Stepped on a Nail

  • aNullValue
    Moderator
    • Jun 2019
    • 584

    #1

    Title: Stepped on a Nail

    Description:
    It was a crisp October evening as Nerdwell walked the streets of the Internet looking for juicy bugs. Suddenly, his attention was drawn to something that he could not ignore. "Is that memory?" He thought to himself, "it sure is ... a whole heap of it!"

    In this talk, Nerdwell will share the story of how a chance observation, along with healthy doses of curiosity and persistence, ultimately led to a high severity finding of unauthenticated remote memory disclosure in the Mitel MiVoice 6800 and 6900 series SIP Phones. Nerdwell will take us through the technical details of CVE-2020-13617 and demonstrate exploitation. He'll then share some of the insights gained along the way, including:

    * Unexpected benefits of the emerging bug bounty industry upon IoT security in general;
    * The roles of curiosity and creativity in the hacker's mindset, and how these traits influence security research; and
    * Ways to use open source tools, like Shodan.io and GitHub, to select IoT devices for further research.

    The talk will close with suggestions for future research and tips for new researchers looking to break into the field of IoT hacking.

    Speaker(s): Matthew Byrdwell

    Location: IoT Vlg / IOT Vlg

    Discord: https://discord.com/channels/7082082...34565604655114

    Event starts: 2020-08-08 18:00 (06:00 PM) PDT (UTC -07:00)

    Event ends: 2020-08-08 18:45 (06:45 PM) PDT (UTC -07:00)

    For the most up-to-date information, please either visit https://info.defcon.org, or use HackerTracker, which is available for iOS and Android. This is an automated message, and this data was last modified 2020-08-08T03:04 (UTC).
    Last edited by aNullValue; August 7, 2020, 22:28.