Video in TIB AV-Portal: ICS VILLAGE - TOR for The IOT (TORT Reform)
CC Attribution 3.0 Unported:
You are free to use, adapt and copy, distribute and transmit the work or content in adapted or unchanged form for any legal purpose as long as the work is attributed to the author in the manner specified by the author or licensor.
Exploitation is a given. Unwanted parties will gain access eventually, whether through technical, physical, or social means. The only other certainty is that they will keep coming up with new ways to innovate. They have to blend in to succeed, so how do they balance those two competing influences? This is about more than the inconvenience, at worst, of having a simple I/IoT device taken over, or the creepiness of someone watching your home webcam. We will begin by analyzing the attacks that have happened and how they worked. Then we will build our own. I will walk through how an attacker doesn't just attack you, but can easily build a mass attack campaign to take over thousands of devices. Once they do, I show how, instead of that inconvenience, they can move laterally through the house and hop to steal interesting things like embarrassing photos, social security numbers, bank account information, intellectual property, and tax returns for profit. If you cannot keep them out, what can you do? For starters, let's understand how they communicate, including some unique ideas for protocols (Google Suite) and infrastructure (from the traditional smokescreen for non-attribution to re-purposing I/IoT devices). This is the attacker's vulnerability: they have to use your connectivity. Finding them on endpoints is fairly difficult because they have numerous ways to evade. But on the wire, the options are limited to just blending in. This talk aims to provide something to both offense and defense. For offense, a demonstration from basic (orientation of concepts) to novel approaches for traffic protocols and infrastructure. For defense, awareness of traffic patterns along with protocol analysis with experiential detail (Wireshark) helps them learn to fish (
My name is Bryson Bort, the founder of a start-up called SCYTHE, which, I just found out this week, we completed our seed round raise. So if you've never been in that position before, there's like no better feeling than when you finally get to stop having to ask people for money and just start doing the job. So you could... a round of applause for that. That's cool. So when I'm not building attack simulation platforms, I'm a co-founder of the ICS Village, so right over there, hope you come and check us out. And in today's talk I'm going to be talking about some different issues around the Internet of Things than probably you've heard before.

So the agenda: we'll start off by painting what is the landscape, the different kinds of attack types and TTPs (this got translated over, dropped my letters; yes, TTPs), this is where the IoT is and how to defend against it. So what we're going to be showing is, by working from what we've seen, one of the things that I'm going to take with my research a step further is showing how easy it is to build a mass attack campaign: so not just going after a particular IoT device, but showing how to build, no pun intended, the fishing net to go after tens of thousands at a time. And then the reason for the name of the talk was I wanted to talk about how to turn all those IoT devices into your own Tor. Has anybody ever had to give a talk before and you're running down to the deadline to complete your research, you know that feeling, and then you don't finish your research? So that part's going to be a little conceptual, I think; I didn't quite get all the way through it. It turns out putting the village together took a little bit more time than I'd hoped, but I will set up the concept and I will continue to publish that research as I actually do complete it.

All right, so who has IoT devices? All right, this is where we all raise our hands. It's the thing about this Internet of Things: they're ubiquitous, they're everywhere. I mean, we are not far away from these computers being embedded in our clothes, and you start thinking about that computerized underwear that's coming, it's happening, and that's a reflection of the fact that computing has finally reached this point where it is so cheap that we can mass-produce it and we can push computation anywhere. And that has phenomenal use when we start thinking about its purposes in our daily lives, or in manufacturing, industrial control systems: it's the ability to collect that data and then to bring some sort of automated intelligence analysis to drive something. It's fantastic. But then we start to think, well, what else could it be used for? And all that computational capacity is sitting out there just waiting for somebody to do something with it.
So we have, as a part of the CTF, what we call Howdy Neighbor, and that's a model smart house. And this is one of the things that we're going to be pushing out in the coming weeks: we actually have an IoT workshop for those of you who want to stand up your own piece to demonstrate what I'm going to be going through in today's research. So we're going to push that on GitHub, so stay tuned, and that'll show you everything you need to do to set it up yourself. We'll push out the builds; you don't even need to have your own environment, we'll provide the environment, and from the comfort of your own home you'll be able to walk through everything that I'm going to be demonstrating today.
So CES, which is actually here in Vegas and is about six times the size of DEF CON (I've never seen two hundred thousand people together before), I was there giving a talk on automotive mobility, and so I went with a journalist and we walked the floor, and of course the setup here was that we went to see all the new IoT devices that were coming out. And if you can imagine the discussions on security as we walked the floor: nobody had given any thought to it. This was my favorite, though. This is this engineered umbrella. This umbrella literally could do everything: it had built-in solar power that fueled the battery down here, it had just about every single communication protocol I'd ever heard of, I mean, it did your homework for you, it followed the sun around, it was incredible. And I start thinking to myself, well, why did we need to put all of these things in there? And then I thought of the second question, which is, how much does that cost? And so fortunately I was lucky, the CEO was there and she was kind enough to come up, and she's like, yes, how much do you think this umbrella costs? What, 350? Whoa, now you're like a magnitude off. You look like you raised your hand, I'm going to pick on you anyway: guess the number, above 350. 50,000? Well, it's not a Porsche, the Porsche of umbrellas, right here, but 9,000. 9,000, right. So yes, so of course the logical question is, who's the demographic who buys a 9,000 umbrella? I was lucky again that I was talking to the CEO, because she informed me she was buying ten of them for her vineyard. I don't own a vineyard.

So I summed up my experience of CES with two things: if it could be interconnected, it was, and everybody now wants to talk to everything. So you now have the choice, because they are putting voices into everything, so it's no longer just going to be in your head: everything you can be interacting with, you'll be able to talk to it and it'll talk back. Now there is a really interesting public quote, I think it was about two years ago, and I'll throw the company under the bus, LG, and they were releasing their new product line of all consumer appliances, and the vice president or whatever of products gets up at this press conference and this is what he says. He's like, we are putting the internet in everything. And of course the logical question from somebody in the audience was, why? He's like, well, because. And they're like, right, and so they came up with an idea like, well, a toaster, does a toaster need to be internet connected? He's like, no, but we're doing it. Seriously, you can look this up; this was the conversation this guy had in public. All right, so we've heard what IoT is, we know about IoT, and the industrial Internet of Things is basically the inclusion of that ubiquitous computing so that we can drive decisions for all sorts of interesting things besides what is in the consumer environment. I point this out because in this talk I'm using consumer devices to demonstrate it, but it applies just as easily to your house as it applies to the floor as it applies to lots of different uses of critical infrastructure.
So the state of affairs: these are the three kinds of things that we've seen. We have seen Brian Krebs get DDoSed by hundreds of thousands of Internet of Things devices. We have seen ransomware start to appear, and ransomware lands on an IoT device and locks it down and says, send me bitcoins. And then cryptojacking: cryptojacking is the fact that, now that bitcoin is actually worth something, I can take advantage of those computational cycles that are free to me as the bad guy and use your spare cycles to go mining cryptocurrency. Now if you look at all of this, how does this affect you, the end consumer, right? These devices are in your home, so it might be a little bit of an inconvenience that you're using a little bit more electricity; certainly the ransomware might be an issue, but that hasn't been that widespread; and then DDoSing Brian Krebs doesn't really affect you, right? So it might be a bit creepy that I'm on your web camera, but I haven't really done anything to bother you. And so we get a little carried away because, our community, we really love zero-days, but we have to really start to think about what does it matter, right? A zero-day in a Nest thermostat: am I really going to do that research so that I can play with your temperature, like, I don't want you to have 68, I want it to be 70? There's no money in that. So we need to put it in perspective of what in fact the security breach research is accomplishing.

So, a history of attacks. These follow two basic models. So Mirai: what they did is the fact that most people don't change their passwords, and there are about ten default password combinations that work on just about everything, and so the vendors push those out to you and the default password works. So what Mirai did was just scan the internet; anything that it saw that talked back to it, it threw those ten password combinations at it. Guess what, that worked. Reaper and IoTroop took it up a step further. They went and identified, because security researchers like us are constantly identifying these things, and let's say that even a security researcher who's doing the right thing contacts the vendor privately, gives time to push a patch out, and then releases the research. Well, they release research as a proof of concept, so that code is there for somebody who can just copy it down and use it. Now, assuming that the patch has been applied, that's great, that doesn't work. How many folks actually go around applying patches to their IoT devices? And we're the smart ones, right, we even know what a computer is. For the rest of the world it's black voodoo magic and they never even considered what a patch is. And so what Reaper and IoTroop did was: I'm just going to enumerate about 65 to 70 devices across multiple categories, match those to known exploits, because I just pull down that proof of concept code. Enumerate is where I fingerprint a device so I know exactly what it is, because you can't just go throw exploits willy-nilly; they won't work, they work on certain models and certain firmware versions. And so same case here: I have to make sure it is the device that I think it is, I match that up against my list, and then I'm going to launch that proof of concept code and automatically take it over. The difference here is, up here, if you change your password, this won't work; here it doesn't matter, if the patch isn't there then the device will be compromised.
So, phone patch history. Everyone has a phone. Who's heard of Stagefright? You remember Stagefright? What was Stagefright? Yeah, that's right. Stagefright, it's like a pun. So it was an SMS attack where I just had to send a text message to your phone, independent of you doing anything, and I got remote code execution. SMS. And so that of course was a really big deal because that works on both Android and Apple; you didn't even need to participate, I just sent some text, boom, I got you. So of course that was a critical failure. They pushed out patches. Nine months after it was discovered, these are countries, doesn't matter which ones, but fundamentally you just look at the red versus the blue: nine months after the patch was pushed out into the population, and cellphones are actually fairly easy to update compared to IoT devices, which you usually have to go manually download something for and then figure out how to interact with your device, this was how much of the world was still vulnerable nine months after a patch of that critical magnitude. Yeah, I mean, that's scary, right? This is our environment. Did you know that you only are supported for so long by your operating system vendors on phones? You have to buy a new phone. There's just going to be a point where you're on your own, and that is of course much shorter than what we see on traditional PCs.

So the setup. What we're going to show for this demonstration, like I said, this is a commercial demonstration, but the same thing would apply to any similar embedded system device in any other kind of environment. Our consumer in our smart house wants enhanced security. Alarm systems are expensive: why am I going to spend 99 bucks a month for ADT? I want to secure my house. Cost is a factor, as it often is. Consumers are primarily driven by two things: function, I want to do something; cost, I don't want to pay a lot. And so people are used to buying security cameras, so this is just a nominal security camera that we're going to use and put into our house. All right,
let's see if I can get this going. So our customer has bought his camera or her camera, and he or she... what? Okay, that's bad. You do it. It still works, all right. So we are logging in, we are setting up our web camera, and we're in. All right, at least it tells me I should change my password; that's a good start. So I'm putting in a really good password, I'm going to follow basic principles here. Oh, all right, well, no, it doesn't want special characters. So it's actually going to try to make me less secure. Thanks. So this is enforcing: me trying to do the right thing, and it won't let me do it as far as I want. So, nope, still making it hard. All right, we got there. Okay, so our camera's set up. You can actually go and see the view from the house across in the ICS Village. We set up port forwarding so that we're able to access this from the internet, because of course it's an internet security camera; this is something that I'm going to be using when I'm away from home. Okay, and let's see what our password was: it's applesauce-bang. Now remember, we tried to make a harder password but it wouldn't let us, but we're still ahead of the game because we've changed the default password and we're a step up.
All right, so what we're going to do is we're going to show the attacker perspective. Now our consumer's set up their IoT device, and what we're going to do is we're going to go from reconnaissance, to identifying what is everything we can see in the world, because the starting point from an attacker perspective, particularly when I'm looking at how to attack thousands to tens of thousands of devices around the world, is to find them, and I can only affect what I can touch. Enumerate: I want to make sure that I'm dealing with exactly what I think I am, that works with my exploit. I'm going to compromise, and then this is the part where we're going to make it more interesting: I'm going to use that IoT device not because it's the IoT device itself, right, I'm not interested in creeping on you in the webcam, I am interested in your personal information, your social security number, your bank accounts, your tax forms, and that's what we're going to do. We're going to show how to pivot through the network to take over other devices, eventually working my way to something that is interesting and stealing interesting information off that.

So first, reconnaissance and enumeration. So like we talked about, the camera's connected. Censys, this is just another version of Shodan, so we look out there for the model of camera that we're interested in from an attacker perspective, and we just happen to coincidentally pick the camera that matches what this consumer's put in, and by a quick search we can immediately see 2,700 cameras around the world that are available on port 80, so unencrypted. And now we get to play ze hackers, and of course we always have to have a picture when we demonstrate the hackers, of two items that do not go together, to demonstrate that we're doing bad things, so I hope all of you are, you know, wearing your masks and carrying a hair camera when you are hacking away.
And so now we're going to demonstrate the attacker view of how he's going to... all right, so first we're going to start with our reconnaissance phase. So we're going into Censys, which, like I said, is a Shodan equivalent, and we're going to pair together just the keys to identify that camera against port 80. We like port 80 because it's just open, without any certification. And here we get back all of the cameras that match that around the world. Probably have elevator music during this part. Okay, so we see there's a lot, and
the point of this is that this can be scripted. All right, so we click on a specific one and we see that through this we automatically can get a lot of information. All right, so now we're going to try to get in, and we're going to start off with the Mirai approach, which is we are going to try all of the password combinations and see if we can get in. And we failed. Score one for the home. All right, so now we're going to take it a step further. No, you told me this would be easy, I'm not good with computers. All right, so now we just saw the Mirai approach, where we try the default combinations, and that failed because we did change the password. And so now here is the code where we're going to launch a known N-day that we've identified (that was the slide I just skipped over quickly, I apologize; there's the proof of concept code for the N-day that's out there). No technical knowledge: all I have to do is copy-paste that down, and then my script here essentially goes to all the IP addresses that I pulled down from Censys and launches that known N-day against all of them, and we're root. So even though we changed the password, of course that was irrelevant; we have remote code execution. So now what I'm going to do is I'm going to enumerate the network for services, so this is the initial scan to identify what else can I see. Now I'm
looking for file shares, of course. File shares locally are where we post interesting information, and I find a Windows share, so we try brute-forcing that. One of the advantages also, if you think about it: now, remember our user initially changed the password on their web camera, so they were trying to do the right thing. How often do we reuse passwords? So when I use my exploit to land on that camera, I'm going to of course have access to your password file, and I'm going to take that password and I'm going to try it against everything that I can see. So that part of what I enumerate into that network is, I'm now going to add that into a dictionary attack in different combinations, because most of us tend to follow patterns of reusing passwords or derivative passwords, and I'm going to try that now on everything that I see. And that's how we get access into the Windows file share, and so of course we do a directory run to see what we can get. We see some photos; you pull all those back because we're going to start with the fun stuff. So what kind of photos do we get? The Grimm family. If you go look inside the house you can actually see the family portraits. So like I said, this is creepy, but yeah, not that interesting. Let's see what else we can find on the computer. So we're now going to start looking for documents and try to find things of interest. Again, keep in mind that the key to all of this is that this would be scripted, so the automated capability to do this, walking through each of those steps, is what makes this interesting, right? How am I doing this times thousands, not that I'm actually hands-on shell right there? So we take all the documents, and in those documents we get all your passwords, check, with your bank account routing number and your tax forms. Yeah, oops, somebody say.
So what can I do? Let's go back to the first principle. Does anybody remember what it is? Can an attacker just do anything? Right, I can only do something to what I can touch. So, starting point: place it behind a firewall. Some things should not be internet accessible unless absolutely necessary, and putting it behind a firewall you can create some state-based rules that will allow you to restrict that traffic so that it doesn't just do that. Changing default credentials: we saw that that worked against the initial kind of attack. It's not necessarily that I have to be faster than the bear, I just have to be faster than somebody else running away from the bear. As long as folks continue to fall behind on these basic rules, attackers are not going to change their mindset; they will continue to run the sweeps that work, because that produces results. When all of us start to establish a higher level, then that's what's going to require them to shift. By definition hackers are lazy, right? What's the bare minimum that I need to do to get the effect that I need? Patches, applying patches, right, this is the pain-in-the-ass thing, because every IoT device is going to be pulling from a different place; each vendor is going to have its own approach. And we're going to talk at the end of the talk about things that the manufacturing community could do better, because this burden should not be on us, the consumer, as much as it is. But my recommendation now: just like every year you have to do your taxes, every year find some time, like spring cleaning, make an inventory of your devices, go to the manufacturer website for each of those devices and try to identify the latest patch and install it. And then finally, segregating your Wi-Fis onto VLANs. So in that previous attack everything was on the same network, which is what allowed me to see it. All of your IoT devices should be on their own segregated VLAN at least, and then the important things, like the PC that you're using to do your taxes or to access your bank account, should be on its own VLAN by itself. Now granted, this only ups the ante, because those VLANs are, of course, just virtual LANs that are all going back to a common router, and just the same issue that our web camera had, routers can have that same problem: they have N-days that are published and you can exploit that and get past this barrier. But again, you're stepping it up to at least a higher level. Who's heard of the concept of herd immunity? What is it, sir? So, like IoT devices, this is the threat that we're facing. It's not individual IoT devices, it's not even the damage or nuisance of how I could do some damage to a particular group of folks in a consumer environment. The risk is that every day there are more and more of these coming into our environment. I mean, I don't know what the number is, but I can't imagine it's not less than tens of thousands that are being introduced into our internet every day. And we talked about the fact that, while it might be inconvenient that these things be reused for malicious purposes to someone else, it's actually decreasing the security of the overall environment in ways that we hadn't thought, because it's no longer, oh okay, you know, the web camera got taken over; we've already started to see how that web camera is a pivot point to other things that would have been more secure had that not been in the environment. IoT devices are putting us in the same kind of challenge, where we're going to increase our probability of a different kind of outbreak in our environment, I mean in this country, in the world, because we're continuing to introduce this capability that's unsecured. By itself it's a nuisance; adding the fact that all these devices are connected, we are increasing our overall risk.

So, call to action: manufacturer accountability. Has anyone ever seen a manufacturer punished for putting out an insecure device? There are no consequences, there are none. We've already seen how difficult it is to apply a patch. We've seen that they can push out something where everything has default credentials. It does not take a lot of engineering to have a unique password pair supplied to each IoT device that's issued to that consumer, so your admin password has already been changed for you and is unique to your device. That would solve a large percentage of the problems that we're seeing. That is on the manufacturer. The other piece, of course, is I don't think it's reasonable to expect any vendor to push out a completely secure device, right? Has anybody ever seen anything that's unhackable? I mean, except for John McAfee, but, you know, besides him, and he got quickly proved wrong, because nothing is unhackable. So it's not a question of, can I push out something that is absolutely, completely secure, particularly when it costs 39, but why can't we demand that they have planned for a security lifecycle, right? It's not that you made sure that it's secure tomorrow, but that it's very easy to secure down the road: you have a disclosure policy that allows independent researchers to identify things to you, and you have a time period in which you're required to turn around a response, push out a patch, right, push out a patch, make that patch available, make it easy for the consumer to take it and apply it. We are all dealing with this problem because the manufacturers have no incentive to change and the burden is being pushed on us to solve it.
So, references for more information: obviously the ICS Village, we pushed a lot of this; there's also the IoT Security Foundation, and then I Am The Cavalry. These are all independent organizations, nonprofits, pushing security education and awareness around this problem. This is things that all of us as volunteers do; this is our passion, because I think it takes the experts to identify the problems, push for calls to action, highlight the issues and try to drive a change.

So I talked earlier about the fact that the reason this was originally called TORT, The Onion Router approach for IoT: that's going to be my upcoming research that I did not get in time for today, so I'll be pushing that out. Those are becoming the two future areas, as well as the home hacking lab, which will have a build environment and a setup for you to be able to demonstrate and build the scripts to automatically attack, not illegally, but in the comfort of your own home with something that you own, so to be able to prove this yourself. So we'll be pushing that out on GitHub in the future. I think I have time for like one question. Anybody has any questions? Yes, sir. So the original idea there for the complex password that you were forced to change every 30 days, and, you know, cannot match the prior 12 passwords and must be at least 14 characters long, we all experience that, okay. The guy who created that standard back in 2003 has now apologized to all of humanity; he was wrong. There is tar and there's feather. I don't know, he apologized, because that's not necessary, right? If you look at what the threat is here, certainly if somebody is already on your network, theoretically you changing access to something like that could cause an issue, but chances are, having done this kind of research for 20 years, I'll tell you, if that was me, I've already got root on your box. You change your password, I already know what it's going to be every time you change it, because I'm root, I'm going to be there hanging out. What you're changing is up here, so you haven't actually shifted anything, and those passwords, you forget them. That's the reason why passwords usually are so derivative of the same, because that's easier to remember. The password was the worst invention in the history of mankind, but we have no other choice, and then that rule was just proof that there is hell, the devil does exist. So I apologize, my time is up. I'll be over at the ICS Village for the rest of the day if you have any more questions, and follow so you can see the additional open source stuff we'll be pushing out. Thank you. [Applause]
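The talk contrasts the Mirai approach (a burst of roughly ten default credential guesses against an exposed port-80 camera) with the home user's single successful login, and the abstract argues that the wire is where the attacker has to blend in. The detector below is an added example, not code from the talk or the ICS Village workshop: it runs over constructed login log lines in an assumed key=value format and flags a credential sweep, then a successful login that follows one, which is what a defender would want to alert on before the pivot to file shares begins.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log (not from any real device). The key=value layout is an
# assumption standing in for whatever a camera's web server actually writes.
# 203.0.113.5 behaves like a Mirai-style sweep: ten guesses in ten seconds, then
# a hit. 198.51.100.7 is a legitimate user mistyping a password twice in an hour.
SAMPLE_LOG = """\
2018-08-11T10:00:01Z src=192.0.2.10 method=POST path=/login status=200
2018-08-11T10:05:00Z src=203.0.113.5 method=POST path=/login status=401
2018-08-11T10:05:01Z src=203.0.113.5 method=POST path=/login status=401
2018-08-11T10:05:02Z src=203.0.113.5 method=POST path=/login status=401
2018-08-11T10:05:03Z src=203.0.113.5 method=POST path=/login status=401
2018-08-11T10:05:04Z src=203.0.113.5 method=POST path=/login status=401
2018-08-11T10:05:05Z src=203.0.113.5 method=POST path=/login status=401
2018-08-11T10:05:06Z src=203.0.113.5 method=POST path=/login status=401
2018-08-11T10:05:07Z src=203.0.113.5 method=POST path=/login status=401
2018-08-11T10:05:08Z src=203.0.113.5 method=POST path=/login status=401
2018-08-11T10:05:09Z src=203.0.113.5 method=POST path=/login status=401
2018-08-11T10:05:10Z src=203.0.113.5 method=POST path=/login status=200
2018-08-11T11:00:00Z src=198.51.100.7 method=POST path=/login status=401
2018-08-11T11:30:00Z src=198.51.100.7 method=POST path=/login status=401
2018-08-11T11:31:00Z src=198.51.100.7 method=POST path=/login status=200
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) method=(?P<method>\S+) "
    r"path=(?P<path>\S+) status=(?P<status>\d{3})$"
)


def parse_line(line):
    """Parse one constructed log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
    rec["status"] = int(rec["status"])
    return rec


def detect_credential_sweeps(lines, threshold=8, window_seconds=60, login_path="/login"):
    """Return findings for (a) a source producing `threshold` failed logins inside a sliding
    window and (b) a successful login from that source while the burst is still fresh."""
    events = [r for r in map(parse_line, lines) if r and r["path"] == login_path]
    events.sort(key=lambda r: r["ts"])
    window = timedelta(seconds=window_seconds)
    recent_failures = defaultdict(deque)  # src -> timestamps of 401s still inside the window
    sweep_last_seen = {}                  # src -> timestamp of the latest failure in a burst
    findings = []
    for ev in events:
        src, ts = ev["src"], ev["ts"]
        q = recent_failures[src]
        while q and ts - q[0] > window:   # drop failures that aged out of the window
            q.popleft()
        if ev["status"] == 401:
            q.append(ts)
            if len(q) == threshold:       # fires once as a burst crosses the threshold
                findings.append({"kind": "credential_sweep", "src": src,
                                 "first_attempt": q[0], "attempts_in_window": threshold})
            if len(q) >= threshold:
                sweep_last_seen[src] = ts
        elif ev["status"] == 200:
            last = sweep_last_seen.get(src)
            if last is not None and ts - last <= window:
                # A guess landed right after the burst: the password was weak or default.
                findings.append({"kind": "login_after_sweep", "src": src, "at": ts})
            q.clear()                     # a success ends the burst for this source
    return findings


if __name__ == "__main__":
    for f in detect_credential_sweeps(SAMPLE_LOG.splitlines()):
        print(f)
```

The threshold of eight failures in sixty seconds is a constructed tuning knob; the talk's point that Mirai tries about ten combinations is what makes a short, dense burst of 401s the signal worth watching for.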