From kettles to toys it seems there is nothing that cannot be internet enabled and controlled with an app. WHY!?
There are downsides though. What if your product leaks information, or can be used to sabotage a network, or even endanger personal safety? Ken used live demos to show how popular devices can be hacked and abused, and what you can do to prevent it. He also discusses the benefits of baking security into products, by enabling over-the-air updates, avoiding costly product recalls and being a truly trustworthy brand.
Ken Munro Pentest Partners IoT Forum 2016
1. info@pentestpartners.com | +44 (0)20 3095 0500 | @PenTestPartners | www.youtube.com/PenTestPartnersLLP
Vulnerabilities in the Internet of Things
or
How weak mobile app code led us to a bunch of IoT bugs
2.
Warning: This presentation may contain hot liquids (and swearing)
3.
Basic mobile app security principle:
Write it securely
Obfuscate the code to make reverse engineering really tough
4.
What’s the problem?
Huge increase in attack surface:
Mobile app security
Web app security
API security
Mobile device security
IoT device hardware/firmware security
RF security
For a manufacturer of ‘things’…
5.
My Wi-Fi Kettle
Er yeah. Why?
Nice idea, if pointless
Future potential quite interesting
Coffee machine ships mid October
Security-fail central
7.
How to reverse Android apps
First, get the APK; ADB can pull it from the phone
Then decompile using dex2jar or jadx
https://github.com/pxb1988/dex2jar
Figure out how the app works
Edit the Dalvik bytecode (smali) using Apktool
https://ibotpeaches.github.io/Apktool/
Or simply edit the resources it uses
Recompile, sign with any key, distribute
9.
Attacking a kettle
Other crazy consequences:
Write your own client software – kudos to Mark J Cox
Geo-locate unconfigured wireless kettles
Geo-locate configured wireless kettles
‘Steamy windows’ attack, run up victim’s power bill
WIP: exploding kettle
13.
My Friend Cayla
Remember our sweary talking doll?
A year is a long time in security…
15.
Hacking Cayla
Wikipedia API
Evil API
Bluetooth
Voice recognition
Local Q database + ‘badwords’
MITM: modify unencrypted data in transit
Evil phone, modified app: modify SQLite DB contents; tamper with anti-swearing process
API call broken when Wikipedia enforced SSL!
16.
Putting it right
Manufacturer clearly doesn’t ‘get’ security
“We will be issuing an update to the mobile app to fix the issues raised” – except they didn’t
Implementing SSL will help, so long as certificate pinning is enforced
Otherwise, MITM again
But, Bluetooth promiscuity cannot be fixed, as there is no security of pairing process
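The pinning point above is worth making concrete: TLS alone only guarantees you are talking to someone holding a certificate your device trusts, and on a phone with a user-installed proxy CA that includes an interception proxy. Pinning adds a second check against a hash of the server's public key (the SubjectPublicKeyInfo), which a proxy cannot forge. The example below is added here; it is not code from the talk or from any vendor. It builds three constructed X.509 certificate shells with a tiny DER encoder (the key material, host name api.example-iot.invalid and signature bytes are all invented placeholders, so the certificates are usable only for pin extraction), then shows the check a client would run after normal chain validation: the original and the renewed certificate share a key and both pass, the proxy's certificate does not.

```python
import base64
import hashlib

# --- minimal DER encoder, used only to build constructed sample certificates ---
SEQ, INT, BITSTR, OID, NULL, UTF8, SET, UTCTIME = 0x30, 0x02, 0x03, 0x06, 0x05, 0x0C, 0x31, 0x17
RSA_OID = bytes.fromhex("2a864886f70d010101")         # 1.2.840.113549.1.1.1 rsaEncryption
SHA256_RSA_OID = bytes.fromhex("2a864886f70d01010b")  # 1.2.840.113549.1.1.11 sha256WithRSAEncryption
CN_OID = bytes.fromhex("550403")                      # 2.5.4.3 commonName


def der(tag: int, payload: bytes) -> bytes:
    """Encode one DER TLV (short or long-form length)."""
    n = len(payload)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + payload


def spki_for(key_material: bytes) -> bytes:
    """SubjectPublicKeyInfo around constructed key bytes (not a real RSA key)."""
    alg = der(SEQ, der(OID, RSA_OID) + der(NULL, b""))
    return der(SEQ, alg + der(BITSTR, b"\x00" + key_material))


def name(cn: str) -> bytes:
    atv = der(SEQ, der(OID, CN_OID) + der(UTF8, cn.encode()))
    return der(SEQ, der(SET, atv))


def make_cert(spki: bytes, serial: int, cn: str, not_before: str, not_after: str) -> bytes:
    """X.509 v3 certificate shell; the signature field is a placeholder, so it only serves pin extraction."""
    sig_alg = der(SEQ, der(OID, SHA256_RSA_OID) + der(NULL, b""))
    tbs = der(SEQ,
              der(0xA0, der(INT, b"\x02"))                        # [0] EXPLICIT version v3
              + der(INT, bytes([serial]))
              + sig_alg
              + name("Example IoT CA")                             # issuer (constructed)
              + der(SEQ, der(UTCTIME, not_before.encode()) + der(UTCTIME, not_after.encode()))
              + name(cn)                                           # subject
              + spki)
    return der(SEQ, tbs + sig_alg + der(BITSTR, b"\x00" + b"\xAA" * 32))


# --- the part a pinning client actually needs: locate the SPKI and hash it ---
def der_children(body: bytes):
    """Split a constructed element's body into (tag, whole TLV, payload) triples."""
    out, i = [], 0
    while i < len(body):
        tag, first, hdr = body[i], body[i + 1], 2
        length = first
        if first & 0x80:
            nbytes = first & 0x7F
            length = int.from_bytes(body[i + 2:i + 2 + nbytes], "big")
            hdr += nbytes
        end = i + hdr + length
        out.append((tag, body[i:end], body[i + hdr:end]))
        i = end
    return out


def extract_spki(cert_der: bytes) -> bytes:
    _, _, cert_body = der_children(cert_der)[0]   # Certificate ::= SEQUENCE { tbs, alg, sig }
    _, _, tbs_body = der_children(cert_body)[0]   # TBSCertificate
    fields = der_children(tbs_body)
    if fields[0][0] == 0xA0:                       # skip the optional explicit version
        fields = fields[1:]
    # serial, signature, issuer, validity, subject, subjectPublicKeyInfo, ...
    return fields[5][1]


def spki_pin(cert_der: bytes) -> str:
    """Pin in the OkHttp / HPKP form: 'sha256/' + base64(SHA-256(DER SPKI))."""
    digest = hashlib.sha256(extract_spki(cert_der)).digest()
    return "sha256/" + base64.b64encode(digest).decode()


def pin_check(cert_der: bytes, pinned: set) -> bool:
    """Run after ordinary chain validation: the leaf's key must match a shipped pin."""
    return spki_pin(cert_der) in pinned


# Constructed sample material: the vendor's key (A) and an interception proxy's key (B).
KEY_A = bytes(range(1, 65))
KEY_B = bytes(range(64, 0, -1))
HOST = "api.example-iot.invalid"
SERVER_CERT = make_cert(spki_for(KEY_A), 1, HOST, "160101000000Z", "170101000000Z")
RENEWED_CERT = make_cert(spki_for(KEY_A), 2, HOST, "170101000000Z", "180101000000Z")
MITM_CERT = make_cert(spki_for(KEY_B), 3, HOST, "160101000000Z", "170101000000Z")
PINNED = {spki_pin(SERVER_CERT)}   # ship this (plus a backup pin for the next key) in the app

if __name__ == "__main__":
    print("pin:", spki_pin(SERVER_CERT))
    print("original cert accepted:", pin_check(SERVER_CERT, PINNED))
    print("renewed cert, same key, accepted:", pin_check(RENEWED_CERT, PINNED))
    print("proxy cert, other key, accepted:", pin_check(MITM_CERT, PINNED))
    # Pinning the whole certificate instead would have broken at renewal:
    print("whole-cert hashes equal:", hashlib.sha256(SERVER_CERT).digest() == hashlib.sha256(RENEWED_CERT).digest())
```

Two design points carry over to real apps: pin the key, not the certificate, so routine renewal does not brick every device in the field, and always ship a backup pin for the next key so a compromise can be rotated away without an app update the vendor may never issue.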
17.
Vendor updates the app
Our attack stopped working a while back, after the application was finally updated
They ‘fixed’ it by encrypting the database contents with SQLcipher
Er – ignoring the issues that actually mattered
18.
My Friend Freddy Bear
Nothing changes…
Whilst reverse engineering the iOS version of Cayla’s app, a researcher found a ‘machine gun’ sound file in her code
Action Cayla?
Freddy Bear shipped this Xmas, equally vulnerable
Slightly more annoying
19.
The media don’t help
CSI Cyber contacted us about My Friend Cayla
A talking doll involved in a murder. So we wrote a technically plausible ‘hack’ for them
In the end they just dubbed a Barbie-alike!
20.
Hello Barbie
Totally different security model
BUT
Wi-Fi PSK stored on board
Potential to intercept mike
Some other data cached on board
…and parents can create accounts to view child’s activity
21.
Samsung Smart Fridge
Samsung RF28HMELBSR Smart Fridge
View Google calendars, weather, recipes, TV etc
Did I say ‘utterly pointless’?
Spectacularly fails to properly encrypt your Gmail password
Drive past your house, attack fridge, steal your email
22.
Samsung Washing machine
Samsung WW10H9600EW ‘smart’ washer
Work in progress, but allows remote control of your washing machine
Similar control to smart fridge
Wi-Fi network primary attack vector
Amusing conversation with installer:
“Can I plumb it in for you?”
“No thanks, I’m not using it for washing”
-> very confused look
At least SSL certs are validated
24.
Hoover Wizard
Ready for a train wreck?
Time to look at the mobile app code
Static OAuth tokens for API
Plain text control on local network with ‘encription’
Can we set fire to it?
25.
Ring Wi-Fi doorbell
Remove doorbell: unscrew two T6 Torx screws, push setup button on rear of bell
Connect to the embedded web server running on the Gainspan Wi-Fi module
User’s Wi-Fi PSK displayed in plain text…
26.
Ring Wi-Fi doorbell
For once, a vendor that actually responded quickly and effectively
Acknowledged bug within about 20 minutes of Twitter DM
Fix pushed within 2 weeks
But, still trackable:
27.
Internet scales
Fitbit Aria internet scales
Connects to your network over Wi-Fi
Shares weight & fatness through Fitbit online services
Set up guest only; it IDs the user by weight
Don’t eat too many pies overnight
Sends your home SSID to Fitbit servers at registration, potential to identify user
Fitbit could therefore geolocate you with wigle.net
Nothing on the board appears to be encrypted
Limited processing power & storage
28.
Setup mode PSK disclosure
Put kettle into setup mode: either push reset button, or take out batteries
Navigate to URL here
PSK disclosed in plain text
Found & reported, fixed in firmware 38
How we found it:
32.
Star Wars
Remember this guy?
Surely BB-8 can’t have vulnerabilities?
33.
Wearables
Wi-Fi eminently more trackable than other RF technologies
Mostly due to war driving and wigle.net
Though still potential with Bluetooth, BT LE, Zigbee, Z-Wave
802.11ah HaLow concerning
What do you sync your device with?
34.
Wearables – smart bra
Innovative approach to heart rate monitoring
Some discussion about being able to assess other stats, such as body temperature
Not quite shipping yet
www.omsignal.com
Can’t wait…
35.
Wearables – tracking
The HRM in the smart clothing syncs with a smart phone and fitness app
Strava
MapMyRun
Nike+
Runkeeper
And Runtastic, which had a lovely vulnerability that allowed unauthenticated live tracking…
36.
Tracking by fitness apps
Privacy for various activity tracking apps is dreadful
Runkeeper, MapMyRun, Strava, Runtastic
All had privacy settings off by default
Generally hard to find and configure privacy
Strava in fairness mailed users on day 2 to show how
Most had sequential session IDs
Runtastic had the shocking real-time tracking bug,
even when profile set to private
Only Nike+ seemed to get security & privacy ‘right’
37.
iSpy Tank
Wi-Fi access point with tracks
Static creds to web interface
Take control from outside the victim’s house
Go spy!
Thermostats, LightwaveRF etc etc all being investigated
38.
In summary
IoT product vendors have a lot to learn about security
So do some mobile app coders
Finding these bugs would have been really tough if the code was properly obfuscated
Check out your mobile app code; look for the basics:
Is it obfuscated / encrypted?
Static credentials / static keys
Plain text communications / SSL pinning
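The checklist above (and the Hoover Wizard slide's static OAuth tokens) can be turned into a first-pass review of your own app: decompile it the way the "How to reverse Android apps" slide describes, then grep the output for the basics before an outsider does. The script below is an added example, not code from the talk or from Pen Test Partners. It runs over a constructed, invented stand-in for a jadx/dex2jar output tree embedded inline (the package names, URL api.example-iot.invalid, token and key values are all made up) and flags hardcoded credentials, cleartext http:// endpoints, an accept-everything TrustManager and a disabled hostname verifier, and reports whether anything resembling pinning is wired up at all. The checks are deliberately grep-level heuristics; they catch the cases in this deck, not every variant.

```python
import re
from collections import Counter
from typing import Dict, List, Tuple

# Constructed stand-in for a decompiled Android source tree (what jadx, or
# dex2jar plus a Java decompiler, would give you). Every path and value is invented.
SAMPLE_SOURCES: Dict[str, str] = {
    "com/example/iot/ApiClient.java": """
        public class ApiClient {
            private static final String BASE_URL = "http://api.example-iot.invalid/v1/";
            private static final String OAUTH_TOKEN = "Bearer abcdef0123456789abcdef0123456789";
            private static final String DEVICE_KEY = "0123456789abcdef";
        }
    """,
    "com/example/iot/net/TrustAll.java": """
        public class TrustAll implements X509TrustManager {
            public void checkServerTrusted(X509Certificate[] chain, String authType) { }
            public void checkClientTrusted(X509Certificate[] chain, String authType) { }
        }
    """,
    "com/example/iot/net/Http.java": """
        HttpsURLConnection.setDefaultHostnameVerifier(SSLSocketFactory.ALLOW_ALL_HOSTNAME_VERIFIER);
    """,
    "com/example/iot/Util.java": """
        public class Util { static final String TAG = "Util"; }
    """,
}

# Each check is (finding kind, regex applied per line). A grep-level first pass,
# not a substitute for reading the code.
CHECKS: List[Tuple[str, re.Pattern]] = [
    ("cleartext-url", re.compile(r'"http://[^"]+"')),
    ("static-credential", re.compile(r'(?i)(token|secret|password|api_?key|key)\s*=\s*"[^"]{8,}"')),
    ("trust-all-manager", re.compile(r'checkServerTrusted\([^)]*\)\s*\{\s*\}')),
    ("hostname-verification-disabled", re.compile(r'ALLOW_ALL_HOSTNAME_VERIFIER')),
]

# Strings whose presence suggests pinning is at least wired up: OkHttp's
# CertificatePinner or an Android network security config pin-set.
PINNING_MARKERS = ("CertificatePinner", "<pin-set", "network_security_config")


def scan_sources(sources: Dict[str, str]) -> List[Tuple[str, str, int, str]]:
    """Return (kind, path, line_no, line) for every line that trips a check."""
    findings = []
    for path, text in sources.items():
        for line_no, line in enumerate(text.splitlines(), 1):
            for kind, pattern in CHECKS:
                if pattern.search(line):
                    findings.append((kind, path, line_no, line.strip()))
    return findings


def summarize(findings: List[Tuple[str, str, int, str]]) -> Dict[str, int]:
    """Count findings per kind so the report reads at a glance."""
    return dict(Counter(kind for kind, *_ in findings))


def pinning_present(sources: Dict[str, str]) -> bool:
    """True if any file mentions a pinning mechanism; absence is the red flag."""
    return any(marker in text for text in sources.values() for marker in PINNING_MARKERS)


if __name__ == "__main__":
    findings = scan_sources(SAMPLE_SOURCES)
    for kind, path, line_no, line in findings:
        print(f"[{kind}] {path}:{line_no}: {line}")
    print("totals:", summarize(findings))
    print("pinning configured:", pinning_present(SAMPLE_SOURCES))
```

Point it at a real decompiled tree by replacing SAMPLE_SOURCES with a dict built from os.walk over the output directory; anything in the static-credential bucket is a candidate for moving server-side or behind per-device credentials, and a cleartext-url hit next to a missing pinning marker is exactly the combination that made the attacks in this deck work.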
39.
IoT Security Foundation
There’s hope yet!
Various bodies attempting to bring good practice to IoT manufacturers
Some progress by US FDA towards medical device security standards
IoT SF shortly to deliver initial self-cert for IoT security, followed by more robust compliance
40.
The Internet of Things is a scary place
Be cynical, don’t adopt technologies that aren’t proven secure
@thekenmunroshow
@pentestpartners
Blog: www.pentestpartners.com