Home Invasion v2.0 Daniel “unicornFurn ace” Crowley
Transcript of Home Invasion v2.0 Daniel “unicornFurn ace” Crowley
![Page 1: Home Invasion v2.0 Daniel “unicornFurn ace” Crowley](https://reader033.fdocuments.in/reader033/viewer/2022051712/586a2ea51a28abf52b8be743/html5/thumbnails/1.jpg)
© 2012
Presented by:
Home Invasion v2.0Attacking Network-Controlled Embedded Devices
Daniel “unicornFurnace” CrowleyJennifer “savagejen” SavageDavid “videoman” Bryan
![Page 2: Home Invasion v2.0 Daniel “unicornFurn ace” Crowley](https://reader033.fdocuments.in/reader033/viewer/2022051712/586a2ea51a28abf52b8be743/html5/thumbnails/2.jpg)
© 2012© 2012
• Who are we?
![Page 3: Home Invasion v2.0 Daniel “unicornFurn ace” Crowley](https://reader033.fdocuments.in/reader033/viewer/2022051712/586a2ea51a28abf52b8be743/html5/thumbnails/3.jpg)
© 2012
The Presenters
• Daniel “unicornFurnace” Crowley– Managing Consultant, Trustwave (SpiderLabs team)
• Jennifer “savagejen” Savage– Software Engineer, Tabbedout
• David “videoman” Bryan– Security Consultant, Trustwave (SpiderLabs team)
![Page 4: Home Invasion v2.0 Daniel “unicornFurn ace” Crowley](https://reader033.fdocuments.in/reader033/viewer/2022051712/586a2ea51a28abf52b8be743/html5/thumbnails/4.jpg)
© 2012© 2012
• What are we doing here?
![Page 5: Home Invasion v2.0 Daniel “unicornFurn ace” Crowley](https://reader033.fdocuments.in/reader033/viewer/2022051712/586a2ea51a28abf52b8be743/html5/thumbnails/5.jpg)
© 2012
The “Smart” Home
Science fiction becomes science fact
Race to release novel products means poor security
Attempt to hack a sampling of “smart” devices
Many products we didn’t coverAndroid powered ovenSmart TVsIP security cameras
![Page 6: Home Invasion v2.0 Daniel “unicornFurn ace” Crowley](https://reader033.fdocuments.in/reader033/viewer/2022051712/586a2ea51a28abf52b8be743/html5/thumbnails/6.jpg)
© 2012© 2012
• What’s out there?
![Page 7: Home Invasion v2.0 Daniel “unicornFurn ace” Crowley](https://reader033.fdocuments.in/reader033/viewer/2022051712/586a2ea51a28abf52b8be743/html5/thumbnails/7.jpg)
© 2012
Belkin WeMo Switch
![Page 8: Home Invasion v2.0 Daniel “unicornFurn ace” Crowley](https://reader033.fdocuments.in/reader033/viewer/2022051712/586a2ea51a28abf52b8be743/html5/thumbnails/8.jpg)
© 2012
Belkin WeMo Switch
1. Vulnerable libupnp version2. Unauthenticated UPnP actions
1. SetBinaryState2. SetFriendlyName3. UpdateFirmware
![Page 9: Home Invasion v2.0 Daniel “unicornFurn ace” Crowley](https://reader033.fdocuments.in/reader033/viewer/2022051712/586a2ea51a28abf52b8be743/html5/thumbnails/9.jpg)
© 2012
MiOS VeraLite
![Page 10: Home Invasion v2.0 Daniel “unicornFurn ace” Crowley](https://reader033.fdocuments.in/reader033/viewer/2022051712/586a2ea51a28abf52b8be743/html5/thumbnails/10.jpg)
© 2012
MiOS VeraLite
1. Lack of authentication on web console by default2. Lack of authentication on UPnP daemon3. Path Traversal4. Insufficient Authorization Checks
1. Firmware Update2. Settings backup3. Test Lua code
5. Server Side Request Forgery6. Cross-Site Request Forgery7. Unconfirmed Authentication Bypass8. Vulnerable libupnp Version
![Page 11: Home Invasion v2.0 Daniel “unicornFurn ace” Crowley](https://reader033.fdocuments.in/reader033/viewer/2022051712/586a2ea51a28abf52b8be743/html5/thumbnails/11.jpg)
© 2012
INSTEON Hub
![Page 12: Home Invasion v2.0 Daniel “unicornFurn ace” Crowley](https://reader033.fdocuments.in/reader033/viewer/2022051712/586a2ea51a28abf52b8be743/html5/thumbnails/12.jpg)
© 2012
INSTEON Hub
1. Lack of authentication on web console1. Web console exposed to the Internet
![Page 13: Home Invasion v2.0 Daniel “unicornFurn ace” Crowley](https://reader033.fdocuments.in/reader033/viewer/2022051712/586a2ea51a28abf52b8be743/html5/thumbnails/13.jpg)
© 2012
Karotz Smart Rabbit
![Page 14: Home Invasion v2.0 Daniel “unicornFurn ace” Crowley](https://reader033.fdocuments.in/reader033/viewer/2022051712/586a2ea51a28abf52b8be743/html5/thumbnails/14.jpg)
© 2012
Karotz Smart Rabbit
1. Exposure of wifi network credentials unencrypted2. Python module hijack in wifi setup3. Unencrypted remote API calls4. Unencrypted setup package download
![Page 15: Home Invasion v2.0 Daniel “unicornFurn ace” Crowley](https://reader033.fdocuments.in/reader033/viewer/2022051712/586a2ea51a28abf52b8be743/html5/thumbnails/15.jpg)
© 2012
Linksys Media Adapter
1. Unauthenticated UPnP actions
![Page 16: Home Invasion v2.0 Daniel “unicornFurn ace” Crowley](https://reader033.fdocuments.in/reader033/viewer/2022051712/586a2ea51a28abf52b8be743/html5/thumbnails/16.jpg)
© 2012
LIXIL Satis Smart Toilet
![Page 17: Home Invasion v2.0 Daniel “unicornFurn ace” Crowley](https://reader033.fdocuments.in/reader033/viewer/2022051712/586a2ea51a28abf52b8be743/html5/thumbnails/17.jpg)
© 2012
Radio Thermostat
1. Unauthenticated API2. Disclosure of WiFi passphrase
![Page 18: Home Invasion v2.0 Daniel “unicornFurn ace” Crowley](https://reader033.fdocuments.in/reader033/viewer/2022051712/586a2ea51a28abf52b8be743/html5/thumbnails/18.jpg)
© 2012
SONOS Bridge
![Page 19: Home Invasion v2.0 Daniel “unicornFurn ace” Crowley](https://reader033.fdocuments.in/reader033/viewer/2022051712/586a2ea51a28abf52b8be743/html5/thumbnails/19.jpg)
© 2012
SONOS Bridge
1. Support console information disclosure
![Page 20: Home Invasion v2.0 Daniel “unicornFurn ace” Crowley](https://reader033.fdocuments.in/reader033/viewer/2022051712/586a2ea51a28abf52b8be743/html5/thumbnails/20.jpg)
© 2012© 2012
• DEMONSTRATION
![Page 21: Home Invasion v2.0 Daniel “unicornFurn ace” Crowley](https://reader033.fdocuments.in/reader033/viewer/2022051712/586a2ea51a28abf52b8be743/html5/thumbnails/21.jpg)
© 2012© 2012
• CONCLUSION
![Page 22: Home Invasion v2.0 Daniel “unicornFurn ace” Crowley](https://reader033.fdocuments.in/reader033/viewer/2022051712/586a2ea51a28abf52b8be743/html5/thumbnails/22.jpg)
© 2012
Questions?
Daniel “unicornFurnace” [email protected]@dan_crowley
Jennifer “savagejen” [email protected] (PGP key ID 6326A948)@savagejen
David “videoman” [email protected]@_videoman_