xIoT Hacking Demonstrations & Strategies to Disappoint Bad Actors

I’ll demonstrate several hacks against xIoT (Extended Internet of Things) devices. Bad actor & defender stories will be shared. Research from over six years & millions of devices will be explored. Steps organizations can take to mitigate xIoT risks will be outlined.

We’ve unleashed our dark allies from the nightmare dimension on an unholy crusade to demonstrate cyberattacks for your enlightenment. If you love seeing devices compromised as much as we do, join us for some hacking demonstrations, detailed security research findings, and threat mitigation techniques that will disappoint bad actors. Share your new knowledge around the water cooler, apply these preventative security strategies within your own organization, and become the cool person at the office party everyone wants to hang out with regardless of that cat sweater you insist on wearing.

We’ll demonstrate several hacks against xIoT, or Extended Internet of Things, devices. For those who would say, “But they’re just security cameras monitoring the parking garage, wireless access points in the cafeteria, or PLCs controlling robotic welding arms; what harm can they cause?” - this will illuminate that harm.

We’ll share stories from the trenches involving cybercriminals, nation-state actors, and defenders. Our presentation will detail findings from over six years of xIoT threat research spanning millions of production devices in enterprises and government agencies around the world. We’ll identify various steps organizations can take to mitigate risk while embracing a Things-connected world.

xIoT encompasses three disparate but interrelated device groups that operate with purpose-built hardware and firmware, are typically network-connected, and disallow the installation of traditional endpoint security controls. The first group contains enterprise IoT devices such as VoIP phones, security cameras, and printers. The second group includes operational technology such as PLCs, building automation systems, and industrial control systems. The third group consists of network gear such as switches, load balancers, and wireless access points.

There are over 50 billion xIoT devices in operation worldwide. Most of these devices run well-known operating systems like Linux, Android, BSD, and various real-time operating systems like VxWorks. Additionally, many xIoT devices have open ports, protocols, storage, memory, and processing capabilities similar to your laptop. But there is a major difference. Even though most enterprises and government agencies have tens to hundreds of thousands of these devices in production, they go largely unmanaged and unmonitored.

These xIoT devices typically operate with weak credentials, old, vulnerable firmware, extraneous services, and problematic certificates. This massive, vulnerable xIoT attack surface is being successfully exploited by bad actors engaging in cyber espionage, data exfiltration, sabotage, and extortion, impacting xIoT, IT, and cloud assets.

Nation-states and cybercriminals have shifted their focus to xIoT attacks. Why? Because they work. Military-grade xIoT hacking tools are in use, cybercrime for hire that’s predicated on compromised xIoT devices has been monetized, and organizations worldwide are already “pwned” without even knowing it.

Bad actors are counting on you being passive by not mitigating xIoT security risks. They want you to fail so they can continue to evade detection and maintain persistence on your xIoT devices. Disappoint them! Take your xIoT devices back by understanding how to hack them, recognizing where they’re most vulnerable, and employing strategies to successfully protect them at scale.

I don’t require any special technical resources outside of a projector/LCD to present on.

This is an interesting, unique and fun presentation with clear takeaways that audience members can apply within their own organizations - much of which can be done without buying any special tools or services.

I believe I’m the best person to speak on this subject because I’ve been involved in researching xIoT security for many years, I’ve worked with a team mitigating xIoT security risks for the same amount of time, I’ve published unique research on this topic, I’ve been interviewed by industry press regarding it, and I’ve give speeches on it worldwide.