
BSides DC would like to thank all of our sponsors, and a special thank you to all of our speakers, volunteers, and organizers.

Yeah, once you see my background you're gonna be like, what the [ __ ] went wrong there? How do you end up like this? Maybe I'll turn this into a career, talking: this is like what not to do. So the name of the talk is No IOUs with IoT. Who came here expecting the traditional DEF CON presentation of "I'm about to drop some 0-day on some IoT"? Anybody? Kind of? Why kind of? Because I don't look like I'm technically competent? What's that? Walked in here? Maybe he's honest. I like heckling, so good job, but I won't fire back.

IoT is not hard. If you want to feel like one of those leet rock stars that you see on Twitter, on YouTube, dropping 0-day, go do it with IoT. You can literally look at this stuff and it'll fall over; it's that bad. So we're not going to do that. All right, so just in terms of expectation management, both clearly my technical capabilities and mental faculties are apparent, as, what's your name by the way? As Josh rightly pointed out. So we're not gonna do that.

So, this is me. I founded GRIMM. I co-founded the ICS Village. Who knows the ICS Village? Who's done any of our CTFs? Really? How'd you do? It was pretty good. The Neighborhood? Oh, Howdy Neighbor. So Howdy Neighbor is actually a GRIMM exhibit that we built, but it's a part of the ICS Village CTF, Hack the Planet, right? So we've done that. We've been at DEF CON now for, I don't know, lost count, six, seven years. We are at multiple conferences, the ICS Village. John, thanks man. We are a 501(c)(3) nonprofit. We even have our own conference. Has anyone ever heard of Hack the Capital? You're the only person I haven't met that has apparently been to my conference, I guess. Hi, Bryson. Derek? Derek, nice to meet you. Oh, you know Monty. Monty is a better speaker than I am. Hack the Capital is, we bring to the nonprofit mission: we do education and awareness on critical infrastructure, and it occurred to us, since I'm locally based, wow, it's like the US government is based here, and they're incompetent and they don't know things; maybe we should try to give them some education on critical infrastructure. So we created our own conference called Hack the Capital. It's annually in May. We're hosted inside the Ronald Reagan Building, so we're actually on federal government space, and we do a lot of stuff, but we bring members of Congress, we bring congressional staffers, we bring think tanks. So it's essentially their chance to meet with the technical community to learn how to do their [ __ ] jobs. So please come to that conference if you're interested. It's free; our nonprofit pays for everything.

And then last year I launched a company called SCYTHE, so that's now my full-time job. I'm now a commercial software vendor, [ __ ], and this is what I do for a living. On top of that I'm a fellow at the National Security Institute and on the board of advisers for the Army Cyber Institute.

All right, so we're going to be talking through what IoT is, the landscape, types. We're gonna do a demonstration. If you saw the preface for this, I'm going to provide you with the take-home lab, so what I'm going to demonstrate here today you can go and do in the comfort of your own home. I'm going to emphasize it here and I'll emphasize it again later in the talk: what you do in the comfort of your own home, not in anybody else's home.
I like a collaborative style. I think that I am NOT the smartest person in the room, or the world, clearly, and together we can all be smarter. If you have questions, if you have comments, if you want to be like Josh and try to heckle, you can do that. And I'm a former Army officer, so my approach to things is you can voluntarily do things or I will volunteer you. Lack of eye contact or eye contact will have the same results for you, so there's nowhere to hide as long as you're in this room. Sean's laughing because he's seen this before.

All right, Consumer Electronics Show last year. Anybody heard of the Consumer Electronics Show? Yes. This is where the industry around the world gets together: two hundred thousand people descend on Las Vegas and all pitch to each other all the wonderful ways that they're all gonna send us to hell in a handbasket security-wise. I mean, sell you things you want. So I went around with Rob Pegoraro, who at the time was writing for Yahoo Finance, and what we did is we went to different vendors that struck our interest, and of course the setup is bringing what looks like a security expert to one of these vendors and starting to ask them security questions. How do you think that went? Like I said, it was a setup. Mostly it would be a salesperson blinking furiously, like, wait, you're not trying to, like, buy? I don't understand. And then usually a manager would come over and, like, handle me away.

My favorite vendor though is the ShadeCraft umbrella. Who has heard of the ShadeCraft umbrella before? You have? Really? Go around, you, around here, tell us what you know. It moves? It moves. It does. Wait, I ran all the way over here for that? That's all you got? You got something else, right? That's not, like... It does? It does. You think it blocks the shade, at least? It tries. It tries. What's your name? Jim. That was very disappointing, but you all saw that. Well, I'm not on keto, clearly, and that's as far as my aerobic capability lasts. If I'm gonna have to do that, this thing's hot, this is fleece; if I'm gonna run I'd want a little better. Okay, you now know the standard. Jim, you've set the standard. That's the bottom. I'm the demonstration of the body: you just kind of, like, little, you could trip over it.

The ShadeCraft umbrella talks pretty much every communication protocol you can imagine. It does move; it's solar-powered, because there's a battery in the base, and it follows the sun. It can do everything but your homework, pretty much. So the first question is: how much do you think it costs? Too much. Well, of course the answer's too much. See, I don't mind being disappointed because I didn't have to run over here for that answer. Can you put a number to "too much," sir, or are there things I can sell you? Five thousand or something? Five thousand or something, okay. What do you think? Too high, too low? Too high? Too low? Keep going. You're drinking Starbucks; you like overpaying for things. Twenty-five hundred? No, we're going the other way. You also don't listen, because I said five thousand was too low. Go up. What, 3,500? No, above five thousand, right. Oh, did you say 7,500? I'm in [ __ ]. Okay, to be fair, I got in from South Dakota after midnight last night, but I apologize. You are correct, mea culpa. Not 7,500, still too low, but I'm an idiot. Eight grand? So it was just under, over that; it was like eighty-seven hundred, nine thousand dollars. So the first question is, who wants the nine-thousand-dollar umbrella? Rich folks. Who said that? Oh, see, that was a good answer. Excuse me, coming through, watch the tail, watch the tail. Boom. Fist bump, that was awesome. Oh, it's easier to go around that way, sort of.

So the demographic: like I told you, if I talked to salespeople I would find the manager come over to handle me. I was lucky that I met a Silicon Valley CEO who happened to be there with ShadeCraft. She informs me that she was buying ten for her vineyard. I'm not making that up; that's not a punchline, that's actually what she told me. They of course had zero concept of security, and this was the best example not only of an overpriced product but
one that was rife with all sorts of opportunities to do something with.

If you can have one takeaway on security: the more you have in code or function means exponentially greater surface area for compromise. Do we know what surface area is? What's surface area? You're on your computer, what are you doing? I'm taking copious notes. Actually I'm looking at my calendar. Oh hey, that's... Oh yeah, no, I took a note to attend that conference that you mentioned. Surface area is the opportunity to exploit something. Okay, yeah. So surface area is what establishes access, right? I can't do something unless I can touch it. Hackers are not omniscient and omnipotent; I can't hack it if I can't find some way to interact with it. Surface area is that technical purchase where I'm able to go get into the code, get onto the machine, and do something that I want.

Two takeaways: if it can be internet-connected, if it can be internet-connected; if it can be voice-enabled. Why is voice enabling a problem? Now we know internet-connected; we just talked about, I can't hack what I can't touch. Why is voice enabling an issue? "Secretly..." Well, is it really secret? You're actually paying for it. You can order [ __ ], so yes, your kids can now, you know, reorder the dildo that you just got. But when we say "secretly record [ __ ]," what do we actually mean? It's not covert; you paid for it. You said, I like the fact I can ask Alexa to do something. Yes, so that's the problem, because it's always on. So it's always on, listening, but then where does it go? The cloud, right. So we're going to be covering shortly why IoT devices have to be cloud-connected and internet-connected, but now with voice enabling we have privacy concerns, because they're always on and we tend to forget that they're there, when we're, like, Monty's boss, or during sex toys, which by the way, sex toys are IoT. Vendor, man, yes. Whoa, is that Cassie? You can control them via Bluetooth. Yeah, and hack them, DDoSing. Now imagine some of you men in this room using what passes for some of those sex toys and you get ransomware. Yeah, it's funny, it's going to happen, and it won't be funny then. Think about it; think about what will happen. Like, yeah, yeah, I mean John Wayne Bobbitt through the internet. Yeah, I was like, that's... it was funny until it got dark. Don't go check what you have at home right away, okay? Stay for the rest of the talk.

It's dumb to be smart. Did you know that a smart TV now costs you less as a consumer to buy than a dumb TV? Why? Services. What about the services? They're spying on you. They're collecting data on your habits and they're monetizing you as the viewer, you as the consumer, being monetized by these devices. There is a phenomenal study, and now I'm being facetious, that came out from McKinsey in 2015, 60 pages, that they privately released to all the auto manufacturers saying here's how you can monetize drivers. Now, who's ever read an end-user license agreement, a EULA? Well, Sean, you do weird things for Ars Technica; that's technically the press, right? Okay, you do things that people don't normally do. I also do it, but it's unadvised when I do it. But go on.

If you haven't read the EULA when you buy something, you're giving them the permission to collect data on you, essentially, in many of these licenses. But that's in clear and plain and simple language on page one, right? No, it's usually buried around page 94. Yes, which is why none of the rest of us have ever read a EULA. I've asked that question at a conference of entirely lawyers; they were honest too. One hand went up. I'm like, oh, you're the person who writes those. So buried in that "I agree" click-through is where we are signing our privacy away. They're monetizing you as the consumer, but they're charging us because they're making money on you another way, right?
This is the lesson we as a society learned from Facebook, besides the next lesson we've learned from Facebook, besides the lesson we're currently learning from Facebook. Does anybody know Mark Zuckerberg? Can we, like, just have a talk with him? No, like, really, he's harming all of us. Bad. What, you know people who work for him? So, you know, what if I asked again? No. Worth a shot. His eyes said yes, though his mouth said no.

All right, so who has IoT devices? If you're not raising your hand, you're just choosing not to participate. Yes, that's you, thank you. So we all have them. Now here's the question. Suchi, how many IoT devices do you have? One? That is a lie. We don't tend to know. Even how many I have: we're all aware of the problem of asset discovery in enterprise because we talk about that all the time. We have the same problem as consumers: we don't know how many devices are in our homes. I really don't know. Even I've never really kept count of it; it's just sort of there, and you kind of think about them, and occasionally it tells me to patch it or not. We'll be covering that later.

So IoT versus IoT, I mean, excuse me, IT versus IoT. So now we're talking about the enterprise. So the first problem we have with our enterprise is bring-your-own-device. So who has a cell phone? Do you bring that to work? Do you do work mail on that? So we have a few nos, but most of us, yes. Is there an enterprise policy on you doing that? Some places yes, some places no. The challenge that you have at the enterprise level is it's very easy for employees to bring their Apple Watches or Android smart watches or their phones or whatever other things they have into that environment. It's difficult to control. So this is where we get the problem of rogues. How many of you are engineers? How many of you like it when somebody tells you what you can't do? Seriously, Kai, why do you like being told? Because you do it anyway. So he was just like, I'm gonna raise my hand because I don't mind it, and [ __ ] you, it's gonna happen anyway. The rest of you are just like, [ __ ] you, it's gonna happen anyway. That's the engineering mindset. I'm not gonna let somebody who's like, well, you're like a deputy editor, chief of staff, or like you're important, you're my nominal executive wearing a hoodie to blend in. When Sean tells his staff no... Actually, you're better: when you tell Monse what he can or can't do. Yeah, exactly, why would you even bother? Funny thing about corporations is they think that their drones all do what they tell them, though they do. There is an expectation. There are people with starched shirts; I've seen them, they exist, and we ignore them.

On top of that, in the enterprise we have vendors. Vendors need to do maintenance on their things, whether that's sensors, whether that's HVAC temperature control. If you're in a critical infrastructure environment you're gonna have an even greater chain there. And then, as we've seen, the same problem that we have in the consumer world: these things have a cloud back-end. By definition IoT is really two things: cheap computing with limited resources, some level of battery life maybe; that's why they're proliferating. They need the cloud back-end to be truly functional, because we now have reached this point where we can trust that I can have a wireless connection to somewhere else in the world, and then I can have my big iron there to do all the heavy thinking, and then signatures.

So this is the hard part when you're an enterprise: this environment is fragmented. There are so many different types. So if you think about that from a technical perspective, how do I even identify what's on my network unless I physically put it there? And if we have this problem of users with BYOD, or Kai doing the rogue thing, you can't even figure out what it is, let alone where it is. Enterprise challenges. Oh yeah, this next slide. Who is responsible for updating the security or the patches on a consumer IoT device? A company that went out of business? That's for them to provide it. So we do have the Chinese, you know, company that's there for three months, or Taiwanese company, and all of a sudden it appears and they disappear and you're done. But let's assume they've lived longer than three months, right? The patch is there. Who's responsible for updating it? Us. Or, in the bottom right corner, Putin will do it for you. What do you think of this security model so far? This is the security model. Yeah, well, this is why we're all [ __ ]. In one slide. I could talk the entire presentation to this one slide. Users are responsible. Well, let's see how our users do at updating things.
Anybody remember Stagefright? Yep, yes, yes. And that's why I got an iPhone. It didn't really matter; yeah, Stagefright also worked against iPhone. I didn't know that. Users... Stagefright was... I don't even remember... All right, you're really gonna have the answer, because I'm walking, because I'm not gonna run again. I am starting to get hot, you know what I mean. So Stagefright was a vulnerability in a library that iOS and Android used. The vulnerability was in the way that it read images, and it ended up being a buffer overflow, and then you can end up writing exploit code into that. How did I deliver that exploit? Through sending... So no picture; all I had to do was send you a text. Did you even have to open the text? Negative. No, you didn't. All I had to do was be able to read that text; that's it. So it was a very simple 0-day and it went out very quickly. So all I have to do is send you a text. All I need is your phone number; I have your whole phone. No user interaction required. Going back to "I can't hack what I can't touch": all I need is your phone number.

That is the patching across the world nine months after the patch was available. Is there any easier device that you know of than your phone to update? It literally comes to you and says, update me, please do it, update me, why haven't you updated me yet? Nine months across the world, all of that red in that eye chart is users not having patched that critical vulnerability, which is literally, there is no worse case other than some mental telepathy where I can just say "I have your phone." That is like the ultimate silver bullet for compromise. It worked across all platforms and it required nothing more than just being able to know where you were. Done. On top of that, it turns out your phones are not indefinitely supported. You have to buy a new phone. Hi Sophia. Or you're just showing me a phone, so you know you're owed. Yeah, John and Suchi, Sophia and Jesse are right there. Jesse, you didn't wave hi. You have to buy a new phone because the manufacturers only support you for a limited period of time: Android three years, Apple five years. Let alone if your battery life got you that far, because your batteries are degrading the second you buy them. It's a scam, says the guy who knows Facebook people. Yes.

Next up: social engineering a country. So, herd immunity. Who's heard of the concept of herd immunity? Wow, I was just in South Dakota; I feel like more people would have known it there than here. Raise those hands again. All right, you look cool. Mitigation through quantity: the more people who are immune to something, the slower it spreads. So if we think about this in a ceiling and a floor, right, what is that, how would that concept apply? Well, there's like a top percentage and a bottom percentage of the population. Most people, if more people are immune, the more people that are immune, the less likely something is to pop up, and the more that are immune the less likely it is to spread. Who knows where the concept of herd immunity originated? Vaccines? Epidemiological studies of cattle? Ants? Herd. Why this matters to us in this conversation is the same principle applies to the challenge we have with IoT. So earlier when I talked about more function, more availability, more surface area, now let's apply that to, if we think about all of the computing devices in our ecosystem, and by the way all of our ecosystems interact, right, all the way from our personal ecosystem as a consumer to organization, and this is where I could make my critical infrastructure joke, and an air gap is not an air gap is not an air gap. Nobody got that; it's gonna be that kind of day. All right. Herd immunity is the fact that we just showed the security model: users. We showed how well users do it on the biggest problem we've ever seen, and now let's tie this to, I can pull, like, a CES graph up of what do you think the adoption rate is for IoT devices? It's like a Freddie Mercury pose, so we're Freddie Mercury-ing ourselves. Whoo. That could mean a lot of things at any moment.

So IoT devices are vectors to other things. This is now what we're going to demonstrate through this talk. The IoT device isn't actually the problem. What is on an IoT device? Does an IoT device have your credit card information? No. Does it really have much of anything? Most of the time, no. The problem is that they are proliferating in the environment. We talked about the security model, so they are this increasing, exponential number of vectors to things we do care about. What are some
things we care about? What is something you care about, besides beard oil? Privacy. Privacy. So there are different examples, some of which we covered. One of the ones that I want to point out is a red herring: people are afraid of webcams because they think that somebody out there is looking to find you. Does that happen? Because I'm talking to engineers, so you're going to be specific: yes. Is that the primary threat model? No. There are weirdos out there. What, not in here? Oh, in here? Are you one? Two? Yes, thank you for self-identifying; I was feeling lonely. I sit over there by you. What are we eating? Okay, so besides privacy, what do you think is another concern we should have about the fact that these can vector into something else? Staging. Staging? Staging what? Staging to other devices that have private information. Okay, like what kinds of private information? Well, I like things that have social security numbers and credit cards and that sort of thing. PII and PHI, financial information, taxes. That's what we're going to demonstrate. We're also going to show how easy it is, because again, our very preface was you don't have to be very technical to do any of this stuff. Key example: all you have to do is just know how to find it and run some code. Well, fortunately the world is kind at giving us this.

So we have seen four kinds of attack campaigns in the threat landscape. Distributed denial-of-service: is anybody in here Brian Krebs? So you're not worried about that, okay. Ransomware. Sean, I feel like you have an opinion about ransomware. Anything you would like to share, or I won't pick on you on this one? So ransomware is that one thing that will get you no matter what if you have more than one person on your network, because somebody is inevitably going to click on something. If you haven't patched, if you have devices that have an attack surface at all and you have email connected to them in some way, or you're on a device on a network that has a vulnerability that can be remotely scanned and exploited, you will find ransomware on your network and it will make your life very not happy. Baltimore found that out. Baltimore found out. So what happened in Baltimore, if you could summarize in two sentences or less? Sure. So somebody in Baltimore clicked on an attachment in an email, and this ransomware called RobbinHood deployed itself across the entire network, took down the water software for the city as well as a number of other servers, including servers that allowed people to do real estate transactions, and basically wiped out the city's ability to collect money for over a month and a half. About how many ransomware incidents have we seen across the United States in the last 12 months against cities, municipalities, water plants? It's in the hundreds if not thousands at this point, publicly. Thank you, John. What is it you do for a living again? I didn't mean to pick on you that way. John's an intel analyst; that's why he actually thinks about the second-order effect. So this is already happening to us. If you haven't seen it in the news, which I can't imagine any of you haven't, one of the primary problems that we've had, the issue that we've had here, is because again all these things were internet-connected, the obscurity of them didn't matter. And also, by the way, the fact that something might have been, like, a small city or a small county or even, like, a water utility that might not be what we would consider a primary thing to target, but what if I don't have to think about it real hard to just hit lots of things at the same time? Then it's just pretty much anything below that waterline that's vulnerable is going to get caught, and this is where ransomware is really getting us. Texas is a great example: they had 23, and they hit an MSP and they used the MSP to spread.

Cryptojacking. Anybody know what cryptojacking is? No? Okay, it's using the end user's compute power to do bitcoin computation for your own profit. Yep. So we have all of these cycles. One Nest thermostat's not going to be able to mine a whole lot for me, right? By definition it doesn't have a lot of computational capacity. We've got a million Nests; what about that, times what is Bitcoin going for these days? They might... 100? 120? What, wait, one bitcoin's worth $120,000? 9,300. I was about to say, because I was about to quit my talk and walk out. I think I'm done, I don't have to do this anymore, I don't have to perform for your amusement; like, I could quit my life, see you in the Caymans. This became a thing because of two factors: one, there's a lot more devices, and the bitcoins, well, someday they'll be worth that, but they became worth something. They were like this, they were like this, and then they shot up. From what I've seen over the last couple years it's sort of in between eight and ten thousand dollars. But put those two factors together, this is what we've seen. And then recently, so I've been giving this talk for over two years, updating it, modifying it and doing lots of different things, and when I first started doing this, with my entire focus on that it's not the IoT device but it's the vector to something else, I was the only person saying that... in, well, never
say that, because it's always untrue. I was one of the few people who was highlighting that aspect. Does anybody know what just got, what happened in August? Microsoft caught somebody doing something. That's also very vague but tied specifically to lateral vector. Don't worry about it; we'll come back to it. But now recently it's a common thing, and we will talk through that later.

So, history of attacks. There are two major attack types that we've seen. The first is Mirai. Mirai said every device that gets pushed out in IoT pretty much has a default username and password, and, go back to our user model, very few of us update them. So all I have to do is try a handful of combinations, and anything I can see, I just try those and it works, because do IoT devices typically time out if I try too hard? Nope. Are any of you monitoring what's connecting to your IoT devices in a 24/7 SOC? Nope, we don't do that at home. Mirai: boom, a million devices. Then we have the more sophisticated ones like Reaper and IoTroop. They said there's a lot of published code, because we're constantly finding vulnerabilities, and then we're very kind as the security community that we share the proof of concept of how those work, even if we're doing that with responsible disclosure, which we should. We go back to the problem of when does the patch actually come out, when do users actually put them in play? So all I have to do is know what your device is, match it to proof-of-concept code that's going to be able to compromise it, done. So they just had a catalogue of 65 PoC n-days, and any device that matched those, they just threw that and took it. The other public example we have, and this is attributed to Iran, is there is a fish tank in a casino in Las Vegas. Going back to our vendors: the vendor had sensors in the fish tank to manage the temperature remotely, and that was what was compromised. They used that as a lateral vector to jump into the casino, and I could also be in the Caymans if that had been me.

So here's the setup. We're gonna run through this quickly; we've got about 12 minutes remaining. The setup is we are an average consumer. We're bringing in a webcam; in this particular example it's this version of GeoVision webcam. I'm not picking on GeoVision, I'm not picking on webcams; any IoT device would be suitable for this demo. So first up, we as the user are going to configure the webcam. So we log in with the default credentials, and it kindly prompts us to change the password. That's actually an above-average feature. So we're gonna try to change the password. Nope. You want to know if there's proof that there's evil in the world? It's any web page that does that to you. So we got in eventually, just trying to change the password here, and we're in. We can now, for security reasons, in this case we can now keep an eye on our baby. So we've configured it. We want this to be internet-accessible, of course, and we have our new password. What is our new password? "applesauce" exclamation point, because it made it hard for us to do something different. Exclamation point, 70% of the time, is the symbol that every user puts in their password, so tie that to a dictionary attack. How do we get out? No, not start again. Go to the next slide.
Let me go to the next slide. There we go. So now we're going to demonstrate this from the attack perspective. So we're going to do reconnaissance, enumeration (enumeration is I have to fingerprint that exact device to make sure it works), compromise, pivot, steal; that's the fun stuff. Need an arbitrary stupid picture to demonstrate hackers: so he's wearing a balaclava, he's wearing a bandana, he's holding an implement that has nothing to do with a computer, and a computer. All right, so first up we're going to try the Mirai style of attack. We are going to try, we are going to try, okay. So first question: will this work? It should not. Why shouldn't it? Because we changed the defaults. What about other accounts that aren't showing? For the purpose of this demonstration we're assuming there's only one account on the machine, but you bring up a great example, particularly when we're talking about Linux devices, that they come with multiple default roles, many of which are never exposed to the user. In the interest of time, what we're going to show here is, has everyone heard of Censys? Has everyone heard of Shodan? Okay, Shodan's smaller brother. This is our OSINT platform, where all I have to do is plug in the particular device that I'm looking for and what protocol it talks, and it already has an open database of all of those around the world. I don't have to go anywhere; that's what Shodan does. That's where everybody gets, like, "really cool, look at all the things I can hack, look at all the things I can hack." So that's what we've got here. We've now got our list of everything that is vulnerable to the code we're about to throw, and I didn't have to do anything as a user, as a hacker, other than just go to a website that already has an open-source database for me to do all of that, and it already tells me what's vulnerable to my code, like I don't even have to worry about that. So we've got our enumeration; we've defined the environment. You can get all sorts of interesting information in here.

And then the next part of this demo is we show the brute-force attack, which of course doesn't work, and in the interest of time we're moving on. This is the actual code that we're throwing, so it's available out there; it's free, open source; you don't have to know anything. All these details are in the lab. This morning I took a look on GitHub to see how many code commits there were for GeoVision on GitHub: there are 30,503 as of this morning, of people out there updating code for you to use. Now this is the fun part. Now we're going to try that code, so the Reaper/IoTroop method. This isn't patched; there's published code. All I have to do is, all those IP addresses I have, throw that code against every single one of them. So in this case we're only doing this against one webcam, but how hard is it to write a simple script with a few lines to now do thousands? Not. So we're in. We have administrative access because we used a compromise, so I now own the machine, which means I can also figure out what that password was. From that we're gonna enumerate: what else can we see? Again, because I'm probably going to be... how much time do I have left? Eight? Okay, we can do this. So I'm enumerating network file shares from this. Why do I want to do that? I find a real computer that has a network file share. So in this case we see a Windows file share; that can be interesting; that's their home computer. What do we have on that machine? Well, first up we find family photos, so we're going to download all those and take a look. This is the fun part where we're just demonstrating what's fun as a hacker when you get to do this. So we pull those down, we take a look at them.

That's a hipster. Okay, but that's not really interesting, and again keep in mind that this can be automated even though we're demonstrating this manually. So what do we really want? We want anything that looks like passwords, money, bank accounts, taxes, blackmail. We already saw the blackmail that was there with the pictures. So what do we got? Well, we've got... some people save their passwords in text files on the computer. Don't do that. Oh, bank account information and taxes, all things that you use your personal computer for at home.

So now the Russians. This is what happened in August. This was against corporate enterprise versus us as individuals. One of the reasons that they did this is the attack approach that they took would not work on this particular device, because consumer IoT tends to not have a lot of memory. Their approach was they ran tcpdump. If you run tcpdump anywhere that has more than a few devices, you're gonna be overwhelmed, and we're already, like, pivoting into, like, how much space is left, because IoT devices are cheap, right? They don't have a lot of resources, so we're kind of, like, thinner, you know, just fitting in that little bit of space that just happens to be available. tcpdump would not work on a consumer device, but it does work on, say, a corporate printer, which could have gigabytes of RAM because it's meant to handle multiple cron jobs across multiple users, versus, say, what you're gonna see in a consumer environment. So this doesn't work on our consumer device, but they got caught by Microsoft trying to do that, where they used the exploitation method and then they used tcpdump to try to identify their next step for lateral movement. I'm going to be continuing down the research here because I am going to find a consumer device that this will work on. You saw a much simpler approach that is more effective, because knowing that I'm only going to be looking for, say, like, Windows file shares or a Linux file share, if I limit what my campaign wants to do I use a lot less memory and I can
get away with a lot more so their technique was not quite as effective as what we're doing this works against printers the video decoders and white phones we talked up that will skip that let's get that alright so what can we do at home how do we defend ourselves 5 first of all I can't hack what I can't touch firewall do we have firewalls everybody has a firewall first problem firewalls are also vulnerable as devices but we can't solve all the problems we can be though faster than the bearer and the person running away from the bear wait just the person running away from the bear you just have to be faster than other users we can't beat the bear now
that that's the Russians like we kind of fit that metaphor together the fancy bear cozy bear don't any of you read CrowdStrike propaganda yes yes you do God strike propaganda I love you Dimitri hi oh sorry that could have al I love you to meet you a pair of itch change the default credentials that should be obvious patching okay they don't make it easy for us this is where it's incumbent on us just like every year we have to do our taxes just like every year we have to do things we don't want to do patch go to each manufacturer site for each thing that you have pull and you're gonna have to most likely a
lot of these cases manually like through like a USB stick install the patch and update it but it is incumbent on us as users to do that because that currently is the model and then we can segregate these things your router at home allows you to create virtual LANs I can segment my network why is my PC talking on the same where I do my taxes on the same VLAN as where I'm managing temperature control for example very simple to just create a specific VLAN for IOT devices and have your PCs only on their own thing can that be defeated as well yes of course but again we're changing the environment because still most users
don't do this call to action so this is since this is the I am the cavalry track everybody knows I am the cavalry right no ok I am the cavalry is a loose organization of a bunch of independent security researchers where we're trying to pressure policy and manufacturing changes so that we can improve the environment so the first is manufacturers should be accountable for putting insecure devices into our environment now what is an insecure device is kind of in the eye of the beholder and there is no such thing as anything that is unhackable right so some best practices being embedded to start is good first of all having a public disclosure POC somewhere if we
find something we can easily be able to report that to the manufacturer to be able to manage that then expectations for them to take that see seriously look at those triage those and push out patches so that we are improving the environment it's the life cycle that's the most important part of this less something being published that's just secure hence we should have a release plan how do we easily get the patches to the consumers why isn't that something that's a part of the device and then finally this idea came out of something that I saw being debated in France I don't know if it ultimately passed but when a manufacturer goes out of business or a manufacturer decides to
end-of-life a product why don't we have them open source that code one that's an incentive for them not to end-of-life or two if they do it at least gives us the opportunity for the independent security research community to still pick up the mantle and push those patches out so some other options that are out there anybody see this what are they doing in 2020 what is Japan during a 2020 the Olympics so them recognizing the challenge they're going to do this for their citizens stay tuned some other options this just came out this a couple of days ago so the five eyes essentially the five english-speaking countries have now agreed I thought it was very kind of on
their webpage to provide their signatures so that was cool they've made a commitment and I think I show this on the next slide but basically that that first part where I said this is what we should do they've all made a commitment of five countries that these governments are going to be pushing toward those standards if you want to be a part of that because this was a call to action then I went out one of the organizers and actually hardly Giger's local but Jen Ellis both of them are at rapid7 they do a lot of policy work so if you're interested in trying to make the world a better place reach out so happening here there has
been bipartisan legislation that has been languishing for over two years now so both Republicans and Democrats both in the House and the Senate have agreed as sponsors to this idea and they're not even pushing it on consumer devices they're only pushing it for government agencies to just follow these principles and this still hasn't passed but fundamentally say hey NIST tell us what to do OMB make it happen and audit it do the things that we just said and then US government contractors who are part of that procurement process should follow through as well still hasn't passed this is something that you can also as individuals in terms of call to action write your Congressman write your
senator what the [ __ ] dude Sarah and Peter's acto started CIT l what they are doing is and there's the website for it is they are evaluating on a bunch of IOT manufacturers across do they have basic safety features as a part of the device so a SLR stack cards and a non-executable stack guess what do you think most of a meet those standards one of them actually responded to the press when they were when Sarah did an interview in August and said we don't think those are important that true story like you can't make this stuff up references for more info obviously I mentioned my nonprofit the ICS village in addition the IOT security
foundation.org I am the cavalry of course which just a loose confederation of like-minded individuals trying to make the world better for specific guidance this - 800 - 183 CSA published his security guidance for critical areas of focus version 3.0 that's a mouthful and then at the bottom is the lab so this is your ability to this is your ability to take this home and do this safely only in your own home I will not fail you out of jail look at me I don't have money questions yes sir I was wondering is that like is that because more users in those countries just did it or was that like a government policy that made so why was
it so bad why was I'm not sure I'm following know so I was looking at the grab I think was like Morocco Saudi Arabia and Algeria they had the highest right right so why were certain countries a little bit better than others obviously it's very hard to know the specific trends at a macro level most likely a lot of those folks are actually much more invested in the mobile infrastructure than we are so that is what I'm assuming was the case there are a lot of folks over there they don't have any pcs everything they do is off of a phone and a lot of places they've completely replaced currency by using phones for payments like the
entire economy in the way that their way of life is on phones I'm guessing that's why there was the higher uptake any other questions yes sir are there any brands that are doing it no next question how is Google doing it wrong actually so yes Google is doing a very good job I love my Google pixel the reason I chose Google actually just because that kind of tied to this piece is if you look at the Android platform Google owns that operating system and so anytime a patch is pushed out to a vulnerability it immediately goes to anything that is running native Google OS Android all of the other manufacturers though have skinned their own things on top of it which means you
know have some period of delay between google has pushed out something and then you know Samsung decides to do something our LG etc but yeah Google is one of the better ones and a plus google also has their project zero program which is probably worth calling out on that note where it's just a bunch of Google security researchers and the company is pretty much just given the money and time and they are allowed to go out and VR anything they want they do competitor products and they go and do responsible disclosure to those vendors to help improve the ecosystem so I will give specific credit to Google let alone from my my joke of saying no
thank you for your time [Applause]
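The three binary hardening properties the talk attributes to CITL's testing (ASLR via position-independent code, stack guards, and a non-executable stack) can be read straight out of an ELF file, which is what a practitioner pulling firmware off one of these devices would do first. The Python below is an added example, not code from the talk, from CITL, or from any project the talk mentions. It parses the ELF64 header and program headers to report PIE, NX stack, and RELRO, and uses the common checksec-style heuristic of searching for a `__stack_chk_fail` reference for stack guards rather than parsing the symbol table. The `build_fake_elf` helper constructs minimal, non-loadable ELF images in memory so the checker can be exercised offline; they are constructed samples, not real firmware.

```python
import struct
import sys

# ELF constants (from the ELF64 specification / elf.h)
ET_EXEC = 2            # fixed-address executable: no ASLR for the main image
ET_DYN = 3             # position-independent (PIE or shared object)
PT_GNU_STACK = 0x6474E551
PT_GNU_RELRO = 0x6474E552
PF_X, PF_W, PF_R = 1, 2, 4
EHDR_FMT = "HHIQQQIHHHHHH"   # ELF64 header fields after the 16-byte e_ident
PHDR_FMT = "IIQQQQQQ"        # one ELF64 program header


def check_hardening(data: bytes) -> dict:
    """Report basic mitigations for an ELF64 image held in memory."""
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    if data[4] != 2:
        raise ValueError("only ELF64 is handled in this example")
    end = "<" if data[5] == 1 else ">"          # EI_DATA: 1 = little-endian
    fields = struct.unpack(end + EHDR_FMT, data[16:64])
    e_type, e_phoff, e_phentsize, e_phnum = fields[0], fields[4], fields[8], fields[9]

    # Linux treats a missing PT_GNU_STACK as "executable stack" on most
    # architectures, so start from the pessimistic value.
    nx_stack = False
    relro = False
    for i in range(e_phnum):
        off = e_phoff + i * e_phentsize
        p_type, p_flags = struct.unpack(end + "II", data[off:off + 8])
        if p_type == PT_GNU_STACK:
            nx_stack = not (p_flags & PF_X)
        elif p_type == PT_GNU_RELRO:
            relro = True

    return {
        "pie": e_type == ET_DYN,
        "nx_stack": nx_stack,
        "relro": relro,
        # Heuristic: a stack-protector build references __stack_chk_fail.
        "stack_guard": b"__stack_chk_fail" in data,
    }


def is_hardened(report: dict) -> bool:
    """The three properties named in the talk: ASLR, stack guards, NX stack."""
    return report["pie"] and report["stack_guard"] and report["nx_stack"]


def build_fake_elf(pie: bool, nx_stack: bool, stack_guard: bool) -> bytes:
    """Constructed minimal ELF64 image for demonstration only: a header, one
    PT_GNU_STACK program header and an optional symbol-name string.  It is
    not loadable; it exists so the checker can be exercised offline."""
    e_ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + b"\x00" * 8   # 64-bit, LE, v1
    ehdr = e_ident + struct.pack(
        "<" + EHDR_FMT,
        ET_DYN if pie else ET_EXEC,  # e_type
        0x3E,                        # e_machine: x86-64
        1,                           # e_version
        0x1000,                      # e_entry
        64,                          # e_phoff: program headers follow the header
        0, 0,                        # e_shoff, e_flags
        64, 56, 1,                   # e_ehsize, e_phentsize, e_phnum
        64, 0, 0,                    # e_shentsize, e_shnum, e_shstrndx
    )
    flags = PF_R | PF_W | (0 if nx_stack else PF_X)
    phdr = struct.pack("<" + PHDR_FMT, PT_GNU_STACK, flags, 0, 0, 0, 0, 0, 16)
    tail = b"__stack_chk_fail\x00" if stack_guard else b""
    return ehdr + phdr + tail


if __name__ == "__main__":
    # Usage: python elf_hardening.py /path/to/extracted_firmware_binary
    # With no argument, run against the constructed samples instead.
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as f:
            r = check_hardening(f.read())
        print(sys.argv[1], r, "HARDENED" if is_hardened(r) else "WEAK")
    else:
        for args in ((True, True, True), (False, False, False)):
            r = check_hardening(build_fake_elf(*args))
            print(args, r, "HARDENED" if is_hardened(r) else "WEAK")
```

Point it at binaries extracted from a firmware image (for example with binwalk) rather than the image itself; the checker expects a single ELF64 file. The string-search canary check can miss statically linked builds that inline the protector and can be fooled by a stray string, so treat it as a screen before a proper symbol-table or disassembly check.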