
Episode 98: In this episode of Critical Thinking - Bug Bounty Podcast Justin Gardner sits down with Sharon to discuss his journey from early iOS development to leading a research team at Claroty. They address the differences between HackerOne and Pwn2Own, and talk through some intricacies of IoT security, and some less common IoT attack surfaces.
Follow us on twitter at: @ctbbpodcast
We're new to this podcasting thing, so feel free to send us any feedback here: info@criticalthinkingpodcast.io
Shoutout to YTCracker for the awesome intro music!
------ Links ------
Follow your hosts Rhynorater & Teknogeek on twitter:
https://twitter.com/0xteknogeek
https://twitter.com/rhynorater
------ Ways to Support CTBBPodcast ------
Hop on the CTBB Discord at https://ctbb.show/discord!
We also do Discord subs at $25, $10, and $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc.
Today’s Sponsor - ThreatLocker: Check out Network Control!
https://www.criticalthinkingpodcast.io/tl-nc
And AssetNote: Check out their ASMR board (no not that kind!)
Today’s Guest: https://sharonbrizinov.com/
Resources
The Claroty Research Team
Pwntools
https://github.com/Gallopsled/pwntools
Scan My SMS
Gotta Catch 'Em All: Phishing, Smishing, and the birth of ScanMySMS
https://www.youtube.com/watch?v=EhNsXXbDp3U
Timestamps
(00:00:00) Introduction
(00:03:31) Sharon's Origin Story
(00:21:58) Transition to Bug Bounty and Pwn2Own vs HackerOne
(00:47:05) IoT/ICS Hacking Methodology
(01:10:13) Cloud to Device Communication
(01:18:15) Bug replication and uncommon attack surfaces
(01:30:58) Documentation tracker, reCaptcha bypass, and ScanMySMS
Justin Gardner (00:00.778)
All right, dude, I am looking at this doc and we have a banger today, dude. There's so much good content in here. So I'm super excited. Sharon, welcome to the podcast,
Sharon (00:01.298)
Yeah, let's go!
Sharon (00:11.274)
Thank you very much. Yeah, I'm really happy to be here today.
Justin Gardner (00:13.956)
Dude, and right before the episode, we were just talking about our hacker swag in the background. For those of you following on YouTube, we got the Pwn2Own trophy right behind you there.
Sharon (00:19.574)
Yeah. Yeah, yeah, we have it right here.
Justin Gardner (00:27.125)
My gosh, dude. All right, that's on my list, dude. That is on my list. I got a HackerOne MVH, I got a Google MVH, and then I got to get one of those Pwn2Own trophies, man. That's, that'll
Sharon (00:38.666)
Yeah, you'll get it. I'm sure you'll get it one day.
Justin Gardner (00:41.274)
Well, dude, we'll definitely talk a little bit more about that. I just, so let me give a little context here, okay? So one of the problems that I see with the bug bounty world right now is that there's a decent amount of segmentation, right? There's like the HackerOne/Bugcrowd squad, and then there's like the Pwn2Own squad, and then there's a bunch of other little sub communities like Google has their own researcher base, Meta has their own researcher base, that sort of thing.
And as I've been, you know, sort of living in the HackerOne, Bugcrowd, Intigriti space for a long time, I started getting a little bit interested in some of these other, you know, bug bounty niches like Pwn2Own and stuff. And so we did an episode with Synology, which was amazing. And then at this live hacking event, this HackerOne live hacking event, I see this random guy that just comes onto the stage, you know,
does this amazing show and tell, extremely technically dense, amazing performance, and that is you, sir. And that started the deep dive. That started the research. And then I say, who's this Sharon guy? And then I start looking into it. I start finding all of your write-ups and stuff. And holy crap, dude. Like, what a portfolio. So I guess, man, where do we even start? I guess, can you give me a little bit of background for...
for how you got to this point as a researcher where you're competing in HackerOne live hacking events and taking away awards, competing in Pwn2Own, and then somehow solving phishing in Israel on the weekends, like give me a little context.
Sharon (02:18.938)
Well, I'm embarrassed. I'm blushing. Thanks, man. Yeah, you know, I started pretty early. I mean, today there are a lot of eight-year-old kids that are building iOS applications. But my journey started actually with the first iPhone. So I got this present. My mom didn't want my dad to buy it,
the first iPhone, because she told him it's too luxurious, but he decided to buy me the first iPhone. I really remember this. It was 2010, 2011 I think, maybe earlier, and I got the iPhone and
Justin Gardner (02:49.296)
You
Sharon (03:04.662)
I started to develop iOS applications for the first time. I remember the day that the App Store was born and I submitted my app. I was very anxious and it got submitted. So this is, I was around the age of 16, and I submitted the first app and I started to make some money out of iOS applications in the very early days. The first app that I had was a reminder application, which was
Justin Gardner (03:12.677)
Mm-hmm.
Justin Gardner (03:26.05)
Mmm. Wow.
Sharon (03:34.57)
completely crap, but the thing is I was intrigued to develop, I was incentivized and I got motivated to learn computers. So I owe this to my father, to be honest. So yeah, yes.
Justin Gardner (03:35.941)
Mm-hmm.
Justin Gardner (03:49.072)
Dude, that's amazing. When you get started early like that, I think it's a different world. It's something that becomes a part of you really, really core on early in the process. I did want to say just really quick, your mic is a little bit, it's maxing out just a little bit. Can you turn it down a little bit? Yeah. Because I think we both get a little excited. Maybe that'll be a little bit better.
Sharon (04:09.695)
yeah, maybe like this.
Hahaha.
Sharon (04:18.358)
Perfect, perfect.
Justin Gardner (04:19.14)
But yeah, so you start in the iOS development, I get the iOS world, and then where do we go from there? How do we turn into the hacker that we are today?
Sharon (04:24.682)
Yeah.
Sharon (04:29.12)
So I started as a developer, I had a Hackintosh, so I did not have enough money to buy a Mac computer. So I did a lot of Googling to understand how do I create a Hackintosh VM. It was a thing back then. So because I had no money, I had to do some hacking in order to create like a virtual Mac OS X, which is Hackintosh. And this is how I started to develop applications,
Justin Gardner (04:38.35)
Mm-hmm.
Justin Gardner (04:52.921)
Nice.
Sharon (04:58.41)
learn some computer stuff. I needed to gain some knowledge in order to do certain stuff. So for example, I had to use some kind of a database. I did not know what a database is. I just knew I need to store some information. So I think my hacking knowledge was built layer by layer by myself as I needed to do something.
Justin Gardner (05:16.142)
Right, right.
Sharon (05:26.066)
So I started as a developer and then I started to do some website development and then I did some kind of hacking, I would say. I tried to do web hacking and tried to understand what is JavaScript and client side and the server side.
Justin Gardner (05:40.496)
Mm.
Okay, so you did start in the web world a little bit, right? Yeah, okay. All right, because that's one of the things that I'm like, as primarily a web guy, I look at a lot of these Pwn2Own stuff and I'm like, wow, this is like so much time and effort put into these exploits in this research, right? And so it's cool to see, especially if somebody started in the web arena and then shifted into that more low level exploitation
Sharon (05:45.878)
Just a little bit, yeah, just a little bit.
Sharon (06:01.204)
Yeah.
Justin Gardner (06:10.928)
you know, afterwards, because that shows, you know, the continued commitment to depth, depth, depth. Yeah, I think one of the things that is a common thread that I've seen across a lot of hackers, though, is that sort of like, not really hacking, but sort of hacky past, right? Where it's like, you know, I had to build this whole like ecosystem to do the thing that I wanted to do. And it wasn't really like hacking, but it was hacky, you know?
Sharon (06:27.2)
Yeah.
Justin Gardner (06:37.584)
I think that's pretty consistent across the board and I think it sets you up for the right kind of mentality going into hacking long term.
Sharon (06:44.884)
Yeah, I agree. I think that hackers, I would say, you know, folks that did not start from an educational background, you know, from university or something like that, they started from a place where they wanted to build something and then acquired the knowledge to do that layer by layer. This is the hacker mentality that you're talking about.
Justin Gardner (06:48.036)
Mmm. Yeah.
Justin Gardner (07:00.772)
Mm-hmm.
Right.
Justin Gardner (07:07.792)
Totally agree, yep.
Sharon (07:09.27)
So yeah, I did some applications and then a little bit of web, especially because I needed to build the backend for my applications. So that's where I started with mostly PHP and then a little bit of Python. But then I got to be exposed to the CTF world.
Justin Gardner (07:19.152)
Mmm.
Justin Gardner (07:24.138)
Classic, classic.
Justin Gardner (07:37.136)
Mmm.
Sharon (07:37.186)
And then I started to do CTFs. And this is where I really started kind of my actual gaining of knowledge into binary exploitation and actual hacking competitions. So I did a lot of CTFs. I'm still doing them when I have time and when my wife is not mad at me because...
Justin Gardner (07:50.704)
Mmm.
Justin Gardner (07:56.62)
Yeah, I'm like, what do you mean when you have time? You're like doing all this IoT research, you're doing web hacking stuff, you're doing, my gosh, dude, that's crazy. Do you remember how you first got that exposure to CTFs though? I'm wondering if that was like through university or something you just found online or what?
Sharon (08:06.676)
Yeah.
Sharon (08:14.454)
I think that one of my friends told me, hey, there is this Google hacking competition. I think it was Google. I'm not sure. And I was, wow, it sounds cool. I really wanted to be a hacker. And then I signed up for the CTF, and I did not understand anything. I mean, I didn't understand what is binary exploitation, what is a stack buffer overflow. I mean, I knew nothing. And this is a great
Justin Gardner (08:27.962)
Yeah.
Justin Gardner (08:33.392)
Yeah.
Justin Gardner (08:38.552)
Right, right.
Sharon (08:41.056)
great starting point for someone who is very curious to see a lot of different terminology and cool stuff that they want to do, but they don't understand or they do not know it. And this is a great starting point to start learning about this stuff. So that's kind of my journey. I saw something that I really wanted to get experience with and understand and I knew nothing. And so I started
Justin Gardner (08:58.384)
Absolutely.
Sharon (09:09.008)
bit by bit. All the starting CTFs and little competitions, this is a great place to start.
Justin Gardner (09:19.13)
Well, you learn the things to Google too, right? Like you're like, I didn't even know what binary exploitation was or like what a stack overflow was or whatever, right? And so then you come out of that CTF and you're like, okay, now I know I gotta go home and I gotta figure that out, you know? And I think that's how we grow. No, that's a great story. And I think it's clear, you know, the kind of...
Sharon (09:34.26)
Exactly.
Justin Gardner (09:45.314)
academic motivation or intellectual motivation that a lot of the hackers bring to the table where it's like, I don't understand this thing. I'm not gonna give up on that. I'm gonna just keep on pounding it until I freaking understand that, because I am gonna become a hacker. Yeah, I love that, man. Okay, so fast forwarding a little bit, we've got a black badge. We're SANS Institute Researcher of the Year. We're winning live hacking events left and right.
Sharon (09:57.18)
Exactly.
Justin Gardner (10:13.806)
Yeah, dude, it's amazing. So tell me a little bit about the day job now and how you participate in Bug Bounties currently.
Sharon (10:21.204)
Yeah, so fast forward to today, I'm managing the research department in a company called Claroty. So Claroty as a company develops an IDS for SCADA networks. This means we have a really good understanding of kind of esoteric protocols that are very popular among the SCADA networks. So I started in Claroty as a protocol
Justin Gardner (10:29.477)
Mm-hmm.
Justin Gardner (10:35.376)
Mm.
Sharon (10:50.582)
analyst, you can call it, I guess. Yeah, so I mean, my journey in this company started where we needed to add more support for more protocols that are not open, right? So they're closed systems and somehow we needed to add support into our product to understand how these protocols work.
Justin Gardner (10:52.835)
Dude, what a freaking cool name, protocol analyst. That's amazing.
Justin Gardner (11:09.904)
Mmm.
Justin Gardner (11:18.808)
You know, there was like some product, I saw this from one of your talks, but there's like some product, right, where, or some protocol where, you know, it's connecting to all of these different SCADA devices, right? And it's pulling all this data in together. And I think one of the major problems with this, you know, sort of SCADA industry is that there are a bunch of proprietary protocols and nothing talks to each other, right? I see, okay.
Sharon (11:41.088)
Exactly, that's the main problem. So a company like Claroty and its competitors were born because of this spaghetti of protocols and devices that nobody could keep track of. Because in the past, SCADA networks were air gapped. Nobody could talk to them. So there was not a security problem because nobody could reach out to these environments.
Justin Gardner (11:58.448)
Mm. Mm. Right. Right.
Sharon (12:08.5)
Because of convergence, IT and OT kind of converged, now you can access your OT devices from the internet, from, yeah, that's scary. So the asset owners needed a solution to understand what do they have in their network and how can they protect it. So that's kind of how or why Claroty was born.
Justin Gardner (12:16.462)
Yeah.
Justin Gardner (12:26.66)
Mm.
Sharon (12:32.073)
Fast forward to my role, I needed to add support for different protocols that nobody knew how they work and we only had the equipment in our lab. So we have a cool lab in Tel Aviv where we buy and plug in all the devices and we need to research how these devices work and how the protocol works.
Justin Gardner (12:42.032)
Mm. Mm.
Justin Gardner (12:51.29)
Dude, I'm totally geeking out right now about how amazing that job is. What a breeding ground for a hacker, right? You're just constantly reverse engineering protocols, and it's like, my gosh, that's amazing.
Sharon (13:01.098)
Yeah, for sure, I mean that's-
Sharon (13:07.222)
Exactly. I mean, this is where my curiosity reached its peak because I needed to understand how a black box device that is managing, I don't know, let's say water utilities or gas pipelines, which is super cool, how these device controllers work and how I can operate these devices with these esoteric protocols. And I need to understand the protocols real good. So I did a bunch of
Justin Gardner (13:21.157)
Yeah.
Sharon (13:36.806)
reverse engineering into firmware and embedded devices and protocol analysis and blind protocol analysis where you have like these streams of bits and bytes and you need to understand, okay, this is the header, this is the command. So that's really cool. So I started, you know, really from the hands-on to understand how this protocol works. And, you know, while doing reverse engineering into the main functions of the firmware, I started to see some
potential buffer overflows. So I kind of, I created like a small POC Python script that overflows the stack and suddenly the device crashed. And we're talking about controllers that are actually responsible for the generation of electricity. I mean, that's super scary. These controllers move the elevator up and down. So.
Justin Gardner (14:08.272)
Mmm.
Justin Gardner (14:26.138)
Gosh dude. Yeah.
Justin Gardner (14:31.408)
My gosh, dude. Talk about like impact, right? Like, we talk about like, yeah, your database is gonna see like a, you know, performance deficit and they're like, your elevator will literally drop, you know, like, that's crazy. Yeah.
Sharon (14:35.859)
Exactly, sir.
Sharon (14:45.236)
Yeah, I mean, I can shut down, and I did this before, I can shut down like an entire building. So modern cities and modern buildings have tons of these BMS systems, building management systems. So the HVAC is fully controlled. All the doors are fully remotely controlled. All the gas and pipelines and the water, everything is managed by, you know,
Justin Gardner (14:54.981)
Yeah.
Yeah.
Mm.
Justin Gardner (15:04.442)
Mm-hmm.
Sharon (15:14.75)
Ethernet protocols, and I had the chance, the opportunities to shut down an entire building. Nobody can go up or down the elevator or nobody can exit the doors. Yeah, yeah, that's crazy.
Justin Gardner (15:26.85)
My God, dude. This is like, have you ever seen the movie National Treasure with Nicolas Cage? Yeah, okay, so this is like you. This is like, so when I was a kid, I was like, man, like I see this guy Riley, you know, or whatever, the guy, the hacker in that movie, right, that like helps the dude steal the Constitution or whatever. And I was like, that's the guy that I wanna be, you know, he's like, all right, I'm in the system, I'm like locking the doors, and that's exactly what you're doing.
Sharon (15:33.22)
Yeah, yeah, yeah, yeah, yeah.
Sharon (15:50.92)
Exactly. And you'd be surprised. You know, the only thing that prevents you from doing that is getting access to these platforms, which is very expensive. But since I work in this company that, you know, our forte is those systems, I get access to these types of systems. And there are tons of bugs over there, tons of bugs from web bugs to binary exploitation bugs to, you know,
Justin Gardner (16:12.314)
Dude.
Sharon (16:19.552)
There are tons of bugs that are just waiting for researchers to find because nobody can access this equipment because it's expensive. So yeah.
Justin Gardner (16:28.74)
Dude, I have to say, normally when I think about my job, I don't have a lot of job envy. I'm like, man, professional live hacking event participant, self-employed, doing this podcast is exactly what I wanna be doing. That is really cool. That actually gives me a little bit of job envy right there where you just got this whole playground of toys that are used to control real buildings and real physical systems that you get to hack. Wow, dude.
Sharon (16:56.694)
Yeah, I mean, it's cool. It's cool. I've been doing this for a long time. Maybe we'll get back to the story. So I started as a protocol analyst. I did a lot of reverse engineering into firmware to understand how these protocols work. And, you know, I added visibility into our product. This means, okay, we see this stream of bytes. This actually means move the elevator one level up. Right. So
Justin Gardner (17:00.75)
Yeah. Yeah.
Justin Gardner (17:19.728)
Mmm, mmm.
Sharon (17:20.97)
you can take it to BMS, building management systems. You can take it to oil and gas, like open the valve, close the valve. So every physical command has its equivalent in the network protocol. And this is what I needed to understand. So it was very cool. I learned a lot from it; most of my embedded knowledge is from this type of work.
Justin Gardner (17:28.816)
Hmm.
Sharon (17:46.238)
As I said, with time, I started to understand, OK, this is the main switch of all the commands, right? So if it's 0x0f, this means this is a move elevator up. But then I see, OK, if there is more data in the packet than the buffer that is allocated, you can achieve a buffer overflow and then take control over some kind of flow, the code flow, like the instruction pointer of the device,
Justin Gardner (17:50.49)
Mm-hmm.
Justin Gardner (18:10.468)
Hmm. Hmm.
Sharon (18:14.216)
and then you can achieve remote code execution. So I started to notice a lot of this because, again, no researcher ever looked at these devices. These type of bugs are not complicated. Exactly, untouched, like a blue ocean, virgin territory. So I just started to report these bugs to Siemens, to Rockwell, to Schneider, to ABB, to all the great names that actually
Justin Gardner (18:23.374)
Right, untouched, yeah.
Justin Gardner (18:28.576)
Mm-hmm. Yeah. Yeah.
Sharon (18:42.066)
are the majority of the critical infrastructure vendors of modern times. And they started to fix it. So with time, I reached like 30 CVEs, 50 CVEs. And again, just because I had the opportunity to work on this, in this unfamiliar territory that nobody looked at
Justin Gardner (18:55.312)
Wow, dude.
Sharon (19:05.654)
before. And so I opened the vulnerability research team within Claroty with the main focus of, okay, here's the lab, go over all the devices, find all the bugs you can, report them to the vendors and work with them to issue patches, because eventually our customers are using these products and we want our customers to be secure.
Justin Gardner (19:09.552)
Mmm.
Justin Gardner (19:18.96)
Hmm.
Justin Gardner (19:24.9)
Yeah, so at the end of the day, you know, okay, so it went from you originally reverse engineering these protocols to integrate them into the product to now we're running the research team, the security team, because our customers are using these products and they need to be secured. Wow, dude, that is amazing. I got goosebumps a little bit, man. That's amazing. Now that is super cool.
Sharon (19:37.436)
Exactly. Exactly.
That's like the transition I was fortunate enough to experience. And now, you know, the vulnerability research grew and grew and grew. Now I'm managing the department of research. We call ourselves Team82. This is like our external brand name of the research team. We do a lot of
OT hacking, which is SCADA. I can deep dive into OT if you'd like. And we also do IoT because we grew and grew with time. So now we do more devices, like medical devices. For example, we're writing exploits to hack a patient monitor to change the heartbeat.
Justin Gardner (20:09.572)
Hmm. Yeah.
Justin Gardner (20:18.042)
Yeah.
Justin Gardner (20:24.208)
Dude, no, no, that's crazy. I saw one of your demos, you know, live, I think on a stage, where you're hacking a medical device that was like literally connected to your arm.
Sharon (20:33.662)
Yeah, yeah, that's cool. I mean, again, it's not complicated. And I think the fact that it's not very complicated pushed me into bug bounties.
Justin Gardner (20:39.109)
Hmm.
Justin Gardner (20:45.028)
Yeah, so that's what I wanted to ask as well. Okay, I've said my, I've fanboyed enough a little bit now. I'll try not to give you too big of a head, but that is really cool. But yeah, let's talk about the nuts and bolts of it, right? So you're in this environment, you keep on saying, okay, a lot of times these SCADA systems are untouched, right? They're not really vetted for security problems, right? And so obviously that's the opposite of what you experience whenever you work on like a,
Sharon (20:51.542)
Yeah, thank you, man.
Justin Gardner (21:15.352)
a bug bounty program that's hardened, you know? So what brought you into the bug bounty world and how has that been, going from something that's very low level and very black box to something that is definitely very hardened?
Sharon (21:15.574)
True, right.
Sharon (21:28.714)
Yeah, yeah, it's a good question. I mean, with time, as you exploit a lot of different devices, you start to understand the pattern, like how the device and the firmware and the logic is built. Like what crossed through the developer's mind when they built the product and what kind of checks they're doing and what kind of checks are probably missing. So I think if you take
Justin Gardner (21:33.06)
Mm-hmm.
Justin Gardner (21:40.697)
Mm-hmm.
Sharon (21:58.454)
this experience from kind of a gray box testing, you know, black box, white box, you don't have the full code, but you can do some reverse engineering of the firmware, you start to understand the patterns that you're looking for in other platforms. And so I think the transition kind of makes sense when you kind of understand or at least think that you understand what types of checks are usually overlooked.
Justin Gardner (22:13.392)
Mm.
Justin Gardner (22:26.16)
Mm-mm.
Sharon (22:26.386)
And you start from these points that you try to poke at different areas of the platform or the logic to try to do it black box wise.
Justin Gardner (22:35.504)
Mm.
Justin Gardner (22:39.712)
Yeah, that makes sense. And so then, you know, when you're moving into something like Pwn2Own, you know, are you seeing, what is the difficulty level differential there? Like, because you said before, a lot of these are untouched, and then you go into something like Pwn2Own, where there's a lot of researchers hacking on the same stuff, you know, that difficulty level goes up a lot, I'd imagine.
Sharon (23:01.046)
So I agree with you. So what happened is we, in our team, we did a lot of exploitation of SCADA devices and a little bit of IoT devices. And then we saw Pwn2Own. And this was a great opportunity for us to start trying the real world stuff. Like, OK, here in our lab, we have these devices that probably nobody touched. But let's try to take a real challenge into devices, targets that
Justin Gardner (23:09.508)
Mm.
Justin Gardner (23:21.647)
Right.
Justin Gardner (23:25.998)
Yeah.
Sharon (23:30.932)
ZDI, Zero Day Initiative, are specifically targeting because they're popular, because everybody is looking at them. And we had great success. So Pwn2Own, let's talk a little bit about Pwn2Own. So Pwn2Own has these three or four themes of competitions. The first one is the classic one where they have the operating system and browsers competition, which we're not competing in yet. And then they...
Justin Gardner (23:33.104)
Hmm.
Justin Gardner (23:37.433)
Right. Right.
Justin Gardner (23:41.92)
Yeah,
Justin Gardner (23:49.168)
Mm.
Justin Gardner (23:53.424)
Mm.
Justin Gardner (23:57.038)
Yeah, that's very intense. Yeah. Yeah.
Sharon (23:58.62)
Yeah, that's super intense. And then they have the IoT competition, the ICS competition, which they stopped doing. And they also now started with the automotive competition. So we mainly focused on the other three. So the automotive, IoT, and the ICS or OT. By the way, just for terminology, OT, operational technology, ICS, industrial control systems. So we're talking about
Justin Gardner (24:05.104)
Hmm.
Justin Gardner (24:18.832)
Mm. Mm.
Justin Gardner (24:26.254)
Hmm. Yeah, I didn't, I didn't know OT. That's interesting. Okay. Yeah.
Sharon (24:28.416)
these two
Sharon (24:32.01)
Yeah, operational technology, this is like, it's like IT, but with operational, with something physical. So we're talking about SCADA-like devices that have some kind of interface with the physical world. Exactly. So we focused mostly on the ICS and IoT and we had great success. And if we're getting back to your question, like how difficult it is. So yeah, it's much more difficult.
Justin Gardner (24:38.126)
Sure.
Mm.
Justin Gardner (24:46.34)
Physical interface with the world. Yeah, okay. That makes sense.
Justin Gardner (25:00.739)
you
Sharon (25:00.97)
The attack surface is very limited and many eyes review it a lot of times. But still we had some success, which was great. And we actually did five different Pwn2Owns. Yeah, it is a lot of fun. Showing your exploit live is really cool.
Justin Gardner (25:16.612)
Wow, man, that's so fun. That's so fun. So, dude, that's gotta be really nerve wracking too if it's like this one moment of like, does the exploit work? Does the exploit not work? My gosh, dude. Okay, so then let's kind of talk about Pwn2Own versus the HackerOne live hacking events and then we'll rewind a little bit into some of your bug bounty experience before that. So, you know.
Sharon (25:29.314)
Yeah, everything comes down into one.
Sharon (25:41.098)
Yeah. Sure.
Justin Gardner (25:45.028)
You said at these Pwn2Own competitions, ZDI is selecting these targets that are specifically used because they're, or specifically selected because they're popular, right? And these are gonna be more hardened, because more eyes have been on them naturally. And so, you know, there's more time required for these events. And that's one of the things that I've seen between HackerOne's live hacking events and Pwn2Own's competitions is that there's a massive time component that
differs, right? HackerOne, it's normally you've got like two weeks to hack these companies or these devices or whatever. And then ZDI, you know, I don't even know how far in advance do they do it? Three months, wow. Okay. And I mean, can you give me a little bit of a timeline on how that works? I mean, I'm sure it varies from product to product, but do you spend three months focusing on one product? Do you do one month, one month, one month? Or like, how does that work?
Sharon (26:25.342)
Usually three months. Yeah.
Sharon (26:40.458)
Yeah, it's a great question. So usually I'm doing Pwn2Own with my team. So usually we're three to five, depends on availability. And yeah, so three months ahead of time, Pwn2Own or ZDI, they release the target list. Let's say we're talking about the IoT competition. So you have like the router category and you have the...
Justin Gardner (26:50.179)
Okay.
Sharon (27:08.574)
NAS devices category, and you have the smart cameras category. Different categories, and you have a bunch of devices with a price tag. So if you are able to exploit a specific IP camera remotely, you get $30K for example. So what
Justin Gardner (27:16.112)
Hmm.
Justin Gardner (27:29.143)
Mm, mm, mm.
Sharon (27:31.926)
myself and my team are doing, we're taking this list and we're starting to do some OSINT on all the devices. How easy it is to get the firmware, how many previous CVEs and bugs were reported, how many times this device was targeted in previous Pwn2Owns. And we have these metrics where we decide on what targets we want to focus on.
Justin Gardner (27:42.544)
Mmm.
Justin Gardner (27:59.268)
Have you actually quantified it like that? Like you've got this matrix and it's like, all right, it's been targeted at one Pwn2Own, so that's like a, you know, 0.8 multiplier or something like that.
Sharon (28:03.638)
Yeah. Yeah, I mean, it's not very mathematical, but yeah, we have these categories or parameters you can call them. So what's the price tag? How easy it is to get the device? How easy it is to extract the firmware, which is a really important factor, to be honest. And how many times was it targeted before and how many CVEs you have? So I'm running this random.
Justin Gardner (28:10.287)
Yeah.
Justin Gardner (28:16.495)
Love that.
Justin Gardner (28:30.862)
I love that. I love that that it's actually like you have metrics for this and you're making a choice based off of a procedure.
Sharon (28:35.242)
Yeah, yeah, yeah, we do. We must have this because you have like 20 or 30 targets and you have to be very specific because you can spend like a year on a target. For example, the guys that are doing the Tesla components, ECUs, are spending like a year on these exploits. And we want to be very focused because we have three months and we want to get as many devices as we can. And usually,
Justin Gardner (28:46.576)
Mm.
Justin Gardner (28:54.896)
Mm-hmm.
Sharon (29:01.364)
we're able to get like five or six devices in this timeframe. So we have to be very focused.
Justin Gardner (29:05.572)
So let me ask you this. So there's a sort of a problem that I run into with these live hacking events, which is sometimes I want to win the live hacking event and I want to come in first, right? And sometimes I want to make as much money as I can. And those don't necessarily collide always, right? For example, on the HackerOne live hacking events, when it's multi-target,
Sharon (29:16.887)
Sometimes. Yeah.
Justin Gardner (29:34.884)
To get the MVH, you kind of have to hack both targets. But if you want to make the most money, in my experience, it's best to pick one target, go super deep, destroy it. Find a bunch of criticals and that sort of thing. So when you're going into the Pwn2Own competitions, what is your team's goal typically for these things?
Sharon (29:47.37)
Yeah, I agree.
Sharon (29:57.44)
Yeah, so typically we are taking into consideration the amount of money and points, because Pwn2Own are separating the points and the money, and the winner is the one with the most points and not money. So that's exactly the kind of question that the competitors are pondering. Like, do we want more points or more money? So we usually tend to
Justin Gardner (30:12.067)
Mm-hmm.
Justin Gardner (30:19.47)
Mm-hmm. Mm-hmm.
Sharon (30:26.966)
to towards the points, like we want to get higher on the table rather than money. But I guess it changes, it fluctuates between competitions. Yeah.
Justin Gardner (30:39.8)
And is this something you're doing as a part of Team 82, like as a part of your job, or is this something you're doing sort of after hours with the team for more?
Sharon (30:48.534)
So yeah, it's kind of a mix, I'd say. We're doing this as Team82, we're competing as Team82. But during these times of the year, we are spending a lot more time than usual, and we also need to do our day-to-day job, like the usual job. So it's always like overtime, I'd say, like
Justin Gardner (30:51.002)
Mm.
Justin Gardner (30:54.608)
Mm. Right.
Justin Gardner (31:07.723)
Mm-mm.
Justin Gardner (31:12.6)
Well, it's good PR for the company as well, you know, if you guys are going out there destroying those targets. And then I guess I wonder how much, so the prize money then, does that go to the company or does that go to the team?
Sharon (31:14.964)
Yeah, of course.
Sharon (31:19.53)
Of course, of course.
Sharon (31:26.954)
So we're kind of splitting it through the team, but evenly, because we're all putting the same amount of effort into the targets, into the research. Sometimes we're building custom tools for that. So yeah.
Justin Gardner (31:29.07)
Yeah. Okay, nice.
Justin Gardner (31:40.82)
Mm, mm. Yeah, I imagine you're doing a lot of building custom tools when you have these proprietary protocols and like that sort of thing.
Sharon (31:47.348)
Yeah, yeah, we have to, we have to, because, you know, just like, let's take an example from the web hacking, you know, sometimes you have like a target that you want to scan it across the entire internet and you want to do some kind of specific logic. And so it's kind of the same with firmware. Sometimes you want to poke the firmware. You want to, for example, ask questions about all the functions, like what kind of functions contain this specific code flow.
Justin Gardner (31:53.872)
Mm-mm.
Justin Gardner (31:58.224)
Mm.
Sharon (32:13.642)
that I might abuse somehow. So yeah, we're building custom scripts, custom tools to ask and answer these specific questions.
Justin Gardner (32:16.517)
Mm.
Justin Gardner (32:23.662)
Okay, so let me double click into that for a second. So what is your go-to language and some packages that you use for a lot of this stuff?
Sharon (32:32.79)
So I usually exclusively use Python and Bash for scripting. It's the fastest way to move forward. And I'd say that for kind of packages for Python, you have the Pwn, the Pwn one, which is great. Yeah, pwntools, you know, for...
Justin Gardner (32:36.96)
Mm-hmm. My man, my man. Okay, I love it, I love it.
Justin Gardner (32:45.082)
Mm.
Justin Gardner (32:51.332)
Hmm. Yeah, the pwntools or whatever, yeah.
Sharon (32:59.452)
easy interaction with the targets, I'd say, know, sending payloads, receiving payloads, stuff like that.
Justin Gardner (33:02.64)
Mm-hmm.
Yeah, I'll drop that in the notes for those people that are interested in that. Yeah, no, I've seen that and I haven't used it super much. I've done a lot of, I guess most of the binary stuff that I've done has only been very limited. So I haven't had the chance to use it extensively, but it seems very, very useful. Yeah.
Sharon (33:22.934)
It's very useful. It just contains all the, you know, go-to functions, you know, conversion between different, big-endian, little-endian, and you have hex formatting. It's very convenient to use it, very easy.
Justin Gardner (33:36.526)
Yeah, that seems to be the case. So one of the questions we put in the doc here was like, all right, give me the Sharon breakdown on what HackerOne is doing right with the live hacking events and what they're doing wrong versus what Pwn2Own is doing, right? So let me get your opinion on that and then we'll talk about a couple of those as well.
Sharon (33:53.408)
Yeah.
Sharon (33:58.454)
Yeah, sure. So again, these types of competitions are completely different. So in HackerOne live hacking events, you have two weeks of preparation, and then the live event is 48 hours max for hacking. So you don't have a lot of time to go very deep. So for me at least, it's more of a social event. It's more community-wise.
Justin Gardner (34:03.098)
Mm-hmm.
Justin Gardner (34:13.121)
Mm-hmm. Yeah.
Justin Gardner (34:19.984)
Mm-hmm.
Mm-hmm.
Mm.
Sharon (34:25.902)
You get to know a lot of different people and maybe to do some collabs with them. So it's really great to know a lot of people from the industry. While Pwn2Own, so you spend three months by yourself at home alone.
Justin Gardner (34:36.023)
Mm. Mm.
Justin Gardner (34:43.081)
Right in the dark in the dungeon
Sharon (34:44.878)
In the dark. And then you go for one or two days and just show your exploit and that's it. So it's much less of a community event, much less of a of a social event. I mean, you do get to know people there, but it's much less focused on community, but it's much more deep dive. So we have one target, like one device or two devices, and you do a deep dive into that. You know all the firmware.
Justin Gardner (34:59.46)
Yeah. Yeah.
Sharon (35:12.906)
by heart, all the functions, all the interfaces, all the attack vectors on it. So it's much, much more deep dive. And in Pwn2Own, so ZDI folks are running Pwn2Own. And they are super technical. They're hackers themselves, and they do a lot of hacking themselves. So they understand the research that you provide them really well. And they will fight for you with the vendor.
Justin Gardner (35:37.168)
That's so cool.
Justin Gardner (35:40.868)
Mm-mm.
Sharon (35:41.354)
This is amazing. So for example, let's say that I was able to demonstrate a successful exploit at Pwn2Own. And for some reason, the vendor does not agree with that. So ZDI will fight for you. They will shove it into the vendor and will tell them you need to fix it no matter what. And this is great because it really pushes the entire industry. The entire industry.
Justin Gardner (35:48.204)
Mm-hmm. Mm-hmm.
Justin Gardner (36:00.186)
Yeah.
Justin Gardner (36:06.852)
Mm.
Sharon (36:08.862)
forward because ZDI puts a lot of pressure into vendors to make things right and they fight for their researchers and I really appreciate that.
Justin Gardner (36:17.048)
Mm. Just, it just warms the heart, doesn't it? When you see like your advocate out there being like, no, this is fire. This is a great exploit. You need to fix this. Yeah.
Sharon (36:24.106)
Yeah, you know, I'll give you a contra for that. So sometimes I'm submitting bugs to H1 and it's like, it feels to me like a flip of a coin that it will be, I'm submitting it, it's critical, and it will be closed as informative. So when I submit bugs to ZDI and Pwn2Own, I know they will get it. I know they will do the right thing and push the vendor.
Justin Gardner (36:31.568)
Mm, mm.
Justin Gardner (36:39.46)
Yeah, yeah.
Justin Gardner (36:48.802)
One of the most challenging things with HackerOne and Bugcrowd, Intigriti, is like, they have to, they have so much volume that they have this massive triager problem to solve, right? And the triagers burn out pretty quickly, so it's hard to keep like, you know, high quality triagers on the team and stuff like that, so you do run into those issues. And I will say, I haven't experienced the Pwn2Own side, and I'm sure that would be so heartwarming to see them fighting for your bug. But I have had a couple experiences with HackerOne.
Sharon (36:56.148)
Exactly.
Sharon (37:13.898)
Yeah, yeah.
Justin Gardner (37:17.04)
once you, I think it's like maybe the top 300 researchers or something like that on HackerOne, get access to this thing called an HSM, Hacker Success Manager, and they're the person that I ping when I run into that sort of problem, right? Like, my report got closed as informative. Hey man, this is not informative. Can you like take care of that? And then, you know, and it happens. And when it does, I'm like, I'm so pleased by that. That just makes me so happy. It feels so appreciated. So, yeah.
Sharon (37:25.088)
Uh-huh.
Sharon (37:43.914)
Yeah, exactly. So the problem is volume. I totally agree. I mean, when you have a lot of volume, especially new hackers coming in and just pushing bugs without understanding. But I think that I understand the HSM thing, but I think that hackers with more credibility to their name and more mileage, their assessment of bugs needs to be a little bit different.
Justin Gardner (37:47.248)
Mm.
Justin Gardner (37:51.12)
Mm.
Justin Gardner (38:05.188)
Mm-hmm. Yeah. Mm.
Justin Gardner (38:13.008)
I totally agree. I wish there was, I mean obviously there's the reputation metrics and stuff like that, but that doesn't correlate with hackers that are new to the HackerOne platform, but very experienced hackers. So there needs to be some sort of, I guess, premium onboarding or something like that for hackers that have experience on other platforms or in other competitions or something like that. Yeah.
Sharon (38:13.116)
That's my take on it.
Sharon (38:22.898)
Exactly. Exactly.
Sharon (38:34.326)
Yeah, I had a case. I mean, it's a very interesting one. I had a case when I submitted a bug as high, I think. And it was closed by the triager. It was closed as informative. He told me it's not in his thing. And then,
Justin Gardner (38:40.72)
Mm. Mm.
Mm.
Justin Gardner (38:49.731)
Can you just, I can feel my pulse just like, mm, that just gets you in the heart, doesn't it, when they do that?
Sharon (38:56.278)
Yeah, you know, so I was new on the platform and then I wrote like, I'm sorry, I will not submit this type of bug anymore. And then the vendor reopened the case, assigned it as high and paid the bounty. And that was like, wow, okay. That's, that's crazy.
Justin Gardner (39:10.006)
Yeah. Yeah. Well, I love your response, dude. Your response is like, okay, my bad, my bad. You know, I'll just take this high or critical exploit and just, you know, okay, I guess it's not real. No, no, you gotta fight. You gotta fight. And that's what I tell people when they're, when they go to these live hacking events is like, that's one of the best things about being in person at the live hacking events is like, if you've got some bug that's being, you know, incorrectly, the severity assigned to it. Yeah. Classified then.
Sharon (39:36.448)
classified.
Justin Gardner (39:38.914)
you can just go knock on the triage door and say like, you know, hey, I need to talk to somebody from the team or from triage and I need to explain how this bug works. And you can just sit down with them in person and be like, hey, here's the exploit. Clearly this is a problem. You know, like, yeah. And so, yeah. Yeah, it's definitely tricky. It is. Let me talk about this, because there's two main things that I think.
Sharon (39:41.13)
Right, right.
Sharon (39:52.276)
Yeah, it is, it is, it is. But again, I do understand the volume issue. I mean...
It is what it is.
Justin Gardner (40:06.916)
I'd like to discuss about Pwn2Own versus HackerOne here that we've got left. One is that Pwn2Own only does pre-auth RCE. And I think that leaves a lot on the table. What are your thoughts on that, having been in the HackerOne environment now where other types of exploits are also appreciated?
Sharon (40:26.07)
So again, Pwn2Own is a very exclusive competition. They want to do kind of a POC or get the fuck out, right? So they want pre-auth RCE. They want you to run code on this device, preferably as root, or it's not interesting. I mean, why is it not interesting? Because this is not part of the competition, the Pwn2Own. Pwn2Own, you need to own the device, right? That's the competition.
Justin Gardner (40:29.296)
Mm-hmm.
Justin Gardner (40:35.704)
Mm-hmm. Mm-hmm. Mm-hmm.
Justin Gardner (40:41.728)
Mm-hmm. Mm-hmm. Mm-hmm.
Justin Gardner (40:49.514)
mmm... Pone? Yeah, exactly. Right, yeah.
Sharon (40:56.054)
While they do understand there is a lot of attack surface and, you know, while we're targeting five devices when we're preparing for Pwn2Own, and, you know, we have like five pre-auth RCEs, we have like 50 different bugs that are not included in the competition. And we're submitting those later on to ZDI and they accept them, they process them and they make the vendor fix them. So that's, that's fine. I mean, that's part of the competition. But
in the competition itself, they only want pre-auth RCE because that's the rules of the competition. HackerOne live hacking events, they have this range, low, medium, critical, because they understand that actual targets have different attack surface and they want all of it.
Justin Gardner (41:40.88)
Mm.
Justin Gardner (41:46.336)
So yeah, and that is the case. I'm wondering if you were to build your perfect live hacking competition, what would you do? Would you, given the opportunity, say, okay, Pwn2Own should accept something like arbitrary account takeover, where you can just get into any device and take over people's account, or like DOSes that take down the whole service, right? The device becomes inaccessible.
Those are very impactful bugs and I'm wondering whether you think those should be, like what happens to those bugs? Because inevitably you stumble upon them when you're trying to find these pre-auth RCEs. So I mean you just report them to the vendor and you don't get any money for them?
Sharon (42:32.608)
So you can, so if you have bugs that you found and you did not use them through Pwn2Own, you can still submit them to ZDI. You can actually, so ZDI are purchasing bugs. That's kind of their business model. They pay for vulnerabilities because ZDI are owned by Trend Micro, the AV company, or EDR now, I'm not sure.
Justin Gardner (42:34.852)
Hmm. Hmm.
Justin Gardner (42:45.806)
Mm-hmm. Mm-hmm.
Justin Gardner (42:55.908)
Mm-hmm. Yeah. Yeah. Mm-hmm.
Sharon (43:02.014)
ZDI wants to get the new exploits, the new bugs, the new vulnerabilities, and they will purchase them from researchers and they will submit them to the vendors. And this is where they're really useful in fighting with the vendors and pushing them into fixing the security vulnerabilities. And then Trend Micro will develop detection. So this is kind of their business model. So if you find bugs that are not pre-auth RCE, you can still use them. You can still sell them to ZDI.
Justin Gardner (43:08.656)
Mm-hmm.
Justin Gardner (43:29.986)
Okay, okay, that's cool. And do they pay out all right?
Sharon (43:33.642)
Yeah, yeah, they pay great. I mean, they don't have like a predefined metrics table for pricing, the bounty table. Yeah, but they pay great. And they also have tiers. So you can move forward with reputation, and along with more bugs that you're selling them and more reputation, you actually move forward, just like a frequent flyer. Yeah.
Justin Gardner (43:39.45)
like a bounty table or whatever, okay.
Justin Gardner (43:57.525)
Mm-hmm sure Wow
Sharon (43:59.678)
So we have like silver, bronze, I forgot the tiers, but and you get multipliers. So yeah, they have a great program for that.
Justin Gardner (44:08.762)
Dang, that sounds pretty awesome. I wasn't aware of that aspect to it. I think I gotta look into that a little bit more. Do you ever run into scenarios where you're hacking a target and you just find an absolute shit ton of mediums and highs that are not pre-auth RCE, or even criticals that are not pre-auth RCE, right? And then those earnings from reporting those bugs to ZDI outweigh the money that you make from submitting the pre-auth RCEs?
Sharon (44:36.192)
So myself, I mean, that's not the case for myself at least, but I do know some other folks that are doing a lot of fuzzing and they're finding a lot of lows and mediums by fuzzing different file types and protocols. And yeah, they make a bunch of money for that.
Justin Gardner (44:38.048)
Mm. Mm.
Justin Gardner (44:43.088)
Mm-mm.
Mm.
Yeah.
Justin Gardner (44:52.56)
That's interesting, That's interesting. That's really interesting. Yeah, I gotta think about that. Okay, we spent a good amount of time on the live hacking event flow and that whole thing now, so let's jump a little bit more into your methodology, okay? So, obviously, you've got this IoT, ICS hacking side, and you've got this web hacking side. How do you...
The one I'm more interested in picking your brain on is this IoT hacking side. So what is the overall methodology when you get a new device? How important is getting firmware, getting a dynamic debugger, that sort of thing? And what is your approach?
Sharon (45:32.448)
Yeah, cool. So whenever you research IoT or OT devices, controllers and stuff like that, the most important thing is obviously to get the firmware. And getting the firmware, there are multiple ways to get the firmware. If it's super easy, sometimes you can download it from the vendor's website because they offer it to their customers. In most cases, it's not plain text, so it's encrypted.
Justin Gardner (45:35.734)
Mm-hmm. Mm. Right.
Justin Gardner (45:44.048)
Mm.
Sharon (46:02.358)
And then you have like different methodologies of how to handle that. Sometimes the vendor offers to download previous versions of the firmware too. And then you go one by one until you find an unencrypted one, a decrypted one. And inside, the transition firmware will contain also the algorithm and the key for the encrypted one, right?
Justin Gardner (46:27.056)
Dude, is a good tip right there. So at some point if they switch from non-encrypted to encrypted, go back to the last version. Wow.
Sharon (46:32.916)
Yeah, exactly. Because somehow the current firmware needs to understand how to install the encrypted one, how to decrypt and install the new firmware, right? So we go one by one until we find this transition firmware and then we develop the decryption process ourselves. Sometimes, if you are able to exploit a current device and research its binaries, then you can
get root access to the device and then explore and research the binaries and you'll find the decryption procedure in these binaries. So we can take it to decrypt the firmware. And sometimes if you have no luck, you need to de-solder the flash chip and read the firmware out of the device itself. So.
Justin Gardner (47:09.988)
Mm-hmm. Mm.
Justin Gardner (47:25.136)
Dude, yeah, it's so much work to do that, right? That's one of the things with IoT devices that hurts me a little bit as a web hunter, because as a web hunter, I can go focus on some of these high dollar web paying programs and pop some bugs that are gonna pay really great bounties, or I can spend a week, you know, like, hmm.
Sharon (47:40.63)
Right. But think about it like this. What if you could spend a lot of time to get the source code of the server that you're trying to exploit? Exactly. Exactly. So if you get the thing where it's not a black box anymore, it becomes a gray box. So obviously, if you want to be successful with embedded devices,
Justin Gardner (47:49.274)
Mm.
my gosh, dude, it would be so worth it. It'd be so worth it. Yeah.
Justin Gardner (48:00.938)
Mmm. Mmm.
Sharon (48:07.082)
you need to get the firmware, and usually these are the three methods: download from the vendor's website, find the transition between the encrypted and decrypted, hack the device itself by finding kind of post-auth remote code executions, black box wise, sometimes it's possible, and then get the binaries, extract the decryption process and implement it, or desolder the flash chip and read the firmware out of the device.
Justin Gardner (48:35.034)
Nice.
Sharon (48:35.112)
Once you have the firmware, you're in a great position to start researching the platform itself.
Justin Gardner (48:42.125)
So you've got the firmware, do you normally work on a live device or do you try to get that firmware emulated?
Sharon (48:48.182)
So it's great question. We usually start from emulation because sometimes the device, you cannot buy the device. It's expensive. It will take a lot of time to reach us. So we're starting from emulation because it helps us to get ourselves familiar with the environment. Like, what do we need to patch in order to make it work?
Justin Gardner (48:55.316)
Okay, that's cool.
Justin Gardner (49:02.192)
Mm-hmm.
Justin Gardner (49:12.976)
Mm.
Sharon (49:14.686)
What are the main binaries? How the operating system and the file system are arranged. So it gives us a lot of, it's a lot of hard work, hands-on hard work, but it's worth it because after emulating the device, we in most cases understand really well the environment and how it works, like from the inside. But yeah, in many cases, we also purchase the device and we work on a real device.
Justin Gardner (49:34.871)
Mmm. Yeah.
Justin Gardner (49:44.41)
Yeah, dude, that's super badass, man. You know, like, I would love to have an emulated environment for some of these IoT devices that I've hacked on because it's such a pain when you mess something up and you're like, all right, I gotta unplug it and plug it back in and wait for it to reboot. And if I could just go boop, you know, just rewind it. Yeah. So the most experience that I've had with this is taking a binary, put it in QEMU and do a little bit of work on it because of the situation that we were in.
Sharon (49:57.364)
Yeah, exactly. Yeah, so we create Docker files and then you can just reboot it.
Justin Gardner (50:14.148)
So what does it look like to pull the firmware off of a device and have all these different partitions and you've got just like your IMG file or whatever, right? This like raw DD that you pulled off the device and then get that into an emulator and emulate all these different partitions and align everything so that the thing actually starts up when you boot it.
Sharon (50:36.138)
Yeah, so you won't necessarily need all the file system. So sometimes you want only a specific binary that's responsible for the main logic. Let's take an example, an IoT device, let's say a camera. Most of the camera's logic will be implemented in one binary and you don't need all the partitions and everything. You just need this one binary to work. And what...
Justin Gardner (50:40.526)
Mm-hmm.
Justin Gardner (50:46.469)
Mm.
Justin Gardner (50:55.309)
Mm, mm.
Justin Gardner (51:00.012)
But doesn't it crash all the time if you don't have like maybe I'd imagine that's the case, but maybe that's not the case.
Sharon (51:02.654)
Yeah, so...
So you start from, OK, just the binary itself, and then it doesn't work. Why? Because it's looking for these and that library. OK, so you extract all the libraries, and you place it in the right place. And then you iterate through this process until the binary works. And you just work with one binary and all the peripherals. So you don't need all the file system in most cases, right?
Justin Gardner (51:09.902)
Hmm. Sure.
Justin Gardner (51:28.132)
Yeah, dude, that's, I guess that's one of those things that you just like, I wouldn't have tried because I would have assumed it's too, it's too like piecemeal where it's like, I got to get this piece. And then, you know, then I hit like this sub part of the application and it freaks out cause I'm missing this folder and you know, yeah.
Sharon (51:34.218)
Yeah, exactly.
Sharon (51:43.478)
Yeah, obviously, sometimes you need to patch the binary itself, because let's say it's looking for a very specific component, hardware component that you don't have because it's emulation and it's not implemented yet in QEMU. So you patch this part to just work, like return zero or something, if it's not important for the device itself.
Justin Gardner (52:04.612)
Yeah, wow, you really have to get in the weeds with that binary then and understand exactly what's happening.
Sharon (52:07.636)
Yeah, you have to really understand what it's doing and you have to reverse engineer it really well to understand what it's supposed to do, and why. For example, let's talk about the patient monitor, for example. So the main logic of the entire patient monitor, at least in the case that I researched, it was implemented in one binary. But this binary had a lot of communication, serial communication.
Justin Gardner (52:19.268)
Mm, yeah, yeah.
Sharon (52:32.31)
to peripherals of the patient monitor, the SpO2, like the O2 levels of your blood. So we just patched all of these functions and the device thought, yeah, here is the O2 read. It's like 98% all the time, right? It doesn't really matter for the research. Yeah, exactly, exactly. So by binary patching, you can actually skip a lot of the checks and a lot of the hurdles that a real device
Justin Gardner (52:36.858)
Yeah.
Justin Gardner (52:48.918)
This patient is super consistent, like they're just always at 98.
Sharon (53:01.974)
like simulating a real device,
Justin Gardner (53:04.909)
And when you're going about that, how are you doing these binary patches?
Sharon (53:10.026)
So usually you work with either Ghidra or IDA. So you just look at the functions and you see it's reading from a serial bus. Usually it's from a specific device or, for example, from RS 245 or whatever. And you just patch this type of functionality.
Justin Gardner (53:12.673)
Mm. Mm.
Justin Gardner (53:32.237)
And do Ghidra and IDA have functionality built into the applications to do that, or are you just opening it up in a hex editor and then modifying it afterwards?
Sharon (53:40.86)
It doesn't really matter. I usually use a hex editor, I mean, yeah, both Ghidra and IDA have this functionality to binary patch it. I'm just old school. I'm using a hex editor. Yeah.
Justin Gardner (53:49.274)
that functionality.
Yeah, that's the only thing I've done with binary patching, just very limited hex editor. Let me modify this like string or tweak this one little, little flow.
Sharon (54:01.128)
It sounds, to be honest, it sounds intimidating, but in reality, it's very simple. You just skip a function. You just NOP a function and that's it.
Justin Gardner (54:03.546)
Yeah.
Justin Gardner (54:09.678)
Yeah, yeah, no, that makes sense. It is intimidating, but it is doable. And I have to say, the scenario in which I did it was there was this binary that was being loaded up by a mobile app that I needed to modify a little piece of. And I was racking my head. I was like, man, I can't get this to work with Frida. Why can't I hook it? Oh, it's in the native binary. Oh, this is such a pain. And then my buddy was like, man, you should just patch the binary, the .so file. And I was like.
Sharon (54:26.208)
Hahaha.
Justin Gardner (54:34.36)
You know, dude, that sounds really painful. And like 15 minutes later, it was done. You know, it's not that bad if you know exactly where you need to modify. So that is pretty rad. That is something you just gotta take the deep dive on and do it, I think.
Sharon (54:42.888)
Exactly.
Sharon (54:49.142)
Definitely, definitely. So again, emulating devices, I think it's worth the time. Again, we're not emulating the entire device and not the entire peripheral, just the logic itself that we're focused on.
Justin Gardner (54:52.696)
Mm-hmm. Yeah. Mm-hmm.
Justin Gardner (55:01.156)
That's a great piece of advice. I think that's something that I'll try next time around is when I get the firmware off, I'll try to put it into, maybe I'll allocate a day to it or something like that of trying to get that, identify the main binary, the main functionality, and then just get all of the peripherals that it needs. I know this probably varies from project to project, from target to target, but how long does it take typically for you to, let's say you pulled firmware, how long does it take for you to get it
spun up in QEMU or whatever.
Sharon (55:33.59)
So it really depends how complex the device is. So for example, the patient monitor that I talked about, it had a lot of peripherals. So we needed to patch it one by one and understand how it works one by one. So it took some time. It took a couple of days, but sometimes, especially if we're talking about routers, that QEMU has some initial support for a lot of them, it's really easy. You can get a firmware and start working with QEMU in a couple of hours.
Justin Gardner (55:46.362)
Mm-hmm. Mm.
Mm-hmm.
Justin Gardner (56:01.776)
Wow, dude, yeah, that's a good piece for the HackerOne, you know, people listening is like, you know, a lot of times if we're in the competitions, we don't have a lot of time and we're like, is this worth my time to actually get an emulation environment set up? But if you can get it set up in a couple hours, totally worth it, you know, for sure. And then you've got dynamic debugging and it's like, it's beautiful.
Sharon (56:20.918)
Yeah, exactly. And you can reboot it at any time. You can change it. You can modify it. You can patch some functionality that you're not interested in. You can bypass anti-debugging techniques. Yeah, it's great.
Justin Gardner (56:27.051)
Mm. Mm.
Yeah, set up some fuzzing easy. It's great. Okay, cool. So those are some awesome takeaways. My favorite one from that was the, the unencrypted version to the encrypted version and work backwards from that. I love that. That is great, man. Okay, so let's talk about, I guess, one of the main areas that you focus on, which is the IoT communications with the mothership, you know, with the cloud, so to speak.
Sharon (56:42.07)
The transition, yeah, transition version, yeah.
Justin Gardner (56:58.872)
That's something that we also had another researcher, Matt Brown, come on and talk about recently. And so whenever I hear two hackers that I respect talk about the same thing at the same time, I'm like, look, this is something we need to really deep dive and understand thoroughly. So what does that process look like? How are you normally going about it, setting up a man in the middle for those communications? And what kind of protocols and patterns do you see?
Sharon (57:11.382)
You
Sharon (57:22.848)
Yeah, so whenever we're researching a device, a modern device, okay, we're talking about modern devices, they're not standalone. They usually communicate with some kind of a cloud. I call this a cloud, like a main server, a mothership, whatever you want to call it. And they exchange data. What kind of data do they exchange? For example, normally modern devices will be managed by a user account. So you have your account, you can log in from your mobile application and then through the cloud,
Justin Gardner (57:32.336)
Mm-hmm.
Justin Gardner (57:37.732)
Mm-hmm. Sure.
Sharon (57:52.768)
to device, you can control it. And we are very interested in this type of communication because if we could do account takeover or device takeover, the terminology is not invented yet, I guess.
Justin Gardner (58:08.527)
Yeah, these are new Vuln classes really in this scenario, yeah.
Sharon (58:11.626)
Yeah, so instead of controlling your device, you're actually controlling another device and then you can interact with it through the cloud. So you don't have to be in the same network, local area network, with this device. And you can actually bypass firewalls and NAT segregation and control remote devices. So that's a very powerful primitive. Exactly.
Justin Gardner (58:31.344)
That's the end of the world, man. That is like the holy grail of like, and I think in one of your, I think it was one of your Defcon talks, you guys talked about a scenario with a couple devices actually, where you're able to like emulate, you know, impersonate the device to the cloud, push a config up and then pull yourself out. So it pushes that config back down to the actual device. And it's like, my gosh, this is so bad.
Sharon (58:51.574)
Uh-huh, exactly. So I think in many cases, the device to cloud communication is overlooked by developers because they focus on the user to cloud functionality and they do a lot of checks over there. So are you accessing the right device, you know, role permissions and account permissions and 32 character long password.
Justin Gardner (58:58.756)
Hmm. Yeah. Yeah.
Justin Gardner (59:04.997)
Yeah.
Justin Gardner (59:17.262)
Right,
Sharon (59:17.578)
that will not protect you from anything, but the device itself, the functionality that is loaded into the device that communicates to the cloud, in many cases, unfortunately, this is overlooked because developers are not considering this as an attack vector. Yeah, because they kind of say to themselves, I guess, okay, what happens if someone impersonates a device? Nothing, right? But that's not the reality because if you can impersonate a device and you can actually tell the cloud,
Justin Gardner (59:31.098)
They don't expect you to see it. Yeah.
Justin Gardner (59:40.314)
Mm.
Sharon (59:46.166)
to change configuration about yourself as a device. In many cases, this could lead to a device takeover that you can actually add this device to your attacker's account and then take over devices that did not belong to you.
Justin Gardner (01:00:01.572)
Yeah, dude, that's awesome. And so I'm wondering, what does that flow look like for you? How do you get the man in the middle set up in place? I think Matt Brown has some script he runs, like mitmrouter or something like that. Or some people use like a Wi-Fi Pineapple. What are you using for that?
Sharon (01:00:20.393)
So again, it depends on the project, but usually what I do is I have my own kind of router that I can fully control and I place it before the device itself. And then since I'm the router, I control the DHCP, I control the DNS, I control the traffic. And what I usually do is I do an HTTPS downgrade attack. So usually I'm converting everything into HTTP.
Justin Gardner (01:00:22.224)
Mm-hmm.
Justin Gardner (01:00:26.884)
Mm-hmm. Mm-hmm.
Justin Gardner (01:00:36.718)
Mm-hmm.
Justin Gardner (01:00:44.304)
Mm.
Sharon (01:00:47.122)
And again, you can do it by multiple ways. For example, you can inject your CA into the device. You can, if there is a cert being inside the logic, you can patch it to accept your certificate, your CA. And basically what I try to do is I try to make sure that the communication is HTTP and HTTPS. And then it's really easy to do a man in the middle and intervene in the communication.
Justin Gardner (01:00:53.2)
Mm-hmm.
Justin Gardner (01:01:03.386)
Mm.
Justin Gardner (01:01:17.208)
So if you're doing a, I'm not super familiar with the flow for a downgrade attack. Are you doing something, patching something at the binary level to just make it HTTP rather than HTTPS? Or are you actually getting an HTTPS server that it trusts and you're man in the middle in that with a trusted certificate and then redirecting to HTTP?
Sharon (01:01:38.582)
So we can double down on that. So there are multiple scenarios. The first scenario is there is hard-coded, sorry, not hard, there is a configuration for the main binary that needs to communicate with the server, right? And you'd simply change in the configuration, you change the address from HTTPS cloud to HTTP cloud and you're done. And in other scenarios,
Justin Gardner (01:01:40.228)
Yeah,
Justin Gardner (01:02:00.663)
Mm. Mm.
Sharon (01:02:05.994)
This is not a configuration. This is actually being downloaded from the cloud as configuration. So you find a way to intervene maybe in the memory. Maybe you're doing some binary patching and change from HTTPS to HTTP. OK, that's fine. And in other scenarios, you can actually use HTTPS and you just add your CA to the trusted CA store inside the device.
Justin Gardner (01:02:11.792)
Mmm.
Justin Gardner (01:02:31.751)
yeah, of course, if you've got it emulated, you can just do that super easy.
Sharon (01:02:34.42)
And then you use the DNS server that you own to actually give the device whenever it requests to resolve the server, you give it your own address. And then since you are the server for the device right now and they trust your CA, then you can actually do SSL termination. And then the device communicates to your cloud, which is not a real cloud, with HTTPS. And then you do SSL termination and you actually, from your device,
Justin Gardner (01:02:52.624)
Mmm.
Justin Gardner (01:02:56.876)
Mm-hmm, sure.
Sharon (01:03:03.612)
your server, you communicate to the real cloud and then you kind of do a real man in the middle.
Justin Gardner (01:03:08.932)
Wow, cool. What kind of tools are you using for that SSL termination and that whole impersonation process?
Sharon (01:03:14.358)
So usually we have kind of Python scripts to do most of that. But again, you have ready-made tools like MN in the middle SSL is really great. But again, it really depends on the project and exactly how things are set up.
Justin Gardner (01:03:20.975)
Custom, custom stuff. Yeah.
Justin Gardner (01:03:33.86)
how things are set up.
Very cool, man. Okay, so you're man in the middle in that communication. What kind of protocols are you seeing for that communication? Is it typically just hitting an HTTP API or what?
Sharon (01:03:47.478)
Again, we're talking about a broad variety of devices, but in most cases, yeah, most cases it's HTTPS. And in some cases, you also have some proprietary protocols that are specific to some devices. But yeah, in most cases, it would be HTTPS and all the device to cloud communication will go over the HTTPS to transfer configuration.
Justin Gardner (01:03:49.872)
Yeah. Yeah.
Sharon (01:04:13.344)
to update, to do kind of keep alive, to update the firmware, to do over-the-air updates. So most of the communication will be over HTTPS.
Justin Gardner (01:04:23.408)
Gotcha, that makes sense. Yeah, dude, it sounds like so much fun, man. I think my favorite hacking experience overall was hacking an IoT device. I've just had so much fun with that. So I think for me, it's a little bit hard to focus on hacking those devices with the opportunity cost of web, and it being such my bread and butter, something that I can do pretty easily. But man, it's so fun when you...
Sharon (01:04:28.822)
It is, it is.
Sharon (01:04:51.83)
Yeah, obviously it's a different specialty. One thing that is interesting to say that in Pwn2Own, in the IoT theme competition, they have this cool smashup kind of feature, you can call it, where they offer you 100K if you are able to exploit from the WAN into a router and from the router exploit a local device, IoT device like a camera.
Justin Gardner (01:04:53.198)
on a device. Yeah.
Justin Gardner (01:05:00.73)
Mm.
Justin Gardner (01:05:04.878)
Hmm.
Sharon (01:05:21.812)
So if you're able to provide, to show, demonstrate a full exploit that you hack a router from the outside, from the WAN and from inside, do what you want to do and then hack and exploit a device, IoT device from the inside. And again, they have like a very specific target list for each LAN and WAN category. They offer this, they offer you 100K.
Justin Gardner (01:05:41.456)
Mmm.
Justin Gardner (01:05:47.62)
Wow, dude, that's a pretty insane setup there. If you could literally just go from WAN to Shell on an internal device, that's nuts.
Sharon (01:05:50.901)
Yeah, it's.
Sharon (01:05:55.57)
Exactly. And they do this because they want, they want like the real experience. They want the real thing. And it's great. We've been doing this a couple of times. I know that other others since analogy did it also.
Justin Gardner (01:06:00.719)
Yeah.
Justin Gardner (01:06:06.936)
Yeah. How often, yeah, how often do people pull it off?
Sharon (01:06:12.983)
They started like, I think, a year ago. Maybe five or 10-ish so far.
Justin Gardner (01:06:17.387)
Okay.
Justin Gardner (01:06:24.922)
Gosh dude, that's crazy. I went to a local talk in Richmond. We have a conference here in Richmond, Virginia called RVASec and one of the guys, I think one of the Tenable researchers who's actually done some Pwn2Own stuff I think was giving a presentation on like pwning all these routers that he does for his work stuff. And one of the things he was saying was that...
the WAN interfaces on these are a little bit wack sometimes because over IPv4, you know, you've got your firewalls in place. Dude, I was, my mind was blown when he presented that.
Sharon (01:06:53.386)
Yeah, I know this guy. He did the IPv6 exploit. Yeah, I remember him. Yeah, this is one of the things that is usually overlooked by kind of a low tier router vendors that are not enterprise, the IPv6 WAN, because there is a different iptables for IPv4 and IPv6. And usually whenever you configure the router,
Justin Gardner (01:07:06.83)
Yeah. Right.
Sharon (01:07:20.182)
to block or to do something with iptables, usually developers will go to the IPv4 and they forget to configure the IPv6. And that's why sometimes you can communicate with routers from the WAN using IPv6 even though it needs to be blocked. It is, it is.
Justin Gardner (01:07:28.313)
Mm-hmm.
Justin Gardner (01:07:37.786)
Terrifying. That is absolutely terrifying, man. That you might be exposing services on your WAN side via IPv6. my gosh.
Sharon (01:07:44.52)
Exactly, exactly. Think about kind of local only services that are supposed to be communicated only from the local area network are exposed on the WAN. Yeah, that's great.
Justin Gardner (01:07:55.866)
Terrifying, terrifying. Okay, so let's go back to that man in the middle. And I know we were shooting for an hour. We're going a little long here. Is that okay with you? Dude, I'm into it, man. I'm still getting a ton out of this. So talk to me a little bit about how it works for you to impersonate devices to the cloud. What is your approach there? Obviously you get the man in the middle in place. What kind of trends do you see that people make mistakes on when securing that cloud to device communication?
Sharon (01:08:03.54)
Yeah, yeah, I'm with you.
Sharon (01:08:25.418)
Okay, so the thing about impersonating devices is to collect enough information about the device that will gain us the ability to impersonate it in front of the cloud. Now, think about it this way. So there is a vendor that manufactures a lot of devices, right? And they need to keep track of these devices on how, whenever they leave the factory, on how the devices can communicate with the mothership, with the cloud.
Justin Gardner (01:08:54.71)
Mm. Mm.
Sharon (01:08:56.05)
So they have these unique identifiers that tells the cloud, yeah, device presents to the cloud this unique identifier. You can call it a token, you can call it a serial, you can call it a combination of serial and MAC, something that the cloud will be able to verify that, yes, this is a real authentic device that left our factory. And in some cases, these identifiers are not unique enough and are not
Justin Gardner (01:09:09.016)
Mm-mm.
Sharon (01:09:24.744)
are strong enough. So in some cases, you can brute force them, you can guess them, or you can come up with your identifiers that the cloud will trust you to be an authentic device. Now, the thing is, what if you're able to get identifiers of another device that does not belong to you? Like your device is ABC, and you're able to get a device that is identifiers XYZ.
Justin Gardner (01:09:31.437)
Jeez.
Yeah.
Justin Gardner (01:09:48.302)
Hmm.
Justin Gardner (01:09:54.384)
Mm.
Sharon (01:09:55.05)
Then you can take these identifiers, you can even plug it into your device and then communicate to the cloud and the cloud will think, okay, this device is not ABC, this is XYZ. And it has this scenario that I'm describing, it has some implications on how the cloud is communicated to the device because right now the user of the device that owns XYZ will communicate to your device.
Justin Gardner (01:10:05.491)
my gosh.
Justin Gardner (01:10:22.778)
Mmm.
Sharon (01:10:23.978)
because the cloud thinks that XYZ is this device that just a moment before was ABC. And this cross interactions between different devices and different users, we found multiple ways to abuse this into device cross-account takeover. So I can give you a couple of examples. So for example, let's say the...
the device is identified in front of the cloud using a serial and MAC. This is very common. Now the problem with the serial and MAC is MAC is very easy to brute force because the three first bytes are the vendor OUI. And then you have left only three bytes to brute force or to guess. And you also have a lot of, for example, if you go on eBay, you'll see a lot of pictures of devices and you'll see the MAC address
Justin Gardner (01:11:09.497)
Mm-hmm.
Sharon (01:11:23.09)
and the serial on top of the device. So let's say you went on eBay, you saw a MAC address and a serial, or you saw some YouTube videos of folks doing kind of unboxing. Exactly, and you get the MAC and serial. So you take this MAC and serial, and it is being used like credentials to the cloud. And then you connect to the cloud. The cloud thinks that you are
Justin Gardner (01:11:24.752)
no, that's bad, yeah.
Justin Gardner (01:11:37.324)
unboxing or something. I love that attack vector. That's great.
Justin Gardner (01:11:51.855)
No.
Sharon (01:11:52.63)
the device XYZ. And what you can do with that is in some cases, you can, as the device, you can tell the cloud, I belong to this user, right? So what you do is you take the credential, the serial and MAC of some device, and then you tell it, yeah, I actually belong to the attacker's account. And then suddenly in the attacker's account, they get a new device. So this scenario,
Justin Gardner (01:12:19.415)
my gosh.
Sharon (01:12:21.366)
It sounds ridiculous, but unfortunately it's very common in IoT to do kind of account takeover, device takeover.
Justin Gardner (01:12:29.166)
Yeah, device takeover and then correlate it with the account, that's with the attacker's account, that's a good flow. I'm wondering whether you think the correlation of these devices to your account and being able to do that from something that is on the outside of the box or on the outside of the router, is that always insecure because of this unboxing scenario? Because that's a great point. I mean, these are influencers too, right?
Sharon (01:12:34.154)
Exactly.
Justin Gardner (01:12:58.084)
Like these are high value targets for attackers. And if they're showing, if they're flipping the device over and that sort of thing, and that sort of information can be leaked just from an external perspective of the device, that's a problem, I think, right? Yeah.
Sharon (01:13:08.31)
Right. It is a problem. And again, not all of the devices are insecure in that manner, but the modern devices, like the protected or secure devices, use strong identifiers that cannot, it's impossible to brute force or to guess or to view from the outside because they will use some kind of internal, in most cases, hardware-based identifier that cannot be guessed and cannot be used, like a private key.
Justin Gardner (01:13:14.233)
Mm-hmm.
Sharon (01:13:38.23)
that is embedded inside the device itself in a special storage that cannot be easily accessed. And even if it could be accessed, you'll need a lot of effort and physical access to the device in order to get it. And usually it will be burned into the device through the manufacturing process.
Justin Gardner (01:13:38.286)
Mm.
Justin Gardner (01:13:45.807)
Yeah.
Justin Gardner (01:14:01.174)
Mm-hmm, and like some sort of, you know, secure enclave or like... What are the other ways that they store this information? Yeah.
Sharon (01:14:08.136)
Exactly. Secure enclave. Usually, a modern approach is OTP fuses. So it's like one-time programming fuse memory that is one-time programming, like written once, and that's it. You cannot write to it anymore. And only the device, the internal architecture of the device, can use this information as the identifier or kind of find internal configuration that identifies this device only.
Justin Gardner (01:14:13.328)
Mm.
Justin Gardner (01:14:34.576)
Wow, dude.
Sharon (01:14:34.666)
So actually the device becomes, instead of just logically just a serial and MAC, it actually becomes part of the device itself, like hardware wise. So you need the PCB with the components soldered to it in order to impersonate the device.
Justin Gardner (01:14:43.535)
Yeah.
Justin Gardner (01:14:50.202)
So that makes sense. And I've got one more question here before we switch over to some of your other bug bounty related stuff. The randomness that's required to secure these devices, right? Say you've got a string, maybe it's got like 900 million possibilities or whatever. If you've got a million devices, right? And you've got all the time in the world, that's still not
not secure enough, right? You need to have something that is massively random, especially if you've got a ton of devices in order. So I mean, if you see a hex string and it's just a hex string and it's not, you know, 20 characters long, then it's a problem. Yeah.
Sharon (01:15:24.724)
Right. Right.
Sharon (01:15:34.774)
It is, and that's why modern devices will use a private key, 2048, a bit long at least. That's impossible to impersonate.
Justin Gardner (01:15:38.704)
Mm.
Justin Gardner (01:15:45.212)
Yeah, wow, for my like bug bounty brain, that's a little bit tricky because a lot of the times, you know, for us, we're talking about things that can be enumerated pretty quickly or used for an exploit in that regard. when there's so many devices across the whole flow, that's different as well. Okay, so let's... Okay, great, I'll be on the lookout for that. So let's go into some of your...
Sharon (01:15:59.818)
Yeah, 24 bit is enough.
Justin Gardner (01:16:10.032)
let's jump over to some of your bug bounty stuff right now. And we put some questions in the doc here and man, you really delivered some awesome questions on this one and good tips in the prep here. So I'm really excited to break these apart. One of the things you say your secret is, is being able to like replicate a bunch of work done by others. And you know, Sharon, I don't understand. How are you doing all this binary research?
and doing bug bounty and then also just on the side, casually reproducing all of the bugs that come through your pipeline here. Talk to me about that.
Sharon (01:16:47.478)
Yes, first of all, I'm flattered. Thank you. But first of all, I'm not young anymore. I'm 30 years old. So I have around 15 years of experience and a lot of time to try a bunch of different approaches and stuff.
Justin Gardner (01:16:53.796)
Yeah.
Justin Gardner (01:16:58.512)
Yeah. Mm.
Justin Gardner (01:17:07.802)
You're still actively replicating bugs though, right? To this day?
Sharon (01:17:11.124)
Yeah, so what I try to do, so I wrote kind of like many others, I wrote like a small bot that will scout the internet and find me articles and interesting bugs according to some parameters. And I tried at least once a day to read one or two articles in some topics, for example.
Justin Gardner (01:17:30.991)
Mm.
Sharon (01:17:34.024)
a new method for fuzzing, right? So not statically fuzzing, but network-wise fuzzing. And then I try to replicate it and use it in my line of work. So I take it and I try to think, how can I use it in our own lab research? And the way that I replicate this research kind of aligns with the stuff that I normally do. So this way I'm able to
Justin Gardner (01:17:36.056)
Mm, mm.
Sharon (01:18:03.892)
I'll also do the work that I need to do, but also improve it with innovative ways that others are finding. So I think this is a, I'm not sure if to say this is my secret, but I try to be very up to date with all the techniques, all the methods, all the new research and try to implement it into my work.
Justin Gardner (01:18:11.865)
Well.
Justin Gardner (01:18:25.604)
You know, that's very different, man, than a lot of people. Because a lot of people, they get to a certain point where they're having success, and then they just want to, they just like get addicted to that. And they're just like, just want to, I'm talking about myself as well. You know, I get addicted to finding these bugs in Bug Bounty and getting these, you know, big payouts and that sort of thing. And that's all I want to do with my time is plop, plop, plop, you know, keep on grabbing these IDORs and, and, you know, things like that. And I think you're, yeah. Well, I mean, there's a...
Sharon (01:18:49.78)
But I think you'll run out of IDORs eventually, right? Because everybody is...
Justin Gardner (01:18:54.938)
There's a lot of Bug Bounty programs out there, Sharon.
Sharon (01:18:57.494)
Yeah, okay, so you know, okay, so if you're talking about this, so maybe you automated somehow in a large scale, right? So you're still innovating and improving yourself because otherwise all the new bug bounty hunters that are doing some kind of automations will eat you.
Justin Gardner (01:19:01.082)
Hmm. Yeah. Yeah.
Justin Gardner (01:19:15.088)
Yeah, I think that's true. And we're always forced to grow as hackers. And that's one of the things that I like about my job here running this podcast is that I have the opportunity to sit down and talk to you about techniques you use and research all of these techniques as they're coming out and delivering that to the public. But I think that if you say once or twice a day, you're sitting down reading these write-ups and trying to replicate them as well. That's a big piece. You can read it.
Sharon (01:19:43.67)
Not all of them, not all of them, of course. But yeah, I'm trying to use new tools, new methods, new ideas. Yeah, I'm trying to implement all of them, not all of them, right? But a big portion of them in my line of work.
Justin Gardner (01:19:46.287)
Yeah, the cool techniques.
Justin Gardner (01:19:54.948)
Mm. Mm.
Let this be a notice to all of the hackers that are out there listening to this because even this guy is still doing all that. I think we could all use a little bit more of that. Okay, I've got a couple things here. I want to talk to you about the not so common attack surfaces that you like to go after. We covered sort of IoT devices and that sort of thing so far, but you've got some cool other things you like to go at in the bug bounty world.
Sharon (01:20:26.71)
Yeah, so I have like these two hats, right? I'm doing bug bounties and I also do binary exploitation and Pwn2Own. So if we're talking about specifically bug bounties, then I try to look at the not so common attack surface. So just like you said, usually most modern bug bounty hunters, I'd like to say for some reason are going directly to web and
Justin Gardner (01:20:31.939)
Mm-hmm.
Justin Gardner (01:20:39.365)
Mm.
Justin Gardner (01:20:44.464)
Mm.
Justin Gardner (01:20:53.904)
Mm. Mm-hmm.
Sharon (01:20:56.372)
Bug bounty is not just web, for some reason, it's like the terminology is mixed and bug bounty, when you say bug bounty, you usually refer to web. But I tried to look at other attack surfaces like DB to host escape. So sometimes applications will give you the ability to write into databases and databases are complex beasts.
Justin Gardner (01:20:58.563)
Amen.
Justin Gardner (01:21:24.176)
Mm.
Sharon (01:21:24.18)
So usually databases are very complex platforms, usually not like web platforms, but they're not just for storing data. They contain a lot of different features. And if you have the ability to control somehow even your own database, in many cases, you can leverage this into database to host escape and use some features, abuse some features of the database
Justin Gardner (01:21:39.056)
Mm-hmm.
Sharon (01:21:54.166)
to escape from the database realm into the OS platform and then from there to propagate and do maybe account takeovers, maybe get into other databases. It really depends on the platform, but I'm trying to do a bunch of those.
Justin Gardner (01:22:05.274)
Yeah. Yeah.
Justin Gardner (01:22:12.816)
That is definitely an attack surface that not a lot of bug bounty hunters are going after. I think this also decreases your dupe ability. There's a much lower chance you're going to get dupes when you're going after these really crazy attack surfaces. I see another one that you have here on the doc is external scanning or attacking services that aren't necessarily HTTP based.
Sharon (01:22:28.297)
Exactly.
Sharon (01:22:37.375)
Right, exactly.
Justin Gardner (01:22:38.308)
That's a crazy one and just anecdotally, I remember one live hack came in with another great hacker, random deduction. She went after these UDP based protocols that were all over the place on this attack surface. Most of the time, let's say there's most of the hackers that are just going after HTTP stuff and then there's a percentage of hackers that are going after, okay, I'll take a look at some TCP based services that are not HTTP, right? Because I'm gonna be thorough here.
Sharon (01:23:05.75)
Mm-hmm.
Justin Gardner (01:23:08.1)
And then there's even smaller set that actually goes after anything UDP based. And she destroyed this target from some UDP based services. So I bet there is a lot of attack surface there that I and other primarily web based hackers look over a lot.
Sharon (01:23:13.142)
You
Sharon (01:23:22.612)
Yeah, for sure. So just like I said, almost all the bug bounty hunters are hunting web applications. But in many cases, you also find different protocols like TCP or UDP that are supported by the targets. And since I personally have a deep background in protocol analysis, yeah, exactly. I try to hunt for other protocols other than HTTP.
Justin Gardner (01:23:34.272)
Mm-hmm. Mm.
Justin Gardner (01:23:40.629)
That's your bread and butter, yeah.
Sharon (01:23:50.166)
Sometimes, for example, doing stuff with NTP and distributed denial of service, like if you can create these loops with NTP or to do stuff with SNMP, which are great protocols to manage devices and they're implemented in almost any device that you can think of. The problem is whether they're exposed over the internet or not.
Justin Gardner (01:23:54.532)
Mm.
Justin Gardner (01:24:15.919)
Mm.
Sharon (01:24:17.594)
Since they're UDP based, NTP and SNMP, in many cases, again, not always, in many cases, they're overlooked in the firewall rules and firewall policies. And if you'll do these types of scans, or you'll use Shodan or Censys to do these types of scans for you, you'll find a bunch of targets that are actually listening for esoteric protocols and esoteric
Justin Gardner (01:24:29.136)
Mm-hmm.
Sharon (01:24:46.87)
services that you can actually abuse and play with.
Justin Gardner (01:24:51.48)
Dude, that sounds like a lot of fun. A lot of fun in those scripts. I'm wondering, have you ever looked at SIP protocol or I'm trying to remember what those names of those protocols are that are like the routing protocols surrounding SIP? I can't pull them off the top of my head. The majority of the experience that I've had with non-HTTP-related protocols is SIP-related stuff. And I'm wondering if you found anything there.
Sharon (01:24:54.667)
It is.
Sharon (01:25:16.116)
Yeah, so SIP is actually very interesting. SIP is a signaling protocol. So SIP itself, SIP, because there is also CIP, which is a different protocol. But SIP, the signaling internet protocol, actually is the protocol that allows you to do the VoIP communication. So if I want to call to you over the internet, I'm most likely using a protocol suite.
Justin Gardner (01:25:19.392)
Mm-hmm. Mm-hmm.
Mm. Mm. Mm.
Justin Gardner (01:25:32.069)
Hmm.
Sharon (01:25:46.186)
that starts with a SIP. And SIP is a signaling. So I want to call you. So I basically ring or tell the server, I want to call Justin. And the server rings to you and you get these UDP packets, SIP UDP packets that tells you that Sharon wants to communicate with you. And then you do kind of a handshake and we communicate. And the interesting thing...
Justin Gardner (01:25:47.504)
Hmm.
Mm.
Justin Gardner (01:25:55.597)
Hmm.
Justin Gardner (01:26:05.583)
Mm.
Sharon (01:26:11.318)
with the SIP is that after we establish communication, in many cases, we transfer the information to communicate directly. So we move.
Justin Gardner (01:26:20.238)
Yeah, that's the interesting part, man. That's what I think would be really fun to play with.
Sharon (01:26:24.02)
Yeah, exactly. So we actually move from communicating over the cloud to direct communication. And the implementation for this, the reason, the logic is because we want to communicate directly without any interference. So we don't need the server anymore once we agree on ports to communicate. And once we agree on ports to communicate, we start to transfer media. And media is voice and video in most cases. So there are
Justin Gardner (01:26:38.052)
Hmm. Yeah.
Sharon (01:26:50.536)
are a bunch of different protocols. So you have a SDP to actually communicate what type of ports and what type of media. So for example, I'm telling you, yeah, I'm going to transfer to you audio in this and that format, AAC and whatever. And you have another protocol for transfer the RTP to transfer the actual media itself. So it's a bunch of protocols that eventually allows us to communicate over VoIP. And there is a lot of attack service over there. The problem is,
Justin Gardner (01:27:04.292)
Mm.
Sharon (01:27:20.082)
Most of the modern applications, so for let's say WhatsApp or Telegram, they're using protocol stacks, modern protocol stacks that have been scrutinized and looked and reviewed a lot of time in different directions. So it's very difficult to find bugs in those areas. The potential for bugs in those areas is only if you'll take a look at the glue between the library itself, the protocol stack itself, and the application. Maybe you'll find
Justin Gardner (01:27:46.256)
Mmm.
Sharon (01:27:50.172)
a bug over there. Yeah.
Justin Gardner (01:27:51.778)
Wow, I just want to tell the guests, this was not in the doc at all. We didn't mention anything about SIP beforehand. So that whole explanation about how SIP protocol works was just off the top of his head, which is just...
Sharon (01:28:04.926)
No, it's because I researched a couple of SIP protocol stacks and I actually found a bug or vulnerability actually. So I can call you and crash your application remotely over the server in one of the popular SIP stacks. So that's why I know about SIP specifically.
Justin Gardner (01:28:19.984)
Mmm.
Yeah.
Justin Gardner (01:28:28.304)
That's fun, man. Yeah, when I found some bugs in the SIP stuff, a lot of it was having to do with the extra layer of authentication on top of SIP. And so we got to a point where we were able to impersonate people and do like third party registration, which is a part of the SIP protocol, which was really fun. Yeah, all right. I'll let you go soon, Sharon. I just wanna talk really quickly about...
the documentation tracker and the reCAPTCHA bypass stuff that you put in the doc. Yeah. But the thing that I did want to discuss was the documentation tracker and reCAPTCHA bypass stuff. So how do you integrate that into your workflow?
Sharon (00:00.97)
Cool, cool, I'm with you.
Sharon (00:11.552)
Yeah, so when I work on, let's call it a long-term research, I try to be on top of things like new features, new updates, change logs, stuff like that. So for heavy targets, I'm writing, in most cases, I'm writing a kind of a documentation tracker. So a documentation tracker is a...
Justin Gardner (00:17.989)
Mm-hmm.
Justin Gardner (00:25.452)
Mm. Mm.
Sharon (00:37.558)
as a fluff name to say that I'm scraping the shit out of them. You know, documentation pages and release note pages and product pages and updates and the GitHub repositories. So I get all of this data and then I try to write what I call some modules. So for example,
Justin Gardner (00:42.841)
Yeah, exactly.
Sharon (01:02.486)
I have a module that summarizes everything into what new versions are available. What is the difference between different versions of an application? Sometimes, for very specific and focused targets, I also do kind of automatic installation and binary diffing. And again, this is all part of the automation.
Justin Gardner (01:26.361)
Hmm. Hmm.
Sharon (01:31.69)
But again, the essence of it is to understand and be on top of things like what are the new APIs, what are the new versions, features, et cetera.
Justin Gardner (01:31.931)
This is bothering.
Justin Gardner (01:41.915)
Yeah, that's massive, man. I think a lot of people think about automation as like, all right, let me do scanning. Let me see new assets that are popping up, sort of an ASM sort of scenario. But in my experience, doing documentation tracking and or JS file diffing, if you're looking at a specific web application over time, man, you get so much cool stuff out of that. And you're the first one to touch it too, because it just got pushed.
Sharon (01:57.524)
Right, Functions, yeah.
Yeah, you get all right. Exactly. And that's the key. That's the key. When you do bug bounty on scale, the key is to be first. And the way to do that is to get a notification the second there is a new version. Yeah, exactly.
Justin Gardner (02:18.515)
So how does this reCAPTCHA bypass thing work? Because I've done a lot of documentation tracking stuff, but I haven't ever integrated any reCAPTCHA bypass stuff to any of my workflows when creating accounts or anything.
Sharon (02:29.098)
Yeah, I mean, in many cases when I do mostly brute force or let's say account takeovers for different reasons, different reasons. It doesn't have to be specifically for scraping, but scraping is a good use case for it. You'd want to have a lot of accounts. And when I say a lot of accounts, I'm not talking about 10, I'm talking about like hundreds or thousands of accounts. And you can...
Justin Gardner (02:37.263)
Mm-hmm.
Mm-hmm.
Justin Gardner (02:56.539)
Mm.
Sharon (02:58.302)
in some cases do it manually, like go one by one and click I'm not a robot. But essentially you want to automate this because you want it to work fast at scale. There are some services online like 2captcha.com that allow you to bypass some of the CAPTCHAs, but they don't work.
Justin Gardner (03:04.826)
Mm.
Sharon (03:25.718)
in 100% of the cases. So sometimes they won't work. And I found this super stupid, simple method to bypass the reCAPTCHA by using GUI, automating my mouse clicks. I mean, it's a bit smarter. It's not like the XY coordinates of the mouse. It's like...
Justin Gardner (03:43.295)
no way.
Sharon (03:51.392)
hooking to components using specific classes or ID of the div or something like that in the DOM exactly. And then you move the mouse over there and you do clicks and you can automate it. There are a lot of different extensions to Chrome and Firefox to do that. For example, UI Vision is one of them. Yeah, I mean, you can just Google UI automation, Google Chrome extension and you'll find a bunch of them.
Justin Gardner (03:58.137)
in the DOM? Okay, gotcha.
Justin Gardner (04:08.507)
Mm.
Justin Gardner (04:12.635)
Mm, mm.
Sharon (04:21.342)
Surprisingly, they work, I wouldn't say flawlessly, but in a great percentage of the time, they work great. And you can just use it to open thousands of accounts. Now, you need different email accounts, right? So what I do is I just use Gmail with a plus at the end. And in most platforms, they will consider it as different accounts.
Justin Gardner (04:35.419)
Mm-mm.
Justin Gardner (04:40.889)
Like a wildcard? Okay, nice.
Sharon (04:50.248)
And it will reach the same mailbox. So we just activate it by automation through your email account. And you use the automation to click and open all the accounts. And it just works. It's very simple to set up. And it works great.
Justin Gardner (05:03.429)
Dude, that's awesome, man. And it's pretty simple to set up. I mean...
Justin Gardner (05:11.353)
Wow, that's super cool, man. Yeah, I haven't had to use that, but I can see that being super helpful for scraping or for hitting API rate limits or something like that, being able to have multiple accounts.
Sharon (05:21.492)
Yeah, API rate limits, scraping. If you want sometimes to brute force OTPs for account takeover, that's great too.
Justin Gardner (05:29.817)
Hmm. Yeah, no, that's perfect. Here's the last little section and then I'll let you go. I'm sorry. I know I said that a couple of times, but you have such interesting stuff, man. Solving. So I want to move away from the bug bounty stuff. You've given us enough tidbits for a lifetime. And I want to talk about, what is this Scan My SMS thing? And like, what makes you move from...
Sharon (05:36.854)
I love it being here.
Sharon (05:51.926)
okay, okay.
Justin Gardner (05:57.499)
protocol engineer, binary exploitation, bug bounty, and then all of a sudden, you know what? I'm just gonna solve phishing in Israel. So tell me about the project for the people.
Sharon (06:04.286)
Yeah, you know, so the best way to do something is to be scammed, like motivation, right? So the thing that will move you the most is if one of your close friends or family got hit by a scammer, then you know you have all these YouTube channels that they try to pay back to the scammers. So in Israel,
Justin Gardner (06:11.981)
Yeah.
Justin Gardner (06:22.021)
Yeah.
Justin Gardner (06:29.68)
Mm.
Sharon (06:32.726)
There are a lot of scams via SMS, smishing, what we call smishing. And because nobody wants to take the responsibility and there is almost no money in it, because the end user will almost never, will never pay for checking if something is phishing or not. Once my wife got
Justin Gardner (06:41.502)
Mmm. Mmm.
Sharon (06:59.958)
scammed, I decided that I want to create like a central place for people to be able to know if the SMS they received is legitimate or not. Because there are many services in Israel, organizations that are using SMS as a legitimate method to provide information, and they send you these shortener links with the text. And obviously attackers and the bad guys try to
Justin Gardner (07:17.371)
Mmm.
Sharon (07:28.436)
are trying to imitate it and they just copy paste the text and replace it with another bitly kind of a shortener URL. And you have the citizen, the end user, I call this end user, but it's actually a citizen, has no way to understand or to know if it's a legitimate or not. So I just built an automation that actually scans these URLs actually.
Justin Gardner (07:36.057)
Mm-hmm.
Sharon (07:52.894)
keeps track of all the redirections and does some kind of analysis on the end website, like what type of text, HTML, what kind of images. So for example, if I identify images of financial institutions and the name of the website domain is not something that I know of, so probably it's phishing, so I have this scoring mechanism.
Justin Gardner (08:14.713)
Wow, that's pretty technically advanced there. Wow, okay, cool.
Sharon (08:18.932)
Yeah, so I really wanted to provide a tool for citizens to be able to understand if the SMS they received is legitimate or not. And it actually caught. So in Israel, I wouldn't say everybody, but a lot of people are using this. And they're actually using this service, free service, for the public to understand if the SMS they received is legitimate or not.
Justin Gardner (08:21.424)
Thank
Mm.
Justin Gardner (08:31.408)
Yeah.
Justin Gardner (08:44.793)
Wow, dude, the Israeli government should buy this from you and host it on like a government website, because it's a massive problem and it's something that affects the whole citizen base, like you said. And wow, dude. So I guess this is using AI to check it out, or is it actually hard code, all of it, that reaches out to the backend and like runs through an analysis based off of like the HTML and stuff like that?
Sharon (09:12.342)
So, yeah, so we have a couple of different modules. I can talk about a few of them. So for example, we have AI that goes over the text to understand if it's a legitimate text or not. But again, since bad guys are copying and pasting the same text, in many cases, it's difficult for the AI to catch on it because it's a legitimate text, just that link, right? So most of the automation is focused on
Justin Gardner (09:16.123)
Mm-hmm.
Justin Gardner (09:24.315)
Mm-hmm.
Justin Gardner (09:29.402)
Mm.
Justin Gardner (09:36.538)
Right.
Sharon (09:40.906)
the scanning of the link itself, like unfolding, I think this is the right terminology, unfolding the link and keep track of all the redirections and then check for each redirection, all the certificates, all the authenticity of the website, we're checking the third party providers, like if it's in a bad blacklist kind of thing. And then for the final website, we're checking all the URLs in the final website. For example,
Justin Gardner (09:46.041)
Yeah, yeah it is. Yep.
Justin Gardner (10:03.63)
Hmm.
Sharon (10:10.07)
Scammers really like to send the, so they hate writing their own server backend. So they just use Telegram API to send the phishing data to the Telegram API. So in many cases, in many cases you'll find the phishing kits that they have no backend. They just, whenever you fill all the details and click submit, right? Like here is my bank account, here's the password, yada, yada, yada, and click submit, it will...
Justin Gardner (10:17.465)
Mm, mm.
Justin Gardner (10:24.447)
Sharon (10:37.75)
all this information will be sent to a Telegram bot without any backend service. So we're looking at all these kind of indicators, as we call them, and we try to reach to a conclusion if it's phishing, if it's a scam, or if it's a legitimate website.
Justin Gardner (10:57.871)
Wow, wow, because I think it would have been so easy for you to say, we've got this new shiny toy AI that can detect the misspellings or give us it, yeah.
Sharon (11:00.264)
Yay.
Sharon (11:09.034)
But if we did that, we'll be part of the problem because the citizens do not know if the SMS they receive is legitimate or not because there are no tools to actually tell them, yeah, this is fully trusted or no, this is fully scam. And we wanted this binary result, true or false, scam or not scam. So we had to be a little bit more deterministic.
Justin Gardner (11:14.054)
Exactly.
Justin Gardner (11:18.811)
Mm.
Justin Gardner (11:34.693)
Wow dude, yeah, that's amazing. It's very cool to see you not get distracted by the shiny thing that is AI and also use a hard tech solution as well in conjunction with the AI to give you a higher signal, Boolean, or false, scam or not scam answer. Wow dude.
Sharon (11:52.662)
Yeah, and it all starts with a single event that triggers everything. Like my wife got scammed and I was pissed. That's the event. Yeah, just like when I was 16, I got the iPhone and this was the event that changed the course of what interests me and I wanted to learn more to write applications. So there is a single event that motivates you and then you just follow this path.
Justin Gardner (11:59.747)
Yeah. And the rage, the rage built up within you.
Justin Gardner (12:19.513)
Very cool, man. Very cool. All right, I will let you go. That was an amazing episode. Thanks for all of the details. Yeah, it's been great having you on. All right, peace.
Sharon (12:20.608)
Cool.
Sharon (12:25.066)
Thank you so much, Justin. Thank you so much.