Workshop Track 3
Friday, November 12, 2021
I would like to propose an Escape Game workshop on IoT security. This Escape Game is based on my open-source project DVID (dvid.eu), of which I am the creator.
To give you some context, the main objective of the DVID project is to provide all interested people with a board designed to be vulnerable, so that they can improve their skills in IoT hacking. The board is composed of simple components such as the ATmega328P, AT-09 and ESP8266, and each training (available for free on GitHub) offers a specific vulnerable environment in which to learn to exploit well-known vulnerabilities.
I will organize my workshop in two parts. In the first, I would like to quickly present the DVID project and its timeline (conception, building, manufacturing and shipping) and give useful tips for exploiting BLE and MQTT vulnerabilities (both protocols need to be exploited in the Escape Game). After this introduction, in the second part, I will present the game rules: denial of service is absolutely useless, and hacking out of scope is forbidden. All attendees will have one hour to find vulnerabilities and try to save the world.
As for the Escape Game storyboard, the company Copernic Industries has developed an industrial system to monitor the temperature of highly sensitive areas. Its name is TMS (Temperature Monitor System). The system is installed in a secured datacenter and monitors the temperature of racks. It is composed of a sensor (the DVID board), an appliance (a local monitor outside the secured area) and a cloud service for alerts.
The mission is simple: your CISO is asking you to investigate a security failure in the temperature monitor system. Your subcontractor seems to have been hacked, and a backdoor might be installed. You have one hour to investigate and, if a backdoor is found, try to defuse it.
ATTENDEES: Please bring a laptop with Kali Linux, VM or native.
Should you pay ransomware or not? Does the scenario make a difference? Run through varied circumstances in this workshop and make decisions on how to deal with ransomware and extortionware incidents, then work out how to deal with not only the corporate, but the human fallout of the choices you have made.