
So, everyone, welcome to the last talk of today, which is called "Meet Hot Owls in Your Area". Like many of you probably, since starting to work in infosec I've become more and more resentful towards computers, because everything is just broken and a mess. So, thinking about other hobbies like woodworking, I kind of turned to bird watching, and more specifically owl watching. So this will be 45 minutes of me showing you some pictures of owls and talking about them. [laughs]

First up, the snowy owl. Most of you will probably know that one from the Harry Potter movies, because Harry has an owl called Hedwig. Fun fact about that: the owl in the movie is all white, and that's actually a male, because the female snowy owls always have these dark decorations on their feathers. A little fun fact about that. And you will probably not find a snowy owl anywhere in Germany; they live where it's always snowy, which is luckily not the case here.

Next up, the short-eared owl. I don't know why it's called that, because I don't see any ears at all, but you can find it in Germany; it's in the northwest of Germany, northern Australia, and somewhere... enough of that.

This is the barn owl. The barn owl, according to my super credible sources, which is of course Wikipedia, is the most common owl in the world. But in 2021 my company modzero and I figured out an owl that is even more common across the world than this one, and it's the Meeting Owl, which you can see here in its natural habitat, my living room, behind a plant. And according to our research, just looking at this map that we plotted, it's actually even more common. If you look at it, it's super common in Europe and North America, but it's even living in South America, Australia, New Zealand, even Greenland; it does not care about the climate at all.

So yeah, as you've probably figured out by now, this is not actually going to be an owl talk. I hope no one is sad about that, but in case you are, I also brought a lot of owl pictures to make up for it.

Before I get into the talk, I would like a quick show of hands: who here has heard of the Meeting Owl that you just saw? Okay, let's say a couple of people, like 10, 15. And who here has heard about the security issues before reading the description of this talk? Okay, that's two, three people, a couple of people. Yeah, nice. Okay, great, that's really good, because I mainly just talk about the security research we already published earlier this year, so if you're all new to that, that's perfect.

First up I'm going to talk about the owl itself and how it works, then the research we did, how we did it and what we found. After that we'll talk about the disclosure real quick and how that went, and last but not least, what has been fixed since then.

But before I start, I would like to introduce you to the owl itself. It's this little guy right here. He's wearing his aluminium hat because he's kind of afraid of radio waves; you will get why in a second. Let me just put this here, and I will also plug it in, just so that you can see that it's working. This is super finicky, I don't know why they designed it like this.

So this is the owl. It's a 360-degree USB webcam, a conferencing solution made by Owl Labs, and they launched the first version in June of 2017, so two years before the pandemic. It has a 360 camera below that aluminium head, it has speakers, it can make noises, which you will hear in about a second. [hoot] Okay, I hope all of you heard that.

But that's not all. It also supports Bluetooth, of course it has Bluetooth, because there's a companion app, of course there's an app, which you can download for Android or iOS. The thing also has Wi-Fi, because of course it needs Wi-Fi, so you can do some fleet management if you happen to have too much money, because these are like a couple of thousand euros per owl. So if you have a whole fleet of those, you can manage that online, and also if you're connected to Wi-Fi you can get over-the-air updates overnight, which is probably pretty nice; if you're a security-conscious person you want to get the updates, so of course you connect it to your Wi-Fi.

The whole thing is based on Android. It just has a standard Qualcomm SoC you might find in a high-end Android phone. Yeah, it's basically an Android phone with a fancier camera, a fancier case and no screen.

Just to give a quick reference: if you use this in a conference you would put it on a table in the middle, just like a telephone conference solution, and everyone would sit around it. Then if you use it as a webcam, you have at the top a 360-degree view of the room, just a very thin strip, and then it will start showing the people that are actually talking at the bottom, as a normal webcam, and it can split that up if two people are talking or three people are talking. Also, they have three different variants: the original Meeting Owl from 2017, the Meeting Owl Pro, which I will talk about today, and there's also the Meeting Owl 3, which they launched this year.

So let's talk about the research we did. First of all, this research started as a customer project, so everyone involved, including us, was like, well, it's a USB webcam, what could possibly go wrong? Turns out, quite a lot.

First of all, we started with the device being a black box. We just got the device, we downloaded the app and just looked at the interaction. It was Bluetooth, so we started sniffing the Bluetooth traffic, or Bluetooth Low Energy to be more exact. Then later we found out, oh, the iOS app can actually push updates to the device, so the iOS app downloads the update and then puts it on the device. So we used a jailbroken iPhone, got the firmware off the file system, and then we could analyze that, and that helped quite a lot and the test became much more white-box.

To be more specific, what we did: we took the update, we extracted all the partitions of the update; there's a ready-made tool for that, by which I mean there's a gist on GitHub by some guy, a small Python script that does all that for you, and then you get just normal file system dumps which you can mount in Linux and then look at the file system contents.

On the file system you will find a couple of different Android apps which they developed for making the whole internals work, which I will show in a second, and those can be decompiled quite easily; Android apps are usually written in Java, and you can decompile Java pretty nicely to basically what the original code was. That gave us a lot of insight into how the inner logic works, and it also helped us because it gave us the login information for so many back-end services, which were just hard-coded in there. Yeah.

Just quickly showing you the internals of the owl: on the right half you have what's actually going on inside the owl. There are five different services which are important for this talk. There is a Bluetooth Low Energy service, which is used to interface with the app itself. There's an HTTP server; this is the one that receives the over-the-air update if you update via the app, so the app will connect to the Wi-Fi that the owl opens up and then send the update over HTTP. Both of these interface with the companion app, as I said. Then below you have the more back-end-facing services. There's a whiteboard sharing service, which I will get to in a minute. Then there is a Barn client service, which is the main back-end communication service that does all things like the fleet management. And then we have Barn comms, and this is different from the other two because it actually talks MQTT instead of HTTP; we will also get to that later.

And then, what is kind of interesting about the device is that they opted to do IPC, so inter-process communication, through a custom ARM binary that they built. So this is not a normal Android service, it's actually an ARM binary, and every service you see here is actually doing IPC via the switchboard. So for example, if the companion app wants to start up the Wi-Fi, it will talk to the BLE service, that will talk to the switchboard, and then the switchboard will actually talk to the HTTP server and start that up.

So let's get to the most interesting part: what did we find? First off, we found music, a potential copyright infringement. So the sound you just heard, the hoot sound, as well as some other default Android notification sounds, those are all on the file system, and inside the same folder we found this song. It's called "10.8" by the artists deadmau5 and Mr. Bill. I've been working with this device for over a year, and I was always wondering, why this song? And just when preparing the slides I figured it out: of course, the device is an owl, and owls eat mice, and the artist is deadmau5. So yeah, you get the idea.

Yeah, but we also found some interesting stuff. First up, we had some fun with PINs. Why can you set PINs? Well, there's an app, and in the app you can configure things like, for example, the dead zone where it would not look for faces to show, and you can also mess with the contrast slider and everything and make everything look kind of weird. So in order to protect yourself, for example if you use it during a lecture, to protect yourself from students, you might set a passcode so not everyone can just connect and mess with the lecture. And this passcode you need to enter whenever you want to control something with the app and actually change something. So you can read everything, but to write or to change configuration you need to know the passcode. Well, turns out, not necessarily.

So first of all, we found a backdoor PIN. How did we find the backdoor PIN? We read the documentation, because the documentation says: hey, no worries if you ever lose your PIN, just call, just tell the support, hey, this is your software serial and hardware serial, which you can both see in the app; the hardware serial is also written on the bottom. So we did just that. We asked the support and we were like, hey guys, we lost access, this is our software serial, this is the hardware serial, can you maybe help us? And they sure could. So they gave us this PIN, and this looks kind of weird for a PIN, right? Because I was expecting a couple of digits. No, this is actually a SHA-1 hash, as you might have recognized. And yeah, so we get a SHA-1 hash which we can use as a PIN, and it works, and we kind of wondered why. So there are mainly two possibilities: either they set it over the internet, but this seems kind of unlikely, because then the documentation would have said something about the owl needing internet for this, which it didn't. So, much more likely, the hash was actually derived from one or both of the identifiers we sent, so either the software serial, the hardware serial or both. Turns out, yeah, this is the SHA-1 hash of the software serial. And I mean, at this point we're like, okay, that's pretty stupid, but whatever. It gets much stupider.

So next up, passcode reset. If you have a PIN set, of course you can also say, hey, I don't want the PIN set anymore, so in the app you say, hey, this is my PIN, and please stop asking for a PIN, and then you can use it like you would before. And all of this is sent over Bluetooth Low Energy. So what we did is, hey, look at the Bluetooth Low Energy traffic and just record the message that deletes the PIN, set a different PIN, then we replay that message, and the PIN is gone. And at this point we were kind of wondering, what the hell is going on, why is this working? Did they just forget to check for the PIN when resetting the passcode, which would be really stupid? Yeah, turns out it's even more stupid than that.

So when looking at the traffic while unlocking the device, we saw that the hash of the PIN is transferred, not the PIN itself, and we thought, okay, yeah, the app takes the PIN that you enter, hashes it, sends it to the device, the device checks it. That's not the case. The app actually asks the device, hey, what is the hash of the PIN that is set? And then it checks the hash of the PIN that you entered, compares the two, and then it will do your action if that matches. So yeah, they did validation of the PIN in the front end, in the app. So you can ask the device for its hash, and it also explains why it's possible to reset the code without entering the PIN, because you don't need a PIN for any of those commands; it's just in the app, it's not actually the device that is verifying anything. And at this point we're like, okay, are you even serious? Like, PIN verification in the front end in 2020, or 2021 it was.

Yeah, next up, the Wi-Fi. So as I said earlier, the owl can connect to your Wi-Fi if you want to get over-the-air updates overnight. It's by the way pretty scary, because the sound that you heard, it does it on every boot, and if it takes an update it reboots, so at 2 a.m. you wake up and suddenly all this hooting. So you can connect it to the Wi-Fi itself, or you can open up a Wi-Fi on the device, so the device will just open an Android hotspot to which the app connects and then just pushes the over-the-air update to that HTTP server I mentioned. And yeah, there's a BLE command for that, and then it will open up a Wi-Fi which has the SSID "Meeting Owl" underscore the software serial, and the password is always hoothoot. But oh well.

What we found that was pretty interesting is actually that the switchboard, this IPC, which uses a custom network protocol that they must have thought of themselves, is suddenly available in that network. So you can check on the IP, on the port, I think it's six six seven eight nine, and connect to that and just talk to the IPC directly, which is already pretty weird. And then there's also the web server, which I mentioned, where you can get some basic analytics, like how much time has been spent speaking, and also upload the new firmware.

But then also we noticed, when we are connected to the device with our phone in the Wi-Fi, we still have an internet connection, and the first thought was, okay, maybe this is just the Android device, just the phone, falling back to the LTE connection and providing internet off that. But no, no, no. It turns out, if the owl is connected to your corporate Wi-Fi, or to your Wi-Fi at all, and you start up the other Wi-Fi, the other Wi-Fi with the password hoothoot will actually route everything to the other network. It does NAT masquerading; it's basically just a normal Wi-Fi router that will act like it is an owl in your network. And yeah, then you can do whatever you want. So the PIN stuff is not all that serious, because, I mean, then you can mess with the lecture, but what's the harm in that? But this is really where we thought, like, what the hell is going on here? And at this point it kind of became apparent that we will probably need to disclose to the vendor, but we're not quite there yet.

We also found some other stuff. So there's registration data. As I said earlier, there's fleet management; for that you have to register the device, you have to make an account. And when we looked at the back-end communication of the device itself, we saw this weird endpoint, which you can see here, and then we opened it in the browser, and then it looked like we get a JSON of a couple of device identifiers and some other kind of stuff, which they actually tell you in the documentation to never share, the software and hardware serial, probably because of the backdoor hash thing. And the response of the API kind of looks like this, by just opening it up. It changed like once a day, what we saw here, but there's a software serial, there's a MAC address of the device, there's even the last IP, which is kind of interesting. By the way, all of this info is fake; I completely changed everything.

And then you see what kind of product it is, and then also kind of neat to see the data sharing; the user was not given a choice, which is kind of weird, but okay, American company, I guess. And then later we looked at the companion app, and then we saw kind of the same endpoint, but it was providing an owl serial number, like the software serial. So naturally, we have our own owl, we have a serial, we try that, and sure enough we receive our registration data. And this at the top is literally the whole request that you need to send; this authorization header is just hard-coded, we got it from the system apps. And the response was kind of interesting. So we get the hardware serial, we get some user information, including the email address that signed up for the device. We would have gotten the name, but we didn't enter a name, so this could have said Christoph Wolf, but in this case it says null. We get the company, which is also kind of tough, and yeah, we get the software that's installed, also kind of cool if you have some exploits for known software, you can see what's there. And you can see the name of the device, the serial, the hardware serial again, for some reason the MAC address, I don't know, this is a super talkative endpoint, and then you even get the IP again of our device, which we used, and it was our office IP. And there was even geolocation as a service, so we got some coordinates which were roughly in the neighbourhood of where the device was. So that's kind of neat.

But we figured out, hey, the serial number is just eight hex digits and kind of seems to be generated block-wise, so why not, let's write a quick script and just ask the endpoint, just changing the last two digits, for all those serial numbers. And sure enough, we got lots of people's registration data. And yeah, this was also pretty bad; we got around 2,000 data sets before we stopped trying. And that's also what was used for this nice map. So this is all the data we have; these are all customer data that we were able to access, and we didn't even try that hard. We could have tried to get everything; we just stopped after 2,000 because it stopped being interesting. Yeah, so that's that.

And it gets worse one more time. So there's MQTT, which I talked about earlier. The MQTT is actually just a weird kind of back end; I never really figured out what the original intention was. But for those of you who don't know, MQTT is just a messaging protocol, so there are topics and you can subscribe to those topics and receive all messages that go there, or you can also publish messages so all the subscribers get the messages; super common in IoT. So in order to authenticate to the MQTT service at Amazon, the owl uses client certificates, a client certificate and client key, SSL client certificate authentication, and that's pretty good from a security perspective. Of course, in order to get those it actually asks the Owl Labs API instead of generating them itself, which is kind of bad. And in order to authenticate, it's using these device identifiers, like the software serial, the MAC address and also the version of the software which is installed, and just an HMAC over it, which is kind of bad and also pretty senseless; to use an HMAC here is basically just obfuscation. The certificate you receive is valid until 2015, for some reason, probably because it cannot be valid any longer. And the HMAC uses the secret "just another test parameter one", and that's just silly. And yeah, it pretty much gave us a good chuckle.

Yeah, but let's go back to attacking MQTT. So a classic attack on MQTT is you use the topic star, which is a wildcard; it just matches all the topics. And that worked like a charm. We started seeing messages from all other owls worldwide, and messages to those owls. But at first the traffic was not really that interesting, so we saw mainly owls checking in, which is what they do when they come online, they just te