2018 © Dino Security S.L.
All rights reserved. www.dinosec.com
IoT: Internet of T…
www.dinosec.com
@dinosec
Raúl Siles
Founder & Senior Security Analyst
raul@dinosec.com
March 3, 2018
This presentation is inspired by true events.
All events, locations, characters, persons, companies, firms,
and IoT products :) depicted in this presentation, even
those based on real devices, are fictitious.
Any resemblance to reality is purely coincidental and
unintentional.
Disclaimer
• Real devices and details have been sanitized to minimize
the risk of vendor identification and massive exploitation.
• Live demonstrations and videos have to deal with and
overcome these constraints.
• Any resemblance of images, screenshots, text, code
snippets, and other details… to reality is purely
coincidental and unintentional.
IoT: Internet of T…
• IoT, Internet of Things
– Terror
– Traps, Tricks, Targets, Threats, Turbulences, Toilets… :)
– Trends
– Topics, Timers…
– …
• Internet of Testing
• Internet of Trust
https://twitter.com/dinosec/status/954283251081928706 (Carles, Javier…)
IoT Security Analysis Methodology
• Hardware components (+buttons/interfaces/ports...)
• Firmware
• "Cloud" services
• Mobile apps
• (Admin/Mgmt.) Web interface (& other services)
• Wireless/Radio communications
• Local storage
"Análisis de los vectores de ataque del Internet de las cosas (IoT)"
https://www.ismsforum.es/estudioCEM
RootedCON 2016
Target
Advanced IoT Solutions: Parts List :)
• Central controller or hub
• Wireless peripheral devices
– Sensors
– Actuators
• "Cloud" services
• Mobile apps
• Web interface (& other services)
Target: Domotic IoT Solution
• Central controller or hub (plus remote controllers)
• Wireless peripheral devices: Sensors & Actuators
– Environmental control system
• Heating system
• Shutters
– Lighting system and power plugs
– Physical access (e.g. garage door)
• "Cloud" services, mobile apps, web interface…
(Smart) Home Automation
Market(ing) vs. Real Needs
Domotic IoT Solution: Technologies
• IoT: Internet (TCP/IP) of T…
• Radio/Wireless technologies (proprietary protocols)
– v1: 433 MHz (∼50m)
• Up to 6 paired transmitters (or channels)
– v2: 868 MHz (∼150m) + state feedback
• Up to 32 paired transmitters
• Transmitter, receiver (+ feedback) or transceiver
• USB expansion port: Z-Wave?…
• Absent wireless technologies: Wi-Fi, Bluetooth, ZigBee, etc.
Target: Blueprint
Finding the entry…
Outline
• Hardware components (+buttons/interfaces/ports...)
• Firmware
• "Cloud" services
• Mobile apps
• (Admin/Mgmt.) Web interface (& other services)
• Wireless/Radio communications
• Local storage
Hardware Teardown
Target: Hardware
Hardware Teardown
• Central controller or hub (Internet to radio/wireless)
• Remote control (up to 3/16 channels)
• Heating system (thermostat schedule)
– Heating controller (software), heater/boiler module (with state
feedback) and temperature sensor
• Lighting (e.g. indoor/outdoor bulbs, ceiling lights, lamps… anything)
– On/off or dimmer module, wall switch, motion or presence
detector, opening detector and power plugs (on/off or dimmer)
• Physical environment and access control
– Shutter module (with state feedback), and door or gate module
Devices Classification
• Transmitters (∼sensors)
– Remote controller
– Wall switch
– (indoor/outdoor) Motion or presence detector
– (door/window) Opening detector
– Temperature sensor
• Receivers (∼actuators)
– Heater/boiler module
– Shutter module
– Door or gate module
– Lighting on/off or dimmer module
– Power plugs (on/off or dimmer)
• Transceiver
– Central controller or hub
Hardware Hacking 101 :)
• Screwdriver hacking!
Thanks to my father!
857/1 Z fork-tip bit, or spanner screw bit
Remote Controller
• 3 channels
• NDR433TS:
– NEDI SAW (surface-acoustic-wave) resonator
• Frequency stabilization at 433.920 MHz
• Radio chip: 611S21 * DA17DB
– Unknown (radio chip)
• Found a single Internet reference in
Norwegian for 433.92 MHz
• Google, www.findchips.com, etc.
Shutter or Door/Gate
Hub or Central Controller
Temperature Sensor
• Main (and unique) chip
– …
Heater / Boiler Module
Power Plug
Firmware
Target: Firmware
Firmware Updates
• No auto update capabilities
• Manual download from manufacturer website (or by
contacting support)
• Backup current configuration first :) (…via cloud only :()
• Upload '<version>.bin' file via web interface
– Authentication required as "admin" (web interface details)
– No signature (build your own firmware version :) and…)
• Restart
Use <a href="/upload">MPFS Upload</a> to program web pages... (strings)
Firmware Analysis
Firmware Analysis: Details
• binwalk: Firmware analysis tool
– Found: MPFS v2.1 filesystem, images (PNG, GIF, JPEG, TIFF…), compressed data (gzip and Zlib), HTML documents, etc.
• No encryption and just… some compression
• "strings is your friend…" (e.g. Google Maps API key)
https://github.com/ReFirmLabs/binwalk
Version 3.5.2              autologin
Builddate Mar 3 2018       # login as user
Productmodel A8021         admin
FW-Version 186370035640    # login as admin
…                          usrpass 52d04dc20036dbd8
MPFS-2.1                   setpass 7a57a5a743894a0e
Firmware Analysis: Filesystem Format
• MPFS (Microchip PIC File System)
– Indexed web files for auto tag expansion (e.g. ~foo~)
– Plain and compressed files
• Microchip TCP/IP Stack
– Microchip's HTTP(2) web server – MPFS(2)
• Internal memory or EEPROM
https://books.google.es/books?id=V1wLsfO1114C
Firmware MPFS Extraction
• binwalk custom plugin
– Signature: known MPFS data signatures ("…/magic/filesystems")
• Starts with the string "MPFS{v}{s}{f}" (version, subversion, file entries)
– MPFS{byte}{byte}{leshort} (byte: 8-bit integer; leshort: little endian 2-byte integer)
– Extractor: <missing>
• MPFS extraction tools… :(
• MPFS2 extraction tools
– mpfs2-fsutil (--list & --extract)
– https://www.mjoldfield.com/atelier/2007/12/mpfs2.html
https://github.com/ReFirmLabs/binwalk/wiki/Creating-Custom-Plugins
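The signature described on this slide, as an added Python example (not the binwalk plugin and not code from the talk): it scans a firmware image for MPFS{byte}{byte}{leshort} headers and discards false hits such as the ASCII string "MPFS-2.1" seen in the strings output. The image bytes are constructed, and the version ceiling and the 24-byte per-entry size used for the bounds check are assumptions that are not on the slide.

```python
import struct
from typing import List, NamedTuple

MAGIC = b"MPFS"
# Slide: MPFS{byte}{byte}{leshort} -> version, subversion, file entries.
HEADER = struct.Struct("<4sBBH")
# Assumption (not on the slide): every file entry costs a 2-byte name hash plus
# a 22-byte record. Only used to reject headers that cannot fit in the image.
ASSUMED_BYTES_PER_ENTRY = 2 + 22
# Assumption: real version bytes are small integers, not printable ASCII.
MAX_PLAUSIBLE_VERSION = 9


class MpfsHeader(NamedTuple):
    offset: int
    version: int
    subversion: int
    entries: int


def find_mpfs_headers(image: bytes) -> List[MpfsHeader]:
    """Return every plausible MPFS header found in a raw firmware image."""
    hits = []
    pos = image.find(MAGIC)
    while pos != -1:
        # A magic too close to the end of the image cannot carry a full header.
        if pos + HEADER.size <= len(image):
            _, version, subversion, entries = HEADER.unpack_from(image, pos)
            tables_end = pos + HEADER.size + entries * ASSUMED_BYTES_PER_ENTRY
            if (1 <= version <= MAX_PLAUSIBLE_VERSION
                    and entries > 0
                    and tables_end <= len(image)):
                hits.append(MpfsHeader(pos, version, subversion, entries))
        pos = image.find(MAGIC, pos + 1)
    return hits


def build_sample_image() -> bytes:
    """Constructed image: banner text, padding, one real header, truncated magic."""
    banner = b"Version 3.5.2\x00MPFS-2.1\x00"      # text hit, must be rejected
    padding = b"\xff" * 16
    header = HEADER.pack(MAGIC, 2, 1, 3)             # v2.1 with 3 file entries
    tables = b"\x00" * (3 * ASSUMED_BYTES_PER_ENTRY)
    payload = b"<html>constructed page</html>"
    truncated_tail = b"MPFS\x02"                     # header cut off by end of image
    return banner + padding + header + tables + payload + truncated_tail


if __name__ == "__main__":
    for hit in find_mpfs_headers(build_sample_image()):
        print(f"0x{hit.offset:x}: MPFS v{hit.version}.{hit.subversion}, "
              f"{hit.entries} file entries")
```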
Physical Firmware Extraction
• 4-pin JTAG interface
– Joint Test Action Group
• PIC
– TMS, TDO, TCK, TDI
– Pins: 23, 24, 27, 28
• TMS (Test Mode Select)
• TDO (Test Data Out)
• TCK (Test Clock)
• TDI (Test Data In)
• TRST (Test Reset) optional
"Cloud" Services
Cloud Service
• User to cloud
– Direct access to the IoT environment through the cloud
– Web browser (traditional computer or mobile) and/or mobile app
– Registration process
– Backup / Restore capabilities
• Not available through local web server or via mobile app !!!!
• IoT to cloud
– Communication between the IoT environment and the cloud
– Proprietary protocol, enabled by default
Target: User to Cloud
TCP/IP Port Mapping
• What do you think of a critical cloud server that has…?
21/tcp
22/tcp
25/tcp
53/tcp
80/tcp
110/tcp
143/tcp
443/tcp
465/tcp
587/tcp
993/tcp
995/tcp
3128/tcp
8080/tcp
8081/tcp
8090/tcp
… this list of open ports, and more!
Cloud Passwords
• At some point, you cannot log in again (web and mobile)
• After logging in, you should receive a Bearer Token (OAuth 2.0), used for API requests
• Instead, you get a JSON error (interception proxy)
• Reason: After extensive research…
– Does the vendor even know it?
– If your password is greater than 25 characters (back-end issue)
– Have you heard about passphrases?
{"code":503,"error":"server_error","error_description":"server_error"}
Something Does Not Smell Very Well Here…
Backup / Restore Capabilities
• Is it possible to access other IoT environments' backups?
– Backups are saved in a proprietary plain text format
• Reverse engineer backup format to extract rooms, device IDs, MD5…
• Is it possible to make backups of other IoT environments? :)
• Anonymously?
Target: IoT to Cloud
IoT to Cloud
• Proprietary protocol similar to HTTP
– Enough to make standard HTTP(S) interception proxies fail
– Solution: mitm_relay (or NoPE) + Burp (et al.)
• Custom port (1234/tcp)
• Enabled by default
• No encryption, no integrity, no…thing
• Discloses multiple device IDs: model, firmware version, MAC address, serial number, and message ID
https://github.com/jrmdev/mitm_relay
IoT to Cloud: Proprietary Protocol
JSON API
ABCD/1.0 CONNECT
Model: …
FW-Version: …
MAC: …
SN: …
Message-ID: …
ABCD/1.0 KEEP-ALIVE
Message-ID: …
IoT to Cloud: Admin Access
• Unencrypted: Cloud requesting admin access to IoT hub…

ABCD/1.0 API-REQUEST
X-Token: …
Message-ID: …
Content-Length: …
god=admin

ABCD/1.0 API-RESPONSE
{…"msg":"API_NOT_AUTHED"}

ABCD/1.0 API-REQUEST
X-Token: …
Message-ID: …
Content-Length: …
user=admin&pass=7a57a5a743894a0e&autologin=0&god=login&…

ABCD/1.0 API-RESPONSE
{…"msg":"SUCCESS"}

Full access to IoT hub and the associated IoT environment...
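What a passive monitor on the hub-to-cloud port would flag in the messages shown above, as an added Python example (not code from the talk): it parses the HTTP-like messages and reports the identifiers and secrets that travel in cleartext. The blank line between headers and body, the finding labels, and every sample value other than the pass value taken from the slide are assumptions.

```python
from urllib.parse import parse_qs

PROTO = "ABCD/1.0"  # sanitized protocol name used on the slides
# Headers the slides list as disclosed device identifiers.
DEVICE_ID_HEADERS = ("Model", "FW-Version", "MAC", "SN", "Message-ID")
SECRET_HEADERS = ("X-Token",)
SECRET_BODY_FIELDS = ("pass",)


def parse_message(raw: bytes) -> dict:
    """Parse one message. Assumed framing (the slides only say "similar to
    HTTP"): start line, "Name: value" headers, blank line, optional body."""
    text = raw.decode("latin-1").replace("\r\n", "\n")
    head, _, body = text.partition("\n\n")
    lines = head.split("\n")
    proto, _, verb = lines[0].partition(" ")
    if proto != PROTO or not verb.strip():
        raise ValueError("not an ABCD/1.0 message")
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    length = headers.get("content-length", "")
    if length.isdigit():          # a missing or malformed length is ignored
        body = body[: int(length)]
    return {"verb": verb.strip(), "headers": headers, "body": body}


def review_message(raw: bytes) -> list:
    """Return (verb, kind, field) for every sensitive item visible on the wire."""
    msg = parse_message(raw)
    verb, findings = msg["verb"], []
    for name in DEVICE_ID_HEADERS:
        if name.lower() in msg["headers"]:
            findings.append((verb, "device-id", name))
    for name in SECRET_HEADERS:
        if name.lower() in msg["headers"]:
            findings.append((verb, "secret-header", name))
    form = parse_qs(msg["body"])  # bodies on the slides are form-encoded
    for name in SECRET_BODY_FIELDS:
        if name in form:
            findings.append((verb, "secret-body", name))
    return findings


# Constructed captures: header names come from the slides, values are placeholders.
SAMPLE_CONNECT = (
    b"ABCD/1.0 CONNECT\r\n"
    b"Model: EXAMPLE-HUB\r\n"
    b"FW-Version: 0.0.0\r\n"
    b"MAC: 00:00:5E:00:53:01\r\n"
    b"SN: SN-PLACEHOLDER\r\n"
    b"Message-ID: 1\r\n\r\n"
)
_BODY = b"user=admin&pass=7a57a5a743894a0e&autologin=0&god=login"
SAMPLE_LOGIN = (
    b"ABCD/1.0 API-REQUEST\r\n"
    b"X-Token: TOKEN-PLACEHOLDER\r\n"
    b"Message-ID: 2\r\n"
    b"Content-Length: " + str(len(_BODY)).encode() + b"\r\n\r\n" + _BODY
)

if __name__ == "__main__":
    for capture in (SAMPLE_CONNECT, SAMPLE_LOGIN):
        for verb, kind, field in review_message(capture):
            print(f"{verb}: {kind} {field} sent without encryption")
```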
Mobile Apps
Target: Mobile Apps
Mobile Apps
• iOS and Android
Username Enumeration in iOS
• In the login page for the mobile app… :(
• And as a bonus, if the username does not exist…
• Be careful with typos in your username :)
POST /auth HTTP/1.1 (via HTTPS)
Host: cloud.example.com
...
{username: "monica", password: "0123456789abcdef"}
{"code":"101","error":"error","error_description":"Wrong Password"}
{"code":"100","error":"error","error_description":"User not found"}
POST /auth HTTP/1.1 (via HTTP)
Host: example.com
...
{username: "monica", password: "0123456789abcdef"}
Web Interface
Target: Web Interface
Web Interface
• Local administrative/management web interface
• Only port 80/tcp open
– HTTPS?
• Settings section (e.g. "/settings/") requires authentication
– Default password: admin – no username?
– Did I mention there is no encryption?
• Traditional or mobile access
Admin Web Interface (via Mobile)
Admin Web Interface
• Login page simply requests a password, but…
• Change password…
<html>
<head><title>Login</title>~inc:inc/header.inc~</head>
<body>
<div class="login"><h2 >Admin Login</h2>
<div class="login-form">
<input id="user" type="hidden" value="admin">
<input id="password" type="password" placeholder="password">
<button id="login">LOGIN</button>
</div>...
<input id="admin-pass" class="admin-pass" name="admin-pass" type="password"
maxlength="16" disabled>
var pwdvalidator = {required: true, rangelength: [4, 16]};
config('setpass', md5($('#admin-pass').val(), 16));
Web Interface Passwords
• MD5-related passwords?
• Dynamic analysis
• Static analysis
• Firmware password-like strings…
Firmware:
usrpass 52d04dc20036dbd8
setpass 7a57a5a743894a0e
Usage: md5(<password>, 16)
File: md5.js
$ jsc getmd5.js -- "IoT"
60a13f2f4c7e11c7
... if(h==16){return a.substr(8,16)} ...
81dc9bdb52d04dc20036dbd8313ed055 --> 1234
21232f297a57a5a743894a0e4a801fc3 --> admin
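The md5(<password>, 16) scheme above, reproduced as an added Python example (not the device's md5.js) and used the way a firmware review would use it: flag stored values that match a default-password list, next to a salted, iterated replacement. The candidate list and the PBKDF2 parameters are assumptions; the firmware strings are the ones shown on the slide.

```python
import hashlib
import hmac
import os
import re

HEX16 = re.compile(r"\b[0-9a-f]{16}\b")


def md5_16(password: str) -> str:
    """md5(<password>, 16) as on the slide: substr(8,16) of the hex digest."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()[8:24]


def audit_strings(lines, candidates):
    """Return (key, stored_value, password) for each 16-hex token in the
    firmware strings that equals md5_16() of a candidate password."""
    lookup = {md5_16(p): p for p in candidates}
    findings = []
    for line in lines:
        words = line.split()
        for token in HEX16.findall(line.lower()):
            if token in lookup:
                findings.append((words[0], token, lookup[token]))
    return findings


# Hardened counterpart: per-device random salt and an iterated KDF, so equal
# passwords no longer produce equal stored values and a lookup table is useless.
# Assumption: the round count must be sized to what the target hardware affords.
PBKDF2_ROUNDS = 200_000


def hash_password(password: str, salt: bytes = None):
    """Return (salt, digest) for storage; a fresh salt is drawn when none is given."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    """Constant-time comparison against the stored digest."""
    return hmac.compare_digest(hash_password(password, salt)[1], digest)


# Firmware strings as shown on the slide.
FIRMWARE_STRINGS = [
    "Version 3.5.2",
    "FW-Version 186370035640",
    "usrpass 52d04dc20036dbd8",
    "setpass 7a57a5a743894a0e",
]
# Constructed candidate list for the review (assumption).
DEFAULT_PASSWORDS = ["password", "1234", "admin", "12345678"]

if __name__ == "__main__":
    for key, stored, password in audit_strings(FIRMWARE_STRINGS, DEFAULT_PASSWORDS):
        print(f"{key}: stored value {stored} is the default password {password!r}")
```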
Firmware Upload Capabilities
• Without authentication (obtained via firmware strings…)
Wireless/Radio Communications
Target: Wireless/Radio Communications
Wireless Communications
• Adding new wireless devices (pairing)
– Pairing 433 & 868 MHz devices
– Wireless devices classification
• Digital modulation for 433 & 868 MHz signals
• Replaying 433 & 868 MHz signals
• Decoding 433 & 868 MHz signals
HackRF One OperaCake
OperaCake: Auto-Antenna Selection
Wireless Devices Classification
• Receivers
– Grab signals and store them in memory (learning function)
• Transmitters
– Generate signals (static or dynamic :))
• Transceivers
– Both (e.g. receivers with state feedback)
• Hub
– Legitimate replay attacks :)
Hardware Components
Digital Modulation for 433 MHz Devices
Digital Modulation for 868 MHz Devices
Playing with Wireless/Radio Signals
• Replaying 433 & 868 MHz signals
– "script-kiddie" attacks
• Decoding 433 & 868 MHz signals
– Digital demodulation (reverse engineering radio signals)
Internet of T…
Heater Module: GRC
Heater Module: rfcat script
Conclusions
IoT: Internet of T…
• Internet of Troubles
• Internet of Testing
• Internet of Trust
Spanish Collection of Proverbs
"Each one in their own house… and DiOs (God) in everyone's"
everything
Credits
– Produced by:
– Sponsored by:
– Casting by:
– Supported by:
– Music & visuals by:
– Costume designer:
Raúl Siles
Mónica Salas
E & E
IoT vendors
My parents, et. al.
Siletes
DinoSec
www.dinosec.com
@dinosec
Raúl Siles
raul@dinosec.com
Questions?
www.dinosec.com
@dinosec

IoT Security: Cases and Methods
 
Diamond offshore drilling transforms control infrastructure from target to ce...
Diamond offshore drilling transforms control infrastructure from target to ce...Diamond offshore drilling transforms control infrastructure from target to ce...
Diamond offshore drilling transforms control infrastructure from target to ce...
 
CLÍNICA DE RESPUESTAS A INCIDENTES Y THREAT HUNTING - WORKSHOP DAY TÉCNICO DE...
CLÍNICA DE RESPUESTAS A INCIDENTES Y THREAT HUNTING - WORKSHOP DAY TÉCNICO DE...CLÍNICA DE RESPUESTAS A INCIDENTES Y THREAT HUNTING - WORKSHOP DAY TÉCNICO DE...
CLÍNICA DE RESPUESTAS A INCIDENTES Y THREAT HUNTING - WORKSHOP DAY TÉCNICO DE...
 
Man in the Cloud Attacks
Man in the Cloud AttacksMan in the Cloud Attacks
Man in the Cloud Attacks
 
Content is King - Symantec
Content is King - SymantecContent is King - Symantec
Content is King - Symantec
 
festival ICT 2013: Mobile Network Security: stato dell’arte e oltre
festival ICT 2013: Mobile Network Security: stato dell’arte e oltrefestival ICT 2013: Mobile Network Security: stato dell’arte e oltre
festival ICT 2013: Mobile Network Security: stato dell’arte e oltre
 
Io t security defense in depth charles li v1 20180425c
Io t security defense in depth charles li v1 20180425cIo t security defense in depth charles li v1 20180425c
Io t security defense in depth charles li v1 20180425c
 
Digital Security for the IoT Presentation
Digital Security for the IoT PresentationDigital Security for the IoT Presentation
Digital Security for the IoT Presentation
 
Yokogawa & NextNine – Lessons Learned: Global Cybersecurity Management System...
Yokogawa & NextNine – Lessons Learned: Global Cybersecurity Management System...Yokogawa & NextNine – Lessons Learned: Global Cybersecurity Management System...
Yokogawa & NextNine – Lessons Learned: Global Cybersecurity Management System...
 
Protecting your Organisation from the Internet of Evil Things
Protecting your Organisation from the Internet of Evil ThingsProtecting your Organisation from the Internet of Evil Things
Protecting your Organisation from the Internet of Evil Things
 

More from RootedCON

Rooted2020 A clockwork pentester - Jose Carlos Moral & Alvaro Villaverde
Rooted2020 A clockwork pentester - Jose Carlos Moral & Alvaro VillaverdeRooted2020 A clockwork pentester - Jose Carlos Moral & Alvaro Villaverde
Rooted2020 A clockwork pentester - Jose Carlos Moral & Alvaro VillaverdeRootedCON
 
rooted2020 Sandbox fingerprinting -_evadiendo_entornos_de_analisis_-_victor_c...
rooted2020 Sandbox fingerprinting -_evadiendo_entornos_de_analisis_-_victor_c...rooted2020 Sandbox fingerprinting -_evadiendo_entornos_de_analisis_-_victor_c...
rooted2020 Sandbox fingerprinting -_evadiendo_entornos_de_analisis_-_victor_c...RootedCON
 
Rooted2020 hunting malware-using_process_behavior-roberto_amado
Rooted2020 hunting malware-using_process_behavior-roberto_amadoRooted2020 hunting malware-using_process_behavior-roberto_amado
Rooted2020 hunting malware-using_process_behavior-roberto_amadoRootedCON
 
Rooted2020 compliance as-code_-_guillermo_obispo_-_jose_mariaperez_-_
Rooted2020 compliance as-code_-_guillermo_obispo_-_jose_mariaperez_-_Rooted2020 compliance as-code_-_guillermo_obispo_-_jose_mariaperez_-_
Rooted2020 compliance as-code_-_guillermo_obispo_-_jose_mariaperez_-_RootedCON
 
Rooted2020 the day i_ruled_the_world_deceiving_software_developers_through_op...
Rooted2020 the day i_ruled_the_world_deceiving_software_developers_through_op...Rooted2020 the day i_ruled_the_world_deceiving_software_developers_through_op...
Rooted2020 the day i_ruled_the_world_deceiving_software_developers_through_op...RootedCON
 
Rooted2020 si la-empresa_ha_ocultado_el_ciberataque,_como_se_ha_enterado_el_r...
Rooted2020 si la-empresa_ha_ocultado_el_ciberataque,_como_se_ha_enterado_el_r...Rooted2020 si la-empresa_ha_ocultado_el_ciberataque,_como_se_ha_enterado_el_r...
Rooted2020 si la-empresa_ha_ocultado_el_ciberataque,_como_se_ha_enterado_el_r...RootedCON
 
Rooted2020 wordpress-another_terror_story_-_manuel_garcia_-_jacinto_sergio_ca...
Rooted2020 wordpress-another_terror_story_-_manuel_garcia_-_jacinto_sergio_ca...Rooted2020 wordpress-another_terror_story_-_manuel_garcia_-_jacinto_sergio_ca...
Rooted2020 wordpress-another_terror_story_-_manuel_garcia_-_jacinto_sergio_ca...RootedCON
 
Rooted2020 Atacando comunicaciones-de_voz_cifradas_-_jose_luis_verdeguer
Rooted2020 Atacando comunicaciones-de_voz_cifradas_-_jose_luis_verdeguerRooted2020 Atacando comunicaciones-de_voz_cifradas_-_jose_luis_verdeguer
Rooted2020 Atacando comunicaciones-de_voz_cifradas_-_jose_luis_verdeguerRootedCON
 
rooted2020-Rootkit necurs no_es_un_bug,_es_una_feature_-_roberto_santos_-_jav...
rooted2020-Rootkit necurs no_es_un_bug,_es_una_feature_-_roberto_santos_-_jav...rooted2020-Rootkit necurs no_es_un_bug,_es_una_feature_-_roberto_santos_-_jav...
rooted2020-Rootkit necurs no_es_un_bug,_es_una_feature_-_roberto_santos_-_jav...RootedCON
 
Rooted2020 stefano maccaglia--_the_enemy_of_my_enemy
Rooted2020 stefano maccaglia--_the_enemy_of_my_enemyRooted2020 stefano maccaglia--_the_enemy_of_my_enemy
Rooted2020 stefano maccaglia--_the_enemy_of_my_enemyRootedCON
 
Rooted2020 taller de-reversing_de_binarios_escritos_en_golang_-_mariano_palom...
Rooted2020 taller de-reversing_de_binarios_escritos_en_golang_-_mariano_palom...Rooted2020 taller de-reversing_de_binarios_escritos_en_golang_-_mariano_palom...
Rooted2020 taller de-reversing_de_binarios_escritos_en_golang_-_mariano_palom...RootedCON
 
Rooted2020 virtual pwned-network_-_manel_molina
Rooted2020 virtual pwned-network_-_manel_molinaRooted2020 virtual pwned-network_-_manel_molina
Rooted2020 virtual pwned-network_-_manel_molinaRootedCON
 
Rooted2020 van a-mear_sangre_como_hacer_que_los_malos_lo_paguen_muy_caro_-_an...
Rooted2020 van a-mear_sangre_como_hacer_que_los_malos_lo_paguen_muy_caro_-_an...Rooted2020 van a-mear_sangre_como_hacer_que_los_malos_lo_paguen_muy_caro_-_an...
Rooted2020 van a-mear_sangre_como_hacer_que_los_malos_lo_paguen_muy_caro_-_an...RootedCON
 
Rooted2020 todo a-siem_-_marta_lopez
Rooted2020 todo a-siem_-_marta_lopezRooted2020 todo a-siem_-_marta_lopez
Rooted2020 todo a-siem_-_marta_lopezRootedCON
 
Rooted2020 live coding--_jesus_jara
Rooted2020 live coding--_jesus_jaraRooted2020 live coding--_jesus_jara
Rooted2020 live coding--_jesus_jaraRootedCON
 
Rooted2020 legalidad de-la_prueba_tecnologica_indiciaria_cuando_tu_papi_es_un...
Rooted2020 legalidad de-la_prueba_tecnologica_indiciaria_cuando_tu_papi_es_un...Rooted2020 legalidad de-la_prueba_tecnologica_indiciaria_cuando_tu_papi_es_un...
Rooted2020 legalidad de-la_prueba_tecnologica_indiciaria_cuando_tu_papi_es_un...RootedCON
 
Rooted2020 hackeando el-mundo_exterior_a_traves_de_bluetooth_low-energy_ble_-...
Rooted2020 hackeando el-mundo_exterior_a_traves_de_bluetooth_low-energy_ble_-...Rooted2020 hackeando el-mundo_exterior_a_traves_de_bluetooth_low-energy_ble_-...
Rooted2020 hackeando el-mundo_exterior_a_traves_de_bluetooth_low-energy_ble_-...RootedCON
 
Rooted2020 evading deep-learning_malware_detectors_-_javier_yuste
Rooted2020 evading deep-learning_malware_detectors_-_javier_yusteRooted2020 evading deep-learning_malware_detectors_-_javier_yuste
Rooted2020 evading deep-learning_malware_detectors_-_javier_yusteRootedCON
 
Rooted2020 encontrando 0days-en_2020_-_antonio_morales
Rooted2020 encontrando 0days-en_2020_-_antonio_moralesRooted2020 encontrando 0days-en_2020_-_antonio_morales
Rooted2020 encontrando 0days-en_2020_-_antonio_moralesRootedCON
 
Rooted2020 emotet is-dead_long_live_emotet_-_victor_acin
Rooted2020 emotet is-dead_long_live_emotet_-_victor_acinRooted2020 emotet is-dead_long_live_emotet_-_victor_acin
Rooted2020 emotet is-dead_long_live_emotet_-_victor_acinRootedCON
 

More from RootedCON (20)

Rooted2020 A clockwork pentester - Jose Carlos Moral & Alvaro Villaverde
Rooted2020 A clockwork pentester - Jose Carlos Moral & Alvaro VillaverdeRooted2020 A clockwork pentester - Jose Carlos Moral & Alvaro Villaverde
Rooted2020 A clockwork pentester - Jose Carlos Moral & Alvaro Villaverde
 
rooted2020 Sandbox fingerprinting -_evadiendo_entornos_de_analisis_-_victor_c...
rooted2020 Sandbox fingerprinting -_evadiendo_entornos_de_analisis_-_victor_c...rooted2020 Sandbox fingerprinting -_evadiendo_entornos_de_analisis_-_victor_c...
rooted2020 Sandbox fingerprinting -_evadiendo_entornos_de_analisis_-_victor_c...
 
Rooted2020 hunting malware-using_process_behavior-roberto_amado
Rooted2020 hunting malware-using_process_behavior-roberto_amadoRooted2020 hunting malware-using_process_behavior-roberto_amado
Rooted2020 hunting malware-using_process_behavior-roberto_amado
 
Rooted2020 compliance as-code_-_guillermo_obispo_-_jose_mariaperez_-_
Rooted2020 compliance as-code_-_guillermo_obispo_-_jose_mariaperez_-_Rooted2020 compliance as-code_-_guillermo_obispo_-_jose_mariaperez_-_
Rooted2020 compliance as-code_-_guillermo_obispo_-_jose_mariaperez_-_
 
Rooted2020 the day i_ruled_the_world_deceiving_software_developers_through_op...
Rooted2020 the day i_ruled_the_world_deceiving_software_developers_through_op...Rooted2020 the day i_ruled_the_world_deceiving_software_developers_through_op...
Rooted2020 the day i_ruled_the_world_deceiving_software_developers_through_op...
 
Rooted2020 si la-empresa_ha_ocultado_el_ciberataque,_como_se_ha_enterado_el_r...
Rooted2020 si la-empresa_ha_ocultado_el_ciberataque,_como_se_ha_enterado_el_r...Rooted2020 si la-empresa_ha_ocultado_el_ciberataque,_como_se_ha_enterado_el_r...
Rooted2020 si la-empresa_ha_ocultado_el_ciberataque,_como_se_ha_enterado_el_r...
 
Rooted2020 wordpress-another_terror_story_-_manuel_garcia_-_jacinto_sergio_ca...
Rooted2020 wordpress-another_terror_story_-_manuel_garcia_-_jacinto_sergio_ca...Rooted2020 wordpress-another_terror_story_-_manuel_garcia_-_jacinto_sergio_ca...
Rooted2020 wordpress-another_terror_story_-_manuel_garcia_-_jacinto_sergio_ca...
 
Rooted2020 Atacando comunicaciones-de_voz_cifradas_-_jose_luis_verdeguer
Rooted2020 Atacando comunicaciones-de_voz_cifradas_-_jose_luis_verdeguerRooted2020 Atacando comunicaciones-de_voz_cifradas_-_jose_luis_verdeguer
Rooted2020 Atacando comunicaciones-de_voz_cifradas_-_jose_luis_verdeguer
 
rooted2020-Rootkit necurs no_es_un_bug,_es_una_feature_-_roberto_santos_-_jav...
rooted2020-Rootkit necurs no_es_un_bug,_es_una_feature_-_roberto_santos_-_jav...rooted2020-Rootkit necurs no_es_un_bug,_es_una_feature_-_roberto_santos_-_jav...
rooted2020-Rootkit necurs no_es_un_bug,_es_una_feature_-_roberto_santos_-_jav...
 
Rooted2020 stefano maccaglia--_the_enemy_of_my_enemy
Rooted2020 stefano maccaglia--_the_enemy_of_my_enemyRooted2020 stefano maccaglia--_the_enemy_of_my_enemy
Rooted2020 stefano maccaglia--_the_enemy_of_my_enemy
 
Rooted2020 taller de-reversing_de_binarios_escritos_en_golang_-_mariano_palom...
Rooted2020 taller de-reversing_de_binarios_escritos_en_golang_-_mariano_palom...Rooted2020 taller de-reversing_de_binarios_escritos_en_golang_-_mariano_palom...
Rooted2020 taller de-reversing_de_binarios_escritos_en_golang_-_mariano_palom...
 
Rooted2020 virtual pwned-network_-_manel_molina
Rooted2020 virtual pwned-network_-_manel_molinaRooted2020 virtual pwned-network_-_manel_molina
Rooted2020 virtual pwned-network_-_manel_molina
 
Rooted2020 van a-mear_sangre_como_hacer_que_los_malos_lo_paguen_muy_caro_-_an...
Rooted2020 van a-mear_sangre_como_hacer_que_los_malos_lo_paguen_muy_caro_-_an...Rooted2020 van a-mear_sangre_como_hacer_que_los_malos_lo_paguen_muy_caro_-_an...
Rooted2020 van a-mear_sangre_como_hacer_que_los_malos_lo_paguen_muy_caro_-_an...
 
Rooted2020 todo a-siem_-_marta_lopez
Rooted2020 todo a-siem_-_marta_lopezRooted2020 todo a-siem_-_marta_lopez
Rooted2020 todo a-siem_-_marta_lopez
 
Rooted2020 live coding--_jesus_jara
Rooted2020 live coding--_jesus_jaraRooted2020 live coding--_jesus_jara
Rooted2020 live coding--_jesus_jara
 
Rooted2020 legalidad de-la_prueba_tecnologica_indiciaria_cuando_tu_papi_es_un...
Rooted2020 legalidad de-la_prueba_tecnologica_indiciaria_cuando_tu_papi_es_un...Rooted2020 legalidad de-la_prueba_tecnologica_indiciaria_cuando_tu_papi_es_un...
Rooted2020 legalidad de-la_prueba_tecnologica_indiciaria_cuando_tu_papi_es_un...
 
Rooted2020 hackeando el-mundo_exterior_a_traves_de_bluetooth_low-energy_ble_-...
Rooted2020 hackeando el-mundo_exterior_a_traves_de_bluetooth_low-energy_ble_-...Rooted2020 hackeando el-mundo_exterior_a_traves_de_bluetooth_low-energy_ble_-...
Rooted2020 hackeando el-mundo_exterior_a_traves_de_bluetooth_low-energy_ble_-...
 
Rooted2020 evading deep-learning_malware_detectors_-_javier_yuste
Rooted2020 evading deep-learning_malware_detectors_-_javier_yusteRooted2020 evading deep-learning_malware_detectors_-_javier_yuste
Rooted2020 evading deep-learning_malware_detectors_-_javier_yuste
 
Rooted2020 encontrando 0days-en_2020_-_antonio_morales
Rooted2020 encontrando 0days-en_2020_-_antonio_moralesRooted2020 encontrando 0days-en_2020_-_antonio_morales
Rooted2020 encontrando 0days-en_2020_-_antonio_morales
 
Rooted2020 emotet is-dead_long_live_emotet_-_victor_acin
Rooted2020 emotet is-dead_long_live_emotet_-_victor_acinRooted2020 emotet is-dead_long_live_emotet_-_victor_acin
Rooted2020 emotet is-dead_long_live_emotet_-_victor_acin
 

Recently uploaded

Modern Roaming for Notes and Nomad – Cheaper Faster Better Stronger
Modern Roaming for Notes and Nomad – Cheaper Faster Better StrongerModern Roaming for Notes and Nomad – Cheaper Faster Better Stronger
Modern Roaming for Notes and Nomad – Cheaper Faster Better Strongerpanagenda
 
So einfach geht modernes Roaming fuer Notes und Nomad.pdf
So einfach geht modernes Roaming fuer Notes und Nomad.pdfSo einfach geht modernes Roaming fuer Notes und Nomad.pdf
So einfach geht modernes Roaming fuer Notes und Nomad.pdfpanagenda
 
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024BookNet Canada
 
The State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptxThe State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptxLoriGlavin3
 
How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.Curtis Poe
 
Visualising and forecasting stocks using Dash
Visualising and forecasting stocks using DashVisualising and forecasting stocks using Dash
Visualising and forecasting stocks using Dashnarutouzumaki53779
 
(How to Program) Paul Deitel, Harvey Deitel-Java How to Program, Early Object...
(How to Program) Paul Deitel, Harvey Deitel-Java How to Program, Early Object...(How to Program) Paul Deitel, Harvey Deitel-Java How to Program, Early Object...
(How to Program) Paul Deitel, Harvey Deitel-Java How to Program, Early Object...AliaaTarek5
 
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024BookNet Canada
 
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxMerck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxLoriGlavin3
 
UiPath Community: Communication Mining from Zero to Hero
UiPath Community: Communication Mining from Zero to HeroUiPath Community: Communication Mining from Zero to Hero
UiPath Community: Communication Mining from Zero to HeroUiPathCommunity
 
What is DBT - The Ultimate Data Build Tool.pdf
What is DBT - The Ultimate Data Build Tool.pdfWhat is DBT - The Ultimate Data Build Tool.pdf
What is DBT - The Ultimate Data Build Tool.pdfMounikaPolabathina
 
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptxThe Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptxLoriGlavin3
 
[Webinar] SpiraTest - Setting New Standards in Quality Assurance
[Webinar] SpiraTest - Setting New Standards in Quality Assurance[Webinar] SpiraTest - Setting New Standards in Quality Assurance
[Webinar] SpiraTest - Setting New Standards in Quality AssuranceInflectra
 
Take control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteTake control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteDianaGray10
 
Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 3652toLead Limited
 
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024BookNet Canada
 
Unraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfUnraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfAlex Barbosa Coqueiro
 
Developer Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLDeveloper Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLScyllaDB
 
SALESFORCE EDUCATION CLOUD | FEXLE SERVICES
SALESFORCE EDUCATION CLOUD | FEXLE SERVICESSALESFORCE EDUCATION CLOUD | FEXLE SERVICES
SALESFORCE EDUCATION CLOUD | FEXLE SERVICESmohitsingh558521
 
Scale your database traffic with Read & Write split using MySQL Router
Scale your database traffic with Read & Write split using MySQL RouterScale your database traffic with Read & Write split using MySQL Router
Scale your database traffic with Read & Write split using MySQL RouterMydbops
 

Recently uploaded (20)

Modern Roaming for Notes and Nomad – Cheaper Faster Better Stronger
Modern Roaming for Notes and Nomad – Cheaper Faster Better StrongerModern Roaming for Notes and Nomad – Cheaper Faster Better Stronger
Modern Roaming for Notes and Nomad – Cheaper Faster Better Stronger
 
So einfach geht modernes Roaming fuer Notes und Nomad.pdf
So einfach geht modernes Roaming fuer Notes und Nomad.pdfSo einfach geht modernes Roaming fuer Notes und Nomad.pdf
So einfach geht modernes Roaming fuer Notes und Nomad.pdf
 
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
 
The State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptxThe State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptx
 
How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.
 
Visualising and forecasting stocks using Dash
Visualising and forecasting stocks using DashVisualising and forecasting stocks using Dash
Visualising and forecasting stocks using Dash
 
(How to Program) Paul Deitel, Harvey Deitel-Java How to Program, Early Object...
(How to Program) Paul Deitel, Harvey Deitel-Java How to Program, Early Object...(How to Program) Paul Deitel, Harvey Deitel-Java How to Program, Early Object...
(How to Program) Paul Deitel, Harvey Deitel-Java How to Program, Early Object...
 
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
 
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxMerck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
 
UiPath Community: Communication Mining from Zero to Hero
UiPath Community: Communication Mining from Zero to HeroUiPath Community: Communication Mining from Zero to Hero
UiPath Community: Communication Mining from Zero to Hero
 
What is DBT - The Ultimate Data Build Tool.pdf
What is DBT - The Ultimate Data Build Tool.pdfWhat is DBT - The Ultimate Data Build Tool.pdf
What is DBT - The Ultimate Data Build Tool.pdf
 
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptxThe Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
 
[Webinar] SpiraTest - Setting New Standards in Quality Assurance
[Webinar] SpiraTest - Setting New Standards in Quality Assurance[Webinar] SpiraTest - Setting New Standards in Quality Assurance
[Webinar] SpiraTest - Setting New Standards in Quality Assurance
 
Take control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteTake control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test Suite
 
Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365
 
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
 
Unraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfUnraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdf
 
Developer Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLDeveloper Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQL
 
SALESFORCE EDUCATION CLOUD | FEXLE SERVICES
SALESFORCE EDUCATION CLOUD | FEXLE SERVICESSALESFORCE EDUCATION CLOUD | FEXLE SERVICES
SALESFORCE EDUCATION CLOUD | FEXLE SERVICES
 
Scale your database traffic with Read & Write split using MySQL Router
Scale your database traffic with Read & Write split using MySQL RouterScale your database traffic with Read & Write split using MySQL Router
Scale your database traffic with Read & Write split using MySQL Router
 

Raúl Siles - IOT: INTERNET OF T... [rooted2018]

  • 1. 2018 © Dino Security S.L. All rights reserved. Todos los derechos reservados. www.dinosec.com
      IoT: Internet of T…
      www.dinosec.com, @dinosec
      Raúl Siles, Founder & Senior Security Analyst, raul@dinosec.com
      March 3, 2018
  • 2. This presentation is inspired by true events. All events, locations, characters, persons, companies, firms, and IoT products :) depicted in this presentation, even those based on real devices, are fictitious. Any resemblance to reality is purely coincidental and unintentional.
  • 3.
  • 4. Disclaimer
      • Real devices and details have been sanitized to minimize the risk of vendor identification and massive exploitation.
      • Live demonstrations and videos have to deal with and overcome these constraints.
      • Any resemblance of images, screenshots, text, code snippets, and other details… to reality is purely coincidental and unintentional.
  • 5. IoT: Internet of T…
      • IoT, Internet of Things
        – Terror
        – Traps, Tricks, Targets, Threats, Turbulences, Toilets… :)
        – Trends
        – Topics, Timers…
        – …
      • Internet of Testing
      • Internet of Trust
      https://twitter.com/dinosec/status/954283251081928706 (Carles, Javier…)
  • 6. IoT Security Analysis Methodology
      • Hardware components (+buttons/interfaces/ports...)
      • Firmware
      • "Cloud" services
      • Mobile apps
      • (Admin/Mgmt.) Web interface (& other services)
      • Wireless/Radio communications
      • Local storage
      "Análisis de los vectores de ataque del Internet de las cosas (IoT)" https://www.ismsforum.es/estudioCEM
  • 7. RootedCON 2016
  • 8. Target
  • 9. Advanced IoT Solutions: Parts List :)
      • Central controller or hub
      • Wireless peripheral devices
        – Sensors
        – Actuators
      • "Cloud" services
      • Mobile apps
      • Web interface (& other services)
  • 10. Target: Domotic IoT Solution ((Smart) Home Automation)
      • Central controller or hub (plus remote controllers)
      • Wireless peripheral devices: Sensors & Actuators
        – Environmental control system
          • Heating system
          • Shutters
        – Lighting system and power plugs
        – Physical access (e.g. garage door)
      • "Cloud" services, mobile apps, web interface…
  • 11. Market(ing) vs. Real Needs
  • 12. Domotic IoT Solution: Technologies
      • IoT: Internet (TCP/IP) of T…
      • Radio/Wireless technologies (proprietary protocols)
        – v1: 433 MHz (∼50m)
          • Up to 6 paired transmitters (or channels)
        – v2: 868 MHz (∼150m) + state feedback
          • Up to 32 paired transmitters
          • Transmitter, receiver (+ feedback) or transceiver
      • USB expansion port: Z-Wave?…
      • Absent wireless technologies: Wi-Fi, Bluetooth, ZigBee, etc.
  • 13. Target: Blueprint
  • 14. Finding the entry…
  • 15. Outline
      • Hardware components (+buttons/interfaces/ports...)
      • Firmware
      • "Cloud" services
      • Mobile apps
      • (Admin/Mgmt.) Web interface (& other services)
      • Wireless/Radio communications
      • Local storage
  • 16. Hardware Teardown
  • 17. Target: Hardware
  • 18. Hardware Teardown
      • Central controller or hub (Internet to radio/wireless)
      • Remote control (up to 3/16 channels)
      • Heating system (thermostat schedule)
        – Heating controller (software), heater/boiler module (with state feedback) and temperature sensor
      • Lighting (e.g. indoor/outdoor bulbs, ceiling lights, lamps… anything)
        – On/off or dimmer module, wall switch, motion or presence detector, opening detector and power plugs (on/off or dimmer)
      • Physical environment and access control
        – Shutter module (with state feedback), and door or gate module
  • 19. Devices Classification
      • Transmitters (∼sensors)
        – Remote controller
        – Wall switch
        – (indoor/outdoor) Motion or presence detector
        – (door/window) Opening detector
        – Temperature sensor
      • Receivers (∼actuators)
        – Heater/boiler module
        – Shutter module
        – Door or gate module
        – Lighting on/off or dimmer module
        – Power plugs (on/off or dimmer)
      • Transceiver
        – Central controller or hub
  • 20. Hardware Hacking 101 :)
      • Screwdriver hacking!
      Thanks to my father!
      857/1 Z fork-tip bit, or bit for spanner screws
  • 21. Remote Controller
      • 3 channels
      • NDR433TS:
        – NEDI SAW (surface-acoustic-wave) resonator
          • Frequency stabilization at 433.920 MHz
      • Radio chip: 611S21 * DA17DB
        – Unknown (radio chip)
          • Found a single Internet reference in Norwegian for 433.92 MHz
          • Google, www.findchips.com, etc.
  • 22. Shutter or Door/Gate
  • 23. Hub or Central Controller
  • 24. Temperature Sensor
      • Main (and unique) chip
        – …
  • 25. Heater / Boiler Module
  • 26. Power Plug
  • 27. 2018 © Dino Security S.L. All rights reserved. Todos los derechos reservados. www.dinosec.com Firmware
  • 28. 28 2018 © Dino Security S.L. All rights reserved. Todos los derechos reservados. www.dinosec.com Target: Firmware
  • 29. Firmware Updates
      • No auto update capabilities
      • Manual download from manufacturer website (or by contacting support)
      • Backup current configuration first :-) (…via cloud only :-( )
      • Upload '<version>.bin' file via web interface
          – Authentication required as "admin" (web interface details)
          – No signature (build your own firmware version :-) and…)
      • Restart
      Use <a href="/upload">MPFS Upload</a> to program web pages... (strings)
  • 30. Firmware Analysis
  • 31. Firmware Analysis: Details
      • binwalk: Firmware analysis tool
          – Found: MPFS v2.1 filesystem, images (PNG, GIF, JPEG, TIFF…), compressed data (gzip and Zlib), HTML documents, etc.
      • No encryption and just… some compression
      • "strings is your friend…" (e.g. Google Maps API key)
      https://github.com/ReFirmLabs/binwalk

      Version 3.5.2
      Builddate Mar 3 2018
      Productmodel A8021
      FW-Version 186370035640
      …
      MPFS-2.1

      autologin
      # login as user
      admin
      # login as admin
      usrpass 52d04dc20036dbd8
      setpass 7a57a5a743894a0e
  • 32. Firmware Analysis: Filesystem Format
      • MPFS (Microchip PIC File System)
          – Indexed web files for auto tag expansion (e.g. ~foo~)
          – Plain and compressed files
      • Microchip TCP/IP Stack
          – Microchip's HTTP(2) web server
          – MPFS(2)
      • Internal memory or EEPROM
      https://books.google.es/books?id=V1wLsfO1114C
  • 33. Firmware MPFS Extraction
      • binwalk custom plugin
          – Signature: known MPFS data signatures ("…/magic/filesystems")
              • Starts with the string "MPFS{v}{s}{f}" (version, subversion, file entries)
              • MPFS{byte}{byte}{leshort} (byte: 8-bit integer; leshort: little endian 2-byte integer)
          – Extractor: <missing>
      • MPFS extraction tools… :-(
      • MPFS2 extraction tools
          – mpfs2-fsutil (--list & --extract)
          – https://www.mjoldfield.com/atelier/2007/12/mpfs2.html
      https://github.com/ReFirmLabs/binwalk/wiki/Creating-Custom-Plugins
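The header layout on slide 33 ("MPFS", one byte version, one byte subversion, little-endian 16-bit file-entry count) is enough to locate the filesystem inside a firmware image. The sketch below is an added example, not the presenter's binwalk plugin; the `max_version` plausibility bound and the sample blob are assumptions made here.

```python
import struct

MAGIC = b"MPFS"

def scan_mpfs(blob, max_version=9):
    """Return (offset, version, subversion, file_entries) for plausible MPFS headers.

    Layout from the slide: "MPFS" {byte version} {byte subversion} {leshort entries}.
    max_version is an assumed plausibility bound, used to reject text such as
    "MPFS-2.1", where the two bytes after the magic are ASCII characters.
    """
    hits = []
    pos = blob.find(MAGIC)
    while pos != -1:
        fields = blob[pos + 4:pos + 8]
        if len(fields) == 4:  # skip a magic truncated at the end of the image
            version, subversion, entries = struct.unpack("<BBH", fields)
            if 1 <= version <= max_version and subversion <= max_version and entries:
                hits.append((pos, version, subversion, entries))
        pos = blob.find(MAGIC, pos + 1)
    return hits

def build_sample():
    """Constructed firmware-like blob: a text string, then one binary header."""
    text = b"Productmodel A8021\x00MPFS-2.1\x00"
    padding = b"\xff" * 32
    header = MAGIC + struct.pack("<BBH", 2, 1, 42)  # v2.1, 42 file entries
    return text + padding + header + b"\x00" * 64, len(text) + len(padding)

if __name__ == "__main__":
    blob, _ = build_sample()
    for off, ver, sub, n in scan_mpfs(blob):
        print(f"0x{off:x}: MPFS v{ver}.{sub}, {n} file entries")
```

The text string "MPFS-2.1" that `strings` reports is rejected because its bytes after the magic decode to version 45.50; only the binary header is returned.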
  • 34. Physical Firmware Extraction
      • 4-pin JTAG interface
          – Joint Test Action Group
      • PIC
          – TMS, TDO, TCK, TDI
          – Pins: 23, 24, 27, 28
              • TMS (Test Mode Select)
              • TDO (Test Data Out)
              • TCK (Test Clock)
              • TDI (Test Data In)
              • TRST (Test Reset) optional
  • 35. "Cloud" Services
  • 36. Cloud Service
      • User to cloud
          – Direct access to the IoT environment through the cloud
          – Web browser (traditional computer or mobile) and/or mobile app
          – Registration process
          – Backup / Restore capabilities
              • Not available through local web server or via mobile app !!!!
      • IoT to cloud
          – Communication between the IoT environment and the cloud
          – Proprietary protocol, enabled by default
  • 37. Target: User to Cloud
  • 38. TCP/IP Port Mapping
      • What do you think of a critical cloud server that has…?
      21/tcp 22/tcp 25/tcp 53/tcp 80/tcp 110/tcp 143/tcp 443/tcp 465/tcp 587/tcp 993/tcp 995/tcp 3128/tcp 8080/tcp 8081/tcp 8090/tcp
      … this list of open ports, and more!
  • 39. Cloud Passwords
      • At some point, you cannot log in again (web and mobile)
      • After logging in, you should receive a Bearer Token (OAuth 2.0), used for API requests
      • Instead, you get a JSON error (interception proxy)
      • Reason: After extensive research…
          – Does the vendor even know it?
          – If your password is longer than 25 characters (back-end issue)
          – Have you heard about passphrases?
      {"code":503,"error":"server_error","error_description":"server_error"}
  • 40. Something Does Not Smell Very Well Here…
  • 41. Backup / Restore Capabilities
      • Is it possible to access other IoT environments' backups?
          – Backups are saved in a proprietary plain text format
              • Reverse engineer backup format to extract rooms, device IDs, MD5…
      • Is it possible to make backups of other IoT environments? :-)
      • Anonymously?
  • 42. Target: IoT to Cloud
  • 43. IoT to Cloud
      • Proprietary protocol similar to HTTP
          – Enough to make standard HTTP(S) interception proxies fail
          – Solution: mitm_relay (or NoPE) + Burp (et al.)
      • Custom port (1234/tcp)
      • Enabled by default
      • No encryption, no integrity, no…thing
      • Discloses multiple device IDs: model, firmware version, MAC address, serial number, and message ID
      https://github.com/jrmdev/mitm_relay
  • 44. IoT to Cloud: Proprietary Protocol
      JSON API

      ABCD/1.0 CONNECT
      Model: …
      FW-Version: …
      MAC: …
      SN: …
      Message-ID: …

      ABCD/1.0 KEEP-ALIVE
      Message-ID: …
  • 45. IoT to Cloud: Admin Access
      • Unencrypted: Cloud requesting admin access to IoT hub…

      ABCD/1.0 API-REQUEST
      X-Token: …
      Content-Length: …
      god=admin

      ABCD/1.0 API-RESPONSE
      Message-ID: …
      {…"msg":"API_NOT_AUTHED"}

      ABCD/1.0 API-REQUEST
      X-Token: …
      Content-Length: …
      user=admin&pass=7a57a5a743894a0e&autologin=0&god=login&…

      ABCD/1.0 API-RESPONSE
      Message-ID: …
      {…"msg":"SUCCESS"}

      Full access to IoT hub and the associated IoT environment...
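Slides 43 to 45 describe identifiers and admin credentials crossing 1234/tcp with no protection. The following added example (not the presenter's tooling) parses one captured message and reports which of those fields are visible in cleartext; the CRLF framing, the field sets and the sample MAC, SN and token values are assumptions constructed here.

```python
from urllib.parse import parse_qs

# Fields the slides describe as travelling unprotected on 1234/tcp.
ID_HEADERS = {"model", "fw-version", "mac", "sn", "x-token"}
CREDENTIAL_PARAMS = {"user", "pass"}

def parse_message(raw):
    """Split one message into (verb, headers, body).

    Assumed framing (the slides only say "similar to HTTP"): a start line,
    "Name: value" header lines separated by CRLF, a blank line, then a body
    of Content-Length bytes.
    """
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("ascii", "replace").split("\r\n")
    proto, _, verb = lines[0].partition(" ")
    if not proto.startswith("ABCD/") or not verb:
        raise ValueError("not an ABCD start line: %r" % lines[0])
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    length = headers.get("content-length", "0")
    size = int(length) if length.isdigit() else 0
    return verb, headers, body[:size].decode("ascii", "replace")

def cleartext_findings(raw):
    """Return (verb, sorted list of exposed fields) for one captured message."""
    verb, headers, body = parse_message(raw)
    found = ["header:" + h for h in sorted(ID_HEADERS.intersection(headers))]
    params = parse_qs(body, keep_blank_values=True)
    found += ["param:" + p for p in sorted(CREDENTIAL_PARAMS.intersection(params))]
    return verb, found

def sample_messages():
    """Constructed messages shaped like the slides; MAC, SN and token are made up."""
    connect = (b"ABCD/1.0 CONNECT\r\nModel: A8021\r\nFW-Version: 186370035640\r\n"
               b"MAC: 00:11:22:33:44:55\r\nSN: CONSTRUCTED-SN\r\nMessage-ID: 1\r\n\r\n")
    body = b"user=admin&pass=7a57a5a743894a0e&autologin=0&god=login"
    request = (b"ABCD/1.0 API-REQUEST\r\nX-Token: CONSTRUCTED-TOKEN\r\n"
               b"Content-Length: %d\r\n\r\n" % len(body)) + body
    return connect, request
```

Any non-empty result from `cleartext_findings` on traffic captured at the network boundary means the link needs transport encryption before those fields are sent.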
  • 46. Mobile Apps
  • 47. Target: Mobile Apps
  • 48. Mobile Apps
      • iOS and Android
  • 49. Username Enumeration in iOS
      • In the login page for the mobile app… :-(

      POST /auth HTTP/1.1 (via HTTPS)
      Host: cloud.example.com
      ...
      {username: "monica", password: "0123456789abcdef"}

      {"code":"101","error":"error","error_description":"Wrong Password"}
      {"code":"100","error":"error","error_description":"User not found"}

      • And as a bonus, if the username does not exist…

      POST /auth HTTP/1.1 (via HTTP)
      Host: example.com
      ...
      {username: "monica", password: "0123456789abcdef"}

      • Be careful with typos in your username :-)
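The two distinct error bodies on slide 49 are what make usernames enumerable. This added example (not the vendor's code) puts that behaviour next to a handler that returns one reply and performs the same hashing work for unknown users; the user store, the success body and the generic error wording are assumptions.

```python
import hashlib
import hmac
import os

def _derive(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

# Constructed in-memory user store: username -> (salt, derived key).
_SALT = os.urandom(16)
USERS = {"monica": (_SALT, _derive("constructed-passphrase", _SALT))}
_DUMMY = (os.urandom(16), b"\x00" * 32)  # used when the username is unknown

def _err(code, text):
    return {"code": code, "error": "error", "error_description": text}

def auth_enumerable(username, password):
    """Behaviour shown on the slide: the reply reveals whether the user exists."""
    if username not in USERS:
        return _err("100", "User not found")
    salt, key = USERS[username]
    if not hmac.compare_digest(_derive(password, salt), key):
        return _err("101", "Wrong Password")
    return {"code": "0"}  # success body is an assumption, not from the slide

def auth_uniform(username, password):
    """Same reply and same hashing work whether or not the user exists."""
    salt, key = USERS.get(username, _DUMMY)
    ok = hmac.compare_digest(_derive(password, salt), key)
    if not (ok and username in USERS):
        return _err("101", "Invalid username or password")  # hypothetical wording
    return {"code": "0"}
```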
  • 50. Web Interface
  • 51. Target: Web Interface
  • 52. Web Interface
      • Local administrative/management web interface
      • Only port 80/tcp open
          – HTTPS?
      • Settings section (e.g. "/settings/") requires authentication
          – Default password: admin – no username?
          – Did I mention there is no encryption?
      • Traditional or mobile access
  • 53. Admin Web Interface (via Mobile)
  • 54. Admin Web Interface
      • Login page simply requests a password, but…

      <html>
      <head><title>Login</title>~inc:inc/header.inc~</head>
      <body>
      <div class="login"><h2>Admin Login</h2>
      <div class="login-form">
      <input id="user" type="hidden" value="admin">
      <input id="password" type="password" placeholder="password">
      <button id="login">LOGIN</button>
      </div>...

      • Change password…

      <input id="admin-pass" class="admin-pass" name="admin-pass" type="password" maxlength="16" disabled>
      var pwdvalidator = {required: true, rangelength: [4, 16]};
      config('setpass', md5($('#admin-pass').val(), 16));
  • 55. Web Interface Passwords
      • MD5-related passwords?
      • Dynamic analysis
      • Static analysis
      • Firmware password-like strings…

      Firmware:
      usrpass 52d04dc20036dbd8
      setpass 7a57a5a743894a0e

      Usage: md5(<password>, 16)
      File: md5.js
      ... if(h==16){return a.substr(8,16)} ...

      $ jsc getmd5.js -- "IoT"
      60a13f2f4c7e11c7

      81dc9bdb52d04dc20036dbd8313ed055 --> 1234
      21232f297a57a5a743894a0e4a801fc3 --> admin
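Slide 55 shows that the stored values are the middle 16 hex characters of an unsalted MD5, so identical passwords give identical strings on every device. The added example below (not the firmware's code) reproduces the slide's `md5(<password>, 16)` to audit an image for shipped defaults, then shows salted PBKDF2 storage as the alternative; the iteration count and function names are choices made here.

```python
import hashlib
import hmac
import os

def md5_16(password):
    """What the slide's md5.js does for h == 16: hex MD5, then substr(8, 16)."""
    return hashlib.md5(password.encode()).hexdigest()[8:24]

# Values the slide lists as found in the firmware image.
FIRMWARE_HASHES = {"usrpass": "52d04dc20036dbd8", "setpass": "7a57a5a743894a0e"}

def audit_defaults(stored, candidates):
    """Map each stored field to the candidate default that reproduces it, if any."""
    table = {md5_16(c): c for c in candidates}
    return {field: table.get(value) for field, value in stored.items()}

def hash_password(password, salt=None, iterations=200_000):
    """Hardened storage: per-device random salt and PBKDF2-HMAC-SHA256."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return salt, iterations, digest

def verify_password(password, record):
    """Recompute with the stored salt and compare in constant time."""
    salt, iterations, digest = record
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return hmac.compare_digest(candidate, digest)

if __name__ == "__main__":
    # The two defaults the slide itself names.
    print(audit_defaults(FIRMWARE_HASHES, ["admin", "1234"]))
    a, b = hash_password("admin"), hash_password("admin")
    print("same password, same stored value?", a[2] == b[2])
```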
  • 56. Firmware Upload Capabilities
      • Without authentication (obtained via firmware strings…)
  • 57. Wireless/Radio Communications
  • 58. Target: Wireless/Radio Communications
  • 59. Wireless Communications
      • Adding new wireless devices (pairing)
          – Pairing 433 & 868 MHz devices
          – Wireless devices classification
      • Digital modulation for 433 & 868 MHz signals
      • Replaying 433 & 868 MHz signals
      • Decoding 433 & 868 MHz signals
  • 60. HackRF One OperaCake
  • 61. OperaCake: Auto-Antenna Selection
  • 62. Wireless Devices Classification
      • Receivers
          – Grab signals and store them in memory (learning function)
      • Transmitters
          – Generate signals (static or dynamic :-) )
      • Transceivers
          – Both (e.g. receivers with state feedback)
      • Hub
          – Legitimate replay attacks :-)
      Hardware Components
  • 63. Digital Modulation for 433 MHz Devices
  • 64. Digital Modulation for 868 MHz Devices
  • 65. Playing with Wireless/Radio Signals
      • Replaying 433 & 868 MHz signals
          – "script-kiddie" attacks
      • Decoding 433 & 868 MHz signals
          – Digital demodulation (reverse engineering radio signals)
  • 66. Internet of T…
  • 70. Heater Module: GRC
  • 71. Heater Module: rfcat script
  • 72. Conclusions
  • 73. IoT: Internet of T…
      • Internet of Troubles
      • Internet of Testing
      • Internet of Trust
  • 74. Spanish Collection of Proverbs
      "Cada uno en su casa… y DiOs en la de todos" ("Everyone in their own house… and God in everyone's") todo
  • 75. Credits
      – Produced by: – Sponsored by: – Casting by: – Supported by: – Music & visuals by: – Costume designer:
      Raúl Siles, Mónica Salas, E & E, IoT vendors, My parents, et al., Siletes, DinoSec
  • 76. www.dinosec.com @dinosec Raúl Siles raul@dinosec.com
  • 77. Questions? www.dinosec.com @dinosec