Disclaimer

All information contained on this site is strictly for educational purposes. Do not conduct security assessments on devices that you do not own or do not have explicit permission to test.

About

Craig Young is a computer security researcher with Tripwire’s Vulnerability and Exposures Research Team (VERT). He has identified and responsibly disclosed dozens of vulnerabilities in products from Google, Amazon, IBM, NETGEAR, Adobe, HP, Apple, and others. His research has resulted in numerous CVE assignments and repeated recognition in the Google Application Security Hall of Fame. Craig’s presentations on Google authentication weaknesses have led to considerable security improvements for all Google users. Craig won in track 0 and track 1 of the first-ever SOHOpelessly Broken contest at DEF CON 22 by demonstrating 10 0-day flaws in SOHO wireless routers. More recently, his research into iOS WiFi problems exposed CVE-2015-3728, which could allow devices to inadvertently connect to malicious hot spots. Craig has also successfully employed fuzzing techniques to find flaws in a variety of open source software, including a memory corruption in MatrixSSL that could be used to achieve code execution on at least 100,000 Internet gateways.

Training

Brainwashing Embedded Systems

Learning the secret incantations to make embedded systems carry out your will is not as hard as one might think. In the world of IoT, the hardened system is rare, and most of the time a firmware image is more than enough to find and exploit weaknesses. Embedded devices are flooding corporate and home networks with limited insight into product security.

Brainwashing Embedded Systems teaches students techniques for evaluating device security and identifying vulnerabilities. The class focuses on lab exercises using a provided virtual machine containing virtualized components of several embedded devices and an online learning portal.

Techniques in this class have been successfully employed by the author to identify over 100 CVEs on embedded/IoT devices as well as to win the 0-day and CTF tracks in the DEF CON 22 SOHOpelessly Broken router hacking competition.

The class can be offered as a quick 4-hour overview, a full-day workshop, or a two-day class.

Conferences

DEF CON

2013 (21): Android WebLogin: Google’s Skeleton Key (Video | Slides)
2014 (22 – Wireless Village): Pineapple Abductions (Video)
2015 (23): How To Train Your RFID Hacking Tools (Video | Slides | WP)
2015 (23 – IoT Village): Smart Home Invasion (Video | Slides)
2016 (24): Brainwashing Embedded Systems (4-hr Workshop)
2017 (25): Brainwashing Embedded Systems (4-hr Workshop)

BSides SF

2013: Google-Jacking (Video | Slides)
2014: A Day In The Life (Of a Security Researcher) (Slides)
2016: Fuzz Smarter, Not Harder (An afl-fuzz Primer) (Video | Slides)

SECtor

2015-2017: Tripwire VERT IoT Hack Lab (Link)
2016-2017: Brainwashing Embedded Systems (8-hr Workshop)

AusCERT

2016: Brainwashing Embedded Systems (8-hr Workshop)

Infosec Europe

2015 Intelligent Defence: Smart Home Invasion (Clip | Slides)

BSides London

2014: A Day In The Life (Of a Security Researcher) (Video | Slides)

JOINSec

2014: Exploiting Trust In the Google Ecosystem (Clip)

Vulnerabilities

CVE

CVE Product
CVE-2017-13099 WolfSSL (ROBOT)
CVE-2017-1000385 Erlang (ROBOT)
CVE-2017-13098 Bouncy Castle (ROBOT)
CVE-2017-12373 Cisco ASA (ROBOT)
CVE-2017-17428 Cisco ACE (ROBOT)
CVE-2017-17427 Radware Alteon (ROBOT)
CVE-2017-17382 Citrix NetScaler (ROBOT)
CVE-2017-6168 F5 Networks (ROBOT)
CVE-2017-2339 Juniper ScreenOS
CVE-2017-2338 Juniper ScreenOS
CVE-2017-2337 Juniper ScreenOS
CVE-2017-2336 Juniper ScreenOS
CVE-2017-2335 Juniper ScreenOS
CVE-2017-12934 PHP Unserialize() #3
CVE-2017-12933 PHP Unserialize() #2
CVE-2017-12932 PHP Unserialize() #1
CVE-2016-6892 MatrixSSL
CVE-2016-6891 MatrixSSL
CVE-2016-6890 MatrixSSL
CVE-2016-10050 ImageMagick
CVE-2016-1000216 Ruckus Zone Flex APs
CVE-2016-1000215 Ruckus Zone Flex APs
CVE-2016-1000214 Ruckus Zone Flex APs
CVE-2016-1000213 Ruckus Zone Flex APs
CVE-2015-5878 Apple OS X
CVE-2015-5447 HP StorOnce
CVE-2015-5446 HP StorOnce
CVE-2015-5445 HP StorOnce
CVE-2015-3728 Apple iOS
CVE-2014-9700 MiOS MiCasa Vera Lite (media)
CVE-2014-9699 Makerbot Replicator 5th Gen 3D Printer
CVE-2014-9698 Makerbot Replicator 5th Gen 3D Printer
CVE-2014-9064 Samsung SmartThings Hub
CVE-2014-9063 MiOS MiCasa Vera Lite (media)
CVE-2014-9062 MiOS MiCasa Vera Lite (media)
CVE-2014-9061 MiOS MiCasa Vera Lite (media)
CVE-2014-9011 Wink Hub (media)
CVE-2014-9010 Wink Hub (media)
CVE-2014-9009 Wink Hub (media)
CVE-2014-9008 Belkin NetCam Wi-Fi Camera (TV demo)
CVE-2014-9007 Stratus ftServer BMC
CVE-2014-8007 Stratus ftServer BMC
CVE-2014-8006 Stratus ftServer BMC
CVE-2014-8005 Stratus ftServer BMC
CVE-2014-8004 Stratus ftServer BMC
CVE-2014-8003 Stratus ftServer BMC
CVE-2014-8002 Stratus ftServer BMC
CVE-2014-8001 Stratus ftServer BMC
CVE-2014-8000 Stratus ftServer BMC
CVE-2014-7973 QNAP Turbo 4.1.1
CVE-2014-7972 QNAP Turbo 4.1.1
CVE-2014-7964 QNAP Turbo 4.1.1
CVE-2014-7963 QNAP Turbo 4.1.1
CVE-2014-7962 QNAP Turbo 4.1.1
CVE-2014-7961 QNAP Turbo 4.1.1
CVE-2014-7160 LANDesk 9.5.1 for OS X
CVE-2014-6447 Pineapple WiFi
CVE-2014-6446 Pineapple WiFi
CVE-2014-6445 Pineapple WiFi
CVE-2014-6444 Pineapple WiFi
CVE-2014-6442 Application Crash Reporter for Android
CVE-2014-6441 HBO Go Android App
CVE-2014-6226 Pineapple WiFi
CVE-2014-6225 Pineapple WiFi
CVE-2014-6224 Pineapple WiFi
CVE-2014-6223 Pineapple WiFi
CVE-2014-5486 Belkin N900
CVE-2014-5485 Belkin N900
CVE-2014-5484 D-Link DIR-865L
CVE-2014-5483 TrendNET TEW-812DRUV2
CVE-2014-5482 NETGEAR Centria
CVE-2014-5481 NETGEAR Centria
CVE-2014-5480 NETGEAR Centria
CVE-2014-5479 NETGEAR Centria
CVE-2014-5478 Linksys EA6500
CVE-2014-5477 Uber Android App
CVE-2014-5476 Pineapple WiFi
CVE-2014-5475 NETGEAR WNDR4700
CVE-2014-5474 Asus RT-AC66U
CVE-2014-4426 Apple OS X
CVE-2014-4016 Zencart
CVE-2014-4015 Zencart
CVE-2014-2641 HP System Management Homepage
CVE-2014-2566 PHONE for Google Voice & GTalk
CVE-2014-2530 Hyundai BlueLink App
CVE-2014-1954 Zoneminder
CVE-2014-1953 Zoneminder
CVE-2014-1952 Zoneminder
CVE-2014-1951 Zoneminder
CVE-2014-1920 Cisco CHS 435HDC DVR
CVE-2014-1919 NETGEAR WNR2000v3
CVE-2014-1918 Linksys WRT110 v8
CVE-2014-1917 Linksys WRT110 v8
CVE-2014-1898 Tenda A5 Travel Router
CVE-2014-1897 Tenda A5 Travel Router
CVE-2014-1857 Precor Elliptical 1110 E
CVE-2014-1856 Loftek (and others)
CVE-2014-0570 Adobe ColdFusion
CVE-2013-7150 Asus RT-N16
CVE-2013-7056 NETGEAR WGR614v9
CVE-2013-7037 Zoom 5341J Cable Modem
CVE-2013-7036 Zoom 5341J Cable Modem
CVE-2013-6115 NETGEAR ReadyNAS
CVE-2013-5982 NETGEAR ReadyNAS
CVE-2013-5981 NETGEAR ReadyNAS
CVE-2013-5949 Asus RT-N16
CVE-2013-5948 Asus RT-N16
CVE-2013-5947 Asus RT-N16
CVE-2013-5928 Linksys E1200
CVE-2013-5927 Asus RT-N16
CVE-2013-5926 D-Link DIR-615
CVE-2013-5925 EnGenius ESR1750
CVE-2013-5924 EnGenius ESR1750
CVE-2013-5923 Linksys E1200
CVE-2013-5922 Linksys E1200
CVE-2013-5921 Linksys E1200
CVE-2013-5737 Asus RT-N16
CVE-2013-5736 Asus RT-N16
CVE-2013-5735 Asus RT-N16
CVE-2013-5734 D-Link DIR-615
CVE-2013-5733 D-Link DIR-615
CVE-2013-5732 D-Link DIR-615
CVE-2013-5731 D-Link DIR-615
CVE-2013-5682 NETGEAR Many Models
CVE-2013-5681 NETGEAR Many Models
CVE-2013-5577 NETGEAR Many Models
CVE-2013-4796 Review Board
CVE-2013-4795 Review Board
CVE-2013-4052 IBM WebSphere
CVE-2013-3683 Arcor-Easy Box A 300
CVE-2013-3682 Arcor-Easy Box A 300
CVE-2013-3568 Linksys/Cisco WRT110
CVE-2013-3547 Motorola VT2442 Router
CVE-2013-3546 Motorola VT2442 Router
CVE-2013-3545 Motorola VT2442 Router
CVE-2013-3314 Loftek (and others)
CVE-2013-3313 Loftek (and others)
CVE-2013-3312 Loftek (and others)
CVE-2013-3311 Loftek (and others)
CVE-2013-3293 NETGEAR WNDR3700v2
CVE-2013-3292 NETGEAR WNDR3700v2
CVE-2013-3291 NETGEAR WNDR3700v2
CVE-2013-2752 NETGEAR ReadyNAS
CVE-2013-2751 NETGEAR ReadyNAS
CVE-2013-2745 miniDLNA
CVE-2013-2739 miniDLNA
CVE-2013-2738 miniDLNA
CVE-2013-2600 MiniUPnPd
CVE-2013-2209 Review Board
CVE-2013-0544 IBM WebSphere
CVE-2013-0542 IBM WebSphere
CVE-2012-6466 Cloudshark
CVE-2012-6458 SilverStripe e-commerce Module
CVE-2012-6457 phpScheduleIt
CVE-2012-6455 Cloudshark
CVE-2012-6297 DD-WRT v24-sp2
CVE-2012-6296 miniDLNA / ReadyNAS
CVE-2012-6295 miniDLNA / ReadyNAS
CVE-2012-6294 miniDLNA / ReadyNAS
CVE-2012-6293 mt-daapd / ReadyNAS
CVE-2012-6292 mt-daapd / ReadyNAS

CVE Unavailable

PCRE Stack Corruption
WordPress SmartyWP Plugin