Global AppSec DC 2019

This talk is the result of a 6 month long person project of mine to automatically, unpack and analyze IoT firmware for common security issues, with a nice web GUI to boot. ByteSweep is a Free Software platform that automates a lot of the common steps I conduct manually when performing IoT pentests. ByteSweep utilizes the python libraries provides by binwalk to programatically extract filesystems from firmware images. In order to extract crypto keys and password hashes hard coded into firmware images, ByteSweep implements a custom strings regex search engine with configurable rules stored in a config file. Radare2's python r2pipe library is used to analyze extracted binaries for any unsafe function calls. (e.g. strcpy, sprintf, system, etc.) Version strings are extracted, using the strings regex search engine, from 3rd party components like open source programs and/or libraries. These version numbers are then compared against software version associated with CVEs by using the NVD JSON Data Feed.

My talk will feature live demos of the ByteSweep platform but I'll pre-record them all in case of failure.

ByteSweep Licensing:
* Web Frontend: AGPLv3
* Backend Worker: GPLv3