Raúl Siles - IOT: INTERNET OF T... [rooted2018]

Giving advanced (or "smart") capabilities, together with connectivity to the Internet and to other data networks, to any everyday or innovative device, known as the Internet of Things (IoT), carries numerous risks from a security point of view, especially if precautions are not taken and/or the potential threats and the vulnerabilities already known today are not considered from the initial design phase of the solution.

If a detailed security analysis is carried out (hardware components, physical access, web interface, mobile apps, "cloud" services, wireless/radio communications, etc.), what vulnerabilities are present in the more complex IoT solutions, those integrated with mobile apps and "cloud" services and made up of a hub or central controller plus multiple wireless peripheral devices, for example those associated with a home-automation (domotics) technology environment?

Published in: Technology

  1. IoT: Internet of T… Raúl Siles, Founder & Senior Security Analyst, raul@dinosec.com. www.dinosec.com, @dinosec. March 3, 2018. 2018 © Dino Security S.L. All rights reserved.
  2. This presentation is inspired by true events. All events, locations, characters, persons, companies, firms, and IoT products :) depicted in this presentation, even those based on real devices, are fictitious. Any resemblance to reality is purely coincidental and unintentional.
  3. (image-only slide)
  4. Disclaimer
     • Real devices and details have been sanitized to minimize the risk of vendor identification and massive exploitation.
     • Live demonstrations and videos have to deal with and overcome these constraints.
     • Any resemblance of images, screenshots, text, code snippets, and other details… to reality is purely coincidental and unintentional.
  5. IoT: Internet of T…
     • IoT, Internet of Things
       – Terror
       – Traps, Tricks, Targets, Threats, Turbulences, Toilets… :)
       – Trends
       – Topics, Timers…
       – …
     • Internet of Testing
     • Internet of Trust
     https://twitter.com/dinosec/status/954283251081928706 (Carles, Javier…)
  6. IoT Security Analysis Methodology
     • Hardware components (+buttons/interfaces/ports...)
     • Firmware
     • "Cloud" services
     • Mobile apps
     • (Admin/Mgmt.) Web interface (& other services)
     • Wireless/Radio communications
     • Local storage
     "Análisis de los vectores de ataque del Internet de las cosas (IoT)" ("Analysis of the attack vectors of the Internet of Things (IoT)"), https://www.ismsforum.es/estudioCEM
  7. RootedCON 2016
  8. Target
  9. Advanced IoT Solutions: Parts List :)
     • Central controller or hub
     • Wireless peripheral devices
       – Sensors
       – Actuators
     • "Cloud" services
     • Mobile apps
     • Web interface (& other services)
  10. Target: Domotic IoT Solution ((Smart) Home Automation)
     • Central controller or hub (plus remote controllers)
     • Wireless peripheral devices: Sensors & Actuators
       – Environmental control system
         • Heating system
         • Shutters
       – Lighting system and power plugs
       – Physical access (e.g. garage door)
     • "Cloud" services, mobile apps, web interface…
  11. Market(ing) vs. Real Needs
  12. Domotic IoT Solution: Technologies
     • IoT: Internet (TCP/IP) of T…
     • Radio/Wireless technologies (proprietary protocols)
       – v1: 433 MHz (∼50 m)
         • Up to 6 paired transmitters (or channels)
       – v2: 868 MHz (∼150 m) + state feedback
         • Up to 32 paired transmitters
       – Transmitter, receiver (+ feedback) or transceiver
     • USB expansion port: Z-Wave?…
     • Absent wireless technologies: Wi-Fi, Bluetooth, ZigBee, etc.
  13. Target: Blueprint
  14. Finding the entry…
  15. Outline
     • Hardware components (+buttons/interfaces/ports...)
     • Firmware
     • "Cloud" services
     • Mobile apps
     • (Admin/Mgmt.) Web interface (& other services)
     • Wireless/Radio communications
     • Local storage
  16. Hardware Teardown
  17. Target: Hardware
  18. Hardware Teardown
     • Central controller or hub (Internet to radio/wireless)
     • Remote control (up to 3/16 channels)
     • Heating system (thermostat schedule)
       – Heating controller (software), heater/boiler module (with state feedback) and temperature sensor
     • Lighting (e.g. indoor/outdoor bulbs, ceiling lights, lamps… anything)
       – On/off or dimmer module, wall switch, motion or presence detector, opening detector and power plugs (on/off or dimmer)
     • Physical environment and access control
       – Shutter module (with state feedback), and door or gate module
  19. Devices Classification
     • Transmitters (∼sensors)
       – Remote controller
       – Wall switch
       – (indoor/outdoor) Motion or presence detector
       – (door/window) Opening detector
       – Temperature sensor
     • Receivers (∼actuators)
       – Heater/boiler module
       – Shutter module
       – Door or gate module
       – Lighting on/off or dimmer module
       – Power plugs (on/off or dimmer)
     • Transceiver
       – Central controller or hub
  20. Hardware Hacking 101 :)
     • Screwdriver hacking! Thanks to my father!
     (pictured bit: 857/1 Z, fork tip or bit for spanner screws)
  21. Remote Controller
     • 3 channels
     • NDR433TS:
       – NEDI SAW (surface-acoustic-wave) resonator
         • Frequency stabilization at 433.920 MHz
     • Radio chip: 611S21 * DA17DB
       – Unknown (radio chip)
         • Found a single Internet reference in Norwegian for 433.92 MHz
         • Google, www.findchips.com, etc.
  22. Shutter or Door/Gate
  23. Hub or Central Controller
  24. Temperature Sensor
     • Main (and unique) chip
       – …
  25. Heater / Boiler Module
  26. Power Plug
  27. Firmware
  28. Target: Firmware
  29. Firmware Updates
     • No auto update capabilities
     • Manual download from manufacturer website (or by contacting support)
     • Backup current configuration first :) (…via cloud only :( )
     • Upload '<version>.bin' file via web interface
       – Authentication required as "admin" (web interface details)
       – No signature (build your own firmware version :) and…)
     • Restart
     (strings) Use <a href="/upload">MPFS Upload</a> to program web pages...
  30. Firmware Analysis
  31. Firmware Analysis: Details
     • binwalk: Firmware analysis tool
       – Found: MPFS v2.1 filesystem, images (PNG, GIF, JPEG, TIFF…), compressed data (gzip and Zlib), HTML documents, etc.
     • No encryption and just… some compression
     • "strings is your friend…" (e.g. Google Maps API key)
     https://github.com/ReFirmLabs/binwalk
     Strings found in the firmware image:
       Version 3.5.2
       Builddate Mar 3 2018
       Productmodel A8021
       FW-Version 186370035640
       MPFS-2.1
       autologin
       # login as user
       admin
       # login as admin
       …
       usrpass 52d04dc20036dbd8
       setpass 7a57a5a743894a0e
  32. Firmware Analysis: Filesystem Format
     • MPFS (Microchip PIC File System)
       – Indexed web files for auto tag expansion (e.g. ~foo~)
       – Plain and compressed files
     • Microchip TCP/IP Stack
       – Microchip's HTTP(2) web server
       – MPFS(2)
     • Internal memory or EEPROM
     https://books.google.es/books?id=V1wLsfO1114C
  33. Firmware MPFS Extraction
     • binwalk custom plugin
       – Signature: known MPFS data signatures ("…/magic/filesystems")
         • Starts with the string "MPFS{v}{s}{f}" (version, subversion, file entries)
         • MPFS{byte}{byte}{leshort} (byte: 8-bit integer; leshort: little endian 2-byte integer)
       – Extractor: <missing>
     • MPFS extraction tools… :(
     • MPFS2 extraction tools
       – mpfs2-fsutil (--list & --extract)
       – https://www.mjoldfield.com/atelier/2007/12/mpfs2.html
     https://github.com/ReFirmLabs/binwalk/wiki/Creating-Custom-Plugins
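The MPFS signature above is only the four magic bytes plus version, subversion and a little-endian entry count, so a bare magic match also fires on the "MPFS Upload" HTML string present in the same firmware. The following added example (not the deck's or binwalk's own code) scans a constructed blob the way a custom signature plugin would and uses the version tuple and entry count to separate the real header from the text match; the blob contents and the 1024-entry sanity limit are assumptions.

```python
import struct
from typing import Dict, List

# Constructed sample blob (not a real firmware image): the HTML string seen in
# the firmware, which also begins with "MPFS", followed by a genuine MPFS v2.1
# header announcing 12 file entries.
SAMPLE_BLOB = (
    b"\x00" * 16
    + b'Use <a href="/upload">MPFS Upload</a> to program web pages...'
    + b"\x00" * 32
    + b"MPFS" + bytes([2, 1]) + struct.pack("<H", 12)
    + b"\x00" * 64
)

MAGIC = b"MPFS"
# "MPFS", version (byte), subversion (byte), file entries (leshort)
HEADER = struct.Struct("<4sBBH")


def scan_mpfs(blob: bytes, known_versions=((2, 1),)) -> List[Dict]:
    """Return every MPFS candidate in `blob`, marking which ones are plausible.

    A magic-only signature also matches text such as "MPFS Upload"; checking
    the version/subversion pair and a sane entry count filters those out.
    The 1024-entry upper bound is an assumed sanity limit, not part of MPFS."""
    hits = []
    pos = blob.find(MAGIC)
    while pos != -1:
        if pos + HEADER.size <= len(blob):
            _, version, subversion, entries = HEADER.unpack_from(blob, pos)
            plausible = (version, subversion) in known_versions and 0 < entries < 1024
            hits.append({"offset": pos, "version": version, "subversion": subversion,
                         "entries": entries, "plausible": plausible})
        pos = blob.find(MAGIC, pos + 1)
    return hits


def describe(hit: Dict) -> str:
    """binwalk-style one-line description for a hit."""
    if not hit["plausible"]:
        return f"{hit['offset']:<10} 0x{hit['offset']:X}  false positive (text match)"
    return (f"{hit['offset']:<10} 0x{hit['offset']:X}  MPFS v{hit['version']}."
            f"{hit['subversion']} filesystem, {hit['entries']} file entries")


if __name__ == "__main__":
    for h in scan_mpfs(SAMPLE_BLOB):
        print(describe(h))
```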
  34. Physical Firmware Extraction
     • 4-pin JTAG interface
       – Joint Test Action Group
       – PIC
       – TMS, TDO, TCK, TDI
       – Pins: 23, 24, 27, 28
         • TMS (Test Mode Select)
         • TDO (Test Data Out)
         • TCK (Test Clock)
         • TDI (Test Data In)
         • TRST (Test Reset) optional
  35. "Cloud" Services
  36. Cloud Service
     • User to cloud
       – Direct access to the IoT environment through the cloud
       – Web browser (traditional computer or mobile) and/or mobile app
       – Registration process
       – Backup / Restore capabilities
         • Not available through local web server or via mobile app !!!!
     • IoT to cloud
       – Communication between the IoT environment and the cloud
       – Proprietary protocol, enabled by default
  37. Target: User to Cloud
  38. TCP/IP Port Mapping
     • What do you think of a critical cloud server that has… this list of open ports, and more?
     21/tcp 22/tcp 25/tcp 53/tcp 80/tcp 110/tcp 143/tcp 443/tcp 465/tcp 587/tcp 993/tcp 995/tcp 3128/tcp 8080/tcp 8081/tcp 8090/tcp …
  39. Cloud Passwords
     • At some point, you cannot log in again (web and mobile)
     • After logging in, you should receive a Bearer Token (OAuth 2.0), used for API requests
     • Instead, you get a JSON error (interception proxy)
     • Reason: After extensive research…
       – Does the vendor even know it?
       – If your password is greater than 25 characters (back-end issue)
       – Have you heard about passphrases?
     {"code":503,"error":"server_error","error_description":"server_error"}
  40. Something Does Not Smell Very Well Here…
  41. Backup / Restore Capabilities
     • Is it possible to access other IoT environment's backups?
       – Backups are saved in a proprietary plain text format
         • Reverse engineer backup format to extract rooms, device IDs, MD5…
     • Is it possible to make backups of other IoT environments? :)
     • Anonymously?
  42. Target: IoT to Cloud
  43. IoT to Cloud
     • Proprietary protocol similar to HTTP
       – Enough to make standard HTTP(S) interception proxies fail
       – Solution: mitm_relay (or NoPE) + Burp (et al.)
     • Custom port (1234/tcp)
     • Enabled by default
     • No encryption, no integrity, no…thing
     • Discloses multiple device IDs: model, firmware version, MAC address, serial number, and message ID
     https://github.com/jrmdev/mitm_relay
  44. IoT to Cloud: Proprietary Protocol (JSON API)
       ABCD/1.0 CONNECT
       Model: …
       FW-Version: …
       MAC: …
       SN: …
       Message-ID: …

       ABCD/1.0 KEEP-ALIVE
       Message-ID: …
  45. IoT to Cloud: Admin Access
     • Unencrypted: Cloud requesting admin access to IoT hub…
     Request:
       ABCD/1.0 API-REQUEST
       X-Token: …
       Message-ID: …
       Content-Length: …

       god=admin
     Response:
       ABCD/1.0 API-RESPONSE
       {…"msg":"API_NOT_AUTHED"}
     Request:
       ABCD/1.0 API-REQUEST
       X-Token: …
       Message-ID: …
       Content-Length: …

       user=admin&pass=7a57a5a743894a0e&autologin=0&god=login&…
     Response:
       ABCD/1.0 API-RESPONSE
       {…"msg":"SUCCESS"}
     • Full access to IoT hub and the associated IoT environment...
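The ABCD/1.0 exchange on slides 44 and 45 is HTTP-like but puts the protocol version before the verb, which is why a plain HTTP proxy rejects it and a relay is needed. This added example (not from the deck or the vendor) parses such messages and runs a defender-side audit that flags device identifiers and credentials crossing the wire in cleartext. The captures are constructed: Model and FW-Version reuse strings from the firmware slide, while MAC, SN, token and message IDs are placeholders.

```python
from typing import Dict, List, Tuple
from urllib.parse import parse_qs

# Constructed captures modelled on the slide's message shapes.
CONNECT_MSG = (
    b"ABCD/1.0 CONNECT\r\n"
    b"Model: A8021\r\n"
    b"FW-Version: 186370035640\r\n"
    b"MAC: 00:00:5E:00:53:01\r\n"          # placeholder, documentation MAC range
    b"SN: SN-PLACEHOLDER-0001\r\n"          # placeholder serial number
    b"Message-ID: 1\r\n\r\n"
)
_LOGIN_BODY = b"user=admin&pass=7a57a5a743894a0e&autologin=0&god=login"
LOGIN_MSG = (
    b"ABCD/1.0 API-REQUEST\r\n"
    b"X-Token: TOKEN-PLACEHOLDER\r\n"
    b"Message-ID: 2\r\n"
    + b"Content-Length: %d\r\n\r\n" % len(_LOGIN_BODY)
    + _LOGIN_BODY
)


def parse_abcd(raw: bytes) -> Tuple[str, Dict[str, str], bytes]:
    """Split one ABCD/1.0 message into (verb, headers, body).

    Unlike HTTP the start line is '<proto>/<ver> <VERB>', which is what an
    HTTP-only proxy chokes on; the body length comes from Content-Length."""
    head, _, rest = raw.partition(b"\r\n\r\n")
    lines = head.decode("ascii").split("\r\n")
    proto, verb = lines[0].split(" ", 1)
    if not proto.startswith("ABCD/"):
        raise ValueError(f"not an ABCD message: {lines[0]!r}")
    headers = dict(line.split(": ", 1) for line in lines[1:] if line)
    length = int(headers.get("Content-Length", len(rest)))
    return verb, headers, rest[:length]


DEVICE_ID_HEADERS = ("Model", "FW-Version", "MAC", "SN")


def audit(raw: bytes) -> List[str]:
    """Findings for one message on this plaintext channel: identifier
    disclosure and credential / privileged-parameter exposure."""
    verb, headers, body = parse_abcd(raw)
    findings = []
    for name in DEVICE_ID_HEADERS:
        if name in headers:
            findings.append(f"{verb}: device identifier {name} sent in cleartext")
    params = parse_qs(body.decode("ascii", "replace")) if b"=" in body else {}
    if "pass" in params:
        findings.append(f"{verb}: password field 'pass' sent in cleartext")
    if "god" in params:
        findings.append(f"{verb}: privileged parameter god={params['god'][0]} sent in cleartext")
    return findings


if __name__ == "__main__":
    for msg in (CONNECT_MSG, LOGIN_MSG):
        print("\n".join(audit(msg)))
```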
  46. Mobile Apps
  47. Target: Mobile Apps
  48. Mobile Apps
     • iOS and Android
  49. Username Enumeration in iOS
     • In the login page for the mobile app… :(
     • And as a bonus, if the username does not exist…
     • Be careful with typos in your username :)
       POST /auth HTTP/1.1 (via HTTPS)
       Host: cloud.example.com
       ...
       {username: "monica", password: "0123456789abcdef"}

       {"code":"101","error":"error","error_description":"Wrong Password"}
       {"code":"100","error":"error","error_description":"User not found"}

       POST /auth HTTP/1.1 (via HTTP)
       Host: example.com
       ...
       {username: "monica", password: "0123456789abcdef"}
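The two distinct error bodies above ("Wrong Password" vs. "User not found") are the oracle that lets anyone confirm which usernames exist. This added example (not the vendor's code) puts a handler that mirrors that behaviour beside a hardened one that returns the same response for both failure causes and always performs the hash comparison, plus a check a defender can run against either. The user store, salt and token value are constructed placeholders.

```python
import hashlib
import hmac
from typing import Callable, Dict


def _h(password: str) -> bytes:
    # Constructed demo store: salted SHA-256 stands in for a real password hash.
    return hashlib.sha256(b"demo-salt:" + password.encode("utf-8")).digest()


USERS: Dict[str, bytes] = {"monica": _h("correct horse battery staple")}  # constructed
_DUMMY = _h("dummy")  # compared against when the user is unknown, so the work is constant


def login_vulnerable(username: str, password: str) -> dict:
    """Mirrors the slide: a different code and message for each failure cause."""
    stored = USERS.get(username)
    if stored is None:
        return {"code": "100", "error": "error", "error_description": "User not found"}
    if not hmac.compare_digest(stored, _h(password)):
        return {"code": "101", "error": "error", "error_description": "Wrong Password"}
    return {"code": "0", "token": "TOKEN-PLACEHOLDER"}


def login_hardened(username: str, password: str) -> dict:
    """One response for both failure causes; the hash comparison runs even for
    unknown users so they are not rejected measurably faster."""
    stored = USERS.get(username, _DUMMY)
    ok = hmac.compare_digest(stored, _h(password)) and username in USERS
    if not ok:
        return {"code": "100", "error": "error", "error_description": "Invalid credentials"}
    return {"code": "0", "token": "TOKEN-PLACEHOLDER"}


def leaks_usernames(handler: Callable[[str, str], dict]) -> bool:
    """True if 'unknown user' and 'known user, wrong password' are told apart,
    which is exactly the enumeration the slide describes."""
    unknown = handler("monika", "0123456789abcdef")   # typo in the username
    wrong = handler("monica", "0123456789abcdef")
    return unknown != wrong


if __name__ == "__main__":
    print("vulnerable handler leaks usernames:", leaks_usernames(login_vulnerable))
    print("hardened handler leaks usernames:  ", leaks_usernames(login_hardened))
```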
  50. Web Interface
  51. Target: Web Interface
  52. Web Interface
     • Local administrative/management web interface
     • Only port 80/tcp open
       – HTTPS?
     • Settings section (e.g. "/settings/") requires authentication
       – Default password: admin
       – no username?
       – Did I mention there is no encryption?
     • Traditional or mobile access
  53. Admin Web Interface (via Mobile)
  54. Admin Web Interface
     • Login page simply requests a password, but…
       <html>
       <head><title>Login</title>~inc:inc/header.inc~</head>
       <body>
       <div class="login"><h2>Admin Login</h2>
       <div class="login-form">
       <input id="user" type="hidden" value="admin">
       <input id="password" type="password" placeholder="password">
       <button id="login">LOGIN</button>
       </div>...
     • Change password…
       <input id="admin-pass" class="admin-pass" name="admin-pass" type="password" maxlength="16" disabled>
       var pwdvalidator = {required: true, rangelength: [4, 16]};
       config('setpass', md5($('#admin-pass').val(), 16));
  55. Web Interface Passwords
     • MD5-related passwords?
     • Dynamic analysis
     • Static analysis
     • Firmware password-like strings…
     Firmware:
       usrpass 52d04dc20036dbd8
       setpass 7a57a5a743894a0e
     Usage: md5(<password>, 16)
     File: md5.js
       ... if(h==16){return a.substr(8,16)} ...
     $ jsc getmd5.js – "IoT"
       60a13f2f4c7e11c7
     81dc9bdb52d04dc20036dbd8313ed055 --> 1234
     21232f297a57a5a743894a0e4a801fc3 --> admin
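Slides 54 and 55 show that the web interface stores md5(password, 16), i.e. hex characters 8 to 23 of an unsalted MD5, and that the firmware strings hold exactly those values. This added example (not the deck's or the device's code) re-implements that truncation and resolves the two firmware strings against a tiny constructed defaults list, which is the check a defender would run to confirm that the image itself discloses the credentials; the behaviour for h other than 16 is an assumption.

```python
import hashlib
from typing import Dict, Iterable, Optional

# Password-like strings extracted from the firmware on the slide.
FIRMWARE_STRINGS = {"usrpass": "52d04dc20036dbd8", "setpass": "7a57a5a743894a0e"}

# Constructed tiny defaults list; any common-defaults wordlist behaves the same.
DEFAULTS = ["password", "1234", "admin", "0000"]


def device_md5(password: str, h: int = 16) -> str:
    """Re-implements md5.js as used by the device: md5(<password>, 16) keeps
    hex chars 8..23 of the digest (a.substr(8,16)). Returning the full digest
    for other values of h is an assumption; the page only shows the h==16 branch."""
    digest = hashlib.md5(password.encode("utf-8")).hexdigest()
    return digest[8:24] if h == 16 else digest


def lookup(truncated: str, wordlist: Iterable[str]) -> Optional[str]:
    """Return the wordlist entry whose device hash equals `truncated`, if any."""
    for candidate in wordlist:
        if device_md5(candidate) == truncated:
            return candidate
    return None


def match_firmware_strings(strings: Dict[str, str],
                           wordlist: Iterable[str]) -> Dict[str, Optional[str]]:
    """Map each firmware credential string to the default it encodes.

    Unsalted, single-round MD5 of a 4..16 character password (the form's own
    rangelength) means a defaults list resolves these immediately, so the
    firmware image must be treated as a credential disclosure."""
    words = list(wordlist)
    return {name: lookup(value, words) for name, value in strings.items()}


if __name__ == "__main__":
    for name, cleartext in match_firmware_strings(FIRMWARE_STRINGS, DEFAULTS).items():
        print(f"{name}: {cleartext}")
```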
  56. Firmware Upload Capabilities
     • Without authentication (obtained via firmware strings…)
  57. Wireless/Radio Communications
  58. Target: Wireless/Radio Communications
  59. Wireless Communications
     • Adding new wireless devices (pairing)
       – Pairing 433 & 868 MHz devices
       – Wireless devices classification
     • Digital modulation for 433 & 868 MHz signals
     • Replaying 433 & 868 MHz signals
     • Decoding 433 & 868 MHz signals
  60. HackRF One OperaCake
  61. OperaCake: Auto-Antenna Selection
  62. Wireless Devices Classification (Hardware Components)
     • Receivers
       – Grab signals and store them in memory (learning function)
     • Transmitters
       – Generate signals (static or dynamic :) )
     • Transceivers
       – Both (e.g. receivers with state feedback)
     • Hub
       – Legitimate replay attacks :)
  63. Digital Modulation for 433 MHz Devices
  64. Digital Modulation for 868 MHz Devices
  65. Playing with Wireless/Radio Signals
     • Replaying 433 & 868 MHz signals
       – "script-kiddie" attacks
     • Decoding 433 & 868 MHz signals
       – Digital demodulation (reverse engineering radio signals)
  66. Internet of T…
  67. (image-only slide)
  68. (image-only slide)
  69. (image-only slide)
  70. Heater Module: GRC
  71. Heater Module: rfcat script
  72. Conclusions
  73. IoT: Internet of T…
     • Internet of Troubles
     • Internet of Testing
     • Internet of Trust
  74. Spanish Collection of Proverbs
     "Cada uno en su casa… y DiOs en la de todos" ("Everyone in their own home… and God [DiOs] in everyone's")
  75. Credits
     – Produced by: Raúl Siles
     – Sponsored by: Mónica Salas
     – Casting by: E & E
     – Supported by: IoT vendors
     – Music & visuals by: My parents, et al.
     – Costume designer: Siletes
     DinoSec
  76. www.dinosec.com @dinosec Raúl Siles raul@dinosec.com
  77. Questions? www.dinosec.com @dinosec