
Let's Hack a House

  1. Let’s hack a house. Tony Gambacorta, tony@synack.com
  2. I’m supposed to scare you.
  3. Distance ratio: physical access, same WiFi, darkest Peru. One-to-one versus one-to-many.
  4. When is a WebCam not a WebCam?
  5. Coffee Cup Ambush
  6. WebCam. A consumer sees… compliance, security, peace of mind.
  7. WebCam. A geek sees… a Linux server, network access, a microphone, a camera.
  8. WebCam. A bad actor sees… the ability to inject data, eyes and ears inside, an attack platform.
  9. Variations on a theme… Let’s hack some stuff!
  10. Pro Tip: You’ll probably break something your first time. Plan accordingly.
  11. UART
  12. This adapter just lets my laptop’s USB talk to other devices.
  13. “I’ll do all this stuff when I’m booting up.”
  14. Coffee Cup Ambush
  15. Eyes and ears inside: see who comes and goes; listen to conversations. Ability to inject data: edit live video; delete video. Attack platform: scan internal networks; distribute malware; APT toe-hold.
  16. Bedtime Reading. Key takeaway: Everything is just parts connected to other parts.
  17. Distance ratio: target-centric (1:1 ratio, physical access) versus vulnerability-centric (1:many ratio, remote access).
  18. Forget Alice. Any Brady will do.
  19. Enumerate the widgets.
  20. That’s funny… Your URL: https://FG-59301.iotco.com. S/N = XX-00000. 26 * 26 * 10 * 10 * 10 * 10 * 10 = 67.6 million possibilities.
  21. That’s funny… 67.6 million possibilities, 3,380,000 active hosts.
  22. Common passwords (123456, password, 12345, 12345678, qwerty, 123456789): Nope. Nope. Nope. Nope. Nope. Nope. Nope. Nope. Nope. We’re in! Nope. Nope. Nope. Nope. Nope. We’re in! Nope. Nope. Nope. Nope. LOCKED. Average success rate: 3-5%. Think sideways.
  23. That’s (not so) funny… 3,380,000 active hosts at a 1% success rate is 33,800 compromised devices.
  24. The one-offs are enough to make the news.
  25. Bedtime Reading. Key takeaway: Statistically, if I know who your users are, you’re gonna have a bad time.
  26. So what? We’ve seen all of these attacks before, at scale. Learn from the lessons of fraud. Every once in a while, get your hands dirty.
  27. Thanks!
