
All right, hello everyone, welcome to BSides. We'd like to thank our sponsors; without them the event would not be possible. For these talks we will require everyone to silence your cellphones, make sure they are off, and at the end, if there are questions, I will be passing around the microphone, so please make sure you raise your hand and I will come to you. Without further ado, this is "No IOUs with IoT" with Bryson Bort.

Yeah, the people who clapped have seen me talk before, and so they know what I do to people who don't participate. I have a little bit of a different presentation style. Yes, you should flee quickly. Run. Where's the sound coming from? Because I'm getting feedback. I got a... do you know where it's... in the cloud. See, you... is your mic on? All right, I will try to figure out where I'm supposed to stand to not cause problems.

So I'm Bryson. We're gonna be talking about IoT. So first of all, who's expecting somebody to drop 0-day today? If you want to be a rock star, IoT is the place to start. It's that easy. It's a joke; security is that bad. And so what we're gonna do today is we're gonna talk through why it's that bad, what we can do to fix it, of course, because this is the I Am The Cavalry track and we don't just preen and go for the fame, we actually try to [ __ ] fix something, right Josh? That's how we do it. That's why he keeps bringing me back, because I'm pretending to fix things. We're also gonna do a demonstration, so we're gonna walk through how to actually conduct an attack.

Now, one of the things that I can't plan, because the Russians never listen to me, is: has everyone seen in the news the Russian IoT hack? I've been giving this talk for two years showing how it's not about the IoT device; it's the fact that I get on the device, establish a beachhead (hi Odie), and that I laterally move to something of interest. That's what they just did this week; it just came out. So for a couple of years now, when I first came up with the idea, it was something that was more like theoretical of what could be, to make this of more importance than just "hey Sunny, I'm gonna [ __ ] with your Nest because I like to play with the temperature." Nobody cares. As sexy as Bo is, nobody is hacking into his web camera and watching him get out of the shower. It's true, I've done it. What was that? Did I see the purple tiara? Do you have a purple tiara with feathers? Lala, do you do a them... Where am I supposed to stand? Right here? I can't move, people want to see me. Oh [ __ ], hi people at home, I'm sorry, I move around. Right here, okay. That sucks. Circle of trust. So why do you gotta oppress me with a circle? Can we do other shapes? Octagon? Personally I prefer the Pentagon. Yes.

So, quickly, who I am: I was an army officer, I'm on the board of advisors of the Army Cyber Institute, co-founder of the ICS Village. So who's going to DEF CON? Better see you at the village or I hacked your phone for nothing. I also founded a company called GRIMM, that's my nickname, and I recently just launched a product called SCYTHE. So that's what I do that pays the bills and gets me free beer. All right, so we covered the agenda. All right.

The Consumer Electronics Show takes place here in Vegas, 190 to 200 thousand people. If you think it's busy now, try imagining six times as many people here. I'm in this... I'm in a safe spot, okay. I mean, you have like the dead body policy with your congressman, right? So you know how this works. Okay, thank you. Does everybody know who Elliot Phelp is? [Laughter] So what did we learn from the Consumer Electronics Show? What is the purpose of that show? Do you think it's about security? No. Try it again: do we think it's about security? No. What is it about? LEDs. Selling [ __ ], right. Does anybody buy anything for security? I mean, hell, even security products, we're all just pretending. We buy things because they're sexier, because we want them, right? It makes our life easier, makes us feel pretty. It's mostly what Dan needs, he needs to feel pretty.

So what do we see? We saw, first of all, if it could be interconnected, if it could be internet connected, and if it could be voice enabled; this was the new one. So the problem with IoT, why we're going to hell in a handbasket, is because these things are cheap. Computers got really cheap all of a sudden in the last decade. Instead of it being something that was almost like a down payment, you know, and there was like one in the house, now everybody has them and we have multiple ones, and we're making them on the cloud, because of course everything needs to be on the cloud, and we want to talk to them so that they can listen to us, so it's a more natural human interface. You're shaking your head. Yeah, I know. Oh [ __ ], that's terrible. What's your name? Mitch. All right, I'll use that in a joke later. Did you know that a smart TV will be sold to you for less than a dumb TV? Why? How am I doing so far in this one? Thank you. Kind of the same thing, only I feel more oppressed here by having to stand in this. I know, I like the physical humor where I like slowly run up the stairs. I've actually done talks where I do really bad parkour through the audience. Yes, you can.

Bingo. What's your name? Jenny. Jenny just nailed it right there: selling you up the creek. They love your data. The real creep: what they're making their money off of. Absolutely. And even things that aren't certainly cheap, they're starting to look at it, like your car driving habits. I had somebody the other day who was like, "oh, there's this really cool app and it tells me where to find the cheapest gas, and then on top of that it gives me these points and it gives me like 50 cents off a gallon," and I was like, "you don't know why?" And they're like, "don't you want to use this?" I'm like, "do you know what I do for a living? No."

All right, let's get that. All right, let's get this stuff, because we're short on time. All right, so mostly what we see, the state of affairs, this is what's happening in IoT attacks. First of all, distributed denial of service: Brian Krebs, right. Ransomware: I predict in the next five years that somewhere in this world someone is going to blearily wake up, look past the hangover, brush their teeth, go downstairs, have a cup of coffee, have some toast, mentally prepare themselves to go into work and deal with the jackasses that they work with, their terrible bosses (somebody like Sunny looks like he would be a terrible boss, I wouldn't want to go into that; what was that? That's why we hate working for you), and they go to their car and they go to turn it on and the infotainment system pops up ransomware: bitcoins for your car to work. That's not a dystopian hellscape; well, you haven't been paying attention to the weather out there, because it's coming.

Cryptojacking. Cryptojacking is another, a different version of ransomware where I'm going to steal your CPU cycles. IoT devices by themselves, of course we're looking for efficiency, we're looking for, you know, scalability, we're looking for just more, and they don't necessarily have a lot of computation, but if I collect a million of a little, then I get a lot. And then these are of course tied to whenever John McAfee releases an unhackable Bitcoin device, so you know it's safe, and that drives interest, and then that's what kind of ties to that. I don't know, there should probably be some sort of like cocaine metric there too, I don't know.

And then finally, as we were just talking about at the beginning, what the Russians just got done doing: lateral movement. This is why these things are killing us. Again, it's not the device itself; the device itself has a limited function. But the fact is, when you think about it, I can't hack something I can't touch, and IT security, for as much as we can complain about it, is light years better than consumer products. Who's monitoring what's happening on your consumer products? You are? How? A firewall? That's not modern. Do you... okay, so you actually are doing stateful inspection, all right. Where do your devices go? Have you looked at that? They are all weak. That's actually not a joke, it's serious. I'm serious. If you plug it in and then you run Snort and actually do packet inspection, literally every single device, for whatever reason, decides there's some random place in China that it wants to go say hello to. Now I'm not suggesting that there's a conspiracy theory here and the Chinese are trying to do something to us, but what I am saying is that every device goes to China. Seriously. Now, no, honestly though, it's not necessarily nefarious; usually it's going to like Alibaba or it's going to some, you know, commercial sites, but I could also point out there's no such thing as anything commercial in China.

So, herd immunity. Who's heard of herd immunity, besides Jenny, who's been in my talk? You don't look like you've suffered through me before. Okay, all right, first time, how's it going? Herd immunity, what is it? Okay, you know where it originally came from, in reference to what kinds of things? Yeah, so it was looking at the epidemiological study on cattle. So I have all of these living creatures together, and it turns out if there is a virus they share it. They don't have to go to conferences to get the con flu, right? They live in it. And so herd immunity is this concept that there's two tipping points: there's the tipping point that my herd is inoculated enough against this virus that there's not an outbreak, or it's not, and suddenly McDonald's gets cheap burgers. Yeah, think about what that really means. When I said that, it's gross. This is the concept that I am proposing applies to IoT. All of those consumer devices are going to create a tipping point for us in our ecosystem, so it's no longer the fact that Elliott has certain IoT devices so much as those devices are connected to other things, and it creates surface area and it creates space for me to gain purchase to then be able to laterally go to something of interest. It increases the ability for there to be an outbreak.

So the question is: how do these outbreaks happen? Get that. All right, so we've seen really two kinds of attacks. The first was Mirai, and what Mirai did: it turns out almost all of these devices have the same combination of user ID and password: admin/admin, root/root, root/no password. It's like ten of them. Mirai is like, "oh well, that's really hard to figure out, let's just try those." And by the way, they're not typically monitored, so I get as many guesses as I want, and there's like ten combinations, so I can do ten combinations, unlike on Windows where it's three and I'm locked out, right? IoT devices don't lock me out, so I just throw those, and they got over a million devices like that.

Reaper and IoTroop said, all right, something more sophisticated: proof of concepts, N-days. Does everyone know what an N-day is? Okay, so an N-day is a vulnerability that has been disclosed, right. A 0-day is a vulnerability that nobody knows about; the public doesn't know about it, I know about it because I'm gonna take advantage of it. An N-day is we've now pushed that out, but of course that only helps you if you actually patch it, if you're not protected against that, or if the patch isn't available yet, because there is now a clock ticking from when something is pushed. This is why I Am The Cavalry stresses responsible disclosure so much, because if you don't responsibly disclose and you share that information, you've now given the attackers the head start. Here's the thing: all you have to do is take this code and do it. Guess what we're gonna do today? That's what we're gonna do. So what they did is they had a catalogue of 65 N-days, and all they did was match this device against this code, and I'm in.
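An added example, not part of the talk or its lab, showing the monitoring side of the Mirai point above: the devices neither lock out nor get watched, so a defender's review of login logs is the only place the dozen-or-so default-credential guesses become visible. The log line format, device names, addresses and the extra default usernames beyond admin/root are constructed assumptions for this example.

```python
"""Added example, not from the talk: spot Mirai-style default-credential
guessing in IoT login logs. The device never locks out, so the guesses
only show up in whatever log the defender collects. Everything below
(log format, device names, addresses) is a constructed assumption."""
import re
from collections import defaultdict

# Constructed log line shape: "<ts> <device> login <ok|fail> user=<u> src=<ip>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<device>\S+) login (?P<result>ok|fail) "
    r"user=(?P<user>\S+) src=(?P<src>\d+\.\d+\.\d+\.\d+)$"
)
# admin and root come from the talk; the rest are assumed common factory accounts.
DEFAULT_USERS = {"admin", "root", "user", "support", "guest"}
FAIL_THRESHOLD = 5  # the device won't lock out, so the defender sets the limit

# Constructed sample: one source hammers cam-01, then gets into cam-02 with a
# default account; a legitimate user on 192.168.1.20 mistypes once.
SAMPLE_LOG = """\
2018-08-07T09:00:01 cam-01 login fail user=admin src=203.0.113.9
2018-08-07T09:00:02 cam-01 login fail user=root src=203.0.113.9
2018-08-07T09:00:03 cam-01 login fail user=root src=203.0.113.9
2018-08-07T09:00:04 cam-01 login fail user=support src=203.0.113.9
2018-08-07T09:00:05 cam-01 login fail user=admin src=203.0.113.9
2018-08-07T09:00:06 cam-01 login fail user=user src=203.0.113.9
2018-08-07T09:00:07 cam-02 login fail user=admin src=203.0.113.9
2018-08-07T09:00:08 cam-02 login ok user=root src=203.0.113.9
2018-08-07T09:05:00 cam-01 login fail user=alice src=192.168.1.20
2018-08-07T09:05:03 cam-01 login ok user=alice src=192.168.1.20
"""


def parse_log(text):
    """Return a dict per line that matches LOG_RE; unparseable lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events


def detect_credential_guessing(events, threshold=FAIL_THRESHOLD):
    """One alert per (src, device) pair that looks like a Mirai-style sweep."""
    fails = defaultdict(int)
    users_tried = defaultdict(set)
    succeeded = set()
    for e in events:
        key = (e["src"], e["device"])
        if e["result"] == "fail":
            fails[key] += 1
            users_tried[key].add(e["user"])
        elif fails.get(key):
            succeeded.add(key)  # success after failures: a beachhead was established
    alerts = []
    for key in sorted(fails):
        n, defaults = fails[key], users_tried[key] & DEFAULT_USERS
        # Alert on volume, on cycling through factory accounts, or on a default
        # account that eventually got in. One typo by a real user stays quiet.
        if n >= threshold or len(defaults) >= 2 or (defaults and key in succeeded):
            alerts.append({"src": key[0], "device": key[1], "failures": n,
                           "default_users": sorted(defaults),
                           "succeeded": key in succeeded})
    return alerts
```

Run `detect_credential_guessing(parse_log(SAMPLE_LOG))` to get the two alerts for 203.0.113.9; the legitimate user's single failure produces none.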
Those are the two kinds of attacks that we see in IoT. How hard is it to patch? There's probably no easier consumer device to patch than your phone. Everyone remembers Stagefright? Probably kind of rings a bell, sort of like general doom and gloom. Stagefright was a vulnerability where all I had to do was send you an SMS, a text message, and I had your phone. There's like no better remote exploit than that: you didn't have to interact and I had it. That worked on Android and that worked on Apple. Nine months after Stagefright is what this chart of red and blue of all countries in the world shows; the red is the unpatched, nine months after the patch was available, on literally the easiest way that we have to apply a patch, with the user saying yes. Like, how often does your phone annoy you when a patch is available, right? Accept the patch, accept the patch, accept the patch.

All right, so our setup we're going to use for this demonstration is a GeoVision webcam. This is not a knock on GeoVision, this is not a knock on webcams; this is merely a nominal IoT device that just happens to underpin this, and I'll show you toward the end of the presentation (ten minutes left, okay) I'll show you toward the end of the presentation a quick sweep of GitHub that I did to show you how many proof of concepts are out there for free to use, that you can just download, you don't even have to understand. It's just, again, to the Reaper/IoTroop attack. In addition, we have published a home lab that works with this, so you'll be able to do the demonstration of everything that I'm saying here at home on your own camera, not anybody else's, for demonstration purposes only. All right, video cannot be loaded. Fantastic. All right, so here we are where the user, we're setting up the webcam, so we log in with the default credentials. Good news is the camera actually says "hey, please change this." Yes, score, good job, GeoVision. Here's proof that hell exists: you know, don't you love when you go to a webpage and you fill it all out and you try to put the password in and then they tell you their arbitrary password rules afterward, and they reset the cache and everything, do it again? There is evil in the world. Okay, so we're set up, we've changed the password.

All right, so we're going to show the attack side. First thing we have to do is reconnaissance: I have to know something exists, I have to know what it is. Enumeration: identify exactly what it is. We're gonna compromise it, we're gonna pivot, then we're gonna have fun stealing what's on it. It's mandatory that we have a ridiculous picture to show what a hacker is. In this case, not only is he wearing a black balaclava, he is also wearing a bandana, and then for some reason is carrying something that has nothing to do with the computer.

The wheel of death.

So what you're seeing right now is the attacker's attempt at going into this, all right. And so what he's going to do, or she, or they, is a dictionary-style attack of the Mirai approach. So I'm gonna try all the combinations and I'm going to fail, because the user changed the password, showing that that worked. Brilliant demonstration. This was the best one, you missed it. Okay, so this is the exploit we're going to use. Coincidentally, this exploit was written by a Chinese author. It is available here at this address. So this, I think, will all be available afterwards, so you can go and you can check it out yourself. This is also the part that is in the lab that I'll be sharing at the end, so you can get it all. And finally, what it does is it does a remote exploit and I get in. This was, just for fun, when I went on GitHub to see how many proof of concepts against IoT devices were out there: there were 28 thousand, so, you know, you can have fun. Yes sir. Mitch, I mean, yes Mitch. Would I release that? No. No, uh, so I don't, yeah, I'm not gonna go down that rabbit hole. No, I'm not releasing that. All right, the fun video, if it works.

What do you think our odds are of this working? Two percent? Who said two percent? You said two percent. Was that like about the one percent, to make it political? Three and a half. All right, never throwing out random numbers, and I like that we departed from integers as well. Well done, pi percent. So the exploit is... not there you go. Okay, so here's the hacker. All right, I don't know why the video is now working. So this was the fun part, and I will share these videos as a part of the lab. I don't traditionally do that, but I'll do that for you guys so that you can actually see what I was gonna show here. And this is actually the really funny part, this is where I do the punchline, so I know he's a knight win a key, isn't that great? When someone's like, "yeah, I had a really funny joke," uh-huh. Fair enough. I want to acknowledge that we like our puns, okay, we're nerds. Who in here's a nerd? All right, those of you who don't, you know, why you self-hatin'? I want you to own it, own it. That's what we are, okay. Have you noticed the new nerds are ruling the world?

So what this demonstration was going to show is we're going to do a Reaper/IoTroop-style attack where we've enumerated the device, we have our N-day code that actually matches against that, and we get onto the computer. Then what we do, what the Russians did that was just discovered, is they did a tcpdump, so I'm gonna be looking at all the traffic around. In this particular instance I was a little bit more straightforward and I just went looking for Windows file shares, because Windows, with 90% market share, I'm pretty confident if I'm on either your enterprise or your home, Windows is what I want to look for, just in that particular instance. Doesn't take much more to add Mac and Linux. Once I found that file share, since I had a remote exploit and I had the password, because they didn't encrypt it locally, and how many of us use different passwords or slight variations on the same password, that's what we did to get into the Windows file share. At that point what we get is we got your fun pictures, which were demonstrated here, and then we also got your taxes and your bank account. I guess that didn't sound like much of a punchline when I say it that way. Okay, we're gonna just... we don't have time for enterprise, so it's kind of funny. So I also try to include in the longer talk here, I do the enterprise perspectives, because we're not always just looking at these things as consumers, and so IoT devices inside an enterprise network, you want to do "kill or marry" with them; that should be your policy, your friends get this.

All right, so what can we do? How can we make this better? Behind a firewall. High-five, Mitch. Change the default credentials, we've learned that one. Turns out you don't have to be faster than the Fancy Bear, just faster than the other people that are running from the Fancy Bear. Patches: who actually patches their IoT devices? You're lying. I'm teasing, Eddie. Are you sure you only have one device? [Music] Violated a lot of warranties by making them dumb. I feel like you ran around your house hitting things with a shovel. Soldering iron, oh, sophisticated shovel. Patches once a year, just like spring cleaning. Hi Karen, she's super cool, her talk's way better than mine and it's coming up next. [Laughter] Touché. Whoever said that, yes, but does yours have coloring books? Thank you. When I brought one for you, by the way, thanks. Okay, final thing, going back to the concept: hackers can only hack what they can touch. We want to segregate our LANs. Don't put consumer IoT devices on the same network as you are doing your taxes, as you are taking your compromising photos, as you are saving the porn footage of what you captured from Bo's webcam. Don't do it. Yes, Mitch. Oh, it's Ting; I should probably know that, considering we use a Google Home in our smart house demonstration. Wow, sounds like I know what I'm doing. Good call though, thank you.

Call to action: manufacturer accountability. And don't... I never expect any manufacturer to put something out, like John McAfee, that is unhackable; there's no such thing, all right, there's nothing that's completely secure. We need to plan for the life cycle, starting with responsible disclosure. I need a point of contact publicly available so the independent security research community has someone to go to when they find out how [ __ ] up it is, or however else that's discovered. I need to have a plan for triaging, with an expectation of when I will respond because you've submitted something, and then a convenient way to push out the patches so that consumers can apply them. And then the final thing is end of life, right? You should not just be allowed to have your IoT devices hang out there like zombies killing us. References for more info, some of those, plus I Am The Cavalry. Questions?

Firewall, it's all I got. His question was: IPv6, no more NAT, now what? Yeah, I mean, that's a good question, because now you're gonna have direct IP addressing through those devices, but you still have that choke point at the, I mean, at the connection in. So going back to the firewall, that's what you're gonna have to do, is controlling those things to specific devices and what those connections are. Aren't you a good son, and don't you do it? Guilt is the answer. No, you're absolutely right. I mean, at the end of the day, most of the folks out in the world don't understand half of this stuff, and how can we expect them to do it? Yeah, I don't have a great answer to that. Yep. Oh, I got his firewall, was it? Yeah, there it is. Done. Okay, thanks. Anything else? Nope. All right, I think we ran out of time. Thank you. [Applause]