IoThings you don't even need to hack

The (Io)Things you don’t
even need to hack.
Should we worry?
Sławomir Jasek
OWASP EEE, 6.10.2015 Kraków

Pentester / security consultant.
Assessments and consultancy regarding
security of various applications - web,
mobile, embedded, ...
Since 2003 / over 400 systems and
applications
Sławomir Jasek

What is IoT?
Things you don’t even need to hack:
IP cameras
Serious equipment
Bluetooth low energy devices
Smart meters
Should we worry? How can we help?
Agenda

Another buzzword (?).
Several definitions and a bit of confusion.
Just like a few years back „cloud”, „big data” or „mobile”.
Let's simplify: network-connected devices with
embedded processing power.
Add the mobile, cloud and big data, of course ;)
What is „Internet of Things”?

IoT - Variety
http://www.talk2thefuture.com/internet-of-things-english/

IoT - Variety
http://www.beechamresearch.com

IoT - Variety
http://postscapes.com/what-exactly-is-the-internet-of-things-infographic

IoT – prevalence prediction
http://www.audiotech.com/trends-magazine/internet-things-begins-take-shape/

The best-priced IP camera with
PoE and ONVIF
Management standard (was
supposed to) assure painless
integration of the video in my
installation.
Camera

That has to be false positive, right?

PORT STATE SERVICE VERSION
23/tcp open telnet Busybox telnetd
80/tcp open tcpwrapped
554/tcp open rtsp?
8899/tcp open soap gSOAP soap 2.7
9527/tcp open unknown
Services

John the Ripper?
Online hash crack?
md5crypt(?) = $1$RYIwEiRA$d5iRR(...) anyone?
No need to hack, search „password”
and the name of device in Russian

# binwalk firmware.img
DECIMAL HEX DESCRIPTION
------------------------------------------------------------------
0 0x0 uImage header, header size: 64 bytes, header CRC:
0x4F9FDADF, created: Thu Apr 17 10:22:14 2014, image size: 3428352
bytes, Data Address: 0x80000, Entry Point: 0x580000, data CRC:
0xD5BE4969, OS: Linux, CPU: ARM, image type: OS Kernel Image,
compression type: gzip, image name: "linux"
64 0x40 CramFS filesystem, little endian size 3428352
version #2 sorted_dirs CRC 0x9bbb241e, edition 0, 1159 blocks, 175
files
Alt: firmware rev

# mount -o loop,offset=64 firmware.img /mnt/loop
# ls -l /mnt/loop
drwxrwxr-x 2 543 31 4096 Jan 1 1970 bin
drwxrwxr-x 2 543 31 4096 Jan 1 1970 boot
drwxrwxr-x 2 543 31 4096 Jan 1 1970 dev
drwxrwxr-x 5 543 31 4096 Jan 1 1970 etc
drwxrwxr-x 2 543 31 4096 Jan 1 1970 home
drwxrwxr-x 2 543 31 4096 Jan 1 1970 lib
(...)
Alt: firmware rev

# tcpdump host camera.local
18:48:41.290938 IP camera.local.49030 > ec2-
54-72-86-70.eu-west-
1.compute.amazonaws.com.8000: UDP, length 25
What the?
Unsolicited connection to „cloud service”

„Cloud service” – we clome

"Global Suitable Wireless Intercom HD Video Door Phone IR Night
Cellphone Vision Doorbell Wifi Doorbell System for Android/IOS"
http://www.aliexpress.com/item/Global-Suitable-Wireless-Intercom-HD-Video-Door-Phone-IR-Night-Cellphone-Vision-Doorbell-Wifi-Doorbell-System/32321324986.html

your LAN automatically available in the "cloud"
... and comes also with "P2P" feature
LAN
icons (CC) flaticon.com
Device ID
STUN (NAT traversal)

As seen on seller's pictures:
OBJ-019904-DBBAE
OBJ-019914-DBEEE
OBJ-019916-FABBA
OBJ-019888-DEBEF
OBJ-028458-DBECC
...
The secret ID

123456
... and the hidden root telnet password is:

The same most probably applies to your
smart TV, home installations, refrigerators,
microwaves, babysitters, keylocks,
toothbrushes, internet-connected sex toys...
PWN-ing these kind of devices does not
involve „hacking” and does not impress.
This is boring, obvious and well-known for
years. Aka „junk hacking”.
Also frequently used to spread FUD by some
antivirus companies.
„Junk hacking” (R) Dave Aitel
http://seclists.org/dailydave/2014/q3/52

THE DEVICE SUPPLY CHAIN
AKA does anybody care?

Device supply chain
Board Support Package - drivers, bootloader, kernel-level SDK
Broadcom, Texas Instruments, Intel, WindRiver...
Original Device Manufacturer – web interface, SDK, cloud...
usually unknown from China, Taiwan etc.
Original Equipment Manufacturer – composing, branding ODMs
+ support, license, warranty...
Value Added Reseller / Distributor
End user

Device supply chain
End user
Features! Price!
Features! Price!
Features! Price!
Features! Price!

Device supply chain
End user
Security?
?
?
?

That depends on the device and usage scenario.
For most - you are supposed to be aware and treat the devices
accordingly:
• just don’t connect this type of hardware to the Internet
• hack the firmware to reclaim control on device, disable backdoors,
p2p connections etc.; opensource - www.openipcam.com
• and carefully monitor the outgoing traffic...
But should we care about the others?
Should we worry?

Self-powered and lens-less cameras for IoT
http://www.cs.columbia.edu/CAVE/projects/self_
powered_camera/
Image sensors that can not only
capture images, but also generate
the power needed to do so.
http://www.rambus.com/documentation/emerging-
solutions/lensless-smart-sensors
Replace the lenses with ultra-miniaturized diffractive
sensor, extract the image with computation:
extremely small, low-cost „camera”

Indexed „public” cameras (rough IP-based
geolocation)
+
exact location (crowdsource?)
+
Cloud, Big Data (face recognition?)
=
PROBLEM?
And what if someone connects the dots?
https://www.flickr.com/photos/opensourceway

The "junk hacking" term is considered offensive, and
may influence motivation to prove greater impact ;)
https://www.youtube.com/watch?v=OobLb1McxnI

Very popular OBD2 Bluetooth adapter ~10$
Hardcoded PIN: 1234
Conditions to exploit:
• engine turned on
• close distance (few meters); or remote
access to mobile phone
• a car with diagnostic bus unseparated
But: most users probably are not aware that by
taking over their unpatched Android mobile it
may be possible to kill them in a car accident.
Speaking of car hacking...
https://play.google.com/store/apps/details?id=org.prowl.torquefree

But if the device would be connected...
http://www.wired.com/2015/08/hackers-cut-corvettes-brakes-via-common-car-gadget/

Thousands of interfaces publicly available.
Trivial to discover, already scanned & catalogued
likewise cameras.
Modbus-TCP, Serial-TCP, default passwords or
password-less web management interfaces...
I won’t reveal the links here ;)
Industrial insecurity

Industrial insecurity – public interfaces
Default password

Industrial insecurity – public interfaces

Read RFIDs mounted in privileged trucks to
automatically open the gate.
Industrial RFID reader

PORT STATE SERVICE VERSION
23/tcp open telnet Busybox telnetd
4007/tcp open pxc-splr?
10001/tcp open tcpwrapped
Service Info: Host: UHF-RFID-Dev
Industrial RFID reader – port scan

$ echo -e "xAAxBBx01x01x11x01xAAxCC" | nc <IP> 4007 |
hexdump
0000000 bbaa 0101 8111 aa00 aacc 07bb aa00 aacc
0000010 07bb aa00 aacc 07bb aa00 aacc 07bb aa00
0000020 aacc 07bb aa00 aacc 07bb aa00 aacc 07bb
0000030 aa00 aacc 07bb aa00 aacc 07bb aa00 aacc
(...)
0000350 aacc 07bb aa00 aacc 07bb aa00 aacc 07bb
0000360 aa00 aacc 07bb aa00 aacc 07bb aa00 aacc
0000370 07bb aa00 aacc 01bb 1101 ffc1 0103 0247
0000380 1353 ed6b ccaa bbaa 0007 ccaa bbaa 0101
0000390 c111 0300 0001 5302 6b13 05ed aa00 aacc
(...)
...and now we can clone the tag

The incoming vehicles are also traditionally verified by
security staff.
The device is available in restricted LAN only.
The tag can also be scanned from the truck itself.
BUT: you have to be aware of the technology
shortcomings and not to alter the above conditions!
Should we worry?

BLUETOOTH SMART
- AKA Bluetooth Low Energy, BLE, Bluetooth 4

Bluetooth Smart != Bluetooth 3
Completely different stack –
from RF to upper layers.
Designed from the ground-up
for low energy usage.
Network topology
a) Broadcaster + Observer
b) Master + Peripheral

Broadcast – Apple iBeacon
https://www.flickr.com/photos/jnxyz/13570855743
UUID (vendor)
2F234454-CF6D-4A0F-
ADF2-F4911BA9FFA6
Major (group)
45044
Minor (individual)
5
Tx Power
-59
The mobile app can measure precise
distance to specified beacon.
You can read the values using
free mobile BTLE scanner

May broadcast:
• ID (similar to iBeacon)
• Sensor's data (e.g. temperature)
• URL – physical web
Physical web – prepare for a new
spam possibilities in the mobile.
Broadcast – Google Eddystone

Beacons – emulation #1: free app
https://itunes.apple.com/us/app/locate-beacon/id738709014
https://play.google.com/store/apps/details?id=com.radiusnetworks.locate
You can enter exact same
values as existing beacon

# hcitool cmd 0x08 0x0008 1E 02 01 1A 1A FF 4C 00 02
15 84 2A F9 C4 08 F5 11 E3 92 82 F2 3C 91 AE C0 5E FD
E8 AF C8 C5 00
Beacons – emulation #2: Bluez

# hcitool cmd 0x08 0x0008 1E 02 01 1A 1A FF 4C 00 02
15 84 2A F9 C4 08 F5 11 E3 92 82 F2 3C 91 AE C0 5E FD
E8 AF C8 C5 00
iBeacon data broadcast
iBeacon prefix (constant)
UUID: 842AF9C4-08F51-1E39-282F-
23C91AEC05E
Major:
FD E8 = 65 000
Minor:
AF C8 = 45 000
TX power

Additional info on products based on precise location.
Rewards for visiting places.
Indoor guide, help to navigate the blind etc.
Your home or toys can automatically react to you.
Be warned that your bike or car is no longer in the
garage.
Beacons – some example usage scenarios

Beacons – additional info based on location

The "no need to hack" attack scenarios (e.g. reconfigure
beacons to broadcast spam Eddystone URLs):
• #1 - you just need the dev app in order to reconfigure any
beacon
• #2 – you can configure only your devices. But the
restriction is only in app GUI
• #3 – static authentication key compiled in SDK, trivial to
decompile
Attack condition: same physical location OR hacked mobile.
Beacons – reconfiguration attacks

OTHER BLE DEVICES
Beacons are just the beginning...

1. Buy SDK+devices from selected vendor (Nordic, TI...)
2. Import ready-to-use sample code.
3. Add your bright usage scenario (and sometimes a bit
of hacking).
4. Create convincing bootstrap webpage + videos.
5. Run successful Kickstarter campaign.
6. Profit!
How to make your own BLE device?

Electric plugs, lightbulbs, locks, kettles,
sensors, wallets, socks, pans, jars,
toothbrushes, bags, plates, dildos,
sitting pads, measuring your farts
devices, calorie-counting mugs...
„It was just a dumb thing. Then we put a
chip in it. Now it's a smart thing.”
(weputachipinit.tumblr.com)
Crowdfunding: a new kind of celebrity.
Too often ridiculous meets big money.
Beacons are just the beginning...
www.myvessyl.com

I showed an intruder may approach the unsuspecting victim once, to
be able to get full control over the car for consecutive times -
without consent of the victim.
Details will come soon...
Other BLE devices
www.loxet.io

Confidentiality, integrity, AVAILABILITY
https://twitter.com/rabcyr/status/643956567818248192/

Confidentiality, integrity, AVAILABILITY
https://twitter.com/omershapira/status/649635266563604481/

... crashes the
Android Bluetooth
stack ;)
"Bluedroid can only handle
seeing 1,990 different
Bluetooth MAC addresses
before the Android
BluetoothService crashes"
BLE security feature – rotating MAC address...
http://developer.radiusnetworks.com/2014/04/02/a-solution-for-android-bluetooth-crashes.html

BLE Broadcast smart meter
BLE module with
photodiode

Smart meter: BLE broadcast
# hcidump -X -R
> 0000: 04 3e 1e 02 01 00 00 1d 61 35 6f 12 00 12 02 01 .>......a5o.....
0010: 06 0b ff 12 82 07 00 f4 2f 12 00 dc 05 02 0a 08 ......../.......
0020: aa .
> 0000: 04 3e 1e 02 01 00 00 1d 61 35 6f 12 00 12 02 01 .>......a5o.....
0010: 06 0b ff 12 82 06 00 01 30 12 00 dc 05 02 0a 08 ........0.......
0020: a7
.
> 0000: 04 3e 1e 02 01 00 00 1d 61 35 6f 12 00 12 02 01 .>......a5o.....
0010: 06 0b ff 12 82 24 00 49 30 12 00 dc 05 02 0a 08 .....$.I0.......
0020: a9

12 82 07 00 f4 2f 12 00 dc 05 02 0a 08
12 82 06 00 01 30 12 00 dc 05 02 0a 08
12 82 24 00 49 30 12 00 dc 05 02 0a 08
12 82 07 00 50 30 12 00 dc 05 02 0a 08

12 82 07 00 f4 2f 12 00 dc 05 02 0a 08
12 82 06 00 01 30 12 00 dc 05 02 0a 08
12 82 24 00 49 30 12 00 dc 05 02 0a 08
12 82 06 00 50 30 12 00 dc 05 02 0a 08

12 82 07 00 f4 2f 12 00 dc 05 02 0a 08
12 82 06 00 01 30 12 00 dc 05 02 0a 08
12 82 24 00 49 30 12 00 dc 05 02 0a 08
12 82 06 00 50 30 12 00 dc 05 02 0a 08
Temp. impulses
Total number of impulses

In fact, we didn’t even have to.
Wow, we can sniff the power
usage of a victim!
That looks like a serious
vulnerability, doesn’t it?
But is it really?
OMG! We have „hacked” it!
https://www.flickr.com/photos/viirok/2498157861

Conditions to exploit:
- distance 5-10 m from my house
The impact:
- A „not so anonymous” intruder can monitor my power
usage and deduce e.g. my presence at home.
But: my presence at home is also perfectly visible from
5.3 km distance.
And I can detect the intruder, too ;)
BLE Broadcast smart meter - risk

You can also reset this
device – I haven’t bother
to set the password ;)
As well as take a brick
and break my window,
but I honestly hope you
won’t.
BTW
https://www.flickr.com/photos/memestate/2840195/

Additional head mounted on the
water meter transmits the
indication wirelessly to mobile
collectors.
Several hundred thousands (and
counting) installed in Poland.
Wireless smart meters

RTL DVB-T USB stick ~ 40 PLN
Free software (e.g. GNU Radio)
Great beginner’s video tutorial:
http://greatscottgadgets.com/sdr/
Hacking wireless: Software Defined Radio

http://www.uke.gov.pl/pozwolenia-radiowe-dla-klasycznych-sieci-
radiokomunikacji-ruchomej-ladowej-5458
Public list of operators, frequencies etc.

GFSK demodulation – GNU Radio

1. The data is transmitted clear-text or without proper encryption.
2. The precision of transmitted data is higher than needed for billing.
3. Be in the range of wireless transmitter - max few hundred meters.
4. (A not-so-common-yet knowledge of wireless signals decoding)
Risk for the end-user – conditions to exploit
Image: http://www.taswater.com.au/Customers/Residential/Water-Meters

(this meter just broadcasts the indication)
Presence?
• it would be easier to observe e.g. parked cars or lights.
Personal habits?
• when does he bath (or not?), make laundry
• whether has a dishwasher,
• how big is the family...
"Bad neighbour" scenarios:
• emulate tampering alarm signal?
• broadcast enormous usage?
Risk for the end-user – impact

If the device would broadcast too detailed indication, a
regulation could prohibit it.
(there are actually such regulations for energy meters)
How much would it cost to replace several hundred
thousand devices?
Risk for the operator?

Risk for the operator?
868 Mhz transmitter 8 PLN
Arduino 30 PLN
6 x 3 = 18 PLN
TOTAL: 56 PLN

It depends.
The risk is not always obvious. An intruder may hack the
thing, but in the end it may not matter. But you may also
implement seemingly safe use scenario that may
dramatically increase the risk.
The physical presence condition does reduce the attack
possibilities significantly, but beware mobile malware.
The risk may increase in time – new tools, exploits,
adoption of technology.
Should we worry?

Wanna-be-hackers
• Act in good faith to reduce potential for harm.
• You won’t impress us with hacking speaking dolls to say naughty
words or teledildonics to vibrate abnormally ;)
• Please do take real risk into consideration, and the impact on
involved parties, too.
Pentesters
• Adapt new skills, labs for the emerging market
• Sometimes it’s just enough to RTFM
Enthusiasts, hackers, pentesters, consultants...

Confront your ideas with security professionals.
Be aware there is thin red line between "junk hacking" and real risk.
Startups:
• Bugcrowd www.bugcrowd.com
• Free consultancy www.securing.pl/konsultacje (form in PL),
contact us for EN. Drop us your device and we’ll see what we can
do in our spare time.
Proactively predict the future compliance (the FCC, EU,
governments are working on).
Educate the users, design secure by default devices – e.g. enforce
non-default passwords.
Vendors, inventors, entrepreneurs...

Understand the technology and associated risks – be
aware of it’s shortcomings and secure usage scenarios.
Depending on risk (e.g. industrial, urban, government,
medical...), consider security assessment of your
configuration.
Get used to the loss of privacy. You are no longer in
control of your data – no matter if you use the
technology or try to avoid it.
Demand the security.
End-users

Demand the security!
End user
Security !!!

OWASP IoT
https://www.owasp.org/index.php/OWASP_Internet_of_Things_Top_Ten_Project

And for the Happy(?)-End – the pentester’s view
Features at low cost compromising on security is just obscene ;) Let’s do it better!

Thank you.
BTW anyone interested in hacking such devices?
slawomir.jasek@securing.pl
MORE THAN
SECURITY
TESTING

IoThings you don't even need to hack

Empfohlen

Empfohlen

Weitere ähnliche Inhalte

Was ist angesagt?

Was ist angesagt? (20)

Andere mochten auch

Andere mochten auch (20)

Ähnlich wie IoThings you don't even need to hack

Ähnlich wie IoThings you don't even need to hack (20)

Mehr von Slawomir Jasek

Mehr von Slawomir Jasek (6)

Kürzlich hochgeladen

Kürzlich hochgeladen (20)

IoThings you don't even need to hack