The document summarizes research conducted on the security of Internet of Things (IoT) devices. Specifically, the researchers analyzed 3 smart devices - a Belkin WeMo light switch, D-Link Insight switch, and Belkin WeMo NetcamHD+ camera. Their analysis found that while some past vulnerabilities had been addressed, issues still remained. The Belkin devices could still be exploited through XML injection of the UPnP protocol. The researchers were able to flash custom firmware onto one of the devices without the owner knowing. The document outlines the tools and techniques used in the research and provides recommendations for further exploration of IoT security.

1. Ike Clinton and Lance Cook
Analyzing Vulnerabilities in Embedded
Systems

2. What is the Internet of Things?
The Internet of Things(IoT) is a vast and rapidly growing frontier
of new technology that includes a variety of “smart” devices.
It is the network of physical objects or “things” embedded with
electronics, software, sensors, and connectivity.
The IoT can refer to a wide range of devices from heart monitors
to smart fridges.
Connect the world

3. Security of the Internet of Things
How can this interconnected system of “smart” devices affect
security?
What implications will it have on the global internet community?

6. Our Research
Overview of the current internet landscape
Survey of current TTPs for embedded device reverse engineering
and firmware analysis
Practical analysis and penetration test of 3 smart devices.

7. Our Research
Purchased 3 “smart” devices
Become familiar with intended use cases
Analyze default configurations of different devices
Study past/current exploitation techniques
Obtain device firmware through various methods
Analyze firmware and determine potential vulnerabilities
Test exploitation techniques
Report findings

8. Research Timeline
24 Feb: Proposal submitted
March 1: Surveyed current IoT landscape
March 9-13: Researched tools and techniques needed for analysis
March 16-20: Identified devices to order. D-Link device arrives, testing
begins
March 20: Two additional devices ordered (WeMo)
April 28: Testing concludes
May 5: Presentation of findings

9. Belkin WeMo Product Line
 Home automation products
 Light switches, motion sensors, IP cameras, croc pots. . .
 Uses one app to control all devices
 Syncs settings to the cloud
 Allows for remote access
 Embedded devices running on Linux

10. Insight Switch
 “Control your electronics”
 Running linux on a MIPS processor
 Uses UPnP to communicate and punch holes in the router
 UPnP vulnerable to XML injection
 Clever trick to get telnetd running on switch

11. Wemo NetcamHD+
 Cloud controlled Ipcam
 Uses netcam app to control camera
 Saves video/recordings to cloud service
 No local access
 Service intermittent

12. Device History
 Several vulnerabilities disclosed in the past
 Malicious firmware attack
 XML UPnP injection
 Netcam had telnet open by default
 Netcam default admin:admin creds
 Belkin fixed most of them. . .

13. Binwalk
 Firmware analysis tool
 Extracts .bin files
 Can view linux file systems of embedded
devices
 Great for finding default passwords,
grabbing binaries from device for analysis
(IDA), etc
 Also has nice entropy analysis tools

14. msf
 Exploitation framework by HD Moore and
rapid7
 DB of known vulnerabilities
 Modular design
 Also incorporates auxiliary modules, scanners,
post exploitation, and payload encoders

15. Nmap
 Network scanning
 Service discovery
 Banner grabbing
 Other custom scans

16. IDA
 Interactive Disassembler
 Can be compared to ollydbg, gdb,
radare2, etc
 Used to identify buffer overflows
 Other RE tasks

17. Github/Metasploit modules
 /dev/ttyS0
 disconnected.io
 Custom msf modules from github
 Slightly modified ruby code
 Ufuzz

18. Other tools
 Netcat (swiss army knife)
 telnet
 GPG (GNU Privacy Guard) successor of PGP
 Other linux utils for RE and analysis (strings, hexdump, find, grep, etc)
 QEMU

19. The Good
 Wemo provides decent home automation solutions with their products when they work
 Belkin/ D-Link Have addressed most/all of the disclosed vulnerabilities
 Wemo devices no longer store GPG private key on devices
 Netcam no longer has telnet open by default
 Netcam longer has default password on web interface
 Firmware is now encrypted “properly”
 SSL encryption used when devices communicate with cloud service

20. The Bad
 Netcam requires cloud service to operate, no local access
 Service is intermittent at best
 There are still more unaddressed/undisclosed exploits
 Old exploits still work intermittently on fully patched devices
 Belkin never changed the GPG keys . . .
 Legacy hardcoded credentials and blank passwords still exist

21. The Ugly. . .

36. Summary of Findings
 XML UPnP injection still works on other parameters
 Devices still ship unpatched
 Belkin never changed GPG keys. . .
 Can sign and flash our own custom firmware
 Devices could be flashed with malicious firmware without the owner knowing
 Dangerous considering some users wont bother to update

37. Further Research
 More 0-Days?
 Fuzz the other attack surfaces/UPnP commands
 Flash custom firmware onto device
 Discover devices on the internet using shodan/masscan
 Investigate other embedded devices

38. Belkin WeMo Remote Shell and Rapid State Change
Exploit
https://www.youtube.com/watch?v=BcW2q0aHOFo

39. Lessons Learned
 Pay attention to your professor when he lectures on protocols
 Sanitize, sanitize, sanitize
 Vendors are not implementing UPnP properly/securely
 Sometimes logical security > Technical security

40. Resources
 http://binwalk.org/
 https://github.com/phikshun
 http://disconnected.io/
 http://www.devttys0.com/
 https://github.com/issackelly/wemo
 http://www.ioactive.com/pdfs/IOActive_Belkin-advisory-lite.pdf
 http://www.shodan.io
 https://www.scadahacker.com
 http://www.exploit-db.com/
 https://nvd.nist.gov/
 http://1337day.com/exploit/20633
 Various Blackhat and Defcon presentations
 Scholarly journals/whitepapers

43. Special Thanks
 Thanks to The Citadel CSCI department for purchasing the two WeMo devices!

44. Questions?