The (Io)Things you don't even need to hack. Should we worry?

The prevalence of computers in the form of so-called "smart" devices embedded in our everyday environment is inevitable. From a pentester's perspective, at first glance the adjective "smart" can hardly be used to describe their inventors and ambassadors.

Based on a few examples (among others BTLE beacons, smart meters, security cameras...) I will show how easily "smart" devices can be outsmarted. Sometimes you don't even need any 'hacking' skills, or the default configuration is wide open. But are we doomed? What are the conditions for a real threat? Can the vulnerabilities be exploited anonymously and as easily as in a web application? Where is the physical border the intruder would be likely to cross? The risks involved are usually different, but does that mean we don't have to worry? Do we know how to use the emerging technology securely?


  1. The (Io)Things you don’t even need to hack. Should we worry? Sławomir Jasek, Confidence, 26.05.2015
  2. Sławomir Jasek: pentester / security consultant. Assessments and consultancy regarding the security of various applications - web, mobile, embedded, ... Since 2003 / over 400 systems and applications.
  3. Agenda: What is IoT? Things you don’t even need to hack: IP cameras, industrial equipment, Bluetooth Low Energy devices, smart meters. Should we worry? How can we help?
  4. INTERNET OF THINGS
  5. What is „Internet of Things”? Another buzzword (?). Several definitions and a bit of confusion, just like „cloud”, „big data” or „mobile” a few years back. Let's simplify: network-connected devices with embedded processing power. Add mobile, cloud and big data, of course ;)
  6. IoT - Variety http://www.talk2thefuture.com/internet-of-things-english/
  7. IoT - Variety http://www.beechamresearch.com
  8. IoT - Variety http://postscapes.com/what-exactly-is-the-internet-of-things-infographic
  9. IoT - prevalence prediction http://www.audiotech.com/trends-magazine/internet-things-begins-take-shape/
  10. CASE #1: IP CAMERAS
  11. Camera: the best-priced IP camera with PoE and ONVIF. The management standard was supposed to assure painless integration of the video into my installation.
  12. WWW interface
  13. WWW interface
  14. This has to be a false positive, right?
  15. Services:
      PORT      STATE SERVICE    VERSION
      23/tcp    open  telnet     Busybox telnetd
      80/tcp    open  tcpwrapped
      554/tcp   open  rtsp?
      8899/tcp  open  soap       gSOAP soap 2.7
      9527/tcp  open  unknown
      34561/tcp open  unknown
      34567/tcp open  unknown
      34599/tcp open  unknown
  16. Debug service
  17. John the Ripper? Online hash crack? md5crypt(?) = $1$RYIwEiRA$d5iRR(...) anyone? No need to crack it: search for „password” and the name of the device in Russian.
  18. Alt: get the filesystem contents by reversing the firmware
      # binwalk firmware.img
      DECIMAL  HEX   DESCRIPTION
      ------------------------------------------------------------------
      0        0x0   uImage header, header size: 64 bytes, header CRC: 0x4F9FDADF, created: Thu Apr 17 10:22:14 2014, image size: 3428352 bytes, Data Address: 0x80000, Entry Point: 0x580000, data CRC: 0xD5BE4969, OS: Linux, CPU: ARM, image type: OS Kernel Image, compression type: gzip, image name: "linux"
      64       0x40  CramFS filesystem, little endian size 3428352 version #2 sorted_dirs CRC 0x9bbb241e, edition 0, 1159 blocks, 175 files
  19. Alt: get the filesystem contents by reversing the firmware. The CramFS image starts right after the 64-byte uImage header, hence offset=64:
      # mount -o loop,offset=64 firmware.img /mnt/loop
      # ls -l /mnt/loop
      drwxrwxr-x 2 543 31 4096 Jan 1 1970 bin
      drwxrwxr-x 2 543 31 4096 Jan 1 1970 boot
      drwxrwxr-x 2 543 31 4096 Jan 1 1970 dev
      drwxrwxr-x 5 543 31 4096 Jan 1 1970 etc
      drwxrwxr-x 2 543 31 4096 Jan 1 1970 home
      drwxrwxr-x 2 543 31 4096 Jan 1 1970 lib
      (...)
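The offset the deck passes to mount comes from the uImage header that binwalk reported. The script below is an added example (not the talk's own code): it parses the 64-byte legacy U-Boot header, verifies both CRC32s and sniffs the payload, so the mount offset and the filesystem type are checked rather than assumed. The image it parses is built in memory by `build_uimage` and is not the camera's firmware; the header's claim of gzip compression over a CramFS body mirrors what binwalk showed.

```python
"""Parse a legacy U-Boot uImage header and report where the payload starts.

Added example, not code from the talk. The sample image is constructed in
memory below (build_uimage); it is not the camera's firmware.
"""
import struct
import zlib

IH_MAGIC = 0x27051956
IH_HEADER_LEN = 64
# image_header_t: magic, hcrc, time, size, load, ep, dcrc, os, arch, type, comp, name[32]
_HDR = struct.Struct(">IIIIIIIBBBB32s")
OS_NAMES = {5: "Linux"}
ARCH_NAMES = {2: "ARM", 5: "MIPS"}
TYPE_NAMES = {2: "OS Kernel Image", 5: "Multi-File Image"}
COMP_NAMES = {0: "none", 1: "gzip", 2: "bzip2", 3: "lzma"}
CRAMFS_MAGIC_LE = b"\x45\x3d\xcd\x28"   # 0x28cd3d45 stored little-endian


def payload_kind(payload: bytes) -> str:
    """Sniff the first bytes: the header's 'comp' field is not always truthful."""
    if payload[:2] == b"\x1f\x8b":
        return "gzip"
    if payload[:4] == CRAMFS_MAGIC_LE:
        return "cramfs (little endian)"
    return "unknown"


def parse_uimage(blob: bytes) -> dict:
    """Return the header fields; raise ValueError on bad magic, truncation or CRC mismatch."""
    if len(blob) < IH_HEADER_LEN:
        raise ValueError("shorter than a uImage header")
    (magic, hcrc, _time, size, load, ep, dcrc,
     os_, arch, typ, comp, name) = _HDR.unpack(blob[:IH_HEADER_LEN])
    if magic != IH_MAGIC:
        raise ValueError(f"bad magic 0x{magic:08x}")
    # the header CRC is computed over the header with the hcrc field zeroed
    if zlib.crc32(blob[:4] + b"\0\0\0\0" + blob[8:IH_HEADER_LEN]) != hcrc:
        raise ValueError("header CRC mismatch")
    payload = blob[IH_HEADER_LEN:IH_HEADER_LEN + size]
    if len(payload) != size:
        raise ValueError("image truncated")
    if zlib.crc32(payload) != dcrc:
        raise ValueError("data CRC mismatch")
    return {
        "name": name.rstrip(b"\0").decode("ascii", "replace"),
        "size": size, "load": load, "entry": ep,
        "os": OS_NAMES.get(os_, os_), "arch": ARCH_NAMES.get(arch, arch),
        "type": TYPE_NAMES.get(typ, typ), "comp": COMP_NAMES.get(comp, comp),
        "payload_offset": IH_HEADER_LEN,
        "payload_kind": payload_kind(payload),
    }


def build_uimage(payload: bytes, name: str = "linux", comp: int = 1,
                 load: int = 0x80000, ep: int = 0x580000) -> bytes:
    """Wrap `payload` in a valid uImage header (used only to construct the sample)."""
    hdr = _HDR.pack(IH_MAGIC, 0, 0, len(payload), load, ep, zlib.crc32(payload),
                    5, 2, 2, comp, name.encode().ljust(32, b"\0"))
    return hdr[:4] + struct.pack(">I", zlib.crc32(hdr)) + hdr[8:] + payload


def mount_command(path: str, info: dict) -> str:
    """The loop-mount line from the deck, with the offset taken from the parsed header."""
    return f"mount -o loop,offset={info['payload_offset']} {path} /mnt/loop"


if __name__ == "__main__":
    # constructed sample: header says gzip, body is actually a CramFS superblock
    sample = build_uimage(CRAMFS_MAGIC_LE + bytes(60))
    info = parse_uimage(sample)
    print(info)
    print(mount_command("firmware.img", info))
```

Run it against a real image with `parse_uimage(open("firmware.img", "rb").read())`; a multi-image or a header whose CRC does not verify is a sign that binwalk's offset, not the header, should be trusted.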
  20. What the? Unsolicited connection to a „cloud service”:
      # tcpdump host camera.local
      18:48:41.290938 IP camera.local.49030 > ec2-54-72-86-70.eu-west-1.compute.amazonaws.com.8000: UDP, length 25
  21. „Cloud service” - HRLP
  22. „Cloud service” - we clome
  23. „Cloud service” - we clome
  24. „Cloud service” FAQ
  25. „Junk hacking”. The same most probably applies to your smart TV, home installations, refrigerators, microwaves, baby monitors, key locks, toothbrushes, internet-connected sex toys... PWN-ing this kind of device does not involve „hacking” and does not impress. It is boring, obvious and has been well known for years. Aka „junk hacking”, also frequently used to spread FUD by some antivirus companies. http://seclists.org/dailydave/2014/q3/52
  26. THE DEVICE SUPPLY CHAIN, AKA does anybody care?
  27. Device supply chain: Board Support Package (drivers, bootloader, kernel-level SDK: Broadcom, Texas Instruments, Intel, WindRiver...) -> Original Device Manufacturer (web interface, SDK, cloud... usually unknown, from China, Taiwan etc.) -> Original Equipment Manufacturer (composing and branding ODMs + support, license, warranty...) -> Value Added Reseller / Distributor -> End user
  28. Device supply chain (the same chain), what every link asks of the previous one: Features! Price! Features! Price! Features! Price! Features! Price!
  29. Device supply chain (the same chain), and where security comes in: Security? ? ? ?
  30. BUT SHOULD WE WORRY?
  31. Should we worry? That depends on the device and the usage scenario. For most of them you are supposed to be aware and treat the devices accordingly: just don't connect this type of hardware directly to the Internet via a public IP, and monitor the outgoing traffic, too. But should we care about the others?
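"Monitor the outgoing traffic" is easy to say; the check below shows what it means in practice. It is an added example, not code from the talk: it parses tcpdump one-line summaries of the form shown in slide 20 and counts every connection a monitored device opened to a (destination, port) outside its allowlist. The capture is constructed for the example (only its first line mirrors the deck's output), and the allowlist is a hypothetical local policy in which the camera may talk to an internal NTP server and nothing else.

```python
"""Flag outbound connections from a LAN device to destinations outside its allowlist.

Added example, not code from the talk. TCPDUMP_LINES is constructed; the
hosts ntp.lan, laptop.lan and 203.0.113.9 and the ALLOWED policy are
hypothetical.
"""
import re
from collections import Counter

TCPDUMP_LINES = """\
18:48:41.290938 IP camera.local.49030 > ec2-54-72-86-70.eu-west-1.compute.amazonaws.com.8000: UDP, length 25
18:48:42.001002 IP camera.local.40213 > ntp.lan.123: UDP, length 48
18:48:42.500311 IP laptop.lan.51234 > camera.local.554: Flags [S], seq 1, win 65535, length 0
18:48:43.120000 IP camera.local.49031 > ec2-54-72-86-70.eu-west-1.compute.amazonaws.com.8000: UDP, length 25
18:48:44.000000 IP camera.local.49032 > 203.0.113.9.443: Flags [S], seq 2, win 8192, length 0
"""

# tcpdump summary line: <time> IP <src>.<sport> > <dst>.<dport>: <rest>
LINE_RE = re.compile(
    r"^\S+ IP (?P<src>\S+)\.(?P<sport>\d+) > (?P<dst>\S+)\.(?P<dport>\d+): (?P<rest>.*)$")

MONITORED = {"camera.local"}                       # devices that must not talk out on their own
ALLOWED = {"camera.local": {("ntp.lan", 123)}}     # (destination, port) pairs each device may reach


def parse_flow(line: str):
    """Return (src, sport, dst, dport, proto) for a summary line, or None for lines we do not understand."""
    m = LINE_RE.match(line)
    if not m:
        return None
    proto = "UDP" if m["rest"].startswith("UDP") else "TCP"   # tcpdump prints 'Flags [...]' for TCP
    return m["src"], int(m["sport"]), m["dst"], int(m["dport"]), proto


def unexpected_egress(capture: str, monitored=MONITORED, allowed=ALLOWED) -> dict:
    """Count flows initiated by a monitored device to a (dst, port) outside its allowlist."""
    hits = Counter()
    for line in capture.splitlines():
        flow = parse_flow(line)
        if flow is None:
            continue
        src, _sport, dst, dport, proto = flow
        if src in monitored and (dst, dport) not in allowed.get(src, set()):
            hits[(src, dst, dport, proto)] += 1
    return dict(hits)


if __name__ == "__main__":
    for (src, dst, dport, proto), n in unexpected_egress(TCPDUMP_LINES).items():
        print(f"{src} -> {dst}:{dport}/{proto}  x{n}  (not on allowlist)")
```

Inbound connections to the camera (the laptop's RTSP session) are ignored on purpose; the point is what the device initiates. Feed it `tcpdump -n -l src host <camera>` output to see the same thing live, and treat the first hit to any new destination as the event to investigate, not the hundredth.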
  32. Self-powered and lens-less cameras for IoT. http://www.cs.columbia.edu/CAVE/projects/self_powered_camera/ - image sensors that can not only capture images but also generate the power needed to do so. http://www.rambus.com/documentation/emerging-solutions/lensless-smart-sensors - replace the lens with an ultra-miniaturised diffractive sensor and extract the image computationally: an extremely small, low-cost „camera”.
  33-38. Publicly available IP cameras (screenshots)
  39. And what if someone connects the dots? Indexed „public” cameras (rough IP-based geolocation) + exact location (crowdsourced?) + cloud, big data (face recognition?) = PROBLEM? https://www.flickr.com/photos/opensourceway
  40. INDUSTRIAL INSECURITY
  41. Industrial insecurity: thousands of interfaces publicly available. Trivial to discover; already scanned and catalogued, just like the cameras. Modbus-TCP, Serial-TCP, default passwords or password-less web management interfaces... I won’t reveal the links here ;)
  42. Industrial insecurity - public interfaces: default password
  43. Industrial insecurity - public interfaces
  44. Industrial insecurity - public interfaces
  45. Industrial RFID reader: reads the RFID tags mounted on authorised trucks to open the gate automatically.
  46. Industrial RFID reader - port scan:
      PORT      STATE SERVICE   VERSION
      23/tcp    open  telnet    Busybox telnetd
      4007/tcp  open  pxc-splr?
      4684/tcp  open  unknown
      10001/tcp open  tcpwrapped
      Service Info: Host: UHF-RFID-Dev
  47. No need to hack - just RTFM
  48. Command-line „client”
  49. Command-line „client”: send the request documented in the manual to port 4007 and dump the reply. Note that hexdump without -C prints 16-bit little-endian words, so „bbaa” on screen is the byte sequence AA BB on the wire:
      $ echo -e "\xAA\xBB\x01\x01\x11\x01\xAA\xCC" | nc <IP> 4007 | hexdump
      0000000 bbaa 0101 8111 aa00 aacc 07bb aa00 aacc
      0000010 07bb aa00 aacc 07bb aa00 aacc 07bb aa00
      0000020 aacc 07bb aa00 aacc 07bb aa00 aacc 07bb
      0000030 aa00 aacc 07bb aa00 aacc 07bb aa00 aacc
      (...)
      0000350 aacc 07bb aa00 aacc 07bb aa00 aacc 07bb
      0000360 aa00 aacc 07bb aa00 aacc 07bb aa00 aacc
      0000370 07bb aa00 aacc 01bb 1101 ffc1 0103 0247
      0000380 1353 ed6b ccaa bbaa 0007 ccaa bbaa 0101
      0000390 c111 0300 0001 5302 6b13 05ed aa00 aacc
      (...)
      ...and now we can clone the tag
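Reading the reply off the hexdump by eye is error-prone because of the word swap, so here is the same step in code. This is an added example, not the talk's code: it converts the three contiguous hexdump lines from slide 49 back into a byte stream and splits it into frames. That the reader delimits frames with AA BB ... AA CC is an assumption read off the deck's request and reply; what the body bytes mean is defined by the vendor manual and is not decoded here.

```python
"""Re-assemble the RFID reader's reply from a hexdump and split it into frames.

Added example, not code from the talk. HEXDUMP is copied from the deck;
the AA BB ... AA CC framing is an assumption; body semantics are not decoded.
"""

REQUEST = bytes.fromhex("aa bb 01 01 11 01 aa cc")   # the deck's `echo -e` payload

HEXDUMP = """\
0000370 07bb aa00 aacc 01bb 1101 ffc1 0103 0247
0000380 1353 ed6b ccaa bbaa 0007 ccaa bbaa 0101
0000390 c111 0300 0001 5302 6b13 05ed aa00 aacc
"""

FRAME_START, FRAME_END = b"\xaa\xbb", b"\xaa\xcc"


def hexdump_words_to_bytes(text: str) -> bytes:
    """Undo default `hexdump` output (offset column + 16-bit little-endian words)."""
    out = bytearray()
    for line in text.splitlines():
        for word in line.split()[1:]:           # drop the offset column
            value = int(word, 16)
            out += bytes([value & 0xFF, value >> 8])
    return bytes(out)


def split_frames(stream: bytes) -> list:
    """Bodies of every complete AA BB ... AA CC frame; partial data at either edge is skipped."""
    frames, i = [], stream.find(FRAME_START)
    while i != -1:
        j = stream.find(FRAME_END, i + len(FRAME_START))
        if j == -1:
            break
        frames.append(stream[i + len(FRAME_START):j])
        i = stream.find(FRAME_START, j + len(FRAME_END))
    return frames


def build_frame(body: bytes) -> bytes:
    """Wrap a command body with the same delimiters the reader uses."""
    return FRAME_START + body + FRAME_END


def diff_positions(a: bytes, b: bytes) -> list:
    """Offsets at which two bodies differ: a quick way to spot status and payload bytes."""
    return [i for i, (x, y) in enumerate(zip(a, b)) if x != y]


if __name__ == "__main__":
    for body in split_frames(hexdump_words_to_bytes(HEXDUMP)):
        print(len(body), body.hex(" "))
```

The short `07 00` frames repeat while the reader idles; the two long frames share the run `02 53 13 6b ed` and differ in a handful of bytes, which is where the manual (not guesswork) tells you the tag data and status live.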
  50. Should we worry? Incoming vehicles are also traditionally verified by security staff. The device is reachable only from a restricted LAN. The tag can also be scanned from the truck itself. BUT: you have to be aware of the technology's shortcomings and not alter the above conditions!
  51. BLUETOOTH SMART - AKA Bluetooth Low Energy, BLE, Bluetooth 4
  52. Bluetooth Smart != Bluetooth 3. Completely different stack, from RF to the upper layers. Designed from the ground up for low energy usage. Network topology: a) Broadcaster + Observer (connectionless advertising), b) Central (master) + Peripheral (slave) connection.
  53. Broadcast - beacon https://www.flickr.com/photos/jnxyz/13570855743 UUID (vendor): 2F234454-CF6D-4A0F-ADF2-F4911BA9FFA6, Major (group): 45044, Minor (individual): 5, Tx Power: -59 (the calibrated signal strength at 1 m). The mobile app estimates the distance to the specified beacon from the received signal strength. You can read the values using any free mobile BTLE scanner.
  54. Beacons - emulation #1: LightBlue https://itunes.apple.com/us/app/lightblue-bluetooth-low-energy/id557428110 Available for iPhone, iPad, Mac. You can enter exactly the same values as an existing beacon.
  55-57. Beacons - emulation #2: BlueZ
      # hcitool cmd 0x08 0x0008 1E 02 01 1A 1A FF 4C 00 02 15 84 2A F9 C4 08 F5 11 E3 92 82 F2 3C 91 AE C0 5E FD E8 AF C8 C5 00
      iBeacon data broadcast, field by field: 1E = length of the advertising data (30 bytes); 02 01 1A = flags; 1A FF 4C 00 02 15 = iBeacon prefix (constant: manufacturer-specific data, Apple company ID 0x004C, iBeacon type 0x02, length 0x15); UUID: 842AF9C4-08F5-11E3-9282-F23C91AEC05E; Major: FD E8 = 65 000; Minor: AF C8 = 45 000; TX power: C5 = -59 dBm (signed byte); 00 = padding to 31 bytes.
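Pasting the hcitool line works, but it hides why the bytes are what they are. The script below is an added example, not code from the talk: it builds the LE advertising payload of an iBeacon from the four fields, renders the exact `hcitool cmd 0x08 0x0008 ...` line (OGF 0x08 = LE Controller commands, OCF 0x0008 = LE_Set_Advertising_Data) and parses such a payload back. The values are the deck's; nothing is transmitted.

```python
"""Build an iBeacon advertising payload and the matching hcitool command, and parse it back.

Added example, not code from the talk. Field values below are taken from
the deck's slide; no radio is touched.
"""
import uuid

APPLE_COMPANY_ID = 0x004C
IBEACON_TYPE, IBEACON_LEN = 0x02, 0x15      # 21-byte body: uuid(16) major(2) minor(2) txpower(1)
ADV_FLAGS = bytes([0x02, 0x01, 0x1A])       # LE General Discoverable, BR/EDR not supported
IBEACON_PREFIX = bytes([26, 0xFF]) + APPLE_COMPANY_ID.to_bytes(2, "little") + bytes([IBEACON_TYPE, IBEACON_LEN])


def ibeacon_adv_data(proximity_uuid: str, major: int, minor: int, tx_power_dbm: int) -> bytes:
    """Significant advertising data: flags AD + manufacturer-specific AD (30 bytes in total)."""
    if not (0 <= major <= 0xFFFF and 0 <= minor <= 0xFFFF and -128 <= tx_power_dbm <= 127):
        raise ValueError("field out of range")
    body = (uuid.UUID(proximity_uuid).bytes
            + major.to_bytes(2, "big") + minor.to_bytes(2, "big")
            + tx_power_dbm.to_bytes(1, "big", signed=True))
    return ADV_FLAGS + IBEACON_PREFIX + body


def hcitool_set_adv_data(adv: bytes) -> str:
    """Render 'hcitool cmd 0x08 0x0008 <len> <31 data bytes>' for LE_Set_Advertising_Data."""
    if len(adv) > 31:
        raise ValueError("advertising data exceeds 31 bytes")
    params = bytes([len(adv)]) + adv.ljust(31, b"\0")
    return "hcitool cmd 0x08 0x0008 " + " ".join(f"{b:02X}" for b in params)


def parse_ibeacon(adv: bytes):
    """Inverse of ibeacon_adv_data: (uuid, major, minor, tx_power) or None if no iBeacon AD is present."""
    i = adv.find(IBEACON_PREFIX)
    if i < 0 or len(adv) < i + len(IBEACON_PREFIX) + 21:
        return None
    b = adv[i + len(IBEACON_PREFIX):i + len(IBEACON_PREFIX) + 21]
    return (str(uuid.UUID(bytes=b[:16])),
            int.from_bytes(b[16:18], "big"),
            int.from_bytes(b[18:20], "big"),
            int.from_bytes(b[20:21], "big", signed=True))


if __name__ == "__main__":
    adv = ibeacon_adv_data("842AF9C4-08F5-11E3-9282-F23C91AEC05E", 65000, 45000, -59)
    print(hcitool_set_adv_data(adv))
    print(parse_ibeacon(adv))
```

On a Linux box with BlueZ, `hciconfig hci0 leadv 3` after the generated command starts non-connectable advertising; any app that matches beacons by UUID/major/minor alone will accept the clone, which is the whole point of slides 53 and 60.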
  58. Beacons - some example usage scenarios: additional info on products based on precise location; rewards for visiting places; indoor guide, helping the blind to navigate etc.; your home or toys can automatically react to you; be warned that your bike or car is no longer in the garage.
  59. Beacons - additional info based on location
  60. Abuse?
  61. OTHER BLE DEVICES. Beacons are just the beginning...
  62. How to make your own BLE device? 1. Buy SDK + devices from a selected vendor (Nordic, TI...). 2. Import ready-to-use sample code. 3. Add your bright usage scenario (and sometimes a bit of hacking). 4. Create a convincing bootstrap webpage + videos. 5. Run a successful Kickstarter campaign. 6. Profit!
  63. Beacons are just the beginning... Electric plugs, lightbulbs, locks, kettles, sensors, wallets, socks, pans, jars, toothbrushes, bags, plates, dildos, sitting pads, fart-measuring devices, calorie-counting mugs... „It was just a dumb thing. Then we put a chip in it. Now it's a smart thing.” (weputachipinit.tumblr.com) Crowdfunding: a new kind of celebrity. Too often the ridiculous meets big money. www.myvessyl.com
  64. Other BLE devices www.loxet.io They had been assured the communication is unbreakable because they use AES. I showed that an intruder who gets close to the unsuspecting victim’s phone once (even with the auto-unlock feature off) is able to get full control over the car repeatedly afterwards, without the victim’s consent.
  65. SMART METERS
  66. BLE broadcast smart meter: BLE module with a photodiode (it counts the meter's impulses)
  67-68. Smart meter: BLE broadcast (three LE Advertising Report events; the last byte of each is the RSSI)
      # hcidump -X -R
      > 0000: 04 3e 1e 02 01 00 00 1d 61 35 6f 12 00 12 02 01  .>......a5o.....
        0010: 06 0b ff 12 82 07 00 f4 2f 12 00 dc 05 02 0a 08  ......../.......
        0020: aa                                               .
      > 0000: 04 3e 1e 02 01 00 00 1d 61 35 6f 12 00 12 02 01  .>......a5o.....
        0010: 06 0b ff 12 82 06 00 01 30 12 00 dc 05 02 0a 08  ........0.......
        0020: a7                                               .
      > 0000: 04 3e 1e 02 01 00 00 1d 61 35 6f 12 00 12 02 01  .>......a5o.....
        0010: 06 0b ff 12 82 24 00 49 30 12 00 dc 05 02 0a 08  .....$.I0.......
        0020: a9                                               .
  69-71. Smart meter: BLE broadcast - the manufacturer-specific bytes (plus the Tx power AD 02 0a 08) from four consecutive advertisements:
      12 82 07 00 f4 2f 12 00 dc 05 02 0a 08
      12 82 06 00 01 30 12 00 dc 05 02 0a 08
      12 82 24 00 49 30 12 00 dc 05 02 0a 08
      12 82 06 00 50 30 12 00 dc 05 02 0a 08
      The fields that change: 07 00 / 06 00 / 24 00 / 06 00 = temporary impulses; f4 2f 12 00 / 01 30 12 00 / 49 30 12 00 / 50 30 12 00 = total number of impulses (little-endian, only ever increasing).
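Turning the hcidump lines into numbers is the whole "attack", so here it is as code. This is an added example, not the talk's code: it reassembles the first report from slides 67-68, parses the HCI LE Advertising Report (address, RSSI, advertising data), splits the AD structures and decodes the manufacturer-specific bytes of all four captures. The deck labels two fields "temporary impulses" and "total number of impulses"; which byte offsets hold them and that they are little-endian is an assumption made here from the bytes that change between captures, and the trailing `dc 05` is left undecoded.

```python
"""Decode an hcidump LE Advertising Report and pull the counters out of the meter's broadcast.

Added example, not code from the talk. HCIDUMP and MFG_SAMPLES are copied
from the deck (ASCII column dropped); the field offsets in
decode_meter_payload are an assumption.
"""
import re

HCIDUMP = """\
> 0000: 04 3e 1e 02 01 00 00 1d 61 35 6f 12 00 12 02 01
  0010: 06 0b ff 12 82 07 00 f4 2f 12 00 dc 05 02 0a 08
  0020: aa
"""

MFG_SAMPLES = [                      # manufacturer-specific AD payloads from the deck's four captures
    "12 82 07 00 f4 2f 12 00 dc 05",
    "12 82 06 00 01 30 12 00 dc 05",
    "12 82 24 00 49 30 12 00 dc 05",
    "12 82 06 00 50 30 12 00 dc 05",
]

_HEX_LINE = re.compile(r"^\s*>?\s*[0-9a-fA-F]{4}:\s*((?:[0-9a-fA-F]{2}\s?){1,16})")


def hcidump_to_bytes(text: str) -> bytes:
    """Join the hex columns of one `hcidump -X -R` packet into a byte string."""
    out = bytearray()
    for line in text.splitlines():
        m = _HEX_LINE.match(line)
        if m:
            out += bytes.fromhex(m.group(1))
    return bytes(out)


def parse_le_adv_report(pkt: bytes) -> dict:
    """Parse HCI event 0x3E (LE Meta), sub-event 0x02 (LE Advertising Report) carrying one report."""
    if pkt[:2] != b"\x04\x3e":
        raise ValueError("not an HCI LE Meta event")
    if len(pkt) != 3 + pkt[2]:
        raise ValueError("parameter length does not match packet length")
    if pkt[3] != 0x02 or pkt[4] != 1:
        raise ValueError("only a single LE Advertising Report is handled")
    addr = ":".join(f"{b:02X}" for b in reversed(pkt[7:13]))   # address is sent LSB first
    dlen = pkt[13]
    data = pkt[14:14 + dlen]
    rssi = int.from_bytes(pkt[14 + dlen:15 + dlen], "little", signed=True)
    return {"event_type": pkt[5], "addr_type": pkt[6], "addr": addr, "adv_data": data, "rssi": rssi}


def parse_ad_structures(data: bytes) -> list:
    """Split advertising data into (ad_type, payload) pairs; a zero length byte marks the padding."""
    out, i = [], 0
    while i < len(data):
        length = data[i]
        if length == 0:
            break
        out.append((data[i + 1], data[i + 2:i + 1 + length]))
        i += 1 + length
    return out


def decode_meter_payload(payload: bytes) -> dict:
    """Assumed layout: [0:2] vendor field, [2:4] temporary impulses (u16 LE),
    [4:8] total impulses (u32 LE), [8:10] constant 0x05dc (undecoded)."""
    if len(payload) < 10:
        raise ValueError("manufacturer data too short")
    return {"vendor": payload[:2].hex(),
            "temp_impulses": int.from_bytes(payload[2:4], "little"),
            "total_impulses": int.from_bytes(payload[4:8], "little"),
            "constant": int.from_bytes(payload[8:10], "little")}


def decode_meter_broadcast(adv_data: bytes) -> dict:
    """Find the manufacturer-specific AD (type 0xFF) in a report and decode it."""
    for ad_type, payload in parse_ad_structures(adv_data):
        if ad_type == 0xFF:
            return decode_meter_payload(payload)
    raise ValueError("no manufacturer-specific data in advertisement")


def totals_over_time(samples=MFG_SAMPLES) -> list:
    """Total impulse counter across the captured broadcasts; it must never decrease."""
    return [decode_meter_payload(bytes.fromhex(s))["total_impulses"] for s in samples]


if __name__ == "__main__":
    report = parse_le_adv_report(hcidump_to_bytes(HCIDUMP))
    print(report["addr"], report["rssi"], "dBm", decode_meter_broadcast(report["adv_data"]))
    print(totals_over_time())
```

No connection, pairing or key is involved: anyone within radio range who logs advertisements gets the same counters, which is exactly the risk assessment the next slides walk through.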
  72. OMG! We have „hacked” it! Wow, we can sniff the power usage of a victim! That looks like a serious vulnerability, doesn’t it? But is it really? In fact, we didn’t even have to hack anything. https://www.flickr.com/photos/viirok/2498157861
  73. BLE broadcast smart meter - risk. Conditions to exploit: distance 5-10 m from my house. The impact: a „not so anonymous” intruder can monitor my power usage and deduce e.g. my presence at home. But: my presence at home is also perfectly visible from 5.3 km distance. And I can detect the intruder, too ;)
  74. BTW: you can also reset this device; I haven’t bothered to set the password ;) Just as you could take a brick and break my window, but I honestly hope you won’t. https://www.flickr.com/photos/memestate/2840195/
  75. RF SMART METERS
  76. Wireless smart meters: an additional head mounted on the water meter transmits the reading wirelessly to mobile collectors. Several hundred thousand (and counting) installed in Poland.
  77. Hacking wireless: Software Defined Radio. RTL DVB-T USB stick ~ 40 PLN. Free software (e.g. GNU Radio). Great beginner’s video tutorial: http://greatscottgadgets.com/sdr/
  78. Public list of operators, frequencies etc.: http://www.uke.gov.pl/pozwolenia-radiowe-dla-klasycznych-sieci-radiokomunikacji-ruchomej-ladowej-5458
  79. Isolate the signal
  80. GFSK demodulation - GNU Radio
  81. How about a better gain?
  82. Risk for the end-user - conditions to exploit: 1. The data is transmitted in clear text or without proper encryption. 2. The precision of the transmitted data is higher than needed for billing. 3. Be in range of the wireless transmitter - at most a few hundred metres. 4. (A not-so-common-yet knowledge of wireless signal decoding.) Image: http://www.taswater.com.au/Customers/Residential/Water-Meters
  83. Risk for the end-user - impact (this meter just broadcasts the reading). Presence? It would be easier to observe e.g. parked cars or lights. Personal habits? When does he bathe (or not), do the laundry; whether he has a dishwasher; how big the family is... Emulate the tampering alarm signal for the bad neighbour?
  84. Risk for the operator? If the device broadcast too detailed a reading, a regulation could prohibit it (there are actually such regulations for energy meters). How much would it cost to replace several hundred thousand devices?
  85. Risk for the operator? 868 MHz transmitter 8 PLN + Arduino 30 PLN + 6 x 3 = 18 PLN. TOTAL: 56 PLN
  86. The hypothetical yearly bill
  87. The hypothetical yearly bill
  88. SUMMARY
  89. Should we worry? It depends. The risk is not always obvious. An intruder may hack the thing, but in the end it may not matter. But you may also implement a seemingly safe usage scenario that dramatically increases the risk. The physical presence condition does reduce the attack possibilities significantly. The risk may increase over time: new tools, exploits, adoption of the technology.
  90. Enthusiasts, hackers, pentesters, consultants... Wanna-be hackers: act in good faith to reduce the potential for harm. You won’t impress us with hacking talking dolls to say naughty words or teledildonics to vibrate abnormally ;) Please take the real risk into consideration, and the impact on the involved parties, too. Pentesters: acquire new skills and labs for the emerging market. Sometimes it’s just enough to RTFM.
  91. Vendors, inventors, entrepreneurs... Confront your ideas with security professionals. Startups: Bugcrowd www.bugcrowd.com; free consultancy www.securing.pl/konsultacje (form in PL), contact us for EN. Drop us your device and we’ll see what we can do in our spare time. Proactively predict future compliance (the FCC, EU and governments are working on it). Educate the users, design secure-by-default devices - e.g. enforce non-default passwords.
  92. End-users: understand the technology and the associated risks; be aware of its shortcomings and of secure usage scenarios. Depending on the risk (e.g. industrial, urban, government, medical...), consider a security assessment of your configuration. Get used to the loss of privacy: you are no longer in control of your data, no matter whether you use the technology or try to avoid it. Demand security.
  93. Demand security! Along the whole supply chain: Board Support Package -> Original Device Manufacturer -> Original Equipment Manufacturer -> Value Added Reseller / Distributor -> End user. Security !!!
  94. And for the Happy(?)-End - the pentester’s view: features at low cost, compromising on security, is just obscene ;) Let’s do it better!
  95. Thank you, looking forward to contact! slawomir.jasek@securing.pl MORE THAN SECURITY TESTING
