From Feeding to Learning: Uncovering Hidden Dangers in Smart Devices for Pets and Kids - Roland Sako

yeah so hi everyone thank you for coming to the talk I'm happy to be here for the second time I was here last year for a workshop about fuzzing so my name is Rand Saku I'm a security researcher at kasperski ICS unfortunately uh my colleague Nikolai frolov couldn't come to the talk because he got a Visa issue in last minute so I'm going to give the talk by myself so we are as I said we are security researchers uh we mainly focus on Automotive Research so uh searching for vulnerabilities in cars and stuff related to Automotive also IC devices so industrial control system iot uh consumer iot or industrial iot and then we do bunch of vulnerability research

through fuzzing and reverse engineering we also give some training sometimes uh I'd like to give a shout out also to all of my colleagues from the team because uh since we did the research ourself there are also some huge support from our team members and managers so um just a shout out to my colleagues there so what I'm going to talk about today is two small little devices that are interesting uh fun and uh so that's going to be a smart PR feeder and a smart educational robot that is using Ai and you probably think why does it matter it's just a small little device it's a smart pet feeder nothing critical and as you can

see as we will be seeing during the presentation uh it doesn't matter if it's critical or not it still has an impact let's get started with with the smart bre feeder so uh I do have a cat I don't know if any of you guys have PA at home a cat or a dog I do have a cat um it's very useful to have such devices because um first of all you don't have to manage the schedule for feeding the cat or the dog or whatever or pet you have uh you can do it in advance and say for example every day at 8:00 in the morning there's going to be that amount of food on the table uh you can also

remotely access it uh there's a camera there's a microphone you can talk to the pep interesting device and one thing most of the time I do before I get started with the research in that case we ordered a device it took a few uh days to come I had to look at the FCC database so FCC is uh the organism that regulates the um telecommunication in the US so every single device that you have uh that communicate on the any frequency has to comply with the FCC so basically they have to yeah yeah okay they have to fill documentation with the details with test setup internal pictures Etc and they have to comply and the good thing is

everything is then is public I think you probably if you look at your phone or something that you have at home you will see this FCC logo and there's an ID so which with this FCC ID you can access to the information that is public and that case what was interesting to me was the internal pictures so I look at the internal pictures and I said this so basically it seems like it's just a smart camera in a big box with some mechanisms to dispense the food so pretty interesting sometimes it's also good for me to have this kind of picture because I can see what is on the PCB and I can get my tool ready in

order to get the correct adapters and stuff in advance in that case the the picture of quality is not very good so I couldn't see nothing okay so now that I get the device first step is to get it connected you have to install the app create your account and put your Wi-Fi name and password and it will generate the QR code you show the QR code to the pet feeder camera and you just get connected to the network nothing special first thing first I set up a proxy and uh you see there's a bunch of uh https request and one HTTP request in clear text uh funny enough not really funny but um most of the requests are using https

with certificate pinning I was able to see that because I instrumented the app so I could see the traffic the last request is using HTTP and it has bunch of parameters including my phone number which is used as a user ID and then there's also the command name which uh says um uh sync feed list for now we don't really know what it is but it doesn't really matter now I'm looking for the low hanging fruit so the very easy stuff so it's connected to my network I'll do a quick nmap scan and what I see is uh there's a tet Port open good news for me at least so now that's a very good start for me

because it's like very easy to exploit in principle I mean just connect to it only thing is they set up a password and the username so I needed a way to extract the username and password first thing I do is just crack open the device thanks to the FCC ID pictures I could see where the PCB is located without destroying the device completely and as you can see it's just a simple little chip uh that talks SPI so usually the firmware is stored there so I just need to extract the information and then I get access to the firmare there are different ways to do that I had a tool that is called bus pirate so bus pirate is the tool that is

able to talk different protocols uh it can talk SPI so I use that connect it to the pins correctly and use Flash form which is a open source software to extract um to to program such chip for some reasons I had some issue so I had to move to another solution and other solution is a bit more destructive so I use the hot Haun and I unsolder the chip put it on the chip programmer and read it out like very straightforward I had the old content good now in order to continue the research I had to to sold it back uh that's not for me I didn't want to do it because of laziness but also I

thought if I need to change something inside the device and then just keep going for testing I didn't want to unsolder resolder Etc I just SKT it like this and I just kept it on the adapter on the breadboard put the connection point to the PCB and then just continue working with that so once you once you read everything from the chip uh I use binwalk to see what is inside to extract the information nothing special just a embedded Linux file system with everything that we know this now we moved from uh like Little Hardware stuff to software problems let's say software research um I told you there was um a taet network uh server run

I didn't have the credentials so automatically I go to the shadow file I see the hash of the password next step I try to crack it so I set up my basement with uh no just kidding I just Googled the the hash and I found it first results funny thing is uh many of the cameras from high silicone and some other brands are using the same credential for some reason I don't know if probably be part of hdk and then you use the default credentials but doesn't really matter I got the password connected to the device and I'm [Music] root um I get root access so I get full power to the device only thing you need

to uh keep in mind is that you need to be on the local network the same local network this attack doesn't work from outside of the network but it's still interesting then um looking to the file system I saw something interesting in the start of script so at the beginning of the device there is a a script called run Alex that is run that is responsible for launching a binary that is called mqtt Alex with an IP address and this is basically connecting to mqtt server in order to receive the um voice command so basically that device can be controlled with the mobile application but also with the voice command through uh Alexa so started reversing the binary in the

main not very visible there but yeah in the main function you see there is a mqtt init authentication so what the first thing it does is connect to the mqtt broker with the credentials and the credentials are out coded into the binary so basically if I install any mqtt client I could connect remotely to the broker and then access to all of the information and once the device connects it does a bunch of uh subscribe so mqt works on a pops up uh principle so means that you subscribes to a topic and then whenever someone publish on that topic you receive the information in that case there was uh the main topic was voice and then you have the commands and after

that you have a secret ID and the secret ID is a secret ID for each device this is how it works so whenever you do just uh voice command it will send uh a message in Json format with voice shoot is the command and then the secret ID so basically if I know the secret ID of a user I could send any commment that I want so how this secret ID is generated uh not so complicated uh it's basically using bunch of information that are static and one information dynamically which is the MAC address of the device doesn't really matter because since we're in [Music] mqtt and the secret ID is part of the topic what I could just do is create uh

take um mqtt client connect to the broker and then with that connection subscribe to all the subtopics so basically you connect you subscribe to voice and then use a wild card which means that every subtopic will be uh the topics that you're interested in once you do that you get all of the information that is going on in the mqtt server and then further uh this is a test mptt broker so of course we're not going to test it on production from the vendor I just set up my own Mt server with the same credential I had my device connect to it to see what is going [Music] on what you can do is not very critical

at that point I can just extra feed the the pets uh indefinitely have it like going that [Music] way another interesting fact is if you look further on the parsing code that is uh basically most of the time where the critical issues are the memory issues are you can see that um the code assume that the values are not nil there's no Integrity check there's nothing checking the size of uh the received packet Etc and uh doing some very little uh dump fuzzing I could make the binary crash so basically if you send a message to any device uh and you miss one of the field you will just crash the binary so you have a do attack very uh

easily and then I was interested in how the backend communication was done from the device to the back end I found the function that are responsible for communicating and interesting interestingly enough I saw that it was only using curl and doing bunch of HTTP requests not even encrypted and there we go we have have our CMD which is the topic and then we have the upload key which is the same for every device so basically everything is done through HTTP and um if you're in a position where you can be a man in the middle you can just thinker with everything that you want and finally the update process uh very interesting um I rarely

s this kind of uh kind of things they seem have their update um file on a on a server it's a zip file that is encrypted with the password and the password is hardcoded into a script that is in the device so basically um if you manage to get access to the back end you create your malicious update file you encrypt it with the same password and then you can potentially have their other device infected so yeah somehow someone had to uh put all of this little issues into this device and make it not very uh very [Music] secure uh vendor communication uh unfortunately wasn't that good so I started we started uh communicating with the vendor October

2022 and until February 2023 we didn't have any answer and then in March we had some uh contact with the vendor and uh we asked them to establish some encrypted communication so uh give give um give us a direct gpg key so we can uh send everything encrypted no answers so we just published so let's say that the vendor communication was not very successful okay so next one uh is a small little robot that is also a fun device for kids so basically it allows you to uh give it to your kid so they can help um the kid do the homework uh learn a new language do some mathematic physics and stuff like this uh the vendor claim that every

single bit of information is encrypted protected and uh that's for your privacy and the privacy of your child so nothing to worry about first thing we do is to connect the device to our Network and uh start monitoring the traffic and first thing we see is HTTP request [Music] everywhere there we go again there we go again next thing again uh we take the device tear it apart apart look at the PCB bunch of components in our case we not really interested into all of these uh components we go straight to the memory and uh so this is the picture where I got started to put the pin by pin because I didn't have the correct reader

at the end it's the huge mess because there's wire everywhere uh but at the end we managed to extract data from the emmc and then we started analyzing the firmware interesting things is uh we look at the USB configuration we saw that there is ADB enabled and whenever we connected to the computer or we start uh connecting after the third line there and we see ADB for 5 Second and then disappear why that uh so basically when the device gets started there is then um um main uh main application that this is the launcher who is responsible to uh interact with the configuration and check whether the ADB is activated or not and basically it does it by checking a

file and that file will manage to just change from enable no to enable yes and then connecting to the device through USB we add root access through ADB so now let's go back to the back end so the backend is also very interesting um interesting in in a sense that is not really good but the password is a a six uh digit and character a mix of digital character only six in uh size which is pretty weak and then they're using the serial number as a login and still regarding the password this is the function that is um responsible for generating a password so that's pretty weak so basically it's just taking a bunch of like small small

little data and converting to exod decimal and that's pretty much it even better so you connect to the you communicate with the Bon using the login uh API you put a random password and you still get a token so basically there is a function that check for the authentication that does nothing they just return you a token so it doesn't really matter if you have the correct password or not you just get the token and you just get

access and we keep going so we have another endpoint get app configuration here uh also a little bit weird so basically if you connect to that endpoint and you provide the robot ID then you can Burch bunch of information so you get the chart name the age which is not very critical that much if you choose the first name and the age but then you have the the exact location of that robot and then to check authentication same thing you provide the robot ID and you get the username password uh the parent email phone number and some useless information but still uh basically you get all the credential for every you can enumerate all the credential for all the user for

that robot and um also some that I didn't know about before uh we get started with this research but uh they are using jungle rest framework which is a framework that I not really aware about but that what we detected is they had the debug enabled to through which means that we could enumerate a bunch of information so for example we can see all of the endpoint we could see error messages in details and uh we managed to figure out that they were using aor in order to handle the video stream so the video stream allows the parents to call the kids through the robot and then have some visual conversation and um whenever you send

that request without providing providing nothing you get a token for free so we can communicate using Agora for just uh without providing any proof of uh being the own of the robot and in order to use the Agora API you need the token so the token that you got for free last SL then you need the Agora app ID which is the same for every own of the robots and then you need the serial number so the serial number as we saw previously is very easy to guess or to enumerate and then uh what we this is just like trying to make a call to robot a second robot that we bought and it worked out straightforward

very easy to uh export so basically anyone who get access to uh a robot ID or simply enumerated the all the robot ID that are existing can make a call to any children that are owner of this robot and then the mobile application also an interesting uh thing so whenever we need to pair uh mobile application with the device or need to change the the owner of the the robot you have to provide either the email address or the phone number and after that you will receive a OTP code which is a six digigit or or letter and then you have five minutes to put it and during our testing we noticed that there is no um

protection for Brute Force so basically you can try as much as you can as you want within this 5 minutes and there's no limit so oops so yeah at some point you you'll manage to just crack and just get in so once you get in the application from another person you can uh detach the robot from that actual parents and usually uh when you get the first pairing this is a code that is shown on the robot screen that you have to put on the mobile application and um as we saw previously this uh password is the one that is uh detect generated in the password field there so you can easily get it even without having any

credential from the users and then finally the updating process is also uh pretty weird because uh it's simply a script that is downloaded from a server and there's no signature uh there's no uh Integrity check so basically if someone managed to get into the server and then change it and put some commands over there uh you can uh get remote code execution very easily uh vendor communication uh that case was pretty successful so March uh 2023 uh we communicated with the vendor for the first time and after a couple of week they got back to us and they acknowledge um they so they confirmed that they received the report and then they were going to verify it and then

after a few months they anal the security issues and they actually fixed them a couple of week after that also and then we decided to publish the [Music] results uh thank you for your attention if you have any question just let me know otherwise there is all the detail of the research for the robot for the pet feeder we already have a like small paper with some more [Music] details doesn't yeah okay any questions have any [Music] questions that was pretty interesting especially because we live in that age and time where we are using small devices we are there to make our life easier but apparently at the cost as you explained what do you think um

vendors should have in mind when they uh design these things obviously we have seen some issues but they are not responding uh and then you just go ahead and you publish your uh research but what they should do in order what's that fine line maybe where it is secure but then it's still like friendly like an easy to set up to have that user experience I mean first thing in general is to first of all answer the whenever we try to communicate with the vendor just answer um another thing is um I thought it was already clear that you should not assume as a uh iot device maker that people would not access to the device itself so for

example with the pet fter uh having all this hardcoded password credentials um typically if you doing software vity research you're not going to probably get into the credential uh as you can see with like very little basic uh let's say Hardware what I just did is extract the firware from the chip it doesn't imply any sort of advanced knowledge in Hardware uh and not even uh pricey equipment I could access to the internals and again this is really some second research that we do outside of our normal Duty so it's just to proof that spending a few hours on some kind of devices like this you can already find some like very critical um critical

issues sometimes it's also because people take uh device from a Chinese brand un name then they put the name on it and then they just don't check nothing and the most important thing for them is to have everything working in term of functionality but then security becomes really after but um I don't think there's more recommendation for this iot makers more than traditional uh software manufacturer it's just uh yeah be aware of the attack vectors and also for the users especially whenever you choose some kind of devices like this and thinking they are not critical because they fundamentally they are not very critical devices but it gives an ATT access to confidential data and it can

also be some kind of Bridge to conduct attack to other devices at home so yeah that's great thank you any other question yeah first of all thank you it was really cool talk also to like show your your inner working so thanks for that um do you in your role right do you think over the years is it getting better or worse because you mentioned a few things right that they seemingly doing right but then obviously lots of other flaws so you mentioned certificate pinning but then also I don't know you were still able to bypass it and get to the commands and stuff right do you think on the whole yeah so is it getting better

or worse basically uh it is getting better because uh so for example the first device is using Toya smart which is a framework to develop iot devices it's I think it's Chinese is pretty good uh if you order devices from AliExpress or some other places sometime they using this framework so basically it's well tested pretty much uh the problem comes from so if you uh focus on the first um exchange what I that you mention so there is some Birch of https request and then one single HTTP one um my assumption is they took the uh twoe smart framework to do the basic stuff and then they added stuff afterwards and the stuff that they added they didn't

pay attention to any sort of security and there are more and more framework to work with that are secure that allows them to get started at least with something that uh it's not too bad let's say um so yeah if they start using existing stuff that are Prov to be pretty much secure and then they do correct implementation is already a good stuff yeah

thank you so much that was very great thanks again for uh coming back to Christina thank you