2. About Us
Yuhao Song (宋宇昊)
• A co-founder and researcher of KEEN
• Working on the GeekPwn program, focusing on security of IoT and smart devices
Huiming Liu (刘惠明)
• A security researcher at XuanWu Lab, Tencent
• IoT and Android security
GeekPwn
• A security contest & a bug bounty program organized by KEEN since 2014
3. Contents
• Situations of IoT Security
• Most Vulnerable Categories in IoT
• Attack Vectors of IoT
• IoT Can Do Evil
5. Mirai Incidents
Target: Traffic
• KrebsonSecurity: 620Gbps
• OVH ISP: 1.1Tbps
• Dyn: 1.2Tbps
• Liberia: 500Gbps
• WikiLeaks
• Russian Banks
100,000 devices
* The data is from "Rise of the Machines: The Dyn Attack Was Just a Practice Run"
* The picture is from DownDetector - DownDetector Level 3 Outage Map, CC BY-SA 4.0, https://commons.wikimedia.org/w/index.php?curid=52420446
6. How Does Mirai Attack?
Main Targets: IoT Devices, Wi-Fi Router, IP Camera
Attack Vector
• Remote Shell
• Port Scan (looking for telnet, ssh, etc.)
• Dictionary Attack (based on generic and manufacturer default credentials)
7. “Smart Routers Arena”
• In 2014, GeekPwn began to accept routers’ vulnerabilities
• In Oct. 2015, a special session for routers to reveal their security problems
• During 2014~2016, 32 vulnerabilities of routers
  • Of 18 top-selling models
  • Of 11 brands
  • Covering all the top brands of routers in China
  • Half of them are popular globally
  • Resulting in remote root access
  • Other than shell of weak password
• Our routers are streaking
8. “Now this is not the end. It is not even the beginning of the end. But it is, perhaps, the end of the beginning.”
-- Winston Churchill
9. Situations of IoT Security
Large amounts of vulnerabilities
• Emerging market
  • Manufacturers are focusing on implementing products’ core functions while ignoring security
  • On a recruitment website for startups, we found 3K+ IoT companies, but none is looking for security engineers
• Immature standards
  • Manufacturers don’t have methods to measure and assure products’ security
Weapon of Mass Destruction
• Huge amounts of devices
  • 8.4 billion in 2017, estimated by Gartner
• Always online
• Hard to notice abnormal behaviors (no/small screen)
• Close to users’ daily life
10. IoT Vulnerabilities in GeekPwn
• We noticed security problems in the emerging market and launched GeekPwn in 2014
• All the vulnerabilities are high risk and result in full control of the target (PWN).
• Most of the vulnerabilities are easy and straightforward.
[Chart] Non memory level: 71% / Memory corruption: 29%
[Chart] Single vuln exploit: 63% / Combo exploit: 37%
12. Those Pwned
Mirai IoT
Wi-Fi Router, POS machine, Digital Safe, Robot, Drone, Communication Protocol, Computer Software, IP Camera, Smart Remote Control, Smart Home Device, Wearable Device, Video Game Console, App, Mobile Phone
13. Vulnerabilities by product category
[Chart] Wi-Fi Router 28%, Mobile Phone 18%, Smart Home Device 15%, IP Camera 11%, App 11%, Digital Safe 4%, POS machine 3%, Drone 3%, Wearable Device 2%, Video Game Console 2%, Robot 1%, Communication Protocol 1%, Smart Remote Control 1%, other 17%
• GeekPwn is an open contest. The contestants choose their own target.
• Fewer vulnerabilities are reported in some categories (especially new categories).
• They don’t require Memory Corruption attack.
• They are not necessarily secure but just neglected.
Blind Spot: Vulnerabilities in different product category
[Chart] Categories: Wi-Fi Router, Mobile Phone, Smart Home Device, IP Camera, App, Digital Safe, POS machine, Drone, Wearable Device, Video Game Console, Robot, Communication Protocol, Smart Remote Control; series: Mem Vuln % (0%-100%) and Total Vuln Num (0-35)
16. All Roads Lead to Pwn
[Chart] Memory Corruption Attacks 31%, Insecure Communication Abuse 11%, Abuse of Functionality 10%, Logical Input Manipulation 9%, Code Injection 7%, Hard-coded Crypto Key 6%, other 26%
[Chart] Breakdown of "other": Remote Information Exposure 4%, Spoofing 4%, Security Mechanism Bypass 4%, Other 4%, Remote Shell with No/Weak Auth 4%, Forced Access 3%, Side Channel 3%
17. Insecure Communication Abuse
Digital safe <Real case in GeekPwn 2016>
• Vulnerability
  • Sensitive information transmitted over an unencrypted channel
• Exploit
  • Sniffing to get the credential / session ID, and then replay
• Tool
  • Network sniffer
  • MITM HTTP(S) proxy
  • Ubertooth One (Bluetooth)
18. Abuse of Functionality
• <Real Case in GeekPwn 2015>
• It’s one of the steps in a case exploiting a combination of 6 vulnerabilities. The purpose is to upload a script file to the target device.
• Vulnerability
  • A network logging service is enabled on the device, and it doesn’t do appropriate filtering before writing the log to the file system.
• Exploit
  • Clear the previous log
  • Send traffic to create a log file containing a shell script
<11> syslog-ng[1787]: 1; /usr/sbin/telnetd -l /bin/ashn
19. Logical Input Manipulation
Payment service <Real case in GeekPwn 2015>
• Vulnerability
  • The server side incorrectly trusts a parameter (e.g. User ID) provided by the client.
• Exploit
  • Send the manipulated parameter to the server (e.g. and act as another user)
Beep! Paying from Bob’s account.
20. Code Injection
• <Real Case in GeekPwn 2016>
• Vulnerability
  • In a CGI service, a parameter is accepted and finally passed to the “system” call without appropriate filtering.
• Exploit
  • Send the request with parameter ../xxxx/&&telnetd&& to the CGI
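Added example (not from the slides or the pwned product): the vulnerable shape of the CGI handler above beside a hardened one. The command, the /var/www base directory and the 64-byte name limit are assumptions; the point is that the parameter is allowlisted and then passed as an argv element to execv(), so no shell ever parses it.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/wait.h>

/* Vulnerable shape from the slide: the CGI parameter is spliced into a shell
 * command string that is later handed to system(). A value such as
 * "../xxxx/&&telnetd&&" ends the intended command and appends another one;
 * the shell, not the program, decides what runs. (Builds the string only.) */
static int build_cmd_unsafe(char *out, size_t cap, const char *param) {
    int n = snprintf(out, cap, "/bin/ls /var/www/%s", param);
    return (n >= 0 && (size_t)n < cap) ? 0 : -1;
}

/* Allowlist check: one path component of [A-Za-z0-9_.-], not "." or "..",
 * at most 64 bytes (assumed limit). '/', '&', ';', spaces etc. are rejected. */
static int is_safe_name(const char *s) {
    size_t n = strlen(s);
    if (n == 0 || n > 64) return 0;
    if (strcmp(s, ".") == 0 || strcmp(s, "..") == 0) return 0;
    for (size_t i = 0; i < n; i++) {
        unsigned char c = (unsigned char)s[i];
        if (!isalnum(c) && c != '_' && c != '.' && c != '-') return 0;
    }
    return 1;
}

/* Hardened handler: validate first, then execv() the program directly with
 * the value as a single argv element, so there is no shell to interpret it.
 * Returns the child's exit status, or -1 if the value was rejected or the
 * process could not be started. */
static int run_ls_safe(const char *param) {
    if (!is_safe_name(param)) return -1;
    char path[128];
    snprintf(path, sizeof path, "/var/www/%s", param);
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        char *argv[] = { "/bin/ls", path, NULL };
        execv(argv[0], argv);
        _exit(127);                     /* exec failed */
    }
    int status = 0;
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}
```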
21. Hard-coded Crypto Key
Smart luggage <Real case in GeekPwn 2016>
• Vulnerability
  • A symmetric-key algorithm is used, and the key is hard-coded in the client program.
• Exploit
  • Reverse engineer the client, and get the key.
  • Decrypt / Encrypt the data.
23. Cases Chain
• Get Root Shell of a Router From Internet
• Get Login Password of a WebCam
• Compromise your home security alarm
24. Vulnerabilities Chains To Fun & Profit
• Fewer attack surfaces
• Limited access capabilities
• Limited compute capabilities
• Closed-source firmware
• Cheap but huge amount
25. Breakthrough
• Opening port (especially exposed on the Internet)
  • Configuration port: 80/443
  • Other port: Nmap / Netstat
• Other vulnerability
  • DNS cache?
  • MITM? Remotely get file
26. Get Opening Port
• Dynamic method
  • Nmap
  • Netcat
  • etc…
  • In this case, port 9000 is open
  • New feature?
• Static method
  • Get the firmware
  • Hexdump grep (regular expression matching)
  • Get the binary
  • Reverse to find the bug on the port
27. From Access to Control
• IDA reverse the file
• Working...
• More Working…
• More and More Working…
• Finally, Get the vulnerabilities
28. Router A step 0
[Diagram] XXX Router -> ETM Process -> Etm_configure function -> Parse INI File (EVIL License_server) -> Stack Overflow
36. Exploit A step 0 / Exploit A step 1
[Diagram, step 0] XXX Router -> ETM Process -> INI File (GOOD License_server)
[Diagram, step 1] XXX Router -> ETM Process -> Callback Parse Function (snprintf return value misuse) -> INI File Inject / Information Leak -> INI File (EVIL License_server)
37. Router A step 2 / Router A step 3
[Diagram, step 2] XXX Router -> ETM Process -> Etm_configure function -> Parse INI File (EVIL License_server) -> Stack Overflow
[Diagram, step 3] XXX Router -> ETM Process -> Unauthorized Restart CMD -> Reload INI File (EVIL License_server) -> Stack Overflow
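Added example (not the router's code): the "snprintf return value misuse" named in step 1 above, shown as the defective pattern beside a hardened appender. The INI key/value format and the 16-byte buffer are constructed for illustration.

```c
#include <stdio.h>
#include <stddef.h>

/* Misuse shown on the slide: snprintf() returns the number of characters the
 * full output WOULD need, not how many fit. Code that advances its write
 * offset by that value walks past the buffer once a value is too long. */
static size_t next_offset_bad(char *buf, size_t cap, const char *key, const char *val) {
    int n = snprintf(buf, cap, "%s=%s\n", key, val);
    return n < 0 ? 0 : (size_t)n;     /* caller then does buf += n; cap -= n */
}

/* What the misusing caller computes as "remaining space": with off > cap the
 * unsigned subtraction wraps to a huge value, so the next write is unbounded. */
static size_t remaining_bad(size_t cap, size_t off) {
    return cap - off;
}

/* Hardened appender: tracks the real length and a sticky truncation flag.
 * On overflow it clamps to what was actually written and reports failure
 * instead of letting the offset run ahead of the buffer. */
typedef struct { char *buf; size_t cap; size_t len; int truncated; } inibuf_t;

static int ini_append(inibuf_t *b, const char *key, const char *val) {
    if (b->truncated || b->len >= b->cap) { b->truncated = 1; return -1; }
    int n = snprintf(b->buf + b->len, b->cap - b->len, "%s=%s\n", key, val);
    if (n < 0) { b->truncated = 1; return -1; }
    if ((size_t)n >= b->cap - b->len) {   /* did not fit: output was cut */
        b->truncated = 1;
        b->len = b->cap - 1;              /* snprintf left the NUL here */
        return -1;
    }
    b->len += (size_t)n;
    return 0;
}
```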
38. Router A Exploit step 0
Stack layout after the overflow (higher addresses at the top):
  CMD to Execute
  Wonderful Gadget
  0x43434343
  system Gadget
  0x42424242
  0x42424242
  0x42424242
  Pop Reg Gadget (overwritten return address) <- SP
Pop Reg Gadget:
# 26cd0: pop {r0, r1, r2, r3, r4, lr}
# 26cd4: bx lr
39. Router A Exploit step 1
The pop gadget loads the slots above SP into registers in pop order: R0, R1, R2 <- 0x42424242; R3 <- system Gadget; R4 <- 0x43434343; LR <- Wonderful Gadget. bx lr then jumps to the Wonderful Gadget, and SP now points at CMD to Execute.
40. Router A Exploit step 2
Wonderful Gadget:
#.text:0003F184 MOV R0, SP
#.text:0003F188 MOV LR, PC
#.text:0003F18C BX R3
PC is at the Wonderful Gadget; SP points at CMD to Execute (N bytes).
41. Router A Exploit step 3
MOV R0, SP puts the address of CMD to Execute into R0 (the first argument); MOV LR, PC sets the return address; BX R3 transfers control to the system Gadget, which runs the command.
42. Attack Surface
Ming: $ nmap -Pn -p8999-9001 xx.xx.xx.xx
Starting Nmap 6.47 at 2017-02-19 17:25 CST
Nmap scan report for 10.72.196.78
Host is up (0.010s latency).
PORT STATE SERVICE
8999/tcp filtered bctp
9000/tcp open cslistener
9001/tcp filtered tor-orport
43. Similar Vulnerabilities
• Router B (can get root shell)
  • Open port 515
  • Many devices exposed on the Internet
  • strcpy overflow (parse queue_name)
  • Stack pivot -> leak write@got to bypass ASLR -> ROP to execute system
• WebCam C (can get root shell)
  • Open port UDP 8600
  • strcpy overflow (user, passwd) LOL
• Visit geekpwn.org for more information.
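Added example (not Router B's firmware): the unbounded strcpy of queue_name on port 515 above, next to a bounded parser for the LPD "receive a printer job" request (0x02, queue name, LF, per RFC 1179). QUEUE_MAX and the printable-ASCII rule are assumptions; the constructed requests in the test are not captured traffic.

```c
#include <stddef.h>
#include <string.h>

#define QUEUE_MAX 32   /* size of the destination buffer (assumed) */

/* Vulnerable shape from the slide: a fixed-size queue_name buffer filled by
 * strcpy() straight from the request, so a long name overwrites the stack.
 * Kept here only to mark the defect; never feed it untrusted data. */
static void copy_queue_unsafe(char queue[QUEUE_MAX], const char *from_request) {
    strcpy(queue, from_request);   /* no length check */
}

/* Hardened parser: the name is copied only if the command byte is 0x02, a LF
 * terminator exists, the name is non-empty and printable, and it leaves room
 * for the NUL. Returns 0 on success, -1 on any malformed or over-long input. */
static int lpd_parse_queue(const unsigned char *req, size_t len, char queue[QUEUE_MAX]) {
    if (len < 3 || req[0] != 0x02) return -1;
    const unsigned char *lf = memchr(req + 1, '\n', len - 1);
    if (lf == NULL) return -1;
    size_t qlen = (size_t)(lf - (req + 1));
    if (qlen == 0 || qlen >= QUEUE_MAX) return -1;
    for (size_t i = 0; i < qlen; i++) {
        unsigned char c = req[1 + i];
        if (c < 0x21 || c > 0x7e) return -1;   /* control bytes, space, non-ASCII */
    }
    memcpy(queue, req + 1, qlen);
    queue[qlen] = '\0';
    return 0;
}
```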
45. Then What?
• We are in LANs
  • DDoS tools
  • Traffic monitor & hijack
  • More?
• Watch you, literally watch
  • Everything in attackers’ eyes from a pwned WebCam
  • WebCam D demo
46. WebCam D
• Backdoor 1
  • Get the administrator’s username and password directly
  • Send some magic strings
• Backdoor 2
  • Telnet on the webcam
  • Default telnet backdoor (root, xxxxxx)
• Visit geekpwn.org for more information
47. What can attackers do?
• Scan the Internet to find the vulnerable devices
• Get the root shell of the router or webcam
• Surf the LAN
• Watch or even control you through your vulnerable IoT devices
• Demo video
48. What may you lose now in this case?
• Your online privacy (even worse on http)
• Your online account and password (MITM)
• Your daily life privacy (obviously)
• Your credit card information (if you ever showed it somewhere in the WebCams’ view)
• More?
52. IoT Can Be Peeper
• Locating user’s child
• Monitoring network traffic
• Hijacking network traffic
• Watching the user, literally
53. IoT Can Be Thief
• Query transactions
• Steal money
• Monitor user’s life pattern
• Turn on/off user’s appliance
• Disable intrusion alarm
• (For fun) Send out a weibo (“Chinese Twitter”) from a socket
• Unlock user's door
54. IoT Can Be Hijacked
• Be hijacked to fly away
• Be hijacked to eavesdrop