An awesome real-life case about hacking a petrol station by Yuriy Bilyk on OWASP Ukraine 2017 Security Conference
https://www.facebook.com/events/914991308665427/
3. TEAM
• WE are Penetration Testers
• WE are ALL Engineers (almost ;)
• WE are OWASP Lviv Chapter
• WE are Legio… oops
blog: http://owasp-lviv.blogspot.com
skype: y.bilyk
6. What is an IoT Device?
• Network connected
• Runs some code (firmware, app, etc.)
• Billions of devices
7. IoT Categories
• Low-power dumb devices (smart sensors)
• Low power consumption with some logic inside
• Fully packed (Linux OS, large storage, fast RAM, GPU, etc.)
10. IoT Hacking: What Do You Mean?
• Get access to the device OS (via network, physical ports, etc.)
• Run custom code (upload firmware, compile an app, etc.)
• Use the device as a proxy for other attacks
11. IoT Hacking: Is It Hard?
• Tons of vulnerable devices (hello Shodan)
• Lack of updates for old devices
• Vendors are very passive about securing devices
12. IoT Hacking: Attack Vectors
• Known vulnerabilities in the OS, services, applications
• Usual attacks like BoF, SQLi, RCE, etc.
• Hardware attacks like side-channel attacks, CPU debugging, I/O fuzzing, firmware mods, etc.
16. Project Summary
• Secure boot loader and password-protected console
• Signed firmware & app updates
• SSH access only by key
• Ruby web application with a separate low-privileged user
18. What We Tried
• XSS, SQL injection, CSRF, XXE
• Ruby on Rails known exploits
• Modified firmware upload
• Install a custom app via update
• Linux kernel exploits
• RCE via some sort of package processing
21. Think Outside The Box
• Devices are similar from the firmware perspective
• Firmware is available to download
• Access is possible via network and serial console
23. Step One: Thoughts
• It's a RoR application
• Firmware is exactly the same on all devices with the same version
• RoR uses a cookie-based session token
24. Step One: Attack
• Extract the firmware image
• Find the RoR secret key
• Craft a session cookie for an admin-privileged user
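The root cause in Step One is that the signing secret lives in a firmware image shared by every unit, so anyone who can read the image can mint cookies that every device accepts. The Ruby below is an added illustration written for this page, not the deck's or the vendor's code: a small HMAC-signed session cookie in the style of a Rails cookie store (the real one is keyed from `secret_key_base`), plus the per-device secret derivation that defeats the shared-secret problem. The `FIRMWARE_SECRET` and `per_device_secret` values are constructed for the demo.

```ruby
require 'openssl'
require 'json'

# Constructed: the one secret that ships inside every firmware image.
FIRMWARE_SECRET = 'constructed-secret-baked-into-every-firmware-image'

# Serialise the session and append an HMAC-SHA256 over the encoded payload.
# Demo only; Rails' own cookie store differs in detail.
def sign_cookie(session, secret)
  data = [JSON.generate(session)].pack('m0')          # strict base64, no newlines
  "#{data}--#{OpenSSL::HMAC.hexdigest('SHA256', secret, data)}"
end

# Constant-time comparison so MAC checking does not leak timing information.
def constant_time_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Return the session hash if the MAC verifies under +secret+, otherwise nil.
def verify_cookie(cookie, secret)
  data, mac = cookie.to_s.split('--', 2)
  return nil if data.nil? || mac.nil?
  expected = OpenSSL::HMAC.hexdigest('SHA256', secret, data)
  return nil unless constant_time_equal?(mac, expected)
  session = JSON.parse(data.unpack1('m0'))
  session.is_a?(Hash) ? session : nil
rescue ArgumentError, JSON::ParserError
  nil
end

def admin_session?(cookie, secret)
  session = verify_cookie(cookie, secret)
  !session.nil? && session['role'] == 'admin'
end

# Mitigation modelled here (an assumption, not the vendor's design): each unit
# derives its own signing secret at provisioning time from device-local
# entropy, so a secret recovered from the shared image signs nothing valid.
# The derivation is deterministic only so that this demo is reproducible.
def per_device_secret(device_id)
  OpenSSL::HMAC.hexdigest('SHA256', "provisioning-entropy-for-#{device_id}", 'session-signing-key')
end

if __FILE__ == $PROGRAM_NAME
  cookie = sign_cookie({ 'user_id' => 1, 'role' => 'admin' }, FIRMWARE_SECRET)
  puts "shared firmware secret accepts it:   #{admin_session?(cookie, FIRMWARE_SECRET)}"
  puts "per-device secret (pump-0001) accepts: #{admin_session?(cookie, per_device_secret('pump-0001'))}"
end
```

The check is the same on both fleets; what changes is that with a per-device secret a cookie signed under one key is just an invalid cookie everywhere else, and a leaked firmware image no longer yields an admin session on any unit.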
25. Step Two: Thoughts
• The web application allows viewing the system version & release notes
• System version & release notes are stored as files on the file system
• Sounds like a plan
26. Step Two: Attack
• Modify the HTTP request to read other files on the file system
• This vulnerability helped us hack the boot loader later
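Step Two is a classic path traversal: a file name taken from the request is joined onto the release-notes directory and read back. The Ruby below is an added example for this page, not the deck's or the vendor's code, and reconstructs the vulnerable resolver from the slide's description (`vulnerable_notes_path` is a hypothetical name) next to a hardened version that enforces a strict file-name syntax and checks containment both after expansion and after symlink resolution. The demo directory and its files are constructed inside a temporary directory.

```ruby
require 'tmpdir'

# Vulnerable resolver as the slide describes it (constructed): the request
# parameter is joined straight onto the notes directory, so "../" segments
# walk out of it.
def vulnerable_notes_path(base, requested)
  File.join(base, requested)
end

# True when +path+, once normalised, is not inside +base+.
def escapes_base?(base, path)
  !File.expand_path(path).start_with?(File.expand_path(base) + File::SEPARATOR)
end

# Only bare file names: alphanumeric start, then letters, digits, '.', '_' or
# '-'. No '/' and no '..' can pass.
NOTES_NAME = /\A[A-Za-z0-9][A-Za-z0-9._-]*\z/

# Hardened resolver: returns the real path of an existing file inside +base+
# or nil. A symlink inside the directory that points outside is rejected too.
def safe_notes_path(base, requested)
  name = requested.to_s
  return nil unless name.match?(NOTES_NAME) && !name.include?('..')
  real_base = File.realpath(base)
  candidate = File.expand_path(name, real_base)
  return nil unless candidate.start_with?(real_base + File::SEPARATOR)
  return nil unless File.file?(candidate)
  resolved = File.realpath(candidate)              # follows symlinks
  return nil unless resolved.start_with?(real_base + File::SEPARATOR)
  resolved
end

# Constructed notes directory for the demo: a version file and one release note.
def with_demo_notes_dir
  Dir.mktmpdir('notes') do |base|
    File.write(File.join(base, 'version'), '1.2.3')
    File.write(File.join(base, 'release-1.2.3.txt'), 'constructed release notes')
    yield base
  end
end

if __FILE__ == $PROGRAM_NAME
  with_demo_notes_dir do |base|
    bad = vulnerable_notes_path(base, '../../../../etc/passwd')
    puts "vulnerable resolver leaves the notes dir: #{escapes_base?(base, bad)}"
    puts "hardened resolver on the same input:      #{safe_notes_path(base, '../../../../etc/passwd').inspect}"
    puts "hardened resolver on a real note:         #{safe_notes_path(base, 'release-1.2.3.txt')}"
  end
end
```

The allowlist regex does most of the work; the two `start_with?` checks are defence in depth against anything the regex did not anticipate, including a symlink planted in the directory by some other bug.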
27. Step Three: Thoughts
• The web app allows some system actions like changing the date, reboot, etc.
• The app needs some sort of root privileges (for reboot)
• To run privileged commands you need the SUID bit, sudo, etc.
28. Step Three: Attack
• RCE in the date change functionality
• The web app runs date-change shell scripts without input validation
• Shell command injection finally gives a shell with low privileges
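Step Three is shell command injection: the submitted date is interpolated into a shell command line, so shell metacharacters in it are interpreted by `/bin/sh`. The Ruby below is an added example for this page, not the deck's or the vendor's code. It reconstructs the vulnerable string-building pattern from the slide's description (`vulnerable_date_command` is a hypothetical name), then shows the two fixes that remove the bug: a strict parser that accepts only a well-formed `YYYY-MM-DD HH:MM:SS` value, and execution through an argument array so that no shell ever sees the value. The runnable demo executes `printf` rather than `date -s`, because the latter needs root and would change the clock.

```ruby
require 'open3'
require 'date'

# Vulnerable pattern as the slide describes it (constructed): the user value
# lands in a shell string, so ';', '$(...)' and backticks are executed by sh.
def vulnerable_date_command(user_input)
  "/bin/date -s #{user_input}"
end

# Accept exactly "YYYY-MM-DD HH:MM:SS"; \z rejects a trailing newline.
DATE_FORMAT = /\A(\d{4})-(\d{2})-(\d{2}) (\d{2}):(\d{2}):(\d{2})\z/

# Return the canonical value when the input is a valid calendar date and
# clock time, otherwise nil. Nothing but digits, '-', ' ' and ':' survives.
def parse_date_input(user_input)
  m = DATE_FORMAT.match(user_input.to_s)
  return nil unless m
  y, mo, d, h, mi, s = m.captures.map(&:to_i)
  return nil unless Date.valid_date?(y, mo, d)
  return nil unless h.between?(0, 23) && mi.between?(0, 59) && s.between?(0, 59)
  format('%04d-%02d-%02d %02d:%02d:%02d', y, mo, d, h, mi, s)
end

# Build argv for the privileged helper. An array means no shell is involved:
# the value reaches the program as one literal argument, whatever it contains.
def build_date_argv(user_input)
  value = parse_date_input(user_input)
  raise ArgumentError, 'rejected date value' if value.nil?
  ['date', '-s', value]
end

# Run an argv without a shell and return its stdout.
def run_argv(argv)
  out, status = Open3.capture2(*argv)
  raise "#{argv.first} failed" unless status.success?
  out
end

if __FILE__ == $PROGRAM_NAME
  hostile = '2017-10-20 10:15:00; id'
  puts "shell string the vulnerable code would run: #{vulnerable_date_command(hostile)}"
  puts "strict parser verdict:                      #{parse_date_input(hostile).inspect}"
  # Even without the parser, argv execution passes the value through literally:
  puts "argv execution prints it verbatim:          #{run_argv(['printf', '%s', hostile])}"
end
```

Both layers matter: the parser makes the value boring before it goes anywhere, and argv execution means that even a future bug in the parser cannot turn into a shell.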
31. Step Four: Thoughts
• With a reverse shell we found several bash scripts with sudo no-password (NOPASSWD) options
• It's time to get ROOOT
32. Step Four: Attack
• Some bash scripts use relative commands (without an absolute path)
• Modifying the PATH variable changes the search order for commands
• Writing our code into a shell script with the same name as the used command(s)
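Step Four works because a script that sudo runs as root inherits the caller's PATH and then looks up `sync`, `logger` or `shutdown` by name. Two fixes close it: the script pins its own PATH (or calls commands by absolute path), and sudoers sets `secure_path` so sudo replaces PATH for every command it runs. The Ruby below is an added example for this page, not the deck's or the vendor's code: a hypothetical line-oriented linter (`relative_commands`, `pins_path?`) that audits such scripts, run over a constructed vulnerable helper and its hardened rewrite. It is a heuristic, not a shell parser, and does not handle every construct.

```ruby
# Words that are shell keywords or builtins, not PATH lookups.
SHELL_BUILTINS = %w(if then else elif fi for while until do done case esac in
                    function return exit export set unset local shift trap
                    true false cd echo test read [ [[ ! { }).freeze

# Return [line_number, command] for every command word that is resolved
# through PATH, i.e. does not start with '/'. Heuristic: strips comments,
# splits on ; && || and |, and skips leading VAR=value assignments.
def relative_commands(script)
  findings = []
  script.each_line.with_index(1) do |line, lineno|
    code = line.sub(/#.*/, '').strip              # drops comments and the shebang
    next if code.empty?
    code.split(/\s*(?:;|&&|\|\||\|)\s*/).each do |simple|
      words = simple.strip.split(/\s+/)
      words.shift while words.first&.match?(/\A[A-Za-z_][A-Za-z0-9_]*=/)
      cmd = words.first
      next if cmd.nil? || cmd.empty? || SHELL_BUILTINS.include?(cmd)
      findings << [lineno, cmd] unless cmd.start_with?('/')
    end
  end
  findings
end

# True when the script assigns PATH an absolute directory list itself, so a
# caller's PATH cannot redirect its lookups.
def pins_path?(script)
  script.each_line.any? { |l| l.match?(%r{\A\s*(export\s+)?PATH=['"]?/[^\s'"]*['"]?\s*$}) }
end

# Constructed example of a maintenance helper that sudo runs without a password.
VULNERABLE_SCRIPT = <<~'SH'
  #!/bin/sh
  # reboot helper, invoked as: sudo /usr/local/bin/maint-reboot.sh
  sync
  if [ -f /var/run/maint.lock ]; then
    logger "maintenance in progress"; exit 1
  fi
  shutdown -r now
SH

# Same helper with PATH pinned and every external command given absolutely.
HARDENED_SCRIPT = <<~'SH'
  #!/bin/sh
  PATH=/usr/sbin:/usr/bin:/sbin:/bin
  export PATH
  /bin/sync
  if [ -f /var/run/maint.lock ]; then
    /usr/bin/logger "maintenance in progress"; exit 1
  fi
  /sbin/shutdown -r now
SH

if __FILE__ == $PROGRAM_NAME
  { 'vulnerable' => VULNERABLE_SCRIPT, 'hardened' => HARDENED_SCRIPT }.each do |label, script|
    puts "#{label}: pins PATH=#{pins_path?(script)}, PATH-resolved commands=#{relative_commands(script).inspect}"
  end
end
```

Pinning PATH inside the script is the fix the script author controls; `Defaults secure_path=...` in sudoers is the fix the system owner controls and covers scripts nobody has audited yet. Either one alone would have stopped the PATH-order trick on this device; a linter like the one above is how you find the scripts that need the first fix.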