Good morning. Good afternoon everyone. Hello. Yeah. So today I'll be talking about the dark side of the Internet of Things. Before that, let me introduce myself. I'm Dipesh Monga. I'm a tech speaker at Mozilla, and I'm a research associate at the Indian Institute of Technology Indore, where I work on the development of IoT-based systems on chips and on emerging technologies. Today I'll be talking about the privacy and security concerns related to the Internet of Things.

For that, I think most of you might have a clear definition of what the Internet of Things is. There are a number of definitions on the Internet. My personal favorite one is: it is the interface between the physical and digital world that allows one to collect information from and control everyday objects. And let's divide the components of IoT into four parts. The first is the hardware, the tiny bits and pieces that sense things. They communicate in a language called data, and they send this data to the software, which interprets it and gives it to the user. And all of it is connected by some form of connectivity, maybe Bluetooth or Wi-Fi; there are various communication protocols. There are a number of sensors available, which you might have a clear idea about, and the data is what they communicate in. So: the hardware, the data, the software, the user, and the connectivity. We have ZigBee, we have Bluetooth. We have a number of things.

And now let's come to the main point, the dangers of uploading our physical lives to the cloud. We know that privacy is paramount. I don't mind if my thermostat knows that I'm inside my home, but it had better not share that information with anyone else. We can trust our banks with our privacy and security concerns, but can we do the same for our devices? Can we know what technologies these are using? We only consider it for the sake of convenience. If it's doing our work, then it's good. That's it. But think of a scenario where our IoT device can share information like this.
It can tell if we have been out of our house or not. So it's really a thing we have to get started thinking about.

And now, let's look at the vulnerabilities in the IoT ecosystem, in the four parts that we discussed before: the hardware, the data, the software, and the connectivity. So what if a person can get access to the hardware? If he has the hardware with him, the hardware that is connected to the Internet, he can get access to a shell. I'll show the demo of this in detail in the further slides. He can edit the config file and he can manipulate the hardware to get the data. And the software that we install for IoT devices: we don't even consider, before installing, what privileges they are asking for or what technologies they are using. We just do next, next, finish. Yeah, I agree to this. I agree to continue. And then we just get the X, for the sake of our convenience.

And the data. Is the data that the hardware, the device, is using secure? If I can plug in my multimeter or some device and read the data in the form of binary, is it really safe in the IoT devices? And the connectivity. If it's connected to the cloud, it's sending its data via Wi-Fi or Bluetooth. So what encryption are they using? We don't even consider this case. It's just: more features is good. This device has Bluetooth, this device has Wi-Fi. Okay, I'll go for it. It has a lot of features. But do we even think of this before buying any device which is IoT enabled?

And think of a future scenario. Cigarettes come with a warning: smoking is injurious to health. In future, maybe this can be the scenario: we have to think before using a smart toilet. Maybe you are using a smart toilet, you are doing your business, and some intruder comes. He knows that you're doing your business inside the toilet, takes all the stuff from your home and just goes by. So think of these security and privacy concerns.
And now let us divide the attacks that can possibly happen, with some examples, into three parts: the physical attacks, the local attacks and the remote attacks. So the first and the least preferable is the physical one, and the most preferred and the most common is the remote attack.

So this device is called UART. I think most of you guys might be aware of this UART. It's a universal asynchronous receiver and transmitter. It is used in most hardware, most of your hardware stuff, your DIY kits. It works at various operating voltages. It has TX and RX wires for transmission and reception. So you just need this small device, it's around one or two dollars, and you can get access to the physical hardware; you can manipulate the physical hardware, actually. And these are some eMMC chips. They are just like the SD or microSD card in your mobile phone. These are the chips that store your OS, your bootloader, your firmware in the IoT devices, the embedded hardware.

So let's take the example of this Epson Artisan 700/800 printer. It's an IoT-enabled, Wi-Fi-controlled device. And if you open this device, you have the hardware access. You can find these four pins. In some cases it's written there: GND, VCC, TX, RX. You just hook up your USB TTL device, and what do you get? You get this screen when you plug it in over USB. You have the root access. See, you can reboot your printer. You can display the IP address. But my favorite one is: you can run arbitrary shell commands. You can maybe write a shell command to upload whatever it scans to your email address, or something like that. So this is what the manufacturers are not even thinking of, and even the buyers are not thinking of. So this is a pretty far-fetched approach, because no one would physically open a printer. But this can be done.

And your smart refrigerators. These have two... They can be manipulated in two ways. They have the eMMC card and they have these RX/TX pins.
And you can hook up these, or use these nearby resistors, to read the data, what they are doing, and just get access to the information they are beaming. And probably... I'll show you a demo in the end of how this smart screen can be manipulated. It runs on Android 2.3, and you can install your own stock Android and get superuser access on it.

And this is my personal favorite: the SJM Merlin@home. This is a medical IoT device. What it does is it gets the data from a pacemaker and it sends this data to the doctors at this hospital called SJM Merlin. So you can actually open this and manipulate it and send whatever data you want to the doctor, regardless of what the data actually is. And there are many more devices. On this website you can just get a tutorial on how to... There are videos, step-by-step guides, even Google TV is there, and a number of devices that are vulnerable from the physical point of view.

Now moving on to the local networks. The local networks can be... This is an example of drone hijacking. I'll show you a demo in the end. You can probably use a drone; I'll tell you an example of what we did. We used a drone. We mounted a Raspberry Pi Zero on it, with Kali Linux installed, and it was capturing the sessions on the Wi-Fi router connected to the hostel where we lived. And what we did, we made it take a round of the whole hostel, all the blocks, and it captured the sessions, the data of all the students, the sessions they were in, what activities they were doing. So this is how you can even mess with your neighbor using the local network, the smart devices.

And this is also a pretty sweet example of local access. This is a KeySweeper. It's very easy to make. There's a link down there; you can check how to make it. In the end I have some hardware also, and it can be done. So this looks like a charger. It's a charger, yes, of course. But it has some extra circuitry, some magical circuitry.
So it has a microcontroller, an RF/Bluetooth device and also a GSM module for SIM cards. You can fit all this in this whole package, and it sends what a user is typing. Maybe I can give this charger at the end to all of you guys, and if you put it in your home and use this charger, I can get the keystrokes: what keys you are pressing on your wireless keyboard. So what type of passwords you type, like if I open facebook.com and enter this email address, it's sending me text messages of what the user is opening. So there are tutorials available, there is everything available on the net on how to exploit these devices, how to get into someone else's local network.

And the next one is my personal favorite: Shodan, the search engine for the Internet of Things. So this is how you get the remote access. You just open this browser and you type "Honeywell network building" or any other device. Have you guys heard about this browser Shodan? Anyone? Okay, awesome. So you just type what device, what IoT device you need to find. For example, Honeywell is a very trusted company for automation and IoT solutions. You can refine it by countries. Say I search Belgium: these devices in Belgium. There are a number of filters available, and now it shows the list. I type "Honeywell building network adapter" and this shows password. I open this, it gives me a manual, a data sheet of the adapter, and when I read this sheet I find there's no password. See, your IoT devices are secure. Honeywell, okay. So then I open this, I'm logged in as a root user and I have the root access for a building adapter. They have power meters available on this website. You even have an intuitive map of the IoT devices connected to the world. You can access and exploit them easily. And these are the targets of this search engine. It's not illegal.
It just searches the things that are available, that are not password protected, that are connected devices, especially for the devices some images have been obtained from. That is like a child's life, it's all in the cloud. They can get information about purchasing patterns, the access codes, the door logs, our driving habits, when we leave, when we come back, our real-time locations. Our car even has a GPS system, where there are various diagnostic devices, infotainment systems, and all these are connected to our home. So if there's one vulnerability in the ecosystem, it can expose the whole smart home. It's running 100 million lines of code, and if we get into one tiny bit, we can get access to the whole smart home, even your lives. And think of a scenario in future where you have to buy a firewall for your toaster.

And this example is a very good one: this Hello Barbie doll. Recently a group of hackers... This is a Wi-Fi doll, for your information. This is a Wi-Fi-enabled doll; it's like a small version of Siri. You talk with this, it's connected to Wi-Fi and it replies back to the child. So these hackers, what they did, they got into the network using the Wi-Fi doll. Because when you manufacture a doll, or if you buy a doll, you don't consider the security, right? It's a toy. It is not supposed to be about security. So they got into the whole network using this doll. And there are smart egg trays that tell how many eggs have been placed. And this smart insulin pump, it can inject the amount of insulin. It's a Wi-Fi-enabled control system that is regulated by the doctors to keep a regular level of insulin. And what if your devices deny you the service in future?

And now I'll show you a demo of the drones, just a second. So this is what I was talking about. You have this Bluetooth-enabled mouse and there's a drone coming. The drone comes and types using the Bluetooth. You can type, you can read, whatever you want to do.
So this is how secure your network is. And this one is the Epson Artisan printer I was talking about. So when you plug in the USB, you can see all these commands run by, and you can type arbitrary shell commands and you get the root access. And you can pretty easily manipulate the printer. Okay. And there are a lot of functions.

This is a quick demo of the LG Smart Refrigerator. Can you please turn off this? Okay. So this one is the LG Smart Refrigerator. It runs on Android 2.3, and it has a launcher. You can install your stock OS using the eMMC or a USB TTL device. So this is the OS that comes with the device. You can control the compressor and do a lot of stuff. And this one is the stock Android that has been installed. So you can see there's superuser access, and you can install all the software that you want, the apps that you want. You can even run the terminal as root. The smart refrigerator. See. You just press. You need to press okay: no password, no encryption, nothing. Okay.

Next is this. You can put this device, this SJM Merlin@home I told you about already, into party mode. See. This device is meant for your health and for sending the data. You can do whatever you want with these devices.

And now I'll show you a quick demo of the Shodan search engine I told you about. So this is the search engine for Internet of Things security. You just type a company's name. Say your Cam. I'll write your Cam. It's a famous IP cam company. So it shows the map, the devices that are connected. And I'll just simply open these cameras. See. Some are password protected and some are not. You can just see what content they are displaying. You can even search for Raspberry Pi or Dino. It will show the devices connected to the Internet that have not been secured. See. You don't want your living room or bedroom to be live on the Internet with people watching in a conference. Okay. So that's it for the dark side of the Internet of Things. Thank you. Any questions? Yeah.
The moral of the story is just put passwords. That's it.

No. Because you have to know things about the security concern. It's not about passwords. If you have the physical access... passwords can be easily... We can easily encrypt the passwords also. You have to think of this side also. You don't have to think only about the ease of convenience: if it's doing my work, it's good for the IoT. Because it's a booming industry, and everyone is trying to get their hands on it. Like, I want to buy this. I want to have this feature in my device. Even a pen, it should tell me what I'm typing. It's connected to the Internet. But we're not thinking of this side. So the moral of this talk is to think about this side: the privacy and security concerns that the devices can have. Not just passwords. Yeah.

Have you heard about the Internet Human Therapy Project which happened a few months ago? There was this guy who released a virus called Wikipedia, which happened to all these IoT devices and bricked them. They can't be used by somebody who's actually trying to use them as a big fan. I think a lot of ISPs went down because of this, because their downloaders were all vulnerable. And tons of security cameras also went down because of this. And the guy actually had to stop it, because the investigative viewers were getting close to catching him. So he sent out a big note on the Internet, on Facebook, as a warning that people should look at this more seriously. Because otherwise... he's not a bad guy. He wanted to fix the Internet. He wanted to delay the death of the Internet. He said that these people are taking over all these devices. There are billions of devices, more devices on the Internet. So there are so many of them. They're all being captured by bad actors, also by bad state actors. And they will eventually have more power. Yeah, they'll have more opportunities with this, if everything is connected to the cloud, if you can control it. So there are a number of examples you'll find.
Because no one has... You had your IoT devices from decades ago. The term actually came into being when you had your mobile phones connected to the Internet. There's a hype of IoT, IoT, IoT. But it existed in the embedded era. Your embedded devices were still there. Refrigerators were still there. You're just doing the third. You're connecting it to the Internet and adding a new physical dimension. Initially, it was the web. You were just searching stuff and doing the data. But now you are adding another dimension to the Internet: physical entities. So it's a really big question to think about. I'm not against connecting things to the Internet. No one is actually thinking about this point, this privacy and security concern that this guy also told you about. There was an attack this big. And yeah. Okay. Any more questions? Okay. Thank you.