First thing, I need to record my selfie. Thank you guys. Whatever the outcome is, I have evidence. It was a success. So, my success. Yeah, are there any French in the room? Excellent. Lift... You guys are working on that, okay. The French, come on: who has seen Le Dîner de Cons? Welcome to my dinner. For the... yeah, sorry, closed captioning. Sorry folks. A wonderful French movie called The Dinner Game, very dark French humor.

Who has solar panels? Who cares about their privacy? Yeah. You didn't raise your hand? Get out. There's an EFF talk, I think next door; you can ask about privacy. Still nothing? Is it working on that side? Yeah.

Who's seen WarGames? Excellent movie. It hasn't aged a minute. I did. But even if Lightman was cool, I was much more serious about my craft, serious enough not to have the distraction of a girlfriend. By choice, of course. This quote is excellent. It is actually what I believe: I am trying to take things, opening them up and figuring out ways to make them better. Isn't that why you're all here? Well, it's not happy hour yet. Hey, by the way, I need my speaker shot. I could use two, actually. Thank you.

So we're going to talk solar. This is a system by Tigo. I brought the little part that is the only piece that we're going to look at today, which is the connection between the solar array and the internet. It's really cool because not only does it upload production data to the internet, it also downloads configuration for the panels: things like maximum power, voltage, maximum temperature of the panels and things like that. Of course, over the internet. What it does is give the installer the ability to monitor remotely the production of my system. Why? Because they have an SLA, and they actually guarantee production of my array, and they'll pay me back if it doesn't produce what it's expected to. Yes, indeed, I could. I would not, because think about it: about 9,000 kilowatt hours a year of production. This says 15 cents.
Yes, I could score a thousand, two thousand bucks, but I would get busted for it, because this is not the only thing that reports my production. So that angle, you can have fun with. Not with me.

This is what started it all. You know how you take your Nest, or any IoT device: when you initially power it, it starts advertising an access point. You connect to it, configure it, tell it "this is my home network," and then it shuts down and becomes just a Wi-Fi client. Not this one. It connects both to my network as well as the open access point. That really, really bugged me. So I needed to figure out how to fix that problem, and started inventorying all of the attack surfaces I had at my disposal.

We talked about the access point. A little httpd server that we'll talk about later. SSH, cool. Yeah, except there's a built-in defense in depth: maybe it crashes after 1,500 tries. I had to power cycle the device so quickly it was no longer funny. Serial to TCP: I never got it to work, unfortunately, but it had a nice little UI. Do you want the console to be tunneled through TCP, or the display, this little guy, or the gateway that it controls, through a serial port?

From a physical perspective, of course, I opened that box. Remember what I told you: I take a screwdriver to anything. Nicely labeled at the bottom left of the screen, you see a little silkscreen of "console." Guess what? You plug in your serial-to-USB connector and it works. So I had a nice console interface, which unfortunately required authentication, so back to square one. U-Boot: excellent, maybe I could boot it in recovery mode, fix the password. No, unfortunately, they put a password on the bootloader. And now I have a confession.
I live in California. This was October, the middle of winter. This device is outdoors. It was too hard for me to take, so I had to look at an easier path, and a more comfortable one. So behind this access point there is a website, as I mentioned. That website has properties; if you use Shodan you'll find out that actually 12 or so very courageous people, maybe ignorant, decided to have that device also internet accessible. Guys, this is where you're supposed to laugh. Thank you. Thanks to Shodan I was able to verify that my findings... Actually, no, my lawyer is not present. So do what you want with the Shodan findings.

Remember the open access point? It has an SSID. So I went to those wonderful folks at WiGLE.net and looked at their database. Guess what? I'm not the only one who detected those. They're all over the world, and they're captured for posterity. You now have GPS coordinates of all of those devices, or some of those devices. Who wardrives? Thank you. Keep doing it, upload to WiGLE, because it's a treasure trove of data about people that... I can't say f'd up. No, mess up.

Let's go back to the web server. That's it. My talk is over. Thank you. There's an authentication screen. We can't do much about it, can we? Of course not. It's funny how I've seen other slide decks today that also use a password file called rockyou.txt. Who's used it in the past? Oh, come on guys. If you didn't raise your hand... That's the best password file on earth. So I ran my brute force. 36 hours later... Yeah, I know, I know, I'm lazy, but it was 36 computer hours, not mine. Turns out admin/support works very well. Okay, where do we go from there? Looking around the little website on the server, there's a nice little page that caught my attention: "No such file or directory." Ooh. Guess what happens when you put a file there? For those of you who don't have the URL decode option on their Google Glasses, this is what it looks like: copy the shadow file into that location. What would happen?
Yeah, I might brick my $20,000 solar array by putting something there. But I didn't, by the way. This MD5, I tried to brute force it. I failed. If you ever get to it (I believe it is still on those devices), please send me an email; I would appreciate it. So that route didn't work out. I needed something easier. Remember, I can essentially run a script through that injection. So, ps all... Oh, guess what? The httpd server is running as root. Bingo. Also, the manufacturer was nice enough to have netcat already on the device. Ooh. By the way, I won't admit that in public, but it still took me four to six hours to get my reverse shell working. But I didn't say that. I did eventually get it working. I had root on that device.

What do you do with root? I know what I didn't do: I didn't get a copy of the file system. So once I was locked out I no longer had anything to work on. But after a little bit of kung fu with the drive mount... Come on. I know, I know, it feels good to pretend I'm that good. What I did was not rocket science; I just had the time to do it, clearly. That manufacturer picked the wrong customer to sell a device to. I'm sure they're still regretting that move. It probably cost them a lot more in clean up than it did in profits.

So anyhow, looking around the file system, something caught my attention. Actually, not the file system, the running processes: OpenVPN. You guys know what OpenVPN is for? A VPN tunnel. Guess what? That VPN tunnel was on at all times on the device. I didn't do it, and I swear, this is not a joke: I did not scan that VPN subnet. The manufacturer confirmed that all of its little siblings are on that subnet. Of course, nowhere was it mentioned in any of the documentation that nobody ever reads that there was a VPN. Remember, that device is still on my home network. I was trusting it, even though it didn't appear trustable; I was still doing that. So let's move on to me trying to get something done about the device.
So I tried, politely, in October, to get their attention. "Hey guys, there might be a problem. You know, I'd like to talk to someone who actually understands security." Yeah, by the way, in the back, if the font size is too small, next time remember DEF CON is all about LineCon. Get early to the talk. So, a few emails later, while still trying to reach people who might understand me through LinkedIn, my clueless installer and his contacts, I got nowhere. Actually, it got even worse. We're now in mid-December. "Are you the owner of this device? Do you have the right to do what you're doing?" Yeah, I've seen that play out, not that well. They actually already had my full name, my email address, my everything. They already knew everything about me, but they couldn't find me in the database.

This was the icing on the cake. For those in the back, I will read what is highlighted, or I'll paraphrase: "We can help you get access to the system." Do I need access to the system at that point? No, I can help myself. And I need to read that one quote: "Info of system installed on your roof is always kept as confidential since it was installed." Apparently before it is installed, not guaranteed. And you know, English is my second language. I don't understand that sentence.

So, time to change strategy. Clearly I'm getting nowhere. I've been at it for two months already. I'm talking to the wrong kind of support. So I send this email. What I'm saying there is: "Hey guys, here's a picture." You remember the root picture? "Here's a picture. The last line doesn't belong there. Forward this to whoever is in charge. I don't want to talk to you no more." Remember the VPN tunnel? Within an hour they were logging in on that device and they were starting cleaning up. Not security cleaning up: damage control cleaning up. Disabling my account, shutting down the web server, and things like that. In the process they disabled my entire array; it went offline for four to six hours. I was not done helping, guys. Please.
I was trying to be nice. Thankfully, I didn't tell them about one thing I had found while browsing the file system: in that cgi-bin folder there's also a file called "shell." So I got back in and told them the next day about it, and repeat. So that's the best part. Once I got to talk to someone in charge of their product development, great guy, his first response was: "There's a problem. This is not a production device." What? I bought a Tesla at the Tesla price and the autopilot crashes on me because it's a debug version? I have... no, sorry, Tesla guys. I'm just jealous. Everybody in my neighborhood has one except for me. So if you guys are thankful for the talk, don't hesitate. Thank you.

So six months later, I'm pretty sure they were actually not lying. It was a very convenient excuse, but they happened to ship me a development build, and a few thousand others throughout the world. What they did well: once I had a line of communication with Tigo, they were actually very welcoming of my findings and relatively forthcoming with sharing the insider information, like, for example, telling me, "Oh, all of those devices are on the same subnet through the VPN tunnel." It would have been preferable for them not to tell me that.

One thing I discovered: log shipping. Especially for the... oh, this is a very important question, guys. Who in the audience is a black hat versus a white hat? Come on, raise your hands. Oh my god, there's not a single hand up. Yeah, okay. So next time you go on a system you're not authorized to, think about disconnecting it from the network before, because this guy ships its logs every half an hour. And boy, was I noisy. Of course, there was nobody looking, thank god. But it's important to realize that even small IoT devices have that capability, and you might trigger a few alerts if you're not too careful.

So: got root, made fun of the vendor. Why am I talking about this?
And this is actually the most important slide of the entire presentation. Yeah, I could remotely see this little red button. The software behind it: I could remotely shut down any of those thousands of solar arrays. I could be a pain to people off the grid, maybe. There's not enough electricity production for it to be meaningful yet; it will be in a few years, but not today. What's more important is this is a bot. I could have a thousand of those remotely controlled on your home network, spying on your home activity, you know... Oh shoot, my kid is here, so I can't say "prawn," but things like that.

The biggest part, the part that bugs me the most, is: even though I've been a security practitioner for a long time, only after this device being on my network did I realize I really needed two networks. My home personal network, and a completely independent IoT network on which I have, of course, this guy now. He was the first candidate, but the Nest, a few development boards... Who's played with the Particle Photons? Yay, those are excellent devices. But just like this guy, don't trust them. My security cameras, you know, those cameras that I bought on Alibaba with that Chinese firmware? It is apparently very chatty. I won't go further.

So yeah, is your mom or your brother or your family expected to have two networks at home and to be able to manage those? No. There is no way; not even us can handle it. There is no way that customers of IoT can be expected to actually protect themselves from those devices. That is a very sad state, and I hope that message comes out of DEF CON as much as possible, because it is time that we have a UL rating of devices that also takes into account your privacy, because we all have that expectation. You don't buy a car without seatbelts. Yes, responsible disclosure is hard. Yes, don't give up.
Please follow responsible disclosure. And finally, thank you to all IoT devices for so much entertainment. Thank you to quite a few people: my wife, for tolerating my late nights. Rafelle, where are you? Stand up. Keep doing your packet storming. And Tigo, for not suing me. Thank you. You got me scared there. Guys, thank you. Yeah.