Ken Munro is a security entrepreneur and industry maverick who has worked in infosec for over 15 years.
Good afternoon. My name is Ken. I am what’s known as an ethical hacker. Which sounds like a contradiction, doesn’t it? But we’re the good guys. So our job is to go in on behalf of organizations, and hack them. In a controlled manner. Show them how we did it. Then they fix it so the bad guys can’t hack them anymore. Which is great!
And as Pep mentioned a moment ago, in the industry we’re known as penetration testers.
I don’t know who came up with that name, but it always makes my friends in the pub smile when I tell them what I do. I don’t know why.
Today we’re gonna be looking at the internet of things. Now the internet of things is connected devices. You might remember Samsung’s smart TVs that were listening to you. Do you remember that? That was our work.
But it can be anything from a thermostat to toys to even a smart refrigerator. Now I have one of these Samsung smart refrigerators. It’s got a great big screen. It’s fantastic. And a camera on the inside. So you can see what’s inside the refrigerator from the outside. 2500 euros.
Or maybe you can just open the door. I don’t know.
Sometimes I wonder why we need the internet of things. So let’s start with one of my favorite and first pieces of research into smart tech. And I’d like to introduce you to a very special friend of mine. This is my friend Kayla. Now she’s an interactive talking kids’ doll.
That we first found about 5 years ago now. Now the idea is that she can connect to a smartphone, there’s an app on the smartphone and your child can talk to the doll. The doll can listen to the question, figure out the answer and speak back.
So the child can interact with this doll. Great! Nice. Cool. Popular toy that sold well for the Christmas period 5 years ago.
Now the way she works is she uses Bluetooth to communicate with the smartphone. She has a speaker and a microphone. So Bluetooth, speaker, microphone…sound familiar? Yeah, she’s effectively a Bluetooth headset. So you can genuinely pair her to your phone, and take telephone conversations on the doll if you wish. You get some very weird looks when you do this. Particularly when you’re driving.
But the hacker in me is thinking, this innocent kid’s doll…I wonder. So I looked at the box on the doll from the store where I bought it. And it said that she was internet safe and child friendly. And intimated on the side of the box that if the child swore at the doll, that it wouldn’t respond.
Now I’m thinking, so this doll can’t swear. Uhm… So I started reverse engineering the mobile phone app, the smart app. And started looking to see how it worked. And I found something that intrigued me. Because in order to know what a swear word is, it needs to have a database of swear words itself.
I unpacked a database in the mobile phone app and found 1,536 really good swear words. So I deleted them. And now she no longer knows what a swear word is. So I can get this doll to say anything I like. Now she’s a bit shy on live demo.
[doll] Hello!
[Ken] Here she goes.
[doll] Hey, calm down, or I will kick the shit out of you. Hahaha!
[Ken] She’s really creepy isn’t she?
But there’s worse. The reason that we’d hack her is the Bluetooth connection to the phone has got no PIN on it. Now remember when you connect your smartphone to your vehicle you have to put in a six-digit number. And that sets off a form of frequency hopping which encrypts the transmission. She on the other hand has no PIN at all. And that leads to something really creepy.
It means that anyone in Bluetooth range, so up to about 40 meters can connect to the doll and connect to the speaker and speak to your child. Or connect to the microphone and listen to your child. And I find that really, really creepy. Now we told the manufacturer about this and they ignored us. As most smart goods manufacturers do.
But there’s some good news which I’ll share with you right at the end of this talk about my lovely friend Kayla. So to change things I thought we’d go and stalk some kids instead. This is a creepy presentation.
And I’d like to introduce to you the reason why I’m wearing a bright pink watch. Now, those of you who are parents here… have you ever had a moment where you go to the play park with your children, and you turn your back on them, and you turn around and they’re gone. Now maybe they’ve just run off somewhere to a different part of the play park. And you start 30 seconds of panicking. Great…
Now the idea of these is they keep track of your children for you. So they have a SIM in and they have a GPS antenna as well as being a watch. Your child puts it on and it means that from anywhere, on a smartphone app, I can work out where my child is. Great, so that’s a huge relief. I can see wherever they are. But we started looking at these in a bit more detail and discovered that actually there were a huge set of security flaws.
It meant that we could track, anyone could track, millions of children in real time, because there were security problems in the API that the mobile app used. You could set it off so it made it look like your children had been abducted. You could drive them up the street. You could even, and this is creepy… you could call the SIM card in the phone. So creepy people could call your children.
Even worse, you could also enable the microphone on this remotely without the child knowing. So you can stalk and creep on children. And that affects about 3 million watches. But even worse, with permission of a parent of a child who lives in Surfer’s Paradise in Brisbane, we discovered you could actually rewrite the GPS position that was reported. So you think your child is at home. You can then modify it. And this particular child, with a bit of fun, we dropped her in the sea. And now everyone’s panicking, right? Or actually are they not really at home and someone’s abducted them?
So the very point of these devices, to keep you confident in the safety of your children, is actually exposing them to creepy people and having them hacked. It got worse. The Icelandic data protection authority found another watch called Enox. And they banned it and they put an alert out on EU RAPEX, which is a great way of getting security alert data out to European countries. But we saw that. We went further.
There are about 20 thousand Enox watches in circulation. We went back through the supply chain. Worked out who the original device manufacturer, the ODM, was, and realized it was a Chinese company called Thinkrace. And realized this one flaw didn’t apply to 20 thousand Enox watches, it applied to 7 million different devices. Both watches and also car GPS trackers. In sum we found 47 million vulnerable SIM-equipped GPS tracking devices out there right now.
So let’s think about fraud. What can we do with this? Now I don’t know about you, in the UK, I’m a Brit, we’re not very successful at the Eurovision song contest. It doesn’t work very well. We haven’t won since 1997. So we’re a bit sore about this. So I’m thinking, can we use these tracker watches to effect some change? And we discovered that we could trigger the SIM cards in these devices to make phone calls independently. So we could either have them call premium rate phone lines and collect the cash or we could do something really fun.
Now Eurovision has the concept of the televote. So you dial a number, that’s the number in the UK, or you can SMS as well, and it costs you in the UK 35 pence. And the top-up on pay-as-you-go is gonna be about 10 pounds. So we did some calculations. 47 million devices, can vote about 28 times before you exhaust the credit. Which means you can put in 1.3 trillion votes into any automated telephone voting system. So this is looking really interesting and I assure you that is the last time that The Netherlands are winning Eurovision. UK is at the top next year. You wait…
So this is mad right? So not only can we generate random votes, we can exhaust people’s funds, but we can also create fraud that we can profit from if we setup the premium rate numbers. This is pretty nasty. How about some other crazy things you can do. How’s about insurance claims.
Now, I’m sure many of you have alarms on your vehicles, right? We had a spate of thefts to do with key relay where you had a keyless entry car. Had a huge spate of thefts in the UK. Particularly expensive, high end vehicles. So many insurers, back home in the UK, insisted that if you’re going to have an expensive vehicle with keyless entry, you had to have a third party alarm. You had to have an additional alarm.
So we started looking at these alarms. And we found one that really got us interested because in their advertising literature, they said they were unhackable. Are they really? It was a brand called Pandora. Thinking ok, we started looking at it. And it’s the idea of having a smart alarm on your car. So you can see where your car is. Where you left it in the car park. You can check you locked the doors. Great! You can trigger it to immobilize itself if you’re worried it has been stolen. And we found a vulnerability.
We discovered we could reset any user’s email address. Without being a user. Thinking why does that matter? Well… if I’ve reset your email address to my email address and then I trigger a password reset, now I’ve got your password. Now I’ve got your account. Now I’m you. And now what I can do is start querying all the accounts on the system.
So I can query them by Range Rovers. Excellent! Or Lamborghinis or Ferraris. Great so I can choose the sort of cars I want. I can then geolocate them in real time. That’s one of the vehicles parked at the office. I can see where you are. I can see where you’re driving. I can stalk you. I can then set the alarm off remotely and immobilize the car. Your car comes to a stop. I know where you are. I drive up behind. I press the button that unlocks the door locks. Thank you very much. The car is now mine.
So you fitted a smart car alarm. That makes your car easier to steal. And makes it possible to track you. Even worse. I’m sure you’re familiar with the idea of eCall. So if your car has a high impact collision, you automatically dial the emergency services. We found in the installer manual for this alarm a microphone. Thought, why is there a microphone on an alarm? What an unusual thing to do.
And discovered it’s there, same reasons, eCall, high G impact, automatically calls the emergency services. We discovered we could enable the microphone remotely in 2 million vehicles. We could listen to what you were saying in your cars, without you knowing. I don’t know about you. I have conversations in my car that I don’t want anyone else to know about.
This is creepy. 2 million vehicles. But that’s a Russian brand. Still very popular. So how’s about the biggest brand in the US: Viper. Very well known. Huge, huge market penetration. Guess what…same problem. We could reset everyone’s password. We could take over everyone’s account. So people fitted alarms and made it easier for the car to be stolen.
We also looked at a number of smart immobilizers. So it meant the cars could be tracked over GSM, the cars could be immobilized. And this is one of my poor colleagues. We fitted this to his car. We triggered the immobilizer, remotely, unauthenticated, and now his car will not start anymore. He’s now stuck. We could immobilize thousands and thousands of vehicles that had immobilizers fitted to improve their defense against criminals, to reduce people’s insurance premiums, but actually it made it easier to steal them. That’s worrying, isn’t it?
And guess what? Many of these devices were accredited by the insurance industry! Familiar with Thatcham? It’s a UK insurance body that does things like Euro NCAP testing in the UK. And they also accredit some of these devices. So that you the insurer go, yes, that’s a good device, we’ll give you a reduced premium, ’cause you’ve lowered the risk. Actually…fitting these devices increased the risk of failure. And that really, really bothers me.
How’s about your homes. I’m sure many of you are looking at home insurance. Very common insurance category. So I’m sure many of you maybe offer discounts to people who perhaps fit, I don’t know, CCTV. So you fit CCTV to your house so that you’re more comfortable. So that if someone breaks in it triggers, you’ve got a recording. And typically on a wired system like this it’ll be recorded to a digital video recorder, a DVR.
This is supposed to keep you safer. Right? Guess what we found. We found over 300 of these DVRs that we could remotely access. And get to anyone’s video stream. And tamper with it. Or delete it. Or do anything to it. Or even worse. It didn’t just affect one brand. It affected 63 different brands of digital video recorder. So much so they could all be remotely compromised. And nearly a million of these were then turned and used as a weapon to attack Facebook and Twitter. I lost access to Twitter for 2 hours in October 2016. I was so upset!
But these are security products that are supposed to make us safer. But they don’t. How’s about your house alarm. Maybe you’ve got a wireless house alarm. Nice and easy to fit the passive infrared detectors. So someone breaks in, they trigger, the alarm goes off. Trivially easy to jam. 25 bucks worth of kit. Off the shelf. Relayed to jam the signal between the PIR and the alarm panel. If you knew what you were doing you could do it for as little as 5 bucks.
The PIR is now jammed. You think the alarm panel would now go off, ’cause it’s being jammed. No! The alarm panel will not alarm for up to 2 hours in the event of jamming. So it’s trivial to break into houses with wireless alarms. There are 2 brands on the market I know that are not vulnerable to this attack. Guess what’s in my house. That easy.
But that’s too straightforward. You may have a fob that you use to deactivate your house alarm when you come home. Much easier than putting in the PIN. Press the fob. Guess what? We found we could brute force it. We could disarm the alarm panel over radio by spoofing the fob. Deactivating the house alarm. So how do you defend the house theft claim when the alarm wasn’t set? Do you mandate the alarm be set if you have one? How do you prove it was or wasn’t set, given how easy these things are to jam, and get around.
How’s about doorbells. Video doorbell: great idea, from Ring. Seen these? Love them. Show of hands, who’s got one? Oh, good. You’ve been listening. This is a smart video doorbell. The idea: you press it, great, it can then show you, wherever you are, on your phone, who’s at your door. You can hook it up to your smart doorbell. You can then maybe let someone in if it’s a friend or you can tell the courier or delivery guy where to leave the parcel.
It also picks up people who are trying to break into your house. I looked at it and thought, that’s a great idea. I want one of those. Looked to see how it works. It hooks up to your home WiFi network. Great! So I’m thinking it’s got to have your WiFi password to get onto your WiFi network.
So I took it off the door and found this big red button. I don’t know about you. I have to press buttons. You know. Had to do it. Pressed it. And that triggered. It put it into a reset mode. And in that reset mode I could connect to it over WiFi and it disclosed your WiFi key. So from outside the house I could unscrew it with 2 screws. Press the button and now I get your WiFi key. Now I got your WiFi key I can get onto your WiFi network. I’m on your network, now I can get to your WiFi router. Now I can intercept all of your internet traffic. The whole lot. Social media. Passwords. Maybe banking. Just ’cause you wanted to do this.
Now in fairness, Ring fixed it quite quickly. They did all right. Unfortunately they had a database corruption error about 6 months later where you pressed the button and you got someone else’s video. But hey…
And this little device. I love this little guy. This is a smart padlock. Now I don’t know about you, with keys I’m always forgetting my keys. This is a fingerprint padlock. I don’t often forget my fingers. Which is great! So I can open this. Now we started looking at it and it said lots of really cool things like: AES 128-bit encryption, which sounds really good, doesn’t it? Ok, we started looking at it.
We started taking apart the mobile application. Looking at how it worked. ‘Cause not only can you open it with your finger, you can also open it with your smartphone. Tap it, it will open over Bluetooth. How does this lock generate a key so you can secure that exchange? And the way that it does it, we discovered, is it generates the key based on its Bluetooth ID. Which is the one thing you can get to by looking at the Bluetooth explorer on your phone.
So it’s actually advertising its key. It chops it in half and turns it around the other way, but it makes it unbelievably easy for anyone within range to open that lock within about 2 seconds. There you go. It’s now open. We’ve now opened the lock. Fantastic. But I still need to know who’s got these locks. Except their API gives you addresses of everyone with these locks out there. Wow. That’s crazy.
Here’s another smart door lock. This is great. The idea of a fingerprint door lock. Or maybe it’s got a PIN. We see these are quite popular in AirBnBs for example. So it’s easy to let people in and cancel. The problem is smart door locks just don’t get security right. This one had an override key in the bottom. There was a gap that we could get a lock pick into. And we could trigger the latch and open it easily.
And this is one we published yesterday. This is 140 pounds. It’s the Pine World door lock. All of these locks are made from very, very weak alloys. ‘Cause they’re easy to cast. We drilled at that point there, it took us 3 seconds to drill a hole through the alloy. And then we could trigger the latch and open the door. 140 pounds for a lock that you could open in 4 seconds total. Nuts!
Now is there any good news? Or is it all just bad? Well, there has been some progress in the EU. ENISA are making progress towards putting out some standards. But unfortunately they’re only going to be mandatory for critical national infrastructure. They’re going to be optional for consumer smart devices. Consumer smart home devices.
And they are talking about regulation not coming in until at least 2023. Which is a bit of a shame. We’ve actually been consulted on this. We are actually involved in that document. We’re quoted in it. In the UK we’ve got a slightly different tack. There is regulation being consulted on right now, we expect it to become law next year, if we can sort our parliament out. But that’s another story.
But the good news is in the US, unilaterally, California, the state has regulated that reasonable security features for California residents for smart devices have to be in place by January 1st 2020. And the one thing I’m more proud of than anything I’ve done today, is the Senator that proposed the bill quoted our work on my friend Kayla as a catalyst behind it. So that is looking promising. Although, it’s gonna sure need a lot of case law to figure out whether it’s effective or not.
My point for all of you is insurance tech, smart tech, is great. It offers efficiencies. It’s fantastic. We can reduce fraud. But the onus is on you, to ask deep, probing questions of your suppliers, about their security. And their suppliers’ security. And their suppliers’, suppliers’, suppliers’ security. ‘Cause you can guarantee there is a huge chain of people who wrote the application, who wrote the tech, who wrote the software behind it, who wrote the mobile apps, who wrote the APIs, who host the servers, who delivered the service.
If you don’t ask probing questions and ask for evidence you’re gonna find your cool new insurtech on the wrong end of my investigations. Now, what questions do you ask? Well, it’s complicated, but I would strongly recommend you take a look at my blog. We’ve got lots of advice in there. It’s the sort of things you can ask, the sort of probing questions and certifications you should expect to see. That mean that you’re not exposing your data and your customers’ data to hackers. You really don’t wanna do that. Thank you.
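The account-takeover chain described for the car alarm portal (an email change that nobody authorizes, followed by an ordinary password reset) modelled in Python, as an added example that is not part of the talk and not any vendor's code. The portal, its users, the vehicle strings and every function name are constructed for illustration; the point is the missing ownership check on the email-change endpoint, shown beside a hardened version that refuses the call unless the caller holds a session for that very account.

```python
"""Account takeover via an unauthenticated email change followed by a
password reset, modelled in memory.  Constructed illustration; the portal,
its users and the API names are hypothetical, not a real vendor's code."""
import secrets
from dataclasses import dataclass


@dataclass
class User:
    user_id: int
    email: str
    password: str
    vehicle: str          # what an attacker can query once logged in


class AlarmPortal:
    """Toy model of a connected car-alarm account service (hypothetical)."""

    def __init__(self):
        self.users = {}          # user_id -> User
        self.sessions = {}       # session token -> user_id
        self.reset_tokens = {}   # reset token -> user_id
        self.outbox = []         # (recipient email, reset token) mails "sent"

    def register(self, user_id, email, password, vehicle):
        self.users[user_id] = User(user_id, email, password, vehicle)

    def login(self, email, password):
        for u in self.users.values():
            if u.email == email and u.password == password:
                tok = secrets.token_hex(16)
                self.sessions[tok] = u.user_id
                return tok
        return None

    # Vulnerable: nothing checks who is calling, so any user_id can be
    # pointed at an attacker-controlled mailbox.
    def change_email_vulnerable(self, user_id, new_email):
        if user_id not in self.users:
            return False
        self.users[user_id].email = new_email
        return True

    # Hardened: the caller must present a session that belongs to the very
    # account being changed.  Production code would additionally confirm the
    # new address by mail before it becomes the password-reset channel.
    def change_email_hardened(self, session, user_id, new_email):
        if self.sessions.get(session) != user_id:
            return False
        self.users[user_id].email = new_email
        return True

    def request_password_reset(self, email):
        for u in self.users.values():
            if u.email == email:
                tok = secrets.token_hex(16)
                self.reset_tokens[tok] = u.user_id
                self.outbox.append((email, tok))
        return None          # same response whether or not the address exists

    def complete_password_reset(self, token, new_password):
        uid = self.reset_tokens.pop(token, None)
        if uid is None:
            return False
        self.users[uid].password = new_password
        return True

    def locate_vehicle(self, session):
        uid = self.sessions.get(session)
        return None if uid is None else self.users[uid].vehicle


def takeover(portal, victim_id, attacker_email, hardened=False):
    """Run the chain against either endpoint.  Returns the attacker's session
    on the victim's account, or None if the chain was stopped."""
    if hardened:
        # The attacker holds no session for victim_id, so this is refused.
        changed = portal.change_email_hardened("no-session", victim_id, attacker_email)
    else:
        changed = portal.change_email_vulnerable(victim_id, attacker_email)
    if not changed:
        return None
    portal.request_password_reset(attacker_email)   # reset mail now goes to attacker
    token = next(t for to, t in reversed(portal.outbox) if to == attacker_email)
    portal.complete_password_reset(token, "attacker-chosen")
    return portal.login(attacker_email, "attacker-chosen")


if __name__ == "__main__":
    p = AlarmPortal()
    p.register(1, "owner@example.com", "hunter2", "Range Rover, parked at the office")
    s = takeover(p, 1, "attacker@example.com")
    print("vulnerable portal:", p.locate_vehicle(s))   # attacker now sees the car
    p = AlarmPortal()
    p.register(1, "owner@example.com", "hunter2", "Range Rover, parked at the office")
    print("hardened portal:", takeover(p, 1, "attacker@example.com", hardened=True))
```

Nothing in the chain is clever: the password reset works exactly as designed, and the victim never receives a mail because the address was swapped first. That is why an email-change endpoint has to be treated as a credential-change endpoint, authorized against the session and the account being modified, and ideally confirmed through the new mailbox before it is trusted.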