
Okay, for everybody in the room, just now we have "Don't Get Caught Embedded", "Embeddable"? "In Bed", yeah, "Don't Get Caught in Bed: Finding and Preventing Software Security Flaws at Its Lowest Level" with Aaron Guzman. Thank you.

Hello everyone, pretty big room here. I'm going to take a little kind of a poll to gauge interest or background. So who in here has done, I'd say, hardware hacking? We'll start there. Alright, we have some people. How about firmware reversing? Okay, so we're going to go through a lot of that. How about application security in general, mobile, web? Okay, cool, a lot of appsec people. Okay, I'm going to go ahead and get started.

My name is Aaron Guzman, my Twitter handle is up there. My research has been around mobile, IoT, embedded as well. I've spoken at DEF CON IoT Village the last couple of years, again on IoT, and hopefully this year I have some car hacking research that I did over in a vacuum in February, some cool stuff, so hopefully you'll see me there again; look out for that as well. I'm also a technical editor for Practical Internet of Things Security, a book. I'm also writing an IoT pentesting book right now for Packt Publishing, so sometime in the summer it should be published, I'm hoping. I've also spoken at RSA. I'm also one of the organizers for AppSec California, so I'm also on
the board for OWASP Los Angeles. So AppSec California is basically, we have a conference on the beach the last week of January, so if any of you guys want to get away from the cold, the cloudiness, you know, we have a ton of great speakers; a lot of, for example, the Java deserialization talk came out of our conference. If you guys want to volunteer, we're looking for volunteers, that's a free way to get in. I'm also on the board for the Cloud Security Alliance Southern California, previous president as well. My previous employer was Belkin and Linksys, doing security for Linksys. Anybody here with Linksys
routers? Okay, that's all. So I was managing the networking, like the routers and the cameras, on the security side and infrastructure; that's kind of how I got wrapped up in the embedded and IoT type of space. Now I am working in security, we actually have an office here in Edinburgh, a great company; obviously you know I'm here from Los Angeles, so they definitely promote community involvement. So if you guys are pentesters, you know, it's a great place to be. We also have, you know, more like managed services, for example. But, you know, to get started, to jump in, what is embedded technology? You know, kind of a broad term, not really a definition. What about embedded? Routers, obviously; we have connected vehicles, cameras, basically small devices that have a small footprint and memory and storage as well. You have doorbells, video doorbells, those are fun; lights; traffic lights, even, you know, some cities are completely run over with a bit of technology, but even wireless as well; parking meters, cities like San Francisco have a ton of parking meters, even in Los Angeles; medical devices; smart TVs. So this is nothing you guys are probably not already familiar with, but just to kind of set the stage there. And kiosks as well, and of course ICS systems, which are fun and interesting and a different type of beast, but still
embedded, different operating systems as well. With that, so generally embedded and Internet of Things, except, you know, network connectivity is just the difference. So, you know, let's not get wrapped up in the semantics of embedded; but again, other people do label them as IoT now. It's not new, it's just now we're connected over the internet. So, I mean, obviously you're not supposed to read all this, but just to get an idea of the IoT landscape: you know, so many different spaces, with connected vehicles and industrial internet, enterprise, and even telecom. You have platforms; you know, obviously everyone's writing code, everyone's touching this one piece of small device, you know, it starts from the hardware down to the
firmware to the mobile apps to the web applications as well. So, huge space, obviously it's only getting bigger and it's inevitable worldwide. So don't worry about squinting, it's just obviously really, really big. So again, this is about kind of how devices are being made, so like the supply chain of IoT devices: you have a PCB, you know, hardware designs in the beginning, you want to map out your peripherals and also have your BSP; so that's usually, like, the device driver makers who connect the hardware and software, Broadcom, Marvell; even with, like, say, your Wi-Fi chipsets or your PCs, usually you'll see, like, Marvell for example, they're also pretty common,
along with Broadcom. There was zero-day research from Google, I think last week, for Broadcom, basically a remote code execution, so that's kind of where it stems from, the driver makers. BSP: if you have to choose who supports the peripherals on your device, you know, it's going to be featured. You have the ODM; the ODM is basically the biggest problem in the embedded and IoT space, and I say usually, somewhere along the line, because they're usually somewhere in Taiwan. I was on, like, you know, several different calls for product design with Linksys, and you're speaking with companies, you know, ten to fifteen people, you know, five or six project managers, you have three different developers who
write either the UI and then some C, C++; but whenever you hear of bugs, like, say, D-Link, Netgear, even Belkin, they're all affected by this one type of firmware or bug, for example, it's because they're using the same ODM. They have the right to repackage that software and distribute it to any other third party; that's an OEM, we'll support here. So, like, to back up a bit, the cloud: you also have a cloud service provider who provides, you know, remote access, for example, so it's usually like the Amazons, the Azures, not really DigitalOcean, but those are usually the most common; even the connected vehicles that I've tested, they're usually running off of Amazon, which is
pretty interesting. So again, the OEM supports basically the whole supply chain from beginning to end, even if there's an issue with the ODM. The ODM, like I said, it's a small team, so they're also a dime a dozen, meaning that the cheapest ODM who's able to supply code for the OEM is going to win, because the margin is so small on these devices to make money as an OEM. Okay, so say that there is a bug that gets published on a ten-year-old camera, but the ODM is no longer in business. Usually what the ODM does is supply a binary over to the OEM and it just has to pass a number of unit tests in order for the OEM to
accept it, and now the ODM isn't in business, who's going to fix it? You know, there's no, like, set rules for consumer devices, but even for commercial devices as well. So it's kind of crucial here, the ODM, the guy in the middle, who's providing, you know, much of the code that the OEM is supporting and just building upon. So an OEM could be Nest, it could be a number of different other manufacturers, but again, just the embedded or IoT type of supply chain, this is kind of how it looks, and from my experience, again, I think this guy is a key player and he or she is the one who's
causing a lot of the issues that you see on the internet, it's from the ODM side. So what these devices commonly run on: embedded Linux is probably the most common for non-commercial devices, you know, some of them are even based off of Android, and really old kernels; I still see new products being deployed with 2.6 kernels when we're up to, like, 3.x, 4.x or something like that. Even with Android, I also saw a Kickstarter, this is supposed to be an IoT security device, that has Android 4.4 running, which is ancient. You have real-time operating systems, RTOSes, those are usually licensed and commercial, you have VxWorks and QNX and Green Hills; but you have Windows
Embedded, I'm obviously not a Windows guy, Windows IoT Core; these two are not so common here. So just to discuss, you know, a little bit of what happened in 2016: obviously more and more medical device research, more insulin pumps and even basically sensors that are being triggered in everybody's body to kind of collect metadata; you have a lot of clear-text communications; you have, you know, consulting and testing companies who are doing this research to basically analyze the state of the medical field, whether in hospitals or the devices themselves. You have consumer: a ton of backdoors, hard-coded credentials, command injection everywhere, definitely. This is how people, I think one of the speakers later on today, one of
the keynotes, I think he presented it at DEF CON IoT Village, where based off of command injection they were able to upload their own firmware and then provide ransomware to a thermostat, which was pretty cool; but that's what you can do, this is the power of command injection. Mirai: you get to the Mirai that basically took down our country. Connected vehicles: take the Google research, obviously a ton; you have Tesla; I've spoken a little bit about my research, but there's a ton, you know, obviously year after year it's going to get more and more common. You have bug bounty programs with, you know, Bugcrowd for example; commercial cameras and ransomware as well, even with
the hotel, you know, the bit about the hotel where everyone got locked in their rooms, that was pretty funny. ICS systems, same thing, there's always, if you look at ICS alerts, you know, Google ICS alerts or advisories, there's a ton, it's all the same examples: clear-text communications, CVEs that get published, as well as backdoors, not router backdoors, which is a general backdoor, meaning hard-coded credentials and even accounts that can be used to bypass authentication. So again, it all goes to passwords. So again, Mirai, as I said, it basically took down our East Coast, and we live on the West Coast, oh yeah. So basically, you know,
DDoS, you know, Dyn DNS; but again, it's pretty huge, I think it was over a terabyte, it was said to be over a terabyte, the biggest DDoS in history, and it's only going to get bigger. These were all, you know, obviously taking advantage of insecure coding of devices, of cameras and routers, basically consumer devices were taken advantage of, and settings were changed, and it was able to, you know, obviously overload Dyn's servers. So, I mean, think about how, you know, that's obviously the biggest DDoS, but I think the scale of it, it's going to continue to grow, but also, you know, a new type of ransomware. And also these
devices, I can only imagine, you know, a lot of these mom-and-pop places that have cameras installed, they have installers put it in and they don't know the IP address, they don't know how to upload the firmware, change the firmware, whatever it may be, now they're at a loss. And even, you know, there's a couple of recordings of the so-called actors who created Mirai, that whenever they would lose a connection from a device, let's say someone reset their router or reset their cameras, they would just rerun their sniffing and add more nodes, simple as that. With a ransomware problem it would probably be a different situation; it's going to be
interesting, even with the connected car type of environment, you know, you don't have to lock out the electric car, but if something comes up in your infotainment system, you know, while you drive on the highway or whatever it may be, and it says, you know, pay however much money or your car is going to break and stop, you know, I'm pretty sure I'll stop, even if I don't know what's going on. So kind of different methodologies or types of perspectives with embedded devices and IoT in general. So for context, if you don't know about the whole Mirai thing,
if you don't know it, so this is the attackers from Mirai, whenever they rerun the script they get more nodes; that's from a chat, by the way. So, emerging technology, the stuff that's interesting in this space: we already talked about the things you guys already know, but what is emerging technology? Humans, nanotechnology; we're going to talk about carbon-based nanotechnology, little small, you know, nanometer-size, a fiber type of embedded device; they're not a device, but, I mean, it's still a product the size of a hair. I think in February is when MIT released research where they're actually able to upload code and it has input and output to run this code, and again carbon fiber, so it's
durable and strong. It's basically created to collect data for a long period of time for patients and monitoring, and there's a language, it's called Verilog, it's an HDL type of language, but they have web applications to automate the code base off of DNA sequences, and they call it the language of cells. It's also an official standard, I forgot which standard, I have it here, I believe 1364-2005, so it's been around, it's been around since the nineties even, but this is the official standard in 2005. So attacking humans, right, that's pretty, you know, obviously even IoT, that's kind of the new, you know, you're bridging technology and human safety and life online. But, you know, nanotechnology,
obviously you can probably cause some more damage, even if you're collecting data; but what about injecting? So again, it's literally a programming language for bacteria is what Verilog is; this is a professor from MIT: a text-based language, just like it's programming a computer; then you take the text, it compiles to a DNA sequence, and you put it into the cell and the circuit runs inside the cell. Crazy, right? So previously it would take years to build these types of circuits; now you just hit the button and immediately get a DNA sequence to test. So that got me down a little rabbit hole for a while and I found basically the little web app
that they use for Verilog, and it's almost like a C-looking type of programming language. I created a test account here and just poked around; I don't know, I'm not a biologist, I don't know DNA sequences, but I was just kind of throwing things in there and this is what it output here. But obviously you have to have some sort of nano hardware to load that firmware on in order for it to run; but again, obviously this is going to be the platform that they're going to be using to upload the firmware, you know, have it run in someone's body, and just by, you know,
probably injecting something in the web application, you know, it might cause something severe, you know, that's what I'm thinking. So here it is: "Tiny fibers open new windows into the brain; three-in-one design allows genetic, chemical, optical and electrical inputs and outputs"; that was February 21st, this just past February. So it's being used, they're testing it right now, and that's a new type of target and things that we're going to continue to see as far as embedded technology and even network connectivity. Even so, this was just kind of the usage of it: "make it possible to leave implants in place and have them retain their functions over much longer periods than
currently possible with typical stiff metallic fibers, enabling more extensive data collection", kind of what I was referring to earlier. So, kind of taking a different approach, how can we secure these types of embedded devices, not with the Verilog language, but specifically what I'm going to focus on is embedded Linux, since it's the most common and what you see in, you know, firmware and drones, things like that, consumer-wise. Some of the best practices are buffer and stack overflow protection; injection protection, so that could be command injection, it could be cross-site scripting, for example, still very alive and well; firmware updates and cryptographic signatures, medical devices
should be using this, and even drones; I think, you know, there are certain regulations to not fly within airport ranges; to be able to repackage firmware and upload that to bypass those controls, if it were cryptographically signed and verified, that wouldn't be possible. Securing sensitive information; identity management; hardening the framework and your C-based toolchain; also the usage of debugging code and interfaces, so that could be hardware as well as backdoors; I'm going to go through each of these right now; TLS, you know, communications in the application or the embedded device; and usage of data collection and storage, privacy; and third-party code and components. Because it's based off of a
research project that I lead for OWASP called the Embedded Application Security Project, and we just released version 1, and again it's based on embedded Linux, but the next version is going to iterate with RTOS and also Windows IoT or Windows Embedded. So if you guys have any expertise in those areas, please, you know, the more people the better to review these best practices; we want manufacturers to see them, we want people to be aware, and there are practical examples, basically non-compliant and compliant examples of, you know, what causes, you know, we'll go through them in a second, but what causes command injection, what's a good example, what's a bad example. Usually now you'll have, for
example, like, there's plenty of research and guidance documents on how to reverse engineer or attack these devices or firmware, but there's not much on how a developer can really protect some of these, in their language; they get handed a PDF, okay, you know, "verify input", "prevent command injection", with words, you know; they want to see code examples, so that was kind of what I aimed to do. That's the link to the GitHub, the GitBook of the best practices. So buffer and stack overflow protection: prevent usage of dangerous C functions. This is exactly, you know, a basic, you know, if you have the code in front of you, if you're working for a manufacturer, a basic find and grep for
some of the vulnerable functions; it's just so you know, there's a whole list of them which you can also search for, but it's just an example you can use. Use safe equivalent functions for known vulnerable functions, well, that sounds really weird, so yeah, so there are equivalents where, you know, some of these, strcpy, strlen, you can use alternatives. Also check the bounds of the buffer; for example here, someone gets, fgets is one example, there's loads of them. Ensure that the compiler has the correct flags, so like stack protection, and sometimes even the build system for these devices can automatically input these compiler flags, so for stack protection, you know, with Buildroot
and Yocto you can do this, literally a menu that you can select stack protection to enable when building your firmware. Here's an example, that's all it is, you know, and why don't manufacturers do that? It's pretty simple, there's obviously a ton of other things you can enable; we'll just enable stack protection, again pretty straightforward, you don't have to do much; again, this is Buildroot here, a lot of people use this for their firmware. This one's for strcpy, take a glance at that, a joke slide about strcpy and sprintf: "the decision you can never take back, that's one waiting
till I'm older, and there's a string handling function that's right for me". So injection prevention: you know, you can whitelist, accept the command; you can also map them, map commands, accept the commands, to like a numbering format, and number to command, I've seen that, it's usually pretty successful as well. Ultimately, avoid user data in system commands as well, dynamic system commands. In embedded it's so easy to kind of use shell commands, usually they have ash, sh and a few other different shells you can use, but people obviously go to system() just to make things easier, just like a lot of people may be here use bash instead of using some other
language that's, you know, you can use on any other platform, for example. Validate user input, that's obviously huge; context output encoding of characters, so whether it's hitting the system or it's replying back to or responding back to the user interface, the web, you know, so encoding output, HTML output encoding, JavaScript or any type of other characters, let's say for the system it was trying to execute some sort of shell command; and again, command injections are really, really huge. One thing I forgot to mention is I'm working with the FTC over in the States, an attorney at the FTC is using this guidance document for negligent manufacturers, and I'm trying to get that
over here too. You know, again, right now there's not really much guidance to the point, you know, okay, here's clear guidance on how to prevent some command injections; let me see, this is just a snippet, there's a lot more stated within the GitBook, but obviously getting some support from the FTC, which is pretty huge. There's a basic example of a vulnerable C example: initializing the buffer, getting some input in the buffer size, and you have the command, and the command from the interpreter, %s, and again validating, handle the error; but obviously you have a system command here that's executing any command without
any validation, it doesn't handle any errors well or safely; then you're just adding, as a user, a simple semicolon there, as if you're in the shell, so that's not cool. Depending on what type of device it is, you know, the impact and the safety that it can cause on the user could be larger than, let's say, a light bulb; if it's a medical device obviously the severity is much higher. But again, you know, this is basic, basic principle stuff that's been around, nothing's really new as far as how to prevent some of these bugs, they've been around since the beginning of time, 90s, 80s, since C was born.
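A worked version of the non-compliant and compliant patterns just described (bounded input instead of gets/strcpy, the command-to-number map, and no shell), written as an added example for this page, not taken from the talk or from the OWASP project's GitBook; the ping handler, the 63-byte hostname limit, the character allow-list and the command id are my own assumptions:

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>
#include <unistd.h>
#include <sys/wait.h>

#define HOST_MAX 63   /* assumed limit for a hostname / IPv4 argument */

/* Non-compliant pattern from the slide: user text is pasted into a shell
 * string destined for system(). "lo; id" becomes "ping -c 1 lo; id" and the
 * shell runs both commands. Kept only so the test can show the result. */
int build_vulnerable_command(char *cmd, size_t cmdlen, const char *host)
{
    return snprintf(cmd, cmdlen, "ping -c 1 %s", host);
}

/* Step 1 of the compliant version: read with a bound (fgets, never gets) and
 * refuse a line that did not fit instead of silently truncating it.
 * Returns the length, -1 on EOF/error, -2 if the line was too long (the
 * remainder of that line is drained so the next read starts clean). */
int read_line_bounded(FILE *in, char *buf, size_t buflen)
{
    if (fgets(buf, (int)buflen, in) == NULL)
        return -1;
    size_t n = strlen(buf);
    if (n > 0 && buf[n - 1] == '\n') {
        buf[--n] = '\0';
        return (int)n;
    }
    int c = fgetc(in);                 /* no newline: EOF, or line overflowed */
    if (c == EOF)
        return (int)n;
    while (c != '\n' && c != EOF)
        c = fgetc(in);
    return -2;
}

/* Step 2: allow-list the argument. Only [A-Za-z0-9.-], 1..HOST_MAX bytes,
 * and no leading '-' so the child cannot read it as an option. */
int is_safe_host(const char *s)
{
    size_t n = strlen(s);
    if (n == 0 || n > HOST_MAX || s[0] == '-')
        return 0;
    for (size_t i = 0; i < n; i++) {
        unsigned char c = (unsigned char)s[i];
        if (!isalnum(c) && c != '.' && c != '-')
            return 0;
    }
    return 1;
}

/* Step 3: the "number to command" map. The UI sends an id, never a command
 * string, and each id expands to a fixed argv. Returns argc, or -1 when the
 * id is unknown or the argument fails the allow-list. */
enum cmd_id { CMD_PING = 1 };           /* assumed: the only exposed command */

int build_safe_argv(int id, const char *host, const char *av[], size_t maxargs)
{
    if (maxargs < 5 || !is_safe_host(host))
        return -1;
    if (id != CMD_PING)
        return -1;                     /* unknown id: no fallback to a shell string */
    av[0] = "ping"; av[1] = "-c"; av[2] = "1"; av[3] = host; av[4] = NULL;
    return 4;
}

/* Step 4: fork/execvp instead of system(). The argument travels as its own
 * argv element, so ';', '|', '`' and $(...) are never interpreted.
 * Returns the child's exit status (127 if exec failed), -1 on error. */
int run_without_shell(const char *av[])
{
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        execvp(av[0], (char *const *)av);
        _exit(127);
    }
    int status;
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void)
{
    char host[HOST_MAX + 2];           /* 63 bytes + '\n' + '\0' */
    const char *av[5];
    if (read_line_bounded(stdin, host, sizeof host) <= 0 ||
        build_safe_argv(CMD_PING, host, av, 5) < 0) {
        fprintf(stderr, "rejected\n"); /* handle the error, do not ignore it */
        return 1;
    }
    return run_without_shell(av);
}
```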
Stepping along to firmware updates: update over TLS, you know; schedule updates; for, like, medical devices you don't want to do a reboot when someone's walking with their pacemaker, for example, but other devices that aren't critical for functioning, let's say anything within a home, you could auto-update; and again, I talked about medical devices, even force updates in certain severity cases when they're higher or critical; and implement some sort of anti-downgrade function that won't let you use previously vulnerable firmware. In essence, validating, cryptographically signing the firmware images, so you could just sign and basically invalidate older firmware images, and even encrypt those in some sort of archive and
require a password. So what I've seen, I think D-Link does that now, it won't let you install older firmware; I tried to, for one of the demos, I had to, you know, look for a CVE and look for a backdoor demo; another requires a password, which is interesting, I'm not sure if some other vendor does that as well, not just D-Link. And again, change logs that include whatever security fixes were made; usually, you know, "security improvements" is very overviewed in the change logs. But these are also within the build, you know, building, for example the build systems: they already have predetermined packages that they pull from repositories, not so you have to download
manually. So those drop-down menus there, the menu configuration, so again they have their own packages within their repository, so they can have older versions; UPnP for example, there's vulnerable versions of UPnP, loads of them actually, and if you don't check the change log of what version that Buildroot has, obviously your device is going to be vulnerable; but UPnP in general is very vulnerable. But as an example, here's a snippet from our documentation on how to verify the kernel; obviously there's some sort of infrastructure involved in order for you to have GPG, but obvious things are storing the private key on the device, this we learned at Belkin when I was
there, that was fun. But yeah, so when you're downloading, when you're verifying with GPG, you have to, you know, it's called web of trust, validate, for example, when you're grabbing the keys; but this is basically a wget of the kernel; again, this is just a basic example, but validating that the integrity of the kernel image is still intact, and again just decompressing and verifying the signature here; there's many different ways to do it, but again it requires a little bit of infrastructure and some people to understand what GPG is and how to verify and validate; again, it's done wrong and there's not much documentation on it, and we have
different examples in our guidance document on how to do it, and we're looking for more, so if anybody has other feedback, we're definitely looking for contributors all the time. Securing sensitive information: hard-coding anything, really, any type of secret, passwords, tokens, personally identifiable information, very, very common unfortunately; and if you are storing that within your file system, typically right now, you know, embedded devices use, like, SQLite databases to store this type of information, and routers do, from my experience, you know; store it in some sort of, if the device has the capability of a secure element or a trusted execution environment, if it's based off of ARM, definitely viable; and do not store
secrets in unprotected storage locations like an EEPROM, for example, flash storage, SD card; there are devices that have SD cards freely readable and writable; and with EEPROMs you can just stick a SOIC clip on top, pull the firmware, and pull whatever's running and you can see any type of secret that's there; and even if it's in different partitions, that's a file system done, you can still pull it; so if you think that, as an attacker, or you think that you can hold a different partition that's outside of the firmware and it will be safe, it's not, you could still pull it. Again, it's kind of common sense, you would think, but a lot of these guys
who write C, C++, and who are writing for these embedded devices with manufacturers, they've been writing code for ten, fifteen years and they've never used web technologies and frameworks that we currently have that already auto-escape and prevent these types of issues and even have other libraries; everything's kind of manual, you have to think about it, but still, again, it has to start in the requirements phase of building a device. But it seems common sense, right? There's an example of D-Link having a hard-coded, let's say, backdoor: every time you send a user agent with this string here you bypass authentication and get access to the device. So that's awful, right? Just recently
the FTC kind of pinpointed Asus last year and also D-Link for basically advertising, you know, "advanced security" and everything else, and everything's over HTTP, they're storing data in clear text, and there's things like even their Android apps, they were storing credentials within shared preferences and XML files, they're not using the keystore, for example. But for us over in the States this is kind of huge, this is the first time regulation got involved in that kind of capacity, for basically the impact on safety for consumers. Again, hard-coded login credentials, and the password was "guest" and it was enabled by default, so
insecure defaults is what they got slapped on the hands for, but they also got charged and fined a lot of money, sentencing Asus to have to go under twenty years of having pentests, like, they have to show that, so that's pretty interesting. So identity management over TLS, and notice I'm not saying SSL, a really insecure way, to do SSL; if you can, move everything up to TLS. Leaving this, you know, moving over to, like, iOS: if the embedded device uses iOS, iOS is pushing all apps to TLS 1.2 with App Transport Security, so you guys kind of, where you have to manually disable that in your app's configuration file.
It's what it is. Separate accounts for internal web management console access, remote web management, remote console access. Session IDs you usually see in the URLs, you know, that's awful; just good to see them, you know, as a header, cookies as well; and as you could, you know, obviously, just a string that you input in the browser, you know; input secure flags, if it's over HTTPS hopefully; HttpOnly flags; and randomize and invalidate the session IDs and cookies upon logout. So many times on these devices I see that their tokens or cookies are not expired, either on the device ID or on the server side, you know, if they're a manufacturer. So,
you know, "token grief" is kind of a term that's thrown around. Password policies: you know, password123, admin/admin is pretty common for admin passwords, so we're trying to push manufacturers to go this route rather than not. So yeah, I've had so many arguments with management when I was over at Linksys to try to push, you know, they can do this for WPA2, right, WPA2 pre-shared keys, but they can't do it with usernames and passwords, and it was only because the deployment script that they have to validate for production is the reason why they had to change the process, and it takes changing processes; but again, this is what we're looking for and trying to push manufacturers to do.
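An added illustration of the session-handling points above (a random session ID, carried in a cookie rather than the URL, HttpOnly and Secure flags, expiry, and invalidation on logout) for an embedded web management console; this is example code written for this page, not from the talk or the OWASP project, and the 15-minute idle timeout, cookie name and table size are assumed values:

```c
#include <stdio.h>
#include <string.h>
#include <time.h>

#define SID_BYTES    16     /* 128 bits from the kernel CSPRNG -> 32 hex chars */
#define SID_HEX      (SID_BYTES * 2 + 1)
#define MAX_SESSIONS 8      /* assumed: a small router console */
#define SESSION_TTL  900    /* assumed policy: 15 minute idle timeout, seconds */

struct session { char sid[SID_HEX]; time_t expires; int in_use; };
static struct session sessions[MAX_SESSIONS];

/* Random, unguessable id: not a counter, a MAC address, a device id or a
 * timestamp. Returns 0 on success, -1 if /dev/urandom cannot be read. */
int generate_session_id(char *out, size_t outlen)
{
    unsigned char raw[SID_BYTES];
    if (outlen < SID_HEX)
        return -1;
    FILE *f = fopen("/dev/urandom", "rb");
    if (f == NULL)
        return -1;
    size_t got = fread(raw, 1, sizeof raw, f);
    fclose(f);
    if (got != sizeof raw)
        return -1;
    for (size_t i = 0; i < sizeof raw; i++)
        snprintf(out + 2 * i, 3, "%02x", raw[i]);
    return 0;
}

/* Compare two ids without an early exit, so response time does not reveal
 * how many leading characters matched. Both must be SID_HEX-1 chars long. */
static int sid_equal(const char *a, const char *b)
{
    unsigned char diff = 0;
    for (size_t i = 0; i < SID_HEX - 1; i++)
        diff |= (unsigned char)(a[i] ^ b[i]);
    return diff == 0;
}

/* Login: take a free slot, issue a fresh id, set the expiry. Returns the
 * slot index, -1 if the table is full or no randomness was available. */
int session_create(time_t now, char *sid_out, size_t outlen)
{
    for (int i = 0; i < MAX_SESSIONS; i++) {
        if (sessions[i].in_use)
            continue;
        if (generate_session_id(sessions[i].sid, SID_HEX) != 0)
            return -1;
        sessions[i].expires = now + SESSION_TTL;
        sessions[i].in_use = 1;
        if (sid_out != NULL && outlen >= SID_HEX)
            memcpy(sid_out, sessions[i].sid, SID_HEX);
        return i;
    }
    return -1;
}

/* Per request: 1 if the cookie names a live session (and its expiry is
 * refreshed), 0 otherwise. Expired entries are dropped, not kept forever. */
int session_valid(const char *sid, time_t now)
{
    if (sid == NULL || strlen(sid) != SID_HEX - 1)
        return 0;
    for (int i = 0; i < MAX_SESSIONS; i++) {
        if (!sessions[i].in_use || !sid_equal(sessions[i].sid, sid))
            continue;
        if (now > sessions[i].expires) {
            memset(&sessions[i], 0, sizeof sessions[i]);
            return 0;
        }
        sessions[i].expires = now + SESSION_TTL;
        return 1;
    }
    return 0;
}

/* Logout: invalidate server-side, so a copied cookie is useless afterwards.
 * Returns 1 if a session was removed, 0 if none matched. */
int session_logout(const char *sid)
{
    if (sid == NULL || strlen(sid) != SID_HEX - 1)
        return 0;
    for (int i = 0; i < MAX_SESSIONS; i++) {
        if (sessions[i].in_use && sid_equal(sessions[i].sid, sid)) {
            memset(&sessions[i], 0, sizeof sessions[i]);
            return 1;
        }
    }
    return 0;
}

/* The id goes in a cookie header, never in the URL. HttpOnly keeps it away
 * from page script; Secure is added once the console is served over HTTPS.
 * Returns the header length, -1 if it does not fit in out. */
int build_set_cookie(const char *sid, int https, char *out, size_t outlen)
{
    int n = snprintf(out, outlen, "Set-Cookie: SESSIONID=%s; Path=/; HttpOnly%s",
                     sid, https ? "; Secure" : "");
    return (n < 0 || (size_t)n >= outlen) ? -1 : n;
}
```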
And then, you know, input complex passwords to the EEPROM and JTAG, for the hardware interfaces that get access to the console; and sometimes you will come across UART passwords, but usually, again, they're password123 or they're in the user manual, so what's the use of that? So going through framework hardening: you know, don't use things like Telnet, use SSH; remove unused language interpreters, you know, Python, Lua pretty common, Ruby I've seen in some devices, it's because of the development version, I think, but they push it to production without realizing, and they have different interpreters; obviously the attack surface is that much bigger. Remove dead code from unused libraries; usually for firmware the developers are trying to minimize as much code as possible because the footprint is small, but if it's larger than what they would normally put, firmware-wise, or what they have available, they get messy and they leave vulnerable libraries or code that they're not using, but again, obviously that expands the attack surface. First of all, shell interpreters, the different ones that are available, remove what's not being used; legacy daemons, Telnet, FTP, TFTP; and, I'd say, threat models, I think that's very important for hardening of frameworks and operating systems, because if you don't know all the libraries that are being used, all
the code that's run, and all the possible threats and impact, how are you going to properly secure it, or even test it, for example, from the attacker's perspective? And again, here's the example for Buildroot, how to enable the different shell environments: you have bash, dash and zsh, there's more depending on the different version of Buildroot; the other screenshot I have is 2016, as opposed to the 2015 different versions of Buildroot, they have different options; and again, simple enough, FTP, it's all just a drop-down and it auto-builds it for you, for your firmware; this is 2016.
So, you know, debugging code, this again is backdoor code; I previously talked about the user agent header, and usually their excuse is "we used it for customer support" to get access to change whatever services for grandma or grandpa, for example; and again, debugging for developers, you need to get access to a real production device and they hard-code this into the firmware image, that's the excuse I've heard in that field and they think it's justifiable from a product perspective, but for us security-oriented minds obviously it's a red flag; and you think it's common sense, but a different type of beast, and people in that field, they think the, you know, the
firewall's taking care of it. But anyway, third-party libraries, SDKs, environments need review; like I was saying, ODMs basically pass over binary images and files, libraries, over to the manufacturers, the OEMs. I think there was a big one, NetUSB I believe it was called, that was a third party, and every SMB and USB capability in routers, for example, that's another third-party firm who's creating that code and passing it over to an OEM; so now you have the ODM, you have this other third-party company who's providing, say, the media services, for example, and like I said the NetUSB, that's a distinct provider all in itself, and binary code is what they're giving to them, not
necessarily, they don't have the source code, but they need to be reviewed, and there are new products that are coming out, I'm not going to name-drop the companies, that can basically auto-reverse-engineer and extract the file system to review these types of binary files. And implement some sort of liability and service agreement between the OEM and ODM, you know, making them liable for whatever type of security incident; they can have someone on staff that has some security expertise and knowledge, a security certification, just a baseline, fun things to kind of, you know, point the finger in a way, make any other third party liable as well. And this is something that
we did over at Belkin/Linksys as well, so trying to push that type of culture and make someone liable, because if there's a bug, you know, it's a big gray area, but if you incorporate that into a product and service agreement, then obviously someone's held liable and they sign it. And again, super common to have these backdoors, and all because of the ODMs, because what I'm thinking is what I see actually in the wild; this is usually what they say when they threw the unit tests at Stevie Wonder, he's blind. Let me take a step back, I only have like fifteen minutes here, and give an example of how easy it is to
look through an image, a binary image, a firmware image, using something like binwalk; you guys heard of binwalk? A few people, okay. Basically it extracts the file system for you; it looks kind of weird, it's blown up here. So where I'm at, I'm using the shell here, I'm in a firmwares directory and obviously, you know, I've sourced a lot of firmware, so we have D-Link, we have a couple of Linksys router firmware images, and I already extracted them; the ones with underscores are already extracted file systems, and all I did was binwalk -e and the firmware image and it auto-extracted it, pretty simple. Not every
image firmware image is going to be like that but what I do so I'm ready in wrt 1280 the router firmware and i extracted the file system has been walked and now I'm in the file system what is usually what I do is Brett for passwords to forgotten passwords and keys left it out first thing and but I already know I just found this out earlier this morning I usually liquid a configuration file but you also see like comments and funny things going on like to do's but one thing i found was the password and I was like hey what's that password so let's go take a look here so guess this is where weird uses this is the shell
command that he uses that password here didn't know that to sell my right now again I saw this this morning at sea system defaults
Templeton throwing up oh I backed up the to the wrong one here let's go into non one because i also find any different from the image now that I'm I know where it's at cdse
here it is looks like they use Amazon like there's a user and I was actually able to login the good thing is with amazon i'm still working with this you have to whitelist accepted email so i found one and i was trying to make it look like i was i was uh you know coming from linksys to send an email out to somebody so I'm working on that obvious i just found out this morning but it's been a couple of their former images we can also do the same thing i was there dealing for my image but again pretty simple it's almost like you know you can even understand the you know the function of what's being used obviously
you have you know rock queries for example you can check that out different ways different ways its use and it's stored dynamically as well but pretty simple I like I said you know Ben what kind of does the heavy lifting for you and there's more is more examples in here but an interest of time you have ten minutes well kidding can you present excuse me Stevie Wonder alright cool so I so pls i will stop about using one point to a high as possible validate this is a public key hostname a certificate chain this is hardly ever done especially in embedded devices commercial devices a little bit even deploy your own your own cert i'm
sure using a new you know hashing algorithm for signing you know the chief sha-1 md5 very very old disabled difficult XL versions and all of them if you can until at one point to certain cipher suites are vulnerable like client-side attacks left too high in severity on the weeks after caswell or null ciphers disable those and then in case they're you know or wins the certificate does expire make sure there is some sort of way a function or mechanisms that you can update that that certificate there's examples like a manufacturer where it was a hub IOT hub where the certificate expired and they got locked out of other products inside their house and they had back the
device back to the manufacturer to update another certificate you know that's pretty awful yes let that really has happened and simple things to verify you can use nmap you can use different ms scripts ssl can assess allies test ssl server or its public ssl labs oh
awesome got to put in it so there's a new it out there c sharp cool thank you yeah just look at that kind of the way I feel and obviously if you guys have never used em Matt but the example for more test device I have you can saw one and some vulnerable you know sslv3 vulnerable inherently and there's also some vulnerable you know triple des des rc4 horrible cipher suites beta collisional stories privacy by design is kind of what we're looking for which is acquired the least data as you can for operational functions so don't require eight if you don't need it transparency making sure that the users are aware how that data is being stored I know you
know over here and EU is a little bit different as far as the requirements but even so I know the same manufacturers who sell in the states and sell overhears or not a by D abiding by certain privacy regulations I even being transparent about them and then allow the device owner to reset their their personal data and have the ability to basically erase it which again is not being incorporated by a lot of manufacturers but who is doing it people like it like you know androids and iPhones are doing this I go on occasionally and just reset my advertising identifier you know to basically switch up that unique ID and they get andrew has the same function
but just as an example who's doing who's doing things like this so third-party code and components we already discussed a little bit of OD inside with Bill of Materials take again horrible databases and then there's tons of free tools to help with libraries from the framework aspect front end you have jobs you have retired they ass lips standard four oxys into your build system you get off the building to a continuous integration most of these have the ability to plug into continuous integration environment and some of the most of these manufacturers are in a CI environment if you use NFC soon ljs Linus geyser that's a free tool for hardening and also checks for different kernel versions and
as CVEs are published four different libraries and curls as well then for dynamic testing say for web or mobile do something like no laws that use the rest api to scan every build like in a CR environment they're very easy and kick off like sequential steps and then again review change levels of school teams software packages and libraries and we talked about that with building injector and then it's possible because you can also utilize package managers that something is firmware usually when there's you know a lot of honorable library people think you have to reflash the whole thermal image you can also use package managers updated but again it takes some testing and they have the
ability within yahoo and builder to do that and i know if you guys have used like Wi-Fi pineapple or anybody use lots of pineapple yeah they use you know I think we use opkg both of these right going to use both of them on again it's the same type of device you can do that you know and run certain scripts from the manufacturer side you don't necessarily have to he was depending on what library being used or what needs to be updated has to you have to reflash the whole forum or use the package manager so again you know for insanity each of these from buffer buffer pool prevention to command injection all the way down to the third-party components
here and review so continuous threat models is key from the embedded size a mobile side the website difference exercise as well continuous testing update as much as possible if you can for any of these devices from the consumers aspect and even from manufacturer auto update if you can have some sort of feature we check the box because certain regulations require the user to be aware that their devices being updated with their consent and have a disclosure policy get involved in the communities and sort of third-party collaboration these news platforms like blood crowd to know like hey you know we care I think netgear is one of them they're doing pretty well as far as being open to the community and some
closing thoughts let's keep breaking things I know me I love getting devices and when reversing them I'm for a summer on the stacey has some good news back in October that security research for us and it might be similar here I'm not sure and then you guys have a copyright regulation as well but this exempt security research for consumer devices if you have rightfully owned the device like participa device and also use it with with goodwill so you're not trying to hurt people with it with your research thing this is lawfully acquired here good faith security research and must be conducted in a controlled setting avoids to harm individuals on the public select car research during
the garage there's a park or something what I did well good news for us I mean anybody to and again let's just keep breaking things like this guy looks pretty happy right and that's it there any last questions you have a few minutes no questions no on okay thank you guys
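As an added example, not from the talk or from any vendor, here is a small POSIX shell audit of an extracted firmware root (the kind of directory binwalk -e produces) that checks the hardening items the talk walks through: legacy cleartext daemons (Telnet, FTP, TFTP), leftover interpreters (Python, Lua, Ruby), and credential-looking lines in the configuration files, and returns a count a CI build can gate on. The sample tree it builds is constructed, and all function and file names are hypothetical.

```shell
#!/bin/sh
# Added example (not from the talk): audit an extracted firmware root
# for the hardening checklist items. Function names and the sample tree
# are hypothetical / constructed so the script runs offline.

# Build a small constructed sample root that mimics an extracted image.
make_sample_root() {
  mkdir -p "$1/usr/sbin" "$1/usr/bin" "$1/etc/system_defaults"
  : > "$1/usr/sbin/telnetd"; : > "$1/usr/sbin/tftpd"      # legacy daemons
  : > "$1/usr/sbin/dropbear"                               # SSH: expected to stay
  : > "$1/usr/bin/lua"; : > "$1/usr/bin/python"            # leftover interpreters
  printf 'smtp_user=mailer@example.invalid\nsmtp_password=SAMPLE-ONLY\n' \
    > "$1/etc/system_defaults/mail.conf"                   # constructed credential
  printf 'hostname=router\n' > "$1/etc/system_defaults/net.conf"
}

# List legacy cleartext network daemons that should not ship in production.
find_legacy_daemons() {
  find "$1" -type f \( -name telnetd -o -name in.telnetd -o -name ftpd \
    -o -name vsftpd -o -name tftpd \) 2>/dev/null
}

# List scripting interpreters that usually only belong on a development image.
find_interpreters() {
  find "$1" -type f \( -name python -o -name 'python[23]*' -o -name lua \
    -o -name ruby -o -name perl \) 2>/dev/null
}

# List config lines under etc/ that look like embedded credentials or keys.
find_credential_lines() {
  grep -rniE '(passw(or)?d|secret|api[_-]?key)[[:space:]]*[=:]|BEGIN [A-Z ]*PRIVATE KEY' \
    "$1/etc" 2>/dev/null
}

# Print the total number of findings; 0 means the image passes this gate.
audit_firmware_root() {
  d=$(( $(find_legacy_daemons "$1" | wc -l) ))
  i=$(( $(find_interpreters "$1" | wc -l) ))
  c=$(( $(find_credential_lines "$1" | wc -l) ))
  echo "$(( d + i + c ))"
}

# Stand-alone run against the constructed sample root.
root=$(mktemp -d) && make_sample_root "$root"
echo "legacy daemons:";        find_legacy_daemons "$root"
echo "interpreters:";          find_interpreters "$root"
echo "credential-like lines:"; find_credential_lines "$root"
echo "total findings: $(audit_firmware_root "$root")"   # prints 5 for the sample
rm -rf "$root"
```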