
All right, so before I start this talk I've got to give you a brief disclaimer. One of the reasons why we kind of decided not to put the title of this talk up on the website was because the first time, and last time, I did this talk there were some very angry people, angry people associated with the Iranian government, who threatened the facility and myself. So, yay, who doesn't like pissing off governments like the Iranian government, right? Come on now. So this is Revenge Is Best Served Over IoT. If you don't know me, I do a lot of weird, wonderful things. I like to hack lots of stuff. I've been involved in some of the largest cyber warfare incidents. I also do some policy analysis as the Distinguished Chair of the Middle East Institute, and also, yeah, I end up going to a lot of weird and wonderful places. Yes, somebody's got to do it. Why have a boring infosec career when you can get shot at by the Wagner Group, right? Awesome.

So, to give you a bit of background, I think we all realize that there's been a lot of back and forth going on with Iran and nuclear ambitions and cyber stuff, and they've got cool names such as Charming Kitten and things like that, which is fantastic. If you follow the news, Iran loves nuclear, whatever their ambitions might be. It could be just electricity, even though they have been caught enriching uranium to almost weapons grade. Back in the day, gosh, 11 years ago now, God, feels like forever, they got hit with something called Stuxnet. I heard maybe a Western government did that to take out their enrichment. They like to disrupt a lot of things around the world. Even as far as earlier this year, I was going to be in Burkina Faso to investigate and talk about the fact that the Iranians are selling their operational playbook, when it comes to propaganda, to an Islamic extremist group and terrorist group that they have been supporting with arms, and now they seem to be supporting them with cyber weaponry. So they like to do a lot of this kind of stuff. They also want to be a big player in the Middle East and Northern African region and want to make sure that they stay relevant. It kind of reminds me of this other country that wants to stay relevant on the world stage while doing some very awful things.

So this is an interesting journey, because it started in 2016, somewhere around there, and I got this LinkedIn message. They were like, hey, I'm so-and-so and we are looking for penetration testing training. Now, at the time I was doing a lot of training, you know, in the before times, before the plague, and I was like, oh, this kind of sounds like a vanilla request, yeah, no big deal, right? So I get some more information, and it was quite funny because at the time I was getting interesting offers for illegal drugs. One of my CVs is in Chinese, so you would not believe how many Chinese folks were trying to get me to participate in the fentanyl trade over LinkedIn. Amazingly, LinkedIn still has a terrible reporting process for going, hey LinkedIn, somebody just offered to sell me drugs. They're like, we have no way for you to report that. And still they have kind of denied that they have a proper reporting process, when this was reported over and over again, the activity that I'm going to talk about, to LinkedIn.

So one of the things I did a few years back, because part of my background is in control systems, I kind of like the fact that you can use digital technology to move things, right? That's pretty cool, right? We've got the BattleBots and everything going on, but on a larger scale. My background is also the nuclear industry, so I've been to every British nuclear industry, or excuse me, power plant or enrichment facility that I'm aware of, to do lecturing for GCHQ and CPNI, which is the Centre for the Protection of National Infrastructure. I love all these acronyms. And what they were looking for was a hands-on course for penetration testing and ICS. I'm like, oh well, you know, I could do that too, you know, no big deal, you know, I've already done it before. Then, as the relationship was lasting, the term that they use is an agent handler, so this particular person tried to act as an agent handler to start recruiting me, and he was like, well, actually, what we really need is, we would like you to come to Iran and teach us how to hack critical infrastructure with a focus on nuclear facilities. Sounds exciting, right? Yay. Not really, right? Because then, you know, I found out that this person worked for the Iranian government.

As these things started to get a bit dodgy, they were like, by the way, we will throw you a chunk of money. Now, who doesn't want a hundred grand a month? That's a lot of money, right? That's life-changing money. I've got bills, man, I could so use that money right now. It was a pretty good offer, you know. However, with that offer, the likelihood is that I would never be able to leave Iran. They even offered to take me on a VVIP tour and meet and greet some of the Iranian Revolutionary Guard and have pictures taken shaking their hand. Sounds like a good deal for 100 grand. Takers on the stream? Any takers?

So during this time, luckily or unluckily, I had gotten very, very ill from visiting a country, and so I had to do a lot of surgery, something like 19 major surgeries in, you know, a four-year time period. It was not pleasant. And this agent handler kept on with this relationship, trying to be very nice to me, trying to form a friendship, while, little did he know, I was taking down all the names of the people that I met with and I was sending that to someone in the FBI. Unfortunately, that person in the FBI did not do their job and they were an idiot. So with this particular campaign of trying to come off very friendly, they, for the benefit of myself, set up a bunch of fake websites. That was nice of them. After this was done and dusted and an investigation was started, I kind of felt like I was loved. I mean, who doesn't want to be loved by the Iranian government, right? They set up a whole bunch of what we call sock personas, so fake social media and so forth, and all of these not valid IDs and so forth, and they could pick up my background both from the news and from various conference websites, because I had spoken at a nuclear cyber conference in the past as well. So it wasn't like it was secret knowledge at all, which is not a big deal unless you're dealing with the Iranian government.

So over the years that this was going on, I had tried to reach out to various governments and government entities and got hit with a lot of government bureaucracy, unfortunately. When I tried the CIA tip line, it had a recorded message saying that it was actually, instead of the tip line, the PR and comms department of the CIA, then with another message giving you a number. So I kept trying to follow up; I heard nothing from the CIA. I had tried with the FBI; the particular agent that I knew didn't do his job at all and never followed up. Because of the fact that I was dealing with a sanctioned country, I tried the Department of the Treasury and they just ignored me. I had mentioned the activity, while I was trying to contact the authorities, in two different presentations, and it was only by chance, I was at one of my friends' retirement ceremonies at West Point Academy, and I get this message on my phone from WhatsApp, because I love using WhatsApp, and it says, you know, hey Chris, hope you're doing well, listen, I want your home address so I can send you a gift. Who wants a gift from the Iranian government? All right, nobody here put their hand up. Streamers, if you put your hand up, it's okay, you never know if that particular gift is ticking.

So at this point I thought, oh well, this just must be normal, must not be a big deal, because no one in the US government seems to give a stuff, right? So I start laughing, and next to me, we're having drinks, and a guy's like, oh, what are you laughing at? Thinking that I'm going to show them a funny meme, right, you know, maybe a dog on a skateboard or something. And I'm like, no, the Iranian government wants my home address so they can send me a gift. And he wasn't laughing. It turns out that he worked with a bunch of three-letter agencies and got his team to start investigating. I heard back shortly that, due to everything going on, the FBI finally reached out to me, were very nice, informed me while I was at a conference, where actually this WhatsApp message was included, that the Iranian government had murdered several exiles in the Netherlands and they thought that my life was in danger, and to not engage in any sort of communication with them again. So with this, again, they love WhatsApp. I brought up the fact that, you know, doing business dealings, how is my ass going to get paid? He's like, well, you know, we can't do business with you directly or EU companies directly, but we still do business with these EU companies, alluding to the fact that they openly skirt the sanctions on the Iranian government. Who wants to skirt sanctions and end up in jail? Again, nobody, that's just not my thing. So I unfortunately turned down this gift. We even looked at trying to arrange something to be delivered with another address, but they could not get the FBI and the Dutch government to agree to a potential, you know, exploding gift to be delivered, because of security reasons. So that was interesting. I still wonder what that gift was. I have gotten gifts from various intelligence agencies from other governments that had to get checked through to make sure that it wasn't poisonous or ticking or a surveillance apparatus.

So in 2020, in the before times still, oh, I remember those times, I ended up going public with this and going, hey, you know, the Iranian government has been trying to recruit me. A journalist checked it out, Sean Gallagher; I shared all the messages with him that I had, and so he wrote up an article, because it was kind of unusual. I mean, they were trying for years to recruit me. It's really not the type of love that I want or need, I'm just putting that out there. So once this article came out, someone took pictures of where I live and doxxed me on several, we'll say, extremist Islamic websites in Europe, and I had to contact those countries' computer emergency response teams, and they actually removed the content from the websites. And by the way, great tip: make friends at conferences, because that's how I met most of these people who helped me through this journey to try to keep me safe. So I'm like, huh. Can I curse? You want to [ __ ] with me? I'm going to [ __ ] with you, right?

All right, so I have a background in the Middle East, right? I work for the Middle East Institute, I spent a lot of time in the Middle East, and so I read about a recent law that they had passed in Iran, and it said that all mixed-gender entertainment and restaurant facilities had to have a camera pointing back at the religious portion of their police. Now I'm thinking, hmm, cameras at all these restaurants, all these entertainment facilities, going back to one source. I wonder if they have security, because the S in IoT stands for security, right? I also realized that, because of sanctions, they could only purchase hardware from certain places like China. We had the chat from Rapid7 yesterday describing some of the modules; some of those in there are for some of the Chinese technology that I found, because that's all they can use. So I'm like, well, you put me under surveillance, I'm going to put you under surveillance. So I created a Censys dork. If you haven't used Censys, I do believe it's kind of like Shodan on steroids. They do not pay me, I wish they did. And so I created some ways to find over 10,000 cameras all over Iran, and of course they all had exploitable credentials. What is that? Come on now. And I could even adjust the resolution, turn on the audio, you know, little things.

So at another conference that I attended, it's called the Joint Services Academy Cyber Security Summit, the top 75 people in the United States get invited, so I get invited, and I had met the chief strategist to the director of the NSA and we became friends. His name is George, that's all I'll tell you, that might not be his real name. And so I gave this information over to the US government and to my friend George, because, you know, quite frankly, it's a perfect opportunity for the US to track people, to do facial recognition, all sorts of things. Again, [ __ ] with me, I will [ __ ] with you.

So I do perhaps look at Iran a lot, and this is just an overview of some of the more, we'll say, exploitable things that are hanging on their internet-accessible devices. So I just picked the ones that are very open, and as we can see, a lot of embedded devices. They are also, many times, IoT devices; they can be printers, they can be anything like that. Usually they have little to no security. If they have a logon page, they've never been tested for cross-site scripting or anything like that. They're very easy to pop. FTP, I would not recommend FTP. RDP means I own your system. All the way down to some of the control system protocols like Modbus and S7. S7 is from Siemens, and that was some of the equipment that was hacked in Stuxnet. They're actually not allowed to have S7, because of sanctions, or any Siemens equipment, so I found those. And Modbus, the reason for its popularity in the control world is, when it was put out, it was basically their version of open source; you could use it without a license, but it also will take a command in hex, if you know what you're doing, from anywhere, without authentication. Fantastic protocol to hack, yay. Lots of SMB, DNS open resolvers. There was a talk in track two on DNS takeover; you didn't even have to bother with his way of doing it, you could just, you know, grab their DNS. So, fantastic.

And so they tried to persist. So I started getting other threats because they got pissed that their stuff was taken down from the website, my personal information. I contacted a good friend up in Scotland, used to be a private investigator for some of your interesting intel agencies and interesting places. I will say, always try to go for best friends when you're doing this type of stuff and you think that a government wants to possibly kill you; you have to make sure that you have trust in that individual. And last year, after I thought, okay, this has finally died down, because I'd already had to flee my house on several occasions previously, this Business Insider news article came out, I think it was February last year, where I was quoted in it saying revenge is best served over IoT, talking about how I turned their surveillance state against them. And then on WhatsApp I get an angry message, and they put the link, I'm not clicking the link in their WhatsApp message, to the story, trying to say, oh well, in the story you mentioned that we were asking about Saudi Aramco. I know about Saudi Aramco; I helped them recover from a very devastating cyber warfare attack that the Iranians did 10 years ago. We have nothing against them, oh blah blah blah blah blah, we don't like you, I'm pissed off. That was the gist of the conversation.

So I contacted the authorities. They took the messages as a credible threat, and so last year I spent seven months away from my house, between various types of police protection, staying with friends in the middle of nowhere, trying to keep myself safe, speaking with the Dutch police, the FBI, etc., etc. And wherever I traveled, the Dutch police would speak with those folks. Like, I had to go to London, and so they suggested I stayed at a hotel right next to Scotland Yard; they were notified that there was a risk. Last year, when I had to go to NATO's southern operations in Naples, they had to pick me up and drop me off at the airport with an armed guard, and when this talk was announced, whilst I was leaving Naples to go to Vienna, the Viennese police had to be notified as well. And again, [ __ ] with me, I will [ __ ] with you. So I had some friends look at the phone number that the angry messages came from, and they determined that that phone number had been used to purchase a domain. I looked up the domain and the IP address where it was hosted in Germany, and it was an entire operation of Iranian fake news sites and propaganda. So I contacted the FBI and it got taken down, and the guy [ __ ] an entire operation by sending me angry messages over WhatsApp. Yeah.

So just before my talk in Vienna at DeepSec, and if you haven't heard of DeepSec, they have two conferences, one for regular folks like us and also DeepINTEL, which is only for intel folks. I have to tell them that I'm willing to do a talk there later this year. And just before my talk I started getting some interesting tweeted death threats, and also there were threats against the conference hotel and the conference. They had to arrange for me to be put under another name for the hotel, all, you know, super Secret Squirrel, all this kind of stuff. And while I was on my way to Vienna and I was waiting at the airport with the police, I got contacted by an Israeli friend who said one of my friends just got doxxed on Iranian national TV, with his home address, pictures of him holding his dog on social media, saying that he was attacking Iran, which was completely false. That's actually not what he does; he's a very charitable person who runs a not-for-profit.

So in this field we have to be on the lookout for governments who want to do nefarious things. Late last year, the Iranian government sent people here in the UK to pretend to be academics to then try to hack into colleges. They hacked a couple of websites to try to get private communications between Middle East-focused think tank people and academics, and try to find out dissident information and so forth, because the Iranian government, they like to kill people as well. We've had bombs go off in Europe, we've had contract killings, etc. And when you think, oh man, I'm just, you know, I'm just doing a vulnerability analysis, or I'm just doing this red team thing, but you have special skills that they would like, and it may be tempting, that 100 grand a month, God, I would so use that money, but you will never be able to leave the country of Iran. Your communications will never be private again, and if you do return, you will be put in jail, which, again, is not the greatest thing to end up with. Trying to report these things, it is a pain in the ass. I have no idea why it took so long, and it was just by happenstance that it actually got investigated.

So, governments out there, if anybody works for any of these particular agencies that might be interested in information like this, I highly suggest they put a functioning tip line up on their website and engage with people who believe that they might be down the recruiting path. And also, do not accept gifts. Do not do even the smallest thing that could be perceived as something illegal or unethical, because they will use that tiny thing that you do on their behalf, when you think it might be vanilla, and they will get you to go deeper in the rabbit hole and suck you in and spit you out. And when it comes to the Internet of Things, hack away where it's legal. The laws that I operate on are the Dutch laws, so I try to stick to those. I'm not a lawyer, so I don't know if I always stick to them, just saying that. Dave, I heard, had legal training. So you have fantastic abilities, and if you are unable to get your government's attention when somebody's trying to do something dodgy, like, I don't know, wanting to be taught how to hack a nuclear facility, and it's legal to do exploitation or exploratory research, revenge is best served over IoT, and smile while you're hacking the [ __ ] out of them.

So I want to give a big shout out to BSides Newcastle. I had quite a few people who helped out with this. Also, if you buy my book, I might be able to get Christmas dinner, or I need a job, so I'm your person if you are investigating Iran. Thank you so much for having me and showing up so early with the coffee stand being closed. We are jealous of you on the stream because you have access to coffee at home. Thank you so much. [Applause]

Well, as my attorney, I think you should follow up with that. See? Nothing. That was so cool. I'm always slightly terrified standing near you.

Well, I did survive an assassination attempt a couple of years ago. This is fine, I've got a blanket, it's all good, just wrap me up, John.

Oh, that was very cool. Another round of applause. First of all, I think we might have some questions. Indeed. I'm ready to run around in the audience. I can't see, bright. Who had tequila last night? Do we have any questions for Chris? It's early, isn't it?

Of course, you mentioned that you're living in the Netherlands, so you're operating under, in quotes, Dutch law. What actually is their view on, sort of, let's almost call it offensive research, that you seem to be doing?

So the rules are, and I'm paraphrasing and not a lawyer, we actually have a PDF in English put up by our NCSC where it has some of our most famous hackers dressed up in funny costumes describing the law, and the law basically says a few things. If you find an exploitable condition, you can prove it, as long as it is not destructive, or too destructive. If you come across a database, you might take a sample but not download the entire database. You have to try to reach out and contact the people, the organizations, that are involved, in a secure manner. You cannot sell or resell that information, which makes sense. And also, if you're a Dutch organization which is worth above a certain amount or has a certain number of employees, you also have to have a vulnerability disclosure mechanism for people to contact you. And if you find a vulnerability or an exploitable condition in the Dutch government and you report it to the NCSC and it is true, they will give you a t-shirt that says "I hacked the Dutch government and all I got was this lousy t-shirt." An organization cannot sue you, like they can in the United States, for mentioning AT&T and how terribly weak and poor their cyber security is, because that's considered censorship. So we don't have a concept of what's called the SLAPP lawsuit. If you want to watch a funny John Oliver, look up SLAPP lawsuit and watch Mr. Squirrel. So as long as you do those things, then you are not breaking the law.

A good example is a good friend of mine whose name is Victor, Victor Gevers. In 2016, before the election in the United States, he got a hold of a 2012 LinkedIn password leak, and him and some friends used the password from Donald Trump's LinkedIn from 2012 and was able to get into his Twitter account. And, you know, they followed Dutch law; they were not arrested. You know, the Dutch prosecutor said, you know, you tried to alert Twitter and the, you know, campaign, everything like that, the US government. Right before the last election, he was like, you know, I wonder if I can still get into Trump's Twitter account. Now, of course, Twitter said, oh, all special blue check people have to have multi-factor authentication and we have so much cyber security at Twitter. So he used password guessing, and on, I think, the second or third try, what was it, MAGA 2020 exclamation. And don't worry, the original password he got in with, the group got in with, in 2016 was "you're fired." So he was able to get in; there was no two-factor authentication on his Twitter account. And the Dutch prosecutor did investigate and said, yes, you know, you followed the law. The hack did occur, even though Twitter paid some dodgy journalists, some of which are kind of famous, to say that, oh, Twitter security is so good, this guy must be lying. We have the best high-tech crime unit in the world, the Dutch High Tech Crime Unit, so we know what we're doing. We have a special segment; they investigated and said, yeah, the hack occurred, but we will not be prosecuting Victor because he followed the letter of the law when it comes to our ethical hacking laws. So if that gives you an idea, there you go.

So there's got to be more questions. I think I have time. Yep, come on, who wants to ask a question? Dan, do you have a question? Remember, your face is not being broadcast, so it's okay.

I have a question. What's your home address?

It is Buckingham Palace.

Nice.

Yeah, yeah, it's going to cost a fortune to heat this year. [Laughter]

Too soon. All right, she's in Sandam.