Using cloud implementations to hack IoT. A practical guide working on multiple vendors
2020-09-03, 14:00–14:40, Main stream

Abstract (short): With all IoT vendors moving to cloud management, we felt it necessary to have a look at some of those implementations. In this talk, we'll showcase our latest findings on 4 popular vendors and their cloud implementations, starting with authentication bypasses and device tampering and going as far as RCE relayed through the cloud and connect-back shells.

With all IoT vendors moving to cloud management, we felt it necessary to have a closer look at their implementations, starting with an analysis of app - cloud - device communication, then impersonation, authentication bypasses and even RCE. Our team has been publishing papers and talking about IoT cloud security for the better part of the last 5 years, and this talk is the latest installment in that series, showing our latest findings on 4 vendors. Here's a teaser: most cloud implementations don't actually use traditional authentication between the management app and the device, and virtually all the binaries we analyzed do not use ASLR. This talk will provide full details on how to get started with IoT cloud security research, as well as 4 recent examples of vulnerabilities we identified and exploited on platforms hosting millions of devices.
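The observation above that the analyzed device binaries do not use ASLR is something a firmware auditor can verify quickly: on Linux-based IoT devices, ASLR only randomizes the main executable's load address if the binary was built as a position-independent executable (ELF type ET_DYN rather than ET_EXEC). The following triage script is an added example and not code from the talk or from Bitdefender; it parses just enough of the ELF header to report whether a binary is PIE, handling both little-endian (typical ARM) and big-endian (common on MIPS routers) images. The sample headers it inspects are constructed inline, and the sample names are placeholders.

```python
import struct

# ELF header constants (from the ELF specification)
ELF_MAGIC = b"\x7fELF"
EI_CLASS, EI_DATA = 4, 5       # byte offsets inside e_ident
ET_EXEC, ET_DYN = 2, 3         # fixed-address executable vs. position-independent
EM_MIPS, EM_ARM = 8, 40        # e_machine values used only for the constructed samples


def elf_type(data: bytes):
    """Return (class_bits, byte_order, e_type) parsed from an ELF header.

    Raises ValueError for anything that is not a well-formed ELF header,
    which is exactly what you want when walking an extracted firmware tree
    full of scripts, config files and data blobs.
    """
    if len(data) < 20 or data[:4] != ELF_MAGIC:
        raise ValueError("not an ELF file")
    bits = {1: 32, 2: 64}.get(data[EI_CLASS])
    order = {1: "<", 2: ">"}.get(data[EI_DATA])   # 1 = little-endian, 2 = big-endian
    if bits is None or order is None:
        raise ValueError("unknown ELF class or data encoding")
    # e_type is the 16-bit field immediately after the 16-byte e_ident block,
    # so it must be decoded with the byte order the header declares.
    (e_type,) = struct.unpack_from(order + "H", data, 16)
    return bits, order, e_type


def is_pie(data: bytes) -> bool:
    """True if the main image can be relocated by ASLR (ET_DYN).

    Caveat: shared libraries are also ET_DYN. A full check would additionally
    look for a PT_INTERP program header to confirm this is an executable, but
    for triaging daemons found under /bin or /sbin this test is sufficient.
    """
    _, _, e_type = elf_type(data)
    return e_type == ET_DYN


def make_header(bits: int, order: str, e_type: int, machine: int) -> bytes:
    """Build a minimal, constructed ELF header for demonstration purposes."""
    ident = (ELF_MAGIC
             + bytes([2 if bits == 64 else 1, 2 if order == ">" else 1, 1, 0, 0])
             + b"\x00" * 7)                    # pad e_ident to 16 bytes
    # e_type, e_machine, e_version follow e_ident; explicit byte order => no padding
    return ident + struct.pack(order + "HHI", e_type, machine, 1)


# Constructed samples standing in for binaries pulled from two firmware images.
SAMPLES = {
    "arm_le_pie_daemon": make_header(32, "<", ET_DYN, EM_ARM),
    "mips_be_fixed_daemon": make_header(32, ">", ET_EXEC, EM_MIPS),
}


def triage(samples: dict) -> dict:
    """Map each sample name to 'PIE' or 'no-PIE' (i.e. ASLR cannot move it)."""
    return {name: ("PIE" if is_pie(blob) else "no-PIE") for name, blob in samples.items()}


if __name__ == "__main__":
    for name, verdict in triage(SAMPLES).items():
        print(f"{name}: {verdict}")
```

On a real firmware extract the same `is_pie` call is run over the first 64 bytes of each file; the big-endian branch matters because a little-endian-only parser would misread `e_type` on MIPS images and silently misreport fixed-address daemons as PIE.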

Alex (Jay) Balan is the Chief Security Researcher and Spokesperson for Bitdefender. His career is focused on information security, innovation and product strategy, fields in which he has accumulated over 15 years of experience. Balan drove the vision for Bitdefender's UNIX-based security solutions before kickstarting an ambitious project that would advance the company's R&D department and steer a good part of the company's focus towards technology and innovation.