WEBVTT 1 00:00:00.120 --> 00:00:02.680 Welcome to the deep dive. Today. We're jumping into something 2 00:00:02.720 --> 00:00:06.280 that's well, probably all around you right now, the Internet 3 00:00:06.320 --> 00:00:10.199 of things IoT. Think about it, you're smart speaker, your 4 00:00:10.199 --> 00:00:13.560 fitness tracker, maybe even medical devices. They're super convenient, right, 5 00:00:13.720 --> 00:00:15.960 but they also open up a whole new world of 6 00:00:16.679 --> 00:00:22.280 well potential problems vulnerabilities. So our mission today is to 7 00:00:22.559 --> 00:00:26.559 really get into the weeds of IoT security. It's fascinating stuff, 8 00:00:26.600 --> 00:00:30.440 sometimes a bit unsettling. We're using the IoT Hackers Handbook 9 00:00:30.440 --> 00:00:32.880 as our guide here, kind of a shortcut to understanding 10 00:00:33.119 --> 00:00:36.159 why these things are often insecure and how security pros 11 00:00:36.200 --> 00:00:37.880 and yeah, the bad guys too figure out how to 12 00:00:37.920 --> 00:00:39.759 break into them. By the end of this you'll have 13 00:00:39.759 --> 00:00:42.000 a much better handle on the tech behind your smart world, 14 00:00:42.439 --> 00:00:45.000 way more than just a news headline. Ready to dive in. 15 00:00:45.280 --> 00:00:46.799 All right, So where did this all kick off, this 16 00:00:46.840 --> 00:00:48.719 idea of connecting everything, Well, the. 17 00:00:48.799 --> 00:00:51.560 Term internet of things actually goes back to Kevin Ashty. 18 00:00:51.640 --> 00:00:54.600 He was thinking about RFID, you know, tracking physical. 19 00:00:54.159 --> 00:00:57.880 Stuff RFID right, like in inventory tags exactly. 20 00:00:58.000 --> 00:01:03.079 But then fast forward to June two thousand, LG actually 21 00:01:03.200 --> 00:01:07.599 launched an Internet connected fridge, the Internet digital dios maybe 22 00:01:07.680 --> 00:01:09.719 the first real IoT device. 23 00:01:09.400 --> 00:01:10.840 And internet fridge in two thousand. 24 00:01:10.879 --> 00:01:13.599 Wow. Yeah, bit ahead of its time maybe, But the 25 00:01:13.640 --> 00:01:17.680 real sort of tipping point when people really noticed was 26 00:01:17.719 --> 00:01:21.599 probably the nests hrmostat ah nest I remember that right 27 00:01:21.840 --> 00:01:24.719 when Google bought them at twenty eleven for was a 28 00:01:24.760 --> 00:01:28.000 three point two billion dollars That really signaled, wait, this 29 00:01:28.040 --> 00:01:29.359 is happening, this is a revolution. 30 00:01:29.480 --> 00:01:31.680 So the money started flowing and everyone wanted. 31 00:01:31.480 --> 00:01:36.120 In pretty much. And the thing is, policymakers, regulators, they 32 00:01:36.239 --> 00:01:38.040 just couldn't keep up with how fast it was growing. 33 00:01:38.120 --> 00:01:41.319 So you had this massive adoption of devices, but often 34 00:01:41.359 --> 00:01:45.920 without any real strict quality controls or safety rules. 35 00:01:45.799 --> 00:01:49.519 Meaning developers could kind of ignore security largely. 36 00:01:49.599 --> 00:01:51.439 Yeah, the pressure was just to get products out the 37 00:01:51.439 --> 00:01:52.920 door fast. Security was often. 38 00:01:52.760 --> 00:01:55.439 An afterthought until something big happened to us exactly. 39 00:01:55.439 --> 00:01:58.200 The big wake up call was the Maria botnet twenty 40 00:01:58.239 --> 00:02:02.519 sixteen that was genuinely alarming. Maria basically went after internet 41 00:02:02.599 --> 00:02:07.200 connected cameras, cheap ones. Mostly. It was brutally simple, really, 42 00:02:07.400 --> 00:02:10.919 it just tried common default user names and passwords like 43 00:02:11.080 --> 00:02:15.000 admin and pass. They're king defaults on millions of devices. 44 00:02:15.240 --> 00:02:17.800 It was like millions of front doors just left unlocked, 45 00:02:18.000 --> 00:02:21.599 and once it got in, it took over Liberia's entire internet, 46 00:02:21.639 --> 00:02:24.639 the whole country, whole country. Yeah, and then launched this 47 00:02:24.840 --> 00:02:28.759 massive DDoS attack distributed denial of service against DIN, a 48 00:02:28.759 --> 00:02:35.439 big internet infrastructure company that took down huge sites GitHub, Twitter, Reddit, Netflix, 49 00:02:35.919 --> 00:02:38.840 you name it all because of default passwords on cheap cameras. 50 00:02:38.919 --> 00:02:41.639 That's staggering. It shows how interconnected everything is and how 51 00:02:41.719 --> 00:02:43.639 weak links can cause chaos. 52 00:02:43.680 --> 00:02:46.719 Precisely, it was a systemic failure, not just a few 53 00:02:46.759 --> 00:02:47.479 bad devices. 54 00:02:47.560 --> 00:02:49.199 Has security gotten better since. 55 00:02:49.039 --> 00:02:53.800 Then, It's improved definitely slowly, but I wouldn't say devices 56 00:02:53.800 --> 00:02:56.479 are extremely safe even now, not by a long shot. 57 00:02:56.800 --> 00:03:00.479 We've seen researchers do things like takeover Phillips HU smart 58 00:03:00.560 --> 00:03:04.039 lights using drones. Drones how they found encryption keys just 59 00:03:04.120 --> 00:03:07.039 hard coded into the firmware, easy to grab, and they 60 00:03:07.080 --> 00:03:10.639 use zigbie the wireless protocol to spread the infection. 61 00:03:10.560 --> 00:03:12.919 So one light infects the next, YEP. 62 00:03:13.439 --> 00:03:16.840 And even earlier, back in twenty thirteen, Natistan Johnny showed 63 00:03:16.879 --> 00:03:21.800 he could cause permanent blackouts just by replaying old network messages. 64 00:03:22.159 --> 00:03:24.879 He just needed the device's m ASSE address, which isn't 65 00:03:24.919 --> 00:03:28.319 hard to get and could spoof commands. Basic stuff really 66 00:03:28.599 --> 00:03:29.840 but effective, which is. 67 00:03:29.759 --> 00:03:32.520 Worrying because these devices collect so much data about us. 68 00:03:32.479 --> 00:03:36.039 Right, absolutely, really intimate data, sometimes health data, what you 69 00:03:36.080 --> 00:03:38.479 do in your home. It's a huge privacy risk if 70 00:03:38.479 --> 00:03:41.439 they get hacked. But on the flip side, all these 71 00:03:41.439 --> 00:03:45.080 incidents have created a real demand for IoT security experts, 72 00:03:45.400 --> 00:03:47.719 people who know how to build this stuff securely, and 73 00:03:47.759 --> 00:03:49.039 people who know how to break. 74 00:03:48.840 --> 00:03:50.960 It the ethical hackers right, and. 75 00:03:50.960 --> 00:03:53.879 Companies are finally starting to offer bug bounties more often, 76 00:03:54.000 --> 00:03:56.960 paying researchers to find flaws before the criminals do. 77 00:03:57.240 --> 00:03:59.280 Okay, So it sounds like the rapid growth and lack 78 00:03:59.319 --> 00:04:01.639 of early overst so I created a bit of a mess. 79 00:04:01.680 --> 00:04:03.879 Maybe the best way to understand the risks is to 80 00:04:03.919 --> 00:04:07.840 look at some specific example some of those headline grabbing hacks. 81 00:04:08.199 --> 00:04:10.960 Let's start with the Nest thermistat. Again, you mentioned it earlier. 82 00:04:10.759 --> 00:04:14.360 Right, the Nest. So researchers found you could crash it, 83 00:04:14.520 --> 00:04:17.800 make it reboot just by sending specific Bluetooth signals. 84 00:04:17.959 --> 00:04:19.480 Just crash it. What's the big deal? 85 00:04:19.680 --> 00:04:22.720 Well, it created about a ninety second window where the thermistat 86 00:04:22.720 --> 00:04:25.319 was offline. Okay, and if you had a nest security 87 00:04:25.360 --> 00:04:28.160 camera link to it. That camera might also be affected 88 00:04:28.240 --> 00:04:31.199 or delayed. Ninety seconds could be enough for a burglar 89 00:04:31.279 --> 00:04:32.639 to slip past undetected. 90 00:04:33.000 --> 00:04:35.879 Ah. I see, so a security device actually created an 91 00:04:35.879 --> 00:04:37.240 insecurity exactly. 92 00:04:37.480 --> 00:04:40.079 Then there were those Phillips Hugh lights. We mentioned the 93 00:04:40.160 --> 00:04:42.920 drone attack exploiting the hard coded Zigbie. 94 00:04:42.600 --> 00:04:44.560 Keys right, the self spreading worm. 95 00:04:44.560 --> 00:04:48.399 Yep, and also that replay attack causing permanent blackouts that 96 00:04:48.519 --> 00:04:52.839 was also targeting Phillips gear exploiting easily guessable device IDs. 97 00:04:53.079 --> 00:04:56.680 It seems like basic communications security was often missing often. 98 00:04:56.839 --> 00:05:00.000 Yes, look at the lift at smart Bold. Another research 99 00:05:00.319 --> 00:05:03.560 Alex Chapman found he could inject malicious packets. He could 100 00:05:03.560 --> 00:05:06.160 actually decrypt the owner's Wi Fi password from the. 101 00:05:06.079 --> 00:05:08.680 Bulb get the Wi Fi password from a light bulb. 102 00:05:09.000 --> 00:05:12.000 Yeah, the key was he dumped the firmware, the bulb 103 00:05:12.079 --> 00:05:15.639 software using a hardware technique called JTAG, and right there 104 00:05:15.680 --> 00:05:19.279 in the code the AES encryption key, the initialization vector, 105 00:05:19.759 --> 00:05:22.040 everything needed to break the security. Wow. 106 00:05:22.199 --> 00:05:25.759 Okay, that's bad, but maybe not as viscerally scary as 107 00:05:25.759 --> 00:05:26.360 the GP pack. 108 00:05:26.560 --> 00:05:29.439 Ah. The jeep pack twenty fifteen, That one really got 109 00:05:29.439 --> 00:05:32.639 people's attention. Doctor Charlie Miller and Chris Vallisek. 110 00:05:32.560 --> 00:05:34.959 Legends what did they do exactly? I remember the headlines, 111 00:05:34.959 --> 00:05:35.839 but the details. 112 00:05:36.079 --> 00:05:39.160 They remotely took control of a Jeep Cherokee while it 113 00:05:39.199 --> 00:05:43.040 was driving miles away. They found a vulnerability in the 114 00:05:43.120 --> 00:05:47.800 U Connect infotainment system, specifically an open network port Port 115 00:05:47.839 --> 00:05:50.720 six six sixty seven running something called DBUS over IP, 116 00:05:51.160 --> 00:05:53.079 and through that they found a service that let them 117 00:05:53.160 --> 00:05:55.319 run their own code on the car's system, giving them 118 00:05:55.319 --> 00:06:01.399 control of the steering, brakes, headlights, transmission, wipers, radio, everything 119 00:06:01.560 --> 00:06:03.040 while someone was driving out on the highway. 120 00:06:03.120 --> 00:06:07.480 That is terrifying, actual physical danger from a software flaw. 121 00:06:07.639 --> 00:06:10.360 Absolutely. It led to a recall of one point four 122 00:06:10.399 --> 00:06:13.519 million vehicles. It showed that IoT security wasn't just about 123 00:06:13.600 --> 00:06:15.680 data theft. It could be about physical safety. 124 00:06:15.879 --> 00:06:18.160 And it's not just cars or light bulbs. You mentioned 125 00:06:18.240 --> 00:06:19.680 medical devices, right. 126 00:06:19.839 --> 00:06:23.040 Jay Radcliffe found a major issue with a Johnson and 127 00:06:23.120 --> 00:06:27.560 Johnson insulin pump, the Anima's one Touch pain. It communicated 128 00:06:27.600 --> 00:06:29.800 wirelessly but in clear text. 129 00:06:30.120 --> 00:06:32.560 No encryption for an insulin pump. 130 00:06:32.600 --> 00:06:37.279 That sounds critically extremely It meant someone nearby could capture 131 00:06:37.319 --> 00:06:40.800 the commands, maybe modify them and replay them. They could 132 00:06:40.800 --> 00:06:43.800 potentially change the insulin dosage delivered to a patient that 133 00:06:43.839 --> 00:06:47.639 could be lethal. Potentially. Yes. Thankfully, the vendor did patch 134 00:06:47.680 --> 00:06:51.600 it relatively quickly, within about five months, but it highlighted 135 00:06:51.600 --> 00:06:53.439 the risks in critical health devices. 136 00:06:53.680 --> 00:06:56.120 Even things like smart door locks have had problems. 137 00:06:56.160 --> 00:06:59.839 Oh yeah, tons of issues. One researcher, Jay Max, looked 138 00:06:59.839 --> 00:07:02.199 at the August smart lock. He found a way for 139 00:07:02.279 --> 00:07:05.439 someone with guest access to become an administrator. Oh just 140 00:07:05.480 --> 00:07:08.279 by intercepting the network traffic and changing a value from 141 00:07:08.399 --> 00:07:12.120 user to super user. Simple as that. Plus the firmware 142 00:07:12.199 --> 00:07:15.000 wasn't signed, meaning you could modify it and to bypassed 143 00:07:15.000 --> 00:07:18.240 some standard security check to other locks. Other researchers found 144 00:07:18.319 --> 00:07:22.600 locks sending passwords and plaintext over the network yep, or 145 00:07:22.759 --> 00:07:27.639 vulnerable to replay attacks, or using ridiculously weak hard coded 146 00:07:27.720 --> 00:07:32.879 encryption keys. One Dana loock model literally used the key 147 00:07:33.000 --> 00:07:35.120 this this secret, this the secret. 148 00:07:35.399 --> 00:07:36.920 You can't make this stuff. 149 00:07:36.680 --> 00:07:40.120 Up, you really can't. The pattern is just surprisingly weak 150 00:07:40.160 --> 00:07:41.720 security practices in many. 151 00:07:41.560 --> 00:07:43.879 Cases, even smart guns. That sounds like something from a. 152 00:07:43.839 --> 00:07:47.680 Movie, It does, but it's real. Tracking point makes smart rifles, 153 00:07:47.800 --> 00:07:51.079 you know, with computer raided targeting. Researchers Runas Sandvik and 154 00:07:51.160 --> 00:07:54.079 Michael Auger found they could get admin access through a 155 00:07:54.079 --> 00:07:56.279 physical port called art okay. 156 00:07:56.519 --> 00:07:58.160 And what could they do from there? 157 00:07:58.240 --> 00:08:01.439 They could launch network attacks to mess with the rifle's calculations. 158 00:08:01.879 --> 00:08:05.079 Change the wind velocity value or the bulletweight parameter. 159 00:08:04.879 --> 00:08:07.079 So the rifle would calculate the wrong shot. 160 00:08:07.040 --> 00:08:10.040 Exactly, making the shoot or miss without them even knowing. 161 00:08:10.079 --> 00:08:11.839 Why imagine the implications. 162 00:08:11.920 --> 00:08:13.879 Yeah, and you mentioned another one with magnets. 163 00:08:14.240 --> 00:08:18.279 Ah, right, the Armatix IP one smart gun. It had 164 00:08:18.279 --> 00:08:21.839 a safety feature linked to a special watch. Another researcher 165 00:08:21.959 --> 00:08:26.000 poor bypassed it using yes, just strong magnets. He could 166 00:08:26.040 --> 00:08:29.600 manipulate the firing mechanism directly, proving that sometimes a really 167 00:08:29.680 --> 00:08:33.480 low tech attack works just fine against poorly designed high 168 00:08:33.480 --> 00:08:34.159 tech security. 169 00:08:34.279 --> 00:08:36.960 So, looking at all these different examples, what's the common thread? 170 00:08:37.320 --> 00:08:39.919 I think what's fascinating and worrying is how it shows 171 00:08:39.960 --> 00:08:41.919 every part of an IoT device can be a weak 172 00:08:41.960 --> 00:08:45.679 point if it's not secured properly. The hardware itself, the firmware, 173 00:08:45.759 --> 00:08:47.919 the mobile app, the cloud service it talks to, the 174 00:08:48.000 --> 00:08:51.840 radio signals, any single component can be the point of failure. 175 00:08:52.039 --> 00:08:52.879 It's the whole chain. 176 00:08:53.159 --> 00:08:56.159 Okay, so we've seen what goes wrong, But why why 177 00:08:56.200 --> 00:08:59.000 are these vulnerabilities so common? What are the root causes? 178 00:08:59.120 --> 00:09:01.440 That's the crucial quest if we actually want to fix things, 179 00:09:01.480 --> 00:09:03.960 And there's several big reasons. One huge one is fragmentation. 180 00:09:04.200 --> 00:09:07.639 Fragmentation means the sheer number of different ways these devices 181 00:09:07.639 --> 00:09:11.000 talk to each other ZIGB Bluetooth, low energy, z wave, 182 00:09:11.600 --> 00:09:15.960 Wi Fi, Laura six to low PAN, dozens of protocols 183 00:09:15.960 --> 00:09:16.879 and software. 184 00:09:16.480 --> 00:09:18.639 Frameworks like a tower of Babbel for devices. 185 00:09:18.960 --> 00:09:22.720 Kinda yeah, it creates enormous complexity. There's no single standard 186 00:09:22.759 --> 00:09:27.200 everyone follows, and this lack of standardization makes it way 187 00:09:27.240 --> 00:09:30.240 easier for flaws to creep in. Plus, a lot of 188 00:09:30.320 --> 00:09:32.679 developers just grab a popular framework and kind of assume 189 00:09:32.720 --> 00:09:36.000 it's secure out of the box, which is often a 190 00:09:36.000 --> 00:09:37.159 really dangerous assumption. 191 00:09:37.399 --> 00:09:39.279 So the variety itself is a problem. 192 00:09:39.360 --> 00:09:41.600 What else, A big one is simply a lack of 193 00:09:41.679 --> 00:09:44.480 security awareness among developers. You mean they don't care. Not 194 00:09:44.480 --> 00:09:47.679 necessarily that they don't care, but they're often under immense 195 00:09:47.720 --> 00:09:52.240 pressure to ship products quickly. Deadlines are tight, and they 196 00:09:52.320 --> 00:09:55.200 might just not be trained or aware of the specific 197 00:09:55.320 --> 00:09:59.639 security pitfalls and IoT how hardware interacts with software, how 198 00:09:59.720 --> 00:10:03.440 RADI protocols can be abused. It's a specialized field. 199 00:10:03.200 --> 00:10:05.879 So they need better training and maybe stricter guidelines. 200 00:10:05.960 --> 00:10:10.759 Definitely regular security training, clear coding rules, security checklists baked 201 00:10:10.799 --> 00:10:13.080 into the development cycle. That's essential. 202 00:10:13.159 --> 00:10:14.440 Okay, what other factors? 203 00:10:14.600 --> 00:10:16.960 Another issue is what you might call a lack of 204 00:10:17.000 --> 00:10:21.320 a macro perspective. A macro perspective, yeah, meaning teams often 205 00:10:21.360 --> 00:10:24.919 focus too much on securing just one piece of the puzzle, 206 00:10:25.440 --> 00:10:28.200 Like they'll pentis the mobile app, but they won't look 207 00:10:28.240 --> 00:10:30.639 closely at how the app, the device, and the cloud 208 00:10:30.720 --> 00:10:31.440 all interact. 209 00:10:31.679 --> 00:10:35.480 Ah, so they miss the vulnerabilities that emerge from the 210 00:10:35.480 --> 00:10:37.559 connections between components exactly. 211 00:10:37.720 --> 00:10:40.039 They miss the forest for the trees. You need to 212 00:10:40.039 --> 00:10:42.639 look at the entire system architecture end to end and 213 00:10:42.720 --> 00:10:45.159 do proper threat modeling to see how everything connects and 214 00:10:45.159 --> 00:10:46.440 where the real risks lie. 215 00:10:46.679 --> 00:10:49.120 That makes sense. It's the Internet of things, after all, 216 00:10:49.360 --> 00:10:50.440 the connections matter. 217 00:10:50.639 --> 00:10:52.679 Right. Then there are supply chain issues. 218 00:10:52.720 --> 00:10:55.480 Supply chain like where the parts come from precisely. 219 00:10:55.799 --> 00:10:58.440 Think about how a complex device gets made. You might 220 00:10:58.480 --> 00:11:01.279 have one company making the process or another. The Wi 221 00:11:01.279 --> 00:11:05.600 Fi chip another, assembling it, another distributing it. Every step 222 00:11:05.639 --> 00:11:08.840 in that chain, every vendor involved, is an opportunity for 223 00:11:08.879 --> 00:11:13.120 a vulnerability to be introduced, either accidentally or maybe even deliberately. 224 00:11:13.799 --> 00:11:16.000 A backdoor could be slipped in at any point. 225 00:11:16.240 --> 00:11:18.879 Wow, that's complex. How do you even secure that? 226 00:11:19.080 --> 00:11:22.279 It's incredibly difficult. It requires a lot of trust and verification, 227 00:11:22.480 --> 00:11:24.240 which is hard to achieve globally. 228 00:11:24.519 --> 00:11:26.480 Okay, any other major causes. 229 00:11:26.600 --> 00:11:30.080 One last big one is the use of insecure frameworks 230 00:11:30.120 --> 00:11:31.600 and third party libraries. 231 00:11:31.960 --> 00:11:35.799 So developers using pre written code that's already flawed exactly. 232 00:11:36.559 --> 00:11:40.039 It's very common to grab existing code samples or libraries 233 00:11:40.080 --> 00:11:43.000 to speed up development. But if that code you're importing 234 00:11:43.039 --> 00:11:46.840 has vulnerabilities, well, now your product has those vulnerabilities too. 235 00:11:47.519 --> 00:11:50.240 And again, the business pressure to launch quickly often means 236 00:11:50.559 --> 00:11:54.000 proper security vetting of these third party components gets pushed. 237 00:11:53.799 --> 00:11:55.519 To the back burner until there's a breach. 238 00:11:55.639 --> 00:11:59.080 Until there's a breach. Sadly, that's often the trigger for 239 00:11:59.120 --> 00:11:59.960 taking it seriously. 240 00:12:00.159 --> 00:12:03.240 So putting it all together, it's a mix of complexities, 241 00:12:03.360 --> 00:12:07.039 speed to market pressure, lack of awareness, and issues baked 242 00:12:07.039 --> 00:12:09.240 into the whole process of building these things that. 243 00:12:09.200 --> 00:12:11.519 Sums it up pretty well. It's a complex ecosystem with 244 00:12:11.600 --> 00:12:14.200 security challenges at almost every level. 245 00:12:14.000 --> 00:12:17.159 Which, as you said, creates a huge demand for people 246 00:12:17.360 --> 00:12:20.399 who can find these flaws. The security professionals, the pen testers. 247 00:12:20.919 --> 00:12:22.600 How did they actually do it? What's their process? 248 00:12:22.840 --> 00:12:25.480 Right? So, an IoT penetration test or pentest is different 249 00:12:25.519 --> 00:12:28.120 from just testing a website or a regular application. It's 250 00:12:28.159 --> 00:12:32.360 about assessing everything the physical device, the firmware inside it, 251 00:12:32.559 --> 00:12:36.440 the radio communications, the mobile app, the cloud back end. 252 00:12:37.240 --> 00:12:38.039 The whole solution. 253 00:12:38.200 --> 00:12:39.879 Sounds comprehensive, it has to. 254 00:12:39.840 --> 00:12:43.519 Be, And interestingly, you often need multiple physical devices for 255 00:12:43.639 --> 00:12:47.600 testing because some techniques like physically taking chips off the 256 00:12:47.600 --> 00:12:51.919 board are well destructive. You might break a device or 257 00:12:51.919 --> 00:12:53.399 two finding vulnerabilities. 258 00:12:53.519 --> 00:12:54.799 Okay, so where do they start? 259 00:12:54.960 --> 00:12:58.000 The absolute foundation is a tax surface mapping. This is 260 00:12:58.039 --> 00:13:00.759 the recon phase. You gather as much in from possible 261 00:13:00.840 --> 00:13:03.799 before you even touch the device. Read the manuals, check 262 00:13:03.799 --> 00:13:07.039 the vendor's website, look for patents, search for previous research 263 00:13:07.080 --> 00:13:09.559 on similar devices, anything you can find. 264 00:13:09.679 --> 00:13:11.120 What kind of info are you looking for? 265 00:13:11.279 --> 00:13:15.600 Q details like what processor, cpu architectures it use, what 266 00:13:15.639 --> 00:13:19.720 communication protocols, Wi Fi, bl zigbie, Is there a mobile app. 267 00:13:19.960 --> 00:13:22.720 How does it get firmware updates? Does it have USB ports, 268 00:13:22.919 --> 00:13:25.600 FD card slots, any hardware ports? Visible? 269 00:13:25.600 --> 00:13:27.840 Building a complete picture, yes exactly. 270 00:13:28.000 --> 00:13:30.240 You can generally break down the attack surface into three 271 00:13:30.279 --> 00:13:33.759 big areas. First, the embedded device itself the thing. Can 272 00:13:33.799 --> 00:13:36.600 you open it? Are the debug ports inside like art 273 00:13:36.679 --> 00:13:39.519 or jtag? Can you dump the firmware directly from a 274 00:13:39.600 --> 00:13:44.240 chip is authentication week? Second the firmware software and applications. 275 00:13:44.559 --> 00:13:46.960 This is where traditional pen testing skills come in more 276 00:13:47.440 --> 00:13:50.320 analyzing the mobile app, the web dashboard if there is one, 277 00:13:50.480 --> 00:13:53.360 checking network services like SSH or FDP that might be 278 00:13:53.399 --> 00:13:57.440 running on the device, looking for hard coded passwords, weak authentication, 279 00:13:57.919 --> 00:14:02.480 logic flaws. And Third the radio communications. This is often 280 00:14:02.519 --> 00:14:06.080 overlooked by developers. Wi Fi security yes, but also ble 281 00:14:06.519 --> 00:14:09.759 zigb Z wave Laura. Can you sniff the traffic as 282 00:14:09.799 --> 00:14:12.120 it encrypted? Can you jam the signal? Can you perform 283 00:14:12.159 --> 00:14:12.919 replay attacks? 284 00:14:12.960 --> 00:14:15.120 So you map out all these potential entry points right. 285 00:14:15.159 --> 00:14:17.919 The goal is to create an architectural diagram, show all 286 00:14:17.960 --> 00:14:20.000 the components how they talk to each other, and then 287 00:14:20.039 --> 00:14:22.279 list every potential way an attacker might try to get 288 00:14:22.279 --> 00:14:23.480 in every attack vector. 289 00:14:23.960 --> 00:14:26.200 You mentioned something earlier about sec IDs. 290 00:14:26.559 --> 00:14:30.519 Ah Yes, a really practical tip. Almost every device that 291 00:14:30.559 --> 00:14:33.799 transmits radio waves has to have an SECID never printed 292 00:14:33.840 --> 00:14:36.679 on it somewhere. If you take that ID and search 293 00:14:36.720 --> 00:14:40.360 for it on the FCC website, specifically sites like sccside 294 00:14:40.360 --> 00:14:42.679 dot io, it's often a gold mine. 295 00:14:42.840 --> 00:14:43.879 Why what's there? 296 00:14:44.000 --> 00:14:46.440 You can find internal photos of the device before it's 297 00:14:46.480 --> 00:14:51.120 even released, sometimes detailed documents test reports. For example, looking 298 00:14:51.200 --> 00:14:55.039 up the FCCID for an edmax IP camera revealed internal 299 00:14:55.080 --> 00:14:58.000 photos clearly showing four little pads on the circuit board 300 00:14:58.519 --> 00:15:01.879 that strongly suggested a u AT interface, a key debug port, 301 00:15:02.120 --> 00:15:04.600 public information giving you a clue for hardware hacking. 302 00:15:04.799 --> 00:15:07.480 That's clever, using public data to find hidden doors. 303 00:15:07.679 --> 00:15:10.000 Okay, so once you've mapped the attack surface, what's next? 304 00:15:10.039 --> 00:15:12.799 You mentioned getting physical to tear down exactly? 305 00:15:12.840 --> 00:15:15.360 This is often where the real fun begins for hardware hackers, 306 00:15:15.399 --> 00:15:17.600 getting physical with the device, trying it open. 307 00:15:17.840 --> 00:15:21.679 Pretty much, the main goals here are things like extracting 308 00:15:21.720 --> 00:15:25.120 the firmware directly from memory chips, maybe getting a rootshell 309 00:15:25.200 --> 00:15:27.399 or command prompt on the device through a hidden port, 310 00:15:27.840 --> 00:15:30.159 connecting debuggers to see what the code is doing live, 311 00:15:30.799 --> 00:15:35.440 sometimes even modifying the hardware or writing custom firmware. And yeah, 312 00:15:35.440 --> 00:15:37.320 as I said, you need spare devices because you might 313 00:15:37.360 --> 00:15:37.919 break things. 314 00:15:38.360 --> 00:15:41.559 So how do you start the physical analysis? First? 315 00:15:41.720 --> 00:15:45.279 Is just external inspection. Look closely at the outside, what 316 00:15:45.320 --> 00:15:49.559 buttons are there, any obvious ports, ethernet, USBSD card, what 317 00:15:49.679 --> 00:15:52.759 kind of display does it have? Power requirements? And critically 318 00:15:53.000 --> 00:15:56.519 look for those certification labels like the STCID. Even note 319 00:15:56.519 --> 00:15:59.120 the type of screws holding it together. Sometimes you need 320 00:15:59.159 --> 00:16:01.720 special screwdriver just to get inside. 321 00:16:01.279 --> 00:16:02.879 Like on Apple devices. 322 00:16:02.600 --> 00:16:07.120 Exactly ped loavescrews, torques. Knowing that tells you something. For instance, 323 00:16:07.200 --> 00:16:09.240 looking at an old Navman GPS, you might note it 324 00:16:09.320 --> 00:16:12.720 runs Windows, CE has a Samsung ARM processor and see 325 00:16:12.720 --> 00:16:15.360 the USB, port, SD slot, et cetera. All clues. 326 00:16:15.480 --> 00:16:16.559 Then you actually open it up. 327 00:16:16.759 --> 00:16:19.919 Yeah, carefully. This is the internal inspection. You're looking at 328 00:16:19.960 --> 00:16:24.679 the printed circuit board PCB, identifying the main chips, the CPU, RAM, 329 00:16:24.759 --> 00:16:28.519 flash memory, where the firmware lives. You're also hunting for connectors, antennas, 330 00:16:28.519 --> 00:16:31.240 and especially those debug interfaces. We talked about pins or 331 00:16:31.600 --> 00:16:35.600 pads for your JTAG SPI. These are often the keys 332 00:16:35.639 --> 00:16:36.960 to unlocking the device. 333 00:16:36.720 --> 00:16:40.080 And those fcc ID lookups help here too massively. 334 00:16:40.440 --> 00:16:44.799 Again, that FCC database SCCI dot io is amazing. You 335 00:16:44.879 --> 00:16:47.519 might see internal photos there that clearly label the CPU 336 00:16:47.600 --> 00:16:50.559 model or show exactly where the ur pads are, saving 337 00:16:50.639 --> 00:16:52.120 you a ton of guesswork, like. 338 00:16:52.039 --> 00:16:53.679 Finding the blueprint before you pick the lock. 339 00:16:53.840 --> 00:16:57.720 Precisely that edmax camera example. Again, the SEC filing basically 340 00:16:57.720 --> 00:17:00.200 pointed right to the r pads, a huge headstar for 341 00:17:00.240 --> 00:17:01.399 anyone wanting to connect to it. 342 00:17:01.480 --> 00:17:04.359 Okay, so you've found these internal ports like u ART, 343 00:17:04.599 --> 00:17:06.319 how do you actually use them? How do you talk 344 00:17:06.400 --> 00:17:07.559 to the device's insights? 345 00:17:07.680 --> 00:17:10.920 Right? That's where understanding these low level communication protocols is key. 346 00:17:11.240 --> 00:17:14.680 Let's start with u ART Universal Asynchronous Receival Transmitter. 347 00:17:14.759 --> 00:17:15.920 Okay, what is it? 348 00:17:16.000 --> 00:17:19.039 Simply, it's a really common, simple way for chips to 349 00:17:19.039 --> 00:17:21.880 talk serially one bit after another. It doesn't need a 350 00:17:21.920 --> 00:17:24.640 shared clock signal, which makes it easy to implement. Think 351 00:17:24.640 --> 00:17:28.240 of it like a basic direct serial chat line between components. 352 00:17:28.279 --> 00:17:29.319 And how do you exploit it? 353 00:17:29.440 --> 00:17:31.759 First, you need to identify the pins on the circuit 354 00:17:31.759 --> 00:17:36.440 board ground G and D, transmit TX, receive RX and 355 00:17:36.519 --> 00:17:40.359 sometimes power VCC. You can often find these using. 356 00:17:40.160 --> 00:17:43.319 A multimeter testing voltages and continuity exactly. 357 00:17:43.400 --> 00:17:45.519 Yeah, Then you need a tool to connect your computer 358 00:17:45.720 --> 00:17:49.200 to these pins, something like an FTDI adapter or a 359 00:17:49.200 --> 00:17:52.279 specialized tool like the Adify badge works well. You connect 360 00:17:52.319 --> 00:17:56.400 your tools TX to the devices RX, RX to TX 361 00:17:56.640 --> 00:17:59.200 and ground to ground. You usually leave the VCC power 362 00:17:59.240 --> 00:18:02.440 pin disconnected. Why because the device is usually already powered on. 363 00:18:02.480 --> 00:18:04.960 You don't want to feed it extra voltage. Then you 364 00:18:05.000 --> 00:18:07.039 need to figure out the speed the bod rate they're 365 00:18:07.079 --> 00:18:09.720 talking at. There are tools like bodrate dot PI that 366 00:18:09.759 --> 00:18:10.960 can automatically detect this. 367 00:18:11.119 --> 00:18:14.200 Okay, you've got the pins, the speed, then what Then? 368 00:18:14.279 --> 00:18:17.079 You just use a simple terminal program on your computer 369 00:18:17.279 --> 00:18:19.799 like screen or Mini coom, connect to the serial port 370 00:18:19.799 --> 00:18:22.759 provided by your tool, and very often, especially on cheaper 371 00:18:22.880 --> 00:18:25.640 or older devices, you'll just get dropped straight into a 372 00:18:25.640 --> 00:18:27.799 command prompt, often a rootshell. 373 00:18:27.720 --> 00:18:30.839 Meaning full administrative control, no password needed. 374 00:18:30.920 --> 00:18:35.920 Yep, an unauthenticated root shell over art. It's a surprisingly 375 00:18:36.079 --> 00:18:39.559 common and critical vulnerability. We found this on that Atmax 376 00:18:39.599 --> 00:18:43.599 camera for example, instant root access just by soldering three wires. 377 00:18:43.759 --> 00:18:46.359 Wow, okay, what about other protocols you mentioned I two 378 00:18:46.400 --> 00:18:47.559 C right, IT two. 379 00:18:47.359 --> 00:18:50.519 C integrated circuit. There is another common one, but it's 380 00:18:50.519 --> 00:18:53.880 a bus protocol, meaning multiple chips can share the same 381 00:18:53.920 --> 00:18:57.880 two wires SDA for data and SEL for the clock signal. 382 00:18:58.119 --> 00:19:00.480 So it's like a little internal network kind of. 383 00:19:00.559 --> 00:19:03.960 Yeah. It's used for slower communication between components like e 384 00:19:04.079 --> 00:19:08.839 proms small memory chips that store configuration data, real time clocks, sensors, 385 00:19:08.880 --> 00:19:09.400 things like that. 386 00:19:09.440 --> 00:19:10.920 And how is that useful for hacking? 387 00:19:11.240 --> 00:19:14.720 Well, if important data like settings or maybe even keys 388 00:19:15.079 --> 00:19:17.200 are stored in an e PROM chip that uses IT 389 00:19:17.359 --> 00:19:20.000 two C, you can often read or write directly to 390 00:19:20.119 --> 00:19:22.279 that chip. You'd find that chip on the board, look 391 00:19:22.359 --> 00:19:24.480 up its data sheet to understand how to talk to it. 392 00:19:24.799 --> 00:19:27.559 Connect your tool against something like the adify badge using 393 00:19:27.599 --> 00:19:28.200 clips or an. 394 00:19:28.119 --> 00:19:30.440 Adapter directly onto the chip yep, clip. 395 00:19:30.279 --> 00:19:33.079 Right onto the legs. If possible, then you use software 396 00:19:33.319 --> 00:19:35.680 like scripts often called I two C PROM dot PI 397 00:19:35.880 --> 00:19:38.640 or similar to communicate over I two C and dump 398 00:19:38.680 --> 00:19:41.279 the contents of the memory or even write new data 399 00:19:41.279 --> 00:19:41.680 back to. 400 00:19:41.640 --> 00:19:44.240 It, so you could potentially change device settings stored in 401 00:19:44.279 --> 00:19:45.839