Getting Started in Firmware Analysis & IoT Reverse Engineering
ฝัง
- เผยแพร่เมื่อ 10 พ.ค. 2023
- j-h.io/bugprove || For blazing-fast automated IoT firmware analysis and zero-day discovery, you can use BugProve FOR FREE: j-h.io/bugprove
Kavishka Gihan's original Medium article: / iot-hacking-reversing-...
Help the channel grow with a Like, Comment, & Subscribe!
❤️ Support ➡ j-h.io/patreon ↔ j-h.io/paypal ↔ j-h.io/buymeacoffee
📗Humble Bundle ➡ j-h.io/humblebundle
🌎Follow me! ➡ j-h.io/discord ↔ j-h.io/twitter ↔ j-h.io/linkedin ↔ j-h.io/instagram ↔ j-h.io/tiktok
📧Contact me! (I may be very slow to respond or completely unable to)
🤝Sponsorship Inquiries ➡ j-h.io/sponsorship
🚩 CTF Hosting Requests ➡ j-h.io/ctf
🎤 Speaking Requests ➡ j-h.io/speaking
💥 Malware Submission ➡ j-h.io/malware
❓ Everything Else ➡ j-h.io/etc
Dark mode is on the roadmap, no worries.
This is cool, are you hiring😮? I'm an IOT noob tho😢. If you are hiring, ...after I finish my cpts I will be applying haha. So cool
You are insanely talented. You're super smart. I think people who reverse engineer firmware are some of the most intelligent among us and I aspire to be that spry. Have a nice day!
@@S0L4RW4V3 We are not hiring at the moment, BUT! IoT security is one of the most understaffed departments, so if this is your interest, and you pursue it, finding a job should be easy.
Do you guys keep copies of all the binaries uploaded? Are you guys hoarding a bunch of stolen firmware? 🤔
My favourite thing about John is not his elite computing skills, its his ability to slot 'hey' into each sentence and it go almost unnoticed because he does it so well. We need a hey counter John!
now am listening keenly 😂😂
I think I'm gonna plug his channel into a tool that searches caption data and search for 'hey' lol
It has only been recent years where we started arguing to clients that they had to replace legacy firewalls. It used to be we didn't do anything with them if they were still working but then several high profile vulnerabilities pushed us into a updating and replacing program. It is crazy as we had clients with 15 year old firewalls at one point.
Yay! Im an EE in embedded firmware, I love seeing you do this. Please more!
Was waiting for this for quite a while tbh.. thanks! :)
Glad you took time to read the article!
I really like how Cyber Security researchers are coming on TH-cam and teaching us stuff for absolutely FREE.
Thanks JH.❤️🔥
Absolutely amazing, thank you John!!
I'm still trying to process the three DNS powershell scripts that you analyzed recently. Watching you slice and dice those scripts was INSANE! Now I need to figure out how to get a text message when you create new content so I can pull my car to the side of the road and watch your stuff the second it comes out!
Awesome, wanna c more, keep up the good work
Please make a series about firmware analysis and bug hunting! Absolut cool stuff and would love to learn more about it!
Being able to push out a bad firmware update to networked devices, takes a lot of patience but if you like that type of thing... Router firmware typically is a small file, just getting familiar with that can be fun too. Knowing how to modify and package 'bad code' is another whole skill-set. Printers are also fun, PRET helps with that, a bit of an older tool now too. They never patch , smart devices are lucky if they get one update 2 tops before its forgotten and forever vulnerable. I'd keep the hardware part, and software separate if its a topic you are going to spend time on. I'd be happy to see you go through it lol , make my brain itch.
😊Lots of love from Nepal..!❤
*Whenever you make a video it is always helpful and I get to learn something new!*
I'll catch up on this on tiktok ;) seriously though. Thanks for all you do John!
Thanks for posting
Amazing. Might have to talk to my dad about changing our wifi password tho
I hope to see more similar content for hardware hacking
Woah BugProve looks cool
you're the only youtuber whose videos i have to slow down.
You Are The Best
Kavigihan is also a very good box creator on HTB 😉 Hi Kavi !
That would be pretty interesting. Opening a firmware to a forrest camera, and finding a bunch of stuff there.
Hey, there's this guy called save it for parts and basically he hacks hardware and firmware for just about anything, including reading satellites. Would think it would be pretty awesome for someone who's on the software side to team up with someone on the hardware side to do some bad ass hacks, ya know... for education and cuz people be broke... and omg cables be pricey
I see quite a few people upset cause its sponsored content so just wanted to come down here and say i thought the video was awesome. It brings to light an attac vector people often overlook and shows off a dope tool in the process.
Keep up the good work brother!
Ironically this video is seeding an attack vector. Consider the false sense of security this video provides to the viewers.
Security research is really fricking hard, these tools don't really help other than maybe give false sense of security or just make things way worse by amateurs using it to spam repositories with bogus CVEs.
I used telnet to connect to my router and netcat to dump all files and memory.
this ad for this video is longer than the content
yeah, John has done that before for example about some laptop. I was thinking maybe he'll show some reversing but no the whole video is just an ad.
Well thanks for writing this because TH-cam Vanced skips sponsorships and I was wondering why it skiped half of the video (litterally)
I was starting to get disappointed by the app but since you're saying that it really was a sponsorship then I guess it's normal
Pls show us how to use esp32 to manuclipate networks
Any link to binwalk or those tool developers like if the utility of the tools are usually this bit intense what about the tools creat? 😲😲😲😲
1:25 not using ublock origin?😜
If Jhon said " i don't know... " he's going to master the it😊👋
Nice
❤❤Super ❤❤❤❤
BugProve doesn't work for my embedded devices, but the idea is awesome.
Pretty fun commercial.
The guy's vocabulary burst 50 nerves in less than 1ns.
👍👍👍👍
Hello 👋
Entire video was just a sponsored ad for bug prove
😀😀
at least can we see the password?!
A big sponsor chunk
Openwrt
not great, just a long form ad lol
A bit of a stinker, John. You're normally not one to sucker viewers into videos that are basically an ad. It'd be great if you can hint to videos being ads in the title or image.
second
First
fuck :P
My GOD... TP-LINK in certain cases... leave me... open mouth.
TL;DR be weary of people promising easy buttons, there ain't no such thing...
I vomited at that sponsor.
There's a lot of bogus CVE claims and such automation tools presented as a solution is harmful to security in my opinion.
Security is hard, this could easily give someone who doesn't know much about it a false sense of security which in itself is bad and should be presented with those caveats mentioned rather than as a good tool.
We understand that security is complex and there are no easy solutions. BugProve is designed to assist security professionals by automating repetitive tasks, not to replace them. We take CVE claims seriously and strive to minimize false positives. Our goal is to educate users about the tool's limitations, ensuring it complements a broader security strategy.
Program analysis and automated vulnerability discovery are challenging, so some false positives are unavoidable. However, static analysis techniques like abstract interpretation and data flow analysis are well-regarded in academia for their effectiveness, despite their limitations. These methods help optimize and secure systems and are indispensable in many safety-critical domains such as aerospace and defense.
In less safety-critical domains, such as IoT, budget constraints have often left end-user and consumer security risks overlooked, creating a false sense of security. We're working to change that by equipping embedded developers and product security engineers with powerful tools to tackle these challenges. While we prioritize delivering an easy-to-use experience, we emphasize that maintaining a mature secure software development cycle, vulnerability management process, and secure coding practices in C and C++ is not easy.
We value your concerns and are committed to transparency and continuous improvement. I hope this addresses some of your concerns.
Best regards,
Attila, BugProve
Nice