Practical String Comparison Timing Attacks
Embedded systems are often slow and resource constrained. This makes them the perfect target for network-based string-comparison timing attacks, which allow an attacker to attack credentials one character at a time (like in the movies), rather than brute-forcing the entire value at once. We will discuss how timing attacks work, how to optimize them, and how to handle the many factors which can prevent successful exploitation. We will also demonstrate attacks on at least one popular device. After this presentation, you will have the foundation necessary to attack your own devices, and a set of scripts to help you get started.
Paul McMillan is a security engineer at Nebula. He also works on the security teams for several open source projects. When he's not building or breaking the internet, he enjoys cocktails and photography.