Ethical Hacking of a Robot Vacuum Cleaner1450590/FULLTEXT01.pdf · Hacking has grown to be a real...

IN DEGREE PROJECT TECHNOLOGY,FIRST CYCLE, 15 CREDITS

, STOCKHOLM SWEDEN 2020

Ethical Hacking of a Robot Vacuum Cleaner

ERIC BRÖNDUM

CHRISTOFFER TORGILSMAN

KTH ROYAL INSTITUTE OF TECHNOLOGYSCHOOL OF ELECTRICAL ENGINEERING AND COMPUTER SCIENCE

Ethical Hacking of a Robot Vacuum CleanerEtisk Hackning av en Robotdammsugare

Eric Brondum, KTH, Christoffer Torgilsman, KTHExaminer Assoc. Prof. Robert Lagerstrom, KTH, Supervisor Prof. Pontus Johnson, KTH

Abstract - This study revolves around the safetyof IoT devices, more specifically how safe the robotvacuum cleaner Ironpie m6 is. The method is basedon threat modeling the device, using the DREADand STRIDE models. The threats with the highestestimated severity were then penetration tested tosee which security measures are implemented toprotect against them. Using client side manipula-tion one vulnerability was found in Trifo’s mobileapplication ”Trifo home” which could be used toharm customers property.

Sammanfattning - Den har studien kretsar kringIoT enheters sakerhet, mer specifikt hur sakerrobotdammsugaren Ironpie m6 ar. Metoden arbaserad pa att hotmodellera enheten med hjalp avDREAD och STRIDE modellerna. Dem allvarli-gaste hoten blev penetrationstestade for att se vilkasakerhetsatgarder som har blivit implementeradefor att skydda produkten fran dem. En sarbarhetupptacktes i Trifos mobilapplikation ”Trifo Home”som kunde exploiteras via manipulation av klientsidan. Denna sarbarhet kunde anvandas for attskada kunders agodelar.

Keywords - IoT, Ethical Hacking, Penetra-tion testing, Threat Model, Security, DREAD,STRIDE, Encryption, MQTT, Ironpie m6

I. Introduction

Hacking has grown to be a real problem in recent timeswith the rapid increase of IoT devices. To protect con-sumers from exploitation, ethical hackers called whitehats are used to find the vulnerabilities before theyget exploited by malicious hackers called black hats.Maintaining the security of IoT devices is vital sincemany devices have access to private information andothers have sensors and cameras that can be used to vi-olate peoples privacy. This problem will only continueto grow as society becomes increasingly dependent ondifferent IoT devices. This increases the demand andnecessity of ethical hacking so that consumer productscan remain safe from exploitation [1].

This study revolves around ethical hacking and cy-

ber security. The objective of this study is to hacka robot vacuum cleaner (Trifo Ironpie m6). This isdone with the intention of evaluating the device’s se-curity measures to find out how secure the device is.The results from this study can be used both by thecompany when making risk assessments and regularmaintenance, but also by other ethical hackers to pro-vide them with methods and hacking techniques thatthey can use when evaluating other similar devices.

When analyzing the devices security measures twodelimitations are used. The first delimitation of thisstudy is to ignore hardware that can only be accessedby disassembling the robot. This delimitation is estab-lished due to three main reasons; the first reason is thatin a real world scenario the hacker will most likely nothave physical access to the robot, therefore physicalmodifications is classified as a non-threat. The secondreason is to reduce the risk of damaging any internalcomponents and finally the third reason is due to timeconstraints.The second delimitation of this study is to not hackany servers. This delimitation is established so as notto break any laws that concern the act of hacking otherpeoples property.

This report is structured in the following way:In section II (Background) some network theory andthe general concepts of IoT and ethical hacking aredescribed. This section also includes references to pre-vious work done in the field of ethical hacking, forexample hacks performed on robot vacuum cleanersand other IoT devices.Section III (Ironpie m6) contains information aboutthe targeted device (Ironpie m6) and the accompany-ing software.Section IV (Method) describes both hacking methodsand methods used for threat modeling and the generalmethods used when penetration testing.Section V (Threat model) includes the asset descrip-tion, architecture diagram and also various threatscategorised by the STRIDE and DREAD models.In section VI (Penetration testing) all the penetrationtests are listed with their associated methods used,

1

results and discussion with a quick explanation for anysoftware and tool used within the test.Section VII (Results) includes a summarization of themain threats that were evaluated in a threat traceabil-ity matrix.Section VIII (Discussion) discusses the validity, relia-bility and generalizability of the found results from thepenetration testing.Section IX (Sustainability and ethics) describes howthe penetration testing remained ”ethical” and legal.Section X (Conclusion) includes a summarized securityevaluation of the Ironpie m6 based on the findings ofthis study.Section XI (Appendix 1 - Threat Traceability Matrixfor mobile applications) contains a threat traceabilitymatrix for general threats against mobile applications,more specifically applications that can control or in-teract with robot vacuum cleaners.Section XII (Appendix 2 - Threat Traceability Matrixfor robot vacuum cleaners) contains a threat traceabil-ity matrix for general threats against IoT devices morespecifically robot vacuum cleaners.Section XIII (Appendix 3 - Proof of Concept Servercode) contains proof of concept code for a HTTP re-sponse server that sends a file on received connection.Section XIV (Appendix 4 - The Results Threat Trace-ability Matrix) contains the results summarized insideof a threat traceability matrix.

II. Background

A. IoT

IoT which stands for Internet of Things is a communi-cation paradigm that has recently started to gain trac-tion and the number of IoT devices have rapidly grownfor several years. IoT aims to connect all devices to theinternet and therefore simplify the process required toharvest data generated by various devices such as sen-sors. Another reason for connecting devices to the in-ternet is that it allows for some devices to be remotelycontrolled. ”Smart” devices are constantly expandingtheir reach, new devices are constantly being developedfor more and more markets resulting in smart fridges,smart watches and so on. This comes at a cost how-ever since some devices require personal and in somecases private data to function as intended. This meansthe data is threatened and could be obtained by anhacker if the security of the device is lacking [2]. Toprevent malicious hackers from exploiting weaknessesthe IoT developer may hire ethical hackers to securetheir devices.

B. Ethical Hacking

Ethical hacking also known as white hat hacking in-volves the use of penetration testing on authorized de-vices to locate security flaws with the intention of get-ting them patched. White hat hacking is a completelylegal practice and is often rewarded quite handsomely,hackers are mainly used to find vulnerabilities that thedesign team may have overlooked when designing theproduct. By finding weaknesses in the targeted IoT de-vice and then getting the problems fixed quickly limitsBlack and Grey hat hackers from exploiting the foundweaknesses in secret [1].

C. MQTT

MQ-Telemetry Transport is a machine to machine(M2M) protocol that mainly focuses on IoT devicesdue to its low requirement of bandwidth. MQTT usesa broker and a publish/subscribe design, to commu-nicate data over different devices. The broker storesall the received published messages in topics so thatdevices that subscribe to these topics can retrieve themessage [3].

D. HTTPS and SSL/TLS

Hypertext Transfer Protocol Secure (HTTPS) is usedto communicate over computer networks in a secureway. The Security Sockets Layer (SSL) and Trans-port Layer Security (TLS) provides security related toauthentication and data transfer. They use both thehandshake and record protocol to transport all datasafely. When a client sends a request to a website SSLand TLS will provide a certificate to the client. Whenthe client receives the certificate it is further evaluatedby the web browsers Certificate authority(CA) whichvalidates that the website is correct and secure [4].

E. ARP

Address Resolution Protocol (ARP) is a communica-tion protocol, that binds the IP addresses of the net-work layer to the MAC addresses of the link layer. Byusing ARP tables, the protocol can translate the IPaddresses used by applications to the MAC addressesused by individual nodes [5].

F. SSH

Secure Shell (SSH) is used for secure remote login andfile transfers on port 22. The SSH protocol works asa client-server model. The SSH client initiates theconnection and uses public key cryptography to ver-ify the SSH server. When the server client connectionis set up, the SSH protocol uses encryptions and strong

2

hashes to ensure that the data sent between the clientand server is secure [6].

G. Previous work

In [7], the aim was to find vulnerabilities in consumerIoT devices with a large scaled approach. Two maintools were used; Shodan to get quantities of IoT de-vices to test and Nestle to determine potential vul-nerabilities. The results showed that IoT devices arevulnerable and easy to exploit when compromisinguser data. Nearly 40% of the IoT devices showcaseda ’high’ risk of having vulnerabilities. There has beenmultiple case studies on consumer IoT devices like webcameras, smartTVs and healthcare systems. Showcas-ing common vulnerabilities in these devices but alsohighlighting the necessity for better security [8] [9] [10].Another IoT device that has been studied extensivelyare robot vacuum cleaners [11] [12] [13] [14], one inparticular was evaluated by Theodor Olsson and AlbinLarsson Forsberg [15]. They studied the ”Jisiwei i3Robot Vacuum” with the intention of finding vulnera-bilities and evaluating the security of the device. Theyaccomplished this by using the threat model analysismethods STRIDE and DREAD and from the gatheredresults performed penetration testing. Two vulnerabil-ities were discovered, One vulnerability was regardingthe protocol that the device communicated informa-tion over. The other vulnerability being predictableQR codes used to link devices to users.

Another vacuum cleaner that has recently been stud-ied for vulnerabilities, is the Ironpie m6 which is thisstudies researched vacuum cleaner. In [16], CheckmarxSecurity Research Team found six vulnerabilities thatcould infringe upon a customers privacy. The mostsevere of the vulnerabilities which were rated eight orhigher on the CVSS scale are [17];

1. An unencrypted HTTP request was sent outwhen querying for a software update. This en-ables the hackers to tamper with the request andto send a malicious version instead.

2. The ability to impersonate someone else’s clientID and therefore gain remote access to theMQTT servers.

3. The ability to impersonate the MQTT server,which would give the hacker full control of thevacuum cleaner.

III. Ironpie m6

During this study the device evaluated is Trifo’s robotvacuum cleaner Ironpie m6. The Ironpie m6 is a mid

range vacuum cleaner with features such as good nav-igation made possible by the use of SLAM algorithmsand an integrated camera. SLAM algorithms are al-gorithms that allow robots to simultaneously realizetheir position in the environment while at the sametime mapping the new environment. The robot alsoincludes multiple sensors with the intention of provid-ing more safety for the robot, the sensors can identifystairs and other dangerous environments. The vacuumcleaner can only connect to 2.4 GHz local networkswith the inbuilt WiFi receiver. To manually maneuverand control the vacuum cleaner’s functionalities Trifo’smobile application ”Trifo Home” is used. Functional-ities that can be controlled through the mobile appli-cation are for example the camera. The camera can becontrolled to record videos or be used as a live videofeed, working as a surveillance camera. Other func-tionalities like telling the robot to charge or clean arealso available in the application. The application hassupport for both iOS and Android.

IV. Methodology

As software security has gained more attention manydifferent models have been defined and created to an-alyze the safety of the product. This is called Threatmodeling which is the technique used when model-ing, identifying and reducing risks within the product.Threat modeling can be accomplished manually or byusing automatized tools. Some manual approacheswould be to use STRIDE, DREAD or PASTA [18][19].While some automatized approaches could be to useMulVal, the TVA tool or NetSecuritas [20]. In thisproject the manual methods STRIDE and DREADwill be used due to their simplicity and efficiency ofidentifying threats in smaller IoT ecosystems.

The STRIDE model suggested by Microsoft is usedto identify threats in a given product by highlightingthe six different threats categories that a product canencounter. These threats are categorised as Spoofing,Tampering, Repudiation, Information Disclosure, De-nial of Service (DoS) and Elevation of Privilege [18].These threat categories are explained below [21].

– Spoofing is the act of stealing or identifying asan other person or computer, to get illegitimateaccess or advantages.

– Tampering information is when legitimate infor-mation is modified or edited.

– Repudiation is to discard or deny certain actionsin a given system.

– Information Disclosure regards data breaches

3

which is when the hacker gets unauthorized ac-cess to confidential information.

– DoS is to attack or disrupt different services tointerfere with the legitimate users.

– Elevation of Privilege is to reach higher privilegeaccess to a system, from a user with restrictiveauthority.

The threat assessment model DREAD is a tool that canbe used when prioritizing which threats to be handlefirst. The DREAD model is made up of five differentfactors that are assessed individually and then summedup producing a number that it uses for risk assessment.These factors can then be further split up into threefactors that describe the likelihood of the threat occur-ring and two factors that describe the severity of thethreat. The first factor is damage potential, this factormeasures the impact and the damage that an exploita-tion could cause. It is therefore one of the factors usedfor assessing the severity of the threat. The secondfactor that is assessed is reproducibility which is oneof the likelihood factors. It is evaluated in regards tohow easy it would be to produce attacks. The thirdfactor is exploitability this is also an likelihood factorand measures how easy the threat would be to exploit.The fourth factor is affected users this is a severityfactor that measure how many users that would beaffected by the threat. The final factor discoverabilityis a likelihood factor that measure the possibility ofthe threat being found [18] [22] [23].

The methodology followed in this study is divided intotwo parts: Threat modeling and penetration testing.The threat modeling methodology is based on chapter2 of [24] the ”IoT penetration testing cookbook”. Thethreat modeling method described in this chapter usesboth the STRIDE and DREAD models and containsthe following steps which will be followed in this study:

1. Identify all the assets in the device ecosystem

2. Visualize the architecture of the device

3. Decompose the IoT device

4. Identify threats using the STRIDE model

5. Document the found threats

6. Rate the threats using the DREAD model

After a threat model has been created and the dif-ferent threats are listed and rated the next step is topenetration test the most severe of them. There existsmultiple different approaches to penetration testingbut the most common ones are: Black box testing andwhite box testing [25].

When applying Black box testing, the hacker will ac-cess the network infrastructure without being aware ofany internal technologies created by the organization.Since the information about the device is limited, it isgenerally a more time consuming and expensive ser-vice. Vulnerabilities can be identified and exploitedthrough multiple testing phases and the use of realworld hacking techniques [25].

White box testing is done with the full knowledgeof all the internal and underlying technologies thatis part of the system. Thanks to this the knowledgerequired to utilize this testing method is much lowerthan other methods such as black box testing. Thetesting can be done with minimal effort and are muchmore accurate since the time spent testing can be fullyutilized testing potential vulnerabilities instead of in-vestigating the protocols used for example [25].

During the penetration testing phase of this studythe black box testing approach will be used since thisstudy is not supported by Trifo. The threats with thehighest priority will be tested individually by utiliz-ing common attack techniques. Some of these attacktechniques are:

Brute Force Attack

To brute force something such as a password or pincode is to try every single input combination that couldbe an possible login. Brute force attacks are inefficientsince the difficulty of actually finding the correct inputgrows exponentially in regards to the input length [26].Therefore the time complexity for this sort of algorithmis O(γη), where γ is the character set size, and η is thelength of the input.

Dictionary Attack

A dictionary attack is similar to a brute force attack,the difference being that instead of trying every digitcombination, a list of common usernames and pass-words are tried with each other until one combinationmatches. There exists multiple popular password liststo use such as ”Rockyou” containing more than 14 mil-lion passwords currently and ”John the Ripper”.

Man-in-the-middle

Man-In-The-Middle (MITM) is a attack where a thirdparty listens and takes control of the communicationbetween others while remaining hidden. The attackerhas the ability to intercept the target by using Dis-tributed denial of service (DDOS). But also to modify,change or replace the targets communication traffic.

4

Since the person has such control when conducting theMITM attack, it is possible to receive user IDs andpasswords. A passive MITM attack is when the at-tacker’s presence remains hidden, with the intent ofcapturing the data and then sending it to the correctuser. An active attack is where the content receivedgets manipulated before being sent out to the originaldestination. MITM is mainly used on a wireless con-nection, it is much easier to hook up to different hotspots in comparison to wired connections [27].

Replay attack

A replay attack is a kind of MITM attack where theattacker sniffs the local network traffic with the inten-tion of storing or manipulating packets sent or receivedby the target. These packets are then later used in thereplay attack and sent back to the target. The reasonwhy replay attacks are used is because they can by-pass encryption such SSL or TLS. The attack bypassesthe encryption due to never creating any new packetsand instead reuses packets that the target themselvescreated or requested [28].

Port scanning

By port scanning a certain network, open ports and de-vices connected to the network can be identified. Eachport provides a certain service, more common ones areport 80 (HTTP), port 22 (SSH) and port 23 (Telnet).By identifying the open ports, the attacker can attackthe port with the intentions of gaining access to thedevice.

Phishing a mobile application

Phishing is a form of identity theft in that it tries tocopy the look of another web page or application. Aphishing attack tries to exploit the human factor of notrecognizing small differences in familiar environments.This can cause users to accidentally give account infor-mation to the attacker [29].

V. Threat model

The first step in creating a threat model is to divideand identify the different assets that the evaluated sys-tem contains or interacts with. In this studies case theIronpie m6 is evaluated. The Ironpie m6’s assets canbe seen in Table 1.The next step is to visualize the architecture of thedevice by creating use cases and an architectural di-agram. The use cases are created in order to get abetter grasp of how the different assets and functional-ities work together. A few use cases of the Ironpie m6are mentioned below.

Use case 1: To clean, start a video or chargethe robot

1. Install Trifo’s mobile application ”Trifo home”.

2. Register an account with the use of email anddesired password.

3. Sign in to the account and press add device.

4. Select Ironpie m6, and your local network.

5. Use the provided QR code from the applicationto provide the Ironpie m6 with internet accessand to link the account with the Ironpie m6.

6. Select the robot in the main menu.

7. Press ”Clean”, ”Recharge” or ”Start Video” but-ton depending on what the user desires.

Use case 2: Install firmware updates on Ironpiem6

1-6. Same as use case 1.

7. Go to ”Device Settings”.

8. Press ”Software update”.

Use case 3: Install and upgrade the applicationversion


6. Go to ”Settings”.

7. Press ”About”.

8. Press on ”Version”

9. Query and perform the application update.

Use case 4: Change the password for the mobileapplication


6. Go to ”Settings”.

7. Press ”About”.

8. Press on ”Change Password” and enter in thenew password.

5

Table 1: Description of the vacuum cleaners assets.

Assets DescriptionIronpie m6 The ironpie m6 manufactured by

Trifo comes with an inbuilt camera,two different sensors: a cliff sensorand a bumper sensor. Navigation isdone through the usage of SLAM al-gorithms that are in turn supportedby the usage of the inbuilt camera.Manual control over the robot andaccess to the video feed can be ob-tained through connecting the robotto an Trifo account in the mobile ap-plication. The robot has WiFi capa-bilities for this reason.

Application There exists a mobile application forboth Android and IOS devices. Theapp gives the user the ability to nav-igate the robot but also get a livefeed of the camera.

Firmware The firmware is used to controlspeakers, video feeds, lights andmovement in the robot.

After creating the use cases, the architectural diagramis created to showcase how the data in the system istransferred both internally and externally. The dia-gram highlights what network protocols that the eval-uated system uses to transport data i.e unencryptedTCP is used to transport version control requests andresponses. HTTPS is used to transport sensitive infor-mation such as account credentials when logging in. AllMQTT traffic is encrypted using SSL and transportedusing TCP. The robot also sends out UDP broadcasts.According to the Checkmarx research team the MQTTserver acts as a bridge for all network traffic passingbetween the application, back-end server and robot[16]. Ironpie m6’s architectural diagram is showcasedin Figure 1.

With the architectural diagram in mind, the nextstep in the threat model methodology is to decomposethe IoT device. The purpose of this step is to high-light entry points that are vulnerable for the deviceor application. In this case the Ironpie m6 containsa multitude of entry points where some are easier toexploit than others. The most apparent one being themobile application which is used to control most of therobots functionalities with the only requirement beingaccount credentials. The communication between themobile application and server can be monitored butis encrypted with SSL. For the robot to communicatewith the mobile application the robot has to be con-nected to a 2.4 Ghz WiFi network. Another entrypoint is the Ironpie m6 itself, since it might have ports

open that can be exploited. The last entry point isthe firmware since it controls all the robots actions.This also includes when the mobile application wantsto assume control, where the commands sent from theapplication are enforced by the firmware.

The next step in the threat model creation process isto discover and identify threats within the system. Ageneral threat overview of the different attack vectorsin IoT devices and mobile applications were analyzed.Two of OWASP’s top 10 lists were used, the top 10IoT threats and the top 10 mobile application threats.These lists are used to make sure that no essentialattack vectors are left out [30] [31]. The listed threatswere then filtered for ones that can affect robot vac-uum cleaners and their eco-systems. These threatswere summarized and placed into two threat traceabil-ity matrices which can be found in Appendix 1 and 2.

After achieving a general understanding of commonfound threats in robot vacuum cleaners, the STRIDEmodel was used to highlight more specific threatsagainst the Ironpie m6. The STRIDE model can beseen in Table 2.

Table 2: Threats described using the STRIDE model.

ThreatCategory

Description

Spoofing Confidential information can be gath-ered such as login details, the connec-tion can be disrupted using specific for-warding.

Tampering Reverse engineering the android appli-cation to modify the shell code or bi-nary files. Analyzing and modifying thepackets being sent between the phoneand router to have malicious content.

Repudiation The integrity of the data is not securedby means such as up to date data hashesi.e. SHA2, SHA3 and BLAKE2. Thiswill allow hackers to tamper with dataunnoticed.

InformationDisclosure

Confidential information is sent unen-crypted allowing for malicious exploitsto be performed. For example whenquerying for software updates or send-ing account credentials when logging in.

Denial ofServiceElevationof Privi-lege

Horizontal privilege escalation, usingbrute force methods to retrieve accountinformation via open SSH ports. Thisinformation is then misused to exploitthe robots functionalities.

6

Figure 1: The architectural diagram of Trifo’s Ironpie m6.

After creating the STRIDE model the next step isto document the threats. In this documentation thethreats: description, threat target, attack technique(s)and countermeasure(s) will be listed. This threat tablecan be seen in Table 3-7.

Table 3: Threat #1 Documentation

Threat description The attacker gains accountcredentials for the mobile ap-plication and therefore con-trols the robot or gets theclient ID from the robotsMQTT traffic.

Threat target Mobile application and Robot.Attack technique The attacker can perform a

MITM attack using ARPspoofand tools like mitmproxy orBurp Suite to sniff the pack-ets sent from or received bythe mobile application or therobot.

Countermeasures By using encryption tools suchas SSL or TLS to turn regu-lar HTTP traffic into HTTPS,the network traffic becomessafer.


Threat description The attacker gains root accessto the robot via open ports.

Threat target The robot’s open ports.Attack technique By using nmap’s port scan-

ning functionality the robotsopen ports can be identified.These open ports can then bebrute forced with the help ofprograms like Hydra to gainroot access.

Countermeasures Uses secure ports like SSH.


Threat description The attacker downloads theAPK files. By decoding theAPK, the source code can beused to find weaknesses inthe mobile application but canalso be modified.

Threat target Mobile application for An-droid.

Attack technique By using APK decoders thesource code can be obtainedand then be read or modi-fied in a text editor. Staticcode analysis tools can be runon the source code to identifybugs or vulnerabilities.

Countermeasures The code is obfuscated, whichhinders the attacker from un-derstanding the source code.

7


Threat description The attacker sends their ownfiles when a client queries foran software update of the mo-bile application.

Threat target Mobile application.Attack technique The HTTP request can be

intercepted using Burp Suiteand then tampered with sothat the request gets sent tothe attacker instead of Trifosown servers.

Countermeasures The software update queryshould redirect the user toGoogle play or App Store.If not possible it should useHTTPS.


Threat description The attacker impersonates theMQTT server and throughthis gains full control of therobot

Threat target The robots wireless MQTTconnection.

Attack technique The attacker spoofs the robotinto thinking that it is theMQTT server and thereforeenables the attacker to senddirect commands to the robot.

Countermeasures The network traffic should beencrypted.

The last step of the threat model is to prioritize andevaluate the discovered threats, the DREAD model wasused in this study as can be seen in Table 8. EachDREAD category was scaled from one to three, wherea one corresponds to ”low risk”, two corresponds to”medium risk” and a three corresponds to ”high risk”.The threats that gets an evaluation of twelve or higherare considered ”high risk” vulnerabilities, threats thatget an evaluation between 8-11 are ”medium risk” andfinally an evaluation of 5-7 being ”low risk” [24].

Table 8: Threats evaluated according to the DREADmodel.

Threat Description D R E A D TotalThe attacker listensand receives pack-ets containing con-fidential informationi.e. account cre-dentials by utilizingARPspoof to redirectthe network trafficbetween the gatewayhost and the target.

3 3 3 2 3 14

The attacker seesthat a user wants todownload an softwareupdate while packetsniffing, and sendstheir own maliciousversion [32].

3 2 2 3 3 13

The attacker gainsroot access to therobot by using bruteforce programs suchas Hydra on openports that can befound via port scan-ning.

3 3 3 1 3 13

The attacker down-loads the androidapplications APKfile and decodes itto get the sourcecode and resourcefiles. These files canthen be analyzedand modified formalicious purposes.

3 3 1 2 3 12

The attacker imper-sonates the MQTTserver and throughthis gains full controlof the robot[32].

3 1 1 3 3 11

Confidence of success

When estimating the probability of success for thedifferent threats three factors were taken into consid-eration; complexity, requirements and previous workbased on other studies. A threats probability of suc-cess could then be rated as low, medium or high.

The first threat, being to spoof and sniff account cre-dentials and clientID scored a 14 on the DREAD model

8

with the estimated probability of success being high.The DREAD scores are based on the definitions statedin [24]. Where a high on both exploitability and repro-ducibility meant that the attack could be performedby a novice at anytime. This is one of the reasons thatthe threats success rate is estimated to be high. Theother reason being that MITM attacks has previouslybeen shown to work on the mobile applications andsimilar robot devices as seen in [15] [16].

The second threat, to send a malicious application dur-ing a software update query scored 13 on the DREADmodel with the estimated probability of success beinghigh. In [16] a recent exploitation of this threat wassuccessfully performed on the Ironpie m6. This is theprimary reason why the estimated probability of suc-cess is rated as high. Because in the DREAD modelthis threat was rated as medium in both exploitabilityand reproducibility. Which means that only a skilledattacker could reproduce the attack repeatedly andthat it could only be performed on specific conditions.

The third threat is to brute force an open SSH portusing a dictionary attack. This threat was given ascore of 13 in the DREAD model, with the estimatedprobability of success being low. The estimation israted as low because dictionary attacks can be ratherinconsistent. The chance of success is dependant onthe passwords complexity and the amount of passwordscontained within the dictionary. Although the threatwas rated as high in both exploitability and repro-ducibility it does not change the fact that the methoditself is inconsistent.

The fourth threat is to analyze and modify the APKfiles for the mobile application. The DREAD score ofthis threat is 12 and the estimated probability of suc-cess is low. The reason behind this estimation is thehigh complexity of the attack, only a skilled attackerwith in depth knowledge would be able to performit. This can be seen in the low evaluated score forexloitability given to this threat in the DREAD model.

The final threat is to impersonate the server and gainfull control of the robot. The DREAD score was 11with the estimated probability of success being low.This estimation is mainly due to the severe complexityof executing the attack. The test requires specific con-ditions to line up outside the attackers control and forthe attacker to be skilled with in depth knowledge ofthe attack for it to succeed [16]. This can also be seenin the low DREAD model rating of exploitability andreproducibility.

VI. Penetration testing

A. Test 1 - MITM on the mobile application with noclient side manipulation

Introduction

The attack vector to be explored is spoofing. Sincethe robot vacuum cleaner uses a mobile applicationto communicate, a man in the middle attack can beperformed. The aim of this test is to discover if thenetwork traffic is encrypted. To perform this test KaliLinux was used inside an VM together with Ettercapand ARPspoof.

Kali Linux

Kali Linux (kali) is its own Linux distribution basedon the Debian Linux distribution. Kali is specializedtowards performing penetration testing and includesmultiple penetration testing tools i.e to find informa-tion, potential vulnerabilities, sniffing and spoofing[25].

ARPspoof

ARPspoof is a tool that is often used when attackingdevices on an local area network (LAN). This tool canbe used to modify Address Resolution Protocol (ARP)tables and therefore redirect packets that travel overthe network so that they pass through the attacker.This can be done because ARP does not contain anyauthentication of where the reply packet came from. Itis therefore possible to redirect traffic to the attackerand then generate forged reply packets. These repliescan then be sent to the original destination with no onein the network detecting the attack [33].

Ettercap

Ettercap is a program that is used to create MITM at-tacks in a simple way. The program can detect nearbydevices and hosts, but also sniff and filter the contentsent over live connections[34].

Method

This test is performed to check if the packets sent bythe application are unencrypted. To test this the pack-ets sent by the robots application ”Trifo Home” areredirected to the attacker by utilizing ARPspoof andthen displayed using Ettercap.

Results

This MITM test verified that the data was not trans-ported via any non encrypted means such as HTTP. Allof the packets received from Ettercap were encrypted,

9

using a SSL certificate called ”GoDaddy”. No pass-words or usernames could be viewed in cleartext.

Discussion

This MITM penetration test was performed to see ifthe packets sent were unencrypted and to see if anycompromising information such as account credentialswere shown. This test determines how vulnerable theapplication is regarding account security. The relia-bility of this test is high thanks to the simplicity ofthe attack, only requiring the usage of basic spoofingtechniques.

B. Test 2 - MITM on the mobile application withclient side manipulation

Introduction

The attack vector of this test is also spoofing. Thistest was performed as an expansion of the first MITMtest, to evaluate what the encrypted packets contained.Since the first test showed that the packets are en-crypted using SSL, mitmproxy could be used to bypassit.

mitmproxy

mitmproxy is a program that allows the user toview http and https requests and responses that passthrough their computer thanks to the use of proxy set-tings or other tools such as ARPspoof. mitmproxy canalso generate CA-certificates.

Method

The MITM test is performed to bypass the TLS andSSL encryption used in HTTPS traffic, for this mitm-proxy is utilized. The first step in this attack is toset up the attackers computer as the proxy server onthe mobile device. When the proxy settings are cor-rectly set up, mitmproxy’s CA-certificate can be ob-tained from the website ”mitm.it”. The generated cer-tificates are used to notify websites and applicationsthat use HTTPS that the proxy is safe. The final stepis to set up a transparent proxy, this is done throughIP forwarding and ARPspoof. To set up IP forward-ing mitmproxy’s documentation on how to set up atransparent proxy is followed [35]. And to set up ARP-spoofing this [36] guide is followed. Because ARPspoofis used the proxy settings on the attacked device areturned off.

Results

The MITM test successfully bypassed the encryp-tion used in HTTPS, as mitmxproxy could gather

the HTTPS packets and display the information.The account credentials could partially be gath-ered from listening to the traffic sent when log-ging in to the application on the mobile phone viaWiFi. The username (email) was displayed in cleartext while the password still remained unreadableas seen in Figure 2. The mobile app uses a MD5hashing function to make the password more safe.The two final digits of the password are removedor hidden, making it harder to reverse the hash.

Figure 2: Captured HTTPS login request sent from ap-plication to the server displaying the email(Username)in plain text and showing that the password remainsencrypted after removing the SSL encryption withmitmproxy.

Discussion

The MITM attack was used to see the content of the re-quests sent without the SSL/TLS encryption. But alsoto see if any further encryption was used to protect theaccount credentials. The method suggested is believedto be reliable since it is heavily based on mitmproxysguidelines on how to set up a transparent proxy [35].These guidelines are made to educate other hackers onhow to be able to perform a MITM attack. The resultsfrom this test were expected since there has been manyexamples and studies showing how vulnerable HTTPSis to MITM attacks [37].

C. Test 3 - MITM attack on the robot’s MQTT traffic

Introduction

The attack vector for this test is spoofing. The aimof this test is to perform a MITM and a replay attackon the robot vacuum cleaner. The reason behind thistest is to verify if the vulnerability found by Check-marx research team [16] still exists, to exploit unen-crypted MQTT traffic by impersonating the MQTTserver. Three main programs are used for this test,

10

ARPspoof, Wireshark and Packet Sender. ARPspoofis used to redirect the packets to the attacker whileWireshark displays all the redirected network trafficand Packet Sender is used to send packets to specifiedIP addresses and ports.

Method

The set up for this MITM attack is to start Wiresharkon the interface connected to the internet, in this caseWiFi. To access the network traffic that is sent fromthe robot, monitor mode is enabled. After setting upthe Wireshark settings correctly, ARPspoof is used toredirect the traffic. Since ARPspoof can disrupt or dra-matically slow down the internet connection, IP for-warding is used to speed up the redirection process.When the network traffic is monitored any unencryptedMQTT packets can easily be spotted. To exploit theMQTT traffic a replay attack is performed. This isdone through copying a MQTT packet captured byWireshark and sending it to the robot directly or to therobot’s MQTT broker or to a MQTT broker created bythe attacker (this can be done using Mosquitto).

Results

The results gathered from this MITM attack is thatno explicit MQTT packets can be identified within thenetwork traffic. During the test the only traffic beingsent or received by the vacuum cleaner’s IP addresswas UDP broadcasts and unreadable TCP packets,which can be seen in Figure 3. No common patternswere found in the TCP packets, neither could anyvalid information be seen in the data segment of thepackets due to the encryption. When trying to exploitthe MQTT traffic with the use of a replay attack, nosuccessful commands could be sent to the robot orit’s MQTT broker or the MQTT broker created usingMosquitto.

Figure 3: The Ironpie m6’s network traffic capturedand showed using Wireshark

Discussion

The purpose of this test was to verify if the MQTTpackets sent by the robot still remained unencrypted,

which was stated by Checkmarx Research team [16].This test was performed due to multiple threats usingthis insecure communication to exploit the system. Forexample using the traffic to calculate the client ID andthrough this ID being able to impersonate the MQTTserver. The ID can also be used when monitoring thetraffic and through this obtaining a devkey which canbe used to unencrypt all of Trifo’s network traffic [16].Since the results did not align with the conclusionsstated by Checkmarx, that the MQTT traffic is un-encrypted. An additional test had to be performedto validate that the described method for the MITMattack was correct and that general MQTT traffic ac-tually could be sniffed. This additional test used twocomputer with one running an MQTT publisher andthe other running an MQTT subscriber both connectedto the MQTT broker HIVEMQ. The source code usedfor the publisher and subscriber was taken directlyfrom the MQTT broker HIVEMQ’s client library en-cyclopedia [38]. By using the described method for thisadditional test most if not all MQTT traffic could beseen which validates that the method for this MITMattack works. Since the MQTT traffic can be seenusing this test, but not during the MITM attack onthe robot it could mean that the MQTT pings sentfrom the robot are encrypted and seen as TCP packetsinstead.

To bypass this encryption a replay attack was per-formed to test if the MQTT traffic could still be ex-ploited even though it was encrypted. However thisattack failed, using a fake MQTT broker created us-ing Mosquitto and redirecting the traffic to it did notaccomplish anything due to the fake broker not com-prehending the encryption. Trying to impersonate theMQTT server through the use of client ID like how theCheckmarx research team did was not possible eitherdue to the encryption. And trying to send the MQTTcommands to the robot’s own MQTT broker resultedin nothing. None of the MQTT commands could besent directly to the robot either since no MQTT portswere open.

D. Test 4 - Dictionary attack on open SSH port

Introduction

The attack vector that this test is meant to target iselevation of privilege. This test is performed to evalu-ate how secure the robots root access is. This test isexecuted with the help of the password guessing toolHydra which can perform automatised dictionary at-tacks on IP addresses and ports. Nmap was used toscan the network for used IP addresses and open ports.

11

Method

This dictionary attack is performed by scanning forthe targeted device’s IP address and then afterwardsscanning for open ports using Nmap. If the SSH portis open, a Hydra dictionary attack can be launchedtargeting the device’s IP address and the SSH port.To perform a dictionary attack, lists of passwords andusernames need to be acquired first. In this test twopassword lists are used; ”John the Ripper” and ”rock-you”. Both lists consists of simple and commonly usedpasswords. For the username list, Nmaps includedusername list is used.

Results

The first dictionary attack used the ”John the Ripper”password list and finished after 14 hours. The seconddictionary attack using ”rockyou” ran for 96 hours butwas cancelled prematurely. It was cancelled prema-turely due to the lists size requiring the test to run forapproximately 50000 hours. Both attacks failed sinceno username and password combination tested werevalid. The result of the first dictionary attack can beseen in Figure 4.

Figure 4: Results of a dictionary attack performed us-ing Hydra with John the Rippers password list andNmaps username list.

Discussion

This dictionary attack was performed to test if rootaccess could be gained through the open ports, namelythe SSH port. This tests reliability and probability ofsuccess increases with the length of the dictionary used.But increasing the length will also increase the time ittakes to perform the test, making it a rather ineffi-cient way to gain root access. There has been similarmethods with success in gaining root access throughdictionary attacks, but also failures [39].

E. Test 5 - Tampering with the software update

Introduction

The targeted attack vector for this test is tampering.The aim of this test is to evaluate if the previouslyfound vulnerability within the update function discov-ered by the Checkmarx research team still exists [16].The main tool used for this test is Burp Suite. BurpSuite allows the attacker to forward, drop and modifyrequests sent from the mobile application to the server.This test is performed on both Android (Samsung S4)and iOS (iPhone 7). The application version used forboth phones is 2.0.6.

Method

Since Trifos mobile application mainly communicatesvia HTTPS a proxy server had to be used on bothphones that redirected the traffic to a computer run-ning Burp Suite. The method to set up proxy set-tings on the Android phone is described in PortSwig-gers tutorial [40]. By using Burp Suite as a proxyand downloading the Burp Suites CA-certificate at”http://burp”, security measurements like TLS andSSL can be avoided. After the proxy has been setup asoftware update can be requested as long as the phonedoes not run the newest version. This request can thenthrough Burp Suite be tampered with and redirectedso that it downloads a file from the attacker. For thisa server is setup on the attacker’s computer that canhandle the request and send out a response containingthe attacker’s file. The server used for this attack isjust a proof of concept server written in Java and thecode can be seen in the Appendix 3.

Results

The test failed on the iOS device since the applica-tions update goes through the App store instead ofTrifo’s own servers. On the Android device the testwas successful. The update request did not redirectto Google Play and instead went though Trifos ownservers. During this test the request was successfullyhijacked and the attackers file was downloaded whichcan be seen in Figures 5 and 6.

12

Figure 5: The hijacked software update downloadingthe attackers file.

Figure 6: A file manager showing that the attackersfile was downloaded.

Discussion

This attack was performed to validate if a previouslyfound vulnerability within the software update functionstill exists [16]. A successful execution of this attack al-lows the application to download unintended files. This

is a risk factor since the files can have malicious intentfor example a virus or a compromised version of the ap-plication. This attack has a high reliability on Androiddevices, but it requires the hacker to set up multiplesteps correctly. For example one step is to configureproxy settings on to the users phone and another oneis to set up a HTTP response server that can handlethe software updates request. The main problem withthis test is that the attacker has a limited time win-dow where it is possible to tamper with the request. Ifit takes too long the application cancels the softwareupdate resulting in an error.

F. Test 6 - Read and Modify the APK files

Introduction

The attack vector of this test is reverse engineering.The Android Package Kit (APK) is a compressed folderthat contains the resources and a dex file that containsthe source code of a Android application. The aimof this test is to analyze the source code for vulnera-bilities and to potentially modify the code. By usingonline APK decoders or downloadable tools like Jadxor APKTools, the APK file can be uncompressed anddecoded. To access the source code the dex file needs tobe decompiled, this can be done by using tools such asJadx or dex2jar. Static code analyzers such as ”Find-bugs” can be used when analyzing the source code tosimplify the process of finding potential bugs.

Common source code vulnerabilities

Finished projects and applications often consist of agreat amount of code causing multiple vulnerabilitiesto be overlooked, these are some common ones [41]:

– The use of hard-coded credentials such as pass-words, usernames and API keys.

– Bugs in the source code, i.e. Buffer and Integeroverflows or incorrect use of comparisons.

– The use of third party dependencies, these maybe outdated or contain flaws that can be ex-ploited.

– If and how the application uses encryption totransfer sensitive data, no encryption or an out-dated encryption method can be exploited.

– If some function sends user data to the database,then injection can potentially be used to trick thedatabase to send, delete or change data in the ap-plication.

13

Method

To access the source code, the APK file had to be de-coded and the contained dex file had to be decompiled.This can all be done by utilizing Jadx, by using thegraphical user interface (GUI) version of Jadx the APKfile when opened is automatically decoded and the con-tained dex file is decompiled. The GUI version willtherefore allow the user to view the source code andresources inside the tool. Jadx also includes a deobfus-cation tool that can make the code easier to read. Sincethe source code has an abundance of class files, only afew of the core functionalities of the applications activ-ities are studied extensively. For example the Androidmanifest xml file, MQTT server files, login and soft-ware update procedures are examined. When examin-ing the functionalities special attention is paid towardsfinding hard-coded credentials and finding any new in-formation regarding the encryption methods used. Tonavigate through the files, the inbuilt search tool isused. A static code analysis program Findbugs is alsoused throughout this test to find and highlight poten-tial bugs.

Results

The findings from this test showed that the source codewas obfuscated. This obfuscation could be removedwith some degree of success using the deobfuscationtool included in Jadx. But it did not make the sourcecode completely readable, leaving multiple functionsand some classes with cryptic names. Due to the ob-fuscation no weaknesses were identified and the codecould not be modified in any meaningful way. No cre-dentials such as password, usernames, account or clientIDS were hard coded in the source code. Only pre-viously known security measures were found such asMD5, SSL, SHA1 and RSA. The scan performed byFindBugs resulted in 14 ”Scariest”, 110 ”Scary”, 162”Troubling” and 18 ”Of Concern” bugs being found.Out of the 14 scariest bugs, eight were due to theIDE used not supporting certain android packages thuscausing false positives. The remaining bugs were dueto poor java practices; Two bugs were found due tomisuse of Javas inbuilt equals method comparing twodifferent data types. Two bugs were found due to anincorrect way of using Javas inbuilt data type ”Set”having a set contain itself, which resulted in a if statealways being false. One bug was caused when self as-signing a variable to itself. The final bug was foundin a stop function, calling a method where the valuereturned from the method never is used. None of thefound bugs were tested for exploitability, rather theones that were not false positives were tested for logi-cal failures and how they could impact the whole.

Discussion

This test was performed to find potential vulnerabili-ties in the source code through finding out which secu-rity measures has been implemented and locating se-vere bugs. The results from this test showed that thesource code was protected from reverse engineering at-tacks by obfuscating the code. Although the code waspartly deobfuscated, no sensitive information could beretrieved and no bugs that could be used to exploit theapplication were found. The method used for this at-tack is simplistic and only requires the attacker to useJadx to get the source code and FindBugs to search forbugs. But the results from analyzing the source codeand investigating thmay vary depending on the skilllevel of the person that is analyzing them.

VII. Sustainability and Ethics

One way to maintain the integrity of a study and tostay ethical is to follow established guidelines such asIEEE’s code of ethics [42]. But being an ethical hackeralso comes with big challenges, the main one beingon how to find and present vulnerabilities in a waythat does not infringe upon peoples privacy or breakany laws. The main law that affected this study andhad to be followed was ”Brottsbalken 4 kap. 9c” Lag(2014:302) [43]. This is the law that prohibits peoplefrom hacking others property. To avoid breaking thislaw all the hacking done throughout the study only af-fected personal devices or devices owned by KTH i.e.no other vacuum cleaners or servers were hacked. Pri-vate networks were used throughout the study to avoiddisrupting any other peoples network traffic since itwould get slowed down during some of the penetrationtests. When publishing vulnerabilities there always ex-ists the risk of rebound effects, one such effect wouldbe that hackers can and would exploit the vulnerabili-ties before the company manages to patch them. Thisproblem can be avoided by contacting the companyabout the vulnerabilities instead of publishing them.

VIII. Results

After performing the penetration tests one vulnerabil-ity was found. By querying for a software update theattacker could make the mobile application downloadtheir own file. One minor vulnerability was also foundduring a MITM attack on the mobile application withclient side manipulation. The MITM attack showedthat the username could be retrieved as plain text andthat the password as a not fully complete MD5 hash.When performing a MITM attack on the robot deviceno explicit MQTT traffic was seen but multiple TCPpackets were seen, which is believed to be encrypted

14

MQTT pings. The MQTT traffic could not be ex-ploited, replaying captured MQTT commands failedduring the replay attack, and the MQTT server couldnot be impersonated. No valid combination of pass-words and usernames were found when performing thedictionary attacks on the open SSH port. The finaltest showed that the decompiled APK file was obfus-cated, causing no vulnerabilities to be found. Therewas no use of hard coded account credentials in thesource code and none of the bugs found by ”Findbugs”were exploited. A summary and overview of the threatscan be seen in the threat traceability matrix found inAppendix 4.

IX. Discussion

The results from the penetration testing phase corre-lated well with the probability of success described insection V (Threat model). In the first two penetrationtests MITM attacks were performed with intention ofgaining account credentials at the login screen. Thesetests also contributed information regarding the en-cryption status of the communication and if there wereany other additional safety measures used. The resultsfrom these two tests were that HTTPS is used to securethe communication and that the password is furtherprotected using MD5 hashing. These tests have a highreliability with little deviation of the results thanks tothe abundant availability of documentation on how toperform the attack for example [35][36].

In the third penetration test a MITM attack wasperformed on the robot, to see if the MQTT traf-fic sent from the robot still remains unencrypted andexploitable which was stated by Checkmarx researchteam. No explicit MQTT packets were identified dur-ing the MITM attack which did not align with Check-marx’s results. This can be due to the packets nowbeing encrypted and Wireshark not being able to differ-entiate them from regular TCP packets. The reliabil-ity of this test is believed to be high since another testwas performed to validate that the described methodworked properly. The MQTT traffics exploitabilitywas further tested by performing three replay attacksof which none succeeded.

In the fourth penetration test two dictionary attackswere performed to evaluate how secure the access toroot functionalities are. To protect the robots root ac-cess the more secure SSH is used instead of telnet, SSHhas the strength of using encryption over all internettraffic reducing the possibility for hackers to listen tothe traffic. SSH can also restrict IPs from trying tolog in which can diminish the threat that brute forceattacks poses. The results from these dictionary at-

tacks showed that no simple default password is usedto protect the root access since none of the dictionaryattacks were successful. This kind of attack has a highreliability due to the fact that brute force will alwaysgive the same result if the attacker uses the same input.

The fifth penetration test was performed to examineif a vulnerability previously found by the Checkmarxresearch team still exists [16]. This vulnerability existwithin the software update function and can be usedto force the application to download unintended files.The result from this test can imply that Trifo has alack of time, money or that they prioritize other things.The proof of concept server used in this test is ratherunreliable mainly due to the fact that packet loss canoccur resulting in incomplete file transfers. On theother hand the method to tamper with requests usingBurp Suite is reliable thanks to the simplicity.

The sixth penetration test was performed to identifyvulnerabilities in the mobile applications APK file andto potentially modify it. This was done by decodingthe APK file and then decompiling the dex file throughthe use of Jadx, the code could then be analyzed bothmanually and by using tools such as FindBugs. Al-though a thorough manual analysis was performed ona few core functionalities in the mobile application,no additional vulnerabilities or unknown security mea-sures were found due to the code being obfuscated.When using the tool Findbugs on the source code, itresulted in 14 ”scariest” bugs being found. The bugswere not exploited in this test, they were only testedfor logical failures. The reliability of this test is depen-dant on three main factors; the extent of the sourcecode that has been analysed (Quantity), the parts thathas been analysed (Quality) and finally the attackersskill level.

The research question of this study was to evaluatewhich security measures were used in the Trifo Ironpiem6 and through this find out how secure it is. Due tothe delimitation’s established for this study no hard-ware aspects were investigated. Instead most of thetesting revolved around finding what security measuresare used in the mobile application and what measuresare used to secure the robots wireless communication.The results showed that Trifo’s Ironpie m6 uses multi-ple security measures such as obfuscated source code,SSL, SSH and hashed passwords. Although these se-curity measures are used one vulnerability was foundthat could be exploited if the attacker had access tothe victims phone. The hacker has to have access tothe phone because HTTPS is used for all sensitive net-work traffic and a CA-certificate has to be installed tocircumvent this.

15

X. Conclusion

This study was performed with the objective of evalu-ating how secure the robot vacuum cleaner Trifo Iron-pie m6 is. This was done by first creating a threatmodel and then during the penetration testing phaseidentifying which security measures are used to pro-tect against these threats. To protect against MITMattacks the mobile application used HTTPS to commu-nicate sensitive data to the server and the passwordsare hashed using MD5. The MQTT packets sent fromthe robot are now believed to be encrypted. To pro-tect against Brute force attacks on open ports the moresecure SSH port is used instead of telnet. Finally toprotect the mobile application against reverse engineer-ing, the source code was obfuscated. Although thesemeasures are used one vulnerability was found in howsoftware updates are performed on the Android OS.Therefore in conclusion if any hardware or server at-tacks are disregarded since they weren’t tested, the sys-tem is secure against basic attacks that doesn’t requireany client side manipulation. But if an attacker man-ages to get passed the HTTPS encryption through theusage of generated CA-certificates the security dropssignificantly and can cause threats towards the privacyof consumers.

Acknowledgements

We want to thank and express our sincere gratitudetowards our supervisor Professor Pontus Johnson andour examiner Associate Professor Robert Lagerstromfor their continuous supportive feedback and guidancethroughout this thesis.

16

XI. Appendix 1 - Threat Traceability Matrix for mobile applications

Threatcategory

Unsafe communica-tion

InsufficientCryptography

Poor quality ofcode

Code tampering Reverse engi-neering

ThreatAgent

An attacker thathas access to thelocal network thatthe target is locatedon.

An Attackerthat has accessto improp-erly or weaklyencrypted data.

An attackerthat can sendinputs to themobile appli-cation duringmethod orfunction calls.

An attacker thatcan trick or makethe user downloadand install foreignprograms or appli-cations.

An attackerthat has accessto the mobileapplicationsAPK files.

AffectedAsset

Mobile application Mobile applica-tion

Mobile ap-plication orFirmware

Mobile application Mobile Applica-tion

Attack MITM attacks Reverse en-gineering orMITM attacks

Reverse engi-neering

Code tampering &Phishing attacks

Reverse engi-neering

Attacksurface

WiFi WiFi WiFi & thesource code

APK & WiFi APK

AttackGoal

Sniff or steal pack-ets in the insecurenetwork to stealcredentials suchas usernames andpasswords.

Successfully de-crypt sensitivedata.

Due to poorquality of thesource code,vulnerabili-ties/bugs arefound andexploited.

To Perform binarychanges to the APKfiles or to make thesystem API’s exe-cute foreign code.

Find informa-tion regardinghow the datais encrypted orhow functionali-ties such as thedevice, mobileapplication orback end serversare set up.

Impact Account theft,which gives theattacker control ofthe robot.

Account or in-formation theft,which can givethe attackeraccess to therobot.

Remote serverendpoint DoSand/or execu-tion of foreigncode.

Information theftand unwanted pro-grams or featurescan be installed.

Communicationbetween backend servers andthe applicationis compromised.

SecurityControls

Use trusted CA-certificates andSSL/TLS to pro-tect the communi-cation.

Avoid storingsensitive dataon the mobileapplication &Use well secureand well knownencryptionmethods.

Prevent bufferoverflows byvalidating thelengths ofincoming data.

Detect codechanges at run-time and reactappropriately tothem.

Obfuscationof the sourcecode to makeit harder tounderstand andanalyze.

RelatedWork

Jisiwei i3 hackeddue to poor com-munication security[15]. SuccessfulMITM attack onXiaomi RoboRockS55 [44].

Dyson 360 Eyehas no encryp-tion for localnetwork traffic[45].

Neato’s Botvacpreviously had abuffer overflowvulnerabilityin it’s firmware[46].

Ironpie m6’s appli-cation update canbe forced to down-load foreign code[16].

In Xiaomi’s mo-bile application”Xiaomi SmartHome Set” sen-sitive data couldbe found in mul-tiple log mes-sages[44].

17

XII. Appendix 2 - Threat Traceability Matrix for robot vacuum cleaners

Threatcategory

Weak orhard codedpasswords

Unsafe update mecha-nism

Unsafe datatransfer

Lack of physical secu-rity

Injection

ThreatAgent

An attackerthat hasaccess tothe localnetwork thatthe target islocated on.

An attacker that canidentify when theclient updates theirdevice and interceptthe request.

An attackerthat has accessto the localnetwork thatthe target islocated on.

The attacker that hasaccess to the device.

An attackerthat cansend datato an inter-preter.

AffectedAsset

Robot vac-uum cleaner

Firmware or Mobileapplication

Robot vacuumcleaner

Robot vacuum cleaner Robot vac-uum cleaner& Server

Attack Brute forceattacks

MITM attack MITM attack Disassembly SQL or com-mand injec-tions.

Attacksurface

Open ports WiFi WiFi External ports and thedata storage

Code flaws &WiFi

AttackGoal

Gain unau-thorizedaccess tothe systemby bruteforcing weakpasswords.

To hijack firmware up-dates on the systemor software updates onthe mobile application.

By listening tothe unencryptedcommunicationsensitive databetween theserver and robotcan be seen.

Access the data storedon the device orthrough the use ofthe external portsupdate the device withmalicious code.

To injectunautho-rized codethat isexecuted.

Impact The attackercan gain rootaccess to thedevice, giv-ing full con-trol of therobot to theattacker.

The attacker throughtheir modifiedfirmware gains controlof the system, orthrough their modi-fied application stealsinformation.

A local attackercan through im-personating theserver take con-trol of the de-vice.

Information theft orcontrol of the devicecan be achieved due toa lack of physical secu-rity.

The attackercan gaincontrol ofthe device orcause dataloss andcorruption offiles.

SecurityControls

Strong pass-words, use ofencryption.

SSL or TLS is used toencrypt the communi-cation.

SSL or TLS canbe used to en-crypt the com-munication.

The device is hard todisassemble, no unnec-essary external portsand ensuring that theexternal ports that ex-ist can not be used ma-liciously.

Using safeAPIs, re-movinglegacy codeand usingpositiveserver sidevalidation.

RelatedWork

The Diqee360 robotvacuumcleanerused a hardcoded adminpasswordwhich waseasily bruteforced.[11]

Trifo’s mobile appli-cation ”Trifo home”was hijacked during ansoftware update. [16],the firmware update ofthe Xiaomi Mi robotvacuum cleaner couldbe hijacked and the at-tackers own firmwarecould be installedsince the passwordused for encryptionwas weak.[13].

No encryptionused for MQTTtraffic in the lo-cal network, foreither Dyson’s360 eye andTrifo’s Ironpiem6 [45] [16].

The Diqee 360 vacuumcleaner could be madeinto a spying deviceby disassembling thedevice and insertinga microSD card [11].The Xiaomi Mi robot’sflash drive could beread or written to byshort circuiting someof the processes on themotherboard [13].

Neato’s Bot-vac couldbe exploitedand exe-cute unau-thorizedcommandsby usingcommand in-jection in the”ntp” fieldas previouslyseen in [14].

18

XIII. Appendix 3 - Proof of Concept Server code

import java.net.*;

import java.io.*;

public class HTTPAsk {

public static void main( String[] args) throws IOException {

ServerSocket serverSocket = new ServerSocket(80);

File myFile = new File("/home/$USER/Downloads/Trifo.apk");

while(true) {

byte[] buffer = new byte[1024];

BufferedInputStream bis = new BufferedInputStream(new FileInputStream(myFile));

Socket connection = serverSocket.accept();

BufferedWriter out = new BufferedWriter(new OutputStreamWriter(connection.getOutputStream()));

OutputStream os = connection.getOutputStream();

BufferedOutputStream bos = new BufferedOutputStream(os);

out.write("HTTP/1.1 200 OK\r\n");

out.write("\r\n");

out.flush();

try{

for(int bytesToRead;(bytesToRead = bis.read(buffer)) != -1;){

bos.write(buffer, 0,bytesToRead);

}

}catch(IOException ex){

ex.printStackTrace();

}

finally {

bis.close();

bos.close();

}

connection.close();

}

}

}

19

XIV. Appendix 4 - The Results Threat Traceability Matrix

DREADScore

14 13 13 12 11

AffectedAsset

Mobile ap-plication &Robot

Mobile application Robot Mobile application Robot

Attack MITM MITM Dictionaryattack

Reverse engineering MITM

Attack sur-face

WiFi WiFi WiFi Openports

Mobile application WiFi

AttackGoal

Gain accountcredentials orclientID.

Tamper with thesoftware update re-quest, so that thetarget downloads amalicious version.

Gain rootaccess to therobot viaopen ports.

Analyzing the appssecurity risks andto add maliciouscontent to theAPK.

Impersonatethe robotsMQTTserver.

Impact Gain fullcontrol of themobile appand thereforecontrol ofthe robot.Gain clientIDand thereforethe abilityto send fakecommands tothe robot.

Gain full control ofthe mobile app andtherefore control ofthe robot. A ma-licious applicationcan hold the mobilehostage.

Gain fullcontrol ofthe robot.

Identify hash or en-cryption methodswhich could benefitthe success rateof other pentests.The modified APK,if downloadedcould hold a mobilehostage and sendsensitive data backto the attacker.

Gain fullcontrol ofthe robotthrough im-personatingthe serverand there-fore havingthe abilityto sendcommands.

SecurityControls

SSL, TLS andMD5 hashing.

SSL, TLS and AppStore(iOS)

SSH Obfuscated sourcecode.

SSL/TLS

Attempted Penetrationtest one, twoand three.

Penetration testfive.

Penetrationtest four.

Penetration testsix.

Penetrationtest three

Probabilityof success

High High Low Low Low

Confidenceof successprobability

Section V(Threatmodel)

Section V (Threatmodel)


Section V (Threatmodel)


Results With theuse of CA-certificatesa usernamein plain text& passwordhashed withMD5 can beseen. No ex-plicit MQTTtraffic wereseen.

Successfully down-loaded an unin-tended file during asoftware update.

No successfulcombinationof user-name andpasswordfound.

No additional secu-rity measures werefound in the sourcecode. Modificationof the code not at-tempted due to ob-fuscation. 14 ”Scariest” bugs wereidentified by usingthe static code an-alyzer tool Find-Bugs.

Due to en-cryption noclient IDcould becalculatedand used toimpersonatethe MQTTserver.

20

References

[1] Patil S et al. “Ethical Hacking: The Need forCyber Security”. In: 2017 IEEE InternationalConference on Power, Control, Signals and In-strumentation Engineering (ICPCSI). Chennai:IEEE, 2017, pp. 1602–1606.

[2] Meneghello F et al. “IoT: Internet of Threats?A Survey of Practical Security Vulnerabilities inReal IoT Devices”. In: IEEE Internet of ThingsJournal. Vol. vol. 6. no. 5. IEEE, Oct. 2019, pp.8182–8201.

[3] Sadio O, Ngom I, and Lishou C. “Lightweight Se-curity Scheme for MQTT/MQTT-SN Protocol”.In: 2019 Sixth International Conference on In-ternet of Things: Systems, Management and Se-curity (IOTSMS). 2019, pp. 119–123.

[4] Sirohi P, Agarwal A, and Tyagi S. “A compre-hensive study on security attacks on SSL/TLSprotocol”. In: 2016 2nd International Confer-ence on Next Generation Computing Technolo-gies (NGCT). Dehradun: IEEE, 2016, pp. 893–898.

[5] Kimmatkar K and Shrawankar U. “Modified ad-dress resolution protocol for delay improvementin distributed environment”. In: 2013 StudentsConference on Engineering and Systems (SCES).2013, pp. 1–5.

[6] SSH Protocol. SSH. url: https://www.ssh.

com/ssh/protocol/ (visited on 04/15/2020).

[7] Williams R et al. “Identifying vulnerabilities ofconsumer Internet of Things (IoT) devices: Ascalable approach”. In: IEEE International Con-ference on Intelligence and Security Informatics(ISI). Beijing: IEEE, 2017, pp.179–181.

[8] Seralathan Y et al. “IoT security vulnerability: Acase study of a Web camera”. In: 20th Interna-tional Conference on Advanced CommunicationTechnology (ICACT). Chuncheon-si Gangwon-do: IEEE, 2018, pp. 1–2.

[9] L. Rutledge R, K. Massey A, and I. Anton A.“Privacy Impacts of IoT Devices: A SmartTVCase Study”. In: 2016 IEEE 24th InternationalRequirements Engineering Conference Work-shops (REW). Beijing: IEEE, 2016, pp. 261–270.

[10] Strielkina A, Kharchenko V, and Uzun D. “Avail-ability models for healthcare IoT systems: Classi-fication and research considering attacks on vul-nerabilities”. In: 2018 IEEE 9th InternationalConference on Dependable Systems, Services andTechnologies (DESSERT). Kiev: IEEE, 2018, pp.58–62.

[11] Paganini P. Experts disclose dangerous flawsin robotic Dongguan Diqee 360 smart vacuums.Security affairs. July 20, 2018. url: https :

/ / securityaffairs . co / wordpress / 74592 /

hacking/hacking-smart-vacuums.html (vis-ited on 04/21/2020).

[12] Austin M. Is your high-tech robot vacuum lettinghackers into your home? Digitaltrends. Oct. 28,2017. url: https://www.digitaltrends.com/home/lg-hom-bot-vacuum-hacked/ (visited on04/21/2020).

[13] Drozhzhin A. Xiaomi Mi Robot vacuum cleanerhacked. kaspersky daily. Jan. 4, 2018. url:https : / / www . kaspersky . com . au / blog /

xiaomi-mi-robot-hacked/19309/ (visited on04/21/2020).

[14] Kielpinski J. Security in a Vacuum: Hackingthe Neato Botvac Connected, Part 1. 2018. url:https : / / www . nccgroup . trust / us / about -

us/newsroom-and-events/blog/2018/march/

security - in - a - vacuum - hacking - the -

neato-botvac-connected-part-1/ (visited on05/19/2020).

[15] Olsson T and L. Forsberg A. “IoT Offensive Secu-rity Penetration Testing. Hacking a Smart RobotVacuum Cleaner”. Bachelor Thesis. KTH RoyalInstitute of Technology, 2019.

[16] Umbelino P. Checkmarx Research: Smart Vac-uum Security Flaws May Leave Users Exposed.Checkmarx. Feb. 26, 2020. url: https://www.checkmarx.com/blog/checkmarxresearch-

smart - vacuum - security - flaws - leave -

users-exposed (visited on 04/21/2020).

[17] Common Vulnerability Scoring System ver-sion 3.1: Specification Document. FIRST.url: https : / / www . first . org /

cvss / specification - document (visited on04/21/2020).

[18] Hussain S, Erwin H, and Dunne P. “Threat mod-eling using formal methods: A new approach todevelop secure web applications”. In: 2011 7thInternational Conference on Emerging Technolo-gies. Islamabad: IEEE, 2011, pp. 1–5.

[19] Shevchenko N et al. Threat modeling: a summaryof available methods. Tech. rep. Carnegie MellonUniversity Software Engineering Institute Pitts-burgh United . . ., 2018.

[20] Johnson P et al. “pwnPr3d: An Attack-Graph-Driven Probabilistic Threat-Modeling Ap-proach”. In: 2016 11th International Conferenceon Availability, Reliability and Security (ARES).2016, pp. 278–283.

21

[21] Khan R et al. “STRIDE-based threat modelingfor cyber-physical systems”. In: IEEE PES Inno-vative Smart Grid Technologies Conference Eu-rope (ISGT-Europe). Torino: IEEE, 2017, pp. 1–6.

[22] Sonia, Singhal A, and Banati H. “Fuzzy LogicApproach for Threat Prioritization in Agile Se-curity Framework using DREAD Model”. In: In-ternational Journal of Computer Science Issuesvol. 8.no. 1 (July 2011), pp. 182–190.

[23] A. Ingalsbe J et al. “Threat Modeling: Divinginto the Deep End”. In: IEEE Software vol.25.no. 1 (Jan. 2008), pp. 28–34.

[24] Aaron G and Aditya G. IoT Penetration Test-ing Cookbook: Identify vulnerabilities and secureyour smart devices. Packt Publishing Ltd, 2017.

[25] Allen L, Heriyanto T, and Ali S. Kali-Linux -Assuring Security by Penetration Testing. PacktPublishing Ltd, 2014.

[26] Patil A et al. “A multilevel system to mitigateDDOS, brute force and SQL injection attackfor cloud security”. In: 2017 International Con-ference on Information, Communication, Instru-mentation and Control (ICICIC). Indore: IEEE,2017, pp. 1–7.

[27] Pingle B, Mairaj A, and Y. Javaid A. “Real-World Man-in-the-Middle (MITM) Attack Im-plementation Using Open Source Tools for In-structional Use”. In: 2018 IEEE InternationalConference on Electro/Information Technology(EIT). Rochester,MI: IEEE, 2018, pp. 192–197.

[28] Hendricks B. Replay Attack: Definition, Exam-ples & Prevention. url: https : / / study .

com / academy / lesson / replay - attack -

definition-examples-prevention.html (vis-ited on 05/25/2020).

[29] Khonji M, Iraqi Y, and Jones A. “Phish-ing Detection: A Literature Survey”. In: IEEECommunications Surveys Tutorials 15.4 (2013),pp. 2091–2121.

[30] OWASP Mobile Top 10. OWASP. 2016. url:https://owasp.org/www- project- mobile-

top-10/ (visited on 05/11/2020).

[31] Internet of Things (IoT) Top 10 2018. OWASP.2018. url: https : / / owasp . org / www - pdf -

archive/OWASP-IoT-Top-10-2018-final.pdf

(visited on 05/14/2020).

[32] O’Donnell L. Unpatched Security Flaws OpenConnected Vacuum to Takeover. threatpost. url:https : / / threatpost . com / unpatched -

security - flaws - open - connected - vacuum -

to-takeover/153142/ (visited on 04/15/2020).

[33] A. Assegie T and S. Nair P. “COMPARATIVESTUDY ON METHODS USED IN PREVEN-TION AND DETECTION AGAINST ADRESSRESOLUTION PROTOCOL SPOOFING AT-TACK”. In: Journal of Theoretical and AppliedInformation Technology vol. 97.no. 16 (Aug.2019), pp. 4259–4269.

[34] WELCOME TO THE ETTERCAP PROJECT.ettercap-project. url: https://www.ettercap-project.org/ (visited on 04/07/2020).

[35] Transparent Proxying. mitmproxy. url: https:/ / docs . mitmproxy . org / stable / howto -

transparent/ (visited on 04/07/2020).

[36] MITM using arpspoof + Burp or mitmproxy onKali Linux. 2017. url: https://www.valbrux.it/blog/2017/11/26/mitm-using-arpspoof-

burp-or-mitmproxy-on-kali-linux/ (visitedon 05/08/2020).

[37] Huang H et al. “A look into the information yoursmartphone leaks”. In: 2017 International Sym-posium on Networks, Computers and Communi-cations (ISNCC). Marrakech: IEEE, 2017, pp. 1–6.

[38] Light R. Paho Python - MQTT Client LibraryEncyclopedia. HIVEMQ. 2015. url: https://

www.hivemq.com/blog/mqtt-client-library-

paho-python/ (visited on 05/18/2020).

[39] Kakarla T, Mairaj A, and Y. Javaid A. “AReal-World Password Cracking DemonstrationUsing Open Source Tools for InstructionalUse”. In: 2018 IEEE International Conferenceon Electro/Information Technology (EIT). 2018,pp. 0387–0391.

[40] Configuring an Android Device to Work WithBurp. 2020. url: https://portswigger.net/support/configuring- an- android- device-

to-work-with-burp (visited on 05/08/2020).

[41] Sangwan S. Finding vulnerabilities in SourceCode. 2019. url: https : / / medium . com /

@somdevsangwan/finding- vulnerabilities-

in - source - code - 8575ece385dc (visited on05/19/2020).

[42] 7.8 IEEE Code of Ethics. IEEE. url: https://www.ieee.org/about/corporate/governance/

p7-8.html (visited on 05/05/2020).

[43] Brottsbalk (1962:700). Riksdagen. url: https:

//www.riksdagen.se/sv/dokument- lagar/

dokument / svensk - forfattningssamling /

brottsbalk- 1962700_sfs- 1962- 700 (visitedon 05/05/2020).

22

[44] Clausing E. From the Land of Smiles – XiaomiRoborock S55. 2019. url: https://www.iot-

tests . org / 2019 / 02 / from - the - land - of -

smiles - xiaomi - roborock - s55/ (visited on05/11/2020).

[45] Clausing E. Dyson 360 Eye – The Rolls Royce ofRobot Vacuums? 2019. url: https://www.iot-tests.org/2019/02/dyson- 360- eye- the-

rolls-royce-of-robot-vacuums/ (visited on05/11/2020).

[46] Ullrich F et al. “Vacuums in the Cloud. Analyz-ing Security in a Hardened IoT Ecosystem”. MAthesis. TU Darmstadt, 2019.

23

TRITA-EECS-EX-2020:208

www.kth.se

Ethical Hacking of a Robot Vacuum Cleaner1450590/FULLTEXT01.pdf · Hacking has grown to be a real...

Documents

Transcript of Ethical Hacking of a Robot Vacuum Cleaner1450590/FULLTEXT01.pdf · Hacking has grown to be a real...