- Webinar |
- Netherlands 2024 |
- USA 2024 |
- Netherlands 2023 |
- USA 2023 |
- Netherlands 2022 |
- USA 2022 |
- Netherlands 2021 |
- USA 2021 |
- Germany 2021 |
- Berlin 2021 |
- Netherlands 2020 |
- Virtual Con 2020 |
- Berlin 2020 |
- Netherlands 2019 |
- USA 2019 |
- Berlin 2019 |
- Netherlands 2018 |
- Berlin 2018 |
- Netherlands 2017 |
- Netherlands 2016 |
- Netherlands 2015
Carel van Rooyen
Security Analyst at Compass Security Schweiz AG
Philipp Promeuschel
Security Analyst at Compass Security Schweiz AG
Carel van Rooyen & Philipp Promeuschel
Workshop Title
Xtensa & Mongoose OS exploitation
Workshop Abstract
Debugging and inspection of Mongoose IoT on the ESP32
Mongoose OS is an open source operating system used as a framework for the rapid development of IoT projects with a variety of deployable hardware options. With the cost-effective BLE devices, they are ideal for IoT development, and Mongoose OS further eases entry for developers wanting to deploy /test / use such devices. This extra abstraction might bring an unawareness of the underlying device security-relevant issues inherent in hardware and software.
We inspect the underlying system, discuss the necessary tools for this, and how we approached researching the environment.
In the workshop, we will demonstrate our thought processes behind inspection, and perform a live demo on target devices, including:
- Setting up a Mongoose OS environment
- Crash inspection (dumps)
- Demos on live debugging
- Mongoose OS firmware layout
- A brief differentiation between X86 and Xtensa ISA exploitation considerations
- Further live demo
- Discussion on finding issues and patching the source
- Discussion of possible future work (live patching, exploitation approaches)
Keywords
esp32, debugging, firmware, mongoose OS
Duration
2 hours
Speaker Bio
Philipp Promeuschel is a security analyst at Compass Security Schweiz AG, interested in mobile and IoT security. Additionally he is a security course teacher (APT, mobile security, forensics, web application security) and volunteering for public IT Security events such as Cyber Security Austria 2013, Cyber Security Alpen Cup 2014, OWASP AppSec EU 2013, 2015-2017 as well as for the European Cyber Security Challenge 2015.
Carel van Rooyen is a computer systems engineer that has worked in security in three countries and is currently a security analyst at Compass Security Schweiz AG. Prior to his work as security researcher he spent years teaching web application development and network security principles.