Home Invasion 2.0 - DEF CON 21 - 2013

A talk discussing vulnerabilities in various "smart home" technologies from home automation gear to a child's toy.

Transcript of "Home Invasion 2.0 - DEF CON 21 - 2013"

  1. © 2012 Home Invasion v2.0
  2. WHO ARE WE?
  3. The Presenters
     Daniel “unicornFurnace” Crowley
     •  Managing Consultant, Trustwave SpiderLabs
     Jennifer “savagejen” Savage
     •  Software Engineer, Tabbedout
     David “videoman” Bryan
     •  Security Consultant, Trustwave SpiderLabs
  4. WHAT ARE WE DOING HERE?
  5. The “Smart” Home
     •  Science fiction becomes science fact
     •  Race to release novel products means poor security
     •  Attempt to hack a sampling of “smart” devices
     •  Many products we didn’t cover
        o  Android powered oven
        o  Smart TVs (another talk is covering one!)
        o  IP security cameras
  6. WHAT’S OUT THERE NOW?
     Locks, thermostats, fridges, toilets, lights, toys
     WHAT’S IN THE FUTURE?
     Entire smart cities like Songdo
  7. Karotz Smart Rabbit
  8. Karotz Smart Rabbit
     •  Exposure of wifi network credentials unencrypted
     •  Unencrypted remote API calls
     •  Unencrypted setup package download
     •  Python module hijack in autorunwifi script
  9. Karotz Smart Rabbit
  10. Karotz Smart Rabbit
  11. Karotz Smart Rabbit: Python Module Hijacking
     •  Python Module Hijacking is insecure library loading
        o  Similar to LD_PRELOAD and DLL hijacking
     •  Python loads modules from the dir of script first
     •  Karotz autorunwifi script uses simplejson module
        o  Put code to execute in simplejson.py in the same directory as autorunwifi
     •  Defeats code signing
  12. Karotz Smart Rabbit
     An attacker could:
     •  MITM insecure connection to Karotz server
     •  Replace user's download with malicious version
     •  Use vuln to make Karotz run their own code!
     •  ...Bunny bot net?
  13. Belkin WeMo Switch
  14. Belkin WeMo Switch
     •  Vulnerable libupnp version
        o  Remote pre-auth root
     •  Unauthenticated UPnP actions
        o  SetBinaryState
        o  SetFriendlyName
     •  EULA used to “secure” the device.
     •  Belkin has been awesome!
  15. SONOS Bridge
  16. SONOS Bridge
     •  Support console information disclosure
  17. SONOS Bridge
  18. SONOS Bridge
  19. SONOS Bridge
  20. SONOS Bridge
  21. SONOS Bridge
  22. LIXIL Satis Smart Toilet
  23. LIXIL Satis Smart Toilet
     •  Default Bluetooth PIN
  24. INSTEON Hub
  25. INSTEON Hub
  26. INSTEON Hub
     •  Lack of authentication on web console
        o  Web console exposed to the Internet
           §  Time zone – city
           §  Name street
        o  Control all the things.
     •  Fixed the authentication with model 2422-222”R”
  27. INSTEON Hub
     •  Still lack of SSL/TLS
     •  Uses HTTP Auth
        o  Base64 encoded credentials
        o  Username: admin
        o  Password: ABCDEF ← INSTEON ID and last 3 of the MAC
        o  #SecurityFail
        o  It only takes 16 Million attempts
  28. MiCasaVerde VeraLite
  29. MiCasaVerde VeraLite
     •  Lack of authentication on web console by default
     •  Insufficient Authorization Checks
        o  Firmware Update
        o  Settings backup
        o  Test Lua code
     •  Path Traversal
     •  Cross-Site Request Forgery
     •  Lack of authentication on UPnP daemon
     •  Vulnerable libupnp Version
     •  Server Side Request Forgery
     •  Unconfirmed Authentication Bypass
  30. MiCasaVerde VeraLite
     •  Three methods of auth bypass
     •  Seven methods to get root
     •  Two attacks remotely exploitable through SE
     •  Potential for ownage of ALL the VeraLites!
  31. DEMONSTRATION
  32. CONCLUSION
  33. Questions?
     Daniel “unicornFurnace” Crowley  dcrowley@trustwave.com  @dan_crowley
     Jennifer “savagejen” Savage  savagejen@gmail.com (PGP key ID 6326A948)  @savagejen
     David “videoman” Bryan  dbryan@trustwave.com  @_videoman_
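Slide 11 turns on one import-system fact: Python prepends the running script's directory to the module search path, so a simplejson.py dropped beside autorunwifi is loaded instead of the real library. The checker below is an added example, not code from the talk or from the Karotz firmware; the function names (resolve_origin, shadowed_modules, demo) are hypothetical, and demo() builds a constructed temporary script directory with a placeholder simplejson.py to show how a shadowed module is detected before anything imports it.

```python
"""Audit a script directory for shadowed ('hijacked') Python modules.

Python prepends the running script's directory to sys.path, so a file
named simplejson.py beside a script that imports simplejson is loaded
instead of the real library. This checker resolves module names with
the import system's own PathFinder and reports any that resolve to a
file inside the script directory, which is the shadowing signature.
"""
import importlib.machinery
import os
import sys
import tempfile
from typing import Dict, List, Optional


def resolve_origin(name: str, search_path: List[str]) -> Optional[str]:
    """Return the file `name` would be imported from, or None for built-ins."""
    spec = importlib.machinery.PathFinder.find_spec(name, search_path)
    if spec is None or not spec.has_location or spec.origin is None:
        return None
    return os.path.realpath(spec.origin)


def shadowed_modules(script_dir: str, names: List[str],
                     search_path: Optional[List[str]] = None) -> Dict[str, str]:
    """Map each module name that resolves inside script_dir to its file."""
    root = os.path.realpath(script_dir)
    if search_path is None:
        # Mirror the interpreter: script directory first, then the normal path.
        search_path = [root] + [p for p in sys.path if p and p != root]
    hits: Dict[str, str] = {}
    for name in names:
        origin = resolve_origin(name, search_path)
        if origin is not None and origin.startswith(root + os.sep):
            hits[name] = origin
    return hits


def demo() -> Dict[str, str]:
    """Constructed scenario: a placeholder simplejson.py beside the script.

    'os' is included as a control; it resolves to the standard library.
    """
    with tempfile.TemporaryDirectory() as script_dir:
        with open(os.path.join(script_dir, "simplejson.py"), "w") as f:
            f.write("# placeholder: in the talk this is attacker-supplied code\n")
        return shadowed_modules(script_dir, ["simplejson", "os"])


if __name__ == "__main__":
    for name, path in demo().items():
        print(f"SHADOWED: {name} -> {path}")
```

On Python 3.11 and later the same hazard can be removed at the interpreter level with the -P option or PYTHONSAFEPATH, which stop the script directory from being prepended to sys.path.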