The billion dollar IoT attack no one knows about

Presented at 44CON 2019, Sept. 13, 2019, 11 a.m. (59 minutes)

What would you do if you knew you could exploit 20 million plus IoT devices? Denial of service? Old hat. Power grid manipulation? Boring! What about making a billion dollars? Many IoT tracking devices now use cellular data networks to communicate with servers, allowing owners to track and interact in near real time with their devices. Which is great, but is that opening another avenue for attack? Sometimes it feels we are going backwards in IoT security: along with the obvious wireless attacks, the rooting of the latest must-have sex toy and the very public exposure of undocumented services on Shodan, we have seen countless compromises performed through simple logic flaws. Insecure Direct Object Reference (IDOR) is commonly used in attacks that compromise the web service in order to take over the end user's account. It is most often found in the rush to deliver new devices, usually from companies playing catch-up with their outsourced development team. These logic flaws allow the attacker to perform functions as the user, such as remotely unlocking, starting and stealing your car, or tracking your kids in real time. Great, so money made, move on, right? Well, there are many problems with stealing a car or kidnapping a child for ransom: not least, you might easily get arrested, moving stolen goods (especially high-value stolen goods) is harder than you think, and, let's be honest, a kidnapping and ransom is not a good look for anyone. But are we missing a trick? In this talk we will look at connected tracking devices and show examples of how simple logic flaws are being repeated time and time again across multiple devices. We will show how manufacturers and developers are white-labelling vulnerable APIs and selling them on to multiple tracking device companies, magnifying the issue millions of times for unsuspecting victims around the world.
However, while IDOR is well known, what is not is a new technique for abusing these logic flaws for financial gain. So far unused by malicious hackers, it can easily be used to turn 20 million tracking devices into nearly a billion dollars, all without the manufacturers, and possibly the owners, knowing anything about it. We will show how trivial it is to exploit, how the attack can be instigated worldwide in seconds to immediately start making money, and how it can be repeated time and time again with little or no repercussions.
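As an added illustration of the logic flaw the abstract describes (constructed example code, not from the talk, the presenters or any tracker product): a minimal "get last position" handler for a tracking device, with the IDOR beside the ownership-checked version and a simple detection over denied attempts. The `OWNERS` table, `Session` class, device ids and coordinates are all invented.

```python
from dataclasses import dataclass

# Constructed sample data: which account owns which tracker, and each
# tracker's last reported fix (latitude, longitude).
OWNERS = {"trk-1001": "alice", "trk-1002": "bob"}
LAST_FIX = {"trk-1001": (51.5074, -0.1278), "trk-1002": (40.7128, -74.0060)}
DENIED_LOG = []  # constructed audit trail of refused cross-account reads


@dataclass
class Session:
    user: str  # account name established by authentication, not by the request


def location_vulnerable(session: Session, device_id: str):
    """Insecure Direct Object Reference: the handler trusts the device id
    supplied by the client and never asks whether this account owns it, so
    any authenticated user can read any tracker's position."""
    return LAST_FIX.get(device_id)


def location_fixed(session: Session, device_id: str):
    """Ownership is enforced server-side against the authenticated session.
    A foreign or unknown id gets the same 'nothing found' answer, so the
    response does not reveal which ids exist, and the refusal is logged."""
    if OWNERS.get(device_id) != session.user:
        DENIED_LOG.append({"event": "idor_denied", "user": session.user,
                           "device_id": device_id})
        return None
    return LAST_FIX.get(device_id)


def idor_alerts(log, threshold: int = 3):
    """Detection helper: accounts with at least `threshold` refused
    cross-account reads, the signature of someone walking through ids."""
    counts = {}
    for entry in log:
        if entry["event"] == "idor_denied":
            counts[entry["user"]] = counts.get(entry["user"], 0) + 1
    return sorted(user for user, n in counts.items() if n >= threshold)
```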

Presenters:

  • Vangelis Stykas - Pen Test Partners
    Vangelis Stykas is a backend engineer turned pentester. Playing around with bits and bytes for the past 30 years, he has hacked ships, cars and locks. He has a weak spot for breaking APIs and web stuff but hates building them.
  • Tony Gee - Pen Test Partners
    Tony has over 14 years of security experience. He has worked as an internal blue team consultant within the finance industry, for the technology partner behind the world-leading Oyster card system, and more recently as an external security tester and auditor. Tony speaks the world over at technology events, highlighting key risks in the internet of things, automotive and maritime, med tech and key payment systems.