
No IOUs with IoT

BSides DC · 2019 · 1:00:10 · 162 views · Published 2019-10
Category: Technical
Style: Demo
About this talk
Bryson has a particularly entertaining style that encourages audience participation, so be prepared to be a part of the presentation! He will teach participants about the IoT threat landscape (what have we seen) and common oversights made in the development, configuration, and deployment of IoT devices. And, while IoT may not be interesting in itself as an end target (changing the temperature on a random Nest thermostat isn't going to get a hacker out of bed), it's easy to build an automated campaign at scale which can access operational systems and sensitive data, i.e. steal interesting things! He will demonstrate this with a walkthrough hack and provide an open-sourced lab that participants can replicate on their own.

Bryson Bort (CEO, Founder at SCYTHE)

Bryson is the Founder of SCYTHE, a start-up building a next generation attack emulation platform, and GRIMM, a boutique cybersecurity consultancy, and Co-Founder of the ICS Village, a non-profit advancing awareness of industrial control system security. He is a National Security Institute Fellow and an Advisor to the Army Cyber Institute. Prior, Bryson led an elite offensive capabilities development group. As a U.S. Army Officer, he served as a Battle Captain and Brigade Engineering Officer in support of Operation Iraqi Freedom before leaving the Army as a Captain. Bryson received his Bachelor of Science in Computer Science with honors from the United States Military Academy at West Point. He holds a Master's Degree in Telecommunications Management from the University of Maryland, a Master's in Business Administration from the University of Florida, and completed graduate studies in Electrical Engineering and Computer Science at the University of Texas.
Transcript [en]

Better look here. It's not work... keep... nothing.

There you go, those are all the conferences we're considering with the ICS Village. I hate the way it does that, because it goes, like, one slide over. I don't know why it does it, but it does it.

Oh, is it? It's a static camera? Yeah, that's all right. So parts, or I'm off camera? Oh no, I go into the audience, I like interaction. One of the gags that I do, because you know I like the audience to participate, well, what's the best way to participate? You don't have a rota, might do, you know, I do. Okay, just right up in the face, and

yeah, I'm going to be among the people. I know if you've seen some of my talks, that's what happens: all of a sudden you'll just see me disappear, then hear this disembodied voice, the video is on the screen, you hear some laughter, occasionally I reappear. It's usually nervous laughter.

Seen this one before?

I've been giving this for three years, I think. That's the thing, well, the thing that's funny about it is, so this shows the emphasis I had on this: consider, it's like 0-day, it's like you don't have to do anything to find a new IoT [ __ ] joke. But so my whole point is that's not the point of IoT anyway, but you're gonna hear this in the talk. So what I did is I focused on demonstrating lateral movement at a mass level, like how do you do this at a time that wasn't... with such devices, easily, with no code required, like just go to GitHub. So, and then the Russians got caught using this technique in

August. So that was the thing that Microsoft outed them on, yeah. So I show the limitations of that attack because it doesn't work on this particular device, which is why they were focusing on the enterprise level, and then I show what they did, and then actually mine requires less memory, so it's even more effective than what they were doing.

Look at this empty front row.

If you saw my very content... this is called the splash zone. Hello, BSides DC! Hello! Hey, that's better than I expected for a post-lunch crowd. Front row's open, yeah, people move forward. He likes to talk to people in the crowd, so come on up, prime seat right there. This guy, how we go out here, nice to you. You're in the military, aren't you? Okay, you just have the haircut and you do exactly... people tell you, it's interesting. Oh yeah, come, front row, right here, Kai, right here, I just cleaned this seat, see, look. All right, now that the front row is not empty, we can get

started. Ladies and gentlemen, put your hands together for a man in a unicorn onesie. Yeah, once you see my background you're gonna be like, what the [ __ ] went wrong there? How do you end up like this? Maybe I'll turn this into a career, talking, this is like what not to do. So the name of the talk is No IOUs with IoT. Who came here expecting, like, the traditional DEF CON presentation of I'm gonna drop some 0-day on some IoT? Anybody? Kind of? Why kind of? Because I don't look like I'm technically competent? What's that? Walked in here, maybe he's honest. I like heckling, so good job, but I will fire back. IoT is not hard. If you

want to feel like one of those leet rock stars that you see on Twitter, on YouTube, drop in 0-day, go do it with IoT. You can literally look at this stuff and it'll fall over, it's that bad. So we're not going to do that. All right, so just in terms of expectation management, both clearly in my technical capabilities and mental faculties are apparent, as you... what's your name, by the way? As Josh rightly pointed out. So we're not gonna do that. So it's me: I founded GRIMM, I co-founded the ICS Village. Who knows the ICS Village? Who's done any of our CTF? Really? How'd you do the neighborhood? Oh, Howdy Neighbor. So Howdy Neighbor is

actually a GRIMM exhibit that we built, but it's a part of the ICS Village CTF, Hack the Planet, right? So we've done that. We've been at DEF CON now for, I don't know, lost count, six, seven years. We are at multiple conferences, the ICS Village. John, thanks man. We are a 501(c)(3) non-profit. We even have our own conference. Has anyone ever heard of Hack the Capitol? You're the only person I haven't met that has apparently been at my conference, I guess. Hi, Bryson. Derek? Derek, nice to meet you. Oh, you know Monty? Monty is a better speaker than I am. I do not. Hack the Capitol is Wiberg. So the nonprofit mission: we do education,

awareness on critical infrastructure, and it occurred to us, since I'm locally based, wow, it's like the US government is based here and they're incompetent and they don't know things, maybe we should try to give them some education on critical infrastructure. So we created our own conference called Hack the Capitol. It's annually in May, we're hosted inside the Ronald Reagan Building, so we're actually on federal government space, and we do a lot of stuff, but we bring members of Congress, we bring congressional staffers, we bring think tanks, so it's essentially their chance to meet with the technical community to learn how to do their [ __ ] jobs. So please come to that conference if you're

interested, it's free, our nonprofit pays for everything. And then last year I launched a company called SCYTHE, so that's now my full-time job. I'm now a commercial software vendor, [ __ ], and this is what I do for a living. And on top of that I'm a fellow at the National Security Institute and on the board of advisors for the Army Cyber Institute. All right, so we're going to be talking through what is IoT, the landscape, types, and we're going to do a demonstration. If you saw the preface for this, I'm going to provide you with the take-home lab, so what I'm going to demonstrate here today you can go and do in the comfort of your

own home. I'm going to emphasize it here and I'll emphasize again later in the talk: what you do in the comfort of your own home, not in anybody else's home. I

like a collaborative style. I think that I am NOT the smartest person in the room or the world, clearly, and together we can all be smarter. If you have questions, if you have comments, if you want to be like Josh and try to heckle, you can do that. And I'm a former Army officer, so my approach to things is you can voluntarily do things or I will volunteer you. Lack of eye contact or eye contact will have the same results for you, so there's nowhere to hide as long as you're in this room. Sean's laughing because he's seen this before. All right, Consumer Electronics Show last year. Anybody heard of the Consumer Electronics Show? Yes. This is where the industry around

the world gets together, two hundred thousand people descend on Las Vegas and all pitch to each other all the wonderful ways that they're all going to send us to hell in a handbasket security-wise, I mean sell you things you want. So I went around with Rob Pegoraro, who at the time was writing for Yahoo Finance, and what we did is we went to different vendors that struck our interest, and of course the setup is: bring what looks like a security expert to one of these vendors and start asking them security questions. How do you think that went? Like I said, it was a setup. Mostly it would be a salesperson, like, blinking furiously, like, wait, you're not trying to,

like, buy? What? I don't understand. And then usually a manager would come over and, like, handle me away. My favorite vendor, though, is the ShadeCraft umbrella. Who has heard of the ShadeCraft umbrella before? You have? Really? Go around, around here, tell us what you know. It moves. It moves, it does. Wait, I ran all the way over here for that? That's all you got? You got something else, right? Does it... doesn't... you think it blocks the shade at least, try it, tries. What's your name? Jim. That was very disappointing, but you all saw that. Well, I'm not on keto, clearly, and that's as far as my aerobic capability lasts. Oh, I'm gonna

have to do that. This thing's hot, this is fleece. If I'm gonna run, I went a little better. Okay, you now know a standard, Jim, you got it, set the standard, that's the bottom, I'm the demonstration in the bottom, you just kind of, like, literally, you could, like, trip over it. The ShadeCraft umbrella talks pretty much every communication protocol you can imagine. It does move, it's solar-powered because there's a battery in the base, and it follows the sun. It can do everything but your homework, pretty much. So the first question is: how much do you think it costs? Too much. Well, of course the answer is too much. See, I don't mind being as

disappointed, because I didn't have to run over here for that answer. Can you put a number to "too much", sir, or are there things I can sell you? Five thousand or so? Five thousand or something, okay. What do you think, too high, too low? Too high, too low, keep going. You're drinking Starbucks, you like overpaying for things. 2500? No, more, we're going the other way. You also don't listen, because I said 5000 was too low, go up. What? No, above 5000. [Laughter] What? Oh, did you say 7500? I'm in [ __ ]. Okay, to be fair, I got in from South Dakota after midnight last night, but I apologize, you are correct, mea culpa. Not

7,500, still too low, but I'm an idiot. 8 grand? So it was just under, over that, it was like eighty-seven hundred, nine thousand dollars. So the first question is: who wants the nine thousand dollar umbrella? Rich folks. Who said that? Oh, see, that was a good answer. Excuse me, coming through, watch the tail, watch the tail, boom, boom. That was awesome. Oh, it's easier to go around that way, sort of. So the demographic: like I told you, if I talked to salespeople I would find the manager come over to handle me. I was lucky that I met a Silicon Valley CEO who happened to be there with ShadeCraft. She informs me that she was buying

ten for her vineyard. I'm not making that up, that's not a punchline, that's actually what she told me. They of course had zero concept of security, and this was the best example not only of an overpriced product but one that was rife with all sorts of opportunities to do something with. If you can have one takeaway on security: the more you have in code or function means exponentially greater surface area for compromise. Do we know what surface area is? What's surface area? You're on your computer, what are you doing? I'm taking copious notes. Oh, hey, that's okay. I took a note to send that conference that you mentioned. Surface area is the opportunity to exploit something, okay.

Yeah, so surface area is what establishes access, right? I can't do something unless I can touch it. Hackers are not omniscient and omnipotent. I can't hack it if I can't find some way to interact with it. Surface area is that technical purchase where I'm able to go get into the code, get onto the machine and do something that I want. Takeaways: if it could be internet connected... if it could be internet connected, if it could be voice enabled. Why is voice enabling a problem? Now we know internet connected, we just talked about it: I can't hack what I can't touch. Why is voice enabling an issue? Good. Secretly... well, is it really secret? You're

actually paying for it. You can order [ __ ], so yes, your kids can now, you know, reorder the dildo that you just got. But when we say secretly record [ __ ], what do we actually mean? It's not covert, you paid for it, you said I like the fact I can ask Alexa to do something. Yes, so that's the problem, because it's always on, so it's always on, listening. But then where does it go? The cloud, right? So we're going to be covering shortly why IoT devices have to be cloud connected and internet connected. But now with voice enabling we have privacy concerns because they're always on and we tend to forget that they're there

when we're, like, Monty's boss, or during sex toys. Which, by the way, sex toys are IoT. RenderMan, yes. What was that, Cassie? You can control them via Bluetooth, yeah, and hack them, DDoSing. Now imagine some of you men in this room using what passes for some of those sex toys, and you get ransomed. Weird, yeah, it's funny. It's going to happen, and it won't be funny then. Think about it, think about what will happen. Like, yeah, yeah, I mean, John Wayne Bobbitt through the internet, yeah. I was like, that's... it was funny until it was dark. Don't go check what you have at home right away, okay, stay for the rest of the talk. It's

dumb to be smart. Did you know that a smart TV now costs you less as a consumer to buy than a dumb TV? Why? Services. What about those services? They're spying on you. They are collecting data on your habits and they're monetizing you as the viewer; you as the consumer are being monetized by these devices. There is a phenomenal study, and now I'm being facetious, that came out from McKinsey in 2015, 60 pages that they privately released to all the auto manufacturers, saying here's how you can monetize drivers. Now who's ever read an End-User License Agreement, a EULA? Well, Sean, you do weird things for Ars Technica. That's technically the press, right? Okay, you do

things that people don't normally do. I also do it, but it's unadvised when I do it. But go on.

If you haven't read the EULA: when you buy something you're giving them the permission to collect data on you, essentially, in many of these licenses. But that's in clear and plain and simple language on page one, right? No, it's usually buried around page 94. Yes, none of the rest of us have ever read a EULA. I've asked that question at a conference of entirely lawyers. They were honest too, one hand went up. I'm like, oh, you're the person who writes those. So buried in that "I agree" click-through is where we are signing our privacy away. They're monetizing you as the consumer, but they're charging you less because they're making money on you another way,

right? This is the lesson we as society learned from Facebook, besides the next lesson we've learned from Facebook, besides the lesson we're currently learning from Facebook. Does anybody know Mark Zuckerberg? Can we, like, just, like, have a talk with him? No, like, really, like, he's harming all of us, bad. But you know people who work for him? No? What if I asked again? No? Worth a shot. His eyes said yes though, his mouth said no. All right, so who has IoT devices? If you're not raising your hand you're just choosing not to participate. Yes, that's you, thank you. So we all have them. Now here's the question, Suchi: how many IoT devices do you have?

Suchi: one. That is a lie. We don't tend to know even how many I have. We're all aware of the problem of asset discovery in enterprise, because we talk about that all the time. We have the same problem as consumers: we don't know how many devices are in our homes. I really don't know, even, like, I've never really kept count of it, it's just, they're sort of there and you kind of think about them and occasionally it tells me to patch it or not. We'll be covering that later. So IOT versus IOT, I mean, excuse me, IT versus IoT. So now we're talking about our enterprise. So the first problem we have with where enterprise is: bring-your-own-device.

So who has a cellphone? Do you bring that to work? Do you do work mail on that? So we have a few nos, but most of us, yes. Is there an enterprise policy on you doing that? Some places yes, some places no. The challenge that you have at the enterprise level is it's very easy for employees to bring their Apple watches or Android smart watches or their phones or whatever other things they have into that environment. It's difficult to control, so this is where we get the problem of rogues. How many of you are engineers? How many of you like it when somebody tells you what you can't do? Seriously, Kai, why do you like being...

Because you do it anyway. So he was just, like, I would raise my hand because I don't mind it, and [ __ ] you, it's gonna happen anyway. The rest of you just feel like, [ __ ] you, it's gonna happen anyway. That's the engineering mindset. I'm not gonna let somebody who's, like, what do you, like, a deputy editor, chief of staff, or, like, you're, like, important, you're my nominal executive wearing a hoodie to blend in. When Sean tells his staff no... actually, you're better when you tell Monty what he can or can't do. Yeah, exactly, why would you even bother? Funny thing about corporations is they think that their drones all do what

they tell them. Though they do, there is an expectation. There are people with starched shirts, I've seen them, they exist, we ignore them. On top of that, in the enterprise we have vendors. Vendors need to do maintenance on their things, whether that's sensors, whether that's HVAC temperature control. If you're in a critical infrastructure environment you're gonna have an even greater chain there. And then, as we've seen, the same problem that we have in the consumer world: these things have a cloud back-end. By definition IoT is really two things: cheap computing with limited resources, some level of battery life maybe, that's why they're proliferating; they need the cloud back-end to be truly functional, because we now have reached this point

where we can trust that I can have a wireless connection to somewhere else in the world and then I can have my big iron there to do all the heavy thinking. And then signatures. So this is the hard part where you're an enterprise: this environment is fragmented, there are so many different types. So if you think about that from a technical perspective, how do I even identify what's on my network unless I physically put it there? And if we have this problem of users with BYOD, or Kai doing the rogue thing, you can't even figure out what it is, let alone where it is. Enterprise challenges, oh yeah, this next slide. Who is responsible for updating the

security or the patches on a consumer IoT device? A company that went out of business? That's for them to provide it. So we do have the Chinese, you know, company that's there for three months, or Taiwanese company, and all of a sudden it appears and they disappear and you're done. But let's assume they've lived longer than three months, right? The patch is there. Who's responsible for updating it? Us. Or, in the bottom right corner, Putin will do it for you. What do you think of this security model so far? This is the security model. Yeah, wow. This is why we're all [ __ ], in one slide. I could talk the entire presentation to this one slide. Users are

responsible. Well, let's see how our users do at updating things. Anybody remember Stagefright? Yep, yes, yes, and that's why I got an iPhone. I didn't know that. Users... Stagefright was... I don't even know when it was, it was... whoo. All right, you're really gonna have the answer, 'cause I'm walking, 'cause I'm not gonna run again. I am starting to get hot, you know what I mean. So Stagefright was a vulnerability in a library that iOS and Android used. The vulnerability was the way it read images, and so that ended up being a buffer overflow, and then you can end up writing exploit code into that. How did I deliver that

exploit? We were sending someone a picture. All I had to do was send you a text. Did you even have to open the text? No, you did... all I had to do was be able to read that text, that's it. So it was a very simple 0-day and it went out very quickly. So all I have to do is send you a text, all I needed was your phone number, and I have your whole phone. No user interaction required. Going back to I can't hack what I can't touch: all I need is your phone number. That is the patching across the world nine months after the patch was available. Is there any easier device that you know

of than your phone to update? It literally comes to you and says update me, please do it, update me, why haven't you updated me yet? Nine months across the world, all of that red in that eye chart is users not having patched that critical vulnerability, which is literally... there is no worse case other than some mental telepathy where I can just say I have your phone. That is, like, the ultimate silver bullet for compromise. It worked across all platforms and it required nothing more than just being able to know where you were. Done. On top of that, it turns out your phones are not indefinitely supported. You have to buy a new phone. Hi, Sophia. Or

you're just showing me a phone, so you know you're owned. Yeah, John and Suchi, Sophia and Jesse are right there. Jesse, you didn't wave hi. You have to buy a new phone because the manufacturers only support you for a limited period of time: Android three years, Apple five years, let alone if your battery life got you that far, because your batteries are degrading the second you buy them. It's a scam, says the guy who knows Facebook people. Yes. Next up: social engineering a country. So herd immunity, who's heard of the concept of herd immunity? Wow, I was just in South Dakota, I feel like more people would have known it there than here. Raise those hands again. All

right, you look cool. Mitigation through quantity: the more people who are immune to something, the slower it spreads. So if we think about this in a ceiling and a floor, right, what is that, how would that concept apply? Well, there's, like, a top percentage and a bottom percentage to the population. Most people... if more people are immune, the more people that are immune, the less likely something is to pop up on one and work; with their immune, the less likely it is to spread. Who knows where the concept of herd immunity originated? Vaccines? Epidemiological studies of cattle. Answered. Why this matters to us in this conversation is the same principle applies to the challenge we

have with IoT. So earlier when I talked about more function, more availability, more surface area, now let's apply that to, if we think about all of the computing devices in our ecosystem, and by the way, all of our ecosystems interact, right, all the way from our personal ecosystem as a consumer to organization, and this is where I could make my critical infrastructure joke: an air gap is not an air gap is not an air gap. Nobody got that. It's gonna be that kind of day. All right, herd immunity is the fact that we just showed the security model, users, we showed how well users do it on the biggest problem we've ever seen, and now let's

tie this to... I can pull, like, a CES graph up of what do you think the adoption rate is for IoT devices? It's like a Freddie Mercury pose, so we're Freddie Mercury-ing ourselves. Ooh, that could mean a lot of things. Anyway, so IoT devices are vectors to other things. This is now what we're going to demonstrate through this talk: the IoT device isn't actually the problem. What is on an IoT device? Does an IoT device have your credit card information? No. Does it really have much of anything most of the time? No. The problem is that they are proliferating in the environment. We talked about the security model, so they are this increasing, exponential number of vectors

to things we do care about. What are some things we care about? What is something you care about, besides beard oil? Privacy. Privacy. So these are different examples, some of which we covered. One of the ones that I want to point out is a red herring: people are afraid of webcams because they think that somebody out there is looking to find you. Does that happen? Because I'm talking to engineers, so you're going to be specific: yes. Is that the primary threat model? No. There are weirdos out there, what, not in here? Oh, in here, are you one? Two? Yes, thank you for self-identifying, I was feeling lonely. Guy, sit over there by you. What

are we eating? Okay, so besides privacy, what do you think is another concern we should have about the fact that these can vector into something else? Staging. Staging, staging what? No, staging to other devices that have private information. Okay, like what kinds of private information? Well, like things that have social security numbers and credit cards and that sort of thing. PII and PHI, financial information, taxes. That's what we're going to demonstrate. We're also going to show how easy it is, because again our very preface was you don't have to be very technical to do any of this stuff. Key example: all you have to do is just know how to find it and run some code. Well, fortunately the

world is kind at giving us this. So we have seen four kinds of attack campaigns in the threat landscape. Distributed denial-of-service: is anybody in here Brian Krebs? So you're not worried about that, okay. Ransomware: Sean, I feel like you have an opinion about ransomware, anything you would like to share? Or I won't pick on you on this one. So ransomware is that one thing that will get you no matter what. If you have more than one person on your network, because somebody's naturally going to click on something, if you haven't patched, if you have devices that have an attack surface at all and you have email connected to them in

some way, or you're on... it's a device on a network that has a vulnerability that can be remotely scanned and exploited, you will find ransomware on your network and it will make your life very not happy. Baltimore found out. It's Baltimore found out. So what happened in Baltimore, if you could summarize in two sentences or less? Sure, so somebody in Baltimore clicked on an attachment in an email, and this ransomware called RobbinHood deployed itself across the entire network, took down the water billing software for the city as well as a number of other servers, including servers that allowed people to do real estate transactions, and basically wiped out the city's ability to collect money

for over a month and a half about how many ransomware incidents have we seen across the United States in the last 12 months against cities municipalities water plants it's in the hundreds if not thousands at this point publicly thank you John what is it you do for a living again I didn't mean to pick on you that way John's an Intel analyst that's why he actually thinks about the second-order effect so this is already happening to us if you haven't seen it in the news which I can't imagine any of you haven't one of the primary problems that we've had the issue that we've had here is because again all these things were internet connected the obscurity of them

didn't matter and also by the way the fact that something might have been like a small city or a small County or even like a water utility that might not be what we would consider like a primary thing to target but what if I don't have to think about it real hard to just hit lots of things at the same time then it's just pretty much anything below that water line that's vulnerable is going to get caught and this is where ransomware is really getting us Texas is a great example they had 23 and they hit an MSP and they used the MSP to to spread crypto jackin anybody no crypto jacking is is that no okay it's using

the end users compute power to do Bitcoin computation for your own profit yep so we have all of these cycles one nest thermostats not going to be able to mine a whole lot for me right by definition it doesn't have a lot of computational capacity we've got a million nests what about that times what is Bitcoin going for these days does anybody know 100 120 what wait one bitcoins worth $120,000 9300 I was about to say cuz I was about to quit my talk and walk out like hey I'm done I don't have to do this anymore I don't have to perform for your amusement like I could quit my life see you in the Caymans this became a thing

because of two factors one there's a lot more devices and the bitcoins will someday be worked at but they became worth something they were like this they were like this and then they shot up from what I've seen over the last couple years is it sort of in between eight and ten thousand dollars but put those two factors together this what we've seen and then recently so I've been giving this talk for over two years updating it modifying it and doing lots of different things and when I first started doing this with my entire focus on that it's not the IOT device but it's the vector to something else I was the only person saying that in well never say that

because it's always untrue I was one of the few people who was highlighting that aspect does anybody know what just got what happened in August Microsoft caught somebody doing something that's also very vague but tied specifically to lateral vector don't worry about it we'll come back to it but now recently a common thing and we will talk through that later so history of attacks there are two major attack types that we've seen the first is Mirai Mirai said every device that gets pushed out in IOT pretty much has a default username and password and go back to our user model very few of us update them so all I have to do is try a

handful of combinations and anything I can see I just try those and work because do IOT devices typically timeout if I try too hard nope are any of you monitoring what's connecting to your IOT devices and a 24-7 sock nope we don't do that at home Mirai boom of a million devices then we have the more sophisticated ones like Reaper an i/o troupe they said there's a lot of published code because we're constantly finding vulnerabilities and then we're very kind as the security community that we share the proof of concept of how those work even if we're doing that with possible disclosure which we should we go back to the problem of when does the

patch actually come out when do users actually put them in play so all I have to do is know what your device is match it to proof of concept code that's going to be able to compromise it done so they just had a catalogue of 65 POC end days and any device that matched those they just threw that and took it the other public example we have and this is attributed to Iran is there is a fish tank in casino in Las Vegas going back to our vendors the vendor was had a sensor had sensors in the think tank to manage the temperature to remotely and that was what was compromised they used that as a lateral vector jump into the

casino and I could also be in the Caymans if that had been me so here's the setup we're gonna run through this quickly we've got about 12 minutes remaining the setup is we are an average consumer we are bringing in a webcam in this particular example it's this version of geo vision webcam I'm not picking on geo vision I'm not picking on webcams any IOT device would be suitable for this demo so first up we as the user are going to configure the web cam so we log in with the default credentials and it kindly prompts us to change the password that's actually a above-average feature so we're going to try to change the password nope

You want to know if there's proof that there's evil in the world? It's any web page that does that to you. So we got in eventually, just trying to change the password here, and we're in. We can now, for security reasons in this case, keep an eye on our baby. So we've configured it. We want this to be internet accessible, of course, and we have our new password. What is our new password?

Applesauce exclamation point, because it made it hard for us to do something different. Exclamation point 70% of the time is the symbol that every user does in their password, so tie that to a dictionary attack. Oh, we get, oh no, not start again. Go to the next slide, let me go to the next slide, there we go. So now we're going to demonstrate this from the attack perspective. So we're going to do reconnaissance, enumeration. Enumeration is I have to fingerprint that exact device to make sure it works. Compromise, pivot, steal, that's the fun stuff. Need an arbitrary stupid picture to demonstrate hackers, so he's wearing a balaclava, he's wearing a bandana, he's holding an implement that has nothing to do with

the computer, and a computer. Alright, so first up we're going to try the Mirai style of attack. We are going to try, we are going to try, okay. So first question: will this work? It should not. Why shouldn't it? Because we changed the defaults. What about other accounts that aren't showing? For the purpose of this demonstration we're assuming there's only one account on the machine, but you bring up a great example, particularly when we're talking about Linux devices, that they come with multiple default roles, many of which are never exposed to the user. In the interest of time, what we're going to show here is, has everyone heard of Censys? Has everyone heard of Shodan?

Okay, Shodan and its smaller brother. This is our OSINT platform, where all I have to do is plug in the particular device that I'm looking for and what protocol it talks, and it already has an open database of all of those around the world. I don't have to go anywhere. That's what Shodan does, that's where everybody gets, look, really cool, be like look at all the things I can hack, look at all the things I can hack. So that's what we've got here. We've now got our list of everything that is vulnerable to the code we're about to throw, and I didn't have to do anything as a user, as a hacker, other than that, just go to a

website that already has an open-source database for me to do all of that, and it already tells me what's vulnerable to my code, like I don't even have to worry about that. So we got our enumeration, we've defined the environment. You can get all sorts of interesting information in here, and then the next part of this demo is we show the brute force attack, which of course doesn't work, and in the interest of time we're moving on. This is the actual code that we're throwing, so it's available out there, it's free, open-source, you don't have to know anything. All these details are in the lab. This morning I took a look on GitHub to see how many code commits there were

for GeoVision on GitHub. There are 30,503 as of this morning of people out there updating code for you to use. Now this is the fun part. Now we're going to try that code, so the Reaper/IoTroop method of this: it isn't patched, there's published code, all I have to do is, all those IP addresses I have, throw that code against every single one of them. So in this case we're only doing this against one webcam, but how hard is that, to write a simple script with a few lines to now do thousands? Not. So, we're in. We have administrative access because we used it to compromise, so I now own the machine, which means I can also figure

out what that password was from that. We're going to enumerate what else can we see, again because I'm probably going to be, how much time do I have left? Eight, okay, we can do this. So I'm enumerating all network file shares from this. Why do I want to do that? I find a real computer that has a network file share. So in this case we see a Windows file share. That's gonna be interesting, that's their home computer. What do we have on that machine? Well, first up we find family photos, so we're gonna download all those and take a look. This is the fun part where we're just demonstrating how, what's fun as a hacker

when you get to do this. So we pull those down, we take a look at them. That's a hipster, okay, but that's not really interesting. And again, keep in mind that this can be automated even though we're demonstrating this manually. So what do we really want? We want anything that looks like passwords, money, bank accounts, taxes, blackmail. We already saw the blackmail, that was the pictures there. So what do we got? Well, we've got, there, some people save their passwords in text files on the computer. Don't do that. Oh, bank account information and taxes, all things that you use your personal computer for at home.

So now the Russians. This is what happened in August. This was against corporate enterprise versus us as individuals. One of the reasons that I did this is the attack approach that they took would not work on this particular device, because consumer IoT tends to not have a lot of memory. Their approach was they ran tcpdump. If you ran tcpdump anywhere that has more than a few devices you're gonna suddenly be overwhelmed, and we're already, like, pivoting into, like, how much space is left, because these devices are cheap, right? They don't have a lot of resources, so we're kind of, like, thinner, you know, just fitting in that little bit of space that just

happens to be available. tcpdump would not work on a consumer device, but it does work on, say, a corporate printer, which could have gigabytes of RAM because it's meant to handle multiple cron jobs, cron jobs across multiple users, versus, say, what you're gonna see in a consumer environment. So this doesn't work on our consumer device, but they got caught by Microsoft trying to do that, where they used the exploitation method and then they used tcpdump to try to identify their next step for lateral movement. I'm going to be continuing down the research here, because I am going to find a consumer device that this will work on. You saw a much simpler approach

that is more effective, because knowing that I'm only going to be looking for, say, like, Windows file shares or a Linux file share, if I limit what my campaign wants to do I use a lot less memory and I can get away with a lot more. So their technique was not quite as effective as what we're doing. This works against printers, video decoders and VoIP phones. We talked about that, we'll skip that, let's get that. Alright, so what can we do at home? How do we defend ourselves? Five. First of all, I can't hack what I can't touch: firewall. Do we have firewalls? Everybody has a firewall. First problem: firewalls are also vulnerable as devices,

but we can't solve all the problems. We can be, though, faster than the bear and the person running away from the bear. Wait, just the person running away from the bear. You just have to be faster than other users. We can't beat the bear. Now that, that's the Russians, like we kind of fit that metaphor together, the Fancy Bear, Cozy Bear. Don't any of you read CrowdStrike propaganda? Yes, yes you do, CrowdStrike propaganda. I love you, Dmitri. Hi, oh sorry, that could have, oh, I love you, Dmitri Alperovitch. Change the default credentials, that should be obvious. Patching, okay, they don't make it easy for us. This is where it's incumbent on us, just like every

year we have to do our taxes, just like every year we have to do things we don't want to do: patch. Go to each manufacturer site for each thing that you have, pull, and you're going to have to, most likely in a lot of these cases, manually, like through, like, a USB stick, install the patch and update it. But it is incumbent on us as users to do that, because that currently is the model. And then we can segregate these things. Your router at home allows you to create virtual LANs. I can segment my network. Why is my PC, where I do my taxes, talking on the same VLAN as where I'm managing temperature control, for

example? Very simple to just create a specific VLAN for IoT devices and have your PCs only on their own thing. Can that be defeated as well? Yes, of course, but again we're changing the environment, because still most users don't do this. Call to action. So this is, since this is a day, I Am The Cavalry track. Everybody knows I Am The Cavalry, right? No? Okay. I Am The Cavalry is a loose organization of a bunch of independent security researchers where we're trying to pressure policy and manufacturing changes so that we can improve the environment. So the first is manufacturers should be accountable for putting insecure devices into our environment. Now, what is an insecure device is kind of in the eye of the

beholder, and there is no such thing as anything that is unhackable, right? So some best practices being embedded to start is good. First off, having a public disclosure POC somewhere. If we find something, we can easily be able to report that to the manufacturer to be able to manage that. Then expectations for them to take that seriously, look at those, triage those and push out patches so that we are improving the environment. It's the life cycle that's the most important part of this, less something being published that's just secure. Hence we should have a release plan. How do we easily get the patches to the consumers? Why isn't that something that's a part of the device?

And then finally, this idea came out of something that I saw being debated in France, I don't know if it ultimately passed, but when a manufacturer goes out of business or a manufacturer decides to end-of-life a product, why don't we have them open source that code? One, that's an incentive for them not to end-of-life, or two, if they do, it at least gives us the opportunity for the independent security research community to still pick up the mantle and push those patches out. So some other options that are out there. Anybody seen this? What are they doing in 2020? What is Japan doing in 2020? The Olympics. So them recognizing the challenge, they're going to do this for

their citizens. Stay tuned. Some other options. This just came out, this a couple of days ago, so the Five Eyes, essentially the five English-speaking countries, have now agreed. I thought it was very kind of them on their webpage to provide their signatures, so that was cool. They've made a commitment, and I think I show this on the next slide, but basically that first part where I said this is what we should do, they've all made a commitment, five countries, that they as governments are going to be pushing toward those standards. If you want to be a part of that, because this was a call to action, then I went out, one of the organizers, and actually Harley Geiger is

local, but Jen Ellis, both of them are at Rapid7. They do a lot of policy work, so if you're interested in trying to make the world a better place, reach out. So happening here, there has been bipartisan legislation that has been languishing for over two years now. So both Republicans and Democrats, both in the House and the Senate, have agreed as sponsors to this idea, and they're not even pushing it on consumer devices, they're only pushing it for government agencies to just follow these principles, and this still hasn't passed. But fundamentally they say hey NIST, tell us what to do. OMB, make it happen and audit it. Do the things that we just said, and then US

government contractors who are part of that procurement process should follow through as well. Still hasn't passed. This is something that you can also, as individuals, in terms of call to action: write your Congressman, write your Senator. What the [ __ ], dude.

Sarah and Peter Zatko started CITL. What they are doing is, and there's the website for it, is they are evaluating a bunch of IoT manufacturers across do they have basic safety features as a part of the device, so ASLR, stack guards and a non-executable stack. Guess what? Do you think most of them meet those standards? One of them actually responded to the press when Sarah did an interview in August and said, what, we don't think those are important. True story, like, you can't make this stuff up. References for more info. Obviously I mentioned my nonprofit, the ICS Village, in addition the IoT Security Foundation, iotsecurityfoundation.org, I Am The Cavalry of

course, which is just a loose confederation of like-minded individuals trying to make the world better. For specific guidance, NIST 800-183. CSA publishes Security Guidance for Critical Areas of Focus version 3.0, that's a mouthful. And then at the bottom is the lab, so this is your ability to, this is your ability to take this home and do this safely, only in your own home. I will not bail you out of jail. Look at me, I don't have money. Questions? Yes sir. I was wondering, is that, like, is that because more users in those countries just did it, or was that, like, a government policy that made, so why was it so bad? Why was, I'm not sure I'm

following. No, so I was looking at the graph, I think it was, like, Morocco, Saudi Arabia and Algeria, they had the highest. Right, right, so why were certain countries a little bit better than others? Obviously it's very hard to know the specific trends at a macro level. Most likely a lot of those folks are actually much more invested in the mobile infrastructure than we are, so that is what I'm assuming was the case. There are a lot of folks over there, they don't have any PCs, everything they do is off of a phone, and in a lot of places they've completely replaced currency by using phones for payments, like the entire economy and the way that their way

of life is on phones. I'm guessing that's why there was the higher uptake. Any other questions? Yes sir. Are there any brands that are doing, no, next question. How is Google doing it wrong? Actually, so yes, Google is doing a very good job. I love my Google Pixel. The reason I chose Google, actually, just because that kind of tied to this piece, is if you look at the Android platform, Google owns that operating system, and so any time a patch is pushed out to a vulnerability it immediately goes to anything that is running native Google OS Android. All of the other manufacturers, though, have skinned their own things on top of it, which means, you know, have some period of delay between

Google has pushed out something and then, you know, Samsung decides to do something, or LG, etc. But yeah, Google is one of the better ones, and plus Google also has their Project Zero program, which is probably worth calling out on that note, where it's just a bunch of Google security researchers, and the company has pretty much just given them money and time and they are allowed to go out and VR anything they want. They do competitor products and they go and do responsible disclosure to those vendors to help improve the ecosystem. So I will give specific credit to Google, let alone from my, my joke of saying no. Thank you for your time. [Applause]
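The gap the talk keeps coming back to is that consumer IoT neither throttles repeated logins nor gets watched, so a Mirai-style sweep of default credentials just runs until it lands. The following is an added example, not the speaker's or any vendor's code, of the check a home gateway or log collector could run over a device's authentication log instead; the log line format, the source IPs and the timestamps are all constructed for the example.

```python
"""Sliding-window detector for repeated logins against an IoT device.
Added example, not code from the talk or any vendor; it assumes a made-up
syslog-style line: "<ISO time> auth src=<ip> user=<name> result=ok|fail"."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

LINE_RE = re.compile(r"^(?P<ts>\S+) auth src=(?P<src>\S+) "
                     r"user=(?P<user>\S+) result=(?P<result>ok|fail)$")


def parse_line(line):
    """Return a dict for a well-formed line, None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return {"ts": ts, "src": m["src"], "user": m["user"], "result": m["result"]}


def detect_bruteforce(lines, threshold=5, window_minutes=10):
    """Count failures per source IP (not per user: Mirai-style sweeps rotate
    usernames) in a sliding window; alert when a source reaches `threshold`,
    and alert again if that source then logs in successfully."""
    window = timedelta(minutes=window_minutes)
    failures = defaultdict(deque)   # src -> timestamps of recent failures
    flagged = set()
    alerts = []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue                # lines in some other format are skipped
        q = failures[ev["src"]]
        if ev["result"] == "fail":
            q.append(ev["ts"])
            while q and ev["ts"] - q[0] > window:
                q.popleft()         # forget failures older than the window
            if len(q) >= threshold and ev["src"] not in flagged:
                flagged.add(ev["src"])
                alerts.append(("bruteforce", ev["src"], len(q)))
        elif ev["src"] in flagged:
            alerts.append(("success_after_bruteforce", ev["src"], ev["user"]))
    return alerts


# Constructed sample log (documentation IP ranges): one fat-fingered login,
# a fast sweep across default usernames that then succeeds, a slow attacker
# who stays under the window, and one line in another format.
SAMPLE_LOG = [
    "2019-08-01T10:00:00Z auth src=192.0.2.10 user=admin result=fail",
    "2019-08-01T10:00:05Z auth src=192.0.2.10 user=admin result=ok",
] + [f"2019-08-01T10:01:0{i}Z auth src=203.0.113.5 user={u} result=fail"
     for i, u in enumerate(["admin", "root", "support", "user", "admin"])] + [
    "2019-08-01T10:01:05Z auth src=203.0.113.5 user=admin result=ok",
] + [f"2019-08-01T{10 + (5 + 15 * i) // 60}:{(5 + 15 * i) % 60:02d}:00Z auth "
     f"src=198.51.100.7 user=admin result=fail" for i in range(5)
] + ["kernel: eth0 link up"]
```

Widening the window (for example `window_minutes=120`) is what catches the slow attacker at 198.51.100.7, which is the trade-off between alert noise and the "try a handful of combinations and wait" pattern the talk describes.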
