Seems like the world has completely changed in the last 12-24 months - * Multiple Global Conflicts * Launch of ChatGPT * CISO’s being held personally accountable for security breaches * Government Regulations on security * Economic Uncertainties (interest rates, layoffs)... All of these changes have played a major role in reshaping the security landscape. From adversaries with political motivations to another just trying to provide for his/her family. Security is no longer just your job, but you could actually be held personally liable. Oh and don’t forget that an adversary now has the ability to rewrite vulnerabilities with the click of a button, or can create deep fakes so real that a zoom call with multiple “people” was undetectable by a real person.

As cellular technologies continue to become more integrated into IoT devices, there has been a noticeable lag in comprehending potential security implications associated with cellular hardware technologies. Furthermore, the development of effective hardware testing methodologies has also fallen behind. Given the highly regulated nature of cellular communication and the prevalent use of encryption, it is imperative for security researchers to deepen their understanding of circuit design and the integration of cellular modems into IoT devices. In this presentation, I will introduce a wide-ranging testing and analysis methodology aimed at enhancing our understanding and evaluation of the security of IoT devices that currently rely on cellular communications. This methodology will encompass an examination of various cellular modem modules in use, their integration into circuit design, and hardware hacking techniques for interacting with communication circuits to control cellular modules, all for the purpose of security testing and analysis.

Once upon a time, there was a thriving community that sprung up around modding and tweaking Mazda's infotainment system. Then one day, Mazda decided to ruin everyone's fun by patching all the holes, restricting unauthorized access methods, and adding all manner of best-practice security measures. When device makers decide to get all modern and up-to-date, sometimes the only solution is to go primitive. In long neglected code meant to handle old legacy iPod devices lies a treasure trove of vulnerabilities that can still be used to get a foothold into an otherwise pretty well-secured device. In this talk, we will discuss what Mazda is doing to try to keep us out, and the old Apple device communication protocol that can be used to get us back in.

ATM security controls should protect critical functionality, financial data, and physical currency from unauthorized access. The financial institution ATM architecture is complex and often requires 3rd party license agreements to meet this security demand. Due to an expansive ecosystem of hardware and software components, compatibility requirements, and diverse approaches to ATM hardening, maintenance, and patching – significant security flaws can be continuously overlooked. These seemingly low-priority issues can lead to significant financial risk. Moreover, we have observed these ATM security controls to extend beyond the financial industry and are also present in the gaming/casino market. During this talk we will discuss our security research into 6 zero-day vulnerabilities, which bypass full disk encryption, security controls, and allow for full system compromise of a major ATM manufacturer.

This talk reveals stunning vulnerability findings in leading solar manufacturers that, when exploited, the stake is the grid. We'll explore three massive vulns in the management platform and discuss how they can be weaponized to become chilling nation security risks.

In recent years, the use of dash cams has surged, making them an essential component of modern vehicles. To enhance user convenience, many dash cams are now equipped with network connectivity. This growth in the dash cam market has heightened the importance of vehicle and personal data security. However, network-connected dash cams pose potential security risks to their availability and key functionalities. In this presentation, we will comprehensively analyze dash cams from various countries, including South Korea, the USA, Germany, and China, as well as built-in dash cams. During our analysis, we discovered numerous zero-day vulnerabilities (such as OS Command Injection, Logical Bugs, and insufficient authentication) that pose significant security threats. Vulnerabilities were primarily found during the dash cam boot process, configuration changes, and communications via custom protocols. We will detail the dash cam analysis process in the following sequence: [Analysis Process] - Acquiring firmware through official websites or apps - Extracting the file system to analyze the initial boot logic - Analyzing the boot logic to identify vulnerabilities or debugging ports to gain shell access - Utilizing the obtained shell for remote debugging of the main system Interestingly, our analysis of 10 different dash cams revealed that 4 devices used the same OEM board from a common manufacturer. These 4 devices shared similar vulnerabilities, and exploiting a vulnerability found in one device allowed us to successfully exploit all of them. Our research uncovered common security vulnerabilities across multiple dash cams, and we will discuss measures to prevent these vulnerabilities. We will particularly focus on analyzing the custom protocols used by dash cams and the security risks associated with them. This presentation aims to raise awareness of potential security threats in dash cams and encourage manufacturers to produce more secure products. We hope to drive industry standards and best practices to ensure the safety and security of these increasingly critical devices. By sharing our findings, we aim to highlight the importance of dash cam security and provide insights that can lead to more secure designs and implementations.

This presentation delves into the intricate process of generating a Software Bill of Materials (SBOM) for the Bob the Minions WiFi router by Davolink—a device whose firmware isn't publicly available. Traditional SBOM creation methods rely on readily accessible firmware, but Davolink's restricted release policies necessitated an unconventional approach. This talk covers the step-by-step journey of hardware disassembly, firmware extraction via SPI flash and JTAG/SWD interfaces, and the tools and techniques employed. Finally, we'll demonstrate how the recovered firmware is used to generate a comprehensive SBOM, highlighting any security vulnerabilities discovered and reported to the vendor. This session aims to provide attendees with practical insights into overcoming SBOM generation challenges in the IoT domain through hands-on hardware hacking, and leveraging the firmware and SBOMs for vulnerability discovery, as well as security improvement.

To make RFID access badges vendors in China have created eink badges where instead of printing a badge out you instead program the eink portion of the badge with an smartphone app and then program the RFID portion. At this time the ones that are sold are either black and white or black and white and red. There is no security implemented so all you need to do is download the app to reprogram the front of the badge. This makes anyone able to reprogram both the front and back of the badge.

Home surveillance technology is a modern convenience that has been made accessible to the masses through the rise of IoT devices, namely cloud-connected Wi-Fi cameras. From parents monitoring their infants to homeowners watching their entryways, these cameras provide users with access to instant, high definition video from the convenience of a mobile phone, tablet, or PC. However, the affordability of these devices and relative ease of cloud access generally correlates to flawed security, putting users at risk. We set out to explore the attack surface of various Wi-Fi camera models to gain a deeper understanding of how these devices are being exploited. In the end, we devised methods to gain local root access, uncovered user privacy issues, discovered a zero-day vulnerability within a prominent IoT device management platform that allows attackers to gain remote control of millions of cameras worldwide and access sensitive user data, and revealed how these devices may be vulnerable to remote code execution attacks through completely unauthenticated means thanks to an inherently flawed implementation of their underlying peer to peer networking protocol. Along with demonstrating our exploits against live cameras, we will highlight the methods used to obtain our most significant findings and provide guidance on remediating the issues we encountered so these devices can be used safely in your household. We will also invite audience members to probe and attack a camera during our talk and earn a prize in the process!

Yes, anyone can hack IoT devices and I’ll show you how! It doesn’t matter if you’re an experienced pen tester in other fields, completely new to cybersecurity or just IoT curious, by the end of this talk you’ll have the knowledge to hack your first device. You might be thinking - but I thought IoT was complicated, required knowledge of hardware, and expensive tools. In this talk, I’m here to dispel those myths by directly showing you the methodology, tools and tactics you can use to go and hack an IoT device today (or maybe when you get home). I’ll cover what IoT devices are best for beginners, what tools you need (and don’t need), how to build a small toolkit for <$100, common tactics to get a foothold into IoT devices and how to find your first vulnerability or bug.

From January to May 2024, a team of student researchers at Brigham Young University looked for 0days in a consumer-grade home router made by Vilo Living. By April 2024, they had found 9 zero days, 6 of which were critical. This presentation covers the process they went through from initial reconnaissance to hardware hacking to finding buffer overflows to reporting the bugs to the organization. Outline: Initial recon - OSINT on the company, previous vulnerabilities released (none), and black-box interactions with network services on the LAN Hardware hacking - identifying chips on the board, connecting to the UART interface, deciphering boot up info, dumping the flash memory (didn’t work), and observing reads/writes by the CPU to flash memory to obtain the firmware Cloud enumeration - discovering the AWS S3 buckets and IoT infrastructure, tracing cloud interactions (authenticating to the router remotely, retrieving MQTT certificates, etc.) Firmware enumeration - kernel + libc version, arch, how to emulate binaries on an x86 machine, compiling code to run on the router, what binary does what, etc. Vulnerability discovery - finishing reversing custom TCP protocol for mobile app->router interactions, searching for stack overflows, lack of authentication, command injection (and accidentally bricking 3 routers), info leaks, reviewing the 9 vulnerabilities we discovered, weaponizing and chaining some of the vulnerabilities, etc. Vendor disclosure - difficulty contacting the vendor in May 2024 with vulnerability details (they were almost dead), how the disclosure process went, filing for CVEs in June, publishing vuln details in August Conclusion - how stupid easy it is to hack IoT devices, how IoT vendors treat security issues, where future research can focus