Who Controls the Controllers—Hacking Crestron IoT Automation Systems

Conference:  Defcon 26



The presentation discusses the Crestron device and its potential security risks.
  • Crestron devices are embedded systems that can be found in various locations such as hotels, universities, and rich people's houses.
  • The devices use a programming language called S+.
  • Access to the TTB Hawaii vault is crucial for cybersecurity purposes.
  • The devices have potential security risks, such as default settings and reliance on installers for errors.
  • Crestron has released updates to address these issues.
The speaker mentions a partnership between Crestron, Intel, and his favorite off, which resulted in an embeddable device that can turn all the minutes interactive things something up. He also talks about the deployment of Crestron devices in various locations, including conference rooms and offices.


While you may not always be aware of them or even have heard of them, Crestron devices are everywhere. They can be found in universities, modern office buildings, sports arenas, and even high-end Las Vegas hotel rooms. If an environment has a lot of audio/video infrastructure, needs to interconnect or automate different IoT and building systems, or just wants the shades to close when the TV is turned on, chances are high that a Crestron device is controlling things from behind the scenes. And as these types of environments become the norm and grow ever more complex, the number of systems that Crestron devices are connected to grows as well. But it is in large part because of this complexity that installing and programming these devices is difficult enough without considering adding security. Instead of being a necessity, it's an extra headache that almost always gets entirely passed over. In this talk, I will take a look at different Crestron devices from a security perspective and discuss the many vulnerabilities and opportunities for fun to be found within. I will demonstrate both documented and undocumented features that can be used to achieve full system compromise and show the need to make securing these systems a priority, instead of an afterthought, in every deployment. In short, hijinx will ensue.



Post a comment

Related work

Conference:  Defcon 26

Conference:  Defcon 27

Conference:  Defcon 31
Authors: Christian “quaddi” Dameff MD Physician & Medical Director of Cyber Security at The University of California San Diego, Jacqueline Burgette, DMD, PhD White House Fellow in The Office of National Cyber Director (ONCD), Jeff “r3plicant” Tully MD Anesthesiologist at The University of California San Diego, Nitin Natarajan Deputy Director for the Cybersecurity and Infrastructure Security Agency (CISA), Senator Mark Warner Virginia Senator and Chair of the US Cybersecurity Caucus, Suzanne Schwartz MD Director of the Office of Strategic Partnerships and Technology Innovation (FDA)