No announcement yet.

Cotopaxi: IoT Protocols Security Testing Toolkit

  • Filter
  • Time
  • Show
Clear All
new posts

  • Cotopaxi: IoT Protocols Security Testing Toolkit

    Saturday from 10:00 – 11:50 in Sunset 3 at Planet Hollywood
    Audience: IoT, AppSec Jakub Botwicz

    Cotopaxi is a set of tools for security testing of Internet of Things devices using specific network IoT/IIoT/M2M protocols (e.g. CoAP, MQTT, DTLS, mDNS, HTCPCP). These tools will be used by penetration testers or security researchers to identify IoT services and verify security vulnerabilities or misconfigurations. Currently available tools used for security testing, like nmap or OpenVAS, do not support all new IoT protocols. So possibilities to test IoT products and discover such devices in tested networks are limited. We are working to fill this gap with Cotopaxi toolkit. Main features of our toolkit are:

    - Checking availability of network services for supported IoT protocols at given IPs and port ranges ("service ping")
    - Recognizing the software used by remote network server ("IoT software fingerprinting") based on responses for given messages using machine learning classifier
    - Discovering resources identified by given URLs ("dirbusting")
    - Performing black-box fuzzing of IoT protocols based on corpus of packets prepared using coverage-based fuzzer
    - Identifying known vulnerabilities in IoT servers
    - Detecting network traffic amplification.

    New features in release for Defcon27 are:

    - client-side versions of protocol fuzzer and vulnerability tester
    - support for new protocols: SSDP and HTCPCP.

    Jakub Botwicz
    Jakub Botwicz works as a Principal Security Engineer at the Samsung Poland R&D Center leading a team of security researchers. He has more than 15 years of experience in information security and previously worked in one of the worlds leading payment card service providers, Big4 consulting company and vendor of network encryption devices. Jakub holds a PhD degree from the Warsaw University of Technology and multiple security community certificates including: GWAPT, CISSP, ECSA. Currently, he works providing security assessments (static and dynamic analyses) of different mobile and IoT components. His hobbies are rock climbing and mountaineering (especially on volcanoes!).