learn how to control every
play

LEARN HOW TO CONTROL EVERY ROOM AT A LUXURY HOTEL REMOTELY: THE - PowerPoint PPT Presentation

Jul 11, 2023 •101 likes •417 views

LEARN HOW TO CONTROL EVERY ROOM AT A LUXURY HOTEL REMOTELY: THE DANGERS OF INSECURE HOME AUTOMATION DEPLOYMENT BY JESUS MOLINA @VERIFYTHENTRUST If I were to tell someone is able to control every appliance in your hotel room, will you move to

  1. LEARN HOW TO CONTROL EVERY ROOM AT A LUXURY HOTEL REMOTELY: THE DANGERS OF INSECURE HOME AUTOMATION DEPLOYMENT BY JESUS MOLINA @VERIFYTHENTRUST

  2. If I were to tell someone is able to control every appliance in your hotel room, will you move to another hotel tonight? 8/21/2014

  3. #WHOAMI • Security consultant based in SF • Full name and title • Doctor Jesús María Molina Terriza • Spanish from la Mancha • www.jesusmolina.com • @verifythentrust • Get me a good tequila at the bar 8/21/2014

  4. Preliminaries • Controlled 200+ rooms of a 5 star hotel by abusing an insecure home automation protocol • While I was a guest of the hotel • In CHINA • I did not hack – I abused • Starwood response was positive 8/21/2014

  5. The ST . REGIS SHENZHEN HOTEL IS HERE 8/21/2014

  6. 8/21/2014

  7. ROOM 7772 ? Could I control the room with my laptop? 8/21/2014

  8. 1 - IPAD IS OPEN TO INSPECTION AND TAMPERING 2 - IPAD IS CONNECTED TO GUEST NETWORK 3 – THE GUEST NETWORK IS OPEN TO INSPECTION AND TAMPERING 4 – THE AUTOMATION PROTOCOL NEEDS TO BE SECURE 5 – But it is NOT 8/21/2014

  9. UDP TO A SINGLE IP AND PORT 8/21/2014

  10. 8/21/2014

  11. TRUE FACTS ABOUT KNX/IP • IP encapsulation of KNX • KNX is a building automation protocol • Created in 1990 • Widespread in Europe and China • Simple to deploy 8/21/2014

  12. TRUE FACTS ABOUT KNX/IP • “Open” meaning “Closed” - 1000 € just to look at it? What is this? 1990s? • Open source clients – eibd daemon 8/21/2014

  13. TRUE FACTS ABOUT KNX/IP • NO SECURITY • EIBsec: a security extension to KNX/EIB 2006!!!!!!!!! New KNX specs (2013) claim security – but I • can’t read it – Anyone has 1000 euros? 8/21/2014

  14. ROOM 7777 GUEST NETWORK 2/2/2 KNXnet/IP Router 192.178.1.4 2/2/3 KNX Network 8/21/2014

  15. ROOM 7777 GUEST NETWORK 2/2/2 KNXnet/IP Router 192.178.1.4 2/2/3 KNX Network ROOM 7778 2/3/2 KNXnet/IP Router 192.178.1.5 2/3/3 KNX Network 8/21/2014

  16. 8/21/2014

  17. KNX/IP router KNX network CONNECT_REQUEST CONNECT_RESPONSE CONNECTIONSTATE_REQUEST CONNECTIONSTATE_RESPONSE TUNNELLING_REQUEST cEMI TUNNELLING_ACK ACK DISCONNECT_REQUEST DISCONNECT_RESPONSE 8/21/2014

  18. KNX/IP frame Header Header Header KNXnet/IP UDP Ethernet IP Protocol Service Type Header Payload Total Length Version Identifier Length cEMI 06 10 04 20 00 15 04 49 00 00 11 00 bc e0 00 00 08 02 01 00 81 8/21/2014

  19. A cEMI frame* to make a lightbulb go /* TUNNELLING_REQUEST */ /* Header (6 Bytes) */ treq[0] = 0x06; /* 06 - Header Length */ treq[1] = 0x10; /* 10 - KNXnet version (1.0) */ treq[2] = 0x04; /* 04 - hi-byte Service type descriptor (TUNNELLING_REQUEST) */ treq[3] = 0x20; /* 20 - lo-byte Service type descriptor (TUNNELLING_REQUEST) */ treq[4] = 0x00; /* 00 - hi-byte total length */ treq[5] = 0x15; /* 15 - lo-byte total lengt 21 bytes */ /* Connection Header (4 Bytes) */ treq[6] = 0x04; /* 04 - Structure length */ treq[7] = iChannelID & 0xff; /* given channel id */ treq[8] = 0x00; /* sequence counter, zero if you send one tunnelling request only at this session, otherwise count ++ */ treq[9] = 0x00; /* 00 - Reserved */ /* cEMI-Frame (11 Bytes) */ treq[10] = 0x11; /* message code, 11: Data Service transmitting */ treq[11] = 0x00; /* add. info length ( bytes) */ treq[12] = 0xbc; /* control byte */ treq[13] = 0xe0; /* DRL byte */ treq[14] = 0x00; /* hi-byte source individual address */ treq[15] = 0x00; /* lo-byte source (replace throw IP-Gateway) */ treq[16] = (destaddr >> 8) & 0xff; /* hi-byte destination address (20: group address) Address 4/0/0: (4*2048) + (0*256) + (0*1) = 8192 = 20 00 */ treq[17] = destaddr & 0xff; /* lo-Byte destination */ treq[18] = 0x01; /* 01 data byte following */ treq[19] = 0x00; /* tpdu */ Action treq[20] = 0x81; /* 81: switch on, 80: off */ 8/21/2014 *According to http://www.eb-systeme.de/

  20. Can I switch TV on in EVERY room? 8/21/2014

  21. “Let There Be Light” 8/21/2014

  22. THE ATTACK • Program to send tunneling request Code your own • Eibd: http://www.auto.tuwien.ac.at/~mkoegler/index.php/eibd • KNX Address of each device in the room • Press the iPad and automate collecting the result • IP address and KNX of each room • Change rooms and infer the pattern • 8/21/2014

  23. INFORMATION COLLECTION FAILURE NO IPAD  8/21/2014

  24. How do I know it works? • DND Lights are outside the room … • And I control them! DND heartbeat 8/21/2014

  25. Where there other things connected? MAYBE…. 8/21/2014

  26. WHAT DOES IT MEAN? 8/21/2014

  27. For Hotels • Update security policies according to new technologies • Open protocols and security for external researchers • Guest security cannot be an afterthought • Is this possible in other hotels? 8/21/2014

  28. For the IoT • Guerrilla war when it comes to deployment • KNX is a standard for home automation! • Most protocols are closed • Most protocols rely in external security • Extra care when deploying automation in shares spaces 8/21/2014

  29. So What? What’s the worst thing that could happen? “ The humans have played their hand” “One iPad to rule them all”

  30. If I were to tell someone is able to control every appliance in your hotel room, will you move to another hotel tonight? The worst thing that could happen is that we don’t care. Welcome to 1984 8/21/2014

  31. Questions? security@nomeames.com @verifythentrust 8/21/2014

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Objectives learn about Java branching statements learn about loops Flow of Control

Objectives learn about Java branching statements learn about loops Flow of Control

Objectives learn about Java branching statements learn about loops Flow of Control learn about the type boolean Chapter 3 Flow of Control Branching Statements: Outline Flow of control is the order in which a The if-else

311 views • 18 slides
Why We Should Take a Second What do we learn from Look at Access Control in Unix this?

Why We Should Take a Second What do we learn from Look at Access Control in Unix this?

Introduction A model for Unix Why We Should Take a Second What do we learn from Look at Access Control in Unix this? Concluding remarks Jason Crampton Information Security Group Royal Holloway, University of London NordSec 2008

590 views • 27 slides
Learn Blackboard Learn Learn with others Learn in your own time, pace, space Learn through

Learn Blackboard Learn Learn with others Learn in your own time, pace, space Learn through

Learn Blackboard Learn Learn with others Learn in your own time, pace, space Learn through designing for teaching Learn with others 1. Black Swan Conferences Hear The bigger picture Higher Education Blackboard UWA Experience

478 views • 16 slides
Choice and Control A workshop for people with a learning disability to learn about their rights.

Choice and Control A workshop for people with a learning disability to learn about their rights.

Choice and Control A workshop for people with a learning disability to learn about their rights. Created January 2014 Safety Net-People First 1 Choice and Control This booklet is for you to keep. There is a lot of important

481 views • 14 slides
(Learning to) Learn to Control Jan K ret nsk y Technical University of Munich, Germany

(Learning to) Learn to Control Jan K ret nsk y Technical University of Munich, Germany

(Learning to) Learn to Control Jan K ret nsk y Technical University of Munich, Germany joint work with P . Ashok, T. Meggendorfer (TUM), T. Br azdil (Masaryk University Brno), K. Chatterjee, M. Chmel k, P . Daca, A.

544 views • 35 slides
Today We Will Learn Why worry? Obesity is on the rise Weight control Surprising

Today We Will Learn Why worry? Obesity is on the rise Weight control Surprising

Today We Will Learn Why worry? Obesity is on the rise Weight control Surprising facts Being active is key Benefits of exercise Burn more calories Activity adds up Tips and tricks Obesity Trends* Among U.S.

453 views • 32 slides
Learn more Do more Be more Learn more Do more Be more UNITY Learn more Do

Learn more Do more Be more Learn more Do more Be more UNITY Learn more Do

Learn more Do more Be more Learn more Do more Be more UNITY Learn more Do more Be more Key Staff linked to Year 7 Mrs Angela Haynes Mrs Louisa Smith Head of Year 7 Year 7 PSM Ms Leyla Mrs Julia Emmel Bilsborough

736 views • 27 slides
Don't Make it a Race The Four Common Concurrency Data Control Patterns What You Will Learn

Don't Make it a Race The Four Common Concurrency Data Control Patterns What You Will Learn

Don't Make it a Race The Four Common Concurrency Data Control Patterns What You Will Learn The overall concurrency landscape The common ways to handle shared mutable state With detailed examples How it all hangs together

676 views • 49 slides
Learn how together we can fight back and win Learn more about whats at stake Learn about the

Learn how together we can fight back and win Learn more about whats at stake Learn about the

In this presentation you will: Learn how together we can fight back and win Learn more about whats at stake Learn about the state of play around the country 2.3 million members across 50 states fighting for access to abortion care, birth

511 views • 40 slides
Learning objectives Understand goals and implications of finite state abstraction Learn

Learning objectives Understand goals and implications of finite state abstraction Learn

Learning objectives Understand goals and implications of finite state abstraction Learn how to model program control flow with Finite Models graphs Learn how to model the software system structure with call graphs Learn how

229 views • 5 slides
Six Critical Things You Can Learn From a Flow Spot Check Speaker: Dan Kilpatrick GE Measurement

Six Critical Things You Can Learn From a Flow Spot Check Speaker: Dan Kilpatrick GE Measurement

RAECO Customer Webinar Six Critical Things You Can Learn From a Flow Spot Check Speaker: Dan Kilpatrick GE Measurement & Control Agenda Ultrasonic Meter Basics Application Considerations Six Things You Could Learn Questions Dec. 2002

367 views • 25 slides
Motivation to Learn GPGPU Julius Parulek Why to Learn About GPU? Computational power of GPU vs.

Motivation to Learn GPGPU Julius Parulek Why to Learn About GPU? Computational power of GPU vs.

Motivation to Learn GPGPU Julius Parulek Why to Learn About GPU? Computational power of GPU vs. CPU Why to Learn About GPU? NVIDIA GPU relative performances Why to Learn About GPU? Hardware Why to Learn About GPU? Interactive rendering

852 views • 46 slides
If anyone can control his tongue, it proves that he has perfect control over himself...

If anyone can control his tongue, it proves that he has perfect control over himself...

If anyone can control his tongue, it proves that he has perfect control over himself... James 3:2 (LB) If people never said anything wrong, they would be perfect. James 3:2 (NCV) Why Must I Learn To Manage My Mouth? 1. My mouth

808 views • 28 slides
Introduction to AAE520 Forebody/LDV Lab Learn to use a water tunnel Learn about the laser

Introduction to AAE520 Forebody/LDV Lab Learn to use a water tunnel Learn about the laser

Introduction to AAE520 Forebody/LDV Lab Learn to use a water tunnel Learn about the laser doppler velocimeter (LDV), use it for some measurements Learn about flow visualization Learn about subsonic forebodies at high angle of

952 views • 23 slides
what you need to learn now to decide what you need to learn next Bob Dowling

what you need to learn now to decide what you need to learn next Bob Dowling

Scientific computing: An introduction to tools and programming languages what you need to learn now to decide what you need to learn next Bob Dowling rjd4@cam.ac.uk University Information Services Course outline Basic concepts

762 views • 73 slides
Se Seek, k, Learn rn and nd Serve ve Se Seek, k, Learn rn and nd Serve ve WELCOME TO

Se Seek, k, Learn rn and nd Serve ve Se Seek, k, Learn rn and nd Serve ve WELCOME TO

Se Seek, k, Learn rn and nd Serve ve Se Seek, k, Learn rn and nd Serve ve WELCOME TO GOOD COUNSEL PRIMARY SCHOOL Se Seek, k, Learn rn and nd Serve ve PREPARATORY YEAR 2017 PARENT MEETING Seek, Se k, Learn rn and nd Serve ve

295 views • 18 slides
Overview Introduction Lexicalized TAG, Advantages of parsing with LTAG Parsing LTAGs

Overview Introduction Lexicalized TAG, Advantages of parsing with LTAG Parsing LTAGs

Parsing with Lexicalized TAG (1) Extracting and comparing LTAG (2) Presentation by Philip John Gorinski Seminar Recent Advances in Parsing Technology Saarland University, Winter Term 2011/12 (1) Yves Shabes, Aravind K. Joshi, 1990 (2)

514 views • 36 slides
It Is Finished Christ has accomplished our redemption. The Atonement Atonement means

It Is Finished Christ has accomplished our redemption. The Atonement Atonement means

It Is Finished Christ has accomplished our redemption. The Atonement Atonement means making amends, blotting out the offense, and giving satisfaction for wrong done; thus reconciling to oneself the alienated other and restoring the

346 views • 16 slides
Active Learning: Rethinking Our Teaching to Promote Deeper Learning Facilitated by Ken Silvestri,

Active Learning: Rethinking Our Teaching to Promote Deeper Learning Facilitated by Ken Silvestri,

Active Learning: Rethinking Our Teaching to Promote Deeper Learning Facilitated by Ken Silvestri, CFE Instructional Designer Adapted for Institute of Technology By Menaka Abraham OVERVIEW Why Active Learning What is Active Learning

542 views • 18 slides
Summarizing A 3 Way Relational Data Stream Baptiste Csernel, 3rd year PhD Student Fabrice

Summarizing A 3 Way Relational Data Stream Baptiste Csernel, 3rd year PhD Student Fabrice

Summarizing A 3 Way Relational Data Stream Baptiste Csernel, 3rd year PhD Student Fabrice Clrot, Supervisor FT R&D Georges Hbrail, Supervisor ENST 1 Plan Problem Presentation Context Problematic Useful Tools

236 views • 13 slides
Resolution and logarithmic resolution by weighted blowing up Dan Abramovich, Brown University

Resolution and logarithmic resolution by weighted blowing up Dan Abramovich, Brown University

Resolution and logarithmic resolution by weighted blowing up Dan Abramovich, Brown University Work with Michael T emkin and Jaros law W lodarczyk and work by Ming Hao Quek Also parallel work by M. McQuillan Simons Conference on

1.62k views • 66 slides
Content Everywhere Content Everywhere www.erg.com Or, navigating digital communications without

Content Everywhere Content Everywhere www.erg.com Or, navigating digital communications without

ERG Content Everywhere Content Everywhere www.erg.com Or, navigating digital communications without losing your mind or blowing your budget ERG NOTE TO DRUPAL GOVCON Content Everywhere www.erg.com // Not my actual proposed presentation

675 views • 41 slides
BLOWING THE COVER: HANDS-ON ANALYSIS OF HANDCRAFTED ANDROID MALWARE Alex Reshetniak | September

BLOWING THE COVER: HANDS-ON ANALYSIS OF HANDCRAFTED ANDROID MALWARE Alex Reshetniak | September

BLOWING THE COVER: HANDS-ON ANALYSIS OF HANDCRAFTED ANDROID MALWARE Alex Reshetniak | September 26 2018 About Me Senior Security Researcher @ Lookout B.S. in Information Security More than 5 years working in Information Security

663 views • 31 slides
Differential Equations Overview of differential equation Initial value problem

Differential Equations Overview of differential equation Initial value problem

Differential Equations Overview of differential equation Initial value problem Explicit numeric methods Implicit numeric methods Modular implementation Physics-based simulation An algorithm that produces a sequence of

939 views • 68 slides

More recommend