Home Invasion v2.0 Daniel “unicornFurn ace” Crowley

Preview:

Click to see full reader

Citation preview

© 2012

Presented by:

Home Invasion v2.0Attacking Network-Controlled Embedded Devices

Daniel “unicornFurnace” CrowleyJennifer “savagejen” SavageDavid “videoman” Bryan

© 2012© 2012

• Who are we?

© 2012

The Presenters

• Daniel “unicornFurnace” Crowley– Managing Consultant, Trustwave (SpiderLabs team)

• Jennifer “savagejen” Savage– Software Engineer, Tabbedout

• David “videoman” Bryan– Security Consultant, Trustwave (SpiderLabs team)

© 2012© 2012

• What are we doing here?

© 2012

The “Smart” Home

Science fiction becomes science fact

Race to release novel products means poor security

Attempt to hack a sampling of “smart” devices

Many products we didn’t coverAndroid powered ovenSmart TVsIP security cameras

© 2012© 2012

• What’s out there?

© 2012

Belkin WeMo Switch

© 2012

Belkin WeMo Switch

1. Vulnerable libupnp version2. Unauthenticated UPnP actions

1. SetBinaryState2. SetFriendlyName3. UpdateFirmware

© 2012

MiOS VeraLite

© 2012

MiOS VeraLite

1. Lack of authentication on web console by default2. Lack of authentication on UPnP daemon3. Path Traversal4. Insufficient Authorization Checks

1. Firmware Update2. Settings backup3. Test Lua code

5. Server Side Request Forgery6. Cross-Site Request Forgery7. Unconfirmed Authentication Bypass8. Vulnerable libupnp Version

© 2012

INSTEON Hub

© 2012

INSTEON Hub

1. Lack of authentication on web console1. Web console exposed to the Internet

© 2012

Karotz Smart Rabbit

© 2012

Karotz Smart Rabbit

1. Exposure of wifi network credentials unencrypted2. Python module hijack in wifi setup3. Unencrypted remote API calls4. Unencrypted setup package download

© 2012

Linksys Media Adapter

1. Unauthenticated UPnP actions

© 2012

LIXIL Satis Smart Toilet

© 2012

Radio Thermostat

1. Unauthenticated API2. Disclosure of WiFi passphrase

© 2012

SONOS Bridge

© 2012

SONOS Bridge

1. Support console information disclosure

© 2012© 2012

• DEMONSTRATION

© 2012© 2012

• CONCLUSION

© 2012

Questions?

Daniel “unicornFurnace” Crowleydcrowley@trustwave.com@dan_crowley

Jennifer “savagejen” Savagesavagejen@gmail.com (PGP key ID 6326A948)@savagejen

David “videoman” Bryandbryan@trustwave.com@_videoman_

mailto:dcrowley@trustwave.com
mailto:savagejen@gmail.com
mailto:dbryan@trustwave.com

Recommended

Meredith A. Crowley
Documents
ALEISTER CROWLEY-The Confessions of Aleister Crowley
Documents
Chaplain Jim Crowley COPC 1 Welcome 1 Chaplain Jim Crowley COPC 2 Critical Incident Stress Management (CISM) Jim Crowley Mike Dismore Chaplains Central
Documents
Aleister Crowley - Joga
Documents
Crowley, John - Antiguedades
Documents
Microsoft Office 2010: Hands On James Crowley C3 – Crowley Computer Consulting
Documents
ASTROLOGÍA - Aleister Crowley
Documents
Aleister Crowley - Olla
Documents
Mr Crowley
Documents
Necronomicon. Aleister Crowley
Documents
Handleiding voor BMM V2.0 / MB V2.0 / VAG V2.0 / POR V2.0 ... V2.0 Series... · ① BACK BUTTON -- Returns to previous menu. ② UP BUTTON -- Moves cursor up for selection. ③ LEFT
Documents
Aleister crowley 777
Documents
CHRISTINA CROWLEY
Documents
Aleister Crowley - ASTROLOGIA
Documents
Aleister Crowley - 777
Documents
Magiak. Aleister Crowley
Documents
Crowley Aleister - Joga
Documents
Alistair Crowley
Documents
Nadine Crowley Information - Amazon S3 Crowley Comms&Co Title Microsoft Word - Nadine Crowley Information.docx Created Date 5/5/2015 11:19:11 AM
Documents
Dr. Geoffrey Crowley
Documents