Thursday 25 September 11:30 - 12:00, Green room.
David Jacoby Kaspersky Lab
In the IT security industry, we are at the moment releasing articles about how hackers and researchers find vulnerabilities in, for example, cars, refrigerators, hotels and home alarm systems. All of these things go under the term 'IoT' ('Internet of Things'), and it is one of the most hyped topics in the industry. The only problem with this kind of research is that we cannot really relate to all of it.
I decided to conduct some research of my own, trying to identify how easy it would be to hack my own home. What can the attacker actually do if these devices are compromised? Is my home 'hackable'? Before I started my research I was fairly sure that my home was pretty secure, I mean, I've been working in the security industry for over 15 years, and I'm quite paranoid when it comes to applying security patches. It turned out I was wrong, and that I had a lot of devices connected to my network.
Just imagine a scenario where you notice that you have been compromised, you do everything that's written in the book to bring things back to normal again, you do a backup of your data, reinstall your devices and make sure that the new installation has protection against malicious code, all updates are installed, but then six months later, you get compromised again, and all your new data is stolen. An attacker might have compromised your network storage device and turned it into a backdoor - which is undetected and unfixable unless you replace the entire device. This is what I tried to achieve in my research.
Several '0-day' vulnerabilities were discovered in my devices, which allowed me to obtain unauthorized access to all my files, obtain administrative access on most of the devices, and also install backdoors on the devices, transforming them into zombies in botnets. Even some 'hidden' features were identified in my DLS router, allowing someone to actually take control of my device. The only question left is, who is that 'someone' and how do they get access to my device?
(All vulnerabilities have been reported to the vendors, and who are currently working on fixing these vulnerabilities. This research is 100% fresh, and was only finalized very recently!)
David Jacoby was born in Sweden 1981 and as a kid he had a passion for breaking stuff - at least that's what his parents say. David's professional career started when he was hired by various companies in Sweden to break into their systems. In 2001 David started to work as 'Chief Hacker' at the automated vulnerability scanning vendor Outpost24, where he worked for seven years before he went back to breaking things as head of R&D at TrueSec. During his time at TrueSec he was recruited by Kaspersky Lab, where he now works as a security evangelist and is head of research in the Nordic, BeNeLux regions. David is a known face and name in the IT security industry around the world, mostly from his wild and provocative presentations, and his unique presentation style. When he is not doing IT security stuff, he collects horror movies on VHS, and renovates old retro computers.