IoT Firmware Exploitation

Event on 2017-10-16 09:00:00
CPE/ECE Credits: 40

Course Description

This course is designed for hackers, tinkerers, and hobbyists with limited experience and an interest in embedded systems analysis and firmware evaluation techniques. It starts with a basic introduction to electronics, using a series of hands-on lab exercises to give the student a comfortable foundation in various embedded analysis tools and techniques, including exercises in extracting and analyzing flash images from live hardware. Students will learn how to identify and extract critical data in the firmware, and perform basic vulnerability analysis on embedded code.

The course continues with advanced emulation and exploitation techniques against MIPS Linux systems, including stack overflows, return to libc and return oriented programming. Students will develop buffer overflow exploits against live MIPS Linux devices using only a firmware update image – no hardware required! The course culminates with students identifying, exploiting, and patching 0-day vulnerabilities in a real-world embedded device. At the end of the course, students will have the knowledge and experience to perform hardware and firmware analysis of commercial off-the-shelf embedded systems.

Prerequisites

You will need the following to succeed in class:
- Intimate familiarity with the Linux operating environment
- Knowledge of common networking protocols (TCP/IP, HTTP)
- Experience with programming/scripting languages (C and Python in particular)
- Familiarity with any assembly language
- Familiarity with IDA Pro
- Experience with PC vulnerability analysis and exploitation
- Experience using binwalk would be helpful, but not necessary

Course Length

5 days

Day 1
- Introduction to embedded systems
- Identifying hardware
- Finding and interfacing with hardware debug ports
- Dumping firmware
- Firmware analysis and extraction
- Introduction to MIPS assembly

Day 2
- Finding and exploiting logic flaws
- Firmware emulation and debugging

Day 3
- Introduction to MIPS stack overflows
- Finding and exploiting real-world overflows
- Writing return-to-libc MIPS exploits

Day 4
- Bypassing MIPS stack protections
- MIPS shellcode execution

Day 5
- Exploit laboratory
- Cross-compiling tools for your target

Instructor Bios

Steve Sem practices offensive cyber operations in his day job. In his spare time he enjoys long walks on the beach as an elven lord in World of Warcraft. Steve has been a Reverse Engineer with Tactical Network Solutions for five years.

Craig Heffner is a Vulnerability Researcher and has 15 years' experience analyzing embedded systems – 10 actually paid while 5 were just “exploring” on his own. He’s also the creator of binwalk, and he operates the /dev/ttyS0 blog, which is dedicated to firmware hacking topics. He has presented at events including Blackhat and DEFCON. His skin has never been exposed to sunlight and is bioluminescent at 200 meters (656 feet) below sea level.

Private, on-site training is available. Call +1 (443) 276–6990 or email us at

at Tactical Network Solutions
8825 Stanford Blvd
Columbia, United States
