Weaponization of IoT

Post on 22-Jan-2018

Jose L. Quiñones, BSEETMCP, MCSA, RHSA, HIT, C|EH, C|EI C)PEH, C)M2I, GCIH, GPEN

… nope, this is not it.

Mirai Botnet

Mirai (Japanese for "the future", 未来) is malware that turns computer systems running Linux into remotely controlled "bots" that can be used as part of a botnet in large-scale network attacks. It primarily targets online consumer devices such as remote cameras and home routers.

TP-Link TL-MR3020

• Mobile broadband (3G/3.75G) router.

• 2.4 GHz frequency.

• 3G/WISP/AP connection modes.

• Fast Ethernet port for WAN/LAN connections.

• USB 2.0.

• Mini-USB.

• 64/128-bit WEP.

• WPA2.

Custom Firmware - OpenWRT

• OPKG package manager.

• Opkg attempts to resolve dependencies with packages in the repositories.

Development boards

Kali Linux ARM images

“New” Kid on the block … ESP8266

• 32-bit RISC CPU.

• 64 KiB of instruction RAM, 96 KiB of data RAM.

• External QSPI flash: 512 KiB to 4 MiB (up to 16 MiB is supported).

• IEEE 802.11 b/g/n Wi-Fi.

• Integrated TR switch, balun, LNA, power amplifier and matching network.

• WEP or WPA/WPA2 authentication, or open networks.

• 16 GPIO pins.

• I²S interfaces with DMA (sharing pins with GPIO).

• UART on dedicated pins, plus a transmit-only UART can be enabled on GPIO2.

• 10-bit ADC.

ESP8266 Wi-Fi Jammer

Poisontap

• emulates an Ethernet device over USB (or Thunderbolt)

• hijacks all Internet traffic from the machine (despite being a low priority/unknown network interface)

• siphons and stores HTTP cookies and sessions from the web browser for the Alexa top 1,000,000 websites

• exposes the internal router to the attacker, making it accessible remotely via outbound WebSocket and DNS rebinding (thanks Matt Austin for rebinding idea!)

• installs a persistent web-based backdoor in HTTP cache for hundreds of thousands of domains and common JavaScript CDN URLs, all with access to the user's cookies via cache poisoning

• allows attacker to remotely force the user to make HTTP requests and proxy back responses (GET & POSTs) with the user's cookies on any backdoored domain

• does not require the machine to be unlocked

• backdoors and remote access persist even after device is removed and attacker sashays away

Hack all the things!

• USB Killer

• LAN Turtle

• Bash Bunny

Wireless Tools

• Ubertooth RF

• HackRF One

• FreakUSB (Zigbee)

• WiFi Pineapple

Thanks!

• josequinones@codefidelio.org

• @josequinones

• http://codefidelio.org

• jquinones@obsidisconsortia.org

• @obsidis_NGO

• http://obsidisconsortia.org