Overview
Explore the intersection of AppSec and IoT security in this 45-minute conference talk by Alexei Kojenov, Lead Product Security Engineer at Salesforce. Follow a hacking journey that begins with a device's configuration settings and progresses through software reverse engineering, vulnerability discovery, and the responsible disclosure of six new CVEs. Kojenov walks through firmware analysis, decompiling, code review, and vulnerability demonstrations, showing how application security principles apply to IoT devices. Gain insights into the evolving landscape of tiny general-purpose computers and learn how to approach them from an AppSec perspective. See the similarities between attacking IoT devices and conventional applications, and be encouraged to expand your security expertise into new domains.
Syllabus
Intro
Common perception
Requirements
IoT Top 10
The proper Venn diagram
March 2020
What is live streaming
Hardware encoder
Fixing color balance
Port scan
Firmware backup
Password file
Password hash
Demonstration
Application Security Assessment
Authentication
Backdoor
HTTP Request
Code Review
Find
Multipart data
File upload
PNG upload
Buffer overflow
RTSP
Denial of service
Showdown
Responsible disclosure
CERT Coordination Center
Huawei
Ten months later
Summary
Taught by
OWASP Foundation