5/12/2018
Black Hat Lebanon – Lebanese Black Hatters
January 21, 2017
Your Security Is Working Against You
http://www.blackhatlebanon.com/
1/6
Internet Of Things and Us!
The Lebanese like to boast about being the first. First to buy the new Iph0ne, the new
Mercede$, and most relevant to our article, first to connect their home devices online: ”
Eih ana l barrad 3ande bel beit bet7akam
mnel iphone 3ala el 4g+ :* ” (roughly: ”Yeah, the fridge at my house is controlled from the iPhone over 4G+ :*”)
The Internet of Things involves the increasing prevalence of objects and entities, known
in this context as things, provided with unique identifiers and the ability to automatically
transfer data over a network. Much of the increase in IoT communication comes from
computing devices and embedded sensor systems used in industrial machine-to-machine
(M2M) communication, smart energy grids, home and building automation, vehicle-to-vehicle
communication and wearable computing devices.
While the aforementioned could be an indicator of growing technological awareness in
the region, it has quite severe implications. Any baboon can buy and set up an IoT device,
but can you secure it?
Businesses made IoT feel like a need to the consumer, while it is just a luxury. The
consumer caved and the need is growing exponentially. Why should a provider waste
precious time and resources to secure your devices if you are simply unaware of the
security risks they pose to you? And this is exactly what is happening.
Your IoT devices may very well be working against you.
You are out there! (And so are They)
Go, You! Get your devices out there! Do you feel connected? Are you in control? Splendid!
Problem is, your device is not visible exclusively to you. Anyone can see it. Most would not
know what it is, but any person moderately informed about technology and the IoT will
know exactly that this is a refrigerator/security camera/home automation system/….
Much like paintings which most people do not get (though some pretend to because it’s
classy), your device is a visible painting. Most of us will not bat an eye at it, if we ever
notice it that is. Any beret-wearer however can and will easily notice it, and this person
could cause you a lot of trouble.
So you’ve got your home automation system online, you can access it through your mobile
phone/computer, and so can anybody else that has internet access. Worry not, child, there
are many more layers of protection covering you! Usernames and passwords for your
device, authentication with synchronized key generation,…
For the sake of shortness (and mostly because the electricity might go off any minute
now), I will dedicate this article to the first mentioned security ‘mechanism’, which is the
most important, fragile, and the one that is most probably screwing you over. The
almighty Username… and ********!
admin – password1
Username/Password authentication is, in most cases, sufficient for most domestic
needs, if used correctly.
Everyone knows that password complexity matters, but few really use this information for
mundane things. A modern computer can bruteforce passwords at 150,000,000 guesses
per second.
Here’s a small table detailing how long it will take your computer to bruteforce various
passwords.
| Length | Charset | Example | Max Time |
|---|---|---|---|
| 10 | numeric | - | 1m40s |
| 12 | numeric | - | 2h3m27s |
| 6 | alphanumeric | aBC123 | 6m24s |
| 8 | alphanumeric | aBC123Dd | 17d2h57m43s |
| 10 | alphanumeric | ABC1d2EfHG | 180 years |
| 10 | alphanumeric + symbols | ABC1d2EfH@ | 1 thousand years |
Notice how an increase in length and complexity greatly reduces the risk of your password
being bruteforced.
Simply adding a special symbol (!@#$%^&*()-_+=) changed the estimate from a whopping
180 years, to exactly 1376 years 97 days 1 hour 29 minutes and 26 seconds!
Totally worth the wait to see her nudes amirite?
While the above applies to blind bruteforce attacks, another mode is the dictionary attack,
where common passwords are stored in files (files containing millions of passwords with
their variations). For instance, P@ssw0rd1 seems complex, and would normally take ~18
years to crack with regular bruteforce, but being a common password, dictionary attacks
will most likely have it and it will be cracked in a matter of minutes.
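As an added example (not code from the original post), here is a small Python calculator that reproduces the kind of worst-case estimate behind the table above, using the article's 150,000,000 guesses/s rate and its symbol set, plus a defensive check that catches the P@ssw0rd1 style of dictionary-word variant before it is set on a device. The COMMON_WORDS list is a constructed stand-in for a real multi-million-entry wordlist.

```python
import string

GUESSES_PER_SECOND = 150_000_000  # attacker rate assumed by the article

# Character classes matching the article's table; the symbol set is the one it lists.
CHARSETS = {
    "numeric": string.digits,
    "alphanumeric": string.ascii_letters + string.digits,
    "alphanumeric+symbols": string.ascii_letters + string.digits + "!@#$%^&*()-_+=",
}

# Constructed mini wordlist standing in for the multi-million-entry files the
# article mentions; a real check would load a published breach list instead.
COMMON_WORDS = {"password", "admin", "qwerty", "letmein", "welcome"}

LEET = str.maketrans("@01$3!", "aoisei")  # common substitutions to undo


def keyspace(length: int, charset: str) -> int:
    """Distinct passwords of exactly `length` chars drawn from `charset`."""
    return len(CHARSETS[charset]) ** length


def max_crack_seconds(length: int, charset: str, rate: int = GUESSES_PER_SECOND) -> float:
    """Worst case for a blind bruteforce: every candidate is tried once."""
    return keyspace(length, charset) / rate


def classify(password: str) -> str:
    """Smallest modelled charset that covers every character of the password."""
    for name in ("numeric", "alphanumeric", "alphanumeric+symbols"):
        if all(c in CHARSETS[name] for c in password):
            return name
    raise ValueError("character outside the modelled charsets")


def normalize(password: str) -> str:
    """Undo the cheap 'complexity' tricks a dictionary attack also undoes:
    letter case, trailing digits, and leetspeak substitutions."""
    return password.lower().rstrip(string.digits).translate(LEET)


def is_weak(password: str, wordlist=COMMON_WORDS) -> bool:
    """True if the password is a trivial variant of a dictionary word."""
    return normalize(password) in wordlist


if __name__ == "__main__":
    for pw in ("ABC1d2EfHG", "ABC1d2EfH@", "P@ssw0rd1"):
        years = max_crack_seconds(len(pw), classify(pw)) / (365 * 86400)
        print(f"{pw:<12} bruteforce ~{years:,.0f} years; dictionary hit: {is_weak(pw)}")
```

Run it and P@ssw0rd1 scores roughly 18 years of bruteforce, matching the article, yet fails the dictionary check immediately.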
(Lazy By) Default Password
Human nature: set up the device and start using it ASAP!
A quick test over 100 of 216 currently visible AVTECH devices in Beirut (security cameras
for homes/offices/shops/..) has shown that 42% of these security cameras are secured
with their default factory passwords (username: admin password: admin). 90 security
devices are broadcasting themselves to the public in Beirut, with virtually no security!
Compare that to a small sample of 50 of the same devices in France, where only 8 devices
(16%) are still using defaults, and you’d see a problem.
Be it the consumer’s fault or the providers’, this is an issue that should not be taken lightly.
The impact of the availability of such devices for a malicious individual who knows how to
exploit them, is catastrophic. Robberies, device malfunctions, extortion, spying, huge data
leaks (SCADA?).
Statistics

| Product | Sample Size | % Default Passwords |
|---|---|---|
| Iomega NAS (SSD) | 30 | 26% |
| AVTECH cameras | 100 | 42% |
| wifi cam | 20 | 90% |
| Infected with Heartbleed | 72 | N/A |
Take the extra .. uh.. millimeter, change your default P@ssw0rd!