Okay, sounds good. My name is Matt. I put this all together because I, so basically, I guess, you know, brief whois real quick. I'm from Louisville, Kentucky. I've been doing computers for a long time. I love it. And lately, the big thing I've been working on is bug bounties. And that kind of actually got me into this. So, basically, TL;DR on this is a network-based unauthenticated memory disclosure on a SIP phone. And I basically played with it, and found just some pretty interesting things that you could pull out of it. And I'm going to show you here. It's worked out pretty cool. The backstory actually goes back to basically DerbyCon 2019. I, so, you know, that was the last DerbyCon, of course, and being from Louisville, naturally I made sure I was there. And, you know, they always have a lineup of awesome speakers. But so, the first, I guess, it must have been Saturday. I was on my way to the first talk of the day, and I saw this sign over here across the way. And I, you know, basically was drawn to that thing, like a bug is drawn to a zapper or something. And so, I walked in there and literally did not leave for the rest of the day. And it was so cool, you know, we work on this stuff all the time and hear about the vulnerabilities and deal with them. But to see all the different stuff laid out there, from basically, you know, NASes to routers to light bulbs, really struck a chord with me, I guess. So I think in that sense, IoT Village really achieved what they were shooting for. So basically that would have been in September of last year. And I kind of walked away from that with the notion that I wanted to spend some time in the next year hacking on that stuff, coming up with my own, basically, you know, 0-days. And so about a month later, I was working on a bug bounty and had an interesting scope, because it was basically like all IPs, which normally is like hosts and stuff.
And so I thought I would do some recon, you know, follow all the steps, right? Passive recon first. And so I started with Shodan, mostly just to get familiar with it, because I hadn't really used it very much. And actually, I think I had done it wrong, because I didn't end up at the target that I thought I wanted to end up at. But I basically ended up just browsing through Shodan for a few hours. And like, you know, I never was one to sit there and watch cat videos for hours. But once I came across Shodan and all the cool stuff that you can find on there, it's basically like my cat videos, I guess. And so basically, as I'm browsing through here, I'm scrolling down and, well, here, let's go back. Yeah, I guess I will. I imagine you guys probably can't see that very well. So I'm working on how I can make that look better. Give me just one second. That's what I was shooting for. Actually, that. Okay. So I'm browsing on Shodan and come across this. Obviously, I have a bunch of stuff marked out right now, so I apologize for that. But, you know, nothing too crazy here. And then I keep scrolling down and basically come to this. So clearly what's happened here is, you know, the Shodan server is hitting this web server that's running on a phone over and over, 401. And then basically, so they've implemented some security controls like, you know, basically password lockout. And then it literally just pukes its guts up on you. It's like, oh, you failed your password. And here you go. So you know, the first time I looked at this, I actually didn't see anything too interesting. You know, obviously that's memory. I recognized that pretty quickly. But you know, I didn't really see a whole lot of impact initially. And so I basically monitored for a few days and started to see like some SIP traffic come across. And so basically, I looked for other devices of this make and model, and there were actually only like two or three on the internet.
And they didn't always produce this output when you hit the 403. So it's kind of like on that particular day, I happened to just kind of stumble upon that particular device on the day that it was having a bad day. And because, you know, we work on this stuff, you're just kind of, I guess, keen to what may be an indication of a bug, and followed up on it, and it ended up being kind of cool. So I actually watched that for probably, I don't know, a couple months. And then finally saw enough stuff come across there that I decided, okay, you know, this is obviously a legit vulnerability, but I want to confirm it first and also see, like, what's the impact. And so I went ahead and just bought one, probably not, you know, the most efficient way of doing it. Certainly, you know, I could have tried to get the firmware and loaded it up on QEMU or a Pi or something like that. But in this case, basically, having it already worked out for me, it was just kind of a matter of confirming. And so I figured I'll go ahead and just buy the device, and actually ended up... So I got it. And, you know, I mean, I've been working on this here and there for a few months at this point. And so like Amazon dropped it off while I was at work, and I came in and tore it open. And, you know, so within an hour, basically, I've got the thing bricked. You know, because I was thinking, well, let's make sure we have the latest firmware on it, so we're not reporting a vulnerability on some already patched software. And yeah, that device basically never came back. And so that was a little bit discouraging, especially after, you know, spending like 150 bucks on it. But, you know, I mean, that's part of it. Occupational hazard, I guess. And part of the fun, of course; you know, took it apart, see what I could do, and the ribbon cable started breaking. I was like, wow, okay, we'll revisit this.
And so that's what I did. I waited probably, you know, a couple or few more months. And then finally decided, okay, well, I'll just order another one. And fortunately, this one came with the latest firmware, so I didn't have to break it. And within an hour of opening that one, I had confirmed the bug. And I actually did it through the browser. I mean, as far as bugs go, super duper easy to find and, to some degree, to reproduce. I mean, so basically like the first time I powered it up, I opened up Chrome, failed to log in a few times, and then we saw that. And so I quickly wrote it up, looked up, like, hey, does Mitel have a bug bounty program? That would be cool. No, they didn't. But they did have a really good vulnerability disclosure presence, I guess. And clearly, like, you know, they have a program and a team that's handling only those things. So that worked out good. So I basically reported it to them immediately. And, let's see, I don't want to get ahead of myself. And I'm not going to spend too much time on that, because I'm going to show you in person. Yeah, okay, we're on track here. So, you know, as far as I was concerned, I reproduced it and I wrote it up and sent it off. And they were very, you know, prompt and professional; within a few days, I had a response, like, hey, thanks, we'll look into it. And a couple or few weeks went by and then they emailed me, like, hey, we can't reproduce this. And so, like, you know, for a bug bounty hunter, not being able to reproduce your report is probably one of the worst possible things that could happen. And so I'm like, oh, man, you know, here I am, just some schmuck on the internet, emailing these guys saying, hey, your stuff's broken. They're like, no, it's not. So, fortunately for me, I guess, I was able to figure out what happened there. And as it turns out, like, I never did get it to reproduce in a browser again, which kind of makes sense, because it's basically just random memory.
And you never really know; like, Chrome is not going to know what to do with a bunch of crazy stuff. And so like, the first time I did it, it just happened to work in the browser. But basically, every time after that, I had to use like netcat. But using netcat or telnet or whatever, it is super duper reproducible. It's actually kind of impressive how much you can get from it. So that was pretty cool. They do have a GPG key, or PGP, I guess. So like, I probably did it the hard way. But, you know, I literally just used like the GPG command line. So for someone who's used to reporting stuff to companies through a bounty program, where they have basically like, you know, a website, it's HTTPS, they provide all the facilities to upload evidence and tutorials and all that stuff. So major kudos to Mitel for basically, you know, being willing to hear it and having the people and the resources dedicated to fixing these problems. Like, you know, that in and of itself is a huge thing. One of the takeaways for me, and not necessarily for me, but something that I would like to help some of these companies appreciate, is, you know, the burden and really, for them, the potential for human error. Because, you know, when you are like manually doing all that, even understanding asymmetric cryptography, you know, I still have to take a second to, like, okay, so I'm sending this to them. They need to be able to open it. So I've got to encrypt it with their public key. You know, I've got to generate a private key from their reply. So that's just a lot of logistical stuff that I think a lot of people may not have the patience or background for. And so, you know, that could have some pretty negative impacts if someone else reporting a bug failed to do that properly. And next thing you know, you're sending it over HTTPS or plain old HTTP. You know, not really cool. So it ended up actually being, you know, P1, I guess, in my terms. So pretty interesting.
Mitel is a CVE Numbering Authority. Oh, enough. Oh, yeah, PowerPoint, I think, corrected that for me again. So basically, one of the things that was cool for me in this experience was learning the process for CVE. And I actually had another program, another bug through an actual bounty program, pretty much simultaneously. And it was interesting because, like, there, that one was not a CNA; Mitel is a CNA. And so walking that path and understanding the different roles and how you do it and how you coordinate it, it's not very hard at all. And MITRE basically has like a PowerPoint that walks you through everything. But, you know, it's kind of cool to go through the experience and understand it. Okay. So now we'll do some fun stuff. Okay. Okay, I'm sorry. I'll switch this off. My bad. Maximize this one. We'll see how this goes. And if I get too annoying on top of this, I will swap it. Okay. So basically, I have one of these phones right here. And so, okay. So if we just basically, plain old, as vanilla as you can get, we see the prerequisites right there, like a text line. And then I can pipe it to this on 40. Okay. 401 Unauthorized, that's perfectly acceptable, normal, expected. We'll do that a few times. I don't remember exactly how many times. Okay. Probably about five, something like that. Which really, so like, you know, this came about, I always think it's interesting when you see like a multiple-level-deep failure of code. And so like this one is especially interesting because it's in an actual security control. And so I think there's really a lesson to be learned for all of us, you know, whether you're a penetration tester or building a system or a software developer, or, you know, on the IT security compliance side of things: you know, don't just check the box, push it a little bit, because no one would think to set up these particular circumstances to see what happens.
But those are exactly the types of things that lead to some of the most impactful vulnerabilities. And, you know, I mean, there's all sorts of really good resources on that. Like, so the other day, I was rewatching, I think, Samy Kamkar's 2016 talk at AppSec California. And he basically, it's just very interesting to listen to someone with his level of experience, because he's explaining his thought process. And he's like, so I asked myself, what would happen if I did this? What if I did this? Could I make it do that? And that's the kind of, basically, structured but creative and out-of-the-box thinking that it takes to find impactful vulnerabilities, and not end up with a whole bunch of duplicates and get frustrated with the whole process. Okay, so at this point, I've basically locked out the account, and it's locked out. Yeah. So I've written a script here, at this point, making it real easy. Give me a second. Let's see what that is about. Okay, some of that has to do with being able to make it so people can call in. But basically, the key thing there, you can see, I guess you can see it, right? Same thing I just did, but we're doing it 20 million times or something like that. Okay, so what I'm going to do, get the system over here. Okay, so I'm going to fire that off. That should just basically start spilling its guts. Yeah, there's some ringing right here. I mean, I have literally sacrificed one of these devices to the demo gods. So I fully expect that this is going to work right off the bat. Let's see, maybe then we just, let's just take another look at that real quick. Let's take a look here and see if we're getting something. That should be there. Okay, sometimes, you know, you'd like to mess up your shell. So let me just reopen a new shell today. You know, this stuff wouldn't be fun if it worked immediately, I guess. We'll simplify it for a second. Oh, my goodness. I'm in too deep. I'm so sorry.
It is literally doing exactly what it's supposed to do. I'm calling this good grief. I forgot that I changed it up. Okay. So that, at this point, is basically just pushing to a file, and we open another window and we're going to monitor that file. And okay, so we will, this guy just created a script. It's going to sit there. Okay, so if nothing is happening, it doesn't do anything. It just sits there and does nothing. So when I initially got it, basically, how I confirmed it was just going here and playing with stuff. And it was kind of neat because I would start to see, kind of, going to do a lot of stuff. I didn't say that. Wow, that's an incredible amount of stuff. Okay. Yeah. So there we go. That's what I was expecting. Like, literally the thing is just puking its guts up. And you know, it's kind of neat. So like, you know, I've seen CVEs come across; I'm subscribed to the RSS feed, and sometimes memory disclosure can be tricky to exploit to actually get something valuable, because, you know, a lot of times you don't have control over exactly which memory space you're going to get. And so one thing that's kind of neat about this is just how easy it is to get stuff. It's kind of funny. That's why I named this talk what I did, because it's like, basically, other than me breaking the device, everything just lined up, the stars aligned, and, you know, at the end of the day, the world's a safer place. So what I thought was really cool one time is I was sitting in here and I changed the password. I'm in the admin portal and I saw it right there. I'm like, okay, well, there's secrets right there. And on one of my slides, you can't really read it very well, but basically when you configure the SIP endpoint, you know, you have to give it credentials, and I could see those in the dump as well. Okay. So at this point, what I'll do, so I've got a couple numbers registered to this.
So what I'll do is, since we've done a bunch of stuff, I'm going to reboot this phone, and that basically will, basically like, wipe its RAM and also let me get to the web interface to change its phone number. And while that's rebooting, I'll talk about a couple things here. Okay. Yeah. So obviously, there's not a whole lot of technical chops being put on display for finding this one. Let me kill this before it locks out this phone again. So, but what this did do was present a lot of opportunities for, like, I guess, lessons that I already knew, to kind of reinforce them, and some insights about things that I had not really thought about. And so, you know, we have all these sayings like, you know, hacking stuff for fun and for profit. And I've used that myself and, you know, it sounds cool, but I never really thought about the actual words. But it kind of hit me the other day; I was reading, you know, someone's Twitter or something, and basically people just going off. And, you know, it just really struck me that I think sometimes we need to step back and see where we're at, how we got here and where we're going, and really why we're doing what we're doing. Because not that long ago, and even still today, you know, a security researcher would find something like this and reach out to a company and either not get a response or get sued. And so, for me to be able to just reach out to them and, you know, basically just browse my way to a 10 and 9.8 CVSS bug on Shodan with absolutely no intent. And then find the company, and they have a disclosure program, they want to hear about it. They're very friendly and professional. And then they fix it. And it all just went so swimmingly. Like, that didn't just happen out of nowhere. There was a whole, like, industry-wide, I don't know what you want to call it, but, you know, issue 10 years ago, maybe not that long ago. And okay. Like, the whole question of vulnerability disclosure was a huge deal.
And basically it got to the point where researchers are like, well, you know, we all love technology and we all want the technology that you're building. We all need it. I think, like, COVID, for example, just shows how important technology is to humankind at this point. And, you know, I mean, as bad as it's been, how much worse would it have been? Would it be? It's still going on, obviously. You know, if the people who are working from home couldn't work from home. That's not to minimize the impact that it has had, but just to say, like, you know, I guess it could actually be worse. And so, like, these companies, you know, SIP phones, for example, I mean, that is a key driver to the ability to work from home and have a distributed workforce. And so we rely on not only these things working and not only them being secure, but, like, the people's trust in them. Like, that's the worst possible thing that could happen, is if people just stop trusting the internet; that's going to be a problem. And no one is going to protect it or can protect it. So, like, it falls on this relatively tiny community. And so, yeah, I mean, it's a very high-paying industry in bug bounties. Like, I was watching an interview between Mayonaise, I don't know his real name, and NahamSec the other day. And, like, so he started doing bug bounties in late 2018 and has already made over a million dollars. I mean, that's amazing. But at the same time, it's important to understand where we came from and not be so caught up in that stuff that we're basically going off on Twitter because somebody didn't pay us as much as we thought they should pay us for a bug. And that doesn't help anybody. So I think, like, sometimes you've got to do it for fun and sometimes you do it for profit. In this case, I did it for fun. And, you know, the other day I was basically just like, what else can I do with this? And I thought this might be kind of cool.
So actually, the biggest issue I had with it was my internet connection is going through carrier-grade NAT. So my public IP is not actually public. So getting the SIP traffic to me has been a debacle. But I actually applied something I picked up from the SOHOpelessly Broken lab I was doing, like, last year with, you know, tunneling stuff through SSH. And so that's what I'm doing right now: basically, UDP SIP traffic is hitting Twilio and going to AWS, through an SSH session that I created outbound, and getting forwarded all the way to this phone. So basically, let me get a couple things set up. What I was going to do is I'll post a number. I've got, like, scripts and everything, just grepping stuff out to mask phone numbers and stuff. But if you call, and you saw how fast that's coming up here, it's grabbing the phone numbers and it's going to show the last four digits and I think, like, the first one or something. And so if you call this number I put up there and your number shows up on this board over here somewhere, ping me after this and just tell me the remaining digits and your email address, and I'll send you a Kindle, like a redemption code for the Kindle IoT Hacker's Handbook. Okay, so I'm going to turn that off for one second. I'm going to mute myself so you don't hear me, like, clacking these keys, and then just get a couple things set up here and we'll be all set. Yeah, so I think I put this out there, but, like, only the first five people can I do that for. Yeah, I'm not Mayonaise. So let's clean all that stuff. Okay, this night, like, you see what I'm doing here, nothing crazy. Okay, it's going to clear up this phone right now. My bad. You ever have yourself, like, double muted on a meeting or something? I basically just did that to myself. I'm sitting here talking to you. My bad. So I do have it all just basically ready to fire off. Because that window died. Is that one? That's actually the one we care about anyway. So that should work.
Okay, and if anybody is watching that window, they probably realize it's literally not doing that. So I'll hide that window so I don't put people's phone numbers out. It looks like we're close. We're at the time here. So same, I guess. I mean, if you want to let me stop. But basically, we've got two. No, Matt, you're all good. If you want to sort of show anything off. I mean, like, you're the last talk. So don't worry. I can keep going for a while. I mean, there's people there and you've got time. That's cool. So I do. I mean, I can see this person's called right now. So, you know, I think I'm not in the Discord at this moment. I was having some problem with it. But just ping me. I'll hop on there as soon as we get off here, and give me your email address and I'll shoot that over to you. 06275 might be the only one. That would explain 5702. So if these numbers are your phone numbers, you know, the last portion of yours, ping me. So what was that, 2? 93310. It's kind of funny because of the way I had to get that stuff working through SSH tunnels. It basically does not understand that you hung up. Well, that was three. I'll go through here and if there are two more unique ones, post that. There's one right there. 25120. And actually, I thought this may happen if you are actually using, like, a SIP trunk that's not PSTN sourced. So yeah, you know, I threw this together kind of cheap and fast. And you know how they say you can have things cheap, fast and good, pick two. This is cheap and fast. One second. If that's a legit source, we want to... I believe that's anonymous at... So I mean, if that is legitimate, that's cool. Here we go. Okay. 60918. I think that's five. So if any of those rang a bell to you, then just ping me after this. I'll send those codes over to you. And if that ends up being six, that's cool too. Okay. So let's switch. But actually, it's a little bit, I'm kind of glad it worked out like that, even though it was a little unplanned.
I was, you know, based on my testing, I was a little afraid, like, five people would call just like that, and we wouldn't even be able to find them. So okay. So I think I went through some of this already, most of this. But so, Shodan dorking. And someone mentioned a similar service to me the other day, and I can't remember it. But a lot of times I think we use these tools when we have found a vulnerability and we want to see the scale of the impact. I propose that you could, well, I mean, what this demonstrates is, like, there's a lot of untapped data out there. And they have an API. And so it's like, if you're wanting to get into IoT and don't want to go spend $142 on a phone and then break it and then buy another one, which is completely understandable, one potential way to pick a target would be to use these APIs and structure a search that maybe searches for something like a bunch of 401s and then something unexpected. Or if you know, for a particular request, the results for a certain type of device are typically of a certain size, search for things that are outside that realm. Okay. So yeah, this is kind of something I've just applied. So I've been doing computers professionally for 20-something years. And, you know, my whole life, I'm geeking hard, I love it. And I do it because I love it. And I would be doing it even if I wasn't getting paid. And I've noticed over the years, whether it's in selling hardware, software, networking, or services, when you are invested in something because you care about it and you're not just, like, pushing stuff on people like the traditional salesperson, and just having fun, you know, money follows that and it builds trust. So I would propose to people, especially people who are trying to get into the industry and maybe see, like, wow, look at all these people doing all this cool stuff, making all this money, this is so cool, I want to get me some of that.
There's a whole lot behind the scenes that you're not seeing when you see that. And so it's very easy to get frustrated if you have, like, the wrong, you know, you're focusing on the wrong thing. And so hack for fun and the profits will come. I truly believe that. And the only other thing on here that I want to point out is we really do need to praise these companies like Mitel. And there was someone else this week who gave a talk and he's like, you know, this company was spectacular. I mean, that's not nothing. And really, like, you could put companies on, like, the grief scale, right? Like, over here you have denial, over here you have acceptance. And 10 years ago, everyone was in denial. And if you went to them with it, they just preemptively sued you out of fear and denial. And there's still people there, still companies at that place. And then you have companies who are like, hey, you know, come hack us. And if you write us a good report, we'll pay you even if you don't find bugs, because we care and we want our stuff to work right. And, you know, there's people everywhere in between. And while we as, you know, even if you're not in this for bug bounties, but you're in it for, whether it's just the good of the internet or pen testing as a career, whatever it may be, there are some elements that are similar to, like, traditional IT jobs, where, like, you don't just walk into a company and be like, hey, you know, let's replace all your computers and upgrade Windows to 2019 and all this, you know, Exchange in the cloud tomorrow; you have to build a relationship and trust and understand them. And there's a whole bunch of stuff that goes into that. And I think if you approach this industry with that same attitude, we'll get to a place where we understand that, like, software vulnerabilities are going to happen. It doesn't matter what controls you have in place. Human beings are writing it and it is only human to make mistakes.
And we don't want to, like, stigmatize it. Actually, I think we should praise the people that are doing it. And really, where we're at right now is there's basically a set of companies who are subsidizing this burgeoning industry. And I realize, you know, it's quite several years old, but in the grand scheme of things, it's still pretty new. And so we need to move these companies from over here to over here. And that's going to take time. And I can think of one scenario in my own experience, where I basically, like, reported something to a company; clearly it was an impactful bug. They didn't see it that way. You know, I was like, okay, cool. You know, that's cool. Yeah, I didn't push it. I haven't returned to their programs since then. But I actually noticed, like, a few weeks ago, maybe a month ago, you know, now they're doing things to try to attract researchers to their programs. So what I think is happening there is, like, they probably realized, like, yeah, we're not getting much traffic. And so they're slowly moving over in this way. And, you know, it takes time. And if you're getting upset, going off on Twitter, or, you know, just being unprofessional, not only is that going to hurt you, but that's going to hurt the whole industry, because, I mean, you represent this industry to those people. And that can be dangerous for us all, because really, at the end of the day, we do need all this stuff to work. And I mean, like, the Great Firewall of America is now a topic of discussion. I mean, that's like a vote of no confidence in the internet. That's a concern. And we need to not let that happen. And okay, so I'm 15 over. So that's cool. Thanks for the extra time. Ping me afterwards if any of those numbers were yours. Thanks for your time. Happy DEF CON.
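An added, defender-side example that is not code from the talk, from Mitel, or from the speaker's demo scripts. The demo shows the shape of this bug in traffic terms: a handful of failed logins (401s), the lockout control kicking in, and then a 403 whose body is a large blob of process memory instead of a small error page. The Shodan section adds the heuristic that responses whose size is outside the normal range for a device deserve a look. The Python below turns those two observations into checks an operator can run over their own web-server logs: it flags a client that trips the lockout, flags 403 responses far larger than the usual lockout page, and measures how much of a captured response body is non-printable. The log lines, IP addresses, sizes and thresholds are constructed for this example and are assumptions, not values from the talk.

```python
"""Log-based checks for the lockout-then-leak pattern (added example, not
code from the talk or from Mitel). Sample data below is constructed."""
import re
from collections import defaultdict
from statistics import median

# Apache/Nginx Common Log Format: host ident user [time] "request" status bytes
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-)$'
)

# Constructed sample: 203.0.113.5 fails login five times, gets locked out, and
# the 403 bodies it then receives are ~64 KB instead of the ~700-byte page.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Aug/2020:13:01:02 +0000] "GET /login HTTP/1.1" 401 512
203.0.113.5 - - [10/Aug/2020:13:01:03 +0000] "GET /login HTTP/1.1" 401 512
203.0.113.5 - - [10/Aug/2020:13:01:04 +0000] "GET /login HTTP/1.1" 401 512
203.0.113.5 - - [10/Aug/2020:13:01:05 +0000] "GET /login HTTP/1.1" 401 512
203.0.113.5 - - [10/Aug/2020:13:01:06 +0000] "GET /login HTTP/1.1" 401 512
203.0.113.5 - - [10/Aug/2020:13:01:07 +0000] "GET /login HTTP/1.1" 403 64120
203.0.113.5 - - [10/Aug/2020:13:01:08 +0000] "GET /login HTTP/1.1" 403 65008
203.0.113.5 - - [10/Aug/2020:13:01:09 +0000] "GET /login HTTP/1.1" 403 63990
198.51.100.7 - - [10/Aug/2020:13:02:00 +0000] "GET /login HTTP/1.1" 401 512
198.51.100.7 - - [10/Aug/2020:13:02:01 +0000] "GET / HTTP/1.1" 200 2048
198.51.100.7 - - [10/Aug/2020:13:02:02 +0000] "GET /admin HTTP/1.1" 403 690
192.0.2.9 - - [10/Aug/2020:13:03:00 +0000] "GET /admin HTTP/1.1" 403 700
192.0.2.9 - - [10/Aug/2020:13:03:01 +0000] "GET /admin HTTP/1.1" 403 710
192.0.2.9 - - [10/Aug/2020:13:03:02 +0000] "GET /admin HTTP/1.1" 403 720
"""


def parse_line(line):
    """Parse one CLF line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "host": m.group("host"),
        "time": m.group("time"),
        "request": m.group("request"),
        "status": int(m.group("status")),
        "bytes": 0 if m.group("bytes") == "-" else int(m.group("bytes")),
    }


def find_lockouts(entries, min_failures=5):
    """Hosts whose request stream shows >= min_failures consecutive 401s
    immediately followed by a 403, i.e. the lockout control was triggered.
    The threshold is an assumption; tune it to the device's real limit."""
    by_host = defaultdict(list)
    for e in entries:
        by_host[e["host"]].append(e["status"])
    flagged = []
    for host, statuses in by_host.items():
        run = 0
        for status in statuses:
            if status == 401:
                run += 1
            elif status == 403 and run >= min_failures:
                flagged.append(host)
                break
            else:
                run = 0
    return flagged


def find_oversized_403s(entries, factor=10):
    """(host, bytes) for 403s larger than factor x the median 403 size.
    The median is used so a few huge leaked bodies do not drag the baseline
    up with them; the factor is an assumption."""
    sizes = [e["bytes"] for e in entries if e["status"] == 403]
    if len(sizes) < 2:
        return []
    threshold = factor * median(sizes)
    return [(e["host"], e["bytes"]) for e in entries
            if e["status"] == 403 and e["bytes"] > threshold]


def nonprintable_ratio(body):
    """Fraction of bytes outside printable ASCII and common whitespace.
    An HTML lockout page is close to 0.0; raw process memory is not."""
    if not body:
        return 0.0
    bad = sum(1 for b in body if not (32 <= b < 127 or b in (9, 10, 13)))
    return bad / len(body)


def analyze(log_text):
    """Run both log checks over raw log text and return the findings."""
    entries = [e for e in map(parse_line, log_text.splitlines()) if e]
    return {
        "lockouts": find_lockouts(entries),
        "oversized_403s": find_oversized_403s(entries),
    }


if __name__ == "__main__":
    print(analyze(SAMPLE_LOG))
    print(nonprintable_ratio(b"<html>Forbidden</html>\n"))
```

Run it as-is to see the constructed sample flagged; point `analyze` at a real access log to look for the same pattern. The size check only works when the log records response bytes and the device's normal lockout page is in the sample, and `nonprintable_ratio` is for a body you have already captured from your own device, for instance while confirming that a firmware update returns a plain error page.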