Podcast

The Wild West of IoT: Hacking and Securing Devices with Matt Brown


Matt Brown, Hardware Security Researcher, Bug Bounty Hunter, and Founder of Brown Fine Security, leaves nothing to the imagination in this conversation with host Eric Johansen on the world of embedded devices and cybersecurity. Matt shares his journey from childhood tinkering to professional vulnerability research, offering insights into the complexities of IoT attack surfaces, legacy system challenges, and real-world hacking experiences. The conversation covers everything from surprising device vulnerabilities to practical advice for aspiring IoT hackers, including why off-brand devices are a great starting point. Plus, Matt reveals some of the sketchy smart devices in his own home and why understanding your threat model is key to robust security. It’s an unfiltered look into the intersection of curiosity, technology, and defense strategies in today’s connected world.

You may know Matt from his hit YouTube channel at https://www.youtube.com/@mattbrwn. If you like hardware, taking gear apart, and digging into what makes devices vulnerable, you’re definitely going to want to give it a look.

You can also find Matt Brown at the following places:
brownfinesecurity.com
linkedin.com/in/mattbrwn
twitter.com/nmatt0
github.com/nmatt0
reddit.com/user/mattbrwn0

Transcript

Eric Johansen: Hello, everybody. This is the IoT Security Podcast. I’m, um, Eric Johansen, and we have a great guest for you today, IoT hacker Matt Brown of Brown Fine Security. Today we are covering all kinds of topics, IoT, uh, attack surface, our favorite IoT devices, and even some tips for shopping on Amazon. Hey, Matt, um, thanks for, uh, joining us today. My main question, and I think a lot of people, you know, the same thing. It’s kind of like, how did you get into this? Right. Um, you know, just. You’re kind of. You kind of been everywhere when you talk about the IoT scene. So what kind of dropped you into where you are today?

Matt Brown: Absolutely. Well, first, thank you for having me on, and my background in IoT hacking, I guess, kind of started with my background in hacking itself. And so I was really interested in computers as a kid and, uh, I loved taking apart electronics. I learned to solder when I was a kid, so I. All these requisite, uh, interests and skills I felt were, uh, lurking in my background. Uh, and then when I went off to school, I specialized in cybersecurity. Uh, but all the while was. Was doing tinkering and kind of side projects in, uh, the area of hardware, devices. And then once I kind of launched into my career, I got some opportunities to work, uh, for companies that produced IoT devices. And, uh, the. The rest was history, as they say. There’s a lot, A lot of details I’m leaving out, but I’m interested if there’s anything in particular, uh. Yeah, you’re wanting to know from that question.

Eric Johansen: Yeah, that’s interesting story. I thought, I thought it would be, uh, because at least as far as my interest went, it was, uh. When I was growing up, uh, it was a lot cheaper to work with smaller, uh, embedded devices than say, perhaps the family computer if you make a mistake, you know, so that’s cool. So you actually were in the business itself and were you doing analysis, uh, professionally for that organization or was it kind of, uh, tangentially related? And then you got into this.

Matt Brown: Even within my, like, you know, college and university studies, I was getting some exposure to embedded devices there, but then really started to specialize in that area, uh, when I took a role that was, you know, researching offensive capabilities and specifically trying to do, you know, vulnerability research on embedded targets. And, uh, that was. That was one work experience that I had. And then I’ve also, uh, had some work experience at a company that produces IoT devices and getting to learn all the nitty gritty details of how supply chains work, of how vulnerabilities uh, don’t uh, just exist in one product but they exist in a whole like family of products. Right. And so got uh, a lot of hands on experience with IoT devices there and uh, and working closely with engineers and uh, third party uh, partners and stuff like that to uh, find and fix vulns.

Eric Johansen: Very cool. Tell us more about that offensive component. Uh, or at least what you can say like was you mentioned working for a vendor so I assume it wasn’t that particular role. Wasn’t a vendor itself like that was you know, military or anything like that or.

Matt Brown: Yeah so, so that was, that was again my very early on in my career I took a position at Lockheed Martin where okay I was, I was doing research and uh, the long story short is that I, I ended up kind of taking an exit from that company and going into a, and going to work at a startup and I kind of went away from IoT for a little bit. But that, that got my interests in that embedded and that was all like obviously unclassified work that I was doing. Um, but looking into vulnerabilities and specifically embedded Linux devices and I’ve, I’ve been a longtime Linux user. I’m, I’m running Linux right now on my desktop daily driving it and so that’s always been something I’ve been passionate about and then getting to use my Linux expertise and kind of combine it with cybersecurity because so many of these embedded uh, devices out there, these IoT devices are running Linux under the hood because it’s free, it’s lightweight in terms of resource utilization at least compared with other modern uh, full operating systems like Windows or something like that. So uh, you see a lot of that in the wild and that made me good at finding vulns on these, on these targets. And so but yeah it was, it was more of that uh, kind of you know, military contractor background that I, that got me started and got me really interested in these devices.

Eric Johansen: Interesting. And so when you think about that experience and then obviously you know everything since then this uh, is kind of a generic question but I feel like the open endedness makes it more interesting. But like what’s kind of been the most surprising device for, for you like or, or has it not been surprising because so many things are just essentially vulnerable and full of holes and that type of thing?

Matt Brown: Yeah, I could take that question in a lot of directions. There’s Sometimes I get surprised when something isn’t chock-full of vulnerabilities, right? Uh, when I, when I get a, get my hands on a device and I’m like oh, they actually did take the time to for example in, on an, in the embedded Linux world, uh, I have this running joke that in IoT the class of vulnerability uh, for privilege escalation doesn’t exist because everything runs as root, right? So if everything, if everything in the environment runs as root, you don’t need to escalate your privileges from some lower user up to that root. So sometimes I get surprised when I see uh, privilege separation and running with low privileged accounts on devices. Uh, uh, but I would say surprising. What’s surprising to me is in some sense what I found. This is another thing I found really interesting about the whole IoT world is you kind of get to do some time traveling and that’s because oftentimes these embedded systems are, are a platform that’s been developed over a long period of time and there is no way they’re going to ever be able to update, you know, the kernel that’s running or the critical libraries on that. It would just be way too hard. Um, and oftentimes the people who developed these platforms or these software development kits for embedded devices are long gone from the initial company and so uh, trying to maintain them is really hard. Which means oftentimes you get your hands on an embedded device and it’s running a kernel from 10 years ago, from 15 years ago. Right. And so you have all of this obviously uh, legacy attack surface that you have to deal with on these devices. You just get to exploit types of vulnerabilities that are so much harder to exploit today. Yeah, so, so that is a surprising thing because when I was coming out of university, right I was learning about all these memory protections for example. 
In Linux you have you know, uh, a lot more advanced exploitation techniques, uh like return oriented programming to get around you know, memory protections like ASLR and you know, no execute and stuff like that. And so but on these older Linux, on these older Linux devices sometimes you’ll find devices that have a kernel version that’s even before ASLR was implemented. Right. And so, and so as, as a younger hacker who maybe feels like uh, some like I missed out on this nostalgia of like the golden age of hacking, like you know, the old, old school DEFCON crew and stuff like that. I feel like IoT you sometimes get to like do some time traveling back to, to, to a simpler age of uh, of exploitation and stuff like that.

Eric Johansen: So, yeah, when it was, uh. Yeah, a lot, a lot, lot less steps involved to, to make that initial entry point. So I guess when you talk about, when you talk about time travel, I guess another good topic would be, I guess on the surprising front, if we keep with that track, what has been, I guess one, in your opinion, one of the best mitigation strategies, when you’re talking about what you just mentioned, where these things come off a factory line and they’re just going to go live, they’re not going to ever go away until someone unplugs them because like you say, they’re essentially static. And yeah, there might be firmware updates, but in general, most people aren’t proactively making that update happen. So knowing that they’re shipping something and I would, you know, I’m just curious, like, what’s the best mitigation strategy that you’ve seen? Because, you know, IoT devices, the challenge is always the resources. You know, they don’t have enough where you can just, you know, put in, you know, an IPS on the network level or what have you. So kind of what’s been the coolest mitigation strategy that you’ve seen or A few.

Matt Brown: Yeah, so the, uh, way you frame the question, right, because the first thing that comes to my mind is, well, build a very solid, uh, firmware update pipeline. Right. But, but you, yeah, you, you rightly have pointed out that for many IoT devices, that is not.

Eric Johansen: That’s how Amazon, Apple and Google deal with it.

Matt Brown: Right.

Eric Johansen: I mean, I think when we all think about IoT, they’re the ones that are really doing it well because they are built that methodology for updating. So.

Matt Brown: Sorry to interrupt, but yeah, no, you’re, you’re so right. And so I’ve, So this is like even kind of like leaving the security, the embedded security world and just stepping into what you want to do on a good. Like when you’re engineering, when you are producing a new IoT device, I would say the single most important feature is your OTA firmware update process. Right. But so setting that aside, as far as mitigations go, I would say it’s. I’m going to kind of like do some hand waving here, but I would say one or like almost like step zero is understanding your specific threat model. Right. Understanding what threats are going to come after your device that might not be the same threats that come after somebody else’s device. Right. Uh, if we think of like you mentioned companies like Amazon and Apple. Right. Like, like Apple I think, I can’t think of uh, another company that has a higher threat model, a more exposed threat model to, because they have nation state actors coming after them that you know, they have governments, they have very well funded, you know, criminal enterprises that are wanting to find vulnerabilities in their platform. Um, or let’s take another type of embedded device and talk about the threat model, right? A crypto wallet, a hardware crypto wallet. Well in that threat model if, if I can gain access, like debug access to the hardware, that, that’s the whole game, right? That is that, that compromises their entire threat model, right. To keep you out of the internal memories of the device. Right. Whereas maybe your, your Wi-Fi router that you have, you know, in your home that they might not worry about that as much. Right. If I can get by gaining physical access to my device, if I can modify my own device with physical access, maybe they’re not concerned about that threat. 
So, so just to answer that question that uh, my first answer is you need to know your threat model and you need to target what you care about because security, you’re always, you’re always playing a game of resource allocation, right? Like where do I spend my, my time, my mind share on solving security problems. And I would say you need to understand your threat model and, and the market that your product’s going into really well to know what to spend time on and then the second that kind of comes out of that is just reducing your uh, your exposure. Right. So this is really simple thing. So again my, most of my experience is in the embedded Linux world and if you have a service that’s open on your device and it doesn’t need to be open, then close it. It’s that, it’s that simple, right? Instead of trying to worry about oh you know, let me do scan it. You know, if there’s some service that has some very complicated exploit it’s like yeah, well we could divine, we could design you know, tools to do source code analysis. Uh, in the IoT world sometimes you don’t have source code. Uh, that’s the, that’s like the dirty little secret of these supply chains, right?

Eric Johansen: Busy box and throwing it on something and you know, whatever. Yeah.

Matt Brown: Uh, or, or, or company whose name is slapped on the front of the device, right. They contract with another company to do the software development and, and then the device and then they don’t have it in the contract that they should have the source code, right? That, that, that, that actually is someone else’s ip. And so it kind of goes along the supply chain. Right. And, and then the company whose name is on the product doesn’t even have source code. Right. So how. So, so what, what do you do then? But I’m kind of, I’m kind of diverging there. But just every service, analyze every service, every function, every feature, and ask yourself, is this necessary on this device? And if it’s not removing it? Uh, There are many IoT devices out there that don’t need to have a single port open because the device doesn’t get connected to. It connects out to a cloud server. Right. So, so I would say that’s. Those are kind of my, like my, my, my two answers to that question of like, know your, know your threat model, like, know what you’re up against in the, in the wide world that’s out there in the cyber landscape, and then reduce the attack surface, reduce the amount of places where they can attack you.

Eric Johansen: Well, essentially least privilege, kind of like what you’re talking about with, you’re used to just getting root automatically, so there is no privilege privilege. So when you see that, you’re like, wow, that’s quite cool. I mean, I think it’s a tough question and I think, you know, you answered it well, adeptly as far as like kind of tiptoeing around all these things. Because when you really look at IoT devices, it’s so crazy when you think about like, the stuff that just has to be there in order for the device to be used by your typical end user. You know, things like factory default credentials, which to ask an engineer to secure something that not only has to live, say five years in someone’s house minimum, but then it has to have default credentials so they can set it up easily. And it’s gotta, you know, have a web browser so they can access it and, or, you know, an app or what have you. And so you kind of layer all those things on and it’s a, uh, extremely tough challenge. And by the way, it has to be as cheap as possible so we can mass produce it. So it’s just like, you know, here it just slowly gets down to that point where, you know, that’s like, where at Phosphorus. Like that’s all we focus on is, is finding them, assessing that attack surface that you mentioned and then having the capability to change credentials, upgrade firmware, so you can get to like, kind of the most healthy state, uh, as quickly as possible. But like, in reality, I mean, this is something I was thinking about is like, you know, if I have to go to somebody’s grandmother and make a recommendation, you know, for safe IoT, I think we go back to what we were just talking about. Like, in general, the, uh, recommendation would be go for the big names that you recognize. Because as you start, I think we’ve all gone through this in Amazon is you go and you say, like, a great example is, I was looking for dash cams. 
You can hardly find a dash cam that is like a brand that, you know, they’re all going to be all these weird, you know, rebadged, relabeled type of devices. And so, you know, I think that’s one of the big things that, that can make it murky for these people is like, you just look at the reviews, people say it works well. But as far as that risk factor and what you’re introducing to your ecosystem, whether that’s your home network or what have you, like, it’s just such a, a Wild West type environment.

Matt Brown: It really is. Yeah, you. Yeah, those, uh, yeah, uh, for, for the stuff I do for my, my YouTube content and finding fun devices to hack on. It’s, it’s, it’s funny because the advice I always get a question from people in my discord or in my community. What, what device should I look at to like, like, should I start, I want to learn IoT hacking? And I’m like, well, definitely don’t go and get a, uh, device from Amazon or Apple or, you know. Right. No, go, go.

Eric Johansen: Go to hard mode.

Matt Brown: Go to the listing that you’re talking about. Go to Amazon and find like the cheapest thing that you can and, and have a brand that you don’t recognize at all. Right. And start there. That will be a, uh, less painful learning experience from the offensive side, uh, of the world. Yeah.

Eric Johansen: And I mean, is that kind of your general tip? I think, like, a lot of people are, are like, hey, uh, I see what Matt’s doing. It’s really cool. I’m interested in it. Like, kind of along those lines. Is that. What is. What are your tips for people like that? Is it generally just, hey, get a device, start hacking around, do some packet capture, kind of. How do you, how do you kind of prescribe that? If someone asks that, which I think all of us in cyber security have been asked that, and it’s like, you know, at least for me, I’m always like, well, you have to have some kind of acumen. It’s kind of hard when someone’s like, I want to get into cyber security and they may be doing something else over here. Because, like, if you don’t have a passion for it, it can kind of be hard, but, like, kind of. How do you answer that?

Matt Brown: Yeah, I, I totally agree, and I resonate with what you’re saying there. If there’s no passion or if the passion is sometimes misguided.

Eric Johansen: Uh, I want, I want to make money.

Matt Brown: I. Yeah, I was just.

Eric Johansen: Look at Matt and look at that belt. I mean, this is the type of, like, I think. I bet you’ve got a Scrooge McDuck vault somewhere full of, uh, gold, right? You know?

Matt Brown: Oh, man. Yeah, it’s, it’s, it’s like that meme format with the, with the, with the person who’s trying to, like, climb upstairs and he’s like, stepping over, like, five stairs, you know, to get to the top stair. I don’t know if you’ve seen that meme format. Right? And it’s, and, and, and it’s, it’s been used many times. Right. But that’s oftentimes what people want to do in cybersecurity. Oh. Like, learn the basics of networking, of operating systems, of. Of, you know, you, uh, know, like using Wireshark, you know, base. Really basic, like, basic stuff. It’s like, no, I want to skip over that and get to the cool stuff.

Eric Johansen: Like people that are like, I want to learn how to be a forensic analyst, and they’re not even in it at all. And you’re just like, whoa.

Matt Brown: Yeah.

Eric Johansen: You know. Yeah. So, so I guess in general, the recommendation is go to Amazon, find the most crazy off brand device. Is there like a, uh, not that it’s your favorite device, but is there like a class or a certain type of device or like, you know, like, imagine your, uh. You know, we’re going to Mos Eisley, and we all know what we’re getting into in the Star Wars universe. It’s, it’s just, you know, the hive of scum and villainy. And so how do you introduce yourself into that world? Uh, when you’re looking for a device and I’m sure you maybe don’t have to anymore in your, your career now, but like, if you were to put yourself in that shoe or you’re those shoes where you’re like, on Best Buy or Amazon or Walmart or whatever, trying to figure out what, what, uh, interesting device to get.

Matt Brown: Yeah, so, uh, yeah, so, so to go back to that question, right. The way I usually answer it is I would, I would recommend that they find a blog or, you know, a YouTube video or something that, where somebody has already gone down a path with a specific device that you can then go buy that same device. And uh, the first step is just to mimic, is just to try to follow all the same steps on your own that you see in the blog. And then you’re going to, you know, maybe encounter some problems along the way. You know, maybe they didn’t give you complete information. And you can, you can learn by not having to learn everything from scratch. Right. You can do some, some handholding down that, that hacking journey. And when you get to the end of that, then you can decide, oh, I want to look around for more things. You know, I, I followed this blog and it taught me how to get, uh, a UART shell by, you know, soldering and plugging into something on the device. Now let me look for other interesting things on the device to look for.

Eric Johansen: Right.

Matt Brown: Uh, I would say, but starting by imitating imitate something that you see in a blog or a video. And, uh, you’re going to have, you’re going to have little wins along the way that keep you motivated and wanting.

Eric Johansen: To learn more, practice the tools and techniques and see if you have an aptitude for it or an interest once you’re practicing along, uh, to validate that. Kind of like, uh, when I was in college, for some reason, my wife tells us, she always makes fun of me. She’s like, because I wanted to be in criminal justice when I went into college. And one of the first things they do is they have the police come and like, kind of show you some gory pictures. And, uh, that was the first thing I realized. I don’t like blood. And I’m like, why did I ever, you know. But then here I am in cyber security. It’s perfect. There’s, there’s, you know, there’s the digital component. There’s not, uh, you know, all that. So I guess, uh, I didn’t become Batman, but, you know, here I am. I’m still in cyber security, which is, uh, interesting.

Matt Brown: But, yeah, I had that experience, uh, in my, in my first, uh, programming class in college, uh, when half the class realized that it wasn’t like playing video games. Right? Yeah, they like to, they like to play video games. And then it turns out that it’s a lot more, uh, you know, there’s logic and math and all this other stuff involved in, uh, computer programming. Right.

Eric Johansen: Yeah. And that, and that is, that’s a great point, Matt, because, I mean, the things that you do in your videos are, are awesome. And it’s so Cool. But it’s like behind that, you know, how many hours do you think you put into a video? A final output? I mean you’ve got to put in a lot of work. And I mean even just looking at the equipment behind you, I mean there’s so many layers. It’s not just like the matrix stuff is coming down and you’re wearing shades and it’s just cool music playing. It’s like, you know, you’re burning the midnight oil, you’re, you know, whatever. But kind of what does that look like for you when you, when you think about you’re outputting a video that’s 15, 30 minutes, hour, whatever. But, but what do you have to put in for that?

Matt Brown: Yeah, it really depends on the device and on the context. But oftentimes I’ll be at a minimum any device I pick up. I’m going to try to do background research. Right. Because I want to see has anyone already gone before me and learned something? Because I don’t want to, I mean one, I don’t want to make a video that’s just like, oh, I found this thing and it turns out like five years ago somebody did the same thing. Right?

Eric Johansen: Yeah.

Matt Brown: Or if they did, or if they did and I’m still do the video, I want to credit them. I want, I want to, I want to like cite my work. So there’s a lot of research and reading other people’s blog posts. Uh, there is obviously like taking apart the device and I do try to show some of my struggles on my video but like me struggling for multiple hours to like find one thing is not exactly good content. So, so there, there is an uh, element to which I do a lot of like work ahead of time where uh, where I’ll, I’ll struggle to find you know, a debug interface and how to solder onto it properly or what I need to do after I pull a chip off, a firmware chip off to do the analysis. So yeah, there’s definitely a lot of prep work and I would say just like uh, sometimes I got, I have to write code to perform analysis that’s very custom and it’s like a, it’s a one off thing. So you, you do really get pulled into the weeds. I personally like it. This uh, kind of goes even higher level. But one of the things I really like about IoT is because I like to keep learning all different kinds of technologies. And the cool thing about IoT is is it’s often the intersection between multiple different technologies. Right. So just if you have a device, it’s not like just the device. Oftentimes it’s communicating to a cloud server. So you have to know networking, you have to know about, about cloud infrastructure. You uh, oftentimes have a mobile app so that now you have mobile app security that’s involved and the communication between the mobile app and the cloud. Or maybe there’s like other wireless protocols like Wi Fi or Bluetooth involved. So it really kind of brings uh, in tons of different technologies uh, and makes it fun.

Eric Johansen: So yeah, my mind went to LoRaWAN. I mean that’s such like, you know, and even you mentioned crypto wallets and so you know, I messed around with Helium, which is just basically a single board computer inside and then you know, the LoRaWAN antennas and then all that good stuff and it’s just like. Yeah, it’s so true. There’s so many like different cool avenues kind of tied to it. But I guess like back to that question, like, so how if you make a video, what would you say, 20 hours goes into it?

Matt Brown: Yeah, five to 10? Yeah, I, I do usually, yeah, my videos are a little bit different in that sometimes I, I purposefully leave a part of the video that I’ve never done before to like give people that experience of me trying to figure it out. So uh, uh, sometimes I will like analyze part of the device and then I will show that part and then I’ll go a step beyond that and show people that, that real time reaction which, which sometimes those videos fail and they never get uploaded to YouTube. So there’s there is also that, there is also that aspect of it too.

Eric Johansen: So it’s not always, it doesn’t always make for a good video. But I mean I think it’s uh, that that experience and, and what you’re going through like is, is also what’s so amazing because of IoT like the things we just talked about, like there’s just so many different vessels for these embedded devices to enable things whether they’re a sensor or you know, the biomet, just like a million different ways that IoT devices uh, are utilized. And especially today it just keeps increasing. Like I always use this analogy with people. It’s like, you know, when you go to Best Buy now, I mean you can’t even buy a dumb device. Like you’re going to have a refrigerator that wants on your Wi-Fi. I mean everything wants telemetry. We all know TVs are essentially subsidized now and the price is low so they can get information about your viewing habits and network and all of those good things. So it’s, it’s, it’s pretty incredible. Which, I mean most people have no problem with that. You know, they’re, they’re happy to take that on. Um, I guess with that from the TV conversation, because I think in general we look at that space and there’s a lot of vendors that are kind of doing some, they’re pushing the envelope ethically, I think with some of that. And I think, you know, it’s kind of like, you know, Facebook or whatever 10 years ago. But are there any vendors that you would not put on blast? But like, are there, is there like a particular like bad offender or do you not necessarily want to go there, you know, or, or you know, I guess. Do you want to speak agnostically or kind of. How do you look at that?

Matt Brown: That is. Yeah, no, that’s a good question. I have limited experience with smart TVs and stuff like that. It is an area that I have been very interested to get into. Uh, definitely not putting them on blast.

Eric Johansen: But uh, as a part of like in general IoT kind of using that as an example of kind of how consumers are exposed to it on a regular basis. Is there like a particular brand that you’ve worked with through your efforts that is consistently, you know, disappointing or what have you, you know. Hmm.

Matt Brown: M. Yeah. Yeah. Like I said, I don’t have as much experience in, to be able to give you that. I do, I do know that I am sketched out and I will say I have one of these TVs in my house. But I think, I believe the brand is TLC or. Yeah, or uh, yeah, or TCL or it’s, it’s one of those.

Eric Johansen: Tcl. Yeah, it’s Roku. Is it Roku or something? Or Google Play or something like that?

Matt Brown: Um, it’s an Android based t. I, I believe it’s like an app, a Google TV based platform. But the thing, the thing when you dig into those different systems is that they’re, yeah, they are running Android and it’s a. But oftentimes you don’t know what they’re running. The Android open source project. Right. And so you don’t know what modifications they’ve made. Right. Because the Android open source project is a, uh, it’s in the name. It’s an open source project so they can fork it and they can add whatever sketchy apps or, or they can modify the OS itself and you would never really have visibility into that as a consumer. So I, Yeah, those, those do concern me and I believe that they, they’ve kind of been pointed out by the US Government, CISA or some other big name entities before. So there are definitely some concerns there. Uh, Sometimes I have IoT devices in my house that sketch me out and I’m like, that’s, that’s a future project. That’s, that’s, that’s in my house there.

Eric Johansen: All right, well, one last question here. Uh, and this, you can be quick with it because maybe you don’t want to, uh, expose this question, but what is in Matt Brown’s house when it comes to Iot? You kind of hinted at the tv. Like, I mean, I, I know personally I’ve got some stuff here because of like the lab element, which is, that’s the excuse I use. But I mean, I’ve got some stuff here I probably shouldn’t have on the network because it’s like older stuff. But it’s like you do what you can to mitigate it as best as you can. But are there, are there any things that you’re using that you’re just like, geez, I got to take care of that. Or, or do you kind of, you have a Faraday cage around stuff or how, you know, how do you deal with that?

Matt Brown: Yeah, uh, part, part of the Faraday cage is uh, is living on 10 acres out in the woods. So, but, but uh, so there are two devices that are at my house that I’m like, I need to, I need to make these research projects. One is, uh, my grill or my charcoal smoker.

Eric Johansen: Okay.

Matt Brown: So it’s Masterbuilt and it has like, you can connect, you connect it to your Wi-Fi and it’s got this app that lets you control, you know, via some cloud server API. It lets you like control the heat piece of crap.

Eric Johansen: Right? Because like I was just helping my cousin with his and I could not believe how fickle it was and it’s like, dude, how do people use this?

Matt Brown: I have to remove it and re and re. Add it all the time. Yep.

Eric Johansen: Yeah.

Matt Brown: Yep.

Eric Johansen: Yeah. And because that’s a challenge, it’s a grill. So it’s not going to be in your living room where you have great reception, you know?

Matt Brown: Yeah. So I mean, uh, and that’s why that could be a cool project. Almost like not even. Yes. The security part of it. And this is where, uh, uh, on the, the content on my YouTube channel, there’s this crossover between cyber security and jailbreaking and trying or you know, open source modification of closed embedded devices. Right. So that would be A great use case if I could, you know, have it connect to my own server and so that I can more reliably, you know, uh, change the heat on my grill. The other thing, I’ll answer really quickly. I have a Samsung oven, and it. I’ve never used any of the smart capabilities, but it is right now broadcasting, uh, a Wi-Fi SSID. So.

Eric Johansen: Wow. So it actually. Wow. It’s a router in of itself. That’s insane.

Matt Brown: And that might just be part of the setup process. Right. It might only have that AP open for you to do the setup, but that could be a way that somebody could control the oven, I guess. But, yeah, uh, we’ll see future projects.

Eric Johansen: Yeah. All right, Matt, how can people find you and your content that we’ve been, uh, talking about here today?

Matt Brown: Yeah, thanks. So, primarily, I am on YouTube. You can put, uh, type Matt Brown into YouTube or Matt Brown IoT, and you should find my channel. I’m the IoT hacking, uh, YouTuber. I’m not the UFC fighter. Although I, you know, it’s a bug round.

Eric Johansen: You’re not doing a good job to debunk that.

Matt Brown: Oh, yeah, I know. Right? Yeah. Well, I promise, I promise I’m not living two lives. So, uh, yeah, so Matt Brown on YouTube, and then I go by nmatt0 on GitHub and on X. So that’s, uh, primarily how you can reach out. Yeah.

Eric Johansen: All right, well, hey, thank you very much for joining us today, Matt. Really appreciate it. It’s a fun conversation. And, uh, geez, I actually wish we could go longer, but, uh, yeah, thank you.

Matt Brown: Well, thanks for having me on and.

Eric Johansen: Thank you for watching, Matt. Really enjoyed the conversation. It, uh, was really fun geeking out with you. Uh, the IoT Security Podcast is brought to you by Phosphorus, the leading provider of proactive, unified security management for the extended Internet of things. I’m Eric Johansen, and we’ll be back soon with more of the IoT Security Podcast.

Author

Phosphorus Cybersecurity

Phosphorus Cybersecurity® is the leading xTended Security of Things™ platform designed to find, fix, and monitor the rapidly growing and often unmonitored Things of the enterprise xIoT landscape.