Date and Time:
Tuesday, March 19, 14:00 – 18:00

This workshop is hybrid (online and face-to-face).


The danger posed by vulnerable IoT devices lays in large part to its potential for widespread takeover, as was experienced in the infamous Mirai botnet formation that maintained over 200,000 compromised IoT devices exploited through, amongst other techniques, exploited server code. This workshop trains participants to investigate an exploitable IoT device, from firmware extraction to takeover. Participants will come to understand the utility of persistent storage devices such as NVRAM for transferring injected commands across binary boundaries for remote code execution and persistent device takeover.

The exercise involves a realistic training scenario where a router purchased by a company began to exhibit strange intervals of connectivity downtime. Employees suspected tampering and performed an NVRAM dump before completely unplugging the router in fear. Being a junior enterprise, they did not have the necessary network security infrastructure in place to monitor network traffic, and thus could not evidence whether the device was in-fact compromised, nor how.

The company assembled a group of specialists from around the world to investigate the situation and have thus provided the device, firmware version, and the NVRAM memory dump. The dump – a listing of key-value pairs revealing a particular state of persistent memory – is the only starting point available for investigation; all other contents were reset when the device was unplugged. Curious values appear in the dump, including suspicious configuration values. As forensic analysts, the question becomes, how did such a value arrive in NVRAM, what can it do, and is it sufficient evidence to lead our investigation to conclude device takeover?

By leveraging static analysis techniques including extracting binary file metadata, front-end interface DOM scraping, and implementing basic data-flow analysis in Ghidra, attendees will find the source of the attack and come to realize the potential methods and techniques taken by the attacker to achieve device takeover.

Preparation Details:

Participants will be provided with a pre-printed set of follow-along instructions, as well as a PDF-version. In addition, participants must download and load the provided VM image into virtualization software ahead of time if possible.

Workshop organiser:


Anthony Andreoli is a Ph.D. researcher at Concordia University’s Security Research Center in Montreal, Quebec, Canada. His work focuses on binary code understanding and pattern detection for vulnerability analysis, detection, and prevention. An experienced teacher and communicator of ideas, he has been teaching computer science related material for over 5 years to students at both the undergraduate and graduate levels. He spends his free time endlessly inquiring about the nature of existence and human behaviour, and has an extremely shrunken perception of time.

Anis Lounis is a Ph.D. student and dedicated member of Concordia University’s Security Research Center in Montreal, Quebec, Canada, focuses on advancing embedded system security. His expertise lies in uncovering vulnerabilities in IoT devices, complemented by a background in Malware Analysis.