All information contained on this site is strictly for educational purposes. Do not conduct security assessments on devices you do not own or have explicit permission to test.
About
Craig Young is a computer security researcher with Tripwire’s Vulnerability and Exposures Research Team (VERT). He has identified and responsibly disclosed dozens of vulnerabilities in products from Google, Amazon, IBM, NETGEAR, Adobe, HP, Apple, and others. His research has resulted in numerous CVE assignments and repeated recognition in the Google Application Security Hall of Fame. Craig’s presentations on Google authentication weaknesses have led to considerable security improvements for all Google users. Craig won in track 0 and track 1 of the first ever SOHOpelessly Broken contest at DEF CON 22 by demonstrating 10 0-day flaws in SOHO wireless routers. His research into iOS WiFi problems more recently exposed CVE-2015-3728 that could allow devices to inadvertently connect to malicious hot spots. Craig has also successfully employed fuzzing techniques to find flaws in a variety of open source software including a memory corruption in MatrixSSL that could be used to achieve code execution on at least 100,000 Internet gateways. More recently, Craig has turned his attention to flaws in TLS/HTTPS implementations. Refer to ROBOT, Zombie POODLE, and GOLDENDOODLE for more details.
Training
IoT Hack Labs
Over the years, I’ve found dozens of vulnerabilities affecting a wide array of embedded devices including routers, cameras, baby monitors, televisions, and various home automation products. In 2015, I began documenting the tools and techniques which worked best for me and developed a series of hands-on labs to teach the fundamental skills of software based device hacking.
My training sessions and workshops have taught hundreds of students about how to find and exploit bugs. All classes focus on lab exercises using a provided VM along with an online learning portal. Most lab exercises make use of virtualized vulnerable components from real-world devices that I have found vulnerabilities in.
This year, I will be doing things a little differently by having a stronger focus on building the fundamental Linux skills needed to perform effective security audits.
Black Hat USA
Title: An Introduction To IoT Pentesting with Linux
Dates: August 5-6, 2019 (Las Vegas, USA)
Register Here
The goal of this class is to help students of all backgrounds learn how to better use Linux for vulnerability research with an emphasis on IoT. This two-day, comprehensive training covers topics ranging from basic router hacking all the way to sophisticated DNS rebinding exploitation. Students will learn fundamental Linux concepts needed to effectively analyze, emulate, and exploit devices. Each lesson concludes with a walkthrough of different vulnerabilities from initial analysis and discovery through exploitation.
Topics include:
- Firmware component emulation
- Router authentication bypass and password disclosure
- HTTP command injection
- UPnP API vulnerability
- CSRF with automated target discovery
- DNS rebinding
Students will learn about technologies and tools including:
- QEMU
- Binwalk
- BASH
- cURL
- Python
- JavaScript
SecTor 2019
Title: Brainwashing Embedded Systems Deep Dive
Dates: October 7-8, 2019 (Toronto, ON)
Registration Not Yet Open
Conferences
2018 : Return of Bleichenbacher’s Oracle Threat (ROBOT) (Slides | USENIX)
2018 (training) : A Guided Tour of Embedded Software Hacks
2019 : Zombie POODLE, GOLDENDOODLE & How TLSv1.3 Can Save Us All
2013 (21): Android WebLogin: Google’s Skeleton Key (Video | Slides)
2014 (22 – Wireless Village): Pineapple Abductions (Video)
2015 (23): How To Train Your RFID Hacking Tools (Video | Slides | WP)
2015 (23 – IoT Village): Smart Home Invasion (Video | Slides)
2016 (24): Brainwashing Embedded Systems (4-hr Workshop)
2017 (25): Brainwashing Embedded Systems (4-hr Workshop)
2013: Google-Jacking (Video | Slides)
2014: A Day In The Life (Of a Security Researcher) (Slides)
2016: Fuzz Smarter, Not Harder (An afl-fuzz Primer) (Video | Slides)
2015-2017: Tripwire VERT IoT Hack Lab (Link)
2016-2017: Brainwashing Embedded Systems (8-hr Workshop)
2016: Brainwashing Embedded Systems (8-hr Workshop)
2015 Intelligent Defence: Smart Home Invasion (Clip | Slides)
2019 Geek Street: The Art of DNS Rebinding
2014: A Day In The Life (Of a Security Researcher) (Video | Slides)
JOINSec
2014: Exploiting Trust In the Google Ecosystem (Clip)
Vulnerabilities
This page is a partial listing of vulnerabilities I’ve found in recent years.
CVE
| CVE | Product |
| CVE-2019-10081 | Apache httpd: mod_http2, read-after-free in h2 connection shutdown |
| CVE-2019-10082 | Apache httpd: mod_http2, memory corruption on early pushes |
| CVE-2019-0196 | Apache httpd: mod_http2+scoreboard, Use-After-Free (READ) |
| CVE-2019-5592 | FortiOS SSL Deep Inspection TLS Padding Oracle Vulnerabilities (GOLDENDOODLE and Zombie POODLE) |
| CVE-2019-6593 | CBC padding oracles on F5 products (GOLDENDOODLE and Zombie POODLE) |
| CVE-2019-6485 | CBC padding oracles on Citrix products (GOLDENDOODLE and Zombie POODLE) |
| CVE-2018-20783 | PHP Heap Overflow in PHAR access |
| CVE-2018-10549 | PHP Heap Overflow in Exif |
| CVE-2018-1333 | Apache HTTP2 DoS |
| CVE-2017-13099 | WolfSSL (ROBOT) |
| CVE-2017-1000385 | Erlang (ROBOT) |
| CVE-2017-13098 | Bouncy Castle (ROBOT) |
| CVE-2017-12373 | Cisco ASA (ROBOT) |
| CVE-2017-17428 | Cisco ACE (ROBOT) |
| CVE-2017-17427 | Radware Alteon (ROBOT) |
| CVE-2017-17382 | Citrix NetScaler (ROBOT) |
| CVE-2017-6168 | F5 Networks (ROBOT) |
| CVE-2017-2339 | Juniper ScreenOS |
| CVE-2017-2338 | Juniper ScreenOS |
| CVE-2017-2337 | Juniper ScreenOS |
| CVE-2017-2336 | Juniper ScreenOS |
| CVE-2017-2335 | Juniper ScreenOS |
| CVE-2017-12934 | PHP Unserialize() #3 |
| CVE-2017-12933 | PHP Unserialize() #2 |
| CVE-2017-12932 | PHP Unserialize() #1 |
| CVE-2016-6892 | MatrixSSL |
| CVE-2016-6891 | MatrixSSL |
| CVE-2016-6890 | MatrixSSL |
| CVE-2016-10050 | ImageMagick |
| CVE-2016-1000216 | Ruckus Zone Flex APs |
| CVE-2016-1000215 | Ruckus Zone Flex APs |
| CVE-2016-1000214 | Ruckus Zone Flex APs |
| CVE-2016-1000213 | Ruckus Zone Flex APs |
| CVE-2015-5878 | Apple OS X |
| CVE-2015-5447 | HP StorOnce |
| CVE-2015-5446 | HP StorOnce |
| CVE-2015-5445 | HP StorOnce |
| CVE-2015-3728 | Apple iOS |
| CVE-2014-9700 | MiOS MiCasa Vera Lite (media) |
| CVE-2014-9699 | Makerbot Replicator 5th Gen 3D Printer |
| CVE-2014-9698 | Makerbot Replicator 5th Gen 3D Printer |
| CVE-2014-9064 | Samsung SmartThings Hub |
| CVE-2014-9063 | MiOS MiCasa Vera Lite (media) |
| CVE-2014-9062 | MiOS MiCasa Vera Lite (media) |
| CVE-2014-9061 | MiOS MiCasa Vera Lite (media) |
| CVE-2014-9011 | Wink Hub (media) |
| CVE-2014-9010 | Wink Hub (media) |
| CVE-2014-9009 | Wink Hub (media) |
| CVE-2014-9008 | Belkin NetCam Wi-Fi Camera (TV demo) |
| CVE-2014-9007 | Stratus ftServer BMC |
| CVE-2014-8007 | Stratus ftServer BMC |
| CVE-2014-8006 | Stratus ftServer BMC |
| CVE-2014-8005 | Stratus ftServer BMC |
| CVE-2014-8004 | Stratus ftServer BMC |
| CVE-2014-8003 | Stratus ftServer BMC |
| CVE-2014-8002 | Stratus ftServer BMC |
| CVE-2014-8001 | Stratus ftServer BMC |
| CVE-2014-8000 | Stratus ftServer BMC |
| CVE-2014-7973 | QNAP Turbo 4.1.1 |
| CVE-2014-7972 | QNAP Turbo 4.1.1 |
| CVE-2014-7964 | QNAP Turbo 4.1.1 |
| CVE-2014-7963 | QNAP Turbo 4.1.1 |
| CVE-2014-7962 | QNAP Turbo 4.1.1 |
| CVE-2014-7961 | QNAP Turbo 4.1.1 |
| CVE-2014-7160 | LANDesk 9.5.1 for OS X |
| CVE-2014-6447 | Pineapple WiFi |
| CVE-2014-6446 | Pineapple WiFi |
| CVE-2014-6445 | Pineapple WiFi |
| CVE-2014-6444 | Pineapple WiFi |
| CVE-2014-6442 | Application Crash Reporter for Android |
| CVE-2014-6441 | HBO Go Android App |
| CVE-2014-6226 | Pineapple WiFi |
| CVE-2014-6225 | Pineapple WiFi |
| CVE-2014-6224 | Pineapple WiFi |
| CVE-2014-6223 | Pineapple WiFi |
| CVE-2014-5486 | Belkin N900 |
| CVE-2014-5485 | Belkin N900 |
| CVE-2014-5484 | D-Link DIR-865L |
| CVE-2014-5483 | TrendNET TEW-812DRUV2 |
| CVE-2014-5482 | NETGEAR Centria |
| CVE-2014-5481 | NETGEAR Centria |
| CVE-2014-5480 | NETGEAR Centria |
| CVE-2014-5479 | NETGEAR Centria |
| CVE-2014-5478 | Linksys EA6500 |
| CVE-2014-5477 | Uber Android App |
| CVE-2014-5476 | Pineapple WiFi |
| CVE-2014-5475 | NETGEAR WNDR4700 |
| CVE-2014-5474 | Asus RT-AC66U |
| CVE-2014-4426 | Apple OS X |
| CVE-2014-4016 | Zencart |
| CVE-2014-4015 | Zencart |
| CVE-2014-2641 | HP System Management Homepage |
| CVE-2014-2566 | PHONE for Google Voice & GTalk |
| CVE-2014-2530 | Hyundai BlueLink App |
| CVE-2014-1954 | Zoneminder |
| CVE-2014-1953 | Zoneminder |
| CVE-2014-1952 | Zoneminder |
| CVE-2014-1951 | Zoneminder |
| CVE-2014-1920 | Cisco CHS 435HDC DVR |
| CVE-2014-1919 | NETGEAR WNR2000v3 |
| CVE-2014-1918 | Linksys WRT110 v8 |
| CVE-2014-1917 | Linksys WRT110 v8 |
| CVE-2014-1898 | Tenda A5 Travel Router |
| CVE-2014-1897 | Tenda A5 Travel Router |
| CVE-2014-1857 | Precor Elliptical 1110 E |
| CVE-2014-1856 | Loftek (and others) |
| CVE-2014-0570 | Adobe ColdFusion |
| CVE-2013-7150 | Asus RT-N16 |
| CVE-2013-7056 | NETGEAR WGR614v9 |
| CVE-2013-7037 | Zoom 5341J Cable Modem |
| CVE-2013-7036 | Zoom 5341J Cable Modem |
| CVE-2013-6115 | NETGEAR ReadyNAS |
| CVE-2013-5982 | NETGEAR ReadyNAS |
| CVE-2013-5981 | NETGEAR ReadyNAS |
| CVE-2013-5949 | Asus RT-N16 |
| CVE-2013-5948 | Asus RT-N16 |
| CVE-2013-5947 | Asus RT-N16 |
| CVE-2013-5928 | Linksys E1200 |
| CVE-2013-5927 | Asus RT-N16 |
| CVE-2013-5926 | D-Link DIR-615 |
| CVE-2013-5925 | EnGenius ESR1750 |
| CVE-2013-5924 | EnGenius ESR1750 |
| CVE-2013-5923 | Linksys E1200 |
| CVE-2013-5922 | Linksys E1200 |
| CVE-2013-5921 | Linksys E1200 |
| CVE-2013-5737 | Asus RT-N16 |
| CVE-2013-5736 | Asus RT-N16 |
| CVE-2013-5735 | Asus RT-N16 |
| CVE-2013-5734 | D-Link DIR-615 |
| CVE-2013-5733 | D-Link DIR-615 |
| CVE-2013-5732 | D-Link DIR-615 |
| CVE-2013-5731 | D-Link DIR-615 |
| CVE-2013-5682 | NETGEAR Many Models |
| CVE-2013-5681 | NETGEAR Many Models |
| CVE-2013-5577 | NETGEAR Many Models |
| CVE-2013-4796 | Review Board |
| CVE-2013-4795 | Review Board |
| CVE-2013-4052 | IBM WebSphere |
| CVE-2013-3683 | Arcor-Easy Box A 300 |
| CVE-2013-3682 | Arcor-Easy Box A 300 |
| CVE-2013-3568 | Linksys/Cisco WRT110 |
| CVE-2013-3547 | Motorola VT2442 Router |
| CVE-2013-3546 | Motorola VT2442 Router |
| CVE-2013-3545 | Motorola VT2442 Router |
| CVE-2013-3314 | Loftek (and others) |
| CVE-2013-3313 | Loftek (and others) |
| CVE-2013-3312 | Loftek (and others) |
| CVE-2013-3311 | Loftek (and others) |
| CVE-2013-3293 | NETGEAR WNDR3700v2 |
| CVE-2013-3292 | NETGEAR WNDR3700v2 |
| CVE-2013-3291 | NETGEAR WNDR3700v2 |
| CVE-2013-2752 | NETGEAR ReadyNAS |
| CVE-2013-2751 | NETGEAR ReadyNAS |
| CVE-2013-2745 | miniDLNA |
| CVE-2013-2739 | miniDLNA |
| CVE-2013-2738 | miniDLNA |
| CVE-2013-2600 | MiniUPnPd |
| CVE-2013-2209 | Review Board |
| CVE-2013-0544 | IBM WebSphere |
| CVE-2013-0542 | IBM WebSphere |
| CVE-2012-6466 | Cloudshark |
| CVE-2012-6458 | SilverStripe e-commerce Module |
| CVE-2012-6457 | phpScheduleIt |
| CVE-2012-6455 | Cloudshark |
| CVE-2012-6297 | DD-WRT v24-sp2 |
| CVE-2012-6296 | miniDLNA / ReadyNAS |
| CVE-2012-6295 | miniDLNA / ReadyNAS |
| CVE-2012-6294 | miniDLNA / ReadyNAS |
| CVE-2012-6293 | mt-daapd / ReadyNAS |
| CVE-2012-6292 | mt-daapd / ReadyNAS |