﻿1
00:00:00,000 --> 00:00:07,280
awesome so everything seems to work so

2
00:00:05,240 --> 00:00:11,059
why am I here

3
00:00:07,280 --> 00:00:15,000
I'm basically going to be talking about

4
00:00:11,059 --> 00:00:17,900
the story of my IoT device it has two

5
00:00:15,000 --> 00:00:22,198
threads in it basically the first one is

6
00:00:17,900 --> 00:00:26,189
how I got my first IoT device it's a

7
00:00:22,199 --> 00:00:28,949
button I will definitely show you a lot

8
00:00:26,189 --> 00:00:32,040
about it but the second and I think more

9
00:00:28,949 --> 00:00:34,469
important thread here is what

10
00:00:32,040 --> 00:00:38,940
you guys can do once you get your own

11
00:00:34,469 --> 00:00:43,379
IoT devices if you already have them to

12
00:00:38,940 --> 00:00:47,129
stay basically safe, secure, to

13
00:00:43,379 --> 00:00:49,920
understand what threats does it

14
00:00:47,129 --> 00:00:53,399
bring to your home and to do all of this

15
00:00:49,920 --> 00:00:55,199
cost effectively so you don't want to

16
00:00:53,399 --> 00:00:58,890
spend your time reverse engineering some

17
00:00:55,199 --> 00:01:00,660
weird CPU or maybe I mean it might be

18
00:00:58,890 --> 00:01:03,449
your day job but you don't want to bring

19
00:01:00,660 --> 00:01:07,080
it home you want to do some simple

20
00:01:03,449 --> 00:01:11,280
things that will then have a big

21
00:01:07,080 --> 00:01:18,150
impact and you will be able to live with

22
00:01:11,280 --> 00:01:20,970
whatever new device you bring so okay so

23
00:01:18,150 --> 00:01:25,409
the agenda is I'm basically going to be

24
00:01:20,970 --> 00:01:28,890
talking about four parts what do you do

25
00:01:25,409 --> 00:01:32,280
before you purchase your device what do

26
00:01:28,890 --> 00:01:34,439
you do once you have it with the

27
00:01:32,280 --> 00:01:36,900
application because most of the devices

28
00:01:34,439 --> 00:01:39,899
come with some kind of iOS or Android

29
00:01:36,900 --> 00:01:42,329
application what can you do to the

30
00:01:39,900 --> 00:01:43,259
device itself understand what's running

31
00:01:42,329 --> 00:01:46,798
on it

32
00:01:43,259 --> 00:01:48,780
what electronics it contains whether it

33
00:01:46,799 --> 00:01:51,869
contains things you didn't expect they

34
00:01:48,780 --> 00:01:54,060
do and of course they always talk to

35
00:01:51,869 --> 00:01:57,420
some remote server usually in China so

36
00:01:54,060 --> 00:02:00,210
what you can do to you know protect

37
00:01:57,420 --> 00:02:04,590
whatever it is that the device is

38
00:02:00,210 --> 00:02:06,460
collecting on you so who here has an IoT

39
00:02:04,590 --> 00:02:09,220
device already

40
00:02:06,460 --> 00:02:11,400
okay and who's planning to have one

41
00:02:09,220 --> 00:02:13,810
within like the next five years

42
00:02:11,400 --> 00:02:17,710
everyone's hand should be up right now

43
00:02:13,810 --> 00:02:19,540
because there's no way you will buy like

44
00:02:17,710 --> 00:02:21,550
there are some electronics that you can

45
00:02:19,540 --> 00:02:24,220
basically not buy that aren't smart

46
00:02:21,550 --> 00:02:30,310
anymore like TVs I think there's no more

47
00:02:24,220 --> 00:02:33,550
dumb TVs and basically everything is

48
00:02:30,310 --> 00:02:37,420
going to become IoT why I guess because

49
00:02:33,550 --> 00:02:39,310
that's how the world works right but we

50
00:02:37,420 --> 00:02:42,488
don't have control over it anymore like

51
00:02:39,310 --> 00:02:46,660
we can't stop it and it's better to

52
00:02:42,489 --> 00:02:50,580
embrace it than to hope that you know it

53
00:02:46,660 --> 00:02:54,700
will go away because it's not going away

54
00:02:50,580 --> 00:02:56,860
so I mean I'd really love to hear later

55
00:02:54,700 --> 00:03:00,670
in the question phase how you guys have

56
00:02:56,860 --> 00:03:04,660
been protecting yourself but for me it

57
00:03:00,670 --> 00:03:07,660
all started with a problem I have this

58
00:03:04,660 --> 00:03:11,019
habit once in a while I think what can I

59
00:03:07,660 --> 00:03:14,109
automate like for example how can I

60
00:03:11,019 --> 00:03:16,570
make my life easier and I started a new

61
00:03:14,110 --> 00:03:18,760
job I started biking to the new job

62
00:03:16,570 --> 00:03:22,720
and when I got home I had to wait like

63
00:03:18,760 --> 00:03:26,340
30 minutes before I had hot water so I

64
00:03:22,720 --> 00:03:31,720
mean it's really a big problem I know

65
00:03:26,340 --> 00:03:33,190
life and death even but it was the first

66
00:03:31,720 --> 00:03:35,470
thing that popped out as something easy

67
00:03:33,190 --> 00:03:40,090
to automate right I mean you can

68
00:03:35,470 --> 00:03:44,350
basically there are so many ways

69
00:03:40,090 --> 00:03:46,720
to solve this and the two main things I

70
00:03:44,350 --> 00:03:49,390
found in Israel is first there's only

71
00:03:46,720 --> 00:03:51,970
one actual device that will work there

72
00:03:49,390 --> 00:03:55,000
are like two models but one of them was

73
00:03:51,970 --> 00:03:57,609
sold out and of course you can do it DIY

74
00:03:55,000 --> 00:04:01,670
this is actually a friend of mine and

75
00:03:57,610 --> 00:04:07,380
his girlfriend got electrocuted by that

76
00:04:01,670 --> 00:04:09,660
and he swears by it by the way so as you

77
00:04:07,380 --> 00:04:10,430
can see this is the DIY route and I'm

78
00:04:09,660 --> 00:04:13,290
sure it would

79
00:04:10,430 --> 00:04:15,630
it's like it works for him but it took a

80
00:04:13,290 --> 00:04:18,029
lot of time and he really likes to think

81
00:04:15,630 --> 00:04:20,700
everything's like that I thought I don't

82
00:04:18,029 --> 00:04:26,099
have any time I'll spend some money so I

83
00:04:20,700 --> 00:04:30,150
bought this cool device you will give of

84
00:04:26,100 --> 00:04:32,400
it soon so that was the only option I

85
00:04:30,150 --> 00:04:35,060
had right if I didn't want to buy

86
00:04:32,400 --> 00:04:38,909
an electrocution device

87
00:04:35,060 --> 00:04:41,970
it's an Israeli company that sells

88
00:04:38,910 --> 00:04:43,980
it called smart grade but the device is

89
00:04:41,970 --> 00:04:45,690
obviously not built in Israel it's

90
00:04:43,980 --> 00:04:47,700
actually built by a company called

91
00:04:45,690 --> 00:04:50,430
Broadlink you can see signs of it

92
00:04:47,700 --> 00:04:55,320
everywhere on their site and in the app

93
00:04:50,430 --> 00:04:59,190
that you download it's like it's a

94
00:04:55,320 --> 00:05:02,150
different form factor of other Broadlink

95
00:04:59,190 --> 00:05:04,440
devices which are just like

96
00:05:02,150 --> 00:05:07,169
a very popular manufacturer

97
00:05:04,440 --> 00:05:08,969
of smart devices they have different

98
00:05:07,169 --> 00:05:12,359
devices that they sell and apparently

99
00:05:08,970 --> 00:05:15,180
they created the device for the

100
00:05:12,360 --> 00:05:17,190
Israeli market that is that thing I

101
00:05:15,180 --> 00:05:20,460
didn't see any documentation about it

102
00:05:17,190 --> 00:05:23,729
from anywhere outside of Israel which I

103
00:05:20,460 --> 00:05:25,849
mean it was fun but it's also similar to

104
00:05:23,729 --> 00:05:34,340
a lot of other devices they manufacture

105
00:05:25,850 --> 00:05:37,979
and this is how the unpacking goes and

106
00:05:34,340 --> 00:05:41,119
basically what you have here is a button

107
00:05:37,979 --> 00:05:44,580
it's a glorified button with a few LEDs

108
00:05:41,120 --> 00:05:47,490
it has an actual electromagnetic relay

109
00:05:44,580 --> 00:05:49,800
so each time you press it on or off you

110
00:05:47,490 --> 00:05:54,930
can hear like a satisfying click which

111
00:05:49,800 --> 00:05:59,010
is very fun and it has an annoying LED

112
00:05:54,930 --> 00:06:03,060
that's always on and it gives my house

113
00:05:59,010 --> 00:06:05,280
like a ghostly feeling and the fun part

114
00:06:03,060 --> 00:06:07,560
is controlled by an application of

115
00:06:05,280 --> 00:06:10,140
course the application is called a smart

116
00:06:07,560 --> 00:06:11,760
home it is made well by Broadlink

117
00:06:10,140 --> 00:06:12,889
but the name of the application is

118
00:06:11,760 --> 00:06:15,319
called Broadlink

119
00:06:12,889 --> 00:06:18,110
neutral app so why is it neutral app

120
00:06:15,319 --> 00:06:20,300
because apparently it's their white

121
00:06:18,110 --> 00:06:23,210
label application so that's what they

122
00:06:20,300 --> 00:06:25,370
gave companies like smart grade and you

123
00:06:23,210 --> 00:06:27,378
get a little QR code and then it

124
00:06:25,370 --> 00:06:29,740
downloads the logos of the company and

125
00:06:27,379 --> 00:06:32,930
then puts it on the actual application

126
00:06:29,740 --> 00:06:36,199
so apparently I had a very white label

127
00:06:32,930 --> 00:06:38,990
experience no it was very obvious it's

128
00:06:36,199 --> 00:06:40,909
Chinese like everything was in

129
00:06:38,990 --> 00:06:44,060
broken English of course and not that

130
00:06:40,909 --> 00:06:48,650
I'm maligning it, well, I'm going to

131
00:06:44,060 --> 00:06:50,270
malign it so this is basically

132
00:06:48,650 --> 00:06:54,080
what it's supposed to do this is the old

133
00:06:50,270 --> 00:06:57,770
button I had I replaced it with

134
00:06:54,080 --> 00:07:03,289
the new button that's just how you set

135
00:06:57,770 --> 00:07:06,219
it up it takes AC and you basically put

136
00:07:03,289 --> 00:07:09,110
it in the hole in my wall and it works

137
00:07:06,219 --> 00:07:13,189
so what can you do before you purchase

138
00:07:09,110 --> 00:07:15,740
your own device first do your research

139
00:07:13,189 --> 00:07:17,509
right you want to buy a device that's

140
00:07:15,740 --> 00:07:21,020
pretty popular you want to make sure

141
00:07:17,509 --> 00:07:23,120
that you can search for how hackable

142
00:07:21,020 --> 00:07:25,419
it is how documented it is whether other

143
00:07:23,120 --> 00:07:28,159
people already reverse-engineered this

144
00:07:25,419 --> 00:07:32,150
hopefully your market doesn't have only

145
00:07:28,159 --> 00:07:35,659
one device of that kind and you want to

146
00:07:32,150 --> 00:07:37,429
see if the case is there's only one

147
00:07:35,659 --> 00:07:39,500
device of that kind how many devices are

148
00:07:37,430 --> 00:07:41,960
in the family so the Broadlink family

149
00:07:39,500 --> 00:07:44,330
has a lot of devices and it comes into

150
00:07:41,960 --> 00:07:46,310
play a bit and of course think about

151
00:07:44,330 --> 00:07:49,310
what risks it exposes you to like what

152
00:07:46,310 --> 00:07:54,889
personal information can the device

153
00:07:49,310 --> 00:07:59,509
collect on you so this is the Android

154
00:07:54,889 --> 00:08:04,069
app as you can see it asks for all of

155
00:07:59,509 --> 00:08:06,620
Android's permissions all of them the

156
00:08:04,069 --> 00:08:09,919
weird ones were contacts because I mean

157
00:08:06,620 --> 00:08:15,349
of course I want to share my, what,

158
00:08:09,919 --> 00:08:17,270
their status with my friends my kin

159
00:08:15,349 --> 00:08:20,120
camera which I mean is pretty

160
00:08:17,270 --> 00:08:22,609
self-explanatory modify system settings

161
00:08:20,120 --> 00:08:24,300
of course but reorder other apps I have

162
00:08:22,610 --> 00:08:26,670
no idea what that means like

163
00:08:24,300 --> 00:08:31,380
but what can it reorder it seems very

164
00:08:26,670 --> 00:08:34,920
sketchy right so I mean it isn't really

165
00:08:31,380 --> 00:08:37,049
malicious I mean probably not it's

166
00:08:34,919 --> 00:08:40,020
probably not malicious but once again

167
00:08:37,049 --> 00:08:44,910
it's like we'll see in a bit it contains

168
00:08:40,020 --> 00:08:48,150
like SDKs of every Chinese popular site

169
00:08:44,910 --> 00:08:52,050
like map SDKs and WeChat SDKs and things

170
00:08:48,150 --> 00:08:54,720
like that but the fact that it asks

171
00:08:52,050 --> 00:08:56,729
for all the permissions it opens you up

172
00:08:54,720 --> 00:08:58,910
to a lot of attacks for example if an

173
00:08:56,730 --> 00:09:02,310
update, a malicious update, occurs and

174
00:08:58,910 --> 00:09:06,660
or if there is indeed a vulnerability

175
00:09:02,310 --> 00:09:08,959
and the app can be used to have

176
00:09:06,660 --> 00:09:11,550
basically a permission elevation attack

177
00:09:08,960 --> 00:09:14,490
but of course I still wanted to use my

178
00:09:11,550 --> 00:09:17,849
new toy so I don't want to install the

179
00:09:14,490 --> 00:09:20,640
Chinese app obviously so I just carried

180
00:09:17,850 --> 00:09:22,950
a tablet with me an old tablet which

181
00:09:20,640 --> 00:09:27,930
only had the app with like a fake new

182
00:09:22,950 --> 00:09:30,110
gmail account that wasn't convenient so

183
00:09:27,930 --> 00:09:34,050
let's dig deeper let's see what we can

184
00:09:30,110 --> 00:09:35,670
let's see what we can actually do so of

185
00:09:34,050 --> 00:09:37,920
course you can decompile the app it's

186
00:09:35,670 --> 00:09:41,280
pretty easy there are even online services

187
00:09:37,920 --> 00:09:43,250
to do it at least for Android iOS is a

188
00:09:41,280 --> 00:09:49,050
different story

189
00:09:43,250 --> 00:09:52,200
so the decompiling worked I found

190
00:09:49,050 --> 00:09:55,079
out there's like 13,000 files and 300

191
00:09:52,200 --> 00:09:58,620
lines of Java code that's not super

192
00:09:55,080 --> 00:10:02,160
helpful but the actual code relating

193
00:09:58,620 --> 00:10:06,660
to my device I could start to understand

194
00:10:02,160 --> 00:10:11,969
it and I could see how you know the main

195
00:10:06,660 --> 00:10:14,520
flows work and basically I mean once

196
00:10:11,970 --> 00:10:18,000
again the app itself included a ton of

197
00:10:14,520 --> 00:10:21,630
different SDKs other vendors code that

198
00:10:18,000 --> 00:10:24,900
they support obviously more code means

199
00:10:21,630 --> 00:10:28,439
more vulnerabilities there are tens of SDKs

200
00:10:24,900 --> 00:10:30,300
of Chinese companies that do you know

201
00:10:28,440 --> 00:10:32,670
basically everything that Google does

202
00:10:30,300 --> 00:10:35,969
Docs Maps

203
00:10:32,670 --> 00:10:37,329
text translations things like that

204
00:10:35,970 --> 00:10:39,639
I have no idea but

205
00:10:37,329 --> 00:10:44,589
what device will need Maps but I guess

206
00:10:39,639 --> 00:10:46,389
maybe I'm not imaginative enough the

207
00:10:44,589 --> 00:10:48,670
actual control code was obfuscated but

208
00:10:46,389 --> 00:10:51,699
of course I mean if you're bored enough

209
00:10:48,670 --> 00:10:53,319
you can start deobfuscating and

210
00:10:51,699 --> 00:10:55,748
renaming the functions and everything

211
00:10:53,319 --> 00:10:58,420
but it really gets annoying especially when

212
00:10:55,749 --> 00:11:02,170
you try to reverse engineer something as

213
00:10:58,420 --> 00:11:04,149
you just this and so I mean at this

214
00:11:02,170 --> 00:11:07,329
point I started Googling a bit

215
00:11:04,149 --> 00:11:10,480
more and apparently the device family is

216
00:11:07,329 --> 00:11:12,429
indeed popular so while, well, this

217
00:11:10,480 --> 00:11:14,439
device itself doesn't have anything on

218
00:11:12,429 --> 00:11:16,449
the internet like it doesn't outside of

219
00:11:14,439 --> 00:11:19,540
Israeli sales sites that sell it it

220
00:11:16,449 --> 00:11:21,609
doesn't exist but the communication API

221
00:11:19,540 --> 00:11:24,790
to Broadlink devices the company

222
00:11:21,610 --> 00:11:26,619
that manufactures it was reverse

223
00:11:24,790 --> 00:11:31,679
engineered there's even a Python library

224
00:11:26,619 --> 00:11:34,149
so that made life really easy but

225
00:11:31,679 --> 00:11:35,799
because of the way this device works

226
00:11:34,149 --> 00:11:37,509
it's a bit different than actual

227
00:11:35,799 --> 00:11:40,149
Broadlink devices I have no idea why by

228
00:11:37,509 --> 00:11:42,730
the way we'll see it in a bit I still

229
00:11:40,149 --> 00:11:44,799
have to use the app to activate the

230
00:11:42,730 --> 00:11:47,739
device and then I could control it with

231
00:11:44,799 --> 00:11:50,199
the Python library which is like three

232
00:11:47,739 --> 00:11:53,319
lines of code you basically import the

233
00:11:50,199 --> 00:11:55,959
library you initialize the SP2 device

234
00:11:53,319 --> 00:11:58,839
which is just like the name of a device

235
00:11:55,959 --> 00:12:01,569
similar to this one which the internet

236
00:11:58,839 --> 00:12:05,439
actually knows about you authenticate

237
00:12:01,569 --> 00:12:07,389
which sends a token and basically

238
00:12:05,439 --> 00:12:11,199
then you set power on or off

239
00:12:07,389 --> 00:12:16,629
I could get rid of the tablet I set up a

240
00:12:11,199 --> 00:12:18,488
simple web server I opened up a port on my

241
00:12:16,629 --> 00:12:22,239
router that forwarded to my computer

242
00:12:18,489 --> 00:12:24,819
which is silly and don't do that but

243
00:12:22,239 --> 00:12:27,399
sometimes you must do that I used a

244
00:12:24,819 --> 00:12:31,029
random URL because I didn't want random

245
00:12:27,399 --> 00:12:33,129
Internet crawlers to turn my

246
00:12:31,029 --> 00:12:34,959
water heater on or off it's actually

247
00:12:33,129 --> 00:12:36,970
like once you put something on the

248
00:12:34,959 --> 00:12:38,799
internet you know that like after two

249
00:12:36,970 --> 00:12:40,600
minutes you start getting weird crawlers

250
00:12:38,799 --> 00:12:43,779
trying to understand if it's WordPress

251
00:12:40,600 --> 00:12:47,589
or some other popular, some other

252
00:12:43,779 --> 00:12:49,899
popular site that they can hack so that was

253
00:12:47,589 --> 00:12:51,400
fun seeing all those people trying to

254
00:12:49,899 --> 00:12:54,430
crawl me

255
00:12:51,400 --> 00:12:57,189
and then basically I could throw the

256
00:12:54,430 --> 00:12:59,800
tablet away and hope my ISP

257
00:12:57,190 --> 00:13:02,830
doesn't change my IP there are ways

258
00:12:59,800 --> 00:13:05,620
around that too there's dynamic DNS

259
00:13:02,830 --> 00:13:10,390
DynDNS there's other things you can do you

260
00:13:05,620 --> 00:13:12,730
can constantly update your IP but I

261
00:13:10,390 --> 00:13:17,380
mean I wanted something simple and they

262
00:13:12,730 --> 00:13:19,510
still didn't change my IP so what can

263
00:13:17,380 --> 00:13:22,180
you do first of all Google the hell out

264
00:13:19,510 --> 00:13:24,040
of whatever you're buying a guy that I

265
00:13:22,180 --> 00:13:27,910
met yesterday told me that he would

266
00:13:24,040 --> 00:13:31,480
actually the device that he bought

267
00:13:27,910 --> 00:13:33,490
had a CPU that he could reflash and

268
00:13:31,480 --> 00:13:36,339
there was already like an open

269
00:13:33,490 --> 00:13:39,130
firmware that you can use so that really

270
00:13:36,339 --> 00:13:43,180
makes life easier because you'll see

271
00:13:39,130 --> 00:13:45,130
what I needed to do use keywords use

272
00:13:43,180 --> 00:13:47,439
Google Translate for Russian and Chinese

273
00:13:45,130 --> 00:13:50,800
sites so this is a guy who basically

274
00:13:47,440 --> 00:13:52,570
rewrote the Broadlink integration like he

275
00:13:50,800 --> 00:13:54,760
reverse engineered it he wrote the new

276
00:13:52,570 --> 00:13:59,170
application a Russian guy that was

277
00:13:54,760 --> 00:14:01,839
very helpful and it actually works I've

278
00:13:59,170 --> 00:14:03,819
no idea how by the way like I still

279
00:14:01,839 --> 00:14:05,830
haven't started reverse engineering

280
00:14:03,820 --> 00:14:09,160
that but I mean I don't need to because

281
00:14:05,830 --> 00:14:11,080
I found something better what else can

282
00:14:09,160 --> 00:14:13,510
you do you can use an old device you

283
00:14:11,080 --> 00:14:15,820
could use a sandbox or an emulator like

284
00:14:13,510 --> 00:14:18,640
BlueStacks it's an Android emulator it

285
00:14:15,820 --> 00:14:21,779
works really well in this case both

286
00:14:18,640 --> 00:14:24,670
didn't work well an old device did work

287
00:14:21,779 --> 00:14:27,089
you can find and reverse engineer your

288
00:14:24,670 --> 00:14:29,439
API yourself it's not that hard like

289
00:14:27,089 --> 00:14:32,140
reverse engineering is something that

290
00:14:29,440 --> 00:14:34,180
takes a lot of patience and some people

291
00:14:32,140 --> 00:14:36,459
are better than others but you will

292
00:14:34,180 --> 00:14:40,510
eventually get somewhere like just

293
00:14:36,459 --> 00:14:45,339
follow code and do like finding

294
00:14:40,510 --> 00:14:48,550
files and you will get something and of

295
00:14:45,339 --> 00:14:50,440
course once you have an API or you can

296
00:14:48,550 --> 00:14:52,810
change the application you can also

297
00:14:50,440 --> 00:14:55,870
customize the device for example I guess

298
00:14:52,810 --> 00:14:57,520
because no one thought this specific the

299
00:14:55,870 --> 00:14:59,699
specific framework is going to be used

300
00:14:57,520 --> 00:15:01,949
for a water heater

301
00:14:59,699 --> 00:15:04,108
no one thought about turning it off

302
00:15:01,949 --> 00:15:06,689
after 30 minutes when water is already

303
00:15:04,109 --> 00:15:08,459
hot and I have a habit of forgetting it

304
00:15:06,689 --> 00:15:11,069
on for the whole day so I could just

305
00:15:08,459 --> 00:15:14,189
write a simple daemon that checks if

306
00:15:11,069 --> 00:15:15,868
it's on and saves the timestamp and if

307
00:15:14,189 --> 00:15:19,618
it's on for more than 30 minutes just

308
00:15:15,869 --> 00:15:22,939
turns it off a lot of those devices

309
00:15:19,619 --> 00:15:26,669
basically come with the basic set of

310
00:15:22,939 --> 00:15:29,730
commands or things that whoever designed

311
00:15:26,669 --> 00:15:32,279
it thought of and they usually don't

312
00:15:29,730 --> 00:15:35,489
complement whatever your lifestyle is

313
00:15:32,279 --> 00:15:38,009
whatever your use of the device is so

314
00:15:35,489 --> 00:15:40,799
having an API having a way to control it

315
00:15:38,009 --> 00:15:44,419
outside of the app really opens you up

316
00:15:40,799 --> 00:15:46,769
to customizing it and making it your own

317
00:15:44,419 --> 00:15:49,319
what else can you do you can check what

318
00:15:46,769 --> 00:15:51,359
the app is communicating with there are

319
00:15:49,319 --> 00:15:54,689
things like Wireshark which is a network

320
00:15:51,359 --> 00:15:58,379
sniffer Burp Suite which I'll talk about

321
00:15:54,689 --> 00:15:59,998
in a second OpenVPN basically tunnels

322
00:15:58,379 --> 00:16:03,509
all the communication from your device

323
00:15:59,999 --> 00:16:05,519
through a computer that you can

324
00:16:03,509 --> 00:16:09,679
use to sniff the communication better

325
00:16:05,519 --> 00:16:13,410
and Kismet which is a Wi-Fi sniffer

326
00:16:09,679 --> 00:16:15,480
basically sniffing random like all Wi-Fi

327
00:16:13,410 --> 00:16:18,509
traffic so these devices are usually

328
00:16:15,480 --> 00:16:21,859
Wi-Fi enabled there are also sniffers for

329
00:16:18,509 --> 00:16:25,559
Bluetooth like people mentioned before

330
00:16:21,859 --> 00:16:31,949
decompile the Android app again JADX

331
00:16:25,559 --> 00:16:34,649
the decompiler and you can also, you

332
00:16:31,949 --> 00:16:37,169
can try following the main paths the

333
00:16:34,649 --> 00:16:41,609
buttons like the on button see where

334
00:16:37,169 --> 00:16:44,910
that goes URLs we'll see how that turned

335
00:16:41,609 --> 00:16:47,839
out and logs and use strings and

336
00:16:44,910 --> 00:16:50,549
grep which are very simple and very fun

337
00:16:47,839 --> 00:16:53,209
Burp Suite gets a special mention because

338
00:16:50,549 --> 00:16:58,009
it actually worked and helped me find

339
00:16:53,209 --> 00:17:01,729
some cool things it's an HTTP proxy

340
00:16:58,009 --> 00:17:06,000
you can watch the traffic your device's

341
00:17:01,730 --> 00:17:08,039
the APIs it calls it's very useful to

342
00:17:06,000 --> 00:17:10,730
play with the core REST APIs which

343
00:17:08,039 --> 00:17:12,980
usually these devices

344
00:17:10,730 --> 00:17:15,680
try at least like they communicate with

345
00:17:12,980 --> 00:17:19,310
basic JSON and stuff like that it can do

346
00:17:15,680 --> 00:17:22,700
HTTPS if you install the certificate, that

347
00:17:19,310 --> 00:17:26,139
Burp certificate, into your device it can

348
00:17:22,700 --> 00:17:29,900
basically man-in-the-middle the SSL and

349
00:17:26,140 --> 00:17:34,280
you can see even if the device is using

350
00:17:29,900 --> 00:17:39,560
safe and encrypted URLs this device

351
00:17:34,280 --> 00:17:42,670
wasn't so I mean okay let's talk

352
00:17:39,560 --> 00:17:45,590
about the device itself basically I

353
00:17:42,670 --> 00:17:48,820
decided to see really what it

354
00:17:45,590 --> 00:17:52,240
communicates with so I opened it up I

355
00:17:48,820 --> 00:17:55,850
realized that it phones home because the

356
00:17:52,240 --> 00:17:58,430
app has a feature where you can see

357
00:17:55,850 --> 00:18:01,310
the on and off state history and even if

358
00:17:58,430 --> 00:18:04,100
I manually pressed it on or off without

359
00:18:01,310 --> 00:18:06,590
the app it still knew so I started

360
00:18:04,100 --> 00:18:08,810
suspecting that something's not quite

361
00:18:06,590 --> 00:18:12,500
right and that the device is doing stuff

362
00:18:08,810 --> 00:18:16,010
that well maybe I don't want it to do

363
00:18:12,500 --> 00:18:18,110
like talk with some remote server and so

364
00:18:16,010 --> 00:18:19,580
I thought hey what else can it be doing

365
00:18:18,110 --> 00:18:21,830
like does it have like a camera

366
00:18:19,580 --> 00:18:26,330
somewhere I don't know let's be paranoid

367
00:18:21,830 --> 00:18:29,110
about it and actually check so I mean

368
00:18:26,330 --> 00:18:31,520
once you open it you can see it's a

369
00:18:29,110 --> 00:18:34,610
Wi-Fi chip from a company called

370
00:18:31,520 --> 00:18:36,500
MediaTek they're super popular there's a

371
00:18:34,610 --> 00:18:39,740
flash memory there's the electromagnetic

372
00:18:36,500 --> 00:18:42,830
relay button thing the user interface

373
00:18:39,740 --> 00:18:45,380
is two buttons and LEDs that's about

374
00:18:42,830 --> 00:18:48,350
it like some random other electronics

375
00:18:45,380 --> 00:18:50,900
but nothing suspicious like no

376
00:18:48,350 --> 00:18:52,189
microphone or camera I was really hoping

377
00:18:50,900 --> 00:18:56,990
to find something like that that would

378
00:18:52,190 --> 00:18:58,400
have made this talk awesome okay so then

379
00:18:56,990 --> 00:19:00,170
I thought okay let me get the firmware

380
00:18:58,400 --> 00:19:03,500
the code running on the device itself

381
00:19:00,170 --> 00:19:07,220
this is usually more tricky it wasn't as

382
00:19:03,500 --> 00:19:14,270
easy as I expected we have a flash reader

383
00:19:07,220 --> 00:19:16,790
at work I used it but the first device

384
00:19:14,270 --> 00:19:19,340
we got like this is the first device I

385
00:19:16,790 --> 00:19:21,770
brought for testing that wasn't actually in

386
00:19:19,340 --> 00:19:23,149
my home someone pressed erase instead of

387
00:19:21,770 --> 00:19:28,158
read

388
00:19:23,149 --> 00:19:32,449
and well we had to buy like two more and

389
00:19:28,159 --> 00:19:35,269
of course the two-year so the

390
00:19:32,450 --> 00:19:39,799
MediaTek chip uses some system on a chip

391
00:19:35,269 --> 00:19:41,509
that we couldn't find an instruction set

392
00:19:39,799 --> 00:19:44,059
for there was like some random

393
00:19:41,509 --> 00:19:46,609
presentation from a Taiwanese University

394
00:19:44,059 --> 00:19:49,668
with some of the instructions but the

395
00:19:46,609 --> 00:19:52,489
rest of it is annoying and well beyond

396
00:19:49,669 --> 00:19:55,669
like what I wanted to do that's like

397
00:19:52,489 --> 00:19:58,549
hard stuff but strings still works

398
00:19:55,669 --> 00:20:00,649
strings is very useful so first of all

399
00:19:58,549 --> 00:20:02,929
you can see all the embedded access

400
00:20:00,649 --> 00:20:06,158
point names this device is supposed to

401
00:20:02,929 --> 00:20:11,269
open an access point that you connect to

402
00:20:06,159 --> 00:20:14,659
and then you set it up but that's not

403
00:20:11,269 --> 00:20:16,249
how it works so I still am not sure how

404
00:20:14,659 --> 00:20:19,999
the app itself is doing it probably

405
00:20:16,249 --> 00:20:22,460
broadcasting it you can see all the

406
00:20:19,999 --> 00:20:24,679
passwords of course the server URLs

407
00:20:22,460 --> 00:20:25,639
which are main dot Broadlink and

408
00:20:24,679 --> 00:20:29,749
backup

409
00:20:25,639 --> 00:20:32,178
they have backups that's good and just

410
00:20:29,749 --> 00:20:34,129
notable that the system on the chip uses

411
00:20:32,179 --> 00:20:36,200
something called uIP it's a network

412
00:20:34,129 --> 00:20:40,639
stack which has like one known

413
00:20:36,200 --> 00:20:42,470
vulnerability and it's really

414
00:20:40,639 --> 00:20:46,158
restricted but once again the chip

415
00:20:42,470 --> 00:20:47,899
itself is very restricted so at this

416
00:20:46,159 --> 00:20:50,659
point I wanted to start playing with the

417
00:20:47,899 --> 00:20:52,959
device but once it's open it's not a

418
00:20:50,659 --> 00:20:56,499
good idea to connect it to AC anymore

419
00:20:52,960 --> 00:21:00,679
but thankfully they left VCC and ground

420
00:20:56,499 --> 00:21:07,309
points that I could solder to a USB so

421
00:21:00,679 --> 00:21:10,489
now I have a USB connected device and so

422
00:21:07,309 --> 00:21:12,769
that it was pretty easy it could have

423
00:21:10,489 --> 00:21:16,909
been harder if they didn't just mark it

424
00:21:12,769 --> 00:21:19,730
and of course it's not really sending

425
00:21:16,909 --> 00:21:21,980
any data to the usb it just powers it

426
00:21:19,730 --> 00:21:23,509
but still it makes it easier to work

427
00:21:21,980 --> 00:21:25,239
with I'm not going to get electrocuted

428
00:21:23,509 --> 00:21:29,330
by it

429
00:21:25,239 --> 00:21:33,859
don't leave the points they're super

430
00:21:29,330 --> 00:21:37,178
easy also I switch the LEDs from blue to

431
00:21:33,859 --> 00:21:37,178
red just because it could

432
00:21:39,110 --> 00:21:45,240
so what can you do about the device

433
00:21:41,700 --> 00:21:47,850
itself first of all you should open it

434
00:21:45,240 --> 00:21:49,710
up and see that there's no nothing there

435
00:21:47,850 --> 00:21:51,929
that you didn't expect

436
00:21:49,710 --> 00:21:55,650
you can usually recognize the components

437
00:21:51,930 --> 00:21:58,590
just by googling whatever is on them you

438
00:21:55,650 --> 00:22:01,710
can look up data sheets if you wanna do

439
00:21:58,590 --> 00:22:04,830
something more advanced you can make

440
00:22:01,710 --> 00:22:06,630
life easier by finding ways to connect

441
00:22:04,830 --> 00:22:11,460
it to your computer easier maybe

442
00:22:06,630 --> 00:22:13,800
reflashing it you can customize it so

443
00:22:11,460 --> 00:22:16,410
for firmware you can usually find the

444
00:22:13,800 --> 00:22:18,780
firmware online or maybe check where

445
00:22:16,410 --> 00:22:20,030
the app the app usually initiates

446
00:22:18,780 --> 00:22:22,590
updates

447
00:22:20,030 --> 00:22:25,620
maybe the device itself but you can find

448
00:22:22,590 --> 00:22:26,939
that by sniffing you can try reading the

449
00:22:25,620 --> 00:22:31,669
firmware from the device but you'll

450
00:22:26,940 --> 00:22:34,770
need some some flash reader that that's

451
00:22:31,670 --> 00:22:39,780
something not everyone has so maybe a

452
00:22:34,770 --> 00:22:42,420
hackerspace or you can you can you can

453
00:22:39,780 --> 00:22:44,490
make your own using a Raspberry Pi or

454
00:22:42,420 --> 00:22:47,790
something there a ton of tutorials

455
00:22:44,490 --> 00:22:50,700
online you can hex edit it and then

456
00:22:47,790 --> 00:22:52,230
write it back that's like the next

457
00:22:50,700 --> 00:22:56,940
thing I want to do is see if replacing

458
00:22:52,230 --> 00:22:59,730
the URLs from Broadlink forces it to

459
00:22:56,940 --> 00:23:01,920
stop sending information and of course

460
00:22:59,730 --> 00:23:05,370
you can find a hardware development kit

461
00:23:01,920 --> 00:23:07,860
that MediaTek has and see if you can

462
00:23:05,370 --> 00:23:10,979
compile your own firmware that's going

463
00:23:07,860 --> 00:23:16,229
to be way harder because once the device

464
00:23:10,980 --> 00:23:19,080
is actually in production so they

465
00:23:16,230 --> 00:23:21,510
usually have it set and this one for

466
00:23:19,080 --> 00:23:23,909
example the chip itself has some memory

467
00:23:21,510 --> 00:23:26,280
with some code that I mean it's hard to

468
00:23:23,910 --> 00:23:29,250
get and there's also an external flash

469
00:23:26,280 --> 00:23:32,580
drive which was easier to get to but

470
00:23:29,250 --> 00:23:36,150
still and of course use your software

471
00:23:32,580 --> 00:23:37,980
right and like so that's the read and the

472
00:23:36,150 --> 00:23:46,560
erase buttons are so close together that

473
00:23:37,980 --> 00:23:49,299
we just I mean cool so I still have the

474
00:23:46,560 --> 00:23:53,739
problem of something is a few remote

475
00:23:49,299 --> 00:23:58,119
Oh like trying to reverse the firmware

476
00:23:53,739 --> 00:24:00,909
didn't really help and wireshark

477
00:23:58,119 --> 00:24:04,470
also didn't really help so now I just

478
00:24:00,909 --> 00:24:05,980
grabbed for all the URLs in the in the

479
00:24:04,470 --> 00:24:09,730
application itself

480
00:24:05,980 --> 00:24:13,269
and oh wow I was surprised so there's a

481
00:24:09,730 --> 00:24:16,840
file called API URL dot Java it has like

482
00:24:13,269 --> 00:24:22,299
71 URLs only 28 are HTTPS because I mean

483
00:24:16,840 --> 00:24:24,908
why why bother 55 of them were Broadlink

484
00:24:22,299 --> 00:24:29,730
APIs the rest were like like I

485
00:24:24,909 --> 00:24:34,570
said just api's of every company that

486
00:24:29,730 --> 00:24:36,309
Alibaba QQ Weibo no other companies by

487
00:24:34,570 --> 00:24:38,590
the way only Chinese companies I don't

488
00:24:36,309 --> 00:24:40,658
know why they're discriminating against

489
00:24:38,590 --> 00:24:44,109
Google or something and of course

490
00:24:40,659 --> 00:24:50,200
calling these APIs gives you a funny error

491
00:24:44,109 --> 00:24:52,539
it's like the Chinese JSON and the API

492
00:24:50,200 --> 00:24:55,960
itself that interested me was of course

493
00:24:52,539 --> 00:24:59,350
the history API it wanted the token

494
00:24:55,960 --> 00:25:02,739
which was really really spoiled the

495
00:24:59,350 --> 00:25:06,158
founder so I could either read and

496
00:25:02,739 --> 00:25:09,940
decomp like read 300 lines of the

497
00:25:06,159 --> 00:25:13,659
compilation of how it created this token

498
00:25:09,940 --> 00:25:19,330
or I could use Burp to find the token

499
00:25:13,659 --> 00:25:21,190
and send it and that works basically I

500
00:25:19,330 --> 00:25:23,769
could use the token for like a minute

501
00:25:21,190 --> 00:25:26,889
until it expired or maybe five minutes

502
00:25:23,769 --> 00:25:29,980
until it's expired and I had to proxy

503
00:25:26,889 --> 00:25:33,309
the app again and find the token so this

504
00:25:29,980 --> 00:25:36,639
was pretty convenient and I could see

505
00:25:33,309 --> 00:25:40,029
that it actually only only returned my

506
00:25:36,639 --> 00:25:43,600
history so nothing too malicious I guess

507
00:25:40,029 --> 00:25:47,679
I mean it depends on your definition of

508
00:25:43,600 --> 00:25:49,779
malicious and a totally open source of

509
00:25:47,679 --> 00:25:51,999
always saying look at the server first

510
00:25:49,779 --> 00:25:56,710
of all it's running an ancient nginx

511
00:25:51,999 --> 00:25:59,619
version with a lot of known CVEs there

512
00:25:56,710 --> 00:26:00,159
is a valid HTTPS cert which is not being

513
00:25:59,619 --> 00:26:02,110
used

514
00:26:00,159 --> 00:26:05,530
I mean why bother having

515
00:26:02,110 --> 00:26:08,080
HTTPS and then not use it in the

516
00:26:05,530 --> 00:26:11,200
application maybe it's for newer

517
00:26:08,080 --> 00:26:15,040
versions they left the nginx welcome

518
00:26:11,200 --> 00:26:19,000
page at the root of the URL to welcome

519
00:26:15,040 --> 00:26:20,129
you to their site and of course I'm not

520
00:26:19,000 --> 00:26:24,040
doing anything else

521
00:26:20,130 --> 00:26:27,460
so is this anticlimactic well it depends

522
00:26:24,040 --> 00:26:31,178
I mean it's good to know that only my

523
00:26:27,460 --> 00:26:34,390
history saved I can decide whether I'm

524
00:26:31,179 --> 00:26:36,790
ok with it and whether I want it to be

525
00:26:34,390 --> 00:26:39,040
saved and I know the extent of what is

526
00:26:36,790 --> 00:26:41,440
collected and of course I wasn't ok with

527
00:26:39,040 --> 00:26:42,850
it so I just like blocked all of the

528
00:26:41,440 --> 00:26:45,669
device's communication with the outside

529
00:26:42,850 --> 00:26:49,178
world through the router through

530
00:26:45,669 --> 00:26:52,570
parental controls and now basically I

531
00:26:49,179 --> 00:26:54,840
had I had my server in my network that

532
00:26:52,570 --> 00:26:59,530
can talk to it and turn it on or off and

533
00:26:54,840 --> 00:27:02,559
no one knew about it of course so I felt

534
00:26:59,530 --> 00:27:05,918
very very proud of myself so what can

535
00:27:02,559 --> 00:27:08,500
you do well the easiest thing is just

536
00:27:05,919 --> 00:27:11,440
block everything right that's very good

537
00:27:08,500 --> 00:27:14,200
default sometimes you do want some

538
00:27:11,440 --> 00:27:16,090
features maybe you want to connect it

539
00:27:14,200 --> 00:27:21,100
with remote servers without having to

540
00:27:16,090 --> 00:27:24,459
proxy it to your own your own web server

541
00:27:21,100 --> 00:27:28,260
or your own service but you should at

542
00:27:24,460 --> 00:27:32,140
least be aware of what it's sending and

543
00:27:28,260 --> 00:27:34,840
you know be you be sure that it's ok

544
00:27:32,140 --> 00:27:37,470
with you you could use parental controls

545
00:27:34,840 --> 00:27:40,360
which I think most modern routers have

546
00:27:37,470 --> 00:27:42,790
you put the device in the guest Network

547
00:27:40,360 --> 00:27:46,740
if you don't want it used as a spearhead

548
00:27:42,790 --> 00:27:50,770
to hack other computers in your network

549
00:27:46,740 --> 00:27:52,809
and of course you can run your own DNS

550
00:27:50,770 --> 00:27:54,970
server and trying to see like whether

551
00:27:52,809 --> 00:27:57,910
you can move the communication the

552
00:27:54,970 --> 00:28:01,480
device tries to do with the remote

553
00:27:57,910 --> 00:28:04,120
server to your own the fun thing was

554
00:28:01,480 --> 00:28:07,809
that I couldn't actually resolve Broadlink

555
00:28:04,120 --> 00:28:11,709
main and backup so I guess it

556
00:28:07,809 --> 00:28:14,168
might be using its own DNS still stuff

557
00:28:11,710 --> 00:28:15,820
to research there's the three dumb

558
00:28:14,169 --> 00:28:19,119
router solution which

559
00:28:15,820 --> 00:28:21,460
basically says put the IOT devices in

560
00:28:19,119 --> 00:28:25,478
one network with like a router and

561
00:28:21,460 --> 00:28:30,399
then all your other nice devices another

562
00:28:25,479 --> 00:28:32,649
and then have both of them both of them

563
00:28:30,399 --> 00:28:34,600
connect to another router that connects

564
00:28:32,649 --> 00:28:37,959
to the internet so there's no way for

565
00:28:34,600 --> 00:28:41,738
any crosstalk that's another good

566
00:28:37,960 --> 00:28:44,590
solution some final thoughts first of

567
00:28:41,739 --> 00:28:47,080
all clients or you know devices that you

568
00:28:44,590 --> 00:28:49,918
own are always hackable it's like a maxim

569
00:28:47,080 --> 00:28:52,629
you know in iOS and Android development

570
00:28:49,919 --> 00:28:55,419
the device the application whatever

571
00:28:52,629 --> 00:28:57,879
whenever it's not on your server is

572
00:28:55,419 --> 00:29:00,399
hackable when it's on your server it's

573
00:28:57,879 --> 00:29:04,599
harder but still hackable of course I

574
00:29:00,399 --> 00:29:06,820
mean but clients are always hackable and

575
00:29:04,599 --> 00:29:08,519
you should and you can open up your

576
00:29:06,820 --> 00:29:12,599
devices you shouldn't be afraid of it

577
00:29:08,519 --> 00:29:15,849
void your warranty and all of that and

578
00:29:12,599 --> 00:29:19,269
one thing that's sometimes hard is the

579
00:29:15,849 --> 00:29:21,399
hardware is well at least for me maybe

580
00:29:19,269 --> 00:29:24,070
for a lot of people is harder than

581
00:29:21,399 --> 00:29:25,869
software and sometimes it's not worth

582
00:29:24,070 --> 00:29:28,720
your time but it's definitely something

583
00:29:25,869 --> 00:29:31,899
that you can you can do you can read

584
00:29:28,720 --> 00:29:34,479
firmware you can understand chips and

585
00:29:31,899 --> 00:29:37,809
you don't need to do more than that like

586
00:29:34,479 --> 00:29:43,359
you will know there's a weird camera

587
00:29:37,809 --> 00:29:44,859
hidden in your water heater and the

588
00:29:43,359 --> 00:29:47,349
important thing is you can add your own

589
00:29:44,859 --> 00:29:51,399
features whether it's in Hardware

590
00:29:47,349 --> 00:29:54,879
whether it's in software you can you can

591
00:29:51,399 --> 00:30:01,119
at least try and you should make the

592
00:29:54,879 --> 00:30:04,059
device your own make it make it fit you

593
00:30:01,119 --> 00:30:06,070
instead of you fit in it and it's app

594
00:30:04,059 --> 00:30:08,529
and all of the things it's sending to

595
00:30:06,070 --> 00:30:13,439
the server and the rest of the crap

596
00:30:08,529 --> 00:30:18,550
that's going on there cool so thank you

597
00:30:13,440 --> 00:30:31,410
and I'd love to hear some questions and

598
00:30:18,550 --> 00:30:31,409
I actually don't see if their question

599
00:30:33,990 --> 00:30:36,990
anyone

600
00:30:40,130 --> 00:30:46,850
okay well oh sorry

601
00:30:44,169 --> 00:30:50,360
it's hard to see there's so many lies

602
00:30:46,850 --> 00:30:52,459
yes so I played around with a few

603
00:30:50,360 --> 00:30:54,350
different IOT devices that all came from

604
00:30:52,460 --> 00:30:57,020
one company that I think was based in

605
00:30:54,350 --> 00:31:00,530
New York City called Quirky and they all

606
00:30:57,020 --> 00:31:02,030
have this very strange control chip in

607
00:31:00,530 --> 00:31:04,428
them that was all like it seems like it

608
00:31:02,030 --> 00:31:09,530
came off an assembly line and that it

609
00:31:04,429 --> 00:31:12,010
used the generic API that could just

610
00:31:09,530 --> 00:31:14,299
send and receive various like you know

611
00:31:12,010 --> 00:31:16,309
signed character values or something

612
00:31:14,299 --> 00:31:20,530
like that and it was unique because it

613
00:31:16,309 --> 00:31:23,210
was configured by the devices all had a

614
00:31:20,530 --> 00:31:25,190
CdS cell on them so like a light sensor

615
00:31:23,210 --> 00:31:27,140
on them and you held up a smartphone up

616
00:31:25,190 --> 00:31:29,299
to the light sensor the smartphone app

617
00:31:27,140 --> 00:31:31,520
would flash the screen in a pattern to

618
00:31:29,299 --> 00:31:33,770
transmit your Wi-Fi credentials there's

619
00:31:31,520 --> 00:31:35,120
nothing to that I was curious if you had

620
00:31:33,770 --> 00:31:36,799
when you've played around with these

621
00:31:35,120 --> 00:31:40,908
devices you came across anything similar

622
00:31:36,799 --> 00:31:44,240
to that so I haven't seen this specific

623
00:31:40,909 --> 00:31:47,059
way of transmitting data it sounds like

624
00:31:44,240 --> 00:31:49,130
like those hacks where you try to

625
00:31:47,059 --> 00:31:51,678
transmit data with the hard drive light

626
00:31:49,130 --> 00:31:55,730
on and off that's something that was

627
00:31:51,679 --> 00:32:01,280
done like a few few years ago I guess

628
00:31:55,730 --> 00:32:03,049
there are it's it's it seems like it

629
00:32:01,280 --> 00:32:06,280
would be very hard like it's very low

630
00:32:03,049 --> 00:32:09,440
bandwidth just holding it up and very

631
00:32:06,280 --> 00:32:12,678
but for devices that don't have any

632
00:32:09,440 --> 00:32:14,510
network connectivity which may be oh no

633
00:32:12,679 --> 00:32:15,980
these did have Wi-Fi chips in them this

634
00:32:14,510 --> 00:32:19,100
is how they receive the Wi-Fi

635
00:32:15,980 --> 00:32:21,650
credentials oh so I mean it depends like

636
00:32:19,100 --> 00:32:25,520
this device also has a Wi-Fi chip on it

637
00:32:21,650 --> 00:32:27,679
it's very basic it's like the lowest

638
00:32:25,520 --> 00:32:31,490
MediaTek the company that makes it has

639
00:32:27,679 --> 00:32:34,250
it and it connects there's an AP an

640
00:32:31,490 --> 00:32:37,610
access point and that's like usually

641
00:32:34,250 --> 00:32:41,299
what they do I haven't heard about of

642
00:32:37,610 --> 00:32:45,939
that method but you can also send it to

643
00:32:41,299 --> 00:32:48,620
broadcast there's some ways to do that

644
00:32:45,940 --> 00:32:49,130
that's unique though I have another

645
00:32:48,620 --> 00:32:51,678
question

646
00:32:49,130 --> 00:32:53,580
have you taken apart any smart like

647
00:32:51,679 --> 00:32:56,850
speakers or anything like that

648
00:32:53,580 --> 00:33:00,080
I don't own one yet so I haven't taken

649
00:32:56,850 --> 00:33:02,669
one apart no there was a teardown that

650
00:33:00,080 --> 00:33:06,590
there's a teardown on Medium of both

651
00:33:02,670 --> 00:33:10,500
the Echo and the Sonos smart speakers

652
00:33:06,590 --> 00:33:13,980
it's very interesting like the guy who

653
00:33:10,500 --> 00:33:16,620
did it tries to understand what it means

654
00:33:13,980 --> 00:33:19,470
for the companies which is a bit out of

655
00:33:16,620 --> 00:33:21,570
my league there but the components and

656
00:33:19,470 --> 00:33:23,370
everything is really interesting just

657
00:33:21,570 --> 00:33:26,610
google it it was like on Hacker News

658
00:33:23,370 --> 00:33:29,790
last week or something thanks thanks I

659
00:33:26,610 --> 00:33:33,659
actually have worked on both of those

660
00:33:29,790 --> 00:33:35,520
things so not Quirky itself but I can

661
00:33:33,660 --> 00:33:37,200
answer a bit of that all the Quirky

662
00:33:35,520 --> 00:33:39,360
devices a lot of the ones that use Wi-Fi

663
00:33:37,200 --> 00:33:41,130
have the Electric Imp inside of them and

664
00:33:39,360 --> 00:33:42,419
you can actually get that as a dev kit

665
00:33:41,130 --> 00:33:44,940
if you're curious about it you can

666
00:33:42,420 --> 00:33:46,590
program it yourself using that's

667
00:33:44,940 --> 00:33:49,170
although Electric Imp gets a Wi-Fi even

668
00:33:46,590 --> 00:33:51,659
though it's just a company called

669
00:33:49,170 --> 00:33:52,830
Electric Imp and they have dev boards

670
00:33:51,660 --> 00:33:53,160
and stuff you can play around with on

671
00:33:52,830 --> 00:33:57,149
their own

672
00:33:53,160 --> 00:33:59,070
I also took apart Echo and the goal with

673
00:33:57,150 --> 00:34:02,370
that is because when I was moving into a

674
00:33:59,070 --> 00:34:03,899
new place I was using it as a music

675
00:34:02,370 --> 00:34:05,429
speaker which it's great for and you can

676
00:34:03,900 --> 00:34:07,050
control it from Spotify on your phone or

677
00:34:05,430 --> 00:34:08,909
whatever but I didn't I wanted to

678
00:34:07,050 --> 00:34:11,009
disable the mics and that was actually

679
00:34:08,909 --> 00:34:12,899
my question is that there's this array

680
00:34:11,010 --> 00:34:15,330
of like seven MEMS microphones on

681
00:34:12,900 --> 00:34:20,490
there and I tried drilling them off

682
00:34:15,330 --> 00:34:23,489
which was not the best idea whether it

683
00:34:20,489 --> 00:34:25,469
was that or the fact that I probably had

684
00:34:23,489 --> 00:34:28,020
some collateral damage it doesn't work

685
00:34:25,469 --> 00:34:30,959
at all anymore but I was considering

686
00:34:28,020 --> 00:34:32,730
injecting some epoxy into the little

687
00:34:30,960 --> 00:34:33,740
holes on them I'm not sure but I was

688
00:34:32,730 --> 00:34:35,580
wondering if you had any other

689
00:34:33,739 --> 00:34:38,719
recommendations for that I guess I could

690
00:34:35,580 --> 00:34:41,639
try and hack into the software side so

691
00:34:38,719 --> 00:34:44,580
sometimes for example the LEDs on this

692
00:34:41,639 --> 00:34:46,350
device they're harmless like I could

693
00:34:44,580 --> 00:34:47,759
take them off I don't have to change

694
00:34:46,350 --> 00:34:50,610
them to different color just because

695
00:34:47,760 --> 00:34:52,740
they can and they're not part of the

696
00:34:50,610 --> 00:34:55,470
main electric board sometimes though

697
00:34:52,739 --> 00:34:57,979
these components like the mics like in

698
00:34:55,469 --> 00:35:00,600
the echo case there are part of the main

699
00:34:57,980 --> 00:35:02,190
board that makes everything else run and

700
00:35:00,600 --> 00:35:05,100
then you'll need to think of a creative

701
00:35:02,190 --> 00:35:05,890
solution for example actually start

702
00:35:05,100 --> 00:35:08,288
reverse engineering

703
00:35:05,890 --> 00:35:11,558
the circuit understanding what it

704
00:35:08,289 --> 00:35:15,819
expects it like what the interactions it

705
00:35:11,559 --> 00:35:20,019
expects is maybe you know just emulating

706
00:35:15,819 --> 00:35:22,089
somehow a mic that's also possible but

707
00:35:20,019 --> 00:35:24,959
in this case maybe some side channel

708
00:35:22,089 --> 00:35:28,808
things like preventing it from

709
00:35:24,960 --> 00:35:30,640
transmitting to the Internet and it's a

710
00:35:28,809 --> 00:35:34,739
good question I don't have anything

711
00:35:30,640 --> 00:35:34,739
smart to say about how to fix it though

712
00:35:37,230 --> 00:35:42,279
yeah you need like you need to be trying

713
00:35:40,119 --> 00:35:44,200
that's that's one important takeaway

714
00:35:42,279 --> 00:35:48,279
thank you so much it's very inspiring

715
00:35:44,200 --> 00:35:51,640
thank you thank you thanks Michael for a

716
00:35:48,279 --> 00:35:54,249
great talk while backward I'm up I work

717
00:35:51,640 --> 00:35:56,529
in IOT stuff so it was fun to see how

718
00:35:54,249 --> 00:35:57,220
things get taken apart and then I really

719
00:35:56,529 --> 00:35:59,140
appreciate everything you've done

720
00:35:57,220 --> 00:36:02,618
there's a project called the thing

721
00:35:59,140 --> 00:36:04,150
system which unfortunately went poof but

722
00:36:02,619 --> 00:36:06,039
it was all done open source so anyone

723
00:36:04,150 --> 00:36:07,930
who's looking to hack their devices

724
00:36:06,039 --> 00:36:09,549
especially the early Gen ones the thing

725
00:36:07,930 --> 00:36:10,808
system was really cool and they just

726
00:36:09,549 --> 00:36:13,989
basically bought everything they could

727
00:36:10,809 --> 00:36:15,910
in 2013 and 2014 and kind of did this in

728
00:36:13,989 --> 00:36:17,980
publish stuff and I'd say as well the

729
00:36:15,910 --> 00:36:19,359
other one to look at maybe is openHAB I

730
00:36:17,980 --> 00:36:22,180
don't know if that came up on your on

731
00:36:19,359 --> 00:36:23,410
your list but it's a there's a lot of

732
00:36:22,180 --> 00:36:24,848
people that will do the discussion and

733
00:36:23,410 --> 00:36:26,890
similar things on some of the devices

734
00:36:24,849 --> 00:36:29,079
and then try and sort of coordinate them

735
00:36:26,890 --> 00:36:31,118
under a steward or something that runs

736
00:36:29,079 --> 00:36:33,940
on a Raspberry Pi in the home before

737
00:36:31,119 --> 00:36:36,809
letting the stuff out too so there's

738
00:36:33,940 --> 00:36:39,789
something called Home Assistant which is

739
00:36:36,809 --> 00:36:42,730
awesome which someone told me about it

740
00:36:39,789 --> 00:36:47,829
has it's basically like a platform to

741
00:36:42,730 --> 00:36:50,259
control IOT devices it has it can talk

742
00:36:47,829 --> 00:36:52,960
to a lot of devices and it can do some

743
00:36:50,259 --> 00:36:54,759
cool things like I don't know it

744
00:36:52,960 --> 00:36:57,059
connects to a lot of data sources so you

745
00:36:54,759 --> 00:37:00,489
can say when the angle of the Sun is

746
00:36:57,059 --> 00:37:03,369
very low then start the lights without

747
00:37:00,489 --> 00:37:06,700
me having to you know get off my chair

748
00:37:03,369 --> 00:37:08,200
and turn it on that's that's exactly the

749
00:37:06,700 --> 00:37:10,899
thing you should be looking for like

750
00:37:08,200 --> 00:37:12,430
whether the device itself is supported

751
00:37:10,900 --> 00:37:14,680
by platforms like that the open

752
00:37:12,430 --> 00:37:17,169
platforms whether you can reflash it

753
00:37:14,680 --> 00:37:18,430
for example this device I still have no

754
00:37:17,170 --> 00:37:20,410
idea how I can get

755
00:37:18,430 --> 00:37:23,680
my own custom firmware on it it

756
00:37:20,410 --> 00:37:26,799
seems a bit hard but the point is try

757
00:37:23,680 --> 00:37:30,040
hard things so I'm definitely going to

758
00:37:26,800 --> 00:37:32,589
try it and hopefully I mean I could do

759
00:37:30,040 --> 00:37:35,349
something open-source that you know I I

760
00:37:32,589 --> 00:37:41,589
don't that I can I can know exactly

761
00:37:35,349 --> 00:37:44,319
what's running on that yeah just on in

762
00:37:41,589 --> 00:37:47,259
response to the question about the about

763
00:37:44,319 --> 00:37:49,300
the optical transmission for the Wi-Fi

764
00:37:47,260 --> 00:37:54,250
the other thing I've seen a lot of with

765
00:37:49,300 --> 00:37:56,920
that is audio transmission you see that

766
00:37:54,250 --> 00:38:00,490
a lot of a lot of IP cameras when they

767
00:37:56,920 --> 00:38:02,040
when they want to connect to some Wi-Fi

768
00:38:00,490 --> 00:38:05,500
network they never connected to before

769
00:38:02,040 --> 00:38:07,599
it'll actually could be any number of

770
00:38:05,500 --> 00:38:09,940
protocols to do it but it'll actually

771
00:38:07,599 --> 00:38:11,230
send it out over over sound to the

772
00:38:09,940 --> 00:38:13,750
microphone on the camera and pick it up

773
00:38:11,230 --> 00:38:15,400
that way there's there are several

774
00:38:13,750 --> 00:38:19,349
different ways that you see that where

775
00:38:15,400 --> 00:38:21,849
it doesn't exactly want to want to

776
00:38:19,349 --> 00:38:24,579
connect to it as long as you send out

777
00:38:21,849 --> 00:38:27,250
its own AP but it does want you to have

778
00:38:24,579 --> 00:38:30,160
some way of can I can do it yeah there's

779
00:38:27,250 --> 00:38:32,349
a lot of creative solutions like that so

780
00:38:30,160 --> 00:38:34,299
I mean it's hard for me to understand

781
00:38:32,349 --> 00:38:36,430
why if you already have a Wi-Fi chip

782
00:38:34,299 --> 00:38:40,180
that can act as an AP maybe it can't act

783
00:38:36,430 --> 00:38:42,339
as it might be maybe it's just some easy

784
00:38:40,180 --> 00:38:44,799
way that someone thought of and didn't

785
00:38:42,339 --> 00:38:48,630
really think of alternatives but it also

786
00:38:44,799 --> 00:38:48,630
seems like something that would be very

787
00:38:48,839 --> 00:38:54,730
error-prone right although they do use

788
00:38:52,299 --> 00:38:58,569
tones that humans can produce and

789
00:38:54,730 --> 00:39:02,609
usually yeah the other things that may

790
00:38:58,569 --> 00:39:06,400
very well be in so many cases the people

791
00:39:02,609 --> 00:39:08,170
building the system are thinking of it

792
00:39:06,400 --> 00:39:10,450
in terms of a security camera system or

793
00:39:08,170 --> 00:39:12,690
or that sort of a system so you're

794
00:39:10,450 --> 00:39:15,189
you're looking at it and you've got

795
00:39:12,690 --> 00:39:16,690
you're not necessarily thinking about it

796
00:39:15,190 --> 00:39:19,300
in terms of the network side of it even

797
00:39:16,690 --> 00:39:23,470
to add an internet to it

798
00:39:19,300 --> 00:39:26,380
very wealthy recently the company work

799
00:39:23,470 --> 00:39:28,359
at Vito it's actually an IOT company

800
00:39:26,380 --> 00:39:30,640
although I'm just like a back-end

801
00:39:28,360 --> 00:39:32,650
developer this is something I've done

802
00:39:30,640 --> 00:39:37,589
like on my own time but we've looked

803
00:39:32,650 --> 00:39:42,280
into I don't know like a few dozen maybe

804
00:39:37,590 --> 00:39:45,010
IOT cameras and there's like every

805
00:39:42,280 --> 00:39:47,760
camera we look at has a ton of CVEs and a

806
00:39:45,010 --> 00:39:48,870
ton of things that are broken

807
00:39:47,760 --> 00:39:51,310
[Music]

808
00:39:48,870 --> 00:39:55,450
unfortunately this is still the state of

809
00:39:51,310 --> 00:39:56,590
the commercial security market like the

810
00:39:55,450 --> 00:40:00,700
commercial can't execute

811
00:39:56,590 --> 00:40:05,230
security camera market but that's why

812
00:40:00,700 --> 00:40:07,000
we're here to make it better I shall

813
00:40:05,230 --> 00:40:09,340
talk might have a question I don't know

814
00:40:07,000 --> 00:40:11,740
whether there may be somebody else in

815
00:40:09,340 --> 00:40:14,410
the audience might want to say something

816
00:40:11,740 --> 00:40:18,549
you're getting touched me but my concern

817
00:40:14,410 --> 00:40:22,660
and of course is cars so I want to find

818
00:40:18,550 --> 00:40:24,820
the the wireless transmitter in my car

819
00:40:22,660 --> 00:40:27,430
wring its neck and get rid of the

820
00:40:24,820 --> 00:40:28,810
microphone into while I'm at it so any

821
00:40:27,430 --> 00:40:38,620
suggestions for how to go about doing

822
00:40:28,810 --> 00:40:40,299
that no long term I mean I can think of

823
00:40:38,620 --> 00:40:41,890
a few ways just off the top of my head

824
00:40:40,300 --> 00:40:45,880
it's usually connected to something in

825
00:40:41,890 --> 00:40:48,190
the OBD I mean I'm sure you can like

826
00:40:45,880 --> 00:40:49,630
find someone's done it before and if

827
00:40:48,190 --> 00:40:51,310
you're the first and it just means

828
00:40:49,630 --> 00:40:54,660
you'll be the one getting all the glory

829
00:40:51,310 --> 00:40:54,660
when you publish it right

830
00:40:59,589 --> 00:41:06,339
back to some cars it's a separate move

831
00:41:02,859 --> 00:41:08,650
here that only runs both Lu two other

832
00:41:06,339 --> 00:41:12,038
times it will be part of the overall

833
00:41:08,650 --> 00:41:14,140
telematics module so you can't you can't

834
00:41:12,039 --> 00:41:18,719
always just unplug it without waiting

835
00:41:14,140 --> 00:41:21,879
over to the power amplifier come on

836
00:41:18,719 --> 00:41:23,559
maybe some years old but might occur I

837
00:41:21,880 --> 00:41:25,749
heard they are not many car

838
00:41:23,559 --> 00:41:27,939
manufacturers are not yet making it so

839
00:41:25,749 --> 00:41:30,368
that removing the telematics module

840
00:41:27,939 --> 00:41:32,519
cripples and bricks the car. So I don't

841
00:41:30,369 --> 00:41:34,599
see any use for the telematics or

842
00:41:32,519 --> 00:41:36,669
microphone whatsoever, I just want to get

843
00:41:34,599 --> 00:41:40,089
rid of the whole thing, all the subsystems.

844
00:41:36,670 --> 00:41:43,709
I like "brick the car", that's... they said

845
00:41:40,089 --> 00:41:43,709
that we have to use these words now

846
00:41:44,249 --> 00:41:50,499
Jabra have supported it until your

847
00:41:48,180 --> 00:41:53,529
Bluetooth but don't want it phoning

848
00:41:50,499 --> 00:41:55,988
home, the box will have connectors for

849
00:41:53,529 --> 00:41:58,890
GPS and a data center and talk to

850
00:41:55,989 --> 00:41:58,890
some plug the attempts

851
00:42:04,870 --> 00:42:11,740
it's great to see your research and how

852
00:42:08,560 --> 00:42:13,420
you went through reversing the

853
00:42:11,740 --> 00:42:15,609
firmware with some strings and stuff

854
00:42:13,420 --> 00:42:17,680
like that. I was wondering, because you

855
00:42:15,610 --> 00:42:20,980
know some strings can be packed, and if

856
00:42:17,680 --> 00:42:24,310
people are hiding things, was... so where's

857
00:42:20,980 --> 00:42:27,880
the memory chip, a separate... was it a

858
00:42:24,310 --> 00:42:31,049
separate chip from the SOC or was it all

859
00:42:27,880 --> 00:42:34,960
in one package? It's all in one package,

860
00:42:31,050 --> 00:42:38,490
so it also has its own. The firmware I

861
00:42:34,960 --> 00:42:41,710
got was from a separate flash memory chip;

862
00:42:38,490 --> 00:42:45,459
the chip itself also has some memory.

863
00:42:41,710 --> 00:42:48,340
So first of all, some data might be

864
00:42:45,460 --> 00:42:51,610
packed like he said, although I mean why

865
00:42:48,340 --> 00:42:54,190
would they bother, right? But some of the

866
00:42:51,610 --> 00:42:58,660
code might be on the chip itself, which I

867
00:42:54,190 --> 00:43:01,000
didn't... that wasn't part of it, wasn't an

868
00:42:58,660 --> 00:43:04,810
easy thing to do, which is something that

869
00:43:01,000 --> 00:43:06,790
I pride myself on, doing easy things. Okay,

870
00:43:04,810 --> 00:43:09,040
I was just... that would make it a little

871
00:43:06,790 --> 00:43:10,990
difficult for my question, but I was

872
00:43:09,040 --> 00:43:13,180
wondering if there was any opportunity

873
00:43:10,990 --> 00:43:16,089
to use a logic analyzer in order to try

874
00:43:13,180 --> 00:43:19,600
to extract like configuration data for

875
00:43:16,090 --> 00:43:25,000
like modems and things like that? No, no,

876
00:43:19,600 --> 00:43:27,779
we used a reader for the flash

877
00:43:25,000 --> 00:43:30,220
memory chip, we didn't... it's like a

878
00:43:27,780 --> 00:43:34,660
specialized device that we have, but you

879
00:43:30,220 --> 00:43:36,459
can also do it. I mean we could, we

880
00:43:34,660 --> 00:43:39,580
could try and analyze the board like we

881
00:43:36,460 --> 00:43:41,950
said, and see what's actually happening,

882
00:43:39,580 --> 00:43:44,230
and then just remove the chip and try

883
00:43:41,950 --> 00:43:48,700
and emulate it with something, another...

884
00:43:44,230 --> 00:43:53,970
but that's something we thought of, but

885
00:43:48,700 --> 00:43:53,970
again it's hard, right? Like, yeah.

886
00:43:55,579 --> 00:44:01,670
I really enjoyed your talk and really

887
00:43:58,880 --> 00:44:04,640
appreciate these kinds of exercises. In

888
00:44:01,670 --> 00:44:06,829
the United States water heaters tend to

889
00:44:04,640 --> 00:44:09,229
be, I think for most people, a 40

890
00:44:06,829 --> 00:44:11,390
gallon drum that is either gas or

891
00:44:09,229 --> 00:44:14,379
electric, and it tends to always be on, so

892
00:44:11,390 --> 00:44:16,489
when you turn the faucet on the water

893
00:44:14,380 --> 00:44:18,680
eventually gets hot.

894
00:44:16,489 --> 00:44:21,019
There's the newer flash, you know, hot

895
00:44:18,680 --> 00:44:22,999
water on demand. I was wondering if you

896
00:44:21,019 --> 00:44:25,430
could take a minute to describe what

897
00:44:22,999 --> 00:44:27,529
this water heater is, and, you know, having

898
00:44:25,430 --> 00:44:33,940
the switch in the house. Is it a tank? Is

899
00:44:27,529 --> 00:44:36,440
it electric? So that's a good question,

900
00:44:33,940 --> 00:44:38,390
maybe I should have explained it a

901
00:44:36,440 --> 00:44:41,239
little bit better. I'm from Israel, in

902
00:44:38,390 --> 00:44:46,029
case my accent didn't give it away. We

903
00:44:41,239 --> 00:44:50,599
have drums that are electrically heated,

904
00:44:46,029 --> 00:44:52,519
and the drums themselves are usually on

905
00:44:50,599 --> 00:44:57,469
the roof of the house. Sometimes you have

906
00:44:52,519 --> 00:45:00,198
a solar heater, and in this case it's

907
00:44:57,469 --> 00:45:03,229
controlled by... basically all you have is

908
00:45:00,199 --> 00:45:04,880
a button, and I guess that's why the

909
00:45:03,229 --> 00:45:08,538
device is only for the Israeli market,

910
00:45:04,880 --> 00:45:12,949
the form factor of it and of course the

911
00:45:08,539 --> 00:45:14,469
way it behaves. But, uh, yeah, that's

912
00:45:12,949 --> 00:45:22,369
what it is.

913
00:45:14,469 --> 00:45:25,400
Water comes from somewhere magically?

914
00:45:22,369 --> 00:45:28,539
Yeah, I mean maybe that's something I

915
00:45:25,400 --> 00:45:28,539
should check, where it comes from.

916
00:45:28,640 --> 00:45:32,970
[Laughter]

917
00:45:35,029 --> 00:45:43,460
Cool, so thank you very much.

918
00:45:38,330 --> 00:45:43,460
[Applause]


