The document discusses various Internet of Things (IoT) devices and security issues related to them. It describes how IP cameras, industrial equipment, Bluetooth devices, and smart meters can often have default passwords or be directly exposed to the internet, making them vulnerable to hacking. The document warns that while most consumer IoT devices pose little risk if not directly connected to the internet, industrial systems and public cameras aggregated with location data could become serious problems if exploited by bad actors. Overall, the document advocates being aware of the security shortcomings of IoT technologies and properly isolating devices to reduce risks.
CONFidence2015: The (Io)Things you don't even need to hack. Should we worry? - Slawomir Jasek
1. The (Io)Things you
don’t even need to
hack.
Should we worry?
Sławomir Jasek
Confidence, 26.05.2015
2. Pentester / security consultant.
Assessments and consultancy
regarding security of various
applications - web, mobile,
embedded, ...
Since 2003 / over 400 systems and
applications
Sławomir Jasek
3. What is IoT?
Things you don’t even need to hack:
IP cameras
Industrial equipment
Bluetooth low energy devices
Smart meters
Should we worry? How can we help?
Agenda
5. Another buzzword (?).
Several definitions and a bit of confusion.
Just like a few years back „cloud”, „big data” or
„mobile”.
Let's simplify: network-connected devices with
embedded processing power.
Add the mobile, cloud and big data, of course ;)
What is „Internet of Things”?
11. The best-priced IP camera with
PoE and ONVIF
Management standard (was
supposed to) assure painless
integration of the video in my
installation.
Camera
27. The same most probably applies to your
smart TV, home installations, refrigerators,
microwaves, babysitters, keylocks,
toothbrushes, internet-connected sex
toys...
PWN-ing this kind of device does not
involve „hacking” and does not impress.
This is boring, obvious and well-known for
years. Aka „junk hacking”.
Also frequently used to spread FUD by
some antivirus companies.
„Junk hacking”
http://seclists.org/dailydave/2014/q3/52
33. That depends on the device and usage scenario.
For most - you are supposed to be aware and treat the
devices accordingly:
• just don’t connect this type of hardware directly to
the Internet via public IP.
• and monitor the outgoing traffic, too.
But should we care about the others?
Should we worry?
36. Self-powered and lens-less cameras for IoT
http://www.cs.columbia.edu/CAVE/projects/
self_powered_camera/
Image sensors that can not only
capture images, but also generate
the power needed to do so.
http://www.rambus.com/documentation/emerging-
solutions/lensless-smart-sensors
Replace the lenses with ultra-miniaturized diffractive
sensor, extract the image with computation:
extremely small, low-cost „camera”
44. Indexed „public” cameras (rough IP-based
geolocation)
+
exact location (crowdsource?)
+
Cloud, Big Data (face recognition?)
=
PROBLEM?
And what if someone connects the dots?
https://www.flickr.com/photos/opensourceway
46. Thousands of interfaces publicly available.
Trivial to discover, already scanned & catalogued,
just like the cameras.
Modbus-TCP, Serial-TCP, default passwords or
password-less web management interfaces...
I won’t reveal the links here ;)
Industrial insecurity
55. The incoming vehicles are also traditionally verified by
security staff.
The device is available in restricted LAN only.
The tag can also be scanned from the truck itself.
BUT: you have to be aware of the technology's
shortcomings and not alter the above conditions!
Should we worry?
57. Bluetooth Smart != Bluetooth 3
Completely different stack –
from RF to upper layers.
Designed from the ground-up
for low energy usage.
Network topology
a) Broadcaster + Observer
b) Master + Peripheral
63. Additional info on products based on precise location.
Rewards for visiting places.
Indoor guide, help to navigate the blind etc.
Your home or toys can automatically react to you.
Be warned that your bike or car is no longer in the
garage.
Beacons – some example usage scenarios
69. 1. Buy SDK+devices from selected vendor (Nordic,
TI...)
2. Import ready-to-use sample code.
3. Add your bright usage scenario (and sometimes a
bit of hacking).
4. Create convincing bootstrap webpage + videos.
5. Run successful Kickstarter campaign.
6. Profit!
How to make your own BLE device?
70. Electric plugs, lightbulbs, locks, kettles,
sensors, wallets, socks, pans, jars,
toothbrushes, bags, plates, dildos,
sitting pads, fart-measuring devices,
calorie-counting mugs...
„It was just a dumb thing. Then we put
a chip in it. Now it's a smart
thing.” (weputachipinit.tumblr.com)
Crowdfunding: a new kind of celebrity.
Too often ridiculous meets big money.
Beacons are just the beginning...
www.myvessyl.com
71. They have been assured the communication is unbreakable because they use
AES.
I showed that an intruder may approach the unsuspecting victim's phone once (even
with the auto-unlock feature off) to be able to get full control over the car for
consecutive times without the victim's consent.
Other BLE devices
www.loxet.io
78. Smart meter: BLE broadcast
12 82 07 00 f4 2f 12 00 dc 05 02 0a 08
12 82 06 00 01 30 12 00 dc 05 02 0a 08
12 82 24 00 49 30 12 00 dc 05 02 0a 08
12 82 06 00 50 30 12 00 dc 05 02 0a 08
Temp. impulses
Total number of impulses
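To see what a passive listener learns from these frames, an added example that is not part of the talk: the four payloads from the slide decoded into the two labelled counters and the per-frame consumption deltas. The field layout (bytes 2-3 as a little-endian 16-bit "temp impulses" counter, bytes 4-7 as a little-endian 32-bit total) is an assumption made for illustration; the slide does not give the meter's real format.

```python
# Added example (not from the talk): decode the slide's BLE advertisement
# payloads. ASSUMED layout: bytes 2-3 = little-endian 16-bit "temp impulses",
# bytes 4-7 = little-endian 32-bit running total of impulses. The remaining
# bytes are left undecoded.
import struct

FRAME_LEN = 13

FRAMES = [  # the four payloads as printed on the slide
    "12 82 07 00 f4 2f 12 00 dc 05 02 0a 08",
    "12 82 06 00 01 30 12 00 dc 05 02 0a 08",
    "12 82 24 00 49 30 12 00 dc 05 02 0a 08",
    "12 82 06 00 50 30 12 00 dc 05 02 0a 08",
]

def decode_frame(hex_frame):
    """Parse one payload into the two counters under the assumed layout."""
    raw = bytes.fromhex(hex_frame.replace(" ", ""))
    if len(raw) != FRAME_LEN:
        raise ValueError(f"expected {FRAME_LEN} bytes, got {len(raw)}")
    temp, total = struct.unpack_from("<HI", raw, 2)
    return {"temp_impulses": temp, "total_impulses": total}

def consumption_deltas(frames):
    """Differences of the running total between consecutive frames.
    A listener in range sees these without ever touching the meter."""
    totals = [decode_frame(f)["total_impulses"] for f in frames]
    return [later - earlier for earlier, later in zip(totals, totals[1:])]

def audit_disclosure(frames):
    """Summarise what the broadcast reveals: whether the total is readable
    (monotonic counter) and the finest-grained step a listener can observe."""
    deltas = consumption_deltas(frames)
    return {
        "monotonic_total": all(d >= 0 for d in deltas),
        "smallest_step": min(deltas) if deltas else None,
        "deltas": deltas,
    }

if __name__ == "__main__":
    for frame in FRAMES:
        print(decode_frame(frame))
    print(audit_disclosure(FRAMES))
```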
79. In fact, we didn’t even have to.
Wow, we can sniff the power
usage of a victim!
That looks like a serious
vulnerability, doesn’t it?
But is it really?
OMG! We have „hacked” it!
https://www.flickr.com/photos/viirok/2498157861
80. Conditions to exploit:
- distance 5-10 m from my house
The impact:
- A „not so anonymous” intruder can monitor my power
usage and deduce e.g. my presence at home.
But: my presence at home is also perfectly visible from
5.3 km distance.
And I can detect the intruder, too ;)
BLE Broadcast smart meter - risk
You can also reset this
device – I haven't bothered
to set the password ;)
As well as take a brick
and break my window,
but I honestly hope you
won’t.
BTW
https://www.flickr.com/photos/memestate/2840195/
83. Additional head mounted on the
water meter transmits the
indication wirelessly to mobile
collectors.
Several hundred thousand
(and counting) installed in
Poland.
Wireless smart meters
84. RTL DVB-T USB stick ~ 40 PLN
Free software (e.g. GNU Radio)
Great beginner’s video tutorial:
http://greatscottgadgets.com/sdr/
Hacking wireless: Software Defined Radio
90. 1. The data is transmitted clear-text or without proper encryption.
2. The precision of transmitted data is higher than needed for billing.
3. Be in range of the wireless transmitter - max. a few hundred meters.
4. (A not-so-common-yet knowledge of wireless signals decoding)
Risk for the end-user – conditions to exploit
Image: http://www.taswater.com.au/Customers/Residential/Water-Meters
91. (this meter just broadcasts the indication)
Presence?
- it would be easier to observe e.g. parked cars or lights.
Personal habits?
- when does he bathe (or not?), do the laundry
- whether he has a dishwasher,
- how big the family is...
Emulate the tampering alarm signal for the bad neighbour?
Risk for the end-user – impact
If the device broadcast too detailed a reading,
regulation could prohibit it.
(there are actually such regulations for energy meters)
How much would it cost to replace several hundred
thousand devices?
Risk for the operator?
93. Risk for the operator?
868 MHz transmitter 8 PLN
Arduino 30 PLN
6 x 3 = 18 PLN
TOTAL: 56 PLN
96. It depends.
The risk is not always obvious. An intruder may hack
the thing, but in the end it may not matter. But you may
also implement a seemingly safe use scenario that
dramatically increases the risk.
The physical presence condition does reduce the
attack possibilities significantly.
The risk may increase in time – new tools, exploits,
adoption of technology.
Should we worry?
97. Wanna-be-hackers
• Act in good faith to reduce potential for harm.
• You won’t impress us with hacking speaking dolls to say
naughty words or teledildonics to vibrate abnormally ;)
• Please do take real risk into consideration, and the impact on
involved parties, too.
Pentesters
• Adapt new skills, labs for the emerging market
• Sometimes it’s just enough to RTFM
Enthusiasts, hackers, pentesters, consultants...
98. Confront your ideas with security professionals.
Startups:
• Bugcrowd www.bugcrowd.com
• Free consultancy www.securing.pl/konsultacje (form in PL),
contact us for EN. Drop us your device and we’ll see what we
can do in our spare time.
Proactively predict future compliance (the FCC, EU and
governments are working on it).
Educate the users, design secure-by-default devices – e.g. enforce
non-default passwords.
Vendors, inventors, entrepreneurs...
Understand the technology and associated risks – be
aware of its shortcomings and secure usage scenarios.
Depending on risk (e.g. industrial, urban, government,
medical...), consider security assessment of your
configuration.
Get used to the loss of privacy. You are no longer in
control of your data – no matter if you use the
technology or try to avoid it.
Demand security.
End-users