Who Controls the Controllers—Hacking Crestron IoT Automation Systems

DEF CON 26

Presented by: Ricky Lawshae
Date: Friday August 10, 2018
Time: 12:00 - 12:45
Location: Track 3

While you may not always be aware of them or even have heard of them, Crestron devices are everywhere. They can be found in universities, modern office buildings, sports arenas, and even high-end Las Vegas hotel rooms. If an environment has a lot of audio/video infrastructure, needs to interconnect or automate different IoT and building systems, or just wants the shades to close when the TV is turned on, chances are high that a Crestron device is controlling things from behind the scenes. And as these types of environments become the norm and grow ever more complex, the number of systems that Crestron devices are connected to grows as well. But it is in large part because of this complexity that installing and programming these devices is difficult enough without considering adding security. Instead of being a necessity, it's an extra headache that almost always gets entirely passed over. In this talk, I will take a look at different Crestron devices from a security perspective and discuss the many vulnerabilities and opportunities for fun to be found within. I will demonstrate both documented and undocumented features that can be used to achieve full system compromise and show the need to make securing these systems a priority, instead of an afterthought, in every deployment. In short, hijinx will ensue.

Ricky Lawshae

Ricky "HeadlessZeke" Lawshae is an offensive security researcher for the Advanced Security Research team at Trend Micro. He spends his days breaking interesting things in interesting ways with his focus mainly centered on IoT research. His work has been featured in Forbes, Wired, Ars Technica, Hackaday, and more. He tries his best to be responsible with the vulnerabilities he finds, but despite that his work has also been featured in the likes of Satori, BrickerBot, and JenX. This will be his fourth time speaking at DEF CON, and he has also spoken at Recon, Ruxcon, Insomnihack, and many more. He spends his off-hours reading (mostly comics), drinking (mostly dark beers), and gaming (mostly PS4). @HeadlessZeke

