"Well well well, if it isn’t the consequences of my own actions" - the time I got in the middle of 100,000 Linux machines and their fwupd/LVFS firmware updates 🙈 :: BSides Canberra 2025

"Well well well, if it isn’t the consequences of my own actions" - the time I got in the middle of 100,000 Linux machines and their fwupd/LVFS firmware updates 🙈
.ical

2025-09-26 11:30–12:25, Main Track

One from the vaults. In 2020, Justin had a serendipitous encounter with a dangling legacy AWS S3 bucket once owned by the Linux Vendor Firmware Service (LVFS). "What if I registered it," he thought. "What's the worst that could happen?" This is the story of how he wedged himself between 100,000 Linux machines and their firmware updates, stumbled upon a bypass in fwupd's PGP-based firmware update signature checking, traced the flaw back to its root cause, and ultimately returned the bucket to its original owner.

Justin Steven

Justin is a seasoned computer security professional with 13 years of experience across Incident Response and Software Security. As Tanto Security's Head of Research, Justin fosters the curiosity and ingenuity of our consultants, supporting them as they engage in their own research projects.

This speaker also appears in:

"Well well well, if it isn’t the consequences of my own actions" - the time I got in the middle of 100,000 Linux machines and their fwupd/LVFS firmware updates 🙈 .ical 2025-09-26 11:30–12:25, Main Track

"Well well well, if it isn’t the consequences of my own actions" - the time I got in the middle of 100,000 Linux machines and their fwupd/LVFS firmware updates 🙈
.ical

2025-09-26 11:30–12:25, Main Track