Transcript of Home Invasion v2 - Black Hat Briefings
Home Invasion v2.0
WHO ARE WE?
The Presenters
- Daniel “unicornFurnace” Crowley - Managing Consultant, Trustwave SpiderLabs
- Jennifer “savagejen” Savage - Software Engineer, Tabbedout
- David “videoman” Bryan - Security Consultant, Trustwave SpiderLabs
WHAT ARE WE DOING HERE?
The “Smart” Home
- Science fiction becomes science fact
- Race to release novel products means poor security
- Attempt to hack a sampling of “smart” devices
- Many products we didn’t cover:
  - Android powered oven
  - Smart TVs (another talk is covering one!)
  - IP security cameras
WHAT’S OUT THERE?
Belkin WeMo Switch
Belkin WeMo Switch
1. Vulnerable libupnp version
2. Unauthenticated UPnP actions
   1. SetBinaryState
   2. SetFriendlyName
   3. UpdateFirmware
MiCasaVerde VeraLite
MiCasaVerde VeraLite
1. Lack of authentication on web console by default
2. Lack of authentication on UPnP daemon
3. Path Traversal
4. Insufficient Authorization Checks
   1. Firmware Update
   2. Settings backup
   3. Test Lua code
5. Server Side Request Forgery
6. Cross-Site Request Forgery
7. Unconfirmed Authentication Bypass
8. Vulnerable libupnp Version
INSTEON Hub
INSTEON Hub
1. Lack of authentication on web console
   1. Web console exposed to the Internet
Karotz Smart Rabbit
Karotz Smart Rabbit
1. Exposure of wifi network credentials unencrypted
2. Python module hijack in wifi setup
3. Unencrypted remote API calls
4. Unencrypted setup package download
Linksys Media Adapter
1. Unauthenticated UPnP actions
LIXIL Satis Smart Toilet
LIXIL Satis Smart Toilet
1. Default Bluetooth PIN
Radio Thermostat
1. Unauthenticated API
2. Disclosure of WiFi passphrase
SONOS Bridge
SONOS Bridge
1. Support console information disclosure
DEMONSTRATION
CONCLUSION
Questions?
- Daniel “unicornFurnace” Crowley - [email protected] - @dan_crowley
- Jennifer “savagejen” Savage - [email protected] (PGP key ID 6326A948) - @savagejen
- David “videoman” Bryan - [email protected] - @_videoman_