WEBVTT

00:00.330 --> 00:05.670
What are the big challenges of all these smart devices is the wild amount of connectivity that they

00:05.670 --> 00:06.940
can take advantage of.

00:07.050 --> 00:13.680
So in this episode what I want to do is go through a number of specifically listed security plus objectives

00:14.040 --> 00:20.910
and talk about scenarios where these particular types of connectivity could be or in some cases are

00:20.910 --> 00:22.600
completely not an issue.

00:22.620 --> 00:27.300
So for me probably the easiest one to start with is probably the safest one of all.

00:27.330 --> 00:28.140
SatCom

00:32.840 --> 00:37.670
Why don't know about you but I don't find myself in a situation where I'm in the middle of the Pacific

00:37.670 --> 00:42.470
Ocean on the top of Mt. Everest and suddenly just really need to make a phone call.

00:42.650 --> 00:46.660
Anyway that's the world of satellite communication or SatCom.

00:46.670 --> 00:52.360
Now traditionally satellite communication phones have been proprietary dedicated devices.

00:52.370 --> 00:59.300
However the last few years we have seen a number of folks that create SatCom snap ons for your regular

00:59.300 --> 01:00.350
old smartphone.

01:00.530 --> 01:02.530
So here's an example of one right here.

01:03.380 --> 01:08.780
Now if you look at that you'll see it's just a regular old smartphone but you snap on this extra device

01:09.050 --> 01:15.730
and now you have a cell phone.

01:15.900 --> 01:21.450
The only thing I want to say about Bluetooth is that we cover Bluetooth security at other episodes.

01:21.450 --> 01:27.250
So certainly Bluetooth is common on wireless devices and it's something we need to be thinking about.

01:27.420 --> 01:29.430
But keep in mind we've already covered.

01:29.430 --> 01:34.390
Think about things like blue jacket and blue snarfing and some of the problems we have to do there.

01:34.440 --> 01:37.570
Otherwise Bluetooth is pretty much already covered.

01:37.590 --> 01:43.430
However one that is not covered is one of my personal favorites and that is near-field communication

01:48.240 --> 01:54.850
so near-field communication is a very very short range wireless connectivity.

01:54.990 --> 01:58.590
It's actually electronically very very similar to Bluetooth.

01:58.590 --> 02:04.720
The only big difference is that you need physical contact between two devices or almost physical contact.

02:04.720 --> 02:11.230
Now I'm using Android devices because we all know that Android is wildly superior to Apple devices but

02:11.260 --> 02:12.680
nobody is saying anything.

02:13.170 --> 02:17.080
And it's very easy to get NFC to work on Androids.

02:17.400 --> 02:23.250
I am not aware of any Apple products that support NFC that could even be a security plus question.

02:23.250 --> 02:28.350
So anyway if you take a look at these two screens on one screen at the bottom here I just have a default

02:28.440 --> 02:29.330
desktop.

02:29.670 --> 02:37.110
And on top here I have a web page open to an incredibly powerful amazing book written by my favorite

02:37.110 --> 02:39.180
author of all time Mike Myers.

02:39.210 --> 02:44.230
So what I'm going to be doing with that is see is I'm just going to take these two guys and press them

02:44.230 --> 02:45.200
together.

02:45.220 --> 02:48.140
Now it's going to take a moment but if you see there hey.

02:48.160 --> 02:50.200
Hold on let me show you Let me show you Let me show you.

02:50.470 --> 02:57.040
So you can see he's automatically transferred this one particular web page and open a browser and moved

02:57.040 --> 02:59.130
it over to the other system.

02:59.380 --> 03:02.530
Near-field communication is an incredibly powerful tool.

03:02.560 --> 03:07.210
It's one that I am surprised that people don't use as much as they possibly can.

03:07.210 --> 03:13.960
The only downside to NFC is that if it's turned on there's no security there's no PIN code there's nothing

03:13.960 --> 03:20.080
to prevent if you leave your phone on your desk or something like that I can walk over tap them together

03:20.080 --> 03:25.300
and grab what is ever on your screen at any given moment in this particular case I was using a web page

03:25.540 --> 03:27.370
but you gave your contacts up.

03:27.400 --> 03:30.000
You can have your bank information up whatever it is.

03:30.130 --> 03:31.500
And it just takes a tap.

03:31.660 --> 03:34.600
And I've got that information.

03:34.610 --> 03:40.310
So next I want to talk about one that I should be using a little bit more and that is a..

03:44.640 --> 03:51.040
The problem with Bluetooth and even NFC is that there's a lot of times where we have very very simple

03:51.040 --> 03:56.250
devices that need to make a wireless connection to a smartphone or whatever it might be.

03:57.070 --> 04:06.340
A entire standard called a 20 or a n t plus was developed that was primarily for things like bicycle

04:06.340 --> 04:13.360
odometers heart rate monitors practice bikes that you could see where you were how many miles you've

04:13.360 --> 04:18.890
got in and the anti and anti plus standards worked really really well for that.

04:19.120 --> 04:25.900
As of this writing I am unaware of any security issue that has ever taken place with AT&amp;T Plus that

04:25.900 --> 04:28.590
was at least big enough to cross my radar.

04:28.600 --> 04:32.320
It's a very very simple form of wireless communication.

04:32.320 --> 04:36.530
It is incredibly slow and incredibly well-protected.

04:36.610 --> 04:40.870
Now let's go back to one of the types that I really like and that's infrared

04:45.780 --> 04:52.700
one of the reasons I like Android compared to Apple is that most Android devices have built in infrared

04:52.710 --> 04:53.880
transmitters.

04:53.990 --> 04:55.140
They're not receivers.

04:55.140 --> 05:00.780
Once in a while you'll see a receiver but built into most Android phones although unfortunately it's

05:00.780 --> 05:03.460
starting to fade out is a transmitter.

05:03.480 --> 05:09.030
And what that does for me is I can be sitting at a sushi bar and if I don't like what's on the channel

05:10.020 --> 05:15.630
I can press some buttons with the right app and we're watching whatever I want to watch now because

05:15.630 --> 05:20.520
the infrared that's built into these devices is transmit and not receive.

05:20.670 --> 05:26.430
There's very little danger in terms of security for anything taking place within the phone where you

05:26.430 --> 05:27.930
can hurt the phone.

05:27.930 --> 05:34.200
The problem is is when naughty people like me go around to sushi bars or television production studios

05:34.200 --> 05:38.610
or anything where there's infrared receivers of any type for any kind of device.

05:38.670 --> 05:43.500
I'm just a guy who's mean enough to start pressing things and maybe I'll change your cable modem to

05:43.500 --> 05:45.260
something I like next.

05:45.420 --> 05:47.040
Let's talk about USP.

05:51.580 --> 05:57.310
USP is another one of these types of connectivity that we've talked about in other episodes so I don't

05:57.310 --> 05:59.150
want to develop that too much.

05:59.340 --> 06:01.300
You have to be pretty robust in and of itself.

06:01.300 --> 06:08.370
However there is one part of us be that can be a real problem for smart devices and that's called us

06:08.380 --> 06:09.980
be on the go.

06:10.060 --> 06:15.800
Now a lot of people aren't aware of this use B is traditionally a one way device where you plug into

06:15.820 --> 06:19.840
something and it just takes commands from that particular device.

06:19.960 --> 06:24.460
But you can make us be two way and that's what us be on the go is all about.

06:24.460 --> 06:27.990
For example I can take this phone plug it into my desktop.

06:28.270 --> 06:32.840
And now this thing just acts like a hard drive and I can look at the storage or whatever it might be.

06:32.860 --> 06:38.980
So it's going from the device out to my desktop However you know if you ever seen something like this

06:38.980 --> 06:41.830
what I've got let me hold it up so you guys can see what is going on.

06:43.610 --> 06:48.160
So all I've got here is a mouse with a little adapter.

06:48.170 --> 06:50.890
In this particular case I'm using USPC.

06:51.050 --> 06:53.350
So I've got a regular old USP now.

06:53.360 --> 06:56.060
Nothing special it's got to be a connector on there.

06:56.060 --> 07:02.870
But I've got the special adapter that actually came from Google that goes from USPSA to us b c it's

07:02.870 --> 07:10.100
also important understand us be a female to us b c male with this little device we can have a little

07:10.100 --> 07:11.020
bit of fun.

07:11.530 --> 07:18.220
When I'm going to do is I'm going to plug this mouse into my phone.

07:18.470 --> 07:20.570
So we'll see if we can get a capture of this.

07:20.600 --> 07:24.240
Can you actually see that the mouse is working.

07:24.410 --> 07:31.760
That's with us be on the go is all about us be on the go will allow any one US report to either be ingoing

07:31.820 --> 07:36.140
or outgoing which is not a standard part of the U.S. be standard itself.

07:37.110 --> 07:43.170
However what makes it interesting is that as a bad guy if I've got the right kind of adapter I can plug

07:43.170 --> 07:49.290
a thumb drive in there I could plug into things like a hack fives us be rubber duck device and plug

07:49.290 --> 07:54.120
this in and start sending a whole bunch of commands and grabbing data and things like that.

07:54.480 --> 07:59.310
The downside to us beyond the go is that it's probably something you don't want to turn off because

07:59.610 --> 08:02.850
we use it so often without actually thinking about it.

08:02.880 --> 08:08.460
This is where really one of the big things we can do with our smart devices is make sure we know where

08:08.460 --> 08:10.130
they are at all times.

08:10.350 --> 08:17.700
Somebody leaving a wireless device on a desk or you know in a restaurant is just asking for trouble

08:18.000 --> 08:21.240
just because guys like me we might plug something in that because we're mean.

08:21.240 --> 08:24.240
We're just curious what we can get away with.

08:24.570 --> 08:29.520
The last thing I want to talk about is Wi-Fi and there's two aspects of Wi-Fi I want to talk about a

08:29.520 --> 08:30.480
one shot.

08:30.480 --> 08:34.370
I want to talk about Wi-Fi Direct and I want to talk about tethering

08:39.070 --> 08:44.890
obviously every type of smart device supports the 10:42 standard if there isn't one I wouldn't be interested

08:44.890 --> 08:46.060
in it.

08:46.060 --> 08:52.750
The problem with regular 10:42 is that it's used almost exclusively just create Internet connections

08:52.900 --> 08:57.960
to a wireless access point and we call that infrastructure mode and it works absolutely great.

08:58.150 --> 09:04.900
But there are other modes to 10:42 that people forget about since 1:52 11 was invented there's been

09:04.900 --> 09:07.660
a mode called Ad-Hoc with ad hoc mode.

09:07.660 --> 09:13.180
What I can do is I can take one device it doesn't have to be a smartphone but I could take any one device

09:13.480 --> 09:20.770
and I can create a wireless connection and Ato two eleven connection between these two devices now and

09:20.800 --> 09:22.740
how connections are rare.

09:22.870 --> 09:26.280
There are places where they're used but they're fairly uncommon.

09:26.620 --> 09:32.380
However one place we do see these ad hoc type connections is in something called Wi-Fi Direct.

09:32.740 --> 09:39.150
We know that everybody has streaming devices now in Chrome casts and road crews and things like that.

09:39.160 --> 09:46.090
Now some of these streaming devices use a technology called Wi-Fi Direct which allows a device to connect

09:46.090 --> 09:48.490
to another device very very easily.

09:48.490 --> 09:56.710
The downside to Wi-Fi Direct is that it uses Wi-Fi protected services WPX and in other episodes we talk

09:56.710 --> 09:58.610
about the downside to WPX.

09:58.840 --> 10:04.630
Generally what we do in these cases is we do a little research on whatever streaming device we have

10:04.630 --> 10:10.510
on security and see if there aren't some situations it's not that hard for me to be able to connect

10:10.510 --> 10:17.090
to some of these streaming devices as a bad guy just by doing standard wireless attacks.

10:17.170 --> 10:22.450
If you watch other episodes we talk about for example the diot attack and being able to completely intercept

10:22.450 --> 10:25.270
the stream of all your data.

10:25.270 --> 10:27.580
Now the other part to this is tethering.

10:27.580 --> 10:33.250
Now let's make sure we understand what tethering means tethering basically for most people tethering

10:33.250 --> 10:38.270
means to plug my phone into for example a laptop.

10:38.590 --> 10:46.270
And when I make this plug in connection I can actually take advantage of the cellular in on my phone

10:46.750 --> 10:50.500
and use that as a internet connection for my laptop.

10:50.530 --> 10:55.130
So most of the time when we talk about tethering tethering is great when it's done.

10:55.150 --> 11:00.570
Wired The downside to tethering and this is where 8:0 to 11 comes into play.

11:00.570 --> 11:06.060
Is that almost all smart devices today support wireless tethering.

11:06.100 --> 11:08.070
So you've got your cellular way.

11:08.170 --> 11:15.880
And then this little phone right here starts to act as a wireless access point and not properly configured

11:16.210 --> 11:18.900
by setting up this type of tethering.

11:19.000 --> 11:24.700
You can literally let anybody connect to the Internet through your phone.

11:24.730 --> 11:30.410
So the secret to this is on almost all of these phones you take the time to configure it properly set

11:30.410 --> 11:38.050
up WPA WPA too and get that encryption up and running to at least make somebody sign in and get a password

11:38.350 --> 11:42.620
before they start doing whatever they do on your phone.