SirepRAT: RCE as SYSTEM on Windows IoT Core

Dor Azouri


Windows IoT Core is Microsoft's take on embedded and IoT devices, and it already runs in enterprise environments and commercial handheld products, as well as in cool DIY projects. Windows IoT Core shares much of the Windows 10 kernel, but it cannot be identical, right? Right! It needs to be efficient resource-wise, it should drop irrelevant features, and it must surely add new IoT-oriented features. Moreover, it is meant to be deployed on various boards and sets of hardware, so low-level access for developers had better be provided to make it dev-friendly.

The RCE method presented here shows how dev-friendly == hacker-friendly: along with known remote interfaces (SSH, web...), Windows IoT Core exposes a less-known interface, used by HLK for driver/HW tests. We examined this service and protocol, and will release a tool called SirepRAT that exploits them for RCE as SYSTEM, requiring no auth.

The full internals of this proprietary protocol will be presented, showing how it inadvertently exposes a remote command interface to attackers, including RAT abilities such as getting/putting files in arbitrary locations and obtaining system information. While other dev interfaces are password protected, this method shows a new way to control the device, bypassing any authentication.


Dor Azouri is a security professional with 7+ years of unique experience in the sec field. He is currently doing research @SafeBreach, having previously served in various sec positions @IDF. His experience covers security from many angles: starting with data analysis, moving to network research, and now mostly software research. Dor likes to investigate all types of creatures - the bad ones such as malware and ransomware, and the good ones like Windows components. Dor has presented at DEFCON, Hackfest, DeepSec and OWASP AppSec IL.

Ham Hacks: Breaking into Software Defined Radio

Kelly Albrink


RF Signals are all around us: unlocking doors, carrying our phone calls, and sending our data. What if you could intercept and listen to these signals? Would you search for spy planes flying over your home? See if your baby monitor is leaking your private conversations to your neighbors? Or maybe just listen to the emergency services radio?

In this talk we'll cover how to get started with Software Defined Radio (SDR) in an InfoSec context. First, we will cover some of the basics of radio communications. Next, we'll go over the hardware and software aspects you need to understand to get started intercepting signals. Finally, we'll share some amazing stories of how people have used SDR to hack into doors, phones, and planes.


Kelly Albrink (CCNA CyberOps, GCIH, GSEC, OSCP, GWAPT, Sec+) is a Security Analyst at Bishop Fox. In this role, she focuses on red teaming, network penetration testing, and hardware security.

Kelly has presented at a number of Bay Area events including Okta's inaugural security conference, Okta Rex, Day of Shecurity, and the DeadDrop San Francisco Meetup. She is a recipient of the SANS CyberTalent Immersion Academy scholarship, and is an active CTF participant. Kelly has competed in the NetWars Tournament of Champions, a national invite-only competition that admits only those who have placed highly in regional CTFs. In addition, she volunteers with her local hackerspace, Noisebridge, where she organizes Infosec Lab Nights and mentors aspiring penetration testers.

Kelly holds a Bachelor of Arts from New York University with a major in Literature.

Being Q. Designing Hacking Gadgets

Kentaro / @elkentaro

Extracting Information from Academia

Brittany / @Straithe

Getting information in and out of the academic sphere can be a daunting task, especially if you aren't familiar with how academia works at higher levels. The knowledge you seek may be hidden behind paywalls, may be delayed by severe lag in the academic process, or it may just be difficult to find. Whether you are looking for specific papers, graduate level course materials, or are nurturing your curiosity, this presentation promises to provide you with a myriad of ways to access that information so you can learn, be inspired, and do some research!


Brittany (@Straithe) is a recovering academic who has recently started working for GRIMM as a Computer Systems Analyst. Her research is often a combination of human-computer interaction, social robotics, embedded systems, privacy, security, or some subset of these topics. She is always excited to see pictures of robots that you've seen, if you've got any available!

An Introduction to IoT Penetration Testing

Charles Sgrillo / @libertyunix


IoT devices are one of the biggest challenges for security professionals now and will continue to be in the future. The security of these devices is critical as more of these insecure devices come to market. As professionals, we need to understand how these devices affect our organizations. In this talk we will explore the basic principles of IoT security, wireless communications, reverse engineering, and an introduction to Software Defined Radio.


With 10+ years' experience in Information Technology, Charles has held positions in the field such as Principal Consultant, IP Security Systems Specialist, Systems Engineer, and Penetration Tester. Charles is a Certified Ethical Hacker and a Certified Information Systems Security Professional, and has extensive experience in offensive security techniques and defensive strategies. Charles is currently a doctoral student at Capella University researching cyber and information security. His research has explored topics such as digital forensics, red team penetration testing, deep learning, IoT, and software defined radio. His graduate research thesis demonstrated the role physical security systems can play in penetration testing and security assessments.

The "Art" of The BEC - What Three Years of Fighting Has Taught Us

Ronnie Tokazowski / @iheartmalware

Ronnie, a Senior Threat Researcher with Agari, has been fighting and trolling BEC scammers for over three years with the help of lots of friends. Like, more than 600 of them, and many are feds, too! The industry has started to gain a deep understanding of all the intricate parts of BEC, such as romance scams, lottery scams, real estate scams, account takeover, wire fraud, W2 fraud, IRS scams, gift card scams, and direct deposit scams, just to name a few. How are all of these related, and what can you do to start protecting yourself? And as always, #NotAVendorPitch


Maria Enokian / mr.potato head

This session will introduce and demo the capabilities of the search engine of the internet of things. It will show different techniques for finding vulnerable devices throughout the internet.

We will go over the basic functionality, demo a real, live, insecure device that is in the system, show how to navigate and execute data in the exploit database, find databases, and so on.

This is a beginner course on how to do the basics of penetration testing through a very simple yet powerful tool.


Mr. Potatohead is a "Security Professional" who has had an avid interest in security since she was a little girl. Her greatest accomplishment is jumping into a fire of uncertainty and not becoming a baked potato. Having now become the Director of an organization, Mr. PotatoHead strives for greater achievements to come.

Hiding In Plain Sight

Carson Owlett / @5C4R48

As long as people have been sending messages, they have been finding ways to hide them. With the era of the computer, older methods such as invisible ink and knitting may have been phased out, but modern equivalents have sprung up in their place. Join 5C4R48 on a journey through the methods employed by spies in the old days and the techniques employed by hackers in the modern world.


Hacking The Human Body With Off The Shelf Parts

c00p3r / @c00p3r_7

Seeking my own DIY evolution, grinding, as it were, through 'off the shelf parts' and creating my own shadow run, as it were: what started as a wearable for a red-teamer is now becoming an implant for a professional magician as a commissioned project. C00p3r talks about the trials of this build and what he has learned to carry into the 2nd-gen build already being planned now.


c00p3r has a background in varied tech support and security roles which have given him experience in Linux, Mac and Windows environments. His own entry into the 'cyborg' biohacker culture has been by augmenting his body with both NFC and RFID chips through 'Dangerous Things' products which were available at BdyHaxCon in Austin, TX. His curiosity about the technology has led him to found the Dangerous Minds Podcast, which has become a vehicle to dig deeper into the subjects of biohacking, grinding, implantable technology, locksport, and network security by interviewing leaders in these fields and learning from their experience; for more information about this go to . Since DMP's founding c00p3r has gone on to partner with Dangerous Things and VivoKey to help promote the technology and assist people in acquiring new upgrades for their own grind.

One Man Army – How to be the first Security Engineer at a company

Kashish Mittal

How often have you heard that 'early stage startups don't care much about security because if there is no product, there is nothing to secure'? Although there is merit in the argument that startups need to build product in order to sustain and grow, it often puts the person in charge of securing them in a tricky position. For most startups, this person is the first Security Engineer, who can be anywhere between the 10th and 300th employee. By the time the first Security Engineer is on-boarded, the attack surface has usually become quite large and he or she faces an uphill battle to go about securing the organization. In such cases, the Security Engineer needs to perform as a 'one-man army', keeping the attackers at bay.


Kashish Mittal is a Security Researcher and Engineer. He currently leads the Security initiative at MileIQ, a Microsoft startup. He has worked for companies such as Elevate Security, Duo Security, Bank of America, and Deutsche Bank. By choice, he is an ethical hacker and an addicted CTF player. He is a member of PPP (CMU's elite CTF group). Prior to joining Duo, he did Security Research at CyLab, Pittsburgh. He has a BS and an MS from Carnegie Mellon University with a focus on Security. He is passionate about delivering Security awareness and training for employees, college students, high schoolers, and others. He has presented his research and work at various Security conferences.

InfoSuck: The Nasty Bits Of The Industry We Want To Tell Noobs But Aren't Allowed To In Polite Company

Danny Akacki / @rand0h

There are hundreds of blogs, papers, tweets, etc. that give the lowdown on "How to break into Infosec." There aren't any that help guide these poor sheep past the offer letter. We're not allowed to talk about getting laid off or fired. We're told not to discuss our salaries with each other because it's "impolite". We're discouraged from discussing these things for fear of being blacklisted or being thought of as "unprofessional", damaged goods.

Well, fuck all that.

Why do you want to hear about this stuff from me? I've been through all of it. I've been RIF'd (Reduced in Force) 3 times, fired once, managed out, re-org'd, etc., and still figured out how to feed my family. You want to hear me talk about it because someone needs to let these poor noobs know how to navigate an industry that preaches loyalty and attachment with one hand, then slaps you with the other when the balance sheets don't shake out. These are war stories about all the stuff we're not allowed to talk about in polite company.

Function Hooking 101 - A Crash Course On Hooking


"The term hooking covers a range of techniques used to alter or augment the behavior of an operating system, of applications, or of other software components by intercepting function calls or messages or events passed between software components." - Wikipedia

This gives us the ungodly ability to read/modify a function's argument(s)/return value, detour execution flow, and "replace" a function's logic. A crash course on how to achieve this power, how to detect it, and how to fix it - all the while breaking an EDR product.

A Hacker's Guide to Military Grade Anonymity

Alejandro Caceres / _hyp3ri0n

Don't you just hate that feeling when you look out your window and see a party van on the other side of the road? Let's rewind the tape a bit and take a look at some of the things you could have done to avoid special attention from the fuzz.

This talk will cover some of the tricks of the trade employed by hackers that are facing real world adversaries including anonymizing payments, setting up an anonymized connection to the clear net, and anonymizing your communications.


Alex is an exploit developer and security-focused software developer. He owns Hyperion Gray working on DARPA-funded research projects. When not doing that he's doing security research, climbing, lifting, watching movies, or reading comic books with co-owner/wifey Amanda and their dogs Kali and Danger and cat Aurora.