
Jad NEHME - Alcatel-Lucent - Report


IoT: Analysis & Security
Ethical hacking for connected objects and protocols
Penetration and stress testing
Jad William NEHME, 2015
ABSTRACT

This report summarizes my 6-month end-of-studies internship at Alcatel-Lucent International as an Ethical Hacker for connected objects in the Device IOT Excellence Center. It begins by briefly describing Alcatel-Lucent: its history, current status, and future plans. It then describes the evolution of the Internet of Things and estimates for its future. Later on, I describe my internship environment and summarize my missions and achievements from July to December 2015. These include hacking some connected devices, analyzing the security of their protocols (Z-Wave, Sigfox, Lora, and Bluetooth), and attacking the Z-Wave protocol (the most used protocol in home automation). It also includes a list of some of the Z-Wave capable devices on the market today, with their prices, advantages and limitations. I also describe the additional tasks and duties I was in charge of, such as scanning the internal network using the cyber security tool “Qualys”, hardening the servers’ security configuration using an “OS Hardening” solution, and organizing a 24-hour Hackathon. Finally, I discuss the experience I gained, and how this internship exceeded my expectations and stretched my skills.
ACKNOWLEDGEMENTS

Before getting to the heart of the subject, I would like to start this thesis by expressing my gratitude to those who taught me a lot during my internship, and to those who had the kindness to fill the internship with profitable moments and unforgettable memories. I thank Mr. Frédéric POILVERT, my internship supervisor, who made sure all my needs were met, taught me and gave more than I would ever expect or imagine, and accompanied me with care, patience and understanding; thank you very much for all of your efforts, your time, your trust and your faith in me. I thank Mr. Jean-Christophe COIFFIER, Head of the Device IOT Excellence Center at Alcatel-Lucent, for implicitly giving me lessons in leadership, for his support and for the many different discussions we had. Mr. Nicolas SEILLER’s great technical skills and experience taught me a lot; thank you very much for those lessons and for the time you gave me. Thank you Mr. Jean-Olivier MESCAM for extending my duties and giving me the opportunity to develop new skills. I would also like to thank all the employees for their valuable advice and support during these 6 months. Gratitude is also addressed to Mr. Ahmed SERHROUCHNI, who, as the person responsible for my internship at Telecom ParisTech, provided me with interesting resources and documents, advice and tips, so that I could make the most of my time. Thank you for your kindness and for the support you offered me during and after my internship.
TABLE OF CONTENTS

Abstract ... 1
Acknowledgements ... 2
Table of Contents ... 3
List of Figures ... 7
List of Acronyms ... 8
Introduction ... 9
    Brief Description of Alcatel-Lucent and my internship ... 9
    The internship value ... 10
    Report Content ... 11
I / Economic environment: Alcatel-Lucent & IoT ... 12
    A – Alcatel-Lucent ... 12
        1. History of Alcatel-Lucent ... 12
        2. Alcatel-Lucent today ... 13
    B – The internet of things ... 15
        1. Introduction ... 15
        2. The Economic Sector ... 15
        3. IoT’s current and future status ... 17
II / The internship environment ... 19
    A. The social structure ... 19
    B. Operations ... 20
III / The internship accomplishments & gained skills ... 21
    A – The internship accomplishments ... 21
        1. Available tools ... 21
        2. The duties ... 21
            Introduction ... 21
            My activities ... 22
            Description ... 23
                Task 1: G_Switch Connected Switch ... 23
                Task 2: G_Camera IPCamera ... 28
                Task 3: G_Operator G_MultimediaHub ... 32
                Task 4: Bluetooth ... 34
                Task 5: S_Camera ... 36
                Task 6: Hackathon ... 38
                Task 7: Gnu Radio ... 40
                Task 8: Z-Wave ... 41
                Task 9: SigFox ... 46
                Task 10: Lora ... 48
                Task 11: Standard procedures and test plans ... 50
        3. Additional tasks ... 52
            Introduction ... 52
            Description ... 52
                Task 1: OS Hardening ... 52
                Task 2: Qualys ... 52
                Task 3: TCP replay ... 53
                Task 4: Password generator ... 53
                Task 5: RSA Attack kit ... 54
                Task 6: SSL Strip ... 56
    B – The internship contribution ... 57
        Skills ... 57
        Difficulties and solutions ... 57
        Professional life ... 57
Conclusion ... 58
Appendix ... 59
    A. for Alcatel-Lucent ... 59
        A.1: Alcatel-Lucent Timeline ... 59
        A.2: The leadership Team ... 60
        A.3: Nozay Site ... 61
    B. for my Business environment and kit ... 61
        B.1: Hacking Laboratory ... 61
    D. for Duties and tasks ... 62
        D.1: Connected Switch ... 62
            1. Beacon ... 62
            2. Python ON Script ... 69
        D.2: G_Camera Camera ... 70
            1. List of interesting queries ... 70
        D.4: Bluetooth ... 70
        D.6: Hackathon ... 71
            1. Flyer ... 71
            2. Automation Script ... 72
            3. Fake SMTP ... 73
                Client side ... 73
                Server side ... 73
                Automation script ... 73
        D.8: Z-Wave ... 73
        D.11: Standard Procedures ... 74
            APK decompilation ... 74
            Retrieving framework-res.apk and app.apk ... 75
            Combine lists ... 75
            Fuzz Attack ... 76
            Importing Certificates from HTTPS servers ... 76
            SYN-Flood DOS attack ... 77
            Factorizing big integers ... 78
            Breaking x509 RSA Certificate ... 79
            Python Installation ... 79
            Retrieving TLS Certificates from Wireshark ... 80
            TCP Session replay (python) ... 81
            TCP Session replay without timestamp (Scapy) ... 82
            TCP Session replay with timestamp (Scapy) ... 83
            TCP injection without timestamp (Scapy) ... 84
            TCP injection with timestamp (Scapy) ... 85
    E. for Extra work ... 86
        E.1: OS Hardening using “CIS-CAT assessment tool” ... 86
        E.3: TCP Replay Attack tool ... 86
    F. for Files ... 87
        F.0: Sample Security Reports ... 87
        F.1: G_Switch Connected Switch ... 87
        F.2: G_Camera IPCamera ... 87
        F.3: TCP Replay ... 87
        F.4: password generator ... 87
        F.5: RSA ATTACK KIT ... 87
        F.6: Hackathon ... 87
    R. for References ... 88
        Figures and Websites ... 88
        Other references ... 90
            Alcatel-Lucent ... 90
            Internet of Things ... 90
            Bluetooth ... 90
            GnuRadio & SDR ... 91
            Z-Wave ... 91
            Sigfox ... 92
            Lora ... 92
            Others ... 92
LIST OF FIGURES

Figure 1: Financial summary [28] ... 10
Figure 2: Alcatel-Lucent at a glance [29] ... 13
Figure 3: IoT devices online per 100 inhabitants [2] ... 17
Figure 4: Number of connected devices in 2020 [29] ... 17
Figure 5: Connected devices Market in 2020 [29] ... 18
Figure 6: G_Switch - Phase 1 ... 23
Figure 7: G_Switch - Phase 2 ... 23
Figure 8: G_Switch - Phase 3 ... 24
Figure 9: G_Operator G_MultimediaHub Wi-Fi password packet ... 32
Figure 10: Bluetooth Wireshark Capture ... 35
Figure 11: S_Camera Home ... 36
Figure 12: GnuRadio FM receiver ... 40
Figure 13: Z-Wave Network [30] ... 41
Figure 14: Z-Stick typical use case [27] ... 42
Figure 15: Z-Wave Sniffing ... 45
Figure 16: Z-Wave Network Map ... 45
Figure 17: Z-Wave Injection ... 45
Figure 18: SigFox Protocol ... 46
Figure 19: Lora Network Topology [16] ... 48
Figure 20: Lora OTAA ... 49
Figure 21: TCP Replay ... 53
Figure 22: Password Generator ... 53
LIST OF ACRONYMS

IOT: Inter-Operability-Testing
DIOTEC: Device Inter-Operability-Testing Excellence Center
IoT: Internet of Things
EIoT: Enterprise Internet of Things
BU: Business Unit
SDR: Software Defined Radio
PKI: Public Key Infrastructure
AP: Access Point
UI: User Interface
MiTM: Man-in-The-Middle
HSTS: HTTP Strict Transport Security
OOB: Out of Band
TK: Temporary Key
SSP: Secure Simple Pairing
FIFO: First In First Out
MIC: Message Integrity Code
OTAA: Over-The-Air Activation
ABP: Activation by Personalization
UNB: Ultra-Narrow Band
ISM: Industrial, Scientific and Medical
NDA: Non-Disclosure Agreement
API: Application Program Interface
ACK: Acknowledge
PDU: Packet Data Unit
GRC: GnuRadio Companion
INTRODUCTION

I did my internship from the 1st of July to the 30th of December 2015 at Alcatel-Lucent International, 91620 Nozay, France. I was integrated into the Device IOT (Inter-Operability-Testing) Excellence Center to conduct security analysis and tests on connected objects. On a large scale, this internship was an opportunity to learn valuable new things in different fields (Internet of Things: IoT, Networking and Security, Telecommunication). I learned how to do a full security and functional analysis of systems and objects, how to identify potential weaknesses, how to design and conduct suitable tests, and how to report all the study phases in a synthesized and clear manner. In addition, I defined and specified some solutions that the devices’ manufacturers should have used to enhance the security of their devices. During this time, my technical skills were significantly enhanced, as I needed to write many hacking and automation scripts and also developed several security tools. My analytical skills were also stretched, as I faced some challenging cases and scenarios. Besides broadening my knowledge, this internship allowed me to get a clearer idea of the path I will choose for my career. Working with colleagues of different profiles was an open door to benefit from their experience and see things from different perspectives, increasing my ability to perceive and evaluate future career opportunities.

BRIEF DESCRIPTION OF ALCATEL-LUCENT AND MY INTERNSHIP

Alcatel-Lucent is a Franco-American global telecommunications equipment company, headquartered in Boulogne-Billancourt, France. The company focuses on fixed, mobile, and converged networking hardware, IP technologies, software and services, with operations in more than 130 countries. Alcatel-Lucent owns Bell Laboratories, one of the largest research and development facilities in the communications industry, whose employees have been awarded eight Nobel Prizes; the company holds in excess of 29,000 patents.

My internship in the DIOTEC’s first security testing team aimed to discover security weaknesses in currently used and deployed Internet-of-Things protocols, along with testing the objects for implementation mistakes and errors. My supervisor Mr. Fréderic POILVERT, once the R&D Competency Development Center manager for Alcatel Lucent Payment activities, is currently a Project Manager and Head of Ethical Hacking Laboratories. His managerial experience allowed me and the rest of the hacking team to work very efficiently, as he provided the best conditions to learn quickly and to be autonomous. His trust made us more responsible and motivated us to produce better results. Our weekly and daily meetings and discussions helped us converge our perspectives and ideas towards finding better solutions and making the best decisions.
THE INTERNSHIP VALUE

This internship was also an opportunity for me to discover how an international company has to continuously adapt and develop in order to maintain its leadership in various technology fields. During the last several years, Alcatel-Lucent has been reporting losses in its financial reports. One of the reasons is that radio technologies are more or less deployed everywhere, and the industry is heading towards internet solutions for telecommunications and for offering international services. To survive this era and adapt, Alcatel-Lucent chose to invest more in new technologies, including Cloud Computing, advanced IP Networking, IoT, etc. At the beginning of 2015, and due to these catastrophic financial results, Alcatel-Lucent had to go ahead with the “Shift Plan”. This reorganization was put in place to return to a positive cash flow situation so that the company could be seen as a good potential partner for bigger companies. As a result, some employees were let go, and some common departments and services were shut down, changed, or relocated. In April of the same year, Nokia announced that it would acquire Alcatel-Lucent for €15.6 billion. Before 2015, the DIOTEC’s main business line was testing mobile chipsets and developing Inter-Operability projects. After the first quarter of the year, the Center changed its strategy and decided to enter the IoT market. This decision was deliberately made to strengthen its position and grow its market share by extending its services portfolio, making it more stable, which would also help it survive the acquisition process. The main line is to offer security tests on connected objects and their emerging protocols. The process began by buying hundreds of commercial connected objects and running security tests on them. The next step was to prepare test plans and standard procedures, with the aim of developing this new test service.
Later on, two Hackathons were organized; the participants were cyber security professionals and students from different schools and universities. As a result, the DIOTEC security services became recognized and publicly known in the IoT market. The goal of these newly introduced services, as mentioned before, is to generate more profit and to guarantee that the DIOTEC team will be in the right place in Nokia’s future organization. This responsibility became an additional motivation for me to do my best, as an essential part of the team, to achieve the strategic goals of Mr. Coiffier.

[Figure 1: Financial summary [28]. Bar chart of Revenues and Loss, 2008 to 2014.]
REPORT CONTENT

I wrote this report based mainly on the lessons my daily practices and assignments taught me. In addition, discussions and meetings with work colleagues and superiors allowed me to enrich this report with exact details and exclusive facts. I also used non-confidential information from the Alcatel Intranet and extranet, and from the DIOTEC presentations. In order to describe my 6 months at Alcatel-Lucent in a coherent and clear manner, I think it wise to start by presenting Alcatel-Lucent: its history and current situation, its structure, services, and functioning. I will then proceed with presenting the economic environment of the internship and the evolution of the Internet of Things. Later on, I will continue by describing the tasks and missions that I accomplished and the responsibilities and duties that I was assigned, and I will conclude with my reflections. Due to the existence of sensitive and confidential information, I will give some companies and manufacturers generic names and omit some of the details. Everything will be re-included in the APPENDIX section, which will be given exclusively to Alcatel-Lucent, Telecom-ParisTech, and the Lebanese University – Faculty of Engineering.
I / ECONOMIC ENVIRONMENT: ALCATEL-LUCENT & IOT

A – ALCATEL-LUCENT

1. History of Alcatel-Lucent

Alcatel-Lucent was formed when Alcatel merged with Lucent Technologies on December 1, 2006. However, the predecessors of the company have been part of the telecommunications industry since the late 19th century. The company has roots in two early telecommunications companies: the “Western Electric Manufacturing Company” and “La Compagnie Générale d'Electricité” (CGE). Western Electric began in 1869 as a small manufacturing firm based in Cleveland, Ohio. By 1880, the company had become the largest electrical manufacturing company in the United States. In 1881 the American Bell Telephone Company, founded by Alexander Graham Bell and forerunner of American Telephone & Telegraph (AT&T), purchased a controlling interest in Western Electric and made it the exclusive developer and manufacturer of equipment for the Bell telephone companies. CGE was formed in 1898 by French engineer Pierre Azaria in the Alsace region and was a conglomerate involved in industries such as electricity, transportation, electronics and telecommunications. CGE would become a leader in digital communications and would also be known for producing the TGV high-speed trains in France. Bell Telephone Laboratories was created in 1925 from the consolidation of the R&D organizations of Western Electric and AT&T. Bell Labs would make significant scientific advances including the transistor, the laser, the solar cell battery, the digital signal processor chip, the UNIX operating system and the cellular concept of mobile telephone service. Bell Labs researchers have won 7 Nobel Prizes. In the same year, Western Electric sold its International Western Electric Company subsidiary to ITT Corporation. CGE purchased the telecommunications part of ITT in the mid-1980s. In April 1996, AT&T spun off Lucent Technologies with an initial public offering. Two years later, Alcatel shifted its focus to the telecommunications industry. Later on, in April 2004, TCL Corporation and Alcatel announced the creation of a mobile phone manufacturing joint venture: Alcatel Mobile Phones. Facing intense competition in the telecommunications industry, Alcatel and Lucent Technologies merged on November 30, 2006. At the end of the same year, Alcatel-Lucent acquired Nortel's UMTS radio access business, and during 2007 the company acquired Tropic Networks, NetDevices, Thompson Advisory Group, and Tamblin. On April 15, 2015, Finnish telecommunications firm Nokia announced its intent to purchase Alcatel-Lucent for €15.6 billion in an all-stock deal. The acquisition aims to create a stronger competitor to the rival firms Ericsson and Huawei, whom Nokia and Alcatel-Lucent had surpassed in terms of total combined revenue in 2014. The acquisition is expected to be completed in early 2016 and is subject to regulatory approval. The Bell Labs division will be maintained, but the Alcatel-Lucent brand will be replaced by Nokia. More details about the history are available on the official website [1]. A timeline of the most relevant events is in appendix A.1.
  14. 14. 13 2. Alcatel-Lucent today Alcatel-Lucent today -Nokia in the near future- is more than ever focused on innovative projects and new technologies. With lots of investments in the Clouds Computing, Internet of Things, Fiber Optics, Wireless transmissions, 5G, and others, Alcatel-Lucent is keeping with today’s rapid evolution, playing the role of a major actor and competitor in these fields. Its expertise is able to answer the needs and provide solutions for many challenges. In 2010 the Bell Labs launched the GreenTouch consortium with industrial and academic partners to increase the energy efficiency of communication networks by a factor of 1000 for 2020 traffic scenarios. And in June, GreenTouch gave this vision concrete form, publishing a portfolio of technologies capable of bringing down the net power consumption of communication networks by 98% compared to 2010 state-of-the-art reference networks. To put this into context, these savings would be the equivalent of the greenhouse gas emissions of 5.8 million automobiles! On November 4th, CDP (the Carbon Disclosure Project) announced that Alcatel-Lucent had achieved a perfect score of 100 and was a member of the CDP A-List. Alcatel-Lucent is the leading IP networking, ultra-broadband access and cloud technology specialist. It is deploying its 7950 XRS IP Core Router within the 14 metro network nodes of nine cities in China. The possibility to evolve to 400G interfaces in its metro backbone network using the 7950 XRS will allow China Unicom to meet the upcoming customer data demand and pave the way for the future expansion of high-quality cloud-services while optimizing costs. Alcatel-Lucent’s 7950 XRS portfolio delivers class-leading scale, efficiency and versatility to address a wide range of networking requirements. The XRS is deployed in over 50 networks worldwide. 
Alcatel-Lucent, working as consortium leader together with Indra, a multinational consulting and technology company, has successfully completed the deployment of an IP/MPLS-based information, monitoring, management and control system that will enable Poland’s maritime authority to increase operational efficiency and safety at ports and in the Baltic Sea. Alcatel-Lucent, in cooperation with Indra, was responsible for designing the technical project specifications, managing implementation, constructing and modernizing the coast station architecture, and integrating and implementing all sub-systems and technologies. Alcatel-Lucent is upgrading Orange Romania’s existing long-haul microwave transport network, allowing Orange to enhance its 4G network capacity and performance as it continues to expand high-speed ultra-broadband services to enterprises and consumers.
Figure 2: Alcatel-Lucent at a glance [29]
Alcatel-Lucent is to expand the deployment of 4G LTE for China Telecom across 12 provinces of China, as demand for high-quality ultra-broadband services and applications continues to grow rapidly. The LTE service expansion will take place in 12 provinces. Alcatel-Lucent is also deploying its Carrier Aggregation capability in major cities. This component of the LTE-Advanced standard allows LTE radios to combine multiple frequency bands to vastly increase data speeds and lower latency, enabling the service provider to offer data downloads at up to double today’s speeds. Bell Labs, the research arm of Alcatel-Lucent, has made a breakthrough in its ambition to shatter the capacity limits of optical networks as they strive to meet the explosion in traffic expected from 5G and the Internet of Things. With this demand threatening to outstrip the capacity limits of current optical fiber networks, at the 2015 IEEE Photonics conference Bell Labs revealed an optical networking technology that could potentially help operators address this expansion: a real-time space-division multiplexed optical multiple-input multiple-output (MIMO-SDM) system. This world-first demonstration of the Bell Labs-pioneered MIMO-SDM technique has the potential to increase today’s 10 to 20 Terabit-per-second fiber capacities to Petabit-per-second capacity. The successful 6x6 MIMO-SDM real-time experiment was conducted over a 60-km-long coupled-mode fiber at Bell Labs’ global headquarters in New Jersey. Using the MIMO-SDM technique, Bell Labs aims to overcome the capacity limitations imposed by the non-linear ‘Shannon limit’ on current optical fiber.
As mentioned earlier in the report, the DIOTEC is investing more resources in testing connected objects:
o Validating their compliance with their corresponding communication protocol
o Conducting security tests and reporting vulnerabilities and weaknesses in order to improve their resistance to cyber attacks
The main goal is to push vendors and manufacturers to secure their products and services, and to assist them in migrating to verified protocols such as 4G, 5G, etc. To support this strategy, DIOTEC also developed a portable 4G/LTE plug-and-play network, where all components are virtualized in one box, allowing private on-demand 4G networks to be created. Such networks can be used for connecting IoT devices in a very secure environment based on the proven LTE security mechanisms.
B – THE INTERNET OF THINGS
1. Introduction
The Internet of Things (IoT) is the network of physical objects or "things" embedded with electronics, software, sensors, and network connectivity, which enables these objects to collect and exchange data. The Internet of Things allows objects to be sensed and/or controlled remotely across existing network infrastructure, creating opportunities for more direct integration between the physical world and computer-based systems, and resulting in improved efficiency, accuracy and economic benefit. The concept of a network of smart devices was discussed as early as 1982, with a modified Coke machine at Carnegie Mellon University becoming the first internet-connected appliance, able to report its inventory and whether newly loaded drinks were cold. The concept of the Internet of Things first became popular in 1999, through the Auto-ID Center at MIT and related market-analysis publications. Radio-frequency identification (RFID) was seen as a prerequisite for the Internet of Things at that point. If all objects and people in daily life were equipped with identifiers, computers could manage and inventory them. Besides using RFID, the tagging of things may be achieved through such technologies as near field communication, barcodes, QR codes and digital watermarking.
2. The Economic Sector
There are three core sectors of the IoT: enterprise, home, and government, with the Enterprise Internet of Things (EIoT) being the largest of the three. Regardless of the sector, IoT finds applications in nearly every field, as such systems can be in charge of collecting information in settings ranging from natural ecosystems to buildings and factories, thereby finding applications in fields of environmental sensing and urban planning.
Environmental monitoring applications of the IoT typically use sensors to assist in environmental protection by monitoring air or water quality, atmospheric or soil conditions, and can even include areas like monitoring the movements of wildlife and their habitats. Other applications like earthquake or tsunami early-warning systems can also be used by emergency services to provide more effective aid. Monitoring and controlling operations of urban and rural infrastructures like bridges, railway tracks, and on- and offshore wind farms is a key application of the IoT. The IoT infrastructure can be used for monitoring any events or changes in structural conditions that can compromise safety and increase risk. It can also be used for scheduling repair and maintenance activities in an efficient manner. IoT devices can also be used to control critical infrastructure like bridges to provide access to ships. Such usage is likely to improve incident management and emergency response coordination, quality of service and up-times, and reduce costs of operation in all infrastructure-related areas. Network control and management of manufacturing equipment, asset and situation management, or manufacturing process control bring the IoT within the realm of industrial applications and smart manufacturing. IoT intelligent systems enable rapid manufacturing of new products, dynamic response to product demands, and real-time optimization of manufacturing production and supply chain networks, by networking machinery, sensors and control systems together. Smart industrial management systems can also be integrated with the Smart Grid, thereby enabling real-time energy optimization.
IoT devices can be used to enable remote health monitoring and emergency notification systems. These devices can range from blood pressure and heart rate monitors to advanced devices capable of monitoring specialized implants, such as pacemakers or advanced hearing aids. Doctors can monitor on their smartphones the health of their patients after they are discharged from the hospital. The IoT can assist in the integration of communications, control, and information processing across various transportation systems. Application of the IoT extends to all aspects of transportation systems, i.e. the vehicle, the infrastructure, and the driver or user. Dynamic interaction between these components of a transport system enables inter- and intra-vehicular communication, smart traffic control, smart parking, electronic toll collection systems, logistics and fleet management, vehicle control, and safety and road assistance. Another application that the Internet of Things brings to the picture is home security solutions. Home automation is also a major step forward when it comes to applying IoT. With IoT, we can remotely control the electrical devices installed in the house. The IoT also creates an opportunity to measure, collect and analyze an ever-increasing variety of behavioral statistics. Cross-correlation of this data could revolutionize the targeted marketing of products and services, meaning that Big Data and the IoT can work in conjunction.
3. IoT’s current and future status
There are several planned or ongoing large-scale deployments of the IoT, to enable better management of cities and systems. For example, Songdo, South Korea, the first fully equipped and wired smart city of its kind, is near completion. Nearly everything in this city is planned to be wired, connected and turned into a constant stream of data that would be monitored and analyzed by an array of computers with little or no human intervention. Another application is a project currently under way in Santander, Spain. For this deployment, two approaches have been adopted. This city of 180000 inhabitants has already seen 18000 downloads of the city application for smartphones. This application is connected to 10000 sensors that enable services like parking search and environmental monitoring. The following is a list of the top 10 countries by IoT devices online per 100 inhabitants, as published in 2015.
Figure 3: IoT devices online per 100 inhabitants [2]
Experts estimate that the IoT will consist of almost 50 billion objects by 2020:
Figure 4: Number of connected devices in 2020 [29]
The Internet of Things is seen by the industry as the next billion market:
Figure 5: Connected devices market in 2020 [29]
After describing the rapid development of IoT technologies, along with their large-scale deployment, it must be said that these technologies have been criticized for being developed without appropriate consideration of the profound security challenges involved. In particular, as the Internet of Things spreads widely, cyber-attacks are likely to become an increasingly physical (rather than simply virtual) threat. In a January 2014 article in Forbes, cyber security columnist Joseph Steinberg listed many Internet-connected appliances that can already "spy on people in their own homes", including televisions, kitchen appliances, cameras, and thermostats. Computer-controlled devices in automobiles such as brakes, engine, locks, hood and trunk releases, horn, heat, and dashboard have been shown to be vulnerable to attackers who have access to the onboard network. In some cases, vehicle computer systems are internet-connected, allowing them to be exploited remotely.
II / THE INTERNSHIP ENVIRONMENT
A. THE SOCIAL STRUCTURE
Alcatel-Lucent has approximately 52600 employees, working in offices in more than 90 countries. Functions are centralized and organized in 17 central functions under the leadership of Philippe Camus, the Chairman and Interim Chief Executive Officer since Michel Combes left the company to become chairman of Numericable-SFR, pending the new Nokia Corporation management:
o Alcatel-Lucent International
o Bell Labs
o Business & IT Transformation
o Chief Quality & EHS Office
o Compliance Organization
o COO Transversal Operations
o Corporate Audit Services
o Corporate CTO
o Corporate Security Services
o Finance
o Human Resources
o Intellectual Property Business Group
o IS/IT
o Law
o Public Affairs
o Results Delivery Office
o Sustainability
On top of these central functions, Alcatel-Lucent also hosts transversal and corporate functions as follows:
o Transversal functions:
- Sales
- Operations
- Strategy & Innovation
- Quality
o Corporate functions:
- Human resources
- Marketing
- Finance & Legal
(The leadership team is illustrated in appendix A.2)
B. OPERATIONS
Operations are divided as follows:
o Core networking segment
- IP Routing
- IP Transport
- IP Platforms
o Access segment
- Wireless
- Fixed Access
- Licensing
- Managed services
I will only describe the “Wireless” section of the “Access Segment”, as it is the section in which I did my internship (more details can be found in the operations section of Alcatel-Lucent’s website [3]).
The Wireless section is organized as follows:
The DIOTEC is part of Professional Services, under the Business Unit (BU) run by Mr Jim Cocito. It has two sites: the first is in Nozay, Ile-de-France, France, while the second is in Murray Hill, New Jersey, US (at Lucent’s premises). Both sites are managed by Mr. Jean-Christophe Coiffier, the Head of DIOTEC. Mr. Coiffier chose to adopt a flat organization structure at the French site, creating a better team spirit, as fewer management layers increase interaction. It also elevates each employee’s level of responsibility, so that they have more power and can make some decisions immediately, giving the center greater agility and mobility.
(The Nozay site is illustrated in appendix A.3)
III/ THE INTERNSHIP ACCOMPLISHMENTS & GAINED SKILLS
A – THE INTERNSHIP ACCOMPLISHMENTS
During my internship, I had the opportunity to discover the IoT sector in all its forms; this allowed me to develop a deep understanding of its challenges from both global and specific perspectives. To make my description clear and easy to digest, I will start by listing the tools that I was given access to, and then proceed with describing the main and side missions and tasks that I accomplished. (A picture of the Hacking Lab is in appendix B.1)
1. Available tools
The hacking laboratories were equipped with both intellectual resources and physical hacking tools. The computers ran Kali Linux and Windows in a dual-boot configuration. We were also given hacking and SDR (Software Defined Radio) equipment such as the HackRF One and Ubertooth… As for the available devices, the list included smart watches, surveillance cameras, connected switches and sensors, smartphones, home automation devices… For the intellectual resources, we were given 4 books that were very useful for learning both basic and advanced hacking techniques. In addition, these books provided information about many communication protocols (Bluetooth, Wi-Fi…). We also had access to a NAS, where we shared all the test plans and useful documents we found; it was also a repository for all the scripts and tools we developed and used. (A full list is presented in appendix C.0)
2. The duties
Introduction
As described before, the main goal of the internship is to conduct security tests and evaluations. So there was a first phase to understand the functioning of the device (or the protocol). This was followed by a full analysis, in order to identify all potential weaknesses and attack vectors. The third phase is the technical phase, in which the attack environment is prepared and the attack tools are developed and used. Later on, verified vulnerabilities are reported along with all the test results.
In order to write professional security reports, I downloaded penetration test reports made by three leading cyber security companies (attached with this report, F.0), observed how these reports are structured, combined them, and added some sections and removed others, to make a structure that best fits my needs. After the study of each connected device, the tests and procedures used are added to the list, along with their duration, application, and severity. The goal is to enrich the test list, making the assessment of other similar devices easier and faster.
My activities
During this internship, I spent my first month conducting security tests on connected switches, security cameras and multimedia hubs. Surprisingly, for all the cameras I tested, besides finding many vulnerabilities, none of them was protected against brute force attacks on the administrator’s password. After that, I studied the Bluetooth protocol, tested the Ubertooth One, and prepared the environment for conducting tests on Bluetooth devices. A higher-priority task was given to me at that time, which made me postpone my work on Bluetooth and start studying the Z-Wave protocol. This protocol is among the most used protocols for home automation, and since a Hackathon was planned for November, we chose to make it about home automation, and so we named the Hackathon “Hack the Home”. In order to prepare for this event, I started by studying GNU Radio, an open source Linux software package used for controlling SDR equipment and tools. I then became able, using the HackRF One, to sniff and visualize Z-Wave signals. During this time, I was also developing tools to attack RSA certificates, as some connected objects used a PKI, and it would have been interesting to try to break their certificates. Among the tools I developed: a script for retrieving the modulus and factorizing it, and a kit for testing certificates for common factors and generating private keys in case of a match. The Hackathon preparations occupied a large portion of my time. I prepared cryptography challenges, configured all the equipment, prepared and tested all the attack scenarios, and coded automation scripts to simulate interactive mobile phone applications, smart boxes and others. After the big event, inspired by some tools developed by professional teams who were present at the Hackathon, I was able to configure and run a Z-Wave injection tool.
This tool allows taking control of any Z-Wave communicating device; it also allows taking the role of that connected device and escalating false reports and alarms to the controller. Just after reaching my goal and breaking the Z-Wave protocol, I went back to Bluetooth, and was quickly able to sniff Bluetooth packets and visualize them in Wireshark. Before getting into hacking Bluetooth connections and moving from passive to active attacks, other priorities came across… My last work at Alcatel-Lucent was studying the SigFox and LoRa protocols, analyzing their performance and security mechanisms, and preparing their test plans. These plans will be used later on for testing SigFox and LoRa devices for clients. I was also charged with transferring my knowledge to the new apprentice who will continue the hacking activities in the DIOTEC.
Description
As mentioned before, I will be using generic names for the equipment, as the manufacturer name is considered classified and will only be included in the confidential appendix C.
Task 1: G_Switch Connected Switch
Introduction
The G_Switch connected switch allows users to control their devices at home via a mobile application. This application also allows adding other devices to be remotely controlled. The switch costs around 40$ and can be bought from the vendor’s website.
Attack Narrative
Footprinting
To begin, I analyzed the establishment phases of the switch. At first, the switch behaves as a Wi-Fi router, distributing private IP addresses and broadcasting beacons. The interesting issue here is that the sent beacons explicitly indicate that the wireless access point does not support authentication, not even WEP (the corresponding beacon is present in appendix D.1.1), which means that any user with a wireless adapter can listen to all communications between the switch and the smartphone connected to it. During the same phase, the user installs the G_AppName application, connects to the wireless network created by the switch, and launches the application. Through his smartphone, the user gives the G_Switch object a name, an icon, and other information. He also chooses a Wi-Fi connection and enters its password. Just after submitting the password, the G_AppName mobile application sends a message to the switch. This message includes the device information, the Wi-Fi SSID, and its password. These will be used to allow the switch to connect to the wireless access point. After that, the phone can send ON and OFF orders to the switch.
Figure 6: G_Switch - Phase 1 (stage 1: the smartphone sends the home Wi-Fi SSID + password to the switch)
Figure 7: G_Switch - Phase 2 (stage 2: switch and smartphone communicate using the home Wi-Fi)
Phase 3: In case the user chose to activate the remote control option, the switch will then start automatically reporting to the G_Switch server (ServerIP) every time its status changes. And if the smartphone is connected through a network different from the switch’s, it will send the ON/OFF order encrypted to the G_Switch server. Eventually, this server will send the order to the switch, also encrypted in a TLS connection. It is worth mentioning that even after phase 3, if the smartphone is in the same network as the switch, orders will not be relayed by the server; instead, the smartphone will send them directly to the switch via Wi-Fi.
Figure 8: G_Switch - Phase 3
Man-in-the-middle attack
To start, I launched a MITM attack between the switch and the smartphone at phase 1. This led to discovering the different XML formats used for exchanging information. This also allowed me to capture the packet containing the information needed to connect to the home Wi-Fi. Below is the content of this packet:
POST /upnp/control/smartsetup1 HTTP/1.0
Content-Type: text/xml; charset="utf-8"
HOST: 10.22.22.1
Content-Length: 886
SOAPACTION: "urn:G_Switch:service:smartsetup:1#PairAndRegister"
Connection: close

<?xml version="1.0" encoding="utf-8"?>
<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" s:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">
<s:Body>
<u:PairAndRegister xmlns:u="urn:G_Switch:service:smartsetup:1">
<PairingData>&lt;PairingData&gt;&lt;ssid&gt;&lt;![CDATA[SSID_Name]]&gt;&lt;/ssid&gt;&lt;auth&gt;WPA2PSK&lt;/auth&gt;&lt;password&gt;elbG4dBmMTJR4Uy5O8jFtg==190b&lt;/password&gt;&lt;encrypt&gt;AES&lt;/encrypt&gt;&lt;channel&gt;11&lt;/channel&gt;&lt;/PairingData&gt;</PairingData>
<RegistrationData>&lt;RegistrationData&gt;&lt;DeviceId&gt;353490069904197&lt;/DeviceId&gt;&lt;DeviceName&gt;&lt;![CDATA[ObjectName]]&gt;&lt;/DeviceName&gt;&lt;smartprivateKey&gt;&lt;/smartprivateKey&gt;&lt;ReUnionKey&gt;14363488838022&lt;/ReUnionKey&gt;&lt;/RegistrationData&gt;</RegistrationData>
</u:PairAndRegister>
</s:Body>
</s:Envelope>
Continuing to stages 2 and 3, we noticed that when the switch and the smartphone are connected to the same network, the exchanged data is not encrypted, and there is no protection against replay attacks.
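As an added example (not the report's script), the following parses the captured request above to show which fields a passive listener on the open setup AP reads directly: PairingData and RegistrationData are entity-escaped XML documents nested inside the SOAP body, so they need a second parse pass. The request body is re-typed from the capture; only the password field is wrapped by the application.

```python
"""Parse the captured phase-1 PairAndRegister request and list what an
eavesdropper on the switch's open setup AP can read in the clear.
Added example, not the report's code; the body is the capture from the
report re-typed inline, the namespace comes from the SOAPACTION header."""
import xml.etree.ElementTree as ET

SETUP_NS = "urn:G_Switch:service:smartsetup:1"

CAPTURED_BODY = """<?xml version="1.0" encoding="utf-8"?>
<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" s:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">
<s:Body>
<u:PairAndRegister xmlns:u="urn:G_Switch:service:smartsetup:1">
<PairingData>&lt;PairingData&gt;&lt;ssid&gt;&lt;![CDATA[SSID_Name]]&gt;&lt;/ssid&gt;&lt;auth&gt;WPA2PSK&lt;/auth&gt;&lt;password&gt;elbG4dBmMTJR4Uy5O8jFtg==190b&lt;/password&gt;&lt;encrypt&gt;AES&lt;/encrypt&gt;&lt;channel&gt;11&lt;/channel&gt;&lt;/PairingData&gt;</PairingData>
<RegistrationData>&lt;RegistrationData&gt;&lt;DeviceId&gt;353490069904197&lt;/DeviceId&gt;&lt;DeviceName&gt;&lt;![CDATA[ObjectName]]&gt;&lt;/DeviceName&gt;&lt;smartprivateKey&gt;&lt;/smartprivateKey&gt;&lt;ReUnionKey&gt;14363488838022&lt;/ReUnionKey&gt;&lt;/RegistrationData&gt;</RegistrationData>
</u:PairAndRegister>
</s:Body>
</s:Envelope>"""

# Only the Wi-Fi password is wrapped by the app (WiFiSecurityUtil.encrypt);
# every other field travels as readable text over the unauthenticated AP.
OPAQUE_FIELDS = {"password"}


def parse_pair_and_register(body: str) -> dict:
    """Return the flattened fields of a PairAndRegister request."""
    envelope = ET.fromstring(body)
    request = envelope.find(f".//{{{SETUP_NS}}}PairAndRegister")
    if request is None:
        raise ValueError("body is not a PairAndRegister request")
    fields = {}
    for wrapper in ("PairingData", "RegistrationData"):
        # ElementTree already unescaped &lt;/&gt;, so the wrapper's text is
        # XML again; a second parse recovers the nested document (CDATA too).
        inner = ET.fromstring(request.findtext(wrapper) or f"<{wrapper}/>")
        for child in inner:
            fields[child.tag] = (child.text or "").strip()
    return fields


def exposure_report(fields: dict) -> dict:
    """Split fields into what a passive listener reads directly and what is
    at least wrapped by the application before transmission."""
    cleartext = {k: v for k, v in fields.items() if k not in OPAQUE_FIELDS and v}
    opaque = {k: v for k, v in fields.items() if k in OPAQUE_FIELDS}
    return {"cleartext": cleartext, "opaque": opaque}


if __name__ == "__main__":
    report = exposure_report(parse_pair_and_register(CAPTURED_BODY))
    for bucket, values in report.items():
        print(bucket)
        for name, value in values.items():
            print(f"  {name} = {value}")
```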
Replay attacks
After deep inspection of packets during the MITM attack, I managed to identify the different orders coming from the phone towards the switch. These packets are sent over TCP with 49153 as destination port. Below are some of the most interesting ones:
Request info: This request returns information regarding the condition and the current status of the switch, for example whether it is in the “ON” or “OFF” state, the switch’s firmware version, its friendly name, its MAC address, deviceID …
POST /upnp/control/deviceinfo1 HTTP/1.0
Content-Type: text/xml; charset="utf-8"
HOST: 192.168.1.120
Content-Length: 289
SOAPACTION: "urn:G_Switch:service:deviceinfo:1#GetInformation"
Connection: close

<?xml version="1.0" encoding="utf-8"?>
<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" s:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">
<s:Body>
<u:GetInformation xmlns:u="urn:G_Switch:service:deviceinfo:1"></u:GetInformation>
</s:Body>
</s:Envelope>
ON order: This is an order sent to the switch that sets its state to “ON”. By replacing the 1 with a 0, the order becomes a change of state to “OFF”.
POST /upnp/control/basicevent1 HTTP/1.0
Content-Type: text/xml; charset="utf-8"
HOST: 192.168.1.120
Content-Length: 419
SOAPACTION: "urn:G_Switch:service:basicevent:1#SetBinaryState"
Connection: close

<?xml version="1.0" encoding="utf-8"?>
<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" s:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">
<s:Body>
<u:SetBinaryState xmlns:u="urn:G_Switch:service:basicevent:1">
<BinaryState>1</BinaryState>
<Duration></Duration>
<EndAction></EndAction>
<UDN></UDN>
</u:SetBinaryState>
</s:Body>
</s:Envelope>
A simple Python script that can replay ON/OFF orders is attached in appendix D1.2. I also developed a simple Java application with a user interface that opens a TCP connection, sends the order, and then closes the connection. This application can also send alternating “ON” and “OFF” orders at a user-specified frequency. (A screenshot of the tool is in appendix E.3, and the tool is attached with this report, F.3)
Reverse engineering the mobile application
Using a free mobile application we downloaded from the Google Play store (SaveAPK), I was able to retrieve the .apk file for the G_name application. By simply decompressing this file, we got access to non-compiled JavaScript and HTML files. Later, with some commercial tools (apktool, Java Decompiler, and dex2jar), I succeeded in reverse engineering the application, giving me the full Java source code. (The mentioned tools are attached with this report, F.1) Below are some of the classes and functions I found interesting:
public class WiFiSecurityUtil {
  private String password = "";
  private String type = "";
  private String username = "";
  private String generatePrivateKey(String[] paramArrayOfString) { }
  public boolean addNewWiFiSetting(Context paramContext) { }
  public String decrypt(String paramString, Context paramContext) { }
  public String encrypt(String paramString, Context paramContext, int paramInt, String[] paramArrayOfString) { }
  public String generateAuthCode(Context paramContext) { }
  public String getDeviceID(Context paramContext) { }
}
I discovered that these are the functions used to encrypt the Wi-Fi password prior to sending it from the phone. In addition, I found out where the previous classes are instantiated, and when the functions are called. The code has been intentionally developed in a way that creates maximum confusion for hackers who would like to reverse it (fake functions, unused code, rearranged variable names …). So despite having the source code, and knowing the DeviceID used for the encryption, after one week of investigation I was unable to decrypt the captured encrypted password, due to my lack of expertise in mobile applications. So I decided to proceed with other attacks. By spending more time on this device, we could explore the hardware part and try to find the encryption algorithm in the embedded code (guessing that embedded code cannot be as complex as the one used in the smartphone application). (The full decompiled mobile application is attached with this report, F.1)
DOS SYN Flood attack
To test the robustness of the switch’s server, I ran a number of SYN Flood attacks. The result is that fewer than 200 SYN requests are enough to deny all other users from connecting to the switch, causing a Denial-of-Service attack. I also noticed that during the attack, the port number used by the switch to communicate with the smartphone is automatically changed, meaning that this attack will not remain effective. However, the port number was not changing randomly; it was incremented by 1. So it was not difficult to automate the increment of the port number during the attack whenever the switch stops accepting the SYN requests.
Security Impact
Authentication (Medium)
There is no authentication when communicating with the switch locally, which means that any device or PC connected to the same network as the G_name switch can easily take control of it. However, when it comes to controlling the switch from the internet, it is a much more difficult task. This protection is provided by encrypting all communications between the servers, the smartphone, and the switch. Besides, encrypted orders received from the server are not the same even if the orders are the same, meaning that there is a certain protection against replay attacks.
Integrity (Medium)
In the case of a local connection (phone and switch in the same network), a man-in-the-middle can easily alter the orders without being detected by the switch, which means changing “ON” orders to “OFF”, or vice versa.
Availability (High)
I noticed that a DOS SYN Flood attack can easily be conducted, denying the user control of the switch. Although a simple protection mechanism is deployed, its resilience to this attack is not enough. In case the attacker is not connected to the same network but has access to an intermediate node, he can monitor and identify the port number used to communicate with the switch. Although this weakness may exist in many connected objects and home automation systems, I see that it is worth mentioning at least once.
Privacy (High)
During the first initialization stage, I noted that, since the switch itself acts as a standalone open wireless access point, any user or attacker can connect to it and retrieve the encrypted Wi-Fi password. This can be decrypted using the mobile application source code.
Once done, the attacker can connect to the home network, compromising the security of all connected objects, including the G_name switch and personal computers.
Proposing solutions
Authentication and integrity
It is recommended to use encryption when exchanging information between the smartphone and the G_name switch; a strong encryption algorithm can easily be implemented and would minimize the impact on authentication. The secret key can be exchanged between the smartphone and the switch during the first initialization stages. It is also advised to add timestamps or sequence numbers to the content before it is encrypted, to mitigate replay attacks.
Availability
Changing the port number was a good solution to stop SYN Flood DOS attacks. However, this protection would be much more effective if the new port numbers were chosen at random, instead of incrementing the last used value by 1.
Privacy
In order to protect the home Wi-Fi password while it is being transmitted, the temporary connection between the switch and the smartphone should be secured. Although WEP protection may be acceptable since the period required for the connection establishment is short, we recommend the deployment of WPA or WPA2, because Wi-Fi attacking techniques are becoming faster every day. The WPA shared key can be given to the client, or hardcoded on the switch.
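The authentication and integrity fix proposed above, as an added example (not the vendor's or the report's code): each local ON/OFF order is framed as seq(8) || state(1) || HMAC-SHA256 tag, under a 32-byte key assumed to be shared during the first initialization stage; the wire format is our own choice, and confidentiality (the report also recommends encryption) would need a cipher on top. The demo runs the three cases from the findings: a legitimate order, a verbatim replay of it, and an altered copy.

```python
"""Authenticated, replay-resistant framing for local ON/OFF orders.
Added example, not the G_Switch protocol. Assumes a shared 32-byte key;
HMAC gives integrity and origin authentication, the strictly increasing
sequence number rejects replays. No encryption is applied here."""
import hashlib
import hmac
import struct

HEADER_FMT = ">QB"          # 64-bit sequence number, 1-byte binary state
HEADER_LEN = struct.calcsize(HEADER_FMT)
TAG_LEN = hashlib.sha256().digest_size


class OrderSender:
    """Smartphone side: signs each order under a fresh sequence number."""

    def __init__(self, key: bytes):
        self.key = key
        self.seq = 0

    def build(self, state: int) -> bytes:
        if state not in (0, 1):
            raise ValueError("state must be 0 (OFF) or 1 (ON)")
        self.seq += 1
        header = struct.pack(HEADER_FMT, self.seq, state)
        tag = hmac.new(self.key, header, hashlib.sha256).digest()
        return header + tag


class OrderReceiver:
    """Switch side: verifies the tag first, then enforces seq > last_seq."""

    def __init__(self, key: bytes):
        self.key = key
        self.last_seq = 0

    def accept(self, frame: bytes) -> int:
        if len(frame) != HEADER_LEN + TAG_LEN:
            raise ValueError("malformed frame")
        header, tag = frame[:HEADER_LEN], frame[HEADER_LEN:]
        expected = hmac.new(self.key, header, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            raise ValueError("bad tag: order forged or altered in transit")
        seq, state = struct.unpack(HEADER_FMT, header)
        if seq <= self.last_seq:
            raise ValueError("replayed or out-of-order frame")
        if state not in (0, 1):
            raise ValueError("invalid state")
        self.last_seq = seq
        return state


def flip_state(frame: bytes) -> bytes:
    """Simulate the MITM from the report: turn ON into OFF (or back) without
    the key. The tag no longer matches, so accept() rejects the frame."""
    body = bytearray(frame)
    body[HEADER_LEN - 1] ^= 1
    return bytes(body)


def demo(key: bytes) -> dict:
    """Legitimate order, verbatim replay, tampered copy, then a fresh order."""
    phone, switch = OrderSender(key), OrderReceiver(key)
    frame = phone.build(1)
    results = {"legitimate": switch.accept(frame)}
    for name, candidate in (("replay", frame), ("tampered", flip_state(frame))):
        try:
            switch.accept(candidate)
            results[name] = "accepted"
        except ValueError as exc:
            results[name] = str(exc).split(":")[0]
    results["next_order"] = switch.accept(phone.build(0))
    return results


if __name__ == "__main__":
    print(demo(bytes(range(32))))   # constructed demo key
```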
Task 2: G_Camera IP Camera
Presentation
The G_Camera IP camera allows users to view the video stream from the internet or from any connected network. It can be connected to an FTP server to save the recorded video. It can be linked to an email address to send notifications whenever movement is detected. This camera also has an internal memory to save photos and short videos whenever something is moving.
Attack Narrative
Brute Force Password attack
In order to log in, I conducted a brute force attack on the password for the user “admin”. At first, I used two commercial tools; the results were negative. Then, using a local proxy, I ran a brute force attack by modifying the password field in the authentication packet, and replacing the content with values from a password wordlist downloaded from the internet, encoded in base64 together with the string “admin:”. This time, the password was revealed.
Command list discovery
I also noticed the use of queries containing “param.cgi”. Searching on Google allowed me to find and download a PDF containing CGI commands, “FI9821W-CGI-Commands” (attached with this report, F.2). So I became able to reboot the camera or perform a remote reset. Other commands allowed the retrieval and modification of video parameters (setting contrast=0 replaces the video stream with a black image), alarm settings, and others…
Adding users
Running a directory listing attack revealed many unprotected files, including “http://IP_Address/web/js/index.js”. Going to its parent directory “http://IP_Address/web/js/” uncovered other JavaScript files including “sys_users”, “sys_logs”, and other files used to set or modify camera parameters and settings. While reading the file sys_users.js, I found a function called “addUser()” that explicitly builds and sends a specific URL for adding a user, or updating it.
Using that information, I managed to form a custom URL to add a user I named “hacker” (“http://IP_Address/cgi-bin/hi3510/param.cgi?time=1440159507412&cmd=updateuser&user3=hacker:hacker:3:Normal”). Logging in with this fake account allowed me to view the video, but did not give access to the system settings page. I also noticed that users created using this URL do not appear in the administrator’s user list.

Privilege escalation
After further inspection of the authentication process, I discovered that after submitting the username and password using the function “checkuser.cgi” (“192.168.1.144/cgi-bin/hi3510/checkuser.cgi?-time=1440764987428”), the server returns two variables: check=1 and authLevel=”3” (when logged in as “hacker”). The authLevel value is saved in the cookies in plaintext, and all later queries carry the cookies, including this value. I noticed that once authLevel is saved, it is not verified by the IPCamera server, so modifying the cookies with a developer tools plugin allowed me to obtain administrator privileges and access the system settings page. This means disabling alarms, manually choosing and deleting videos, changing the administrator password, clearing logs…

Reverse engineering the firmware
Going through G_Camera forums, I found a particular thread [4] where there was a firmware download link [5]. After analyzing the firmware, I located the JFFS2 bytes and managed to reverse engineer it, going through all its directories and files. This means that the firmware can be modified and installed remotely on the camera: a vulnerability that can lead to modifying or freezing the video stream, sending unauthorized notifications to hackers, or changing the whole behavior of the camera.
More commands
Going to the firmware’s parent directory [6] uncovered unprotected internal files, including firmware update versions, documentation files, plugins… Among these files resided G_Camera_doc (the document is attached to this report, F.2). This document had a detailed description of the IPCamera CGI commands, their syntax, and their returned values. These commands allow retrieving all login credentials, the Wi-Fi password, and the email and FTP server credentials. They can also format the SD card, clear both system and access logs, reboot or reset the camera, and finally create undetected users and change the administrator’s password. (A list of the most interesting queries is given in appendix D.2.1.)

Deleting system logs
The system logs available to the administrator show entries concerning the start of alarms, but nothing about user logins, modified settings… To clear these logs, we can connect with the “hacker” account and use the “clear” button. After pushing this button, we captured the corresponding request (“http://IP_Address/cgi-bin/hi3510/dellog.cgi?-time=1440762847985”) and discovered that it deletes all logs whose timestamp is later than the sent value (1440762847985). So to delete all logs at once, it was enough to send this unauthenticated request: “http://IP_Address/cgi-bin/hi3510/dellog.cgi?-time=0”.

Covering tracks
Access logs are not accessible from the user interface. However, they can be accessed using “http://IP_Address/log/accesslog.txt”. This file contains all the requested queries and called functions, each saved on a new line with its time and date, and the source IP address from which it originated. This can be used for forensics, to detect an intruder or a brute force attack. The content of this file is emptied after a reboot, or can be easily deleted using this command: “http://IP_Address/cgi-bin/hi3510/cleanlog.cgi?-name=access”.
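Since the access log is the only forensic source the camera keeps, here is an added example (not part of the report) of detection logic over constructed log lines: it flags a login brute force by counting checkuser.cgi calls per source IP in a sliding window, and flags calls to the log-wiping and user-manipulation endpoints named above. The line layout is an assumption; the page only states which fields each entry carries.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed line layout: "<YYYY-MM-DD> <HH:MM:SS> <source IP> <request path>".
# The page only states that each entry carries time, date, source IP and the query,
# so this layout is a constructed assumption, not the camera's documented format.
LINE_RE = re.compile(r"^(\S+ \S+) (\d{1,3}(?:\.\d{1,3}){3}) (\S+)$")

# Endpoints identified in the assessment that an intruder uses to gain access
# or to cover tracks; a legitimate administrator rarely touches them.
SENSITIVE = {
    "dellog.cgi": "system log deletion",
    "cleanlog.cgi": "access log deletion",
    "getuser.cgi": "credential dump",
    "cmd=updateuser": "user creation or modification",
}


def parse_line(line):
    """Return (timestamp, source_ip, path) or None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
    return ts, m.group(2), m.group(3)


def detect(lines, threshold=10, window=timedelta(seconds=60)):
    """Run both rules over the log lines and return a list of (rule, ip, detail)."""
    alerts = []
    login_times = defaultdict(list)  # source IP -> recent checkuser.cgi timestamps
    already_flagged = set()
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, ip, path = parsed
        # Rule 1: any call to an endpoint used for takeover or log tampering.
        for needle, label in SENSITIVE.items():
            if needle in path:
                alerts.append(("sensitive_command", ip, f"{label}: {path}"))
        # Rule 2: too many login checks from one IP inside a sliding window.
        if "checkuser.cgi" in path:
            recent = login_times[ip]
            recent.append(ts)
            while recent and ts - recent[0] > window:
                recent.pop(0)
            if len(recent) >= threshold and ip not in already_flagged:
                already_flagged.add(ip)
                alerts.append(("brute_force", ip,
                               f"{len(recent)} login attempts within {window.seconds}s"))
    return alerts


# Constructed sample log: a burst of login attempts, a hidden user being added,
# then the system log being wiped, all from one address, plus one benign request.
SAMPLE_LOG = [
    f"2015-08-28 14:30:{i:02d} 192.168.1.50 /cgi-bin/hi3510/checkuser.cgi?-time=14407649874{i:02d}"
    for i in range(12)
] + [
    "2015-08-28 14:31:00 192.168.1.50 /cgi-bin/hi3510/param.cgi?cmd=updateuser&user3=hacker:hacker:3:Normal",
    "2015-08-28 14:31:05 192.168.1.50 /cgi-bin/hi3510/dellog.cgi?-time=0",
    "2015-08-28 14:32:00 192.168.1.20 /web/index.html",
]

if __name__ == "__main__":
    for rule, ip, detail in detect(SAMPLE_LOG):
        print(f"[{rule}] {ip}: {detail}")
```

Because the camera also wipes this file on reboot, the rules are only useful if the log is shipped off the device before that happens.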
Summary of results
Initial tests on the G_Camera IPCamera revealed that the login interface was immune to some brute force attack tools, but not all of them. In addition, by running a local proxy and monitoring exchanged packets through Wireshark, information was leaked, including the firmware version, used commands and queries, and hidden directories. Searching the discovered commands on the internet resulted in finding a document containing CGI commands. Some unauthenticated commands allowed making a system reset or system reboot. Internal unprotected files allowed adding a low-privileged user account. Logging in with this user allowed access to the video stream, but not the administrator page. After deep inspection of the exchanged packets, a camera-side vulnerability was discovered. This vulnerability allowed me to have the maximum level of privileges. I managed to find on the G_Camera online forums a link to download the firmware. Using this link I managed to find other versions of the firmware, documentation files, etc. This uncovered lots of queries that can be used to get login credentials for all users, saved videos and pictures, the Wi-Fi password, configured email and FTP credentials, and finally system and access logs. In addition, an intruder can cover his tracks by remotely deleting all log files; he can also delete all saved videos by remotely formatting the SD card.
Security Impact

Authentication (High)
Authentication here is at high risk, since it can be attacked through various vectors:
- As described in “More commands”, any internet user can open the link “http://IP_Address/cgi-bin/hi3510/getuser.cgi” and immediately get a list of all users who can log in to the IPCamera, along with their passwords. This means that the password’s strength has no effect on protecting authentication, and anyone can log in as the administrator or any other user.
- Any hacker can also create a new user, and use this fake account to connect to the camera as a legitimate user.
- A brute force attack is possible, since there is no limit on the number of failed login attempts, nor is there a minimal duration to be respected between two failed attempts.
- A hacker conducting a man-in-the-middle attack can simply run Wireshark to view the users’ passwords. The passwords of all users are sent as cookies in each packet exchanged with the IPCamera, encoded in base64.

Authorization (High)
Authorization is also at risk, since any logged-in user can change his cookies and set “authLevel=255” to obtain the highest authorization level and gain administrative privileges.

Confidentiality (High)
Data exchanged between the administrator and the UI are not encrypted, which means that any man-in-the-middle can sniff packets and view all the communication in clear. Concerning the video stream, the IPCamera uses RTP over UDP and sends the live video also in plaintext, allowing any man-in-the-middle to use captured packets to rebuild the video stream.

Integrity (Medium)
There are no integrity checks on the data exchanged between the user and the IPCamera, so a man-in-the-middle can easily, and without detection, alter or delete command packets passing through his computer. He can also modify the video stream without being detected.
Availability (High)
The availability of the service provided by this camera appears to be quite fragile, as fewer than 1500 SYN packets were enough to cause a DoS. Generating this amount of packets does not need powerful computers, so this attack can be conducted by anyone equipped with good software. To recover from this attack, a hard reboot is usually required. Besides, since the administrator’s password can be changed by sending an unauthenticated, crafted URL, denying the administrator access to his account, the availability is proven to be weak.

Privacy (High)
We mentioned earlier the presence of functions that can be called to retrieve all the users’ credentials, the Wi-Fi password, the administrator’s email credentials, and the FTP login credentials (if applicable). These functions are not accessible to the administrator via the system settings, nor via other means. Some of these functions are not called or used by the user interface, so it is unclear why they were added.
Proposing solutions

Encryption
A strong encryption system should be implemented to secure the communications between the connected users and the IPCamera. It is recommended to use HTTPS instead of HTTP and to use public key certificates; these certificates can be signed by the G_Camera private certification authority, and can be manually installed by users in their browsers (a one-time procedure). Although this solution provides a high level of security, it requires a small effort from the user. An alternative solution would be to use symmetric encryption, using a strong encryption algorithm with a sufficiently large key (AES, 3-DES…). This key can be generated and shared using the Diffie-Hellman key exchange algorithm.

Cookies verification
As described before, the server does not verify the authLevel value sent by the user. This is a server-side vulnerability that can be easily solved. By correcting this bug, operators (users with the lowest level of privilege) would not have access to the system settings page.

Enforce authentication
Many unauthenticated requests are accepted by the IPCamera (creating a new user…). If an encryption system is deployed, authenticating the messages by the password will not be required. However, if it is chosen not to use encryption, then it is highly recommended to authenticate each message sent to the IPCamera, and verify the authentication before returning any value or executing an order.

Secured streaming
Replacing RTP with SRTP would be a suitable solution for video streaming, since the stream will be encrypted, which will stop hackers and traffic sniffers from violating the privacy of the camera users, and enforce the confidentiality of the transmitted bytes.

Add a timestamp
To prevent an attacker from replaying captured encrypted packets, a timestamp should be attached to each exchanged message, so it can be verified on the server side before continuing to process the rest of the message content.
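The cookie-verification fix, as an added example that is not the camera's firmware: the vulnerable pattern (trusting authLevel from the cookie) beside a hardened version that keeps the privilege level in a server-side session keyed by a random id. Account names, passwords and levels are constructed from the values reported above.

```python
import hmac
import secrets
from http.cookies import SimpleCookie

# Constructed accounts: (password, authLevel). 255 is the administrator level the
# report observed; 3 is the level returned for the low-privileged "hacker" account.
USERS = {"admin": ("admin-password-placeholder", 255), "hacker": ("hacker", 3)}
ADMIN_LEVEL = 255


def vulnerable_can_open_settings(cookie_header):
    """Pattern found on the camera: the privilege level is read straight from the cookie."""
    cookie = SimpleCookie(cookie_header)
    return "authLevel" in cookie and cookie["authLevel"].value == str(ADMIN_LEVEL)


# Hardened pattern: the cookie carries only an unguessable session id, and the
# privilege level is looked up server-side, so the client cannot edit it.
SESSIONS = {}  # session id -> authLevel, kept on the server only


def login(user, password):
    """Return the cookie to set on success, or None. The level never leaves the server."""
    if user not in USERS:
        return None
    stored_password, level = USERS[user]
    if not hmac.compare_digest(stored_password.encode(), password.encode()):
        return None
    sid = secrets.token_urlsafe(24)  # 192 bits of randomness, not derivable by the client
    SESSIONS[sid] = level
    return f"sid={sid}"


def hardened_can_open_settings(cookie_header):
    cookie = SimpleCookie(cookie_header)
    if "sid" not in cookie:
        return False
    # Any authLevel the client may have appended to the cookie is simply ignored.
    return SESSIONS.get(cookie["sid"].value) == ADMIN_LEVEL


def logout(cookie_header):
    """Invalidate the session server-side so the id cannot be reused."""
    cookie = SimpleCookie(cookie_header)
    if "sid" in cookie:
        SESSIONS.pop(cookie["sid"].value, None)
```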
Integrity checks
In case the choice is not to encrypt all content, a shared key can be secretly exchanged and used to attach each message with its HMAC value. This value will be unique for every message if a salt or a timestamp is involved, which means that besides the integrity check, it will help mitigate replay attacks.

Hiding directories
During these tests, hidden directories were very useful to find JavaScript files and other useful scripts. It is recommended to forbid access to all unnecessary directories, limiting the potential sources of information leakage.

Reducing functions
Many discovered functions are declared and attached to the service; however, not all of them are implemented in the user interface. It would be wise to either delete these functions or deny their use, since some of them can lead hackers to infiltrate the administrator page, or to force the camera to reboot or reset.
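Message authentication with a timestamp and sequence number, as recommended here and in the G_name Switch section above, as an added example (not the report's or a vendor's code): an HMAC-SHA256 tag over the message body, verified before the freshness and sequence checks so that tampered, forged and replayed commands are each rejected with a distinct reason. The shared key and command names are placeholders.

```python
import hashlib
import hmac
import json
import time

TAG_LEN = 32  # HMAC-SHA256 output length in bytes

# Placeholder standing in for the secret exchanged during the initialization stage.
SHARED_KEY = b"placeholder-key-exchanged-at-setup"


def build_message(key, seq, command, now=None):
    """Serialize seq + timestamp + command and append an HMAC-SHA256 tag over the body."""
    ts = int(time.time() if now is None else now)
    body = json.dumps({"seq": seq, "ts": ts, "cmd": command}, sort_keys=True).encode()
    tag = hmac.new(key, body, hashlib.sha256).digest()
    return body + tag


class Receiver:
    """Device-side verifier: MAC first, then freshness window, then monotonic sequence."""

    def __init__(self, key, max_skew=30):
        self.key = key
        self.max_skew = max_skew  # seconds of clock drift tolerated between the peers
        self.last_seq = -1        # highest sequence number accepted so far

    def accept(self, message, now=None):
        now = time.time() if now is None else now
        if len(message) <= TAG_LEN:
            return False, "truncated"
        body, tag = message[:-TAG_LEN], message[-TAG_LEN:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            return False, "bad MAC"                     # forged or tampered in transit
        fields = json.loads(body)
        if abs(now - fields["ts"]) > self.max_skew:
            return False, "stale timestamp"             # old capture replayed much later
        if fields["seq"] <= self.last_seq:
            return False, "replayed sequence number"    # capture replayed inside the window
        self.last_seq = fields["seq"]
        return True, fields["cmd"]
```

The sequence number catches replays that land inside the clock-skew window, which the timestamp alone cannot.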
Task 3: G_Operator G_MultimediaHub

Introduction
The G_Operator G_MultimediaHub is a box that allows users to share files by inserting a USB stick into it. It also allows playing songs through HiFi speakers, controlling Bluetooth and NFC devices, and creating a guest Wi-Fi that can be secured with WPA/WPA2. It costs about 80$ and can be found on the official website.

Attack Narrative
The G_MultimediaHub uses an initialization method that is similar to the connected switch. When started, the hub becomes a standalone access point, creating an open Wi-Fi. Users start by connecting to this wireless network, and then, when attempting to visit any website, they are redirected to the G_MultimediaHub’s main page. On this page, there is a list of available wireless access points. The user chooses his home SSID and enters the Wi-Fi password. After that, the G_MultimediaHub stops its access point and connects to the home network. Once connected, any user on the same network can access this hub, access its shared files, control its paired Bluetooth and NFC devices, and modify all its configuration.

As a first test, I launched Wireshark during the initialization phase, and found out that the Wi-Fi password is sent in plain text. Sending a password in plain text over an open, non-secured network is very dangerous, as anyone with a wireless adapter can very easily steal the home wireless password. Below is a screenshot of the captured packet containing the Wi-Fi password (it is marked in yellow for confidentiality reasons).

Another weakness is that the G_MultimediaHub’s web page does not require authentication. Any user connected to the same network can access this hub and its media. In addition, there is a possibility to change the hub’s configuration during the initialization phase.
Since the hub can be used to create a wireless access point for guests, there is an option that, once activated, merges the two networks, meaning that any guest connected to the guest network will also be connected to the home network, and can access all its connected devices and media.

Figure 9: G_Operator G_MultimediaHub Wi-Fi password packet
Security Impact

Authentication (High)
There isn’t any authentication mechanism implemented.

Confidentiality (High)
Data exchanged between the users and the UI is not encrypted.

Integrity (High)
None.

Privacy (High)
This hub receives the Wi-Fi password in plaintext over an OPEN network. This allows any sniffer, no matter how long or strong the Wi-Fi password is, to get access to the home network, access all data on the multimedia hub, and all the machines connected to that network.

Proposing solutions

Encryption
The hub should be accessed using HTTPS instead of HTTP, since the hub is used to transfer shared files.

Protect Wi-Fi password
It would be good to encrypt the password before sending it, or even better to create a WPA or WPA2 network instead of an OPEN network.

Authentication
Add a login page to forbid any connected user from accessing the shared files and paired devices.
Task 4: Bluetooth
I worked twice on the Bluetooth protocol. The first time was just to understand the protocol, to prepare the tools and the environment, and the next time was to use the Ubertooth to sniff Bluetooth packets and visualize them in Wireshark after configuring and installing the required plugins.

Protocol Study
Bluetooth 4.0 operates on 79 x 1 MHz channels, from 2400 MHz to 2483.5 MHz. During communications, each packet is sent over a different channel; a frequency hopping scheme is used with around 1600 hops/sec. The communication model is based on a master-slave model, where the master can communicate with 7 slaves at the same time. It can be on the same network with 255 slaves; these slaves can be inactive, parked, or active. They all share the master’s clock, and they may become master.

Concerning the security part, the greatest weaknesses are in the key exchange process. Bluetooth Smart uses a custom key exchange protocol, which is a three-stage process. During the first stage, a confirm value is calculated to make sure both communicating parties have the same temporary key and established the same random numbers that will be used later in the process. The second and third stages are about exchanging the short-term and the long-term keys. The main issue is with the first stage, during which the temporary key is determined by one of the three following pairing methods:
- Just Works
- 6-digit PIN
- OOB (not broken)

Quoting from the Bluetooth Core Spec: “None of the pairing methods provide protection against a passive eavesdropper during the pairing process as predictable or easily established values for TK are used […]” (TK being a reference to “Temporary Key”). When the devices begin pairing, they start to exchange values in plaintext. These values include random numbers, and the confirm value that is calculated at the end of the first stage:
Confirm = AES(TK, AES(TK, rand XOR p1) XOR p2)

All of the values in the previous formula are sent as plaintext except for the TK. If the pairing method used was “Just Works”, the TK is always 0. If the method was a 6-digit PIN, then the number of possibilities is 999,999. In this case the TK can be brute forced in less than 1 second. After having the TK, it is very simple to find the short-term key, then the long-term key, and finally all session keys. This attack is a 100% passive attack; the end user can never know if someone has broken his key exchange process. The only secure way to exchange long-term keys is to pair in a Faraday cage.

However, there is an active attack that can force a re-pairing process, so that a new long-term key would be generated. Since any Bluetooth adapter can be used as a slave or as a master, Ubertooth can be used as a Bluetooth client and can forge the victim’s MAC address. When the master wants to establish a connection with the victim’s slave using the long-term key, the attacker will increase its transmitted power and will tell the master that it does not have any long-term key, requesting a re-pairing process. At this stage, the attacker will go back to sniffing mode and will listen to the communications between the master and the slave, and to how the master starts a re-pairing operation with the real slave, leading to finding the long-term key.

The only available solutions are to either use OOB as the pairing method, or to use SSP (Secure Simple Pairing) to exchange and generate the long-term key.
Sniffing
There are many free or open source tools and applications to sniff and attack the Bluetooth protocol. I will list some of the most common of them:
- On Android phones: Bluetooth finder, bt-crawler, Bluescan…
- On Linux: hcitool, BtScanner, Hci lescan…

This is in addition to the Ubertooth open source project. Since the Ubertooth One SDR was available for us to use, I used this guide [7] to build the project. Later on I installed all the required dependencies, and prepared the environment for using Ubertooth. After that, I started sniffing Bluetooth packets on the terminal and installed the Wireshark Bluetooth plugins. I could not see the Ubertooth device among the devices shown in Wireshark; however, I managed to direct the Ubertooth capture into a “FIFO” file, and then configured this file as a packet input in Wireshark. And since the plugins were already installed, Wireshark was immediately able to decode and parse them exactly as Ethernet packets are parsed. Below is a screenshot of the Wireshark Bluetooth capture I was able to sniff. (The procedure I followed to bind Wireshark with Ubertooth is described in appendix D.4.)

Figure 10: Bluetooth Wireshark Capture
Task 5: S_Camera

Introduction
The S_Camera home is a smart IP camera to which additional features were added. It allows getting live streaming on the user’s smartphone, and it also sends movement notifications and alerts. It has an air quality sensor, 2 built-in microphones and one built-in speaker. These features allow the detection of air pollution caused by external air pollution, kids’ diapers… They also give users the possibility to have a live chat with their baby monitored by this camera, and to play some music for him to sleep while changing the camera’s color. It can be ordered from the official website for around 200$. That website also contains more information concerning the camera’s properties and features.

Footprinting
Hacking the S_Camera home was a real challenge, as all communication goes through the vendor’s cloud. To start, the S_Camera home is mainly a home security camera that has more features than regular surveillance IP cameras. It can be connected to an iPad to view the video stream, to listen to live recorded voice through its built-in microphone, to modify its video settings and configuration, and to control it, meaning you can change its color, make it play some music…

In a first phase, I discovered that the tablet does not establish any connection with the camera. All controls and orders sent from the iPad are sent over the internet, and the video stream is also sent from the vendor’s servers. The same goes for the camera: as it does not have a direct connection with the iPad, it sends its video streams over the internet and receives orders from the servers. Below is a sample illustration.

After further observations, I found out that all communication between the camera and the cloud is encrypted, as TLS is used. And since I am not authorized to conduct security tests on the vendor’s servers, I did not find a potential attack vector on those communications.
But when it came to the communications between the tablet and the servers, the video stream was protected, but not the control orders. This means that we were able to view the commands transmitted in plain text, whether they serve to change the color, modify the music volume, start the music, modify the video settings…

Figure 11: S_Camera Home
Attack Narrative
My first attempt was to try to create a TCP connection with the same server, using the same destination port. The server did not accept the connection, so this attempt failed. I figured that the server uses only one connection to communicate with the camera. My goal became to be able to inject packets into this same connection. The challenge was that the camera sends reports and information to the server every few seconds, changing the sequence numbers of the connection, and that the “Timestamp” option was also used. This means that to successfully inject packets, I need to have correct values of the sequence number, TSval and TSecr.

To mount this attack, I used scapy-radio, an open source project that allows sniffing, crafting and manipulating packets by controlling the network adapter without the intermediary of the system kernel. This Python-based tool is very powerful since it gives us access to all the fields of the frame before sending it. After getting familiar with the tool’s libraries and built-in functions, I managed to code the script shown below. The function “sniff()” filters the sniffed packets, and for each match it calls the function “pkt_callback”, passing the packet as a parameter. In the definition of “pkt_callback”, I do another filtering, and once I identify a packet sent from the iPad to the server, I copy its headers into a new packet, modify the sequence number, increase the timestamp values by 10 ms, and use this new packet to send the information I need.

The attack was more against the TCP protocol than against the camera itself; however, the fact that the vendor’s servers do not accept more than one TCP connection, and that its lifetime was measured in hours even when no packets are exchanged, made the camera vulnerable to such attacks. In fact, to recover from such an attack, we had to restart the iPad and wait for more than 12 hours.
Even uninstalling and then reinstalling the iPad application was not enough to start a new connection with the server.

Proposed solution
I would propose adding authentication and integrity to the process by encrypting a hash with a shared secret key that can be exchanged using any of the previously established TLS connections. Or, if possible, and since all other communications use TLS, it would be a good idea to use it also for the camera control plane.

The script referred to above:

    from scapy.all import IP, TCP, send, sniff  # import missing from the original listing

    def pkt_callback(pkt):
        pkt.show()
        # Only act on packets going from the iPad to the server's control port
        if (pkt[IP].src == "192.168.2.123") and (pkt[TCP].dport == 5222):
            a = IP(ttl=64, flags=2, src=pkt[IP].src, dst=pkt[IP].dst)
            c = """GET / HTTP/1.1
    Host: 192.168.2.1
    User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Firefox/31.0 Iceweasel/31.6.0
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
    Accept-Language: en-US,en;q=0.5
    Accept-Encoding: gzip, deflate
    Connection: keep-alive

    """
            # Copy the observed TCP header, shift the sequence number and
            # add 10 ms to the TSval of the Timestamp option
            b = TCP(sport=pkt[TCP].sport, dport=pkt[TCP].dport,
                    seq=pkt[TCP].seq + 209, ack=pkt[TCP].ack,
                    flags=pkt[TCP].flags, window=pkt[TCP].window,
                    options=[('NOP', None), ('NOP', None),
                             ('Timestamp', (pkt[TCP].options[2][1][0] + 10,
                                            pkt[TCP].options[2][1][1]))])
            send(a/b/c)

    sniff(iface="wlan1", prn=pkt_callback,
          filter="ip and tcp and port 5222 and host 192.168.2.123", store=0)
Task 6: Hackathon

Introduction
The Device IOT Excellence Center, after organizing a successful Hackathon (Hack the Camera) a few months ago, decided to organize a new Hackathon concerned with home automation: “Hack the Home”. The goal of this Hackathon is to show the public how dangerous it is to install non-secured connected objects at home, and how important it is to rely only on tested and verified communication protocols to control the home. (The flyer for this Hackathon is in appendix D.6.1.)

My roles in this Hackathon were to propose hacking scenarios with the rest of my colleagues, to configure and test the scenario environment, and to automate all the required human intervention by coding automation scripts and simulating mobile applications. I also offered to prepare a couple of cryptography challenges, since I am very experienced in this domain.

Automation scripts

Scanning for networks
In one scenario, I had to scan for a specific Wi-Fi network and, if found, connect, send a packet to the access point, and then disconnect. To do that, I modified the wpa_supplicant file located in “/etc/wpa_supplicant/wpa_supplicant.conf”. I removed the auto-update option and manually added the SSID connections I wanted to look for. I then wrote a bash script that runs in a loop, executing “iwconfig wlan1 down” followed by “iwconfig wlan1 up” to force the Wi-Fi adapter to keep searching for the specified SSID and connect to it when found. In every loop, the script tries to ping the access point; if it gets a reply, it means it is connected to the correct network, and so it launches the Python script. If it does not receive a response to the ping, it assumes that it is not connected, and so it sleeps for 1 minute before restarting the scan for the desired SSID. I made the script record every output in a log file. To launch this script on boot, I added the path to my script to the file “rc.local”.
The bash script is given in appendix D.6.2.

Emulating an Android application
I had to automate a user using a mobile application to activate a smart switch. To do that, I had to replay 13 TCP connections while respecting the time interval between each connection. I launched Wireshark and recorded all the connections, then wrote a Python script that opens the connections, sends the packets, and then closes the connections.

Fake SMTP
In another scenario, I had to automate the sending of emails, so that a participant would establish a man-in-the-middle attack, intercept these emails, and retrieve the attached files. In order to send such emails, I used sendEmail to communicate with and push emails to a fake SMTP server I installed on a Linux machine using Python. The corresponding scripts are described in appendix D.6.3.

Cryptography challenges
To validate some scenarios, participants had to solve cryptography challenges. I made two challenges. The first one would be solved using the common factor vulnerability to crack a 4096-bit certificate. The second is to factorize a 256-bit modulus and calculate the private key. In addition, there was a third challenge given by Mr. Gwenel, representing “AFTI”. (The challenges and their solutions are attached in appendix F.6.)

4096-bit challenge
The goal of this challenge was to calculate the private key so participants can decrypt a file containing a map to a hidden safe, and another encrypted file. The available files are:
- 20 x 4096-bit certificates (2 of them have a common factor)
- Encrypted file
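The common-factor weakness behind the 4096-bit challenge, as an added example (not the challenge files or their solution): the same pairwise GCD check a defender runs over a fleet of certificates to spot keys generated with a shared prime, here on constructed toy moduli built from Mersenne primes, with the private exponent recovered for the weak pair to show why a shared factor is fatal.

```python
from math import gcd

E = 65537  # the usual public exponent

# Constructed toy moduli built from Mersenne primes (known primes), standing in for
# the challenge's 20 certificates; the first and third deliberately share a prime.
P = (1 << 31) - 1
Q = (1 << 61) - 1
R = (1 << 89) - 1
S = (1 << 107) - 1
T = (1 << 127) - 1
MODULI = [P * Q, S * T, P * R]


def find_shared_factors(moduli):
    """Pairwise GCD over the moduli; returns (i, j, shared_prime) for each weak pair.

    A GCD of 1 means the pair is independent; a non-trivial GCD is a prime
    factor of both moduli, which factors each of them completely.
    """
    weak = []
    for i in range(len(moduli)):
        for j in range(i + 1, len(moduli)):
            g = gcd(moduli[i], moduli[j])
            if 1 < g < moduli[i]:
                weak.append((i, j, g))
    return weak


def private_exponent(n, p, e=E):
    """Given one prime factor of n, recover the other and compute d = e^-1 mod phi(n)."""
    q = n // p
    if p * q != n:
        raise ValueError("p does not divide n")
    phi = (p - 1) * (q - 1)
    return pow(e, -1, phi)  # modular inverse (Python 3.8+)


def encrypt(m, n, e=E):
    return pow(m, e, n)


def decrypt(c, n, d):
    return pow(c, d, n)


if __name__ == "__main__":
    for i, j, p in find_shared_factors(MODULI):
        d = private_exponent(MODULI[i], p)
        print(f"moduli {i} and {j} share a prime; private exponent of {i} recovered")
        print("round trip ok:", decrypt(encrypt(42, MODULI[i]), MODULI[i], d) == 42)
```

For a real fleet the pairwise loop becomes quadratic; the remedy on the issuing side is a properly seeded random number generator at key generation time.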
256-bit challenge
For this challenge, participants should extract the modulus from the certificate and factorize it to get the private key. This private key will allow them to decrypt a file containing a lock code for the safe containing the treasure.

Gwenel challenge
The goal of this challenge was to decrypt a message containing a sequence that should be used to turn connected light bulbs on and off. The encryption function is provided with the challenge, so participants can understand it and implement a decryption function. The cryptanalysis to be used is based on the Chinese remainder theorem. I solved this challenge as if I were a participant, in order to improve my cryptography skills.

Results
During this hackathon:
- 8 teams of 4 were competing
- 6 schools and 3 big companies were represented
- There was a total of 15 scenarios, 10 of which were successfully hacked
- Each team solved 4 scenarios on average
- More than 150 connected devices were deployed and attacked
- There were more than 46 professional and academic visitors and spectators

As a direct result of the event, IoT device vendors started contacting the DIOTEC to check whether or not their products were tested or hacked. Other companies also came with their connected objects so we can run security tests and provide them with a full security assessment.
Task 7: GNU Radio

Introduction
GNU Radio is a free and open-source software development toolkit that provides signal processing blocks to implement software radios. It can be used with readily available low-cost external RF hardware to create software-defined radios, or without hardware in a simulation-like environment. It is widely used in hobbyist, academic and commercial environments to support both wireless communications research and real-world radio systems.

Installation
There are many methods to install GNU Radio. A user can choose to use a complete build script [8]. He can choose to manually [9] install the dependencies and all the libraries, and then compile and install. Or, the easiest way, he can install GNU Radio using PyBombs [10], which is a graphical tool that installs all dependencies and solves most of the installation problems that might occur.

Test with HackRF
To get familiar with GNU Radio and the HackRF, I followed an online tutorial and managed to build the flow graph that demodulates FM frequencies and allows listening to radio stations. Below is a screenshot of the corresponding GRC graph:

Figure 12: GnuRadio FM receiver
Task 8: Z-Wave

Introduction
Z-Wave is a radio communication protocol that is popular in IoT devices. It uses the ISM band (868.42 MHz in Europe) and an FSK modulation scheme. Z-Wave is a closed protocol; it is the property of Sigma Designs. Developers and users only have access to the controller’s API, which is provided by Sigma. The only way to get full documentation of the physical and access layers is to buy a developer kit from Sigma Designs for 3000$ after signing a strict NDA.

Communication
The communication model is based on a master-slave model, where the master is called the controller and the slaves are the connected devices (nodes). Each controller can be connected to 129 nodes. The Z-Wave network is identified by its 32-bit HomeID, which is the controller’s unique ID. All communicating nodes in the same network share the same HomeID, but are identified by their NodeID, which is the ID provided to them by the controller once they joined the network.

To add a node to a controller’s network, a physical human intervention is required. First, the user should press 3 times on the controller’s inclusion button, so it enters inclusion mode and starts listening for joining requests. Just after that, the user should press three times on the node’s button. The same physical intervention is required during the exclusion process. Even though Z-Wave’s range can reach up to 50 m, the distance should be less than 2-3 meters during the inclusion/exclusion process.

During communication, the controller first sends a request to the node, waits for the ACK, then waits again for the response, and finishes by sending an ACK for the response. Security is defined in the Z-Wave protocol; however, it is considered an optional feature.
Many articles discuss security in the Z-Wave protocol, stating that even when security is implemented, the initial key exchange process is vulnerable because the initialization vector used to encrypt the first exchanged values is composed of zeros. There were no Z-Wave devices among the lab devices where security was implemented, so I was not able to verify this information about the key exchange process.

Protocol vulnerabilities

As I said before, security is not mandatory, and is therefore rarely implemented, due to the power consumption and computation limitations of the connected objects. This means that once someone gains access to the access layer of the protocol, he can easily control all Z-Wave nodes in range.

In addition, according to the Z-Wave protocol, a node cannot be connected to more than one controller at the same time, so it must be excluded from the first controller before being connected to the second. However, on some Z-Wave devices, we were able to disconnect a node 1 from controller A and connect it to controller B using only controller B. This can be dangerous, since a social engineer can use his skills to make the user press the node's button 3 times and connect it to a hacker's controller.

Existing attack tools

Some Z-Wave capable devices and dongles are provided by Sigma Designs, while others are SDR devices that were modified or tuned with software to operate on the Z-Wave frequency.

Figure 13: Z-Wave Network [30]
43. 43. 42 Z-Stick (30$)

The Z-Stick is a Z-Wave controller. It can be connected to any computer so that users and developers can use its API to control its Z-Wave network. Users do not have access to the HomeID; they can only include devices. On Windows, the Aeon Labs IMA Tool allows them to view the nodes connected to this controller. I installed this tool and was able to add and exclude nodes on the controller, and to test this dongle. This is a typical use of the Z-Stick.

I followed a tutorial [11] using C# that allowed me to program this Z-Stick and become able to control its nodes. This tutorial improved my understanding of the Z-Wave protocol and made me ready to go further with my attacks. Below is an example that turns on a Z-Wave switch:

    using System;
    using System.IO.Ports;

    public class ZStickDemo
    {
        public static void Main()
        {
            SerialPort sp = new SerialPort();
            sp.PortName = "COM4";        // serial port exposed by the Z-Stick
            sp.BaudRate = 115200;
            sp.Parity = Parity.None;
            sp.DataBits = 8;
            sp.StopBits = StopBits.One;
            sp.Handshake = Handshake.None;
            sp.DtrEnable = true;
            sp.RtsEnable = true;
            sp.NewLine = System.Environment.NewLine;
            sp.Open();

            byte nodeId = 0x06; // 6 is an example
            // Set state to 0xFF to turn the device on and 0x00 to turn it off
            byte state = 0xFF; // On
            // Serial API frame: SOF, length, request, ZW_SEND_DATA, node id, data length,
            // COMMAND_CLASS_BASIC, BASIC_SET, value, TX options, checksum placeholder
            byte[] message = new byte[] { 0x01, 0x09, 0x00, 0x13, nodeId, 0x03, 0x20, 0x01, state, 0x05, 0x00 };
            message[message.Length - 1] = GenerateChecksum(message);
            sp.Write(message, 0, message.Length);
            sp.Close();
        }

        // Serial API checksum: XOR of every byte between the SOF and the checksum, seeded with 0xFF
        public static byte GenerateChecksum(byte[] message)
        {
            byte checksum = 0xFF;
            for (int i = 1; i < message.Length - 1; i++)
                checksum ^= message[i];
            return checksum;
        }
    }

Figure 14: Z-Stick typical use case [27]
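To make the frame layout behind that C# snippet explicit, here is an added example (my own, not code from the report, the tutorial or Sigma Designs) that builds the same ZW_SEND_DATA frame in Python and decodes frames read back from the stick, rejecting truncated or mis-sized frames and checksum mismatches. The constant names (FUNC_ZW_SEND_DATA, CC_BASIC, BASIC_SET, TX_OPTIONS) are assumptions taken from public descriptions of the Serial API; only the byte values are on the page.

```python
"""Build and decode Z-Wave Serial API frames exchanged with a USB controller.

Added example (not code from the report or from Sigma Designs): it lays out
the frame the report's C# snippet sends and verifies the XOR checksum on
frames read back, so a practitioner can check exactly what a Z-Stick is being
asked to transmit. Constant names are assumptions; only the byte values are
taken from the report.
"""

SOF = 0x01                # start of data frame
REQUEST = 0x00            # frame type (0x01 would be a response)
FUNC_ZW_SEND_DATA = 0x13  # assumed name for the 0x13 function id in the report
CC_BASIC = 0x20           # COMMAND_CLASS_BASIC
BASIC_SET = 0x01          # BASIC_SET command
TX_OPTIONS = 0x05         # transmit options byte used in the report's frame


def checksum(frame: bytes) -> int:
    """Serial API checksum: XOR of every byte between SOF and the checksum, seeded with 0xFF."""
    c = 0xFF
    for b in frame[1:-1]:
        c ^= b
    return c


def build_send_data(node_id: int, data: bytes, tx_options: int = TX_OPTIONS) -> bytes:
    """Frame a ZW_SEND_DATA request; the length byte counts every byte after itself."""
    if not 1 <= node_id <= 0xFF:
        raise ValueError("node id must fit in one byte")
    body = bytes([REQUEST, FUNC_ZW_SEND_DATA, node_id, len(data)]) + data + bytes([tx_options])
    frame = bytearray([SOF, len(body) + 1]) + body + b"\x00"  # +1 for the checksum byte
    frame[-1] = checksum(frame)
    return bytes(frame)


def basic_set_frame(node_id: int, on: bool) -> bytes:
    """Same frame as the report's C# snippet: BASIC_SET 0xFF (on) or 0x00 (off)."""
    return build_send_data(node_id, bytes([CC_BASIC, BASIC_SET, 0xFF if on else 0x00]))


def parse_frame(frame: bytes) -> dict:
    """Decode a data frame, refusing anything truncated, mis-sized or with a bad checksum."""
    if len(frame) < 5 or frame[0] != SOF:
        raise ValueError("not a Serial API data frame")
    if len(frame) != frame[1] + 2:
        raise ValueError("length byte does not match the frame size")
    if checksum(frame) != frame[-1]:
        raise ValueError("checksum mismatch")
    info = {"type": frame[2], "func": frame[3]}
    if info["type"] == REQUEST and info["func"] == FUNC_ZW_SEND_DATA:
        data_len = frame[5]
        data = frame[6:6 + data_len]
        if len(data) != data_len or len(frame) < 8 + data_len:
            raise ValueError("data length byte does not fit the frame")
        info.update(node_id=frame[4], data=data, tx_options=frame[6 + data_len])
        if data_len >= 3 and data[0] == CC_BASIC and data[1] == BASIC_SET:
            info["basic_value"] = data[2]
    return info


if __name__ == "__main__":
    # Constructed demonstration: the on/off frames for node 6, then decoded again
    for on in (True, False):
        f = basic_set_frame(0x06, on)
        print(f.hex(" "), parse_frame(f))
```

The decoder is the useful half for an analyst: pointed at bytes captured on the stick's serial port, it shows which node a command addresses and what value is being set, and a frame whose length byte or checksum does not match is rejected rather than partially interpreted.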