Automated Black-box Security Testing of Smart Embedded Devices
Offered By: Hack In The Box Security Conference via YouTube
Course Description
Overview
Discover an innovative approach to automated black-box security testing of IoT and embedded devices in this 50-minute conference talk from the Hack In The Box Security Conference. Learn about the limitations of traditional black-box fuzzing and companion app-based techniques when applied to IoT devices. Explore a novel method that leverages "fuzzing triggers" within companion apps to generate optimal fuzzing inputs, bypassing app-side validation while maintaining valid input formats. Gain insights into Diane, a black-box fuzzer that combines static and dynamic analysis of Android apps to automatically identify and utilize fuzzing triggers for both WiFi and Bluetooth-connected devices. Examine the results of testing 11 popular IoT devices, including the discovery of 9 zero-day vulnerabilities. Investigate additional applications of this approach for identifying vulnerable update mechanisms and auditing trusted execution environments in embedded devices.
Syllabus
#HITB2023AMS D2T2 - Automated Black-box Security Testing Of “Smart” Embedded Devices - A. Continella
Taught by
Hack In The Box Security Conference
Related Courses
Performing DevSecOps Automated Security Testing (Pluralsight)
Microsoft Azure DevOps Engineer: Implement a Secure and Compliant Development Process (Pluralsight)
Approaching Automated Security Testing in DevSecOps (Pluralsight)
Integrating Automated Security Testing Tools (Pluralsight)
Get Ahead in DevSecOps (LinkedIn Learning)