20 devices in 45 seconds: Automated Bug Hunting in IoT Devices
Security researchers tasked with reviewing code or binaries – even aided by existing static analysis tools, fuzzers, and grep – face too much attack surface to effectively analyze for bugs in their 60 hours a week, or even their lifetime. This talk presents a novel program analysis tool tailored for embedded devices.
We explain the fundamentals of program analysis as it relates to vulnerability discovery and demonstrate the discovery of new vulnerabilities, as well as ones that were previously found by manual analysis, in 20 IoT devices.
Inspired by the theme of “20 Devices in 45 Minutes” by the exploitee.rs crew sharing their manual analysis of a number of IoT devices, we wanted to scale this via program analysis techniques. We’ll apply our tooling on some of those same devices to show how these known issues can be found automatically or even augment a human when triaging bugs.
Attendees will learn the importance of bug class patterns, variable range recovery, and information flow analysis as it relates to determining bug efficacy on embedded devices.
We will discuss challenges with architectures where the tooling support is weaker, such as lifting of MIPS binaries – and briefly cover some examples of the solutions we have contributed to improve these public tools as part of preparing for this talk.
Recognizing the challenges faced in conducting security evaluations at scale, we will discuss how both automated and augmented analysis are the future for helping empower companies to evaluate such issues effectively.
Ryan is a security researcher focused on embedded systems, low-power radio protocols, and automated analysis. He reverse engineers embedded systems to identify security issues and helps clients build more secure systems. He develops automated tooling to assist with finding vulnerabilities in embedded systems. Ryan has spoken at a number of conferences and published peer-reviewed articles, and edits for the journal PoC||GTFO.
Sophia develops automated tooling to assist vulnerability discovery. A graduate of RPI, Sophia earned her MS on exploiting CPU optimizations, which later assisted in the development of Spectre/Meltdown. Sophia has spoken at dozens of conferences, sits on the PC for WOOT and SummerCon, and is the NYU Hacker in Residence.