3-4 April 2019 / Manchester Central

First Access >>

Tony Gee

Company: Pen Test Partners

Job Title: Security Consultant

Tony Gee

Tony has over 13 years of security experience, he has worked both as an internal blue team consultant within the finance industry and for the technology partner for the world leading Oyster card system and more latterly as an external security tester. He spends his time educating people about security issues affecting both businesses and individuals. He highlights key security risks that end users and staff face in their online life and how they can mitigate those risks in a simple and easy to understand way.

Alongside this, Tony is a regular speaker at national and international security and technology events, highlighting key risks with the internet of things, automotive and maritime and key payment systems. Tony illustrates and demonstrates critical issues in systems in a way the audiences of all levels can understand. He has spoken at PCI events in Europe and Asia, at the SC Congress in London, other technical conferences such as BSides and at state level at the US Congress and the European Parliament. 

Twitter LinkedIn

Tony Gee Seminars

  • The Pwned Office Thu 26th Apr 14:00 - 14:50

    The Pwned Office

    IoT devices are now in the hands of the hacker, who has the opportunity to reverse engineer these at leisure. From a smart lightbulb to a smart kettle, the technology is easy to come by and generally features low level security because of the price point of these peripherals. Even sanctioned enterprise-grade IoT deployments can be susceptible, allowing supposedly isolated devices to be accessed and used to compromise internal networks. For example, during a recent investigation into Building Management Systems (BMS) we found thousands of corporate HVAC controllers on the public internet. The problem wasn’t down to the security of the kit but rather the way these controllers had been installed by electricians and HVAC engineers with very little security knowledge. As a result some controllers were completely unprotected with their authentication bypassed and could easily be identified and located using the Shodan website. Some had already been hacked.

    Aside from poor installation, attacks can be performed against the IoT device itself by physically extracting key internal components such as the chipsets or SIM cards. These devices often have deep and often privileged access to the network and some components will automatically regard any form of access as trusted. Attempting to connect to them and forcing them to communicate with techniques such as running voltage through the chip can often reveal a treasure trove of information, including passwords, the servers the device is talking to, and how that information is relayed. IoT chips, for example, will often store secret keys in memory that are almost always unencrypted. Even if one can’t dump the firmware, readout is often possible direct from RAM. Simply pull the keys from memory and you can compromise the network. Having hacked one device it then becomes easy to compromise other linked devices before stepping onto the network proper.

    There are steps the enterprise can take to reduce these risks. First of all, devices need to be configured and installed securely and device passwords need to be long, complex and stored securely. The services your IoT device is controlling need to be segregated and you should also ensure that each device is also segregated to prevent chains of devices being taken over. From a management perspective, don’t rely on those overseeing the IoT implementation to verify its security and do test the deployment to identify any weaknesses. Assign responsibility for overseeing IoT security to specific individuals. Remember that BYOD policies need to include IoT devices and seek to educate users on the risks of installing that new smart kettle, plant feeder etc in the office environment. In the event that an IoT device becomes compromised, the problem becomes one of limiting its ability to impact other systems, at which point only segregation will save you.

    This session will use real hacking demonstration and recent research to illustrate the speaker’s points. It will aim to educate and inform the audience on the current types of vulnerability commonly found in the field. Plus it will look to arm the audience with some strategies on how to mitigate these risks.


    Tony Gee

    Tony GeeMore

    Time / Place

    Thu 26th Apr 14:00 to 14:50

    Cyber Hack