SlideShare uma empresa Scribd logo
1 de 58
Baixar para ler offline
IoT security is a nightmare. But
what is the real risk?
Camp++ 0x7e0
root@kali:~# whoami
Zoltán Balázs
root@kali:~# whoami
root@kali:~# whoami
I’m NOT a CEH
Creator of the Zombie Browser Toolkit
https://github.com/Z6543/ZombieBrowserPack
Creator of the HWFW Bypass tool
– Idea later(?) implemented by nation state attackers in Duqu 2.0
https://github.com/MRGEffitas/hwfwbypass
Creator of the Malware Analysis Sandbox Tester tool
https://github.com/MRGEffitas/Sandbox_tester
Invented the idea of encrypted exploit delivery via Diffie-Hellman key exchange,
to bypass exploit detection appliances
– Implemented by Angler and Nuclear exploit kit developers
https://www.mrg-effitas.com/generic-bypass-of-next-gen-intrusion-threat-breach-detection-systems/
How did I get into this?
I bought an IP camera
Found multiple high severity issues
Notified manufacturer, published blogpost
After one year, no patch available
The question is:
• Now what?
I wanted to solve this generic issue
Examples of terrible home IoT devices
– IP Camera
– Router
– Baby monitor
– Smart home
– Automated NAS ransomware
– Car hacked
Mandatory Shodan slide
https://www.shodan.io/search?query=nas
https://www.shodan.io/search?query=ipcam
Assumptions
For the next ~5-10 years, assume
– Your IoT device has horrible security holes
– It won’t receive any patches, ever
For the sake of this presentation, I assumed:
• The IoT device is not intentionally malicious
• Is not preloaded with malware
I know, I am an optimistic guy ¯_(ツ)_/¯
IoT Security Excuses
a.k.a #YOLOSEC
I am safe, I changed all IoT passwords
I am safe, I changed all IoT passwords
Vulnerabilities bypassing password protection
• Memory corruption issues (BoF, Format string, …)
• CSRF (later)
• Backdoor accounts
• Lack of brute-force protection
• …
I am safe, I regularly patch all of my IoT
devices
I am safe, I regularly patch all of my IoT
devices
Patches are late by years
Most IoT devices do not get a patch, EVER
Problems with direct IPv4 connection
If your IoT device has an Internet routable IPv4
address, without any firewall port filtering
Just prepare for apocalypse
Seriously, don’t do that
CCTV is OCTV today
The IoT device is only available in a
closed network
The IoT device is only available in a
closed network
(•_•)
<) )╯What
/ 
(•_•)
( (> The
/ 
(•_•)
<) )> fuck were you thinking???
/
The device is only exposed in my area
Physically nearby to open WiFi
The device is only exposed in my area
Physically nearby to open WiFi
The device is only exposed in my area
Smart rifle hacking – open WiFi
Full of FUD
– but still, interesting research based on the devices
you can expect to network connected
I am safe, home network, behind NAT
NAT is sneaky evil
Due to NAT:
• Users believe they are safe behind home router
NAT
• Developers created ways to connect devices behind
NAT, seamlessly
What could possibly go wrong?
https://youtu.be/v26BAlfWBm8
But, but NATs are good …
I am safe, home network, behind NAT
Think again
– UPNP
– IPv6
– Teredo
– Cloud
UPNP
IPv6
IPv6
Market for private IPv6
Timespan for private IPv6 addresses: ~1 day
ICMP means every device is reachable
• network stack hack possible
Predictable IPv6 addresses (mostly enterprise)
• ::0, ::1, ::2, ::service_port, ::IPv4, ::1000-::2000, ::100-::200, ::1.0-::1-2000,
::b00b:babe
Reverse DNS enumeration (mostly enterprise)- dnsrevenum6
Zone transfer … AXFR … (mostly enterprise)
DNSSEC chain walk (mostly enterprise)
DNS brute force (mostly enterprise) – dnsdict6
Recommended:
• Marc van Hauser: IPv6 insecurity revolutions
• THC IPv6
Teredo bubble
IPv4
Teredo client
1.
Teredo server
2.
Teredo NAT hole
IPv4 IPv6
Teredo client
Teredo relay
1.
2.
3.
4.
Teredo server
IPv6 peer
1ce:c01d:bee2:15:a5:900d:a5:11feFirewall
5.
2001:0000:53aa:064c:0055:6bbf:a67b:7887
Teredo in practice
According to a study by Arbor Networks, the 2008 adoption of IPv6 by µTorrent caused a
15-fold increase in IPv6 traffic across the Internet over a ten-month period.
IP camera cloud hack
IP camera cloud hack
This research is work in progress
– Lot of stuff to fine-tune, research
The camera has an Android app
The app can connect to the IP camera even when
it is behind NAT, no port forward
But how???
IoT security is a nightmare. But what is the real risk?
IoT security is a nightmare. But what is the real risk?
IoT security is a nightmare. But what is the real risk?
Demo time
I am safe, none of these apply, my home
network is Sup3rFirewalled
I am safe, none of these apply, my home
network is Sup3rFirewalled
uBlock demo
uBlock is like Adblock, just better
I use two browsers, one for Internet access
And the other, only use to access internal network
I am safe, I changed the network range
from default (192.168.0.0/24)
I am safe, I changed the network range
from default (192.168.0.0/24)
WebRTC (Web Real-Time Communication) is an API
definition … that supports browser-to-browser
applications for voice calling, video calling, and P2P file
sharing …
WebRTC + STUN
Natively supported in
• Chrome (2012)
• Firefox (2013)
• Opera 18 (2013)
• Edge 21 (2015)
• Blackberry
Not in Safari, mobile Chrome, IE
IoT security is a nightmare. But what is the real risk?
BeEF demo
Same-Origin Policy (SOP)
“a web browser permits scripts contained in a first
web page to access data in a second web page,
but only if both web pages have the same
origin”
Port, protocol and host has to be the same
Goal
• an ad on webmail won’t be able to access the e-
mails
DNS rebind attack
It is (was) possible to bypass browser same origin
policy
One public and one private IP address for a domain
• Use the public IP in first request, deliver malicious
script
• Use the private IP later, malicious script can access
private IP, and leak data
Cat and mouse game started in 1996
https://www.usenix.org/conference/usenixsecurity13
/technical-sessions/presentation/johns
Filet – o – firewall
https://github.com/filetofirewall/fof/
Attackers and motives
Script-kiddies: for fun, point-and-click tool, annoy, prank or
extort ordinary people.
Political activists: Not important, unless operated by government
Organized criminals: for profit. Physical presence or no physical
presence. NAS ransomware attacks. Smart homes hacked by
burglers, internet connected IP-cameras hijacked before
burglary, smart-cars stolen via unsecured WiFi, etc.
Nation-state attackers: “collect everything”. domestic or foreign
surveillance, track and profile people, direct surveillance
(audio, video).
Bonus - Advertisment industry: smart devices will be sold either
exclusively, or at a cheaper price, profit for advertisers, more
targeted ads to the people
IoT development guideline in a Utopia
Secure by design
Tested for security
Patch released if security issues are found
Current IoT development guideline in
reality
Secure by design
Tested for security
Patch released if security issues are found
Cheap
Be the first on the market
Linux (Busybox ?) embedded
Webserver or VNC embedded
IoT security is a nightmare. But what is the real risk?
IoT Risks
Lessons learned for home users
Disconnect power cord/remove batteries if IoT is not needed 7*24
Patch (if possible)
Change passwords to complex, non-reused passwords
Disable direct inbound connections (check router)
Disable UPnP (check router)
Filter IPv6 (inbound default deny a’la NAT)
Disable Teredo
Monitor for tunneling protocols
Prevent CSRF from browser (see uBlock slide)
Scan your home network for new devices (LAN, Bluetooth, new AP, Zigbee, IrDA, FM)
Dedicated network for IoT devices (use old Wi-Fi router)
Separate your guests from your IoT network
Disable WebRTC in browser (Chrome: WebRTC Network Limiter)
Disable cloud connection (on device and/or router/firewall)
Prevent DNS rebind attack – see next slide
Moar tips for home users
Private IP addresses can be filtered out of DNS
responses.
– External public DNS servers with this filtering
e.g. OpenDNS
– Local sysadmins can configure the organization's
local nameservers to block the resolution of external
names into internal IP addresses.
– DNS filtering in a firewall or daemon e.g. dnswall
Firefox NoScript ABE feature
“Smart devices will make our life easier”
Maybe in ~2100, but until then, it will make our
life a nightmare
My best advice: don’t buy IoT devices ;)
Lessons learned for IoT vendors
SDLC
Continuous security testing and bug bounties
Seamless auto-update
Opt-in cloud
Lessons learned for goverments
Follow Federal Trade Comission FTC – fine
vendors who put users at risk to maximize profit
https://www.ftc.gov/news-events/press-
releases/2016/02/asus-settles-ftc-charges-
insecure-home-routers-cloud-services-put
References, interesting links
Best IoT Talk ever! 115 batshit stupid things you can put on the internet in as fast
as I can go by Dan Tentler
https://www.youtube.com/watch?v=hMtu7vV_HmY
https://github.com/mandatoryprogrammer/sonar.js/tree/master
https://www.youtube.com/watch?v=34GtH4tghjA
https://jumpespjump.blogspot.com/2015/08/how-to-secure-your-home-
against.html
https://jumpespjump.blogspot.com/2015/09/how-i-hacked-my-ip-camera-and-
found.html
http://www.theverge.com/circuitbreaker/2016/7/12/12159766/internet-of-
things-iot-internet-of-shit-twitter
IoT security is a nightmare. But what is the real risk?
Hack the planet! One computer at a time
…
zoltan.balazs@mrg-effitas.com
https://hu.linkedin.com/in/zbalazs
Twitter – @zh4ck
www.slideshare.net/bz98
Greetz to @CrySySLab, @SpamAndHex
Thx to Attila Bartfai for the conversation starter
JumpESPJump.blogspot.com

Mais conteúdo relacionado

Mais procurados

Chaos Engineering with Kubernetes
Chaos Engineering with KubernetesChaos Engineering with Kubernetes
Chaos Engineering with KubernetesArun Gupta
 
PHP7ではなくHack/HHVMを選ぶ理由
PHP7ではなくHack/HHVMを選ぶ理由PHP7ではなくHack/HHVMを選ぶ理由
PHP7ではなくHack/HHVMを選ぶ理由Yuji Otani
 
GraalVM の概要と、Native Image 化によるSpring Boot 爆速化の夢
GraalVM の概要と、Native Image 化によるSpring Boot 爆速化の夢GraalVM の概要と、Native Image 化によるSpring Boot 爆速化の夢
GraalVM の概要と、Native Image 化によるSpring Boot 爆速化の夢apkiban
 
ネットワーク自動化、なに使う? ~自動化ツール紹介~ (2017/07/21開催)
ネットワーク自動化、なに使う? ~自動化ツール紹介~ (2017/07/21開催)ネットワーク自動化、なに使う? ~自動化ツール紹介~ (2017/07/21開催)
ネットワーク自動化、なに使う? ~自動化ツール紹介~ (2017/07/21開催)akira6592
 
20220224台中演講k8s
20220224台中演講k8s20220224台中演講k8s
20220224台中演講k8schabateryuhlin
 
Knowledge Graphs and Generative AI_GraphSummit Minneapolis Sept 20.pptx
Knowledge Graphs and Generative AI_GraphSummit Minneapolis Sept 20.pptxKnowledge Graphs and Generative AI_GraphSummit Minneapolis Sept 20.pptx
Knowledge Graphs and Generative AI_GraphSummit Minneapolis Sept 20.pptxNeo4j
 
Git基礎介紹
Git基礎介紹Git基礎介紹
Git基礎介紹Max Ma
 
SRE Conf 2022 - 91APP 在 AWS 上的 SRE 實踐之路
SRE Conf 2022 - 91APP 在 AWS 上的 SRE 實踐之路SRE Conf 2022 - 91APP 在 AWS 上的 SRE 實踐之路
SRE Conf 2022 - 91APP 在 AWS 上的 SRE 實踐之路Rick Hwang
 
Amazon S3を中心とするデータ分析のベストプラクティス
Amazon S3を中心とするデータ分析のベストプラクティスAmazon S3を中心とするデータ分析のベストプラクティス
Amazon S3を中心とするデータ分析のベストプラクティスAmazon Web Services Japan
 
Development myshoes and Provide Cycloud-hosted runner -- GitHub Actions with ...
Development myshoes and Provide Cycloud-hosted runner -- GitHub Actions with ...Development myshoes and Provide Cycloud-hosted runner -- GitHub Actions with ...
Development myshoes and Provide Cycloud-hosted runner -- GitHub Actions with ...whywaita
 
Windowsマシン上でVisual Studio Codeとpipenvを使ってPythonの仮想実行環境を構築する方法(Jupyter notebookも)
Windowsマシン上でVisual Studio Codeとpipenvを使ってPythonの仮想実行環境を構築する方法(Jupyter notebookも)Windowsマシン上でVisual Studio Codeとpipenvを使ってPythonの仮想実行環境を構築する方法(Jupyter notebookも)
Windowsマシン上でVisual Studio Codeとpipenvを使ってPythonの仮想実行環境を構築する方法(Jupyter notebookも)Daichi Kitamura
 
AWS Black Belt Tech シリーズ 2015 AWS Device Farm
AWS Black Belt Tech シリーズ 2015 AWS Device FarmAWS Black Belt Tech シリーズ 2015 AWS Device Farm
AWS Black Belt Tech シリーズ 2015 AWS Device FarmAmazon Web Services Japan
 
(旧版) オープンソースライセンスの基礎と実務
(旧版) オープンソースライセンスの基礎と実務(旧版) オープンソースライセンスの基礎と実務
(旧版) オープンソースライセンスの基礎と実務Yutaka Kachi
 
Writing the Container Network Interface(CNI) plugin in golang
Writing the Container Network Interface(CNI) plugin in golangWriting the Container Network Interface(CNI) plugin in golang
Writing the Container Network Interface(CNI) plugin in golangHungWei Chiu
 
KubernetesとSpannerで 進化し続けるコロプラのゲーム開発
KubernetesとSpannerで 進化し続けるコロプラのゲーム開発KubernetesとSpannerで 進化し続けるコロプラのゲーム開発
KubernetesとSpannerで 進化し続けるコロプラのゲーム開発Google Cloud Platform - Japan
 
root権限無しでKubernetesを動かす
root権限無しでKubernetesを動かす root権限無しでKubernetesを動かす
root権限無しでKubernetesを動かす Akihiro Suda
 
Achieving the Ultimate Performance with KVM
Achieving the Ultimate Performance with KVMAchieving the Ultimate Performance with KVM
Achieving the Ultimate Performance with KVMDevOps.com
 
Coscup2021 open source network os for datacenter
Coscup2021  open source network os for datacenterCoscup2021  open source network os for datacenter
Coscup2021 open source network os for datacenterDung-Ru Tsai
 
The Future of Service Mesh
The Future of Service MeshThe Future of Service Mesh
The Future of Service MeshAll Things Open
 
Accelerating Life Sciences with HPC on AWS - AWS Online Tech Talks
Accelerating Life Sciences with HPC on AWS - AWS Online Tech TalksAccelerating Life Sciences with HPC on AWS - AWS Online Tech Talks
Accelerating Life Sciences with HPC on AWS - AWS Online Tech TalksAmazon Web Services
 

Mais procurados (20)

Chaos Engineering with Kubernetes
Chaos Engineering with KubernetesChaos Engineering with Kubernetes
Chaos Engineering with Kubernetes
 
PHP7ではなくHack/HHVMを選ぶ理由
PHP7ではなくHack/HHVMを選ぶ理由PHP7ではなくHack/HHVMを選ぶ理由
PHP7ではなくHack/HHVMを選ぶ理由
 
GraalVM の概要と、Native Image 化によるSpring Boot 爆速化の夢
GraalVM の概要と、Native Image 化によるSpring Boot 爆速化の夢GraalVM の概要と、Native Image 化によるSpring Boot 爆速化の夢
GraalVM の概要と、Native Image 化によるSpring Boot 爆速化の夢
 
ネットワーク自動化、なに使う? ~自動化ツール紹介~ (2017/07/21開催)
ネットワーク自動化、なに使う? ~自動化ツール紹介~ (2017/07/21開催)ネットワーク自動化、なに使う? ~自動化ツール紹介~ (2017/07/21開催)
ネットワーク自動化、なに使う? ~自動化ツール紹介~ (2017/07/21開催)
 
20220224台中演講k8s
20220224台中演講k8s20220224台中演講k8s
20220224台中演講k8s
 
Knowledge Graphs and Generative AI_GraphSummit Minneapolis Sept 20.pptx
Knowledge Graphs and Generative AI_GraphSummit Minneapolis Sept 20.pptxKnowledge Graphs and Generative AI_GraphSummit Minneapolis Sept 20.pptx
Knowledge Graphs and Generative AI_GraphSummit Minneapolis Sept 20.pptx
 
Git基礎介紹
Git基礎介紹Git基礎介紹
Git基礎介紹
 
SRE Conf 2022 - 91APP 在 AWS 上的 SRE 實踐之路
SRE Conf 2022 - 91APP 在 AWS 上的 SRE 實踐之路SRE Conf 2022 - 91APP 在 AWS 上的 SRE 實踐之路
SRE Conf 2022 - 91APP 在 AWS 上的 SRE 實踐之路
 
Amazon S3を中心とするデータ分析のベストプラクティス
Amazon S3を中心とするデータ分析のベストプラクティスAmazon S3を中心とするデータ分析のベストプラクティス
Amazon S3を中心とするデータ分析のベストプラクティス
 
Development myshoes and Provide Cycloud-hosted runner -- GitHub Actions with ...
Development myshoes and Provide Cycloud-hosted runner -- GitHub Actions with ...Development myshoes and Provide Cycloud-hosted runner -- GitHub Actions with ...
Development myshoes and Provide Cycloud-hosted runner -- GitHub Actions with ...
 
Windowsマシン上でVisual Studio Codeとpipenvを使ってPythonの仮想実行環境を構築する方法(Jupyter notebookも)
Windowsマシン上でVisual Studio Codeとpipenvを使ってPythonの仮想実行環境を構築する方法(Jupyter notebookも)Windowsマシン上でVisual Studio Codeとpipenvを使ってPythonの仮想実行環境を構築する方法(Jupyter notebookも)
Windowsマシン上でVisual Studio Codeとpipenvを使ってPythonの仮想実行環境を構築する方法(Jupyter notebookも)
 
AWS Black Belt Tech シリーズ 2015 AWS Device Farm
AWS Black Belt Tech シリーズ 2015 AWS Device FarmAWS Black Belt Tech シリーズ 2015 AWS Device Farm
AWS Black Belt Tech シリーズ 2015 AWS Device Farm
 
(旧版) オープンソースライセンスの基礎と実務
(旧版) オープンソースライセンスの基礎と実務(旧版) オープンソースライセンスの基礎と実務
(旧版) オープンソースライセンスの基礎と実務
 
Writing the Container Network Interface(CNI) plugin in golang
Writing the Container Network Interface(CNI) plugin in golangWriting the Container Network Interface(CNI) plugin in golang
Writing the Container Network Interface(CNI) plugin in golang
 
KubernetesとSpannerで 進化し続けるコロプラのゲーム開発
KubernetesとSpannerで 進化し続けるコロプラのゲーム開発KubernetesとSpannerで 進化し続けるコロプラのゲーム開発
KubernetesとSpannerで 進化し続けるコロプラのゲーム開発
 
root権限無しでKubernetesを動かす
root権限無しでKubernetesを動かす root権限無しでKubernetesを動かす
root権限無しでKubernetesを動かす
 
Achieving the Ultimate Performance with KVM
Achieving the Ultimate Performance with KVMAchieving the Ultimate Performance with KVM
Achieving the Ultimate Performance with KVM
 
Coscup2021 open source network os for datacenter
Coscup2021  open source network os for datacenterCoscup2021  open source network os for datacenter
Coscup2021 open source network os for datacenter
 
The Future of Service Mesh
The Future of Service MeshThe Future of Service Mesh
The Future of Service Mesh
 
Accelerating Life Sciences with HPC on AWS - AWS Online Tech Talks
Accelerating Life Sciences with HPC on AWS - AWS Online Tech TalksAccelerating Life Sciences with HPC on AWS - AWS Online Tech Talks
Accelerating Life Sciences with HPC on AWS - AWS Online Tech Talks
 

Destaque

Ransomware - what is it, how to protect against it
Ransomware - what is it, how to protect against itRansomware - what is it, how to protect against it
Ransomware - what is it, how to protect against itZoltan Balazs
 
How to hide your browser 0-days
How to hide your browser 0-daysHow to hide your browser 0-days
How to hide your browser 0-daysZoltan Balazs
 
Hacktivity 2016: The real risks of the IoT security-nightmare: Hacking IP cam...
Hacktivity 2016: The real risks of the IoT security-nightmare: Hacking IP cam...Hacktivity 2016: The real risks of the IoT security-nightmare: Hacking IP cam...
Hacktivity 2016: The real risks of the IoT security-nightmare: Hacking IP cam...Zoltan Balazs
 
DEFCON 22: Bypass firewalls, application white lists, secure remote desktops ...
DEFCON 22: Bypass firewalls, application white lists, secure remote desktops ...DEFCON 22: Bypass firewalls, application white lists, secure remote desktops ...
DEFCON 22: Bypass firewalls, application white lists, secure remote desktops ...Zoltan Balazs
 
Sandbox detection: leak, abuse, test - Hacktivity 2015
Sandbox detection: leak, abuse, test - Hacktivity 2015Sandbox detection: leak, abuse, test - Hacktivity 2015
Sandbox detection: leak, abuse, test - Hacktivity 2015Zoltan Balazs
 
Hacking Windows 95 #33c3
Hacking Windows 95 #33c3Hacking Windows 95 #33c3
Hacking Windows 95 #33c3Zoltan Balazs
 

Destaque (7)

Ransomware - what is it, how to protect against it
Ransomware - what is it, how to protect against itRansomware - what is it, how to protect against it
Ransomware - what is it, how to protect against it
 
How to hide your browser 0-days
How to hide your browser 0-daysHow to hide your browser 0-days
How to hide your browser 0-days
 
Hacktivity 2016: The real risks of the IoT security-nightmare: Hacking IP cam...
Hacktivity 2016: The real risks of the IoT security-nightmare: Hacking IP cam...Hacktivity 2016: The real risks of the IoT security-nightmare: Hacking IP cam...
Hacktivity 2016: The real risks of the IoT security-nightmare: Hacking IP cam...
 
DEFCON 22: Bypass firewalls, application white lists, secure remote desktops ...
DEFCON 22: Bypass firewalls, application white lists, secure remote desktops ...DEFCON 22: Bypass firewalls, application white lists, secure remote desktops ...
DEFCON 22: Bypass firewalls, application white lists, secure remote desktops ...
 
Sandbox detection: leak, abuse, test - Hacktivity 2015
Sandbox detection: leak, abuse, test - Hacktivity 2015Sandbox detection: leak, abuse, test - Hacktivity 2015
Sandbox detection: leak, abuse, test - Hacktivity 2015
 
Hacking Windows 95 #33c3
Hacking Windows 95 #33c3Hacking Windows 95 #33c3
Hacking Windows 95 #33c3
 
Sandboxes
SandboxesSandboxes
Sandboxes
 

Semelhante a IoT security is a nightmare. But what is the real risk?

Luiz eduardo. introduction to mobile snitch
Luiz eduardo. introduction to mobile snitchLuiz eduardo. introduction to mobile snitch
Luiz eduardo. introduction to mobile snitchYury Chemerkin
 
OWASP Cambridge Chapter Meeting 13/12/2016
OWASP Cambridge Chapter Meeting 13/12/2016OWASP Cambridge Chapter Meeting 13/12/2016
OWASP Cambridge Chapter Meeting 13/12/2016joebursell
 
Sergio González - WiFiSlax 4.0 [RootedCON 2010]
Sergio González - WiFiSlax 4.0 [RootedCON 2010]Sergio González - WiFiSlax 4.0 [RootedCON 2010]
Sergio González - WiFiSlax 4.0 [RootedCON 2010]RootedCON
 
Rajarshi Gupta at AI Frontiers : Security is AI’s biggest challenge, AI is Se...
Rajarshi Gupta at AI Frontiers : Security is AI’s biggest challenge, AI is Se...Rajarshi Gupta at AI Frontiers : Security is AI’s biggest challenge, AI is Se...
Rajarshi Gupta at AI Frontiers : Security is AI’s biggest challenge, AI is Se...AI Frontiers
 
[CB19] I KNOW WHAT YOU DID LAST NIGHT : Pwning The State-Of-The-Art the IoT H...
[CB19] I KNOW WHAT YOU DID LAST NIGHT : Pwning The State-Of-The-Art the IoT H...[CB19] I KNOW WHAT YOU DID LAST NIGHT : Pwning The State-Of-The-Art the IoT H...
[CB19] I KNOW WHAT YOU DID LAST NIGHT : Pwning The State-Of-The-Art the IoT H...CODE BLUE
 
Security PWNing 2018 - Penthertz: The use of radio attacks during redteam tests
Security PWNing 2018 - Penthertz: The use of radio attacks during redteam testsSecurity PWNing 2018 - Penthertz: The use of radio attacks during redteam tests
Security PWNing 2018 - Penthertz: The use of radio attacks during redteam tests📡 Sebastien Dudek
 
Exfiltrating Data through IoT
Exfiltrating Data through IoTExfiltrating Data through IoT
Exfiltrating Data through IoTPriyanka Aash
 
Cybercon 2015 brandon kravitz
Cybercon 2015   brandon kravitzCybercon 2015   brandon kravitz
Cybercon 2015 brandon kravitzBrandon Kravitz
 
Attacking Embedded Devices (No Axe Required)
Attacking Embedded Devices (No Axe Required)Attacking Embedded Devices (No Axe Required)
Attacking Embedded Devices (No Axe Required)Security Weekly
 
Privacy and security in IoT
Privacy and security in IoTPrivacy and security in IoT
Privacy and security in IoTVasco Veloso
 
The Internet of Things: We've Got to Chat
The Internet of Things: We've Got to ChatThe Internet of Things: We've Got to Chat
The Internet of Things: We've Got to ChatDuo Security
 
Embedded linux 악성코드 동향 20150323 v1.0 공개판
Embedded linux 악성코드 동향 20150323 v1.0 공개판Embedded linux 악성코드 동향 20150323 v1.0 공개판
Embedded linux 악성코드 동향 20150323 v1.0 공개판Minseok(Jacky) Cha
 
OWASP Appsec USA 2014 Talk "Pwning the Pawns with Wihawk" Santhosh Kumar
OWASP Appsec USA 2014 Talk "Pwning the Pawns with Wihawk" Santhosh Kumar OWASP Appsec USA 2014 Talk "Pwning the Pawns with Wihawk" Santhosh Kumar
OWASP Appsec USA 2014 Talk "Pwning the Pawns with Wihawk" Santhosh Kumar Santhosh Kumar
 
The Problem Of The Homeless Hotspot
The Problem Of The Homeless HotspotThe Problem Of The Homeless Hotspot
The Problem Of The Homeless HotspotAmy Bakewell
 
20130226 How Personal Is Your Cloud?
20130226 How Personal Is Your Cloud?20130226 How Personal Is Your Cloud?
20130226 How Personal Is Your Cloud?T.Rob Wyatt
 
Henrik Strøm - IPv6 from the attacker's perspective
Henrik Strøm - IPv6 from the attacker's perspectiveHenrik Strøm - IPv6 from the attacker's perspective
Henrik Strøm - IPv6 from the attacker's perspectiveIKT-Norge
 
IoT_and_the_Impact_on_Security_Brian_Knopf_ISSA-OC_July-2014
IoT_and_the_Impact_on_Security_Brian_Knopf_ISSA-OC_July-2014IoT_and_the_Impact_on_Security_Brian_Knopf_ISSA-OC_July-2014
IoT_and_the_Impact_on_Security_Brian_Knopf_ISSA-OC_July-2014Brian Knopf
 
CIRA Labs - Secure Home Gateway Project 2019-03.pptx
CIRA Labs - Secure Home Gateway Project 2019-03.pptxCIRA Labs - Secure Home Gateway Project 2019-03.pptx
CIRA Labs - Secure Home Gateway Project 2019-03.pptxssuserfb92ae
 
Hack one iot device, break them all!
Hack one iot device, break them all!Hack one iot device, break them all!
Hack one iot device, break them all!Justin Black
 

Semelhante a IoT security is a nightmare. But what is the real risk? (20)

IoT security zigbee -- Null Meet bangalore
IoT security zigbee -- Null Meet bangaloreIoT security zigbee -- Null Meet bangalore
IoT security zigbee -- Null Meet bangalore
 
Luiz eduardo. introduction to mobile snitch
Luiz eduardo. introduction to mobile snitchLuiz eduardo. introduction to mobile snitch
Luiz eduardo. introduction to mobile snitch
 
OWASP Cambridge Chapter Meeting 13/12/2016
OWASP Cambridge Chapter Meeting 13/12/2016OWASP Cambridge Chapter Meeting 13/12/2016
OWASP Cambridge Chapter Meeting 13/12/2016
 
Sergio González - WiFiSlax 4.0 [RootedCON 2010]
Sergio González - WiFiSlax 4.0 [RootedCON 2010]Sergio González - WiFiSlax 4.0 [RootedCON 2010]
Sergio González - WiFiSlax 4.0 [RootedCON 2010]
 
Rajarshi Gupta at AI Frontiers : Security is AI’s biggest challenge, AI is Se...
Rajarshi Gupta at AI Frontiers : Security is AI’s biggest challenge, AI is Se...Rajarshi Gupta at AI Frontiers : Security is AI’s biggest challenge, AI is Se...
Rajarshi Gupta at AI Frontiers : Security is AI’s biggest challenge, AI is Se...
 
[CB19] I KNOW WHAT YOU DID LAST NIGHT : Pwning The State-Of-The-Art the IoT H...
[CB19] I KNOW WHAT YOU DID LAST NIGHT : Pwning The State-Of-The-Art the IoT H...[CB19] I KNOW WHAT YOU DID LAST NIGHT : Pwning The State-Of-The-Art the IoT H...
[CB19] I KNOW WHAT YOU DID LAST NIGHT : Pwning The State-Of-The-Art the IoT H...
 
Security PWNing 2018 - Penthertz: The use of radio attacks during redteam tests
Security PWNing 2018 - Penthertz: The use of radio attacks during redteam testsSecurity PWNing 2018 - Penthertz: The use of radio attacks during redteam tests
Security PWNing 2018 - Penthertz: The use of radio attacks during redteam tests
 
Exfiltrating Data through IoT
Exfiltrating Data through IoTExfiltrating Data through IoT
Exfiltrating Data through IoT
 
Cybercon 2015 brandon kravitz
Cybercon 2015   brandon kravitzCybercon 2015   brandon kravitz
Cybercon 2015 brandon kravitz
 
Attacking Embedded Devices (No Axe Required)
Attacking Embedded Devices (No Axe Required)Attacking Embedded Devices (No Axe Required)
Attacking Embedded Devices (No Axe Required)
 
Privacy and security in IoT
Privacy and security in IoTPrivacy and security in IoT
Privacy and security in IoT
 
The Internet of Things: We've Got to Chat
The Internet of Things: We've Got to ChatThe Internet of Things: We've Got to Chat
The Internet of Things: We've Got to Chat
 
Embedded linux 악성코드 동향 20150323 v1.0 공개판
Embedded linux 악성코드 동향 20150323 v1.0 공개판Embedded linux 악성코드 동향 20150323 v1.0 공개판
Embedded linux 악성코드 동향 20150323 v1.0 공개판
 
OWASP Appsec USA 2014 Talk "Pwning the Pawns with Wihawk" Santhosh Kumar
OWASP Appsec USA 2014 Talk "Pwning the Pawns with Wihawk" Santhosh Kumar OWASP Appsec USA 2014 Talk "Pwning the Pawns with Wihawk" Santhosh Kumar
OWASP Appsec USA 2014 Talk "Pwning the Pawns with Wihawk" Santhosh Kumar
 
The Problem Of The Homeless Hotspot
The Problem Of The Homeless HotspotThe Problem Of The Homeless Hotspot
The Problem Of The Homeless Hotspot
 
20130226 How Personal Is Your Cloud?
20130226 How Personal Is Your Cloud?20130226 How Personal Is Your Cloud?
20130226 How Personal Is Your Cloud?
 
Henrik Strøm - IPv6 from the attacker's perspective
Henrik Strøm - IPv6 from the attacker's perspectiveHenrik Strøm - IPv6 from the attacker's perspective
Henrik Strøm - IPv6 from the attacker's perspective
 
IoT_and_the_Impact_on_Security_Brian_Knopf_ISSA-OC_July-2014
IoT_and_the_Impact_on_Security_Brian_Knopf_ISSA-OC_July-2014IoT_and_the_Impact_on_Security_Brian_Knopf_ISSA-OC_July-2014
IoT_and_the_Impact_on_Security_Brian_Knopf_ISSA-OC_July-2014
 
CIRA Labs - Secure Home Gateway Project 2019-03.pptx
CIRA Labs - Secure Home Gateway Project 2019-03.pptxCIRA Labs - Secure Home Gateway Project 2019-03.pptx
CIRA Labs - Secure Home Gateway Project 2019-03.pptx
 
Hack one iot device, break them all!
Hack one iot device, break them all!Hack one iot device, break them all!
Hack one iot device, break them all!
 

Mais de Zoltan Balazs

Web3 + scams = It's a match
Web3 + scams = It's a matchWeb3 + scams = It's a match
Web3 + scams = It's a matchZoltan Balazs
 
How to hide your browser 0-day @ Disobey
How to hide your browser 0-day @ DisobeyHow to hide your browser 0-day @ Disobey
How to hide your browser 0-day @ DisobeyZoltan Balazs
 
Explain Ethereum smart contract hacking like i am a five
Explain Ethereum smart contract hacking like i am a fiveExplain Ethereum smart contract hacking like i am a five
Explain Ethereum smart contract hacking like i am a fiveZoltan Balazs
 
Test & Tea : ITSEC testing, manual vs automated
Test & Tea : ITSEC testing, manual vs automatedTest & Tea : ITSEC testing, manual vs automated
Test & Tea : ITSEC testing, manual vs automatedZoltan Balazs
 
Hacking with Remote Admin Tools (RAT)
 Hacking with Remote Admin Tools (RAT) Hacking with Remote Admin Tools (RAT)
Hacking with Remote Admin Tools (RAT)Zoltan Balazs
 
[ENG] Hacktivity 2013 - Alice in eXploitland
[ENG] Hacktivity 2013 - Alice in eXploitland[ENG] Hacktivity 2013 - Alice in eXploitland
[ENG] Hacktivity 2013 - Alice in eXploitlandZoltan Balazs
 
[ENG] OHM2013 - The Quest for the Client-Side Elixir Against Zombie Browsers -
[ENG] OHM2013 - The Quest for the Client-Side Elixir Against Zombie Browsers - [ENG] OHM2013 - The Quest for the Client-Side Elixir Against Zombie Browsers -
[ENG] OHM2013 - The Quest for the Client-Side Elixir Against Zombie Browsers - Zoltan Balazs
 
[HUN] Védtelen böngészők - Ethical Hacking
[HUN] Védtelen böngészők - Ethical Hacking [HUN] Védtelen böngészők - Ethical Hacking
[HUN] Védtelen böngészők - Ethical Hacking Zoltan Balazs
 
[ENG] Hacker halted 2012 - Zombie browsers, spiced with rootkit extensions
[ENG] Hacker halted 2012 - Zombie browsers, spiced with rootkit extensions[ENG] Hacker halted 2012 - Zombie browsers, spiced with rootkit extensions
[ENG] Hacker halted 2012 - Zombie browsers, spiced with rootkit extensionsZoltan Balazs
 
[ENG] Zombie browsers spiced with rootkit extensions - Hacktivity 2012
[ENG] Zombie browsers spiced with rootkit extensions - Hacktivity 2012[ENG] Zombie browsers spiced with rootkit extensions - Hacktivity 2012
[ENG] Zombie browsers spiced with rootkit extensions - Hacktivity 2012Zoltan Balazs
 
[HUN] Zombi tűzróka, avagy mire képes egy rosszindulatú böngősző kiegészitő
[HUN] Zombi tűzróka, avagy mire képes egy rosszindulatú böngősző kiegészitő[HUN] Zombi tűzróka, avagy mire képes egy rosszindulatú böngősző kiegészitő
[HUN] Zombi tűzróka, avagy mire képes egy rosszindulatú böngősző kiegészitőZoltan Balazs
 
[ENG] IPv6 shipworm + My little Windows domain pwnie
[ENG] IPv6 shipworm + My little Windows domain pwnie[ENG] IPv6 shipworm + My little Windows domain pwnie
[ENG] IPv6 shipworm + My little Windows domain pwnieZoltan Balazs
 
[HUN] Hacktivity2009 - M&M’s: Mafia & Malware’s
[HUN] Hacktivity2009 - M&M’s: Mafia & Malware’s[HUN] Hacktivity2009 - M&M’s: Mafia & Malware’s
[HUN] Hacktivity2009 - M&M’s: Mafia & Malware’sZoltan Balazs
 

Mais de Zoltan Balazs (15)

MLSEC 2020
MLSEC 2020MLSEC 2020
MLSEC 2020
 
Web3 + scams = It's a match
Web3 + scams = It's a matchWeb3 + scams = It's a match
Web3 + scams = It's a match
 
MIPS-X
MIPS-XMIPS-X
MIPS-X
 
How to hide your browser 0-day @ Disobey
How to hide your browser 0-day @ DisobeyHow to hide your browser 0-day @ Disobey
How to hide your browser 0-day @ Disobey
 
Explain Ethereum smart contract hacking like i am a five
Explain Ethereum smart contract hacking like i am a fiveExplain Ethereum smart contract hacking like i am a five
Explain Ethereum smart contract hacking like i am a five
 
Test & Tea : ITSEC testing, manual vs automated
Test & Tea : ITSEC testing, manual vs automatedTest & Tea : ITSEC testing, manual vs automated
Test & Tea : ITSEC testing, manual vs automated
 
Hacking with Remote Admin Tools (RAT)
 Hacking with Remote Admin Tools (RAT) Hacking with Remote Admin Tools (RAT)
Hacking with Remote Admin Tools (RAT)
 
[ENG] Hacktivity 2013 - Alice in eXploitland
[ENG] Hacktivity 2013 - Alice in eXploitland[ENG] Hacktivity 2013 - Alice in eXploitland
[ENG] Hacktivity 2013 - Alice in eXploitland
 
[ENG] OHM2013 - The Quest for the Client-Side Elixir Against Zombie Browsers -
[ENG] OHM2013 - The Quest for the Client-Side Elixir Against Zombie Browsers - [ENG] OHM2013 - The Quest for the Client-Side Elixir Against Zombie Browsers -
[ENG] OHM2013 - The Quest for the Client-Side Elixir Against Zombie Browsers -
 
[HUN] Védtelen böngészők - Ethical Hacking
[HUN] Védtelen böngészők - Ethical Hacking [HUN] Védtelen böngészők - Ethical Hacking
[HUN] Védtelen böngészők - Ethical Hacking
 
[ENG] Hacker halted 2012 - Zombie browsers, spiced with rootkit extensions
[ENG] Hacker halted 2012 - Zombie browsers, spiced with rootkit extensions[ENG] Hacker halted 2012 - Zombie browsers, spiced with rootkit extensions
[ENG] Hacker halted 2012 - Zombie browsers, spiced with rootkit extensions
 
[ENG] Zombie browsers spiced with rootkit extensions - Hacktivity 2012
[ENG] Zombie browsers spiced with rootkit extensions - Hacktivity 2012[ENG] Zombie browsers spiced with rootkit extensions - Hacktivity 2012
[ENG] Zombie browsers spiced with rootkit extensions - Hacktivity 2012
 
[HUN] Zombi tűzróka, avagy mire képes egy rosszindulatú böngősző kiegészitő
[HUN] Zombi tűzróka, avagy mire képes egy rosszindulatú böngősző kiegészitő[HUN] Zombi tűzróka, avagy mire képes egy rosszindulatú böngősző kiegészitő
[HUN] Zombi tűzróka, avagy mire képes egy rosszindulatú böngősző kiegészitő
 
[ENG] IPv6 shipworm + My little Windows domain pwnie
[ENG] IPv6 shipworm + My little Windows domain pwnie[ENG] IPv6 shipworm + My little Windows domain pwnie
[ENG] IPv6 shipworm + My little Windows domain pwnie
 
[HUN] Hacktivity2009 - M&M’s: Mafia & Malware’s
[HUN] Hacktivity2009 - M&M’s: Mafia & Malware’s[HUN] Hacktivity2009 - M&M’s: Mafia & Malware’s
[HUN] Hacktivity2009 - M&M’s: Mafia & Malware’s
 

Último

LESSON 10/ GROUP 10/ ST. THOMAS AQUINASS
LESSON 10/ GROUP 10/ ST. THOMAS AQUINASSLESSON 10/ GROUP 10/ ST. THOMAS AQUINASS
LESSON 10/ GROUP 10/ ST. THOMAS AQUINASSlesteraporado16
 
Check out the Free Landing Page Hosting in 2024
Check out the Free Landing Page Hosting in 2024Check out the Free Landing Page Hosting in 2024
Check out the Free Landing Page Hosting in 2024Shubham Pant
 
Computer 10 Lesson 8: Building a Website
Computer 10 Lesson 8: Building a WebsiteComputer 10 Lesson 8: Building a Website
Computer 10 Lesson 8: Building a WebsiteMavein
 
Zero-day Vulnerabilities
Zero-day VulnerabilitiesZero-day Vulnerabilities
Zero-day Vulnerabilitiesalihassaah1994
 
Benefits of doing Internet peering and running an Internet Exchange (IX) pres...
Benefits of doing Internet peering and running an Internet Exchange (IX) pres...Benefits of doing Internet peering and running an Internet Exchange (IX) pres...
Benefits of doing Internet peering and running an Internet Exchange (IX) pres...APNIC
 
world Tuberculosis day ppt 25-3-2024.pptx
world Tuberculosis day ppt 25-3-2024.pptxworld Tuberculosis day ppt 25-3-2024.pptx
world Tuberculosis day ppt 25-3-2024.pptxnaveenithkrishnan
 
Introduction to ICANN and Fellowship program by Shreedeep Rayamajhi.pdf
Introduction to ICANN and Fellowship program  by Shreedeep Rayamajhi.pdfIntroduction to ICANN and Fellowship program  by Shreedeep Rayamajhi.pdf
Introduction to ICANN and Fellowship program by Shreedeep Rayamajhi.pdfShreedeep Rayamajhi
 
Vision Forward: Tracing Image Search SEO From Its Roots To AI-Enhanced Horizons
Vision Forward: Tracing Image Search SEO From Its Roots To AI-Enhanced HorizonsVision Forward: Tracing Image Search SEO From Its Roots To AI-Enhanced Horizons
Vision Forward: Tracing Image Search SEO From Its Roots To AI-Enhanced HorizonsRoxana Stingu
 
LESSON 5 GROUP 10 ST. THOMAS AQUINAS.pdf
LESSON 5 GROUP 10 ST. THOMAS AQUINAS.pdfLESSON 5 GROUP 10 ST. THOMAS AQUINAS.pdf
LESSON 5 GROUP 10 ST. THOMAS AQUINAS.pdfmchristianalwyn
 
WordPress by the numbers - Jan Loeffler, CTO WebPros, CloudFest 2024
WordPress by the numbers - Jan Loeffler, CTO WebPros, CloudFest 2024WordPress by the numbers - Jan Loeffler, CTO WebPros, CloudFest 2024
WordPress by the numbers - Jan Loeffler, CTO WebPros, CloudFest 2024Jan Löffler
 
Presentation2.pptx - JoyPress Wordpress
Presentation2.pptx -  JoyPress WordpressPresentation2.pptx -  JoyPress Wordpress
Presentation2.pptx - JoyPress Wordpressssuser166378
 
TYPES AND DEFINITION OF ONLINE CRIMES AND HAZARDS
TYPES AND DEFINITION OF ONLINE CRIMES AND HAZARDSTYPES AND DEFINITION OF ONLINE CRIMES AND HAZARDS
TYPES AND DEFINITION OF ONLINE CRIMES AND HAZARDSedrianrheine
 
A_Z-1_0_4T_00A-EN_U-Po_w_erPoint_06.pptx
A_Z-1_0_4T_00A-EN_U-Po_w_erPoint_06.pptxA_Z-1_0_4T_00A-EN_U-Po_w_erPoint_06.pptx
A_Z-1_0_4T_00A-EN_U-Po_w_erPoint_06.pptxjayshuklatrainer
 
Bio Medical Waste Management Guideliness 2023 ppt.pptx
Bio Medical Waste Management Guideliness 2023 ppt.pptxBio Medical Waste Management Guideliness 2023 ppt.pptx
Bio Medical Waste Management Guideliness 2023 ppt.pptxnaveenithkrishnan
 
Niche Domination Prodigy Review Plus Bonus
Niche Domination Prodigy Review Plus BonusNiche Domination Prodigy Review Plus Bonus
Niche Domination Prodigy Review Plus BonusSkylark Nobin
 

Último (15)

LESSON 10/ GROUP 10/ ST. THOMAS AQUINASS
LESSON 10/ GROUP 10/ ST. THOMAS AQUINASSLESSON 10/ GROUP 10/ ST. THOMAS AQUINASS
LESSON 10/ GROUP 10/ ST. THOMAS AQUINASS
 
Check out the Free Landing Page Hosting in 2024
Check out the Free Landing Page Hosting in 2024Check out the Free Landing Page Hosting in 2024
Check out the Free Landing Page Hosting in 2024
 
Computer 10 Lesson 8: Building a Website
Computer 10 Lesson 8: Building a WebsiteComputer 10 Lesson 8: Building a Website
Computer 10 Lesson 8: Building a Website
 
Zero-day Vulnerabilities
Zero-day VulnerabilitiesZero-day Vulnerabilities
Zero-day Vulnerabilities
 
Benefits of doing Internet peering and running an Internet Exchange (IX) pres...
Benefits of doing Internet peering and running an Internet Exchange (IX) pres...Benefits of doing Internet peering and running an Internet Exchange (IX) pres...
Benefits of doing Internet peering and running an Internet Exchange (IX) pres...
 
world Tuberculosis day ppt 25-3-2024.pptx
world Tuberculosis day ppt 25-3-2024.pptxworld Tuberculosis day ppt 25-3-2024.pptx
world Tuberculosis day ppt 25-3-2024.pptx
 
Introduction to ICANN and Fellowship program by Shreedeep Rayamajhi.pdf
Introduction to ICANN and Fellowship program  by Shreedeep Rayamajhi.pdfIntroduction to ICANN and Fellowship program  by Shreedeep Rayamajhi.pdf
Introduction to ICANN and Fellowship program by Shreedeep Rayamajhi.pdf
 
Vision Forward: Tracing Image Search SEO From Its Roots To AI-Enhanced Horizons
Vision Forward: Tracing Image Search SEO From Its Roots To AI-Enhanced HorizonsVision Forward: Tracing Image Search SEO From Its Roots To AI-Enhanced Horizons
Vision Forward: Tracing Image Search SEO From Its Roots To AI-Enhanced Horizons
 
LESSON 5 GROUP 10 ST. THOMAS AQUINAS.pdf
LESSON 5 GROUP 10 ST. THOMAS AQUINAS.pdfLESSON 5 GROUP 10 ST. THOMAS AQUINAS.pdf
LESSON 5 GROUP 10 ST. THOMAS AQUINAS.pdf
 
WordPress by the numbers - Jan Loeffler, CTO WebPros, CloudFest 2024
WordPress by the numbers - Jan Loeffler, CTO WebPros, CloudFest 2024WordPress by the numbers - Jan Loeffler, CTO WebPros, CloudFest 2024
WordPress by the numbers - Jan Loeffler, CTO WebPros, CloudFest 2024
 
Presentation2.pptx - JoyPress Wordpress
Presentation2.pptx -  JoyPress WordpressPresentation2.pptx -  JoyPress Wordpress
Presentation2.pptx - JoyPress Wordpress
 
TYPES AND DEFINITION OF ONLINE CRIMES AND HAZARDS
TYPES AND DEFINITION OF ONLINE CRIMES AND HAZARDSTYPES AND DEFINITION OF ONLINE CRIMES AND HAZARDS
TYPES AND DEFINITION OF ONLINE CRIMES AND HAZARDS
 
A_Z-1_0_4T_00A-EN_U-Po_w_erPoint_06.pptx
A_Z-1_0_4T_00A-EN_U-Po_w_erPoint_06.pptxA_Z-1_0_4T_00A-EN_U-Po_w_erPoint_06.pptx
A_Z-1_0_4T_00A-EN_U-Po_w_erPoint_06.pptx
 
Bio Medical Waste Management Guideliness 2023 ppt.pptx
Bio Medical Waste Management Guideliness 2023 ppt.pptxBio Medical Waste Management Guideliness 2023 ppt.pptx
Bio Medical Waste Management Guideliness 2023 ppt.pptx
 
Niche Domination Prodigy Review Plus Bonus
Niche Domination Prodigy Review Plus BonusNiche Domination Prodigy Review Plus Bonus
Niche Domination Prodigy Review Plus Bonus
 

IoT security is a nightmare. But what is the real risk?

  • 1. IoT security is a nightmare. But what is the real risk? Camp++ 0x7e0
  • 4. root@kali:~# whoami I’m NOT a CEH Creator of the Zombie Browser Toolkit https://github.com/Z6543/ZombieBrowserPack Creator of the HWFW Bypass tool – Idea later(?) implemented by nation state attackers in Duqu 2.0 https://github.com/MRGEffitas/hwfwbypass Creator of the Malware Analysis Sandbox Tester tool https://github.com/MRGEffitas/Sandbox_tester Invented the idea of encrypted exploit delivery via Diffie-Hellman key exchange, to bypass exploit detection appliances – Implemented by Angler and Nuclear exploit kit developers https://www.mrg-effitas.com/generic-bypass-of-next-gen-intrusion-threat-breach-detection-systems/
  • 5. How did I get into this? I bought an IP camera Found multiple high severity issues Notified manufacturer, published blogpost After one year, no patch available The question is: • Now what? I wanted to solve this generic issue
  • 6. Examples of terrible home IoT devices – IP Camera – Router – Baby monitor – Smart home – Automated NAS ransomware – Car hacked
  • 8. Assumptions For the next ~5-10 years, assume – Your IoT device has horrible security holes – It won’t receive any patches, ever For the sake of this presentation, I assumed: • The IoT device is not intentionally malicious • Is not preloaded with malware I know, I am an optimistic guy ¯_(ツ)_/¯
  • 10. I am safe, I changed all IoT passwords
  • 11. I am safe, I changed all IoT passwords Vulnerabilities bypassing password protection • Memory corruption issues (BoF, Format string, …) • CSRF (later) • Backdoor accounts • Lack of brute-force protection • …
  • 12. I am safe, I regularly patch all of my IoT devices
  • 13. I am safe, I regularly patch all of my IoT devices Patches are late by years Most IoT devices do not get a patch, EVER
  • 14. Problems with direct IPv4 connection If your IoT device has an Internet routable IPv4 address, without any firewall port filtering Just prepare for apocalypse Seriously, don’t do that CCTV is OCTV today
  • 15. The IoT device is only available in a closed network
  • 16. The IoT device is only available in a closed network (•_•) <) )╯What / (•_•) ( (> The / (•_•) <) )> fuck were you thinking??? /
  • 17. The device is only exposed in my area Physically nearby to open WiFi
  • 18. The device is only exposed in my area Physically nearby to open WiFi
  • 19. The device is only exposed in my area Smart rifle hacking – open WiFi Full of FUD – but still, interesting research based on the devices you can expect to network connected
  • 20. I am safe, home network, behind NAT
  • 21. NAT is sneaky evil Due to NAT: • Users believe they are safe behind home router NAT • Developers created ways to connect devices behind NAT, seamlessly What could possibly go wrong? https://youtu.be/v26BAlfWBm8 But, but NATs are good …
  • 22. I am safe, home network, behind NAT Think again – UPNP – IPv6 – Teredo – Cloud
  • 23. UPNP
  • 24. IPv6
  • 25. IPv6 Market for private IPv6 Timespan for private IPv6 addresses: ~1 day ICMP means every device is reachable • network stack hack possible Predictable IPv6 addresses (mostly enterprise) • ::0, ::1, ::2, ::service_port, ::IPv4, ::1000-::2000, ::100-::200, ::1.0-::1-2000, ::b00b:babe Reverse DNS enumeration (mostly enterprise)- dnsrevenum6 Zone transfer … AXFR … (mostly enterprise) DNSSEC chain walk (mostly enterprise) DNS brute force (mostly enterprise) – dnsdict6 Recommended: • Marc van Hauser: IPv6 insecurity revolutions • THC IPv6
  • 27. Teredo NAT hole IPv4 IPv6 Teredo client Teredo relay 1. 2. 3. 4. Teredo server IPv6 peer 1ce:c01d:bee2:15:a5:900d:a5:11feFirewall 5. 2001:0000:53aa:064c:0055:6bbf:a67b:7887
  • 28. Teredo in practice According to a study by Arbor Networks, the 2008 adoption of IPv6 by µTorrent caused a 15-fold increase in IPv6 traffic across the Internet over a ten-month period.
  • 30. IP camera cloud hack This research is work in progress – Lot of stuff to fine-tune, research The camera has an Android app The app can connect to the IP camera even when it is behind NAT, no port forward But how???
  • 35. I am safe, none of these apply, my home network is Sup3rFirewalled
  • 36. I am safe, none of these apply, my home network is Sup3rFirewalled
  • 37. uBlock demo uBlock is like Adblock, just better I use two browsers, one for Internet access And the other, only use to access internal network
  • 38. I am safe, I changed the network range from default (192.168.0.0/24)
  • 39. I am safe, I changed the network range from default (192.168.0.0/24) WebRTC (Web Real-Time Communication) is an API definition … that supports browser-to-browser applications for voice calling, video calling, and P2P file sharing … WebRTC + STUN Natively supported in • Chrome (2012) • Firefox (2013) • Opera 18 (2013) • Edge 21 (2015) • Blackberry Not in Safari, mobile Chrome, IE
  • 42. Same-Origin Policy (SOP) “a web browser permits scripts contained in a first web page to access data in a second web page, but only if both web pages have the same origin” Port, protocol and host has to be the same Goal • an ad on webmail won’t be able to access the e- mails
  • 43. DNS rebind attack It is (was) possible to bypass browser same origin policy One public and one private IP address for a domain • Use the public IP in first request, deliver malicious script • Use the private IP later, malicious script can access private IP, and leak data Cat and mouse game started in 1996 https://www.usenix.org/conference/usenixsecurity13 /technical-sessions/presentation/johns
  • 44. Filet – o – firewall https://github.com/filetofirewall/fof/
  • 45. Attackers and motives Script-kiddies: for fun, point-and-click tool, annoy, prank or extort ordinary people. Political activists: Not important, unless operated by government Organized criminals: for profit. Physical presence or no physical presence. NAS ransomware attacks. Smart homes hacked by burglers, internet connected IP-cameras hijacked before burglary, smart-cars stolen via unsecured WiFi, etc. Nation-state attackers: “collect everything”. domestic or foreign surveillance, track and profile people, direct surveillance (audio, video). Bonus - Advertisment industry: smart devices will be sold either exclusively, or at a cheaper price, profit for advertisers, more targeted ads to the people
  • 46. IoT development guideline in a Utopia Secure by design Tested for security Patch released if security issues are found
  • 47. Current IoT development guideline in reality Secure by design Tested for security Patch released if security issues are found Cheap Be the first on the market Linux (Busybox ?) embedded Webserver or VNC embedded
  • 50. Lessons learned for home users Disconnect power cord/remove batteries if IoT is not needed 7*24 Patch (if possible) Change passwords to complex, non-reused passwords Disable direct inbound connections (check router) Disable UPnP (check router) Filter IPv6 (inbound default deny a’la NAT) Disable Teredo Monitor for tunneling protocols Prevent CSRF from browser (see uBlock slide) Scan your home network for new devices (LAN, Bluetooth, new AP, Zigbee, IrDA, FM) Dedicated network for IoT devices (use old Wi-Fi router) Separate your guests from your IoT network Disable WebRTC in browser (Chrome: WebRTC Network Limiter) Disable cloud connection (on device and/or router/firewall) Prevent DNS rebind attack – see next slide
  • 51. Moar tips for home users Private IP addresses can be filtered out of DNS responses. – External public DNS servers with this filtering e.g. OpenDNS – Local sysadmins can configure the organization's local nameservers to block the resolution of external names into internal IP addresses. – DNS filtering in a firewall or daemon e.g. dnswall Firefox NoScript ABE feature
  • 52. “Smart devices will make our life easier” Maybe in ~2100, but until then, it will make our life a nightmare
  • 53. My best advice: don’t buy IoT devices ;)
  • 54. Lessons learned for IoT vendors SDLC Continuous security testing and bug bounties Seamless auto-update Opt-in cloud
  • 55. Lessons learned for goverments Follow Federal Trade Comission FTC – fine vendors who put users at risk to maximize profit https://www.ftc.gov/news-events/press- releases/2016/02/asus-settles-ftc-charges- insecure-home-routers-cloud-services-put
  • 56. References, interesting links Best IoT Talk ever! 115 batshit stupid things you can put on the internet in as fast as I can go by Dan Tentler https://www.youtube.com/watch?v=hMtu7vV_HmY https://github.com/mandatoryprogrammer/sonar.js/tree/master https://www.youtube.com/watch?v=34GtH4tghjA https://jumpespjump.blogspot.com/2015/08/how-to-secure-your-home- against.html https://jumpespjump.blogspot.com/2015/09/how-i-hacked-my-ip-camera-and- found.html http://www.theverge.com/circuitbreaker/2016/7/12/12159766/internet-of- things-iot-internet-of-shit-twitter
  • 58. Hack the planet! One computer at a time … zoltan.balazs@mrg-effitas.com https://hu.linkedin.com/in/zbalazs Twitter – @zh4ck www.slideshare.net/bz98 Greetz to @CrySySLab, @SpamAndHex Thx to Attila Bartfai for the conversation starter JumpESPJump.blogspot.com