
Raúl Siles
Founder & Senior Security Analyst
raul@dinosec.com
www.dinosec.com
@dinosec
March 3, 2018

IoT: Internet of T…

2018 © Dino Security S.L. All rights reserved. www.dinosec.com
This presentation is inspired by true events.
All events, locations, characters, persons, companies, firms, and IoT products :) depicted in this presentation, even those based on real devices, are fictitious.
Any resemblance to reality is purely coincidental and unintentional.

Disclaimer
• Real devices and details have been sanitized to minimize
the risk of vendor identification and massive exploitation.
• Live demonstrations and videos have to deal with and
overcome these constraints.
• Any resemblance of images, screenshots, text, code
snippets, and other details… to reality is purely
coincidental and unintentional.

IoT: Internet of T…
• IoT, Internet of Things
– Terror
– Traps, Tricks, Targets, Threats, Turbulences, Toilets… :)
– Trends
– Topics, Timers…
– …
• Internet of Testing
• Internet of Trust
https://twitter.com/dinosec/status/954283251081928706 (Carles, Javier…)
IoT Security Analysis Methodology
• Hardware components (+buttons/interfaces/ports...)
• Firmware
• "Cloud" services
• Mobile apps
• (Admin/Mgmt.) Web interface (& other services)
• Wireless/Radio communications
• Local storage
"Análisis de los vectores de ataque del Internet de las cosas (IoT)" ("Analysis of the attack vectors of the Internet of Things (IoT)")
https://www.ismsforum.es/estudioCEM
RootedCON 2016

Target

Advanced IoT Solutions: Parts List :)
• Central controller or hub
• Wireless peripheral devices
– Sensors
– Actuators
• "Cloud" services
• Mobile apps
• Web interface (& other services)

Target: Domotic IoT Solution
• Central controller or hub (plus remote controllers)
• Wireless peripheral devices: Sensors & Actuators
– Environmental control system
• Heating system
• Shutters
– Lighting system and power plugs
– Physical access (e.g. garage door)
• "Cloud" services, mobile apps, web interface…

(Smart) Home Automation


Market(ing) vs. Real Needs

Domotic IoT Solution: Technologies
• IoT: Internet (TCP/IP) of T…
• Radio/Wireless technologies (proprietary protocols)
– v1: 433 MHz (∼50m)
• Up to 6 paired transmitters (or channels)
– v2: 868 MHz (∼150m) + state feedback
• Up to 32 paired transmitters
• Transmitter, receiver (+ feedback) or transceiver
• USB expansion port: Z-Wave?…
• Absent wireless technologies: Wi-Fi, Bluetooth, ZigBee, etc.
Target: Blueprint

Finding the entry…

Outline
• Hardware components (+buttons/interfaces/ports...)
• Firmware
• "Cloud" services
• Mobile apps
• (Admin/Mgmt.) Web interface (& other services)
• Wireless/Radio communications
• Local storage

Hardware Teardown

Target: Hardware

Hardware Teardown
• Central controller or hub (Internet to radio/wireless)
• Remote control (up to 3/16 channels)
• Heating system (thermostat schedule)
– Heating controller (software), heater/boiler module (with state
feedback) and temperature sensor
• Lighting (e.g. indoor/outdoor bulbs, ceiling lights, lamps… anything)
– On/off or dimmer module, wall switch, motion or presence
detector, opening detector and power plugs (on/off or dimmer)
• Physical environment and access control
– Shutter module (with state feedback), and door or gate module
Devices Classification
• Transmitters (∼sensors)
– Remote controller
– Wall switch
– (indoor/outdoor) Motion or presence detector
– (door/window) Opening detector
– Temperature sensor
• Receivers (∼actuators)
– Heater/boiler module
– Shutter module
– Door or gate module
– Lighting on/off or dimmer module
– Power plugs (on/off or dimmer)
• Transceiver
– Central controller or hub
Hardware Hacking 101 :)
• Screwdriver hacking!
– 857/1 Z fork-tip bit (a bit for spanner screws)
Thanks to my father!
Remote Controller
• 3 channels
• NDR433TS:
– NEDI SAW (surface-acoustic-wave) resonator
• Frequency stabilization at 433.920 MHz
• Radio chip: 611S21 * DA17DB
– Unknown (radio chip)
• Found a single Internet reference in
Norwegian for 433.92 MHz
• Google, www.findchips.com, etc.

Shutter or Door/Gate

Hub or Central Controller

Temperature Sensor
• Main (and unique) chip
–…

Heater / Boiler Module

Power Plug

Firmware

Target: Firmware

Firmware Updates
• No auto update capabilities
• Manual download from manufacturer website (or by
contacting support)
• Backup current configuration first :) (…via cloud only :( )
• Upload '<version>.bin' file via web interface
– Authentication required as "admin" (web interface details)
– No signature (build your own firmware version :) and…)
– Firmware string (strings): Use <a href="/upload">MPFS Upload</a> to program web pages...

• Restart
Firmware Analysis

Firmware Analysis: Details
• binwalk: Firmware analysis tool
– Found: MPFS v2.1 filesystem, images (PNG, GIF, JPEG, TIFF…),
compressed data (gzip and Zlib), HTML documents, etc.
• No encryption and just… some compression
• "strings is your friend…" (e.g. Google Maps API key)
Version 3.5.2
Builddate Mar 3 2018
Productmodel A8021
FW-Version 186370035640
…
MPFS-2.1

autologin
# login as user
admin
# login as admin
usrpass 52d04dc20036dbd8
setpass 7a57a5a743894a0e

https://github.com/ReFirmLabs/binwalk
Firmware Analysis: Filesystem Format
• MPFS (Microchip PIC File System)
– Indexed web files for auto tag expansion (e.g. ~foo~)
– Plain and compressed files
• Microchip TCP/IP Stack
– Microchip's HTTP(2) web server – MPFS(2)
• Internal memory or EEPROM

https://books.google.es/books?id=V1wLsfO1114C

Firmware MPFS Extraction
• binwalk custom plugin
– Signature: known MPFS data signatures ("…/magic/filesystems")
• Starts with the string "MPFS{v}{s}{f}" (version, subversion, file entries)
– MPFS{byte}{byte}{leshort} (byte: 8-bit integer; leshort: little endian 2-byte integer)
– Extractor: <missing>
• MPFS extraction tools… :(
• MPFS2 extraction tools
– mpfs2-fsutil (--list & --extract)
– https://www.mjoldfield.com/atelier/
2007/12/mpfs2.html
https://github.com/ReFirmLabs/binwalk/wiki/Creating-Custom-Plugins
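Added example (not from the slides, DinoSec or Microchip): a Python scanner and parser for the MPFS2 image format described above, i.e. the job the missing binwalk extractor would do. The 8-byte header is exactly the signature on the slide ("MPFS" + version byte + subversion byte + little-endian uint16 file count); the 22-byte file record layout and the 0x0001 "is gzipped" flag follow Microchip's MPFS2 sources and are assumptions here. The firmware blob is constructed inline so the block runs offline.

```python
"""MPFS2 image scanner/parser, an added example (not DinoSec's or Microchip's code).

Header: "MPFS" + version byte + subversion byte + little-endian uint16 file count
(the signature on the slide). The 22-byte file record layout (StringPtr, DataPtr,
Len, Timestamp, Microtime, uint16 Flags) and the gzip flag are assumptions taken
from Microchip's MPFS2 sources. All sample data below is constructed.
"""
import gzip
import struct

MPFS_MAGIC = b"MPFS"
HEADER = struct.Struct("<4sBBH")       # magic, version, subversion, numFiles
RECORD = struct.Struct("<IIIIIH")      # StringPtr, DataPtr, Len, Timestamp, Microtime, Flags
FLAG_ISZIPPED = 0x0001                 # assumed: file data is gzip-compressed
FLAG_HASINDEX = 0x0002                 # assumed: file has a ~tag~ index companion


def find_mpfs(blob):
    """binwalk-style signature scan: offsets of every "MPFS" header in a firmware blob."""
    offsets, pos = [], blob.find(MPFS_MAGIC)
    while pos != -1:
        offsets.append(pos)
        pos = blob.find(MPFS_MAGIC, pos + 1)
    return offsets


def parse_mpfs(blob, base=0):
    """Parse the MPFS image starting at `base`; in-image pointers are relative to the header."""
    magic, ver, sub, nfiles = HEADER.unpack_from(blob, base)
    if magic != MPFS_MAGIC:
        raise ValueError("no MPFS header at offset %d" % base)
    files = {}
    for i in range(nfiles):
        sptr, dptr, length, _ts, _us, flags = RECORD.unpack_from(
            blob, base + HEADER.size + i * RECORD.size)
        name = blob[base + sptr:blob.index(b"\x00", base + sptr)].decode()
        data = blob[base + dptr:base + dptr + length]
        if flags & FLAG_ISZIPPED:
            data = gzip.decompress(data)      # undo the "some compression" binwalk reported
        files[name] = data
    return {"version": (ver, sub), "files": files}


def build_mpfs(entries, zipped=()):
    """Constructed MPFS v2.1 image from {name: bytes}; only used to produce offline test input."""
    names = list(entries)
    payloads = [gzip.compress(entries[n], mtime=0) if n in zipped else entries[n] for n in names]
    strings = b"".join(n.encode() + b"\x00" for n in names)
    sp = HEADER.size + len(names) * RECORD.size    # string table follows the records
    dp = sp + len(strings)                          # file data follows the string table
    records = b""
    for n, p in zip(names, payloads):
        records += RECORD.pack(sp, dp, len(p), 0, 0, FLAG_ISZIPPED if n in zipped else 0)
        sp += len(n) + 1
        dp += len(p)
    return HEADER.pack(MPFS_MAGIC, 2, 1, len(names)) + records + strings + b"".join(payloads)


# Constructed "firmware": padding, one MPFS v2.1 image (one plain file, one gzipped), trailer.
SAMPLE_FILES = {
    "index.htm": b"<html>~inc:inc/header.inc~</html>",
    "md5.js": b"if(h==16){return a.substr(8,16)}",
}
FIRMWARE = b"\x00" * 64 + build_mpfs(SAMPLE_FILES, zipped=("md5.js",)) + b"\xff" * 16


def extract_all(blob):
    """Scan a blob and return {offset: parsed image} for every MPFS header found."""
    return {off: parse_mpfs(blob, off) for off in find_mpfs(blob)}


if __name__ == "__main__":
    for off, fs in extract_all(FIRMWARE).items():
        print("MPFS v%d.%d at offset %d" % (fs["version"][0], fs["version"][1], off))
        for name, data in fs["files"].items():
            print("  %-12s %d bytes" % (name, len(data)))
```

find_mpfs() plays the role of the binwalk signature (it scans for the four magic bytes) and parse_mpfs() the role of the extractor plugin. Pointers inside the image are relative to the header, so always pass the header offset as `base` when the image is embedded in a larger firmware blob; the check that raises on a wrong offset is what keeps a false signature hit from silently producing garbage files.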
Physical Firmware Extraction
• 4-pin JTAG interface
– Joint Test Action Group
• PIC
– TMS, TDO, TCK, TDI
– Pins: 23, 24, 27, 28
• TMS (Test Mode Select)
• TDO (Test Data Out)
• TCK (Test Clock)
• TDI (Test Data In)
• TRST (Test Reset) optional

"Cloud" Services

Cloud Service
• User to cloud
– Direct access to the IoT environment through the cloud
– Web browser (traditional computer or mobile) and/or mobile app
– Registration process
– Backup / Restore capabilities
• Not available through local web server or via mobile app !!!!
• IoT to cloud
– Communication between the IoT environment and the cloud
– Proprietary protocol, enabled by default

Target: User to Cloud

TCP/IP Port Mapping
• What do you think of a critical cloud server that has… this list of open ports, and more?
21/tcp, 22/tcp, 25/tcp, 53/tcp, 80/tcp, 110/tcp, 143/tcp, 443/tcp, 465/tcp, 587/tcp, 993/tcp, 995/tcp, 3128/tcp, 8080/tcp, 8081/tcp, 8090/tcp
– i.e. FTP, SSH, SMTP, DNS, HTTP, POP3, IMAP, HTTPS, SMTPS, submission, IMAPS, POP3S, a proxy port and several alternate HTTP ports, all on the one host every IoT environment depends on
Cloud Passwords
• At some point, you cannot log in again (web and mobile)
• After logging in, you should receive a Bearer Token
(OAuth 2.0), used for API requests
• Instead, you get a JSON error (interception proxy)
{"code":503,"error":"server_error","error_description":"server_error"}

• Reason: After extensive research…
– Does the vendor even know it?
– If your password is longer than 25 characters (back-end issue)
– Have you heard about passphrases?
Something Does Not Smell Right Here…

Backup / Restore Capabilities
• Is it possible to access other IoT environment's backups?
– Backups are saved in a proprietary plain text format
• Reverse engineer backup format to extract rooms, device IDs, MD5…
• Is it possible to make backups of other IoT environments? :)
• Anonymously?

Target: IoT to Cloud

IoT to Cloud
• Proprietary protocol similar to HTTP
– Enough to make standard HTTP(S) interception proxies fail
– Solution: mitm_relay (or NoPE) + Burp (et al.)
• Custom port (1234/tcp)
• Enabled by default
• No encryption, no integrity, no…thing
• Discloses multiple device IDs: model, firmware version,
MAC address, serial number, and message ID
https://github.com/jrmdev/mitm_relay
IoT to Cloud: Proprietary Protocol

ABCD/1.0 CONNECT
Model: …
FW-Version: …
MAC: …
SN: …
Message-ID: …

JSON API
ABCD/1.0 KEEP-ALIVE
Message-ID: …
IoT to Cloud: Admin Access
• Unencrypted: Cloud requesting admin access to IoT hub…

ABCD/1.0 API-REQUEST
X-Token: …
Message-ID: …
Content-Length: …

god=admin

ABCD/1.0 API-RESPONSE
{…"msg":"API_NOT_AUTHED"}

ABCD/1.0 API-REQUEST
X-Token: …
Message-ID: …
Content-Length: …

user=admin&pass=7a57a5a743894a0e&autologin=0&god=login&…

ABCD/1.0 API-RESPONSE
{…"msg":"SUCCESS"}

Full access to IoT hub and the associated IoT environment...
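Added example, not the vendor's or DinoSec's code: a parser for the ABCD/1.0 framing shown above, plus the two checks a tester runs over the mitm_relay capture (which identifiers leak in CONNECT, and which requests carry user/pass in the clear). The framing (start line, "Name: value" headers, blank line, then a Content-Length body) is modelled on HTTP and is an assumption, as is the Message-ID on responses used to pair them with requests; the capture is constructed with placeholder values and merges both directions in the order they were seen.

```python
"""Parser and checks for the HTTP-like hub<->cloud protocol (added example, not vendor code).

Framing assumed: "ABCD/1.0 <VERB>", then "Name: value" headers, a blank line, and
Content-Length bytes of body when a Content-Length header is present. The sample
capture is constructed; every value in it is a placeholder.
"""
import json
from collections import namedtuple
from urllib.parse import parse_qs

Message = namedtuple("Message", "verb headers body")
PROTO = "ABCD/1.0"


def build(verb, headers, body=b""):
    """Serialise one message; Content-Length is added only when there is a body."""
    lines = ["%s %s" % (PROTO, verb)] + ["%s: %s" % kv for kv in headers.items()]
    if body:
        lines.append("Content-Length: %d" % len(body))
    return ("\n".join(lines) + "\n\n").encode() + body


def parse_messages(stream):
    """Split a raw capture into Message objects, using Content-Length to delimit bodies."""
    stream = stream.replace(b"\r\n", b"\n")
    msgs, pos = [], 0
    while pos < len(stream):
        if stream[pos:pos + 1] == b"\n":      # tolerate blank lines between messages
            pos += 1
            continue
        end = stream.find(b"\n\n", pos)
        if end == -1:
            break                             # truncated header block at end of capture
        start, *hdr_lines = stream[pos:end].decode().split("\n")
        proto, _, verb = start.partition(" ")
        if proto != PROTO:
            raise ValueError("unexpected start line: %r" % start)
        headers = dict(line.split(": ", 1) for line in hdr_lines)
        length = int(headers.get("Content-Length", 0))
        body = stream[end + 2:end + 2 + length]
        msgs.append(Message(verb, headers, body))
        pos = end + 2 + length
    return msgs


def device_identifiers(msgs):
    """Identifiers the hub discloses in its CONNECT handshake."""
    for m in msgs:
        if m.verb == "CONNECT":
            return {k: v for k, v in m.headers.items() if k in ("Model", "FW-Version", "MAC", "SN")}
    return {}


def correlate(msgs):
    """Pair API-REQUEST/API-RESPONSE by Message-ID -> [(request params, response JSON)]."""
    pending, pairs = {}, []
    for m in msgs:
        mid = m.headers.get("Message-ID")
        if m.verb == "API-REQUEST":
            pending[mid] = m
        elif m.verb == "API-RESPONSE" and mid in pending:
            pairs.append((parse_qs(pending.pop(mid).body.decode()), json.loads(m.body)))
    return pairs


def cleartext_credentials(msgs):
    """Detection check: any request carrying user/pass parameters on this unencrypted channel."""
    found = []
    for m in msgs:
        if m.verb == "API-REQUEST":
            params = parse_qs(m.body.decode())
            if "user" in params and "pass" in params:
                found.append((params["user"][0], params["pass"][0]))
    return found


# Constructed capture of the admin-access sequence from the slide (all values placeholders).
SAMPLE_CAPTURE = b"".join([
    build("CONNECT", {"Model": "A8021", "FW-Version": "186370035640",
                      "MAC": "00:11:22:33:44:55", "SN": "SN0001", "Message-ID": "1"}),
    build("KEEP-ALIVE", {"Message-ID": "2"}),
    build("API-REQUEST", {"X-Token": "t0k3n", "Message-ID": "3"}, b"god=admin"),
    build("API-RESPONSE", {"Message-ID": "3"}, b'{"msg":"API_NOT_AUTHED"}'),
    build("API-REQUEST", {"X-Token": "t0k3n", "Message-ID": "4"},
          b"user=admin&pass=7a57a5a743894a0e&autologin=0&god=login"),
    build("API-RESPONSE", {"Message-ID": "4"}, b'{"msg":"SUCCESS"}'),
])

if __name__ == "__main__":
    msgs = parse_messages(SAMPLE_CAPTURE)
    print("identifiers:", device_identifiers(msgs))
    for params, resp in correlate(msgs):
        print(params, "->", resp["msg"])
    print("cleartext credentials:", cleartext_credentials(msgs))
```

The same parse_messages() is what a mitm_relay handler needs in order to rewrite a message and recompute Content-Length before forwarding it; the cleartext_credentials() check is the one to keep in a capture pipeline, since a pass= value on this channel is immediately replayable against the hub.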

Mobile Apps

Target: Mobile Apps

Mobile Apps
• iOS and Android

Username Enumeration in iOS
• In the login page for the mobile app… :(
POST /auth HTTP/1.1 (via HTTPS)
Host: cloud.example.com
...

{username: "monica", password: "0123456789abcdef"}

{"code":"101","error":"error","error_description":"Wrong Password"}
{"code":"100","error":"error","error_description":"User not found"}

• And as a bonus, if the username does not exist, the request goes out again (via HTTP)…
POST /auth HTTP/1.1 (via HTTP)
Host: example.com
...

{username: "monica", password: "0123456789abcdef"}

• Be careful with typos in your username :)
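Added example, not the vendor's back end: the /auth handler as the two responses above imply it behaves, next to a hardened version that returns one generic failure for both cases, and the attacker-side probe that shows why the difference matters. The user store and hashing are constructed (a real service would use a slow, salted KDF such as bcrypt or argon2id, not plain SHA-256).

```python
"""Vulnerable vs. hardened /auth handler and the enumeration probe (added example, not vendor code).

The user store and the SHA-256 hashing are constructed for illustration; a real
service would use a slow, salted KDF (bcrypt/argon2id).
"""
import hashlib
import hmac
import secrets

# Constructed user store: username -> SHA-256 of the password (illustration only).
USERS = {"monica": hashlib.sha256(b"correct horse battery").hexdigest()}
# Compared against for unknown users too, so both branches do the same work.
DUMMY_HASH = hashlib.sha256(secrets.token_bytes(32)).hexdigest()


def auth_vulnerable(username, password):
    """Distinct errors for unknown user vs. wrong password: a username oracle."""
    if username not in USERS:
        return {"code": "100", "error": "error", "error_description": "User not found"}
    if hashlib.sha256(password.encode()).hexdigest() != USERS[username]:
        return {"code": "101", "error": "error", "error_description": "Wrong Password"}
    return {"code": "0", "token_type": "Bearer", "access_token": secrets.token_hex(16)}


def auth_hardened(username, password):
    """One generic failure response; same code path and comparison cost either way."""
    stored = USERS.get(username, DUMMY_HASH)
    digest = hashlib.sha256(password.encode()).hexdigest()
    if not (hmac.compare_digest(digest, stored) and username in USERS):
        return {"code": "1", "error": "invalid_grant",
                "error_description": "Invalid username or password"}
    return {"code": "0", "token_type": "Bearer", "access_token": secrets.token_hex(16)}


def enumerate_users(auth, candidates, probe_password="0123456789abcdef"):
    """Attacker's side: the names whose error text confirms an existing account."""
    confirmed = []
    for name in candidates:
        reply = auth(name, probe_password)
        if reply.get("error_description") == "Wrong Password":
            confirmed.append(name)
    return confirmed


if __name__ == "__main__":
    names = ["monica", "nobody", "raul"]
    print("vulnerable:", enumerate_users(auth_vulnerable, names))
    print("hardened:  ", enumerate_users(auth_hardened, names))
```

The hardened handler hashes the supplied password even when the account does not exist and compares with hmac.compare_digest, so neither the response body nor its timing depends on whether the username is valid. That closes only the oracle; the bonus above (the app re-sending the same credentials over plain HTTP) is a client bug, fixed in the app by refusing any non-HTTPS fallback.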


Web Interface

Target: Web Interface

Web Interface
• Local administrative/management web interface
• Only port 80/tcp open
– HTTPS?
• Settings section (e.g. "/settings/") requires authentication
– Default password: admin – no username?
– Did I mention there is no encryption?
• Traditional or mobile access

Admin Web Interface (via Mobile)

Admin Web Interface
• Login page simply requests a password, but…
<html>
<head><title>Login</title>~inc:inc/header.inc~</head>
<body>
<div class="login"><h2>Admin Login</h2>
<div class="login-form">
<input id="user" type="hidden" value="admin">
<input id="password" type="password" placeholder="password">
<button id="login">LOGIN</button>
</div>...

• Change password…
<input id="admin-pass" class="admin-pass" name="admin-pass" type="password" maxlength="16" disabled>
var pwdvalidator = {required: true, rangelength: [4, 16]};
config('setpass', md5($('#admin-pass').val(), 16));
Web Interface Passwords
• MD5-related passwords?
Usage: md5(<password>, 16)
File: md5.js

• Dynamic analysis
$ jsc getmd5.js -- "IoT"
60a13f2f4c7e11c7

• Static analysis
... if(h==16){return a.substr(8,16)} ...

• Firmware password-like strings…
usrpass 52d04dc20036dbd8 (md5("1234") = 81dc9bdb52d04dc20036dbd8313ed055) --> 1234
setpass 7a57a5a743894a0e (md5("admin") = 21232f297a57a5a743894a0e4a801fc3) --> admin
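Added example, not the vendor's md5.js: the same 16-hex-character truncation in Python and a dictionary attack that recovers the two firmware strings above from it. The wordlist is constructed.

```python
"""Recreate md5(<password>, 16) and recover the firmware's password strings with it.

Added example, not the vendor's md5.js. The wordlist is constructed.
"""
import hashlib
from typing import Optional


def md5_16(password: str) -> str:
    """Same as md5.js with h == 16: the hex digest's substr(8, 16), i.e. hex chars 8..23."""
    return hashlib.md5(password.encode()).hexdigest()[8:24]


def crack(fragment: str, wordlist) -> Optional[str]:
    """Dictionary attack on a 16-hex-char (64-bit) MD5 fragment: plenty to pin down a weak password."""
    fragment = fragment.lower()
    for candidate in wordlist:
        if md5_16(candidate) == fragment:
            return candidate
    return None


# Password-like strings pulled out of the firmware with `strings` (values from the slide).
FIRMWARE_STRINGS = {"usrpass": "52d04dc20036dbd8", "setpass": "7a57a5a743894a0e"}

# Constructed wordlist; a real run would use a default-credential list.
WORDLIST = ["password", "12345678", "1234", "admin", "IoT", "letmein"]


def recover_defaults(strings=FIRMWARE_STRINGS, wordlist=WORDLIST) -> dict:
    """Map each firmware string name to its recovered password (or None)."""
    return {name: crack(fragment, wordlist) for name, fragment in strings.items()}


if __name__ == "__main__":
    for name, password in recover_defaults().items():
        print("%s %s -> %r" % (name, FIRMWARE_STRINGS[name], password))
```

Because the cloud-to-hub login sends this same 16-hex-character value as pass= in the clear, the fragment is a password-equivalent: whoever holds the firmware image or a capture logs in without ever recovering "admin". Truncating the MD5 to 64 bits does not protect anything; it only makes offline guessing cheaper.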
Firmware Upload Capabilities
• Without authentication (obtained via firmware strings…)

Wireless/Radio Communications

Target: Wireless/Radio Communications

Wireless Communications
• Adding new wireless devices (pairing)
– Pairing 433 & 868 MHz devices
– Wireless devices classification
• Digital modulation for 433 & 868 MHz signals
• Replaying 433 & 868 MHz signals
• Decoding 433 & 868 MHz signals

HackRF One OperaCake

OperaCake: Auto-Antenna Selection

Wireless Devices Classification
• Receivers
– Grab signals and store them in memory (learning function)
• Transmitters
– Generate signals (static or dynamic :))
• Transceivers
– Both (e.g. receivers with state feedback)
• Hub
– Legitimate replay attacks :)

Hardware Components
Digital Modulation for 433 MHz Devices

Digital Modulation for 868 MHz Devices

Playing with Wireless/Radio Signals
• Replaying 433 & 868 MHz signals
– "script-kiddie" attacks
• Decoding 433 & 868 MHz signals
– Digital demodulation (reverse engineering radio signals)
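Added example, not the GRC flowgraph or the rfcat script from the slides: how the "digital demodulation" step turns a captured OOK amplitude envelope back into bits, so the code can be understood (and, if static, re-sent) rather than blindly replayed. The PWM-style bit encoding and sync gap used to make the sample capture are an assumed, constructed scheme, not the vendor's; UNIT is an arbitrary sample count.

```python
"""OOK envelope -> bits: run-length encode, then classify mark/space widths.

Added example, not DinoSec's GRC/rfcat material. The transmitter model below
(1-unit/3-unit marks, 31-unit sync gap) is an assumed, constructed scheme used
only to produce an offline sample capture; it is not the vendor's encoding.
"""
from collections import Counter

UNIT = 10   # samples per timing unit in the constructed capture (arbitrary)


def encode_ook(bits, repeats=1, unit=UNIT, jitter=False):
    """Constructed transmitter: bit 0 = 1 unit high + 3 low, bit 1 = 3 high + 1 low,
    each frame followed by a sync of 1 unit high + 31 units low."""
    samples, k = [0] * (5 * unit), 0        # leading silence
    def run(level, units):
        nonlocal k
        n = units * unit + ((k % 3) - 1 if jitter else 0)   # +/-1 sample of timing jitter
        k += 1
        samples.extend([level] * n)
    for _ in range(repeats):
        for b in bits:
            hi, lo = (3, 1) if b == "1" else (1, 3)
            run(1, hi)
            run(0, lo)
        run(1, 1)
        run(0, 31)
    return samples


def run_lengths(samples):
    """0/1 envelope -> [[level, count], ...]."""
    runs = []
    for s in samples:
        if runs and runs[-1][0] == s:
            runs[-1][1] += 1
        else:
            runs.append([s, 1])
    return runs


def decode_ook(samples, gap_ratio=8):
    """Return one bit string per frame. The shortest mark gives the timing unit;
    a space of at least gap_ratio units is treated as the inter-frame sync gap."""
    runs = run_lengths(samples)
    marks = [n for lvl, n in runs if lvl == 1]
    if not marks:
        return []
    unit = min(marks)
    frames, bits = [], ""
    i = 1 if runs[0][0] == 0 else 0          # skip leading silence
    while i + 1 < len(runs):
        mark, space = runs[i][1], runs[i + 1][1]
        if space >= gap_ratio * unit:        # sync: the frame before it is complete
            if bits:
                frames.append(bits)
            bits = ""
        else:
            bits += "1" if mark >= 2 * unit else "0"
        i += 2
    if bits:                                 # capture cut off before the final sync
        frames.append(bits)
    return frames


def best_frame(frames):
    """Remotes repeat the code; a majority vote rejects a frame corrupted by noise."""
    return Counter(frames).most_common(1)[0][0] if frames else None


def bits_to_hex(bits):
    return "%0*x" % ((len(bits) + 3) // 4, int(bits, 2))


SAMPLE_CODE = "110100101100010100001111"    # constructed 24-bit code
CAPTURE = encode_ook(SAMPLE_CODE, repeats=3, jitter=True)

if __name__ == "__main__":
    frames = decode_ook(CAPTURE)
    print(len(frames), "frames, code:", bits_to_hex(best_frame(frames)))
```

On a real capture, replace encode_ook() with the thresholded magnitude of the SDR samples (after a low-pass filter in GNU Radio, or from an rfcat capture): the decoder only needs the 0/1 envelope. Majority voting over the repeated frames is what makes the result robust to one glitched frame; if the frames of a single button press differ from press to press, the device is using a dynamic code and this analysis tells you replay alone will not be enough.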

Internet of T…

Heater Module: GRC

Heater Module: rfcat script

Conclusions

IoT: Internet of T…

• Internet of Troubles
• Internet of Testing
• Internet of Trust

Spanish Collection of Proverbs

"Cada uno en su casa… y todo DiOs en la de todos"
(The proverb reads "everyone in their own home, and God in everyone's"; "todo Dios" colloquially means "everybody", so here: everybody in everyone's home.)

Credits
– Produced by: Raúl Siles
– Sponsored by: Mónica Salas
E&E
– Casting by: IoT vendors
– Supported by: My parents, et al.
– Music & visuals by: Siletes
– Costume designer: DinoSec

Questions?

Raúl Siles
raul@dinosec.com
www.dinosec.com
@dinosec