SlideShare ist ein Scribd-Unternehmen logo

Defcon 22-jesus-molina-learn-how-to-control-every-room

Priyanka Aash
Priyanka Aash

Defcon 22-jesus-molina-learn-how-to-control-every-room

Technologie
1 von 30
LEARN HOW TO CONTROL EVERY ROOM AT A LUXURY HOTEL REMOTELY: THE DANGERS OF INSECURE HOME AUTOMATION DEPLOYMENT Jesus Molina @verifythentrust security@nomeames.com
HACKING IN MOVIES
The Italian Job • Seth Green takes control of all kind of public transit so the mini-coopers can run free • “all  I did was come up with my own... kick ass algorithm to sneak in, and now we own the place”
Jurassic Park • Electric fences go off, dinosaurs escape wrecking havoc. But the hacker teen fixes it later • “It’s  a  UNIX  system”
Hack Hard • Cheap remake of Die Hard, but the hero is a hacker defeating the terrorists by taking over control of every appliance in a Chinese luxury hotel • “It’s  a  KNX  system!  Let  me   google  this”
THE ST. REGIS SHENZHEN
HOTEL IS HERE
Hollywood movies vs. Art House movies • In Hollywood movies the hacker does all the job in a mere 5 sequences • In art house movies it takes a little longer.
Step1: Reckon • The iPad uses the guest network
Step1: Reckon • The hero needs to understand the protocol. Using ultra high tech technology intercepts communication between iPad and devices
Step 2: Reverse Engineer the protocol • What is this? • UDP packets flying left and right • No idea, but connects to port 3671
Step 2: Reverse Engineer the protocol • Use advanced machine learning techniques to discover the communication protocol
KNX INTERLUDE This is the part with frames of the hero reading his Kindle and researching the internets
Step 2: Reverse Engineer the protocol • KNX! And a fancy plugin for wireshark • So what is KNX? • According  to  their  webpage,  KNX  is  “the  world´s only open Standard for the control in both commercial and  residential  buildings".  It  goes  on  by  saying  “KNX   is therefore future proof” • This communication protocol is KNX/IP, or KNX over IP
KNX/IP frame Header Ethernet Header IP KNXnet/IP Header UDP Header Length Protocol Version Service Type Identifier PayloadTotal Length cEMI 06 10 04 20 00 15 04 49 00 00 11 00 bc e0 00 00 08 02 01 00 81
/* TUNNELLING_REQUEST */ /* Header (6 Bytes) */ treq[0] = 0x06; /* 06 - Header Length */ treq[1] = 0x10; /* 10 - KNXnet version (1.0) */ treq[2] = 0x04; /* 04 - hi-byte Service type descriptor (TUNNELLING_REQUEST) */ treq[3] = 0x20; /* 20 - lo-byte Service type descriptor (TUNNELLING_REQUEST) */ treq[4] = 0x00; /* 00 - hi-byte total length */ treq[5] = 0x15; /* 15 - lo-byte total lengt 21 bytes */ /* Connection Header (4 Bytes) */ treq[6] = 0x04; /* 04 - Structure length */ treq[7] = iChannelID & 0xff; /* given channel id */ treq[8] = 0x00; /* sequence counter, zero if you send one tunnelling request only at this session, otherwise count ++ */ treq[9] = 0x00; /* 00 - Reserved */ /* cEMI-Frame (11 Bytes) */ treq[10] = 0x11; /* message code, 11: Data Service transmitting */ treq[11] = 0x00; /* add. info length ( bytes) */ treq[12] = 0xbc; /* control byte */ treq[13] = 0xe0; /* DRL byte */ treq[14] = 0x00; /* hi-byte source individual address */ treq[15] = 0x00; /* lo-byte source (replace throw IP-Gateway) */ treq[16] = (destaddr >> 8) & 0xff; /* hi-byte destination address (20: group address) 4/0/0: (4*2048) + (0*256) + (0*1) = 8192 = 20 00 */ treq[17] = destaddr & 0xff; /* lo-Byte destination */ treq[18] = 0x01; /* 01 data byte following */ treq[19] = 0x00; /* tpdu */ treq[20] = 0x81; /* 81: switch on, 80: off */ A cEMI frame* to make a lightbulb go *According to http://www.eb-systeme.de/ Address Action
KNX/IP Network • Addresses are in the format A/B/C • Every room accessed by an IP address • Every room has a unique KNX subnet A/B • The last digit (C) is the appliance address, identical for each room • If room 7773 is on subnet 1/5 and the TV adress is 30, the you need to send to addres 1/5/30
KNX/IP security This slide is intentionally left blank
INTERLUDE ENDS Hero switches off his kindle. He understands the protocol and moves to the next step
Step 3: Get the attack ingredients • An attacker only needs four elements • A tool to send the KNX/IP frames – Code the protocol or check the internet: eibd • A library of IP addresses for each KNX/IP router and corresponding room number – Change rooms or listen to other rooms • A library of KNX addresses for each room and for every device in the room – Press each button on the iPad app • A library of actions and action payload for each device – Press each button on the iPad app
Step 3: Get the attack ingredients • Look for patterns using cutting edge technology
Step 3: Get the attack ingredients • The KNX/IP addresses of every room were simple to guess. The KNX subnets for the rooms where simple too • The actions and device address in each room were identical • The DND lights and make up room light had another address space dedicated to them in each floor
Step 4: Perform the attack Switching on every TV in the hotel For each [KNX_room, IP] For each [KNX_item,TV_action,TV_payload] KNXtunnel KNX_room/KNX_item TV_action TV_payload IP& DONE – be happy about it
Step 5: External Attack • You  said  “Remotely” • Attacker must be on the hotel network (Open) • Several options – A  “repeater”  inside  or  outside  the  hotel:  Big   antenna and a bridge – iPad trojan: Use the iPad to connect to the internet periodically
Mitigation and Solutions • iPad, network and KNX do not provide any security alternatives • A possible solution is to create a tunnel between iPad and router with mutual authentication • KNX released recently a new set of specification, but the closed nature of the protocol make it impossible to check it (for me)
Aftermath • The hotel took the system off-line • Security researchers, leaders in the automation market and members of the hotel industry need to start conversations to provide guest with reasonable protection standards while enjoying home automation
HARD HACK II • Guess where it will be located? Hint: The director like the Die Hard series

Empfohlen

Defcon 22-zoltan-balazs-bypass-firewalls-application-whiteli
Defcon 22-zoltan-balazs-bypass-firewalls-application-whiteliDefcon 22-zoltan-balazs-bypass-firewalls-application-whiteli
Defcon 22-zoltan-balazs-bypass-firewalls-application-whiteli
Priyanka Aash
 
Defcon 22-philip-young-from-root-to-special-hacking-ibm-main
Defcon 22-philip-young-from-root-to-special-hacking-ibm-mainDefcon 22-philip-young-from-root-to-special-hacking-ibm-main
Defcon 22-philip-young-from-root-to-special-hacking-ibm-main
Priyanka Aash
 
Defcon 22-wesley-mc grew-instrumenting-point-of-sale-malware
Defcon 22-wesley-mc grew-instrumenting-point-of-sale-malwareDefcon 22-wesley-mc grew-instrumenting-point-of-sale-malware
Defcon 22-wesley-mc grew-instrumenting-point-of-sale-malware
Priyanka Aash
 
Hacker Halted 2014 - Post-Exploitation After Having Remote Access
Hacker Halted 2014 - Post-Exploitation After Having Remote AccessHacker Halted 2014 - Post-Exploitation After Having Remote Access
Hacker Halted 2014 - Post-Exploitation After Having Remote Access
EC-Council
 
Defcon 22-paul-mcmillan-attacking-the-iot-using-timing-attac
Defcon 22-paul-mcmillan-attacking-the-iot-using-timing-attacDefcon 22-paul-mcmillan-attacking-the-iot-using-timing-attac
Defcon 22-paul-mcmillan-attacking-the-iot-using-timing-attac
Priyanka Aash
 
Sticky Keys to the Kingdom
Sticky Keys to the KingdomSticky Keys to the Kingdom
Sticky Keys to the Kingdom
Dennis Maldonado
 
BlueHat v18 || Linear time shellcode detection using state machines and opera...
BlueHat v18 || Linear time shellcode detection using state machines and opera...BlueHat v18 || Linear time shellcode detection using state machines and opera...
BlueHat v18 || Linear time shellcode detection using state machines and opera...
BlueHat Security Conference
 
Defcon 22-colby-moore-patrick-wardle-synack-drop cam
Defcon 22-colby-moore-patrick-wardle-synack-drop camDefcon 22-colby-moore-patrick-wardle-synack-drop cam
Defcon 22-colby-moore-patrick-wardle-synack-drop cam
Priyanka Aash
 

Empfohlen

Defcon 22-zoltan-balazs-bypass-firewalls-application-whiteli
Defcon 22-zoltan-balazs-bypass-firewalls-application-whiteliDefcon 22-zoltan-balazs-bypass-firewalls-application-whiteli
Defcon 22-zoltan-balazs-bypass-firewalls-application-whiteli
Priyanka Aash
 
Defcon 22-philip-young-from-root-to-special-hacking-ibm-main
Defcon 22-philip-young-from-root-to-special-hacking-ibm-mainDefcon 22-philip-young-from-root-to-special-hacking-ibm-main
Defcon 22-philip-young-from-root-to-special-hacking-ibm-main
Priyanka Aash
 
Defcon 22-wesley-mc grew-instrumenting-point-of-sale-malware
Defcon 22-wesley-mc grew-instrumenting-point-of-sale-malwareDefcon 22-wesley-mc grew-instrumenting-point-of-sale-malware
Defcon 22-wesley-mc grew-instrumenting-point-of-sale-malware
Priyanka Aash
 
Hacker Halted 2014 - Post-Exploitation After Having Remote Access
Hacker Halted 2014 - Post-Exploitation After Having Remote AccessHacker Halted 2014 - Post-Exploitation After Having Remote Access
Hacker Halted 2014 - Post-Exploitation After Having Remote Access
EC-Council
 
Defcon 22-paul-mcmillan-attacking-the-iot-using-timing-attac
Defcon 22-paul-mcmillan-attacking-the-iot-using-timing-attacDefcon 22-paul-mcmillan-attacking-the-iot-using-timing-attac
Defcon 22-paul-mcmillan-attacking-the-iot-using-timing-attac
Priyanka Aash
 
Sticky Keys to the Kingdom
Sticky Keys to the KingdomSticky Keys to the Kingdom
Sticky Keys to the Kingdom
Dennis Maldonado
 
BlueHat v18 || Linear time shellcode detection using state machines and opera...
BlueHat v18 || Linear time shellcode detection using state machines and opera...BlueHat v18 || Linear time shellcode detection using state machines and opera...
BlueHat v18 || Linear time shellcode detection using state machines and opera...
BlueHat Security Conference
 
Defcon 22-colby-moore-patrick-wardle-synack-drop cam
Defcon 22-colby-moore-patrick-wardle-synack-drop camDefcon 22-colby-moore-patrick-wardle-synack-drop cam
Defcon 22-colby-moore-patrick-wardle-synack-drop cam
Priyanka Aash
 
DEFCON 22: Bypass firewalls, application white lists, secure remote desktops ...
DEFCON 22: Bypass firewalls, application white lists, secure remote desktops ...DEFCON 22: Bypass firewalls, application white lists, secure remote desktops ...
DEFCON 22: Bypass firewalls, application white lists, secure remote desktops ...
Zoltan Balazs
 
Outlook and Exchange for the bad guys
Outlook and Exchange for the bad guysOutlook and Exchange for the bad guys
Outlook and Exchange for the bad guys
Nick Landers
 
Security events in 2014
Security events in 2014Security events in 2014
Security events in 2014
Chong-Kuan Chen
 
Internal Pentest: from z3r0 to h3r0
Internal Pentest: from z3r0 to h3r0Internal Pentest: from z3r0 to h3r0
Internal Pentest: from z3r0 to h3r0
marcioalma
 
BlueHat v18 || The matrix has you - protecting linux using deception
BlueHat v18 || The matrix has you - protecting linux using deceptionBlueHat v18 || The matrix has you - protecting linux using deception
BlueHat v18 || The matrix has you - protecting linux using deception
BlueHat Security Conference
 
Csw2016 wang docker_escapetechnology
Csw2016 wang docker_escapetechnologyCsw2016 wang docker_escapetechnology
Csw2016 wang docker_escapetechnology
CanSecWest
 
CSW2017 Yuhao song+Huimingliu cyber_wmd_vulnerable_IoT
CSW2017 Yuhao song+Huimingliu cyber_wmd_vulnerable_IoTCSW2017 Yuhao song+Huimingliu cyber_wmd_vulnerable_IoT
CSW2017 Yuhao song+Huimingliu cyber_wmd_vulnerable_IoT
CanSecWest
 
Hot potato Privilege Escalation
Hot potato Privilege EscalationHot potato Privilege Escalation
Hot potato Privilege Escalation
Sunny Neo
 
Kali tools list with short description
Kali tools list with short descriptionKali tools list with short description
Kali tools list with short description
Jose Moruno Cadima
 
2012 S&P Paper Reading Session1
2012 S&P Paper Reading Session12012 S&P Paper Reading Session1
2012 S&P Paper Reading Session1
Chong-Kuan Chen
 
Csw2017 bazhaniuk exploring_yoursystemdeeper_updated
Csw2017 bazhaniuk exploring_yoursystemdeeper_updatedCsw2017 bazhaniuk exploring_yoursystemdeeper_updated
Csw2017 bazhaniuk exploring_yoursystemdeeper_updated
CanSecWest
 
Freeware Security Tools You Need
Freeware Security Tools You NeedFreeware Security Tools You Need
Freeware Security Tools You Need
amiable_indian
 
Pursue the Attackers – Identify and Investigate Lateral Movement Based on Beh...
Pursue the Attackers – Identify and Investigate Lateral Movement Based on Beh...Pursue the Attackers – Identify and Investigate Lateral Movement Based on Beh...
Pursue the Attackers – Identify and Investigate Lateral Movement Based on Beh...
CODE BLUE
 
Addios!
Addios!Addios!
Addios!
Chong-Kuan Chen
 
ShinoBOT Suite
ShinoBOT SuiteShinoBOT Suite
ShinoBOT Suite
Shota Shinogi
 
Defcon 22-adrian-crenshaw-dropping-docs-on-darknets-how-peop
Defcon 22-adrian-crenshaw-dropping-docs-on-darknets-how-peopDefcon 22-adrian-crenshaw-dropping-docs-on-darknets-how-peop
Defcon 22-adrian-crenshaw-dropping-docs-on-darknets-how-peop
Priyanka Aash
 
50 Shades of Fuzzing by Peter Hlavaty & Marco Grassi
50 Shades of Fuzzing by Peter Hlavaty & Marco Grassi50 Shades of Fuzzing by Peter Hlavaty & Marco Grassi
50 Shades of Fuzzing by Peter Hlavaty & Marco Grassi
Shakacon
 
Android Application Security
Android Application SecurityAndroid Application Security
Android Application Security
Chong-Kuan Chen
 
Malware collection and analysis
Malware collection and analysisMalware collection and analysis
Malware collection and analysis
Chong-Kuan Chen
 
OFFENSIVE: Exploiting DNS servers changes BlackHat Asia 2014
OFFENSIVE: Exploiting DNS servers changes BlackHat Asia 2014OFFENSIVE: Exploiting DNS servers changes BlackHat Asia 2014
OFFENSIVE: Exploiting DNS servers changes BlackHat Asia 2014
Leonardo Nve Egea
 
Defcon 22-deviant-ollam-and-howard-payne-elevator hacking-fr
Defcon 22-deviant-ollam-and-howard-payne-elevator hacking-frDefcon 22-deviant-ollam-and-howard-payne-elevator hacking-fr
Defcon 22-deviant-ollam-and-howard-payne-elevator hacking-fr
Priyanka Aash
 
Defcon 22-alex zacharis-nikolaos-tsagkarakis-po s-attacking-t
Defcon 22-alex zacharis-nikolaos-tsagkarakis-po s-attacking-tDefcon 22-alex zacharis-nikolaos-tsagkarakis-po s-attacking-t
Defcon 22-alex zacharis-nikolaos-tsagkarakis-po s-attacking-t
Priyanka Aash
 

Weitere ähnliche Inhalte

Was ist angesagt?

DEFCON 22: Bypass firewalls, application white lists, secure remote desktops ...
DEFCON 22: Bypass firewalls, application white lists, secure remote desktops ...DEFCON 22: Bypass firewalls, application white lists, secure remote desktops ...
DEFCON 22: Bypass firewalls, application white lists, secure remote desktops ...
Zoltan Balazs
 
Outlook and Exchange for the bad guys
Outlook and Exchange for the bad guysOutlook and Exchange for the bad guys
Outlook and Exchange for the bad guys
Nick Landers
 
BlueHat v18 || The matrix has you - protecting linux using deception
BlueHat v18 || The matrix has you - protecting linux using deceptionBlueHat v18 || The matrix has you - protecting linux using deception
BlueHat v18 || The matrix has you - protecting linux using deception
BlueHat Security Conference
 
CSW2017 Yuhao song+Huimingliu cyber_wmd_vulnerable_IoT
CSW2017 Yuhao song+Huimingliu cyber_wmd_vulnerable_IoTCSW2017 Yuhao song+Huimingliu cyber_wmd_vulnerable_IoT
CSW2017 Yuhao song+Huimingliu cyber_wmd_vulnerable_IoT
CanSecWest
 
2012 S&P Paper Reading Session1
2012 S&P Paper Reading Session12012 S&P Paper Reading Session1
2012 S&P Paper Reading Session1
Chong-Kuan Chen
 
Csw2017 bazhaniuk exploring_yoursystemdeeper_updated
Csw2017 bazhaniuk exploring_yoursystemdeeper_updatedCsw2017 bazhaniuk exploring_yoursystemdeeper_updated
Csw2017 bazhaniuk exploring_yoursystemdeeper_updated
CanSecWest
 
Pursue the Attackers – Identify and Investigate Lateral Movement Based on Beh...
Pursue the Attackers – Identify and Investigate Lateral Movement Based on Beh...Pursue the Attackers – Identify and Investigate Lateral Movement Based on Beh...
Pursue the Attackers – Identify and Investigate Lateral Movement Based on Beh...
CODE BLUE
 
50 Shades of Fuzzing by Peter Hlavaty & Marco Grassi
50 Shades of Fuzzing by Peter Hlavaty & Marco Grassi50 Shades of Fuzzing by Peter Hlavaty & Marco Grassi
50 Shades of Fuzzing by Peter Hlavaty & Marco Grassi
Shakacon
 
Malware collection and analysis
Malware collection and analysisMalware collection and analysis
Malware collection and analysis
Chong-Kuan Chen
 

Was ist angesagt? (20)

DEFCON 22: Bypass firewalls, application white lists, secure remote desktops ...
DEFCON 22: Bypass firewalls, application white lists, secure remote desktops ...DEFCON 22: Bypass firewalls, application white lists, secure remote desktops ...
DEFCON 22: Bypass firewalls, application white lists, secure remote desktops ...
 
Outlook and Exchange for the bad guys
Outlook and Exchange for the bad guysOutlook and Exchange for the bad guys
Outlook and Exchange for the bad guys
 
Security events in 2014
Security events in 2014Security events in 2014
Security events in 2014
 
Internal Pentest: from z3r0 to h3r0
Internal Pentest: from z3r0 to h3r0Internal Pentest: from z3r0 to h3r0
Internal Pentest: from z3r0 to h3r0
 
BlueHat v18 || The matrix has you - protecting linux using deception
BlueHat v18 || The matrix has you - protecting linux using deceptionBlueHat v18 || The matrix has you - protecting linux using deception
BlueHat v18 || The matrix has you - protecting linux using deception
 
Csw2016 wang docker_escapetechnology
Csw2016 wang docker_escapetechnologyCsw2016 wang docker_escapetechnology
Csw2016 wang docker_escapetechnology
 
CSW2017 Yuhao song+Huimingliu cyber_wmd_vulnerable_IoT
CSW2017 Yuhao song+Huimingliu cyber_wmd_vulnerable_IoTCSW2017 Yuhao song+Huimingliu cyber_wmd_vulnerable_IoT
CSW2017 Yuhao song+Huimingliu cyber_wmd_vulnerable_IoT
 
Hot potato Privilege Escalation
Hot potato Privilege EscalationHot potato Privilege Escalation
Hot potato Privilege Escalation
 
Kali tools list with short description
Kali tools list with short descriptionKali tools list with short description
Kali tools list with short description
 
2012 S&P Paper Reading Session1
2012 S&P Paper Reading Session12012 S&P Paper Reading Session1
2012 S&P Paper Reading Session1
 
Csw2017 bazhaniuk exploring_yoursystemdeeper_updated
Csw2017 bazhaniuk exploring_yoursystemdeeper_updatedCsw2017 bazhaniuk exploring_yoursystemdeeper_updated
Csw2017 bazhaniuk exploring_yoursystemdeeper_updated
 
Freeware Security Tools You Need
Freeware Security Tools You NeedFreeware Security Tools You Need
Freeware Security Tools You Need
 
Pursue the Attackers – Identify and Investigate Lateral Movement Based on Beh...
Pursue the Attackers – Identify and Investigate Lateral Movement Based on Beh...Pursue the Attackers – Identify and Investigate Lateral Movement Based on Beh...
Pursue the Attackers – Identify and Investigate Lateral Movement Based on Beh...
 
Addios!
Addios!Addios!
Addios!
 
ShinoBOT Suite
ShinoBOT SuiteShinoBOT Suite
ShinoBOT Suite
 
Defcon 22-adrian-crenshaw-dropping-docs-on-darknets-how-peop
Defcon 22-adrian-crenshaw-dropping-docs-on-darknets-how-peopDefcon 22-adrian-crenshaw-dropping-docs-on-darknets-how-peop
Defcon 22-adrian-crenshaw-dropping-docs-on-darknets-how-peop
 
50 Shades of Fuzzing by Peter Hlavaty & Marco Grassi
50 Shades of Fuzzing by Peter Hlavaty & Marco Grassi50 Shades of Fuzzing by Peter Hlavaty & Marco Grassi
50 Shades of Fuzzing by Peter Hlavaty & Marco Grassi
 
Android Application Security
Android Application SecurityAndroid Application Security
Android Application Security
 
Malware collection and analysis
Malware collection and analysisMalware collection and analysis
Malware collection and analysis
 
OFFENSIVE: Exploiting DNS servers changes BlackHat Asia 2014
OFFENSIVE: Exploiting DNS servers changes BlackHat Asia 2014OFFENSIVE: Exploiting DNS servers changes BlackHat Asia 2014
OFFENSIVE: Exploiting DNS servers changes BlackHat Asia 2014
 

Andere mochten auch

Defcon 22-fatih-ozavci-vo ip-wars-attack-of-the-cisco-phones
Defcon 22-fatih-ozavci-vo ip-wars-attack-of-the-cisco-phonesDefcon 22-fatih-ozavci-vo ip-wars-attack-of-the-cisco-phones
Defcon 22-fatih-ozavci-vo ip-wars-attack-of-the-cisco-phones
Priyanka Aash
 
Defcon 22-david-wyde-client-side-http-cookie-security
Defcon 22-david-wyde-client-side-http-cookie-securityDefcon 22-david-wyde-client-side-http-cookie-security
Defcon 22-david-wyde-client-side-http-cookie-security
Priyanka Aash
 

Andere mochten auch (10)

Defcon 22-deviant-ollam-and-howard-payne-elevator hacking-fr
Defcon 22-deviant-ollam-and-howard-payne-elevator hacking-frDefcon 22-deviant-ollam-and-howard-payne-elevator hacking-fr
Defcon 22-deviant-ollam-and-howard-payne-elevator hacking-fr
 
Defcon 22-alex zacharis-nikolaos-tsagkarakis-po s-attacking-t
Defcon 22-alex zacharis-nikolaos-tsagkarakis-po s-attacking-tDefcon 22-alex zacharis-nikolaos-tsagkarakis-po s-attacking-t
Defcon 22-alex zacharis-nikolaos-tsagkarakis-po s-attacking-t
 
Defcon 22-phil-polstra-cyber-hijacking-airplanes-truth-or-fi
Defcon 22-phil-polstra-cyber-hijacking-airplanes-truth-or-fiDefcon 22-phil-polstra-cyber-hijacking-airplanes-truth-or-fi
Defcon 22-phil-polstra-cyber-hijacking-airplanes-truth-or-fi
 
Network Forensics and Practical Packet Analysis
Network Forensics and Practical Packet AnalysisNetwork Forensics and Practical Packet Analysis
Network Forensics and Practical Packet Analysis
 
Defcon 22-fatih-ozavci-vo ip-wars-attack-of-the-cisco-phones
Defcon 22-fatih-ozavci-vo ip-wars-attack-of-the-cisco-phonesDefcon 22-fatih-ozavci-vo ip-wars-attack-of-the-cisco-phones
Defcon 22-fatih-ozavci-vo ip-wars-attack-of-the-cisco-phones
 
Risk Analysis using open FAIR and Adoption of right Security Controls
Risk Analysis using open FAIR and Adoption of right Security ControlsRisk Analysis using open FAIR and Adoption of right Security Controls
Risk Analysis using open FAIR and Adoption of right Security Controls
 
Practical Applications of Block Chain Technologies
Practical Applications of Block Chain Technologies Practical Applications of Block Chain Technologies
Practical Applications of Block Chain Technologies
 
Defcon 22-david-wyde-client-side-http-cookie-security
Defcon 22-david-wyde-client-side-http-cookie-securityDefcon 22-david-wyde-client-side-http-cookie-security
Defcon 22-david-wyde-client-side-http-cookie-security
 
Defcon 22-metacortex-grifter-darkside-of-the-internet
Defcon 22-metacortex-grifter-darkside-of-the-internetDefcon 22-metacortex-grifter-darkside-of-the-internet
Defcon 22-metacortex-grifter-darkside-of-the-internet
 
Defcon 22-nir-valtman-a-journey-to-protect-pos
Defcon 22-nir-valtman-a-journey-to-protect-posDefcon 22-nir-valtman-a-journey-to-protect-pos
Defcon 22-nir-valtman-a-journey-to-protect-pos
 

Ähnlich wie Defcon 22-jesus-molina-learn-how-to-control-every-room

Alexander Bolshev, Alexander Malinovsky - HART (in)security
Alexander Bolshev, Alexander Malinovsky - HART (in)securityAlexander Bolshev, Alexander Malinovsky - HART (in)security
Alexander Bolshev, Alexander Malinovsky - HART (in)security
DefconRussia
 
Defcon 2011 - Penetration Testing Over Powerlines
Defcon 2011 - Penetration Testing Over PowerlinesDefcon 2011 - Penetration Testing Over Powerlines
Defcon 2011 - Penetration Testing Over Powerlines
Michael Smith
 
Breaking Smart Speakers: We are Listening to You.
Breaking Smart Speakers: We are Listening to You.Breaking Smart Speakers: We are Listening to You.
Breaking Smart Speakers: We are Listening to You.
Priyanka Aash
 
6a52807edaf99ecbfafb8ecf2439b542b3623dea-1647242881015.pdf
6a52807edaf99ecbfafb8ecf2439b542b3623dea-1647242881015.pdf6a52807edaf99ecbfafb8ecf2439b542b3623dea-1647242881015.pdf
6a52807edaf99ecbfafb8ecf2439b542b3623dea-1647242881015.pdf
SILVIUSyt
 
WIFI MODEM Part-22
WIFI MODEM Part-22WIFI MODEM Part-22
WIFI MODEM Part-22
Techvilla
 

Ähnlich wie Defcon 22-jesus-molina-learn-how-to-control-every-room (20)

chapter 4.pptx
chapter 4.pptxchapter 4.pptx
chapter 4.pptx
 
33c3 - 2G and 3G intercom attacks
33c3 - 2G and 3G intercom attacks33c3 - 2G and 3G intercom attacks
33c3 - 2G and 3G intercom attacks
 
Alexander Bolshev, Alexander Malinovsky - HART (in)security
Alexander Bolshev, Alexander Malinovsky - HART (in)securityAlexander Bolshev, Alexander Malinovsky - HART (in)security
Alexander Bolshev, Alexander Malinovsky - HART (in)security
 
DDoS Attack on DNS using infected IoT Devices
DDoS Attack on DNS using infected IoT DevicesDDoS Attack on DNS using infected IoT Devices
DDoS Attack on DNS using infected IoT Devices
 
Ethernet basics
Ethernet basicsEthernet basics
Ethernet basics
 
CCNA 200-120 Exam Quick Notes
CCNA 200-120 Exam Quick NotesCCNA 200-120 Exam Quick Notes
CCNA 200-120 Exam Quick Notes
 
Defcon 2011 - Penetration Testing Over Powerlines
Defcon 2011 - Penetration Testing Over PowerlinesDefcon 2011 - Penetration Testing Over Powerlines
Defcon 2011 - Penetration Testing Over Powerlines
 
Republic of IoT 2018 - ESPectro32 and NB-IoT Workshop
Republic of IoT 2018 - ESPectro32 and NB-IoT WorkshopRepublic of IoT 2018 - ESPectro32 and NB-IoT Workshop
Republic of IoT 2018 - ESPectro32 and NB-IoT Workshop
 
Internet of Things, Mobility & .Net Micro Framework SydMobNet March 2014
Internet of Things, Mobility & .Net Micro Framework SydMobNet March 2014Internet of Things, Mobility & .Net Micro Framework SydMobNet March 2014
Internet of Things, Mobility & .Net Micro Framework SydMobNet March 2014
 
Breaking Smart Speakers: We are Listening to You.
Breaking Smart Speakers: We are Listening to You.Breaking Smart Speakers: We are Listening to You.
Breaking Smart Speakers: We are Listening to You.
 
SIGFOX Makers Tour - Barcelona
SIGFOX Makers Tour - BarcelonaSIGFOX Makers Tour - Barcelona
SIGFOX Makers Tour - Barcelona
 
Intercoms presentation OSSIR - IoT Hacking
Intercoms presentation OSSIR - IoT HackingIntercoms presentation OSSIR - IoT Hacking
Intercoms presentation OSSIR - IoT Hacking
 
6a52807edaf99ecbfafb8ecf2439b542b3623dea-1647242881015.pdf
6a52807edaf99ecbfafb8ecf2439b542b3623dea-1647242881015.pdf6a52807edaf99ecbfafb8ecf2439b542b3623dea-1647242881015.pdf
6a52807edaf99ecbfafb8ecf2439b542b3623dea-1647242881015.pdf
 
WIFI MODEM Part-22
WIFI MODEM Part-22WIFI MODEM Part-22
WIFI MODEM Part-22
 
Addressing in networking (IP,MAC,Port addressing)
Addressing in networking (IP,MAC,Port addressing)Addressing in networking (IP,MAC,Port addressing)
Addressing in networking (IP,MAC,Port addressing)
 
Ride the Light
Ride the LightRide the Light
Ride the Light
 
Project report
Project reportProject report
Project report
 
Project report
Project reportProject report
Project report
 
Abusing Interrupts for Reliable Windows Kernel Exploitation (en)
Abusing Interrupts for Reliable Windows Kernel Exploitation (en)Abusing Interrupts for Reliable Windows Kernel Exploitation (en)
Abusing Interrupts for Reliable Windows Kernel Exploitation (en)
 
Zip Line New Product Sales Training Jan 31 2012
Zip Line New Product Sales Training Jan 31 2012Zip Line New Product Sales Training Jan 31 2012
Zip Line New Product Sales Training Jan 31 2012
 

Mehr von Priyanka Aash

Ethical Hacking
Ethical HackingEthical Hacking
Ethical Hacking
Priyanka Aash
 

Mehr von Priyanka Aash (20)

Digital Personal Data Protection (DPDP) Practical Approach For CISOs
Digital Personal Data Protection (DPDP) Practical Approach For CISOsDigital Personal Data Protection (DPDP) Practical Approach For CISOs
Digital Personal Data Protection (DPDP) Practical Approach For CISOs
 
Verizon Breach Investigation Report (VBIR).pdf
Verizon Breach Investigation Report (VBIR).pdfVerizon Breach Investigation Report (VBIR).pdf
Verizon Breach Investigation Report (VBIR).pdf
 
Top 10 Security Risks .pptx.pdf
Top 10 Security Risks .pptx.pdfTop 10 Security Risks .pptx.pdf
Top 10 Security Risks .pptx.pdf
 
Simplifying data privacy and protection.pdf
Simplifying data privacy and protection.pdfSimplifying data privacy and protection.pdf
Simplifying data privacy and protection.pdf
 
Generative AI and Security (1).pptx.pdf
Generative AI and Security (1).pptx.pdfGenerative AI and Security (1).pptx.pdf
Generative AI and Security (1).pptx.pdf
 
EVERY ATTACK INVOLVES EXPLOITATION OF A WEAKNESS.pdf
EVERY ATTACK INVOLVES EXPLOITATION OF A WEAKNESS.pdfEVERY ATTACK INVOLVES EXPLOITATION OF A WEAKNESS.pdf
EVERY ATTACK INVOLVES EXPLOITATION OF A WEAKNESS.pdf
 
DPDP Act 2023.pdf
DPDP Act 2023.pdfDPDP Act 2023.pdf
DPDP Act 2023.pdf
 
Cyber Truths_Are you Prepared version 1.1.pptx.pdf
Cyber Truths_Are you Prepared version 1.1.pptx.pdfCyber Truths_Are you Prepared version 1.1.pptx.pdf
Cyber Truths_Are you Prepared version 1.1.pptx.pdf
 
Cyber Crisis Management.pdf
Cyber Crisis Management.pdfCyber Crisis Management.pdf
Cyber Crisis Management.pdf
 
CISOPlatform journey.pptx.pdf
CISOPlatform journey.pptx.pdfCISOPlatform journey.pptx.pdf
CISOPlatform journey.pptx.pdf
 
Chennai Chapter.pptx.pdf
Chennai Chapter.pptx.pdfChennai Chapter.pptx.pdf
Chennai Chapter.pptx.pdf
 
Cloud attack vectors_Moshe.pdf
Cloud attack vectors_Moshe.pdfCloud attack vectors_Moshe.pdf
Cloud attack vectors_Moshe.pdf
 
Stories From The Web 3 Battlefield
Stories From The Web 3 BattlefieldStories From The Web 3 Battlefield
Stories From The Web 3 Battlefield
 
Lessons Learned From Ransomware Attacks
Lessons Learned From Ransomware AttacksLessons Learned From Ransomware Attacks
Lessons Learned From Ransomware Attacks
 
Emerging New Threats And Top CISO Priorities In 2022 (Chennai)
Emerging New Threats And Top CISO Priorities In 2022 (Chennai)Emerging New Threats And Top CISO Priorities In 2022 (Chennai)
Emerging New Threats And Top CISO Priorities In 2022 (Chennai)
 
Emerging New Threats And Top CISO Priorities In 2022 (Mumbai)
Emerging New Threats And Top CISO Priorities In 2022 (Mumbai)Emerging New Threats And Top CISO Priorities In 2022 (Mumbai)
Emerging New Threats And Top CISO Priorities In 2022 (Mumbai)
 
Emerging New Threats And Top CISO Priorities in 2022 (Bangalore)
Emerging New Threats And Top CISO Priorities in 2022 (Bangalore)Emerging New Threats And Top CISO Priorities in 2022 (Bangalore)
Emerging New Threats And Top CISO Priorities in 2022 (Bangalore)
 
Cloud Security: Limitations of Cloud Security Groups and Flow Logs
Cloud Security: Limitations of Cloud Security Groups and Flow LogsCloud Security: Limitations of Cloud Security Groups and Flow Logs
Cloud Security: Limitations of Cloud Security Groups and Flow Logs
 
Cyber Security Governance
Cyber Security GovernanceCyber Security Governance
Cyber Security Governance
 
Ethical Hacking
Ethical HackingEthical Hacking
Ethical Hacking
 

Kürzlich hochgeladen

DEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
DEV meet-up UiPath Document Understanding May 7 2024 AmsterdamDEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
DEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
UiPathCommunity
 
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdfRising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
Orbitshub
 
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Orbitshub
 
Ransomware_Q4_2023. The report. [EN].pdf
Ransomware_Q4_2023. The report. [EN].pdfRansomware_Q4_2023. The report. [EN].pdf
Ransomware_Q4_2023. The report. [EN].pdf
Overkill Security
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
sammart93
 
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc
 

Kürzlich hochgeladen (20)

Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
 
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
 
DEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
DEV meet-up UiPath Document Understanding May 7 2024 AmsterdamDEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
DEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
 
CNIC Information System with Pakdata Cf In Pakistan
CNIC Information System with Pakdata Cf In PakistanCNIC Information System with Pakdata Cf In Pakistan
CNIC Information System with Pakdata Cf In Pakistan
 
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdfRising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
 
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
 
ICT role in 21st century education and its challenges
ICT role in 21st century education and its challengesICT role in 21st century education and its challenges
ICT role in 21st century education and its challenges
 
MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024
 
Ransomware_Q4_2023. The report. [EN].pdf
Ransomware_Q4_2023. The report. [EN].pdfRansomware_Q4_2023. The report. [EN].pdf
Ransomware_Q4_2023. The report. [EN].pdf
 
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...
 
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin WoodPolkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
 
Spring Boot vs Quarkus the ultimate battle - DevoxxUK
Spring Boot vs Quarkus the ultimate battle - DevoxxUKSpring Boot vs Quarkus the ultimate battle - DevoxxUK
Spring Boot vs Quarkus the ultimate battle - DevoxxUK
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processors
 
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost SavingRepurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
 
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
 
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...
 
Corporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptxCorporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptx
 

Defcon 22-jesus-molina-learn-how-to-control-every-room

  • 1. LEARN HOW TO CONTROL EVERY ROOM AT A LUXURY HOTEL REMOTELY: THE DANGERS OF INSECURE HOME AUTOMATION DEPLOYMENT Jesus Molina @verifythentrust security@nomeames.com
  • 3. The Italian Job • Seth Green takes control of all kind of public transit so the mini-coopers can run free • “all  I did was come up with my own... kick ass algorithm to sneak in, and now we own the place”
  • 4. Jurassic Park • Electric fences go off, dinosaurs escape wrecking havoc. But the hacker teen fixes it later • “It’s  a  UNIX  system”
  • 5. Hack Hard • Cheap remake of Die Hard, but the hero is a hacker defeating the terrorists by taking over control of every appliance in a Chinese luxury hotel • “It’s  a  KNX  system!  Let  me   google  this”
  • 6. THE ST. REGIS SHENZHEN
  • 8.
  • 9.
  • 10. Hollywood movies vs. Art House movies • In Hollywood movies the hacker does all the job in a mere 5 sequences • In art house movies it takes a little longer.
  • 11. Step1: Reckon • The iPad uses the guest network
  • 12. Step1: Reckon • The hero needs to understand the protocol. Using ultra high tech technology intercepts communication between iPad and devices
  • 13. Step 2: Reverse Engineer the protocol • What is this? • UDP packets flying left and right • No idea, but connects to port 3671
  • 14. Step 2: Reverse Engineer the protocol • Use advanced machine learning techniques to discover the communication protocol
  • 15. KNX INTERLUDE This is the part with frames of the hero reading his Kindle and researching the internets
  • 16. Step 2: Reverse Engineer the protocol • KNX! And a fancy plugin for wireshark • So what is KNX? • According  to  their  webpage,  KNX  is  “the  world´s only open Standard for the control in both commercial and  residential  buildings".  It  goes  on  by  saying  “KNX   is therefore future proof” • This communication protocol is KNX/IP, or KNX over IP
  • 18. /* TUNNELLING_REQUEST */ /* Header (6 Bytes) */ treq[0] = 0x06; /* 06 - Header Length */ treq[1] = 0x10; /* 10 - KNXnet version (1.0) */ treq[2] = 0x04; /* 04 - hi-byte Service type descriptor (TUNNELLING_REQUEST) */ treq[3] = 0x20; /* 20 - lo-byte Service type descriptor (TUNNELLING_REQUEST) */ treq[4] = 0x00; /* 00 - hi-byte total length */ treq[5] = 0x15; /* 15 - lo-byte total lengt 21 bytes */ /* Connection Header (4 Bytes) */ treq[6] = 0x04; /* 04 - Structure length */ treq[7] = iChannelID & 0xff; /* given channel id */ treq[8] = 0x00; /* sequence counter, zero if you send one tunnelling request only at this session, otherwise count ++ */ treq[9] = 0x00; /* 00 - Reserved */ /* cEMI-Frame (11 Bytes) */ treq[10] = 0x11; /* message code, 11: Data Service transmitting */ treq[11] = 0x00; /* add. info length ( bytes) */ treq[12] = 0xbc; /* control byte */ treq[13] = 0xe0; /* DRL byte */ treq[14] = 0x00; /* hi-byte source individual address */ treq[15] = 0x00; /* lo-byte source (replace throw IP-Gateway) */ treq[16] = (destaddr >> 8) & 0xff; /* hi-byte destination address (20: group address) 4/0/0: (4*2048) + (0*256) + (0*1) = 8192 = 20 00 */ treq[17] = destaddr & 0xff; /* lo-Byte destination */ treq[18] = 0x01; /* 01 data byte following */ treq[19] = 0x00; /* tpdu */ treq[20] = 0x81; /* 81: switch on, 80: off */ A cEMI frame* to make a lightbulb go *According to http://www.eb-systeme.de/ Address Action
  • 19. KNX/IP Network • Addresses are in the format A/B/C • Every room accessed by an IP address • Every room has a unique KNX subnet A/B • The last digit (C) is the appliance address, identical for each room • If room 7773 is on subnet 1/5 and the TV adress is 30, the you need to send to addres 1/5/30
  • 20.
  • 21. KNX/IP security This slide is intentionally left blank
  • 22. INTERLUDE ENDS Hero switches off his kindle. He understands the protocol and moves to the next step
  • 23. Step 3: Get the attack ingredients • An attacker only needs four elements • A tool to send the KNX/IP frames – Code the protocol or check the internet: eibd • A library of IP addresses for each KNX/IP router and corresponding room number – Change rooms or listen to other rooms • A library of KNX addresses for each room and for every device in the room – Press each button on the iPad app • A library of actions and action payload for each device – Press each button on the iPad app
  • 24. Step 3: Get the attack ingredients • Look for patterns using cutting edge technology
  • 25. Step 3: Get the attack ingredients • The KNX/IP addresses of every room were simple to guess. The KNX subnets for the rooms where simple too • The actions and device address in each room were identical • The DND lights and make up room light had another address space dedicated to them in each floor
  • 26. Step 4: Perform the attack Switching on every TV in the hotel For each [KNX_room, IP] For each [KNX_item,TV_action,TV_payload] KNXtunnel KNX_room/KNX_item TV_action TV_payload IP& DONE – be happy about it
  • 27. Step 5: External Attack • You  said  “Remotely” • Attacker must be on the hotel network (Open) • Several options – A  “repeater”  inside  or  outside  the  hotel:  Big   antenna and a bridge – iPad trojan: Use the iPad to connect to the internet periodically
  • 28. Mitigation and Solutions • iPad, network and KNX do not provide any security alternatives • A possible solution is to create a tunnel between iPad and router with mutual authentication • KNX released recently a new set of specification, but the closed nature of the protocol make it impossible to check it (for me)
  • 29. Aftermath • The hotel took the system off-line • Security researchers, leaders in the automation market and members of the hotel industry need to start conversations to provide guest with reasonable protection standards while enjoying home automation
  • 30. HARD HACK II • Guess where it will be located? Hint: The director like the Die Hard series