[Gerardo Iglesias Galván] decided he wanted to try his hand at bug-bounty hunting, where companies offer to pay hackers for finding vulnerabilities. Usually, this involves getting a device or accessing a device on the network, attacking it as a black box, and finding a way in. [Gerardo] realized that some vendors now supply virtual images of their appliances for testing, so instead of attacking a device on the network, he put the software in a virtual machine and attempted to gain access to the device. Understanding the steps he took can help you shore up your defenses against criminals, who might be after more than just a manufacturer’s debugging bounty.
The device he attacked tried to secure itself. The bootloader was protected. The filesystems were encrypted. Did he get in? Read the story for yourself and find out.
As more projects connect to the Internet, there’s more opportunity for mischief. It wasn’t from hacking, but look how much trouble shutting down everyone’s Nest thermostats caused, not to mention the major internet outage caused by hacked cameras. We’ve talked about hardening Raspberry Pi projects before using things like two-factor authentication. That might not be enough, but it’s a start.