Hardware hacking hit the news quite often in 2017, and a lot of pentesters tried to jump into the band wagon and discover the joy of hacking things rather than servers or applications. But most of them are only looking for rootz shellz and p0wning embedded Linux operating systems rather than doing what we really call "hardware hacking". In this talk, we are going to hack a Bluetooth Low Energy smartlock, from its printed circuit board to a fully working exploit, as well as its (wait for it) associated mobile application you need to install to operate this thing. This talk is not only an introduction into the field of hardware hacking, but also a good way to dive into electronics and its specific protocols, and of course into microcontrollers and System-on-chip reverse engineering. We will cover some electronics basic knowledge as well as tools and classic methodologies when it comes at analyzing an IoT device and will provide tips and tricks based on our experience but our failures too.

1. FROM PRINTEDFROM PRINTED
CIRCUIT BOARDS TOCIRCUIT BOARDS TO
EXPLOITSEXPLOITS
(PWNING IOT DEVICES LIKE A BOSS)(PWNING IOT DEVICES LIKE A BOSS)
| Hack in Paris '18@virtualabs

2. ABOUT MEABOUT ME
Head of Research @ Econocom Digital Security
Hardware hacker (or at least pretending to be one)
Speaker @ various conferences
Special interest in Bluetooth Low Energy since 2
years

3. A detailed reference
guide on how to p0wn
IoT devices
A list of tools you may
use to test devices
WHAT THIS TALK IS NOTWHAT THIS TALK IS NOT

4. IT IS ALL ABOUT HOW TO THINKIT IS ALL ABOUT HOW TO THINK
AND ANALYZE AND EXPLOITAND ANALYZE AND EXPLOIT
LET'S DO IT THE HACKER WAY !LET'S DO IT THE HACKER WAY !

5. METHODOLOGYMETHODOLOGY

6. EXISTING METHODOLOGIESEXISTING METHODOLOGIES
Rapid7's methodology (7 basic steps)
OWASP IoT Project (not really mature yet)

7. PCB REVERSE-ENGINEERINGPCB REVERSE-ENGINEERING

8. COMPONENTS IDENTIFICATIONCOMPONENTS IDENTIFICATION

9. MEMORY EXTRACTIONMEMORY EXTRACTION

10. SOFTWARE REVERSE-ENGINEEERINGSOFTWARE REVERSE-ENGINEEERING

11. SNIFFING WIRED COMMS.SNIFFING WIRED COMMS.

12. SNIFFING WIRELESS COMMS.SNIFFING WIRELESS COMMS.

13. FIND VULNS & ATTACK !FIND VULNS & ATTACK !

14. OUR VICTIM SMARTLOCKOUR VICTIM SMARTLOCK

15. STEP #1: TEARDOWNSTEP #1: TEARDOWN

16. USE THE RIGHT TOOLSUSE THE RIGHT TOOLS

18. KEEP CALM !KEEP CALM !

19. STEP #2: GLOBAL ANALYSISSTEP #2: GLOBAL ANALYSIS

20. ELECTRONICS ENGINEERS AREELECTRONICS ENGINEERS ARE
HUMANS TOOHUMANS TOO
Components position based on their global role
Connectors and components producing heat placed
near the edges

22. nRF52832
2.4 GHz Bluetooth
Low Energy capable System-on-Chip
COMPONENTS IDENTIFICATIONCOMPONENTS IDENTIFICATION
DRV8848
Dual H-Bridge Motor driver

23. FUNCTIONS VS. COMPONENTSFUNCTIONS VS. COMPONENTS

24. STEP #3: RECOVER SCHEMATICSSTEP #3: RECOVER SCHEMATICS

25. PICTURES + SOFTWARE FTWPICTURES + SOFTWARE FTW
Using high-res pictures (or multimeter), follow
tracks and vias
Determine protocols used for Inter-IC
communication
Draw a simplified schematics

26. FOLLOW TRACKS AND VIASFOLLOW TRACKS AND VIAS

27. DETERMINE PROTOCOLS USEDDETERMINE PROTOCOLS USED

28. SIMPLIFIED SCHEMATICSSIMPLIFIED SCHEMATICS
Use Inkscape, Adobe Illustrator, MS Visio, or
whatever
Draw only the interesting stuff, we do not want to
counterfeit

31. STEP #4: GET FIRMWARESTEP #4: GET FIRMWARE

32. USE DEBUGGING INTERFACES !USE DEBUGGING INTERFACES !
Offers a proper way to access Flash memory
Found in > 50% of devices we have tested
Requires the right adapter to connect to

33. DUMPING FIRMWARE WITHDUMPING FIRMWARE WITH
OPENOCDOPENOCD
$ openocd -f interface/stlink-v2.cfg
-f target/nrf5x.cfg -c init -c halt
-c "dump_image /tmp/firmware.bin 0x0 0x80000"

34. WHEN DEBUGGING IS NOTWHEN DEBUGGING IS NOT
ENABLED, ABUSEENABLED, ABUSE OTAOTA !!

35. OVER-THE-AIR UPDATESOVER-THE-AIR UPDATES

36. OR DUMP EVERY AVAILABLEOR DUMP EVERY AVAILABLE
STORAGE DEVICE 😎STORAGE DEVICE 😎

38. FIRMWARE DUMPED !FIRMWARE DUMPED !

39. SPARE AREA IS EVILSPARE AREA IS EVIL

40. REMOVE OOB DATA !REMOVE OOB DATA !
(AND USE ECC TO FIX ERRORS)(AND USE ECC TO FIX ERRORS)

41. STEP #5: DETERMINE TARGETSTEP #5: DETERMINE TARGET
ARCHITECTUREARCHITECTURE

42. ANSWER THE BASIC QUESTIONSANSWER THE BASIC QUESTIONS
What architecture is this ?
Does it run an OS ?
Does it use a FS ?

43. WHAT ARCHITECTURE IS IT ?WHAT ARCHITECTURE IS IT ?
ARM CORTEX-M0 (ARMV7-M)ARM CORTEX-M0 (ARMV7-M)

44. DOES IT RUN AN OS ?DOES IT RUN AN OS ?
NOPE.NOPE.

45. DOES IT USE A FS ?DOES IT USE A FS ?
NOPE.NOPE.

46. NRF51 SOFTDEVICENRF51 SOFTDEVICE

47. SOFTDEVICE VERSION ?SOFTDEVICE VERSION ?
EASY-PEASYEASY-PEASY !!
$ strings firmware-original.bin | grep sdk
/home/benoit/workspace/nrf51/firmware/sdk/sdk13.0/components/l
/home/benoit/workspace/nrf51/firmware/sdk/sdk13.0/components/s
/home/benoit/workspace/nrf51/firmware/sdk/sdk13.0/components/s
/home/benoit/workspace/nrf51/firmware/sdk/sdk13.0/components/l
/home/benoit/workspace/nrf51/firmware/sdk/sdk13.0/components/l
/home/benoit/workspace/nrf51/firmware/sdk/sdk13.0/components/l
/home/benoit/workspace/nrf51/firmware/sdk/sdk13.0/components/s

48. QUICK REMINDERQUICK REMINDER
It runs an OS or use a known FS:
You'd better drop binaries in IDA Pro
It uses no FS and looks like a crappy blob of data:
You'd better figure out the architecture and
memory layout.

49. STEP #6: DISASSEMBLE !STEP #6: DISASSEMBLE !

50. SPECIFY TARGET ARCHITECTURE ANDSPECIFY TARGET ARCHITECTURE AND
LAYOUTLAYOUT
Configure CPU accordingly
Configure memory layout if required
Perform a quick sanity check (strings xrefs, ...)

53. AUTOMATED SDK FUNCTIONSAUTOMATED SDK FUNCTIONS
DETECTION AND RENAMINGDETECTION AND RENAMING
We developed our own tool to ease So Device-
based firmware reverse-engineering
It helps detecting So Device version and
automatically rename SDK exported functions

54. 0:00 / 2:36

55. NRF5X-TOOLS AVAILABLE ON GITHUBNRF5X-TOOLS AVAILABLE ON GITHUB
https://github.com/DigitalSecurity/nrf5x-tools

56. MOBILE APPS TOOMOBILE APPS TOO

57. STEP #7: SNIFF ALL THE THINGSSTEP #7: SNIFF ALL THE THINGS

58. SNIFF/INTERCEPTSNIFF/INTERCEPT
COMMUNICATIONSCOMMUNICATIONS
May require various hardware: SPI, I2C, WiFi, BLE,
nRF24, Sigfox, LoRa, ...
PCAP compatible tools are great
Beware the cost (a lot of $$$) !

59. BLUETOOTH LOW ENERGY MITMBLUETOOTH LOW ENERGY MITM
https://github.com/DigitalSecurity/btlejuice

60. HOW OUR SMARTLOCK WORKSHOW OUR SMARTLOCK WORKS
(BASED ON A MITM ATTACK)(BASED ON A MITM ATTACK)
1. App retrieves a Nonce from the lock
2. App encrypts a token and send it to the lock
3. Lock decrypts token and react accordingly

61. BY THE WAY ...BY THE WAY ...
The mobile app authenticates the smartlock only by
its exposed service UUID:

62. STEP #8: FIND BUGS & VULNSSTEP #8: FIND BUGS & VULNS

63. SEARCH BUGS & VULNSSEARCH BUGS & VULNS
Default password/key
Escape shell
Buffer overflow
Misconfiguration
...

64. SMARTLOCK SECURITYSMARTLOCK SECURITY
FEATURESFEATURES
Relies on a Nonce generated by the smartlock to
avoid replay attacks
True AES-based encryption used, cannot break it
Resisted to fuzzing, we did not managed to force
open the lock

65. BUT ...BUT ...

66. ... IS IT «RANDOM» ?... IS IT «RANDOM» ?

67. I'VE ALREADY SEEN THAT ...I'VE ALREADY SEEN THAT ...
(SOURCE: XKCD)(SOURCE: XKCD)

68. SECURITY ISSUESSECURITY ISSUES
Spoofing: App does not authenticate the smartlock
it connects to
Random Nonce is not random at all !

69. SO WHAT ?SO WHAT ?
An attacker may spoof the smartlock to force the
App to send an encrypted token
He/she may be able to replay a valid token as the
nonce is always the same

71. STEP #9: EXPLOIT !STEP #9: EXPLOIT !

72. SPOOF SMARTLOCKSPOOF SMARTLOCK
Use NodeJS with Bleno FTW
Exploit based on our Mockle library
https://github.com/DigitalSecurity/mockle

73. SPOOFING SMARTLOCKSPOOFING SMARTLOCK
$ sudo node capture-token.js
[setup] creating mock for device XXXXXXX (xx:xx:xx:6b:fc:88)
[setup] services registered
[ mock] accepted connection from address: 5e:74:79:1e:5f:a9
> Register callback for service 6e4...ca9e:6e4...ca9e
> Read Random, provide default value 1.
> End of transmission
[i] Token written to `token.json`

74. REPLAY TOKENREPLAY TOKEN
$ sudo node replay-token.js
BTLE interface up and running, starting scanning ...
[i] Target found, replaying token ...
done

75. 0:00 / 1:23

76. BUG IS NOW FIXEDBUG IS NOW FIXED

77. CONCLUSIONCONCLUSION

78. TO BE IMPROVEDTO BE IMPROVED
We have been using this methodology intensively
since the last two years
There is space for improvements, obviously
Vendor fixed (some) of the vulnerabilities we
demonstrated

79. PRO TIPSPRO TIPS
Take your time and document all the things
Read datasheets carefully
Learn how to master Inkscape, it helps a lot
Start from the bottom (PCB) and go up !

80. PRO TIPS (CONT'D)PRO TIPS (CONT'D)
As usual, know your tools and how to use them
Share and learn from others (many cool tricks to
discover)

82. PRACTICE !PRACTICE !
Soldering (tiny wires)
Desoldering with hot air gun
Use the scope
Use the scope again
Code on embedded devices
...

83. CONTACTCONTACT
QUESTIONS ?QUESTIONS ?
@virtualabs
damien.cauquil@digital.security