You missed Insomni'hack?
You shouldn't have: although there are now something like 700 attendees, it's still a friendly and well-organized hacking conference with an interesting mix of wild hackers, CTOs, and CISOs (some being hackers and CISOs at the same time ;).
As usual when there are several tracks, you end up with the difficult dilemma of which talks to attend. That's what happened to me when I had to choose between a talk on connected medical devices (close to my own research topics, but probably not very technical) and an excellent talk on crypto.
Let me review a few of the talks I attended:
I finally attended the connected medical devices talk (I am the cavalry).
So what did I learn? I have usually seen medical devices from my point of view - security threats, including malware - and more generally speaking, from a technical point of view. However, this talk convinced me I am wrong, and that the first issue is politics, business and economics. Technology only comes after. Because of that, the work of I am the cavalry is absolutely commendable.
Yet now, enough talk. I'd love some 'action' and real research and/or hacking results on a connected medical device. If not, I'll have to add that to my own to-do list ;)
8 security lessons from 8bit games - Florian Hammers
How disappointing. I'm sure the audience expected so much from this talk: cool hacks, retro-gaming, demos, etc. True, Florian made a good effort to match great old-school screenshots ... but unfortunately with commonplace security ideas :(
Mind you, the talk would have been perfect at college or high school, but in my opinion it didn't work at Insomni'hack where people are 'experts' on security.
Reversing Internet of Things from mobile applications - Axelle Apvrille
That's my own talk, and the room was packed! Several CTF teams like dragon sector or mushd00m attended. I'm honored. Thanks!
My slides are available here.
Ransomware coming to IoT devices? - Candid Wueest
It was a good surprise to have another talk on the Internet of Things: Candid Wueest was replacing Sylvain Maret (sick) with a talk on ransomware on IoT. Had I known beforehand, we could probably have synchronized ourselves, but nevertheless, I feel that it was an excellent follow-up talk to my own.
Candid's point is that ransomware on IoT will come sooner or later, and I absolutely agree with the idea. There's inconvenience (impossible to use the device), mock apps (pay the attacker to delete embarrassing video footage), etc.
He illustrated his ideas & predictions with several precursor cases:
- Nest suffered a DoS in Sept 2015
- a Samsung fridge leaves open access to Google accounts (NB. this is different from the case where a fridge was claimed to send spam. In reality, this was probably wrongly attributed to the fridge as the source of spam).
By the way, I don't know if people noticed, but I loved the small quotes at the bottom of each slide, like:
"it is true hard work never killed anybody, but I figure, why take a chance?"
"money talks but all mine ever says is goodbye" :))
Besides conference talks, conferences are a good place to meet fellow researchers and make new connections. At Insomni'hack, this is absolutely true, and here is a small sample of what I learned:
- there will be AREA41 this year and the CFP is still open, ’til the end of the month
- The organizers of GreHack are also starting to get prepared.
- to make password bruteforcing more difficult, some devices re-implement the standard implementations of salted MD5 etc.
- there's an NFC security analysis tool project on Kickstarter. Looks cool, and it’s already fully backed.
- Connected basketball shoes are also used by TV companies to detect when a given player is about to jump, in order to focus on and slow down the action.
- There is firmware on camera bodies, but also on the lenses. In some cases, the firmware is quite big (~10M)!
-- the Crypto Girl