This document summarizes a presentation about insecure and obsolete Internet of Things (IoT) devices. It discusses how to obtain old IoT devices, disassemble them to identify components, reverse engineer interfaces like UART and JTAG, extract file systems, and use tools like OpenOCD to hack the firmware. It also covers software-defined radios and how emergency sirens can potentially be hacked by spoofing radio signals. The presentation aims to show how trivially many IoT devices can be hacked and encourages securing obsolete technology before it becomes a bigger problem.

1. INSECURE OBSOLETE AND TRIVIAL:
THE REAL IOT
BSIDES ROC 2017
JUSTIN BERRY
&
PRICE MCDONALD

2. ABOUT:US

3. O’RLY?

4. METHODOLOGY

5. WHERE DO WE GET THE THINGS?
• Beta Programs
• https://www.betabound.com/tp-link-router-
private-beta/
• https://beta.linksys.com/
• https://www.beta.netgear.com/signup/
• Flea Markets
• Ebay
• Craigslist
• Garage Sales

6. DISASSEMBLY “VOIDING THE WARRANTY”

7. TAMPER RESISTANCE/DETECTION/ALERTING
They mean different things, but may not matter either way.

8. COMPONENT IDENTIFICATION
What do you
see?

9. COMPONENT IDENTIFICATION(2)
• EOL 802.11G router SoC (System on Chip)
• 200 Mhz MIPS32 core
• Supports Serial or Parallel Flash
• One JTAG and two UART Ports
• 336 ball FBGA (Fine-pitch Ball Grid Array)
• 32M-BIT Parallel NOR Flash Memory
• 3V only
• 48-pin TSOP (Thin Small Outline Package)
• CMOS DDR400 RAM
• 66-pin TSOP II

10. ARTS AND CRAFTS TIME

11. FINDING GROUND
• Using the MultiMeter we can figure out which of the pins
on our headers connect to ground and which have
voltage.
GroundVoltage
Specifically
3.3v
• Got Ground?

12. PHYSICAL
COUNTER
MEASURES

13. COMMON INTERFACE TYPES
• UART - Universal Asynchronous Receiver/Transmitter
• SPI – Serial Peripheral Interface
• I2C – Inter Integrated Circuit
• JTAG – Joint Test Action Group – Hardware Debugging
Interface
• CAN – Controller Area Network (Cars/ATM/etc)
• RS232- Serial Interface used on many legacy devices

14. PINOUT REVERSING
• SALEAE LOGIC ANALYZER
• ~100 BUCKS ON THE LOW END @
HTTPS://WWW.SALEAE.COM
• ALSO, EDU DISCOUNTS AVAILABLE UP TO 50%
DEPENDING ON MODEL.
• KEEP IN MIND THAT LOGIC ANALYZERS ARE SAMPLING WHICH
CAN CAUSE ARTIFICIAL DATA DEPENDING ON THE SAMPLING
RATE AND THRESHOLDS.
• WORKS FOR I2C, UART, SPI, JTAG, CAN, ETC, ETC

15. CONNECTING TO INTERFACES
• Bus Pirate
• Less of a learning curve
• Slower transfer speeds
• Supports UART, SPI, I2C and JTAG
• Shikra
• No UI but faster transfer speeds as a result
• Supports UART, SPI, I2C and JTAG
• TIAO USB Multiprotocol Adapter
• No UI but faster transfer speeds as a result
• Supports UART, SPI, I2C, JTAG, RS-232
• Supports multiple connections from same device
• Slightly less reliable in my experience

16. CONNECTING TO UART
The command used to connect to a UART serial adapter will vary by
device and OS but will generally be similar to the command below.
sudo screen /dev/[device id] baud rate
Or the the case of the Device ID below for the Shikra:
sudo screen /dev/ttyUSB0 115200

17. WE NOW HAVE SHELL!
HOPEFULLY
But now what?

18. NO TECH HACKING

19. NO TECH HACKING(2)

20. FILE SYSTEM FIDDLING
Often times embedded device manufacturers leave important file systems
unmounted.
Another good Resource:
http://wiki.in-circuit.de/index.php5?title=Flashfilesystem_

21. PILFERING FILE SYSTEMS
But, How do we get the file system off of the target device?

22. SSH WHOOPS?

23. OPTIONS FOR CONNECTING TO JTAG
Good Better Best
$45 $60-$600 $5000-
$20000

24. JTAGULATOR

25. HOW TO CONNECT WITH OPENOCD
The command to initiate openocd is : openocd –f interface –
f target
But now what? There are errors and stuff!!!!!
#openocd on

26. HOW TO CONNECT WITH OPENOCD(2)
Silly openocd!
That’s more like it J

27. USING OPENOCD

28. REVERSE ENGINEERING
• Binary Ninja
• Free version available
• Limited Architecture Support
• Learn one IL to reverse them all
• Ida Pro
• Paid Version required for disassembly
• ARM decompiler available but $$$$
• Also very good debugger
• Radare2
• Free multiplatform support
• No decompiler available

29. OTHER NICE TO HAVES

31. NOW TIME FOR THE HACKING!

32. SDR – WHAT DOES IT MEAN?

34. WHAT IS SDR?

35. RTL-SDR
500 KHZ - 1.7 GHZ
RX ONLY
$25
HACKRF ONE
1 MHZ - 6 GHZ
RX/TX @ HALF-DUPLEX
$315
USRP
70 MHZ - 6 GHZ
RX/TX @ FULL-DUPLEX
$900
DIFFERENT THINGS

36. CAUSES TORNADOES
Only way to stop the noise was “to unplug the radio systems and
the repeater”
Could have recorded the commands during a system test or
actual tornado, and then played them back.
Source: https://arstechnica.com/information-technology/2017/04/dallas-siren-hack-used-radio-signals-to-
spoof-alarm-says-city-manager/
Controlled by tone combinations used by the Emergency Alert
System broadcast over the National Weather Service's weather
radio – Spoofed?
Can also be controlled by Dual-Tone Multi-Frequency (DTMF) or
Audio Frequency Shift Keying (AFSK) encoded commands from
a dispatcher or command center terminal sent over UHF radio
frequencies -- 700 MHz range.

37. THE SOFTWAREZ

38. FM RADIO DEMO

39. PAGER DEMO

40. SO WHAT DOES THIS HAVE TO DO WITH ANYTHING?

41. HINT:

42. SURELY A SIMPLE REPLAY WON’T WORK

43. MAIN ALARM DEMO

44. FREQUENCY DESENSITIZATION

45. MORAL OF THE STORY?

46. Q & A

47. RESOURCES
• SDR-RADIO.COM
• GREATSCOTTGADGETS.COM
• GNURADIO.ORG
• RTLSDR.ORG - ##RTLSDR
• GRANDIDEASTUDIO.COM/HARDWARE-HACKING-TRAINING/
• XIPITER.COM/TRAINING.HTML
• EEVBLOG.COM
• EMBEDDED.COM/ELECTRONICS-BLOGS/BEGINNER-S-CORNER/

48. CONTACT INFORMATION
TWITTER: @PRICEMCDONALD
EMAIL: JKBERRY924@GMAIL.COM
EMAIL: PRICEMCDONALD@GMAIL.COM
COALFIRE:
TWITTER @COALFIRELABS
HTTPS://COALFIRELABS.COM