I was asked to talk in front of computer science students at Bar-Ilan University about "what happens" when you don't care about writing "secured" or "safe" code. A perfect example of that, in my opinion, was the world of embedded computing, AKA the IoT. I talked about the history of consumer embedded devices and showed a live demo of a 0day I found in one of the most popular routers in the country.
The internet of $h1t
1. The internet of $h1T
Or: Root all things (of the internet of things)
By: Amit Serper, ADhD
2. /bin/whoami
● Now: Lead Mac OSX security researcher @ Cybereason (we’re hiring!)
● Before: ~9 years @ PMO, Lead security researcher, doing mostly embedded security research in the last 3 years.
● Terrible coder
● Reverse Engineer
● Hardcore Linux guy, now I use Mac :( and Windows :((
● I like to make stuff that breaks stuff
● I tweet: @0xAmit
29. Every one of those little bastards is a computer!
(that handles all of your traffic!)
30. Ok… So it’s a “computer” - woo-friggin’-hoo
A calculator is also a computer
31. You’re right. Routers used to have custom RTOS O/S’s that worked on custom architectures and instruction sets
32. But all of a sudden, it wasn’t the standard anymore, care to guess why?
33.
34. Linux is built around networking, it’s easy to develop for and deploy, it’s totally cross-platform and IT’S FREE!
35. Plus, it has tons of ALREADY written code that vendors can use!
36. Used in Xbox, Cable/SAT STBs, PS4, Roku, etc...
libdlna: Used in smart TVs, routers, streamers, Cable/SAT STBs, etc...
A small webserver, used in almost EVERY router in some variation.
37. ALL OF THE PREVIOUSLY MENTIONED SOFTWARE HAS BEEN, AND STILL IS, EXPLOITED ALL THE TIME!
38. The transition to Linux started a whole wave of vendors using Linux, some even took pride in it
Linksys WRT54GL
39. It had a Linux-based (HyperWRT) firmware and most of its code was open sourced
40. Entire communities of firmware spin-offs were founded to enhance and add extra features to products
41. Firmware
● Permanent software programmed into a read-only memory. (Wikipedia)
● One file which includes a Linux distro consisting of:
○ Bootloader
○ Kernel
○ Root filesystem (userland)
○ Swap (product dependent)
43. Firmware (continued)
● Drivers/modules (kernel mode)
● Software and Daemons/Services (User mode) :
○ Busybox
○ DHCP server
○ NTP (server/client)
○ FTP server
○ Telnet/ssh server
○ UPnP server
○ Webserver
44. Limitations when developing a firmware
● Very little memory - Code has to be really efficient, even at the cost of security
● Very little disk space - No bells and whistles - Just the barebones!
● Very weak CPU
● You think you’re invincible - if it compiles, it’s fine! ← PROBLEM
48. Attack vectors:
● Backdoors in firmware (a very specific URL or service that’s running on a specific port)
● Physical/Local access - uploading a patched firmware
● Attack from afar - own the webserver!
49. Enter the webserver:
● It is our common configuration interface with the device
● Everything is controlled through there
● Gives us a direct interface with User-controlled data
● Often listens for connections on 0.0.0.0 (everywhere!)
● Often badly configured by the vendor/user
● Runs as root!!!!1!!!!!1!
62. ; - run this after you’re done
&& - run this if the first command exited with status 0
`statement` - run the command between the backticks and use it as a value
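
These three operators matter because a web handler that runs as root and builds a shell command line from user-controlled data lets the shell interpret them. The following is an added example, not code from the talk or from any vendor's firmware: a hypothetical "ping" diagnostic handler (the names `host_is_valid` and `run_ping` are assumptions) that shows the vulnerable `system()` pattern in a comment next to a hardened form, which checks the input against an allowlist and runs the program without a shell.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

/* Hypothetical "ping" diagnostic handler (added example, not from the talk).
 * Vulnerable pattern: the shell parses `host`, so ; && and backticks in it run
 * extra commands as root:  snprintf(cmd, sizeof cmd, "ping -c 1 %s", host);
 *                          system(cmd);                                      */

/* Allowlist: 1..253 chars of [A-Za-z0-9.-], not starting with '-' (ping would
 * read that as an option). Anything else is rejected, never "cleaned up". */
int host_is_valid(const char *host)
{
    size_t n = host ? strlen(host) : 0;
    if (n == 0 || n > 253 || host[0] == '-')
        return 0;
    for (size_t i = 0; i < n; i++) {
        unsigned char c = (unsigned char)host[i];
        if (!isalnum(c) && c != '.' && c != '-')
            return 0;
    }
    return 1;
}

/* Hardened handler: validate, then exec ping with an argv array. No shell runs,
 * so metacharacters are never interpreted. Returns ping's exit status or -1. */
int run_ping(const char *host)
{
    if (!host_is_valid(host)) return -1;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        execlp("ping", "ping", "-c", "1", host, (char *)NULL);
        _exit(127); /* exec failed */
    }
    int status;
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status))
        return -1;
    return WEXITSTATUS(status);
}

int main(void)
{
    const char *s[] = { "192.168.1.1", "router.lan", "192.168.1.1; reboot" }; /* constructed inputs */
    for (int i = 0; i < 3; i++)
        printf("%-22s -> %s\n", s[i], host_is_valid(s[i]) ? "accept" : "reject");
    return 0;
}
```

Dropping root for the web server process limits the damage if a check like this is ever missed.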