The prevalence of computers in the form of so-called "smart" devices embedded in our everyday environment is inevitable. From a pentester's perspective, the adjective "smart" at first glance can hardly be used to describe their inventors and ambassadors.
Based on a few examples (e.g. BTLE beacons, smart meters, security cameras...) I will show how easily "smart" devices can be outsmarted. Sometimes you don't even need any 'hacking' skills, or the default configuration is wide open. But are we doomed? What are the conditions for a real threat? Can the vulnerabilities be exploited anonymously and as easily as in a web application? Where is the physical border the intruder would be likely to cross? The risks involved are usually different, but does it mean we don't have to worry? Are we sure how to use the emerging technology securely?
IoThings you don't even need to hack
1. The (Io)Things you don’t even need to hack.
Should we worry?
Sławomir Jasek
OWASP EEE, 6.10.2015 Kraków
2. Pentester / security consultant.
Assessments and consultancy regarding
security of various applications - web,
mobile, embedded, ...
Since 2003 / over 400 systems and
applications
Sławomir Jasek
3. What is IoT?
Things you don’t even need to hack:
IP cameras
Serious equipment
Bluetooth low energy devices
Smart meters
Should we worry? How can we help?
Agenda
5. Another buzzword (?).
Several definitions and a bit of confusion.
Just like a few years back „cloud”, „big data” or „mobile”.
Let's simplify: network-connected devices with
embedded processing power.
Add the mobile, cloud and big data, of course ;)
What is „Internet of Things”?
11. The best-priced IP camera with PoE and ONVIF.
The management standard (was supposed to) assure painless
integration of the video into my installation.
Camera
15. PORT      STATE SERVICE    VERSION
23/tcp    open  telnet     Busybox telnetd
80/tcp    open  tcpwrapped
554/tcp   open  rtsp?
8899/tcp  open  soap       gSOAP soap 2.7
9527/tcp  open  unknown
34561/tcp open  unknown
34567/tcp open  unknown
34599/tcp open  unknown
Services
17. John the Ripper?
Online hash crack?
md5crypt(?) = $1$RYIwEiRA$d5iRR(...) anyone?
No need to hack: search for „password”
and the name of the device in Russian
24. "Global Suitable Wireless Intercom HD Video Door Phone IR Night
Cellphone Vision Doorbell Wifi Doorbell System for Android/IOS"
http://www.aliexpress.com/item/Global-Suitable-Wireless-Intercom-HD-Video-Door-Phone-IR-Night-Cellphone-Vision-Doorbell-Wifi-Doorbell-System/32321324986.html
29. The same most probably applies to your
smart TV, home installations, refrigerators,
microwaves, baby monitors, key locks,
toothbrushes, internet-connected sex toys...
PWN-ing these kinds of devices does not
involve „hacking” and does not impress.
This is boring, obvious and has been well-known for
years. Aka „junk hacking”.
Also frequently used to spread FUD by some
antivirus companies.
„Junk hacking” (R) Dave Aitel
http://seclists.org/dailydave/2014/q3/52
32. Device supply chain
Board Support Package - drivers, bootloader, kernel-level SDK
Broadcom, Texas Instruments, Intel, WindRiver...
Original Device Manufacturer – web interface, SDK, cloud...
usually unknown from China, Taiwan etc.
Original Equipment Manufacturer – composing, branding ODMs
+ support, license, warranty...
Value Added Reseller / Distributor
End user
33. Device supply chain
Features! Price! (at every link of the chain)
34. Device supply chain
Security? ? ? ? (at every link of the chain)
36. That depends on the device and usage scenario.
For most - you are supposed to be aware and treat the devices
accordingly:
• just don’t connect this type of hardware to the Internet
• hack the firmware to reclaim control over the device, disable backdoors,
p2p connections etc.; open source - www.openipcam.com
• and carefully monitor the outgoing traffic...
But should we care about the others?
Should we worry?
37. Self-powered and lens-less cameras for IoT
http://www.cs.columbia.edu/CAVE/projects/self_powered_camera/
Image sensors that can not only
capture images, but also generate
the power needed to do so.
http://www.rambus.com/documentation/emerging-solutions/lensless-smart-sensors
Replace the lenses with an ultra-miniaturized diffractive
sensor, extract the image with computation:
extremely small, low-cost „camera”
45. Indexed „public” cameras (rough IP-based
geolocation)
+
exact location (crowdsource?)
+
Cloud, Big Data (face recognition?)
=
PROBLEM?
And what if someone connects the dots?
https://www.flickr.com/photos/opensourceway
47. The "junk hacking" term is considered offensive, and
may influence motivation to prove greater impact ;)
https://www.youtube.com/watch?v=OobLb1McxnI
48. Very popular OBD2 Bluetooth adapter, ~$10
Hardcoded PIN: 1234
Conditions to exploit:
• engine turned on
• close distance (a few meters); or remote
access to the mobile phone
• a car with an unseparated diagnostic bus
But: most users probably are not aware that by
taking over their unpatched Android mobile it
may be possible to kill them in a car accident.
Speaking of car hacking...
https://play.google.com/store/apps/details?id=org.prowl.torquefree
49. But if the device were connected...
http://www.wired.com/2015/08/hackers-cut-corvettes-brakes-via-common-car-gadget/
50. Thousands of interfaces publicly available.
Trivial to discover, already scanned & catalogued
just like the cameras.
Modbus-TCP, Serial-TCP, default passwords or
password-less web management interfaces...
I won’t reveal the links here ;)
Industrial insecurity
54. Read RFIDs mounted in privileged trucks to
automatically open the gate.
Industrial RFID reader
55. PORT      STATE SERVICE    VERSION
23/tcp    open  telnet     Busybox telnetd
4007/tcp  open  pxc-splr?
4684/tcp  open  unknown
10001/tcp open  tcpwrapped
Service Info: Host: UHF-RFID-Dev
Industrial RFID reader – port scan
59. The incoming vehicles are also traditionally verified by
security staff.
The device is available in restricted LAN only.
The tag can also be scanned from the truck itself.
BUT: you have to be aware of the technology's
shortcomings and not alter the above conditions!
Should we worry?
61. Bluetooth Smart != Bluetooth 3
Completely different stack –
from RF to upper layers.
Designed from the ground up
for low energy usage.
Network topology
a) Broadcaster + Observer
b) Master + Peripheral
62. Broadcast – Apple iBeacon
https://www.flickr.com/photos/jnxyz/13570855743
UUID (vendor): 2F234454-CF6D-4A0F-ADF2-F4911BA9FFA6
Major (group): 45044
Minor (individual): 5
Tx Power: -59
The mobile app can measure precise
distance to the specified beacon.
You can read the values using a
free mobile BTLE scanner
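Reading those values is nothing more than parsing the advertising packet a scanner app receives. The following is an added example, not code from the talk: a small Python decoder for the iBeacon frame above and for the Eddystone-URL frame discussed on the next slide, together with the Radius Networks RSSI-to-distance approximation the beacon apps use. The two advertising payloads are constructed (the iBeacon one from the slide's values), and the URL beacon points at a placeholder domain.

```python
"""Decode BLE advertising payloads into iBeacon / Eddystone-URL fields (added example)."""
import struct
import uuid

# Eddystone-URL scheme prefixes and URL expansion codes (from the Eddystone spec).
EDDY_SCHEMES = ["http://www.", "https://www.", "http://", "https://"]
EDDY_EXPANSIONS = [".com/", ".org/", ".edu/", ".net/", ".info/", ".biz/", ".gov/",
                   ".com", ".org", ".edu", ".net", ".info", ".biz", ".gov"]

def ad_structures(payload):
    """Split raw advertising data into (AD type, data) structures; stop at padding."""
    out, i = [], 0
    while i < len(payload):
        length = payload[i]
        if length == 0 or i + 1 + length > len(payload):
            break  # zero padding or a truncated structure: never read past the end
        out.append((payload[i + 1], payload[i + 2:i + 1 + length]))
        i += 1 + length
    return out

def decode_beacon(payload):
    """Return a dict for the first iBeacon or Eddystone-URL frame found, else None."""
    for ad_type, data in ad_structures(payload):
        # iBeacon: manufacturer data (0xFF), Apple company ID 0x004C, subtype 0x02, len 0x15
        if ad_type == 0xFF and data[:4] == b"\x4c\x00\x02\x15" and len(data) >= 25:
            major, minor, tx = struct.unpack(">HHb", data[20:25])
            return {"kind": "iBeacon", "uuid": str(uuid.UUID(bytes=data[4:20])).upper(),
                    "major": major, "minor": minor, "tx_power": tx}
        # Eddystone-URL: service data (0x16) for UUID 0xFEAA, frame type 0x10
        if ad_type == 0x16 and data[:3] == b"\xaa\xfe\x10" and len(data) >= 5:
            url = EDDY_SCHEMES[data[4]] if data[4] < len(EDDY_SCHEMES) else ""
            for b in data[5:]:
                url += EDDY_EXPANSIONS[b] if b < len(EDDY_EXPANSIONS) else chr(b)
            return {"kind": "Eddystone-URL", "url": url,
                    "tx_power": struct.unpack("b", data[3:4])[0]}
    return None

def estimate_distance(rssi, tx_power):
    """Radius Networks' empirical fit (metres); tx_power is the RSSI calibrated at 1 m."""
    ratio = rssi / tx_power
    return ratio ** 10 if ratio < 1.0 else 0.89976 * ratio ** 7.7095 + 0.111

# Constructed payloads: the iBeacon values from the slide, and an Eddystone-URL frame
# for http://example.com (0x02 = "http://", 0x07 = ".com"), Tx power -18 dBm (0xEE).
IBEACON_ADV = bytes.fromhex("020106" "1aff4c000215" "2f234454cf6d4a0fadf2f4911ba9ffa6"
                            "aff4" "0005" "c5")
EDDYSTONE_ADV = bytes.fromhex("020106" "0303aafe" "0e16aafe10ee02" "6578616d706c65" "07")
if __name__ == "__main__":
    print(decode_beacon(IBEACON_ADV), decode_beacon(EDDYSTONE_ADV), estimate_distance(-69, -59))
```

The Tx power field is what the beacon claims its signal strength is at 1 m, so the distance estimate trusts the broadcaster; anyone can advertise the same bytes, which is the point of the emulation slides that follow.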
63. May broadcast:
• ID (similar to iBeacon)
• sensor data (e.g. temperature)
• URL – physical web
Physical web – prepare for new
spam possibilities on the mobile.
Broadcast – Google Eddystone
64. Beacons – emulation #1: free app
https://itunes.apple.com/us/app/locate-beacon/id738709014
https://play.google.com/store/apps/details?id=com.radiusnetworks.locate
You can enter exactly the same
values as an existing beacon
68. Additional info on products based on precise location.
Rewards for visiting places.
Indoor guide, help to navigate the blind etc.
Your home or toys can automatically react to you.
Be warned that your bike or car is no longer in the
garage.
Beacons – some example usage scenarios
71. The "no need to hack" attack scenarios (e.g. reconfigure
beacons to broadcast spam Eddystone URLs):
• #1 - you just need the dev app in order to reconfigure any
beacon
• #2 – you can configure only your devices. But the
restriction is only in app GUI
• #3 – static authentication key compiled into the SDK, trivial to
decompile
Attack condition: same physical location OR hacked mobile.
Beacons – reconfiguration attacks
73. 1. Buy SDK+devices from selected vendor (Nordic, TI...)
2. Import ready-to-use sample code.
3. Add your bright usage scenario (and sometimes a bit
of hacking).
4. Create convincing bootstrap webpage + videos.
5. Run successful Kickstarter campaign.
6. Profit!
How to make your own BLE device?
74. Electric plugs, lightbulbs, locks, kettles,
sensors, wallets, socks, pans, jars,
toothbrushes, bags, plates, dildos,
sitting pads, fart-measuring
devices, calorie-counting mugs...
„It was just a dumb thing. Then we put a
chip in it. Now it's a smart thing.”
(weputachipinit.tumblr.com)
Crowdfunding: a new kind of celebrity.
Too often ridiculous meets big money.
Beacons are just the beginning...
www.myvessyl.com
75. I showed that an intruder may approach the unsuspecting victim once, to
be able to get full control over the car for consecutive times -
without the victim's consent.
Details will come soon...
Other BLE devices
www.loxet.io
78. ... crashes the
Android Bluetooth
stack ;)
"Bluedroid can only handle
seeing 1,990 different
Bluetooth MAC addresses
before the Android
BluetoothService crashes"
BLE security feature – rotating MAC address...
http://developer.radiusnetworks.com/2014/04/02/a-solution-for-android-bluetooth-crashes.html
85. Smart meter: BLE broadcast
12 82 07 00 f4 2f 12 00 dc 05 02 0a 08
12 82 06 00 01 30 12 00 dc 05 02 0a 08
12 82 24 00 49 30 12 00 dc 05 02 0a 08
12 82 06 00 50 30 12 00 dc 05 02 0a 08
Temp. impulses
Total number of impulses
86. In fact, we didn’t even have to.
Wow, we can sniff the power
usage of a victim!
That looks like a serious
vulnerability, doesn’t it?
But is it really?
OMG! We have „hacked” it!
https://www.flickr.com/photos/viirok/2498157861
87. Conditions to exploit:
- distance 5-10 m from my house
The impact:
- A „not so anonymous” intruder can monitor my power
usage and deduce e.g. my presence at home.
But: my presence at home is also perfectly visible from
5.3 km distance.
And I can detect the intruder, too ;)
BLE Broadcast smart meter - risk
88. You can also reset this
device – I haven’t bothered
to set the password ;)
As well as take a brick
and break my window,
but I honestly hope you
won’t.
BTW
https://www.flickr.com/photos/memestate/2840195/
90. An additional head mounted on the
water meter transmits the
indication wirelessly to mobile
collectors.
Several hundred thousand (and
counting) installed in Poland.
Wireless smart meters
91. RTL DVB-T USB stick ~ 40 PLN
Free software (e.g. GNU Radio)
Great beginner’s video tutorial:
http://greatscottgadgets.com/sdr/
Hacking wireless: Software Defined Radio
96. 1. The data is transmitted in clear text or without proper encryption.
2. The precision of the transmitted data is higher than needed for billing.
3. Being in range of the wireless transmitter - max a few hundred meters.
4. (Not-so-common-yet knowledge of wireless signal decoding)
Risk for the end-user – conditions to exploit
Image: http://www.taswater.com.au/Customers/Residential/Water-Meters
97. (this meter just broadcasts the indication)
Presence?
• it would be easier to observe e.g. parked cars or lights.
Personal habits?
• when they bathe (or not), do laundry
• whether they have a dishwasher,
• how big the family is...
"Bad neighbour" scenarios:
• emulate the tampering alarm signal?
• broadcast enormous usage?
Risk for the end-user – impact
98. If the device broadcast too detailed an indication, a
regulation could prohibit it.
(there are actually such regulations for energy meters)
How much would it cost to replace several hundred
thousand devices?
Risk for the operator?
99. Risk for the operator?
868 MHz transmitter: 8 PLN
Arduino: 30 PLN
6 x 3 = 18 PLN
TOTAL: 56 PLN
102. It depends.
The risk is not always obvious. An intruder may hack the
thing, but in the end it may not matter. But you may also
implement a seemingly safe usage scenario that
dramatically increases the risk.
The physical presence condition does reduce the attack
possibilities significantly, but beware mobile malware.
The risk may increase in time – new tools, exploits,
adoption of technology.
Should we worry?
103. Wanna-be-hackers
• Act in good faith to reduce potential for harm.
• You won’t impress us by hacking speaking dolls to say naughty
words or teledildonics to vibrate abnormally ;)
• Please do take the real risk into consideration, and the impact on
the involved parties, too.
Pentesters
• Adopt new skills and labs for the emerging market
• Sometimes it’s just enough to RTFM
Enthusiasts, hackers, pentesters, consultants...
104. Confront your ideas with security professionals.
Be aware there is a thin red line between "junk hacking" and real risk.
Startups:
• Bugcrowd www.bugcrowd.com
• Free consultancy www.securing.pl/konsultacje (form in PL),
contact us for EN. Drop us your device and we’ll see what we can
do in our spare time.
Proactively predict future compliance requirements (the FCC, EU and
governments are working on them).
Educate the users, design secure by default devices – e.g. enforce
non-default passwords.
Vendors, inventors, entrepreneurs...
105. Understand the technology and associated risks – be
aware of its shortcomings and secure usage scenarios.
Depending on risk (e.g. industrial, urban, government,
medical...), consider security assessment of your
configuration.
Get used to the loss of privacy. You are no longer in
control of your data – no matter if you use the
technology or try to avoid it.
Demand the security.
End-users
106. Demand the security!
Security !!!