Professional Documents
Culture Documents
DEFCON26-Having Fun With IoT-Xiaomi
DEFCON26-Having Fun With IoT-Xiaomi
https://moniotrlab.ccis.neu.edu/
DEFCON 26 – Dennis Giese 6
“Responsible disclosure”?
• Ethical question: “Responsible disclosure”?
– Conflict:
• Rootability vs. Device security
• “Service for the Community” vs. Bug Bounty Program
– Before DEFCON: contacted Xiaomi security team
Yeelink Desk lamp Yeelink/Philips Ceiling Lights Vacuum Robot Gen 2 Lumi Aqara Camera
Philips Eyecare Desk lamp Philips Smart LED Bulb Yeelink Bedside Lamp Yeelink Smart LED Bulb (v2)
Xiaomi Wi-Fi router Xiaomi (Ninebot) M365 Smart Power strip
DEFCON 26 – Dennis Giese 9
Why Vacuum Robots?
https://github.com/MiEcosystem/miio_open
– 85 Million Devices, 800 different models 1
• Different Vendors, one ecosystem
– Same communication protocol
https://iot.mi.com/index.html
– Different technologies supported
– Implementation differs from manufacturer to manufacturer
• Software quality very different
1:
https://www.espressif.com/en/media_overview/news/espressif-systems-integrated-xiaomis-plans-iot-development
DEFCON 26 – Dennis Giese 12
Xiaomi Ecosystem
HTTPS
Xiaomi
WiFi
Cloud
(Mi)
ZigBee
HTTPS
Xiaomi
WiFi
Cloud
ZigBee
Gateway
DEFCON 26 – Dennis Giese 17
App to Cloud communication
• Authentication via OAuth
• Layered encryption
– Outside: HTTPS
– Inside: AES using a session key
• Message format: JSON RPC
• Device specific functions: provided by Plugins
Source: Openstreetmaps
DEFCON 26 – Dennis Giese 20
Example of Communication relations
<-soundpackages, firmware
compass uart_lds uart_mcu maps,logs->
*.fds.api.xiaomi.com (https)
player
0.0.0.0:6665
wifimgr ott.io.mi.com:80(tcp)
device.conf: ot.io.mi.com:8053(udp)
RoboController DID, Key
<-commands,
Miio_client reports->
AES encrypted
AppProxy (local):54322 (tcp)
Android/
0.0.0.0:54321 (udp)
iPhone App
Robot intern IPC
plain json (tcp)
enc(key) json (tcp/udp)
enc(token) json (udp)
Xiaomi Cloud
<-commands,
Miio_client reports->
AppProxy (local):54322 (tcp)
Android/
0.0.0.0:54321 (udp)
iPhone App
Robot intern IPC
/etc/hosts plain json (tcp)
enc(key) json (tcp/udp)
130.83.x.x ot.io.mi.com
enc(token) json (udp)
130.83.x.x ott.io.mi.com
https://github.com/dgiese/dustcloud-documentation
• Proxy or endpoint server for devices
– Acts as Xiaomi Cloud emulation
https://github.com/dgiese/dustcloud
– Reads traffic in plaintext
– May send commands to the device
• Change or suppress commands (e.g. Updates)
• Requirements: Device ID, Cloud Key, DNS Redirection
– …
– models not always compatible
• My inventory: ~42 different models Zhimi
9%
40
45
512 MB RAM
STM32 MCU
4GB
R16 eMMC
SOC Flash
WiFi Module
LIDAR UART
R16 UART
(115200 baud)
STM UART Tx
Rx
(921600 baud)
Tx
R16 512 MB
SOC RAM STM32
MCU
4GB
WiFi Module eMMC
Flash
B D7 D5 D3 D1 D3 D1 CMD RX
D RX TX CMD SCL
E
Recov Confir
F ery m UART2
G RX TX
Line
H IN L
LINE
J IN R
PHO
K NE IN
PHO
L NE IN
PHO MIC1
M NE P
PHO MIC2
N NE P
R
USB- USB-
T LCD9 LCD7 LCD5 LCD3 LCD1 DM0 DP0 USB 1
USB USB- USB-
U LCD8 LCD6 LCD4 LCD2 LCD0 DRV DM1 DP1 USB 2
dd
system_b
miIO.ota {"mode":"normal“, "install":"1",
Update root pw
"app_url":"https://[URL]/v11_[version].pkg",
in /etc/shadow Download
"file_md5":“[md5]",”proc":"dnld install“}
dd
Data
Unpack + dd
Decrypt + image MD5
OK? ok? rebooting
…
2. Download [app_url]
„miIO.ota“
unprovisioned state
Webserver
DEFCON 26 – Dennis Giese 63
SSH
https://xiaomi.flole.de/
– Run without cloud
• Support by third-party tools (e.g. FloleVac, FHEM, etc)
– Run with your own cloud
https://arxiv.org/pdf/1501.03378.pdf
• Idea by Prof. Noubir: Let’s run Tor hidden services on IoT
– Paper from 2015: OnionBots, a stealthy botnet with
compromised IoT devices
• Easy to install in Ubuntu
– Make SSH accessible via TOR
– No need for NAT ;)
https://www.seemoo.informatik.tu-darmstadt.de/
• Daniel Wegemer (aka DanielAW)
• Prof. Guevara Noubir (CCIS, Northeastern University)
http://www.ccs.neu.edu/home/noubir/
• Secure Mobile Networking (SEEMOO) Labs and CROSSING S1
https://sites.bu.edu/tclc/
• Andrew Sellars and Team (Boston University Technology & Cyberlaw Clinic)
Contact:
See: http://dontvacuum.me
Telegram: https://t.me/kuchenmonster
Twitter: dgi_DE
Meet me in26Boston/@DC617
DEFCON – Dennis Giese 85
DEFCON 26 – Dennis Giese 86