
Good morning, B-Sides. Oh, all right. I usually have to see the audience for the clapping, so I don't know you. That's great. Cool. So I'm Bryson. Really, it's an honor to be here. I think that B-Sides is a lot of what's right in the world and in information security, because it's conferences at the community level. It's conferences where there's an opportunity for people who really have a passion to be here. I mean, it's Saturday and you're here. Great, you chose to be here. And the opportunity that's out there with the talks, the workshops, the CTF: this is your chance to learn, this is your chance to ask questions, and there's also a lot of really brilliant attendees. I'll just point out Jeff, for example, not Mark, who really bring a lot to the table.

So this is called "Hack the Planet." Who is expecting something about blockchain? Get out. Always a lieutenant. Why is that? Why is it, why is it over to the lieutenant? Because of the movie. "Hack the planet," which movie? Hackers. Who's seen Hackers? Hack the planet. All right, so where we got that name from is: I'm the co-founder of the ICS Village, which is a nonprofit that does industrial control system security and awareness, and at DEF CON we held an official capture the flag that we called Hack the Planet. And Hack the Planet was a slice of a smart city, so we had power generation, transmission, chemical, water treatment plant. Part of it was actually with the Grimm exhibit, where we had an integrated smart house, and all of these things were connected together, which gave, on the awareness side, the opportunity to see the upstream and downstream effects of what would happen in that kind of environment with different impacts. From the hacker side, it's the opportunity to make things happen at the upstream and downstream effects, things happening.

The reason I chose that for this talk is that what I'm going to be going through is discussing how ubiquitous computing is in fact enabling us to not just hack the planet like Zero Cool, but in fact to do so in a way that impacts our lives. This is the challenge that we have with computing: until recently, computing was more of an abstract thing, right? Oh, the information economy and data. All right, you know, I feel bad for Brian Krebs when his website got attacked, but it doesn't affect me, doesn't change my life. But as computing has become ubiquitous and has started to come into our lives, there's now a physical impact on what it can do to us, and so that's where I came up with the name Hack the Planet.
It's always a plan B. Oh yeah, by the way, so I've got swag to give out. So, former Army officer: I like being interactive, and I also do that in the way that you can volunteer or I can volunteer you, but I do have some carrots. So you're, you know, threatened and cajoled both ways, right? So we're gonna talk through the threat landscape, different attack types, then we're gonna do an attack demonstration. Now, how many talks have you seen where somebody goes, ooh, look at this zero-day, look what I've done to this thing, right? Have you seen that talk before? Yes? Oh yeah, yes. And at the end of it, what have we accomplished? Wait, you mean it's still gonna be exploited? There's gonna be yet another computer that's going to be exploited again and again and again, except, except by us this time. What are you building?
I believe more in the concept, and pun intended, that it's better to teach a person to fish. I mean, each person, you know what I mean. The point is this is not yet another "here's an exploit, look what it can do," but more like: this is what is publicly available, these are the common attack types, this is why it matters to us, and this is how you build mass attack campaigns easily to go after thousands of things at a time, and why you will always be able to repeatedly go after a thousand things at a time. And then, this being a security conference, you're supposed to feel really, really bad about that until the very end, when we'll talk through some things that we can do to make that better, both at a tactical, technical level and then at a strategic level.
Who has IoT? Who here in this room has IoT? You're not raising your hand? You're wrong. Yeah. So why does everybody have it? Wait, you talk the talk, you like it? It's everywhere. I mean, you can't avoid it. But why, why is it everywhere? Everybody's got a phone. Everyone's got a phone. Everybody's got a little Raspberry Pi. Well, half the people have a Raspberry Pi. Or you've got some kind of camera, you've got video cameras somewhere. Computer. Fire Stick. Fire Stick, Chromecast, fridge, Internet of Things, right? We have all of these devices. They are now one with us. I would submit that the future of our identities is going to be the ecosystem of computers and devices that are around us, rather than our Social Security number, our name, and our date of birth. Think about that. That ecosystem will be a much better indicator of who you are, because of your natural behaviors, both physically, how you interact with things, as well as behaviorally, with what you do with those devices. A great example of that would be during World War II: one of the ways that they were able to discern, without decrypting the communications of the Germans, was that they could pick up the particular fingerprints of operators sending signals and communications, because there was a natural rhythm to how each of them did it. As a result, you could pick up who was transmitting, you could figure out what unit that was, and then you could triangulate those units to determine what was happening. Didn't even have to decrypt the message. We physically have certain ways that we do things, and I would argue that that's going to be the future of our identity. So everyone has these, which means everybody in this room theoretically cares, because this affects you. So we've got the "what's in it for me" to start: everybody has IoT. Now, that's consumer IoT, but where else do we see IoT?
Industrial. What is industrial IoT?
Energy. Power plants. I know it's awkward, it's all purpose. Energy, power plants, do it. Yeah, it's all good, that's people hacking. Who else wants to try? What? PLCs. You can go with whichever you want. The spotlight is on you right now, okay, you feel it. Basically sensors, and...

Okay, so we're starting to see sensors in different environments, right? Medical devices. Who said medical devices? I'll get to you in the back of the room. Don't think you're safe. I've got to work my way up, and the fact that I'm leashed to here with advancing my slides does give you an advantage, but you're not out of it. Okay, so to understand, we have to start with why. Why are we here? And there's two reasons for why. One, of course, is the fact that we have an exponentially different form factor in computing than we did years ago. Everyone has, I think, seen the metaphor of you have more on your phone than NASA had for the entire program in the 1960s. So, and yes, we did put somebody on the moon, in case anybody still doubts that. So cost: these things got a lot cheaper. Form factor: they got a lot smaller. Energy consumption: both the combination of miniaturization of power generation, or batteries, as well as their ability to be more efficient with the use of it. And then of course the ability for radio frequency, so the ability to talk remotely in a lot easier way. Which means this is why we have ubiquitous computing, because now it is very easy for computers to be everywhere. And that's the way that I like to simplify when I think of Internet of Things: instead of listing specific devices, just consider that it is computing capacity that I can put anywhere. Storage doesn't matter as much; it's the computing capacity.
Here's the other why: power grid. What is the most significant shift in the power grid in the last couple of decades? Somebody in the back said something; I was waiting for it. Smart meters. Smart meters. Why do we have smart meters? So they don't have to pay people to walk out to your property to see how much you've used. Okay, so that made it easier for me to track power consumption, but what was the big shift that really changes how the power grid works? What? Demand pricing. Both demand pricing and the smart meters: we're a lot smarter about understanding exactly what's happening in a dynamic way. Huge shift. Interconnection, transmission, deregulation. Who said renewable energy?

The pause does make it more fun for you, right?

Okay, so why? Renewable power, so that you can push power into the system, and the actual production. Bingo. Power used to be one way: somebody produced it, they transmitted it, we consumed it. It's now bidirectional. Because of things like renewable energy, the power grid is now exponentially more complex, because it is now bidirectional. We can no longer presume that I, as a residence, am just going to use power; I can also generate power. Now, that ties into a lot of the things where we're talking about deregulation, we're talking about why smart meters matter, we're talking about demand pricing. All those are complex symptoms, but the fundamental change is we actually changed the physics of the power grid. Because a lot of the question is, why are we introducing all this complex computing into this environment? That's why. We need more computing to be able to handle all the different challenges that come from a fundamental shift in how the power grid works, unlike what we see in consumer IoT.
So this is the Consumer Electronics Show this year, 2018. I walked the floor with a reporter, and it was really, it was a setup. We were shooting fish in a barrel, because we'd go to each of the latest and greatest IoT booths and have them explain what they did, and then we would ask a simple question: so, what about security? "You're not here to buy, are you?" And some handler would come over and pull us aside. So this was my favorite: this umbrella, the ShadeCraft. Not that I'm picking on them particularly, but I am. It is everything. It follows the sun, solar charges, it has a battery built into the base, it talks just about every protocol. It did everything. So the starting question, of course, is what do you think this ShadeCraft umbrella costs? The Price Is Right. Three grand? I heard three grand. Too low. Five grand? Too low. A little bit more than $8,000 MSRP. Big seller. So I asked the question, because all these things don't start with technology. These things start with the use case and the demographic, and I'm curious who's the demographic for an $8,000 umbrella. You know who that is? Rich people who want to feel good about themselves for protecting the environment. The chief operating officer of ShadeCraft was kindly on hand to provide me a little bit better use case of that, because you see, she owns a vineyard, and it's very important that she has ten of these. That's your demographic. I know, rich people. What's with rich people? This is the challenge in the world, right? What color did I pick? Do I look rich to you?
Actually, I don't know what colors they came in, and everything about it, I didn't think about that. But the Sun Blue DPG? I'm not upgrading for twenty-five dollars. Okay, so if it could be internet-connected, it was. And the new thing for 2018: if it could be voice-enabled, it was. So why I jumped ahead to that from back here with the why: so we have a real reason for why there is a shift in computing in critical infrastructure. In consumer electronics, I feel like it is best summed up by the vice president of LG in 2015 or 2016, when he was unveiling this concept as the new product platform for LG Electronics. He says all of our consumer appliances will be internet connected.

Including a toaster. Yes. Why? I don't have an answer for that. He actually hadn't thought that through. This is the release of a major electronics platform, and they're just like, basically no one ever thought about why. We just, we're going to do it. This is our world. So, a catchword? Well, they're doing a little bit more than a catchword; they're introducing these by the millions and the billions into our environment. You know, I mean, Gartner says lots of interesting and made-up things, including the fact we'll have anywhere from 20 to a kajillion devices in the next X number of years. The point is, there's a lot. They're coming in, everyone in here has one, and there's even more coming into the environment. Critical infrastructure, you have a reason why. Consumer electronics, we're getting there, but we love them. My favorite, of course, because there's a heavy military crowd here: remember the challenge with the Fitbit? Wow. How about that for an OPSEC failure? Look it up if you haven't seen it.

All right, so this is just a quick plug. The lab that I'm going to be demonstrating today, we are going to be pushing this out open source, so the code, the lab. All you've got to do is bring your own hardware, and in the comfort of your own home you can build your own legal, on-your-own-stuff demonstration. So that'll be getting pushed out on GitHub, and if it doesn't, Tommy is out at the booth; you can yell at him.

All right, so the state of affairs. There are three core attack campaigns that we've seen: distributed denial of service, where we create zombies out of a lot of IoT devices; ransomware, not as much; and of course ransomware and cryptojacking are two sides of the same coin, where the value of cryptocurrency has now made it worthwhile to steal computational cycles, going back to the definition of IoT as just computation anywhere. Ransomware, which is the challenge of you try to use something and it's locked: send bitcoins here. He thinks bitcoins are anonymous. Good. They're not. We can find you; we can always find you. But what's on the hard drive? Yeah, there's a few of those. There's some Bitcoin billionaires who can't find their wallet. That's funny. The best security is when you can't get to your own stuff, because then neither can the attacker. So these are the three common threats that we've seen up to date.

Why do I care who the sponsors are? No, it's the screen right here: it just flashed up, and it's now going to all the sponsors. It's funny, because I'm coming over here to look at my presentation, I look at this, and it's like, thanks to these sponsors. Oh wait, Army Cyber is only a silver sponsor. Okay, all right.

Mirai and IoTroop. These are the two kinds of exploitation attacks that we've seen. Mirai would never, never, never, say never, would not work as well in an enterprise environment. What Mirai did was look and say there are about ten combinations of user ID and password that are default, sent out with each of these devices, and all I have to do is try them and I'm in. Guess what? Millions of times over, because it's that easy. How many of you have actually changed the default password on your router? No, that's not the whole room. Who here can actually tell me with 100% certainty how many IoT devices you actually own? If he's an expert, we don't know. And the manufacturers, they don't make this any easier. In fact, that's why the thing we're gonna show is the constraint to being able to even change the passwords.

The other one is much more complex. So this is the Reaper / IoTroop approach, where we put in an N-day. A 0-day is where I find an exploit on a computer that nobody else knows about, so therefore it can't be patched. N-day: it has been publicly released, which means that if everyone has followed proper vulnerability disclosure deadlines, then we have a patch. But having a patch and having it patched are two different things, right? We see this problem all the time. Why is it so hard to patch things in general? Money. Downtime. Human takes effort. What kind of? Ever? Intelligent. Jeff, I knew, I knew, I mean, you're in the front row for a reason. Intelligent. It takes human effort, it takes downtime, yeah, it takes effort. So why does it take effort? I mean, Microsoft just releases a patch; why can't I just push it? Because you might break things. I might break things. Why might I break things? Because people don't test their patches on the company side, or we don't trust them to. We tend to build our own things. The operating system is there to do its thing, and then we depend on it for simple applications, and then of course we like to pay government contractors ridiculous amounts of money to build things that don't work, and then we have to custom develop. I know that was probably a bad joke for this crowd. Wait a second, okay, that's my job. I joke, I joke. We build custom things in our environment, which means we can't just patch things. Now tie this into IoT. Where are they even releasing patches? How do we even find out if they're releasing patches? How do I consume those patches and put them in? I'm probably not building much custom stuff on my IoT, but we have an environment where the lifecycle is not even supported to do that. But the next time you ever hear it, because this is a really popular thing, we'll throw, let's say, the kids under the bus: "just patch it, that's what needs to be done in this environment, why didn't people patch that quickly?" At all, you have my permission to punch them in the nose. You can say it was me. They know me.

This chart demonstrates this. Who's heard of Stagefright? Who was listening to the keynote this morning? What, did you just get here? Okay, so Dave mentioned Stagefright. Stagefright was a weaponized text that I could send to a cell phone and automatically have remote exploitation on that phone. It worked on Android, they worked on Apple; that's most of the phones in the world. That is about the scariest thing that could possibly happen. Yeah, you're all thinking what kind of pictures do you have on your phone. I know exactly; you don't want those out there. Nine months after probably the scariest exploit in phones ever, that blue is the only part of the world that actually got patched. Oh dear. Oh god, yes. And it can't be any easier to patch your phone: they force it on you; you have to keep saying no. Tie that with the fact that you have to buy a new phone every period of time, because they only support it for so long. So a combination of user understanding and acceptance tied to manufacturer support: this is the environment. That's Republic of Korea, that's the worst, by the way. No, not that Korea, the other one.

Okay, so the setup here. This is going to be the case study we're going to walk through. We are going to be an average consumer, and we want to put some privacy and protective measures in place, which we're going to get a webcam for. Now, a webcam is just, essentially, for our purposes, a nominal IoT device. This just sets up the use case. These kinds of devices, this could be a consumer device of any type, this could be an industrial device of any type; the principles are still the same. But in this consumer case, why am I doing this? Well, alarm systems are expensive and useless. People want to secure their homes. Cost is a factor. Who's cheap? All right, yeah, I recall you. I'm not rich, I'm cheap. Again, look, yeah. Oh, being cheap and free t-shirts. Convenience, yeah, it's convenient and it's cheap, and I don't want to pay a hundred bucks to pick a random alarm company to come in. So, of course, we're talking to a military audience, so we're gonna make things simple.
The funniest part, from my view here, is the fact the audience, like, I could feel you're like, all right, that's a joke. It's not a joke. [Laughter] It's good to feel awkward. We're the good guys, right? The bad guys are over there. The Internet is in between. Always be oriented: bad guys can't affect what they can't touch, so they have to get there. So, demonstration. We're gonna walk through reconnaissance: how do we find our targets? Enumeration: how do I make sure that I know exactly what my target is? Because exploits don't just work across everything. I need something to specifically work, and I want to make sure I'm throwing it at exactly what I think it is. We're going to compromise that device, and then this is the part that's different, where a lot of people don't realize about IoT: we're gonna pivot. So I mentioned the Brian Krebs situation earlier. This is the challenge from a consumer perspective: so you exploited my Nest thermostat. Okay. It is probably the same. So you popped my Nest thermostat. I'm pretty confident that somebody somewhere else in the world is not trying to exploit my thermostat to play with my temperature. What's that? Exactly. Where's the true monetization in that approach? Not there. And I, as a consumer, I'm not worried about that. Potentially there's the creep factor of you getting to my web camera, but I mean, that's only gonna take ten seconds, something, you'll be off of my web camera. Give it, give it a second. So unless, again, I'm Brian Krebs and you're DDoSing my website, I don't care. But you should. We're gonna show that, and why, because that leads us to our next bullet: steal. We're gonna show how to steal things. Again, getting on the Nest thermostat: interesting, but by itself it has no intrinsic value. Stealing things means I'm stealing something of value.

So we are, we want to install a web camera. We're the home consumer. Well, it's running here. It's a great demo. Yeah, that part, that's cool. All right, so I don't know why that's not showing. Oh, I do. Wait a minute. Here we go. Okay, so this is the user perspective. We are setting up our web camera. They're kind enough to at least alert us: please change the default. We're now better than about 80% of all manufacturers. So we're going to create a new password. Oh, still better than most manufacturers. That's that.

This is proof that there's evil in the world. No, no, no. How many web pages have you been to where they don't tell you the password policy, and you've got to create an account with a new password, and it just keeps resetting you while you try to guess what the password policy is? There is evil in this world. Okay, so we're setting it up. We've changed our password. We've got to make sure, of course, that we can see this externally, because security doesn't work if you're inside your home. I need to be outside to see what's going on over my web camera. And we're in. You: password? What is it? Any password? Applesauce, bang.

So we now have a functioning web camera for our security. Yes, we're going to show this part in a second.
So how do you know we're about to talk about hackers? What's your clue? The black mask is one. We're holding something; it has nothing to do with the computer. This is how we know we're about to talk about the black hats. So it starts with reconnaissance and enumeration. Who's heard of Shodan? Right. Who's heard of Censys? Same thing. Open source intelligence. Almost all the intelligence I need as a hacker for literally any operation in the world, seriously, any operation, not even this simple demo, is available to me open source. Now, I might have to iterate through my intelligence gathering, but everything I need to start is available. You can probably take that statement and tell your security officer that you've completed your counterespionage training for the year, because that's all they're gonna do in 30 to 60 minutes, and for them, you're welcome. Two seconds: it's available. Shodan and Censys go around and collect constantly. They're trolling the internet and just pulling all the information of everything they see. Anything that responds, they pull. Have you seen those statements where some place is saying, like, "we've stopped 3.5 million attacks today"? Of the 3.5 million attacks, 3,499,980 are just one of these things, just agent-based pinging the internet, pulling information, fingerprinting. Attack. So it looks like this. I get all of this in a database to query, which I can query by protocol, I can query by firmware version, I can query by location. Lots of very useful information for me to start.
The question is, is the kitten falling or climbing? Attacker perspective: we're gonna try the brute-force method. So we're gonna try the Mirai style. Is the Mirai-style attack going to work on our web camera? Is the Mirai-style attack going to work? No. Why not? Because we changed the password, right? So the defaults aren't going to work. So we're brute-forcing this. The script, it doesn't work. Yay. But we've got an N-day, so we're just gonna launch the N-day, which is a proof of concept that's available to us.

You've gotta make it obvious. So, N-day, boom, done, because this thing hasn't been patched. And of course it prompts us to change it, so we're in. Now the best part about this is: the user changed the password, right?

I do feel like timing it so you'll say yes all at once. Yes, yes. So the user changed the password, which means that I now have access to one of the password combinations they use, because how many times do you use different passwords versus derivative, right? Because the password is also proof that evil is in this world. The stupidest idea ever created, and we're all stuck with it.

Okay, so this is the proof of concept that is available, that's out there for our N-day, right there on GitHub. Do you need to be a technical expert to copy/paste something? You said yes? We do know he's deep, shaking his head. Yes, sir, you might be in the wrong conference.

Ctrl-C, Ctrl-V. Point is, this is available, this is easy. I do not need technical depth to do this, to use this. So we now have this ability. We've seen how easy it is to gather lots of targeting around the world. We've seen how easy it is for us to enumerate, because we can segment that targeting by what we have available to us. Writing a script that just merely consumes those IP addresses and launches code takes no talent either. Twenty years ago we used to call that script kiddie-ing, and we would look down on it. It works. It absolutely works. And the thing is, right, I'm not targeting Jeff, because that one, that's not challenging. I'm not gonna go after a Jeff, right? I'm going after the entire net. Anything that matches the net that I'm trying to control is what I'm going for. You are not individually being targeted. Your devices, because they fit a certain profile, are all I care about, and the fact that there are thousands of them, or tens of thousands of them, is the only part that matters to me.
The launch guy: remote exploit.

Yeah, we didn't call it control, that one.

So we got our connect-back.
So now what we want to do is, of course, see where we are and see what else we can see. Someone mentioned "same VLAN," and the question is, what is on that VLAN, and of interest? This of course matters to an enterprise environment just as much as it matters to the consumer environment. Who's aware of the fish tank hack that took over a casino? I've heard of this one. There was a fish tank; they used IoT devices to manage it. It just also happened to connect into the interesting part of the casino. Bingo.

All right, so we're staging our situation.
All right, so here we are, trolling the rest of everything we can see. Easy to build a script to do this. We find a Windows share. Now remember, we have your password, because you changed your password, and people tend to use derivative passwords. So we're in. What do we got? Oh yeah, somebody's look good. Well, let's start with the fun part. Yeah, so this is, we've hacked into the Grimm house here. So who lives in the Grimm house? [Applause]

[Applause] A hundred doesn't move the needle. Move the needle now.

So, taking all documents we see: people tend to name documents things like "password file," "taxes," "bank account." [Applause]

That's work. Thank you.

This is why you should care.

Paul, whose head falling, are you divorced?
So what can I do? First of all, like we said, an attacker can't affect what they can't touch. A firewall is your starting point for being able to control both access as well as stateful connections. Change the default credentials. Mirai is still the common attack that is circulating; changing the credentials at least will put you above 97%. Hackers are lazy; we go with what works. You stop making it easy, we'll have to change that. Patches, yeah, I know, I already said, like, punch that guy in the nose. You're welcome to try afterwards; that was a joke. My recommendation: once a year, just like when you do your taxes, do the asset inventory of what you have. Do the painful going to each manufacturer site to try to figure out if it can be patched, and do it. The other piece, then, is segregate your VLANs. All of your IoT devices should be on their own VLAN. They should have their own dummy email account. They should have something that has nothing to do with who you are. And the parts that matter, where you do your bank account information and your taxes, should be on a separate VLAN. It should be a segregated network from where you are doing your other things. Apply that into the enterprise environment and repeat.
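A detection-side illustration of the Mirai point above (a bot walking a short list of factory-default logins against a device), added here as an example and not part of the talk or the speaker's lab: in a device's authentication log, that pattern is one source address failing many logins with many distinct usernames in a few seconds, which looks nothing like one person mistyping a password. The log format, the hostname cam01, the addresses and every log line below are constructed for this example, and the window and thresholds are assumptions, not anything the talk specifies.

```python
"""Flag Mirai-style default-credential stuffing in an IoT device's auth log.

Added example, not from the talk. A source address that fails login at
least THRESHOLD times with at least MIN_DISTINCT_USERS distinct usernames
inside a WINDOW-second sliding window is reported. One person mistyping
one password does not trip it; a bot walking a short default list does.
"""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample log (not real data): syslog-style lines from a
# hypothetical camera login daemon. 203.0.113.7 behaves like a
# default-credential bot, 198.51.100.20 is a legitimate user who mistypes
# twice, and 192.0.2.9 makes a few attempts but not enough to trip the rule.
SAMPLE_LOG = """\
Nov  3 10:02:01 cam01 login[231]: FAILED LOGIN from 203.0.113.7 user=root
Nov  3 10:02:02 cam01 login[231]: FAILED LOGIN from 203.0.113.7 user=admin
Nov  3 10:02:02 cam01 login[231]: FAILED LOGIN from 203.0.113.7 user=support
Nov  3 10:02:03 cam01 login[231]: FAILED LOGIN from 203.0.113.7 user=user
Nov  3 10:02:04 cam01 login[231]: FAILED LOGIN from 203.0.113.7 user=guest
Nov  3 10:02:05 cam01 login[231]: FAILED LOGIN from 203.0.113.7 user=service
Nov  3 10:05:40 cam01 login[231]: FAILED LOGIN from 198.51.100.20 user=alice
Nov  3 10:05:52 cam01 login[231]: FAILED LOGIN from 198.51.100.20 user=alice
Nov  3 10:06:10 cam01 login[231]: LOGIN OK from 198.51.100.20 user=alice
Nov  3 11:30:00 cam01 login[231]: FAILED LOGIN from 192.0.2.9 user=admin
Nov  3 11:30:01 cam01 login[231]: FAILED LOGIN from 192.0.2.9 user=root
Nov  3 11:30:02 cam01 login[231]: FAILED LOGIN from 192.0.2.9 user=admin
"""

# Only failed logins matter for this rule; successful ones are skipped.
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ \S+: "
    r"FAILED LOGIN from (?P<src>\S+) user=(?P<user>\S+)$"
)

WINDOW = 60             # seconds (assumed tuning value)
THRESHOLD = 5           # failed attempts inside the window
MIN_DISTINCT_USERS = 3  # distinct usernames inside the window


def parse_failures(text, year=2018):
    """Return a list of (epoch_seconds, src, user) for each failed-login line.

    Classic syslog timestamps carry no year, so one is supplied (assumed).
    """
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append((ts.timestamp(), m["src"], m["user"]))
    return events


def detect_stuffing(events, window=WINDOW, threshold=THRESHOLD,
                    min_users=MIN_DISTINCT_USERS):
    """Sliding window per source address.

    Returns {src: (attempts_in_window, distinct_users_in_window)} for the
    first window in which a source crosses both thresholds.
    """
    by_src = defaultdict(list)
    for t, src, user in sorted(events):
        by_src[src].append((t, user))

    alerts = {}
    for src, ev in by_src.items():
        start = 0
        for end in range(len(ev)):
            # Slide the window start forward until it spans <= window seconds.
            while ev[end][0] - ev[start][0] > window:
                start += 1
            win = ev[start:end + 1]
            users = {u for _, u in win}
            if len(win) >= threshold and len(users) >= min_users:
                alerts[src] = (len(win), len(users))
                break
    return alerts


if __name__ == "__main__":
    for src, (n, users) in detect_stuffing(parse_failures(SAMPLE_LOG)).items():
        print(f"ALERT {src}: {n} failed logins with {users} distinct "
              f"usernames within {WINDOW}s")
```

Run against the constructed log, only 203.0.113.7 is reported: it crosses five attempts with five distinct usernames within four seconds, while the legitimate user's two failures and the third address's three attempts with two usernames stay under the thresholds. The rule keys on the spread of usernames rather than on any particular credential list, so it also catches bots using defaults that are not in a published list.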
What's that? Last 31 networks? Yep. This is why this matters. We are introducing all of these devices into our environment, and by environment I'm talking about the entire United States of America. There is nothing preventing anybody from providing a network-connected device with no security controls, which we all will plug in; the only thing we need is to find it interesting enough to do so. The concept of herd immunity is where if I inoculate enough cattle in a herd, outbreak is reduced. There's a tipping point where if I inoculate enough, then the probability of outbreak is reduced, and there's a tipping point where if it's below enough, outbreak is increased. I can have Fort Knox of cybersecurity sitting here in a sea of unsecure devices, and it will make Fort Knox less secure as a result, because it adds more surface area, it adds more vectors. This is the problem that we have for the entire country and the entire world: we are not looking at this as a herd immunity problem; we're looking at an individual level. We are all, we're soft for the approach that we're taking here.

Call to action. What can we do? Manufacturer accountability. Accountability is a good place to start. Make those guys paint rocks, break rocks. It works for a private. Like a company: manufacturer accountability. There need to be consequences to the introduction and the abdication of responsibility. But what about that fly-by-night Chinese company that's going to build something and disappear in three months? Kind of hard. But what we can force them to do is design for the lifecycle. If you're going to sell something in this country, you're responsible for the support for the lifecycle. Starting point: vulnerability disclosure. You need a public interface for things that are found by the independent research community, or found through operation. Somebody can throw it to you, you can receive it, you will triage it, and you have a period of time to be able to respond and push out patches. You will also consider how do we push out patches. We should not all be guessing how each of you pushes out patches as a manufacturer; that should be provided to us, particularly when you start thinking at the enterprise and the company level. We're talking in the context of consumers; if you're running a power plant, you have the same problem. They don't make this easy.

So there are several of us who are working on this problem. So the ICS Village, the nonprofit that I co-founded, this is a challenge we're working on. We just held an event called Hack the Capitol in September, where we brought together policymakers, congressional staffers, several folks from Congress and think tanks, to actually show them equipment and teach them the problem, so they could start to learn about it. IoT Security Foundation is another, and then I Am The Cavalry is an independent organization that we partner with that is also trying to advance an understanding at the policymaker level. The point is, we are technical experts here in this room. We are trying to solve the problem with what's tactically in our hands. We also need to change the way the ecosystem is looking at this, to make it easier for all of us, to make us more secure.
Swag. Questions, comments? If you remark, I don't want to run up there; already tired. Just kidding. Now you can start talking while I slowly move to you and make it look funny. Do those actually work? It's blinking red: been exploited. Okay, so most people, normal people, don't have a smart switch or something that's VLAN capable, and they have no idea.

So two parts. It's a question of expertise: how do I implement a VLAN? And a question of technology: the ability to implement a VLAN. I'm not aware of many home routers that don't have the ability to segment a VLAN. More, it's a problem of, I think, expertise: how do I do it? That's something I think we could easily, I mean, you search for how to do that; there's lots of YouTube videos and Google pieces. It starts with an awareness to want to do it from the average user, but I think the resources are generally available for that.

Yeah, that's a great idea. What do you want for swag? That's actually a very good idea. It is Dawn here. Dawn, I got your books. Are you here? Good. Dawn's a good guy; these are good books. I just wanted to pick on him. Yeah, so what he was just saying is, we were talking about certain levels of security: why don't routers by default prompt the user to "put your crap here, put your good stuff here"? That is a brilliant idea. I'm stealing it. What's the most effective way that you've found to get a manufacturer to respond or to change to a request, like for instance expanding their password policy? Yeah, so there's, again, yeah, there's no one answer to that. This is part of where we have organizations that are trying to apply that pressure at a strategic level. There is no regulatory enforcement; there are no legal consequences. So the best we've got is, and this is where the independent security research community struggles with, hey, I found something. At least it's not like ten years ago, where they would threaten a lawsuit against us for finding something, and that's why we're encouraging vulnerability disclosure, so that there's at least a legal interface with some kind of safe harbor for being able to bring those things forward. Safe harbor is the concept that you do not bear liability for finding a vulnerability. This has been the tension with the hacker community, and really the greater world writ large, is that we were seen as the bad folks: hey, stop finding the problems; there weren't problems before you found them. So that's really the best we've got.

Since we're running out of time, you get to pick something. Yeah, I'll see. What? Okay, so should the government be worried about Huawei or Kaspersky, or Supermicro? Let's answer that a little. We are at war. We are being constantly, China attacking us, Russia's attacking us, Iran attacking us, North Korea attacking us. Did you know that Vietnam has a sizable cyber force in the government? You know, consumer devices and private industry are the battleground that this is happening on. The military is a hard target. The soft underbelly of the United States, which is the number one economy in the world, is the private industry. And so far, while the national cybersecurity strategy has said "we, the government, are gonna be more offensive about this," they actually haven't really come up with a protective mechanism for private industry. You're on your own. Contrast this with the conversation of a software, you guys last night, where I was in China last month at the Internet Security Conference. This was great: we had China, we had Russia, talking and preaching to me about how they were there to protect Internet freedom. It gets better: the Great Firewall is there to make their citizens more secure and safe. Technically, it does. They have a country firewall; we don't have that. Mic to come... out of time? Oh, I've got one minute. One minute. Lightning question: manufacturers I'd recommend to purchase? I'm not allowed to answer that in any form. [Applause] Conflict of interest. I apologize, I can't answer that.

There isn't one. My point is that they would be forced to do that before they'd be allowed to sell here. I believe I'm done. Okay, I want to take a selfie with you guys in the background, if that's cool. Wait, wrong way. I get IoT. One, two, three: IoT!