Home Invasion v2.0
© 2012
WHO ARE WE?
The Presenters

Daniel “unicornFurnace” Crowley
• Managing Consultant, Trustwave SpiderLabs

Jennifer “savagejen” Savage
• Software Engineer, Tabbedout

David “videoman” Bryan
• Security Consultant, Trustwave SpiderLabs
WHAT ARE WE DOING HERE?
The “Smart” Home
• Science fiction becomes science fact
• Race to release novel products means poor security
• Attempt to hack a sampling of “smart” devices
• Many products we didn’t cover
  o Android powered oven
  o Smart TVs (another talk is covering one!)
  o IP security cameras
WHAT’S OUT THERE NOW?
Locks, thermostats, fridges, toilets, lights, toys
Entire smart cities like Songdo

WHAT’S IN THE FUTURE?
Karotz Smart Rabbit
• Exposure of wifi network credentials unencrypted
• Unencrypted remote API calls
• Unencrypted setup package download
• Python module hijack in autorunwifi script
Python Module Hijacking
• Python Module Hijacking is insecure library loading
  o Similar to LD_PRELOAD and DLL hijacking
• Python loads modules from the dir of script first
• Karotz autorunwifi script uses simplejson module
  o Put code to execute in simplejson.py in the same directory as autorunwifi
• Defeats code signing
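As an added example (not code from the talk or from the Karotz firmware), a small audit that reports which of a script's imports would be satisfied from the script's own directory rather than from the interpreter's library path, which is the load order the slide describes. The autorunwifi.py / simplejson.py layout is rebuilt in a temp directory with constructed stand-in contents (a one-line import and an empty module).

```python
"""Find imports of a script that the script's own directory would satisfy.

Added example, not code from the talk or the Karotz device. When Python runs
a script it puts the script's directory at sys.path[0], so a simplejson.py
next to a script that does `import simplejson` is loaded instead of the real
library, and a signature over the script alone does not cover that file.
"""
import ast
import os
import tempfile
from importlib.machinery import PathFinder


def imported_modules_from_source(source):
    """Top-level names a script imports, found by parsing it, not running it."""
    names = set()
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Import):
            names.update(alias.name.split(".")[0] for alias in node.names)
        elif isinstance(node, ast.ImportFrom) and node.module and node.level == 0:
            names.add(node.module.split(".")[0])
    return sorted(names)


def shadowed_modules(script_path):
    """Map module name -> file in the script's directory that would be imported.

    Only the script directory is searched, so a hit means that directory, not
    the interpreter's library path, decides which code runs on import.
    """
    script_path = os.path.abspath(script_path)
    script_dir = os.path.dirname(script_path)
    with open(script_path, encoding="utf-8") as fh:
        names = imported_modules_from_source(fh.read())
    hits = {}
    for name in names:
        spec = PathFinder.find_spec(name, [script_dir])
        # A bare directory (namespace package) has no origin and loses to a real
        # module later on sys.path, so only file-backed hits are reported.
        if spec is not None and spec.origin:
            hits[name] = spec.origin
    return hits


def demo_karotz_layout():
    """Rebuild the layout from the slide in a temp dir and audit it."""
    workdir = tempfile.mkdtemp(prefix="karotz_audit_")
    script = os.path.join(workdir, "autorunwifi.py")
    with open(script, "w", encoding="utf-8") as fh:
        fh.write("import os\nimport simplejson\n")  # constructed stand-in script
    with open(os.path.join(workdir, "simplejson.py"), "w", encoding="utf-8") as fh:
        fh.write("# constructed stand-in: anything here runs at import time\n")
    return shadowed_modules(script)


if __name__ == "__main__":
    for name, path in demo_karotz_layout().items():
        print(f"{name} would be loaded from {path}")
```

Running the script with `python -P` (3.11 and later) or with `PYTHONSAFEPATH` set keeps the script directory off sys.path, which removes this load order; keeping the script directory non-writable addresses the same risk on older interpreters.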
Karotz Smart Rabbit
An attacker could:
• MITM insecure connection to Karotz server
• Replace user's download with malicious version
• Use vuln to make Karotz run their own code!
• ...Bunny bot net?
Belkin WeMo Switch
• Vulnerable libupnp version
  o Remote pre-auth root
• Unauthenticated UPnP actions
  o SetBinaryState
  o SetFriendlyName
• EULA used to “secure” the device.
• Belkin has been awesome!
SONOS Bridge
• Support console information disclosure
LIXIL Satis Smart Toilet
• Default Bluetooth PIN
INSTEON Hub
• Lack of authentication on web console
  o Web console exposed to the Internet
    § Time zone – city
    § Name street
  o Control all the things.
• Fixed the authentication with model 2422-222”R”
INSTEON Hub
• Still lack of SSL/TLS
• Uses HTTP Auth
  o Base64 encoded credentials
  o Username: admin
  o Password: ABCDEF ← INSTEON ID and last 3 of the MAC
  o #SecurityFail
  o It only takes 16 Million attempts
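As an added example (not from the talk), a check a defender can run over a captured request: it recovers the Basic auth credentials with nothing more than base64 decoding, flags them as cleartext when the transport is not TLS, and sizes the password keyspace; a six-character hex password gives 16**6 = 16,777,216 guesses, the slide's "16 million". The request, host address, password placeholder "ABCDEF" and guessing rate are all constructed.

```python
"""Audit one HTTP request for cleartext Basic auth and size the password space.

Added example, not code from the talk. It models the INSTEON Hub slide: HTTP
without TLS, Basic auth (base64 is encoding, not encryption), and a password
derived from device identifiers. SAMPLE_REQUEST is constructed; "ABCDEF" is
the slide's placeholder, not a real device value.
"""
import base64
import math
import re

# Constructed sample: the request as it would appear on the wire over plain HTTP.
SAMPLE_REQUEST = (
    "GET /index.htm HTTP/1.1\r\n"
    "Host: 192.0.2.10\r\n"
    "Authorization: Basic " + base64.b64encode(b"admin:ABCDEF").decode() + "\r\n"
    "\r\n"
)

_AUTH_RE = re.compile(r"^Authorization:\s*Basic\s+([A-Za-z0-9+/=]+)\s*$", re.I | re.M)


def parse_basic_auth(request_text):
    """Return (username, password) from a Basic Authorization header, or None.

    The credentials come back from base64 decoding alone: anyone who can read
    the request can read the password.
    """
    match = _AUTH_RE.search(request_text)
    if not match:
        return None
    try:
        decoded = base64.b64decode(match.group(1), validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    user, sep, password = decoded.partition(":")
    return (user, password) if sep else None


def password_keyspace(password):
    """Number of passwords of the same length over the same character classes.

    An all-hex password is treated as hex digits (identifiers copied from a
    MAC or device ID): six of them give 16**6 = 16,777,216 candidates.
    """
    if not password:
        return 0
    if re.fullmatch(r"[0-9A-Fa-f]+", password):
        alphabet = 16
    else:
        alphabet = 0
        if re.search(r"[a-z]", password):
            alphabet += 26
        if re.search(r"[A-Z]", password):
            alphabet += 26
        if re.search(r"[0-9]", password):
            alphabet += 10
        if re.search(r"[^A-Za-z0-9]", password):
            alphabet += 33  # printable ASCII punctuation
    return alphabet ** len(password)


def audit_request(request_text, over_tls=False, guesses_per_second=100.0):
    """Summarise the findings for one captured request as a dict."""
    creds = parse_basic_auth(request_text)
    if creds is None:
        return {"basic_auth": False}
    user, password = creds
    space = password_keyspace(password)
    return {
        "basic_auth": True,
        "cleartext_credentials": not over_tls,
        "username": user,
        "password_bits": round(math.log2(space), 1) if space else 0,
        "keyspace": space,
        # Hours to try every candidate at the (constructed) online guessing rate.
        "hours_to_exhaust": space / guesses_per_second / 3600,
    }


if __name__ == "__main__":
    for key, value in audit_request(SAMPLE_REQUEST).items():
        print(f"{key}: {value}")
```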
MiCasaVerde VeraLite
• Lack of authentication on web console by default
• Insufficient Authorization Checks
  o Firmware Update
  o Settings backup
  o Test Lua code
• Path Traversal
• Cross-Site Request Forgery
• Lack of authentication on UPnP daemon
• Vulnerable libupnp Version
• Server Side Request Forgery
• Unconfirmed Authentication Bypass
MiCasaVerde VeraLite
• Three methods of auth bypass
• Seven methods to get root
• Two attacks remotely exploitable through SE
• Potential for ownage of ALL the VeraLites!
DEMONSTRATION

CONCLUSION
Daniel “unicornFurnace” Crowley
  dcrowley@trustwave.com
  @dan_crowley

Jennifer “savagejen” Savage
  savagejen@gmail.com (PGP key ID 6326A948)
  @savagejen

David “videoman” Bryan
  dbryan@trustwave.com
  @_videoman_

Questions?

Home Invasion 2.0 - DEF CON 21 - 2013

2. WHO ARE WE?
© 2012

3. The Presenters
  Daniel “unicornFurnace” Crowley
    • Managing Consultant, Trustwave SpiderLabs
  Jennifer “savagejen” Savage
    • Software Engineer, Tabbedout
  David “videoman” Bryan
    • Security Consultant, Trustwave SpiderLabs

4. WHAT ARE WE DOING HERE?

5. The “Smart” Home
  Science fiction becomes science fact
  Race to release novel products means poor security
  Attempt to hack a sampling of “smart” devices
  Many products we didn’t cover
    Android powered oven
    Smart TVs (another talk is covering one!)
    IP security cameras

6. WHAT’S OUT THERE NOW?
  Locks, thermostats, fridges, toilets, lights, toys
  Entire smart cities like Songdo
  WHAT’S IN THE FUTURE?

7. Karotz Smart Rabbit

8. Karotz Smart Rabbit
  • Exposure of wifi network credentials unencrypted
  • Unencrypted remote API calls
  • Unencrypted setup package download
  • Python module hijack in autorunwifi script

11. Karotz Smart Rabbit
  Python Module Hijacking
  • Python Module Hijacking is insecure library loading
    o Similar to LD_PRELOAD and DLL hijacking
  • Python loads modules from the dir of script first
  • Karotz autorunwifi script uses simplejson module
    o Put code to execute in simplejson.py in the same directory as autorunwifi
  • Defeats code signing
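As an added, defensive illustration of the library-loading behaviour this slide describes (this is example code, not code from the talk, from Karotz or from the autorunwifi script): a checker that reports files in a script's directory that would shadow the modules the script imports, resolves where an import would actually be loaded from without executing it, and builds an import search path with the script directory removed. The demo constructs a throwaway directory with a benign stand-in `simplejson.py` to show the default search order picking the planted file and the hardened order avoiding it; the directory name and the stand-in file are constructed for the demo.

```python
import importlib.machinery
import os
import shutil
import sys
import tempfile


def find_shadowing_modules(script_dir, module_names):
    """Report modules that a file or package inside script_dir would shadow.

    Python puts the script's own directory at sys.path[0], so a simplejson.py
    (or simplejson/__init__.py) next to the script wins over the real module.
    Returns {module_name: offending_path}.
    """
    hits = {}
    for name in module_names:
        for candidate in (os.path.join(script_dir, name + ".py"),
                          os.path.join(script_dir, name, "__init__.py")):
            if os.path.isfile(candidate):
                hits[name] = candidate
                break
    return hits


def resolve_module_origin(name, search_path):
    """Return the file Python would load `name` from for the given search
    path, without importing (and therefore without executing) it."""
    spec = importlib.machinery.PathFinder.find_spec(name, search_path)
    return None if spec is None else spec.origin


def hardened_search_path(script_dir, base_path=None):
    """sys.path with the script directory and the '' (cwd) entry removed, so
    imports resolve only from the interpreter's installed locations."""
    base = sys.path if base_path is None else base_path
    target = os.path.realpath(script_dir)
    return [p for p in base if p and os.path.realpath(p) != target]


def demo():
    """Plant a benign stand-in module and show both search orders."""
    # Constructed stand-in for a script directory (e.g. where autorunwifi lives).
    script_dir = tempfile.mkdtemp(prefix="script-dir-demo-")
    try:
        # Constructed stand-in for a planted module: it only defines a flag,
        # so we can tell it apart from any real simplejson install.
        shadow = os.path.join(script_dir, "simplejson.py")
        with open(shadow, "w") as fh:
            fh.write("SHADOWED = True\n")

        shadowed = find_shadowing_modules(script_dir, ["simplejson", "os", "sys"])

        # Default order: script directory first, then the installed locations.
        default_order = [script_dir] + hardened_search_path(script_dir)
        picked_by_default = resolve_module_origin("simplejson", default_order)

        # Hardened order: script directory dropped entirely.
        picked_when_hardened = resolve_module_origin(
            "simplejson", hardened_search_path(script_dir))

        return {
            "shadowed_names": sorted(shadowed),
            "default_picks_planted_file": (
                picked_by_default is not None
                and os.path.samefile(picked_by_default, shadow)),
            "hardened_avoids_planted_file": (
                picked_when_hardened is None
                or not os.path.samefile(picked_when_hardened, shadow)),
        }
    finally:
        shutil.rmtree(script_dir, ignore_errors=True)


if __name__ == "__main__":
    print(demo())
```

The check is cheap enough to run at startup before the first third-party import: if `find_shadowing_modules` reports anything for a directory that should be read-only, abort rather than import. Code signing of the main script does not help here, because the planted file is loaded by name at import time; restricting the search path (or verifying `resolve_module_origin` points under an expected install prefix) is what closes the gap.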
12. Karotz Smart Rabbit
  An attacker could:
  • MITM insecure connection to Karotz server
  • Replace user's download with malicious version
  • Use vuln to make Karotz run their own code!
  • ...Bunny bot net?

13. Belkin WeMo Switch

14. Belkin WeMo Switch
  • Vulnerable libupnp version
    o Remote pre-auth root
  • Unauthenticated UPnP actions
    o SetBinaryState
    o SetFriendlyName
  • EULA used to “secure” the device.
  • Belkin has been awesome!

16. SONOS Bridge
  • Support console information disclosure

22. LIXIL Satis Smart Toilet

23. LIXIL Satis Smart Toilet
  • Default Bluetooth PIN

24. INSTEON Hub

26. INSTEON Hub
  • Lack of authentication on web console
    o Web console exposed to the Internet
      § Time zone – city
      § Name street
    o Control all the things.
  • Fixed the authentication with model 2422-222 “R”

27. INSTEON Hub
  • Still lack of SSL/TLS
  • Uses HTTP Auth
    o Base64 encoded credentials
    o Username: admin
    o Password: ABCDEF ← INSTEON ID and last 3 of the MAC
    o #SecurityFail
    o It only takes 16 Million attempts

29. MiCasaVerde VeraLite
  • Lack of authentication on web console by default
  • Insufficient Authorization Checks
    o Firmware Update
    o Settings backup
    o Test Lua code
  • Path Traversal
  • Cross-Site Request Forgery
  • Lack of authentication on UPnP daemon
  • Vulnerable libupnp Version
  • Server Side Request Forgery
  • Unconfirmed Authentication Bypass

30. MiCasaVerde VeraLite
  • Three methods of auth bypass
  • Seven methods to get root
  • Two attacks remotely exploitable through SE
  • Potential for ownage of ALL the VeraLites!

33. Questions?
  Daniel “unicornFurnace” Crowley
    dcrowley@trustwave.com
    @dan_crowley
  Jennifer “savagejen” Savage
    savagejen@gmail.com (PGP key ID 6326A948)
    @savagejen
  David “videoman” Bryan
    dbryan@trustwave.com
    @_videoman_