Talk

Live Hack: Demonstrating Common IoT Security Weaknesses

Watch Now

31:21

EOC 2022

Login to Watch

Joe Hopper

Joe Hopper is a Principal Security Consultant (Professional Ethical Hacker) for Fracture Labs, a technology security company with a strong focus on securing embedded systems and the Internet of Things. Prior to starting Fracture Labs, Joe spent 15 years in various engineering roles (application, infrastructure, and security) with Fortune 500 companies. He has hacked devices from smart lights and security systems to industrial vehicles and airplanes.

View full profile

Topics Covered

IoT Security

Talk

Live Hack: Demonstrating Common IoT Security Weaknesses

Joe Hopper

31:21 EOC 2022

Joe Hopper

31:21

How would hackers attack your IoT device? Joe Hopper, Principal Security Consultant at Fracture Labs, will demonstrate several complex hacks against off-the-shelf IoT devices to shed light on the design and implementation weaknesses seen across the industry. He will walk through common attacks such as: finding and connecting to hidden serial consoles, boot process hijacking, memory analysis, firmware extraction, password cracking, and more to gain unauthorized access to IoT devices and customer information.

By using the same approach hackers use against your devices, you will walk away with a better understanding of where and how you need to tighten security controls.

1 / 4

Please log in or create an account to test your knowledge and see the answers.

When you find an unlabeled three-pin header on an IoT board and want to determine whether it is a UART serial console, what did Joe Hopper demonstrate as the correct first approach?

A Hook up a USB FTDI cable immediately and try different baud rates until you see readable output.

B Use a multimeter to locate ground and a logic analyzer to capture signals during power-up, then apply a serial decoder to identify UART traffic.

C Assume the middle pin is VCC based on the board layout, probe it with power to see if it powers the board.

D Desolder the chip connected to the header and read its datasheet to confirm the interface type before making any connections.

E Only rely on silkscreen labels or module datasheets without doing any live signal capture.

What specific technique did the speaker use in U-Boot to bypass normal authentication and obtain a root shell on the device?

A Reset the device to factory defaults using a U-Boot command.

B Brute-force the root password at the login prompt until it succeeds.

C Append a '1' to the bootargs to drop the kernel into single-user mode and then boot.

D Remove the init=/linuxrc bootarg so the system never starts init and instead gives a shell.

E Exploit a buffer overflow in U-Boot remotely to spawn a shell.

When an exposed SPI flash chip is present on an IoT board, what extraction method did Joe recommend as faster and preferable to dumping memory over UART?

A Dump the firmware by letting U-Boot print the flash contents over the UART console and capture the entire session.

B Use a logic analyzer to record the SPI lines during normal operation and reconstruct the ROM contents from the trace.

C Attach a SOIC clip to the SPI flash and use a flash programmer (e.g., flashrom) to read the chip directly.

D Scan the device from the network with nmap and download firmware via open services.

E Physically remove the processor and read internal memory with a microscope technique.

According to the talk, what is the most appropriate way to protect secrets stored on IoT devices so attackers who extract firmware or access hardware cannot recover sensitive credentials?

A Rely solely on strong, complex passwords stored in the filesystem because cracking will be slow.

B Store secrets in the filesystem but obfuscate them (simple encoding) to deter casual inspection.

C Protect secrets with hardware-backed solutions like a TPM, secure element, TrustZone, or secure vault, and lock flash so extraction is blocked.

D Disable debugging interfaces only during manufacturing and leave them enabled in production for convenience.

E Assume attackers won't have physical access, so protect only network interfaces and ignore hardware protections.

Formatting help

italics	surround text with asterisks
bold	surround text with two asterisks
hyperlink	[hyperlink](https://example.com) or just a bare URL
inline code	surround text with single `backticks`
code block (multi-line)	wrap on its own lines with three backticks: ``` your code here ```
~~strikethrough~~	surround text with ~~two tilde characters~~
quote	prefix with >

Upvotes Newest Oldest

Jordan

Score: 1 | 4 years ago | no reply

Thanks for the awesome talk Joe, I learned so much that I'm now afraid to connect any wireless device in my house ha. But seriously there are some great examples in this talk about how devices can be exploited, and how easily it can happen. It has really openned my eyes a lot more to IoT security.

Partners & Sponsors

Percepio

Edge Impulse

STMicroelectronics

Renesas

Amazon AWS

The Qt Company

NXP

TUXERA

XMOS

Timesys

Saleae

Become a Sponsor