"Smart lock? Nah.": Pwning a smart lock with Python

Anirudh (~icyphox)


Description:

With the digitization of nearly all things imaginable (or, in buzzword terms, the Internet of Things), "smart" devices have become the norm. This talk tells the story of one such smart lock we picked up on Amazon, and how we pwned it. Using Python, of course.

This issue has been assigned CVE-2019-13143.

Who is the talk for?

  • Security enthusiasts
  • Hardware and IoT developers
  • Or just anyone who finds the absolute state of IoT security today laughable :)

Brief outline of the session

  • Speaker(s) Intro [2 mins]
  • The IoT security scene today [5 mins]
  • The lock and its companion app [3 mins]
  • How we approached the lock (what didn't work) [6-7 mins]
  • The bug, the (Python) exploit and the disclosure [10 mins] (Including a video demo)
  • Conclusion and Q/A [5 mins]

Potential takeaways

  • An insight into a new domain in security
  • A lesson on "smart" devices
  • Applied Python in security

Prerequisites:

  • Basics of Python requests
  • Some level of understanding of application security

Content URLs:

PoC video (tweet).

Slide deck.

Blog post.

Speaker Info:

Speaker 1 — Anirudh

I'm a computer science major at SRM IST, Kattankulathur, Chennai. My primary interest is computer security, and more specifically — offensive security, digital forensics and privacy. I'm also a security researcher/CTF player at Sector443, an infosec community at our university. I've worked closely with a lot of organizations to provide security solutions, and have conducted pentests on their infrastructure. Apart from security, I actively contribute to open source projects, my favourite being the Nim programming language.

Speaker 2 — Raghav

I'm also a CS undergrad at SRM IST, Kattankulathur. I've been into hardware security for over 3 years. I do security research at Sector443 too.

Speaker Links:

Anirudh's links

Raghav's links

Section: Networking and Security
Type: Talks
Target Audience: Intermediate