[FULL] Interview with a hacker - Is your smart home safe?

Club here with Charlton, and Charlton is a sophomore at the University of Central Florida. What's your actual major?

So right now I'm a computer science major. We don't have anything directly relating to cybersecurity just yet; we may have some efforts actually to change that pretty soon. So I'm just focused on computer science.

Very cool. And you are a member of the cybersecurity team, or a hacking team? What's your name?

The official name is the Collegiate Cyber Defense Club at UCF, but we go by Hack UCF. Our membership is between three to four hundred members, and we are one of the largest collegiate cybersecurity clubs in the nation, I believe, if not just the state of Florida.

Very cool. And so you mentioned that you call yourself Hack UCF. Is that still a term that people use, hackers?

So if you want to really go back in hacker history and look at, you know, I used to read textfiles.com, right, and 2600 and all that stuff, so technically hackers are anyone who likes to do things in a sort of unorthodox way, like they want to self-teach and find novel ways to solve problems and get around limitations of a system, whereas the old term for the people that do the things that we refer to as hackers now would be crackers.

Really? Okay, so they're going to crack a system.

Sure. Now obviously they're not doing crack or anything, they're just cracking systems, and that was the term, right, cracking code, cracking encryption, things like this.

I feel like that doesn't make sense though, because, you know, I often say things like "I hacked this together," which, you know, I wouldn't call myself a hacker for hacking things together. I don't know what the word... "maker," I guess, is the thing that we use for that term now.

Yeah, "maker" I guess has kind of supplanted that, because "hacker" got more of a negative connotation to it, but I think it's
important to sort of maintain the positive connotation around that, because there's a lot of applications for that, like I said, just outside of purely offensive security.

Right, yeah. So you are about as close to an expert, I think, as I can even come close to getting to, and I think you're probably as close to an expert as there can be in a general sense, because if I can get up on my soapbox here for a minute: when I went to college I learned about a lot of things, and most of the things that I learned about in college, aside from my calculus and stuff like that, are now out of date. I was in college sixteen, seventeen years ago now, and things have changed, and I know when it comes to CS, computer science, and things like that, things change really rapidly. So you being in the mix right now, you are learning all kinds of things that are currently relevant, and I know stuff that was relevant eighteen years ago or whatever, and that's not really helpful. So when it comes to smart home stuff, this is a primarily smart home channel, what kinds of things do we need to be concerned about as this sort of DIY smart home community? What are the main things that a hacker would want to target on our systems?

So as far as something that would be targeted, it depends on what I'm trying to do, necessarily, and at that point, you know, for example if I'm trying to get on your network there might be a vulnerability in particular devices. For example, I remember LIFX actually had this issue years ago where you can impersonate... their bulbs have sort of a master/slave relationship, where there's a master controller bulb that does all of the smart home integration stuff and is the central point of contact above them.

Yeah.

And it just sort of elects itself, and then the slaves will talk to it, so you can impersonate a slave bulb to the master bulb, and it sends you the Wi-Fi credentials in an encrypted format, and some people reverse engineered the
firmware to figure out how to decrypt that, which would then give them the credentials.

Gotcha. So instead of hacking the Wi-Fi network, you hack the LIFX network, and then the LIFX network is going to give you the...

Yeah.

So LIFX technically is already on the Wi-Fi network, so I assume that this sort of attack would be, maybe you have limited access with Ethernet or something and you want to gain access to the wireless environment as well, something like that.

So I think... is it? I'm not sure.

Yeah, so I think the way that it might work is, there's all kinds of different protocols in smart homes, in smart home technology, where you have things like a Wi-Fi hub that integrates with your network, and then you have, you know, ZigBee or Z-Wave or one of those other, you know, same frequency but different protocol. So I wonder if LIFX is using a ZigBee or Z-Wave type of communication between the hub and the actual lights, and then the hub, or the master light, is the one that knows the actual information to talk to the network.

So I think it might be... I have a couple LIFX bulbs myself, and they're the old LIFX ones.

Oh yeah, oh yeah, that's cool.

But I think that it's just on the network, so you have a bunch of LIFX bulbs and you don't want your phone to have to talk to each individual one, so it's the master, and that propagates out, right, in a little ad hoc thing. However, with hub-based systems, you're absolutely correct, and that arguably increases your attack surface even more, right, because with both ZigBee and Z-Wave there are different types of attacks that you can actually leverage against those networks to, you know, impersonate devices, extract keys. I have some examples for both ZigBee and Z-Wave; we'll get back to those.

So that's another question that I have: what's the point? Why would somebody want to target my network?

So it's not necessarily you specifically. So there's a couple things. First is that with a lot of the smart home technology
your attack surface is just vastly increased by having all of these different networks and all of these different embedded devices just everywhere with their own little communications protocols, their own little... you know, they may or may not receive updates over the air, they may or may not receive support, certain things like that. So it becomes very easy, relatively speaking. So for example there were some attacks against the Amazon Cloud Cam, right, where you could knock the camera offline, which, that's actually a fundamental issue with any Wi-Fi device really, it's not necessarily specifically the camera. Or there was one I saw where it seemed like a Z-Wave replay attack, where this guy demonstrated a proof of concept where he drops this little box off by the door, and the Amazon Key delivery happens, the driver leaves after locking the door, then he can come back and push a button on his box and open the door up. Like things like this, where, you know, all of a sudden you have these important pieces of infrastructure in your house hooked into a network, and that can, like any other computer network, be attacked.

Right, yeah. No, that's something that I've given a lot of thought to for my network. So in my mind, if somebody gets into my Wi-Fi I'm screwed anyways; if you are in my physical network then nothing that I have done to try to be secure is going to help me, because, you know, I've got shares on some computers, I've got an internal network that's fairly vulnerable. But what I've tried to do, what I spend most of my time doing, is preventing outside attacks from getting into the network in the first place. So there's been a lot of talk in the smart home community about whether or not you should open any ports, ever, and so for the case of Home Assistant, port 8123 is open, and I know I also have port 554 or something like that, and it might be crazy, you might think that I'm crazy for
telling you which ports I have open on my network, but as Jonathan can tell you, that is the easiest possible thing for somebody to figure out. If you know my IP you can tell which ports I have open immediately, right?

Yeah, or even without your IP. So for example, Shodan.io is sort of like Google for services on the internet. So they just crawl the entire four billion IPv4 address space, scan all the ports and all the services, and then just let you search for that.

Yeah, I recently learned about that. It's terrifying. I pulled up some IP cameras from, I think there were traffic cameras from Russia or something.

Yeah, I've never found the IP cameras only, I've never looked at those.

Yeah, yeah, I'm on camera. So, yeah, I think actually it showed, it said, here's this IP camera, and they were password protected, but they never changed the default, so instead of password protected it was "admin" and "password" or something like that as the primary passwords.

Oh, it even gives you the... yep.

So that's fun. But like I said, when we talk about reducing surface area, I have two ports open: an RTSP port that is encrypted and password protected, and my home system port. And I guess all I can do is hope that there are no vulnerabilities in the system that I'm using as the bridge, which is Home Assistant, and that's really all you can do at that point.

So what my typical approach to opening ports is, unless it's a very specific service that doesn't speak HTTP, right, but most of those sorts of things are HTTP these days; this might take people a second to actually figure out and do, but my recommendation is virtual hosts behind a reverse proxy.

I think a lot more... Apache?

Yeah, nginx. So what I do is, say I have mydomain.com, right, and I'll have my home IP pointed to that, and then I will set up on my router a
port forward to a little server that runs nginx, right, and I set up what's called virtual hosts. So I'll get a certificate from Let's Encrypt, so that gives me SSL across all the services that I'm hosting, right, so from the outside coming in everything is HTTPS, good. And then in my virtual hosts it'll be, say, homeassistant.mydomain.com, right, and that will proxy from my web server to my Home Assistant box on my network, right, and then you can do that for each of your services, and that gives you a secure way to keep all of those behind one thing that's also really difficult to enumerate.

Right. So when you say that it's more secure because they're all behind one thing, what actually makes them more secure? What's the increase in security?

So here's a couple things for you. Number one, you're not just straight-up putting them on the internet, right, they're behind an intermediary that makes the discovery of those services more difficult. It's not like I'm scanning for some integer port number; it's on one of these subdomains, but I don't know which one that is, especially if you have wildcard subdomains, so every subdomain resolves, and then it's more difficult to actually figure out which ones go to different hosts. Secondly, since it's behind HTTPS and all of that, that keeps your traffic secure. A lot of these things, if you just point them at the internet, they don't have an SSL cert, or they don't support HTTPS, or they have their own self-generated one that you can't validate, right, so that makes it more difficult to know if that connection is secure. So this takes care of that. Thirdly, since it's behind one centralized point, right, your web server, if you keep that secure, keep that nice and patched, and then you also can implement basic authentication in front of it if you want, so then even services that don't have authentication you could have behind that, right. Put a web
proxy or a web application firewall, so ModSecurity is great for nginx, and that will filter out a lot of attacks and detect them, and then you can have some sort of log ingestion notify you when attacks are noticed.

Cool. So I don't actually use nginx; I'm using Duck DNS and Let's Encrypt, so I do have SSL and TLS. And also, actually, I think in the last couple of patches they now offer two-factor authentication for Home Assistant, so that's nice too.

Dude.

So I guess, as I mentioned, one of the biggest things for me is making sure that my internal network is secure. So how crazy am I to think that a Wi-Fi network that has WPS... has WPS passwords or key phrases or whatever they call those things...

Keys.

Keys, yes. How hard is it for you to get onto a Wi-Fi network? What has to happen in order for a Wi-Fi network's security to break down?

So it depends. If it's something that's way older, like WEP, then I remember, I don't have any memories of being a kid and being at my grandma's and using aircrack to just crack WEP, because that's super... you can just collect a certain amount of packets, right. So that's a really fun hypothetical memory. But then for things like WPA2, that's a lot more involved, and you can't do that same thing because the encryption's a lot more feisty, okay. So you can try brute forcing the key to a certain extent. You can also attack WPS, which is Wi-Fi Protected Setup.

Like you hit the button, though, right?

Yeah, and it'll connect. And that works on some routers, but most have rate limits now, because if you brute-force the pin for that, usually, basically, you can just get connected to the Wi-Fi, right. You can also try, so sometimes depending on the router, like if the vendor... so for example I think it was Verizon FiOS that had where the passphrase was based on the BSSID of the network, like that was part of the passphrase, and then, or it was just a few dictionary words, you can just brute force
simply, right.

So they were procedurally generating things, yeah, in a deterministic way.

Yeah, yeah, so that was vulnerable. Or again, things like if I extract your credentials from one of your smart home devices, then I'm in there, right. So it's kind of a nightmare.

Yeah, so that's something that I've given thought to, is on a lot of the smart devices that I have, the Wi-Fi smart home devices, part of the firmware is that if they lose Wi-Fi connectivity they start AP mode, right, and from a security standpoint that seems like a terrible plan, because in AP mode they still have all of their information on them, you would think, information about your Wi-Fi network. So let's say, and I'm spitballing here because I don't really know, you're a hundred percent going in there. So how hard is it, let's say I tell you, or you figure out, oh, there's a smart home, there's a smart device here, you know, near the front door, right, so you can essentially blast a Wi-Fi blocking signal?

So what you can do is, so for example with WPA2, right, it's more secure, the passphrase encryption and all that is, but it's still vulnerable to something called deauthentication; it's a deauth attack, okay, which is basically, essentially, there's a packet that the AP can send to a client to say, hey, I need you to disconnect, and then the client will just disconnect, right, okay, but that's super easy to impersonate.

Gotcha.

So what script kiddies will do a lot of the time is, like...

Like the script kiddies?

Yes, script kiddies, okay. They'll get scripts that just flood deauthentication packets on a particular Wi-Fi network.

So they have to be on the network to begin with?

No. Okay, no, it's something, I could be down the street and just spew deauthentication packets and knock everyone off, like it's really risky. This is another reason why, with security cameras on a Wi-Fi network, you're just setting
yourself up for failure, basically. If I'm gonna rob your house and I notice that your security cameras are hooked up via Wi-Fi, I'm just gonna jam, right, I'm gonna rob your house.

Sure. That's why you always wire your security cameras in.

Exactly, because anyone can do this. Anyone who can spend five minutes on Google can deauthenticate a Wi-Fi network and totally DoS it.

I did notice that... I was watching someone... oh, I know what it was, I was on Reddit, r/technology I think, there was footage of somebody, some, you know, bumbling thieves essentially, but they had purchased an iPad or something like that that had a Tesla hacking app on it.

Really?

Yeah, and so they were going around and hitting buttons, hitting the buttons, hitting the buttons, and, you know, eventually what happened is the Tesla that was in front of them, the Model S that was in front of them, unlocked, and they were able to get into it and drive away. Yeah, again, you know, when you mentioned script kiddies, those guys, they had literally no idea what they were doing. They probably just, somebody was like, hey, you want to buy this for 500 bucks, it opens Teslas.

And it's not just 12-year-olds on hacking forums, right?

Exactly, you know, these are criminals. So yeah, if you're somebody who's saying, I'm gonna go break into a house, and somebody says, hey, 400 bucks, I can put this app on your laptop and all you gotta do is press a button and then all the cameras that are Wi-Fi will go down, that seems like... I'm pretty...

And on top of that, it'll talk to your Z-Wave and ZigBee and open any door locks or whatever, and you've got a pretty good home invasion tool kit right there.

Yeah, I've been very reluctant to put connected door locks on for that very reason. It's just that, first of all, I would never do it with, you know, an August or a Schlage or one of those cloud services, because that's just crazy. Why would you give the
cloud the ability to unlock?

You don't want to... I think now the attacks are just, think about it from the attacks: it's simply, I want to access your lock. I can either be in front of your house, I can maybe be another device on the same network that can then talk to the lock, if I've got some other device there, or I can be somewhere in the cloud if I've got access to the backend in one way or another, right, which, that does happen. Like, for example, there's this one, I think fingerprint-based lock, that their app totally didn't implement any of the communications properly, didn't implement authentication scopes properly, all the communication between the app and the backend was HTTP, like the security was abysmal, right, but this was their cloud service, and you really have to think about how much you trust their developers with the security of your home. It's not even just that you have a lock and you can unlock it remotely; that whole pipeline should be part of your threat model, and you should really be considering how that affects your own security.

And that's another thing, to sort of transition here, you know, clean it all up, but so I've often said that, you know, the cloud devices that I have... I have Google Wi-Fi, which, you know, a lot of people get on me about that, because Ubiquiti, I guess, is the new king of Wi-Fi for people who know about stuff, but I use Google Wi-Fi and I love it for the most part, but it is a cloud service, right. I can't get access to my router from my phone, which is weird. And then I also have Echo devices, I have Amazon devices all over my house, and a lot of the things that I talk about on my channel are not using cloud services, don't use cloud services, and I have these two major, huge cloud services, but my rationale, and you can tell me if I'm crazy, is Amazon and Google, they are employing the best developers in the world, right, and they're probably going to be more
secure than, you know, if I buy a startup company, like, you know, or a lock company, like Schlage or something like...

Yeah, right, let's say I buy a connected lock from Schlage. How many developers is Schlage employing, compared to whoever bid the lowest in the country?

Exactly, and then you also don't know how long that's going to be around or what sort of support it's gonna receive, right. You compare that with Amazon and Google, like they've been developing software basically for the entire existence of their company, right, they have massive teams of very skilled developers. Amazon security, I have a lot of buddies actually on... sorry, I can't even... Amazon stuff is probably pretty safe, but then again it's not infallible, you know, right. Just because it's a blue chip tech company doesn't mean that they don't also make mistakes. Let us not forget, I believe just last year us-east-1 completely went down. So big companies make mistakes too.

So was that a hack of us-east-1, or was that an error on their part?

So there were two times when there was a catastrophic AWS outage. One was when there was an issue with S3, and some developer on the back end was trying to delete, I think, some test buckets, and ended up deleting a whole bunch of really important ones in production.

Yes.

And so that broke a lot of stuff. And then the other time was when there was a power transfer happening when they were testing their backup power systems, and that didn't go well and the whole thing went down.

Gotcha, yeah. If you're not familiar with what we're talking about, AWS, Amazon Web Services: Amazon doesn't just sell you stuff on the internet, in fact they run the internet. If you've used services like IFTTT, for instance, IFTTT is wholly run through Amazon Web Services, and if you've basically been on any website, that will be using Amazon Web Services.

Absolutely, or at least some of it.

What do you think, are they the largest provider?

They are
absolutely the largest. Google comes in a close second.

Google comes in a close second?

Or third, but by far the largest, and then again most sites that you use have some capabilities that are on AWS, especially if it's in the Alexa top 1000, like anything at that scale, you know, Reddit, Netflix is all AWS famously, just most things really.

Right, yeah, because why would you try to set up your own thing when there's a company that is very good at it and spending a lot of time and effort figuring out how to be the best?

Exactly, and so there's no reason to reinvent the wheel on that, especially when they're offering it at decent prices. Yeah, I mean, I'd rather click some buttons than ship server racks places. Well, I mean, it depends on my use case, but for the most part, yeah, buttons is a lot less heavy.

Yeah, well, not only ship those server racks there, but then employing a team to keep them running and, you know, backing them up and all that good stuff. You know, that's something that I really enjoy and use heavily is backup storage services, because I've got, you know, a decent backup system here in the house, but they're way better at it than me.

Yeah, they're not going to lose my data. I don't think I've ever heard a story about somebody's Google Drive getting lost.

Yeah, right.

Yeah, or even somebody's Dropbox drive getting lost. I don't know who handles Dropbox's data.

So they used to be 100 percent AWS, but then they migrated all of that to their own infrastructure. So I actually think they were in-house, went to AWS, and went back to hosting in-house; it looks like a venture capital thing.

Okay. I like to do tutorials and things on my channel, I like to tell people how to do certain things. What can I tell people to do when it comes to security in their house, security on their smart home network? What are the main things that they need to absolutely be sure that they're doing in order to ensure that they are as secure as possible?

So a lot of it comes down
to threat modeling and just how you really build security into your network design, so it's not just, I've got a network that I've thrown up and then, I did this magic thing and now it's safe, because that's never the case with anything computer security related. So what I like to do on my personal network is, I have Ubiquiti, so it's a bit more configurable.

Sure.

So I have my wireless SSIDs; I use one that's the actual network, and I have one that's a less secure thing that's VLANed off. And a VLAN is a way to segment your network, basically, into multiple other networks, kind of.

Okay, how's that, how is it different from subnetting?

So it's different from subnetting because you can use a different IP range, it's like completely isolated.

Okay.

It's trunked over the same port, so there's some physical security considerations to have one there, like if you're an admin and you're deploying VLANs in your network closet or something, but by and large, in a wireless environment, this is fine, because you can't change the tag. So essentially I have my VLAN for where I'm actually working, and my computers, and then I have one for embedded devices, right.

Right.

So what that lets me do is, my embedded smart devices connect to the VLAN for that, right, so that keeps them physically separate from my other networking equipment.

Sure. And so how do they communicate from one network to the other?

So you can do things like Bonjour, for example, and you can set different access control rules, essentially, to determine how traffic can flow from one network to the other, and make sure that mDNS services are still advertised across the two VLANs.

Right, and that's something that, off the top of my head, no, but you can find that on the forums, right, and because if you have an EdgeRouter or
something, which is basically Linux, yeah, it runs, to be honest, it's Linux, and you can have it set up however you like, but that is marginally more secure, because there's less mobility there, if someone on the LAN wants to attack my TV, my... someone's in my IoT device and wants to attack my LAN. I've disabled UPnP; that's a huge one. Always, to say, well, you can never, never leave that up, because essentially anyone can just ask your router to open a port, right, if they can speak, is it SOAP? I think it's SOAP, yeah.

So a quick plug on what UPnP is. UPnP was a decently intentioned protocol where, when you put a smart home device or any device on the network, that device can ask your router to forward a port, to open a port and then forward that port to it, so that you didn't have to go through the complicated setup of doing that yourself, right. So you put on a Ring camera or something like that, it's like, hey, I'm gonna need port 772, and so the Ring camera asks your router to open port 772, which, overall, not so bad, but the problem is that I believe there are a lot of exploits now where it was supposed to only be able to be done from the internal network, and now there are a lot of exploits where you can have external traffic, yeah, asking, essentially emulating an internal device and basically just reflecting off your internal device.

Or also, if I'm in your computer, say, and I want to open some kind of... I need my port poked, like I can just really nicely ask your router to do that for me and it'll do it, right, via UPnP.

And so I guess it's not just external problems either. Let's say we did patch UPnP and it was only going to work for internal devices. A lot of us have stuff in our house that is on a cloud from, you know, some Chinese company or whatever, you know, using some cheap Chinese... but a lot of them are using the same cloud these days, yeah, to a cloud.
There's the smart light cloud, there's the eWeLink cloud, right, and it would be absolutely trivial for them to say, hey, let's publish a firmware update that asks our devices to open this port for us.

Exactly, right.

I mean, you would never even know. We like to think, oh, I have to press yes, please do the firmware update, but you absolutely do not. We actually just saw that two weeks ago: Logitech Harmony pushed a firmware update to their hub devices that disabled local control. Yeah, they said it was a security hole, that they were having trouble getting that to be secure and that was a way that their devices could be vulnerable, so just completely...

Conscious, so they just disabled it.

Yeah, that's really... that inspires a lot of confidence in their security team.

Exactly, and they did back... and that's sarcasm. They did backpedal, and they said, so now you can go in and you can download this, you know, beta firmware or whatever that re-enables it, but you know you gotta click through and say, well, I understand that this has, you know, possible security vulnerabilities, and so on.

So that sounds like they discovered that it was a really, really terrible dumpster fire.

Yeah, it's like, we just need to cut it off, just get rid of this.

Exactly, amputate. And I, you know, I don't know enough about it, other than the fact that I use my Logitech Harmony hub with Home Assistant, and when they published this firmware, it just stopped working, and I was like, okay, I didn't do anything, I messed with my setup for that, and it just stopped. Which, that's one of those things with the cloud that I absolutely hate; it's like, I didn't change anything, and now stuff doesn't work. I want to know that if something's broken on my network, I want to know I broke it, I want to know it's my fault, and in cases like that where you have firmware updates that are happening without your knowledge, you can't know that and you can't be in control of them.

UPnP specifically, there was actually
some recent activity in the security community, because there was this APT group, that's the term to refer to nation-state actors, APT means advanced persistent threat, it's very...

That's terrifying.

Like terror inspiring, yes. But basically they used UPnP as a way to kind of proxy and hide their activity, right. So they had vulnerable routers and they could use that to actually open ports into people's Windows machines, which they would then hit with EternalBlue and then pivot through the EternalBlue. So that was when our wonderful government accidentally left a bunch of hacking tools on a server a long time ago; it was a bunch of zero days, and EternalBlue kind of got leaked, and that's a really effective Windows hacking tool, essentially.

Interesting.

Yeah, so that has enabled a lot of these groups to actually have really, really effective tools at their disposal to attack older Windows machines that are not patched against this sort of thing.

Sure, okay. Was that back in those days, or was that more recently?

I can't remember the exact date, oh yeah, that, you know. So there was a report published by Akamai, exactly, that, they call it UPnProxy, and then Rapid7 did a little study to do further confirmation; they found like 80 million vulnerable devices to this specific attack. So those are vulnerable to having UPnProxy being...

Gotcha, wow. And those are not necessarily just routers, but also...

I'm pretty sure I think it's just routers. It's been a minute since I looked at the report.

Probably worth noting, I would guess the vast majority of people out there have never updated the firmware on their...

Yeah, that means they're probably owned. So things like, you may recall Mirai, right, a lot of these botnets just straight-up go for routers, because for the most part they're just open and vulnerable. Most people don't update their routers. A lot
of ISPs open ports on the routers they supply for remote management and stuff, and a lot of the time those are default credentials or they're really easily guessed, right, and you can just extract them from the firmware of the router. And yeah, just generally speaking, the security of routers is really bad, because they're a super integrated Linux computer most of the time, right; they've had a little Linux firmware image, and you call them routers, but they're a lot more than just routers. They're a modem and a router and a wireless access point and the DHCP server and the DNS server and an FTP server and all the rest in a little box, so it's a massive, massive attack surface. Yeah, that's another thing that's really scary, when we talk about default credentials and stuff like that. You know, let's say I buy a cheap Chinese network video recorder for my security cameras. I go in, I check, I see, OK, there's an admin password credential, I go and I delete that and make my own, give it a secure password, whatever. The terrifying thing is that a lot of these companies, most of them actually, within the firmware have a backup login and password somewhere, you know, let's say if I call their tech or whatever, they say, OK, hang on, let me help you out, give me your IP address, and they type in their backup login and password to your device. And I thought, well, it's on all the time, right. Even in enterprise equipment, I believe Juniper has something like that, you may have had something like that, and it's all over the place where they have their tech credentials. Don't share, because if they have them... excuse, right. But the problem is, and I'm sure that you are aware of this, that if you can go to a website, let's say I get a Zmodo NVR and I go to their website and they have a firmware update, I can download
the whole firmware, and if I can get into that firmware I could probably find those passwords and those credentials, because it's just Linux, right. Exactly. So actually, on exactly this topic, I saw a really awesome DEF CON talk from 2013 called Exploiting Network Surveillance Cameras Like a Hollywood Hacker, and basically this guy does exactly what you described. So his whole focus for the entire talk is, from consumer surveillance cameras like IP cameras to enterprise-grade ones that are widely deployed in places like power substations and factories, he goes full length, grabs the firmware image, and a lot of the time, like 90 to 99 percent of the time, there are hard-coded credentials right there, or there's a service account that has administrative access or can change some part of the configuration really trivially, to the point of getting root or admin access, or there's a command injection vulnerability in some really stupid, trivial place, or the cameras just aren't secured by default, or they have default credentials that just never get changed. Right. And so it's trivially, trivially easy for him to just go get it. Sometimes the vendors will be like, well, you need to have an account with us to download the firmware image update, but he trivially found a way around that, and as long as you have the image, that's generally a SquashFS image; you can use binwalk to look for different file signatures, find all the different parts of the image, and just extract them, and then you have the actual stuff that's running on the device. And so you can take that and run through it with Radare or IDA to disassemble it and have a look and see. Most of the time it's very, very visible, right. Yeah. No, that's... so another thing that you mentioned there: a lot of times people will talk about, or a lot of people in a certain community use, precompiled stuff, precompiled bins and things like that,
and for someone who doesn't know anything about security and things like that, you may assume that you can't extract credentials from that bin file or anything like that, but no, it's trivial to do that. There are even programs that can do that, you know, just by clicking a button. Yes. So you could do something really basic like run it through... there's a program called strings. If you're just going to do a first pass of reverse engineering a binary file, literally the first thing most people do is run strings to see what hard-coded strings are in the file. Sometimes it's really simple stuff, like a formatted error message like 'invalid password' or something, but sometimes you'll just find stuff that looks like passwords, right, or if you look at it in IDA or whatever you'll see calls to strcmp or something and see, what's this string? Oh, that looks like that might be some kind of password, right. You just follow the execution flow and, oh, here's where it's going to check the credentials, and, oh, alongside this check against what it gets from the file there's this hard-coded check right here, I wonder what that does. Right, there you go, it's really, really easy. Yeah, no, that's terrifying too. So, one nice thing I will add is that with a lot of these devices, like you mentioned earlier, the code base is shared between vendors. Right. There was a similar issue with D-Link routers a while back where there was a hard-coded service account that had elevated access. It was basically because in their application back end it needed to go back and modify something, so to do that it needed authorization, but they don't know what the user is going to change their password to, so they hard-coded in a service account for two years. Right, yeah, because people forget their passwords. But
it's like, surely there's just no way for you to securely delegate access to a component of your router management application that doesn't involve hard-coded credentials. Right. It's really a tragedy in security today. But yeah, so that was shared around between router vendors because, in the same way as with security cameras, with a lot of embedded devices the software development is a massive expense, and a lot of these are just, we've got the same code base running on a bunch of different things that are roughly the same. Yeah, and we see that all the time. One of the things that we love with that is that when you buy, let's say, a random RGB light, well, there's a good chance you crack open that random RGB light and it's just going to be like every other RGB light that's out there. Yeah. It doesn't matter which supplier you get it from, the components are mostly the same and the software is mostly the same. Exactly. So if you want to put your own software on it, it's probably going to work, because there aren't that many variants out there of these things, because nobody's rewriting anything; it's expensive to do that. Yeah, it works. Exactly. So if your company can take something that works, put it in a slightly different package and make it more desirable, then you're probably going to make money off of it. How do you feel, we spoke a little bit about passwords, or a lot about passwords, how do you feel about things like LastPass and these places where you're putting all of your passwords and you have a master password? So that's obviously, like, having a single point of failure like that is a bit of a concern, but the added security of it is that you don't necessarily have to do all your passwords by a formula. For example, all of my passwords now are like SHA-256 hashes of the first 200 lines of /dev/urandom or, like, try to crack those today. That's obviously not something I can memorize, right, but by having those in
a password manager, it autofills in there, and so even if the service gets compromised, that is literally a unique random password specifically generated for that service, so that's not going to compromise the rest of my accounts. Right, right, yeah. I recently had to deal with that where I was live-streaming and I pulled up a file and it had one of my passwords in there, and I was like, well, crap, I need to change that password, and then I was like, oh no, I've got that password on like 10 other things, now I've got to go change all those things as well. Yeah. Which, you know, that's stupid, that's my fault, but it's fun. Yeah. But it's something that needs to be considered. With something like LastPass you would theoretically have no shared passwords between any account, right; every account has a unique password, every account has a password that could never be brute-forced, and things like that. What happens, first of all, you know, is that stuff stored locally somewhere? Yes, so typically it'll be stored in some kind of encrypted volume, and the type of encryption and the different layers depend on which one you use specifically. A lot of my friends recommend LastPass or KeePass or Bitwarden, right, because those are all really good. Bitwarden's also really good because it's FOSS, so it's free and open-source software, and you can self-host it. OK, that's cool. Yeah, and it's encrypted at rest. You can do all kinds of different things with the encryption; you could say, require a YubiKey or something as an additional authentication factor to actually open your password vault. So let's say that on my Home Assistant account I've got 8123 open externally and 8123 internally. Yeah. What do I save, what do I help by making it an obscure port outside? You know, let's say instead of opening up 8123 on the outside I open up 6000 and then I forward that to 8123. Does that help me at all? So practically speaking,
that's going to make your log files a bit smaller, because you're not going to be hit by as many Chinese bots constantly on 8123, potentially, but that's not really affording much in terms of actual security. It's just changing the port that you're hosting the service on, so it's still going to get picked up by things like Shodan, and it's still going to get picked up by port scans, so if you've really got someone specifically targeting Home Assistant, that would still pop up; on port-scanning you, I would still see that. So it's not hiding anything as such, it's just making it maybe a little bit more difficult to guess, but more difficult to guess in this case is like it takes one or two more seconds to find. Yeah, so, you know, moderately more. No, no, not even moderate; it's just stopping a bot, but not stopping anybody who actually has a desire to break in. Yes, you're going to stop a bot that's basically just going to scan everything for 8123 all the time. Right, right. So something that's constantly doing these scans would not connect on 8123; if it's going to connect to other ports, you're not necessarily sure. So you might do that; if you've ever run SSH on port 22 you've probably seen your logs with a lot of Chinese IP addresses just filling up, trying to do different types of brute-force attacks, where if you change that port then you're going to see a lot less of that traffic, but you may still get some connections every once in a while. So that's it. So let's circle back around to something we've talked about a little bit earlier that I feel like is really just in my mind, and that is why, and I feel like there's maybe two different whys in the case of Home Assistant. So why would somebody want to hack my network? Maybe there's three. OK, number one, somebody who's local, right. If you are somebody who wants to break into my house, a good way to do that seems like to hack into my Home Assistant, open
my garage and walk into my house. Is that any easier than breaking the window? Well, it's certainly a lot less suspicious, I suppose. If you just sort of stroll up the driveway and the door opens up, everyone just sort of sees you doing that, so they assume at that point that, like, he must have authorized access to this person's house. I agree, perfectly fine. Yes, and you can walk in there and take the car, because again, you just opened the garage door, clearly you live there or have been delegated access to this house by the homeowner, and it's another day. And certainly in Florida. That makes sense to me, yeah. So the larger fear is, if it's organized crime, for example, and you're going to do a localized string of burglaries, and you're like, great, these are the two ISPs for this particular region, and I can place all of the assignments for these blocks roughly to around this neighborhood. Right, right. It's like, great, this many in that block have these smart home devices or these Home Assistant controllers or what have you, and then they use different vulnerabilities or misconfigurations to gain access to those, and then they kind of triage it to figure out what house they're looking at. Right. So maybe somewhere in that, if they're on the network, they're able to figure out a rough estimate of the house's location, or if maybe you have open network shares, maybe there are some documents in there that would inform what it is, or if there are security cameras, right, you can look through those and see, where am I? Different things, like, over Bonjour, like I said, mDNS exposes a little bit of information about their location; if you've ever set a printer up, you put the location field in there. So there's a lot of stuff that you can do to kind of figure out where that is, so you can start to build a profile of each house. Again, security cameras: I can see what stuff you
have, right, if it's nice stuff, if I want it, and then potentially if you have open door locks that are smart, or you've got a smart garage door controller. After I've got all this information about your house, which would also include stuff like when you go to sleep, how often you're at home, right, do you leave things at home typically, when are you going to come home, or is there something that would tell me the location of your phone or anything like that, or are there services in the house that I can disrupt, like maybe your phone service or something, to prevent your alarm system, which I may or may not be able to find if it's also on the network, and what kind of alarm system, and for that particular type of alarm system are there different ways for me that are convenient? Are the cameras in the house wireless or are they connected over Ethernet, and can I disrupt them? Stuff like that. And then, like, who's coming. Now, am I wrong to think, like, hey, if you did all that work, you could pick the right time and grab it? It's not that nice versus somebody coming up, you know, let's say a pillhead coming up who's going to go and break through my sliding glass door and then, yeah, right, paw through my medicine cabinet to see if I have any opiates. Yes, so I'd say those are two different cases, right. In the one case it's just kind of a smash-and-grab kind of thing, whereas on the other, just by having a lot of this stuff exposed, you've kind of placed yourself in a particular income bracket, and then on top of that it's like, now that I'm in your network I can see all that, I can decide whether or not this is worthy to steal, and then do it in a way that's totally seamless, and chances are you don't really have very robust logging on any of your stuff, right, so I can open the doors, grab the things, totally disrupt the security system, you have no video recording or
anything, right, and just walk out without breaking any windows or leaving any trace of my presence, and you don't have anything to really go to the police with. Right, that's just depressing, that's the nightmare. Yeah, it's impressive. It is impressive, but for a lot of the stuff where you have a toolkit, right, things that you can use against all these different services, doing it on a larger scale like that becomes easier and easier, and that's the kind of thing that we should really be concerned about, not even just as security professionals but also as people who are putting these technologies in their home. It's not just, you've got your Windows box and you've got some security cameras and stuff; it's like these are all things that are working together to keep your home secure, and if you're going to actually have a robust security model for your house you need to take this into account. It's not just what type of locks do you have, what type of windows do you have; it's everything in there, you have to really be serious about it. Right. Yeah, and so I guess maybe then this answers that question. If it's organized crime, I guess it is feasible for that organized crime to be connected to a company, let's say one that's using the eWeLink app or the Smart Life app or the Tuya one or something like that, where they say, hey, we'll give you four million and you just give us a back door, and then we can go steal stuff from these localized areas. I guess that's maybe the connection that I was missing, in that, you know, I buy some cheap Chinese stuff, they're not living here in Tampa, they're not going to open up my front door or whatever here in Tampa, they're halfway across the world. So I guess that answers that question; it's more of an organized type of thing, an organized crime type of hit. Even stuff
like, say that one of those companies goes out of business, something that actually has happened multiple times, where there's a command and control domain for those devices that they connect to to reach the back end, right, and maybe that goes out of business and then the registration on that domain lapses, right, and now anybody can register it. Yeah, you just grab the domain, and now you have all these embedded devices connecting out to reach it and you have control of them, because they expect it to be the back end, right. So it's not even necessarily just that there's collusion between that company and organized crime, or that organized crime just takes control of their infrastructure; it can also just be something as simple as they register a domain name that those devices trust. That makes sense to me. So that's maybe one, local attacks where you want my physical stuff, and by the way, I don't have any nice physical stuff in my house, and my neighbors have much nicer stuff than me, I call dibs. So the second thing, though, I feel like, is remote attacks. So if they are not interested in ever coming into my house and taking my physical things, why do they want into my network? So let's see, right, so these days there's a lot of crypto... there's a lot of crypto miners. I actually like to joke that capitalism has freed us from malware in a way, because instead of just straight-up ransomware and stuff like that, they'll just drop a crypto miner on some exposed service and it'll mine, you know, Monero or something for them for a while, right, and then you find it and have to remove it, but it hasn't done all that much outside of that. A lot of the really low-hanging fruit of malware these days, and this is stuff I hear from a lot of my buddies, it's just straight up, they'll drop a crypto miner and it'll just... not good, though, but then that's it, and
so, you know, let's say you have an IP camera or something like that; you see your frame rate go down on it. Oh, not even. So IP cameras, stuff like that, is mainly going to be part of the botnets. OK. So the crypto miner kind of stuff, that's more like larger-powered stuff, because that's actually going to have some... yeah, yeah. And of course, financially, anything can be part of a botnet; the crypto mining thing is more of a trend. For a while back, ransomware was right up the thing, but that's kind of taken a downturn, and now they've just sort of realized, just drop the piece of software, mine coins. But IP cameras, routers, digital set-top boxes, stuff like that, most of that's going to be part of botnets, so things like Mirai, right, that was a massive botnet of hacked routers. Because those botnets do it for DDoS attacks? Yeah, so a lot of the time. So for example with Mirai, right, the creator actually had a service, right, that was like a DDoS protection service, that basically was like... it's like buying protection from the mob. Exactly. So you pay him and he doesn't DDoS you; maybe he actually does have some sort of DDoS mitigating technology, but for the most part he just has, you know, the causing technology. And so a lot of these things get advertised as stress testers, or stressers, as opposed to just straight-up DDoS, and yeah, that's actually what most of those devices are for. I feel the same way about phone companies these days; I'm almost positive that the phone companies are giving me all the spam calls so that they can sell me their stop-your-spam-calls service. So that's actually a fundamental issue with Signaling System 7, or SS7, which is the actual underlying protocol that makes all the telephone switches work and talk to each other and route calls, right, the whole world, and since it was created and implemented in 1970 with the assumption that only people who were
authorized would have access to the SS7 network, right; like, there wouldn't be any bad actors, because it's the phone company, right, you're not just going to go plug into the phone company, right, or it's not going to be scaled across the entire world. Right, except that all of that did happen, and so people can impersonate any caller ID and just send all kinds of fake calls out. Yeah, and that's why this is such a big issue, because the fundamental technology that actually underlies the entire phone network is really old and insecure. Yeah, no, and it's really weird too. I'd like to know more about how they figure out which numbers they're going to use, because one of the things that I started to notice was, OK, there's a lot of these numbers that look like my number. Right, that's easy, because you're calling a number and you just make the number that it's from, you know, scrambled up a little bit from that number, so you're like, OK, well, I should probably answer that. That's easy to say, OK, that's one of the ones that looks just like mine, so I'm not going to answer. Over the last two weeks, these spam calls have been coming from numbers that look like my daughter's school. Really? Yeah, they've got the same prefix as all of Hillsborough County Schools. That's brilliant. Yeah, and so I'm like, I've got to pick this up, I don't have an option to not pick it up, because not only do I work for them but also my daughter is at their schools, so why wouldn't I pick it up? So I wonder if they've gotten breached or something. Yeah, because that's a very, very specifically localized thing, right; that's very specific to Hillsborough County as a district, and they'd also have to know that you're a parent with a child in Hillsborough County, right, or you're an employee of Hillsborough County, so you're specifically going to look for this pattern in the number and pick it up. Right, and it's one of the most annoying things,
because before, I could just, you know, block that by blocking everything from Long Island or something like that, but I can't block those numbers. Yeah, I can't block a prefix, I can't block anything, I need to see them, and I also can't just straight up send it to voicemail, because for some reason iOS doesn't have a facility to say, if I don't have this number in my contacts then directly voicemail it. That could be a really nifty switch that would be helpful. Yeah. After all this, we're probably all pretty terrified. Yeah. What can we do? We're never going to be able to 100% make ourselves invulnerable, but what are the things that are most important for us to do right now to increase the security that we have? So if you think about the traditional network security metaphor, it's a castle, right. Sure. Where it's not even necessarily that you have a lot of thick stone walls, but there's a layered security model, right. Right. You've got a moat, you've got a big high wall, you've got the top thing where you can pour boiling oil on people, things like that. Important. Yeah, very important. Or yell at them for smelling like elderberries, that sort of thing. So, when you're looking at securing your own home network, you should think about segregation and segmentation, right. So you should think about how you can split your network up so that if I compromised a part of your network, I just don't have access to the whole thing. That doesn't necessarily keep you 100% safe, but it makes it a lot more difficult to move laterally, and it limits the implications of, say, one of your smart home devices leaking wireless credentials to the network, or, say, for example, one of your buddies was on your network with his Linux laptop for something and then he gets hacked and those credentials get pulled off and now someone has them. So your guest
network, all of those things should be separated, right. You should also consider your threat model, right. So threat modeling is essentially how you model your security posture to reflect the types of threats that you expect to be faced with. So whether that's someone off the street who busts your window and is rifling through your stuff, or some Russian somewhere who is attacking your externally hosted services, or one of your IoT devices gets a malicious firmware update pushed out, you should really consider all the different types of vectors that you would be faced with there, and you should try to integrate that into how you actually design your network, because that will help you be secure against the threats that you expect to see the most. Right. Of course, another part of that is just asking whether all those things need to be smart, right. So does everything need to be smart? That's the answer. Things like, for example, I don't have smart door locks. Charlton, I think that's a great idea. I would not put a computer in my door locks, right. I guess as someone who busts computers, I just would not trust having a computer in my locks. That should be a dumb piece of metal, and that's what a lock is, right. Right, the locks on computers are bad enough to start putting them on our physical, real-world locks. Right, protecting against the threats that you are expecting. Yeah, you know, you can't protect against everything, right. You can have the most secure network in the world, and somebody off the street can still come in, break your windows in and steal your stuff. Right, you can have the most secure house in the world, you can put bars on your doors, and somebody can penetrate the network. But what are you protecting, what are you afraid of, that type of thing. So let's say you break into my network,
what are you going to find? You're going to find home pictures, you're going to find family photos from the last 20 years or something like that, you're going to view cameras, you're going to find external cameras. I don't have any internal cameras, which, that's another smart thing; even that is in threat modeling, right. Am I going to have internal cameras as well as external cameras, am I going to have things that are like microphones in my home, right. All of that plays into how you actually structure your network; all of it plays a role, right. So it's a matter of, what are you protecting? Are you protecting your physical things, are you protecting your digital files? If somebody did break into your house, what are they going to get? If somebody does break into your network, what are they getting? Exactly, and exploring the interplay between those two things, of course, is important. Right. You are aware of the current trends in cybersecurity, of what's actually happening, what the script kiddies are doing. I don't think anybody, most of us, are concerned about a very well-versed hacker targeting our system. Yeah, right. What we're concerned about is people who are bad actors who can download a program or read about something on a blog and go do it. Yeah, right. So what are the things in cybersecurity right now that are the hot topics? What are the things that, if I'm just a novice hacker, if I'm the script kiddie, what am I going to do? So you can, just as someone with no real experience, just go grab a lot of these tools that are just industry tools that are used. So things like Kali Linux, for example, is a Linux distribution that's customized to have a ton of really useful security tools in it, right, and then most things like CVE proof-of-concept stuff are just put up on GitHub for people to study, so really you can just go pull a lot of this stuff straight off the internet, and if you have even a rudimentary
working knowledge you can get a lot of it working. Sometimes people put effort into making sure that the code is only semi-functional so you can't just straight up take it and run it, right, so you have to have some degree of knowledge to actually make it work, but even still a lot of them are like, yeah, you can compile this yourself if you'd like, but you need to know how to do that; you can't just download an exe or something like that. So I think that's really good, because you're still publishing the research and all of that, but you're not necessarily handing machine guns to monkeys. Exactly. So just as a novice you have a lot of access to resources and tools, so for things like unpatched things that haven't really been updated in a long time, you're a huge target, because by and large you can hit a button for a lot of those things. Oh yeah, Windows XP, no, don't use that, unless you're like an ATM or something and you're on Windows Embedded, because that's even better. Yeah. We talked about it a little bit and we forgot to stop on it earlier: Home Assistant, all open source, on the GitHub page they've got all their source files nicely organized. Does that make it more secure or less secure? Absolutely makes it more secure. So there's this whole thing like, if you can't open it, you don't own it. So in the case of open source software, there are a few things working to open source's advantage here. Number one, since it's open source, anyone can look through and audit it, right, so if there's anything that's an obvious security vulnerability... there have been a few open source projects where I'll go in there, like, this is cool, I'm going to use it for my project, I'll start looking through the code, I'm like, oh god, this is terrible. Right, when they have done this. Yeah, exactly. So at that point you promptly switch to a different package or something, or you deploy that, or if
it's good, then you can actually vet that, like, hey, this looks fairly secure, I would feel safe having this on the network. On top of that, being open source, if there is some sort of security vulnerability, patches typically happen; they don't always happen very quickly, it depends on the size of the project and also how many developers on the team donate their time, but that is something where, if there's a particular issue, you can usually put some sort of hotfix patch on there yourself. Right. Now obviously a lot of this requires some level of coding ability, right, so if you haven't coded you're not necessarily going to be able to see, like, oh, they're doing this and this is bad, right, or necessarily to patch it yourself, but maybe if there's a help article or someone's made a post in the community like, hey, there's this terrible thing, we're working on a patch, but you can do this in the meantime, that's typically really useful. Yeah. One of the things that I've really longed for in Home Assistant, and if you're listening, Paulus, thank you so much for all you do, but there is no distinction between security patches and content patches. So let's say they upgrade from 0.82 to 0.84 or something like that, and that was adding some components and adding some new stuff that you can add to Home Assistant; well, if I don't need those things, I don't need to do that update, but if there was a security update in there then I do need to do that update, and a lot of times that comes with breaking changes, because they're adding new components and things like that. But if there was a separate update channel where you could just get security updates, that would be, I think, fantastic for the overall community, because you could stay safe and not have to worry about breaking changes and things like that. And it's certainly difficult to do, and I understand why that's not necessarily a
thing there's a lot that goes into that because you have to do all kinds of different platform detection and like you check for module support and stuff yeah security patches for things that don't necessarily apply to that specific installation so right I can get pretty hairy pretty fast yeah definitely one of the things that almost as it has going for it specifically the fact that I use is it's called them has i/o and has I runs on its own OS they've written their own essentially version of Linux for thoron so they know what it's running on for the most pensee and they know what's happening in the backend I just recently switched from a Raspberry Pi to a virtual machine for it but when hypervisor using I'm just using VEBA VirtualBox so it's you know it works very well and it's got a lot of good I'm running on the plex server so maybe it's a Windows Server mmm a lot of people using docker to run it on Linux boxes I don't have any peer Linux boxes in the house so I'm using Windows it's reading pretty well so far all right so that was a great a great design staying informed how do we stay in form how does the layperson who doesn't go to a weekly meeting stay informed so if you want to stay informed about security one great ways to subscribe to like security mailing lists right so I'm on like mailing lists for Linux right so for example in Ubuntu there are different security vulnerabilities or different patches that are getting ruled out I actually am on the like a bunch of security announce digests mailing lists I get that all in the digest like every week essentially same thing for Apple and for some windows just to stay informed obviously like your you don't need to go necessarily to subscribe to every security mailing list and like just look at CDE descriptions because like for the layperson that's not going to do much but you know things like you could you could follow on the vendor maybe on social media you could follow different people in security organizations 
like the e FF you know different sub reddits specific to security it's it's important that if you're really serious about security that you try to educate yourself to a certain degree about it so it's not necessarily that you can ignore it except for the times when you sometimes get notifications about like hey there's like this patch coming out like this thing is insecure right you should try to gain like some level of depth full understanding into security if it's something that concerns you in the same way that like if you're gonna physically keep your home secure you probably you know a bit about physical security right you put some thought into how you keyed your locks and what types of locks you have and what type of gate that you have and what type of fencing that sort of thing it's the same thing for like digital security as well you have a digital perimeter of sorts within your network you want to keep that secure so you should have some idea of those types of challenges relate to do that that makes sense to me so tell us give you a minute to do a plug here to tell us about about your your organization's right so I am involved with an organization called hack UCF we are the resident surf security Club UCF we do everything from hosting weekly meetings and workshops to going to various competitions at a national and sometimes global scale between three to four hundred members in our group we all love what we do with cyber security so if you're in the Central Florida area and you're not even necessarily like a UCF student then you're able to come to our meetings Eric okay we have open meetings to everyone so we have people that are like way older people who are younger that are just interested in security like so we've had people in high school as well as like you know old hacker types that's cool and then yeah if you already you see a student then you should definitely check us out and yeah we also have a blog that we maintain with all sorts of different 
info about security and lots of other exciting stuff in the pipeline very cool and I will link to all of the specific documents that we've talked about down in the description and I will also link to the hack UCF website in the description thank you for coming thank you for having your knowledge into into this small YouTube channel that we have it's a great channel thank you appreciate it like and subscribe to this guy absolutely if you got any additional questions that I can either answer myself or forward on charlton leader down in the description if you enjoyed this video please consider subscribing and as always thanks for watching yeah
Info
Channel: The Hook Up
Views: 29,634
Keywords: home assistant, hassio, home automation, hass.io, smart home, diy, electronics, arduino, esp8266, nodemcu, wemos d1, automation, hack, hacking, vulnerabilities, iot, interview
Id: SJ8oJFXqj6w
Length: 67min 51sec (4071 seconds)
Published: Wed Mar 13 2019