IoT Village: Hacking The Internet of Things
An immersive, technical, one-day IoT Security workshop hosted by Independent Security Evaluators (ISE)
October 15th, 2018 | 9:00am - 5:00pm
About IoT Village
Organized by security consulting and research firm Independent Security Evaluators (ISE), IoT Village delivers advocacy for and expertise on security advancements in Internet of Things devices. IoT Village hosts talks by expert security researchers who dissect real-world exploits and vulnerabilities, as well as hacking contests consisting of off-the-shelf IoT devices.
The workshop is broken down into two sessions, to first learn about IoT hacking and then gain hands-on experience. Throughout the day, students are taught how to use a range of software-based tools that are integral to device analysis.
The minimum requirements for this workshop are a laptop that can connect to the network via either Ethernet or WiFi, a good attitude, and an eagerness for problem solving! Additional recommended requirements include Kali Linux or your preferred Linux distribution (you can run one in a VM). If you would rather use a different distribution, please ensure that you have common *NIX utilities such as binutils, grep, hexdump, file, nc, curl, ssh, and python, and a web proxy such as Burp Suite.
Session One: Lecture
9:00am - 1:00pm
The morning will consist of an introduction to hacking IoT. This four-hour, lecture-style session teaches students about secure design principles, effective use of hacking tools, and the strategies and tactics best utilized to be successful in the hacking contest. Students will learn how to discover and exploit vulnerabilities in IoT devices.
Session Two: CTF - Hands-On Hacking Contest
1:00pm - 5:00pm
The remainder of the day is focused on this highly interactive, hands-on competition, in which students try to find and exploit vulnerabilities in a range of connected devices. Students who can find vulnerabilities in devices known to be vulnerable win points; whoever obtains the most points wins an award! Instructors, who are subject matter experts, will actively engage with students, offering on-the-spot coaching to help them learn and compete.
Tools You Will Learn
- Packet capturing utilities
- Burp Suite
- Browser developer tools (both built-in and extensions or plug-ins)
- Spike and other fuzzers
- GDB and other debuggers
ABOUT THE INSTRUCTORS
Instructed by security researchers who have published research on hacking everything from cars to medical devices to smartphones to routers and more, this course teaches both principles and tactical execution… from a hacker’s perspective!
Josh Domangue serves Independent Security Evaluators (ISE) as Security Analyst. At ISE, Mr. Domangue works on various projects involving application security, network security, and reverse engineering. As one of the main organizers of the SOHOpelessly Broken CTF at IoT Village, Mr. Domangue has continued to improve the IoT hacking challenges and overall quality of the contest. Outside of work, he enjoys participating in security competitions, particularly CTFs. He also organizes and presents lectures at various venues on a wide range of topics within the field of information security.
Ian Sindermann is an Associate Security Analyst at Independent Security Evaluators (ISE), where he conducts rigorous security assessments of various computer hardware and software products. With a primarily self-taught education and prior experience as a wannabe sysadmin, his background lies in web application security, IoT devices, and *NIX systems. Insatiable curiosity has led to a variety of other interests including mainframes, legacy systems, hardware hacking, and whatever tech obscurities he can get his hands on.
- Understand the process of finding vulnerabilities within IoT devices.
- Understand common classes of vulnerabilities which plague IoT devices, how to exploit them, and what developers can do to mitigate them.
- Gain hands-on experience with exploiting IoT devices.
- Fundamentals of IoT security (aka “Why most IoT devices are vulnerable”)
- IoT Threat modeling
- How to identify & resolve vulnerabilities in Internet of Things technologies
- Approaches to and best practices for securing IoT products
- Hands-on experience finding and exploiting vulnerabilities
WHO SHOULD ATTEND
You will benefit most from this workshop if you have a technical or engineering background and want to better understand how IoT devices get exploited and what to do about it, or if you are:
- A programmer interested in learning how to build security into solutions
- A technology professional who wants to retool their skill set and/or learn new tools
- A software or hardware engineer working for a company that may expand into the connected device space
- A technology professional working at the intersection of software and hardware
- A technology professional working in an environment that may be impacted by “connected devices” especially in regard to issues such as user provisioning, access controls, rights management, network management, security information management, etc.
BENEFITS OF ATTENDING
As an Attendee
- Learn a viable methodology for conducting application security assessments and network penetration testing
- Learn how embedded systems get hacked, and how to make them more resilient.
- Acquire a valuable skill set: security assessment and testing.
- Learn from actual practitioners and get hands-on experience, not just slides and theory
For your Employer
- Broaden employees’ security awareness from I.T. to physical assets.
- Empower employees to better identify, assess and protect your mission-critical assets.
- Prepare your employees to defend against new threats that come with IoT adoption.
- Better understand how adversaries will leverage vulnerabilities in IoT devices to undermine the security of your organization.
ABOUT INDEPENDENT SECURITY EVALUATORS
Independent Security Evaluators (ISE) is an independent security consulting firm headquartered in Baltimore, Maryland, dedicated to securing high-value assets for global enterprises and performing groundbreaking security research. Using an adversary-centric perspective driven by our elite team of analysts and developers, we improve our clients’ overall security posture, protect digital assets, harden existing technologies, secure infrastructures, and work with development teams to ensure product security prior to deployment.