19. September 2019

Cumulocity IoT Hacking Event 2019, Darmstadt

Interested in hacking an industrial internet of things cloud platform? Interested in winning awesome prizes? Then this is for you…

CTF-style hacking event. Search for 0-day vulnerabilities and solve interesting challenges.
September 19, 2019
Software AG Headquarters, Darmstadt
Teams compete against teams. Each team consists of three participants.
August 1, 2019 – September 8, 2019.

11.-13. September 2019

44CON 2019, London

44CON is an Information Security Conference & Training event taking place in London, designed to provide something for the business and technical Information Security professional.
Our researchers Philipp Roskosch and Stephan Huber are giving a talk on VoIP phone security:

Dial V for Vulnerable: Attacking VoIP Phones

More and more everyday objects become “smart” and get connected to the internet. VoIP phones are among the oldest class of smart devices. Despite new phones being constantly released, most of these devices contain cheap hardware components and badly programmed software. Their state of security is often questionable, or worse. We show that most phones suffer from serious security flaws that allow attackers to gain full control of these devices. Such hijacked devices not only allow the attacker to eavesdrop on all communication, but can serve as an entry point for further attacks to the internal networks they are connected to.

VoIP phones can be found on each enterprise desk, in critical infrastructure buildings, at home and other places where phone communication is required. Therefore, security flaws on such a device can have far-reaching consequences, especially when transmitting sensitive or private information. We present critical vulnerabilities and various classes of security flaws that allow an attacker to fully compromise the respective device. We were able to cause a denial of service, to eavesdrop on conversations, and to gain remote code execution on the phone.

In our investigation, we focused on the web-based user interface that most phones provide for configuration and management purposes. We present different test setups for analyzing the software running on those phones, including emulation and live debugging. Furthermore, we reveal strategies and tools for finding these flaws.

To complete the presentation, we compare our manually detected vulnerabilities to results of different automated firmware security analysis systems. As we show, automated scanners are unable to find most of these vulnerabilities and leave systems widely unprotected.


08.-11. August 2019

DefCon 2019, Las Vegas

"I'm on your phone, listening - Attacking VoIP Configuration Interfaces" - talk by Stephan Huber and Philipp Roskosch:

If toasters talking to fridges is no joke to you, then you are aware of the big Internet of Things hype these days. While all kinds of devices get connected and hacked, one of the oldest classes of IoT devices seems to be forgotten even though it is literally everywhere - VoIP phones.

For configuration and management purposes, VoIP phones run a web application locally on the device. We found several critical bugs (reported CVEs) in the web application as well as in the webserver which enabled us to hijack the phones. Starting with simple XSS and CSRF issues, via command injections and memory corruptions right through to remote code executions, all popular vulnerability classes can be found on those devices.

We will present our findings together with the tools and strategies we used, and will enable you to do the same with your own phones and other IoT devices.

Further, we will provide helpful ARM shell code patterns, scripts and tricks which hackers can use to find bugs. We will conclude our talk by showing that automatic tools fail to discover such vulnerabilities. Therefore, manual IoT pentesting is still required.

If you think these management interfaces are not exposed to the internet, you are wrong. In a scan, we found thousands of reachable phones vulnerable to our exploits.


17.-19. June 2019

2019 Euro S&P - IEEE Symposium on Security and Privacy, Stockholm


15. March 2019

German-Israeli Business Forum on Cyber Security, Frankfurt

Israel has a leading role in research and development of cyber security solutions. At the German-Israeli Business Forum on Cyber Security, scientists and business representatives from both countries have the opportunity to exchange experiences. CRISP researcher Dr. Michael Kreutzer gives the keynote on "Safeguard Smart City Infrastructure".

