SlideShare ist ein Scribd-Unternehmen logo
1 von 19
Downloaden Sie, um offline zu lesen
Internet of (dangerous) Things
Tobias Esser, Prof. Dr. Hartmut Pohl
softScheck GmbH Köln
Büro: Bonnerstr. 108. 53757 Sankt Augustin www. softScheck.com
reactive
…Security Information Event Management (SIEM)
Reactive Strategy
proactive
reactive
…Security Information Event Management (SIEM)
ISO 27034 Application Security
Reactive - Proactive Strategy
Explorative Testing
Manual Auditing
Penetration
Testing
Static Source
Code Analysis
Conformance
Testing
Dynamic Analysis
Fuzzing
Architecture Analysis
Threat Model
Attack Paths, Surface
SSQUARE
© softScheck
Products Tested
© softScheck
Application Security Management SASM
ISO 27034 conform Development
Application Security Audit
Security Requirements
Product Design Implementation ReleaseVerificationRequirements
Targeted Level
of Trust
Explorative Testing
Manual Auditing
Penetration
Testing
Risk Analysis
SSQUARE
Static Source
Code Analysis
Application Security Controls
Conformity Testing
Architecture Analysis
Threat Model
Attack Paths, Surface
ASC 01 ASC 06
Dynamic Analysis
Fuzzing
© softScheck
Internet of Things
© softScheck
Internet of (dangerous) Things
Reverse Engineering einer WiFi-Steckdose
 TP-Link HS110 WiFi Smartplug
 Steuerbar mit "Kasa for Mobile" Smartphone-App
(iOS, Android)
 TP-Link Cloud-Anbindung
© softScheck
 SmartPlug startet Access Point (AP) "TP-LINK_Smart Plug_XXXX"
 Kasa App verbindet Smartphone mit dem AP
 App kommuniziert lokal verschlüsselt über TCP Port 9999
 Passwort des Heim-WLANs wird von App an SmartPlug geschickt
 SmartPlug schaltet AP aus und verbindet sich mit Heim-WLAN
SmartPlug Setup
© softScheck
 Web-Server ist ein Fake!
Offene Ports
© softScheck
 Jedes Byte XOR mit vorigem Plaintext-Byte
 Erstes Byte XOR -85 (Schlüssel)
 Ver- und Entschlüsselung gleich
Reverse Engineering der Verschlüsselung
© softScheck
Wireshark Dissector
© softScheck
 JSON-basiert
 Beispiel-Befehle:
TP-Link SmartHome Protokoll
{"system":{"get_sysinfo":{}}} Systeminfos
{"system":{"reboot":{"delay":1}}} Neustart
{"system":{"set_relay_state":{"state":1}}} Steckdose
anschalten
{"netif":{"get_scaninfo":{"refresh":1}}} Nach WLANs
scannen
{"netif":{"set_stainfo":{"ssid":"WiFi","password":"secret",
"key_type":3}}}
Mit WLAN
verbinden
{"cnCloud":{"bind":{"username":"your@email.com","password":"secret"}}} In Cloud
registrieren
{"cnCloud":{"unbind":null}} Registrierung
aufheben
© softScheck
 time
 emeter (energy meter)
 schedule (scheduled on/off)
 count_down (countdown on/off)
 anti_theft (random scheduled on/off)
TP-Link SmartHome Protokoll
© softScheck
 SmartPlug agiert nur als HTTPS-Client
 Regelmäßige TLS-Verbindung zum Cloud-Server
 App schickt JSON-Befehle verpackt mit "method:passthrough"
 Cloud-Server leitet Befehle an SmartPlug weiter
Cloud-Kommunikation
POST /?token=<sessionid> HTTP/1.1
Content-Type: application/json
Host: eu-wap.tplinkcloud.com
{"method":"passthrough", "params":
{"deviceId":"<deviceID>,
"requestData":"{"system":{"get_sysinfo":null}}"}}
© softScheck
Offene Ports
© softScheck
TP-Link Device Debug Protocol
TDDP Patent
© softScheck
DES Key = md5(username + password)[:16]
TDDP Crypto
© softScheck
Demo
© softScheck
Internet of (dangerous) Things (IodT)
Fork us on GitHub: https://github.com/softScheck/tplink-smartplug
softScheck GmbH Köln
Büro: Bonnerstr. 108. 53757 Sankt Augustin www. softScheck.com +49 (2241) 255 43 – 12
Prof. Dr. Hartmut Pohl
Hartmut.Pohl@softScheck.com
Tobias Esser
Tobias. Esser@softScheck.com

Weitere ähnliche Inhalte

Ähnlich wie Internet of Dangerous Things - IoT Device Hacking

ESET - Remote-Administrator
ESET - Remote-AdministratorESET - Remote-Administrator
ESET - Remote-Administrator
ESET | Enjoy Safer Technology (Deutsch)
 
Web security mit owasp asvs
Web security mit owasp asvsWeb security mit owasp asvs
Web security mit owasp asvs
Benedikt Bauer
 
AKCP sensorProbe8-X60 Alarm Server mit 60 potentialfreien Kontakten
AKCP sensorProbe8-X60 Alarm Server mit 60 potentialfreien KontaktenAKCP sensorProbe8-X60 Alarm Server mit 60 potentialfreien Kontakten
AKCP sensorProbe8-X60 Alarm Server mit 60 potentialfreien Kontakten
Didactum
 

Ähnlich wie Internet of Dangerous Things - IoT Device Hacking (20)

AKCP securityProbe5ESV-X20 / X60 Alarm Server - Ganzheitliche Überwachung kri...
AKCP securityProbe5ESV-X20 / X60 Alarm Server - Ganzheitliche Überwachung kri...AKCP securityProbe5ESV-X20 / X60 Alarm Server - Ganzheitliche Überwachung kri...
AKCP securityProbe5ESV-X20 / X60 Alarm Server - Ganzheitliche Überwachung kri...
 
ESET - Remote-Administrator
ESET - Remote-AdministratorESET - Remote-Administrator
ESET - Remote-Administrator
 
Splunk Discovery Köln - 17-01-2020 - Security Operations mit Splunk
Splunk Discovery Köln - 17-01-2020 - Security Operations mit SplunkSplunk Discovery Köln - 17-01-2020 - Security Operations mit Splunk
Splunk Discovery Köln - 17-01-2020 - Security Operations mit Splunk
 
Internet of Things Architecture
Internet of Things ArchitectureInternet of Things Architecture
Internet of Things Architecture
 
SSV Predictive Maintenance
SSV Predictive MaintenanceSSV Predictive Maintenance
SSV Predictive Maintenance
 
stackconf 2020 | SecDevOps in der Cloud by Florian Wiethoff
stackconf 2020 | SecDevOps in der Cloud by Florian Wiethoffstackconf 2020 | SecDevOps in der Cloud by Florian Wiethoff
stackconf 2020 | SecDevOps in der Cloud by Florian Wiethoff
 
Webinar: Online Security
Webinar: Online SecurityWebinar: Online Security
Webinar: Online Security
 
IT-Sicherheit und agile Entwicklung – geht das? Sicher!
IT-Sicherheit und agile Entwicklung – geht das? Sicher!IT-Sicherheit und agile Entwicklung – geht das? Sicher!
IT-Sicherheit und agile Entwicklung – geht das? Sicher!
 
Steinzeit war gestern! Wege der Cloud-nativen Evolution.
Steinzeit war gestern! Wege der Cloud-nativen Evolution.Steinzeit war gestern! Wege der Cloud-nativen Evolution.
Steinzeit war gestern! Wege der Cloud-nativen Evolution.
 
Regelkonformität durch neue Architekturen
Regelkonformität durch neue ArchitekturenRegelkonformität durch neue Architekturen
Regelkonformität durch neue Architekturen
 
DWX 2016 - Monitoring 2.0 - Monitoring 2.0: Alles im Lot?
DWX 2016 - Monitoring 2.0 - Monitoring 2.0: Alles im Lot?DWX 2016 - Monitoring 2.0 - Monitoring 2.0: Alles im Lot?
DWX 2016 - Monitoring 2.0 - Monitoring 2.0: Alles im Lot?
 
Service Mesh mit Istio und MicroProfile - eine harmonische Kombination?
Service Mesh mit Istio und MicroProfile - eine harmonische Kombination?Service Mesh mit Istio und MicroProfile - eine harmonische Kombination?
Service Mesh mit Istio und MicroProfile - eine harmonische Kombination?
 
AKCP E-opto16 Erweiterungsmodul
AKCP E-opto16 ErweiterungsmodulAKCP E-opto16 Erweiterungsmodul
AKCP E-opto16 Erweiterungsmodul
 
Softprom DACH 2018
Softprom DACH 2018 Softprom DACH 2018
Softprom DACH 2018
 
Web security mit owasp asvs
Web security mit owasp asvsWeb security mit owasp asvs
Web security mit owasp asvs
 
Splunk Webinar Searching & Reporting
Splunk Webinar Searching & ReportingSplunk Webinar Searching & Reporting
Splunk Webinar Searching & Reporting
 
Monitoring Openstack - LinuxTag 2013
Monitoring Openstack - LinuxTag 2013Monitoring Openstack - LinuxTag 2013
Monitoring Openstack - LinuxTag 2013
 
SignalR
SignalRSignalR
SignalR
 
AKCP sensorProbe8-X60 Alarm Server mit 60 potentialfreien Kontakten
AKCP sensorProbe8-X60 Alarm Server mit 60 potentialfreien KontaktenAKCP sensorProbe8-X60 Alarm Server mit 60 potentialfreien Kontakten
AKCP sensorProbe8-X60 Alarm Server mit 60 potentialfreien Kontakten
 
W-LAN @ RFID-Start 2009
W-LAN @ RFID-Start 2009 W-LAN @ RFID-Start 2009
W-LAN @ RFID-Start 2009
 

Mehr von M2M Alliance e.V.

Mehr von M2M Alliance e.V. (20)

M2M Journal 2017
M2M Journal 2017M2M Journal 2017
M2M Journal 2017
 
Predictive Maintenance - Elevator Service 4.0
Predictive Maintenance - Elevator Service 4.0Predictive Maintenance - Elevator Service 4.0
Predictive Maintenance - Elevator Service 4.0
 
Low-Power Wide Area - Overview
Low-Power Wide Area - OverviewLow-Power Wide Area - Overview
Low-Power Wide Area - Overview
 
VR Industry Solutions
VR Industry Solutions VR Industry Solutions
VR Industry Solutions
 
IoT Camera Systems as Sensors in the M2M Environment
IoT Camera Systems as Sensors in the M2M EnvironmentIoT Camera Systems as Sensors in the M2M Environment
IoT Camera Systems as Sensors in the M2M Environment
 
Non-Disruptive Evaluation Kit for Industry 4.0 for Small- and Medium-Size Ent...
Non-Disruptive Evaluation Kit for Industry 4.0 for Small- and Medium-Size Ent...Non-Disruptive Evaluation Kit for Industry 4.0 for Small- and Medium-Size Ent...
Non-Disruptive Evaluation Kit for Industry 4.0 for Small- and Medium-Size Ent...
 
StadtLärm - A Distributed Urban Noise Monitoring System
StadtLärm - A Distributed Urban Noise Monitoring System StadtLärm - A Distributed Urban Noise Monitoring System
StadtLärm - A Distributed Urban Noise Monitoring System
 
Completely Wireless Real-Time Sensors for Smart Factory Applications
Completely Wireless Real-Time Sensors for Smart Factory ApplicationsCompletely Wireless Real-Time Sensors for Smart Factory Applications
Completely Wireless Real-Time Sensors for Smart Factory Applications
 
Sustainable Business Advantage
Sustainable Business AdvantageSustainable Business Advantage
Sustainable Business Advantage
 
Secure Computing Core Technology - A non-NDA Teaser
Secure Computing Core Technology - A non-NDA TeaserSecure Computing Core Technology - A non-NDA Teaser
Secure Computing Core Technology - A non-NDA Teaser
 
NB-IoT: Pros and Cons of the new LPWA Radio Technology
NB-IoT: Pros and Cons of the new LPWA Radio Technology NB-IoT: Pros and Cons of the new LPWA Radio Technology
NB-IoT: Pros and Cons of the new LPWA Radio Technology
 
Smart Service Power – IoT-Assisted, Age-Appropriate Living
Smart Service Power – IoT-Assisted, Age-Appropriate Living Smart Service Power – IoT-Assisted, Age-Appropriate Living
Smart Service Power – IoT-Assisted, Age-Appropriate Living
 
Using Blockchain-Technologies for Factory Automation
Using Blockchain-Technologies for Factory Automation Using Blockchain-Technologies for Factory Automation
Using Blockchain-Technologies for Factory Automation
 
Mobile Edge Computing
Mobile Edge ComputingMobile Edge Computing
Mobile Edge Computing
 
Resilient Connectivity for Industrial IoT: How Sensor Platforms Become Realt ...
Resilient Connectivity for Industrial IoT: How Sensor Platforms Become Realt ...Resilient Connectivity for Industrial IoT: How Sensor Platforms Become Realt ...
Resilient Connectivity for Industrial IoT: How Sensor Platforms Become Realt ...
 
Quantified Self and the Social Internet of Things
Quantified Self and the Social Internet of ThingsQuantified Self and the Social Internet of Things
Quantified Self and the Social Internet of Things
 
You Need a Digital Platform to Turn Data Into Future Revenues
You Need a Digital Platform to Turn Data Into Future RevenuesYou Need a Digital Platform to Turn Data Into Future Revenues
You Need a Digital Platform to Turn Data Into Future Revenues
 
Cloud HMI - Monitoring, Control and Analyzing from Remote
Cloud HMI - Monitoring, Control and Analyzing from RemoteCloud HMI - Monitoring, Control and Analyzing from Remote
Cloud HMI - Monitoring, Control and Analyzing from Remote
 
Industrial Internet of Things - On the Verge of Exponential Growth
Industrial Internet of Things - On the Verge of Exponential GrowthIndustrial Internet of Things - On the Verge of Exponential Growth
Industrial Internet of Things - On the Verge of Exponential Growth
 
Vodafone Internet of Things
Vodafone Internet of ThingsVodafone Internet of Things
Vodafone Internet of Things
 

Internet of Dangerous Things - IoT Device Hacking

  • 1. Internet of (dangerous) Things Tobias Esser, Prof. Dr. Hartmut Pohl softScheck GmbH Köln Büro: Bonnerstr. 108. 53757 Sankt Augustin www. softScheck.com
  • 2. reactive …Security Information Event Management (SIEM) Reactive Strategy
  • 3. proactive reactive …Security Information Event Management (SIEM) ISO 27034 Application Security Reactive - Proactive Strategy Explorative Testing Manual Auditing Penetration Testing Static Source Code Analysis Conformance Testing Dynamic Analysis Fuzzing Architecture Analysis Threat Model Attack Paths, Surface SSQUARE
  • 5. © softScheck Application Security Management SASM ISO 27034 conform Development Application Security Audit Security Requirements Product Design Implementation ReleaseVerificationRequirements Targeted Level of Trust Explorative Testing Manual Auditing Penetration Testing Risk Analysis SSQUARE Static Source Code Analysis Application Security Controls Conformity Testing Architecture Analysis Threat Model Attack Paths, Surface ASC 01 ASC 06 Dynamic Analysis Fuzzing
  • 7. © softScheck Internet of (dangerous) Things Reverse Engineering einer WiFi-Steckdose  TP-Link HS110 WiFi Smartplug  Steuerbar mit "Kasa for Mobile" Smartphone-App (iOS, Android)  TP-Link Cloud-Anbindung
  • 8. © softScheck  SmartPlug startet Access Point (AP) "TP-LINK_Smart Plug_XXXX"  Kasa App verbindet Smartphone mit dem AP  App kommuniziert lokal verschlüsselt über TCP Port 9999  Passwort des Heim-WLANs wird von App an SmartPlug geschickt  SmartPlug schaltet AP aus und verbindet sich mit Heim-WLAN SmartPlug Setup
  • 9. © softScheck  Web-Server ist ein Fake! Offene Ports
  • 10. © softScheck  Jedes Byte XOR mit vorigem Plaintext-Byte  Erstes Byte XOR -85 (Schlüssel)  Ver- und Entschlüsselung gleich Reverse Engineering der Verschlüsselung
  • 12. © softScheck  JSON-basiert  Beispiel-Befehle: TP-Link SmartHome Protokoll {"system":{"get_sysinfo":{}}} Systeminfos {"system":{"reboot":{"delay":1}}} Neustart {"system":{"set_relay_state":{"state":1}}} Steckdose anschalten {"netif":{"get_scaninfo":{"refresh":1}}} Nach WLANs scannen {"netif":{"set_stainfo":{"ssid":"WiFi","password":"secret", "key_type":3}}} Mit WLAN verbinden {"cnCloud":{"bind":{"username":"your@email.com","password":"secret"}}} In Cloud registrieren {"cnCloud":{"unbind":null}} Registrierung aufheben
  • 13. © softScheck  time  emeter (energy meter)  schedule (scheduled on/off)  count_down (countdown on/off)  anti_theft (random scheduled on/off) TP-Link SmartHome Protokoll
  • 14. © softScheck  SmartPlug agiert nur als HTTPS-Client  Regelmäßige TLS-Verbindung zum Cloud-Server  App schickt JSON-Befehle verpackt mit "method:passthrough"  Cloud-Server leitet Befehle an SmartPlug weiter Cloud-Kommunikation POST /?token=<sessionid> HTTP/1.1 Content-Type: application/json Host: eu-wap.tplinkcloud.com {"method":"passthrough", "params": {"deviceId":"<deviceID>, "requestData":"{"system":{"get_sysinfo":null}}"}}
  • 16. © softScheck TP-Link Device Debug Protocol TDDP Patent
  • 17. © softScheck DES Key = md5(username + password)[:16] TDDP Crypto
  • 19. © softScheck Internet of (dangerous) Things (IodT) Fork us on GitHub: https://github.com/softScheck/tplink-smartplug softScheck GmbH Köln Büro: Bonnerstr. 108. 53757 Sankt Augustin www. softScheck.com +49 (2241) 255 43 – 12 Prof. Dr. Hartmut Pohl Hartmut.Pohl@softScheck.com Tobias Esser Tobias. Esser@softScheck.com