[ picture stolen from the polite politie ]
Unlike the German Oktoberfest in Munich which already started in September, the Oktoberfest in The Hague started on 2nd October.
In spite of this competing event, the decision to go to the last day of the hardwear.io conference definitely paid off.
Day 2 started with the keynote from Harald Welte (the father of Osmocom) and his view of telecom security over the last few years. His observation is that nothing has changed so far – we still suffer from a lack of tools and from monoculture throughout the industry.
Veysel Özer followed afterwards with his talk “1 guy looking at iLo 2 and 3 for 4 days and finding more than 5 bugs”, which actually says everything. A management interface which allows you to ring the server bell with unprintable characters in the username.
Sofiane Talmat showed us with “Hacking Satellite TV receivers: Are those IoT devices secure?” his findings on SAT-receivers. The fun part is, there are still devices out there which run every process as root, don’t even have a password set and allow you to watch Pay-TV.
The second talk on HDD-security was held by Raphael RIGO and Joffrey CZARNY (Attacking hardware for software reversers: Analysis of an encrypted HDD). These devices look so scarily insecure, and storing decryption keys on the drive itself doesn’t seem like a good idea.
It is hard for me to tell what Michael Leibowitz was talking about with his BLINKERCOUGH. I mean what’s VGA, and why would you want to use it to talk i2c and exfiltrate data via infrared? The hosts of hardwear.io were well prepared and only provided HDMI cables.
Lucian showed us in “From off-the-shelf embedded devices to research platforms. Two case studies: a PLC and a SSD” how to dump firmware and achieve code execution on an SSD. He started to collect information about various chips and everyone is welcome to contribute.
With “Advanced IC Reverse Engineering Techniques: In Depth Analysis of A Modern Smart Card” Olivier Thomas showed us how to reverse an IC in one month. I emphasize ONE MONTH – insane.
Last man standing was our own Florian Grunow with his talk about the security of medical devices. Throughout the talk it was obvious that most of the devices weren’t designed with security in mind. Replay attacks and the injection of fancy music-videos were easily possible on patient monitors. But what surprises me the most is the deficit of operational security in German hospitals. It doesn’t seem rare that everything that you might not want on a network is actually attached to it.
The conference ended with standing ovations for the whole hardwear.io crew and supporters.
All in all, I think the hosts did a great job, everything went smoothly and the talks as well as the trainings were very well selected.
With these impressions I’ll end my series, and I’m excited to see how hardwear.io evolves over the next years.
Edit 2015-10-18: Slides can be found at http://hardwear.io/archives/.