Pentesting an IoT-based Biometric Attendance Device

During one of the Red Team engagements, I got a chance to pentest a biometric attendance device that the client used to mark attendance and restrict access to specific rooms. I did not pop any zero-days here, but I leveraged several misconfigurations to achieve root access on the device. Below is a snapshot of the device I was testing. Starting with the assessment, I found that the device was connected to the network, and I was able to get its IP address from the device's network settings....

October 30, 2021 · 3 min · 583 words · Gaurang Bhatnagar