My name is Bryson Bort. I'm the founder of a startup called SCYTHE, which, I just found out this week, completed our seed round raise. So if you've never been in that position before, there's no better feeling than when you finally get to stop having to ask people for money and just start doing the job. So you could give a round of applause for that. That would be cool. So when I'm not building attack simulation platforms, I'm the co-founder of the ICS Village, right over there; I hope you come and check us out. In today's talk I'm going to be talking about some different issues around the Internet of Things than you've probably heard before. So the agenda will start off by painting what the landscape is, the different kinds of attack types. Enterprise? This guy translated over and dropped my letters. Oh yes, this is the enterprise. This is where the IoT is and how to defend against it. Yes. So what we're going to be showing is, by working from what we've seen, one of the things that I'm going to take with my research a step further is showing how easy it is to build a mass attack campaign. So not just going after a particular IoT device, but showing how to build, no pun intended, the fishing net to go after tens of thousands at a time. And then the reason for the name of the talk was that I wanted to talk about how to turn all those IoT devices into your own Tor. Has anybody ever had to give a talk before and you're running down to the deadline to complete your research? You know that feeling? And then you don't finish your research. So that part's going to be a little conceptual. I didn't quite get all the way through it. Turns out putting the village together took a little bit more time than I'd hoped. But I will set up the concept, and I will continue to publish that research as I actually do complete it. All right. So who has IoT devices? Right? 
This is where we all raise our hands. The thing about this Internet of Things is they're ubiquitous. They're everywhere. I mean, we're not far away from these computers being embedded in our clothes. You start thinking about that: computerized underwear. That's coming. It's happening. And that's a reflection of the fact that computing has finally reached this point where it is so cheap that we can mass produce it and we can push computation anywhere. And that has phenomenal use when we start thinking about its purposes in our daily lives or in manufacturing, industrial control systems, the delivery of that. There's the ability to collect that data and then to bring some sort of automated intelligence analysis to drive something. It's fantastic. But then we start to think, well, what else could it be used for? And all that computational capacity is sitting out there just waiting for somebody to do something with it. So we have, as a part of the CTF, what we call Howdy Neighbor, and that's a model smart house. And this is one of the things that we're going to be pushing out in the coming weeks: we actually have an IoT workshop for those of you who want to stand up your own piece to demonstrate what I'm going to be going through in today's research. So we're going to be pushing that on GitHub. So stay tuned. And that'll show you everything you need to do to set it up yourself. We'll push out the builds. You don't even need to have your own environment. We'll provide the environment, and from the comfort of your own home you'll be able to walk through everything that I'm going to be demonstrating today. So, CES, which is actually here in Vegas and is about six times the size of DEF CON. I've never seen 200,000 people together before. I was there giving a talk on automotive mobility. 
And so I went with a journalist and we walked the floor, and of course the setup here is we went to see all the new IoT devices that were coming out. And if you can imagine the discussions on security as we walked the floor, nobody had given any thought to it. This was my favorite though. So this is this engineered umbrella. This umbrella literally could do everything. It had built-in solar power that fueled a battery down here. It had just about every single communication protocol I'd ever heard of. I mean, it did your homework for you. It followed the sun around. It was incredible. And I started thinking to myself, well, why did we need to put all of these things in there? And then I thought of the second question, which is, how much does that cost? And so fortunately I was lucky. The COO was there and was kind enough to come up, and she's like, just guess, how much do you think this umbrella costs? What? $350. Whoa, you're like a magnitude off. You look like you raised your hand, so I'm going to pick on you anyway. Guess the number. Above 350. 50,000. Well, it's not a Porsche. Porsche of umbrellas right here. What? $9,000. $9,000, right? So yes. So of course the logical question is, who's the demographic? Who buys a $9,000 umbrella? I was lucky again that I was talking to the COO, because she informed me she was buying 10 of them for her vineyard. I don't own a vineyard. So I summed up my experience of CES with two things. If it could be interconnected, it was. And everybody now wants to talk to everything. So you now have the choice, because they are putting voices into everything. So it's no longer just going to be in your head. Everything you're going to be interacting with, you'll be able to talk to it and it'll talk back. Now there was a really interesting public quote, I think it was about two years ago, and I'll throw the company under the bus: LG. 
And they were releasing their new product line of all consumer appliances. And the vice president or whatever of products gets up at this press conference. And this is what he says. He's like, we are putting the internet in everything. And of course the logical question from somebody in the audience was, why? He's like, well, because. And so they came up with the idea, like, well, a toaster. Does a toaster need to be internet connected? He's like, no, but we're doing it. Seriously, you can look this up. This was the conversation this guy had in public. All right. So we've heard of IoT. We know about IIoT, the industrial Internet of Things. It's basically the inclusion of that ubiquitous computing so that we can drive decisions for all sorts of interesting things besides what is in the consumer environment. I point this out because in this talk I'm using consumer devices to demonstrate it, but it applies just as easily to your house as it applies to the manufacturing floor as it applies to lots of different uses of critical infrastructure. So the state of affairs. These are the three kinds of things that we've seen. We have seen Brian Krebs get DDoSed by hundreds of thousands of Internet of Things devices. We have seen ransomware start to appear, and ransomware lands on an IoT device and locks it down and says, send me bitcoins. And then cryptojacking. Cryptojacking is the fact that now that bitcoin is actually worth something, I can take advantage of those computational cycles that are free to me as the bad guy and use your spare cycles to go mining cryptocurrency. Now if you look at all of this, how does this affect you, the end consumer? Right? These devices are in your home, so it might be a little bit of an inconvenience that you're using a little bit more electricity. Certainly the ransomware might be an issue, but that hasn't been that widespread. And then DDoS and Brian Krebs doesn't really affect you. Right? 
So it might be a bit creepy that I'm on your web camera, but I haven't really done anything to bother you. And so we get a little carried away, because our community, we really love zero-days, but we still have to really start to think about, what does it matter? Right? Zero-day a Nest thermostat. Am I really going to do that research so that I can play with your temperature? Like, I don't want you to have 68. I want you to be 70. There's no money in that. So we need to put it in perspective of what, in fact, the security research is accomplishing. So history of attacks. These follow two basic models. So, Mirai. What they did is the fact that most people don't change their passwords. And there are about 10 default password combinations that work on just about everything. And so the vendors pushed those out to you, and the default password worked. So what Mirai did was just scan the internet, and anything that it saw that talked back to it, it threw those 10 password combinations at it. Guess what? That worked. Reaper and IoTroop took it up a step further. They went and identified, because security researchers like us are constantly identifying these things. And let's say that even a security researcher who's doing the right thing contacts the vendor privately, gives them time to push a patch out, and then releases the research. Well, they release that research as a proof of concept. So that code is there for somebody who can just copy it down and use it. Now, assuming that the patch has been applied, that's great. That doesn't work. How many folks actually go around applying patches to their IoT devices? And we're the smart ones, right? We even know what a computer is. For the rest of the world, it's black voodoo magic. And they've never even considered what a patch is. 
And so what Reaper and IoTroop did was: I'm just going to enumerate about 65 to 70 devices across multiple categories, match those to known exploits, because I've just pulled down that proof of concept code. Enumerate is where I fingerprint a device so I know exactly what it is. Because you can't just go throw exploits willy-nilly. They won't work. They work on certain models and certain firmware versions. And so, same case here, I have to make sure it is the device that I think it is. I match that up against my list, and then I'm going to launch that proof of concept code and automatically take it over. The difference here is, up here, if you change your password, this won't work. Here, it doesn't matter. If the patch isn't there, then the device will be compromised. So phone patch history. Everyone has a phone. Who's heard of Stagefright? You remember Stagefright? What was Stagefright? Yeah, that's right. Stagefright, it's like a pun. So it was an SMS attack where I just had to send a text message to your phone, independent of you doing anything, and I got remote code execution. SMS. And so that of course was a really big deal, because that works on both Android and Apple. You didn't even need to participate. I just sent some text, boom, I got you. So of course, that was a critical failure. They pushed out patches. Nine months after it was discovered, these are countries, doesn't matter which ones, but fundamentally you just look at the red versus the blue. Nine months after the patch was pushed out into the population, and cell phones are actually fairly easy to update compared to IoT devices, which you usually have to go manually download something for and then figure out how to interact with your device. This was how much of the world was still vulnerable. Nine months after a patch of that critical magnitude. Yeah, I mean, that's scary, right? This is our environment. Did you know that you're only supported for so long by your operating system vendors on phones? 
You have to buy a new phone. There's just going to be a point where you're on your own. And that is of course much shorter than what we see on traditional PCs. So the setup. What we're going to show for this demonstration, like I said, this is a commercial demonstration, but the same thing would apply to any similar embedded system device in any other kind of environment, is that our consumer and our smart house, they want enhanced security. Alarm systems are expensive; why am I going to spend 99 bucks a month for ADT? I want to secure my house. Cost is a factor, as it often is. Consumers are primarily driven by two things. Function: I want to do something. Cost: I don't want to pay a lot. And so people are used to buying security cameras. So this is just a nominal security camera that we're going to use and put into our house. All right, let's see if I can get this going. So our customer has bought his camera or her camera, and he or she, what? Okay, that's bad juju, still works. All right, so we are logging in and we are setting up our web camera, and we're in. All right, at least it tells me I should change my password. That's a good start. So I'm putting in a really good password. I'm going to follow basic principles here. Oh, all right, well, nope, it doesn't want special characters. So it's actually going to try to make me less secure. Thanks. So this is me trying to do the right thing, and it won't let me do it as far as I want. So nope, still making it hard. All right, we got there. Okay, so our camera's set up. You can actually go and see the view from the house across in the ICS Village. We set up port forwarding so that we're able to access this from the internet, because of course for an internet security camera, this is something that I'm going to be using when I'm away from home. Okay, and let's see what our password was. It's applesauce bang. Now remember, we tried to make a harder password, but it wouldn't let us. 
But we're still ahead of the game, because we've changed the default password, and we're a step up. All right, so what we're going to do is show the attacker perspective now. Our consumer's set up their IoT device, and what we're going to do is go from reconnaissance, to identifying what is everything we can see in the world, because the starting point from an attacker perspective, particularly when I'm looking at how to attack thousands to tens of thousands of devices around the world, is to find them, and I can only affect what I can touch. Enumerate: I want to make sure that I'm dealing with exactly what I think I'm going to, that works with my exploit. I'm going to compromise, and then this is the part where we're going to make it more interesting. I'm going to use that IoT device, not because of the IoT device itself. I'm not interested in creeping on you in the webcam. I am interested in your personal information, your social security number, your bank accounts, your tax forms, and that's what we're going to do. We're going to show how to pivot through the network to take over other devices, eventually working my way to something that is interesting and stealing interesting information off that. So first, reconnaissance and enumeration. So like we talked about, the camera's connected in. Censys is just another version of Shodan, so we look out there for the model of camera that we're interested in from an attacker perspective, and we just happen to coincidentally pick the camera that matches what this consumer's put in, and by a quick search we can immediately see 2700 cameras around the world that are available on port 80, so unencrypted, and now we get to play Z-Hackas. And of course we always have to have a picture when we demonstrate the hackers, of two items that do not go together, to demonstrate that we're doing bad things. So I hope all of you are wearing your masks and carrying a hair camera when you are hacking away. 
And so now we're going to demonstrate the attacker view of how he's going to, all right, so first we're going to start with our reconnaissance phase. So we're going into Censys, which like I said is a Shodan equivalent. And we're going to pair together just the keys to identify that camera against port 80. We like port 80 because it's just open without any certification. And here we get back all of the cameras that match that around the world. Probably have elevator music during this part. Okay, so we see there's a lot. And the point of this is that this can be scripted. All right, so we click in on a specific one and we see that through this we automatically can get a lot of information. All right, so now we're going to try to get in, and we're going to start off with the Mirai approach, which is we are going to try all of the password combinations, see if we can get in. And we failed. Score one for the home team. All right, so now we're going to take it a step further. Hey, you told me this would be easy. I'm not good with computers. All right, so now we just saw the Mirai approach, where we try the default combinations, and that failed because we did change the password. And so now here is the code where we're going to launch a known n-day that we've identified. That was the slide I just skipped over quickly, I apologize; there's proof of concept code for the n-day that's out there. No technical knowledge, all I have to do is copy-paste that down, and then my script here essentially goes to all the IP addresses that I pulled down from Censys and launches that known n-day against all of them. And we're on, we're root. So even though we changed the password, of course, that was irrelevant; we have remote code execution. So now what I'm going to do is enumerate the network for services. So this is the initial scan to identify what else I can see. Now I'm looking for file shares. Of course file shares locally are where we post interesting information. 
And I find a Windows share. So we tried brute forcing that. One of the advantages is also, if you think about it, since, pause this for a second. Now remember, our user initially changed the password on their web camera. So they were trying to do the right thing. How often do we reuse passwords? So when I use my exploit to land on that camera, I'm going to of course have access to your password file, and I'm going to take that password and try it against everything that I can see. So part of what I enumerate in that network is I'm now going to add that into a dictionary attack in different combinations, because most of us tend to follow patterns of reusing passwords or derivative passwords. And I'm going to try that now on everything that I see. And that's how we get access into the Windows file share. And so of course we do a directory run to see what we can get. We see some photos. We pull all those back, because we're going to start with the fun stuff. So what kind of photos do we get? The Grim family. If you go look inside the house, you can actually see the family portraits. So like I said, this is creepy, but not that interesting. Let's see what else we can find on the computer. So we're now going to start looking for documents and try to find things of interest. Again, keep in mind that the key to all of this is that this would be scripted. So the automated capability to do this, walking through each of those steps, is what makes this interesting, right? How am I doing this times thousands? Not that I'm actually hands on shell right there. So we take all the documents, and in those documents we get all your passwords, check with your bank account and routing number, and your tax forms. Yeah, oops, somebody say oops. So what can I do? Let's go back to the first principle. Does anybody remember what it is? Can it attack or just do anything, right? I can only do something to what I can touch. So starting point: place it behind a firewall. 
Something should not be internet accessible unless absolutely necessary. And putting it behind a firewall, you can create some state-based rules that will allow you to restrict that traffic so that it doesn't just do that. Changing default credentials. We saw that that worked against the initial kind of attack. It's not necessarily that I have to be faster than the bear, but I just have to be faster than somebody else running away from the bear. As long as folks continue to fall behind on these basic rules, attackers are not going to change their mindset. They will continue to run the sweeps that work, because that produces results. When all of us start to establish a higher level, then that's what's going to require them to shift. By definition, hackers are lazy, right? What's the bare minimum that I need to do to get the effect that I need? Patches, applying patches, right? This is the pain in the ass thing, because every IoT device is going to be pulling from a different place. Each vendor is going to have its own approach. And we're going to talk at the end of the talk about things that the manufacturing community could do better, because this burden should not be on us, the consumer, as much as it is. But my recommendation now: just like every year you have to do your taxes, every year find some time, like spring cleaning, make an inventory of your devices, go to the manufacturer website for each of those devices and try to identify the latest patch and install it. And then finally, segregating your Wi-Fi networks onto VLANs. So in that previous attack, everything was on the same network, which is what allowed me to see it. All of your IoT devices should be on their own segregated VLAN at least. And then the important things, like the PC that you're using to do your taxes or to access your bank account, should be on its own VLAN by itself. 
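The "spring cleaning" the speaker describes above (inventory your devices, check exposure, credentials and patch level, and keep trusted machines off the IoT VLAN), together with the password-reuse pivot from the demo, can be turned into a small defender's audit. The script below is an added example for this transcript, not code from the talk, the ICS Village workshop or the Howdy Neighbor CTF; the device inventory, the `DEFAULT_CREDENTIALS` set and every name and version in it are constructed for illustration, and `password_stem` is a hypothetical heuristic for spotting derivative passwords ("applesauce!" versus "Applesauce2") rather than any vendor's check.

```python
"""Home IoT inventory audit (constructed example, not the talk's own tooling)."""
import re
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class Device:
    name: str
    role: str               # "iot" or "trusted" (the PC you do your taxes on)
    vlan: str
    firmware: str
    latest_firmware: str    # what you found on the vendor site during inventory
    username: str
    password: str
    internet_exposed: bool  # a port forward or UPnP mapping points at it


# Constructed sample of vendor default pairs; not a list from the talk.
DEFAULT_CREDENTIALS = {
    ("admin", "admin"), ("admin", "password"), ("admin", "1234"),
    ("root", "root"), ("root", "admin"), ("admin", ""),
}


def password_stem(password):
    """Hypothetical heuristic: drop digits, punctuation and case so that
    'applesauce!' and 'Applesauce2' share the stem 'applesauce'."""
    return re.sub(r"[^a-z]", "", password.lower())


def version_tuple(version):
    """'1.4.1' -> (1, 4, 1); compares as a tuple, so 1.10 > 1.9."""
    return tuple(int(n) for n in re.findall(r"\d+", version))


def audit(devices):
    """Return sorted (device, issue) findings for the four talk recommendations
    plus password reuse across devices."""
    findings = []
    by_password = defaultdict(list)
    by_stem = defaultdict(list)
    iot_vlans = {d.vlan for d in devices if d.role == "iot"}
    for d in devices:
        if (d.username, d.password) in DEFAULT_CREDENTIALS:
            findings.append((d.name, "default credentials"))
        if version_tuple(d.firmware) < version_tuple(d.latest_firmware):
            findings.append((d.name, f"firmware {d.firmware} behind {d.latest_firmware}"))
        if d.internet_exposed:
            findings.append((d.name, "reachable from the internet"))
        if d.role == "trusted" and d.vlan in iot_vlans:
            findings.append((d.name, f"shares VLAN {d.vlan} with IoT devices"))
        by_password[d.password].append(d)
        by_stem[password_stem(d.password)].append(d)
    # Exact reuse: the pivot in the demo only worked because the camera and
    # the file share used the same password.
    for group in by_password.values():
        for d in group:
            others = sorted(o.name for o in group if o is not d)
            if others:
                findings.append((d.name, "password reused on " + ", ".join(others)))
    # Derivative passwords: same stem, different string.
    for stem, group in by_stem.items():
        if not stem:
            continue
        for d in group:
            others = sorted(o.name for o in group if o.password != d.password)
            if others:
                findings.append((d.name, "password is a variant of the one on " + ", ".join(others)))
    return sorted(findings)


def sample_inventory():
    """Constructed household: everything on one VLAN, like the demo house."""
    return [
        Device("camera", "iot", "home", "1.2.0", "1.4.1", "admin", "applesauce!", True),
        Device("thermostat", "iot", "home", "3.0", "3.0", "admin", "admin", False),
        Device("laptop", "trusted", "home", "22.04", "22.04", "grim", "Applesauce2", False),
        Device("nas", "trusted", "home", "5.1", "5.1", "grim", "applesauce!", False),
    ]


if __name__ == "__main__":
    for name, issue in audit(sample_inventory()):
        print(f"{name:<11} {issue}")
```

Moving `laptop` and `nas` to their own VLAN, changing the thermostat's default pair and giving each device its own password clears every finding except the camera's patch level and exposure, which is exactly the residual risk the speaker goes on to discuss.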
Now granted, this only ups the ante, because those VLANs are just, of course, virtual LANs that are all going back to a common router. And it's the same issue that our web camera had; routers can have that same problem. They have n-days that are published, and you can exploit that and get past this barrier. But again, you're stepping it up to at least a higher level. Who's heard of the concept of herd immunity? What is it, sir? So like IoT devices. We don't have any vaccines. This is the threat that we're facing. It's not individual IoT devices. It's not even the damage or nuisance of how I could do some damage to a group of folks in a consumer environment. The risk is that every day there are more and more of these coming into our environment. I mean, I don't know what the number is, but I can't imagine it's less than tens of thousands that are being introduced into our internet every day. And we talked about the fact that, while it might be inconvenient that these things can be reused for malicious purposes against someone else, it's actually decreasing the security of the overall environment in ways that we hadn't thought. Because it's no longer, oh, okay, the web camera got taken over, but we've already started to see how that web camera is a pivot point to other things that would have been more secure had that not been in the environment. IoT devices are putting us in the same kind of challenge, where we're going to increase our probability of a different kind of outbreak in our environment. I mean, in this country, in the world, because we're continuing to introduce this capability that's insecure. By itself, it's a nuisance. Adding the fact that all these devices are connected, we are increasing our overall risk. So, call to action. Manufacturer accountability. Has anyone ever seen a manufacturer punished for putting out an insecure device? There are no consequences. There are none. We've already seen how difficult it is to apply a patch. 
We've seen that they can push out something where everything has default credentials. It does not take a lot of engineering to have a unique password pair supplied with each IoT device that's issued to that consumer. So your own admin password has already been changed for you and is unique to your device. That would solve a large percentage of the problems that we're seeing. That is on the manufacturer. The other piece, of course, is I don't think it's reasonable to expect any vendor to push out a completely secure device. Has anybody ever seen anything that's unhackable? I mean, except for John McAfee. But besides him, and he got quickly proved wrong, because nothing is unhackable. So it's not a question of can I push out something that is absolutely completely secure, particularly when it costs $39, but why can't we demand that they have planned for a security life cycle, right? It's not that you made sure that it's secure tomorrow, but that it's very easy to secure down the road. You have a disclosure policy that allows independent researchers to identify things to you, and you have a time period in which you're required to turn around a response. Push out a patch, right? Push out a patch. Make that patch available. Make it easy for the consumer to take it and apply it. We are all dealing with this problem because the manufacturers have no incentive to change, and the burden is being pushed on us to solve it. So references for more information. Obviously the ICS Village; we pushed a lot of this. There's also the IoT Security Foundation, and then I Am The Cavalry. These are all independent organizations, nonprofits, pushing security education and awareness around this problem. These are things that all of us as volunteers do; this is our passion, because I think it takes the experts who identify the problems to push for calls to action, highlight the issues and try to drive a change. So I talked earlier about the reason this was originally called TORT. 
The Onion Router approach for IoT, that's going to be my upcoming research that I did not get done in time for today. So I'll be pushing that out, and that'll be coming to future areas. As well as the Home Hacking Lab, which will have a build environment and a setup for you to be able to demonstrate and build the scripts to automatically attack. Not illegally, but in the comfort of your own home with something that you own, so that you'll be able to prove this yourself. So we'll be pushing that out on GitHub in the future. I think I have time for, like, one question. Anybody have any questions? Yes, sir. Just one thing from your slides, we do spring cleaning. So the original idea there for the complex password that you were forced to change every 30 days and cannot match the prior 12 passwords and must be at least 14 characters long. Have we all experienced that? Okay, the guy who created that standard back in 2003 has now apologized to all of humanity. He was wrong. You don't like any of that. There is no, I don't like any of that. There is tar and there's feather, I don't know. He apologized though, because that's not necessary, right? If you look at what the threat is here, certainly if somebody is already on your network, theoretically you changing access to something like that could cause an issue, but chances are, having done this kind of research for 20 years, I'll tell you, if that was me, I've already got root on your box. You change your password. I already know what it's going to be every time you change it, because I'm root. I'm going to be there hanging out. What you're changing is up here. So you haven't actually shifted anything. And those passwords, you forget them. That's the reason why passwords usually are so derivative and the same, because that's easier to remember. The password was the worst invention in the history of mankind, but we have no other choice. And then that rule was just proof that there is hell. The devil does exist. 
So I apologize, my time is up. I'll be over at the ICS Village for the rest of the day if you have any more questions, and follow along so you can see the additional open source stuff we'll be pushing out. Thank you.