Embedded Device Vulnerability Analysis Case Study Using TROMMEL

ShmooCon XIV - 2018

Presented by: Madison Oliver, Kyle O’Meara
Date: Sunday January 21, 2018
Time: 10:00 - 10:50
Location: Near Room
Track: Build It

Researching embedded devices is not always straightforward, as such devices often vastly differ from one another. Such research is difficult to repeat and results are not easily comparable because it is difficult to conceive a standard approach for analysis. This document proposes an initial research methodology for vulnerability analysis that can be applied to any embedded device. This methodology looks beyond preliminary research findings, such as open ports and running services, and takes a holistic, macro-level approach of the embedded device, to include an analysis of the firmware, web application, mobile application, and hardware. In addition, TROMMEL, an open source tool, was also created to help researchers during embedded device vulnerability analysis.

This presentation provides security researchers with a repeatable methodology to produce more comprehensive and actionable results when analyzing embedded devices for vulnerabilities. As a case study, we analyzed a Wi-Fi camera as a class of embedded devices to demonstrate this methodology is more encompassing than standard research. This methodology can be applied to all embedded devices and should be expanded as the landscape of embedded device evolves.

Madison Oliver (@iqmadddyqi) is a Vulnerability Team Intern at the Software Engineering Institute (SEI) CERT Coordination Center (CERT/CC) currently pursuing a Master’s degree in Information Security Policy and Management at Carnegie Mellon University. She has been studying Information Technology for five years.

Kyle O’Meara

Kyle O’Meara (@cool_breeze26) is a Senior Member of the Technical Staff at the SEI CERT/CC and an Adjunct Faculty and Faculty Advisor at Carnegie Mellon University. He has been in information technology for 12 years, most, if not all, with a cyber security focus. Much of his current work focuses on research and analysis of embedded systems and exploits.

Madison Oliver


KhanFu - Mobile schedules for INFOSEC conferences.
Mobile interface | Alternate Formats