
All Your Solar Panels belong to Me


Formal metadata

Title
All Your Solar Panels belong to Me
Series title
Number of parts
93
Author
License
CC Attribution 3.0 Unported:
You may use, modify, and reproduce, distribute and make publicly available the work or its content, in unchanged or changed form, for any legal purpose, provided you credit the author/rights holder in the manner they specify.
Identifiers
Publisher
Year of publication
Language

Content metadata

Subject
Genre
Abstract
I got myself a new toy: a solar array. With it came a little device by a top-tier manufacturer that manages its performance and reports SLAs to the cloud. After spending a little time describing why it tickled me pink, I'll walk you through my research, and yes, root is involved! Armed with the results of this pen test, we will cover the vendor's reaction to the bee sting: ostrich strategy, denial, panic, shooting the messenger and more. Finally, not because I know you get it, but because the rest of the world doesn't, we'll cover the actual threats associated with something bound to become part of our critical infrastructure. Yes, in this Shodan world, one could turn off a 1.3 MW solar array, but is that as valuable as using that device to infiltrate a celebrity's home network?

Bio: Fred Bret-Mounet's descent into the underworld of security began as a pen tester at @stake. Now, he leads a dual life: info sec leader by day, rogue hacker by night. His life in the shadows and endless curiosity have led to surprising home automation hacks, playing with Particle Photons and trying to emulate Charlie & Chris' car hacking on his i3.
Transcript: English (automatically generated)
First thing, I need to record my selfie. Thank you guys. Whatever the outcome is, I have evidence it was a success. My success. Excellent. You guys are working on that? Okay.

[In French:] Here we go. Who has seen Le Dîner de cons? Welcome to my dinner. For the, yeah, sorry, closed captioning. Sorry folks. A wonderful day. Thank you guys. A French movie called The Dinner Game. Very dark French humor.

Who has solar panels? Who cares about their privacy? Yeah. You didn't raise your hand? Get out. There's an EFF talk, I think, next door. You can ask about privacy. Still nothing. Is it working on that side? Yeah. Who's seen WarGames? Excellent movie. It hasn't aged a minute. I did. But even if Lightman was cool, I was much more serious about my craft. Serious enough not to have the distraction of a girlfriend. By choice, of course. This quote is excellent. It is actually what I believe I am: taking things, opening them up and figuring out ways to make them better. Isn't that why you're all here? It's not happy hour yet. Hey, by the way, I need my speaker shot. I could use two, actually. Thank you.

So we're going to talk solar. This is a system by Tigo. I brought the little part that is the only piece we're going to look at today, which is the connection between the solar array and the internet. It's really cool because not only does it upload production data to the internet, it also downloads configuration for the panels: things like maximum power, voltage, maximum temperature of the panels and things like that. Of course, over the internet. What it does is give the installer the ability to remotely monitor the production of my system. Why? Because they have an SLA, and they actually guarantee production of my array and will pay me back if it doesn't produce what it's expected to. Yes indeed. I could. I would not. Just think about it. About 9000 kilowatt-hours a year of production. This says 15 cents. Yes, I could score a thousand, two thousand bucks, but I would get busted for it, because this is not the only thing that reports my production. So that angle you can have fun with, not with me.

This is what started it all. You know how you take your Nest, or any IoT device: when you initially power it, it starts advertising an access point, you connect to it, configure it, tell it "this is my home network," and then it shuts down and becomes just a Wi-Fi client. Not this one. It connects both to my network and to the open access point. That really, really bugged me. So I needed to figure out how to fix that problem and started inventorying all of the attack surfaces I had at my disposal. We talked about the access point. A little HTTP server that we'll talk about later. SSH, cool. Yeah, except there's a built-in defense in depth, maybe: it crashes after 1500 tries. I have to power cycle the device. So quickly it was no longer funny. Serial to TCP: I never got it to work, unfortunately, but it had a nice little UI. Do you want the console to be tunneled through TCP, or the display, this little guy, or the gateway that it controls through the serial port?

From a physical perspective, of course I opened that box. Remember what I told you? I take a screwdriver to anything. Nicely labeled, at the bottom left of the screen, you see a little silkscreen saying "console." Guess what? You plug in your serial-to-USB connector and it works. So I had a nice console interface, which unfortunately required authentication, so back to square one. U-Boot. So this is excellent. Maybe I could boot it in recovery mode, fix the password. No, unfortunately they put a password on the boot loader. And now I have a confession. I live in California. This was October, the middle of winter. This device is outdoors. It was too hard for me to take, so I had to look at an easier and more comfortable path.

So behind this access point there is a website, as I mentioned. That website has properties. If you use Shodan you'll find out that actually twelve or so very courageous people, maybe ignorant, decided to have that device also internet accessible. Guys, this is where you're supposed to laugh. Thank you. Thanks to Shodan I was able to verify that my findings... actually, no. My lawyer's not present, so do what you want with the Shodan findings. Remember the open access point? It has an SSID. So I went to those wonderful folks at WiGLE.net and looked at their database. Guess what? I'm not the only one who detected those. They're all over the world and they're captured for posterity. You now have GPS coordinates of all of those devices, or some of those devices. Who wardrives? Thank you. Keep doing it. Upload to WiGLE, because it's a treasure trove of data about people that, I can't say f'd up, messed up.

Let's go back to the web server. That's it. My talk is over. Thank you. There's an authentication screen. We can't do much about it, can we? Of course not. It's funny how I've seen other slide decks today that also use a password file called rockyou.txt. Who's used it in the past? Oh, come on guys. If you didn't raise your hand: that's the best password file on earth. So I ran my brute force. Thirty-six hours later... yeah, I know, I know, I'm lazy, but it was thirty-six computer hours, not mine. Turns out admin / support works very well.

Okay, where do we go from there? Looking around the little website on the server, there's a nice little page that caught my attention. Now, what happens when you put a file there? For those of you who don't have the URL-decode option on their Google Glasses, this is what it looks like. Copy the shadow file into that location. What would happen? Yeah, I might break my twenty-thousand-dollar solar array by putting something there. But I didn't. By the way, this MD5, I tried to brute force it. I failed. If you ever get to it, I believe it is still on those devices. Please send me an email. I would appreciate it. So that route didn't work out. I needed something easier. Remember, I can essentially run a script through that injection. So, ps all. Oh, guess what? The HTTP server is running as root. Bingo. Also, the manufacturer was nice enough to have netcat already on the device. Ooh. By the way, I won't admit that in public, but it still took me four to six hours to get my reverse shell working. But I didn't say that. I did eventually get it working. I had root on that device.

What do you do with root? I know what I didn't do. I didn't get a copy of the file system. So once I was locked out, I no longer had anything to work on. But after a little bit of kung fu with the drive mount... come on. I know, I know. It feels good to pretend I'm that good. What I did was not rocket science; I just had the time to do it. Clearly that manufacturer picked the wrong customer to sell a device to. I'm sure they're still regretting that move. It probably cost them a lot more in cleanup than it did in profits.

So anyhow, looking around the file system, something caught my attention. Actually, not the file system: the running processes. OpenVPN. You guys know what OpenVPN is for? A VPN tunnel. Guess what? That VPN tunnel was on at all times on the device. I didn't do it. And I swear this is not a joke: I did not scan that VPN subnet. The manufacturer confirmed that all of its little siblings are on that subnet. Of course, nowhere was it mentioned in any of the documentation, which nobody ever reads, that there was a VPN. Remember, that device is still on my home network. I was trusting it even though it didn't appear trustworthy. I was still doing that.

So let's move on to me trying to get something done about the device. So I try politely in October to get their attention. "Hey guys, there might be a problem. You know, I'd like to talk to someone who actually understands security." Yeah, by the way, in the back, if the font size is too small, next time remember DEF CON is all about LineCon. Get to the talk early. So a few emails later, while still trying to reach people who might understand me, through LinkedIn, my clueless installer and his contacts, I got nowhere. Actually, it got even worse. We're now in mid-December. "Are you the owner of this device? Do you have the right to do what you're doing?" Yeah, I've seen that play out not that well. They actually already had my full name, my email address, my everything. They already knew everything about me, but they couldn't find me in the database. This was the icing on the cake. For those in the back, I will read what is highlighted, or I'll paraphrase: "We can help you get access to the system." Do I need access to the system at that point? No, I can help myself. And I need to read that one, quote: "Info of system installed on your roof is always kept as confidential since it was installed." Apparently before it is installed, not guaranteed. And, you know, English is my second language. I don't understand that sentence.

So, time to change strategy. Clearly I'm getting nowhere. I've been at it for two months already. I'm talking to the wrong kind of support. So I send this email. What I'm saying is: remember the root picture? Here's a picture. The last line doesn't belong there. Forward this to whoever is in charge. I don't want to talk to you no more. Remember the VPN tunnel? Within an hour they were logging in on that device and they were starting to clean up. Not security cleaning up: damage-control cleaning up. Disabling my account, shutting down the web server and things like that, and in the process, yeah, disabling my entire array. It went offline for six hours. I was not done helping, guys. Please! I was trying to be nice. Thankfully, I didn't tell them about one thing I had found while browsing the file system. In that cgi-bin folder there was also a file called "shell." So I got back in and told them the next day about it, and repeat.

So that's the best part. Once I got to talk to someone in charge of their product development, great guy, his first response was: there's a problem, this is not a production device. What? I bought a Tesla at the Tesla price and the Autopilot crashes on me because it's a debug version I have? No, sorry, Tesla guys. I'm just jealous. Everybody in my neighborhood has one except for me. So if you guys are thankful for the talk, don't hesitate. Thank you. So, six months later, I'm pretty sure they were actually not lying. It was a very convenient excuse, but they happened to ship me a development build, and a few thousand others throughout the world.

What they did well: once I had a line of communication with Tigo, they were actually very welcoming of my finding and relatively forthcoming with sharing the insider information, like, for example, telling me "oh, all of those devices are on the same subnet through the VPN tunnel." It would have been preferable for them not to tell me that. One... shipping. Especially for the one... oh, this is a very important question, guys. Who in the audience is a black hat versus a white hat? Come on, raise your hands. Oh my god, there's not a single hand up. Yeah, okay. So next time you go into a system you're not authorized to, think about disconnecting it from the network before. Because this guy ships its logs every half an hour. And boy, was I noisy. Of course there was nobody looking, thank god. But it's important to realize that even small IoT devices have that capability, and you might trigger a few alerts if you're not too careful.

So we got root. I made fun of the vendor. Why am I talking about this? And this is actually the most important slide of the entire presentation. Yeah, I could remotely see this little red button, the software behind it. I could remotely shut down any of those thousands of solar arrays. I could be a pain to people off the grid. Maybe. There's not enough electricity production for it to be meaningful yet. It will be in a few years, but not today. What's more important is: this is a bot. I could have a thousand of those remotely controlled on your home network, spying on your home activity. You know. Oh shoot, my kid is here so I can't say "prawn." But things like that.

The biggest part, the part that bugs me the most, is that even though as a software engineer I've been a security practitioner for a long time, only after this device was on my network did I realize I really needed two networks: my home personal network and a completely independent IoT network, on which I have, of course, this guy now. He was the first candidate. But the Nest, a few development boards... Who's played with this guy? Who's played with the Particle Photons? Yay! Those are excellent devices. But just like this guy, don't trust them. My security cameras, you know, those cameras that I bought on Alibaba with that Chinese firmware. It is apparently very chatty. I won't go further. So yeah. Is your mom or your brother or your family expected to have two networks at home and to be able to manage those? No. There is no way that even we handle it. There is no way that customers of IoT can be expected to actually protect themselves from those devices. That is a very sad state, and I hope that message comes out of DEF CON as much as possible. Because it is time that we have a UL rating of devices that also takes into account your privacy. Because we all have that expectation. You don't buy a car without seat belts.

Yes, responsible disclosure is hard. Yes, don't give up. Please follow responsible disclosure. And finally, thank you to all IoT devices for so much entertainment. Thank you to quite a few people: my wife for tolerating my late nights. Rafel, where are you? Stand up. Keep doing your packet storming. And Tigo for not suing me. Thank you. You got me scared there. Guys, thank you.
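As an added example, not part of the talk and not Tigo's code, here is the bug class the speaker describes when he talks about the page that takes a file and the injection he used to run a script as root: a CGI request parameter spliced into a shell command, shown beside a hardened version of the same feature. The directory names, the `cp`-based handler, the `panel.cfg` sample file and the `touch` payload standing in for a reverse shell are all assumptions, since the page gives neither the real CGI nor its parameters; the block assumes a POSIX shell so the injected command actually runs.

```python
import os
import re
import shutil
import subprocess
import tempfile

# Constructed sandbox standing in for the device's filesystem (assumption:
# the real CGI's paths and parameter names are not on the page).
WORKDIR = tempfile.mkdtemp(prefix="solar-cgi-")
UPLOAD_DIR = os.path.join(WORKDIR, "uploads")   # where the CGI expects files
CONFIG_DIR = os.path.join(WORKDIR, "config")    # where it copies them to
os.makedirs(UPLOAD_DIR)
os.makedirs(CONFIG_DIR)
with open(os.path.join(UPLOAD_DIR, "panel.cfg"), "w") as fh:
    fh.write("max_voltage=48\n")   # constructed sample config file


def vulnerable_copy(filename: str) -> int:
    """Anti-pattern: the request parameter is spliced into a shell string.

    Anything after a ';' in `filename` runs as whatever user the web server
    runs as (root, in the talk). Returns the shell's exit status.
    """
    cmd = f"cp {UPLOAD_DIR}/{filename} {CONFIG_DIR}/"
    return subprocess.run(cmd, shell=True, stderr=subprocess.DEVNULL).returncode


# Allow-list: one alphanumeric first character, then up to 63 safe characters.
# No '/', no ';', no whitespace, no leading '.', so '..' never gets through.
SAFE_NAME = re.compile(r"[A-Za-z0-9][A-Za-z0-9._-]{0,63}")


def hardened_copy(filename: str) -> str:
    """Same feature without the injection: allow-list the name, confine the
    resolved path to UPLOAD_DIR, and never go through a shell.

    Returns the destination path, or raises ValueError on a rejected request.
    """
    if not SAFE_NAME.fullmatch(filename):
        raise ValueError("filename contains characters outside the allow-list")
    src = os.path.realpath(os.path.join(UPLOAD_DIR, filename))
    if os.path.dirname(src) != os.path.realpath(UPLOAD_DIR):
        raise ValueError("filename resolves outside the upload directory")
    if not os.path.isfile(src):
        raise ValueError("no such upload")
    dst = os.path.join(CONFIG_DIR, filename)
    shutil.copyfile(src, dst)    # plain file copy: no argv, no shell
    return dst


def demo() -> dict:
    """Run one constructed payload against both handlers and report the outcome."""
    marker = os.path.join(WORKDIR, "pwned")   # stands in for the reverse shell
    payload = f"x; touch {marker} #"          # '#' comments out the trailing dest
    vulnerable_copy(payload)                  # cp fails, touch still runs
    try:
        hardened_copy(payload)
        hardened_rejected = False
    except ValueError:
        hardened_rejected = True
    return {
        "vulnerable_ran_injected_command": os.path.exists(marker),
        "hardened_rejected_payload": hardened_rejected,
        "hardened_copied_legit_file": os.path.isfile(hardened_copy("panel.cfg")),
    }


if __name__ == "__main__":
    print(demo())
```

The two handlers do the same job for a well-formed request; the difference is that the hardened one never hands attacker-controlled text to `sh`, so the metacharacters that make the injection work have nowhere to go. The realpath check is belt-and-braces against symlinks inside the upload directory, and running the server as an unprivileged user would bound the damage further, which the talk's device did not do.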