
Owning the Smart Home with Logitech Harmony Hub

BSidesSF · 2019 · 18:11 · 158 views · Published 2019-03
About this talk
Joseph Bingham demonstrates remote code execution vulnerabilities in the Logitech Harmony Hub, a centralized smart-home controller. Through blackbox reverse engineering of Lua-based firmware, he identifies command-injection flaws in time-server synchronization and WebSocket command handling that allow unauthenticated network attacks. Once compromised, an attacker gains control over all IoT devices connected to the hub, from locks and cameras to entertainment systems.
Original YouTube description
This talk will walk through reverse engineering Logitech's Harmony smart home hub from a black-box perspective. The process of vulnerability hunting in the device will be outlined, along with discussion of the vulnerabilities found and post-exploitation implications.
Transcript [en]

Good afternoon, everyone. Here we will be listening to a very interesting lecture by Joe on literally owning the smart home: the good old Logitech smart hub, which ironically I put into my home the other day. Except my wife didn't know that I changed the firmware such that every random time she would say "turn on the lights" it would actually set off the sirens. So after the seventh time she hit me and I was very quickly undone. But for the most part, you guys are gonna have a great talk in front of you, so off you go, Joe. Thanks.

Thank you. All right, it's good, a presenter view, here we go. All right, so owning a smart home. I'm gonna talk about the Logitech Harmony Hub smart home hub. I had a lot of fun doing this research and it'll be a fairly short talk, get you out of here in about 15 minutes or so, but let's get into it. Who am I? So I live in San Diego, my name is Joseph Bingham, I work for Tenable right now. I've always kind of been into reverse engineering, and before coming to Tenable I was working at Symantec doing malware reverse engineering and was there for several years before I came to Tenable. I've been at Tenable for about eight years. We make Nessus, probably most of you guys know that, or maybe at least half of you guys know about Nessus. So before this zero day research team was formed at Tenable I was writing Nessus exploit plugins, and this new team kind of came out with the IPO; Tenable recently did an IPO and we formed this new team. It's a small team, it's a pure research team, it is zero day vulnerability analysis and research, and the main purpose of it is just to publish analysis and intelligence reports and find vulnerabilities. So I guess I might as well mention the other guys on the team. David Wells, he's just come out with a really cool Zoom vulnerability, Zoom the messaging client, probably most companies use it; it's a command injection vulnerability, really cool. Jacob Baines is on the team; he's done some really interesting MikroTik research on RouterOS. We have Jimi Sebree, he's found a ton of vulnerabilities in some dental software and building security, premises card building access stuff. And Chris Lyne is also on the team, who has done a ton of web application security and published a lot of good information and research on that.

All right, so we're going to talk about the Logitech Harmony Hub. I'm gonna give you guys a little background on the device, try and get you interested in it, and there's a lot of them. I'm extrapolating that there's a million of the devices; I'm extrapolating that from basically the app store. I don't have a whole lot of information on them because the services, there's nothing you could query on Shodan, and there's not a whole lot of information on how to see how many of them there are out there, but the app store, their Harmony app has a million plus downloads on it. So I don't know, we'll have to ask Logitech how many devices there are, but there's a lot of them. We'll go into the vulnerabilities a little bit and then the implications: what can you do when you lose control of your smart hub?

All right, so let me get you guys interested in the device first. Recline your seat maybe a little bit and close your eyes. What we call the smart home today, I think in five to ten years they're just going to call it their home. You know, smart lights, smart locks, all that kind of stuff is gonna become more ubiquitous, I think. And let's go through a little scenario. Well, Logitech has the Harmony Hub; Google, Amazon, Apple, Samsung, Philips all have centralized smart hubs, so Logitech is not the only one, but these devices are, you know, all over the place, and they're very attractive from an attacker point of view because you exploit one device and you control everything in the home. So all right, close your eyes, guys, ready? Your alarm clock slowly sounds, the house gently turns the lights on, you hear a familiar click as downstairs the coffee grinder turns on, the electric kettle starts boiling the water. You lay in bed for five extra minutes as the coffee grinder slowly roasts your coffee. As you go downstairs you pour yourself a nice cup of fresh roasted drip coffee. I don't know what my problem is, I have an unhealthy relationship with coffee. But how would you feel if someone you didn't know had access to all of these devices, right? That's the trouble: these centralized devices need to have extra security in them because they have so much oversight into your house, into all of the other IoT devices that you connect to it.

So another interesting thing about the Harmony Hub is that it's fully scriptable. We'll talk a little bit more about some of the interfaces, but they have the scripting capability on it, and I think that's one of the reasons why people like us like these Harmony Hubs. You can talk to it over XMPP with local scripts, you could write Python for it. I liked what this guy on Reddit said; he has some keylogger, I guess. Can you guys read that? He has a keylogger, supposedly, that determines when he's writing code and has his stereo turn on Rage Against the Machine. Seems interesting. Infinite possibilities, right?

All right, so reversing and vulns. Let's talk about the device a little bit, we'll talk about the vulnerabilities. Maybe I shouldn't call it reversing, but we'll get into it. So first step when you're looking at a black box: start out with network services. It looks good from that standpoint, you have three open services on weird ports. It's always a good starting point, encouraging to you when you're looking at a new device; obviously custom protocols, custom services are good to look at, closed source applications generally have a lot more problems with them. But yeah, service footprint, network footprint's a good start, way easy, no effort required just to see what's available to attack from a network standpoint. For this case, you know, it looks really good, and as it turns out Logitech implements functionality over three network services: XMPP to do user interaction and authentication and, like I was talking about earlier, scripting; there's a WebSocket service which is used for server communication and interaction with the iOS and Android apps; and there's another unidentified, unidentifiable service on 8222, and I'm not going to talk about that in this talk. This isn't a full, you know, there's a huge application code base and I'll talk about part of it, and really this will hopefully be a good springboard for other people that want to continue research into this device. Then the services that I looked at are all implemented in Lua, which is another nice thing about this device and why I was saying earlier I would hesitate to call it reversing: there's no assembly language that you're looking at, everything can basically be looked at from a source code analysis point of view.

All right, so step two: you want to try and find the device's firmware. FireEye last year released a research advisory on the Harmony Hub. They had found a remote root vulnerability chain that required man-in-the-middle, for I believe it was during a firmware update, and yeah, but you couldn't trigger an update, you have to wait for the device to update. They also had identified vulnerabilities or weaknesses, I guess, in the update process, that it updated over plaintext HTTP. Last year the firmware was updated and the Harmony update app now, while it uses SSL, the certificates aren't pinned, so you can actually still get the firmware during an update. The vulnerability that I'm going to, well, there's several vulnerabilities, and the chain that we'll talk about in this talk allows you to remote root the device over the network without authentication, without man-in-the-middle. And so, to get the firmware, right, you can just basically man-in-the-middle the MyHarmony app and allow the device to update, plug it in, you can get the firmware pretty easily. One nice thing about the firmware: everything on this device is standard headers, standard file formats, really easy to analyze, really easy to look at, really easy to pull all the files out of the file systems and just look at everything, which is kind of nice when, you know, a lot of the time you're looking at, you just look at this binary file and you're trying to figure out what is this and what are these magic bytes meaning. So it wasn't the case for this device. And yeah, so the file system basically is what we're gonna talk about in this talk, and all the application code is in Lua on the file system and you can decompile the Lua. Basically on the left here is what compiled Lua looks like and you don't really want to reverse engineer that. You could, I guess, you could look at Lua intermediary language, but you're better off just decompiling it. There's a link to this GitHub project which is a Lua decompiler you can use. A patched version of the Lua 5.1 interpreter using some OpenWrt patches allows you to basically just look at source code. The OpenWrt patches, where they include like double support, shared libraries and opcode performance improvements.

All right, so the vulnerabilities. We published four vulnerabilities for this device, two of them for XMPP with authentication issues; I'm not going to talk about those. The two that we'll talk about in this talk basically allow you to remote root the device over the network without any interaction or authentication, and so we'll talk about those two vulns. Before we talk about the first one, let's describe how the device interacts on the network. So the Harmony Hub communicates with the user application on the local network, which could be the Android app or the iOS app or the MyHarmony PC application. The device communicates with Logitech servers to do user authentication, to do synchronization, time server, stuff like that, and the application can also communicate with Logitech servers; if you're not on the local network it can communicate with the device through Logitech servers. And recently, I guess two weeks ago, the last update to the firmware added AES encryption to some of the local network communication, and the shared key is provided from the Logitech servers to the Harmony device as well as to the user application.

So for the first vulnerability we'll look at this time server synchronization. All right, so the vulnerability should be relatively easy to spot in this code, especially since I already told you what it was: command injection. See if this thing works here. Yeah, so you can see down here there's an os.execute of this clock set string. Basically the command, the string, gets passed straight to the operating system without any validation. You can see in the patched version on the right they have added some date validation for integers. So this is remote server OS command injection.

Now I called the second vulnerability application command injection. The hub accepts commands from Logitech servers over the LAN on the WebSocket service, and on the top this handle post function here basically validates the origin of the request, and in a perfect world it should, you know, verify that the request actually came from a Logitech server, but it uses this check origin function down here, and all it does is actually validate that the request had a header in it, an Origin header, that had the string ".myharmony.com". So the end result of this is just that the origin can be forged by a remote attacker and the application command can be sent to the hub by any remote host and it will process it. Horrible, but really good news from an attacker point of view, right? So get excited, like, all right, what can we do now? The hub implements a ton of different commands; this is just a really short list of some of the commands you can do. You can basically, you know, add devices, remove devices, interact with any of the devices attached to the hub, modify them, you can trigger firmware updates and do different package control. What I ended up being able to do was, you know, there's a ton of different ways to skin a cat, basically you have all the tools, and so I ended up using this setup account provision command.

So what can you do once you have this remote root of the device? I said basically you can control, modify, add, remove devices, anything that's connected to it, and it's crazy from an attacker point of view because you compromise one device and you have access to everything in the house. So you have things like smart locks, security systems, security sensors, cameras, microphones, entertainment systems, appliances, and the list goes on and on. There's, I think they have support for like 270,000 different devices, a crazy amount of IoT stuff in your house that could be controlled by this. So anyways, I ended up trying it out. Here's my proof of concept on this deadbolt at home. My wife was not happy. I should add sound effects; kind of sounds cool when it unlocks, it's like... And then I should also note that in this attack I bound to a local address just because I was on the local network, but if the device, you know, were exposed to the Internet, any remote address would be able to do this.

So yeah, that's it. If you guys have any questions, feel free. I have a link here to our security research page; there's a lot of research on this. I had a lot of fun looking at this device just because it was, you know, fun to look at, easy to analyze, easy to look at source code, and then I have a full write-up on our blog basically detailing it with proof of concepts. Hit me up on Twitter if you have any questions and I'll be around. That's it, thanks guys.

So we have one question here in the back. Here we go, sir, stage center, floor center.

Sorry I missed the beginning. Are you releasing this just right now? Because I just checked, your Medium post went up three minutes ago.

Yeah, it was scheduled for, I don't know, like 3:30 or something.

Okay, so this was not previously released information?

Yeah, no, the blog post wasn't released previously. We have a TRA, basically a research advisory, that lists the CVEs. There's actually a brief proof-of-concept on that too, but the blog post will have like a very detailed discussion of... yeah, I said it does.

Okay, great, thank you.

Sure. Well, that looks like everyone, so thank you Joe.

Yeah, thanks.
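As an added illustration (not code from the talk, the Tenable advisory or Logitech's firmware), the two defect shapes the talk describes are shown below in Lua 5.1, each beside a hardened counterpart: a time-sync handler that builds a shell command from a server-supplied value, and a WebSocket origin check that only looks for a substring. All function names, the allowlist and the sample inputs are constructed.

```lua
-- Added example; function names, allowlist and sample inputs are constructed,
-- not taken from the Harmony Hub firmware.

-- Pattern 1 (as described in the talk): a command string built from a value
-- that arrived over the network. Any shell metacharacters in `ts` would be
-- interpreted once the string reaches os.execute(). Shown only for contrast;
-- nothing here is executed.
local function set_clock_unsafe(ts)
  return "date -s @" .. ts          -- would be handed to os.execute() as-is
end

-- Hardened: accept only a plain decimal integer, bound it, and build the
-- command from the validated number. Anything else never reaches the shell.
local function set_clock_safe(ts)
  if type(ts) ~= "string" or not ts:match("^%d+$") then
    return nil, "invalid timestamp"
  end
  local n = tonumber(ts)
  if n == nil or n > 2^31 - 1 then  -- keep within a sane 32-bit range
    return nil, "timestamp out of range"
  end
  return string.format("date -s @%d", n)
end

-- Pattern 2 (as described in the talk): an origin check that only tests for a
-- substring. Any header containing the marker passes, so the check proves
-- nothing about where the request came from.
local function check_origin_weak(origin)
  return origin ~= nil and origin:find(".myharmony.com", 1, true) ~= nil
end

-- Hardened: parse scheme and host out of the Origin header and compare the
-- host exactly against an allowlist (the entry below is a placeholder).
local ALLOWED_ORIGINS = { ["hub.example.myharmony.com"] = true }

local function check_origin_strict(origin)
  if type(origin) ~= "string" then return false end
  local scheme, host = origin:match("^(https?)://([%w%.%-]+)$")
  return scheme == "https" and ALLOWED_ORIGINS[host] == true
end

-- Constructed sample inputs.
assert(set_clock_safe("1552000000") == "date -s @1552000000")
assert(set_clock_safe("1552000000; ls") == nil)                           -- rejected
assert(check_origin_weak("https://evil.example/.myharmony.com") == true)  -- substring suffices
assert(check_origin_strict("https://evil.example/.myharmony.com") == false)
assert(check_origin_strict("https://hub.example.myharmony.com") == true)
```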