Home Invasion 2.0 - DEF CON 21 - 2013


A talk discussing vulnerabilities in various "smart home" technologies from home automation gear to a child's toy.


  1. © 2012 Home Invasion v2.0
  2. WHO ARE WE?
  3. The Presenters
       Daniel “unicornFurnace” Crowley
         • Managing Consultant, Trustwave SpiderLabs
       Jennifer “savagejen” Savage
         • Software Engineer, Tabbedout
       David “videoman” Bryan
         • Security Consultant, Trustwave SpiderLabs
  4. WHAT ARE WE DOING HERE?
  5. The “Smart” Home
       • Science fiction becomes science fact
       • Race to release novel products means poor security
       • Attempt to hack a sampling of “smart” devices
       • Many products we didn’t cover
           o Android powered oven
           o Smart TVs (another talk is covering one!)
           o IP security cameras
  6. WHAT’S OUT THERE NOW?
       Locks, thermostats, fridges, toilets, lights, toys
       Entire smart cities like Songdo
     WHAT’S IN THE FUTURE?
  7. Karotz Smart Rabbit
  8. Karotz Smart Rabbit
       • Exposure of wifi network credentials unencrypted
       • Unencrypted remote API calls
       • Unencrypted setup package download
       • Python module hijack in autorunwifi script
  9. Karotz Smart Rabbit
  10. Karotz Smart Rabbit
  11. Karotz Smart Rabbit
      Python Module Hijacking
       • Python Module Hijacking is insecure library loading
           o Similar to LD_PRELOAD and DLL hijacking
       • Python loads modules from the dir of script first
       • Karotz autorunwifi script uses simplejson module
           o Put code to execute in simplejson.py in the same directory as autorunwifi
       • Defeats code signing
  12. Karotz Smart Rabbit
      An attacker could:
       • MITM insecure connection to Karotz server
       • Replace user's download with malicious version
       • Use vuln to make Karotz run their own code!
       • ...Bunny bot net?
  13. Belkin WeMo Switch
  14. Belkin WeMo Switch
       • Vulnerable libupnp version
           o Remote pre-auth root
       • Unauthenticated UPnP actions
           o SetBinaryState
           o SetFriendlyName
       • EULA used to “secure” the device.
       • Belkin has been awesome!
  15. SONOS Bridge
  16. SONOS Bridge
       • Support console information disclosure
  17. SONOS Bridge
  18. SONOS Bridge
  19. SONOS Bridge
  20. SONOS Bridge
  21. SONOS Bridge
  22. LIXIL Satis Smart Toilet
  23. LIXIL Satis Smart Toilet
       • Default Bluetooth PIN
  24. INSTEON Hub
  25. INSTEON Hub
  26. INSTEON Hub
       • Lack of authentication on web console
           o Web console exposed to the Internet
               ▪ Time zone – city
               ▪ Name street
           o Control all the things.
       • Fixed the authentication with model 2422-222“R”
  27. INSTEON Hub
       • Still lack of SSL/TLS
       • Uses HTTP Auth
           o Base64 encoded credentials
           o Username: admin
           o Password: ABCDEF ← INSTEON ID and last 3 of the MAC
           o #SecurityFail
           o It only takes 16 Million attempts
  28. MiCasaVerde VeraLite
  29. MiCasaVerde VeraLite
       • Lack of authentication on web console by default
       • Insufficient Authorization Checks
           o Firmware Update
           o Settings backup
           o Test Lua code
       • Path Traversal
       • Cross-Site Request Forgery
       • Lack of authentication on UPnP daemon
       • Vulnerable libupnp Version
       • Server Side Request Forgery
       • Unconfirmed Authentication Bypass
  30. MiCasaVerde VeraLite
       • Three methods of auth bypass
       • Seven methods to get root
       • Two attacks remotely exploitable through SE
       • Potential for ownage of ALL the VeraLites!
  31. DEMONSTRATION
  32. CONCLUSION
  33. Questions?
       Daniel “unicornFurnace” Crowley
         dcrowley@trustwave.com
         @dan_crowley
       Jennifer “savagejen” Savage
         savagejen@gmail.com (PGP key ID 6326A948)
         @savagejen
       David “videoman” Bryan
         dbryan@trustwave.com
         @_videoman_
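
A defender-side check for the module shadowing described on slide 11, as an added example that is not from the talk: it parses a script's imports and reports any that a file beside the script would satisfy ahead of the installed library. The file contents in demo() are constructed; only the names autorunwifi and simplejson come from the slides.

```python
import ast
import sys
import tempfile
from pathlib import Path


def imported_top_level_names(script: Path) -> set[str]:
    """Top-level module names the script imports (absolute imports only)."""
    tree = ast.parse(script.read_text(encoding="utf-8"), filename=str(script))
    names = set()
    for node in ast.walk(tree):
        if isinstance(node, ast.Import):
            names.update(alias.name.split(".")[0] for alias in node.names)
        elif isinstance(node, ast.ImportFrom) and node.level == 0 and node.module:
            names.add(node.module.split(".")[0])
    return names


def shadowing_candidates(script: Path) -> dict[str, Path]:
    """Map imported names to a sibling module/package that would win the import.

    Run as `python script.py`, the script's directory is sys.path[0], so a sibling
    name/__init__.py or name.py is found before the installed library. Only those
    two forms are checked here; compiled and extension modules are not.
    """
    script_dir = script.resolve().parent
    hits = {}
    for name in sorted(imported_top_level_names(script)):
        if name in sys.builtin_module_names:
            continue  # built-ins are resolved before sys.path is searched
        for candidate in (script_dir / name / "__init__.py", script_dir / f"{name}.py"):
            if candidate.is_file():
                hits[name] = candidate
                break
    return hits


def demo() -> dict[str, str]:
    """Constructed layout: a script importing simplejson, with simplejson.py beside it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        script = root / "autorunwifi.py"  # constructed stand-in, not the Karotz script
        script.write_text("import os\nimport simplejson\nfrom json import loads\n")
        (root / "simplejson.py").write_text("# constructed placeholder\n")
        return {name: path.name for name, path in shadowing_candidates(script).items()}


if __name__ == "__main__":
    print(demo())
```

A signature or hash over the script alone does not cover the sibling module, which is why the slide says this defeats code signing; starting the interpreter with -I (isolated mode), or -P on Python 3.11+, keeps the script's directory off sys.path.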
