Disclaimer

All information contained on this site is strictly for educational purposes.  Do not conduct security assessments on devices you do not own or have explicit permission to test.

About

Craig Young is a computer security researcher with Tripwire’s Vulnerability and Exposures Research Team (VERT). He has identified and responsibly disclosed dozens of vulnerabilities in products from Google, Amazon, IBM, NETGEAR, Adobe, HP, Apple, and others. His research has resulted in numerous CVE assignments and repeated recognition in the Google Application Security Hall of Fame. Craig’s presentations on Google authentication weaknesses have led to considerable security improvements for all Google users. Craig won in track 0 and track 1 of the first ever SOHOpelessly Broken contest at DEF CON 22 by demonstrating 10 0-day flaws in SOHO wireless routers. His research into iOS WiFi problems more recently exposed CVE-2015-3728 that could allow devices to inadvertently connect to malicious hot spots. Craig has also successfully employed fuzzing techniques to find flaws in a variety of open source software including a memory corruption in MatrixSSL that could be used to achieve code execution on at least 100,000 Internet gateways. More recently, Craig has turned his attention to flaws in TLS/HTTPS implementations. Refer to ROBOT, Zombie POODLE, and GOLDENDOODLE for more details.

Training

IoT Hack Labs

Over the years, I’ve found dozens of vulnerabilities affecting a wide array of embedded devices including routers, cameras, baby monitors, televisions, and various home automation products. In 2015, I began documenting the tools and techniques which worked best for me and developed a series of hands-on labs to teach the fundamental skills of software-based device hacking.

My training sessions and workshops have taught hundreds of students how to find and exploit bugs. All classes focus on lab exercises using a provided VM along with an online learning portal. Most lab exercises make use of virtualized vulnerable components from real-world devices in which I have found vulnerabilities.

This year, I will be doing things a little differently by having a stronger focus on building the fundamental Linux skills needed to perform effective security audits.

Black Hat USA

Title: An Introduction To IoT Pentesting with Linux
Dates: August 5-6, 2019 (Las Vegas, USA)

The goal of this class is to help students of all backgrounds learn how to better use Linux for vulnerability research with an emphasis on IoT. This two-day, comprehensive training covers topics ranging from basic router hacking all the way to sophisticated DNS rebinding exploitation. Students will learn fundamental Linux concepts needed to effectively analyze, emulate, and exploit devices. Each lesson concludes with a walkthrough of different vulnerabilities from initial analysis and discovery through exploitation.

Topics include:

  • Firmware component emulation
  • Router authentication bypass and password disclosure
  • HTTP command injection
  • UPnP API vulnerability
  • CSRF with automated target discovery
  • DNS rebinding

Students will learn about technologies and tools including:

  • QEMU
  • Binwalk
  • BASH
  • cURL
  • Python
  • JavaScript

SecTor 2019

Title: Brainwashing Embedded Systems Deep Dive
Dates: October 7-8, 2019 (Toronto, ON)
Registration Not Yet Open

Conferences

Black Hat USA

2018: Return of Bleichenbacher’s Oracle Threat (ROBOT) (Slides | USENIX)
2018 (training): A Guided Tour of Embedded Software Hacks

Black Hat Asia

2019 : Zombie POODLE, GOLDENDOODLE & How TLSv1.3 Can Save Us All

DEF CON

2013 (21): Android WebLogin: Google’s Skeleton Key (Video | Slides)
2014 (22 – Wireless Village): Pineapple Abductions (Video)
2015 (23): How To Train Your RFID Hacking Tools (Video | Slides | WP)
2015 (23 – IoT Village): Smart Home Invasion (Video | Slides)
2016 (24): Brainwashing Embedded Systems (4-hr Workshop)
2017 (25): Brainwashing Embedded Systems (4-hr Workshop)

BSides SF

2013: Google-Jacking (Video | Slides)
2014: A Day In The Life (Of a Security Researcher) (Slides)
2016: Fuzz Smarter, Not Harder (An afl-fuzz Primer) (Video | Slides)

SecTor

2015-2017: Tripwire VERT IoT Hack Lab (Link)
2016-2017: Brainwashing Embedded Systems (8-hr Workshop)

AusCERT

2016: Brainwashing Embedded Systems (8-hr Workshop)

Infosec Europe

2015 Intelligent Defence: Smart Home Invasion (Clip | Slides)

2019 Geek Street: The Art of DNS Rebinding

BSides London

2014: A Day In The Life (Of a Security Researcher) (Video | Slides)

JOINSec

2014: Exploiting Trust In the Google Ecosystem (Clip)

Vulnerabilities

This page is a partial listing of vulnerabilities I’ve found in recent years.

CVE

CVE Product
CVE-2019-10081 Apache httpd: mod_http2, read-after-free in h2 connection shutdown
CVE-2019-10082 Apache httpd: mod_http2, memory corruption on early pushes
CVE-2019-0196 Apache httpd: mod_http2+scoreboard, Use-After-Free (READ)
CVE-2019-5592 FortiOS SSL Deep Inspection TLS Padding Oracle Vulnerabilities (GOLDENDOODLE and Zombie POODLE)
CVE-2019-6593 CBC padding oracles on F5 products (GOLDENDOODLE and Zombie POODLE)
CVE-2019-6485 CBC padding oracles on Citrix products (GOLDENDOODLE and Zombie POODLE)
CVE-2018-20783 PHP Heap Overflow in PHAR access
CVE-2018-10549 PHP Heap Overflow in Exif
CVE-2018-1333 Apache HTTP2 DoS
CVE-2017-13099 WolfSSL (ROBOT)
CVE-2017-1000385 Erlang (ROBOT)
CVE-2017-13098 Bouncy Castle (ROBOT)
CVE-2017-12373 Cisco ASA (ROBOT)
CVE-2017-17428 Cisco ACE (ROBOT)
CVE-2017-17427 Radware Alteon (ROBOT)
CVE-2017-17382 Citrix NetScaler (ROBOT)
CVE-2017-6168 F5 Networks (ROBOT)
CVE-2017-2339 Juniper ScreenOS
CVE-2017-2338 Juniper ScreenOS
CVE-2017-2337 Juniper ScreenOS
CVE-2017-2336 Juniper ScreenOS
CVE-2017-2335 Juniper ScreenOS
CVE-2017-12934 PHP Unserialize() #3
CVE-2017-12933 PHP Unserialize() #2
CVE-2017-12932 PHP Unserialize() #1
CVE-2016-6892 MatrixSSL
CVE-2016-6891 MatrixSSL
CVE-2016-6890 MatrixSSL
CVE-2016-10050 ImageMagick
CVE-2016-1000216 Ruckus Zone Flex APs
CVE-2016-1000215 Ruckus Zone Flex APs
CVE-2016-1000214 Ruckus Zone Flex APs
CVE-2016-1000213 Ruckus Zone Flex APs
CVE-2015-5878 Apple OS X
CVE-2015-5447 HP StorOnce
CVE-2015-5446 HP StorOnce
CVE-2015-5445 HP StorOnce
CVE-2015-3728 Apple iOS
CVE-2014-9700 MiOS MiCasa Vera Lite (media)
CVE-2014-9699 Makerbot Replicator 5th Gen 3D Printer
CVE-2014-9698 Makerbot Replicator 5th Gen 3D Printer
CVE-2014-9064 Samsung SmartThings Hub
CVE-2014-9063 MiOS MiCasa Vera Lite (media)
CVE-2014-9062 MiOS MiCasa Vera Lite (media)
CVE-2014-9061 MiOS MiCasa Vera Lite (media)
CVE-2014-9011 Wink Hub (media)
CVE-2014-9010 Wink Hub (media)
CVE-2014-9009 Wink Hub (media)
CVE-2014-9008 Belkin NetCam Wi-Fi Camera (TV demo)
CVE-2014-9007 Stratus ftServer BMC
CVE-2014-8007 Stratus ftServer BMC
CVE-2014-8006 Stratus ftServer BMC
CVE-2014-8005 Stratus ftServer BMC
CVE-2014-8004 Stratus ftServer BMC
CVE-2014-8003 Stratus ftServer BMC
CVE-2014-8002 Stratus ftServer BMC
CVE-2014-8001 Stratus ftServer BMC
CVE-2014-8000 Stratus ftServer BMC
CVE-2014-7973 QNAP Turbo 4.1.1
CVE-2014-7972 QNAP Turbo 4.1.1
CVE-2014-7964 QNAP Turbo 4.1.1
CVE-2014-7963 QNAP Turbo 4.1.1
CVE-2014-7962 QNAP Turbo 4.1.1
CVE-2014-7961 QNAP Turbo 4.1.1
CVE-2014-7160 LANDesk 9.5.1 for OS X
CVE-2014-6447 Pineapple WiFi
CVE-2014-6446 Pineapple WiFi
CVE-2014-6445 Pineapple WiFi
CVE-2014-6444 Pineapple WiFi
CVE-2014-6442 Application Crash Reporter for Android
CVE-2014-6441 HBO Go Android App
CVE-2014-6226 Pineapple WiFi
CVE-2014-6225 Pineapple WiFi
CVE-2014-6224 Pineapple WiFi
CVE-2014-6223 Pineapple WiFi
CVE-2014-5486 Belkin N900
CVE-2014-5485 Belkin N900
CVE-2014-5484 D-Link DIR-865L
CVE-2014-5483 TrendNET TEW-812DRUV2
CVE-2014-5482 NETGEAR Centria
CVE-2014-5481 NETGEAR Centria
CVE-2014-5480 NETGEAR Centria
CVE-2014-5479 NETGEAR Centria
CVE-2014-5478 Linksys EA6500
CVE-2014-5477 Uber Android App
CVE-2014-5476 Pineapple WiFi
CVE-2014-5475 NETGEAR WNDR4700
CVE-2014-5474 Asus RT-AC66U
CVE-2014-4426 Apple OS X
CVE-2014-4016 Zencart
CVE-2014-4015 Zencart
CVE-2014-2641 HP System Management Homepage
CVE-2014-2566 PHONE for Google Voice & GTalk
CVE-2014-2530 Hyundai BlueLink App
CVE-2014-1954 Zoneminder
CVE-2014-1953 Zoneminder
CVE-2014-1952 Zoneminder
CVE-2014-1951 Zoneminder
CVE-2014-1920 Cisco CHS 435HDC DVR
CVE-2014-1919 NETGEAR WNR2000v3
CVE-2014-1918 Linksys WRT110 v8
CVE-2014-1917 Linksys WRT110 v8
CVE-2014-1898 Tenda A5 Travel Router
CVE-2014-1897 Tenda A5 Travel Router
CVE-2014-1857 Precor Elliptical 1110 E
CVE-2014-1856 Loftek (and others)
CVE-2014-0570 Adobe ColdFusion
CVE-2013-7150 Asus RT-N16
CVE-2013-7056 NETGEAR WGR614v9
CVE-2013-7037 Zoom 5341J Cable Modem
CVE-2013-7036 Zoom 5341J Cable Modem
CVE-2013-6115 NETGEAR ReadyNAS
CVE-2013-5982 NETGEAR ReadyNAS
CVE-2013-5981 NETGEAR ReadyNAS
CVE-2013-5949 Asus RT-N16
CVE-2013-5948 Asus RT-N16
CVE-2013-5947 Asus RT-N16
CVE-2013-5928 Linksys E1200
CVE-2013-5927 Asus RT-N16
CVE-2013-5926 D-Link DIR-615
CVE-2013-5925 EnGenius ESR1750
CVE-2013-5924 EnGenius ESR1750
CVE-2013-5923 Linksys E1200
CVE-2013-5922 Linksys E1200
CVE-2013-5921 Linksys E1200
CVE-2013-5737 Asus RT-N16
CVE-2013-5736 Asus RT-N16
CVE-2013-5735 Asus RT-N16
CVE-2013-5734 D-Link DIR-615
CVE-2013-5733 D-Link DIR-615
CVE-2013-5732 D-Link DIR-615
CVE-2013-5731 D-Link DIR-615
CVE-2013-5682 NETGEAR Many Models
CVE-2013-5681 NETGEAR Many Models
CVE-2013-5577 NETGEAR Many Models
CVE-2013-4796 Review Board
CVE-2013-4795 Review Board
CVE-2013-4052 IBM WebSphere
CVE-2013-3683 Arcor-Easy Box A 300
CVE-2013-3682 Arcor-Easy Box A 300
CVE-2013-3568 Linksys/Cisco WRT110
CVE-2013-3547 Motorola VT2442 Router
CVE-2013-3546 Motorola VT2442 Router
CVE-2013-3545 Motorola VT2442 Router
CVE-2013-3314 Loftek (and others)
CVE-2013-3313 Loftek (and others)
CVE-2013-3312 Loftek (and others)
CVE-2013-3311 Loftek (and others)
CVE-2013-3293 NETGEAR WNDR3700v2
CVE-2013-3292 NETGEAR WNDR3700v2
CVE-2013-3291 NETGEAR WNDR3700v2
CVE-2013-2752 NETGEAR ReadyNAS
CVE-2013-2751 NETGEAR ReadyNAS
CVE-2013-2745 miniDLNA
CVE-2013-2739 miniDLNA
CVE-2013-2738 miniDLNA
CVE-2013-2600 MiniUPnPd
CVE-2013-2209 Review Board
CVE-2013-0544 IBM WebSphere
CVE-2013-0542 IBM WebSphere
CVE-2012-6466 Cloudshark
CVE-2012-6458 SilverStripe e-commerce Module
CVE-2012-6457 phpScheduleIt
CVE-2012-6455 Cloudshark
CVE-2012-6297 DD-WRT v24-sp2
CVE-2012-6296 miniDLNA / ReadyNAS
CVE-2012-6295 miniDLNA / ReadyNAS
CVE-2012-6294 miniDLNA / ReadyNAS
CVE-2012-6293 mt-daapd / ReadyNAS
CVE-2012-6292 mt-daapd / ReadyNAS

CVE Unavailable

PCRE Stack Corruption
WordPress SmartyWP Plugin