New York City information security consultancy Carve Systems presented a simple hardware hacking technique to root IoT devices at the DefCon security conference. In lab testing, Carve senior consultant Brad Dixon found that roughly half of the tested devices were vulnerable to the “pin2pwn” technique, which gives an attacker instant root access. How simple is it? All that is required is a sewing needle.
“Obtaining root access is step one in any device assessment that we perform,” said Dixon, adding that “pin2pwn is a shortcut that speeds up our ability to get root and move on to the important parts of an assessment: finding remotely exploitable bugs.”
On the fact that the “pin2pwn” technique works so often, Carve CEO Mike Zusman said, “Our results underscore the reality that IoT developers often don’t pay attention to edge-case scenarios that impact device security. When we test Internet-of-Things devices for clients, pin2pwn is an easy way to get root access. Root access makes it easier to find dangerous vulnerabilities that give attackers remote access to other devices, applications, and network services in the device ecosystem.”
Along with details of the attack on IoT devices, the company described simple techniques that hardware developers can implement to prevent “pin2pwn.”
Visit www.carvesystems.com for more information and news.