Abusing P2P to Hack 3 Million Cameras: Ain't Nobody Got Time for NAT

Conference:  Defcon 28



To a hacker, making a bug-ridden IoT device directly accessible to the Internet sounds like an insanely bad idea. But what's *truly* insane is that millions of IoT devices are shipping with features that expose them to the Internet the moment they come online, even in the presence of NAT and firewalls. P2P, or “peer-to-peer”, is a convenience feature designed to make the lives of users easier, but has the nasty side effect of making attackers’ lives easier as well. Come for the story of how supply chain vulnerabilities in modern IP cameras, baby monitors, and even alarm systems are putting millions at risk for eavesdropping and remote compromise. We'll talk about the hoards of IoT devices that exist outside of Shodan's reach and the botnet-like infrastructure they rely on. Learn how to find P2P networks and how to exploit them to jump firewalls, steal camera passwords over the Internet, and correlate devices to physical addresses. We'll demonstrate how to snoop on someone's video simply by using your own camera – and how someone may be snooping on your video, too.



Post a comment

Related work

Conference:  Black Hat Asia
Authors: Fyodor Yarochkin, Zhengyu Dong, Vladimir Kropotov, Paul Pajares

Conference:  Defcon 31
Authors: Alan Meekins Member, Dataparty, Roger Hicks