Embed Size (px)
Citation preview
© 2012
Presented by:
Home Invasion v2.0Attacking Network-Controlled Embedded Devices
Daniel “unicornFurnace” CrowleyJennifer “savagejen” SavageDavid “videoman” Bryan
© 2012© 2012
• Who are we?
© 2012
The Presenters
• Daniel “unicornFurnace” Crowley– Managing Consultant, Trustwave (SpiderLabs team)
• Jennifer “savagejen” Savage– Software Engineer, Tabbedout
• David “videoman” Bryan– Security Consultant, Trustwave (SpiderLabs team)
© 2012© 2012
• What are we doing here?
© 2012
The “Smart” Home
Science fiction becomes science fact
Race to release novel products means poor security
Attempt to hack a sampling of “smart” devices
Many products we didn’t coverAndroid powered ovenSmart TVsIP security cameras
© 2012© 2012
• What’s out there?
© 2012
Belkin WeMo Switch
© 2012
Belkin WeMo Switch
1. Vulnerable libupnp version2. Unauthenticated UPnP actions
1. SetBinaryState2. SetFriendlyName3. UpdateFirmware
© 2012
MiOS VeraLite
© 2012
MiOS VeraLite
1. Lack of authentication on web console by default2. Lack of authentication on UPnP daemon3. Path Traversal4. Insufficient Authorization Checks
1. Firmware Update2. Settings backup3. Test Lua code
5. Server Side Request Forgery6. Cross-Site Request Forgery7. Unconfirmed Authentication Bypass8. Vulnerable libupnp Version
© 2012
INSTEON Hub
© 2012
INSTEON Hub
1. Lack of authentication on web console1. Web console exposed to the Internet
© 2012
Karotz Smart Rabbit
© 2012
Karotz Smart Rabbit
1. Exposure of wifi network credentials unencrypted2. Python module hijack in wifi setup3. Unencrypted remote API calls4. Unencrypted setup package download
© 2012
Linksys Media Adapter
1. Unauthenticated UPnP actions
© 2012
LIXIL Satis Smart Toilet
© 2012
Radio Thermostat
1. Unauthenticated API2. Disclosure of WiFi passphrase
© 2012
SONOS Bridge
© 2012
SONOS Bridge
1. Support console information disclosure
© 2012© 2012
• DEMONSTRATION
© 2012© 2012
• CONCLUSION
© 2012
Questions?
Daniel “unicornFurnace” [email protected]@dan_crowley
Jennifer “savagejen” [email protected] (PGP key ID 6326A948)@savagejen
David “videoman” [email protected]@_videoman_
