We procured 14 of the leading connected home IoT devices and tore them down, all the way from software to hardware and compared their relative security. This talk will demonstrate techniques useful for assessing any IoT device, while showing how they were applied across a wide range of devices.
twitter @raka_baraka Vladimir graduated from Ural State Technical University with a degree in information security of telecommunication systems. He started his career as a security engineer at Russian Federal Space Agency. His research interests are pentesting, ICS, security audits, security of different unusual things (like smart toys, TVs, smart city infrastructure) and threat intelligence. Vladimir is a part of Critical Infrastructure Defense Team (CID-Team) and Kaspersky Lab ICS CERT in Kaspersky Lab
Aaron Guzman, Principal Penetration Tester
I will be demonstrating a PoC which determines the local IP address and searches for the vulnerable device.
Some fun remotely operated analysis tools:
This topic covers researches made by Critical Infrastructure Defense Team, Kaspersky Lab regarding vast variety of different serious vulnerabilities in popular wanna-be-smart industrial control systems. We found 80+ 0day vulnerabilities and reported to vendors. Some of them are patched already (CVE-2016-5743, CVE-2016-5744, CVE-2016-5874). However, for most of the bugs it potentially takes more time to fix.
This talk will give a broad look at IoT security using connected baby monitors as a case study. By comparing products on the market, discussing new vulnerabilities never previously released, and showing how the research was conducted, this talk will provide an exciting look into IoT security research for those who are technologists, hackers, software engineers, or even those just concerned with safety and privacy of children.
The notion of secure by design or privacy by design for IoT devices has been a perspective for standard organizations. Legislative entities from both the US and EU recognize the impact these things can effect lives and the enterprise. To better understand a secure design, we will explore the supply chain and development lifecycle of these IoT devices and discuss how our roles as security professionals and researchers.
A handout will be given as a tangible reference for the 10 attack surface areas.
My name is Lyon Yang and I am an IoT hacker. I live in sunny Singapore where IoT is rapidly being deployed in production. This walkthrough will aim to shed light on the subject of IoT, from finding vulnerabilities in IoT devices to getting shiny hash prompts.
Without the resources internally to find major vulns, we were able to identify a critical vuln from a researcher on the bug bounty that had the ability to greatly affect all customers homes. It was patched within 24-hours. That is a perfect example of why this program is critical to the security and privacy of consumers and why every IoT manufacturer should follow this program. There were multiple other vulns discovered with the program that also make the same point.
Ever wondered how people get shells via hooking up to chips or pins on a board? Or how to dump the firmware off a device you own at home? How chips that send those bits, bytes, and nibbles flying across traces on a board can be analyzed for profit? The Pwning IoT Devices via Hardware Attacks workshop is focused on a hands-on learning experience, of how people use hardware attacks to get initial access IoT Devices for security research. This workshop is designed for people new to hardware hacking, looking to have fun exploiting the Internet of (broken) Things. So come on out if youre looking to join the embedded system & IoT exploitation party!
The workshop will start with a brief presentation covering our research to date with Fitbits Aria scales; what weve found, what weve learned, where weve got stuck, and what weve guessed at. We will discuss a few vulnerabilities that we have discovered and help get you started on finding some more. Once weve set the scene the workshop can begin. This is really a 101 on logic probing and hardware analysis, so well share some basic techniques for logic probing; UART, SPI, Flash etc.
More and more devices are communicating with each other and are becoming connected to IP networks, sometimes even directly to the Internet. This innovation should improve our quality of life and make our every day life easier, but this trend does not only bring advantages; it also introduces a lot of new challenges and threats. These challenges arise with every new product development in the area of Internet of Things. Especially products in the area of home automation and smart homes are getting increasingly popular and therefore consumers become an interesting target group for attackers. Todays home automation systems are also following the global trend and move from wired bus systems to wireless radio communication. To face these arising challenges, new protocols and standards beside the world of TCP/IP were created and are currently being developed. However, it is not just the security of the standards and protocols themselves that are important, but its also the correct implementation and integration into products that is a challenge for every single vendor.
The PoC described in 3 is still 0-day in official firmware, the latest RC firmware, and possibly in the latest beta firmware.
Aaron Guzman is a Security Consultant from the Los Angeles area with expertise in web app security, mobile app security, and embedded security. He has spoken at a number of conferences worldwide which include Defcon, AppSec EU, AppSec USA, HackFest, Security Fest, HackMiami, AusCERT as well as a number of BSides events. Aaron leads the OWASP Embedded Application Security project; providing practical guidance to address the most common firmware security bugs to the embedded and IoT community. Follow Aarons latest research on twitter at @scriptingxss
This presentation will discuss research performed against nine IoT baby monitors on the market. Details of research methodologies and vulnerability findings will be presented to give attendees insight into what security flaws were found within the intricate combination of mobile applications, protocols, services, and hardware running these devices. A custom scoring system will be used to provide an apples-to-apples view of how each device faired in holistic security versus the other devices.
Follow both ISE(@ISEsecurity)and IoT Village(@IoTvillage)on Twitter for updates on talks, contests, and giveaways.
Elvis Collado, Praetorian, Senior Security Researcher
Bugs are good, but what can be better? Yes, backdoors! Lets take a closer look on the backdoor techniques found in one interesting vendor: they do some stuff for industrial IoT and for general IT technologies (banking, telecommunication providers, crypto solutions etc). The backdoor is not the whole story we will show how this vendor reacts and fixes critical bugs (SPOILER: silently fixes bug, no CVE assigned, no advisory published, sometimes impossible to patch, 7 month since the report). The most interesting thing is that this technique requires only legitimate software widely used everywhere.
Today, most vehicle manufacturers in the US connect their vehicles to a type of network and delegate controls to mobile or web applications upon vehicle purchasing. Thankfully, security research for consumer devices are now exempt from DMCA which enables us to audit and assess our connected vehicles. Like many devices in the IoT space, a single software bug in connected vehicles can compromise the entire ecosystem.
Sergey is an active member of Critical Infrastructure Defense Team (CID-Team) and KL ICS CERT in Kaspersky Lab. His research interests are fuzzing, binary exploitation, penetration testing and reverse engineering. He started his career as malware analyst in Kaspersky Lab. Sergey has OSCP certification.
6. Takeaways: Recommendations to prevent these attacks from happening again
Security of Wireless Home Automation Systems – A World Beside TCP/IP
In this talk, we will demonstrate the methodology used to discover and remotely exploit vulnerabilities in Subarus STARLINK remote vehicle services, as well as discuss how car manufacturers can learn from these mistakes. After all, who needs car keys when your vehicle is connected?
1. The internals of this type of devices (Architecture, PCB components, ENEA RTOS details)
Each product I tested had 0-day flaws
Ripping and analysing the firmware from a Tizen-running smart fridges BGA chip, what did we find?
Jeff Kitson, Trustwave SpiderLabs, Security Researcher
Daniel Miessler is Practice Principal with HP Fortify based out of San Francisco, California with a 15-year background in penetration testing and vulnerability assessment. He leads the Fortify on Demand security research team, and is a project leader on the OWASP IoT and OWASP Mobile Top Ten projects.
Using small or almost non-existent budgets as an excuse for not running application and product security programs is not acceptable. The rapid growth of low margin IoT devices from startups changed the way security teams have to operate. Instead, learned to leverage external researchers by incentivising them with free products, thanking and embracing researchers for their help, and promising transparency into our direction and enhancements, with the goal of secure consumer devices for everyone.
It is easy to find poorly designed devices with poor security, but how do the market leading devices stack up? Are they more secure than a Linux-powered rifle? This presentation documents our effort to assess the state of security of top selling Internet of Things Devices.
New generation Set Top Boxes (Satellite receivers) are embedded linux boxes joining the IoT for many reasons mainly for IPTV and cardsharping for pay tv channel decryption. We will talk about design flaws, protocols used and different modules and plugins for cardsharing and iptv We will focus on the technical part of reverse engineering protocols, cardsharing plugins and satellite receiver software identifying both vulnerabilities on the Satellite receiver box and remote IPTV service vulnerabilities that are accessible by the DVB receiver
Where am I? (find and connect to an open network, use google wifi geolocation API to tell a remote server where the device has been: just uses an imp and a 9v battery)
Attend for stories of device rooting, SSL interception, firmware unpacking, mobile app vulnerabilities and more. Stay to find out why your favorite new gadget might just be a backdoor into your home. If you own (or are considering buying) one of the following devices, come and find out how secure it actually is!
What Do You Mean, Patch? A Shared Vision of IoT Security Updates
DEF CON 23 2015= Workshops & Presentations =
Medical Device Security Considerations: Case Study
***Props to Fitbit who are providing a number of Aria scales to work on***
Aaron is a Pen Tester for Belkin in his day job, but is also a Board member for the Open Web Application Security Project (OWASP) Los Angeles chapter, Cloud Security Alliance Socal chapter and the President for the High Technology Crime Investigation Association of Southern California(HTCIA SoCal). Aaron evangelizes application security by leading open source projects, participating in standard organizations and giving talks at conferences.
His previous work in the financial services IT world has prepared him well for customer-facing roles, and communicating complex issues to both management and developers alike. This has also given him a good grounding in working with enterprise IT systems and general sysadmin work. Since joining Pen Test Partners, Andrew has been expanding outwards into new and unfamiliar areas. He soon hopes to become a CREST Certified consultant and wants to develop his skills in infrastructure testing.
uart sniffer (connect to and dump UART traffic)
modbus sniffer (connect to and dump MODBUS RTU traffic)
Unexpected IoTSolar Panels Compromise
The Connected World Has Been Disconnected: Survival Guide in IoThreats Era
From DVR worms, to fridges, via dildos, the sins of the IoT in 50 minutes
For this reason, this keynote advocates for why we as security researchers should reframe our relationships with vendors from what is sometimes an adversarial one to a collaborative one. To achieve a better security posture in this industry, this talk offers strategies and tactics for how to improve our methods of working with vendors.
Damien Cauquil, Digital Security (CERT-UBIK), Senior Security Researcher
4. How to Backdoor the pump by gaining code execution
IoT – the gift that keeps on giving
Smart home technology has been a dream for many perhaps inspired by the likes of George Jetson. Unfortunately the technology is in its infancy still and the question remains as to whether vendors can demonstrate the ability to make our homes smarter without simultaneously introducing new risks to personal safety and privacy. In an effort to answer this question, Tripwire VERT conducted a security assessment of the three top-selling Smart Home Hub products available on Amazon. The research revealed 0-day flaws in each product allowing an attacker to control smart home functionality. This presentation will reveal some of the findings from this study including vulnerability discoveries. If not addressed, smart home flaws can give rise to a new type of smart criminal able to case victims without being seen. Once a target is chosen, it is possible to unlock doors and disable security monitoring.
Brian Knopf has 20 years of experience in IT, dev, QA/QE, & security. He has led QA, automation, security, and development teams for companies including Belkin, Linksys, Rapid7, MySpace, , eUniverse, and VeriTest. Currently Brian is the Principal Security Advisor & Researcher at Wink Inc. There he is responsible for SDL, PSIRT, security research, pentesting, training, bug bounty and researcher programs, and threat modeling for Wink products and partner integrations.
IoT Village Keynote – Friends, Not Foes: Rethinking the Researcher-Vendor Relationship
Inside the IV Pump, not too much medication por favor!
Dan Regalado is a Principal Security Researcher with Zingbox (IoT Security Company) and former FireEye and Symantec reverse engineer. Daniel is the lead author of famous Gray Hat Hacking Book 4th Edition and known in the security world as the ATM guy responsible for the latest discoveries of these type of threats worldwide.
Mirai was elegantly simple; using default telnet credentials to compromise large numbers of devices. However, in the quest for simplicity, the author missed numerous more significant vulnerabilities. We have spent the last few months researching the security of
This talk gives practical and tangible guidance that will help attendees the very next time theyre asked to assess an IoT system.
Tobias works as Senior IS Auditor at Cognosec in Vienna. He conducts information systems audits in order to assess compliance to relevant internal and external requirements. Furthermore, Tobias evaluates and assures security of IT by performing webapplication and web service penetration tests, source code analysis as well as network and infrastructure penetration tests. He has a BSc in Computer and Media Security, a MSc in IT Security and a MSc in Information Systems Management.
bacnet sniffer (connect to and dump building area control networks)
Ransomware, Drones, Smart TVs, Bots: Protecting Consumers in the Age of IoT
Terrell McSweeny, Federal Trade Commission, Commissioner
Two of the three products evaluated contained 0-day flaws allowing a remote attacker to gain root access with limited to no user-interaction required.
The OWASP Top 10 Project starts the IoT security scope conversation by defining the 10 primary attack surface areas for the Internet of Things, and by giving prescriptive guidance on how testers, manufacturers, developers, and consumers can make better security decisions, when creating, evaluating, and implementing IoT technologies.
We did the investment and bought an IV Pump Unit and IV Pump module made by Bectron since it is one of the leaders in the market and therefore expected to be used in the major Hospitals worldwide!
a. Inside into the pump: Processes running, configuration files, etc.
The Infusion Pumps Market is expected to be worth $10.84 Billion USD by 2021 per Market and Markets forecast. The Infusion Pump is a costly and sensitive medical device used to deliver fluids, medications, blood and blood products to adult, pediatric or neonatal patients in a manual or automated way, yes, automated way, any malfunction either intended or unexpected could severely harm humans.
Alex is the Chief Security Researcher and Spokesperson for Bitdefender. His career is focused on Information Security, Innovation and Product Strategy, fields in which he has so far accumulated over 15 years of experience. He drove the vision for Bitdefenders UNIX-based security solutions before kickstarting an ambitious project that would advance the companys R&D department and steer a good part of the companys focus towards technology and innovation
This talk will walk through the creation of two successful application and product security teams built in organizations without many resources or large budgets. Those programs included regular threat modeling, bug bounty programs, proactive engagement with researchers, security analytics monitoring, and vuln research. Even with the budgetary and staffing constraints, the teams were able to deliver increasingly more secure products that continue to push the boundaries of consumer device security in a market where consumers refuse to pay more for the cost of securing them. This discussion is not about the companies themselves, but instead as a model any startup company can adopt to deliver solid products, rather than using excuses to defer action.
Samsung Smart Refrigerator (model RF28HMELBSR)
30 DVR brands and have made discoveries that make the Mirai telnet issue seem almost trivial by comparison. We discovered multiple vulnerabilities which we will share, including wormable remote code execution. We may also disclose a route to fix Mirai-compromised DVRs remotely. However, this method has the side effect of being usable by malicious actors to make Mirai persistent beyond a power off reboot. Further, we will show HOW and WHY we believe XiongMai is at the root cause of these issues, regardless of the DVR brand. Finally, well show examples of DVRs using the same base chipset as those vulnerable to Mirai, but doing security well.
Andrew Tierney, Security Consultant, Pen Test Partners Andrew has many years of experience in security, mainly working with embedded systems. As the Internet of Things trend developed, he expanded his skills into the realms of web applications and mobile applications. Blogging and documenting his findings rapidly gained him exposure, and a number of high-profile UK companies approached him to test their devices and systems.
Our journey starts with a holistic view of IoT security, the issues faced by IoT devices and the common mistakes made by IoT developers. Things will then get technical as we progress into a both ARM and MIPS exploitation, followed by a hack-along-with-us workshop where you will be exploiting a commonly found IoT daemon. If you are new to IoT or a seasoned professional you will likely learn something new in this workshop.
We will be bringing a number of sacrificial Fitbit Aria scales for you to work on yourselves, plus several sets of logic probes with us for you to use, with guidance from us if youd like it. If you would like to borrow our probes for the session, please make sure you have installed Logic from Saleae, or use your favorite logic analyzer. If youre bringing your own Fitbit Aria scales we advise that you check they are at firmware version 36 or below.
Hide Yo Keys, Hide Yo Car – Remotely Exploiting Connected Vehicle APIs and Apps
Attendees will learn about the 10 surface areas from the penetration testing perspective, including the common vulnerabilities found in each surface area and how to avoid them. Examples will be given from research on real-world devices conducted by the speakers team.
Organized by security consulting and research firm Independent Security Evaluators(ISE), IoT Village delivers advocacy for and expertise on security advancements in Internet of Things devices. IoT Village hosts talks by expert security researchers who dissect real-world exploits and vulnerabilities and hacking contests consisting of off-the-shelf IoT devices.
Wesley Wineberg is a Senior Security Research Engineer at Synack. Prior to Synack, Wes spent six years testing the security of SCADA, Smart Grid, Medical, and other critical infrastructure technologies. Wes enjoys black box analysis, pen testing, software, firmware and hardware reverse engineering.
Currently, all known IoT botnets harvest zombies through telnet with hardcoded or weak credentials. Once this bubble bursts, the next step will be exploiting other, more evolved vulnerabilities that can provide control over a large number of devices. In this talk, well take a glimpse into that future showing our research on a RCE vulnerability that affects more than 175k devices worldwide
Securing the Internet of Things is a difficult task for many reasons, but the most important may be the fact that IoT is actually a collection of spaces instead of a space of its own. IoT is made up of networks, web applications, mobile applications, and cloud components–all assembled together to produce a usable system designed for maximum connectivity. What could go right?
From a manufacturing perspective, I see things a little differently than most. I would like to enlighten others on the real SDLC processes that happen in house and external.
Ken and his team at Pen Test Partners have hacked everything from keyless cars and a range of IoT devices, from wearable tech to childrens toys and smart home control systems. This has gained him notoriety among the national press, leading to regular appearances on BBC TV and BBC News online as well as the broadsheet press. Hes also a regular contributor to industry magazines, penning articles for the legal, security, insurance, oil and gas, and manufacturing press.
Also featuring IR capture/replay well also bring along the
Turn the scales in to a network implant
Dave and Ken have enjoyed a good few years in security, probably more than 40 years between them. They work at Pen Test Partners in England and spend plenty of research time picking holes in things, finding flaws, and disclosing them responsibly. Twitter:
While we have published the high level findings from assessing these devices, this talk will include full technical details on how to attack each of these devices, and full tech details on any of the vulns which we found. Those details have not yet been released, and will be of interest to anyone who owns or wants to hack any of these devices.
Modify the startup display on the Aria LCD (hack me fat!)
Everyones talking about IoT, but nobodys talking about how to properly address IoT security as a whole, in a practical and tangible way.
Craig is a computer security researcher with Tripwires Vulnerability and Exposures Research Team (VERT). He has identified and disclosed dozens of vulnerabilities in products from Google, Amazon, IBM, NETGEAR, Adobe, HP, and others. His research has resulted in numerous CVEs and recognition in the Google Application Security Hall of Fame. Craig won in track 0 and track 1 of the first ever SOHOpelessly Broken contest at DEF CON 22 by demonstrating 10 0-day flaws in SOHO wireless routers.
The research on this talk is intended to show the audience:
The best thing about this talk is that it covers a large number of devices, all devices which are among the industry leaders for their category.
Ken Munro, Partner, Security Consultant, Pen Test Partners Ken is a regular speaker at the ISSA Dragons Den, (ISC)2 Chapter events and CREST events, where he sits on the board. Hes also an Executive Member of the Internet of Things Security Forum and spoke out on IoT security design flaws at the forums inaugural event. Hes also not averse to getting deeply techie either, regularly participating in hacking challenges and demos at Black Hat, 44CON, DefCon and Bsides amongst others.
Samsung LED Smart TV (model UN32J5205AFXZA)
Disclosing vulnerabilities to a vendor, especially one that doesnt seem to prioritize security the same way we do, can be a source of pain. We may even find ourselves viewing the product vendor as an enemy during this process. But we are faced with a future in which people will interact with connected devices whether they intend to do so or not. Imagine worrying about the security of a connected smart showerhead in your hotel room. Silly, isnt it? Yet such devices will be increasingly prevalent, and vulnerable.
Rick Ramgattie @RRamgattie is a Security Analyst at Independent Security Evaluators (ISE), where he conducts high-end, custom security assessments of computer hardware, software products, and manages a team of security researchers. Growing up in the city of Bayamn, Puerto Rico, speaker Rick Ramgattie recognizes that it isnt all that easy to get into the information security community. In a self-taught manner he strived to learn what he could, before attending college in the mainland and then migrating to Baltimore. Now, as someone who appreciates the art of reverse engineering, he has taken part in hands-on security assessments of complex systems, IoT devices, and many different native and mobile applications. Rick enjoys reverse engineering, occasional CTFs, and reading.
3. Firmware update to bypass security checks and get access to restricted configuration
What started as a serious piece of research got hijacked by the press because it was a bit rude. The real story wasnt just that it could be compromised, but the work that went into reverse engineering it to find hidden services, reused code (from a camera drone), and the command injection which can be used to compromise the video stream.
IoT Villages contests are brought to you bySOHOpelessly Broken, the first-ever router hacking contest at DEF CON. The ISEresearchthat inspired the SOHOpelessly Broken™ contests delivered56 CVEsto the infosec community. Over the years at DEF CON, IoT Village has served as the platform to showcase and uncover 113 new vulnerabilities in connected devices.
Chase f47h3r Schultz is a Senior Security Consultant at Independent Security Evaluators. During his day job, Chase helps companies find and remediate vulnerabilities in their systems. At night, f47h3r dawns his Phantom of the IoT Opera mask, and pumps the dark organ of exploitation, resounding in the root shells he uncovers.
Mark Stanislav is a Sr. Security Consultant for Rapid7. He has presented at over 100 events internationally including RSA, DEF CON, ShmooCon, SOURCE Boston, Codegate, and THOTCON. Marks security research and initiatives have been featured by news outlets such as the Wall Street Journal, The Register, The Guardian, and Forbes. Mark is the co-founder of the IoT security initiative, BuildItSecure.ly. He is also the author of a book titled, Two-Factor Authentication, published by IT Governance.
Sofiane Talmat has more than 10 years experience performing security assessments and reverse engineering engagements, identifying vulnerabilities and developing exploits for IOActives clients. He has proven skills in design, implementation, enhancement, testing, maintenance, and support of myriad software instances; and can both test software as well as assist development teams with the implementation of software protection mechanisms.
Seabstian Strobl manages the delivery of Cognosec GmbHs auditing services. He has over 8 years practical experience in the areas of information security, IT governance, compliance, risk management, and information systems auditing. He is a certified professional in information systems, PCI DSS and application security auditing, and has a masters degree in Information Management and Computer Security. Prior to his role at Cognosec GmbH he was leading information systems audits for organisations in the online gaming and finance industry, providing a strong background in the online payment and gaming value chain, the underlying technology thereof, and industry specific regulations. He has an extreme depth of knowledge in security tools, technologies, and industry best practices, and is recognised for delivering top-level, value-adding IT audits. He is also responsible for the creation and deployment of innovative solutions to mitigate risks by protecting networks and application systems, safeguarding information assets and ensuring business continuity. He specialises in delivering effective assurance and consultancy services, focusing on application and web-security architecture, as well as the integration with payment processing value chains.
Want to help, get updates or just show your interest?
Cameras, Thermostats, and Home Automation Controllers – Hacking 14 IoT Devices
Pwning the Industrial IoT: RCEs and backdoors are around!