Eric Sesterhenn

Principal Security Consultant at X41-DSEC GmbH

Talk Title

Smells like Teen Spirit - Internet of Teens

Abstract

Every year, millions of Internet of Things devices are produced and deployed. They range from tiny battery-operated devices to more powerful embedded systems with a steady power supply. Some are attached to internal networks, others create mesh networks, and even more are facing the Internet. They have one thing in common: a high risk of issues - just like teens :-)

Analyzing several IoT operating systems (RIOT-OS, Apache Newt, ...) uncovers many common flaws that are shared across platforms and can be abused by attackers to gain access to IoT devices.

There is a lot of talk about IoT security, but no one seems to take a look at the actual OS implementations. This talk changes that. IoT will never be secure when its foundations are unsound. Presented will be bugs in the heap allocator and other common, reimplemented libc functions, as well as other helper functions. Additionally, we will show fundamental security issues when compared to an OS such as the Linux kernel.

This presentation will show common weaknesses in several IoT OS implementations, and how to find them effectively.

Vulnerabilities in RIOT-OS have been presented at the RIOT-OS Summit (https://www.x41-dsec.de/reports/Have-A-Secure-Riot.pdf), but this talk focuses on Apache Newt and the insight that can be gained at a higher level; it is therefore submitted as new research.

Bio

Eric Sesterhenn has been working as an IT security consultant for more than 14 years, mostly in the areas of penetration testing and source code auditing. His experience in the field of security includes finding vulnerabilities in various software projects, including X.org, the Linux kernel and the RIOT IoT OS, as well as numerous issues in proprietary and customer code.

Copyright © 2023 | Nullcon India | International Security Conference | All Rights Reserved