Bought a smart toy for Xmas?
Who am I?
An IoT security researcher
Part of a team of 50 who carry out extensive research into IoT security at @pentestpartners
We help manufacturers secure their IoT products
Known for public research into hacking Mitsubishi vehicles, My Friend Cayla, wi-fi kettles, Samsung smart TVs, fridges and much more
First, some fun
A Wi-Fi kettle
A Wi-Fi enabled kettle, essential for every home
Comes with mobile app, from which kettle can be boiled
Offers stunning time saving, at a £100 premium over a regular non-smart kettle
How to hack a kettle
#1 port scan
#2 take it apart
#3 locate chipset manuals
#4 review source code
#5 find code fails
#6 make tea!
Wi-Fi is trackable. Find kettles to steal Wi-Fi security key from:
Their latest releases
iKettle 3.0 – much more secure. I would use one!
Coffee machine 2.0, uses a chipset that doesn’t offer much security
Latest products much improved
Now for some swearing
My Friend Cayla
Interactive kids doll
Voice recognition, listens continuously whilst powered on
“Internet Safe” “Kid friendly”
Anti-profanity filters
… so can we make her swear?
… could someone use her to spy on kids?
Hacking Cayla
Wikipedia API
Evil API
No Bluetooth PIN
Voice recognition
Local Q database + ‘badwords’
MITM
Modify unencrypted data in transit
Evil phone, modified app
Modify SQLite DB contents
Tamper with anti-swearing process
API call broken when Wikipedia enforced SSL!
Putting it right
Manufacturer clearly doesn’t ‘get’ security
“We will be issuing an update to the mobile app to fix the issues raised” – except they didn’t
Implementing SSL will help, so long as certificate pinning is enforced
Otherwise, MITM again
But, Bluetooth promiscuity cannot be fixed, as there is no security of pairing process
Vendor updates the app
Our attack stopped working a while back, after the application was finally updated
They ‘fixed’ it by encrypting the database contents with SQLcipher
Er – ignoring the issues that actually mattered
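The app-side filter bypass above and the vendor's "encrypt the database" non-fix, as an added Python example. This is not the Cayla app's code and not Pen Test Partners' tooling; the table names, the sample word list and the per-device key are constructed for illustration. The first half models the filter the slides describe (word list in a local SQLite file, applied by the phone app) and shows that emptying that table, whether by editing the file or by running a modified app, removes it; wrapping the file in SQLcipher changes nothing, because the app that holds the decryption key is the thing the attacker controls. The second half shows one design that does help, stated here as an assumption rather than anything the vendor shipped: filter on the service, and authenticate each answer to the doll with a key the phone never holds.

```python
import hmac
import hashlib
import sqlite3

# Constructed sample data (not the real Cayla content): a local Q&A table and
# the 'badwords' list the app filters against. Table and column names are assumptions.
SAMPLE_BADWORDS = ["bloody", "bugger"]
SAMPLE_QA = {
    "what is a kettle": "A kettle boils water, bloody quickly.",
    "who are you": "I am Cayla, your friend.",
}


def build_app_db() -> sqlite3.Connection:
    """The SQLite database the phone app ships with (in memory here)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE badwords (word TEXT PRIMARY KEY)")
    db.execute("CREATE TABLE qa (question TEXT PRIMARY KEY, answer TEXT)")
    db.executemany("INSERT INTO badwords VALUES (?)", [(w,) for w in SAMPLE_BADWORDS])
    db.executemany("INSERT INTO qa VALUES (?, ?)", list(SAMPLE_QA.items()))
    db.commit()
    return db


def mask(answer: str, badwords: set) -> str:
    """Replace each bad word with asterisks, keeping any trailing punctuation."""
    out = []
    for word in answer.split():
        core = word.rstrip(".,!?")
        out.append("****" + word[len(core):] if core.lower() in badwords else word)
    return " ".join(out)


def app_side_answer(db: sqlite3.Connection, question: str) -> str:
    """Vulnerable pattern: the phone app looks the answer up and filters it
    itself, using a word list in a file the phone's owner can edit."""
    row = db.execute("SELECT answer FROM qa WHERE question = ?", (question,)).fetchone()
    if row is None:
        return "I don't know."
    badwords = {w for (w,) in db.execute("SELECT word FROM badwords")}
    return mask(row[0], badwords)


def tamper_app_db(db: sqlite3.Connection) -> None:
    """What a modified app, or a direct edit of the SQLite file, can do."""
    db.execute("DELETE FROM badwords")
    db.commit()


# Hardened pattern (an assumed design, not the vendor's fix): the word list and
# the filtering live on the service, and each answer carries an HMAC under a
# key provisioned into this one doll at the factory. The phone only relays.
SERVER_BADWORDS = set(SAMPLE_BADWORDS)
DEVICE_KEY = hashlib.sha256(b"constructed per-device key, doll #0001").digest()


def server_answer(question: str, device_key: bytes) -> tuple:
    """Service side: look up, filter, and authenticate the answer for one doll."""
    text = mask(SAMPLE_QA.get(question, "I don't know."), SERVER_BADWORDS)
    tag = hmac.new(device_key, text.encode(), hashlib.sha256).hexdigest()
    return text, tag


def doll_accepts(text: str, tag: str, device_key: bytes) -> bool:
    """Doll side: speak the text only if the tag verifies under its own key,
    so a phone (or anyone in the middle) that edits the text is caught."""
    expected = hmac.new(device_key, text.encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, tag)


if __name__ == "__main__":
    db = build_app_db()
    print("app filter   :", app_side_answer(db, "what is a kettle"))
    tamper_app_db(db)
    print("after tamper :", app_side_answer(db, "what is a kettle"))
    text, tag = server_answer("what is a kettle", DEVICE_KEY)
    print("server filter:", text, "accepted:", doll_accepts(text, tag, DEVICE_KEY))
    print("edited text accepted:", doll_accepts(text.replace("****", "bloody"), tag, DEVICE_KEY))
```

The HMAC stops edits, not replays: a captured tagged answer could be fed to the doll again later, so a real design would have the doll contribute a nonce that the service includes under the tag. The point that survives is the one the slides make: once the phone is outside the trust boundary, the doll has to verify what it is told, and SQLcipher on the phone does not achieve that.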
My Friend Freddy Bear
Nothing changes…
Whilst reverse engineering the iOS version of Cayla’s app, another researcher (Tim Medin) found a ‘machine gun’ sound file in her code
Action Cayla?
Freddy Bear shipped last Xmas, equally vulnerable
Slightly more annoying
German app is different to UK & US apps…
Even swearier
Teksta Toucan
Same vendor as Cayla
Same security flaws
This Toucan needs to be banned urgently!
Teksta Tekno puppy
No Bluetooth, BUT has voice recognition
Firmware contained on flash memory with no read-out protection
BB-8
Firmware pushed from mobile app over http
Potential to intercept and modify. Turn to the…
Cool vendor – reported and fixed in 10 days!
Anki Cozmo
Smart toys CAN be secure
Unique keys per device, loaded at factory
Why can’t all smart toys be like this?
Things that listen
Samsung Internet TV
Audio sent to Nuance Communications for voice->text conversion
Both directions plaintext
Echo!
Amazing voice recognition and sensitivity, will respond to any voice without training
Alexa voice/IoT integration is pretty secure
What do you control with it? The amazing August smart door lock?
Stand outside window, say ‘unlock door’ ?
Are you having a laugh?
Stand outside window, ‘unlock BMW’
Car on drive unlocks, code key, drive off?
Nespresso Prodigio
But it can get more interesting
This machine integrates Bluetooth remote control PLUS ecommerce functionality
Interesting value add for manufacturer
The mobile app has permissions to make calls silently without user interaction!
We can take control of it, but more concerning is potential to tamper with payment processes
Samsung Smart Fridge
Samsung RF28HMELBSR Smart Fridge
View Google calendars, weather, recipes, TV etc
Did I say ‘utterly pointless’?
SSL connection is not ‘pinned’ so hacker can intercept and steal your email credentials from your refrigerator!
Kids Tablets
Tesco Hudl, £120 – popular gift for kids
Hudl based on Rockchip CPU
Ran native Android
Rockchip CPU exploit allows read from firmware in addition to write
Read any user data without needing the PIN
Factory reset did not wipe data
Tesco replaced hudl with hudl 2 shortly after we reported this. Cool vendor
2017 – it’s still happening
Despite extensive media coverage, several vulnerable products continued to ship after hudl withdrawn
Aldi Medion Lifetab
Argos MyTablet
But also withdrawn in 2015
However, VTech Innotab Max is STILL SHIPPING in 2017.
Only yesterday VTech settled hacking case with FTC for $650,000
Holding your IoT to ransom
Ransomware
Could we take control of a smart thermostat?
Could we lock the user out and hold their heating/cooling to ransom?
A likely candidate found on Amazon
Quick check of FCC search suggested ARM/Linux
Unpacking firmware
BINGO! We have the filesystem
Examining firmware
Remember SQL injection for web applications?
We can carry out a similar attack against the device’s operating system using command injection
User input is not validated in some cases
The upload function for the screen background image is not validated correctly, so arbitrary commands can be executed
The developer gave no thought to attackers getting hold of the firmware:
More developer issues
This dev really didn’t think their code would ever be seen!
Taking control
Now we can upload a shell and gain full control of the thermostat, it even survives a reboot – APT?
Create an IRC channel so we can control the stat remotely
Change the screen lock PIN to lock the user out
Change the screen background to some ransomware
Send on/off messages to boiler & a/c 3 times per second until they fail
All because a filename was implicitly trusted by device
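The trusted-filename bug in the background-image upload, as an added Python example beside its hardened form. This is not the thermostat's firmware (which is not on the page) and the handler names, paths and the `nice.png` sample are constructed; the vulnerable handler reproduces the pattern described above, an uploaded filename dropped straight into a `system(3)`-style shell command line, and the payload only echoes a marker so the demonstration is harmless to run.

```python
import os
import re
import shutil
import subprocess
import tempfile

# Allow-list for the hardened handler: no path separators, no shell
# metacharacters, bounded length, a known image extension.
SAFE_NAME = re.compile(r"^[A-Za-z0-9_-]{1,64}\.(png|jpg)$")


def set_background_vulnerable(upload_dir: str, bg_path: str, filename: str) -> str:
    """The pattern the slides describe: the client-supplied filename is
    interpolated into a shell command (equivalent to os.system / system(3)).
    Returns the shell's stdout so the injected command's output is visible."""
    cmd = f"cp {upload_dir}/{filename} {bg_path}"
    done = subprocess.run(["sh", "-c", cmd], capture_output=True, text=True)
    return done.stdout


def set_background_hardened(upload_dir: str, bg_path: str, filename: str) -> bool:
    """Validate the name against the allow-list, confine the source to the
    upload directory even after symlink resolution, and never involve a shell."""
    if not SAFE_NAME.fullmatch(filename):
        return False
    src = os.path.realpath(os.path.join(upload_dir, filename))
    if os.path.dirname(src) != os.path.realpath(upload_dir):
        return False
    if not os.path.isfile(src):
        return False
    shutil.copyfile(src, bg_path)  # plain file copy, no command line to inject into
    return True


def run_demo() -> dict:
    """Build a throwaway upload directory and exercise both handlers with a
    benign name and with an attacker-chosen name carrying an injected command."""
    with tempfile.TemporaryDirectory() as work:
        upload_dir = os.path.join(work, "upload")
        os.mkdir(upload_dir)
        with open(os.path.join(upload_dir, "nice.png"), "wb") as f:
            f.write(b"\x89PNG constructed sample image bytes")
        bg_path = os.path.join(work, "background.png")
        payload = "nice.png; echo INJECTED"  # the 'filename' an attacker submits

        results = {}
        # The shell runs cp (which fails) and then the attacker's echo.
        results["vulnerable_output"] = set_background_vulnerable(upload_dir, bg_path, payload)
        results["hardened_rejects_payload"] = set_background_hardened(upload_dir, bg_path, payload)
        results["hardened_rejects_traversal"] = set_background_hardened(upload_dir, bg_path, "../background.png")
        results["hardened_accepts_benign"] = set_background_hardened(upload_dir, bg_path, "nice.png")
        results["background_written"] = os.path.isfile(bg_path) and os.path.getsize(bg_path) > 0
        return results


if __name__ == "__main__":
    for name, value in run_demo().items():
        print(f"{name}: {value!r}")
```

Swap the echo for `wget`/`nc` and a reboot-surviving init script and you have the persistence, PIN change and boiler-cycling chain from the slide; the hardened handler closes all of it by refusing the name before any command exists to inject into.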
Smart watches
Mirai: kills Facebook for 2 hours
IoT DVR for CCTV
Hard disc on the DVR records your CCTV
You can view your CCTV remotely on a mobile app
Opens port 80 inbound from the internet
Could we steal personal data AND take down the internet with one device?
MVPower DVR
~44,000 on shodanhq.com
Search for
“JAWS/1.0”
MVPower DVR – Very bad... Easy to bypass web authentication by changing cookie values
dvr_usr = <anyusername>
dvr_password = <anypassword>
MVPower DVR – It gets worse....
Remote root shell available
http://<hostname/IP>/shell?<command>
Available whenever the webserver is running
Web server needed to use the device
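The two MVPower findings above (the cookie pair the web UI accepts with any values, and the unauthenticated `/shell?<command>` endpoint), plus the `JAWS/1.0` banner the Shodan search keys on, as an added detection example in Python. This is not Pen Test Partners' code and the traffic is constructed, not captured; it shows how a defender fingerprints these DVRs from a response banner and flags the two request shapes in raw HTTP as a web proxy or sensor would see them.

```python
import re
from urllib.parse import unquote

# Constructed sample traffic (not a real capture): one response banner and
# three raw requests, RFC 7230 framing with CRLF line endings.
SAMPLE_BANNER = "HTTP/1.1 200 OK\r\nServer: JAWS/1.0\r\nContent-Type: text/html\r\n\r\n"
SAMPLE_REQUESTS = [
    "GET /shell?cat%20/etc/passwd HTTP/1.1\r\nHost: 203.0.113.10\r\n\r\n",
    "GET /view2.html HTTP/1.1\r\nHost: 203.0.113.10\r\n"
    "Cookie: dvr_usr=admin; dvr_password=anything\r\n\r\n",
    "GET /index.html HTTP/1.1\r\nHost: 203.0.113.10\r\n\r\n",
]

REQUEST_LINE = re.compile(r"^(?P<method>[A-Z]+) (?P<target>\S+) HTTP/\d\.\d$")


def is_jaws_dvr(response: str) -> bool:
    """Fingerprint from the Server header: the same string the Shodan query matches."""
    for line in response.split("\r\n"):
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "server" and value.strip().startswith("JAWS/1.0"):
            return True
    return False


def parse_request(raw: str) -> tuple:
    """Return (method, target, headers) for one raw HTTP request; header names lowercased."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    m = REQUEST_LINE.match(lines[0])
    if not m:
        raise ValueError("not an HTTP request line: %r" % lines[0])
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return m["method"], m["target"], headers


def parse_cookies(header: str) -> dict:
    """Split a Cookie header into a name -> value mapping."""
    cookies = {}
    for part in header.split(";"):
        name, sep, value = part.strip().partition("=")
        if sep:
            cookies[name] = value
    return cookies


def classify_request(raw: str) -> list:
    """Findings for a request to an MVPower/JAWS DVR: use of the /shell
    endpoint (with the decoded command), and the dvr_usr/dvr_password cookie
    pair that the web UI trusts without checking the values."""
    method, target, headers = parse_request(raw)
    findings = []
    path, sep, query = target.partition("?")
    if path == "/shell":
        findings.append("shell_endpoint: " + unquote(query))
    cookies = parse_cookies(headers.get("cookie", ""))
    if "dvr_usr" in cookies and "dvr_password" in cookies:
        findings.append("cookie_auth: dvr_usr=" + cookies["dvr_usr"])
    return findings


if __name__ == "__main__":
    print("JAWS banner:", is_jaws_dvr(SAMPLE_BANNER))
    for raw in SAMPLE_REQUESTS:
        print(raw.split("\r\n")[0], "->", classify_request(raw) or "nothing of note")
```

The `/shell` finding is an attack signature in its own right; the cookie finding is inventory, since the legitimate mobile app sends the same pair, but a request carrying it from an address outside your own network means the device is exposed on port 80 inbound, which is the condition that turned these DVRs into Mirai nodes.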
Can’t get much worse.....can it?
MVPower DVR – appalling privacy invasion
Still images of your CCTV video sent to developers email address
Apparently this was pre-release testing firmware that made its way in to production
No response to disclosure attempts, until we Rickrolled him, frame by frame
Consequence
Mirai v1 knocked many social networks off the internet for ~2 hours in October 2016
Lack of persistence means that botnet operators are competing for control, so no huge botnets have yet been built
Vulnerabilities overlooked in just one IoT device (XM-based DVRs) allow creation of a botnet capable of >>1Tb/s of DDoS
This risk is significant: are your IoT devices the next source of an attack?
New Laws around IoT
My Friend Cayla
German telecoms regulator bans Cayla
On grounds that she has ‘covert audio bugging capability’
EUR 25,000 fine for possession
Legal cases around IoT emerging
US Senate draft IoT security bill
A great step in the right direction
US government departments and agencies may not use IoT devices that do not comply with basic security standards
Some issues requiring debate, though this bill is almost beautifully simple
Efforts in the EU
Various EU publications and drafts
ENISA making progress
Julia Reda (Greens/EFA)
“State of the Cyber: 10 proposals for improving IT security in the EU”
Standards and good guidance
It is already out there:
OWASP
IoTSF
GSMA
etc
Plenty of lobbyists and IoT researchers!
@iamthecavalry
@internetofshit
Regulation, Legislation and Litigation
@thekenmunroshow
@pentestpartners
Blog: www.pentestpartners.com – full of useful advice
If you need help with your IoT security, call us