Organized by security consulting and research firm Independent Security Evaluators (ISE), IoT Village delivers advocacy for and expertise on security advancements in Internet of Things devices. IoT Village hosts talks by expert security researchers who dissect real-world exploits and vulnerabilities, as well as hacking contests featuring off-the-shelf IoT devices.
IoT Village's contests are brought to you by SOHOpelessly Broken™, the first-ever router hacking contest at DEF CON. The ISE research that inspired the SOHOpelessly Broken™ contests delivered 56 CVEs to the infosec community. Over the years at DEF CON, IoT Village has served as the platform to showcase and uncover 113 new vulnerabilities in connected devices.
Follow both ISE (@ISEsecurity) and IoT Village (@IoTvillage) on Twitter for updates on talks, contests, and giveaways.
Want to help, get updates or just show your interest? Get Involved
|ToorCon at The Westin San Diego, CA||CTF||Oct. 15-16, 2016|
|BSidesDC at the Renaissance in DC||Village CTF||Oct. 22-23, 2016|
|RSA Moscone Center San Francisco, CA||IoT Sandbox||Feb. 13-17, 2017|
|CypherCon DiscoveryWorld, Milwaukee, WI||Village CTF||March 30-31, 2017|
|BSidesCharm Convention Center Baltimore, MD||Village CTF||April 29-30, 2017|
|HackerLab Engine-4 Bayamón, Puerto Rico||CTF||May 20, 2017|
|DEF CON Caesar's Las Vegas, NV||Village Talks & Contests||July 28-30, 2017|
|ToorCon at The Westin San Diego, CA||CTF||Sept. 1, 2017|
|DerbyCon 7.0 Louisville Kentucky||CTF||Sept. 22, 2017|
|BSidesDC at the Renaissance in DC||Village CTF||Oct. 6-8, 2017|
|BSidesPhilly at Drexel University||Village CTF||Dec. 2-3, 2017|
|The Hand that Rocks the Cradle: Hacking IoT Baby Monitors||Mark Stanislav||10:00 am|
|"These are a few of our favorite (hardware) things"||Hugo Fiennes, Tom Byrne, Gino Miglio, and Zandr Milewski||02:00 pm|
|Security of Wireless Home Automation Systems - A World Beside TCP/IP||Tobias Zillner & Sebastian Strobl (slides)||04:00 pm|
|Hacking You Fat: The FitBit Aria||Ken Munro & David Lodge||10:00 am|
|Hacking Satellite TV Receivers||Sofiane Talmat||02:00 pm|
|Practical IoT Exploitation Workshop (MIPS/ARM)||Lyon Yang (slides)||04:00 pm|
|Pwning IoT with Hardware Attacks||Chase Schultz (slides)||10:00 am|
|SWEET SECURITY - Creating a Defensive Raspberry Pi||Travis Smith (slides)||11:30 am|
At Village Talks Room
|Cameras, Thermostats, and Home Automation Controllers - Hacking 14 IoT Devices||Wesley Wineberg (slides)||Friday @ 12:00 pm|
|Yes, You Can Walk on Water: Application & Product Security on a Startup Budget||Brian Knopf||Friday @ 05:00 pm|
|A Surface Area Approach to Pen-testing the IoT||Daniel Miessler (slides)||Saturday @ 12:00 pm|
|Securing the IoT World||Aaron Guzman (slides)||Saturday @ 05:00 pm|
|Smart Home Invasion||Craig Young (slides)||Sunday @ 10:00 am|
Bronze room 4 & 3
|Exploiting a Smart Fridge: a Case Study in Kinetic Cyber||Kevin Cooper||10:10 am|
|KEYNOTE||Paul Dant||11:30 am|
|FCC 5G/IoT Security Policy Objectives||Rear Admiral (ret.) David Simpson, FCC, Bureau Chief||12:10 pm|
|Picking Bluetooth Low Energy Locks from a Quarter Mile Away||Anthony Rose||2:00 pm|
|Live Drone RF Reverse Engineering||Marc Newlin, Matt Knight, Bastille Networks||5:00 pm|
|Hot Wheels: Hacking Electronic Wheelchairs||Stephen Chavez and Specter||10:10 am|
|How the Smart-City becomes Stupid||Denis Makrushin, Vladimir Dashchenko, Kaspersky Lab||12:10 pm|
|Internet of Thieves (or DIY Persistence)||Joseph Needleman||3:30 pm|
|Thermostat Ransomware and Workshop||Ken Munro, Pen Test Partners||5:00 pm|
|0-day Hunting||Elvis Collado||10:00 am|
Village Talks in Bronze Room 1
|Sense & Avoid: Some laws to know before you break IoT||Elizabeth Wharton||Friday @ 1:00 pm|
|BtleJuice: the Bluetooth Smart Man In The Middle Framework||Damien Cauquil, Digital Security (CERT-UBIK), Senior Security Researcher||Friday @ 3:00 pm|
|Is Your Internet Light On? Protecting Consumers in the Age of Connected Everything||Terrell McSweeny, Federal Trade Commission, Commissioner||Friday @ 4:00 pm|
|SNMP and IoT Devices: Let me Manage that for you Bro!||Bertin Bervis||Saturday @ 1:00 pm|
|Reversing and Exploiting Embedded Devices||Elvis Collado, Praetorian, Senior Security Researcher||Saturday @ 3:00 pm|
|Tranewreck||Jeff Kitson, Trustwave SpiderLabs, Security Researcher||Saturday @ 4:00 pm|
|IoT Defenses - Software, Hardware, Wireless and Cloud||Aaron Guzman, Principal Penetration Tester||Sunday @ 11:00 am|
|Inside the IV Pump, not too much medication por favor!||Dan Regalado @Danuxx (slides)||10:00 am - 10:50 am|
|IoT Village Keynote - Friends, Not Foes: Rethinking the Researcher-Vendor Relationship||Rick Ramgattie @RRamgattie (slides)||11:30 am - 12:00 pm|
|Hide Yo Keys, Hide Yo Car - Remotely Exploiting Connected Vehicle APIs and Apps||Aaron Guzman (slides)||1:00 pm - 1:50 pm|
|Pwning the Industrial IoT: RCEs and backdoors are around!||Vladimir Dashchenko @raka_baraka & Sergey Temnikov (slides)||2:40 pm - 3:30 pm|
|IoT - the gift that keeps on giving||Alex "Jay" Balan @Jaymzu (slides)||4:10 pm - 5:00 pm|
|101 hardware hacking workshop||Ken Munro @TheKenMunroShow||5:40 pm - 7:00 pm|
|From DVR worms, to fridges, via dildos, the sins of the IoT in 50 minutes||Andrew Tierney @cybergibbons & Ken Munro @TheKenMunroShow||10:00 am - 10:50 am|
|IoT updates to help protect consumers||Aaron Alva @aalvatar & Mark Eichorn of the FTC||11:30 am - 12:00 pm|
|The Internet of Vulnerabilities||Deral Heiland @percent_x (slides)||1:00 pm - 1:50 pm|
|IIDS: An Intrusion Detection System for IoT||Vivek Ramachandran @securitytube, Nishant Sharma, and Ashish Bhangale||2:40 pm - 3:30 pm|
|Redesigning PKI for IoT because Crypto is Hard||Brian Knopf @DoYouQA (slides)||4:10 pm - 5:00 pm|
|Manufacturers Panel||TBA||5:40 pm - 6:30 pm|
|Intelligent Misusers: A Case for Adversarial Modelling on IoT Devices||Pishu Mahtani @pishumahtani||10:00 am - 10:30 am|
|*bonus*||From FAR and NEAR: Exploiting Overflows on Windows 3.x||Jacob Thompson @isesecurity||11:00 am - 11:30 am|
|slides||Unexpected IoT—Solar Panels Compromise||Fred Bret-Mounet|
|slides||Weaponizing IoT||Ted Harrington|
|slides||Medical Device Security Considerations: Case Study||Jeanie Larson|
|slides||What Do You Mean, “Patch”? A Shared Vision of IoT Security Updates||Dr. Allan Friedman|
|slides||The Connected World Has Been Disconnected: Survival Guide in IoThreats Era||Denis Makrushin|
|slides||Ransomware, Drones, Smart TVs, Bots: Protecting Consumers in the Age of IoT||Terrell McSweeny & Aaron Alva|
|slides||All Your Locks Are BLEong to Us||Anthony Rose|
|slides||IRL: Live Hacking Demos!||Omer Farooq & Rick Ramgattie|
|slides||IoT in Healthcare: Life or Death||Dr. May Wang|
RSAC is looking for 30-minute talks that demonstrate exploits in a visual manner and/or illustrate the narrative of an attack and its impact on businesses/institutions. RSAC also wants to embrace any interactive elements you might be able to develop. Our area provides a more intimate space, and the potential for crowd engagement is high. Abstracts for work in progress are acceptable at this stage of submission. Creativity is welcome!
When you reach the Additional Comment section in the submission form, write in "IoT Sandbox" so they know this is for our stage.
DEADLINE October 5th, 2017
The so-called Internet of Things (IoT) is undergoing massive adoption. From locks and thermostats to televisions and refrigerators, many devices that have traditionally delivered analog functionality are rapidly gaining Wi-Fi connectivity and connecting to cloud-based, command-and-control centers for remote control and monitoring functionality. Some of these devices are built with security in mind, while others are simply analog devices with communication capabilities slapped on. The security and privacy implications introduced by any security vulnerabilities in these connected devices are tremendous.
To be at the forefront of addressing and minimizing these issues, we organized the first-ever IoT hacking village at DEF CON 23. It was a follow-up to the massively popular SOHOpelessly Broken™ router hacking contest, which debuted at DEF CON 22 and contributed 15 new 0-day discoveries to the research community. We hope to educate participants and the community about security vulnerabilities in these widely deployed devices and, in turn, shift toward better security in the IoT category.
The Zero-Day track is focused on the discovery and demonstration of new exploits (0-day vulnerabilities). This track relies on the judging of newly discovered attacks against embedded electronic devices. Devices that are eligible for the contest can be found here and you can start submitting entries now! The winners who score the highest on their judged entries will be rewarded with cash prizes.
Contestants will need to provide proof that they disclosed the vulnerability to the vendor.
In this DEF CON 24 Black Badge CTF, players compete against one another by exploiting off-the-shelf IoT devices. These 15+ devices all have known vulnerabilities, but successfully exploiting them requires lateral thinking, knowledge of networking, and competency in exploit development. CTFs are a great way to learn more about security and test your skills, so join up in a team (or even by yourself) and compete for fun and prizes! Exploit as many as you can over the weekend and the top three teams will be rewarded.