We're in the IoT Village and this is Hardware Hacking Your Kitchen. It's really cool. It's presented by GE and there's a ton of different GE appliances, like espresso makers and hot water machines, and what looks like an oven over there. What's so cool about these, and also terrifying, is that everything has an IP address now, and because everything has an IP address and we want to be able to control everything, like our coffee, from our smartphone, this introduces a bunch of anomalies, bugs and vulnerabilities that can happen with any of these devices. Things like injecting a packet and locking up the device, or, a more dangerous thing, having it heat up with no water, which might cause the heat exchanger to overheat and maybe cause a short. Those things are on the extreme side versus maybe just overwriting firmware. Right now in the CTF there aren't really vulnerabilities built into the CTF. You're looking for what would amount to a zero-day vulnerability, things we don't know about yet, and you submit that PoC to GE and they reach out. I don't know if they have a bug bounty program, but it's so cool that more and more of these villages are growing to include appliances which either haven't really hit the market yet, or ones where the company is now understanding that hackers are some of the ones finding these vulnerabilities, and they find those earlier in the cycle. So cool that you'll be able to just plug in and interact with these systems. Let's go find out more about the contest.

Before we start, actually, you can go ahead and kick it on. This is the IoT Village. You're running a contest. Is the contest these devices out here?

No. So these devices here are some devices GE brought. So basically they're looking to see if anyone can find any vulnerabilities on them that maybe their engineers back home didn't find.

That would amount to the effect of a zero day.

Yeah, they're looking for zero days.
Yeah, they're looking for zero days on these. A few minutes ago someone cracked one and steam started shooting out of one of these coffee makers, so pretty cool.

So you're running the IoT Village CTF competition, so can you tell me a little bit about how that one works?

Yeah, so basically in the IoT Village CTF we've got all sorts of embedded devices, whether it's, you know, IP cameras, a NAS, routers, switches, and what we do is we set all of them up, and we know that these device manufacturers have been pretty lax about their firmware. They've left zero days, they've left vulnerabilities in services or in hardware that people can compromise. So we basically give any one of these contestants the ability to go and start poking at all these devices, to see if they can find either a known way of getting in or a new zero day for one of these devices.

So unlike other CTFs where, we'll say, you design challenges and vulnerabilities into them, this is, we'll call it, a stock IoT device which has a vulnerability the manufacturer accidentally introduced into the software. It's not like a "hey, we snuck in a challenge."

No, no. Yeah, typically we'll go and add a flag to these so that someone can get it once they've compromised the device, but we haven't done any sort of mucking with the device firmware besides that. The only point of changing those devices is so that the participants can actually get a flag to submit to the CTF.

So, question: if I think about an IoT device, there are a couple of different vulnerabilities that impact them. Some of them you're worried about, let's say, loss of confidentiality. If it's a camera, gaining access to the camera and getting the footage. Do you have different stages, we'll say, when you give out points? They've gotten into the device, they've compromised the data on the device, they've now introduced an integrity vulnerability where now it won't function as well, they've now overwritten the firmware. How do you scale the risk there?
We keep it simple, for the main reason that, just inherent in these devices being little tiny IoT devices, we're going to have to reboot them, and we don't want to rely too much on someone having to sit on one of these devices for too long to find and research. Basically, these devices, once you've cracked them, you've got everything: you've got RCE, you've got access to the firmware, you can dump the firmware if you want. So basically once they've got that and they're into the device, we give them the flag, and we score it based on how tough the CVE is to find or how tough that device is. If we have some over here, which I'm sure we do, that don't have any vulnerabilities, we'll give that a high score because someone just found a zero day.

But what's been the most interesting vulnerability that has been found so far? I mean, interesting is a loaded term.

Yeah, it's a loaded term, but I'd say the most interesting ones that we've got over here are just ones where the PHP developer left thousands of passwords in the PHP. Not only that, you can view the page source on some of these and see the passwords there. It shows you a little bit of how IoT device manufacturers deal with making devices like these. A lot of the time those considerations are not very high, and it can be really expensive to fix these after you've put them out the door.

Which, I would always say, takes a high technical skill to be able to push a firmware upgrade.

Yeah, yeah, not to mention there are plenty of times where pushing firmware updates can be horrendous: for one, because someone can compromise the firmware updates, and for two, because if you fuck one thing up in the firmware updates the device is bricked and you've got angry customers.

Are we going to have to bleep that out?

No, no, you're fine.

Fair enough, it's DEF CON, you're right. No, that's so interesting. What's interesting is things like you can't really push out the update, so what is the
solution? As weird as it is, bugs are always going to be there, but what would be the recommendation for one?

Um, I'm a big fan of Rust as a programming language. Rust will solve all of our problems. It won't solve all our problems, it'll solve about 70 percent of them. We see a lot of memory safety issues on these because a lot of the time all the firmware is in C, or they're relying heavily on C dependencies. Rust is a pretty darn good language for embedded devices, just to clear out the possibility of memory-related issues. It's not going to fix everything, for sure; it's not going to fix SQL injection, you can still do that. But that's for one. For two, possibly some better CI/CD DevOps practices, where they're testing for security while they're writing the software for these devices, would go a long way. Typically they leave that to the end, though.

A lot of the vulnerabilities which I've seen on the devices are often things like SQL injection, passwords and usernames in source code. Even the most semblance of a SAST tool is going to pick this up. It's amazing that they get out to market without ever having this done.

Yeah, and I mean, to their credit, it is a bit of a tough job, right? If you want to avoid stored credentials that are default credentials on these devices, it'd be tough. Maybe you can have the thing generate a new password when it starts up so you never have a default credential, but what if someone just grabs your thing off the shelf, solders onto the board and figures out what algorithm you're using to generate those random passwords? People do that all the time. They'll use these side-channel attacks where they'll just dig into the bare hardware, see if they can read the firmware right off the board and decode what they're doing.

That's nuts. Well hey, thank you so much, thank you for your time, thank you for watching, and as always