Tomb Raiders pilfering of critical data from the graves of our decommissioned IoT tech - Deral H.

BSides Peru | 44:47 | Published 2022-09

thanks a lot today for coming from my presentation uh tomb raiders the pilfering of critical data from the graves of decommissioned iot technology so we're going to take this a little farther and we're not going to get into this crazy what's the definition of iot so i want you to look at this this is going to apply to embedded technology for the most part so embedded technology that are used by consumers used by medical industrial transportation whatever the case may be we're dealing with embedded technology technology that typically doesn't have a monitor on it or a keyboard those type of things and the potential risk and threats around that so a little more information about me

i'm deral heiland i work at rapid7 i have listed up here as a principal security researcher for iot i'm actually the manager of the research team for ot and iot but it's a very technical role i do as much research as the guys that actually work with me or work for me i've been in information technology for 30 years i've been in the information security field for 20 years and the last five years has been 100% focused on research on iot ot and embedded based technology so we're going to talk about a lot of this is going to dive into you know what do we need to do with this tech because as the screen says

you're not going to have to eventually de-acquisition sooner or later it's going to die or it's going to be replaced with newer technology and historically we've been kind of trained eventually that when we deal with desktops laptop servers we finally got to the point where we don't sell our hard drives on ebay anymore we know from all the news stories and stuff out there that we don't do that the problem is is embedded technology can store quite a bit of data some of these embedded devices have multi-gig storage on them that can contain an infinite number of data and some of the critical data we're specifically going to talk about today so we start thinking about the

acquisition of the things what technology in your environment or in your home would fall into this category i think of a network appliances medical device technology industrial devices i also consider printers in this category smart tvs smart lighting and this is just a small list that goes on and on and on in this new automated world we live in all of this technology is in our homes in our hospitals in our plants in our manufacturing environments our business environments and we have to get rid of it sooner or later and we need to start thinking about that now because what i found out there is we're obviously not thinking about that and we'll talk about those specifically

so then we get into well we have to de-acquisition how do we do it there's so many different ways of doing this do we resell it that's a viable option sometimes companies want to retain some of the capital expenditures that go into some of this technology at home consumers do the same thing they have devices they're done with it hey let's sell it on ebay i may only get 10 cents on the dollar from what i paid for but that's better than nothing disposal services there's a number of those out there and as more and more states spin up required laws of disposing of electronic trash properly instead of just throwing in a dump somewhere you get disposal services

that are available and i think those are important something critical to think about recycling recycling takes a number of different things hey can we feed it through a grinder which i like that idea and recycle it for the metal the plastic the gold the silver whatever is in it that's pretty good we can donate it as another option that's kind of like the whole recycling thing i've seen companies give their stuff away to recycle it for other companies to reuse or other organizations or non-profits to reuse we also have to deal with the whole idea of leased equipment so you go out there and you lease all this equipment as example all your printers or whatever the tech may you

lease this technology it comes into your environment after so many impressions on the printer it goes back out the door have you ever thought about what's going back out the door so the picture in the middle there that actually shows all the printers i couldn't find the one i originally took so a number of years i did a lot of research on multi-function printer attacks for pen testers wrote a bunch of tools did a bunch of presentations and stuff like that and i was working on an exploit that i had developed on xerox multi-function printers where you could actually gain root level access to these things by sending a print job to them and i needed to develop a metasploit

module so it's kind of hard to really do that when you're trying to hack away at a printer that sits in your office people don't like that crap so i wound up buying one and you can go up to these places that recycle these things and resell them and you can pick them up fairly cheap i think i paid 500 for a printer that three years before sold for 12,000 the warehouse i went into i could have swore the freaking printers went so far you could see them disappear over the horizon this building was that big was in columbus ohio and i got into the conversation with them about various attacks on these devices and harvesting

data off and the guys were kind of interested so i was testing the devices to see if they're the right versions and vulnerable and i showed this thing to him he's like wow you just pull data off that thing that's not supposed to be on that printer everything that comes back to me under contractual agreement from the resellers that are disposing of it that those are supposed to be wiped so we did a random check we just picked 12 printers went around and i checked every one of them over a half of them i was actually able to pull active directory creds off the device i was able to identify where it came from and the active directory credentials on

that particular device so then i asked them the question do you wipe these things he's like no we pack them and we ship them i said where do you ship them we ship them to asia so really really let that sink in so if we take this warehouse that had 10,000 printers in it and let's say only 10% of them still had creds on it and print jobs and data and critical information that's a thousand machines from who knows how many different companies of critical data that could be used to compromise those organizations being shipped to asia so then it makes me start wondering why does asia want all of these old printers that are basically wore out things have like

a million impressions in them half of them don't even work right i don't know but it makes you think about that so moving on what is the risk well we've talked about one dealing with the printers but lots of critical data i have a couple news stories i thought this one was oh so freaking fascinating so this was two years ago i think two years what was it uh 20 uh 2020 two years ago news article came out and it dealt with police body cams so one of the cities i don't remember where it was decided they needed to upgrade their police body cams they gathered them all up bought new ones sold them all on ebay

every one of them still had police footage on it they'd never been wiped this was data of police you know everything from arresting people to showing up to homes where people were fighting and trying to solve that but it was probably thousands of hours of footage private footage in my opinion that probably shouldn't be out there being sold on ebay for the highest bidder and it was pretty cheap was a good example another one this was a great article think about selling an echo dot and this this goes home to the individual consumers and this was done by uh one of the user universities on phd team i think it was western i don't have that information in my head right

now i apologize but they did a bunch of tests and they did this on echo ones echo twos various versions of those the interesting thing i had done this exact same test but i'd only done it on version two of the echo i think it was they did it on all three of them it was is data still on these devices and it was a large percentage of these devices that they got still had consumer data on it which is basically amazon passwords so you you buy these and you can actually pull people's amazon passwords off and if you know anything about that you can often make purchases on that data which is pretty critical the cool thing about

this when you start dealing with the embedded multimedia controllers that exist on these devices they have a thing called level wearing level wearing is every time something is changed or altered on that device it doesn't overwrite the same location with the same data or modified data it writes it to another location on the chips uh silicon another place and then wipes that out and that is to maintain the chip to last for a long period of time keep writing in the same place you start having failures in the device and level wearing solves that problem so one of the tests they ran and then i think it was only on device level three like when you flush one of these devices

you do a factory reset which you should do that means you keep it online you go on the amazon and you decommission the device it will wipe the device so when it wipes the device it's not immediately it basically tags it and then waits for a watchdog process to kick in to wipe that data version one and two of the device and i even tested this prior to this paper coming out successfully wipe that that means if you do a factory reset through the amazon application it removes the data but apparently device number three the latency between the what you overriding it and the watchdog kicking off to actually carry this out was long enough that if you do

the clear on the amazon and walk over and unplug it it will not wipe your data so and the reason why i tell you that is you have these devices and you do a factory reset leave it online for a little time i don't know what that time is but leave it online for 30 more minutes before you unplug it and then the data will probably be cleaned up by the watchdog process when it does its level wearing on the device so it's something to think about as consumers when you get ready to get rid of any device kind of think about that you do a factory reset give it a little bit of time let things

process don't go factory reset and then pull the plug immediately give a chance for the internal operating systems to hopefully clear off the data and i've tested a lot of devices as iot research for factory resets to see does that work and most of them do it's a rare occasion you'll have one that will not delete the data it just tells you it's deleted but for the most part it's always deleted this here another example i do a lot of work with the iot village at defcon i run hands-on exercises out there which we're going to be doing again this year where you get to actually hack on a piece of hardware and pull critical data out or interact with the

operating system uh to modify things and get root level access on it so these were devices i bought these luma which are mesh wi-fi devices i think i bought like 20 of these they come in kits of three on ebay i'm just buying them left and right because i needed all these for the lab so when i got them home i started looking at them i found out over half of them had never been factory reset so for a consumer the threat is fairly minimal it's there but it's minimal but it turned out that a number of these were not used by consumers they were used by small businesses so i was able to get the business names

the accounts the wi-fi pre-shared keys all that critical information and if you know anything about anyone who decides they're going to change a wi-fi access point out in your organization you don't always change the passwords pre-shared keys and all that stuff usually use the same ssids the same pre-shared keys that way you know if you have 100 users on your network you don't have to screw around changing all the workstations as a prime example so again another example of data just being out there and it kind of goes on and on so when you think about pulling the data off there's a number of ways to get data off these devices if i'm just after the data on the

devices i'm not going to worry about things like jtag and all this fancy stuff i'm going to throw the damn thing in a reflow oven and just rip the chip off and drop it into a reader pull all the information i can do that in a fraction of the time of getting that stuff off and here's some example of devices pulling chips it's easy it's simple this is not complex you can buy that reader on the on the right there for 130 bucks you can buy hot air or reflow system for another 130 bucks so for basically 270 bucks you could buy stuff off ebay and strip critical data out of it for less than three hundred dollars

very low entry point to compromising critical data so uh this one was interesting so i did some stuff with light bulbs i like bought crap little light bulbs and said hey you know what kind of data's on it can i get pre-shared keys off of it is it easy i only focus on the ones that were easy i mean the data's there period simple as that but how complex did they did they obfuscate it in some way did they encrypt it in some way obviously if they encrypted it the freaking keys are there too so just a matter of hunting and pecking to find that type of stuff so i focus on the ones that were easily compromised we

built these into exercises where we demoed this at rsa we were talking about from trash to treasure things you throw in the trash well last year defcon doing the iot thing i get a lot of people come up to me afterwards start talking about iot stuff so i had a gentleman come up to me and he's like you know he goes uh i have these smart bulbs and i'm like well what kind of smart bulbs are they enterprise or are they these type of bulbs he's like these we have a lot of small offices where there's like three or four people in an office and we don't have you know we just have regular incandescent style

light bulbs or smart bulbs simple ones you screw in he goes man i struggle with the problem with these things failing on me all the time and trying to manage that so we kind of addressed the whole management thing of it you know how do you how do you manage those and tell when they're out and when they're on and all that type of stuff the leds on these burn out the power supplies on these things blow out when these things die and no longer produce light if you plug them into a network nine times out of ten they're still on the network that means they're still fully functional that just the led functionings fail

and even if everything fails on this thing i assure you the data stored on the flash memory is not going to fail and most of these are fairly easy most of them just have the white block there happens to just be a wi-fi chip like an espressif or something like that there's dozens of different manufacturers out there so in this particular case we just pull that chip off we mount it on a test board over there we hook four wires to it put the thing into debug mode and use a simple application to pull the firmware off of it search through the firmware there and we're quickly able to find the ssid and if i know what the ssid is on the

bulb or what it's broadcasting or attempting to connect to it's easy to search with it because 99 out of 100 times it's usually within about five lines of that it's going to be the pre-shared key in some form uh and it's it and they're obviously defined and this was the case we find the pre-shared key it happens to be the whole thing converted into hex so we just run it through and convert it back and we can see it right there that's the pre-shared key on these particular devices so i actually showed all this to him because i had this there so i showed him how it all worked how easy it was to get

the data oh the poor guy about crapped his pants he's like man i've been throwing those in the trash left and right uh i don't know i don't really get into dumpster diving but hey man if you guys want to start dumpster diving behind that uh local business you might be surprised what you find smart bulbs contain data kind of interesting data and this is so simple to actually interact with these uh ssid or these wi-fi chip devices manufacturers have all the data out there and they often have a short programming code that's available where you can actually interact with it to pull various data off the device and interact with the device in a number of different

ways some of these are kind of interesting so if you get these these wi-fi chips espressif for example and you'll find these in certain small end devices that'll actually spin up their own access points so if you think of you think of a system that is kind of a closed system solution for example like an alarm system on your house where all the pieces communicate over wi-fi to each other it often has its own wi-fi ssid structure that it connects back to in that in that environment when you use the default on the espressifs you can actually connect into the device and send an at command to it and say hey what is your wi-fi pre-shared key it'll

give it to you in clear text as an example so you don't even have to hack at it just ask it the right things and it'll tell you if it's used as an access point another in a simple easy way to get data off of it i did this one just recently so air links it's an industrial wireless lan access point and i've bought a couple of these over the years just out of curiosity but recently i've been doing this particular presentation uh at a couple places in the last year so i just recently went and bought one of these things this airlinks they're old which is what you do you know they're industrial access points

people use them for a while and it's like hey things getting to be six seven eight years old time to update it hey let's make some money sell it on ebay deral buys it on ebay i bring the thing home and i fire it up look it's still broadcasting its factory ssid probably not a good thing i kind of fuzzed it out there a little bit but you could probably find it with that much information so the thing is you can go to wigle you go okay let's see if that ssid is out there which i've done this so every time i get a device and i steal the ssid and pre-shared keys out of curiosity i look it up on wigle

and go hey can i identify where this is located at in this case i was i was able to identify it and actually find the machine the one that actually replaced it because they used the same ssid on this device so how many paychecks you want to bet me that it's the same password now obviously i can't check that that is a crime but but i can almost bet my life on it that it's that way and i've done this test on a lot of technology that is commercial level not consumer some that i can't talk about yet because it's still issues that have to be dealt with where i've done this and have been able

to get the ssid and the pre-shared keys for upwards of five to eight major organizations that's scary that means we're not decommissioning technology correctly because we forget these are no different than a hard drive they may be smaller they may not spin around and make noise but i assure you they contain just as much critically dangerous data on those devices now i don't encourage you to go out and do this and then try to use the data again like i said that is a crime and it's all about security not insecurity thus why i'm speaking here i'm hoping everyone will go home and to your business your organization and have that discussion what does this mean to your organization

what do we do with these devices how do we handle these things you know do we have contractual agreements with companies that are we're licensing devices from or are we just letting them take them away and sell them as scrap with all your data on it something to think about so what next how do we mitigate these issues there's no perfect answer here because this is fairly new and it's an area very few organizations have really given much thought so the first steps awareness here we are we're all aware now deral's buying our off ebay but i'm the good guy so you don't have to worry about that uh so i say go back have those

conversations develop plans one of the biggest problem with embedded technologies in our in our businesses is there's literally no ownership they're plug and play you stick them in the environment nobody pays any attention to them ever again they're shadow devices so if they come in as shadow devices they're going to go out as shadow devices with your data so start thinking about that start developing ownership within your organization on iot and embedded based technology who owns it who's responsible build a plan on de-acquisition of technology so you're sure that hey we're doing what's best for our organization we know that we've done the factory reset and we're comfortable that it's been wiped or we've contracted somebody else to do

that or we feed the thing into a giant metal shredder and shred it into dust actually nothing leaves my lab with a other than stuff that i give the co-workers to do hacking on and stuff like that nothing will go out in disposable electronic trash out of my house with an actual flash memory chip on it i literally remove them all and usually smash them or crush them now most of us as consumers that's kind of ridiculous to expect that and i don't because you end up wasting half a day probably cut your fingers off trying to open some of these boxes sometimes and then you have to figure out which is the memory chip and how the hell do i

get it off the board to smash it or what do i do and then if you ain't wearing safety glasses oh gosh i can only imagine the damage you could do to yourself so i don't recommend that but that doesn't mean as a commercial organization a business you can't come up with a solution ensures the data is not going out and they'll build a plan for execution how are we going to execute that and make sure that moving forward problem actually gets solved so the planning and execution again reiterate governance create policies and ownership of this technology build that ownership as it enters the door don't wait until you have to get rid of it

because on another subject i've been doing embedded devices for quite a few years i was a pen tester for almost a decade guess what my area of expertise was attacking all your embedded devices on your network to harvest data or use those devices to carry out attacks as red team operations so your security operations centers running around in circles wondering why that xerox printer just carried out an attack against your active directory and you don't know where it's coming from you think it's the printer so ownership of that technology as it's coming in the door will also help with decommissioning of the technology ensuring that you don't have any problems so how would

this process look like like i mentioned before wipe the device can we wipe it can we clean it are we confident that it's been cleaned hey if your organization and you have like 10 000 embedded devices spread all over the place and you want to know whether the the factory reset worked or not contact a company that does iot testing and say hey pull this see if the factory reset's actually working at least confirm it i can't expect that to cost you much money it's going to take quite a few hours worth of work for anyone that knows what they're doing to be able to validate whether a factory reset actually removes the data or not

destruction feed it into a shredder set it on i don't know get rid of it make it go away and when it goes away it goes away in pieces and dust never assume that if you smash it with a hammer that you successfully smash the flash memory chip if that chip is physically intact in any way shape or form the data can be pulled off it fairly easy change accounts and passwords so i worked at a fortune 500 company in security for a number of years for threat and vulnerability so i was kind of like giving them this awareness over a decade 15 years ago and we often would change out our wi-fi access a lot of times when we did that we're

also upgrading the overall security model that we're using whether as wpa wpa enterprise whatever the case was we're always up in the up in that and every time we did we stood it up separately the old systems in place stood it up separately sent the appropriate keys and structures to the workstations and laptops that needed to access this once they all switched over to the new system which was different accounts different passwords different ssids then we were able to tear down the old system to me that is the smartest way to go less likely this and then if you do screw it up they get accounts that are actually worthless and we had done that a couple times in a

fortune 500 company but if you're not changing the security model often it's easy to pull it out put a new one in same ssid same keys so be careful about that so electronic waste disposal i think this is critical we have literally too much electronic waste going into trash cans and garbage the sad part is there's currently no federal law guidelines it says this is how it's going to be disposed of the eu uk on the other hand very defined regulations and laws of disposing technology various states have different regulations and guidelines around this and of course since i'm in pittsburgh pennsylvania electronic waste disposal so they do have government guidelines on how that should

be done for device recycling or disposing of those if you're a large organization and have the resources to handle some of this cleanup stuff yourself pretty good if if you don't then you're going to contract this out to somebody and again i recommend if you're contracting out disposal don't give them the opportunity to just walk out the door with your data and sell it somewhere make sure it's properly disposed of and properly disposed of legally if it's going to go somewhere so it doesn't end up in some landfill inappropriately and of course pittsburgh has its electronic waste disposal this is kind of interesting i advise taking a look at these things if you as an organization go

i've never seen these before more than likely you are now in violation of pennsylvania state law and you're doing it incorrectly so make sure it happens because remember and i worked at a fortune 500 company and they were paranoid like crazy that they were going to get sued so all electronic stuff never actually went to an employee if they were getting rid of it and go out to an employee it actually went through a disposal service and was fed into a shredder and then when disposed of through proper means but with that said make sure the people you're hiring are doing it right too because if they take stuff say they're going to shred it

ends up on ebay and then that device ends up somewhere it shouldn't be often especially if it's a high brand name product or something serial numbers and it was acquired certain ways that is traceable right back to your company and that's why my fortune 500 company never let anyone have anything because they were scared that if they gave somebody some laptop after it was all done or some kind of device that would end up in some landfill and get traced back to them so you need to take that stuff into consideration and i'm actually running a little fast today than i normally do on this so i think everyone should have some questions for me so we have any

questions here come on someone's got to have a question yes sir

uh it's been a while uh i played around with zigbee and some z-wave stuff like three years ago uh unfortunately i don't i when you get into certain aspects of commercial stuff you see that so you start seeing variations that like uh um or back then when i was playing around i was seeing a lot of that stuff show up or variations of that protocol in electronic meters and stuff like that i see a lot more of that being tilted over to cellular based communication for backhaul and stuff like that so it's an interesting field we do uh we do run assessment work for companies our pen test teams do that for iot type stuff and every

once in a while we'll get somebody comes in has a zigbee or z-wave device the old stuff was terrible at least they've improved a lot of the security uh with the uh the zigbee the old the old zigbee like the consumer-grade zigbee and i'm sure they've fixed it now i haven't looked at it but back in years past when you keyed it up it would actually use the same encryption key and then never change it so all you would have to do is get the encryption key which i think was published on the internet for that encryption so at that point game over none of your zigbee stuff was secure but as they get into more outside

the consumer grade zigbee and you get into different protocols they have different key rotation capabilities and stuff like that so it's it's much better from that standpoint but no different if your disposal of a device is still configured somebody wants to pull that data off there uh it could be critical now i have not tried that because wi-fi stuff's so prevalent and so easy to get data off of it but like any of that type of stuff whether it's bluetooth any type of wireless communication if you don't factory reset remove your keys remove various things it's going to go out the door containing that data and that should be considered also yes ma'am medical medical devices i don't want to

go into a whole lot of medical devices because yeah there's issues okay so i actually have a research report on that coming out later this year on medical based technology in this subject matter which i think people will find quite interesting and um

well that's dangerous

yeah i i have a yeah yeah i have a but this is near field so and you know you get to find out where my sugar levels are at the moment so but yes

okay so uh so i know a friend of mine jay radcliffe a number of people here may know him he's done a lot of security research on medical devices it was about five years ago he released a whole uh uh research on an actual insulin pump where he was actually able to decode all the communications and it had the ability to actually uh change that data and cause an insulin pump to yeah yeah yeah he worked he worked at rapid7 when he released that paper but it was work he had done before he came over he just hadn't got around to releasing it and literally you could kill somebody with that so so the the the logic for doing it is is to

improve security so so i so think about it when you deal with these types to kill somebody yeah yeah if i if i know not maybe not random i mean i mean think about it if you remember back um oh gosh the vice president uh under bush cheney yeah he had a pacemaker and if you remember they came out with a bunch of stuff on the pacemakers and they went in and modified his pacemaker specifically so think about it you have someone in a position of authority a government leader in some fashion that happens to be a diabetic and i assure you there's probably plenty of them out there you could kill them which is scary which is scary

randomly killing people yeah we already have enough of that so but to be able to kill people with this it's a little more complex you have to think it around think it through much more as an attack vector to be able to do that to cost somebody their life it i would expect you know a nation state as an example would really want to be able to do that against another leader of another country country or one of his political opponents or something like that there could be people wanting to do that in some some of these countries so i think it's a real threat so it's a good thing we have researchers i'm a big fan of

researchers working with a medical companies to identify and solve these people these issues i think that's pretty good so any other questions yes sir

you speak up a little bit

um yeah so there's a number of chip readers out there um then they're fairly cheap they're like i said about 135 dollars for a chip reader that'll cover like eight nine thousand ten thousand different chips out there the sockets that go in those when you start getting into ball grid array chips could be 40 50 bucks out of out of china and i buy a lot of those and the ability to heat the board up or something to desolder it often those boards are small enough you could throw them into a hot air reflow oven i think the one i have i paid 150 bucks for it out of a chinese product inexpensive right there's all you need

maybe some some stuff to clean some of the solder off of it some alcohol swabs you know things like that maybe a soldering iron and some solder wick you know so i i say less than 300 you could go out there and do that you could easily look at blogs that i've posted online and you'll probably see various aspects of tools there from a from an iot research lab i did a presentation not last year but the year before a iot presentation online specifically on uh building out a lab so it was it was i did the whole demo in my lab with cameras set up all around so we looked at all the different hardware

and stuff about what i could do with it how it worked what i used it for things like that so some good data out there for being able to get started if you're interested in doing this well if you're interested in iot research not if you're interested in getting other people's creds i don't encourage that any other questions yes sir

yes most most of the time they are most of the organizations when i see a real vulnerability uh that's a true vulnerability the fact that data is stored on these devices unencrypted i think if you contact them like most of the light bulbs that i see now the data is actually encrypted or encoded or obfuscated in some fashion it is in clear text which is a good thing but some of them that's not the case uh i haven't looked at the version three of the amazon echoes but the ver previous versions you just you pull it it's kind of crazy so you have you have chips on them called embedded multimedia controllers they're typically uh i think with those they're called

embedded multi-chip packages so they contain ram and flash on one chip so you have to have an oven to remove those those have on the underside of they have 201 quarter millimeter pads that balls go on to put it on that but you can buy these readers uh you get a cheap one for like 90 but another one for uh 135 bucks and what you do is you clean the chip up you drop it in you close the lid you plug it into usb and it mounts up like an sd drive so literally so this year this this year this year uh as a a pump for iot village at defcon our hands on exercise this year we're

actually looking at cable modems where we've actually wired in a sd card breakout board to an embedded multi-chip or a embedded multimedia controller chip so you can just plug the actual cable modem into your sd card slot and actually mount all of the flash memory up just like a hard drive and from there pull data alter it put it back on to gain root level access that's what the demo is going to be so

i don't think to hurt himself i mean i encourage people to go out and learn how embedded technology works it's how we that's how we get better at securing things is people to have an interest and learn how to do it you know before i was before i was doing this as my full-time job i was doing this research and speaking at conferences and publishing research 15 almost 20 years ago i started doing this on my own so it wasn't sanctioned by any company and as a professional advance in my career if you want to go out there and get this stuff and do it illegally you're going to do it anything i'm saying you could find pieces and parts

of this if not incomplete in various fashions online if you're going to do bad things me teaching you technology isn't going to make you any more dangerous you're already dangerous you're a criminal but

i don't i don't necessarily believe uh 100 that's the case i see more and more vendors focusing on literally full disk encryption on chips so we encounter that more and more and more you know and you're seeing devices that use tpms so encryption models hardware-based encryption i mean the cost goes up and that's what you have to take into consideration but if it's a high-end product a commercial level product and you want to be able to get out there and claim you have some level of security which puts you a notch above everyone else then obviously you want to spend that little extra and you're just going to pass it on to to the consumer so seeing

full full flash of full memory encryption is kind of cool uh without a tpm though if the device doesn't have a tpm or a sam chip on it for handling hard hardware-based encryption the keys are on there somewhere you know there's ways to hide those keys pretty safe but not they're never completely safe you know there's all kinds of crazy side channel attacks to get access to pieces of memory that you're not supposed to then but but you work you raise the cost you raise the amount of effort you raise the amount of cost so somebody can't just take a device get all the data off of it they have to go through and figure

out what the encryption keys are encryption keys are held in a section of flash that that is locked down and prevented access the only way to do that is some kind of side channel attacks on the on the chips to be able to pull data off and things like that things are getting better you know it isn't like we have the status quo of nothing getting better i i see it and working with vendors on stuff like this and vulnerabilities and issues you know 10 years 15 20 years ago you know i dealt with vendors that didn't want to talk to me and and were always kind of problematic in nature and would take forever to fix

things i would never just up and publish the data saying screw you and publish the data because i was running security for a large organization why would i want to make my life harder so i would just be patient and set on that unfortunately a lot of people just published that data back in when a vendor go ah screw you they would just publish it that's not the case it's pretty rare the only time i've ran into that issue is when i'm dealing with products that are like white labeled coming out of other countries where once they produce a million of these things they disappear or they don't care because they're producing something else those are the only

organizations i've ever contacted and they're like we don't care most u.s companies branded devices care about their security because failure within security is a black mark on them and they want to make sure that they're doing everything and they'll work with the work with researchers that actually care to do it properly to get their problems fixed which is nice i think i'm probably out of time okay any more questions these questions are good i like this no more questions okay well i hope you enjoyed this i hope you enjoyed the question section with some good stuff thank you for coming i appreciate it [Applause]