[DefCamp 2016] Infecting Internet of Things

Those slides were presented at DefCamp in November 2016.


Every (security) researcher knows Internet of Things (IoT) are flawed: among other vulnerability, they often use unencrypted network, weak credentials etc. According to a survey of November 2015, the fear has even stretched out to consumers who perceive data or physical security as the highest downside of IoT. 


Malware, however, are a different story. Strangely, people do not believe connected objects can get infected. Even some security researchers do not get the point. "Who'd be interested in hacking my toothbrush?!" is a frequent answer. But malware authors need not be interested in the connected object itself as long as they can use it (e.g. to spread spam) or get/sell sensitive data (ransom, Trojan spyware...). This talk illustrates the point with demos and Proof of Concepts (PoC) malware for smart glasses and a smart watch (harmless of course). 


The first PoC is a basic ransomware for smart glasses. The second one is far more advanced and installs a hidden (and potentially malicious) application on smart glasses. The third one is a Trojan dialer for smart watch: a smart watch widget sends SMS messages. It is likely to go unnoticed for the victim because the widget works in low power mode, i.e without lighting up the screen.