Jan 3, 2018
M. Carlton joined us to talk about being part of a leading professional reverse engineering team at Senr.io. We discussed her Embedded Systems talk about IoT and, in particular, Devil’s Ivy (check out the important ROP video to better understand the key concept). In this particular case, they found a buffer overflow in the gSOAP (SOAP) parser used by the M300 camera model.
Not only did this issue allow
spread quickly as a DOS among the M300 cameras but over 200 other
Axis cameras (Hurray for code-reuse) due to using the third party
M. uses several tools in her
- Debuggers like gdb
- Multimeters and oscilloscopes
She had some excellent
suggestions for improving the odds of NOT getting
- Put a password on any consoles and let it be changeable.
- Anticipate issues by performing security
wary of any third-party libraries you use. If there are updates to
these libraries, prepare to update quickly.
sure your systems are field patchable/updateable,
surface area. Limit the ability for others to analyze your system
by removing/disabling consoles, UARTs, features, and JTAG
more gates/obstacles on how easily any found exploits can be used
in the system.
- Unearth any default credentials used in your system and resolve them.
In the worst case, plan in advance for a security breach to expedite deployment.
Have comments or suggested names for us? Find us on Twitter @unnamed_show, or email us at firstname.lastname@example.org.
Music by TeknoAxe