Discover an innovative approach to automated black-box security testing of IoT and embedded devices in this 50-minute conference talk from the Hack In The Box Security Conference. Learn about the limitations of traditional black-box fuzzing and companion app-based techniques when applied to IoT devices. Explore a novel method that leverages "fuzzing triggers" within companion apps to generate optimal fuzzing inputs, bypassing app-side validation while maintaining valid input formats. Gain insights into Diane, a black-box fuzzer that combines static and dynamic analysis of Android apps to automatically identify and utilize fuzzing triggers for both WiFi and Bluetooth-connected devices. Examine the results of testing 11 popular IoT devices, including the discovery of 9 zero-day vulnerabilities. Investigate additional applications of this approach for identifying vulnerable update mechanisms and auditing trusted execution environments in embedded devices.
Automated Black-box Security Testing of Smart Embedded Devices
Hack In The Box Security Conference via YouTube
Overview
Syllabus
#HITB2023AMS D2T2 - Automated Black-box Security Testing Of “Smart” Embedded Devices - A. Continella
Taught by
Hack In The Box Security Conference
Related Courses
-
DIANE- Identifying Fuzzing Triggers in Apps to Generate Under-constrained Inputs for IoT Devices
-
CI - CD With SAST And DAST For Embedded Devices
-
Advanced Mutation Fuzzing Method for Wireless Protocols
-
Breaking into Embedded Devices and IoT Security
-
Securing the Internet of Things - IoT Through Security Research and Vulnerability Analysis
-
A QEMU Black Box Escape Via USB Device
