“Apply” Slide
#RSAC
Exfiltration Methods
Protocol Limitations
Smart Watch Exfiltration
Tested 4 Smartwatches
Apple Watch, Samsung Gear 2 Neo, Moto 360, U8
• U8 Nucleus Smart Watch found to be sending data through the app on the mobile device to a random IP in China, over an encrypted channel
• Samsung Gear 2 Neo found with no password and allowed remote privilege escalation (disclosed to Samsung and now patched)
• HackCon Norway, BSidesSF, DEF CON Demo Lab demonstrated SWATtack - Python tool for exploiting smartwatches
IoT Hubs and Exfiltration
• Many IoT devices and IoT Hubs now have USB ports for data backup
• New USB backup flash drives support Wireless (WiFi, BT, etc.)
Z-Wave Hub with Ethernet and USB Ports
Windows Virtual WiFi (7, 8, & 10)
Wireless Rogues on Network - Virtual WiFi
[Diagram labels: Passerby; Contractor or Friend; Hacker in Parking Lot; Users; INTERNET]
[Diagram labels, second slide: Passerby; Contractor or Friend; Hacker in Parking Lot; Windows 10 Virtual WiFi; Rogue AP on Wireless; Sanctioned Access Point; Users; INTERNET; OPEN - EXFIL!!!]
Nearby IoT Threats - Drones
IoT Protocol Exfiltration
Exploiting Lack of Integrity in IoT Protocols
Exploitation of SSDP - ULA OPT Field
UDP - Exploitation of SSDP
Our Target
Covert UDP - SSDP
IoT Device Critical Considerations
Exfiltration Demo
Exfiltration Case Study and Demo
• Exfiltration Example
• Typical Broadcast Message
broadCastMsg = \
'M-SEARCH * HTTP/1.1\r\n' \
'HOST:192.168.86.115:1900\r\n' \
'ST:upnp:rootdevice\r\n' \
'MX:2\r\n' \
'MAN:"ssdp:discover"\r\n' \
'\r\n'
• Broadcast Message Data Appending Example - Simple
broadCastMsg = \
'M-SEARCH * HTTP/1.1\r\n' \
'HOST:192.168.86.115:1900\r\n' \
'ST:upnp:rootdevice\r\n' \
'MX:2\r\n' \
'MAN:"ssdp:discover"\r\n' \
'Hello World\r\n'  # Plain-text insertion
• Broadcast Message Data Appending Example - Obfuscated
broadCastMsg = \
'M-SEARCH * HTTP/1.1\r\n' \
'HOST:192.168.86.115:1900\r\n' \
'ST:upnp:rootdevice\r\n' \
'MX:2\r\n' \
'MAN:"ssdp:discover"\r\n' \
'894629\r\n'  # Index to pre-exchanged lookup table
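Seen from the detection side, as an added example that is not from the original slides: a structural check that parses an SSDP M-SEARCH datagram and reports anything outside the expected discovery headers, run on the three messages shown above. The names `inspect_msearch` and `EXPECTED_HEADERS`, the allowlist contents, and the `BODY_APPEND` sample are assumptions made for this example.

```python
# Added example (not from the slides): flag SSDP M-SEARCH datagrams that
# carry more than the expected discovery headers.
# Assumption: this allowlist is illustrative; extend it for headers your
# legitimate control points really send.
EXPECTED_HEADERS = {"HOST", "MAN", "MX", "ST", "USER-AGENT"}

def inspect_msearch(datagram: bytes) -> list[str]:
    """Return findings for one UDP payload; an empty list means it looks normal."""
    findings = []
    text = datagram.decode("ascii", errors="replace")
    head, sep, body = text.partition("\r\n\r\n")
    if not sep:
        findings.append("missing terminating blank line")
    elif body:
        findings.append(f"{len(body)} bytes after the header block")
    lines = head.split("\r\n")
    if lines[0] != "M-SEARCH * HTTP/1.1":
        findings.append(f"unexpected request line: {lines[0]!r}")
    for line in lines[1:]:
        if not line:
            continue
        name, colon, _value = line.partition(":")
        if not colon:
            findings.append(f"non-header line: {line!r}")
        elif name.strip().upper() not in EXPECTED_HEADERS:
            findings.append(f"unexpected header: {name.strip()!r}")
    return findings

# The three messages shown on the slides, as bytes on the wire.
BASE = (b'M-SEARCH * HTTP/1.1\r\n'
        b'HOST:192.168.86.115:1900\r\n'
        b'ST:upnp:rootdevice\r\n'
        b'MX:2\r\n'
        b'MAN:"ssdp:discover"\r\n')
TYPICAL = BASE + b'\r\n'
PLAIN_APPEND = BASE + b'Hello World\r\n'
INDEX_APPEND = BASE + b'894629\r\n'
# Constructed variant: data placed after a well-formed header block.
BODY_APPEND = TYPICAL + b'894629'

if __name__ == "__main__":
    for label, msg in [("typical", TYPICAL), ("plain", PLAIN_APPEND),
                       ("index", INDEX_APPEND), ("body", BODY_APPEND)]:
        print(label, inspect_msearch(msg) or "ok")
```

The check covers message structure only; baselining header values and per-host M-SEARCH rates is a separate control.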
Python Script to Exfiltrate Data using SSDP
Prescription for better non-Exfil Hygiene
Thank You!