This information is from a previous year. Please visit shellcon.io for up-to-date information.
Every day we hear about the weak security of IoT devices, about vendors that don’t take security seriously, and about how using default passwords without changing them could lead to a leak of important and personal data. GPS trackers made with a default password and predictable serial numbers allow full control of the tracker and leak the user’s position. Due to heavy white labeling and use of the same cloud infrastructure, the scale of the problem is huge. I’m going to show and discuss where the weaknesses are, what models and APIs are affected, and how they can be exploited. Live demo included. The talk is also, by itself, a comprehensive guide to analyzing IoT device security, spanning from the Android app to the hardware.