OWASP Global AppSec US 2021 has ended
Friday, November 12 • 3:00pm - 4:00pm
Outside the box: pwning IoT devices through their applications

We often think of AppSec and IoT as two separate infosec disciplines. Sure, the domain knowledge, attack vectors, and threat mitigation are not exactly the same in those two worlds. At the same time, as the hardware continues to evolve, we see more and more tiny general-purpose computers around us. Many of these tiny computers nowadays run software that is written in a conventional programming language, listen on network ports, process data inputs, and communicate with the outside world. These devices can be attacked just like any other application running on a desktop, on a server, or in the cloud.

In this talk, I am going to tell you a story about my hacking journey that unexpectedly took me from device configuration settings to software reverse engineering, vulnerability discovery, and six new CVEs. Together, we’ll go step by step through firmware analysis, decompiling, code review, and vulnerability demos. I’ll also share my experience with the responsible disclosure process. I hope this talk inspires you to apply your application security knowledge to new areas such as IoT, even if you’ve never done that before.


Alexei Kojenov

Lead Product Security Engineer, Salesforce
Alexei began his career as a software developer. A decade later, he realized that breaking code was way more fun than writing code, and decided to switch direction. He is now a full-time application security professional, with several years of assisting engineering teams in delivering...

Friday November 12, 2021 3:00pm - 4:00pm PST
