Content

Things That Go Bump In The Network: Embedded Device (In)Security

I’ve been giving and maintaining this talk all year and most recently gave it at SANS NS2008, which was an absolute blast! I OutOfService.jpgtaught the one-day “Up and Running With The Metasploit Framework” course, participated in the SEC560 penetration testing course, and got to lead a team of attackers in a three night hacking challenge. More on all that later, as I also presented on how embedded devices continue to be a threat. The goal of this talk was to raise awareness about the inherent insecurities in embedded systems, understand some example vulnerabilities and associated “exploits”, and identify defenses. I covered just how easy it is to “karmetasploit” the iPhone and some of the implications, an SSID script injection vulnerability in DD-WRT, and some interesting things I found on an Axis web camera.
As a side note, I was leaving Las Vegas early in the morning while people were coming out of the clubs, which was an interesting site to say the least. I happened to be standing next to Trent from www.i-hacked.com who stated how nice it would be run Karmetasploit as people were “under the influence” enough to click on anything (I suppose one could argue that people will click on anything even while not drinking). It got me thinking how interesting it would be to take over an iPhone and download all of the pictures stored on the phone, especially after a wild night in Vegas… In any case, you can download the latest (and final) slides here:
Things That Go Bump In The Network: Embedded Device (In)Security
Note: A previous version of this talk, including the audio version of the presentation, can be found here
The EeePC I was using seemed to pique the interest of many during the demo section of the talk. Below is some information about my EeePC setup:
* Eee PC 4G Surf Rev 701
* Madwifi drivers (I’m using this one) with the Karma patches from DigiNinja (I highly recommend these drivers over the ones in Backtrack, they seem to work far better)
* Metasploit 3.1-latest
* A copy of “evilap.sh” from the Backtrack CD with some modifications, primarily to make it work with dhcpd on Ubuntu (Example can be found in Episode 114’s show notes)
I believe this talk served its purpose, many have commented that they were going to bring this knowledge back to their respective organizations and begin to think about embedded system security differently. Mission accomplished? I’m not quite sure, while I believe that many have taken embedded systems security more seriously as end-users of the products, the vendors still have some work to do. I’d like to see more of:
* Vendors allowing the user to create the initial password(s) and security certificate
* Doing their own security evaluations before the product is released to the market
* Using secure protocols for management (SSL, SSH, SNMPv3, etc…)
With respects to defense and active scanning/penetration testing of your internal network, well, more on that later…

Paul Asadoorian

Paul Asadoorian is currently the Principal Security Evangelist for Eclypsium, focused on firmware and supply chain security awareness. Paul’s passion for firmware security extends back many years to the WRT54G hacking days and reverse engineering firmware on IoT devices for fun. Paul and his long-time podcast co-host Larry Pesce co-authored the book “WRTG54G Ultimate Hacking” in 2007, which fueled the firmware hacking fire even more.

Paul has worked in technology and information security for over 20 years, holding various security and engineering roles in a lottery company, university, ISP, independent penetration tester, and security product companies such as Tenable.
In 2005 Paul founded Security Weekly, a weekly podcast dedicated to hacking and information security. Paul grew Security Weekly into a network of security podcasts spanning multiple topics, such as application security and business. It has been estimated that Paul has conducted over 1,000 interviews with security professionals and hosted more than 1,000 podcast episodes in cybersecurity. In 2020 Security Weekly was acquired by the Cyberrisk Alliance.

Paul is still the host of one of the longest-running security podcasts, Paul’s Security Weekly, he enjoys coding in Python, telling everyone he uses Linux as his daily driver, poking at the supply chain, and reading about UEFI and other firmware-related technical topics.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.