On This Page

A Guided Tour of Embedded Software Hacks

Craig Young, Tripwire VERT | August 4-5


This is a hands-on, example driven introduction to the fundamentals of IoT hacking. Learning the secret incantations to make embedded systems carry out your will is not as hard as one might think. In the world of IoT, the hardened system is rare and often a firmware image is more than enough to find and exploit weakness. This session explains in detail a process for going from zero-knowledge to zero-day on real-world devices without breaking a sweat or picking up a screwdriver.

Students will be provided a virtual machine image configured to emulate a selection of vulnerable devices. Attendees will be guided to rediscover vulnerabilities and then craft exploits for these virtual devices before finally testing on real hardware. This training is focused on identifying bug chains which are easily and reliably exploited over an IP network by an unauthenticated attacker using portable techniques.

Devices reviewed in this class include several WiFi routers and smart home products. Students will learn about common design choices made for these devices and where to look for weaknesses. The labs are designed to provide a foundation of techniques for enumerating HTTP attack surface and identifying vulnerabilities which can be remotely exploited (without device specific shellcode) to distribute malware. Students will also be given access to a wealth of additional information through an online portal. This online lab manual is updated over time and includes extended details beyond what is covered in this class.

The techniques taught in this course have been successfully employed by Craig Young to identify over 100 CVEs on embedded/IoT devices as well as to win the 0-day and CTF tracks in the DEF CON 22 SOHOpelessly Broken router hacking competition.

Who Should Take this Course

This class is intended for anyone wanting a hands on introduction to software based security analysis of devices running embedded Linux.

Student Requirements

  • Comfort in BASH
  • Basic knowledge of network protocols including HTTP and DNS
  • Examples will include Python, JavaScript, and C code

What Students Should Bring

You are required to bring a laptop that meets the following requirements:
  • 20+ GB available storage
  • 4+ GB RAM
  • 802.11 (wifi) adapter
  • Virtualization software capable of loading an x86_64 OVA (e.g. VirtualBox or VMWare)

What Students Will Be Provided With

Students will receive a Linux virtual machine image configured with tools for emulating and analyzing a selection of pre-loaded device firmware images.


Craig Young is a computer security researcher with Tripwire's Vulnerability and Exposures Research Team (VERT). He has identified and responsibly disclosed dozens of vulnerabilities in products from Google, Amazon, IBM, NETGEAR, Adobe, HP, Apple, and others. His research has resulted in numerous CVE assignments and repeated recognition in the Google Application Security Hall of Fame. Craig's presentations on Google authentication weaknesses have led to considerable security improvements for all Google users. Craig won in track 0 and track 1 of the first ever SOHOpelessly Broken contest at DEF CON 22 by demonstrating 10 0-day flaws in SOHO wireless routers. His research into iOS WiFi problems more recently exposed CVE-2015-3728 that could allow devices to inadvertently connect to malicious hot spots. Craig has also successfully employed fuzzing techniques to find flaws in a variety of open source software including memory safety issues in PHP, Apache, Perl, Ruby, MatrixSSL, and more. Most recently, Craig has researched popular TLS stacks to identify classic crypto bugs in products from F5, Citrix, and others.

Video Preview (Training Description Above - Top of Page)