Discover an innovative approach to automated black-box security testing of IoT and embedded devices in this 50-minute conference talk from the Hack In The Box Security Conference. Learn about the limitations of traditional black-box fuzzing and companion app-based techniques when applied to IoT devices. Explore a novel method that leverages "fuzzing triggers" within companion apps to generate optimal fuzzing inputs, bypassing app-side validation while maintaining valid input formats. Gain insights into Diane, a black-box fuzzer that combines static and dynamic analysis of Android apps to automatically identify and utilize fuzzing triggers for both WiFi and Bluetooth-connected devices. Examine the results of testing 11 popular IoT devices, including the discovery of 9 zero-day vulnerabilities. Investigate additional applications of this approach for identifying vulnerable update mechanisms and auditing trusted execution environments in embedded devices.
Automated Black-box Security Testing of Smart Embedded Devices
Hack In The Box Security Conference via YouTube
Overview
Syllabus
#HITB2023AMS D2T2 - Automated Black-box Security Testing Of “Smart” Embedded Devices - A. Continella
Taught by
Hack In The Box Security Conference
Related Courses
-
CI - CD With SAST And DAST For Embedded Devices
-
Advanced Mutation Fuzzing Method for Wireless Protocols
-
Securing the Internet of Things - IoT Through Security Research and Vulnerability Analysis
-
Automated Dynamic Firmware Analysis at Scale - A Case Study on Embedded Web Interfaces
-
Gattacking Bluetooth Smart Devices - Introducing a New BLE Proxy Tool
-
Embedding Security in Embedded Systems
