I am Dror Shalev, from the SmartDefense Research Center in Israel. In English: I need to phrase things in all sorts of ways, so I have to ask you to look at this, and hopefully the talk will be good and the demo will be good. Okay, let's do it.

So, what we are talking about today: we'll do some kind of small introduction, we'll talk about trust, technology and new privacy issues raised by technology, and we'll chat a little bit, an overview, about home networking and privacy. I will give you the steps to make a crazy toaster like I did here. We'll do a small demonstration; I hope it will not crash, because it's a live network, so this is a very dangerous network to go on. If it won't work you have to forgive me; it worked this morning. I will chat a little bit about side effects of this research, like Windows, SSDP, distributed denial of service. We'll not show zero days or stuff here, but I will try to make a small demonstration of the denial of service. And we'll talk about some to-do, some extended ideas about home networking and about cool devices. After that we'll give some respect to the people that helped me and whose way I went on, and then we'll leave some time for a Q&A.

Okay, from the beginning: it's dangerous. So I stole those pictures from guys called HacktheToaster.com; they have very cool ideas over there, and it can be dangerous. So the mission of this research was to make world domination via a single UDP packet. This mission failed.

Okay, so I heard some guy from Google, some smart guy from Google, talk about trust and about privacy and about taking care of all kinds of stuff with technology, and he said: do we care if our home devices see us naked? You wake up in the morning, go grab a coffee or something, and you're naked on the way to the kitchen; do you care or not? So I think that we need to care. I think that home devices can turn against us and spy on our network. I think that privacy and trust issues are raised by new technologies and new hardware and cool devices. If we look at some devices that support SSDP and UPnP, we can check cell phones like Nokia phones; we have some cool devices like clocks, internet radio, Windows Media Player 11, Xbox and some DVDs, cool stuff. So this cool stuff raised new tricks and new issues, and I want to chat about them today.

So, common privacy issues: technology is about to replace the trust model we use today. People get confused between people that know things and machines that know things. Do we care if Google machines know that we would like to pay for porn? Can this information be given to a human? Usually we don't trust a human to deal with this information. Should we trust corporates? Should we trust hardware windows and software windows? Home devices in XP and Windows Vista have some kind of new component. You can see in the lower button, the lower side of the screen, some kind of icon: when we use devices that are internet enabled, the Windows box and the Vista box have support for those devices. We'll not chat about peer-to-peer networking, but this is part of the home networking in Vista, and there are network appliances and wireless devices. The UPnP architecture is a very cool architecture; we'll mention a little bit about it, we'll do some kind of overview of the distributed UPnP architecture based on TCP, UDP and HTTP. We'll not mention the IPv6 vector that reintroduces old exploits that were already fixed in IPv4, like the LAND attack last year, and we'll talk about security exploits and early threats in those protocols, and we'll give respect to the people that found them.

In new Vista there is better support for device discovery, so you can see that devices and software can be easily discovered. The protocols behind it are NetBIOS, UPnP, SSDP and some other protocols that I don't really know about. Okay, in Vista there is the peer-to-peer networking, the People Near Me feature, network discovery and media sharing. So if you can see in my slides over there, as I just mentioned, I will just show the network discovery and the media sharing feature in Vista. And if we are talking about the device scenario, we are talking about the smart home, about computers all over: in the kitchen, living room, master bedroom, garage, I don't know where. When we look at the new Vista interface we have, under the network neighborhood or the network discovery, a place for the old computer that we use; you can see it on the lower left corner. We have some media sharing feature, it's the second one from the left, and we have some fake devices that we can add, like the remote UI client, the crazy toaster and the fake Intel access point. So this is the presentation page, and this is when someone wrote his device description; you can choose whatever you like to put inside over there.

When we are talking about home networking, each one of those devices can be owned: a PC in the LAN, it can be a web page with a virus, it can be a media center, VoIP devices, wireless access points, cell phones, any appliance or a crazy toaster like I did here today. So each one of them can be owned and can be a target for hackers inside our local network. We'll use wireless connectivity to advertise ourselves and show our stuff over there.

When we are talking about the UPnP architecture, we are talking about a very cool architecture. It was made by a couple of vendors; Microsoft was one of them, not the leader one. But it's internet-based technology; it's built on TCP/IP, UDP, HTTP, XML and other technologies as well. The UPnP support in XP is divided into two parts: the SSDP, simple search discovery protocol, is a service that is enabled by default, and the UPnP that shows the presentation and talks with the devices is not enabled by default. So we have a listening port on port 180,000 221; I will show it to you written down later. So we have the support for internet gateway device discovery, and we have support for a couple of components inside, but not all of the picture is ready yet; that was changed on Vista. On an XP installation we can find our device, we can install it under the network services. We have default support for internet gateway devices.

If you look at the graph over there we have four steps, four steps when we add our device to the network. The device joins the network, advertising its presence by doing a multicast. The control point, so the control point in our case is the XP system, asks the device for the device description; it's an XML-based technology. The device gives the service description that the device is supporting, and then the computer, the control point, invokes methods and starts to control the device itself.

Some early threats that were found in the SSDP and UPnP stuff: part of them were found in the XP boxes, like the previous one, the first one; part of them were found in the device itself. Lots of research was made by eEye; they are very cool guys, they did lots of crazy stuff in lots of protocols, so they have got the respect over there. We see vulnerabilities in devices like appliances, routers and stuff. Part of the exploits were buffer overflows, part of them were some logical bugs that allow opening ports and getting the username and password of ADSL stuff, and part of them were DCE RPC. The major one was DCE RPC, found by iDefense and a couple more people; it was a DCE RPC interface for the UPnP, and it wasn't like broadcasting stuff, but it's the same stuff. The last one was found by Michael Lynn; it wasn't on the Microsoft, it was on the OS Bonjour, so it's very similar to SSDP and UPnP but it works over DNS, but it's the same stuff over there and it does the same.

So let's talk about steps to create a Crazy Toaster Trojan. When we started this research we looked for open services in XP and we found SSDP and the UPnP that is related to SSDP, and we realized that not only routers, media players and servers and other cool stuff can connect to the network, but also that it can be used by the attackers. A scenario of a Crazy Toaster, a Trojan device or software with TCP/IP capabilities like a router, media player, access point, that joins the local network is possible, and it starts to do hacking inside the local LAN. If you look at the picture over here we can see how I can present my stuff in My Network Places, and when the user goes and does a right click on Properties, you can see I can write whatever I want: I can put myself as a fake Intel access point. There is no real SSL certificate or something that verifies my true identity.

So, steps to create a Crazy Toaster: what you need to build your own Toaster, the needed ingredients. So you need a Toaster; okay, you don't have to, but you need a Toaster. You need hardware; you can use any hardware or none. You need software; I chose, because I'm very lazy, I chose a stack vendor sample from Intel. There are a couple of them, but I was very lazy, I took the Intel one; it's cross-platform, it's very cool, and you just need to take it and run your stuff. Also you need network access to the victim network; it can be a worm victim. We will use multicast to broadcast our presence inside the network, and we will use some social engineering and physical, or physical access, so I can be part of the network, or I can just take my Toaster and put it near the window of the guy, not even inside the home, and just use the wireless network.

The Intel SSDP and UPnP SDK is very cool. They have three layers: there is the client or service application, this is the application that I wrote; in this case I just put some browser exploits over there, and I put it inside a web server and I did forwarding to a third-party website and ran my code from there. We have the SDK layer from Intel that gives us the web server, the HTTP, SSDP support, GENA, SOAP and XML parsers over there, so they give us everything we need to run our stuff. But we also need some kind of TCP stack given by the operating system.

Some problems of this cool project: so we had the heat problem. Okay, if someone turns off the toaster, the computer or the hardware inside can melt. I wasn't able to solve this problem, the heat problem. We had some Linux to Nokia IPSO porting issues; I wanted to bring cool software or cool hardware to plug into the toaster, and I had to rewrite everything, like all the TCP/IP stuff, the socket stuff, to run on the cool Nokia IPSO. In Check Point we use the Nokia IPSO to run our firewall over there, so they didn't like the idea that I would like to present a Trojan on the same hardware, but it was a cool one. And the last one, we had the shipping problem: how can I bring my toaster with all that stuff here, how can I go through customs? I didn't want to go to Guantanamo Bay instead of coming to Las Vegas, so we had to FedEx everything.

Okay, our crazy toaster will advertise its presence on the victim's local network. We will use the discovery process; we will use HTTPU, it's HTTP over UDP. We'll do UDP multicast to all of the network, so I don't really need to know about the victim's network. The multicast is to this strange address; because I'm very nervous I can't really pronounce all the numbers over there, but it goes to this port that is already listening in XP and on Vista. We'll send a couple of packets, multicast packets over UDP. We'll do some social engineering: we declare ourselves as some standard computer equipment or kitchen appliance, and we can choose whatever we like to do, and then we'll wait for the victim, for the LAN user, to come and click our icon under the network neighborhood place.

The presentation web server: I had lots of thinking about what I should present. Should I try to steal his Gmail contacts? Should I read his local... I'm talking about the victim. Should I read his inbox? Should I write a Trojan? Should I do, like, I don't know, read stuff, kill stuff? And I decided to go and use some known techniques and exploits from the wild: it's the MPack toolkit. It was on the news like one month before; the tool was written by Russian people, PHP scripts, a very easy one. It's a toolkit to allow people to install their own Trojan using unpatched vulnerabilities. I come from Israel, okay; we are a single-CD country, we have one XP installation in all of Israel, so not all of us get patches. And the toaster, the MPack, the toaster will be used just as a pipe to bring traffic from a third-party website; it will retrieve the attack payload from the remote host and then we'll run it from the local LAN.

Okay, you can see some stuff that was needed for this crazy toaster. So I bought like a 15 bucks toaster oven. I took the Nokia hardware on the left, but I didn't use it after all the porting stuff; I took a regular Pentium 3 PC and I plugged it in over here. Also you need bread. In this demonstration I will run the crazy toaster: we'll do the discovery process, we'll do the presentation, we'll do the social engineering, and I will show you the browser exploits. If we have time, and I think that we will have time because I'm running, if we have time I will open the source code of the JavaScript attack; this is a multi-platform attack that uses known techniques: when someone comes to the website, the site sends him to the right page to run its code over there. We'll not use the IPSO hardware, and I use the Windows SDK to run everything. I do it on a live network, so I hope it will run okay.

When I plug my toaster into the network I can see here the local toaster, and when I plug my toaster into the network for the first time I see some kind of notification over here. Because I tested it like 2,000 times before we will not see this notification, but the first time that you are there it's popping up over there. So we'll ask our user to click on it. It's inside the LAN, and now we will forward the traffic outside to my web server. This is the MPack; so now the MPack is running. I put some alerts inside to show the process over there, but we will try to download a Trojan, the same Trojan that I use in the toaster, and try to distribute it inside the network. So now, after I had some kind of browser identification, this web server sent me to the right location. This is an unpatched machine, so all the exploits work over there. What we will now try to do: the bug that really made the whole mess of the MPack was the bug that was found by Finjan. It was a very logical bug. I heard lots of talks at DEF CON and at Black Hat about heap spraying; heap spraying became a huge problem, but this bug was some kind of logical bug. So at this point my Trojan was downloaded and was run. If that exploit had failed, the toolkit tries lots of other exploits and tries to run until it gets to hit the box. After I ran my toaster and infected the network, I got the toaster spread from other places as well. So if you have one box that is unpatched in your system, it's enough for us, because we will download our payload, our Trojan, and run it.

I would like to show you a little bit more about the MPack. The MPack was sold for a little bit less than 1K, and they promised to give updates to people that buy it. It's PHP based, so you have statistics of how many exploits and how much traffic, what was the exploit that was used and which OS they are running, so it helps you inject stuff with a malicious website. The MPack was quite a big hit, not because of the bugs that were used over there, but because they had compromised lots of shared hosting facilities and some stupid cPanel local exploit. They infected more than 10K shared hosting sites, so if they had a zero day they could take over the internet.

So a side effect of this research was some way that with the SSDP protocol, the simple search discovery protocol, we made a distributed denial of service. It was a little bit strange, because we were able to kill all the PCs on the local LAN. It wasn't a remote code execution, but we sent a malformed, or well-formatted, XML document, so we had some kind of recursion over there that sent all the computers in the LAN to 100% CPU. So we're talking about a recursive logic bomb. We had some memory consumption; the virtual memory page went crazy, so it took the computers a couple of hours to get out of this 100% CPU. Sorry, I had some short flashback, too much LSD in the 90s. Okay, you have a very cool distributed damage and possible attack vectors for that, but a remote attacker must be inside the local LAN segment to do it; it can do it by a Trojan, it can do it by a worm or by other stuff. MS promised to fix it in Service Pack 3 for XP, so I will not show you the exploit, but I will show you all the other stuff. You can make the XML very easily; you don't need me to show you how to do it, it's a known bad XML that is used for Explorer as well. But we'll do a NOTIFY; NOTIFY is like GET and POST but just for SSDP. So we'll advertise our presence, we'll send it to the specific multicast address so we don't need to know how the LAN looks, we'll give a URL, so we'll have to have a web server that will give back the XML, the malicious XML, and we'll give respect to eEye for doing lots of research in this field.

So if we talked about four steps of the discovery process, we are going to kill the system on the third one. Advertising is the same; the second stage is the control point asking for a device description, and the device brings a very crazy, very recursive XML file with a description that makes everything go nuts. So we'll try to make a small demonstration about how we make the smart home become a crazy home, and I will try to show you the logic bomb discovery. Okay, it's on its way. This is the exploit, it's Perl based. This is the NOTIFY packet we are planning to send, this is the port number and this is the broadcast. Okay, now we can see the other victim is at 100% CPU. It was very fun to do it on the Check Point production LAN, because we have like 200 PCs and I was able to kill them or not allow them to work anymore, so I asked forgiveness after that. I did it like 2,000 or 4,000 times, but this is the reason they asked to kick me out of the network afterwards.

Okay, some extended ideas that can be done in those fields. When I started to look into home devices I had lots of ideas, and I talked with people and they described and gave us lots of ideas. So you can do ARP spoofing, ARP poisoning, so the toaster can read all the traffic inside the local network. You can use kernel bugs like wireless driver bugs to run your code if the network has very bad drivers installed. There is lots to do in wireless hacking, WEP cracking. I played a little bit with MIPS and Linux embedded systems; it's become very, very cheap. You know, in Israel when you buy a six-pack of Coke you get a free DVD, so I think that in the future we'll see lots of embedded systems, very cheap ones, and it can be a problem. Cell phone hacking, like Nokia phones; GPS, an attacker can use the GPS things over there and know stuff about privacy and location. And IP phones, I guess we will see lots of IP phone exploits very, very soon, because I see that lots of you have IP phones. iPhone, not IP phones: iPhone, like Apple stuff, it will be very easy to exploit them. Media centers can be a very good target. Game consoles, so we can use the game console to send our stuff to get more victims. I had some thinking about a DivX worm, to make a movie that, when you steal movies like all of us are doing, you will get some kind of copyright bomb that will wipe all your movies or something like this. And we can also think about physical security, maybe put a microphone inside and a webcam or something and just broadcast from the toaster outside to the world. Also IPv6 will give us all the refrigerators, and all the home equipment will be IPv6, so I guess there is lots of work to do over there.

Conclusion. I am running. Conclusion: cheap hardware appliances open the door for the bad guys. I told you before about when you buy the Coke you get a free DVD in Israel, but I think that it will become very, very common to do embedded software, embedded hardware and give it for free and stuff. Wireless hardware and IPv6 open a new ball game, like reintroducing stuff that was already fixed years before. I think that you should trust no one: hardware and software and those free gifts. So even if you have a very cool device you don't really need to trust it. Home devices can be a target for remote attackers as well, and not just from places inside the LAN; that can be buffer overflows, that can be cross-site request forgery or XSS, like we've seen in the Jeremiah talk a couple of times. The SSDP service and the UPnP on XP must be disabled, this is my conclusion, and in Vista you need to disable the network discovery protocol. So can home devices turn against us? I think they can. Home devices are as bad as the software authors; so if you are a badass and you write hardware and software, you will make badass home devices.

I would like to give some respect to the people and the places that I stole some information from and learned about. So the UPnP Forum, it's a very cool site that has lots of descriptions and links for everything that is connected to UPnP. I would like to give some respect to hackthetoaster.com; the guys did the opposite side, they took a PC and put it inside a toaster or a screen, so they went for the other side, but they are very cool. In the beginning, when I started this toaster work, I thought I'm so cool and I'm the first one doing this, but I've seen that it is a very old idea, a mad toaster or a toaster that does stuff, so I wanted to give some respect to the people that did this. I would like to give another respect to the eEye guys for the SSDP and UPnP stuff and for the other stuff that they did in the security research arena. I would like to give you a link to a project, Cowbird, that I heard about at last Black Hat, made by a friend of mine, Jonathan, a new friend that I met a couple of days before. He talked about how to take very cheap hardware like a Linksys media center and 30 minutes and a 30 network, so we replace the OS inside and make it a wireless scanner, so it was a very cool idea. There is the Exploiting Embedded Systems made by Barnaby Jack, or whatever, he's a cool guy; so he showed how to make shellcode on an ARM processor, not Intel based. I want to have links to the UPnP stack vendors like Intel, CyberLink and Siemens. There is the OSGi Alliance that is making the software for the future smart home, so it's very cool stuff. And at DEF CON 9 some dude called DOG showed a very cool way to do a talking toaster, so you need to go and look at the work he did over there. Another website is UPnP hacks, which was a very nice one. Okay, so the slides and the toaster source code are on my website; you can go over there and download stuff. You can contact me, send me e-mails, everything, if you would like to play together, cool stuff. I am ready for any questions. Excuse me, maybe next year; we are open for new ideas. Thank you for your time.
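The first two discovery steps the talk describes (the SSDP NOTIFY multicast and the device description XML that the control point fetches from its LOCATION) seen from the defender's side, as an added example that is not part of the talk or of the toaster's source code: it parses the NOTIFY headers and pre-screens the description for the size, DOCTYPE and nesting-depth tricks that would otherwise reach a control point's XML parser. The packet and descriptions are constructed samples; the 192.0.2.23 address, the ToasterOS server string and the depth and size limits are assumptions.

```python
"""Defender-side pre-screen for UPnP discovery traffic (added example, not the talk's code)."""
import xml.parsers.expat

class Rejected(Exception): pass  # raised from an expat handler to abort the parse

def parse_ssdp_notify(packet: bytes) -> dict:
    """Split an SSDP NOTIFY (HTTP over UDP) into an upper-cased header dict."""
    lines = packet.decode("ascii", errors="replace").split("\r\n")
    if lines[0].strip().upper() != "NOTIFY * HTTP/1.1":
        raise ValueError("not an SSDP NOTIFY request line: %r" % lines[0])
    headers = {}
    for line in lines[1:]:
        if not line.strip():  # blank line ends the header block
            break
        name, _, value = line.partition(":")
        headers[name.strip().upper()] = value.strip()
    for required in ("LOCATION", "NT", "NTS", "USN"):
        if required not in headers:
            raise ValueError("NOTIFY is missing the %s header" % required)
    return headers

def check_device_description(xml_bytes: bytes, max_depth: int = 32,
                             max_bytes: int = 64 * 1024) -> dict:
    """Stream-parse a device description before a control point would, rejecting
    oversized documents, any DOCTYPE (entity-expansion bombs) and nesting deeper
    than max_depth (recursion bombs). The limits are assumed, not UPnP-specified."""
    result = {"ok": False, "reason": "", "max_depth": 0, "elements": 0}
    if len(xml_bytes) > max_bytes:
        result["reason"] = "description exceeds %d bytes" % max_bytes
        return result
    depth = [0]  # a list so the nested handlers can update it

    def start(name, attrs):
        depth[0] += 1
        result["elements"] += 1
        result["max_depth"] = max(result["max_depth"], depth[0])
        if depth[0] > max_depth:
            raise Rejected("nesting deeper than %d elements" % max_depth)

    def end(name):
        depth[0] -= 1

    def doctype(name, sysid, pubid, has_internal_subset):
        raise Rejected("DOCTYPE declarations are not allowed in a device description")

    parser = xml.parsers.expat.ParserCreate()
    parser.StartElementHandler = start
    parser.EndElementHandler = end
    parser.StartDoctypeDeclHandler = doctype
    try:
        parser.Parse(xml_bytes, True)  # an exception in a handler aborts the parse
    except Rejected as exc:
        result["reason"] = str(exc)
    except xml.parsers.expat.ExpatError as exc:
        result["reason"] = "malformed XML: %s" % exc
    else:
        result["ok"] = True
    return result

# Constructed samples, not captured from a real device; 192.0.2.23 is a documentation address.
SAMPLE_NOTIFY = (b"NOTIFY * HTTP/1.1\r\nHOST: 239.255.255.250:1900\r\nCACHE-CONTROL: max-age=1800\r\n"
                 b"LOCATION: http://192.0.2.23:49152/description.xml\r\nNT: upnp:rootdevice\r\n"
                 b"NTS: ssdp:alive\r\nSERVER: ToasterOS/1.0 UPnP/1.0\r\n"
                 b"USN: uuid:00000000-0000-0000-0000-0000000000aa::upnp:rootdevice\r\n\r\n")
GOOD_DESCRIPTION = (b'<root xmlns="urn:schemas-upnp-org:device-1-0">'
                    b"<specVersion><major>1</major><minor>0</minor></specVersion><device>"
                    b"<deviceType>urn:schemas-upnp-org:device:Basic:1</deviceType>"
                    b"<friendlyName>Crazy Toaster</friendlyName></device></root>")
DEEP_NESTING = b"<root>" + b"<d>" * 5000 + b"</d>" * 5000 + b"</root>"
ENTITY_BOMB = b'<!DOCTYPE root [<!ENTITY a "aaaa"><!ENTITY b "&a;&a;&a;&a;">]><root>&b;</root>'
```

Run the screen on the LOCATION response before handing the document to a full XML parser; a rejected description is the point at which to log the advertising host and drop the device rather than show it in the network neighborhood.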