
A Talk On IoT Devices Their Vulnerabilities And Potential Exploits - Beverley

BSides Leeds · 2020 · 28:54 · 139 views · Published 2020-07 · Watch on YouTube ↗
Tags: Talk

Transcript [en]

Hi, I'm Beverley Mackenzie. I'm a PhD student at [inaudible] University, where I'm looking at blockchain and security, and I am looking at whether or not the consensus protocols behind blockchain, proof of work and all that stuff, can be used to secure IoT devices. There's my qualifications. I did my master's at Royal Holloway, and in that I looked at [inaudible], and if you need to contact me you can contact me at that. First of all, I'm going to introduce you to the Internet of Things; then I'm going to tell you what they can do, why it's exploded right now, how they work, what their vulnerabilities are, what the

threats are, and what you can do to protect yourself, and what the easiest things are that we should be doing to protect ourselves. I'm also going to touch on some of the malware you've heard of: some of the Mirai, [inaudible], Hajime, which is the vigilante, [inaudible], and BrickerBot, which is kind of scary. So, what do we need to know? Things. We've all heard of it: they're [inaudible], they're in your children's toys, and the industry has completely exploded with the Internet of Things. But there are some problems, things that haven't been worked out: the fact that, in this network,

things don't work together; there's no standardization, so you have the interoperability problems that we'll touch on later. Then you have the security issues. So from an academic point of view, we worked out this time we'd actually be ahead of the curve and learn from the internet: we've learned the problems that happen when something explodes and there are security issues. From an academic point of view, we know that you need integrity, confidentiality, authenticity, immutability, non-repudiation. You can read them all; I can explain, I can tell you directly what you can use to implement them. But industry doesn't seem to be interested. They just want to get there and they want to sell, use it up.

And in fact, as of next year, all new cars will have IoT devices fitted into them, which from my point of view is quite scary, but that brings a whole new complexion to [inaudible]. I mean, you can [inaudible] the car from in your house while sitting on the [inaudible] when that happens, but they're going ahead with it; that's where they want to go. So why now? It's kind of a bit of a perfect storm. It starts with [inaudible] speed. You're probably familiar with Moore's law with regard to memory: memory speed and size decrease and increase every year, and right now the memory capability of some of these devices is greater than the capability I had in my first

computer 20 years ago. So it's just they can do so much in such a small form. Then you've got IPv6, which has been like coming on forever; you can [inaudible]; I'm not going to go on about it, but with IP version 6 you have enough IP addresses available for every man, woman and child to have over a billion IPs to themselves, so everything in your house can now have its own address. And then you've got Elon Musk, who's going to get into everything: 6,000 satellites at this moment are being put up in the sky by Elon Musk, which means everywhere on the planet now you

will be able to have the internet, which means the time is right; it can be done. Right. IoT devices are basically small computers, very similar, but they don't have a hard memory; they [inaudible], and the non-fixed memory is wiped every time you turn the computer off. There's no standard, so for networking they use a mesh network, but that mesh network will be unique to the organization or company that's built it. They just basically store data, but they switch that data out when it's done, so it's like an early computer. I don't know how far back you go; I had a computer back in the day which had A and

B memory, so I had [inaudible], which was one card you put in A, and B you'd have to switch out each time you wanted to load something, which I thought was great, but it didn't have any fixed memory. Yeah, they just [inaudible], and IoT is similar to that. But they have a couple of problems, which can be dealt with, because the memory is so great it can be done. One: they have fixed or no passwords. I've got a BT router in my house; it does all sorts of strange things, and there's a lot of strange traffic going on trying to break into the [inaudible] in my house, and I've tried to fix it, but

the password is fixed, and whatever I do, whatever is coming onto my router comes on. And BT actually opens up the router to say they've got a massive [inaudible] in the country: they allow traffic that's passing by to actually use your router in your own house, that you've paid for, which is like, I just paid for that violation. So you have no way of controlling these things in your home. They rarely have end-to-end security; there's no [inaudible], there's no transport [security]. A lot of the stuff that goes on is in clear text, and you can't patch them, which means that the 'move fast and break something' motto of a lot of developers: you really can break something in production,

because you can't go back, you can't change it. So, vulnerabilities. There are two types of vulnerability that IoT devices tend to be subject to: there's the vulnerability that will affect you, and there's the vulnerability which they utilize to infect everybody else. So vulnerabilities that will affect you will be radio frequency ID blocking or wireless jamming, or, can you imagine, that they've owned the whole house. Eventually [everything] goes over to IoT and someone takes it down with ransomware; that can take place because of that. You want your home back? If you want your electricity, your fridge, your Hoover, your children's toy to work, pay us money. These are things that are coming in the future, because they've

been put in and the security is not there. And then you have what, trust me, the IoT hackers are coming in at: command and control is being set up using your IoT devices. Quite early on, hackers realised that IoT devices were really, really beautiful for denial of service, distributed denial of service attacks, and we have seen proof of concept in the Mirai attack. [inaudible] It's been proven, in the event, that IoT devices can and will be used to attack us. Let's just go back to [inaudible]: the fact that the security is really poor. I read a report from [inaudible],

which was actually quite scary, and the jump-out thing was that 80% of IoT devices, actually cars, [inaudible] that are now being used in planes, have poor or no security. At one point, a ten-year-old actually cracked into an IoT device because he was bored; that's how poor the security is. Sixty percent of IoT devices send your information out in plain text. And I work in security, I've been in the field for 20 years, and I am paranoid. I shred anything; I shred, I shred barcodes on Amazon [packaging] just in case the barcode can be decoded and it could come back to me, my address. But what's the

point if my IoT devices are telling everyone where I am, what I've got, what I'm doing? What's the point of me trying to be secure? So am I just a paranoid security person? Is everybody [inaudible] security? I've been told [inaudible], whatever. And maybe, maybe location tracking with GPS by your IoT devices won't happen, because we live in a lovely world; people won't do that; they won't profile you or profile your child; your privacy will never be violated; and there will never, ever be ransomware. But I think it's coming. IoT ransomware: there has been proof of concept; things have started to happen in the IoT [inaudible], where [inaudible]. Adoption hasn't happened yet,

and I'm hoping it will. But children's toys. There was a child's toy, I'll talk about it, built in Germany: it was a teddy bear and it could take pictures of your lovely child. It was an IoT device and it was sending that data to some place, somewhere, for some reason, and it could listen to your child and send that to exactly the same place, and it had no encryption on the data. The storage place where they were storing the data didn't have specific physical security, 'and that was fine because it was encrypted'. This was a big story in Germany about five years ago, and that was the first piece of [inaudible] about how they were treating the data. Now,

if I was a miscreant, or if I wanted to find a child, with this information sliding out onto the internet... And it's not just happened in Germany; there were other [inaudible] toys in English, and I think there was an incarnation of a Barbie that was IoT that kind of got pulled off the shelf quite quickly because of security issues. So this has happened over and over and over again. It was called [inaudible]. But my favourite is the Weeping Angels. I was a bit of a Doctor Who person and I really liked the Weeping Angels, absolutely; not sorry. But the CIA and [inaudible] decided to pool their resources and their knowledge and

exploit some IoT devices. Now, I think it was just a proof-of-concept thing they did, and what they did was they hacked into everyday citizens' TVs in America and the UK and they started to record people just randomly, to prove that it could be done, and they called the operation Weeping Angel, because 'don't blink' and 'don't close your eyes' come out of the Doctor Who episode where they chase them. [inaudible] So let's just walk you through some of these things. Mirai: I presume you've all heard of it? Mirai, yes, no? Show of hands. One person. Okay, okay. It was a proof of concept, and it was, thanks,

it was the first time that a DDoS attack from IoT was done, and it was so successful that they released the script and all the other stuff onto GitHub, and so since that point we've seen lots of different incarnations of Mirai. But what it did was, because of poor passwords, no passwords, it was able to basically hijack your IoT devices and use them to create a denial of service attack on Dyn, which was an American DNS server company. The side effect of that was they brought down GitHub, Netflix and other companies like that. But if I was working down in the sort of Onion Router

underworld, this would have been my proof-of-concept work before I started to sell my services, and in my mind that's exactly what it did. And quick on the heels, once that code was pushed up, you had [inaudible], and it did pretty much the same, but it used peer-to-peer, so it jumped from one peer to another peer, because in a mesh network you're in contact with the next thing on your network, and so it used that to infect everything in your house. It moved around really quickly, and it used a mix of [inaudible] and cameras which were plug-and-play, which leaves your ports open for them to have access

to your network. They open ports by the plug-and-play, so no matter how many times you close the port, it would be reopened. One thing I didn't mention on Mirai, which was really interesting, was the fact that they chose not to hit the private networks, the 192.168s and the 10s, and they chose not to hit the [US Department of] Defense, which also showed me that these were people that were quite [inaudible], and they were looking to push a product out there which would sort of upset large organizations, but not the United States defence, which shows me that it was a proof of concept. But we come back to this one:

this one used an exploit in cameras: plug-and-play cameras open up the ports to send information and then close them down, and that was quite interesting, because you can actually go out and buy IoT cameras for your house, which means not only do they have poor passwords, but they've actually basically left the door open to your home so that people can come in and out. And then the Linux one. I like this one because it showed another monetization; it showed the monetization that could be used by the masses, and that was quite interesting. That one was basically: any system that had Linux embedded in it could be used, but

fundamentally they were going for [inaudible], and what they were doing was monetizing, and these lots of attacks by getting cookies to your social network that you could then sell to some other people to [inaudible] their likes, their followings, or whatever happens in those places. And so people are going to be buying this, and therefore it was another proof of concept to people who wanted to go down into the Onion Router that this actually could be, you can make profit out of this; I mean, you can make big profit out of this. And finally, [inaudible], Hajime: they call him the vigilante. I'm not sure, I'm not sure, but what he did was he was

interested in finding Mirai, so it was like a battle where he would find IoT devices that were infected by Mirai and then he would clean them up and leave you a nice message just telling you it was a white hat hacker improving the security of people's [inaudible]. Also, his code was [inaudible]; it wasn't as [inaudible]. He was actually someone who had an awful lot of knowledge, because he rewrote most of the code, and it was much more effective, and in some ways, if that code is actually caught by people on the malicious side of the practice, then that could actually cause problems, and it's actually [inaudible]; his code was much more

[inaudible]. Excuse me. And finally, [inaudible], BrickerBot, and that was really interesting, because BrickerBot was just malicious. There was no finding anything, there was no proof of concept; this was just malicious, where they used commands like rm -rf; they used your key lookup table, your [inaudible] and your network lookup table, and then wiped them out. They did an awful lot of stuff to just brick your [device], for which there's no reasoning. So this was just malicious. This would be something that might be used by a sort of nation state if they wanted to undermine the infrastructure of a state. You could, you could, if you consider everybody's

electricity is now on IoT: they're moving us onto smart meters, which use IoT, and if you consider there are 23 million homes in the UK... And you can see where some [inaudible] decided it is, where we really fall down, excuse me: somebody decided it was a really good idea to be able to disconnect you from the central office. If you need to be reconnected, you need to go out to someone's home to reconnect them. But if you can break all these devices and disconnect them, that's 23 million; you would need to then send people out to 23 million households to reconnect them. So if you are going to do cyber war, you can actually wipe the country out in

the middle of winter by just disconnecting the electricity; there will be no way to reconnect you in time before a few million froze. There's a massive [inaudible] they stuck in when they built them, when they informed us that we had to go onto these new electric meters. Now that's just [inaudible]. So how do we protect ourselves? What's really, really frustrating as a security person is academia has done its homework. We've got the stuff, the white papers out there; I've written white papers on this; I've gone and spoken about this in places in America, in the UK, in various different parts, in North Africa, and it's simple: integrity, confidentiality, [authenticity] and

non-repudiation, immutability. These things are easy to do. I could even write the program for you, all right, I can write it in Go, because my favourite programming language at the moment is Golang; I could write the program for you and slide them in. In addition, academia has identified this, written papers, but still the industry, for profit motives or whatever motives, is choosing not to implement the required security. So that means you need to protect your own back. Get informed. I refused the new electric meter in my home; it's not happening. I'm looking into going off-grid for water and off-grid for the heating; I live in the middle of nowhere, so I'm off

grid, and going off-grid for electrics. Get informed, don't get bullied. You're paying a thousand pounds to then support insecurity in your home; we're paying for the pleasure of it. Check things out. Don't buy cars which have IoT devices in but have no end-to-end security on them, because if you crash and you claim your car wasn't working right, acting right, there's no black box and you can't prove it was the software; it will be down to you. [inaudible] There's nothing like blocking this or stopping it from happening. [inaudible] Get involved: there are IoT meetups all around the country.

Okay, I don't know if there's one around here, but there's a few in Scotland, in Edinburgh, which is where I'm from; there's some down in London and Bristol. Get involved with the IoT meetups, because until the industry realises, you know, our security, our finance, our children, our homes: we've paid to have these things and we want them to be kept safe; they need to keep it safe for us. Until the industry realises we're not giving them more money to make us more insecure, they will continue to fail to implement very simple security requirements. So refuse to pay for poor security. I'm not sure, I'm not sure that it was around... So, [inaudible], at the end of last year, I

think it was the end of last year, Google and some other big players, and Zigbee, not 6LoWPAN, which is strange, but they all got together and they sat down and decided: we're going to standardize things. And they're promising us that by the end of this year they're going to standardize, so you've got the interoperability problem gone, but they're also going to take security seriously, and it was a really good security setup. So be aware; I mean, if you get involved, you know, see what they're doing wrong, and right now with our safety [inaudible]. [Audience question, inaudible] [Music]

I'm never keen on the government getting involved in that. I mean, we have members of the last Parliament trying to remove cryptography, thinking it's a really bad thing, until they want to use WhatsApp and hide behind it. So I'm never very keen on the government getting involved in security or legislating on it, because I don't think they understand security, don't understand cryptography. This has got to be industry-led, and this has got to be people; people have got to say, we're not buying. I mean, if you went to a restaurant and they gave you really bad food, you wouldn't keep going back to get really bad food. Well, this is to do with our homes and

us, our finances, so we are going to be the ones who actually move this in the right direction. But no, I'm not interested in the government. Also, I think there's been 52 different initiatives so far on IoT devices: we're going to do this, they're going to do that. The industry has come out, made promises, but they're broken. And so my hope is, I mean, with the new initiative, the Connected Home over IP initiative, because, sorry, Microsoft has driven up the security lifecycle, and when they now develop stuff they've moved away from that 'move fast and break something' concept to more: you have a security lifecycle in with your development

lifecycle. So I'm hoping they continue that in their program and in what they put forward. But it's also about us; we're the only ones who really care about [it]. There are some real good ones who actually speak out against them. Anything else, any more questions?

[Audience question] Do you think, without something [like] a doomsday [event], we stand any chance at all with users who post [inaudible], still give all their details to Facebook, [inaudible], which still use them, [inaudible] to get the product? You know, you saw, I forget the name of the company now, but you know the UK-based company that has a number of [inaudible] devices; they got breached; they saw no drop in sales.

It's not, yeah, just carried on. Yeah. Do you think the general populace...

Okay. If you know what I'm... I think I use intrusion detection and intrusion protection on all my systems; I'm kind of really paranoid. I think the people that cover their butts will, and care, and they will do what's [needed], but the masses won't until they have to. I mean, until somebody breaks into their home, then they will care, but until it actually happens to them they won't care. But I think there are sections of society, and maybe the 80/20 rule is usually predominant in [these] things, that there will be 20% of people who will put in the necessary security and

80% really will need to experience it before they realize what they need to do. So for some it will be a revolution and for some it will be [an] evolution. Yeah, yeah, I think it will, I guess, you know.

[Audience question, inaudible]

Okay, well, this is actually my [area], because blockchain does have a role to play, and you're talking about private and public blockchain, centralization and decentralization, [inaudible] where we come from. I'll just put this out. Okay, for this to work it will need to be by smart contracts, and smart contracts have to be in a private [inaudible] environment, as you want confidentiality; therefore there will need to be some form of centralization. But then you still have some form of mesh network, but

there will be, like, the contracts, the smart contracts, the way you validate different applications and devices will need to be centralised, the same sort of design that you have with DNS, is where [I'm] going. [Music] So I think you will have to have centralization to some extent, but not like one body, more just for authentication, and using [inaudible] centralization. I can't see [inaudible], sorry. Thank you, thanks for listening.