Hi everyone. In this presentation, we will tell you about our experiences with IoT hacking. I will also mention the weaknesses and misconfigurations that we have identified and that can be detected. But firstly, I want to talk about myself. When I look at myself in general, there are a few keywords I can use about me. These are co-founder, author, speaker and trainer. So apart from this, there is not much I can say for myself. And I can say I love Wi-Fi hackers. This place also contains some information about my friends. Since we cannot make the presentation live and we are in different locations, I am the only one giving the presentation right now.

Let's start, guys. In IoT hacking research, there is something that everyone is serious about. How should IoT devices be analyzed? What is a methodology? What tools should I use in IoT hacking or research? Many, many, many questions, like how can I find weaknesses in IoT devices? In order to answer these questions, we should be able to look deeply to understand everything correctly.

In this context, the first step is to choose the product to be analyzed. In order to do this, we should ask ourselves the following questions. Which industry am I targeting? Which area of the industry do I target? For example, your target in the financial sector may be products used in banks. Your target in the health sector may be products used in patient rooms of hospitals. If you ask yourself these questions and write down the answers, you will have defined your goal.

After defining the target, the product must be supplied. There are several solutions for this. You can contact the manufacturer of the target product. You can contact the customer using the target product. You can buy the target product. By using one of these methods, you can contact the manufacturer, developer or customer to improve security. This is the most important step, because now your target industry and target area are certain. You also provided the product.
To model this place correctly, we should know that every product has many properties associated with it. Note that these features associated with the product itself can actually be used as attack points against the product. For this reason, you need to take a piece of paper in your hand and write down the features associated with the product. You can try it yourself to understand attack surface mapping. Once you have correctly defined the attack points, you will need the necessary hardware and software to perform the associated attack. And as you see, this resource you see in the presentation will be very, very, very helpful for this. You can find a lot of hardware and software in this resource. Finally, after all of them, you can start exploiting the product.

In this presentation, I would like to share the details of three types and four products. The first is a robotic assistant. I can say about this target: this is a robot assistant and it has target features such as Wi-Fi connection, internet connection, USB inputs and others. And this product is used in hospitals, restaurants, airports and in other possible areas. On this product, we found weaknesses such as privilege escalation, hidden admin panel, weak password, unsecured communication and login bypass. Let's take a closer look at them to understand deeply.

This is a login bypass in this target. You know, usually on the main screen there are processes related to the service of the device. But remember, there was a keyboard input. When you press a fifth key combination with a keyboard attached here, you can bypass the service screen and access the terminal directly.

After accessing the terminal with the previous weakness, we gathered information about the device with the `uname -a` command. Then we saw that there was a kernel weakness, and we increased the authority on the system with an exploit we downloaded from Exploit-DB.

Another feature is the hidden admin panel in this product.
You know, clicking on a particular area of the screen multiple times opens this screen. If it is also protected by a weak password, you can directly access it with admin authority. And yes, we did it.

As my authority increased on the product, I started to try different things. And in an analysis, I saw that the product performed firmware and other software updates over insecure protocols like FTP. And you know, FTP is an unsecured protocol. And if an attacker is in the environment, he can sniff and see the username, password and others in the traffic. After all of them, I took control of the robots by catching the information of the server where the robots were updated. This is now a zombie robot network. We can do anything on the robots and we can control them.

This is the second story, about a smart scooter. And I can say about this product: it's a widget used for transportation purposes. It has features that can be targeted, such as smart lock, mobile application, developer and others, and we will talk about it. And this smart scooter is generally used for short distance transportation, like on the campus of a university, you know. And I also saw some people use it to carry household items in Turkey.

When we look at this product, we found that there are basically four different attack points. The most important of these attack points is, of course, the human factor, and it is ignored in most research.

Here is the mobile application. There are many functions that can be used as an attack vector in this mobile app. And in general, every electric and smart scooter also has the same functions, like reserve. You know, you can reserve your scooter. You can start the ringing function and you can log in, register, etc., you know. And this mobile application could be an APK file or an IPA file, you know. And this is the ringing function, and at the same time you can light the device constantly so people around you understand that someone has found it first.
In our study, we have seen that this function can be triggered without authorization, using only the QR code number on this device. We can watch this video. And we captured the mobile application traffic for the ringing function. And when we deleted the Authorization header from the request, we saw we can repeat this function every time, with no limit and nothing for security.

And when I analyzed the mobile apps for two different products of the manufacturer, I saw that they use the same AES key value, hard-coded, as you see on the presentation screen. Another weak point is, again, from within the mobile application. Hosting hard-coded information in a mobile application is a common problem. Here too, I saw that the secret password information was left statically in the mobile application. And when you analyze any mobile application related to the smart scooter, you can find the same bug. So in mobile application penetration testing related to smart hardware, you should check some static information. You can find a lot of hard-coded information, like super password and AES key.

The main weakness here is the human and the devices that he uses. Therefore, we can expand the attack surface by asking the following questions for the loop. Is the computer connected to any Wi-Fi? Is any USB connected? Is he opening every email and downloading or running any file? Is the operating system updated? Is the mobile phone of the developer jailbroken or rooted? After these questions, we can launch a social engineering attack or hack the device or network the person is using. In our research, we saw that there is a weakness here. The developers are very careless.

And this is smart. Like you did a luck and smart electrical scooter. It usually has a QR code on it and has Bluetooth Low Energy communication. It is also the main point as a site with the mobile application. The most dangerous point here is the QR code, which does not directly harm the smart scooter vehicle. But we have seen that it is an attack point for users indirectly.
Think like that. You can try to install malware on the phone with a fake QR code, or redirect users to a phishing page with a fake QR code on the smart scooter.

And this story is about the fifth smart lock; we want to tell you about it in no time. We can say about this target: this smart lock has attack points such as mobile application, web service, internet connection, Bluetooth Low Energy communication, firmware and hardware. All of them are attack vectors for us and our research. And this smart lock could be used in a hospital, at home, on the smart scooter, you know, and others.

There are a lot of weaknesses here in the smart lock, especially if you are using cloud-based devices on your home wireless network. You will lose communication with your smart device with a Wi-Fi DoS attack. Another point is the wrong authorization made in the mobile application, so an attacker can control your locks. The weakness of the product is related to the web service that the mobile application communicates with. As you can see, there are many related points.

And in the knock lock API, the bind and unbind functions are vulnerable, related to broken authentication. An attacker can use the bind and unbind functions without any security restriction, you know. Finally, we have seen that other users' profile information can be updated without authorization in the knock lock API.

And thanks a lot to Rootshaw Labs for their support, and thank you for listening to us.
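
The ringing-function weakness described in the talk (the request still works with the Authorization header deleted, needs only the QR code number, and can be repeated without limit) maps to three server-side checks. The sketch below is an added example, not code from the talk or from any vendor; the handler name `handle_ring`, the token and reservation tables and the limit values are assumptions constructed for illustration.

```python
import time

# Constructed sample data (assumptions): API tokens -> user, and active
# reservations keyed by the QR number printed on the scooter.
TOKENS = {"tok-alice": "alice", "tok-bob": "bob"}
RESERVATIONS = {"QR-1001": "alice"}

RING_LIMIT = 3        # accepted ring requests per user per window
RING_WINDOW = 60.0    # window length in seconds
_ring_log = {}        # user -> timestamps of accepted ring requests


def handle_ring(headers, qr_number, now=None):
    """Hypothetical handler: return an HTTP-style status for a ring request."""
    now = time.monotonic() if now is None else now

    # 1. Authentication: no valid bearer token means 401, so a request with
    #    the Authorization header removed is rejected instead of executed.
    scheme, _, token = headers.get("Authorization", "").partition(" ")
    user = TOKENS.get(token) if scheme == "Bearer" else None
    if user is None:
        return 401

    # 2. Authorization: knowing the QR number is not enough; the caller
    #    must hold the reservation for that scooter.
    if RESERVATIONS.get(qr_number) != user:
        return 403

    # 3. Rate limit: keep only timestamps inside the sliding window and
    #    refuse once the cap is reached.
    recent = [t for t in _ring_log.get(user, []) if now - t < RING_WINDOW]
    _ring_log[user] = recent
    if len(recent) >= RING_LIMIT:
        return 429
    recent.append(now)
    return 200
```
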