
xIoT Hacking Demonstrations & Strategies to Disappoint Bad Actors

BSides NYC · 2023 · 50:47 · 72 views · Published 2023-06 · Watch on YouTube ↗
Category: Technical
Style: Demo
About this talk
We’ll demonstrate several hacks against xIoT, or Extended Internet of Things, devices. For those who would say, “But they’re just security cameras monitoring the parking garage, wireless access points in the cafeteria, or PLCs controlling robotic welding arms; what harm can they cause?” - this will illuminate that harm. We’ll share stories from the trenches involving cybercriminals, nation-state actors, and defenders. Our presentation will detail findings from over six years of xIoT threat research spanning millions of production devices in enterprises and government agencies around the world. We’ll identify various steps organizations can take to mitigate risk while embracing a Things-connected world.
Transcript [en]

you guys ready to rock try it again good morning New York [Applause] are you ready to rock you wanted the best but they got stuck in the tunnel so you got me so uh my name is Brian cantos I am the chief strategy officer with sevco security a little bit about me I've been in cyber for about 25 years I started with disa the defense Information Systems agency and then after that Bell labs and then just started building a bunch of startups with friends so I've had two IPOs I've had eight Acquisitions we were just talking just sold my last company to Google about a year ago um it's been a fun ride I I wrote a book

a couple books but I wrote my last book with the director of the NSA um my mom said it was good I think she's the only one who read it um so just food for thought if you ever write a book with somebody that's been with the NSA for 35 years no they're very verbose and the book can stop a low caliber bullet I did a documentary with General Michael Hayden former head of the CIA and the NSA and literally dozens of people saw that as well so I haven't I haven't been that successful on that side of the house but uh I do enjoy building companies as my wife likes to tell me it's about she measures it based on

weight so I've gained about five pounds per IPO or acquisition but I did the math jokes on her it's closer to six and a half pounds per IPO in acquisition so today's presentation is xiot hacking demos and strategies to disappoint Bad actors so xiot is one of those made up terms well I guess every term is a made-up term I think about it like Ohio that's made up the brain named itself so that's kind of made up so anyways it stands for extended internet of things and we'll dive into what that means so what exactly is xiot so it's really three categories the first one is what we generally think about when we think about Enterprise iot

these are security cameras digital door locks UPS systems printers products like that and by the way out of all the products printers are by far 100 the most promiscuous of all iot devices in fact I think there was a Nelly Furtado song about printers a few years ago uh and what I mean by that is you can connect through wired wireless Bluetooth Bluetooth low energy HTTP https SSH telnet FTP tftp they're like use me print me use my ink so by far we see these promiscuous printers being attacked almost more than any other device the number one device by far security cameras but printers just because the volume and variety are really high so that's Enterprise iot

the next category the second of the three this is OT these are things some people just call scada devices or industrial Control Systems it's digital equipment that controls physics voltage volume speed different mixtures if you're talking about like batch manufacturing versus discrete manufacturing these are the devices that you see in power and energy oil and gas Transportation building cars Etc so these are those OT devices the final category which we're all familiar with but a lot of people tend to skip over this when they think of X iot these are the network devices these are the switches the nas the load balancers the wireless access points now what all these groups have in common besides just being in my presentation is

their purpose-built firmware and Hardware so you typically don't use a camera for printing and you typically don't use a digital door lock to be your UPS system so they're purpose built even though they're purpose built they're generally running popular operating systems typically Ubuntu we see busy box on the network side a little bit of BSD and on the OT side you see real-time operating systems like vxworks by and large though usually Linux or Linux like like Android for example they're Network connected almost always some of the real real old school OT stuff stuff that they depreciate it like they do turbines when they're at a dam that stuff's been around for decades so some of those

things aren't Network connected some of them are some of them are actually running like Windows NT 3.51 or the real new stuff NT 4.0 which has been end of life for about 20 years and they can't run for the purposes of this presentation kind of why we put this together security so you can't load you know scilanch you can't load crowdstrike you can't put McAfee you can't put an endpoint anti-malware firewall or IPS on these systems you just can't load it they don't operate that way there are some companies that are trying to look at micro code that you can put on there these microagents that has to be done at the manufacturer it hasn't really caught

on so technically these are non-security capable devices there's things you can do to make them more secure but you can't install the things that we think about generally in it on these devices now while this presentation is about X iot and hacking xiot it's really interesting don't lose the forest through the trees remember xiot is just another asset within your environment just like you have laptops Cloud SAS Solutions applications users and you probably have some type of asset intelligence program hopefully none of you are using spreadsheets still although I know some of you are to track all your critical assets within your organization so you shouldn't have a separate xiot Security Group you might have people that

specialize in that but it should be part of your overall Security Group and it shouldn't be a separate Solution that's Standalone in a silo like we see here I know it's a bit hard to read but you see products like phosphorus or axonius nozomi these are products that specialize in this xiot world in terms of Discovery and actually remediating certain risks but that has to be all Incorporated to your larger asset intelligence program so again don't lose sight of that through this presentation it's really easy to get kind of in The Silo which is just xiot but not a part of your grander strategy and when you're talking about those assumptions a lot of people look at asset

intelligence from sort of a assumption-based perspective juxtaposed to an evidence-based perspective make sure that you're going beyond the way that we used to do asset intelligence you know back in the olden days which is like five or six years ago make sure you're actually looking at across the board tell me every device I have that's running Malwarebytes and crowdstrike and it's a Microsoft active directory and these users have access to it and be able to correlate that asset information just like you're able to do on a Sims side for example looking at event data that's kind of the new new that's what people are doing with assets today and certainly xiot has to be part of that if

you're going to be successful so that's that's all I have to say about assets now when we think about xiot the volume velocity and variety is staggering if I if I asked all of you to just name five x iot devices you'd probably have very very different perspectives on what they are brands use cases Etc but consider this there's about 10 million servers in the cloud I'm not talking about virtual machines or anything like that I'm just talking about physical devices and think about that as kind of the number of horses in the world there's about 60 million so it's pretty small if we think about how many traditional computers with actual keyboards connected to them like my laptop here

that number has been decreasing year over year over year today there's about five billion of those or roughly the number of people which is about 8 billion so that number continues to decrease so let's look at the number of X iot devices there's about 50 billion or roughly the number of birds in the world and growing and growing rapidly and being developed by virtually every country out there most of which have organizations developing them that are not technology companies certainly not security companies and certainly not in a very security minded way so there's a ton of these which means it's a very Target Rich environment for attackers so who here has used Cabana okay who here has used Showdown

okay so a lot of you guys use Showdown the reason I asked about that is we're going to do a little Cabana a little bit later so Showdown for those of you who aren't familiar just to kind of dumb it down it's like a Google shirts to show me what's connected to the internet at any given time now it's not perfect and it's not awful but it's pretty good it can give us some kind of rough estimates of numbers so the first one I said tell me how many security cameras are actually connected to the internet internet right now it's over 4 million and then I looked at printers and I looked at some other things this last

category are UPF systems uninterrupted power supplies what's the use case of having your UPS which you probably have because you probably have something really critical plugged into it out on the internet and exposed like that it probably isn't very good and I'll probably say that there's some percentage of these devices that are honey pots and they're just looking to get attacked but even if it's five percent still why would you have a UPS now here's a question for you guys what do you think is the most popular brand of UPS around the world APC great furthermore what do you think the default username and password is on APC UPS APC APC and if you didn't know I used

this other hacking tool called Google and I said what's the default password for APC UPS and in less than a half a second it said oh it's lowercase APC and then lowercase APC so we have a a bit of a competition in our company if we ever find an apcp APC UPS that doesn't have the default password APC APC everybody in the company gets a steak dinner we've been eating a hell of a lot of chicken because it's never happened 100 of the time so those roughly 13 000 that are out there right now you can log into them with APC APC disable them or LeapFrog into the organization not that you should but you could and there you

go and now you know um a few more stats that are kind of interesting when it relates to these xiot devices so there's about three to five x iot devices per employee so a company of 10 000 people has roughly 30 to 50 000 X iot devices which is about twice as many than they generally think they have when you go in if you say how many do you guys think you have oh Brian we think we've got about twenty five thousand in the back of my mind I'm saying okay so they've got about fifty thousand and that's usually about right that three to five now there's a bit of a bell curve to that a law firm is going

to be a little bit less they're closer to about one to two retail is a little bit higher that's closer to about five to six and then manufacturing can be even higher than that closer to seven or eight but it averages out especially Financial Services Health Care uh so on and so forth about three to five per employee right which is a heck of a lot more than anybody generally thinks about and they go oh well the Voiceover IP phones oh and that's right we have ten thousand security cameras oh yep you're right the digital door locks and all these other things so there's a lot again a very Target Rich environment so what's the big problem there's a lot

of them the other issue is 50 of them run default passwords just like that APC UPS we saw the other 25 so you've got 50 000 in your network 25 000 of them have a default password that I can simply Google and find out how to get in no one's changing them think of security cameras a crew shows up in a van with a box of cameras and they're drilling them into the wall they're connecting it to power and fiber optic cable and then they leave do you think they're really thinking about your security development life cycle do you think they're really thinking about hey we should go ahead and wrote These rotate these passwords every 90

days uppercase lowercase special characters at least 20 characters long so on so forth we should file a good password policy no they're thinking I want to bolt this into the wall so I can get out of here that's what they're thinking so 50 percent have default passwords which means when we're saying hacking xiot we really have to put it in quotes because a lot of the times you don't really have to do much more than a Google search now most hacks aren't because these devices are internet accessible we'll talk more about that later most hacks actually don't get in that way but the fact that we just showed you with Showdown there's a heck of a lot that

are it just kind of makes life a little bit easier so 50 default passwords the next issue is end of life firmware about a quarter are running end of life firmware there's no support there's no patches coming there's no updates but they've been there and they're running the other three-fourths well those guys the average age is six years the average age of the firmware on an X iot device is six years we've all got a smartphone in our pocket we're holding it up and taking pictures of my slides regardless would that phone work if the OS was six years old or the apps were no or if they would they be horribly degraded right but we're expecting these

devices that are running critical Enterprises to operate this way so it's a very sad State and what comes with old end-of-life firmware vulnerabilities so if you look at these stats 70 percent roughly have level eight nine and ten CVSs scores so cbes of an eight nine or ten so those of some of you are probably very familiar with these ratings those of you are aren't a level eight nine and ten means with little to no skill closer to no skill on the 9 and 10 side I can get remote access to your device and completely take it over okay so that's the State of the State there's a lot of them they're very vulnerable and the bad guys have taken

notice so there's a few common attack types out there the first one is Legacy attacks and this is the ones that people when they think about X iot attacks these are the ones that flash into their minds first who's heard of Mirai great quite a few of you actually okay summarize the grandfather of iot attacks right it was specifically set up to go after security cameras and what it would do is it would get into the security camera it would load some malware and then people are able to turn that camera into a bot and do blackout search engine optimization malware distribution phishing DDOS all the things that Bots do well what they found these attackers

that were using Mariah was hey there's a lot of shared libraries and there's a lot of sort of shared code and binaries and white labeling that's done in xiot so it's not just this camera that has this really bad code in this default password and is running telnet it's actually this printer and this phone in this door lock and all these other devices that they're using the same code because the people that created it weren't security Engineers it's not a technology company and they just plugged all this stuff together so the white labeling and the shared libraries really impacts xiot so when Mariah came out it went from cameras to very quickly a much larger Network at

its peak at its peak Mariah had more processing and network capability than Amazon and Google combined of X iot devices what the hell that's huge right so the sad thing is and there's many sad things in this presentation the sad thing is we go into organizations today that still have devices that are vulnerable to Mariah why because their code hasn't been updated it's still six years old like we were talking about furthermore we find organizations that are infected with Mirai they've been running Mirai for the last several years and they don't know or don't care or no one's watching remember the end of Spider-Man the spider-verse for all Spider-Man were pointing at each other who's Spider-Man

and you go into these companies and say well who's responsible for your security cameras well it's the security team oh no it's not us it's the network Ops Team oh no it's facilities facilities what no we Outsource that to a third party a lot of finger pointing nobody wants to take take responsibility and I don't blame them if you have 25 000 cameras that you need to update and fix the firmware and the way you're supposed to do it is walk around with a thumb drive and a paper clip to reset this thing it's going to take a long time right so Nobody Does it if the choice is that or do nothing you choose do nothing

um who's heard of an attack called our socks this is kind of recent so our socks was part of a takedown the United States the UK a couple other countries it wasn't the five eyes but it was a couple couple other countries were involved in this South Korea as well there was a major botnet this was from a Russian Russian cyber crime group cyber crime by day nation state actors by night we see that all the time um because they have Safe Harbor just like the Pirates of the Caribbean not giant but the real pirates anyways I digress so they're hacking in and they're getting into these devices but when they wrote the code they say you

know we're going to go after let's go after industrial Control Systems we'll we'll go after Enterprise iot we'll even go after some network devices but let's really focus on scada and they did because nobody really pays attention if people don't pay attention to cameras you know no one's really paying attention to plc's Industrial control systems on assembly lines right so they actually compromised tons of industrial Control Systems probably the most widespread industrial control system attack ever but it wasn't used to blow things up or shut the power down or destroy the chemicals in a pharmaceutical company here for agricultural company or anything like that it was just simply because they had the audacity to be accessible off the

internet and they added them to their botnet army now these guys for our socks they are actually renting their botnet out so for 30 a day you too could have access to this massive botnet black hat search engine optimization DDOS attacks so on and so forth but for a hundred dollars a day you got full 24x7 Online technical support to help you out so they monetize the crap out of this thing cyber criminals have gotten really really good at monetizing X iot attacks nation states use them for different reasons but cyber criminals are look look you have more X iot devices than you do laptops it's super easy to get in I can do the same type of capabilities

and I can rent these things out and it's easy to hide and I'll show you how to do that a little bit later outside of these types of attacks the Legacy ones are the physical attacks I want to get in and shut down your power I want to get in and spy on you with your camera we see a lot of this in manufacturing we see a lot of this in the video cameras that are in conference rooms we're actually with a very very large financial services company that had the cameras and their TVs that they had their LCD TVs mounted in the wall and all of their executive briefing rooms compromise and people are able to

spy on them with audio and video in some cases for a couple years very sad again a lot of sad stories we saw an organization where they had their digital door locks compromised and people could unlock and lock doors at will right I think it was 8 500 different doors and again hacking wasn't really a big thing but I mentioned nation states and cyber criminals have taken note of this we talked about cyber criminals for our socks this is fronten has anybody here heard of or used fronten so fronten was a tool designed by contractors for the Russian FSB ically to find xiot devices compromise those devices control those devices and then use those devices to LeapFrog to

attack it assets and cloud-based assets within that organization which we'll get to in a moment but that is the most prevalent type of attack today so if you speak Russian or you can use Google English to Russian translator you too can have a military grade nation-state designed X iot hacking tool why because after they built this tool the digital Revolution hacking group actually stole it from the Russians and released it so you can download it on any of your favorite locations where you guys which would never I'm sure download illegal stuff but the same place where you can get movies and other tools and things like that you can also download fronten and it's a very powerful tool it's very well

made actually the next type of attack are OEM attacks this one's really really interesting so there's a number of security or a number of security camera companies out there that ship not with malware on their devices but with Mal design they're designed to be evil from the get-go it's not like they can be patched they're built that way from the manufacturer so for example I might have a security camera I say hey stop recording don't record audio don't record video it says okay okay I'm going to turn the green light to red but don't tell anybody I'm still recording and it still records and furthermore it doesn't only record but it sends that information off to a distant country

that rhymes with Lima so you have this issue now where you have security cameras that measure in the hundreds of millions worldwide recording audio and video collecting data setting it to some location where apparently they're doing some type of correlation anomaly detection temporal analysis volumetric analysis who knows to try to Crunch it because it's a huge amount of data looking for people the blackmail I guess or looking for corporate Secrets what have you so a couple years ago the US government said hey you know what this is bad I said okay that's good I'm glad you noticed and we're not going to allow any government contractors or any government organizations to actually operate these cameras from Huawei ZTE hickvision and

so forth but it wasn't until November of 2022 where they actually made it illegal they're now illegal to import and they're illegal to sell within the United States and that's pretty interesting but I was just at a conference called jaisek in Dubai about six months ago the biggest sponsor of this conference which was huge it was like 200 000 people they actually had a hovercraft motorcycle which I thought was really cool but 200 000 people the number one sponsor Huawei so it's not like they're gone they're still here but you're seeing governments all over the world now scrambling to try to get in front of these things because their camera specifically designed to record audio record video and siphon

it out now the last group are pivot attacks and this is the big one so I want to keep this one to the end these are attackers that gain access through some other means like a phishing attack for example and they're like well great I got you to click on something on your laptop but I don't want to stay on your laptop your laptop is not a great place to hide because you've got network security and app security and data security and people looking at it and auto audit logs and all these other things why don't I just go on one of those promiscuous printers you've been telling me about or one of those naughty naughty

Huawei cameras and I'll just go ahead and hide out there and then from there I'll use that to tack your it devices I'll use that to siphon out sensitive data I'll use that to attack the cloud and bandian actually discovered an attack a few years or I'm sorry a few months back called quiet exit and this is the new new this is the one that's really making people nervous as well it should because it's not about attacking your device to turn into a botnet it didn't come shipped malicious from the manufacturer it's not about shutting your power off or opening up a door those of course are horrible types of attacks that can cause physical safety

issues ETC this is all about stealing your data and they got in through a typical phishing attack whether it was through messaging or you know email social media what have you somebody clicked on something and they got their device infected now to maintain persistence and evade detection they had to Pivot from there to an X iot device now do you think they just pivoted to like one promiscuous printer and one camera hell no they went from there to tens of thousands of devices why hide in one when you can easily hide on Ten Thousand makes you much much harder to get out now when they're on those devices what they did was they installed a bit of

malware they installed drop bear SSH drop bear SSH has been a tool that's been used for reverse SSH Tunnels for a very long time what was interesting about this is it was being installed on a lot of network devices Nas wireless access points which is BSD and a lot of voice over IP phones cameras and things like that which is mostly BusyBox and Android Linux right so they installed that from that point on they're able to remotely control those X iot devices from whatever location they were at and they used it in this particular case this is what these apts are up to they used it to log on to office 365. in the cloud they actually made setup

apis into it and local exchange services and they're pulling emails and they specifically Target the emails from Executives anybody that had to deal with M A and BD things like that a lot of this was probably tied to making Investments and short sales and things of this nature that's what they were going after they got in through phishing pivoted to xiot to maintain Persistence of bay detection then attacked I.T then attacked cloud and stole sensitive data and almost every case the minimum amount of time that these guys were within the network before the initial Discovery we're not even talking about getting rid of it was two years for two years they were siping off sensitive data in this way because no

one's watching these devices nobody's thinking about them like Spider-Man everyone's hoping somebody else is doing it right so let's look at how you actually hack a security camera so we've got Kali Linux here and I think I I did this in 4-3 hoping this would be easier to see but I actually have some pop-ups that will bring up the text so hopefully this will be a little bit easier so we're gonna hack a security camera Soup To Nuts and just show you how easy first I'm just going to log on to the security camera just to show you what you can do most of you are probably familiar but most security cameras have a web server and you can log into this

web server nothing's hacking now this is just logging in and there's a couple things you can do one thing you can look at the live view you can see what's the security camera looking at and in my case I have my security camera looking at a very secure Netgear device and a hickvision camera okay so it's just sitting there on the desk so nothing really too interesting at this point but the next thing we're going to do is look at the configuration information because you can do that as well IP addresses default gateways DNS so and so forth General Network config okay nothing there we just know that we have a camera so now I'm actually going to go back to

our friend a showdown right I'm going to do a quick little search here I'm going to use the command line for showden instead of the cool GUI and say show me how many of these devices actually exist in the world that are internet accessible oh there's about three and a half million of these okay great show me how many of these just exist in the United States came up oh there's about a half million of these so there's about a half million of these cameras that are internet accessible and like I mentioned internet accessibility isn't really how most organizations get in so now knowing that this is a Hikvision camera which I can find out from just

doing a cursory scan I'm going to go to exploit database now there's lots and lots of these there's some that you can pay for a hack like this is usually about five thousand dollars but I'm very cheap so I just want to get the free one from xplaydb um there's some that you can get on tour as well you can have stuff built for you but we don't need to go Couture here we'll just go regular so I'm going to create uh and this is right now is just in Kali Linux I'm going to go ahead and create a file here and I grab that python script from exploitdb and I'm going to execute it

I'm just going to execute and now it's verifying that yes in fact this camera can be hacked that's all it did so I downloaded the script I ran the python I typed in the IP address and I had said go so now I'm going to make a directory on this device now I'm in the camera I've actually exploited it because I ran the python script that's all it took now I'm doing some things I would do on any Linux this happens to be running BusyBox so we made a directory and we called this directory bad and the next thing I want to do once I do that is I'm going to download some tools so I can actually download tools to my

camera I can download scanners I can download password crackers I can download malware I can download whatever I want so I'm going to use tftp to do a remote get of a file called do bad from my tftp server which this happens to be running on my Kali Linux so we download this file again this these are just just general Linux commands nothing special here unix commands now I'm going to change that file 777 anybody can read write and execute this file called do bad and what's this hacking tool that we downloaded onto uh onto our security camera it was a Shrek video so why not so I easily compromise the camera the hardest part was actually

taking the time to go to exploitdb and find the python script and then just running the python script so I went ahead and I uploaded that so now I actually want to do something else I showed that I can upload files I want to exfil files so I can go ahead and attack another device grab sensitive data for the sake of time I'm just grabbing the pem files so the cert files from these devices and I'm using SCP which goes over Port 22 just like SSH so I'm basically doing a secure copy protocol of any sensitive data that I have on that camera and that's how easy this is there's the command again it's just SCP assessing nothing super crazy

so I can download files to this camera I can X fill files from this camera and I can take those x-fill file those files that I pulled off and now I just have them directly on my database or I'm sorry my laptop that I downloaded them to that simple again that's hacking a security camera all I knew about it going in was it was a Hikvision camera I went to exploit database I grabbed the there's only a few a few different scripts out there I can run this through Metasploit but I just decided to use the python script by itself I checked to see if it was vulnerable yes it was and I knew going

in 90 of the time it will be and I just ran to execute and once I have I execute that I have full administrative privileges on that device lower than the application that's actually running the camera so very powerful capability there now that's Enterprise iot let's talk a little bit about the scada stuff this is pretty interesting I I tell a lot of people that OT security and X iot security and all this is kind of like security was in the 1990s it's very very early Siemens experience attack called S7 plus crash they named it that I don't know why a very simple attack you have to Simply send TCP packets on Port 102 to the PLC which stands for programmable

logic controller and PLCs generally do things that are based on what's called the set point for example I'm allowed to get up to 100 degrees or drop down to 90 degrees as long as I'm in that range everything's good but if I get hotter than that I'm going to send an alert to a SCADA system which is just a management control system for this and say hey I'm getting too hot or if I get lower I'll send an alert I'm getting too cold so 100 degrees is the hottest that this is supposed to get I could go ahead and crank this up to 150 degrees and then start sending packets on port 102 and

in doing so it's trying to send an alert but it can't because it doesn't understand what's happening on this port 102 it gets confused so it just does nothing it's essentially a DoS attack on this device now Siemens said okay well we have some ways you can fix this uh the first thing you guys need to do is um enable passwords so okay so enable a password on the PLC and then after you do that hold on to your hats you need to set a password okay so I'm going to turn on passwords and then put it put a password in then it said you should also update your firmware because we know a lot of you guys are

running really really old firmware so just do a patch update okay thank you Siemens and what's the last piece turn off stuff that you don't know because while our PLCs aren't super naughty like a printer they're still pretty darn promiscuous they're running a whole bunch of open ports FTP telnet things like that that you probably don't need they might be running Wi-Fi they might be running Bluetooth Low Energy shut that stuff down now now this wasn't bad from Siemens this is this is good information but this was like security 101 in 1995 right but these are the types of things that we see time and time again so I'm going to show you another attack I think this one will be

a little bit easier to see this is actually with a real physical robot it's the neatest way to look at this but this is an attack against an industrial robot this robot is about 300 pounds and it connects to a power supply that's about 200 pounds so it's not very mobile but it is pretty cool and we're going to do a live attack on this now a couple things about these robots these robots are used both in batch and discrete manufacturing so they can be used for making Volvos or they can be used for making pharmaceutical medicine they're really good at cutting and grinding and welding and poking and all sorts of cool things we use it for Less

much less technical things than that you could also make it do push-ups which is kind of neat we found out and I don't think that's the intended use case so we went ahead and got this robot uh which you any of you can buy one they're not like super secret uh we got the license for it and the latest greatest software and loaded it on there that was actually much harder than acquiring the robot because it was apparently they don't just sell this to everybody because who who is buying software for a robot not many people it's a pretty pretty finite group of folks and we went ahead and tried to figure out a way to

hack it well it comes with this remote control this is called the pendant and like any remote control if you ever played with a remote control cars this is like the old school one where it's connected via a wire so you've got this remote control and we wrote a very small basic bit of code a configuration that said go ahead and touch the top of the can that's all we're doing we're having because we're super creative and we took this really expensive robot and we said let's have let's let's bolt it to a crate that it was shipped in and then let's put some blue blankets behind it and have it touch the top of the can so

this pendant is what you use to actually manage it but it can be managed two other ways the other way is through these two PLCs you see in the rack a Rockwell or a Siemens like we talked about with that Siemens attack but the third way is really cool we found out oh this is Network connected I can ping it well that's pretty cool I'm sure there's no problems there at all so let's see what we can actually do well it's running a web server that's cool we just did a little port scan on it and we pull up the web server and if that's not 1995 web UI I I don't know what is

um so so anyways we we pull up the web server again this web server is running on the robot it actually comes default we didn't change any configurations this is how it is out of the box and we can see things like there's the version so this was from January 10th 2023. we see some some other information you know who knows what a that means but we can go ahead and look at some of the other configurations on this device like active programs now when we pull it back to programs we can actually see what's running here's the thing intellectual property for a Manufacturing Company both batch or discrete it's stored on these devices all these set points all these

configurations whether you're making a drug or a Volvo that's where it is it's not on a file server it's not an Oracle database so if you can steal that that's actually real IP really really expensive IP sometimes so we found out through the web server well I can look at all your configurations so that's a thing the next thing we found out is wow it comes with a virtual version of that physical remote control that iPendant so I can actually do all the things that that remote control did through this very old school web interface and I go oh that's neat look at all these things and sure enough look I it even has the FTP server could that be

right and it's Anonymous what let me pull up the documentation the documentation was nice enough to say this hey you might find it says Anonymous FTP if it does say Anonymous FTP don't worry you don't need a password well well that thank you thank you internet accessible PDF so now we're going to FTP into this guy we just saw how Ultra secure and hip the web server was so let's FTP into this hit enter oh oh now I'm in well I'm sure I probably can't do much it's just an FTP server what could possibly happen so let's pull up the directory it's going to pull up everything that's listed and remember a lot of this is super secret

intellectual property right you know I I want to steal the code that touches the top of the can with your robot but there's the file can.LS that's the actual file that we're going to we're going to try to take but I probably can't download it can I run a get maybe oh oh crap I can so I can actually download the can file okay so all I've done now is downloaded that program that touches the top of the can so I'm going to use this hacker tool called Notepad so I open it up and we're going to change one variable on one set point right there on z-axis it said 205 millimeters we're changing it to 305 millimeters

take that robot so now it's again it's just sitting on my laptop so it's not really doing anything so I'm going to save it I'm going to do a save as because it has to be saved with a .LS so nothing nothing can't see there so can crush is the new name so I've now named this to can crush and I've got it sitting on my laptop big whoop the FTP receiver definitely won't let me put a file on the FTP server why oh crap it does I can download a file I can modify it and I can put it back on the robot oh robot well that's not good is it and we made

some calls and apparently it's not good at all so we go a little bit deeper and say well it's on the robot but the robot doesn't know how to use it so there's probably some secret secure way to make it use that file so we come over here and we look at the programs there's can Crush okay so it's there but it's still not running it but we see there's there's the one we modified with the the Z axis right there 305. okay cool so it's on it's on the it's on the robot but the robot's not using it I'm sure there's no way to to make it use that file so we go into the menu

system again this is the virtual pendant this is what you could do through a PLC like a Rockwell or Siemens or through the remote control or through this handy dandy web server and even if you don't know anything about this thing this robot you can find out oh well that's pretty easy to understand let me go into the default program change it from can to can Crush and now I'm going to click ok did you see that I clicked okay that was the biggest part of the hack I clicked okay okay so now can crush is the default program the cool thing now is people reboot these robots like every couple weeks their their cash gets full just

like laptops computers etc but that will stay persistent now and they reboot usually in about five ten seconds so you see the reboot now even after a reboot it's gonna always run can crush instead of can so now the robot is doing his robot stuff he's winding up and again he's just supposed to touch the top touch the top of that can and and oh no who would have guessed can crush would crush a can and that is how easy it was to hack an industrial robot we use the power of logging on with HTTP and FTP and notepad that's about all it took and we made it dance as well it's actually kind of I mean it's pretty honest it's pretty

cool to play with these things um now that was pretty obvious that attack it would be less obvious if I was making a gear for example and that gear was supposed to be ground to 2.55 millimeters in thickness but I have it changed to 2.50 millimeters and it's probably going to work and it's probably going to pass QA and if it's in a a car or helicopter or machine it's probably going to operate for a while maybe maybe a few months maybe a few thousand miles but then there's going to be too much friction something's eventually going to break so if you do a very small attack like that across not one robot but across

thousands of robots and you just saw how easy what it was to do or you modify the chemical mixture in some type of pharmaceutical you can have a dramatic and dangerous impact on things it was that small and as we saw before I could have taken the configuration file and stolen that and used it for my own personal nefarious activities so we looked at enterprise IoT we looked at OT let's now look at network devices I'm not going to do this as an attack I'll just walk it through because this one's like watching paint dry um so these are this is Network gear so it could be a Netgear Linksys whatever we're all pretty familiar with these but

there was an attack called VPNFilter which was a bit of malware and the compromise get this was the remote managed Service Port was running with a default password which you would never guess an xIoT device would have a default password but this one did and they logged in with the default password and loaded VPNFilter which was the malware now this malware could do a couple things one it could capture traffic but I guess that's kind of interesting I mean oh I'm going to sniff for tftp I'm going to sniff for FTP and telnet and this and that maybe POP I guess is an interesting use case but not not uber interesting also when you're doing heavy

sniffing like that it's like running it in debug mode and it actually has a performance impact so most people might detect that the thing that's pretty cool though just like we did on the robot is it stays persistent post reboot because a lot of the malware previously to this generation once it got rebooted uh it was gone but this actually stayed persistent so that's pretty valuable but the really really nefarious part was if they just got pissed off at you they could just wipe the firmware and destroy the router and probably not for the people in this room but most of the people outside of this room aren't going to take the time to figure out okay let

me download the latest firmware and update it and fix it they'll just throw it in the trash go down to Best Buy or order one on Amazon and be off on their way so that's how the network ops attacks work so that's kind of all the bad stuff let's talk a little bit about how to mitigate these attacks at a high level so a lot of people say well I don't even know where my stuff is you're saying I have three to five per person how do I even find them can I scan for them well not really there's great tools out there for scanning there's Tenable and Rapid7 and Qualys but they don't work well in

xIoT and you can't really do this in an OT environment because they'll they'll break your laptop in half and throw it in the ocean because it can knock those devices down oh I see ICMP echo request three I don't know what that is that's a pain they go I'm going to fall over and die because their TCP stacks were written in a vacuum they never were expected to be operated in this way they're more expecting things like Ethernet serial over Ethernet or Modbus or DNP3 so sometimes when you hit them with the TCP/IP packet they die so you can't scan okay well if I can't scan what's my other option should I sniff

well sniffing's okay but mostly in communication for these devices is encrypted so it's hard to ascertain what the device is by sniffing traffic it's kind of like walking through a cocktail party where there's a hundred people and each of them speaks a different language that you don't know and as you walk through there you have to figure out what country they're from what their name is and what their birthday is it's it's sometimes you might be able to but probably you won't so scanning doesn't really work so there's a new breed of products out there I mentioned like Nozomi Armis Phosphorus these are xIoT security platforms and they're designed to do what's called intelligent discovery and they all work in a little

bit different way but the the idea behind it is they actually log on to these devices all these different devices and the way that they're designed to talk so it's like C-3PO right it was a diplomat he could speak like a million languages including water evaporators and binary so these platforms can go ahead and communicate with all these disparate systems OT and IoT extract information hey you're an HP printer model abc123 running firmware XYZ that we know has CVEs and it can pull out all that information now it moves on to the next one the next one the next one so that's a really good approach but remember think back to what we talked about initially don't do that

in a vacuum make sure that's part of your asset intelligence program so the same place where you're collecting all of your asset Intel all the information what's Malwarebytes running on what's CrowdStrike running on what's an Active Directory what SaaS tools which users Automox all that you're correlating all that information for your assets now pull in xIoT as well once you do that now you can actually start affecting change because we talked before about the security cameras and the people armed with a thumb drive and a paper clip to update those cameras no one's going to do it well these tools can actually do a few things the first one is manage credentials so PAM tools

things like HashiCorp Thycotic um CyberArk they're great at it management but they're not great at talking to xIoT devices they can but they can talk to xIoT platforms which talk to xIoT devices so now you can start enforcing password policies so instead of having 50 of your devices with default passwords you can actually rotate those passwords based on your policy every 90 days and the xIoT platform smart enough to say hey this device can only take a four digit numeric pin but this device can go 20 characters but for some reason not the letter L I mean we've seen all sorts of weird things so it pulls in this intelligence and you can actually

say okay this is this is what my password strength can be and now we're going to rotate it every 90 days so that's really a powerful tool so first off let's make sure it's got strong creds because Siemens says make sure you have a password capability and then add a password so number two let's upgrade the firmware again most of this firmware is six years old or its end of life it's filled with vulnerabilities so just like with the PAM tool these devices on these xIoT platforms Axonius Nozomi Phosphorus they can log on to these devices update the firmware do the patches across your 10 000 phones across your twenty thousand cameras across your naughty promiscuous

printers and they can bring everything up to date which is really nice and they can even do downgrades and there's some other features there but I'll let you guys check out some of those tools the next one is looking for environmental drift the second you update all your systems as we all know in this room wherever you started is probably broken again so you have to have this constant monitoring and a lot of these platforms work by re-logging into these devices on a daily basis and they say hey wait a tick you were on version five but now you're in version two of the firmware you have this awesome password through hashicorp but now it's set back to the

default password you weren't running telnet and FTP you were only running SSH but now you got all the clear text to open back up so you can look for drifts so you can manage by exception which means you can scale so if you have 50 000 devices you know these five devices change so that's really important and then the last piece these tools are great is isolating all the malicious nefarious devices that are illegal like those security cameras out of China wow Hikvision that you know are spying on you you know you've got in your network well how do you get rid of them they do a soft brick what that really means is they usually change

the default gateway on it so it can't actually get out on the network and then you can go around with a drill and bolt cutters and take them out wherever you need to take out and replace it with something that hopefully is not spying on you um so as we wrap up here it looks like we're we're almost at time um this is what I would suggest to all of you that are that are working with organizations that you think you might have some xIoT devices uh over the next week just make some inquiries like what are we doing for these devices is anybody managing our printers or cameras or door locks all these things just kind

of kind of get a state of where you are sadly most organizations don't really have any process related to this um if they do they're saying oh we're just going to stick everything behind a VLAN we know the passwords suck we know the firmware is filled with vulnerabilities we know it has all these issues but we're going to stick it behind a VLAN nothing against VLANs but you should really fix your stuff and not just stick it behind VLAN plus that's a very expensive and unscalable way to approach things with 50 000 devices it's kind of like I'm typing away I cut open my left hand it's bleeding everywhere and I should go to the doctor but

instead of going to the doctor I take my ham sandwich out of my backpack take the bag out put it on my hand wrap it up with duct tape sure I'm not getting blood in my right here on my keyboard but I still got a bloody hand in a sandwich bag it's pretty stupid right not saying VLANs are like that so the other things that I'll tell you in the next three months go ahead and try one of those tools Phosphorus Nozomi um Armis and see what's on your network see what the vulnerabilities are and then should you want to go that next level start integrating this those tools if you decide to purchase them into your

greater asset intelligence programs so you can actually manage these devices monitor these devices be proactive about mitigating the threats and going on from there if anybody wants to reach me here's my email Brian sevco.io here's my LinkedIn I know some of you are college students we have a pretty beefy internship program we're based all over the place I live in San Francisco we've got people in Austin people all over the country so go ahead and hit me up on the email and I'm more than happy to point you to our HR folks and I think we are we out of time we're at time thanks everybody [Applause] [Music]
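The environmental-drift check the speaker describes in the mitigation part of the talk (firmware rolled back, credentials reset to default, telnet and FTP reopened, manage by exception) as an added Python example; this is not code from the talk or from any of the named platforms, and the device records, service names and version strings are constructed.

```python
"""Drift detection between two xIoT inventory snapshots (constructed example)."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Tuple

# Cleartext management services that should stay closed once a device has
# been hardened (assumed list, chosen from the services named in the talk).
CLEARTEXT_SERVICES = frozenset({"telnet", "ftp", "tftp"})


@dataclass(frozen=True)
class DeviceState:
    """What a discovery platform records after logging on to one device."""
    device_id: str
    model: str
    firmware: str             # dotted version string, e.g. "5.4.1"
    default_creds: bool       # still answering to the factory password?
    services: FrozenSet[str]  # listening management services


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '5.4.1' into (5, 4, 1) so versions compare numerically, not as text."""
    parts = []
    for piece in text.split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def detect_drift(baseline: Dict[str, DeviceState],
                 current: Dict[str, DeviceState]) -> Dict[str, List[str]]:
    """Compare today's snapshot with the known-good baseline.

    Only devices that changed are returned, so a fleet of 50 000 devices
    yields a short list to act on (manage by exception).
    """
    findings: Dict[str, List[str]] = {}
    for dev_id, base in baseline.items():
        now = current.get(dev_id)
        if now is None:
            findings[dev_id] = ["device missing from current snapshot"]
            continue
        issues: List[str] = []
        if parse_version(now.firmware) < parse_version(base.firmware):
            issues.append(f"firmware downgraded {base.firmware} -> {now.firmware}")
        elif now.firmware != base.firmware:
            issues.append(f"firmware changed {base.firmware} -> {now.firmware}")
        if now.default_creds and not base.default_creds:
            issues.append("credentials reverted to factory default")
        reopened = (now.services - base.services) & CLEARTEXT_SERVICES
        if reopened:
            issues.append("cleartext services opened: " + ", ".join(sorted(reopened)))
        if issues:
            findings[dev_id] = issues
    for dev_id in current.keys() - baseline.keys():
        findings[dev_id] = ["new device not in baseline"]
    return findings


# Constructed sample snapshots; device ids, models and versions are made up.
BASELINE = {
    "cam-01": DeviceState("cam-01", "camera", "5.4.1", False, frozenset({"ssh", "https"})),
    "plc-07": DeviceState("plc-07", "plc", "2.8.0", False, frozenset({"https"})),
    "prn-12": DeviceState("prn-12", "printer", "3.1.0", False, frozenset({"https"})),
}
TODAY = {
    "cam-01": DeviceState("cam-01", "camera", "2.0.0", True,
                          frozenset({"ssh", "https", "telnet", "ftp"})),
    "plc-07": DeviceState("plc-07", "plc", "2.8.0", False, frozenset({"https"})),
    "cam-99": DeviceState("cam-99", "camera", "1.0.0", True, frozenset({"telnet"})),
}

if __name__ == "__main__":
    for dev, issues in sorted(detect_drift(BASELINE, TODAY).items()):
        print(dev, "->", "; ".join(issues))
```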