Big Bugs Podcast Episode 3: $15K for IoT Device Takeover

Today we published the third episode of our podcast series ‘Big Bugs’ hosted by me. In this episode, embedded in this post and available on SoundCloud, I am joined by special guest Adam Hartway of Digital Safety (DiSa) to explore a $15K bug uncovered in their winner takes-all bug bounty program.

About the DiSa Bug Bounty Program:

DiSa is the global leader in Digital Protection for products in the retail channel, taking current analog loss prevention solutions and converting them to a digital format. In order to stand up against physical theft, however, DiSa products must also stand up against digital bypasses. To test their strength against hackers, DiSa shipped out DiSa secured tablets to a sample of security researchers to see if they could bypass the authetication steps and take over the device. Listen to the podcast to hear about the results.

Additional Resources:

• Mobile security resources:
  • OWASP Mobile Top Ten
  • OWASP iOS Testing Guide
  • JSSec Secure Coding for Android
• Helpful Mobile Testing/Learning Targets
  • iOS- http://damnvulnerableiosapp.com/
  • Android- http://carnal0wnage.attackresearch.com/2013/08/want-to-break-some-android-apps.html
• IoT security resources:
  • OWASP IoT Surface Areas project
• Helpful IoT Testing/Learning Targets
  • Damn Vulnerable Router Firmware

Have questions for me? Continue the discussion on our forum and subscribe below to get monthly episodes of this podcast. You can also subscribe to the Bugcrowd podcast RSS feed.