IoT Fofoqueiro
Our IoT devices can't keep a secret!
In this talk we will review several recent cases of Internet of Things devices that, deliberately or not, revealed their users' personal data.
The Internet of Things (IoT) is increasingly present in our daily lives, in personal devices, wearable computing, home automation, smart cars and much more. As these devices proliferate, so do cases of personal data exposure. In this presentation we will review some interesting cases of IoT devices that did not take proper care with privacy.
Talk presented on 04/05/2018 at CryptoRave #CR2018
4. IoT Fofoqueiro (“gossiping IoT”): n. An IoT device that has unauthorized access to its user's personal data, enabling improper sharing and/or access by third parties.
Image: giphy
20. “When connected to Wi-Fi the doll was vulnerable to hacking, allowing him easy access to the doll’s system information, account information, stored audio files and direct access to the microphone.”
22. “The police said they were able to extract data from Echo, though it's uncertain what they were able to uncover and how useful that data would be in their investigation.”
Image: Amazon
23. “According to court records, Bates' smart water meter shows that his home ran 140 gallons of water between 1 AM and 3 AM the night Collins was found dead in Bates' hot tub. The prosecution claims that the water was used to wash away evidence after he killed Collins.”
25. “In 2014, satellite radio and telematics provider SiriusXM provided location information of a Toyota 4-Runner following a warrant by New York police (…). The warrant asked SiriusXM "to activate and monitor as a tracking device the SIRIUS XM Satellite Radio installed on the Target Vehicle" for ten days, and the company admitted to Forbes that it complied with the order.
(…) The company simply turned on the stolen vehicle recovery feature of its Connected Vehicle Services technology on the target vehicle, (…).”
The Hacker News
26. “In 2007, OnStar was ordered to provide audio data from a Chevrolet Tahoe belonging to Gareth Wilson in Ohio.
An emergency button in Wilson's car was automatically pushed without his knowledge, which allowed an officer from the Office of the Fairfield County Sheriff to listen to the conversation about a possible drug deal (…).
After that, when the feds located and searched the car, they found marijuana. (…).”
The Hacker News
35. Basic precautions
• Change default passwords
• Disable Universal Plug-and-Play (UPnP)
• Review remote management restrictions
• Check for software updates
Source: The Hacker News
37. To learn more...
Article - News about IoT threats
https://anchisesbr.blogspot.com/2018/02/seguranca-noticias-sobre-ameacas-em-iot.html
Article - IoT Spy
https://anchisesbr.blogspot.com.br/2017/03/seguranca-iot-espiao.html
"Security Guidance for Early Adopters of the IoT"
https://cloudsecurityalliance.org/download/new-security-guidance-for-early-adopters-of-the-iot/
"Future-proofing the Connected World: 13 Steps to Developing Secure IoT Products"
https://cloudsecurityalliance.org/download/future-proofing-the-connected-world/
@Internet of Shit
https://twitter.com/internetofshit
License: http://creativecommons.org/licenses/by-sa/3.0/
Context Information Security found that the LIFX mesh network protocol was largely unencrypted, allowing it to "easily dissect the protocol, crop messages to control the light bulbs and replay arbitrary packet payloads". By monitoring packets from the mesh network when adding new bulbs, it was able to identify those which contained Wi-Fi network credentials: when any new bulbs are added, messages are transmitted from the master bulb containing Wi-Fi details.
PIC: https://www.lifx.com
Your TV now watching you too! LG Smart TV caught collecting owners' Habits and USB file names
https://thehackernews.com/2013/11/your-tv-now-watching-you-too-lg-smart.html
https://doctorbeet.blogspot.com.br/2013/11/lg-smart-tvs-logging-usb-filenames-and.html
A UK blogger, developer and Linux enthusiast, known only as DoctorBeet has discovered that LG's smart TVs are sending personal information back to the company's servers about what channels you watch and viewing habits.
Actually, LG conducts the data collection for its Smart Ad function, which advertisers can use to see when it is best to target their products at the most suitable audience.
Smart Vacuum Cleaners Making Map Of Your Home — And Wants to Sell It
https://thehackernews.com/2017/07/irobot-roomba-vacuums.html
https://giphy.com/gifs/roomba-floof-floofin-hmGQKkNaUIgHS
During an interview with Reuters, the CEO of iRobot, the company which manufactured Roomba device, has revealed that the robotic vacuum cleaner also builds a map of your home while cleaning — and is now planning to sell this data to third-party companies.
Hackers Could Turn LG Smart Appliances Into Remote-Controlled Spy Robot
https://thehackernews.com/2017/10/smart-iot-device-hacking.html
Check Point researchers discovered a security vulnerability in LG SmartThinQ smart home devices that allowed them to hijack internet-connected devices like refrigerators, ovens, dishwashers, air conditioners, dryers, and washing machines manufactured by LG. Hackers could even remotely take control of LG's Hom-Bot, a camera-equipped robotic vacuum cleaner, and access the live video feed to spy on anything in the device's vicinity.
https://www.youtube.com/watch?v=BnAHfZWPaCs
Hackers can hijack Wi-Fi Hello Barbie to spy on your children
https://www.theguardian.com/technology/2015/nov/26/hackers-can-hijack-wi-fi-hello-barbie-to-spy-on-your-children
Security researcher warns hackers could steal personal information and turn the microphone of the doll into a surveillance device
It connects to the internet via Wi-Fi and has a microphone to record children and send that information off to third-parties for processing before responding with natural language responses.
But US security researcher Matt Jakubowski discovered that when connected to Wi-Fi the doll was vulnerable to hacking, allowing him easy access to the doll’s system information, account information, stored audio files and direct access to the microphone.
Police Ask for Amazon Echo Data to Help Solve a Murder Case
https://thehackernews.com/2016/12/amazon-echo-murder.html
Collins died on November 21 last year while visiting the house of Bates, his friend from work, in Bentonville, Arkansas. The next morning, Collins' dead body was discovered in a hot tub, and Bates was charged with first-degree murder.
As part of the investigation, authorities seized an Amazon Echo device belonging to Bates, among other internet-connected devices in his home, including a water meter, a Nest thermostat, and a Honeywell alarm system.
The police said they were able to extract data from Echo, though it's uncertain what they were able to uncover and how useful that data would be in their investigation.
However, due to its always-on feature, it's usual for the Echo to activate by mistake and grab snippets of audio that users may not have known was being recorded.
Picture: https://www.amazon.co.uk/Amazon-Echo-2nd-Generation-Charcoal-Fabric/dp/B06Y5ZW72J
Court Documents Reveal How Feds Spied On Connected Cars For 15 Years
https://thehackernews.com/2017/01/cartapping-connected-cars.html
WikiLeaks: The CIA is using popular TVs, smartphones and cars to spy on their owners
https://www.washingtonpost.com/news/the-switch/wp/2017/03/07/why-the-cia-is-using-your-tvs-smartphones-and-cars-for-spying/
https://www.youtube.com/watch?v=P2_ZWKwM5Bw
Published on Mar 9, 2017
Fitness tracking app Strava gives away location of secret US army bases
https://www.theguardian.com/world/2018/jan/28/fitness-tracking-app-gives-away-location-of-secret-us-army-bases
Sensitive information about the location and staffing of military bases and spy outposts around the world has been revealed by a fitness tracking company.
The details were released by Strava in a data visualisation map that shows all the activity tracked by users of its app, which allows people to record their exercise and share it with others.
The map, released in November 2017, shows every single activity ever uploaded to Strava – more than 3 trillion individual GPS data points, according to the company. The app can be used on various devices including smartphones and fitness trackers like Fitbit to see popular running routes in major cities, or spot individuals in more remote areas who have unusual exercise patterns.