Professional Documents
Culture Documents
IoT: Internet of T…
https://www.ismsforum.es/estudioCEM
2018 © Dino Security S.L.
www.dinosec.com
All rights reserved. Todos los derechos reservados. 6
RootedCON 2016
Thanks to my father!
2018 © Dino Security S.L.
www.dinosec.com
All rights reserved. Todos los derechos reservados. 20
Remote Controller
• 3 channels
• NDR433TS:
– NEDI SAW (surface-acoustic-wave) resonator
• Frequency stabilization at 433.920 MHz
• Radio chip: 611S21 * DA17DB
– Unknown (radio chip)
• Found a single Internet reference in
Norwegian for 433.92 MHz
• Google, www.findchips.com, etc.
• Restart
2018 © Dino Security S.L.
www.dinosec.com
All rights reserved. Todos los derechos reservados. 29
Firmware Analysis
https://github.com/ReFirmLabs/binwalk
2018 © Dino Security S.L.
www.dinosec.com
All rights reserved. Todos los derechos reservados. 31
Firmware Analysis: Filesystem Format
• MPFS (Microchip PIC File System)
– Indexed web files for auto tag expansion (e.g. ~foo~)
– Plain and compressed files
• Microchip TCP/IP Stack
– Microchip's HTTP(2) web server – MPFS(2)
• Internal memory or EEPROM
https://books.google.es/books?id=V1wLsfO1114C
ABCD/1.0 CONNECT
Model: …
FW-Version: …
MAC: …
SN: …
Message-ID: …
JSON API
ABCD/1.0 KEEP-ALIVE
Message-ID: …
2018 © Dino Security S.L.
www.dinosec.com
All rights reserved. Todos los derechos reservados. 44
IoT to Cloud: Admin Access
• Unencrypted: Cloud requesting admin access to IoT
hub…API-REQUEST
ABCD/1.0 ABCD/1.0 API-RESPONSE
X-Token: …
Message-ID: … {…"msg":"API_NOT_AUTHED"}
Content-Length: …
god=admin
user=admin&pass=7a57a5a743894a0e&autologin=0&god=login&…
{"code":"101","error":"error","error_description":"Wrong Password"}
{"code":"100","error":"error","error_description":"User not found"}
• Change password…
<input id="admin-pass" class="admin-pass" name="admin-pass" type="password"
maxlength="16" disabled>
var pwdvalidator = {required: true, rangelength: [4, 16]};
config('setpass', md5($('#admin-pass').val(), 16));
2018 © Dino Security S.L.
www.dinosec.com
All rights reserved. Todos los derechos reservados. 54
Web Interface Passwords
• MD5-related passwords?
Usage: md5(<password>, 16)
File: md5.js
• Dynamic analysis
$ jsc getmd5.js – "IoT"
60a13f2f4c7e11c7
• Static analysis
... if(h==16){return a.substr(8,16)} ...
Hardware Components
2018 © Dino Security S.L.
www.dinosec.com
All rights reserved. Todos los derechos reservados. 62
Digital Modulation for 433 MHz Devices
• Internet of Troubles
• Internet of Testing
• Internet ot Trust
"Cada uno en su
casa… y
todo DiOs
en la de todos"
Raúl Siles
raul@dinosec.com
Questions?
w w w. d i n o s e c . c o m
@dinosec