IoT – The gift that keeps on giving - IoT Village

Post on 16-Oct-2020


IoT – The gift that keeps on giving

Host:

Alex “Jay” Balan – Chief Security Researcher

abalan@bitdefender.com | @jaymzu

Contributors – labs@bitdefender.com

Radu Alexandru Basaraba - rbasaraba@bitdefender.com

Alexandru Lazar – allazar@bitdefender.com

Mihai Moldovan - mimoldovan@bitdefender.com


• Chapter 1 – The crazy state of IoT

• Chapter 2 – From China with love

• First findings

• Quick crash course into IoT hacking

• Demo

• Chapter 3 – The gift that keeps on giving

CHAPTER 1: The crazy state of IoT

RENTED A CONNECTED CAR ONCE…

SMART EVERYTHING

Smart Portable fish finder

Smart lightbulb & WiFi repeater

Smart Lightbulb

Smart Thermostat

Smart Yoga Mat

Smart Music Player

Smart Barbie doll

Smart Power Outlet

Smart Coffee Maker

IT TAKES A SPECIAL KIND OF CRAZY TO TRY THIS

THE MOST COMMON ISSUES

• Undocumented hardcoded passwords

• Weak or no encryption

• Command injection

• Very old services

• WiFi configuration hotspots

• Bad UX on Firmware updates

• Port forwarding / UPnP

• Device – cloud – mobile app cloud sync

• poor input validation => command injection

THE MOST DANGEROUS ISSUES

MOST IOT SECURITY PAPERS ARE FOCUSED ON PROXIMITY-BASED ATTACKS

• MITM the Bluetooth key exchange

• Get shell on some device in your house

• Etc…

• Attacks that require proximity have their charm

MASS HACKS NEED MORE LOVE

IOT IS JUST HARDWARE + OS + APP (+ CLOUD)

wu-ftpd, IIS 5.0, RDP, Joomla (app)

WHY IS THAT A PROBLEM?

• No standards or security reviews for 90% of what’s out there

• Each company builds their own app with almost no experience with how security works

CHAPTER 2

FROM CHINA WITH LOVE

IDOORBELL & NEO COOLCAM

SETTING IT UP – STANDARD LINKSYS ROUTER

SETTING IT UP – SETUP FLOW

Flow is identical for both the doorbell and webcam.

FROM A PERFECTLY GOOD ROUTER

TO SWISS CHEESE

SHODAN SAYS THIS HAS GREAT POTENTIAL

AT THIS POINT WE WENT THROUGH THE USUAL FIRST STEPS

• Wireshark

• Mobile app unpacking

• Check for weak encryption

• Check webapp for various vectors

• Etc…

• We realized that we’ve become used to a number of stupid things

• …and cheered when we found things that should be common sense

• Encryption in cloud communication (yey!)

• No encryption on direct connections (boo!)

SO…

YOU SEE AN INPUT FIELD… YOU FUZZ IT

Sadly, the good folks at Neo Shenzhen decided not to let us have too much fun.

Crash on the first try…

The RTSP server didn’t crash with the same method, though (yet).

I’M A SIMPLE MAN. I SEE A CRASH, I GET AROUSED

HOOK-UP TO SERIAL

GREAT SUCCESS! NO CREDENTIALS THOUGH

GOT ROOT ?

Pause boot loader: pass init=/bin/bash to kernel

Use dumb shell to add telnetd to startup

FIRST FINDS – UNDOCUMENTED USERS

FIRST FINDS – AND THIS: ONE BINARY TO RULE THEM ALL (BECAUSE WHY NOT?)

• Webserver

• RTSP server

• Authentication for webserver

• Authentication for RTSP

DEBUG TIME!

cp -r / /path/to/sdcard

HTTP AUTH

When checking auth at http://<ip>/?usr=<user>&pwd=<password>, libs_parsedata copies the content of those two arguments onto the stack without checking whether they fit, resulting in an out-of-bounds write.

0x460 bytes allocated on the stack

HTTP AUTH

ASLR is enabled.

However… no PIE, so the binary will always load at the same address.

We’ll use the ROP gadget at 0x0007EDD8 to put the address of the stack pointer (which now contains our command) into R0, then call the system function to execute our command.

GET /?usr=<204bytes><command>&pwd=<328bytes><0xD8ED07> HTTP/1.1

* checksec.sh - http://www.trapkit.de/tools/checksec.html
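The “no PIE” observation above is what checksec.sh reports from the ELF header. As an added example (not code from the talk, the device firmware, or checksec itself), the following reads the e_type field the way such a check does: ET_EXEC means a fixed load address that ASLR cannot randomise, ET_DYN means a position-independent image. The two sample headers are constructed for the example (a 32-bit little-endian ARM layout), not bytes taken from the camera binary.

```c
#include <stdio.h>
#include <stdint.h>
#include <string.h>

/* e_type values from the ELF specification */
#define ET_EXEC 2   /* fixed load address: not PIE, so ASLR cannot move it */
#define ET_DYN  3   /* position-independent executable (or a shared object) */

enum pie_status { PIE_NOT_ELF = -1, PIE_NO = 0, PIE_YES = 1 };

/* Classify an ELF image from its first 18+ bytes: magic at 0, EI_DATA at
 * byte 5 (1 = little endian, 2 = big endian), e_type as 2 bytes at offset 16.
 * Caveat: shared libraries are also ET_DYN; checksec tells them apart by
 * looking further into the headers, which this example does not do. */
enum pie_status elf_pie_status(const unsigned char *hdr, size_t len)
{
    uint16_t e_type;

    if (len < 18 || memcmp(hdr, "\x7f" "ELF", 4) != 0)
        return PIE_NOT_ELF;
    if (hdr[5] == 1)
        e_type = (uint16_t)(hdr[16] | (hdr[17] << 8));
    else if (hdr[5] == 2)
        e_type = (uint16_t)((hdr[16] << 8) | hdr[17]);
    else
        return PIE_NOT_ELF;
    if (e_type == ET_DYN)  return PIE_YES;
    if (e_type == ET_EXEC) return PIE_NO;
    return PIE_NOT_ELF;                     /* relocatable object or core file */
}

/* Read a file's ELF header and classify it; PIE_NOT_ELF if it cannot be read. */
enum pie_status elf_file_pie_status(const char *path)
{
    unsigned char hdr[64];
    FILE *f = fopen(path, "rb");
    size_t n;

    if (!f) return PIE_NOT_ELF;
    n = fread(hdr, 1, sizeof hdr, f);
    fclose(f);
    return elf_pie_status(hdr, n);
}

/* Constructed sample headers: the first 20 bytes of a 32-bit little-endian
 * ARM ELF (the kind of binary an IP camera firmware ships), differing only
 * in e_type. Fabricated for this example, not bytes from the device. */
const unsigned char SAMPLE_ARM_EXEC_HDR[20] = {
    0x7f, 'E', 'L', 'F', 1, 1, 1, 0, 0, 0, 0, 0, 0, 0, 0, 0,  /* ELFCLASS32, LSB */
    0x02, 0x00,                                                  /* e_type = ET_EXEC */
    0x28, 0x00                                                   /* e_machine = EM_ARM */
};
const unsigned char SAMPLE_ARM_DYN_HDR[20] = {
    0x7f, 'E', 'L', 'F', 1, 1, 1, 0, 0, 0, 0, 0, 0, 0, 0, 0,
    0x03, 0x00,                                                  /* e_type = ET_DYN */
    0x28, 0x00
};

int main(int argc, char **argv)
{
    /* With no argument, inspect this program itself (Linux path). */
    const char *path = argc > 1 ? argv[1] : "/proc/self/exe";
    enum pie_status s = elf_file_pie_status(path);

    printf("%s: %s\n", path,
           s == PIE_YES ? "PIE (ET_DYN), load address randomised by ASLR"
         : s == PIE_NO  ? "no PIE (ET_EXEC), fixed load address"
                        : "not a loadable ELF or unreadable");
    return 0;
}
```

Run it against an extracted firmware binary (the path argument) to see whether the OS-level ASLR the page mentions can do anything for that program; an ET_EXEC result is the condition that makes a fixed gadget address usable.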

THE “ALMIGHTY” EXPLOIT

RTSP

• Tried to fuzz user/pass again – didn’t get so lucky this time

• Back to basics…

The RTSP server uses digest authentication, and it seems they implemented it themselves… poorly.

field & value implied to have 256 bytes (0x100) each

Unlimited-size strings scanned into field & value
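Both bugs on this page are the same mistake: the HTTP handler copies usr/pwd onto a 0x460-byte stack frame without a length check, and the RTSP digest parser scans unbounded strings into 0x100-byte field/value buffers. The code below is an added, defensive illustration, not code from the talk or the camera firmware (whose source is not on the page): a query-string extractor and a digest field="value" scanner that check the length before writing, plus helpers that build inputs of a chosen size so the rejection can be observed. The 0x100 per-argument limit on the HTTP side, the function names and the scanf format are assumptions made for the example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed limit for this example: the page gives 0x100 as the size the
 * RTSP parser assumed for its field/value buffers; the HTTP handler's exact
 * per-argument limit is not on the page, so 0x100 is assumed here too. */
#define CRED_MAX 0x100

enum verdict { ACCEPTED = 0, REJECT_OVERSIZED = 1, REJECT_MALFORMED = 2 };

/* Copy the value of "<name>=" from a query string into dst (stops at '&').
 * The unfixed pattern copies without comparing the length to the buffer;
 * here the length is checked before any byte is written. */
static enum verdict extract_param(const char *query, const char *name,
                                  char *dst, size_t dstsz)
{
    size_t nlen = strlen(name);
    const char *p = query;

    while (*p) {
        if (strncmp(p, name, nlen) == 0 && p[nlen] == '=') {
            const char *v = p + nlen + 1;
            size_t vlen = strcspn(v, "&");
            if (vlen >= dstsz)              /* no room for value plus NUL */
                return REJECT_OVERSIZED;
            memcpy(dst, v, vlen);
            dst[vlen] = '\0';
            return ACCEPTED;
        }
        p += strcspn(p, "&");               /* skip to the next parameter */
        if (*p == '&')
            p++;
    }
    return REJECT_MALFORMED;                /* parameter absent */
}

/* HTTP side: "usr=<user>&pwd=<password>" into fixed-size stack buffers. */
enum verdict classify_auth_query(const char *query)
{
    char usr[CRED_MAX], pwd[CRED_MAX];
    enum verdict v = extract_param(query, "usr", usr, sizeof usr);
    return v != ACCEPTED ? v : extract_param(query, "pwd", pwd, sizeof pwd);
}

/* RTSP side: one field="value" pair from a Digest header, scanned with
 * width-limited scansets (CRED_MAX - 1 so the NUL always fits). The
 * unfixed pattern is the same scanf with no widths. Empty values are
 * rejected by scanset semantics, which is acceptable for credentials. */
enum verdict classify_digest_pair(const char *pair)
{
    char field[CRED_MAX], value[CRED_MAX];
    int consumed = 0;
    int n = sscanf(pair, "%255[^=]=\"%255[^\"]\"%n", field, value, &consumed);

    if (n < 2)   /* '=' or opening quote not found; a 255-byte field means it was longer */
        return (n == 1 && strlen(field) == CRED_MAX - 1) ? REJECT_OVERSIZED
                                                         : REJECT_MALFORMED;
    if (consumed == 0)                      /* closing quote not reached within width */
        return REJECT_OVERSIZED;
    return ACCEPTED;
}

/* Build "usr=AAA...&pwd=AAA..." with the given value lengths and classify it,
 * mirroring the long-argument requests the page describes. */
enum verdict classify_padded_query(size_t usr_len, size_t pwd_len)
{
    size_t total = 4 + usr_len + 5 + pwd_len + 1;
    char *q = malloc(total);
    enum verdict v;

    if (!q) return REJECT_MALFORMED;
    memcpy(q, "usr=", 4);
    memset(q + 4, 'A', usr_len);
    memcpy(q + 4 + usr_len, "&pwd=", 5);
    memset(q + 9 + usr_len, 'A', pwd_len);
    q[total - 1] = '\0';
    v = classify_auth_query(q);
    free(q);
    return v;
}

/* Same for the RTSP side: AAA...="BBB..." with the given lengths. */
enum verdict classify_padded_digest(size_t field_len, size_t value_len)
{
    size_t total = field_len + 2 + value_len + 2;   /* f = " v " NUL */
    char *s = malloc(total);
    enum verdict v;

    if (!s) return REJECT_MALFORMED;
    memset(s, 'A', field_len);
    s[field_len] = '='; s[field_len + 1] = '"';
    memset(s + field_len + 2, 'B', value_len);
    s[field_len + 2 + value_len] = '"';
    s[total - 1] = '\0';
    v = classify_digest_pair(s);
    free(s);
    return v;
}

int main(void)
{
    static const char *names[] = { "accepted", "rejected: oversized", "rejected: malformed" };
    printf("HTTP  8/8      bytes: %s\n", names[classify_padded_query(8, 8)]);
    printf("HTTP  204/328  bytes: %s\n", names[classify_padded_query(204, 328)]);
    printf("RTSP  8/8      bytes: %s\n", names[classify_padded_digest(8, 8)]);
    printf("RTSP  296/548  bytes: %s\n", names[classify_padded_digest(296, 548)]);
    return 0;
}
```

The point of the width on the scanset is not truncation for its own sake: a request that hits the width is treated as a rejection rather than silently shortened, so an authentication string longer than the buffer never reaches the stack at all, whatever the binary's PIE or ASLR situation.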

RTSP EXPLOIT

Same binary – we’ll use the same gadget from HTTP. The request looks like this:

DESCRIBE rtsp://<IP>:554/ RTSP/1.0
Authorization: Digest <296 bytes><command>="<548 bytes><0xD8ED07>"

DEMO

20 YEARS AGO CALLED. ROOT SHELL BY PASSING 200 CHARS TO LOGIN RING A BELL TO ANYONE?

FROM CHINA WITH LOVE - KEY TAKEAWAYS

• Setup flow requests a password change, but there are 2 undocumented users that device owners don’t know exist

• A really lame overflow leads to RCE. The base system provides ASLR, but the app “architecture” decided it’d be a good idea to not use it

• Seriously, check & disable UPnP on your routers

• It’s hard to tell how many affected devices are in the wild since we don’t know how many (other) vendors use this firmware, but at this point we’re looking at more than 200k

• RCE for other models will require adding other targets to the exploit

THE GIFT THAT KEEPS ON GIVING

• We need a “security certification” system of sorts for IoT that looks at more than “military grade encryption”

• We need to educate or otherwise “stimulate” the vendors to have a proper incident response process and unattended update mechanisms

• We need to educate the users to get tools that can handle the security of their non-traditional devices. At the very least, vulnerability checkers

• There are vulnerabilities discovered in apps every day, but at the rate IoT is developing we’ll have stuff to talk about for ages

• IoT security papers are low-hanging fruit. Almost everything is not only broken but also, sometimes, unfixable

• Focus on remote exploits and mass hacks, since that’s what the bad guys are going to focus on

Ask me anything.

abalan@bitdefender.com | @jaymzu