Raúl Siles - IOT: INTERNET OF T... [rooted2018]

2018 © Dino Security S.L.
All rights reserved. Todos los derechos reservados. www.dinosec.com
IoT: Internet of T…
w w w. d i n o s e c . c o m
@ d i n o s e c
Raúl Siles
Founder & Senior Security Analyst
raul@dinosec.com
March 3, 2018

2
This presentation is inspired by true events.
All events, locations, characters, persons, companies, firms,
and IoT products J depicted in this presentation, even
those based on real devices, are fictitious.
Any resemblance to reality is purely coincidental and
unintentional.

3

4
Disclaimer
• Real devices and details have been sanitized to minimize
the risk of vendor identification and massive exploitation.
• Live demonstrations and videos have to deal with and
overcome these constraints.
• Any resemblance of images, screenshots, text, code
snippets, and other details… to reality is purely
coincidental and unintentional.

5
• IoT, Internet of Things
– Terror
– Traps, Tricks, Targets, Threats,
Turbulences, Toilets… J
– Trends
– Topics, Timers…
– …
• Internet of Testing
• Internet ot Trust
https://twitter.com/dinosec/status/954283251081928706 (Carles, Javier…)

6
IoT Security Analysis Methodology
Hardware components (+buttons/interfaces/ports...)•
Firmware•
"Cloud" services•
Mobile apps•
(Admin/Mgmt.) Web interface (& other services)•
Wireless/Radio communications•
Local storage•
"Análisis de los vectores de ataque del Internet de las cosas (IoT)"
https://www.ismsforum.es/estudioCEM

7
RootedCON 2016

Target

9
Advanced IoT Solutions: Parts List J
Central controller or hub•
Wireless peripheral devices•
Sensors–
Actuators–
"Cloud" services•
Mobile apps•
Web interface (& other services)•

10
Target: Domotic IoT Solution
• Central controller or hub (plus remote controllers)
• Wireless peripheral devices: Sensors & Actuators
– Environmental control system
• Heating system
• Shutters
– Lighting system and power plugs
– Physical access (e.g. garage door)
• "Cloud" services, mobile apps, web interface…
(Smart) Home Automation

11
Market(ing) vs. Real Needs

12
Domotic IoT Solution: Technologies
• IoT: Internet (TCP/IP) of T…
• Radio/Wireless technologies (proprietary protocols)
– v1: 433 MHz (∼50m)
• Up to 6 paired transmitters (or channels)
– v2: 868 MHz (∼150m) + state feedback
• Up to 32 paired transmitters
• Transmitter, receiver (+ feedback) or transceiver
• USB expansion port: Z-Wave?…
• Absent wireless technologies: Wi-Fi, Bluetooth, ZigBee, etc.

13
Target: Blueprint

14
Finding the entry…

15
Outline
Hardware components (+buttons/interfaces/ports...)•
Firmware•
"Cloud" services•
Mobile apps•
(Admin/Mgmt.) Web interface (& other services)•
Wireless/Radio communications•
Local storage•

Hardware Teardown

17
Target: Hardware

18
Hardware Teardown
• Central controller or hub (Internet to radio/wireless)
• Remote control (up to 3/16 channels)
• Heating system (thermostat schedule)
– Heating controller (software), heater/boiler module (with state
feedback) and temperature sensor
• Lighting (e.g. indoor/outdoor bulbs, ceiling lights, lamps… anything)
– On/off or dimmer module, wall switch, motion or presence
detector, opening detector and power plugs (on/off or dimmer)
• Physical environment and access control
– Shutter module (with state feedback), and door or gate module

19
Devices Classification
Transmitters (• ∼sensors)
Remote controller–
Wall switch–
(indoor/outdoor) Motion or presence detector–
(door/window) Opening detector–
Temperature sensor–
Receivers (• ∼actuators)
Heater/– boiler module
Shutter– module
Door or gate module–
Lighting– on/off or dimmer module
Power– plugs (on/off or dimmer)
Transceiver•
Central controller or hub–

20
Hardware Hacking 101 J
Screwdriver hacking!•
Thanks to my father!
857/1 Z punta de horquilla o
punta para tornillo spanner

21
Remote Controller
• 3 channels
• NDR433TS:
– NEDI SAW (surface-acoustic-wave) resonator
• Frequency stabilization at 433.920 MHz
• Radio chip: 611S21 * DA17DB
– Unknown (radio chip)
• Found a single Internet reference in
Norwegian for 433.92 MHz
• Google, www.findchips.com, etc.

22
Shutter or Door/Gate

23
Hub or Central Controller

24
Temperature Sensor
Main• (and unique) chip
– …

25
Heater / Boiler Module

26
Power Plug

Firmware

28
Target: Firmware

29
Firmware Updates
• No auto update capabilities
• Manual download from manufacturer website (or by
contacting support)
• Backup current configuration first J (…via cloud only L)
• Upload '<version>.bin' file via web interface
– Authentication required as "admin" (web interface details)
– No signature (build your own firmware version J and…)
• Restart
Use <a href="/upload">MPFS Upload</a> to program web pages... (strings)

30
Firmware Analysis

31
Firmware Analysis: Details
binwalk• : Firmware analysis tool
Found: MPFS v2.1 filesystem, images (PNG, GIF, JPEG, TIFF…),–
compressed data (gzip and Zlib), HTML documents, etc.
No encryption and just… some compression•
"strings is your friend…" (e.g. Google Maps API key)•
https://github.com/ReFirmLabs/binwalk
Version 3.5.2 autologin
Builddate Mar 3 2018 # login as user
Productmodel A8021 admin
FW-Version 186370035640 # login as admin
… usrpass 52d04dc20036dbd8
MPFS-2.1 setpass 7a57a5a743894a0e

32
Firmware Analysis: Filesystem Format
MPFS (Microchip PIC File System)•
Indexed web files for auto tag expansion (e.g.– ~foo~)
Plain and compressed files–
Microchip TCP/IP Stack•
Microchip's– HTTP(2) web server – MPFS(2)
Internal memory or EEPROM•
https://books.google.es/books?id=V1wLsfO1114C

33
Firmware MPFS Extraction
binwalk• custom plugin
Signature: known MPFS data signatures ("…/magic/filesystems")–
Starts with the string "MPFS{v}{s}• {f}" (version, subversion, file entries)
MPFS{byte}{byte}{– leshort} (byte: 8-bit integer; leshort: little endian 2-byte integer)
Extractor:– <missing>
MPFS extraction tools…• L
MPFS2 extraction tools•
mpfs2– -fsutil (--list & --extract)
https://– www.mjoldfield.com/atelier/
2007/12/mpfs2.html
https://github.com/ReFirmLabs/binwalk/wiki/Creating-Custom-Plugins

34
Physical Firmware Extraction
• 4-pin JTAG interface
Joint– Test Action Group
PIC•
TMS, TDO, TCK, TDI–
Pins: 23, 24, 27, 28–
TMS (Test Mode Select)•
TDO (Test Data Out)•
TCK (Test Clock)•
TDI (Test Data In)•
TRST (Test Reset) optional•

"Cloud" Services

36
Cloud Service
• User to cloud
– Direct access to the IoT environment through the cloud
– Web browser (traditional computer or mobile) and/or mobile app
– Registration process
– Backup / Restore capabilities
• Not available through local web server or via mobile app !!!!
• IoT to cloud
– Communication between the IoT environment and the cloud
– Proprietary protocol, enabled by default

37
Target: User to Cloud

38
TCP/IP Port Mapping
What do you think of a critical cloud server that has…?•
21/tcp
22/tcp
25/tcp
53/tcp
80/tcp
110/tcp
143/tcp
443/tcp
465/tcp
587/tcp
993/tcp
995/tcp
3128/tcp
8080/tcp
8081/tcp
8090/tcp
… this list of open ports, and more!

39
Cloud Passwords
At some point, you cannot log in again (web and mobile)•
After logging in, you should receive a Bearer Token•
(OAuth 2.0), used for API requests
Instead, you get a JSON error (interception proxy)•
Reason: After extensive research…•
Does the vendor even know it?–
If your password is greater than 25 characters (back– -end issue)
Have you heard about passphrases?–
{"code":503,"error":"server_error","error_description":"server_error"}

40
Something Does Not Smell Very Well Here…

41
Backup / Restore Capabilities
Is it possible to access other IoT environment's backups?•
Backups are saved in a proprietary plain text format–
Reverse engineer backup format to extract rooms, device IDs, MD5…•
Is it possible to make backups of other IoT environments?• J
Anonymously?•

42
Target: IoT to Cloud

43
IoT to Cloud
Proprietary protocol similar to HTTP•
Enough to make standard HTTP(S) interception proxies fail–
Solution:– mitm_relay (or NoPE) + Burp (et. al.)
Custom port (1234/• tcp)
Enabled by default•
No encryption, no integrity, no…thing•
Discloses multiple device IDs: model, firmware version,•
MAC address, serial number, and message ID
https://github.com/jrmdev/mitm_relay

44
IoT to Cloud: Proprietary Protocol
JSON API
ABCD/1.0 CONNECT
Model: …
FW-Version: …
MAC: …
SN: …
Message-ID: …
ABCD/1.0 KEEP-ALIVE
Message-ID: …

45
IoT to Cloud: Admin Access
• Unencrypted: Cloud requesting admin access to IoT
hub…ABCD/1.0 API-REQUEST ABCD/1.0 API-RESPONSE
X-Token: …
Message-ID: … {…"msg":"API_NOT_AUTHED"}
Content-Length: …
god=admin
ABCD/1.0 API-REQUEST ABCD/1.0 API-RESPONSE
X-Token: …
Message-ID: … {…"msg":"SUCCESS"}
Content-Length: …
user=admin&pass=7a57a5a743894a0e&autologin=0&god=login&…
Full access to IoT hub and the associated IoT environment...

Mobile Apps

47
Target: Mobile Apps

48
Mobile Apps
iOS and Android•

49
Username Enumeration in iOS
• In the login page for the mobile app… L
• And as a bonus, if the username does not exist…
• Be careful with typos in your username J
POST /auth HTTP/1.1 (via HTTPS)
Host: cloud.example.com
...
{username: "monica", password: "0123456789abcdef"}
{"code":"101","error":"error","error_description":"Wrong Password"}
{"code":"100","error":"error","error_description":"User not found"}
POST /auth HTTP/1.1 (via HTTP)
Host: example.com
...
{username: "monica", password: "0123456789abcdef"}

Web Interface

51
Target: Web Interface

52
Web Interface
Local administrative/management web interface•
Only port 80/• tcp open
HTTPS?–
Settings section (e.g. "/settings/") requires authentication•
Default password: admin– – no username?
Did I mention there is no encryption?–
Traditional or mobile access•

53
Admin Web Interface (via Mobile)

54
Admin Web Interface
• Login page simply requests a password, but…
• Change password…
<html>
<head><title Login</title>~inc:inc/header.inc~</head>
<body>
<div class="login"><h2 >Admin Login</h2>
<div class="login-form">
<input id="user" type="hidden" value="admin">
<input id="password" type="password" placeholder="password">
<button id="login">LOGIN</button>
</div>...
<input id="admin-pass" class="admin-pass" name="admin-pass" type="password"
maxlength="16" disabled>
var pwdvalidator = {required: true, rangelength: [4, 16]};
config('setpass', md5($('#admin-pass').val(), 16));

55
Web Interface Passwords
• MD5-related passwords?
• Dynamic analysis
• Static analysis
• Firmware password-like strings…
Firmware:
usrpass 52d04dc20036dbd8
setpass 7a57a5a743894a0e
Usage: md5(<password>, 16)
File: md5.js
$ jsc getmd5.js – "IoT"
60a13f2f4c7e11c7
... if(h==16){return a.substr(8,16)} ...
81dc9bdb52d04dc20036dbd8313ed055 --> 1234
21232f297a57a5a743894a0e4a801fc3 --> admin

56
Firmware Upload Capabilities
• Without authentication (obtained via firmware strings…)

Wireless/Radio Communications

58
Target: Wireless/Radio Communications

59
Wireless Communications
• Adding new wireless devices (pairing)
– Pairing 433 & 868 MHz devices
– Wireless devices classification
• Digital modulation for 433 & 868 MHz signals
• Replaying 433 & 868 MHz signals
• Decoding 433 & 868 MHz signals

60
HackRF One OperaCake

61
OperaCake: Auto-Antenna Selection

62
Wireless Devices Classification
Receivers•
Grab signals and store them in memory (learning function)–
Transmitters•
Generate signals (static or dynamic– J)
Transceivers•
Both (e.g. receivers with state feedback)–
Hub•
Legitimate replay attacks– J
Hardware Components

63
Digital Modulation for 433 MHz Devices

64
Digital Modulation for 868 MHz Devices

65
Playing with Wireless/Radio Signals
Replaying 433 & 868 MHz signals•
"script– -kiddie" attacks
Decoding 433 & 868 MHz signals•
Digital demodulation (reverse engineering radio signals)–

Internet of T…

67

68

69

70
Heater Module: GRC

71
Heater Module: rfcat script

Conclusions

73
• Internet of Troubles
• Internet of Testing
• Internet ot Trust

74
Spanish Collection of Proverbs
"Cada uno en su
casa… y
DiOs
en la de todos"
todo

75
Credits
– Produced by:
– Sponsored by:
– Casting by:
– Supported by:
– Music & visuals by:
– Costume designer:
Raúl Siles
Mónica Salas
E & E
IoT vendors
My parents, et. al.
Siletes
DinoSec

w w w.d in o s e c .c o m
@ d in o s e c
R a ú l S ile s
r a u l@ d in o s e c .c o m

77
Questions?
w w w.d in o s e c .c o m
@ d in o s e c

Raúl Siles - IOT: INTERNET OF T... [rooted2018]

Empfohlen

Empfohlen

Weitere ähnliche Inhalte

Was ist angesagt?

Was ist angesagt? (20)

Ähnlich wie Raúl Siles - IOT: INTERNET OF T... [rooted2018]

Ähnlich wie Raúl Siles - IOT: INTERNET OF T... [rooted2018] (20)

Mehr von RootedCON

Mehr von RootedCON (20)

Kürzlich hochgeladen

Kürzlich hochgeladen (20)

Raúl Siles - IOT: INTERNET OF T... [rooted2018]