The real risks of the IoT security nightmare

The meetup will be held on Google Hangouts and you will be able to watch the live stream directly on YouTube.

https://www.youtube.com/watch?v=IK3nV_J8hgQ

The real risks of the IoT security nightmare - hacking IP cameras through the cloud

Hardly a day goes by without an article about a new IoT (Internet of Things) device being hacked. IP cameras, routers, baby monitors, smart homes, NAS devices, light bulbs, cars, rifles, you name it. We have seen in the past 5-10 years how horrible the security of these devices is. Some people play VNC roulette, others hijack cars driven by a journalist. Junk hacking has become part of the ITSEC industry. Journalists are happy because of improved click-through rates through scary headlines, security researchers feel they are the celebrities of the day. But this is just part of the full story.

During my research, I have created a methodology about the different risks IoT devices can introduce into a network. Most of the IoT security research focuses on the IoT device itself and its vulnerabilities, but don’t consider the environment. Is the device openly available to the whole IPv4 Internet? Is UPnP allowed on your router? Is the IoT device on IPv6?

In my presentation I will answer all these questions (and more), aided by live hacking of a NAS device on the home network through the victim’s browser, from the Internet.

I will also demonstrate that IoT devices (IP camera in my case) with cloud connections are also susceptible to hacks due to basic security weaknesses in the cloud servers, like lack of brute-force protections or weak default passwords. This hack is a real one using real devices, which means thousands of IP cameras are at risk.

At the end of the session we will cover the most important security tips people can use at home or at the company to protect their network against these vulnerable IoT devices. For example how Adblock can be configured to defeat Intranet hacking or which DNS server to use to prevent DNS rebind attacks.

If you have already bought or are planning to buy smart devices for home or enterprise use, this presentation is for you.

Speaker

Zoltan Balazs, MRG Effitas

Zoltan (@zh4ck) is the Chief Technology Officer at MRG Effitas, a company focusing on AV testing.

Before MRG Effitas, he had worked as an IT Security expert in the financial industry for 5 years and as a senior IT security consultant at one of the Big Four companies for 2 years. His main expertise areas are penetration testing, malware analysis, computer forensics and security monitoring. He released the Zombie Browser Tool that has POC malicious browser extensions for Firefox, Chrome and Safari. He is also the developer of the Hardware Firewall Bypass Kernel Driver (HWFWBypass), and the Sandbox tester tool to test Malware Analysis Sandboxes.