IoT RCE, a Study With Disney

ShmooCon XIV - 2018

Presented by: Lilith Wyatt
Date: Saturday January 20, 2018
Time: 10:00 - 10:50
Location: Main Room
Track: Bring It On

As desktop and server security keeps raising the baseline for successful exploitation, IOT devices are still stuck in the 1990’s, despite their ubiquity in every home network. This, coupled with the trend of “monitor your devices from anywhere!”, is creating a time-bomb situation, in which millions of households are left vulnerable, regardless of any network security posture.

These topics will be examined using the “Circle with Disney” and Foscam devices as case studies. During the course of the vulnerabilty testing of these devices, over 50 CVEs were discovered, out of which, discussion will focus on the more novel attack techniques seen, including:

Finally, there will be discussion IOT device’s use of traditionally offensive tools (arp-poisoning, backdoors, and payload beaconing) for central functionality.

Lilith Wyatt

Lilith Wyatt is a Research Engineer with the Talos Security Intelligence and Research Group at Cisco. She’s done open source and closed source research on a variety of products, resulting in CVEs on products from vendors including Vmware and Zabbix, and has also done internal research on Cisco devices. She’s OSCP and OSCE certified, and previously to her first real security job with Cisco ASIG, she was a Network Engineer, Boxer, and an Android app/firmware patcher.


KhanFu - Mobile schedules for INFOSEC conferences.
Mobile interface | Alternate Formats