IoT thoughts: “Too Much Access Points – Exploitation Roundup” (2010)


Recent DDoS cases and the release of the Mirai botnet source code made clear, if any proof were still needed, that insecure IoT devices can be a threat not only to their owners but to the whole connected ecosystem.
Many security researchers were already aware of these potential threats, even before the “IoT wave” of the last few years.
The “wave” brought a name change from “network-connected embedded devices” to “IoT devices” and a constantly increasing frequency of “IoT threats” mentions, to the point that they have become a sort of “mantra” in the security community and in marketing departments.

The talks I gave in 2010 on Access Points exploitation already explored, in the context of APs, some of the advantages an attacker might gain when in control of such devices. With the proliferation of IoT devices now, those considerations are even more relevant and certainly not limited to APs only.
I realized that, although that research from 2010 is now outdated and fixes have been provided, those presentations might still be interesting for a glance into embedded exploitation and provide some insights which might still be useful today.
Unfortunately, they are not easily found on conference sites anymore. So, I decided to fill the gap and make them available here.

This posting also comes with an inner smile in seeing how and how much I personally evolved since those times.
Six years are definitely a significant amount of time.
…but I guess this happens to anybody peeking a bit back into his own past. 🙂

The slides of my presentation at Confidence 2010 can be found here:
CONFidence_2010_Too _much_Access_Points_-_Exploitation_Roundup_1.1
A condensed version of these slides was presented in a 15-minute lightning talk at HITB Amsterdam 2010.

The talk at SyScan 2010 covered the same topics, but demonstrated how remote exploitation of an internal LAN device could be performed by pivoting through a smartphone. URL shortening services and social networks fitted perfectly into the picture for such an attack scenario.
The slides of SyScan 2010 can be found here:
Syscan_10_Taipei_- _Too _much_Access_Points_-_Exploitation_Roundup

...and if you are still curious about these topics, you can dive into the posts of this blog, which provide further technical details.

Have fun!

Categories: IoT, Security

Mobile Security Lab @HITB Amsterdam 2010


My close friends from Mobile Security Lab will be at HITB Amsterdam, presenting further extensions to our “Hijacking Mobile Data Connection” work, named Hijacking Mobile Data Connections: State of the Art.

It has already been shown how such an attack could become pervasive by itself here and here.
Exploiting the implicit trust that each mobile user places in their own Mobile Operator, and leveraging the richness of the protocols built on the SMS bearer, which unfortunately are not backed by robust SMS sender authentication mechanisms, can be an interesting attack point for determined attackers.
Understanding how large the attack surface might be is one of the natural questions that arise in such a context.
The talk aims at presenting the state of the art of the techniques for carrying out the attack, and will provide insights on how the attack surface might be extended.

So, see you in A’dam... as I’ll probably be there myself 🙂

Speaking at CONFidence 2010!


After some months spent working on and performing research on embedded devices, I’m now able to present some of the results...

My submission for CONFidence 2010 has been accepted and I have been selected as a presenter for the conference, where I will be speaking on the security of access points in a talk named “(Too much) Access Points – Exploitation Roundup”.
As is widely known, research on wireless devices has mostly focused on finding vulnerabilities at the communication or configuration level, but not much material is available on the actual exploitation of these devices or, more generally, on the exploitation of embedded devices.
The talk focuses on the execution of arbitrary code on the selected targets through the exploitation of binary-level vulnerabilities on the Linux/MIPS platform, which is broadly used in embedded networking devices. Live demonstrations of specific attack scenarios will also be provided.

Further details on the talk are available on the CONFidence 2010 website:

...but for the real juice I suggest coming to CONFidence 2010, where lots of interesting talks, which I’m eager to attend myself, will be presented 🙂
See you in Krakow!

Categories: Security