Hack your smart home first - Finding the mobile APIs

Presented at CactusCon 11 (2023), Jan. 28, 2023, 4 p.m. (60 minutes).

The majority of smart home solutions begin with downloading a mobile app to manage the smart home products. The mobile apps controlling the smart home may provide the convenience of quickly managing the security camera, garage door, house alarm, etc. However, do they hold up against modern malicious actors? We can assess the security of these mobile apps with open source tools that guide our security testing. Just as Metasploit brought convenience to security testing, we now have mobile security testing tools like MobSF, Genymotion, Burp Suite, Postman, JADX, APKLeaks, etc. In this presentation, I will outline a process that uses these tools to evaluate smart home products, and I will review the process and the details discovered during my testing of the smart home products in my own house. The presentation will focus on the mobile apps as well as the APIs they talk to. API security testing requires more custom work: some of it can be automated, but plenty of manual hunting is still needed.

Presenters:

  • Joey White - Enterprise Architect & Security Architect at BCBSKS
    Relevant work experience: 20+ years of enterprise security experience.
    Education/Work history: 15+ years at Blue Cross and Blue Shield of Kansas, including network admin, incident response, threat hunting, firewall admin, third-party risk, red team, appsec team, security architecture, enterprise architecture, etc.
    Passions: volunteering with ARIN and IETF; playing tabletop board games.
