Hands-On IoT Hacking: Rapid7 at DefCon IoT Village, Part 1


This year, Rapid7 participated at the IoT Village during DefCon29 by running a hands-on hardware hacking exercise, with the goal of exposing attendees to concepts and methods for IoT hacking. Over the years, these exercises have covered several different embedded device topics, including using a logic analyzer, extracting firmware, and gaining root access to an embedded IoT device.

This year's exercise focused on the last of these, gaining root access, and covered the following aspects:

- Interaction with Universal Asynchronous Receiver Transmitter (UART)
- Escaping the boot process to gain access to a U-Boot console
- Modification of U-Boot environment variables
- Monitoring system console during boot process for information
- Accessing failsafe (single-user mode)
- Mounting UBIFS partitions
- Modifying file system for root access

While at DefCon, we had many IoT Village attendees request a copy of our exercise manual, so I decided to create a series of in-depth write-ups about the exercise we ran there, with a better explanation of several of these key topic areas. Over the course of four posts, we'll detail the exercise and add context to answer several questions and expand on the discussion we had with attendees at this year's DefCon IoT Village.

The device we used in our exercise was a Luma Mesh WiFi device. The only change I made to the Luma devices for the exercise was to modify the U-Boot environment variables and add console=off to the bootargs variable to disable the console. I did this to add more complexity to the exercise and show a state that is often encountered.

Identify ..
