5/5/2018
Presents…
IoF
Internet of Fofoca (Internet of Gossip)
(Gossipy IoT devices)
@anchisesbr
@RSAFraud
@Garoahc
@BSidesSP
@CSAbr
Image: giphy
gossipy iot?
Gossipy IoT device: n. An IoT device that has unauthorized access to its user's personal data, enabling improper sharing and/or access by third parties.
Image: giphy
objective
• Popularization of the Internet of Things (IoT)
Image: xkcd
objective
• Security problems in the IoT world
Image: xkcd
focus
• Cases of misuse
• Sharing of personal data
Image: giphy
risk
• Privacy
Image: giphy
motivation
(Timeline chart: Time on the horizontal axis, INsecurity on the vertical axis; labels: Launch, Security standards, Popularization, Problems!!!, Patches)
Images: xkcd
Image: giphy
cases
“LIFX mesh network protocol was largely unencrypted”
https://thehackernews.com/2013/11/your-tv-now-watching-you-too-lg-smart.html
https://doctorbeet.blogspot.com.br/2013/11/lg-smart-tvs-logging-usb-filenames-and.html
Hidden option
https://thehackernews.com/2017/07/irobot-roomba-vacuums.html
Image: giphy
“CEO of iRobot has revealed that the robotic vacuum cleaner builds a map of your home while cleaning”
https://thehackernews.com/2017/10/smart-iot-device-hacking.html
Source: The Hacker News, Check Point
https://www.youtube.com/watch?v=BnAHfZWPaCs
https://www.theguardian.com/technology/2015/nov/26/hackers-can-hijack-wi-fi-hello-barbie-to-spy-on-your-children
“When connected to Wi-Fi the doll was vulnerable to hacking, allowing him easy access to the doll’s system information, account information, stored audio files and direct access to the microphone.”
https://thehackernews.com/2016/12/amazon-echo-murder.html
“The police said they were able to extract data from Echo, though it's uncertain what they were able to uncover and how useful that data would be in their investigation.”
Image: Amazon
“According to court records, Bates' smart water meter shows that his home ran 140 gallons of water between 1 AM and 3 AM the night Collins was found dead in Bates' hot tub. The prosecution claims that the water was used to wash away evidence after he killed Collins.”
https://thehackernews.com/2017/01/cartapping-connected-cars.html
“In 2014, satellite radio and telematics provider SiriusXM provided location information of a Toyota 4-Runner following a warrant by New York police (…). The warrant asked SiriusXM "to activate and monitor as a tracking device the SIRIUS XM Satellite Radio installed on the Target Vehicle" for ten days, and the company admitted to Forbes that it complied with the order.
(…) The company simply turned on the stolen vehicle recovery feature of its Connected Vehicle Services technology on the target vehicle, (…).”
Source: The Hacker News
“In 2007, OnStar was ordered to provide audio data from a Chevrolet Tahoe belonging to Gareth Wilson in Ohio.
An emergency button in Wilson's car was automatically pushed without his knowledge, which allowed an officer from the Office of the Fairfield County Sheriff to listen to the conversation about a possible drug deal (…).
After that, when the feds located and searched the car, they found marijuana. (…).”
Source: The Hacker News
Samsung F8000 (Weeping Angel)
https://www.youtube.com/watch?v=P2_ZWKwM5Bw
“Alexa Are You Connected to the CIA?”
https://www.theguardian.com/world/2018/jan/28/fitness-tracking-app-gives-away-location-of-secret-us-army-bases
Image: Strava, The Guardian
And now?!
Privacy vs. Convenience
Image: giphy
Basic precautions
Image: Facebook
Basic precautions
• Change the default passwords
• Disable Universal Plug-and-Play (UPnP)
• Review Remote Management restrictions
• Check for software updates
Source: The Hacker News
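The four precautions above can be checked mechanically against a device's settings. The following is an added example, not code from the original talk: it audits a constructed device configuration and reports which of the four precautions each device fails. The DeviceConfig fields, the list of factory credentials and the sample inventory are all assumptions made for illustration; a real audit would read these values from the device's admin interface or the router's device inventory.

```python
"""Audit IoT device settings against four basic precautions:
default passwords, UPnP, remote management exposure and firmware updates.

Added example, not part of the original talk. The configuration format,
the default-credential list and the sample devices are constructed.
"""
from dataclasses import dataclass

# Constructed list of factory credentials often shipped on consumer devices.
# Illustrative only; a real audit would use a maintained list.
DEFAULT_CREDENTIALS = {
    ("admin", "admin"),
    ("admin", "password"),
    ("admin", "1234"),
    ("root", "root"),
    ("user", "user"),
}


@dataclass
class DeviceConfig:
    name: str
    username: str
    password: str
    upnp_enabled: bool
    remote_admin_wan: bool   # management interface reachable from the Internet
    firmware_version: str    # installed release, dotted numeric string (e.g. "2.1.4")
    latest_firmware: str     # vendor's current release, same format


def _version_tuple(version: str) -> tuple:
    """Turn "2.1.4" into (2, 1, 4) so releases compare numerically, not as text."""
    return tuple(int(part) for part in version.split("."))


def audit_device(cfg: DeviceConfig) -> list:
    """Return the list of failed precautions for one device (empty when it passes)."""
    findings = []
    if (cfg.username, cfg.password) in DEFAULT_CREDENTIALS:
        findings.append("default credentials still in use: change the password")
    if cfg.upnp_enabled:
        findings.append("UPnP enabled: devices can open ports to the Internet by themselves")
    if cfg.remote_admin_wan:
        findings.append("remote management reachable from the WAN: restrict it to the LAN or a VPN")
    if _version_tuple(cfg.firmware_version) < _version_tuple(cfg.latest_firmware):
        findings.append(
            f"firmware {cfg.firmware_version} is behind vendor release {cfg.latest_firmware}: update"
        )
    return findings


def audit_inventory(devices) -> dict:
    """Map each device name to its findings."""
    return {d.name: audit_device(d) for d in devices}


# Constructed sample inventory: one device as shipped, one after hardening.
SAMPLE_DEVICES = [
    DeviceConfig("living-room-camera", "admin", "admin", True, True, "1.0.2", "1.4.0"),
    DeviceConfig("hallway-bulb", "owner", "correct-horse-battery-staple", False, False, "2.3.0", "2.3.0"),
]


if __name__ == "__main__":
    for name, findings in audit_inventory(SAMPLE_DEVICES).items():
        print(f"{name}: {'OK' if not findings else str(len(findings)) + ' issue(s)'}")
        for finding in findings:
            print(f"  - {finding}")
```

Running the script prints four findings for the camera as shipped and none for the hardened bulb; the version comparison is done on numeric tuples so that "1.10.0" is correctly treated as newer than "1.9.0".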
Online scan
http://iotscanner.bullguard.com
To learn more...
Article - News about IoT threats
https://anchisesbr.blogspot.com/2018/02/seguranca-noticias-sobre-ameacas-em-iot.html
Article - Spy IoT
https://anchisesbr.blogspot.com.br/2017/03/seguranca-iot-espiao.html
"Security Guidance for Early Adopters of the IoT"
https://cloudsecurityalliance.org/download/new-security-guidance-for-early-adopters-of-the-iot/
"Future-proofing the Connected World: 13 Steps to Developing Secure IoT Products"
https://cloudsecurityalliance.org/download/future-proofing-the-connected-world/
@Internet of Shit
https://twitter.com/internetofshit
Thank you
garoa.net.br
@anchisesbr
@garoahc
Join us!
http://sp15.securitybsides.com.br
May 19 and 20, 2018

IoT Fofoqueiro (Gossipy IoT)

Editor's Notes

  • #2 License: http://creativecommons.org/licenses/by-sa/3.0/
  • #3 License: http://creativecommons.org/licenses/by-sa/3.0/ IoT Fofoqueiro (Gossipy IoT): Our IoT devices can't keep a secret! In this talk we review several recent cases of Internet of Things devices that, deliberately or not, revealed their users' personal data. The Internet of Things (IoT) is increasingly present in our daily lives, in personal devices, wearable computing, home automation, smart cars and much more. As they proliferate, cases of personal data exposure grow as well. In this presentation we review some interesting cases of IoT devices that did not take proper care with privacy.
  • #4 Pic source: https://giphy.com/gifs/iot-V5DdDPEPCd4wo
  • #5 Pic source: https://giphy.com/gifs/yevbel-1AIhcW1oFvt3TsG2kp
  • #6 Pic source: https://xkcd.com/1912/
  • #7 Pic source: https://xkcd.com/1966/
  • #8 Pic source: https://giphy.com/gifs/seal-mJJczeZNee3uw
  • #10 Pic sources: https://xkcd.com/54/ https://xkcd.com/987/ https://xkcd.com/1989/ https://xkcd.com/927/ http://mitadmissions.org/blogs/entry/what-if-randall-munroe
  • #11 https://giphy.com/gifs/alcrego-loop-eternal-yoJC2jbP1b6zgZ63zq
  • #12 https://www.forbes.com/sites/leoking/2014/07/09/smart-home-these-connected-led-light-bulbs-could-leak-your-wi-fi-password/#2a6554c934d0
  • #13 Context Information Security found that the LIFX mesh network protocol was largely unencrypted, allowing it to "easily dissect the protocol, crop messages to control the light bulbs and replay arbitrary packet payloads". By monitoring packets from the mesh network when adding new bulbs, it was able to identify those which contained Wi-Fi network credentials: when any new bulbs are added, messages are transmitted from the master bulb containing Wi-Fi details. PIC: https://www.lifx.com
  • #14 Your TV now watching you too! LG Smart TV caught collecting owners' Habits and USB file names https://thehackernews.com/2013/11/your-tv-now-watching-you-too-lg-smart.html https://doctorbeet.blogspot.com.br/2013/11/lg-smart-tvs-logging-usb-filenames-and.html A UK blogger, developer and Linux enthusiast, known only as DoctorBeet has discovered that LG's smart TVs are sending personal information back to the company's servers about what channels you watch and viewing habits. Actually, LG conducts the data collection for its Smart Ad function, which advertisers can use to see when it is best to target their products at the most suitable audience.
  • #16 Smart Vacuum Cleaners Making Map Of Your Home — And Wants to Sell It https://thehackernews.com/2017/07/irobot-roomba-vacuums.html
  • #17 https://giphy.com/gifs/roomba-floof-floofin-hmGQKkNaUIgHS During an interview with Reuters, the CEO of iRobot, the company which manufactured Roomba device, has revealed that the robotic vacuum cleaner also builds a map of your home while cleaning — and is now planning to sell this data to third-party companies.
  • #18 Hackers Could Turn LG Smart Appliances Into Remote-Controlled Spy Robot https://thehackernews.com/2017/10/smart-iot-device-hacking.html Check Point researchers discovered a security vulnerability in LG SmartThinQ smart home devices that allowed them to hijack internet-connected devices like refrigerators, ovens, dishwashers, air conditioners, dryers, and washing machines manufactured by LG. Hackers could even remotely take control of LG's Hom-Bot, a camera-equipped robotic vacuum cleaner, and access the live video feed to spy on anything in the device's vicinity.
  • #19 https://www.youtube.com/watch?v=BnAHfZWPaCs
  • #20 Hackers can hijack Wi-Fi Hello Barbie to spy on your children https://www.theguardian.com/technology/2015/nov/26/hackers-can-hijack-wi-fi-hello-barbie-to-spy-on-your-children Security researcher warns hackers could steal personal information and turn the microphone of the doll into a surveillance device It connects to the internet via Wi-Fi and has a microphone to record children and send that information off to third-parties for processing before responding with natural language responses. But US security researcher Matt Jakubowski discovered that when connected to Wi-Fi the doll was vulnerable to hacking, allowing him easy access to the doll’s system information, account information, stored audio files and direct access to the microphone.
  • #21 https://www.ebay.com/itm/Hello-Barbie-Doll-/322821871976
  • #22 Police Ask for Amazon Echo Data to Help Solve a Murder Case https://thehackernews.com/2016/12/amazon-echo-murder.html
  • #23 Collins died on November 21 last year while visiting the house of Bates, his friend from work, in Bentonville, Arkansas. The next morning, Collins' dead body was discovered in a hot tub, and Bates was charged with first-degree murder. As part of the investigation, authorities seized an Amazon Echo device belonging to Bates, among other internet-connected devices in his home, including a water meter, a Nest thermostat, and a Honeywell alarm system. However, due to its always-on feature, it's usual for the Echo to activate by mistake and grab snippets of audio that users may not have known was being recorded. The police said they were able to extract data from Echo, though it's uncertain what they were able to uncover and how useful that data would be in their investigation. Picture: https://www.amazon.co.uk/Amazon-Echo-2nd-Generation-Charcoal-Fabric/dp/B06Y5ZW72J
  • #25 Court Documents Reveal How Feds Spied On Connected Cars For 15 Years https://thehackernews.com/2017/01/cartapping-connected-cars.html
  • #26 https://thehackernews.com/2017/01/cartapping-connected-cars.html
  • #27 https://thehackernews.com/2017/01/cartapping-connected-cars.html
  • #28 WikiLeaks: The CIA is using popular TVs, smartphones and cars to spy on their owners https://www.washingtonpost.com/news/the-switch/wp/2017/03/07/why-the-cia-is-using-your-tvs-smartphones-and-cars-for-spying/
  • #29 http://www.wired.co.uk/article/cia-files-wikileaks-vault-7 https://www.nytimes.com/2017/03/07/world/europe/wikileaks-cia-hacking.html
  • #30 https://www.youtube.com/watch?v=P2_ZWKwM5Bw Published on Mar 9, 2017
  • #31 Fitness tracking app Strava gives away location of secret US army bases https://www.theguardian.com/world/2018/jan/28/fitness-tracking-app-gives-away-location-of-secret-us-army-bases
  • #32 Sensitive information about the location and staffing of military bases and spy outposts around the world has been revealed by a fitness tracking company. The details were released by Strava in a data visualisation map that shows all the activity tracked by users of its app, which allows people to record their exercise and share it with others. The map, released in November 2017, shows every single activity ever uploaded to Strava – more than 3 trillion individual GPS data points, according to the company. The app can be used on various devices including smartphones and fitness trackers like Fitbit to see popular running routes in major cities, or spot individuals in more remote areas who have unusual exercise patterns.
  • #33 So, I ask....
  • #34 Source: http://giphy.com/gifs/design-tech-dogs-cXJ24Lb6zdk1G
  • #35 https://www.facebook.com/photo.php?fbid=10102910644965951&set=a.612287952871.2204760.4&type=3&theater https://anchisesbr.blogspot.com.br/2016/06/seguranca-tampem-suas-cameras-e-seus.html https://pt.aliexpress.com/item/Nova-Webcam-Capa-Ultra-Fina-Slide-Tampa-Da-C-mera-Protetor-de-Privacidade-Para-O-Port/32842031705.html https://www.amazon.com/dp/B01LPQJGA2/?coliid=I3IJ8L3Y9LF7N&colid=21MF02T3NN81A&ref_=lv_ov_lig_dp_it&th=1
  • #36 Source: https://thehackernews.com/2016/10/ddos-attack-mirai-iot.html