
Thanks, everybody, for attending the talk today. As that introduction alluded to, we're talking about hardware hacking. I think the title of the talk was "Reverse Engineer All the IoTs," and that's basically what we did, so we'll get into that in a second. Just a quick little introduction of who we are. I'm Jerry, I'm on the left; I work at MUSC currently and I'm also in the DSU doctoral program. I like beer, I'm married, and I have kids, so that's good stuff.

I'm Tyler. I do a little bit of red teaming and some software development. I'm also an adjunct instructor at DSU as well as a full-time doctoral student there, and I'm also heavily involved with GenCyber, for those unfamiliar with that.

Okay, so, high level, what are we doing here? Basically, as I kind of mentioned, each of us selected an IoT device, different devices, and we were given carte blanche to just tear it apart, get into it, see what we could find, see if we could find any zero-days or undocumented vulnerabilities, and see how far we could push it with any tools we had access to. Obviously we were focused on finding vulnerabilities, but any part of the device, whether it was the hardware itself, the board, the software, the firmware, the OS, any network traffic coming off it, everything was pretty much game. I'm pretty sure all three of us were able to fully compromise the device in one way or another, so that was pretty cool. I should say, in full disclosure, I did a network attached storage device, but I originally started with a wireless lock, the kind where you walk up, scan it, and the door lock opens. I spent like three weeks on that and couldn't get anywhere, so I admitted defeat and went for a way easier target, the network attached storage device.

Okay, so why do we even care about IoT devices? I'm sure, given the audience in this room, you're all very aware that IoT devices are a hot mess right now. They're easy to attack; vendors aren't spending a lot of money protecting them, they're spending a lot of money marketing them and putting in cool features that sell. Security doesn't sell. The Mirai botnet, as we all know, had those hard-coded vendor passwords built right in, and if you don't know, that botnet basically scans the internet looking for these IoT devices, tries the default creds, and sees if it can own them. And the newest version, IoT Reaper, which came out just this month, is using the same Mirai framework, basically, and checks those creds, but it also checks for, I think, nine different vulnerabilities as well and exploits them on the back end. As I mentioned, the economics of information security dictate that vendors aren't going to spend any money investing in security because there's no return on that investment.

Why did we do this, and why did we all have different devices? We were all in a reverse engineering class, as part of the requirements for our doctoral degree, with Dr. Jared Aman. Basically, at the beginning of the course, she said, "You guys have two or three weeks to identify some device that you want to go after, that you want to attack," and then basically let us loose and said go for it. We had an open
different for me; it's not my experience or my background. And I'd assume many of us in this room, a lot of us, probably have more experience on the software side of things, so I wanted to spend time learning how you go about attacking hardware, how you go about extracting the firmware, and things like that.

So, the WeMo Insight, if you're unfamiliar with this device: it's basically just a Wi-Fi connected plug for the wall, so you can control power to whatever you plug into it. One of the reasons I chose it is that it's consumer hardware; you can go down to Best Buy and pick it up for like 40 bucks right now. The second reason, because it is 40 bucks, is that since I was going after the hardware, I didn't care if I bricked it. I knew I was going to be plugging stuff in, playing with a multimeter, things like that, so if I bricked it, not a big deal, I could go get another one pretty easily. Also, like I said before, in the first couple of weeks we had an open discussion throughout the class and I started to see this trend of a lot of our classmates going for things like IP cameras, knockoff stuff like that, and I wanted to try something else. And the last reason is because it's a WeMo device. If you're unfamiliar with WeMo, it's a platform, so I kind of had this theory in my head that if you can pop one WeMo device, you can get them all. I think Belkin has eight or nine products, and WeMo is actually implemented on more brands as well. All I really wanted to do was own your Wi-Fi connected Crock-Pot at home so I could turn it off while you're trying to cook dinner, right? More seriously, though, there are a lot of these different devices. If you take ten houses in a neighborhood, they're more likely to have any one of them than just the specific one I looked at, so I really wanted to take a look at the WeMo stuff. Perfect.

Yeah, so first things first: after going to pick it up, I basically set up the device to play with it and started figuring out what the important functionality was, how it was talking out, and what features you need to enable to get the critical functionality working. For instance, the cloud-connected part, the part that allows you to remotely monitor the device or change it from outside your house, at work or whatever, is not enabled by default. So I poked around with that, seeing what's available to you. There are a few other things, a few other options that come with the app, that are worth looking at, but like I said, I was more toward the hardware side.

So, teardown. I did research on how to go about tearing apart these hardware devices. The stickers are really interesting: I peeled the sticker off and it was actually hiding the screws, but you'll come to find that stickers also hide other things, like debugging ports on the back of devices. So if you pull the sticker off, sometimes you actually find debug ports that you can connect to directly; you don't have to go through the following steps to connect to it with your JTAGulator, your Bus Pirate, or whatever, by just sort of pulling things off of it. So obviously being careful is one thing when starting to pull the shell apart. You can kind of see in the top-left picture that there are two separate boards. In some devices the boards sit across from each other in the shell and are connected through some wires; I actually almost pulled those apart and broke it when I was taking it apart. And once you actually get it apart, there's information everywhere; the people developing these aren't trying to hide that, right? So on the left, it's pointing to four ports, really, and to me that looks like four open, unused ports in a row with some text next to the
text. To me that just screams debugging ports, right? So I'm thinking, all right, we're trying to get a serial connection to this device. It might be running something like OpenWrt, and OpenWrt is pretty famous right now for always having default creds, so that's probably one of the first things I went after. In the middle there you start to see some chips with some writing on them: the Ralink RT5350 chip, which is basically the system that runs a whole bunch of different things on it. The next one is a Winbond chip, then a chip that I didn't really look into. On the right is a small chip that I'll actually get into later. Once you start looking at this information, we started doing our OSINT, looking around the internet, and we start to find the product sheets for these different chips: the RT5350 chip and then that Winbond chip. This is actually the spec sheet for the small one that was right there, and that one's a little bit more important later on.

So, electricity. I started with the debugging ports, right? I mentioned earlier that one goes for a serial connection, tries to connect to it, tries to get on it, maybe gets an easy root on it. So basically what I did is take a multimeter and start poking around, just trying to find the resistance, where I could find electricity flowing through those plug-in ports. If you find something flowing from one to another, or from one side to a different probe, you can start to assume, okay, this one might be transmit, this port might be ground, and kind of flip back and forth based on the information you get, and you don't need to have it powered on to do that. This is the part where I'd really recommend having a little better setup than I did, because I started doing this while just kind of holding it in my hand, and it wasn't real easy to do. Some test probes would have been really nice at the time. After a while of poking around checking for resistance, and then actually powering on and looking for current and things like that, I was able to identify which ports were which: the top one was ground, the third one down was receive, and the bottom was transmit. The second one is actually a way to power the board without actually plugging it in. So with the second one down, I was able to pull another jumper off the tool I show next and basically power this little board. This is just a portion of the entire thing, and I was able to power it on and get a serial connection without having to have the whole thing put back together and plugged into the wall and that sort of thing.

To do that we have the Bus Pirate. The Bus Pirate is basically just a prototyping board; it's good for testing stuff. It allows you to take a USB from your computer to the mini USB on the board, and then you have that little header there, so you have ten different pins to jump off of, and they do different things. I like the way the Dangerous Prototypes people who make it describe it: basically a hacker multi-tool that talks to electronic stuff: UART, I2C, SPI, and a handful more. So when I got my Bus Pirate I had some assumptions, right, from my kind of limited knowledge of hardware: transmit/receive, or vice versa, on the next one down, and then maybe just power and ground. My assumption was actually right in the beginning, right? So I was sitting there holding this device in my kitchen, I stuck some jumpers in, and I was able to get it powered up, but on my screen bytes were dropping and the number kind of varied. So this brings us to one of those frustrating moments of, like, I thought I had this
and then all of a sudden bytes are dropping and I'm not seeing what I thought I would see, right? I was thinking, okay, it's going to be a serial connection, pop into it like a Cisco router or something like that, but that took a little bit more research. So, learning about the bytes dropping: before figuring out what it actually meant, I was kind of playing around with it, holding it in my hand and seeing things like, it's a different length, a bunch will pop up, it'll kind of pause, and a bunch more will pop up. So, you know, that looks like POST data to me. Great. Then after some more research, it turns out it's based more on the buffer filling up: when the buffer it's reading from fills up, it just drops the bytes without actually displaying them on the screen unless you use, I think it's the R option, to read them onto the screen. But to actually get to a real serial shell, there's something called the UART macro. This macro basically uses a transparent bridge to put it into a mode that allows it to talk just like serial on a Cisco device, like when you plug into something like that: you get a prompt, you see all the POST data, all the different self-tests, and you can type to it and all that sort of thing. So after figuring that out, I was able to get a serial connection working, and I found that when I got to that prompt there wasn't a default password, so that was pretty disappointing. I was kind of thinking, you know, what about boot mode, right? As it's running up, I could mash keys to jump into this different mode, look at the environment variables and things like that, and try to mess around with those.

So now let's back up the rabbit hole a little bit, back to that other chip. That other little small chip is a Winbond with some big long number, and there's more data out of those data sheets that I showed you earlier, the headers earlier. These blocks are really important for what I'm about to do next: learning about how this chip works and some of the things that are required for it. One or two really important ones: I didn't know that I needed a clock, right? I thought I needed to use ground, power, transmit, and receive; actually it needs the chip select input and it also needs the clock input, or you can't power on this little chip. So once I figured that out, I got a test clip, and there are test clips designed specifically for chips like that, stuck it on, and then ran the ribbon from the test clip to a breadboard and jumped it to the Bus Pirate, and that went to my laptop. After a lot of debugging on this, right, trying to figure out which pins go where, and having the spec sheet to know which pins were which ones at the top, I was finally able to get the output you see there: the first line says Winbond flash hit, short, in the middle it says the chip name, and then it says no operations are specified. So a successful connection was made but I didn't tell it to do anything, and that was like the capture-the-flag moment, right? I finally got something. Then I just told it to read and dump to a binary file, which actually took a lot longer, and eventually once it's done you can run binwalk on it and you get down to the images on it, the binary data. From here I was able to extract the entire file system, and at that point I started to look at the software side of things: I started to pull some of the binaries off and look at the configs that were on it and some of the data. That's more of the software side, which Jerry and Corey will talk about a little bit, what they did there. So, moving on.

So I attacked a network attached
storage device. I've redacted the vendor because I don't know how cool these finds are or whatever, but I just wanted to avoid this being televised and then getting an email from the vendor. If you really want to know what vendor it is, you probably could figure it out based on some of the slides I have, but there's, you know, whatever attempt at redaction here. So you can see here, this is a high-level view; my lab setup was fairly simple. This is the device itself. I've got a Cisco switch with a SPAN port feeding into a laptop running Wireshark, so I can watch the traffic as traffic goes out to the internet, and then there's my research laptop for doing all sorts of stuff.

So initially, you know, I was very fortunate. Again, I said that I tried to do a lock first and that was a little too challenging, so I went for a slightly easier target. This vendor was really convenient for its end-user population: they post their firmware on their website, so I was able to pull that firmware down. Now it's worth knowing that it isn't a complete cakewalk, because the firmware is only partial: when you boot the device up and run it, it actually starts building out another piece of its file system structure, and it reaches out to the internet to pull down some files. So it wasn't a complete pwn right there. But I get the firmware and I'm able to run binwalk on it. So I run binwalk on it; oh, this slide looks terrible in this light. If you could read this, you'd be seeing that I'm going to find the file system. I actually used dd to carve off this first row, and then, for some unknown reason which took a lot of troubleshooting and irritation and frustration, when you dd off that top row, it's the actual file system for the NAS device, but it's actually in a gzip format. So you just have to basically decompress it; that's the frustration, because I thought that was the image when I pulled it down, and then eventually I figured out that it was an archived version. So anyway, I pull it down and then I've got the firmware and I can actually look at it. And at that point, is it going to be the next one? Yeah. So at that point I have most of the file system for this network attached storage device. Again, I've just downloaded the firmware from the vendor; I don't own the actual NAS at this point, even though my lab looks like it. And I was able to find the shadow file on the file system, so let me actually just jump immediately to that.

Just a quick little thing: in the shadow file, that's where the passwords are basically stored, except they're hashed. The format is the username, so "jerry", then a colon, then the algorithm that was used to hash the password, the salt applied to the password, and the actual hashed password. So you can see in the file system that I had, yeah, root, the root account, right? Basically dollar sign 1 is MD5, which is like the worst hash, and then there's no salt, convenient, right? And then there's the hashed password. So basically they used a really broken hash and no salt. So I pulled two entries from the shadow file, one called admin and one called root, and just ran John the Ripper on it. It took, like, I thought it actually didn't work because it took less than a second; it immediately just spit out the username and password, and the password was 1234. So that was like, thanks, vendor, right? Super terrible password. So anyway, now I have the root password. I try to do a little bit more and I realize that the firmware is missing an entire piece of the system; it just doesn't make sense, I'm confused. I didn't put this in my slides, but there's this thing called, how do you pronounce it, QEMU? It's basically a processor emulator, effectively, and you can use it because everybody has Intel chips or whatever, but these IoT devices are using kind of weird processors, weird chips and stuff, so this software emulates that. I tried like hell to get it to work, and after about three days I just went on Amazon and bought the NAS device, because I figured it'd be so much easier, which it was, thankfully. So then I get the NAS device and I can just get right in
and get root access to the OS underneath.

So, other kinds of findings. I have some slides too; this is more of a high level. As I mentioned, the passwords are stored insecurely; the root account's password is 1234. There's a backdoor application, so this one's kind of juicy, right? It's literally called open_back_door.sh. It's not accessible from the front end, and it relies on a UPnP library: it reaches out to your router, your Comcast router, the thing that pushes you out to the internet, and attempts to use UPnP to open up an SSH tunnel, or a listening SSH process. There's a lot of reliance on third-party apps. I don't know if this is even a finding or not, but it's worth noting: this has Linux on it, but it's like Linux 3 or something, several versions old. It runs BusyBox to run a lot of its stuff; BusyBox allows you to encapsulate lighter versions of the standard UNIX process binaries, and that was a really old version. So there are tons of vulnerabilities already published for a lot of these third-party pieces of software the system's relying on, so even if the vendor patched their server, they'd have all these horribly exploitable vulnerabilities from their other apps. And then there's a whole bunch of private keys that I found, just for fun.

Okay, so I already talked about that. Oh, look at that, I put little arrows in there. I just thought this was worth noting: if you look at this vendor's documentation, everything they give you, they're like, oh yeah, we have all these other open ports that are just running, listening. I found it interesting that there's a ton of undocumented listening services that you can interface with on the device just by default. There are world-readable config files where they actually store passwords in the clear. I enabled dynamic DNS on this one because I actually used Shodan and found several of these devices on the internet, and I was like, maybe I'll see if I can exploit someone's thing, and then I was like, oh, I like my job. So, right, I was like, oh, maybe I'll configure that. Clear-text passwords, not the best practice, again, vendor.

Here's that open backdoor thing I was talking about. I think I have a little shout-out here: this is in a CGI file called remote_help-cgi, which is inaccessible from the front end in general, but you can see here it calls open_back_door.sh and passes it some parameters, and we'll look at the source code of that in a second because it's a shell file, right? So this is clear text, and you can kind of see here, basically, it'll add, and we'll see this in the shell script, it'll add a new account to the shadow file called NsaRescueAngel. Now let's just assume, I had to assume, that that was a typo and they meant "as rescue angel", but it's still wicked suspicious, right? Weird. An undocumented, unlisted program called "open backdoor" creates an account called NsaRescueAngel. So here's the code; I know it's tough to see, I'm sorry, I wasn't really sure how this was going to work, but this is from the shadow file; you can see it created it. Now what's
interesting is that right now you can't log in as that account, but if you look in the code, it basically creates a copy of the shadow file, uses the first couple of things to create a key for that account, pushes it into the shadow file, and then basically checks to see if SSH is running; if it's not, it starts it. Then it checks whether Telnet is running, and if it's not, it starts it. So, you tell me what that's doing; it seems pretty clear what they were doing there, but maybe it's how they do tech support and they just forgot to tell the consumer that it's a feature. And then, yeah, this I probably should mention: they've got private keys, which I assume you can see in the next slide.

I did want to point out some positive things; this vendor did not just get a total wet blanket. If you go to their APIs that they interface with the device to pull things, they are doing a great job, at least from some kind of encryption and transmission-protection perspective: they got A-pluses from Qualys SSL Labs, so that's not terrible. And I think the private key is used in establishing that connection. One of the things I wanted to do, we have a future work slide, was set up kind of a man-in-the-middle thing where I basically pretended to be the device and then connected up to that API to see what kind of functionality was provided. I messed with it a little bit but I got frustrated and then I ran out of time, so unfortunately I didn't do that.

So, yeah, okay. Oh, and then just a couple more; I probably already touched on these things. I tried fuzzing as well. I don't know if anyone's got any experience with fuzzing, but it's kind of like forensics, almost, where you almost have to be, like, that's what you do and you're really good at it, or you just terribly suck at it. I don't know if that's the case in general, but I tried fuzzing for probably 15 hours over the course of a couple of days and got nowhere, just a bunch of crappy results. And then that emulator thing: I just spent 150 bucks to buy the device instead. This device would fall to Mirai, because the admin password is 1234, and it definitely would fall to IoT Reaper; there are a bunch of vulnerabilities on it.

So, Corey. Yeah, I decided to attack my router because, like Tyler said, a lot of people were doing IP cameras and stuff like that. It's an Archer C7 v2, so it's just your run-of-the-mill consumer wireless router you can pick up at Best Buy or something
like that. This particular one was released in 2013. It's got your standards: four LAN ports, one WAN port, two USBs for printer sharing or a mass storage hard drive, something like that. The hardware: it's a MIPS-based processor, a Qualcomm Atheros system on a chip clocked at around 720 MHz, 128 MB of RAM, and a little bit of flash memory. So my strategy for going about this was to start off with some open-source research and find out what all was out there. This was like the sixth iteration of the firmware, so there were a lot of other vulnerabilities that had already been discovered and hopefully fixed; they weren't all addressed in the changelog, so I went and tested some of those. Then network scanning: see what services are running, what we can connect to. From there I went into some web application scanning, a little bit of binary analysis, and then at the end I'll talk about the smartphone application that allows you to administer it as well.

With the open-source research, there were a few different vulnerabilities. Like I mentioned, the two that really stuck out were CVE-2015-3035 and CVE-2015-3036. 3035 was a directory traversal in the HTTP server; I tested that with a script in Nmap, and it's not vulnerable anymore, so that's good. And 3036 was a stack-based buffer overflow in the KCodes NetUSB kernel module. I found the proof of concept on exploit-db.com, tried it, and it didn't appear to work, or it failed. I don't know that the PoC worked 100% of the time, but from what I could tell, that vulnerability was patched as well. So that's just a screenshot of Nmap, one of their scripts, to check that directory traversal.

The next thing I did was go into the vendor site. There's a wealth of information they provide to us for some of the software the vendor is using on there. So with the firmware, I used binwalk to extract the file systems, and I wasn't too surprised; it's just your standard Linux file system there. I was able to poke around in it, look in the /etc directory, and this rcS file is sort of like the startup script file in the /etc/rc.d directory. I liked that the developers put some comments in here that really helped me narrow down what I was going to look at. Start right there on line 34; it's kind of hard to read, but these two binaries right here were particularly of interest, and that's what I got into in the binary analysis later on in the slides. And then also I found the static web pages. I got the /etc/passwd file and the shadow file, and those were just the default credentials, admin/admin; you could pretty much look those up in the documentation. And then the GPL code version of the software it was using: with that I did some poking around to try to figure out whether there are any CVEs for those that maybe aren't particularly associated with the router.

Next I just did an Nmap scan, not too much. There's FTP; I had to turn that on, but I wanted to test it, and I also had the version number of it, which eventually leads to a CVE I'll talk about here in a second. And then SSH was listening, so I was really interested in trying to connect over SSH; I had a little bit of a problem with that. And then HTTP was there for the administration. Jumping back real quick to the vsftpd program: it was vulnerable to CVE-2011-0762, and it's just a denial-of-service attack, but I was able to find exploit code for it on exploit-db.com and successfully used that vulnerability. So that's what the screenshot is showing: once you use that, it essentially makes vsftpd think that too many people are connected, and it'll just deny everyone else access. With the SSH, I knew that I had the username and I had the password. I knew it was the Dropbear SSH server from the GPL code as well as from the Nmap scan, but every
time I tried to SSH into it, it would give me this "PTY allocation request failed" and basically couldn't open up a terminal on it. So I wasn't really sure what to do with that for a while. I did some searching around the internet, and it turns out that the smartphone app called Tether is the way that it communicates, and later on I was able to dig in and find out that it uses port forwarding. So if you use port forwarding instead of trying to create a shell or anything, it'll just enable port forwarding, and my local port 8080 would forward to localhost:8080 on the router.

Okay, so next I tried to do some web application scanning. A lot of vulnerabilities had been found in the web application; there was a command injection that I tried, and that one had been fixed. Basically I did some vulnerability scans and it really didn't find much. A lot of it had to do with cross-site scripting attacks, and with this vendor, when you connect to the administration portal, it generates this random URL every time, so I figured that did a pretty good job of stopping any cross-site scripting attacks. That part in yellow is always going to be something different every time you connect.

So with those two router programs, I did a little bit of binary analysis. uclited would load up configuration data; if the configuration data wasn't there, then it would create it, and it basically had that hard-coded in it. It would also handle firewalls and routes. And then httpd: I always assumed from the beginning that it was the web server, right, for the web page, and then it launched all of these other daemons as well, like SSH. These two guys: one of them is for TP-Link debugging, and this one is used by the Tether smartphone application. So just briefly walking through that process: you usually start off by looking at the strings of different binaries, so here is uclited, and looking through all these leads and things like that, I could then find in the code where it was actually calling that and making that happen, as well as the function that loads up the default settings, or also pulls the settings, like what Jerry was talking about: how it creates these extra files on the file system as it's loading up. It pulls that out of NVRAM, so that kind of clued me in to what that was doing. And then with httpd, I found that every static web page that I found in the firmware had a corresponding function inside of httpd, and basically that was the server-side logic for serving that up: it would open up the static page and return it back. And then this was the part I found interesting: during the startup of httpd, it would go through, and this is just a snippet of a big, long function, but it would start all of these different services as it was going through.

I did try to use QEMU, that's how you pronounce it, not really sure. So, QEMU: I tried to use that, and my intentions were to do a little bit of fuzzing on httpd and uclited, but what I found out was that I can't emulate the NVRAM, or I'm sure I could if I really spent a ton of time on it, but it would segfault when I tried to run it, or it would tell me that the ioctl failed because it couldn't load up from the address that it was looking for. One of these talked about "read from config flash failed," things like that. So I abandoned that part and just kind of moved on to the smartphone application, because I thought it was pretty neat that you could install this app and you wouldn't have to use the web portal; you could just use this Tether app to do everything you could normally do through the web portal. So this was just an alternative way. Like I said, it communicated over SSH using port forwarding and it uses the same credentials as the web app. So the way that I went about analyzing that was I
got a copy of the APK and decompiled it. That's how I found out that it uses SSH and port forwarding, and then I went through the process of man-in-the-middling SSH. What I did was forward my own port 20002 to the router's port 20002 on my machine; that's the port that tmpd is listening on for Tether. I used this to sort of do the man-in-the-middle attack, and then arpspoof to target my cell phone, and that just waited for the other side to connect. I did a little packet capture and I could see the protocol in plaintext of what was going on. So this is just a screenshot of a snippet of the decompiled APK. It was partially obfuscated, so it made it kind of a pain to step through, but not all of it was actually obfuscated, and there were obviously some nice debugging messages in here that helped me understand what was going on and trace through it. This is the packet capture in plaintext, and we can see it's sending what all clients are connected, their MAC addresses; this is basically when you first log in and it tells you all of your guests and stuff like that. So I found this tool called Netzob that's used for trying to reverse engineer protocols, doing protocol analysis, and this is kind of where I left off with the project. I was trying to figure out what the grammar and the vocabulary of that protocol were, and whether there was anything in it that I could try to take advantage of. So I got it kind of grouped up into different areas, and I basically ran out of time and I just haven't had time to pick it back up since then. But as far as future work, that's the direction I'd want to keep pushing in: figuring out what this protocol is all about.

So, yeah, at the end, any of us in the class that found vulnerabilities, we did do a responsible disclosure. We contacted US-CERT; Dr. Dumont helped us out with that. A lot of it didn't really go too far, and I felt like my project never really got finished, so I didn't pursue following up with TP-Link at the time just to let them know that I could see their protocol or something like that, or that they were vulnerable to a 2011 CVE. It's a lot of work to be responsible.

So for future work, obviously I would pick up with that protocol analysis. We're also interested in looking at similar tech; we had those discussions throughout the course, and really a lot of the problems and issues and things we were finding were similar across all of the devices that everyone in the class was trying to tackle.

So, in conclusion, it seems like these IoT device manufacturers are just trying to push out devices really quickly and security is sort of the last thing on their mind. A good takeaway from this is that it's really important that you keep up with your firmware and try to stay on top of updating it so that you're not vulnerable to these types of CVEs. Any questions? [Applause]
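The firmware carving that Tyler (binwalk on the SPI flash dump) and Jerry (the dd'd region that turned out to be a gzip archive of the NAS file system) describe above, as an added example that is not part of the talk and is not binwalk or any vendor tooling. It scans a blob for the magic bytes a carver looks for, carves the gzip member at the reported offset, and inflates it while tolerating whatever follows the member. The firmware image, the fake uImage header and the fake SquashFS payload are constructed inline; the magics are the standard ones, the rest of the layout is assumed.

```python
"""Scan a firmware blob for file-system and compression magics and carve them.

Added example (not binwalk and not the talk's own tooling): a small signature
scanner in the spirit of what binwalk does. It reports the offset of every known
magic, carves the region from a gzip magic to the end of the blob, and, because
"the file system is actually in gzip format" (the NAS firmware in the talk),
inflates that region with zlib, tolerating the trailing data after the member.
The firmware image below is constructed: a fake uImage header magic, erased-flash
padding, and a gzip member wrapping a fake SquashFS image.
"""
import gzip
import struct
import zlib
from typing import Dict, List, Tuple

# Magic bytes a firmware carver looks for, with a description like binwalk's.
SIGNATURES: List[Tuple[bytes, str]] = [
    (b"\x27\x05\x19\x56", "uImage header"),
    (b"hsqs", "SquashFS (little-endian)"),
    (b"sqsh", "SquashFS (big-endian)"),
    (b"\x1f\x8b\x08", "gzip compressed data"),
    (b"\x85\x19\x03\x20", "JFFS2 filesystem (little-endian)"),
    (b"\x5d\x00\x00\x80", "LZMA compressed data"),
]


def scan(blob: bytes) -> List[Tuple[int, str]]:
    """Return (offset, description) for every signature hit, sorted by offset."""
    hits = []
    for magic, desc in SIGNATURES:
        start = 0
        while (idx := blob.find(magic, start)) != -1:
            hits.append((idx, desc))
            start = idx + 1
    return sorted(hits)


def carve_gzip(blob: bytes, offset: int) -> Tuple[bytes, int]:
    """Inflate the gzip member starting at offset; return (payload, member_length).

    This is the step the speaker did with dd plus a second decompression pass:
    the carved region is not the file system, it is a gzip archive of it.
    zlib's decompressobj stops at the end of the member and exposes the rest as
    unused_data, so trailing flash padding or later sections do not break it.
    """
    d = zlib.decompressobj(16 + zlib.MAX_WBITS)   # 16+: expect a gzip header
    payload = d.decompress(blob[offset:])
    if not d.eof:
        raise ValueError("truncated gzip member at offset %d" % offset)
    member_len = len(blob) - offset - len(d.unused_data)
    return payload, member_len


def build_sample_firmware() -> bytes:
    """Constructed blob: 64-byte uImage-style header, padding, gzip(fake SquashFS)."""
    fake_squashfs = (b"hsqs" + struct.pack("<I", 1234) + b"\x00" * 60
                     + b"/bin/busybox\x00/etc/shadow\x00")
    payload = gzip.compress(fake_squashfs, compresslevel=9, mtime=0)
    header = b"\x27\x05\x19\x56" + b"\x00" * 60
    return header + b"\xff" * 128 + payload + b"\xff" * 32  # trailing erased flash


def analyze(blob: bytes) -> Dict[str, object]:
    """Scan, then carve and inflate the first gzip member and identify what is inside."""
    hits = scan(blob)
    gz = [off for off, desc in hits if desc.startswith("gzip")]
    result: Dict[str, object] = {"hits": hits, "inner": None, "inner_len": 0}
    if gz:
        payload, member_len = carve_gzip(blob, gz[0])
        inner = scan(payload)
        result.update({
            "gzip_offset": gz[0],
            "member_len": member_len,
            # Only a magic at offset 0 of the inflated data identifies the image type.
            "inner": inner[0][1] if inner and inner[0][0] == 0 else None,
            "inner_len": len(payload),
        })
    return result


if __name__ == "__main__":
    fw = build_sample_firmware()
    for off, desc in scan(fw):
        print(f"{off:<10d} 0x{off:<8X} {desc}")
    r = analyze(fw)
    print(f"inflated {r['inner_len']} bytes from gzip at {r['gzip_offset']}: {r['inner']}")
```

Run against a real dump, `scan()` gives the same offset table binwalk prints, and `carve_gzip()` replaces the dd-then-gunzip dance: if `inner` comes back as a SquashFS or JFFS2 magic, the inflated bytes are the file system to unpack, not the gzip member itself.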
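The shadow-file finding Jerry walks through (the `$1$` entries with no salt that John the Ripper cracked in under a second) and the default admin/admin credentials Corey pulled from the router's /etc/passwd and shadow files, as an added example that is not from the talk. It is the triage a practitioner runs on an extracted file system before reaching for John: classify each entry's crypt(3) scheme, flag weak or unsalted hashes and empty password fields, and report accounts that share a hash. The shadow entries below are constructed; the hash strings have the right shape but are not real password hashes, and the account names are assumed.

```python
"""Audit /etc/shadow-style password fields for weak hashing.

Added example (not from the talk's slides or any vendor code). It classifies the
crypt(3) hash field of each entry, flags weak schemes and empty salts, and reports
accounts that share a hash (and therefore a password). The sample entries below are
constructed; the hash bodies are placeholder strings, not real password hashes.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Scheme identifiers found between the leading dollar signs of a crypt(3) hash.
SCHEMES = {
    "1": "md5crypt",
    "2a": "bcrypt", "2b": "bcrypt", "2y": "bcrypt",
    "5": "sha256crypt",
    "6": "sha512crypt",
    "7": "scrypt",
    "y": "yescrypt",
}
WEAK_SCHEMES = {"des", "md5crypt"}


@dataclass
class ShadowEntry:
    user: str
    raw: str
    scheme: str            # "md5crypt", "des", "locked", "empty", "unknown", ...
    salt: Optional[str]    # None when the field carries no password hash at all
    findings: List[str] = field(default_factory=list)


def classify_hash(raw: str) -> Tuple[str, Optional[str]]:
    """Return (scheme, salt) for one crypt(3)-style password field."""
    if raw == "":
        return "empty", None          # no password: login without one
    if raw[0] in "!*":
        return "locked", None         # locked account or deliberately invalid hash
    if not raw.startswith("$"):
        # Traditional DES crypt: 2-character salt followed by 11 hash characters.
        return ("des", raw[:2]) if len(raw) == 13 else ("unknown", None)
    parts = raw.split("$")            # "$1$salt$hash" -> ["", "1", "salt", "hash"]
    ident = parts[1] if len(parts) > 1 else ""
    scheme = SCHEMES.get(ident, "unknown")
    if scheme == "bcrypt":
        # "$2b$12$<22-char salt><31-char hash>": salt and hash share one field.
        salt = parts[3][:22] if len(parts) > 3 else ""
    elif scheme in ("sha256crypt", "sha512crypt") and len(parts) > 3 and parts[2].startswith("rounds="):
        salt = parts[3]               # "$6$rounds=5000$salt$hash"
    elif scheme == "yescrypt":
        salt = parts[3] if len(parts) > 3 else ""   # "$y$<params>$salt$hash"
    else:
        salt = parts[2] if len(parts) > 2 else ""
    return scheme, salt


def audit_shadow(text: str) -> List[ShadowEntry]:
    """Parse shadow lines and attach findings to each entry."""
    entries: List[ShadowEntry] = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 2:
            continue
        user, raw = fields[0], fields[1]
        scheme, salt = classify_hash(raw)
        e = ShadowEntry(user, raw, scheme, salt)
        if scheme in WEAK_SCHEMES:
            e.findings.append(f"weak scheme {scheme}")
        if scheme == "empty":
            e.findings.append("empty password field")
        if salt is not None and salt == "":
            e.findings.append("no salt")
        if scheme == "unknown":
            e.findings.append("unrecognised hash format")
        entries.append(e)
    # Identical hash strings (salt included) mean identical passwords.
    by_hash: Dict[str, List[str]] = {}
    for e in entries:
        if e.salt is not None:
            by_hash.setdefault(e.raw, []).append(e.user)
    for e in entries:
        users = by_hash.get(e.raw, [])
        if len(users) > 1:
            e.findings.append("hash shared with " + ", ".join(u for u in users if u != e.user))
    return entries


# Constructed sample: root and admin share an unsalted md5crypt hash, legacy uses
# DES crypt, guest has no password, daemon is locked, support is sha512crypt.
SAMPLE_SHADOW = """\
root:$1$$VqMfL0hYpF5hQ7dNbQ9aT/:17400:0:99999:7:::
admin:$1$$VqMfL0hYpF5hQ7dNbQ9aT/:17400:0:99999:7:::
support:$6$rounds=5000$Zk8w1tXn$0bJ3vLx9pQ2eH7yT4rK1mN6sF8dA5gC3hV9wB2nM7kL4pX6zQ1tR8yU3iO5aS9dF7gH2jK4lZ6xC0vB1nM:17400:0:99999:7:::
legacy:abJnggxhB/yWI:17400:0:99999:7:::
guest::17400:0:99999:7:::
daemon:*:17400:0:99999:7:::
"""


def weak_accounts(text: str = SAMPLE_SHADOW) -> Dict[str, List[str]]:
    """Map each account that has at least one finding to its findings."""
    return {e.user: e.findings for e in audit_shadow(text) if e.findings}


if __name__ == "__main__":
    for user, findings in weak_accounts().items():
        print(f"{user}: {'; '.join(findings)}")
```

The "hash shared with" finding is the one to act on first: two accounts with the same unsalted md5crypt string are one crack away from two logins, which is exactly what happened with the root and admin entries in the talk.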
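The backdoor Jerry describes used a UPnP library to ask the home router to forward a port to the NAS's SSH daemon. That request is a plain HTTP POST carrying a SOAP AddPortMapping action to the router's WANIPConnection control URL, so a SPAN-port capture like the one in Jerry's lab shows it in clear text. As an added example that is not from the talk or from any vendor code, here is a builder for that request beside a detector that flags captured requests exposing SSH or Telnet on a LAN host. The two captured requests, the IP addresses and the "remote help" description are constructed for the example.

```python
"""Spot UPnP IGD AddPortMapping requests that expose a LAN host's SSH or Telnet.

Added example, not from the talk. The builder produces the SOAP body a UPnP client
sends to an Internet Gateway Device to open ext_port -> client_ip:int_port; the
detector parses such bodies out of a capture and flags risky ones. The captured
requests at the bottom are constructed; addresses and descriptions are assumed.
"""
import xml.etree.ElementTree as ET
from typing import Dict, List, Optional

WANIP_NS = "urn:schemas-upnp-org:service:WANIPConnection:1"
RISKY_INTERNAL_PORTS = {22: "ssh", 23: "telnet", 2222: "ssh-alt"}


def build_add_port_mapping(ext_port: int, int_port: int, client_ip: str,
                           proto: str = "TCP", desc: str = "") -> str:
    """SOAP body of an AddPortMapping request (the WANIPConnection:1 argument set)."""
    return (
        '<?xml version="1.0"?>'
        '<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" '
        's:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"><s:Body>'
        f'<u:AddPortMapping xmlns:u="{WANIP_NS}">'
        '<NewRemoteHost></NewRemoteHost>'
        f'<NewExternalPort>{ext_port}</NewExternalPort>'
        f'<NewProtocol>{proto}</NewProtocol>'
        f'<NewInternalPort>{int_port}</NewInternalPort>'
        f'<NewInternalClient>{client_ip}</NewInternalClient>'
        '<NewEnabled>1</NewEnabled>'
        f'<NewPortMappingDescription>{desc}</NewPortMappingDescription>'
        '<NewLeaseDuration>0</NewLeaseDuration>'
        '</u:AddPortMapping></s:Body></s:Envelope>'
    )


def parse_port_mapping(body: str) -> Optional[Dict[str, str]]:
    """Extract AddPortMapping arguments from a SOAP body, or None for any other action."""
    root = ET.fromstring(body)
    for el in root.iter():
        if el.tag == f"{{{WANIP_NS}}}AddPortMapping":
            # Argument elements carry no namespace, so their tags are the bare names.
            return {child.tag: (child.text or "") for child in el}
    return None


def flag_mapping(args: Dict[str, str]) -> List[str]:
    """Findings for one mapping; empty unless it exposes a risky internal port."""
    int_port = int(args.get("NewInternalPort", "0") or 0)
    if int_port not in RISKY_INTERNAL_PORTS:
        return []
    findings = [f"exposes {RISKY_INTERNAL_PORTS[int_port]} on {args.get('NewInternalClient', '?')}"]
    if args.get("NewLeaseDuration", "0") == "0":
        findings.append("permanent lease (no expiry)")
    if args.get("NewRemoteHost", "") == "":
        findings.append("reachable from any remote host")
    return findings


def audit_capture(bodies: List[str]) -> Dict[int, List[str]]:
    """Return {index: findings} for each captured SOAP body that opens a risky mapping."""
    out: Dict[int, List[str]] = {}
    for i, body in enumerate(bodies):
        args = parse_port_mapping(body)
        if args is None:
            continue
        findings = flag_mapping(args)
        if findings:
            out[i] = findings
    return out


# Constructed capture: a game-console style mapping and the backdoor's SSH mapping.
CAPTURED = [
    build_add_port_mapping(3074, 3074, "192.168.1.20", "UDP", "console"),
    build_add_port_mapping(2222, 22, "192.168.1.50", "TCP", "remote help"),
]

if __name__ == "__main__":
    for idx, findings in audit_capture(CAPTURED).items():
        print(f"request {idx}: {'; '.join(findings)}")
```

On a real capture, feed `audit_capture()` the bodies of POSTs whose `SOAPACTION` header names `AddPortMapping`; a device on your LAN opening port 22 to the world with a zero lease and no remote-host restriction is the wire-level signature of the `open_back_door.sh` behaviour described above.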