Bought a smart toy for Xmas?

Who am I?

An IoT security researcher

Part of a team of 50 who carry out extensive research in to IoT security at @pentestpartners

We help manufacturers secure their IoT products

Known for public research in to hacking Mitsubishi vehicles, My Friend Cayla, wi-fi kettles, Samsung smart TVs, fridges and much more

First, some fun

A Wi-Fi kettle

A Wi-Fi enabled kettle, essential for every home

Comes with mobile app, from which kettle can be boiled

Offers stunning time saving, at a £100 premium over a regular non-smart kettle

How to hack a kettle

#1 port scan

#2 take it apart

#3 locate chipset manuals

#4 review source code

#5 find code fails

#6 make tea!

Wi-Fi is trackable. Find kettles to steal Wi-Fi security key from:

Their latest releasesiKettle 3.0 – much more secure. I would use one!

Coffee machine 2.0, uses a chipset that doesn’t offer much security

Latest products much

improved

Now for some swearing

My Friend CaylaInteractive kids doll

Voice recognition, listens continuously whilst powered on

“Internet Safe” “Kid friendly”

Anti-profanity filters

… so can we make her swear?

… could someone use her to spy on kids?

Hacking Cayla

Wikipedia API

Evil API

No Bluetooth PIN

Voice recognition

Local Q database + ‘badwords’

MITM

Modify unencrypted data in transit

Evil phone, modified app

Modify SQLite DB contents

Tamper with anti-swearing process

API call broken when Wikipedia enforced SSL!

Putting it right

Manufacturer clearly doesn’t ‘get’ security

“We will be issuing an update to the mobile app to fix the issues raised” – except they didn’t

Implementing SSL will help, so long as certificate pinning is enforcedOtherwise, MITM again

But, Bluetooth promiscuity cannot be fixed, as there is no security of pairing process

Vendor updates the app

Our attack stopped working a while back, after the application was finally updated

They ‘fixed’ it by encrypting the database contents with SQLcipher

Er – ignoring the issues that actually mattered

My Friend Freddy Bear

Nothing changes…

Whilst reverse engineering the iOS version of Cayla’s app, another researcher (Tim Medin) found a ‘machine gun’ sound file in her code

Action Cayla?

Freddy Bear shipped last Xmas, equally vulnerable

Slightly more annoying

German app is different to UK & US apps…

Even swearier

Teksta Toucan

Same vendor as Cayla

Same security flaws

This Toucan needs to be banned urgently!

Teksta Tekno puppy

No Bluetooth, BUT has voice recognition

Firmware contained on flash memory with no read-out protection

BB-8

Firmware pushed from mobile app over http

Potential to intercept and modify. Turn to the…

Cool vendor – reported and fixed in 10 days!

Anki Cosmo

Smart toys CAN be secure

Unique keys per device, loaded at factory

Why can’t all smart toys be like this?

Things that listen

Samsung Internet TV

Audio sent to Nuance Communications for voice->text conversion

Both directions plaintext

Echo!Amazing voice recognition and sensitivity, will respond to any voice without training

Alexa voice/IoT integration is pretty secure

What do you control with it? The amazing August smart door lock?

Stand outside window, say ‘unlock door’ ?

Are you having a laugh?

Stand outside window, ‘unlock BMW’

Car on drive unlocks, code key, drive off?

Nespresso ProdigioBut it can get more interesting

This machine integrates Bluetooth remote control PLUS ecommerce functionality

Interesting value add for manufacturer

The mobile app has permissions to make calls silently without user interaction!

We can take control of it, but more concerning is potential to tamper with payment processes

Samsung Smart Fridge

Samsung RF28HMELBSR Smart Fridge

View Google calendars, weather, recipes, TV etc

Did I say ‘utterly pointless’?

SSL connection is not ‘pinned’ so hacker can intercept and steal your email credentials from your refrigerator!

Kids Tablets

Tesco Hudl, £120 – popular gift for kidsHudl based on Rockchip CPU

Ran native Android

Rockchip CPU exploit allows read from firmware in addition to write

Read any user data without needing the PIN

Factory reset did not wipe data

Tesco replaced hudl with hudl 2 shortly after we reported this. Cool vendor

2017 – it’s still happening

Despite extensive media coverage, several vulnerable products continued to ship after hudlwithdrawn

Aldi Medion Lifetab

Argos MyTablet

But also withdrawn in 2015

However, VTech Innotab Max is STILL SHIPPING in 2017.

Only yesterday VTech settled hacking case with FTC for $650,000

Holding your IoT to ransom

Ransomware

Could we take control of a smart thermostat?

Could we lock the user out and hold their heating/cooling to ransom?

A likely candidate found on Amazon

Quick check of FCC search suggested ARM/Linux

Unpacking firmware

BINGO! We have the filesystem

Examining firmware

Remember SQL injection for web applications?

We can carry out similar attacks against filesystems using command injection

User input is not validated in some cases

The upload function for the screen background image is not validated correctly, so arbitrary commands can be executed

The developer gave no thought to attackers getting hold of the firmware:

More developer issuesThis dev really didn’t think their code would ever be seen!

Taking control

Now we can upload a shell and gain full control of the thermostat, it even survives a reboot – APT?

Create an IRC channel so we can control the stat remotelyChange the screen lock PIN to lock the user outChange the screen background to some ransomwareSend on/off messages to boiler & a/c 3 times per second until they fail

All because a filename was implicitly trusted by device

Smart watches

Kids Tablets

Tesco Hudl, £120 – popular gift for kidsHudl based on Rockchip CPU

Ran native Android

Rockchip CPU exploit allows read from firmware in addition to write

Read any user data without needing the PIN

Factory reset did not wipe data

Tesco replaced hudl with higher spec hudl 2 shortly after we reported this. Cool vendor!

2017 – it’s still happening

Despite extensive media coverage, several vulnerable products continued to ship after hudlwithdrawn

Aldi Medion Lifetab

Argos MyTablet

But also withdrawn in 2015

However, Vtech Innotab Max is STILL SHIPPING in 2017

Mirai: kills Facebook for 2 hours

IoT DVR for CCTV

Hard disc on the DVR records your CCTV

You can view your CCTV remotely on a mobile app

Opens port 80 inbound from the internet

Could we steal personal data AND take down the internet with one device?

MVPower DVR

~44,000 on shodanhq.com

Search for

“JAWS/1.0”

MVPower DVR – Very bad... Easy to bypass web authentication by changing cookie values

dvr_usr = <anyusername>

dvr_password = <anypassword>

MVPower DVR – It gets worse....

Remote root shell availablehttp://<hostname/IP>/shell?<command>

Available whenever the webserver is runningWeb server needed to use the device

Can’t get much worse.....can it?

MVPower DVR – appalling privacy invasion

Still images of your CCTV video sent to developers email address

Apparently this was pre-release testing firmware that made its way in to production

No response to disclosure attempts, until we Rickrolledhim, frame by frame

ConsequenceMirai v1 knocked many social networks off the internet for ~2 hours in October 2016

Lack of persistence means that botnet operators are competing for control, so no huge botnets have yet been built

Vulnerabilities overlooked in just one IoT device (XM-based DVRs) allow creation of a botnet capable of >>1Tb/s of DDoS

This risk is significant: are your IoT devices the next source of an attack?

New Laws around IoT

My Friend Cayla

German telecoms regulator bans Cayla

On grounds that she has ‘covert audio bugging capability’

EUR 25,000 fine for possession

Legal cases around IoT emerging

US Senate draft IoT security bill

A great step in the right direction

US government departments and agencies may not use IoT devices that do not comply with basic security standards

Some issues requiring debate, though this bill is almost beautifully simple

Efforts in the EU

Various EU publications and drafts

ENISA making progress

Julia Reda (Greens/EFA)

“State of the Cyber: 10 proposals for improving IT security in the EU”

Standards and good guidance

It is already out there:

OWASP

IoTSF

GSMA

etc

Plenty of lobbyists and IoT researchers!

@iamthecavalry

@internetofshit

Regulation, Legislation and Litigation

@thekenmunroshow

@pentestpartners

Blog: www.pentestpartners.com – full of useful advice

If you need help with your IoT security, call us