DEF CON 29

Activities August 6-8

Capture the Flag

In this 3-time DEF CON Black Badge CTF, teams compete against one another by exploiting a network of off-the-shelf IoT devices. These 40+ devices all have known vulnerabilities, but successfully exploiting them requires lateral thinking, knowledge of networking, and competency in exploit development. CTFs are a great way to learn more about security and test your skills, so participants can join up in a team (or go alone) and compete for fun and prizes! Exploit as many devices as possible during the event; the top three teams will be rewarded.

The CTF is accessible to both virtual and on site attendees.


Prizes generously provided by INE and Hardwear.io


1st place: 1 year premium subscription to the INE platform and 1 EXPLIoT Kit provided by Hardwear.io

2nd place: $400 eLearnSecurity voucher

3rd place: $200 eLearnSecurity voucher

IoT Village labs

IoT Hacking 101 is a set of quick, hands-on labs developed to teach the tools and techniques for discovering and exploiting some of the common weaknesses found in IoT devices today. Whether you're a penetration tester who has never hacked IoT devices or someone who has never hacked anything(!), these self-guided labs will walk you through all the steps, from analyzing router firmware and finding hidden backdoors to enumerating devices and performing remote exploits. Students work at their own pace following our IoT Hacking 101 guides, and instructors are on hand to provide assistance as needed and answer any questions. IoT Village currently offers 3 labs and is adding new labs in 2021 to expand our content even further.

IoT Village Labs

UART TO UBOOT TO ROOT

Rapid7 will be returning to the IoT Village this year with more hands-on hardware hacking exercises. In this year's exercises, we will guide attendees through a multistep process to gain full root access to a targeted IoT device via physical access. This series of exercises covers multiple steps, including UART access, U-Boot console access, working with U-Boot environment variables, single-user mode access, identifying and mounting writable flash chip partitions, and creating an account.

This activity will be available August 6-7 on site

Speakers: Deral Heiland, Morgan Holkesvik, James King, Erick Galinkin, Tod Beardsley
Pentesting 101

Are you finding IoT hacking exciting but a little over your head? INE presents a gentle introduction with live, hands-on labs taken directly from our venerable Penetration Tester Student (PTS) Learning Path. To play on your own, PTS is 100% free as part of the INE Starter Pass and comes with slides, videos, and unlimited time in our virtual labs to prepare you for eLearnSecurity’s Junior Penetration Tester (eJPT) certification exam (not included). You’ve got nothing to lose and a life-changing career move to gain! Scan the QR code to sign up today.

This activity will be available August 6-7 on site

Speakers: Don Donzal, Lily Clark
Black Box Challenges

Think you’ve got what it takes to hack devices you can’t see? Are you able to figure out and map the network/ecosystem? Is your google-fu game strong? Push yourself to the limit in a real-world simulated CTF challenge where the only thing we give you is a single IP. The rest is up to you.

This content is exclusively onsite in Las Vegas, Nevada.

All talks are viewable on our Twitch

Friday Talk Schedule, August 6

Time (PST, UTC-8:00) | Event | Speaker
10:00AM - 10:30AM | When Penetration Testing Isn’t Penetration Testing At All | Ted Harrington
Title

When Penetration Testing Isn’t Penetration Testing At All

Abstract

When companies want to build secure IoT systems, they know they need to test their system for security flaws, which typically leads them to seek out “penetration testing.” However, this term has become so misused across the security community that it’s hard to decipher what is really happening.
So where does that leave you? What is your security testing program actually doing (and not doing)?
In this keynote, you’ll learn the often misunderstood difference between what penetration testing is (and is not). Drawing insights from the #1 bestselling book Hackable, you’ll learn why the distinction matters, and you’ll get an insight into the more advanced tactics used by ethical hackers, such as functionality abuse and exploit chaining. By design, this keynote is more strategic than technical, and will equip you with insights to think differently about your security testing program. As a result, you’ll leave with new ideas about how to build better, more secure systems.

Bio

Ted Harrington is the #1 best selling author of HACKABLE: How to Do Application Security Right, and the Executive Partner at Independent Security Evaluators (ISE), the company of ethical hackers famous for hacking cars, medical devices, web applications, and password managers. He’s helped hundreds of companies fix tens of thousands of security vulnerabilities, including Google, Amazon, and Netflix. Ted has been featured in more than 100 media outlets, including The Wall Street Journal, Financial Times, and Forbes. His team founded and organizes IoT Village, an event whose hacking contest is a three-time DEF CON Black Badge winner. He hosts the Tech Done Different podcast.

10:45AM - 11:30AM | Representation Matters | Chloe Messdaghi and Camille Eddy
Title

Representation Matters

Abstract

We often hear about the importance of Diversity, Equity, and Inclusion (DEI) and how companies are striving to do better. However, there are plenty of examples where the DEI being promoted is not actually happening behind the scenes. Stories of those who are marginalized in tech show that we still have a large problem with companies paying lip service and having no actual actions to show for it. One way to see whether a company is trying to do better on DEI is reflected in its board and C-suite. Yet, still to this day, less than 20% of company boards represent marginalized identities.
It's time to increase representation of marginalized identities from less than 20% to 50%+ at all levels in tech. When we shift to incorporating DEI practices by making sure representation is present on the leadership team, board and C-suite, it recognizes the voices of marginalized identities: ethnicities, genders, generations, sexualities, and abilities.
Research has repeatedly shown that when we have diverse boards and C-level positions held by marginalized persons, it produces a trickle-down effect, where the company takes action and voices are finally heard because there’s representation, and it's reflected in the vision, company policies, and hiring practices.
This talk discusses why we need representation on the leadership team, and how to get involved to actually bring a change to an industry that has run out of time to become more inclusive.

Bio

Chloé Messdaghi is a tech changemaker who is innovating the tech and information security sectors to meet today’s and future demands by accelerating startups and providing solutions that empower. She is an international keynote speaker at major information security and tech conferences and events, and serves as a trusted source to reporters and editors at outlets such as Forbes and Business Insider. Additionally, she is one of Business Insider’s 50 Power Players. Camille Eddy is a Product Engineer and International Public Speaker. She earned her Bachelor of Science degree in Mechanical Engineering from the University of Idaho. Camille has given her talk “Recognizing Cultural Bias in AI” across the world, including in San Francisco, Washington DC and Budapest, helping technical and non-technical project managers, founders and engineering leads build better products. Finally, she coaches women building online platforms, helping them make a profitable business working on their passion.

11:45AM - 12:30PM | 1.21 Gigawatts! Vulnerabilities in Solar Panel Controllers | Waylon Grange
Title

1.21 Gigawatts! Vulnerabilities in Solar Panel Controllers

Abstract

Embedded device security has come a long way since the days of telnet and default passwords. Product vendors are now doing more to secure their devices, but how effective are they? This presentation will outline many of the software and hardware-based attacks used to compromise embedded systems. It also discusses some of the mitigations used to prevent these attacks. Many previous IoT talks show the simplicity of hacking devices that have weak security or no hardening. In contrast, this presentation shows how even secured devices have attack surfaces that still need to be addressed. It demonstrates the need for embedded devices to incorporate a security lifecycle plan and for hardware designs to be audited for security weaknesses before production. Topics to be covered include firmware image encryption, disabling UART console access, hardening JTAG development access, securing e.MMC storage, NOR flash protection, processor glitching, update lifecycle attacks, avoiding custom crypto, dealing with reverse engineers, and initial device setup vs. authentication. None of these topics will be a deep dive. The intent is to show how they are attacked or utilized to mitigate specific attacks. To illustrate these topics, the presentation will use a recent security audit of a US solar equipment manufacturer as a case study. The vendor incorporated many best practices for securing embedded devices but made some architecture decisions in the name of security that ended up weakening their security posture rather than helping it. Finally, we'll show the ramifications of an attack against solar systems and how it could be used for racketeering. The attacks in this talk are relevant to system designers, hobbyists, and researchers.

Bio

Waylon Grange is an experienced vulnerability researcher, reverse engineer, and developer. Prior to Stage 2, he worked for Symantec and the NSA. Waylon has been a speaker at Black Hat, DEF CON, RSA, CanSecWest, and DerbyCon and is credited with a US patent, multiple CVEs, and exposing APT groups. His in-depth knowledge of embedded systems is utilized to evaluate the security of IoT systems and develop electronic badges for conferences.

12:45PM - 1:15PM | LED Light Lunacy! | Victor Hanna
Title

LED Light Lunacy!

Abstract

All your LEDs are mine ... How a case of lockdown boredom turned into LED lights for everyone!

Bio

Security Researcher at SpiderLabs

Inspire and be Inspired!

1:30PM - 2:15PM | 5 years of IoT vulnerability research and countless 0days - A retrospective | Alex "Jay" Balan
Title

5 years of IoT vulnerability research and countless 0days - A retrospective

Abstract

How many 0days can a research team discover in 4 years of vulnerability research in IoT? How many of them are relevant and can be used even today? How do you get started (or advance further) with IoT vulnerability research? This talk will answer all these questions and show you some hands-on shell-popping and authentication bypasses, as well as some new 0days published this year.

Bio

Alex "Jay" Balan is the Security Research Director and Spokesperson for Bitdefender. His career is focused on Information Security and Innovation, fields in which he has so far accumulated over 20 years of experience. He is now furthering security and privacy research and has been actively involved in creating awareness by speaking at a number of conferences including DEF CON, Derbycon, RSA, BSides, ISC China, and many others.

2:30PM - 3:15PM | BLUEMONDAY Series – Exploitation & Mapping of vulnerable devices at scale through self-registration services (DATTO/EGNYTE/SYNOLOGY/MERAKI/GEOVISION) | Ken Pyle
Title

BLUEMONDAY Series – Exploitation & Mapping of vulnerable devices at scale through self-registration services (DATTO/EGNYTE/SYNOLOGY/MERAKI/GEOVISION)

Abstract

Vendors like DATTO, MERAKI, GEOVISION, SYNOLOGY, EGNYTE and others that leverage or depend on these self-registration services are imperiling data, networks, and businesses through insecure design, intentional design decisions, and web application flaws.

These devices frequently self-provision services which leak critical data, or, through insecure network design and installation practices, are easily mapped, attacked, and discovered via insecure vendor, software, and integrator practices (e.g. PKI, Dynamic DNS, “Finder” service registrations, DNS leakage, Layer 2 attacks / DHCP network attacks, DNS passive hijacking through domain purchases & active record injection).

Some concepts and new attacks may be obliquely referenced or held private by the researcher. Essential PoC is contained in this document and is easily reproduced using supplied narrative and screenshots.

The affected devices are easily discoverable either through insecure practices (e.g. insecure zones, algorithmic FQDN generation, lack of local network controls, public metadata leakage) or through vendor-provided interfaces and access methods (DATTOWEB, DATTOLOCAL, SYNOLOGY.ME, DYNAMIC-M, GVDIP.COM, EGNYTE-APPLIANCE.COM).

Many issues develop due to these problems. For example, nearly all of these devices and appliances provide easily discoverable portals / content / metadata with which to craft extremely convincing social engineering campaigns, even in the absence of technical exploit vectors.

Host Header Attacks & 302 redirects used in concert with malicious DNS records / spoofed or squatted domains can be abused in this manner. An attacker can identify the MERAKI device a victim uses through registration, abuse the API to obtain sensitive metadata, and send the victim to a spoofed site or malicious content purported to be a Meraki Dashboard alert. An attacker can change the dynamic DNS record through a number of vectors (ex. Third party service attacks, local vectors) and effectively “hijack” the user or content being accessed.

Through our DNS harvesting and our undisclosed 0-days, we can establish a complex exploit network and botnet via poor vendor controls (e.g. MIRAI). We can also hide exploit code in APIs, persist across multiple appliance types, and abuse multiple dynamic DNS networks.

The DNS zones we have provided are intentionally designed, demonstrably insecure, provide detailed information, and can be abused easily. Registrations can be abused for data exfiltration or beaconing over the vendor’s DNS network. These Dynamic DNS services allow for efficient, mass exploitation and recon. The poor controls and “spoofability” of these networks (to be demonstrated at another time) allow an attacker not only to FIND vulnerable devices, but to automate mass exploitation via attacks such as those we provided or other common attacks.

The author wishes it to be noted that this is responsible disclosure, and that ethical considerations around the attacks / exploits seriously impacted disclosure dates and continue to.

Some initial work can be found here:

https://cybir.com/2021/cyber-security/bluemonday-series-part-1-exploitation-mapping-of-vulnerable-devices-at-scale-through-self-registration-services/

Bio

Ken Pyle is a partner at CYBIR, specializing in Information Security, exploit development, penetration testing and enterprise risk management. Ken is a graduate professor of Cybersecurity at Chestnut Hill College. He has published academic works on a wide range of topics and has presented at industry events such as ShmooCon, SecureWorld, and HTCIA International.

3:30PM - 4:15PM | “Alexa, have you been compromised?” — Exploitation of Voice Assistants in Healthcare (and other business contexts) | Hutch (Justin Hutchens)
Title

“Alexa, have you been compromised?” — Exploitation of Voice Assistants in Healthcare (and other business contexts)

Abstract

As voice assistant technologies (such as Amazon Alexa and Google Assistant) become increasingly sophisticated, we are beginning to see adoption of these technologies in the workplace. Whether supporting conference room communications, or even supporting interactions between an organization and its customers — these technologies are becoming increasingly integrated into the ways that we do business. While implementations of these solutions can streamline operations, they are not always without risk. During this talk, the speaker will discuss lessons learned during a recent penetration test of a large-scale “Alexa for Business” implementation in a hospital environment where voice assistants were deployed to assist with patient interactions during the peak of the COVID-19 pandemic. The speaker will provide a live demonstration of how a cyber-criminal could potentially use pre-staged AWS Lambda functions to compromise an “Alexa for Business” device with less than one minute of physical access. Multiple attack scenarios will be discussed, including making Alexa verbally abuse her users (resulting in possible reputation damage), remote eavesdropping on user interactions, and even active “vishing” (voice phishing) attacks to obtain sensitive information. Finally, the talk will conclude with a discussion of best-practice hardening measures that can be taken to prevent your “Alexa for Business” devices from being transformed into foul-mouthed miscreants with malicious intent.

Bio

Justin Hutchens (“Hutch”) is the Assessments Services Practice Lead at Set Solutions and manages TVM, IR, and GRC services. He is the co-host of the "Ready, Set, Secure" InfoSec podcast. He is also the creator of Sociosploit, a research blog which examines exploitation opportunities on the social web – a confluence of his interests in both hacking and social psychology. Hutch has spoken at multiple conferences, including HouSecCon, ToorCon, and DEF CON.

4:30PM - 5:15PM | IoT Testing Crash Course | Tim Jensen (EapolSniper)
Title

IoT Testing Crash Course

Abstract

In this IoT 101 level talk I provide practical instruction to security focused individuals who want to test IoT devices for critical vulnerabilities. Included will be basic network pentesting of the device, web app or other UI testing, extracting/downloading firmware, and using binwalk. This will also include reviewing binaries for potential backdoors, looking for hardcoded credentials, and whitebox code review of the UI interface to look for backdoors or other vulnerabilities. All testing will be done against publicly downloadable binaries.

Bio

Tim has 9 years of professional security experience, largely in network, IoT, and web application penetration testing. He ran a hack lab in Fargo, ND for 4 years where he taught hardware hacking and penetration testing on evenings and weekends. When not hacking, Tim enjoys cycling, walking, and live music.

5:30PM - 6:15PM | Defending IoT in the Future of High-Tech Warfare | Harshit Agrawal
Title

Defending IoT in the Future of High-Tech Warfare

Abstract

The increase in cyberattacks using IoT devices has exposed the vulnerabilities in the infrastructures that make up the IoT and has shown how small devices can affect the functioning of networks and services. This talk presents a review of the vulnerabilities that beset the IoT, assesses experiences in implementing RF attacks targeting the Internet of Things, and analyses various facets of the IoT-centricity of future military operations based on the IoT concept, IoT-led future shaping of things, challenges, and the developmental trajectories of major powers.

Bio

Harshit Agrawal is currently working as a Radio Security Researcher. He is enthusiastic about SIGINT, drone pentesting, and IoT security. He has presented his research at security conferences such as RSAC USA, HITB Cyberweek, and HITB Amsterdam. Previously, he was President of the CSI Chapter and Vice President of the Entrepreneurship Cell at MIT, where he also headed a team of security enthusiasts, which gave him good insight into cybersecurity and increased his thirst to explore more in this field.

Saturday Talk Schedule, August 7

Time (PST, UTC-8:00) | Event | Speaker
10:00AM - 10:45AM | I used AppSec skills to hack IoT, and so can you | Alexei Kojenov
Title

I used AppSec skills to hack IoT, and so can you

Abstract

We tend to think of AppSec and IoT as two separate infosec disciplines. Sure, the domain knowledge, attack vectors, and threat mitigation are not exactly the same in those two worlds. At the same time, as the hardware continues to evolve, we see more and more tiny general purpose computers around us. Many of these tiny computers nowadays run software that is written in a conventional programming language, listen on network ports, process data inputs, and communicate with the outside world. These devices can be attacked just like any other application running on a desktop, on a server, or in the cloud.
In this talk, I am going to tell you a story about my hacking journey that unexpectedly took me from device configuration settings to software reverse engineering, vulnerability discovery, and six new CVEs. Together, we’ll go step by step through reconnaissance, firmware analysis, decompiling, code review, and remote debugging. I’ll also share my experience with the responsible disclosure process. I hope this talk inspires you to apply your general hacking skills to new areas such as IoT, even if you’ve never done that before.

Bio

Alexei began his career as a software developer. A decade later, he realized that breaking code was way more fun than writing code, and decided to switch direction. He is now a full-time application security professional, with several years of assisting various development teams in delivering secure code, as well as security consulting. Outside of his day job, Alexei enjoys doing security research and learning new hacking techniques.

11:00AM - 11:45AM | You're Doing IoT RNG | Dan "AltF4" Petro and Allan Cecil
Title

You're Doing IoT RNG

Abstract

Think of a random number between '0' and infinity. Was your number '0'? Seriously? Crap. Well unfortunately, the hardware random number generators (RNG) used by your favorite IoT devices to create encryption keys may not work much better than you when it comes to randomness.

In this talk, we'll delve into murky design specs, opaque software libraries, and lots of empirical results. We wrote code for many popular IoT SoC platforms to extract gigabytes of data from their hardware RNGs and analyze them. What we found was a systemic minefield of vulnerabilities in almost every platform that could undermine IoT security. Something needs to change in how the Internet of Things does RNG.

The vulnerabilities are widespread and the attacks are practical. RNG is bad out there - "IoT Crypto-pocalypse" bad.

Bio

Dan "AltF4" Petro is Lead Researcher at Bishop Fox. Dan is widely known for the tools he creates: Eyeballer (a convolutional neural network pentest tool), the Rickmote Controller (a Chromecast-hacking device), Untwister (pseudorandom number generator cracker), and SmashBot (a merciless Smash Bros noob-pwning machine). Allan Cecil (dwangoAC) is a Security Consultant with Bishop Fox and the President of the North Bay Linux User’s Group. He acts as an ambassador for Tasvideos.org, a website devoted to using emulators to complete video games as quickly as the hardware allows. He participates in Games Done Quick charity speed running marathons using TASBot to entertain viewers with never-before-seen glitches in games.

12:00PM - 12:30PM | Strategic Trust and Deception in the Internet of Things | Juneau
Title

Strategic Trust and Deception in the Internet of Things

Abstract

Game Theory is the study of choices and strategies made by rational actors, called "players," during times of conflict or competition. It has been used throughout history to map human conflict. Statisticians use game theory to model war, biology, and even football. In this talk, we will model interactions between IoT devices based on strategic trust; how agents decide to trust each other.
The talk will provide an overview of game-theoretic modeling and its application to the IoT landscape. The landscape facilitates deception; players must decide whether or not to trust other agents in the network, and agents may have misaligned incentives. There is a trade-off between information gained and short-term security. This talk will build a framework for predictive and strategic trust where players make decisions based on the incentives of their "opponents." This talk will not look at network topology or protocols but will instead look at information exchange and strategy.

Bio

Raised in the woods of Alaska, Juneau attributes her love of hacking to a childhood spent building and breaking things. After studying computer science and economics, she moved to Dallas, Texas, where she found a home in the local community and started speaking at cons. Now Juneau works as a red teamer and continues her research in grad school. When she isn't programming or asking strangers about the prisoner's dilemma, Juneau breathes fire and runs DC214, Dallas's DEF CON group.

12:45PM - 1:30PM | MIPS-X - The next IoT Frontier | Patrick Ross, Zoltán Balázs
Title

MIPS-X - The next IoT Frontier

Abstract

IoT vulnerability research usually involves both static and dynamic analysis of the target device. To aid in this task, researchers typically perform some sort of emulation to enumerate the filesystem as well as run the respective binaries. Luckily, there are tools like QEMU and/or Buildroot to guide our path on the way, but this does not mean the way is smooth.

Our main goal was to create a framework and documentation suitable for MIPS (LE/BE) device research, which can be used in a Dockerized environment to set up as many emulated IoT devices as desired. The goal was to create the least amount of pain and effort to set up the emulation infrastructure. This means, you will have a target MIPS architecture virtual machine running natively with all the binaries, full network stack, debugging tools, and other useful tools. Let the pwning begin!

Bio

Patrick (0xn00b), a DEF CON 26 Black Badge holder, is the co-founder of Village Idiot Labs, which helps run IoT Village across the globe. Patrick has created a fully immersive, virtual web-based lab environment in which people can learn how to hack IoT without the need for their own tools, equipment or even prior knowledge. Zoltan (@zh4ck) is the Head of Vulnerability Research Lab at CUJO AI, a company focusing on smart home security. Before joining CUJO AI he worked as a CTO for an AV tester company, as an IT security expert in the financial industry, and as a senior IT security consultant. He is also the developer of the Hardware Firewall Bypass Kernel Driver (HWFWBypass), the Encrypted Browser Exploit Delivery tool (#IRONSQUIRREL) and the Sandbox tester tool to test Malware Analysis Sandboxes.
He found and disclosed a vulnerability in IP cameras, and this vulnerability was exploited by the Persirai botnet, running on ~600,000 cameras.

1:45PM - 2:30PM | Mind the Gap - Managing Insecurity in Enterprise IoT | Cheryl Biswas
Title

Mind the Gap - Managing Insecurity in Enterprise IoT

Abstract

IoT is an ever-expanding attack surface about which we have many misconceptions and assumptions but for which we have very few policies, regulations or security. These are devices built for one purpose, not meant to be upgraded and rarely if ever patched. As more devices are enabled to connect and communicate online, in the relentless pursuit of innovation, we’ve put the cart before the horse and failed to construct a framework to effectively control and secure the capability created.
Consider this: over 90% of the data in the world was created over the past two years, and current output is roughly 2.5 quintillion bytes per day. As IoT moves into a range of enterprise environments, driven by consumer demand and BYOD desire, Shadow IT becomes Shadow ET, bringing new challenges and risks that our existing compliance and security don’t address or regulate.
Misconfiguration usurps any benefits of eroding segregation as online exposure of both sensitive data and critical systems increases. Adversaries at all levels have been watching, waiting and are making their moves because ignorance isn’t an excuse – it’s an invitation to exploitation.

Introduction: (2 min)
• A deluge of data
• So many devices and growing

I have a dream: (5 min)
• Perceived benefits of IoT
• Improved efficiency, innovation, collaboration
• We don’t know what we’re doing
• The dangers of upholding a Utopian ideal as reality
• “The cost of breaches will be viewed like the toll taken by car crashes, which have not persuaded very many people not to drive.”

Defining IoT: (10 min)
• Our assumptions: what we think IoT is
• What is and isn't IoT. Adding intelligence to devices that are normally “dumb”, enabling them to communicate without human involvement
• Failure to inventory IoT devices because no centralized control over what IoT devices and applications are in the workplace
• Me and My Shadow IoT
    o An open invitation to Shadow IoT through increasing unmonitored, unsanctioned BYOD
• Recent statistics on IoT cyberattacks on organizations
    o “82% of organizations that manufacture IoT devices are concerned that the devices they develop are not adequately secured from a cyberattack.” (Irdeto Global Connected Industries Cybersecurity Survey 2019)
• Insecure third parties and Shadow IoT risks - what the party of your third party allows without your knowledge or consent
• Different flavors – ET, IIoT, IoHT, OT
Takeaways:
Attendees will understand what makes IoT/ET different from standard equipment we connect, and why we cannot secure them the same way.
Attendees will be alerted to the ongoing and increasing risk of Shadow IT within their networks so they can take action on it.

Understanding IoT Architecture: (5 min)
• Sensors working overtime - Sensors and actuators connecting the digital and physical realms
• Internet gateway
• The Edge
• Managing, securing and storing all the data
• Communication architectures
• What is Enterprise Architecture
• Understanding IoT in the Enterprise
• Enterprise Architecture and IoT: How to build IoT into Enterprise Architecture

How IoT Attacks are Different: (5 min)
• A lack of awareness around the motivation, perpetrators, attacks
• Different threat dynamic: industrial espionage, damage, destruction.
• Geopolitics and the games nation-states play. After Stuxnet - Iran and Shamoon wiper malware.
• Threat actors seek something more than just monetary gain. Triton destructive malware.
• How sanctions drive retaliation. What could we expect in the current climate?
Takeaway: Attendees will understand IoT/ET as a potential threat, who the attackers are, and how to evaluate what they have in place to improve their security.
It Only Takes One: Analysis of Attacks (15 min)
• It only takes ONE exposed, misconfigured system to spread the infection.
• Think ransomware: an increase in targeted ransomware attacks on industry in 2019 using LockerGoga and MegaCortex (e.g. Norsk Hydro).
• Think NotPetya. Targeted attack that spread from one laptop globally bringing Maersk down.
• How cryptominers are increasingly leveraging exploits on critical vulnerabilities in enterprise realms and spreading via EternalBlue. Targets include Docker containers, and container escapes.
• Compromised conference equipment. Examine the attack on Polycom HDX video conferencing systems. Thousands exposed externally, many more deployed internally. Polycom systems are linked to each other across different corporate offices globally.
Takeaway: Attendees will be able to understand how an attack could be leveraged against IoT/ET in their enterprise environments

Making it Better: (5 min)
• IoT policy and compliance
• Strong authentication: what do we do better when we know that passwords and certs have failed us
• Automating the identification of IoT – no more hide and seek
• Network segmentation - it only works if we do it
• Automatically securing IoT devices before something happens, not after
• The need for Unified Endpoint Management over Enterprise Mobility Management.
Takeaway: Attendees will have recommendations to bring back that they can action within their environments for an increased security posture

Bio

Cheryl Biswas is a Strategic Threat Intelligence Specialist with TD Bank in Toronto, Canada, experienced in security audits and assessments, privacy, disaster recovery and change management. She has an ITIL certification and a specialized honors degree in Political Science. She is actively engaged in the security community as a conference speaker and volunteer, mentors those entering the field, and champions women and diversity in cyber security as a founding member of “The Diana Initiative”.

2:45PM - 3:30PM Reverse Supply Chain Attack - A Dangerous Pathway To Medical Facilities’ Networks Barak Hadad and Gal Kaufman
Title

Reverse Supply Chain Attack - A Dangerous Pathway To Medical Facilities’ Networks

Abstract

The supply-chain attack vector has gained a lot of attention in the past year. Our talk, however, will present a different type of supply-chain attack vector -- the reverse supply-chain attack.

The process of a supply chain attack involves an attacker altering the code of software, or the hardware of a device, en route to a potential victim. The reverse supply chain attack starts from the other end of the chain -- when a device is removed from a secure network. While IT departments are aware of the importance of wiping the hard drives of PCs before they are thrown away or sold off, they are not fully aware that certain medical devices also hold sensitive data, and that the process to wipe these devices is also non-trivial.

In this talk, we will demonstrate the type of data that can be recovered from the most popular infusion pump -- the BD Alaris Infusion Pump. The recovered data can allow an attacker to infiltrate internal networks of medical facilities and exfiltrate or alter personal patient data. In the process of analyzing this attack vector, we purchased a handful of these used infusion pumps from eBay, which led us to the credentials of internal networks of large hospital facilities all over the US.

Bio

Barak Hadad is a security researcher at Armis, responsible for hunting zero days and reverse engineering. Formerly an R&D team lead in the Israeli Defense Forces Intelligence, his current focus is unraveling the mysteries of various embedded devices, found in hospitals, factories and anything in-between.

3:45PM - 4:15PM Ethics at the Edge: IoT as the Embodiment of AI for Rampant Intelligence Actuation Ria Cheruvu
Title

Ethics at the Edge: IoT as the Embodiment of AI for Rampant Intelligence Actuation

Abstract

In the eyes of a smart device and their human controllers, the world is an immense source of data and power. The expanding Internet of Things ecosystem only adds fuel to this, empowering real-time automatic sensing and actuation that poses regulatory dilemmas, easily exploitable definitions of trusted entities (e.g., see the 2021 Verkada hack), and measurements of security, robustness, and ethics that change apropos data in the blink of an eye.

Governance and policing of Internet of Things devices is growing to cover the upcoming trail of destruction by flailing technical solutions, but some intriguing key unanswered questions are starting to reveal themselves.

In this talk, we’ll dive into what the sociotechnical problem of ethics means at the edge in the context of machine learning/artificial intelligence and address these questions:

1. Individual vectors of ethics (“Sustainability is an ethical principle?” “Edge devices have their own definition of fairness and bias different from human concepts?”)
2. Evolving principles and governance for IoT devices, and the importance of accountable anonymity
3. Definitions of trusted entities (“When are users a threat?” “Should humans be out of the loop?”), and how key ethical principles, such as privacy and transparency, can be a double-edged sword in the context of IoT security.
4. Incorporating morality into machines is now a reality (“How do we define a calculus and value alignment for IoT ethics?”) - what are key unconventional ethical concerns for human-centered design?

Bio

Ria Cheruvu is an AI Ethics Lead Architect at the Intel Network and Edge engineering group, developing trustworthy AI products. She is 17 years old and graduated with her master’s degree in data science from Harvard University at 16. Her pathfinding domains include solutions for security and privacy for machine learning, fairness, explainable and responsible AI systems, uncertain AI, reinforcement learning, and computational models of intelligence.

4:30PM - 5:00PM IoT devices as government witnesses: Can IoT devices ever be secure if law enforcement has unlimited access to their data? Jordan Sessler and Anthony Hendricks
Title

IoT devices as government witnesses: Can IoT devices ever be secure if law enforcement has unlimited access to their data?

Abstract

A man in Connecticut was arrested after his wife’s Fitbit implicated him in her murder. Prosecutors in Arkansas sought to use data from an Amazon Echo as evidence against a murder suspect. Local police sought access to car, TV, and even refrigerator data to monitor Black Lives Matter protestors—and the FBI did the same thing to help track down suspects in the aftermath of the January 6th, 2021 riot at the U.S. Capitol.

These examples are hardly isolated instances—there are thousands of other cases just like them. And they all speak to an important truth: IoT devices are increasingly being used by law enforcement for investigational purposes and, in some cases, even being made into star witnesses at trial. But law enforcement’s use of IoT devices raises two important questions. First, does allowing the government to use IoT data violate consumer expectations of privacy, particularly at a time when IoT products are being made and marketed with an eye toward information security? Second, are criminal suspects being provided with the same near-limitless access to IoT data for purposes of mounting their legal defense?

The answers to both of these questions are troubling, in large part because the law is inherently backward-looking and is thus not equipped to grapple with the raw amount of information that is now generated. Just as many consumers did not realize several years ago that their watch or car audio system would be used by law enforcement to track their location 24/7, so lawmakers and judges did not either. For example, the Federal Privacy Act of 1974 never contemplated that, rather than maintaining records, the government would simply buy access to private records—as ICE recently did by purchasing access to CLEAR—or create its own iOS app to ensnare criminals, as the FBI recently did. Likewise, although the Supreme Court noted the private nature of cell phone location data in Carpenter v. United States, this was a 5-4 decision (while RBG was still on the bench) that only applied the Fourth Amendment to historical cell phone GPS data, effectively leaving the law unsettled on many other types of IoT data. This has led courts, including a New York federal court in a case involving Apple, to express concerns that, even where warrants are involved, allowing the government to force companies to produce IoT device data could “result in a virtually limitless expansion of the government’s legal authority to surreptitiously intrude on personal privacy.”

These concerns are heightened by the fact that, although the Federal Rules of Criminal Procedure are supposed to provide defendants with equal discovery rights, the Stored Communications Act often prevents defendants from accessing the IoT data of others, such as witnesses, accusers, or other potential defendants. In practice, this means that IoT data can effectively be used against criminal suspects but is not available for them to use in arguing their legal defense. This results in an incredible inequality in the criminal justice system. And it may also lead to erroneous outcomes: as with DNA evidence, IoT data may help exonerate criminals just as often as it implicates them. Indeed, in the Arkansas v. Bates murder case, the prosecution dismissed the charges against the defendant shortly after it obtained the Amazon Echo data, which apparently validated the defendant’s alibi. Similarly, allegations of cheating against low-income students at Dartmouth Medical School were dismissed after IoT data brought into question potentially erroneous remote test monitoring that may have been skewed by poor internet.

So what can we do to reform or limit government use of IoT data? This talk aims to talk through ways in which both the infosec and legal communities can increase their mutual understanding and help drive reform. In the short term, the infosec community can increase security by minimizing, encrypting, or de-identifying data. This can reduce the amount of information that IoT devices collect and, thus, are required to turn over to law enforcement. Over the long term, the best solution may be to pass new laws or drive new judicial precedent that incorporates an understanding as to what IoT data is, how it is changing expectations of privacy, and how it is being used by law enforcement. Such laws could either limit access to IoT data—enshrining a greater degree of privacy—or set forth procedures delineating when authorities may use it and guaranteeing defendants equal access. Of course, there are other potential solutions and we hope this talk will help launch a broader discussion on how to help the law interact with IoT technology.

Bio

Jordan Sessler is an attorney who advises clients on data security as a member of Crowe & Dunlevy’s Cybersecurity & Data Privacy Practice Group. In that role, he regularly engages with legal issues related to IoT devices and has represented companies in disputes with law enforcement regarding the discoverability of user- and device-generated data. Prior to beginning his practice, he graduated from Harvard Law School and clerked for U.S. District Court Judge D.P. Marshall Jr.

Anthony Hendricks is an attorney who advises clients as the chair of Crowe & Dunlevy’s Cybersecurity & Data Privacy Practice Group. In that role, he frequently analyzes and litigates legal issues related to IoT devices. Prior to beginning his practice, he studied as Howard University's first Marshall Scholar and later graduated from Harvard Law School. He now teaches cybersecurity law as an adjunct professor at Oklahoma City University School of Law.

5:15PM - 6:00PM The Journey of Establishing IoT Trustworthiness and IoT Security Foundation Anahit Tarkhanyan, Dr. Amit Elazari and Ria Cheruvu
Title

The Journey of Establishing IoT Trustworthiness and IoT Security Foundation

Abstract

The Internet of Things (IoT) ecosystem holds tremendous promise to promote innovation, productivity, and societal benefits. Yet, with increased connectivity, concerns remain about the growing attack surface. While the DEF CON community often focuses on the security aspects of these issues, the multidimensional nature of IoT devices and the combination of AI/ML solutions have sparked standardization activities focusing more generally on the concept of “IoT trustworthiness”. This talk will introduce the audience to the latest developments in the IoT Security Policy landscape, proposals for confidence/certification mechanisms emerging globally, and key IoT Security baseline standards developments, while exploring the connection to the IoT trustworthiness concept across the IoT Supply Chain. We will describe a case study of IoT robustness and trustworthiness applied in the context of AI and smart analytics, including the importance of characterizing the behavior of data.

Bio

Dr. Anahit Tarkhanyan - Principal Engineer, Intel Corp., Network and Edge Group, IoT CTO Office

Anahit leads the security architecture of Intel's edge portfolio. Her area of expertise covers security of Edge to Cloud systems and AI/ML, security standards and regulation. Anahit is an IEEE Senior Member and holds a PhD in Distributed Computer Systems and Networks. She holds several patents and has publications on diverse security technologies.

Dr. Amit Elazari - Intel Corp., Director, Global Cybersecurity Policy, Government Affairs

Dr. Amit Elazari is Director, Global Cybersecurity Policy, Government Affairs at Intel Corp. and a Lecturer at UC Berkeley School of Information Master in Cybersecurity program. She earned her Doctor of Science of the Law (J.S.D.) from UC Berkeley School of Law. Her work on security and technology law has been published in leading academic journals and popular press, including The New York Times, The Washington Post and Wall Street Journal, and presented at top conferences including RSA, BlackHat, USENIX Enigma, USENIX Security and more. Elazari holds three prior degrees, summa cum laude (LL.B., LL.M. in the Law and a B.A. in Business) from IDC, Israel. Her work has received, among other honors, a USENIX Security Distinguished Paper Award, an Annual Privacy Papers for Policymakers (PPPM) Award Academic Paper Honorable Mention, the Caspar Bowden PET Award for Outstanding Research in Privacy Enhancing Technologies, and the University of California, Berkeley School of Information Distinguished Faculty Award. She is currently one of the co-editors of ISO/IEC 27402 at JTC1, SC27 (in draft, IoT Security Baseline Requirements).

Ria Cheruvu - AI Ethics Lead Architect, Intel Corp., Network and Edge Group, IoT CTO Office

Ria Cheruvu is an AI Ethics Lead Architect at the Intel Network and Edge engineering group, working on developing trustworthy AI products. She is 17 years old and graduated with her bachelor’s degree in computer science from Harvard University at 11 and her master’s degree in data science from her alma mater at 16. Her pathfinding domains include solutions for security and privacy for machine learning, fairness, explainable and responsible AI systems, uncertain AI, reinforcement learning, and computational models of intelligence. She enjoys composing piano music, ocean-gazing with her family, and contributing to open-source communities in her free time.