Home Invasion v2.0 WHO ARE WE? The Presenters Daniel - - PowerPoint PPT Presentation

▶

Sep 01, 2023 104 likes •344 views

Home Invasion v2.0 WHO ARE WE? The Presenters Daniel unicornFurnace Crowley - Managing Consultant, Trustwave SpiderLabs Jennifer savagejen Savage - Software Engineer, Tabbedout David videoman Bryan - Security

SLIDE 1

Home Invasion v2.0

SLIDE 2

WHO ARE WE?

SLIDE 3

Daniel “unicornFurnace” Crowley

Managing Consultant, Trustwave SpiderLabs

Jennifer “savagejen” Savage

Software Engineer, Tabbedout

David “videoman” Bryan

Security Consultant, Trustwave SpiderLabs

The Presenters

SLIDE 4

WHAT ARE WE DOING HERE?

SLIDE 5

Science fiction becomes science fact Race to release novel products means poor security Attempt to hack a sampling of “smart” devices Many products we didn’t cover Android powered oven Smart TVs (another talk is covering one!) IP security cameras

The “Smart” Home

SLIDE 6

WHAT’S OUT THERE?

SLIDE 7

Belkin WeMo Switch

SLIDE 8

1. Vulnerable libupnp version
2. Unauthenticated UPnP actions
1. SetBinaryState
2. SetFriendlyName
3. UpdateFirmware

Belkin WeMo Switch

SLIDE 9

MiCasaVerde VeraLite

SLIDE 10

1. Lack of authentication on web console by default
2. Lack of authentication on UPnP daemon
3. Path Traversal
4. Insufficient Authorization Checks
1. Firmware Update
2. Settings backup
3. Test Lua code
5. Server Side Request Forgery
6. Cross-Site Request Forgery
7. Unconfirmed Authentication Bypass
8. Vulnerable libupnp Version

MiCasaVerde VeraLite

SLIDE 11

INSTEON Hub

SLIDE 12

1. Lack of authentication on web console
1. Web console exposed to the Internet

INSTEON Hub

SLIDE 13

Karotz Smart Rabbit

SLIDE 14

1. Exposure of wifi network credentials unencrypted
2. Python module hijack in wifi setup
3. Unencrypted remote API calls
4. Unencrypted setup package download

Karotz Smart Rabbit

SLIDE 15

1. Unauthenticated UPnP actions

Linksys Media Adapter

SLIDE 16

LIXIL Satis Smart Toilet

SLIDE 17

1. Default Bluetooth PIN

LIXIL Satis Smart Toilet

SLIDE 18

1. Unauthenticated API
2. Disclosure of WiFi passphrase

Radio Thermostat

SLIDE 19

SONOS Bridge

SLIDE 20

1. Support console information disclosure

SONOS Bridge

SLIDE 21

DEMONSTRATION

SLIDE 22

CONCLUSION

SLIDE 23

Daniel “unicornFurnace” Crowley dcrowley@trustwave.com @dan_crowley Jennifer “savagejen” Savage savagejen@gmail.com (PGP key ID 6326A948) @savagejen David “videoman” Bryan dbryan@trustwave.com @_videoman_

Home Invasion v2.0

WHO ARE WE?

Daniel “unicornFurnace” Crowley

Jennifer “savagejen” Savage

David “videoman” Bryan

The Presenters

WHAT ARE WE DOING HERE?

Science fiction becomes science fact Race to release novel products means poor security Attempt to hack a sampling of “smart” devices Many products we didn’t cover Android powered oven Smart TVs (another talk is covering one!) IP security cameras

The “Smart” Home

WHAT’S OUT THERE?

Belkin WeMo Switch

Belkin WeMo Switch

MiCasaVerde VeraLite

MiCasaVerde VeraLite

INSTEON Hub

INSTEON Hub

Karotz Smart Rabbit

Karotz Smart Rabbit

Linksys Media Adapter

LIXIL Satis Smart Toilet

LIXIL Satis Smart Toilet

Radio Thermostat

SONOS Bridge

SONOS Bridge

DEMONSTRATION

CONCLUSION

Daniel “unicornFurnace” Crowley dcrowley@trustwave.com @dan_crowley Jennifer “savagejen” Savage savagejen@gmail.com (PGP key ID 6326A948) @savagejen David “videoman” Bryan dbryan@trustwave.com @_videoman_

Questions?