
Flashrom to Hexedit to Root: DEF CON 33 IoT Village Exercise

Last updated on Sep 2, 2025

Each year at DEF CON’s IoT Village, Rapid7 researchers showcase their skills in penetration testing, hardware hacking, and more. At DEF CON 33, Principal Security Researcher, IoT, Deral Heiland took attendees step by step through a brand-new, hands-on exercise that pushed past last year’s lessons and into fresh hardware territory.

This year’s target: a smart camera. The challenge: extract its firmware, manipulate the flash memory through a hex editor, and ultimately gain root access. To do it, attendees got hands-on with tools like flashrom for reading SPI flash memory, the Tigard multi-protocol debug board, and hexedit.

Participants brought the device into single-user mode, mounted the correct partitions, and loaded the kernel modules to expose the camera’s flash memory. From there, they removed the root password hash, rebuilt the firmware, and wrote it back to the device — booting into full root access with no password required.

Why it matters

Exercises like this highlight real weaknesses in how consumer devices store and protect firmware, and they help practitioners build the skills needed to evaluate and secure embedded systems in the real world.

We know not everyone could join us at DEF CON 33, which is why we’ve captured the entire exercise in a detailed whitepaper. Inside, you’ll find step-by-step instructions, tool walk-throughs, and insights that go even deeper than what was covered at the event.

So, whether you were in the room at IoT Village or you’re just now catching up, you can still experience the exercise for yourself. Read the full whitepaper here.
