
Finish your conversations.
Are we doing congratulations? What's your name? Nathaniel. We're gonna be an actual kids'... Austin, okay. How many people have been here all five times? Okay, nice, the small crew. Okay, how many people in the industry have been in the industry for less than five years? That's a great time. Okay, how about people with more than fifteen? If you can still put your hands up. The livelihood of the industry depends on those two groups, and so I hope you two get together or do a little mentoring. Spend some time today to see if you can find somebody that you don't know, and spend some time with them about what they're doing, why you're
doing it, or, if you're new in the industry, you want to understand how to get to a certain place. There's a lot of people here who have been very successful doing the things that they love in untraditional ways, so make sure you get a piece of some of how that works. My name is Fred Wilma; this is my third Kansas City BSides. I came here by way of some of the guys that... that's been their livelihood, doing work in KC. I live in Seattle, so it's kind of odd, but I'm like the cool uncle, so I get to come and hang out with you guys, you know, a couple times a
year, which is great for me. There's some things that I want to impart to you about sort of BSides in general, if it's your first time, your first time to KC BSides. You've got something pretty unique here. Kansas City has a bunch of individual groups of people that do security work, and there's a lot of different sectional concepts in a lot of cities, but you guys have brought all those groups together, and you have, you know, a pre-func party with all the SecKC guys. At our parties at DEF CON it's the entire crew from Kansas City, so the unity around the community here
is something pretty special. I think it's also something that happens at the BSides that we have here. So there's a couple of things in the industry I'll just quickly point out, because they're sort of topical: there's a lot of discussion around codes of conduct and behavior and all of these things, and those of you who have been to conferences in other places... there's just no room for any of that here. But I'm also saying that because I haven't experienced any of that here, and I hope that none of that, you know, when it's... being here. So when you think about the challenges in other places you read about, hey, you know, there,
because it's near to my heart, this is the last year for it, all the craziness around what causes things like this to go right or wrong: it's all about you. So please be excellent to one another. I would say that's for the 15-year veterans too, and just make sure that what you come here for is what you take away. So with that I'm going to introduce a couple of people, Eric White, John Dallas, you guys are here? No, no, you don't get to hang out of the vehicle here. Yeah, all right, you guys want to represent that by proxy? So there's a lot, as you guys know, in putting any conference on; the funnest part of the conference, what we
need to do with conferences, is when it's over, and these guys put this exercise on. This is one of the biggest BSides in the country, and so that speaks to you. It also [Applause]
It speaks to the work these guys put in, the tireless work, you guys coming here, also the vendors, which we talked about. You guys have anything you want to know? Okay. If you have anything, any questions or challenges or feedback, just grab somebody in a safety vest. If you have something that's really wrong, you know there's always the one-on-one situation, but still reach out and grab people. Just for the sake of all of these other pieces: in case of fire we go out the front door there, although the exits are all marked. Make sure you follow the expo in the room, make sure you're taking care of yourself, water and the annex coffee, all the things. There's
stuff over there for you guys to participate with. There's trash cans, and so that's great; I used to make effective use of those. And the other thing is that this is kind of a public facility, and while BSides is borrowing it for the course of today and the weekend, there's cameras everywhere, right? So we all live our lives, and opsec: act like you're on camera. At a con we tend to also think that we're at a con and maybe not on camera, but you are on camera, so just be mindful. Also we have Hak4Kidz here, so between 10 and 3 o'clock today there'll be a bunch of these young superstars hanging out in the audience,
who probably will appreciate your best language and behavior, so bear that in mind for the next generation. And then I want to cover just a couple other things: we have a vendor village, and we also have these guys, the badge pirates and
hardware... but these badges are awesome, yeah. And in addition to having lots of badges and the benefit of having a bunch of sponsors that help pay for, you know, keeping the cost of the stuff down, making it okay for us to hang out, we also have the opportunity to use these badges in conjunction with that. So I just want you to consider: if you have an electronic badge, go see what gets unlocked as you move around the con, okay? And if you haven't unlocked everything, keep moving around the con, and that part will be fun for you. If you're going to go to the after-party, which I would love if you went to the
after-party, it's over here in the annex across the way. You have to go down and visit Fishtech; they sponsor the after-party here, as they do, and we're gonna have a great time at it. We'd love for you to be there. That's gonna be on top of the... which is what I refer to as the annex; it's upstairs and outside, and, you know, you'll be getting your... as a base artillery fire at your base, and that's sort of just... Now the last thing that I want to say is I want to sort of talk about maybe what you should take
away from BSides. There's always the question, and it goes for any conference: what's it all about? You've got hallway con, which is awesome here; there's actually lockers and hallways, so there's like a legitimate hallway, and yeah, somebody could knock your books out of your hands. But what do you want to take away from this, right? So if you go to any of the tracks, my general rule for something you should consume is: walk away from every conversation you have, but also every speaker's presentation, with just one thing. Maybe you get more, that's great, but if you walk out of a whole day with four or five things and you put
something into practice, I mean, the cost of admission is probably okay. And the networking that you get out of doing something like this is remarkable. We have some great people here locally, we have some great iconic industry people who have come here to speak, and that kind of relationship is what fosters the community in general. So when you think about that code of conduct, you think about what you want to be when you grow up, and you think about what you want your kids to be... Okay, that's long. Okay, without further ado, I'd love to introduce, speaking of that, I'd love to introduce somebody that I both respect highly as a professional, as an industry
veteran, but I also want my daughter to grow up just like her: Lesley Carhart. She's not only an amazing presenter, a reference in the industry for digital forensics, incident response, open-source intelligence, but she's also a martial artist and she's a sharpshooter, and she's one of the classiest people who has the rockstar status but you'll never know it when you talk to her. So, Lesley.
My school drama here. Hi, everybody, and as you mentioned, I'll be speaking to you about something a little bit bizarre today. So we're talking about our community making a change in an industry that is not infosec, and how that impacted our future potential. You know, we think about the way our society is going sometimes, and you think about the way technology is misused, and sometimes it feels a bit dystopian, and what I'm going to be telling you about today is a personal story where our community really came together across the country and made a change to prevent something from becoming as dystopian. If you don't know me, my name is Lesley. I have a Twitter
handle, it's called hacks4pancakes, because I'm a digital forensics and incident response professional. I specialize in industrial control system security, so when a power plant gets hacked I'm one of the people who goes out there and figures out how it happened. I work for a company called Dragos. I've spent about 20 years in IT, about 11 years in infosec specifically. I do, as we mentioned, some martial arts; I also do some managing of locksmithing, which is going to be relevant to this talk; and I speak, I blog, and I am a social media personality, sorry. But the most relevant thing to this talk today is that I live in an apartment, like many of you probably do, and they
recently chose to deploy smart systems to all residents, and this kind of turned my life upside down. So I was standing in front of an audience like you when I looked down at, I guess, my phone to time myself speaking. I was looking at my phone to check my timing, and I got an email, and the email said: congratulations, we're excited to announce a new smart home technology is coming to your building. And I've got the email up here, so you can notice I flagged a couple things that really stood out to me, that really concerned me about this. First of all, they're talking about community entry. Second of all, they're talking about four-
digit PIN codes to open your front door, and then they start talking about how you issue those PIN codes. They talk about you being able to pick up your cell phone wherever you are and send somebody a PIN code to open your door. So let me see... no, no, no, no. So rationally, why was I so concerned? Because as security people, as engineers, and I come from an electronics background, I think about how things work, how systems and processes work, and I understand how this has to happen. It's not magic how you get from the lock on the door with the PIN pad to the phone and back again.
There has to be a number of steps, right? So at the door you have the lock; it's got a PIN pad on it, but that has to connect out somehow, so it has to connect to some kind of hub, and from that hub you have to have a connection out to the internet, something at the end of that, hopefully it's secure, and then it has to go somewhere. Something has to make decisions about how that data and that control gets to the app on your phone, and finally there is that app, and we all know that those are super secure and never get hacked. So that's a lot of data being transferred across a lot of different
devices, and there's a lot of potential points of failure there, and we're sending a lot of very sensitive data. Think about what people can learn about you from monitoring what you're doing in your apartment: when you open and close your door, when you change the temperature, when it gets cooler because you're not home, when you use your water, when you use your faucets. All types of sensors were being deployed into our apartments, and it was enough to very simply see when you were on vacation, your routine, when you went to work, when you were home, when you were asleep, and that's very sensitive data for certain people. Some of you might not care about any given
person or a company knowing when you're asleep or when you go on vacation, but you can think about how that might be useful to a criminal. So why did I care personally? Well, I know a lot of things about Internet of Things devices, because I'm cleaning up the messes 10 years after they were deployed in industrial control systems, and that's a good venture now, because about 10 to 15 years ago it was the hot new thing to connect your power plants and manufacturing devices and water treatment plants to the internet for remote access or receiving updates, etc., and there wasn't a lot of security forethought put into plugging those systems in. And I
know as well, on top of that, that security is often an afterthought in IoT devices. We're all familiar with that: when you go out and buy a smart light bulb, they don't give you a big security document telling you how to make sure your light bulb doesn't get exploited. And we have many, many media cases, and I've got some up here on the screen if they're not too small to read, but we've seen lots of cases of smart devices in homes getting hacked in very embarrassing, very scary ways. So it's concerning just from a basic technological standpoint. Well, what was I personally worried about myself? I can be a little selfish about this, because
there's nothing more personal to us than the safety of our family, our personal safety, the safety of our home. I, for a living, investigate, like I mentioned, hacking of infrastructure. I have been dealing with investigating nation-state hacking and advanced adversaries for over a decade, and a lot of the people who I'm dealing with in that space have a lot of expertise in Internet of Things devices. They probably are not fans of mine, especially the people who I'm getting in trouble or working in takedown efforts to stop. And I also knew that my neighbors are going to love this system. They're going to think it's the best thing ever: oh my gosh, we can change our temperature from our smartphone, this is super
cool, it's got a cool light in the thermostat, I think it looks really neat. And it was just gonna be me looking like a crazy person. I also had a long time left on my lease, and I like my apartment; I didn't want to feel like I was getting forced out of my home. But I also finally knew that everybody else in my building could be impacted by these things, even if they thought it was a super great idea. I knew that it could really impact their personal safety and security, but they would never know. So I shot an email back to my landlord and I said, hey, can you just exempt me from this? Like,
it'll save you some money, just don't do it to my apartment. And it's just like, nah, there's no exemptions, sorry, Lesley, just go to the town hall, we're bringing the vendor in, and ask your questions about security, whatever. I'm sure there's no security problems with this system; it'll be fine. And I knew that it wasn't going to be fine, because I knew all those things that I had mentioned previously about those systems and about the problems they'd had with security in the past. So I started to do some open source intelligence gathering. I started looking into the company, I started looking at their photos of their technology, I started
looking into their documentation and their help system to understand what devices they were using. I started asking questions on Twitter, and some of you probably had to witness the travesty which was me panicking about the system going into effect, which was: tell me about this lock, tell me about this hub, who's seen this... you know, like I had a million questions about how the system was deployed. And I was able to gather a lot of information about it. I learned what lock model it was, a new specific lock model; I learned how it was wired into the hub or wirelessly connected to the hub; I learned about the app and how it was constructed and what it was
capable of doing. But more alarmingly, I learned very quickly that it wasn't just my building getting the system deployed; it was my entire top-50-in-the-US property management company that was getting the system deployed into it, and all of a sudden this was a much, much, much bigger thing than I had initially anticipated. It wasn't just one building where maybe I could, you know, work something out with my landlord; this was coming like a freight train to a very, very large company with thousands and thousands of apartment units. So things weren't looking so good for me. I looked into the provider, and they were a startup; they were tiny, just Series A, and I read through their Series A
paperwork, and they had about 50 employees, and I could only find a couple security people at that entire company. That's not necessarily bad; I work for a startup too, I know all about startup life, but think about securing thousands and thousands of apartments, and they're responsible for all those things in the chain. You're responsible for the hub, for patching the devices like the third-party lock, you're responsible for the connectivity between the hub and your servers, you're responsible for the security of your servers, and for the responsible development of the hub and your app. So there's a lot of points of failure there, and you're relying on potentially two security people, that I could find, to do all that
research and all that due diligence to make sure that the system is secure. So I was getting no less frightened; I was actually quite alarmed, and so I started doing some much more substantial research. I decided to take some time off work and really dedicate myself to finding out what was going on with the system before I went into my apartment, and I had one week before that meeting. It was me against a top-50 property management company, a startup, and a massive multi-million-dollar technology deployment, and I had seven days to figure out if there were any real concerns in this system. So I immediately next-dayed a bunch of stuff from Amazon. I
bought a smart lock, I bought the Z-Wave module for it. So there's a couple different technologies that a smart lock can use to connect to a hub. One of them is Zigbee, which is an open standard, which plenty of you are probably familiar with in commercial applications, and we also see a lot of home devices that use Z-Wave, which is a proprietary standard. In this case, I found out that the system was using Z-Wave, so I bought the Z-Wave technology. I bought the hub that they were using; it was off the shelf. And I started talking to other people who had seen the system deployed about how it was deployed in their
apartments, and then I started looking at those various devices individually and connecting them together to find out ways that those could be exploited. So yes, I was up at 2 a.m. and I was drilling through locks with a power drill in my bathroom, which was probably a violation of my lease to begin with, but I'm trying to figure out the ways that somebody could physically open this lock. So let's see if this touchpad lock that's being used in these deployments can just be opened physically, like the physical lock on my door right now could be picked or bumped. And I needed help, and I didn't have enough pride to say no, I can
do this by myself. I had one week, and there's all these parts of the system that needed analysis. So I started a Google Doc, and I started asking a bunch of questions about the security of the system and its various components, and started posing hypotheses about ways it could be exploited, and I got a couple of my friends, actually it ended up being like eight friends to begin with, and they were all credentialed security experts and locksmiths, and I said, look at my questions and what I found and tell me I'm crazy; try to disprove my hypothesis. So it's very important when you're doing security research to pose a
hypothesis, know what your hypothesis is, and then have somebody do a sanity check and try to disprove your hypothesis. Peer review is very important. And I found out very rapidly, as I started talking to people about this and people started reaching out to me about my tweets, that I wasn't the only one who had had problems with this. I was the only one with a substantial reach and voice on the internet, but I spoke to several cybersecurity people who were tenants at other buildings who had the system deployed, and they had sent in questions to their management, they had gone to the town halls, they had asked about security, they had asked about privacy, and they hadn't gotten any answers
whatsoever, and they had given up because they just got blown off. They had gotten no answers, they got no responses, they got told that they were crazy, and they were all moving out. They were all giving up on their homes; they weren't renewing their leases; they had either started packing or they were moved out already, which is very alarming. I mean, there's nothing that really hits you more in the feels than something that impacts the safety of your family or your personal safety or, you know, your ability to live in your home. So that was really sad, but they did help me. They were excited that somebody had a shot to do something about it and
actually use some security research. So then they sent me everything: they sent me photos of everything, they sent me IPs and MAC addresses, they sent me the firmware off of the hub, they sent me all of their communications and the research they had conducted. Some of them had done some interesting software reversing and analysis of the network traffic the device sent. So we had about a week with this information, and I had some very, very scary questions to ask, so I kind of broke it down into eight questions. Are there any substantial security issues with the lock itself? So if the lock is just on the door, it's not connected to anything, is there a physical way
that I can override this lock, or a digital way that I can override this lock, just standing there without it connected to anything else? Does the lock send data reasonably securely to the hub? So the hub is doing the communications between the smart devices and the internet; how is this hub, is it reasonably secure, have they done any security audits on it, or can it simply be exploited, does it have a web portal on it? Does the hub send data securely through the internet; is the data encrypted, etc., etc.? And who receives the data, and is it stored and retransmitted securely? So who's getting this information about when we're home, what are they doing with that information? Will this level of security be
maintained over time? What happens when these devices start leaving support? What retention, privacy, auditing, and security policies are in place? Are they going to resell information about what we do in our homes? Who does the data belong to, and who will they share it with? Even if our property managers own the data, are they going to monetize that, what are they going to do with it in the future? And basically those all boil down to one simple question: how could the system realistically be abused, and does that pose more risk in any practical scenario than a physical Kwikset lock like we have on most apartments, with the master key? So let's make that a
hypothesis. Our hypothesis here is: there is a realistic scenario related to deployment, devices, or policy in which this system could pose a substantially higher safety, privacy, or security risk to a tenant than our typical apartment dumb lock. So I didn't have an Internet of Things lab in my apartment, and things were getting down to the wire. We were all trampling over this document trying to find as much as we could through open source intelligence, reading of reports, etc. So the wonderful, wonderful group of people at Dallas Hackers volunteered to help me, which was absolutely outstanding, because they do a lot of Internet of Things hacking and investigations. So they got everything; they got all of the hardware, they got
the firmware for the hub, and they started tearing it apart. And in our investigation we found out that the vendor installing in my apartment building was also releasing a home-rolled... their own... they were building their own hub, and we knew who was building it, but we couldn't get access to one in time; it hadn't been deployed anywhere. But we did go through, we did a lot of investigation on the internet posts about it, so we followed this guy who was building this hub. We started looking at every question he asked on Stack Overflow, and, you know, what was he posting to Twitter, it's not addressed, so we started watching everything that he was doing to
understand what he was doing as he was coding the new hub. So Dallas Hackers took all that information and started doing some investigation of the devices, and I want to send some thanks, some greetings out to some people who were very kind in both helping me work on those hypotheses and also doing an actual physical investigation of the devices. I don't think any of them are here today, but hopefully they watch this someday, and I am so grateful for their help. There's other people who wish to remain anonymous too, so you're all amazing.
[Applause] But the really scary thing is, as I had mentioned previously, this was not just my building; it was not just my property management company; it was several of the top 50 property management companies in the United States. There are multiple vendors building this technology in a space that's brand new, and it's full of competing products for smart apartments in the next few years. So these systems, this type of system, are being deployed in over a million apartments in the United States through multiple vendors and multiple property management companies. This will likely change the face of renting in the United States in a few years; it will not be possible to find a modern updated apartment that doesn't have a smart lock,
that doesn't have smart thermostats, that isn't monitoring your activity and usage. And really, ultimately, in one week there was less than 20 of us doing this research. So I went to the meeting. The week was up; I didn't sleep for several days. I went to the meeting with 15 pages of security concerns that we had found. I brought a demo in case they wanted to see me break into one of their locks. The property management company... I felt so bad for these people. I don't even, when I get a badly cooked piece of fish at a restaurant, I'm like, I can't eat this, I don't return it, I just pick around it,
the dinner was very nice, tip 20-something percent, lady. I'm not a confrontational person, and this killed me. I went to this meeting and I felt so bad. The person from the vendor had been working for the vendor for one week. The property management company had clearly been hearing all the paranoid complaints about this system, the irrational stuff, aliens are gonna monitor my brain kind of things, and she was just like... I come in here with a stack of papers and a lock and some lock picks and stuff, and she's like, what? So she was incredibly, incredibly patient, and I mean she was in a bad situation; she is a product manager on this, she
wasn't a technical person; there was no technical person there. And yeah, I mean, I went through all the concerns with her. We sat there for like an hour, and she answered a couple of them, like who owned the data. In the case of my building, the property management company owns the data, which is something: at least the startup isn't going to resell it. But they couldn't say much about their privacy policy or anything, and they said, yeah, you're gonna have to send these concerns in in writing. So I got their mailing address and their email, and so we sent a certified letter. I had eight different very well credentialed experts co-sign with me. I'll show you the letter
in a moment, so you can take a look at the type of stuff that I sent, for your own reference. It was a very formal letter. I requested an exemption again if they couldn't address my concerns with security and privacy. I next-dayed it, next-day certified mailed it to them, and I started mentioning that I was gonna seek legal counsel if they couldn't resolve these concerns. So yeah, you can take a quick look at my letter. Obviously underneath I had all the concerns with the system that we had found: potential vulnerabilities, potential upkeep concerns, data privacy concerns with their privacy policy. We had lawyers look at their privacy policy, and yeah, I mean, I was as
courteous as I could possibly be, and a lot of people looked at what I was sending in to make sure I was accurate on everything. But yeah, this is what we came up with: I do not consent to this attempt to add new terms or additions to my existing lease. I do not consent to the collection of my personal data, including usage data, and I am opting out of this installation for the duration of my tenancy. So yeah, I sent it out. And, what is it, free time last night when we were chatting at dinner, we voted... I sometimes tweet, some people follow my Twitter, and my saga here gathered a lot of attention, and I
started getting all kinds of emails from reporters and the like: we want to cover this, we want to hear your story, we want to put it on the news. And I didn't want to get evicted; it's a scary situation again, and I wanted to be courteous. I wanted to approach this through responsible disclosure, and so I said no to pretty much everything. I deleted all my original tweets because they were just too frazzled, and I posted a blog about everything that we had found, without naming company names, and I discussed my essential concerns and my situation, and it got thousands and thousands of views right away. And within a few days, three of the vendors who built
these systems had contacted me directly asking for security advice and to talk about my blog, and I gotta tell you, they really seemed to genuinely care about security, these three startups, and they had a lot of interesting ideas about security. Like, they were like, well yeah, we'd love to have wired segmented connections to the apartments, but nobody's willing to pay for it. There is a big market push in this industry right now to push fast, get these smart apartment systems deployed into the million apartments as cheaply as possible, do it as fast as possible, and these companies need money, time, and people to do it securely. So it's not necessarily the smart apartment vendors who are at fault for there being security
flaws in these systems. Yes, they have responsibility, but they're getting pushed to do cheap and fast over secure; they're not going to be paid to hire more security professionals by the apartment vendors or the apartment management companies. Some of the issues that I brought up had never been brought up before; they didn't have anyone who was like dedicated IoT security at some of the firms. And I gotta say, the reaction tended to be very promising. I was asked to speak at a property management company conference last month in San Francisco, and it was full of these companies, and they wanted me to be their first speaker of the day, come up there and talk about everything that I
had found, and it was really outstanding. They were incredibly supportive, and they wanted to hear what I had to say. But let's talk about the major issues with this system. So first of all, your threat model is not my threat model. Definitely your risks surrounding these smart systems are the threats that you individually face, but the problem here is that renters don't really get a choice in these systems. They are getting deployed; it's a freight train; it's not stopping. And I will add the caveat here that a touchscreen lock really is, in a lot of ways, if it's a decent one, more secure than a Kwikset lock, which is practically... no, it's a deterrent; it practically
provides no security at all. So yeah, you can't pick it, you can't bump it, that's great; it's pretty hard and annoying to drill through it. But think about certain people, certain vulnerable groups out there: abuse and stalking victims, sensitive jobs like journalists, like human rights activists. Think about somebody being able to open this lock over and over and over again through exploitation instead of physical means, in their caves... how terrifying that could actually end up being. There's a lot of liability and legal questions for the property managers and vendors, and there's an expectation of resident privacy, but we don't have any answers about what that privacy should be. There's no
legislation in that space yet, so we really don't know what privacy protections residents have. So the first major issue is PIN codes. When you have a key in your pocket and somebody steals it, you know that key is gone; unless you're really inattentive and you don't open your door that day, you know that key is gone, that it's been stolen. If somebody looks over your shoulder when you're entering in a PIN code, they know that PIN, but nothing's been taken away from you. So there's a lot of problems with using PINs for door access, especially if you never change them or you don't encourage your residents to. Master codes for the locks are a quagmire. Yes, you don't have to do physical key
escrow once you start converting to one of these systems but is it unique per unit because you can pull it off the lock by pulling the lock part what happens if the Installer inspired to all the in codes get changed what if they get arrested how do you go to all those apartments and change the master pin codes yeah you can't take it away from the person's memory like a physical key yes this can be good it can be better than bad physical keys bro but you have to do it right touch pad locks are not for us as residents they look really cool yes and they make cool teepee noises and they're really fun property
management companies love them though because a lot of them really don't like subletting or Airbnb and stuff and being able to monitor who you wish encodes too is awesome for them making sure you don't issue too many guest codes making sure you're noting they know they have a log of who you're allowing into your apartment they don't have to do that physical key escrow anymore which is expensive they don't have to physically rekey locks by inserting new cylinders they can issue one-time quotes or maintenance so it's a big cost and time saver for the property management companies but there's a lot of problems with putting those touch screen locks and buildings first of all they're not
even a compliant they are not approved for use by the blind or usable by people with vision problems they can be very daunting to non-technical people they are not usable like certain religious groups who can't use technology either all time over and in the case of these blocks that have no physical key override there's no external override a case lock fails so yes there's a there's an override on the inside of the lock you can get out of the apartment if there's a fire but if the lock fails and you're outside and your kids locked inside there's a jump board on some of the locks where you connect a 9-volt battery and hope for the best but if the box really failed
you have double locks that come out and throw through the lock to get your fire door open and in fact I will note that in the case of this Yale lock that I was looking at they say specifically and uses manual not to install up in departments with one entry point obscured policies and procedures any company handling this type of sensitive data should have at least three things in place a dataview response plan so what happens if our data is breached an instant response plan what happens if we're hacked or infected and a vulnerability disclosure program who does somebody like Leslie talk to when there's a problem with the system none of the companies I spoke to have all
three initially. Some of them are working on them now, but this isn't great from a trust or a liability perspective.

The routers and the hub. In the case of our system, they were plugging the hub directly into people's personal home routers, so your Comcast router. Yeah, so I won't ask this question, I've asked it elsewhere, but think to yourself, or raise your hand: have you changed the password to your Wi-Fi in the last year? Yeah, most people do not do that. Most of these home routers, especially ISP-provided ones, are not really great security devices. So plugging this hub into a router is plugging it into essentially unsegmented access to their wireless network, and there's not necessarily any security provided at all on this router in terms of what's coming in from the internet or going out. So who's legally or financially liable if this hub is exploited and then in turn used to compromise the resident's home network, or if they work from home, even their employer's network? We know that the router is providing practically no security or isolation from Wi-Fi, so how is this hub helping to protect itself? It's sitting out there totally exposed, potentially on wireless and over the internet. How good is its defense? Has it ever had professional security testing? Is anybody doing it on it? Is it monitored for administrative logins? If somebody gets on their local network and attacks it or brute forces it, do they notice?

So the scary thing that I was trying to lead to earlier is there's this scenario here for sensitive groups of people where this system could possibly be exploited in a way that there's no physical evidence of tampering. So imagine a scenario where you plug this hub into the router in your house. Somebody stands outside, they crack your Wi-Fi. Obviously WPA2 is super secure. It's not. It's not secure. I don't even want that sarcasm to be missed there. Yeah, so imagine a scenario where you came there a year earlier and you cracked into their wireless network, and now you've had access to their wireless network whenever you like. Now you can go up there and attack that hub whenever you like, and if it's vulnerable you can keep opening that door. You can be like unlock door, unlock door, unlock door, and now all of a sudden you've got a really scary situation where like a stalker can open the door of the house anytime they walk up there with a laptop. And the problem there is that I know that law enforcement agencies do a lot of work in catching criminals, tracking and catching stalkers and abusers, but they're incredibly backlogged at their forensic labs. There's countless cases that talk about people getting off on horrible crimes because of delays in forensic analysis of devices, and if they even have the capacity to do forensics on Internet of Things devices, there could be months of backlog to figure out what actually happened, was the device exploited. So this is an ugly situation. You know, a big local police department might be able to figure out a lock was picked or bumped or drilled, but determining that this complex system of smart devices has been exploited, even repeatedly, is going to be much, much trickier.

So a follow-up on Dallas Hackers: yeah, they heard that hypothesis that bad things would happen to certain groups of people, and so yeah, this is how fast they can open this lock now. They built an auto home sis script. Thank you to Charles, Darwin and III. Yeah, that was
yeah, holy cow. So yeah, many thanks to them, that was extraordinary research, and they're still under responsible disclosure, but they will be giving a talk on this research in the next few months once they're able to.

So what I recommend to these companies: don't connect it at all, or connect it to a separate closed network. Please use a dedicated network for the hubs. Don't put them in people's apartments where they can attack them over the network or attack them physically. Put them on a wired network, lock the hub up somewhere where people can't access it, and then, you know, do responsible security auditing of the devices to make sure they're secure. We're not the only people who are going to take these hubs apart. They're sitting on top of people's Comcast and AT&T routers, they're just sitting there, and people are going to bang at them ad infinitum, and they're not necessarily going to disclose responsibly.

So then, internal security. So they've got all this data now. Even if they don't retain that data about when your door is opened and closed, etc., it's still traversing their environment. The data about when your door is opened and closed, when you're changing your temperature, when you're home, when you're not, that has traversed their infrastructure to get to your phone or to get to the property management company, who's also monitoring the information, and that data has value to criminals. Maybe not the casual thief who's breaking into your house to steal your TV, but there's a lot of reasons why people would want that information about where and when a million people are home and not home in their properties, or what their PIN codes are, what their master PIN codes are for their locks, and these other things. Security staffs are mostly small. There are a couple people who have to wear a lot of hats. Please, companies, don't expect one security person to wear the app security hat and the device security hat and the internal security hat; that's so much. And of course we have basic expectations, I'm not going to go through them all, for personal security and private data handling, but we're hoping that they're using strong encryption to send the data. We're hoping that they handle PINs responsibly, that they're salting and hashing them; that wasn't the case everywhere that I spoke to. I hope that they're doing routine security assessments of their environments and their devices. I hope that they're not just blindly trusting the cloud to do the security for them, and even the big guys who do IoT and smart devices get compromised.

Long-term support is really scary to hear too, because it doesn't seem like anybody at the property management companies is really thinking through it. Long-term isn't a thing in IoT. You can put a Kwikset lock on an apartment door and use it for 50 years. The lock on the door that's a smart lock, it's electronic, that's gonna have a lifecycle of maybe five, maybe ten on the outside, years, and then that lock has to go. It's no longer getting security updates, it's no longer supported, and we need to know who is responsible to support those devices. What happens when they go out of support, who's gonna replace them, what are they gonna do if there's a critical vulnerability and they have to be replaced, and are all these security and response things contractually obligated to be done? Nobody really had an answer for that question.

In terms of privacy I saw the whole gamut. I saw companies where there were overt plans to sell the data, "we sell the data anonymized for various reasons," and then I saw companies that were like, "no resale of usage data, that's not our policy," but none of them really had a substantial privacy policy that said either one. They were all kind of like the big copy-paste privacy policies. So yeah, I'm buying a house. And I can't say that legislators do care; I've spoken to some people in legislative areas and there are people investigating this and
talking about it, and we've seen some high-profile news cases about this in New York specifically recently, but not every resident out there in an apartment understands these issues. They don't understand what they're being signed up for and they may not care. It's a small group of us who are thinking about these issues, and I will say one of the biggest issues in my case was resident communication. I was very pleased in a lot of ways with the response I got from the smart apartment vendor. They were pretty great people, they were really nice, they do a lot of community work, they seem like good folks. But the property management company, I still haven't gotten a response to that certified letter I sent. It's been three months and I've got nothing back. The vendor stepped in to exempt me when I brought my case to them, and once this became high-profile, yeah, they've had to step in and override my property management company and say we don't want to put it in. It's like returning food at a restaurant, super bad. But yeah, the privacy policies were incomplete on both sides. We were never provided any written agreement about this whatsoever. It was like, we're going to come and plug this into your router. Okay, do we have a choice? No, we're gonna come in, plug this into your router, use up your internet bandwidth, whatever, deal with it, okay. There were a lot of security people I spoke to who again had brought up these concerns and didn't have my platform, and they were ignored, and I'm still getting messages from people. I got one this week from somebody with a completely different vendor who was like, I've got to move out, they didn't respond to me, I don't know what to do. I'm really lucky. I have a community to support me, I've had a wonderful community, I had a lot of people who came together to help me on this and do research with me and, you know, constructively look at the things that I found. But what if I was an unknown victim of abuse or a victim of stalking? What if I was a journalist covering sensitive stories, or like an engineer working on sensitive projects, and what if I didn't have these resources, or my security expertise, and the audience that I have online and at cons like this? I was at the right place at the right time to tackle this issue; it was less so for me, but, you know, it could have been... yeah. I hope you guys know, but I can't be the only person advocating for added security in these deployments, and I can't fix every problem that tenants have brought to me. They're all asking me for advice now on security, and I have a job already; I can't consult for them. I will help them as much as I can, but there's nowhere to send them. There's no vendors in this space doing security. There's no one, there's no experienced company that's an expert at all the areas of smart apartment security and Internet of Things devices. But this is the future of the rental market, this is where we're going. If you live in an apartment and it's a major rental company, you're going to be seeing this in the next couple of years. So here, you know, I'm the foremost expert on smart apartment security. Anybody who has a question about this or is having trouble with their own building, they reach out to me, which is a lot, and again I have a full-time job, actually I have multiple full-time jobs, and yeah, it's a lot. I've been on NPR speaking about this and on a couple of news programs, and I've spoken to researchers, lawmakers, and of course Dallas Hackers is going to release their research fairly soon, but you know, it's been a lot.

So what does it mean for you as a tenant, though? Well, here's the list of property management companies that are publicly and directly investing in this technology. So if you live in an apartment of one of these companies, this type of technology is coming to you. Sorry for the bad news, or good news if you really love smart home tech: it's coming. And there's more companies than this too who are purchasing the technology
who haven't invested in it. Smart technology isn't necessarily bad. It carries a lot of concerns that I've mentioned, because there are a lot of questions that need to be answered and there's a lot of security avenues that need to be followed. I definitely don't want you to get the impression that these companies are evil, either the property management companies or the smart apartment companies. The smart apartment companies are responding to a market request from the property management companies, and the property management companies, yes, there are reasons why these technologies are cost-saving for them, but they're also getting requests from their residents to have smart thermostats, things like that. It's cool for the residents, so they're asking for them.

So there's next to no legislative or tenant protections from this happening in your apartment right now. There's some potentially coming in New York, and that's about it. If this happens to you, there's not a lot you can do other than be a responsible security person, but I will implore you to continue my work and try to hold property managers accountable for answering the questions I brought up today. Make sure they have proper privacy policies, make sure they have a plan for how they're going to update their devices and how they're going to secure them across that whole chain of devices, and if it's not for you or your family, then do it for the people who are vulnerable.

And as security professionals, we made a difference. I was up there speaking in front of, you know, dozens of property management companies and smart apartment companies a few weeks ago. They were listening; they really wanted to know how to do security better. We made a difference, all of us together, in doing this research and responsibly disclosing it. It was very important that we were courteous and had good conversations with those companies. It's very important that I tried to stay rational, and I had people very carefully peer-review my work and try to disprove my hypotheses. But speaking up really mattered, and sometimes in security, especially when we get blown off on disclosures over and over again, it can get disheartening and we can be burnt out trying to report this type of stuff to people. But in this case it really did matter. People really did listen and they're making changes. Some of these companies have instituted policies, they've got incident response plans now, they've got data breach response plans now, they've instituted vulnerability disclosure programs. Things really happened because of this and they were really important. Sometimes people just don't have the security background to know there's a problem, and I will mention that a number of those multifamily technology companies reached out to me to find people in security who could help them. They were like, who can be hired, tell me who I can hire today to help me do this. And yeah, they're still looking for people. They need help to do this. They also need money from the property management companies to invest in security, but they're also looking for innovative smart security people to build out their systems better.

So that's what I really want you to take away from this: we've done a lot, we've made a really big difference, and we've changed some of the ways these systems are being deployed. A lot of the major security vulnerabilities in some of the vendor systems have been fixed, but there's still so much work to be done, and I need all of your help out there, because there are those vulnerable people. There are people who are stalking and abuse victims, there are people in other sensitive positions who could really face a lot of trouble if data about when they're home, etc., leaks, or a device is used to compromise their home networks. So please help those people, please help your families, please ensure that we don't end up in a dystopia where everything we do in our apartment is monitored and resold to third parties. We need your help. Thank you.
If anybody wants to ask anything about this whole debacle, I'm happy to answer it. Or yeah, really, it's too much information, it's too early in the morning.

Oh, so most of the vendors, if you don't have internet in your apartment, they directly connect a 3G dongle to it. Now they know that's a problem, and a couple of the vendors that I spoke to are like, well, there's now these dongles that have VPN tunneling capacity built directly into the dongle, and I'm like, yeah, that's better, that's better in theory, but that costs money. Yeah, anything else?

So everything functions if the power goes out. There is a battery backup in some of the vendors' hubs. You can't obviously do any of the network functionality, but the lock will still work because it's battery-powered. Now in the cases of the vendors that are using wired locks that use building power, that is a problem. Anything else?

I really don't want to name any vendors in this talk; we can talk about it offline. But I've worked with four vendors now and I definitely have personal opinions now on who's doing a better job in building in security, but those four vendors at least have made a concerted effort to increase their security after this all went down. So yeah, it was really, really good. I couldn't believe it; I thought it was a scam, the initial email from them. They were like, you made a huge difference in our community, you don't know what you've done, you fixed this huge problem, and I'm like, I'm just waiting to see if I get evicted or not. So yeah, I mean it was really generally very good; I mean it was probably the best feedback I've ever gotten from a disclosure before.

Oh, a master code for emergency services? I think it really depends on the property management company and the property. They can definitely configure that, but then you've got another master code issue.

For which part? I haven't seen any of them deploy two-factor to anything yet, but I could be wrong, they might have done that recently. But I wish I saw more two-factor in terms of, like, issuing codes, things like that, but no, I haven't really seen much use of it. I'd have to get back to you on that. I don't remember seeing anything that had a push notification on, like, doors opening. It was a little bit more simplistic than that.

Well, IoT devices in general, yes; tenants of... yes, but it's a very limited subset of law enforcement. Because I mean we see a lot of law enforcement doing like automotive forensics, so yes, there is IoT forensic work done in law enforcement, but a one-year backlog on even just doing analysis of phones and computers, that's a lot to ask. Again, that kind of depends on the property management company. I would presume in most cases the property management company would issue a code for the door to unlock it. Yes, in my case, yes, there's building access and the unit access.

I have not, unfortunately. I mean, and again, I'm one of the few; you know, everybody else in my building was really excited about it being deployed. And the thing I'm trying to convey here, it's not that we should just blow it away. This is coming, this is happening. Leslie can't stop this from happening; it's a freight train, this is happening. And what I would want you guys to do is, when it comes to your building, and it will likely come to your building if it hasn't already, ask these questions and make sure they're responsibly doing security, because it really... You're gonna have to talk to Tinker and Charles and those guys. Yeah, you're going to talk to them. It depends on when they get approval from the smart apartment company once they're done patching, fixing things.

I'm not planning on putting a smart lock back in my house, but actually there's nothing really wrong with smart locks. It's all a matter of how you connect them and what you do with what makes them smart. You know, the electronic lock by itself can be very secure compared to a Kwikset, which anybody can bump open in a few seconds.

That's what I'm scared of. That's one of the things that scares me. There's two major things that scare me: there is the device becoming vulnerable and being exploited, and the other thing is the privacy concerns of either the property management firms or the vendors reselling the data.

Oh, I didn't really bring it up. I don't know, me neither, so I'm an introverted security person, but like, I didn't really bring it up to my neighbors. I did bring it up on Nextdoor and stuff and I did have a chat with some people in my community through there, but yeah, I mean most everybody thinks I'm crazy, but then again we just watched the video of how fast you can pop these locks, so maybe I'm not completely crazy.

I'm sorry, I can't... you're a little far back. No, none of us are able to get out of it early. There's no legal protections against these systems for the most part. Renters' rights in the U.S. are pretty... except New York City, stuff like that. You don't have a lot of protections; nobody's built in protections against digital systems yet, because nobody's thought of that. So the requirement the law has for your door is that it provides an adequate level of security. You would have to go to court and prove that an inadequate level of digital security is equivalent to, is separate from, an inadequate level of physical security, somebody picking the lock, because they can make the argument that if somebody comes up with lock picks, this lock is more secure; it does make your apartment more secure. But of course there's now this whole separate view of digital concerns which can in other cases make the lock less secure.

No, not in my case. I would have loved that, but yeah, that's not allowed in my case. Anything else? I think we're kind of out of time.
You guys have seen these, but it's kind of cool that we joke about it, but it's a little bit like the Emmys, and whenever I get an opportunity to have somebody cool in town and talk about something really relevant to me... it's just unfortunate. Can you give us a round of applause for all of our speakers? We have these BSides Kansas City speaker awards.