>> This is Jose Molina and he'll talk about more problems with home automation stuff. Let's give him a big party track welcome. Applause! (Applause)
>> Perfect. Hi, everyone, it's nice to have so many people here, great, this is going to be a fun -- going to be a fun talk. So, it's good you are here, you can drink, have fun, this is the party track -- all right. I will just start with a question for you, and it is the following: If I were here to tell you someone can control every appliance in your room, except the locks and maybe the thermostat, but everything else like the TV, lights, the blinds, everything else, would you stay at that room or would you check out tonight? Not the locks. They cannot do you any physical harm and they cannot steal your shit, but everything else is controlled by someone. Okay? So think about it. I will come back to this talk, to this question later. So who am I? I am a security consultant based in San Francisco. This part of the talk is brought to you by (Inaudible). I want the second last name to be said, so my name is Dr. Jesus Maria Molina --. So, I'm a Spanish guy. I'm from La Mancha where we roll our (indiscernible) and all that stuff. My website is -- My Twitter handle is identifyandtrust. And give me tequila and I will give you more videos which are more fun. All these videos I sell have plausibility, meaning I can say someone else did it with the iPad. All right. What did I do? This is kind of the romantic side of security where someone goes to a place and they see something is broken and they will try to hack into or something, this is kind of this talk. I have 48 hours to do this 'cause I was checking out. In the process I was able to control 200+ rooms at a five-star hotel by using an insecure home automation protocol. So I was able to raise the blinds, the TVs, switch on everything, in 200 plus rooms. While I was a guest in the hotel, in China, okay, so give me credit for this, you know, because it was kind of scary!
(Laughter) I did not hack anything. I abused something. Okay, so those are different things! The good thing is this is a story with a happy ending. Right, because I talked with Starwood and they were okay with this talk. Actually, they supported it, they said go ahead and do it. I talked with the CIO; by the way, that was the most awkward talk in the world. My lawyer was on the phone with me, his lawyer was on the phone with him. We were like, Hi, how are you doing? We know you did something in our hotel! Explain what you did to us. (Laughter) But the fact is that they disabled the system right away and they have changed the policy on all hotels, which are the Sheratons and the -- (Inaudible) -- because of this. They did the correct steps, you know, they did very good at that. Well, let's go to the talk. Um, the hotel is the St. Regis -- in China is the city, hotel is there in the 20 top stories of a skyscraper, beautiful place. This is kind of like Die Hard three take over Die Hard one. You know -- but the feature of the hotel that really caught my attention was an iPad. This iPad is able to control -- appears in every room and is able to control every feature of the room. So, the iPad comes in every room. With the iPad you can raise the blinds, switch on the lights and put the music on, switch on the channel for the TV, all that stuff, right. So, I was there in the room and I was like, okay, so can I control the room with my laptop, run it along with my iPad? So, the first thing I did was, I said, whoa, what is communicating between the iPad and the things in the room? So, the iPad is open to the (indiscernible) -- so I arose the iPad and where was the iPad connected to? The iPad was connected to the guest network at the hotel. If you go to the hotel and you know the guest network is open. You can -- you have to be for the Internet but you can be neighborly with all the people connected to. So, the guest network is open to (indiscernible) --.
So, the automation protocol these guys used from the iPad to every feature in the room needs to be secure. Well, it was not! Hence the talk here. All right. I checked what was connecting, what was sending the iPad to every device, and I found out it was telegrams from a single port. So I went ahead and checked in the Internet what was this port about. I decided that it was KNX. Who in this room knows what KNX is? No one. All right. So KNX is a super extended protocol for home automation in Europe and China and Asian Europe really really oh centered there. Because it's a standard. In China, KNX is the only home automation standard. If you want to make a deal in the airport you have to deploy KNX. This is kind of serious. In the 1990s and it is very simple to deploy; you can see this is an activator, so basically you plug all the devices to the activator, and there is another wire, a wire protocol, another wire you can send messages to and switch on the lights, raise the blinds and everything. Right? So it's an open standard, and with open it means closed, and that's another interesting fact here, right? (Laughter) First time I saw this I was like, okay, I will go to the Internet and download the standards and see what happens. But you have to pay a thousand euros for the lowest standard and that's an open standard. So but the KNX people decided to give the standard to universities, so universities created open source clients and that's how I was able to understand the standard, by taking all these clients, looking at the code, and then I could make out what was going on there. And another fun fact is that there is absolutely no security. Okay. So, this is interesting. This is from the 1990s where there was physical security around all these wires so they didn't need to put any security. However, they decided to create an evolution of the protocol called KNXIP, which ended up being KNX messages with IP frames, but didn't put any security either.
And that is known since 2006. So, 2006 there was a document saying hey, there is no security, and these people said there needs to be security but no idea anything except six months ago the KNX people sent a new protocol evolution, new version of the protocol that has -- that does have some security on it that they say, but I cannot download it so I really know. Maybe in 5,000 years I can check it out! So how this works in the hotel. So every room has a single IP. That is the IP that I saw they were communicating through. That is a KNX IP router. This KNX IP router, what it does, it converts these IP information into KNX information. KNX, it's a wired protocol so all this goes through wires, and as you see the wire protocol KNX has a different way of forming addresses. They are like three numbers. The first number there, you see like three numbers with the slashes. The first number is the area line. The second number is the area number. Second number is the line number and the third number is the device number. As you can see there a light will have 222 and a TV will have 223. So, it's kind of easy to guess, right? The rest of the hotel, so the rest of the hotel, if I want to connect to another room, you see the difference there? Like there was another IP address, that room is 777, next room is 7778. The IP address is correct I think. So then if you look at the device numbers for each device, like 222 in the room 7778, there was like 232. Okay? So it was a little more difficult than that. You know there are different floors -- but I went to different rooms and I was able to tell but what next number for each room. So, I was like I have them up for each IP address and room, oh, nice, that's maybe for me? All right, so the protocol said now that I know that every room has an IP address, that every device in every room has an address, right? So, the only thing I need to do now is code the protocol.
The protocol goes like this, you know: I send a connect request to the IP address, it says hey, yes, and they give me like a window of that I have to use after that. I create a request and it sends back a connector response, saying, hey, that's good. You are connected to the KNX network. After this I send a permanent request and after this moment I can send anything I want to the KNX network. Meaning that I can send anything to switch on the lights and switch off the lights, open the blinds, close the blinds. This packet I sent internally is called a kenney and it's what goes into the KNX network. At the end I send a disconnect request and that's it! If I have the protocol to connect to the KNX network, I have the IP address for every room and I have the KNX address for every device, what can I do with it? I can raise every blind of the hotel at will. So what I'm sending to the wire, to the kenney thing that I was talking about. So you see, it's really simple. Like UDP and enveloping a kenney frame. So, all these numbers, they don't make any sense to you. They didn't make any sense to me in the 40 hours I was in the room, but after researching I was able to understand. This is like part of the code of one of the open source plans I told you about. This is not from the standard. This is like something I said. And I saw there's a lot of things there, but the only important things you have to see there is there's an address and an action. The address is the address of the device I want to switch on. The action is depending on the device and that's specified in the only open document that KNX has, which is how you use, what action do you use for each device. For example, a light bulb, to switch on and off is AP and AP1. To raise the thermostat, which is also controlled by a room, it is like different stuff that you have to send, but it's like you code it and that's it.
All right, so the question is: Can I switch, and that was kind of the quest here, can I switch a TV on in every room? If you have been following the talk, and I hope you have, you would understand that if I can switch one light bulb I can switch every device, because I don't need the device, the device numbers and I need the device numbers for my room, and if I can switch on the TV or blinds in my room, if I know the IP address of every room, then I can switch every TV on every room. Okay. So if I said you can switch one light bulb that means I can switch every TV. I want to show you exactly that. Oh, by the way, I was super caffeinated so sorry about that! So let me -- look at the left right there. See what's going on there? That's the first time I try to do this! (Laughter) That is happiness, of not being caught. All right. So (Laughter) I was doing that for posterity, so I wanted to record this. All right, so you see the light bulb right there, I used the smallest light bulb because it was the absolute brightest. (Indiscernible) -- raising the blind, turning on TVs, but I think this was the most, the fastest to show; see, the light goes on, the light goes off, and I am using my laptop to do this. That was like after a whole night of working on this and I had to code my own protocol and stuff, you know. Okay, let's go back. All right. So we are in like I need to send in a ton of requests, which you can use EIBD, which is (indiscernible), it's open source, you can download it right now and you can start sending KNX frames on the wire. Very fast. The problem is that the daemon you cannot parallelize, it works, it connects with a single IP address, and I said I wanted to have the power to raise every TV so I have to code my own in (indiscernible). Really simple. Very simple protocol. It's a free protocol. You need the KNX address of each device in the room.
So, what I did is I pressed the iPad, plop, plop, plop, automated connection, and it will give me every address and action of every device in the room. They have this library of all these things. After this I get the IP address of each room and KNX area and line. That required a little more complexity, so what I did is change rooms all the time. I will go, call downstairs, hey, I don't like this room, can you put me in another room? They will be, okay! (Laughter) Two hours later, hey, I don't like this room. Too much light coming on! Can I change rooms? They were like, okay. (Laughter) I was, like, I cannot sleep in this room. So, in the end they give me this room which is the suite. (Laughter) And it's a beautiful duplex suite, like beautiful floor-to-ceiling windows, but there is a problem with this room because of what I've done: there is no iPad. (Laughter) I will continue.
>> Are there any new speakers here? Raise your hand.
>> Yeah.
>> Hey! We got one! (Applause)
>> So, what do you think of foam hinge -- (Inaudible) -- right there? That foam hinge right there? Like right there. Foam Hinge. We ordered a full-sized foam Stonehenge for you.
>> Yeah, I know, I know you told me. You told me, that's great. I love it.
>> All right.
>> Cheers!
>> Cheers!
>> Cheers (Applause)
>> Come on! (Applause)
>> That was good. Thank you very much. Do you have another one?
>> Good luck continuing.
>> All right, that was not tequila by the way. That was some sort of pretty strong stuff. Anyways... so the problem with the suite was there was no iPad. So, I could not continue my research there. So, I had to call back and say, hey, I really don't like this room. You know. I don't like duplexes, it's not my thing. You have to go upstairs to sleep. They changed my room again but the hotel manager came and I was like, hey, what's your problem?
And then I got -- again, I was in a hotel in China, not afraid of a media scene but something, anyway, they are asking this question, hey Jose, you told us you can control every room but how do you make sure you can control every room? So we created this HeartBleed program where outside each room there was the do not disturb light. You see this like blue and red, so the light sits outside the room so I can go outside and see Room 777 and I can see it's heartbeating; 778, and I will see a heartbeating, and if I had time I would show you a video. But ugh, anyway. We can tell whenever I press that button I knew I had hacked that room. I could switch on the TV in that room, I can do anything in that room. So I did that for a couple of rooms. All right. Were there other devices connected? Maybe, but the problem is I tried sending random requests to random addresses that were not used and at some point someone knocked at my door and I got super scared and I was like, oh my God, they caught me, I'm ready to go to Chinese jail. Take me with you! I do my best. But it was the laundry lady, she was like laundry, laundry. Then she went to the other room -- I guess I did something there. But this has not been confirmed by the hotel. So, I am not really sure. I think I probably did something. So, what does it mean? By the way, not the rainbow guys for the stoner people here next to me. Anyway, for hotels, maybe it is to update their security policies. They don't include things like home automation or smart TVs and things like this that we can take over because hotels in time on these devices. Is this a problem in hotels? The answer is yes. Are these particular hotels, they do not tell which ones until -- (Inaudible) -- For the Internet of Things we are -- anybody that deploys their own protocols, nobody knows if they are deploying and we give extra care when they deploy automation in certain spaces because they still think you have a cocoon around them or something.
What's the worst that can happen? When they first asked me this question, I was like I only had one iPad and now it controls every room of the hotel and the guy in the room does not know. I switch on the TV and every TV in the hotel switches on, or I could go with magnetic helmet and say oh, he once died that and like put my arms up and every blind will switch on, like all the TVs will start to flicker; that seems to be the worst thing that could happen. I could go create chaos -- but they don't think that's the worst thing that could happen now. I think what the worst thing that could happen and the question they are asking me for is because of this. I ask you: If I can control your room, will you stay in that room tonight? I don't know what your answer will have been. Probably the answer is like yeah, what's the worst that can happen, you turn on my TV. What they will say is it was Obama, can I control your TV? If I go with an important news to you, do you want me to control your TV? You just said to me it's okay for you to stay at your hotel even if you're not going to switch on your TV. Well just so you know saying to a President saying I will only switch your TV on if it's important news I need to tell you. You're going to say yes because it's the same thing. You are just like give me power over your TV implicitly, you are going to say no to someone that has a reason to do this? Not like me switching on for sports. People don't care and that's the worst thing that can happen. I talked to so many reporters, so many people about it and they always ask me the same damn question. I don't care. You switch on my light bulb, I don't care you switch on my TV, that's okay. You are not making any harm to me, you are not stealing any information from me. So go ahead. This is not a big security problem. Well, I disagree. I disagree. It's not a big security problem because I cannot do harm to you, but at the end it is your peace of mind which I'm playing with, so be careful.
Thank you very much and have fun. (Applause)