First thing, I need to record my selfie. Thank you, guys. Whatever the outcome is, I have evidence it was a success. Semi-success. Excellent. Oh god. You guys are working on that? Okay. Who has seen Le Dîner de Cons? Welcome to my dinner. Uh, for the, yeah, sorry, closed captioning. Sorry, folks. A wonderful French movie, uh, called The Dinner Game. Very dark French humor. Um, who has solar panels? Who cares about their privacy? Yeah. Eden, um, raise your hand. Get out. There's an EFF talk, I think, next door. You can ask about privacy. Still nothing. Is it working on that side? Yeah. Who's seen WarGames? Excellent movie. It hasn't aged a minute. I did. Um, but even if, uh, Lightman was cool, I was much more serious about my craft. Serious enough not to have the distraction of a girlfriend. By choice, of course. Um, this quote is excellent. It is actually what I believe I am: trying to take things, opening them up and figuring out ways to make them better. Isn't that why you're all here? Well, it's not happy hour yet. Hey, by the way, I need my speaker shot. I could use two, actually. Thank you.

So we're going to talk solar. Um, this is a system by Tigo. I brought the little part that is the only piece that we're going to look at today, which is the connection between the solar array and the internet. It's really cool because not only does it upload config, uh, production data to the internet, it also downloads configuration of the panels. Things like maximum, uh, power voltage, maximum temperature of the panels and things like that. Of course, over the internet. Um, what it does is give the installer the ability to monitor remotely the production of my system. Why? Because they have an SLA and they actually guarantee production of my array, and they'll pay me back if it doesn't produce what it's expected to. Yes, indeed. Um, I could. I would not. Just think about it. About 9,000 kilowatt hours a year of production. This says 15 cents. Yes, I could score.
Again, around two thousand bucks, but I would get busted for it, because this is not the only thing that reports my production. So that angle, you can have fun, uh, not with me. This is what started it all. You know how you take your Nest, or any IoT device, when you initially power it, it starts advertising an access point, uh, you connect to it, configure it, tell it, this is my home network, and then it shuts down and becomes just a Wi-Fi client. Not this one. It connects both to my network as well as the open access point. Um, that really, really bugged me. So I needed to figure out how to fix that problem, and started inventorying all of the attack surfaces I had, uh, at my disposal. We talked about the access point, a little httpd server that we'll talk about later. SSH, cool. Yeah, except there's a built-in, uh, defense in depth, maybe. It crashes after 1500 tries. Have to re-power the, uh, power cycle the device. So quickly it was no longer funny. Um, I never got it to work, unfortunately, but it had a nice little UI. Do you want the, uh, the console to be tunneled through TCP, or the display, this little guy, or the gateway that it controls, through, um, through, uh, serial port?

From a physical perspective, of course I opened that box. Remember what I told you? I take a screwdriver to anything. Um, I put my cursor here. Nicely labeled at the bottom left of the screen. You see a little, uh, silkscreen of "console". Guess what? You plug in your, um, serial-to-USB connector and it works. So I had a nice console interface, which unfortunately required authentication. So, back to square one. U-Boot. Excellent. Maybe I could boot it in recovery mode and try to fix the password. No. Unfortunately, they put a password on the, uh, on the bootloader. And now I have a confession.
I live in California. This was October, the middle of winter. This device is outdoors. It was too hard for me to take. So I had to look at an easier path, and more comfortable. Um, so behind this, this is a very, very, very access point. There is a website, as I mentioned. That website has properties. If you use Shodan, you'll find out that actually 12 or so, uh, very courageous people, maybe ignorant, decided to have that device also internet-accessible. Guys, this is where you're supposed to laugh. Thank you. Um, thanks to Shodan, I was able to verify that my findings... actually, no, my lawyer is not present. So do what you want with the Shodan findings. Um, remember the open access point? It has an SSID. So I went to those wonderful folks at wigle.net and, uh, looked at their database. Guess what? I'm not the only one who detected those. Uh, they're all over the world. And they're captured for posterity. You now have GPS coordinates of all of those devices, or some of those devices. Um, who wardrives? Thank you. Keep doing it. Upload to WiGLE. Uh, because it's a treasure trove of data about people that, I can't say effortlessly, but I can't say effortlessly. If you keep that up, you can mess it up. Nope, mess up.

Let's go back to the web server. That's it. My talk is over. Thank you. Um, there's an authentication screen. We can't do much about it. Can we? Of course not. It's funny how I've seen other slide decks today that also use a password file called rockyou.txt. Who's used it in the past? Oh, come on. Um, the data gets, guys. If you didn't raise your hand, that's the best password file on earth. Uh, so I ran my brute force. 36 hours later, yeah, I know, I know, I'm lazy, but it was 36 computer hours, not mine. Uh, turns out admin, support works very well. Okay, where do we go from there? Looking around the little website on the server, there's a nice little page that caught my attention. No such file or directory.
Ooh, guess what happens when you put a file there? Uh, for those of you who don't have their, uh, URL decode option on Google Glasses, this is what it looks like. Copy the shadow file into that location. What would happen? Yeah, I might brick my $20,000 solar array by putting something there. Um, but I didn't. By the way, this MD5, I tried to brute force it. I failed. If you ever get to it, I believe it is still on those devices. Uh, please send me an email. I would appreciate it. So that, that route didn't work out. Um, I needed something easier. Remember, I can essentially run a script through that injection. Um, so PSR. Oh, guess what, the HTTP server is running under root. Bingo. Also, the manufacturer, nice enough, has netcat already on the device. Ooh. By the way, I won't admit that in public, but it still took me 4 to 6 hours to get my reverse shell. And, that gives me 40, 40 hours to get my reverse shell. I was pretty proud of that one, though, by the way. Uh, I'm a bit bored, I think. I had a good lunch, all working. But I didn't say that. Um, I did eventually get it working. I had root on that device.

What do you do with root? I know what I didn't do. I didn't get a copy of the file system. So once I was locked out, I no longer had anything to work on. But after a little bit of, uh, kung fu with the drive, uh, mount, I was able to get a copy of the device. Come on. I know, I know. It feels good to pretend I'm that good. Um, what I did was not rocket science. I just had the time to do it. Clearly that manufacturer picked the wrong customer to sell a device to. I'm sure they're still regretting that move. Um, it probably cost them a lot more in, uh, cleanup than it did in, uh, profits. So anyhow, looking around the file system, something caught my attention. Actually, not the file system, the running processes. OpenVPN. You guys know what OpenVPN is for? A VPN tunnel. Guess what? That VPN tunnel was on at all times on the device.
I didn't do it, and I still haven't done it. Swear, this is not a joke, I did not scan that VPN subnet. The manufacturer confirmed that all of its little siblings are on that subnet. Of course, nowhere was it mentioned in any of the documentation, that nobody ever reads, that there was a VPN. Remember, that device is still on my home network. I was trusting it, even though I didn't have access to it. So I didn't do it. So I need to do something about it. Even though it didn't appear trustable, I was still doing that. Um, so, let's move on to me trying to get something done about the device. So I try, politely, in October, to get their attention. Hey guys, there might be a problem. You know, I'd like to talk to someone who actually understands security. Yeah, by the way, in the back, if the font size is too small, next time remember, DEF CON 2 is piece for piece. And yes you can, like I said, use the, it's all about LineCon. Get early to the talk.

So a few emails later, um, while still trying to reach people that might understand me through LinkedIn, my clueless installer and his contacts, I got nowhere. Actually, it got even worse. We're now in mid-December. Our email address, my everything. They already knew everything about me, but they couldn't find me in the database. Um, this was the icing on the cake. For those in the back, I will read what is highlighted. Or I'll paraphrase. "We can help you get access to the system." Do I need access to the system at that point? No. I can help myself. Um, and I need to read that one. Quote: "Info of system installed on your roof is always kept as confidential since it was installed." Apparently before it is installed, not guaranteed. And, you know, English is my second language. I don't understand that sentence. So, time to change strategy. Clearly I'm getting nowhere. I've been at it for 2 months already. Uh, I'm talking to the wrong kind of support. So I send this email.
What I'm saying there is, hey guys, here's a picture. You remember the root picture? Here's a picture. The last line doesn't belong there. Forward this to whoever is in charge. I don't want to talk to you no more. Remember the VPN tunnel? Within an hour, they were logging in on that device and they were starting cleaning up. Not security cleaning up. Damage control cleaning up. Disabling my account, shutting down the web server, uh, and things like that. In the process, yeah, disabling my entire array. Went offline for 4, 6 hours. Um, I was not done helping, guys. Please. I was trying to be nice. Um, thankfully, I didn't tell them about one thing I had found while browsing the file system. In that cgi-bin folder, there's also a file called shell. So I got back in. And, uh, told them the next day about it. And repeat. So, that's the best part.

The thing is, once I got to talk to someone in charge of their product development, great guy, um, his first response was, there's a problem. This is not a production device. What? I bought a Tesla at the Tesla price and the autopilot crashes on me because it's a debug version I have. No. Sorry, Tesla guys. I'm just jealous. Everybody in my neighborhood has one except for me. So, if you guys are thankful for the talk, don't hesitate. Thank you. Um. So, 6 months later, I'm pretty sure they were actually not lying. It was a very convenient excuse, but they happened to ship me a development build. And a few thousand others, uh, throughout the world. God.

What they did well. Once I had a line of communication with Tigo, they were actually very welcoming of my findings. And relatively forthcoming with sharing the insider information. Like, for example, telling me, oh, all of those devices are on the same subnet through the VPN tunnel. Um, it would have been preferable for them not to tell me that. Um. One thing I discovered. Log shipping. Especially for the one, oh.
This is a very important question, guys. Who in the audience is a black hat versus a white hat? Come on, raise your hands. Oh my God, there's not a single hand up. Yeah, okay. Um. So, next time you go on a system you're not authorized to, think about disconnecting it from the network before. Because this guy is not going to be able to get a signal. So, this guy ships its logs every half an hour. And boy, was I noisy. Of course there was nobody looking. Thank God. But, uh, it's important to realize that even small IoT devices have that capability. And, uh, you might trigger a few alerts if you're not too careful.

So we got root. I made fun of the vendor. Why am I talking about this? I'm not talking about the software. I'm talking about this. And this is actually the most important slide of the entire presentation. Yeah. I could remotely, see this little red button? The software behind it. I could remotely shut down any of those thousands of solar arrays. I could be a pain to people off the grid. Maybe. I don't have, there's not enough electricity production for it to be meaningful yet. It will be in a few years, but not today. What's more important is, this is a bot. I could have a thousand of those, remotely controlled, on your home network, spying on your home activity. You know. Oh shoot, my kid is here, so I can't say prawn, but things like that. Um, the biggest part, the part that bugs me the most, is even though I've been a security practitioner for a long time, only after this device being on my network did I realize I really needed two networks. My home personal network, and a completely independent IoT network, on which I have, of course, this guy now. He was the first candidate. But the next. Um, a few development boards. Who's played with the Particle Photons? Yay. Those are excellent devices. Uh, but just like this guy, don't trust them. Um, my security cameras. You know, those cameras that I bought on Alibaba with that Chinese firmware.
It is apparently very chatty. Uh, I won't go further. So yeah. Is this a bot, or is this a security device? Is it a Transformer? Is it a, huh? Um, a. Um, it's a bot. Um, yeah, it's a bot. Uh, I don't understand. Uh, are there any options? Uh, can I, uh, can I use this? Um, I'm in a very, very good mood. Um, but I don't know where this is. What's the answer? I don't know. Um, uh, and I'm very, very sad, because I'm having to comes out of DEF CON as much as possible, because it is time that we have a UL rating of devices, uh, that also takes into account your privacy. Cause we all have that expectation. You don't buy a car without seat belts. Yes. Responsible disclosure is hard. Yes. Don't give up. Please, follow responsible disclosure. And finally, thank you to all IoT devices for so much entertainment. Thank you to quite a few people. My wife, for tolerating my late nights. Uh, Rafael, where are you? Stand up. Keep doing what you're doing. You're packet storming. And Tigo, for not suing me. Thank you. Uh, you got me scared there. Guys, thank you. Yeah, you screwed up off of a crowd.
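The talk's own detection lesson is that the gateway shipped its web-server logs every half hour and nobody looked at them, even though the activity it describes (a 36-hour password-list run against the login page, requests to an injectable cgi-bin page, a stray cgi-bin/shell) is loud in exactly those logs. The script below is an added example, not code from the talk or from Tigo: it runs over a few constructed log lines in Common Log Format (the real gateway's log format, and the page names login.cgi and status.cgi, are assumptions) and reports what a collector receiving such logs could alert on: a burst of failed logins from one source, a login success right after that burst, and cgi-bin requests carrying shell metacharacters, a sensitive path, or the shell CGI itself.

```python
import re
from collections import defaultdict
from datetime import datetime
from urllib.parse import unquote, urlsplit

# Constructed sample in Common Log Format (assumed format; not real Tigo logs).
# 192.0.2.10 fails login six times in six seconds, then succeeds, then pokes
# at cgi-bin; 198.51.100.7 is a benign client.
SAMPLE_LOG = "\n".join(
    [f'192.0.2.10 - - [12/Oct/2015:10:00:0{i} -0700] '
     f'"POST /cgi-bin/login.cgi HTTP/1.1" 401 120' for i in range(6)]
    + [
        '192.0.2.10 - - [12/Oct/2015:10:00:06 -0700] "POST /cgi-bin/login.cgi HTTP/1.1" 200 512',
        '192.0.2.10 - - [12/Oct/2015:10:01:00 -0700] "GET /cgi-bin/shell HTTP/1.1" 200 80',
        '192.0.2.10 - - [12/Oct/2015:10:02:00 -0700] '
        '"GET /cgi-bin/status.cgi?file=%2Ftmp%2Fx%3Bcat%20%2Fetc%2Fshadow HTTP/1.1" 200 90',
        '198.51.100.7 - - [12/Oct/2015:10:03:00 -0700] "GET /index.html HTTP/1.1" 200 2048',
    ]
)

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \d+'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"
SHELL_META = set(";|&`$\n")


def parse(log_text):
    """Turn CLF lines into dicts; lines that do not match are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append({"ip": m["ip"], "ts": datetime.strptime(m["ts"], TS_FMT),
                           "method": m["method"], "target": m["target"],
                           "status": int(m["status"])})
    return events


def login_bursts(events, login_path="/cgi-bin/login.cgi", threshold=5, window_s=60):
    """Per source IP, the largest number of 401s on the login page inside a
    sliding window, plus whether a 200 on that page followed the last failure."""
    by_ip = defaultdict(list)
    for e in events:
        if urlsplit(e["target"]).path == login_path:
            by_ip[e["ip"]].append(e)
    findings = []
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e["ts"])
        failures = [e["ts"] for e in evs if e["status"] == 401]
        best, start = 0, 0
        for end in range(len(failures)):
            while (failures[end] - failures[start]).total_seconds() > window_s:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            success_after = any(e["status"] == 200 and e["ts"] >= failures[-1] for e in evs)
            findings.append({"ip": ip, "max_failures_in_window": best,
                             "success_after_burst": success_after})
    return findings


def suspicious_cgi(events):
    """Flag cgi-bin requests that carry shell metacharacters in the query,
    reference a sensitive path, or hit the shell CGI the talk mentions."""
    findings = []
    for e in events:
        parts = urlsplit(e["target"])
        if not parts.path.startswith("/cgi-bin/"):
            continue
        query = unquote(parts.query)
        decoded = unquote(parts.path) + ("?" + query if query else "")
        reasons = []
        if parts.path.rsplit("/", 1)[-1] == "shell":
            reasons.append("request to cgi-bin/shell")
        if any(c in query for c in SHELL_META):
            reasons.append("shell metacharacter in query")
        if "/etc/shadow" in decoded or "../" in decoded:
            reasons.append("sensitive path in request")
        if reasons:
            findings.append({"ip": e["ip"], "target": e["target"], "reasons": reasons})
    return findings


def analyze(log_text):
    events = parse(log_text)
    return {"login_bursts": login_bursts(events), "suspicious_cgi": suspicious_cgi(events)}


if __name__ == "__main__":
    import json
    print(json.dumps(analyze(SAMPLE_LOG), indent=2))
```

The thresholds are deliberately low so the constructed sample trips them; on a real collector the window and count would be tuned to the device's normal traffic, and the "success after burst" flag is the one worth paging on, since it is the difference between a failed password-list run and a compromised gateway.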