October 25-28, 2017!! We’re going to have so much fun! Hopefully you can join us!
Friday, October 27 • 16:00 - 16:45
Peakaboo - I own you: Owning hundreds of thousands of devices with a broken HTTP packet

Imagine that you've purchased a small, cheap IP security camera to feel just a little better about your own physical security. Now imagine that the people who designed that camera know nothing about secure programming, security or programming at all. Imagine that your precious camera can be hijacked into a botnet with only one broken HTTP packet. Now stop imagining. At the end of 2016, my fellow researcher Yoav Orot and I published our research paper about hundreds of thousands of white-labeled IP security cameras being vulnerable to a simple attack that allows an attacker to gain complete control of the camera, including code execution as root without any ability to patch. Our research was published on dozens of websites and was even covered by security blogger Brian Krebs. We did not publish any technical details yet since we had to wait for the vendor's answer. This talk will dive deeply into the product, our research process and into the vulnerabilities themselves. I will walk through all of the steps in our research (from hardware hacking to firmware dumping and just plain old reversing), demo the exploits and explain, step by step, where the developers went wrong, what could have been done to avoid this situation and why this problem is so severe. There will be root shells, there will be exploits, there will be tears. Attendees of this talk will leave with some insights about IoT security and embedded device hacking.

Amit Serper

Principal Security Researcher, Cybereason
Amit leads the security research at Cybereason's Boston HQ. He specializes in low-level, vulnerability and kernel research, malware analysis and reverse engineering on Windows, Linux and macOS. He also has extensive experience researching, reverse engineering, and exploiting IoT...

Friday October 27, 2017 16:00 - 16:45 MDT
Pinecrest B