterprise-class engineering, architectural, operational and leadership experience, Chris has worked at several Fortune 500 companies with experience in the Financial, Medical, Legal, and Manufacturing verticals. CRob has been a featured speaker at Gartner’s Identity and Access Management Summit, RSA, BlackHat, Derbycon, the (ISC)2 World Congress, and was named a "Top Presenter" for the 2017 and 2018 Red Hat Summits. CRob was the President of the Cleveland (ISC)2 Chapter, and is also a children's Cybersecurity Educator with the (ISC)2 Safe-and-Secure program. He holds a Certified Information Systems Security Professional (CISSP) certification, Certified Secure Software Lifecycle Professional (CSSLP) certification, and The Open Group Architecture Framework (TOGAF) certification. He’s also been heavily involved in the Forum for Incident Response and Security Teams’ (FIRST) PSIRT SIG, collaborating in writing the FIRST PSIRT Services Framework, as well as the PSIRT Maturity Assessment framework.

Abstract: Security is one of the most dynamic and impactful landscapes in the regulatory sphere. Proposed initiatives and standards in IoT security specifically, are shaping the industry at a fast pace and on a global scale. With the potential for marked impact to the researcher community, this evolving landscape also serves as an opportunity for technology innovation and collaboration. This talk, a joint presentation from policy expert, Dr. Amit Elazari, and IoT platform architect, Anahit Tarkhanyan, will introduce the audience to a variety of regulatory concepts and baseline proposals shaping the future of IoT security. They’ll focus on recent trends including: NISTIR 8259, C2, international standards, supply chain transparency, researchers’ collaboration, proposed legislation, Coordinated Vulnerability Disclosure, and the innovative, technical capabilities that can support and enhance development from the foundation up.

Bios:
Dr. Amit Elazari is a Director, Global Cybersecurity Policy at Intel Corporation and a Lecturer at UC Berkeley’s School of Information Master in Information and Cybersecurity. She holds a Doctoral Degree in the Law (J.S.D.) from UC Berkeley School of Law and graduated summa cum laude three prior degrees. Her research in information security law and policy has appeared in leading technology law and computer science journals, presented at conferences such as RSA, Black Hat, USENIX Enigma, USENIX Security, BsidesLV, BsidesSF and DEF CON Villages, and featured at leading news sites such as The Wall Street Journal, The Washington Post and the New York Times. In 2018, she received a Center for Long Term Cybersecurity grant for her work on private ordering regulating information security, exploring safe harbors for security researchers. She practiced law in Israel.

Anahit Tarkhanyan is Platform Architect at Intel and leads IoT hardware-based security product architecture. She joined Intel in 2011 and has over 20 years of industry experience delivering security solutions to the market. Her area of expertise covers silicon-based Edge to Cloud systems security and AI/ML protection. Anahit is a recognized contributor to Intel’s hardware security and a trusted advisor for ecosystem partners. She has PhD in Distributed Computer Systems and Networks, holds several patents, and has publications in diverse security technology areas.

Abstract: Do you ever play iSpy with the smart devices around you and wonder how easy it is to hack shit and get CVEs? In the Zoomer era, smart devices are extremely accessible, generally cheap and not very security focused. In this talk, Sarda (a fellow Zoomer) will walk the audience through the basic methodology, tooling, exploitation, and disclosure process used when hacking an IoT device. This talk will include a “livish” demo of the exploitation of 5 CVEs, including remote code execution and telnet access, discovered while researching the Tenda AC1900 router—which can be chained to provide persistent root shell access to the device

Bio:
Sanjana Sarda is a Junior Security Analyst at Independent Security Evaluators and is a rising Electrical Engineering senior at UCLA. She is primarily focused on Cryptography, IoT and Hardware Security and hiding from her dog. Sarda has been researching various IoT devices and has discovered several CVEs. Her research has been covered by publications such as Motherboard, the Daily Swig, and ISMG. Omar Santos is an active member of the security community, where he leads several industry-wide initiatives and standard bodies. His active role helps businesses, academic institutions, state and local law enforcement agencies, and other participants that are dedicated to increasing the security of the critical infrastructure. Omar is the author of over 20 books and video courses; numerous white papers, articles, and security configuration guidelines and best practices. Omar is a Principal Engineer of Cisco's Product Security Incident Response Team (PSIRT) where he mentors and lead engineers and incident managers during the investigation and resolution of security vulnerabilities. Omar has been quoted by numerous media outlets, such as TheRegister, Wired, ZDNet, ThreatPost, CyberScoop, TechCrunch, Fortune Magazine, Ars Technica, and more. Anders Fogh works as Senior Principal Engineer in the Security division at Intel. He has led numerous low-level engineering efforts and is a renowned expert on CPU security issues. Prior to his current position, Anders worked as a principle engineer for GDATA doing incident response and research. Since 1993, he has been an avid anti-malware hobbyist and has reverse engineering experience with operating systems from DOS to present day OSs, and devices ranging from DVD players to USB sticks. He holds a master’s degree

in Economics from the University of Aarhus. Anders was the first to publish on the Meltdown issue and his research has been published at industry and academic conferences such as Black Hat USA and ACM CCS. Daniel Gruss (@lavados) is an Assistant Professor at Graz University of Technology. He finished his PhD with distinction in less than three years. He has been involved in teaching operating system undergraduate courses since 2010. Daniel's research focuses on side channels and security on the hardware-software boundary. His research team was involved in several vulnerability disclosures, including Meltdown and Spectre. He has co-authored more than 20 top-tier academic publications in the past five years and received several prizes for his research.

Katie Noble serves as a Director of PSIRT and Bug Bounty at Intel. In her role, she leads the cyber security vulnerability Bug Bounty program, researcher outreach, and strategic planning efforts. Prior to joining Intel, Katie served as the Section Chief of Vulnerability Management and Coordination at the Department of Homeland Security, Cyber and Infrastructure Security Agency (CISA). Her team is credited with the coordination and public disclosure of 20,000+ cyber security vulnerabilities within a two-year period. During her government tenure, in roles spanning Intelligence Analyst for the National Intelligence Community to Senior Policy Advisor for White House led National Security Council Cyber programs, Katie’s work directly impacted decision making for government agencies in the United States, United Kingdom, Canada, and Australia. Christopher Robinson (aka CRob) is the Program Architect for the Red Hat Product Security Team. With 25 years of Enterprise-class engineering, architectural, operational and leadership experience, Chris has worked at several Fortune 500 companies with experience in the Financial, Medical, Legal, and Manufacturing verticals. CRob has been a featured speaker at Gartner’s Identity and Access Management Summit, RSA, BlackHat, Derbycon, the (ISC)2 World Congress, and was named a "Top Presenter" for the 2017 and 2018 Red Hat Summits. CRob was the President of the Cleveland (ISC)2 Chapter, and is also a children's Cybersecurity Educator with the (ISC)2 Safe-and-Secure program. He holds a Certified Information Systems Security Professional (CISSP) certification, Certified Secure Software Lifecycle Professional (CSSLP) certification, and The Open Group Architecture Framework (TOGAF) certification. He’s also been heavily involved in the Forum for Incident Response and Security Teams’ (FIRST) PSIRT SIG, collaborating in writing the FIRST PSIRT Services Framework, as well as the PSIRT Maturity Assessment framework.

Abstract: Security is one of the most dynamic and impactful landscapes in the regulatory sphere. Proposed initiatives and standards in IoT security specifically, are shaping the industry at a fast pace and on a global scale. With the potential for marked impact to the researcher community, this evolving landscape also serves as an opportunity for technology innovation and collaboration. This talk, a joint presentation from policy expert, Dr. Amit Elazari, and IoT platform architect, Anahit Tarkhanyan, will introduce the audience to a variety of regulatory concepts and baseline proposals shaping the future of IoT security. They’ll focus on recent trends including: NISTIR 8259, C2, international standards, supply chain transparency, researchers’ collaboration, proposed legislation, Coordinated Vulnerability Disclosure, and the innovative, technical capabilities that can support and enhance development from the foundation up.

Bios:
Dr. Amit Elazari is a Director, Global Cybersecurity Policy at Intel Corporation and a Lecturer at UC Berkeley’s School of Information Master in Information and Cybersecurity. She holds a Doctoral Degree in the Law (J.S.D.) from UC Berkeley School of Law and graduated summa cum laude three prior degrees. Her research in information security law and policy has appeared in leading technology law and computer science journals, presented at conferences such as RSA, Black Hat, USENIX Enigma, USENIX Security, BsidesLV, BsidesSF and DEF CON Villages, and featured at leading news sites such as The Wall Street Journal, The Washington Post and the New York Times. In 2018, she received a Center for Long Term Cybersecurity grant for her work on private ordering regulating information security, exploring safe harbors for security researchers. She practiced law in Israel.

Anahit Tarkhanyan is Platform Architect at Intel and leads IoT hardware-based security product architecture. She joined Intel in 2011 and has over 20 years of industry experience delivering security solutions to the market. Her area of expertise covers silicon-based Edge to Cloud systems security and AI/ML protection. Anahit is a recognized contributor to Intel’s hardware security and a trusted advisor for ecosystem partners. She has PhD in Distributed Computer Systems and Networks, holds several patents, and has publications in diverse security technology areas.

Abstract: Do you ever play iSpy with the smart devices around you and wonder how easy it is to hack shit and get CVEs? In the Zoomer era, smart devices are extremely accessible, generally cheap and not very security focused. In this talk, Sarda (a fellow Zoomer) will walk the audience through the basic methodology, tooling, exploitation, and disclosure process used when hacking an IoT device. This talk will include a “livish” demo of the exploitation of 5 CVEs, including remote code execution and telnet access, discovered while researching the Tenda AC1900 router—which can be chained to provide persistent root shell access to the device

Bio:
Sanjana Sarda is a Junior Security Analyst at Independent Security Evaluators and is a rising Electrical Engineering senior at UCLA. She is primarily focused on Cryptography, IoT and Hardware Security and hiding from her dog. Sarda has been researching various IoT devices and has discovered several CVEs. Her research has been covered by publications such as Motherboard, the Daily Swig, and ISMG.

Welcome to the Online IoT Hacking Labs! These labs are a set of quick, hands-on, self-guided exercises developed to teach the tools and techniques for discovering and exploiting some of the common weaknesses found in IoT devices today. Whether you're a penetration tester that has never hacked IoT devices or even someone that has never hacked anything(!), these self-guided labs will walk you through all the steps from analyzing router firmware, finding hidden backdoors, enumerating devices and performing remote exploits. Students work at their own pace following our IoT Hacking guides, and instructors are available in the labs-support channel to provide assistance as needed and answer any questions.

You can access the labs here https://labs.iotvillage.org/

Currently Offline

In this 3 time DEF CON Black Badge CTF, players compete against one another by exploiting off-the-shelf IoT devices. These 20+ devices all have known vulnerabilities, but to successfully exploit these devices requires lateral thinking, knowledge of networking, and competency in exploit development. Exploit as many as you can during the con and the top three teams will be rewarded.

You can access the CTF here https://ctf.iotvillage.org/

Currently Offline

Prizes generously provided by eLearnSecurity

1st – 1 Full Pentesting Training Path includes 1 Pen Testing Student (PTS) Elite Edition, 1 Pen Testing Professional (PTP) Elite Edition and 1 Pen Testing eXtreme (PTX) Elite Edition (Value = $4100)

2nd Place – 1 Pentesting Training Package to include 1 Pen Testing Student (PTS) Elite Edition and 1 Pen Testing Professional (PTP) Elite Edition (Value = $2100)

3rd Place – 1 Pen Testing Student (PTS) Elite Edition (Value = $500)

While researching UPnP vulnerabilities I became frustrated with the currently available UPnP tools. Some devices that I knew had UPnP just weren't found with any of the tools I tried. Out of this frustration, came a new and improved BHunter extension for Burp Suite. In this lightning talk I'll go over some of the issues I found and the improvements made to it, and I'll give a demo of the tool in action.

Bio:
Trevor is the Founding Partner of Loudmouth Security, an elite penetration testing and red teaming company in Canada's National Capital. Trevor has a black badge from DefCon 26 and is co-organizer for IoT Village at conferences across the Canada and the US.