Weaponization of IoT
Jose L. Quiñones, BSEET, MCP, MCSA, RHSA, HIT, C|EH, C|EI, C)PEH, C)M2I, GCIH, GPEN
… nope, this is not it.
Mirai Botnet
Mirai (Japanese for "the future", 未来) is malware that turns computer systems running Linux into remotely controlled "bots" that can be used as part of a botnet in large-scale network attacks. It primarily targets online consumer devices such as remote cameras and home routers.
TP-Link TL-MR3020
• Mobile broadband (3G/3.75G) router.
• 2.4GHz frequency.
• 3G/WISP/AP connection modes.
• Fast Ethernet port for WAN/LAN connections.
• USB 2.0.
• Mini-USB.
• 64/128bit WEP.
• WPA2
Custom Firmware - OpenWRT
• OPKG Package Manager
• Opkg attempts to resolve dependencies with packages in the repositories
Development boards
Kali Linux ARM images
“New” Kid on the block … ESP8266
• 32-bit RISC CPU:
• 64 KiB of instruction RAM, 96 KiB of data RAM
• External QSPI flash: 512 KiB to 4 MiB* (up to 16 MiB is supported)
• IEEE 802.11 b/g/n Wi-Fi
• Integrated TR switch, balun, LNA, power amplifier and matching network
• WEP or WPA/WPA2 authentication, or open networks
• 16 GPIO pins
• I²S interfaces with DMA (sharing pins with GPIO)
• UART on dedicated pins, plus a transmit-only UART can be enabled on GPIO2
• 10-bit ADC
ESP8266 Wi-Fi Jammer
Poisontap
• emulates an Ethernet device over USB (or Thunderbolt)
• hijacks all Internet traffic from the machine (despite being a low priority/unknown network interface)
• siphons and stores HTTP cookies and sessions from the web browser for the Alexa top 1,000,000 websites
• exposes the internal router to the attacker, making it accessible remotely via outbound WebSocket and DNS rebinding (thanks Matt Austin for rebinding idea!)
• installs a persistent web-based backdoor in HTTP cache for hundreds of thousands of domains and common Javascript CDN URLs, all with access to the user’s cookies via cache poisoning
• allows attacker to remotely force the user to make HTTP requests and proxy back responses (GET & POSTs) with the user’s cookies on any backdoored domain
• does not require the machine to be unlocked
• backdoors and remote access persist even after device is removed and attacker sashays away
Hack all the things!
• USB Killer
• LAN Turtle
• Bash Bunny
Wireless Tools
• Ubertooth RF
• HackRF One
• FreakUSB (Zigbee)
• WiFi Pineapple
Thanks!
• @josequinones
• http://codefidelio.org
• @obsidis_NGO
• http://obsidisconsortia.org