IoT insecurities

cyclotron

https://blog.48bits.com/te-veo-el-ciclotron-jiji/

not "a thing"

"a thing"

problems

Firmware updates?

Born to be disconnected

Dev not easy: performance, assembly, ...

botnets: MIRAI

• Largest DDoS attack ever
• 2016
• Internet going down: Twitter, the Guardian, Netflix, Reddit, CNN, etc.
• Infected computers continually search for digital cameras and DVR players using default passwords to login and infect them.

scada: stuxnet, duqu, etc.

heart monitor: Owlet WiFi Baby

• Multiple vulns

webcams: TRENDnet Hack

• Live streaming by default
• https://pastebin.com/DtCL8Nvm

cars: Jeep Hack

• 2015
• Charlie Miller (Twitter) and Chris Poulin (IBM X-Force)

printers

• 2017
• 150.000 devices

adult toys

strava

strava: militar

https://twitter.com/Nrg8000/status/957319332874174464

targeting

shodan: explore

shodan: 2000

shodan: images

shodan: ship tracker

shodan: webcam

• https://www.shodan.io/search?query=Server%3A+SQ-WEBCAM

• http://nicerosniunos.blogspot.com/2010/07/jugando-con-shodan_20.html

• https://twitter.com/toolswatch/status/8889200187285504

shodan: routers

shodan + brute / exploits

shodan + brute / exploits

metasploit

autosploit

AutoSploit attempts to automate the exploitation of remote hosts. Targets can be collected automatically through Shodan, Censys or Zoomeye

custom tools

demo

• https://www.shodan.io/search?query=TANK+port%3A%2210001%22
• https://www.shodan.io/search?query=gasoleo

honeypot

• https://github.com/sjhilt/GasPot
• http://conpot.org
• https://github.com/paralax/awesome-honeypots
• https://honeyscore.shodan.io

CTFs

Thanks