Missed the talk?
No problem with CCC-Media!
The live talk from 28.12.2018 was recorded by the CCC and will now be streamed on the Internet. The talk was translated simultaneously so that the video recording is available in German, English and Spanish.
At media.ccc.de you also have the possibility to watch further exciting talks from the last years of the Chaos Communication Congress.
When smart bulbs look bad
Michael Steigerwald, one of the founders of VTRUST-GmbH, will reveal delicate findings at this year’s Chaos Communication Congress (35C3) at the end of December under the title “Smart Home – Smart Hack; How the path to the digital home becomes a walk”. While voice assistants and networked lighting are considered to be the bestsellers in the Christmas business, their impacts on the digital privacy of their users are rarely discussed.
In the following you will find all important information about the lecture as well as the review, consisting of the results and solutions presented.
How the way into the digital home becomes a walk in the park
More than 10,000 different device manufacturers from all over the world use the basic platform (WIFI module, cloud, app) of a single company to technically implement their smart home products.
The analysis of this base shows considerable security deficiencies, also of a conceptual nature, and thus various points of attack, which affects millions of smart devices.
The lecture will present the functionality of smart devices in relation with the above-mentioned basic platform, show the extent of the security gaps using various attack scenarios and offer the community a solution for the secure use of the affected devices.
For the tests on which the lecture is based, various light bulbs and sockets from different manufacturers were ordered and tested. It was immediately noticed that an ESP8266 (very cost-effective 32-bit microcontroller with integrated 802.11 b/g/n Wi-Fi) from the Chinese company espressif is very often used.
Further investigations showed that the same cloud and the same basic app from a Chinese IoT module manufacturer are used in addition to the WIFI module used, regardless of the printed manufacturer of the smart devices.
This basic platform gives anyone worldwide the possibility to become a reseller of already finished products, such as “Smart Bulbs” and “Smart Plugs”, or to bring their own smart devices onto the market in the shortest possible time, even without having in-depth technical knowledge of IoT or IT security.
The analysis of the “smart” devices using this basic platform is generally frightening. The simplest security rules are not followed and there are serious systematic and conceptual shortcomings, which strongly affect the security of end users.
Due to the simple possibility of obtaining and placing such smart devices on the market, completely new criminal concepts are conceivable that could be put into practice even without a great deal of expert hacker knowledge. The talk presents the functionality of the examined smart devices in relation with the basic platform and shows the extent of the security gaps on the basis of various attack scenarios.
Finally, a solution to the security dilemma of using affected smart devices is offered, which makes it possible for even non-experts to safely use these devices in their own homes.
Results and review of the talk
As promised during the talk, we will subsequently publish the results of the talk in the form of the presentation slides in PDF format, the scripts used and instructions for the secure use of various affected devices.
In cooperation with the C’t editorial team, the scripts used were prepared accordingly and the instructions for using the devices without the manufacturer cloud were developed.
Managing Partner VTRUST GmbH –
Dipl. Ing. Electrical Engineering and Information Technology
Already during his studies of Electrical Engineering and Information Technology, Michael Steigerwald was a consultant for small and medium-sized enterprises in the field of network technology and security, before he worked for Pay-TV providers in the field of hardware and software for reverse engineering and security evaluation.
For years, he has been involved with the topic of Smart Home and also uses it privately on a large scale. He is therefore very familiar with the task of ensuring IT security at home.
What is the Chaos Communication Congress 35C3?
The 35C3, the annual expert conference and hacker party of the Chaos Computer Club (CCC), will take place for the 35th time this year from 27 to 30 December at the CCL in Leipzig. With over 15,000 participants, the largest hacker congress in Europe under this year’s motto „35C3: Refreshing Memories“ will focus primarily on information technology, networks, computer security and the make scene, but will also deal with the critical and creative use of technology and its effects on our society.
What is the CCC?
The Chaos Computer Club e. V. (CCC) is the largest European hacker association and for over thirty years a mediator in the field of tension between technical and social developments. The club consists of decentralized local associations and groups, which organize regular events and meetings in many German-speaking cities. The activities of the CCC range from technical research, campaigns, events, policy advice, press releases and publications to the operation of anonymisation services and instruments of communication.