
Seems that we will continue right away. I'm happy to be here, by the way, back in Dublin after so many years. I was even more thrilled when I heard that they are putting me in the Gibson, because the Gibson for me is actually, well, I was thinking I was going to the supercomputer Gibson from the movie Hackers. Well, it was a hotel. And actually, I've seen my talk is about IoT, and then they put me in this hotel, "stay connected". Connects to what? To the USBs, the plugs in the wall socket. Is anybody using that? I hope not, because you never know what really happens with that. So I'm not that idiot that is using those sockets. Idiot, ID or IoT, or the ID of IoT.

And actually I have to learn my manners first, I have to say hi, welcome. This "hi" is also the closing slide, not right now but in the end, and then the "hi" has a completely different meaning; you will see that. But let me first introduce myself. My name is Richard. I'm a senior research fellow with ESET, I'm also on the Advisory Group of Europol's EC3, the European Cybercrime Centre, I'm on the board of several organizations, a great conference papers, and there's always one thing, and that is my name. I call myself Richard, which is easier, but it's always miswritten, so I actually have made sure that here you can really see how it is written. Just to introduce myself: yeah, good, with a G. And the funny thing is my parents call me Richard, and they gave me this name.

So I want to start off the whole problem with IoT devices with a movie. Now, the movie is in Dutch; what is being said is irrelevant. This is the Secretary of State Eric van der Burg, from immigration, and this was with a lot of people, the refugees, coming to the Netherlands, and they needed housing, so where do we put them? And this is a public debate on television, and he's a secretary of state. So what is being said is in Dutch, but you will get it in a moment.

[Video clip in Dutch]
I can tell you this is not the government's phone. They don't have the assistant enabled; actually, they don't even have an iPhone there, and it is a really secured phone. This is a surprise that Tony is actually putting it on top of the government's phone. Now the question is: why does he have his assistant on? Does he also have that phone with him when the government is talking about new laws, or having their weekly meetings, or in a top secret meeting? I mean, why did he do that? That was interesting.

So I decided to do a little experiment when I was in Belgium, also doing a presentation with smart speakers. So let's try that here. OK Google, count to one million. Hey Siri, call home. Hey Alexa, tell me a joke. No, I hear nothing, which is really good; that means you all have it disabled. When I was actually in Belgium, in Antwerp, there was one journalist, a tech journalist, and his watch started to talk back to this slide. And I actually brought one of those surprises with me. Pretty small. People, I of course... "To turn it back on, slide the switch on the back of Google Home." I will. "The mic's back on." OK Google, tell me a joke. "What do clouds wear under their shorts? Thunderpants." Yeah, that's my bad, I didn't offer a good joke.

But nowadays we have all those IoT devices, we actually saw that at the previous presentation. In the beginning there were lots of them, but they were sort of regulated, and consumer and industrial IoT, that was really separated. Nowadays it's a much bigger mesh, everything is used everywhere. The smart home example we just saw in the previous presentation, it is also used in offices, and yeah, it's really starting to become a problem.

So let's look at the views of the internet: how do you think about IoT and the internet? There's actually four different ones you can identify. The industrial automation, which Stuxnet, that was mentioned already, that's how that started. Smart health: the FDA actually
approved a pill with a sensor in it, to be swallowed by people who are not completely healthy, so that you can actually monitor that the medicines were being taken. Which is of course really nice, because that means that the doctor doesn't have to physically be there, but he can see on the machine, on the tablet, if the patient really took the pill. Well, smart home, I don't have to explain that, we have seen that already in the previous presentation. And of course a smart city. Well, the smart city is really nice, and actually there is one in the United States: San Diego is really implementing that, and it really helps with congestion, it really has sensors and sees how busy it is everywhere. But they are all connected to the internet, and that is a big problem.

Now, where did IoT start? Does anybody have a clue when it really started, which year? How about 1970? It's a bit of a stretch, because the internet wasn't there, but this is on the Commodore 64 and the Commodore 128: a device with which you could actually connect and control all the different rooms in your house, light, whatever you wanted. And you had to connect to that device with a modem, an analog modem, remember, because at that time we didn't even have digital lines. And this network, because nobody could really hack into it, and many people didn't even have a modem, and you needed to know the phone number, etc.

But then I said, okay, this was really nice, but I hear so much of IoT, that there's a lot of failures going on, and failures where people don't even realize it is an IoT failure. Like the smartphone. The original iPhone from 2007: in 2009 it was actually hacked by a Dutch guy, that's why it's called the Dutch hack. And what he actually did is install, it will only work on jailbroken phones, and he's misusing the SSH password, but what he did is change the wallpaper. Well, I can read this for you if you can't read it on the screen: your iPhone has been hacked because it's really insecure, please
finish it and secure your iPhone right now. And the wallpaper states he actually charged five euros to remove it. So that was basically the first ransomware on an iPhone. That, when Apple tells you: no malware on iPhones. Okay.

So I looked up the same thing for the very first Android phone. Well, the misuse, it was a FakePlayer, and actually you could only get it as a fake media player if you went to a certain Russian adult site. When you connected to the site with the player, it started to send SMSes to premium rate numbers, so you're really draining your telephone account.

Then other things, like smartwatches. I wear one; nowadays they are much better, but there's so many of them out there, and so many of them are really weak, and they store a lot of information. Every step I make, it's being recorded in this watch, but where does the data go to? That is an important thing. And actually one hacker has been able to exploit smartwatches to steal the PIN, or a code, of your bank card, and how he did that was remarkable. He was actually using the gyroscopes in the smartwatch: when you type in the PIN code your arm is moving, and with 90 percent certainty on the first try he could actually repeat the PIN code. So how many of you still do PIN codes? Everybody's using PIN codes with bank cards, right? Do you use your arm with the watch for that, or the other arm? I'm actually ambidextrous, what is the right word, two-handed, but I use my right hand to type in the PIN codes, just to make sure this one is not recording it. And two years later, this was 2017, an Israeli researcher, he actually found an incredible amount of zero-day exploits in Tizen OS. So it keeps continuing.

And I have most of these examples, like smart TVs that were being hacked, from Samsung. It was really nice when you get a ransomware note, because it could be misused. Now we're going into the more bizarre things, and there are no children in the audience, which
is good. Mattresses. IoT and mattresses. It's not these mattresses; this was just at the World Championship soccer, and the Belgium team, they had this picture online, and it showed actually for all the different players which mattress they had. They all had their own mattress with their own suspension. But that is not what I'm talking about. I'm talking about this IoT mattress, the Smarttress, with lover detection system. And you think it's a joke? Now, actually, you can buy this one in Spain. It's from the company called Durmet, the Smarttress, and you can even find it online if you Google for it. It's really nice, it tells you exactly what it will do. How does it work? It sends an alert to your mobile phone whenever someone is using your bed in a questionable way. Depends of course where the mattress is being located, because in some facilities it is the proper way to use it. How it is constructed: it actually has a sensor in there, and it is actually using a 4G GPRS module to transmit that. So think about this. I mean, I was just in the Gibson Hotel, connected; I don't know what they recorded on me.

And there are actually ladies here as well, so: the smart hairbrush. I mean, it actually is counting how many times you are stroking your hair and recording that, and not only that, but they're sending the data to the cloud. A smart fork: it's actually how long it took to eat your meal, the amount of fork servings, intervals between fork servings. Yeah, I don't know. It says "eat slowly, lose weight, feel great". I mean, to be honest, if I eat slow, my steak gets cold.

Smart toaster, this is a special one. It was at the CES in 2017, where this was being promoted by the company Griffin, and lots of people went to the stand but never saw this toaster. And the next day, actually, when you went to the webpage, you couldn't even find that toaster online. It didn't exist. It was actually a trick from them to get you to the stand. So that was a kind of a failure
too. Smart toys. No, no, I see some people smiling; it's not those toys, like from the beds. These are really for kids. My Friend Cayla, Princess Cayla, those are for children, and you can talk to them and they respond, except everything is being recorded. In Germany it's actually illegal to have this doll right now, because everything is being recorded and sent to the cloud, stored somewhere. It is always on. So imagine your daughter has been playing with one of these dolls and she's now in bed, and you are going to do your bank account, or you have to log into a website. What was my password again? Oh yes, one two three four five six. That is being recorded and sent to the cloud.

And it's not only that. There's a lot of things, it happens more and more. The reason I am including this slide is for this sentence here: "without parental consent, according to a complaint sent to the FTC this week", the Federal Trade committee. And they are actually now on this, and for the Federal Trade committee to really, well, look into those, I mean, it is a serious case. And it's not only that, because you have many of them, like teddy bears that leaked millions of recordings, connecting with Bluetooth to the internet. And it's just "a message you can hug", yeah, and later you get hacked by the message when it returns to you, because you don't know what is really being stored there.

Sometimes it is okay, like in the health industry, like the FDA-approved pill, that it is being used. But it can also go wrong, like in a hospital: a smart pump to deliver IV could be hacked through Wi-Fi. Go figure that, if you have to get your antibiotics or your painkiller and somebody is changing that. I'm pretty sure if it's the morphine drip and you get more morphine, you're happy, but essentially you will die. Or this one: the firmware and the software for pacemakers had to be updated for a lot of people, because they were connectable and reachable through the internet, which is weird. Really
stupid things, like iKettles. Who's connecting an iKettle? Does somebody have an iKettle? I mean, people are lazy, I guess: you can start boiling water by using the app on your phone. But at the same time, this one actually is leaking the Wi-Fi password. Anybody could connect to it and see the Wi-Fi password.

So you see there's a lot of connectivity with Internet of Things where it can really go wrong. There are actually two movies I'm going to show you, they're not that long. This is actually on the highway. It was not on the highway, it was on the parking lot, but it could happen on the highway, and somebody took over the brakes of a Jeep.

[Music] "It's not fun to have your two-ton SUV's brakes hacked just as you're parking in front of a ditch." "Okay, hold on tight, hold on." "Oh." "That's what I've learned from Charlie Miller and Chris Valasek, a pair of hackers who have spent the last year developing a piece of software that can wirelessly sabotage this 2014 Jeep Cherokee."

So they could do that for the entire Jeep just using Wi-Fi. And if you think that Wi-Fi or Bluetooth is useful: it is, everybody's using it, but think about this. This is an e-skateboard, and I've seen actually many of them here in Dublin, also those little pets, I don't know how you call them, the steps, a similar thing. Another movie; this is a short movie, it goes really quick, but you can imagine what happens.

"It turns out those electric skateboards could be even more dangerous than they look. Hackers have found a way to control them remotely, leaving a rider in the lurch."

So the next time you're driving one of those little steps and you see a guy with a laptop on the pavement, be careful.

Yeah, so, a Boeing 757. In August 2016, they are not made anymore, but in 2016 finally somebody was able to actually take control of a Boeing 757 remotely, being on the ground, with radio frequency communications. Now, they are not being made anymore, but myself I have another
experience with this plane, the A380. I actually came from the United States on one of the first flights with an A380 with British Airways, and then in 2018, I have devices which I need to charge, and I charge them, and there were USB charging ports. This is nice, and I put them in there, and all of a sudden my screen in British Airways, the little screen you have in front of you, changed into this. Whoa, I got an IP number, I got a database number. Okay, I'm in the United States and I want to go home, let's not continue right now. But I mean, I'm pretty sure that if you give this to a pen tester, they could do really nice things with it. The problem is, how do you park an A380 in your parking lot or in your garden to do that?

So these are all IoT devices. If we really look at it, from 2011 to 2020 there's an increasing number of connected devices. In 2011 there were six billion, in 2020 there were 24 billion. They are generating an incredible amount of money for the operators, for the mobile network operators, because all the traffic is using bandwidth, and that earns the money. Now the real thing is that in 2008 the number of things connected to the internet already exceeded the number of people on Earth, and by 2020 there were 50 billion connected devices already. There are no new numbers yet, because, well, COVID got in the way, so people stopped monitoring that. But it is significant.

And as you now know, even in businesses, like enterprises, and at hosts, everything is interconnected. So specifically since COVID, when people started to work from home: you connect from your home to the office, but your home network has IoT devices connected to it. Are they suddenly able to get into the enterprise network? So when you look at that, it started to be mixed. You cannot just protect your home, or just your SMB, or your enterprise, because nowadays everybody is calling in, like: yeah, it is
safe, it's through VPN. Yes, but your house is not safe. You have IoT devices on your network, and yes, you are VPNing in, but even on your own laptop or desktop which you are using, you may have things installed that get information sent somewhere, which suddenly is also able to connect to the company network.

Now, I always hope that somewhere some governments are taking control, and my hope actually was settled for the European committee, or the European Union, when they actually in 2015 had this initiative, the Alliance for Internet of Things Innovation. It started out really nicely, there were some really nice documents. The last three years, not much new, except for a new logo. I guess that is what you do if you are not really working: you make a new logo.

Yeah, so, IoT: Stuxnet, that was already the first one, and we have heard that. But since 2014 the attention on the critical infrastructure is really on the rise, and we have seen that many, many times. One of the things is Industroyer, which was in Ukraine before the war started, where actually at Christmas there was a blackout, and it turns out that the industrial controllers were all reachable through the internet, and they were actually able to be taken over by, in this case we assume, the Russians. A year later they did it again, by the way, also during Christmas. So was that already a trial for invading Ukraine? We never know; of course there's speculation.

And if you look at how you can find all these things: Shodan, everybody knows Shodan. You can find a lot of connected devices that way, and it's also interesting to see that the majority is basically Europe and the United States. It's everywhere, but not as dense as in our regions. So after the 2014 incident I actually made this map, and these are all industrial control systems from power grids in the United States, and yes, you could actually connect to them. I didn't do that; I still want to go to the US
and return home. Then I'm pretty sure they will allow me in, but not out. But it's scary that so many things are detectable, and this was just Shodan. Right now we have more than Shodan: we have Censys, ZoomEye, for, ooh, I forgot the name of that one, BinaryEdge, and they are all able to really look for devices. And BinaryEdge, if you don't know that one, I suggest you really look into it, because it has something really unique: it is actually programmable. You can actually have your own scripts in there, so you can extend your search capacity, and that is really needed if you really want to look for something. This one is also really great: GreyNoise. It is not finding everything, but it is monitoring the internet for suspected activity coming from IoT devices. So if you have that running in your house, it's free, you can actually see what is happening.

Now, actually, this is from yesterday: Mandiant actually published a report about CosmicEnergy. Again they found something new, where actually they could switch off electricity. And that is interesting because, I don't know if you recognize this, these are solar panels. I'm getting 17 of these on my roof this Saturday, actually today, so when I'm getting back home they're there. I'm getting an app and I can see all of them, I can actually also control them with the app. But the power company can control them too, because if the grid is overloaded by too many people generating power, they will switch them off. If the power company can switch them off remotely, other people can do too. So I'm really going to look into how that is protected.

And of course this is, well, I mean, the IoT device everybody at home has: these routers. Really bad. These were the high-end routers, and because of a bug in a script, a security script from Trend Micro which is embedded in the device, they were really going down. And you only had to reboot, that was okay, but still it caused a lot of inconvenience.
so basically we can say that we