What critical vulnerability in a well-known IoT device was found by our researchers? Join us at Hack Summit 2023

14.09.2023

Marek Janiszewski and Jan Adamski have prepared two talks for this year’s Hack Summit. Together, they will either present more information about a critical vulnerability in the API of one of the manufacturers of popular IoT devices, or present the methodology and conclusions of security testing of IoT devices. It all depends on the status of the CVD process, but we encourage you to attend today!

If the Coordinated Vulnerability Disclosure (CVD) process is completed by the time the Hack Summit begins, the presentation by NASK SCIENCE researchers will focus on a critical vulnerability discovered in the API of one of the popular IoT/Smart Home device producers. This vulnerability allows a device to be added remotely (via the Internet) to a user’s own account and then controlled remotely, without any authorization. Marek Janiszewski and Jan Adamski will present details of the vulnerability, the research process that allowed it to be discovered, and a full PoC with a video example of how the vulnerability was exploited in practice. They will then discuss countermeasures that would effectively eliminate the vulnerability.

In the event that the CVD process is not completed, their talk will present the methodology developed in the LaVA project for testing IoT devices and the lessons learned. During the talk, they will discuss the security problem of some everyday devices connected to the Internet. They will present the critical security areas defined in the methodology for IoT devices, along with research methods for modeling attack scenarios and then verifying their feasibility. They will also present minor vulnerabilities reported to date to manufacturers of Internet of Things equipment.

Marek Janiszewski
Experienced in conducting security audits and penetration testing, as well as consulting projects in building ICT infrastructure, administering IT systems and managing development projects. He holds industry certifications, including: OSCP (Offensive Security Certified Professional) and CEH (Certified Ethical Hacker). At NASK, he is responsible for the conceptualization, design, development and implementation of new cyber security tools and participates in international and national research projects. His research interests include issues related to cyber security in its broadest sense, including: research on the effectiveness and reliability of trust and reputation management systems, development and evaluation of vulnerability detection tools and methods, and security assessment in the Internet of Things.

Jan Adamski
Graduate of Telecommunications at the Faculty of Electronics and Information Technology, Warsaw University of Technology. Infected with a passion for modern technologies from a young age. Since 2022 he has been employed at NASK in the Department of Information Security Systems as a Software Engineer; before that he worked at the American startup Cerebre in the same position. Particularly involved in the LaVA project in the area of mobile applications. After hours, a sports enthusiast and football referee.

https://thehacksummit.com/#agenda