Smart Devices, Dumb Resets: Testing Firmware Persistence in Commercial IoT
Matei Jose
DEF CON 33 (backfill) · Day 1 · Main Stage
In "Smart Devices, Dumb Resets," Matei Jose, a Senior Penetration Tester at Happening XYZ, delves into the critical security vulnerability posed by the inadequate sanitization of returned Internet of Things (IoT) devices by retailers. The talk highlights how readily available pre-owned or "repackaged" smart devices can harbor persistent, malicious firmware, even after users attempt "factory resets" or retailers conduct cursory checks. Jose's research demonstrates a clear pathway for attackers to backdoor consumer IoT devices, return them, and then have them resold to unsuspecting customers, creating a stealthy and scalable supply chain attack vector.
AI review
Competent, well-executed research that confirms a real and underappreciated supply chain risk in the IoT return/resale lifecycle. The methodology is clean and the 15-device empirical test gives it credibility, but the attack primitives — OpenWRT, TFTP flashing, squashfs modification, Binwalk — are well-worn tools applied to a known problem class. This lands as solid practitioner work, not a research breakthrough.