Ilya from Red Hat Product Security will tell us stories about IoT security. Thank you.

The term IoT, Internet of Things, refers to wildly different objects, from children's toys to industrial automation and airliners. In the context of this talk I will mostly focus on consumer devices. These surround us, we use them, and it is in our best interest to use them wisely. Before the IoT era, most risks associated with computers, computer crime and computer glitches revolved around data loss. With the emergence of IoT we are facing completely new and different dangers, because the things are so embedded in our environment, in the world where we live, that they have direct influence on the objects around us. They are made tiny, so we may not notice them, and they are designed to collect data, and by collecting data they kind of watch us. The idea of a computerized environment for humans is not new. It was envisioned by many science fiction authors and writers in the past. For example, Arthur Clarke envisioned worldwide instant messaging, which we already have, and Ray Bradbury, in his short story "There Will Come Soft Rains", introduced the reader to a computer-controlled house which cooks, cleans and does everything a typical American family may ever need. Interestingly, Bradbury's smart home appeared to be extremely reliable: it survived a nuclear strike and kept running its duties, standing alone in a deserted and lifeless town. That story unfolds in 2026, I think.
Karel Čapek, at the beginning of the 20th century, scared the public with the idea of self-replicating machines that ultimately revolted against their human masters. That was the play in which the word robot was first used; first in that play, and then it migrated to science and technology. So if you're wondering where all of today's robots came from, they're probably from the Czech Republic. Speaking of home automation, I think we are already on par with Bradbury's vision. One can have smart lighting at home, or smart heating, or smart irrigation. Not only that, one can have a personal home assistant to whom one can talk and control all the other home automation devices, or ask things on Wikipedia, or maintain a shopping list, or order stuff on Amazon. If one is not in the mood to talk to the personal home assistant, they could just press a button and have the stuff they ran out of delivered to their doorstep, possibly by a flying robot, a delivery drone. Then we have medical things. These are already part of critical medical infrastructure, things like pacemakers or insulin pumps, and as we now know, they are not necessarily secure. Then we have weird stuff, or marginally useful stuff, like this smart brush. It's designed to control the health of your hair. By the way, it has a microphone and a bunch of other sensors, and it is internet connected. Then we have things like the smart mattress, which is a mattress with an embedded mobile phone. It will send you an SMS whenever something is happening on your bed while you are... Then we have this doggy phone thing to communicate with your dog when you are not at home. Then we still have legacy buttons, and there is a way to turn them into something more modern. So yeah, you can control your legacy buttons from your mobile app. And then we have almost creepy things like this kiss messenger. You get the idea. The telepresence technology is amazing and frightening.
I can imagine security vulnerabilities in that area being hilarious and tragic in equal measure. So let me tell you a story about a botnet that lives in DVRs and internet cameras. You may remember one day in October last year when a number of high-profile websites, like PayPal or Twitter, went down for quite some time. Apparently, a huge network of harnessed internet cameras stood behind that attack. My story is going to be about a slightly different botnet; I was just talking about the Mirai botnet, but my story is going to be about the Hajime botnet, which is a little bit more advanced and therefore more interesting. The idea behind a botnet is that you have a large number of computers you can control, and you can direct and instruct them to do things, usually bad things, like taking sites on the internet down or doing spam attacks. The life of a botnet starts with a single node. In the case of Hajime, the node starts hunting the internet in search of an open telnet port. Once it hits a running telnet service, it tries to brute-force the login credentials using a list of hardcoded default factory passwords. Once the login succeeds, the bot tries to find a writable file system there, creates a temporary file and dumps binary code into that file. That file is, of course, a program, an executable program, and, of course, it's run. Once run, it connects back to the attacking node and fetches a larger binary from there. That larger binary is the actual malware. The malware does two things. In the first place, it continues propagation using the same algorithm I just described. And secondly, it joins the BitTorrent network and starts waiting for software updates and further instructions to come from there.
Once the botnet owner decides to mount an attack against someone, they prepare the attack code and configuration, push it to the BitTorrent network, and all the nodes on all the infected cameras pick that up, apply it, and the attack is on. This is how it looks in artistic terms. Researchers found that the Hajime bot is capable of running many types of packet floods, like these. But the architecture is very extensible, and it can do wonders, I guess. The scale of the Mirai attack was record-breaking. Depending on the place where you observe, researchers have seen hundreds of thousands of running bots. The traffic at the core router spiked to two terabits. Looking at the root cause of this attack, it's definitely the hard-coded passwords, the default credentials and the insecure services left running on the device. Researchers have observed many different types of worms in the wild. Interestingly, those worms naturally compete for their hosts, and sometimes it gets harsh and they try to kill or enslave each other. Among all those worms, one that stands out is called Linux.Wifatch, and it's different in the sense that it tries to kill all the bots it knows about on the system, then it tries to shut down all the services it thinks are insecure, and finally it changes the password to something unknown to the owner of the device. That way it contains the infection. It kind of helps making us more secure. But the Mirai attack, as well as the Hajime bot, works with just a Linux box. It has nothing special, nothing IoT-specific. Before we move on to my second story, about an IoT-specific attack, let me briefly introduce you to a typical IoT architecture. There is no single architecture, actually; it's very fluid, but it's something along these lines. A typical IoT product has a layered architecture. There are a bunch of sensors, including cameras and microphones, at the very bottom.
They are connected to a microcontroller or a single-board computer. Those small computers are sometimes connected to a so-called IoT gateway or a wireless network. The IoT gateway has internet connectivity, and it works with a server on the internet which is known as the IoT data platform or cloud. The purpose of this cloud thing is that the data coming from the IoT network is collected there, and the commands from the owner of this IoT network are pushed down from the cloud to the IoT network and devices. My next story is going to be about smart plug security research. This smart plug is a small, simple gadget, which is an extension of your wall socket. So you can take it, plug it into your wall socket and plug some appliance into the smart plug. Then you can power your appliance on and off through your mobile phone from a distance. The researchers looked into this appliance and tried to see how secure it is. So they started by taking the mobile application for Android, decompiling it and looking into the source code. From the source code they figured out that the mobile application and the smart plug communicate over a simple text-based protocol like this. In this protocol, besides the commands, they have the MAC address to identify the plug and an optional user-set password, which can be empty. Then they figured out that the protocol is encrypted, and the encryption is done by a Linux shared library bundled together with the application. So they took that shared library, ran strings over it and found a bunch of ASCII strings. They thought that maybe one of them is the encryption key. They took a sample packet off the network and tried to decrypt it with each of these candidate keys.
Of course, at some point the clear-text protocol was revealed, they found the encryption key, and they were able to build proper protocol messages and control the plug locally from their notebook, not from the vendor-supplied application. Then they looked into the way the plug works through the internet, from remote. They looked into the network and found a TCP connection from the plug to some server, and that server is in China. So they connected to that server and tried to reuse the same protocol they had already learned to control the plug through the server, and that worked. Then that got them thinking whether they could do the same things with other people's plugs. The only complication here is that they did not know the MAC addresses of other plugs, but that's not really a complication, because MAC addresses are typically distributed to vendors in chunks and they are adjacent to each other. So they started from their MAC address, enumerated all the others, and they could control other appliances all over the globe without their owners knowing. Then other researchers looking into this appliance figured out that there is a shell injection vulnerability in some of the firmware versions of this plug, which works like this: if you put a shell command into a protocol field in this simple text protocol message, it gets executed on the plug with root privileges, which makes it a perfect platform for another bot, or a distributed denial of service attack, or you can attack local computers on other people's networks, or spam people. It's interesting to think about that. It's a plug, it's not a computer from a user's perspective, but still it can become a really powerful thing and behave wildly. Looking at this attack, it again has something in common with the previous one: it's also based on hardcoded secrets. To give you a better understanding of why these kinds of problems are so common, let me walk you quickly through the typical life cycle of an IoT product nowadays.
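As an added example, not code from the talk or from the researchers it describes, here is the defensive counterpart of the strings-and-candidate-keys step in the smart plug story: a pre-release scan of a bundled library for strings that look like hardcoded keys or credentials, so a vendor finds them before anyone else does. The sample library bytes, the key values and the protocol format string are all constructed for the example.

```python
"""Audit a binary blob for strings that look like hardcoded keys or credentials.

Re-implements the strings(1) step in pure Python and ranks each printable run
by Shannon entropy, so key-sized, high-entropy blobs and credential-looking
format strings surface for review before a product ships.
"""
import math
import re
from collections import Counter
from typing import List, Optional, Tuple

MIN_LEN = 8
# Random key material approaches log2(alphabet size) bits per character.
# Short English strings of exactly key length can come close, so whitespace
# is used as a second discriminator (key material is never space-separated).
ENTROPY_THRESHOLD = 3.75
KEY_LENGTHS = {16, 24, 32}            # raw AES-128/192/256 key sizes in bytes
HEX_KEY = re.compile(r"[0-9a-fA-F]{32,64}")   # hex-encoded 16..32 byte keys
CREDENTIAL_HINT = re.compile(r"(passw(or)?d|pw=|login|secret)", re.IGNORECASE)


def extract_strings(blob: bytes, min_len: int = MIN_LEN) -> List[str]:
    """Printable ASCII runs of at least min_len bytes, like strings(1)."""
    pattern = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    return [m.group().decode("ascii") for m in pattern.finditer(blob)]


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of s; 0.0 for the empty string."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def classify(s: str) -> Optional[str]:
    """Return 'key', 'credential' or None for one extracted string."""
    if HEX_KEY.fullmatch(s) and len(s) % 2 == 0:
        return "key"                  # hex-encoded key of a whole number of bytes
    if len(s) in KEY_LENGTHS and " " not in s and shannon_entropy(s) >= ENTROPY_THRESHOLD:
        return "key"                  # raw-looking key material
    if CREDENTIAL_HINT.search(s):
        return "credential"           # format strings / defaults worth a look
    return None


def find_candidates(blob: bytes) -> List[Tuple[str, str, float]]:
    """Scan blob and return (kind, string, entropy) for everything flagged."""
    found = []
    for s in extract_strings(blob):
        kind = classify(s)
        if kind:
            found.append((kind, s, round(shannon_entropy(s), 2)))
    return found


# Constructed stand-in for a vendor shared library: ordinary strings, one raw
# key, one hex key and a protocol format string, separated by non-printable
# filler so the printable runs stay distinct.
FILLER = b"\x00\x01\x7f\x80\xff" * 3
SAMPLE_LIBRARY = FILLER.join([
    b"\x7fELF",
    b"GLIBC_2.4",
    b"Connection reset by peer",            # 24 chars but prose: must not be flagged
    b"AES_set_encrypt_key",
    b"k7Qz9pR2mW4xN1vB",                    # constructed 16-byte raw key
    b"0f1e2d3c4b5a69788796a5b4c3d2e1f0",    # constructed hex-encoded key
    b"CMD %s MAC=%s PW=%s",                 # constructed protocol format string
]) + FILLER

if __name__ == "__main__":
    for kind, s, h in find_candidates(SAMPLE_LIBRARY):
        print(f"{kind:10s} entropy={h:.2f}  {s!r}")
```

Flagged strings are triage candidates, not proof: the follow-up is to confirm in the source where each one comes from and move any real key into per-device provisioning.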
In the first place, the IoT product is a piece of high tech. It's complicated, and it's built by many companies in a supply chain. In this supply chain, the device manufacturers, the middle ones, are the companies that tend to give most of the grief to security researchers. Their business is that they take readily made components off the market, put them together as quickly as possible, add their software, and then possibly upsell this product to product manufacturers at the very top level. These device manufacturer companies are usually small; they may practically be a single-person company. They compete fiercely, they are usually single-product companies, and there are many of them. That explains why they may not have the necessary time and resources to do proper security testing and secure engineering. Once the product reaches the product manufacturer, they start selling it. These companies are known to us customers. They are usually big names; they do the marketing and advertisement, they do branding, they do technical support and warranty, and they also serve as the single, and probably the only, point of contact for us customers whenever we have an issue with the product, and for security researchers reporting weaknesses or vulnerabilities they found. Unfortunately, often the product manufacturers can't do much about these vulnerabilities, because they may not own the product and they may be unaware of its workings. So the best thing they can do is forward that vulnerability report down to the device manufacturer, in the hope that those guys are still in business and willing to fix it; or they can try to use their PR powers to downplay the importance of the weakness, or even sue the security researcher for looking into their stuff and violating some copyright or something like that. So these are the ways the product manufacturers can possibly try to fix the problem, which is not really a fix.
The IoT ecosystem is huge and vibrant. It has many parties interplaying there, pursuing their own goals and interests. Speaking of the vendors, for them it looks like it has become a must to have some degree of smartness in their devices just to stay in business. For us customers, well, we love gadgets. We may poke fun at them, noting how silly or maybe useless they are, but we're still buying them for some reason. That explains why we have things like the egg counter, so you can check how many eggs you have at home while you're at the supermarket. Then there are some parties in this IoT market and ecosystem which may be extremely interested in learning more about us customers. With the introduction of smart toys, like these pretty dolls, that becomes incredibly, incredibly easy. Consider this smart doll. It is designed to maintain a conversation with children. Everything the child says is picked up by this doll, turned into text and uploaded into a cloud. The information is collected there, and the maintainer of the database is legally allowed to share this information with whomever they want. Also, this doll is designed to speak. As researchers figured out, when it speaks, it gets extremely excited about other dolls made by the same company, as well as other services provided by the same company. Interesting. From the manufacturer's perspective, it may look easy to add smartness to their originally offline product. What it takes is just to add a $5 computer, and that's it. Unfortunately, they may not always realize that by adding a computer, and especially network connectivity, to their offline objects, they turn them into something huge, much bigger and much more dangerous than it used to be. It is also apparently hard to do right. For example, consider software updates. It's extremely hard to deliver and deploy software updates to those teeny tiny boards, which are frequently disconnected, battery powered, or maybe busy with something.
The boards themselves, the IoT computers, are frequently too weak to run strong crypto, and developers struggle to get a good entropy source on them. Also, the boards are easily accessible physically, which makes their hardware interfaces a fruitful attack vector too. Although, when all the small computers are brought together and harnessed together, they can deliver tremendous power and floods of network traffic. From the software engineering perspective, the software inside frequently looks messy; that can be attributed to the long supply chain and to the software companies building this thing in a rush, in a hurry, under time pressure. Finally, the smart things are not necessarily well understood by anyone, practically. Consider this: it is a smart pillow. Does it occur to you that this pillow needs software updates? It's not that obvious, but it does. Also, when people think of what can possibly go wrong with a smart pillow, well, maybe it miscalculates my sleeping pattern and wakes me up earlier or later; okay, not a big deal. But in reality there are much bigger and much more dangerous risks. Consider that this smart pillow starts spying on you and starts feeding the data on your sleeping habits to someone; that has happened. Or it can engage in a denial of service attack while you are literally sleeping on it, and you can be held responsible for that, because it's your property. The attacks we have looked at so far were not really complicated technically, and they were against targets that were not really well protected. I'm going to tell you about another attack which is much more technically sophisticated, and it was run against a major product of a large manufacturer, a well-engineered, well-thought-out product, and that is the Philips Hue LED bulbs. The idea behind this product is that you can screw these bulbs in all over your home and control those bulbs individually from your mobile app, from a home automation center or from the internet.
You can do strange things with that; you can attach a Twitter account to this thing and light your home differently depending on what's happening in the world at the moment. Technically, these bulbs and the whole system are based on the Zigbee network. Zigbee is proprietary; it's not a network stack, it's a mesh network specifically designed for low-power, short-range, secure wireless communication. The network traffic on this network is encrypted with a symmetric key. The key is shared among all the participants, it's distributed between the participants, and it's unique for the network. So when a new node is coming to the network, it asks the network for the key, and the network basically gives out the key, encrypted with a so-called master key. That master key is a top-secret key. It is hard-coded into every Zigbee device, and it is guarded by a safeguarding contract signed between the Zigbee manufacturers and the Zigbee Alliance. Apparently that kind of security didn't work, and that secret master key was leaked on the internet two years ago. But they have a second level of protection. They have a so-called proximity check in this key exchange phase, which works like this: when a new node is coming, the network measures the strength of the signal from this node, and it should be strong enough; that serves as an indication that the new node is close, within centimeters. When the network replies with the key, it does that at very low power, so that it's hard to eavesdrop on. The researchers analyzing this Philips Hue system knew about the master key, so their challenge was to figure out how to attach to an existing network from a distance, because they couldn't approach it close enough.
So they analyzed the open source BitCloud library, which implements the Zigbee protocol, the Zigbee stack, and found a major vulnerability there which allowed them to reset any bulb from a distance of hundreds of meters. So they mounted this attack against a bulb and reset it. Once the bulb is reset, it is programmed to start looking for another network to join, and then the attackers pretended to be another network and offered their network to this bulb. But they also advertised their network not as a lighting network but as some other kind of Zigbee network; there are many different kinds of network types in the Zigbee protocol, the Zigbee network stack. The important thing is that with a non-lighting network the proximity check can be skipped, and that way the attackers could take over the bulb from a distance and get it onto their network. But their ultimate goal was to run their code on someone else's bulb. To do that, they needed to embed their code into the bulb. The bulb is built on a microcontroller, therefore the only way to embed their code was to reflash it, to change the whole firmware, which is possible because the bulb supports over-the-air updates. However, the bootloader in the bulb performs a signature check on the firmware, so if they make a firmware and flash it, it won't run, because the signature check would fail. So the researchers mounted a side-channel attack against the bootloader; they used a power analysis attack. The idea behind a power analysis attack is that they fed the bootloader with fake firmware images of different types, and at the same time they measured the spikes in power consumption of the bulb at that same moment, and by correlating the spikes in power consumption and the signatures, they learned the firmware key. So they were able to sign their firmware with Philips' firmware signing keys. The last challenge for them was to somehow approach other bulbs and infect them; they needed to approach them
close enough. Of course they used high tech; they used a drone. They mounted an infected bulb on a drone and flew that drone by the windows of a major security firm somewhere, and once they did that, the bulbs started blinking SOS all over the offices there. So the important thing to think about is that despite all the efforts that Philips and the Zigbee Alliance put into securing the Zigbee network and their products, it's still extremely hard to do right. Looking at the major attack vectors that happened over the last couple of years, probably the hard-coded, and eventually leaked, secrets were the number one problem. Also forgotten services, frequently insecure services, and accidental or deliberate vendor backdoors contribute to the insecurity of today's IoT. Considering how easy it can be to get hold of an IoT device, the unprotected hardware interfaces on the boards are also a possible attack vector. And finally we have all the good old web vulnerabilities there, which can be, and are, exploited. In the future it looks like IoT devices will become more autonomous and less deterministic in their behavior, and for that purpose they will collect more data about the environment, and they will become interoperable, to be able to join forces, to join into ad hoc networks, solve their immediate tasks and then dissipate. If you are somehow involved in IoT development, I think the most important thing is to realize, to understand, that once you put your product online, millions of eyes will start looking at it, watching it in search of vulnerabilities that they can exploit in their interests. Personal data is a toxic asset. There are black markets on the internet that buy and sell personal data; data can be more valuable than money. So if you hold personal data, especially in large amounts, there may be people around who would want to get that from you. So if you can run a service without taking personal data,
it's much safer. If you do, I would encrypt everything. Finally, there is a great website, builditsecure.ly, maintained by experts in this field, with checklists and advice on how to build IoT security. There is also an open market for pentesters, where you can hire hackers to pentest your product, or you can join the crowd and offer your pentesting services there. My personal attitude towards IoT is that, for me, they are too risky, too insecure to use at the moment. If you want to have IoT at home, my advice would be to research before you buy: look at the vendor you are buying from, how they handled security vulnerabilities in the past, whether they provide software updates for their products. To give you an example, there was a recent discovery of a vulnerability in a drone remote control protocol that allows a hacker to hijack your drone while it's flying and either take it over from you or crash it. Apparently that was a hard-to-fix vulnerability, but some vendors somehow managed to fix it, and some did not. So it's important to research the vendor. If you have IoT things in your home, it's better to put them on a dedicated network and firewall it, isolated from your real computers. When you're selling your things, be aware that you may be selling your secrets as well; it may be hard or impossible to remove things like Wi-Fi passwords from all those small gadgets, they may not be designed for that, and there are stories of people recovering Wi-Fi passwords from those gadgets. When you're buying things, it's better to reflash everything, because it may be infected already. So the IoT industry is flourishing and blooming, and it keeps us amazed, and it is tricking us into buying those things. I hope that this talk will make you more cautious and better prepared for the further invasion of things. To summarize: be aware that things around you might be watching you all the time; treat them as insecure by default; try not to give out your personal data, you never know where it
ends up and who will be using it; and finally, repel things from your home for as long as you can. Be suspicious and keep safe. Thank you. Oh, it's empty. If you buy IoT things, you should reflash