Breaking into Embedded Devices and IoT Security

all right good afternoon everyone thank you for I'm going to thank everyone in advance for attending my talk today I always get a strange flash back to the Smirnoff advert when Smirnoff made Aalto huge I mean finnerman remembers so yeah this is my talk on breaking into embedded devices and IOT security so quick Who am I my name is andrew kostas feel free to add me on Twitter I worked for a company called logarithm I work in our labs team primarily doing malware analysis reverse engineering so just want to start with a few disclaimers all views are my own so funnily enough I don't do anything to do with IT security as part of my day job

so all of this but I'm going to talk about is just based on my own kind of research and investigation so of course nothing to do with my employer I'm caveat as well and say I'm not an IT expert and so if you are you know a hardware hacker of sorts then you should be able to get something from this but if you're completely new or venturing into the IOT domain then hopefully you're in the right room you may produce smoke or fire or possibly a combination of both particularly on the hardware side yet to see that I'm software but you never know you may get electrocuted you might brick your device any tools that I talked about apart from hardware

tools of general open-source tools that I use but that doesn't necessarily restrict you to accomplish in the same goals any mention of security vulnerabilities of course solely for educational purposes and so if anyone does venture outside after this talk and starts playing around and hacking around please disclose responsibly so a quick definition from Gartner so Internet of Things is the network of physical objects that contain embedded technology to communicate and sense or interact with their internal States or the external environment so never words things so we're all used to seeing these everyday things in our lives that have kind of taken over and become intertwined with our everyday activities so things such as wearable devices

you know devices that have maybe wireless capabilities RFID proximity location detection you know being as control lights sound that kind of thing so probably all kind of familiar with what that is and I kind of want to go back to a couple of years so one of the kind of main headliners that's made you know big news waves in recent years as the Mirai botnet so 65,000 infections in the first 20 hours the botnet was essentially created by a group of free individuals and the impact that it had was taken down Krebs on security at DDoS speeds of about 600 to 650 gigabits per second and Dyne being the worst hit of them all which was at one point two

terabytes per second pretty pretty large speeds and actually the source code was later posted once they'd accomplished their goals which was primarily just to use the botnet in order to make some money as always is and fundamentally the source code that was later posted by the free individuals really was quite simplistic so how it worked was it sent by it works by sending TCP syn probes to vulnerable devices and it simply just scanned quite a rapid rate open ports 23 and 23 23 which is telnet then it uses a list of or tape takes a list of 62 default credentials and it will just randomly select 10 out of the pool of 62 and then it will just go ahead and in

fact very very simplicity but yet had the momentum to infect over 600,000 devices and in other news I'm just going to touch on a few stories so in 2016 there was a baby monitor which essentially was a wearable sock that you put on your newborn baby and the link between the wearable sock and the base station provided no authentication no encryption and no update mechanisms then in 2017 wearable or implant pacemaker technology used for people that have slow heart rhythm was found to have weaknesses in the transmitter allowing potentially changing of pace battery depletion and even shock so in other words death which is obviously never a good thing then in 2017 some hardware hackers at

DEFCON revealed a $10 hack which consisted of a essentially an SD card reader and some very basic soldering skills to plug in to the flash memory on the PCB board of a device and extracts out an expert rate sensitive information from the flash memory about a month or two ago some vulnerabilities were found in BMW vehicles when so that's necessarily a bad thing anything from you drivers out there hold it to you so out of those 14 vulnerabilities six of which could be exploited remotely couple via Bluetooth and others via via the cellular network and then again a few only a few weeks ago almost IOT botnet as a service for about $20 a month now

exists guaranteeing speeds of up to 300 gigabits per second so kind of just touching on briefly architecture for IOT is is we don't necessarily talk about IOT security in specifically about the device itself there are usually one or two or three components to a typical device so quite often you would have a client that could be a web browser it could be a smartphone app that talks to the device itself and there may be some cloud communication as well either between the client and the cloud or the device and the cloud so want to kind of cover some of these in a bit lower levels so when we talk about components we're really kind of talking about PCB boards so

these are the green fiberglass boards that contain lots of tiny writing solder points insulation transistors resistors and so on then we have memory usually in the form of flash memory EEPROM memory and again as I said in the example team of hackers could quite easily access the flash memory there'll always be a CPU of sorts so similar to how Intel have dominated the market for many years for a server and desktop arm generally are the the de-facto for mobile MIPS over recent years trying to kind of worm their way in try and grab more of the market share but you'll often find one of these two CPUs which will come in useful when you get into the reverse

engineering on the software side you'll also you'll also get a firmware image so this is obviously the file system the operating system a third party software all bundled into the firmware again that can be extracted out or quite often these days vendors just provide a free unauthenticated download to firmware files also lives is a star game also real-time operating system so generally Linux busybox sometimes bsd have yet to see a Windows IOT device but that could make for an interest in projects and then on the actual PCB boards themselves is quite common to find one of the four I would say from my personal experience UART is by far the more the most common JTAG

from the manufacturers points of view is generally more expensive and costly to build in to the device so if we think about common in everyday devices ultimately companies out there are trying to sell gadgets and whatnot for a reasonable cost so UART tends to be the most popular and there's some older ones like SPI and i2c and this is just a really like an old like back in the day you know plugging in a rs-232 cable into a Cisco router or whatever the case may be this is just a way of directly plugging into the PCB board to allow you to start reversing the actual Hardware then commonly you'll find some sort of network interface card so it could be a

Ethernet adapter Wi-Fi ZigBee software-defined radio implementation and then again depending on the implementation of that IOT device there's various protocols that may or may not exist so CANbus is very popular with vehicles Modbus seems to be the de facto standard now for ICS and then you have Co app and MQTT which are generally used for HTTP and cloud communication so some of these may exist but not always but these are just the the very kind of high-level main sort of factors when we talk about IOT components so kind of starting out if you have a device could be a wearable device maybe it's an access point or whatever don't underestimate what you could passively monitor by looking at

the network communication quite often you'll reveal low-hanging fruit just by simply sniffing the air waves or the wired connection and these are just a couple of gadgets so I have but I know some of you probably use the hack RF one and other devices so never kind of not look at the packets flying around the airwaves or of the network sockets it's quite often even before you purchase an IOT device and again not always there'll be an FCC ID number maybe in the item description on Amazon or wherever you're buying the product from this actually gives you a wealth of information because if you pop in that FCC ID number you'll get internal photos external photos documentation user

guides and testing environment specifics so that's always a good place to start because even from the photos alone you can probably glean does it have a UART interface does it have a JTAG interface or maybe it has no interface at all and then it allows you to then go and acquire the tools if you don't already have them in your possession good screwdriver kit often overlooked just a simple 171 piece screwdriver kit off Amazon for under a tenner allows you to obviously take the PCB board out of being casing it just makes life a little bit easier then obviously this is just an example of some access point this is a PCB fundamentally various components

CPU memory maybe some LEDs and obviously if it's a wearable device or you know some other gadget it could be a different color that times may not necessarily have a wireless card on it you'll need a multimeter so the idea behind a multimeter is just testing the pins for taking you arts for example the purpose is when you start finding once you've found the ground on the PCB then you use the red probe so black is ground red would be used to locate how many volts is being emitted if you like from those particular pins so sometimes you may need to power cycle the device just to maybe get a reading because sometimes you may get spikes or you may

only get a reading at startup but you're essentially just trying to see does a signal exist and if so what voltage is that so quite simple most PCB boards or at least in this country of 3.3 volts depending on where you've traveled from that could be different and obviously ease device-specific so if you have doesn't matter if it's a cheaper inexpensive multimeter you just flick it to the setting above 3.3 volts and then just start proving a way to find what those ports are doing and essentially depending on the interface type so JTAG spi uart whatever the case may be you're just trying to find which one is transmitted which one is receive which route which one is VCC and it's a

process of elimination but this isn't too taxing just takes a little bit of time and perseverance optional USB microscope just helps to bring up images so gets you a bit a little bit closer to the action so here we see different pictures of a you arts interface we can see tracing and different patterns and shapes for this for the connectors so it's always a good idea just to scribble down on a pen and paper maybe just draw a you know the 4 or 5 pins or however many pins there may be in a row and obviously just saves on eyestrain because believe it or not you know we all wear glasses right so we yeah anything to save our eyes a cheap

solar and iron so you don't have to be an expert at soldering I mean I haven't done any soldering since secondary school I spent more time just burning the actual soldier than actually sold in anything but um you know as long as you have like a reasonably thin tip on the end of your soda then that should be adequate and then various kind of breakout connectors header connectors jumper cables just allows you to connect one of these devices this is what I have there are other alternatives so I'm sure some of you already know this so the the bus pirate is probably one of the most common ones there's something called the jtagulator by Joe grand great guy

and this is what I opted for just on my own research it just generally the feedback that I saw on various forums that it was just a little bit more reliable and was being actively maintained and supported ultimately you can even pick up just a you arts to USB converter for about 5-10 pounds this particular device as the other ones that I've mentioned they they tend to do JTAG SPI and and other varieties of the interface specification so the idea is once you've figured out which pins go where you've got your cables and then using the you know you do get a nice bit of paper to tell you which which pins are designed for which purpose and you

essentially just plug in and then you pop in your USB adapter and then you bring up whatever your favorite program is if it's Linux maybe screen or good old days of hyper terminal and essentially for a bit of trial and error find the board rate and away you go optionally and this isn't a necessity the difference between a multimeter and this is what's called a logic analyzer so like I said multimeter will tell you if there's a signal there and what you know voltage that signal is being sent the logic analyzer will allow you to kind of find out what is that what specifically what is that signal so it does that by taking a capture and you

can use again this is just my preference but there's other alternatives out there so this is the Sadie logic analyzer software it's a free download essentially it takes a sample and there's a lots of different interface types that are supported on the right hand side there and once you take a capture and you can see the bit rates and binary and potentially the hex decimal conversion which then can be extracted out further to ASCII so it can be very useful for reverse engineering so why hardware what can we do with hardware with these basic tools where it allows us to monitor the bootloader we can get potentially root access to the system just by plugging in some of

you may say well user guide will probably tell you the root username and password and that's true but other things as well like grabbing contents of flash memory or flash in the memory reverse engineering the PCB board for maybe further modifications so for example espionage purposes maybe someone wants to plug in you know micro components are very cheap nowadays but maybe plug in a microphone and have some CT call back you know to spy you know side channel attacks time in attacks as loads of there's various attack vectors that can be taken advantage of just from the hardware alone and you know I'm a hobbyist DJ I think it would be kind of cool to you know as a side project maybe

to make my decks portable and you know add some Wi-Fi it would probably solve a few problems if I'm ever kind of doing a few gigs you know and even if you just look at the kind of everyday things you know on the right is a Logitech mouse on the left is a some Wi-Fi sensor but they're very similar sizes and quite often in a lot of IOT devices most of the bulk is just the external casing closure quite often the circuit buzzer much smaller said perhaps thinking outside the box you know more combinations of modifications rather of devices to get them to do things that they weren't originally programmed to do let me move on to the software side so

simple nmap scan obviously could reveal low-hanging fruit public exploit repositories potentially might show up some results banner grabbin could be quite useful you may just get a four hundred HTTP response code but if you do get some sort of basic information back plug-in to show down it could give you some idea and insight as to how many devices are actually affected I mentioned about passively monitoring using you know wiretap or sniffing the airwaves it's very very scary but very common at least from my own research still to this day how weak authentication and how credentials are just transmitted this is before you've even attempted to log in either to the web interface or you know SSH session or

whatever so usernames and passwords in clear-text you know base64 encoded passwords easily converted in your favorite tool and I mentioned earlier you can pull down firmware so yes we could extract out using the hardware tools that I've mentioned but you know you can almost guarantee you can get to any vendor website and pull down a firmware you know zip file or whatever format it will be and copy it into your machine get some very quick high-level information architecture operating system and so on one of my favorite tools been walk was well really valuable for extracting binaries out of a firmware image so essentially unpacking I mean you can do this using the DD command in Linux

but allows you to see and get confirmation of the filesystem type used and then that could kind of lead you onto maybe using other tools designed for that filesystem so score chef s is a very popular filesystem it's not using everything obviously but you could then download the squash FS utilities and start poking around there but essentially the idea is once you have extracted the firmware then you're just looking at again just another form of you know directory tree you can start poking around searching for things like shell scripts config files private RSA keys and so on you can get ideas and understanding in terms of how the update if it has an update facility and how

that would work what's it communicating to back to the cloud for instance so another one of my favorite tools is the firmware analysis toolkit so this is all open source stuff this is actually just a screenshot from the efi operating system if you're like me and you're lazy and you can't be bothered pulling down tar files and manually making programs then i highly recommend this particular virtual machine distribution it's essentially allows you to pop in your firmware path it drops it into a Postgres SQL database and essentially it will launch the firmware as if you were local to that machine so once it brings up the interface you can browse to it if it was

a I use a simple example a wireless access access point you can get as far up your web browser and just browse to it as if you were actually there and yet you don't ever own or purchase the device you this can all be done just from pulling down the firmware image and then obviously from there you can then start poking around you use and again your favorite tools so this is just a wasp zap sure a lot of you have heard of it you know Burt sweet loads of low-hanging fruit and the webapp side very common to find cross-site scripting everywhere almost at least from my findings this is something that I found occurs in the

admin part of a particular way say which name device the firmware update facility page if you updated or try to update the device with a file type that was not supported get an alert box so then again it goes back to further making modifications to the software may be brief recompile in reflash in the device and getting it to do things it was never designed to do again remote command executions it's very common for remote command execution RCE vulnerabilities to exist so particularly in areas where there's some admin functionality so being able to send a ping or a trace route from the device itself to in order to test its connectivity lots of low-hanging fruit

and this is just on the web app side because we've pulled down the bin walk sorry the the firmware image using bin walk we don't have to concentrate on the web app side we can actually concentrate more on the elf files if you know like I say it's usually a Linux operating system so the format will be elf so from here using radar we can get a lot of information so IOT technology is obviously very old and way behind modern day times the good things to look for are things like the know execute bit not being said so nowadays modern server operating systems we use ASL are DEP ksl are know execute is usually turned off

what that means is that potentially you could quite likely achieve a buffer overflow or at least it makes life a little bit easier analyzing the function lists again from with within radar very quickly see which C functions are called some of the ones that highlighted and not all of them but some of them may be more likely to be vulnerable to buffer overflows for instance so zooming in specifically to spur copy so it's quite common for third-party software to be rushed through for the purpose of IOT and therefore miss calculations are done in terms of buffer length buffer size is not being validated and so on which could all lead to buffer overflows some may argue MIPS disassembly is more

difficult than maybe others but if you have some understanding of Intel x86 in a way MIPS is a little bit easier to follow so just looking at some of these functions could potentially you find you a buffer overflow and the good thing about radar is it allows you to compile shell code within radar so you don't even need to kind of come out to radar to do that again even if you're not even if this screen looks scary then there's a visual mode and again this is personal preference I know I'm sure some of you use Ida Pro binary ninja whatever the case may be so the idea is you can achieve the same results irrespective of

which tool but just a highlight that this can all be done for free so again why software why do we care about the firmware so I've mentioned already web app runner abilities buffer overflows config issues you know other things I haven't mentioned like fuzzing attacks data leakage data being you know leaked out unknowingly essentially any of the normal pen testing type of avenues that you would explore for an everyday server or desktop the same rules apply in but if anything there's more low-hanging fruit with IOT devices so just some general mitigations and just my own views so obviously I've mentioned the DEF CON hackers were able to extract an export rate data from flash memory don't know how much of a

complex reality this is for manufacturers but maybe they need to think about securing interfaces maybe even removing or making it harder to access those interfaces or components on the PCB boards you could probably apply the same rule of thumb for many industries but security perhaps should be considered above profit because ultimately these devices are sold at an affordable price and everything comes back to cost but vendors need to take some you know mature steps in developing secure technologies both on the hardware and the software side encryption on the actual chip and I've mentioned hot making it harder to access flash memory and then moving on to the software so all of my findings and I've only kind of

touched on at high level but just from my own playing around you know there's this basic things like operating system hardening you know leaving things like telnet port open obviously any reason why Mirai botnet was able to you know do so much damage default credentials is another one you know making sure that third-party application or software is tested more vigorously before it gets put into production and then shipped out to you know innocent customers booting some non-root shell so is I think there's kind of improved in that sense but you do still find older maybe more outdated devices that still boot a root shell rate limiting of logins so the reason again why Mirai was successful

was because essentially doing a brute force attack on all these devices there was no way of affecting the kind of throttling back or kind of putting a stop on those login attempts and like I mentioned in the case of the baby monitor there was no auto update or no secure auto update available so lots of things lots of areas that need to be improved and then from kind of zooming out a little bit further beyond the hardware and software you know ite is cut departments need to safely procure and test these devices prior to putting them into production knowing what these devices are and perhaps even going as far as testing them on the security level making sure

that there is nothing untoward once they're put into production keeping track of them in terms of login and patching and continuous monitoring real-time detection we've seen a rise in recent years of DDoS you know botnets and so on so having a good DDoS strategy and prevention is definitely going to help and i know i waas have done some really good attack surface map in with iot but there's always room for improvement for not only industry but government perhaps step in to try and better the situation so quick word on ICS so I know there's a lot of differences and I'm not trying to draw parallels but there are still some similarities worth mentioning so ICS

component so whether it's a programmable logic controller an actuator a sensor and so on these these the hardware and software behind it was typically you know designed and produced some twenty thirty years ago the problem with ICS is that if one of those sensors or if one of those PLC devices is compromised potentially everything downstream is compromised as well and all it could take is just a clever bit of malware that becomes you know becomes executed from an end-user which then goes out and talks to a PLC for instance ultimately if an IOT hacker is able to put their skills over and understand similar concepts and technologies and specifications behind the ICS world then subsequently the same

kind of goals could potentially be achieved there's other factors to consider as well like malicious insiders I mean the the attacks are they don't really change from industry to industry they're still they're still going to be subject to malicious insiders or maybe a sophisticated supply chain attack and it's worth noting but it was only a couple of weeks ago that VPN filter which Cisco Talos initially reported on was pretty much the first of its kind malware that targeted not only IOT devices but also Modbus SCADA connections and communications actually had a dedicated module clearly in the hope that the attackers which are believed to be nation's state-sponsored were hoping to eventually infect an ICS environment by using IOT probably

because they know how insecure IOT is and clearly by the headlines we're seeing an uprise of infections and spread Cisco Talos also claimed stated that they suspect with high confidence that VPN filter required no zero-day exploit ation techniques so again this suggests that they're just attackers are taking advantage of probably low-hanging fruit which seems to be the common theme here so now I've covered a lot but ultimately you know we're seeing IOT devices in our home so if smart heating for the home continues to be phased in you know if these Amazon drones take off like they might do one day you know if home devices continue to evolve that built-in AI capabilities you know if gadgets for the home and not

getting adult gadgets as well not those gadgets I know some of you thought that but you know for these devices continue you know if this problem continues then you know how do we know and it's scary to think how our personal information pertaining to our lives not forgetting our corporate workplaces are going to be not only handled but impacted we've seen last year with shadow brokers and the NSA we know that government agencies stockpiling exploits double pulsar eternal blue for their own secret operations how do we know that that same kind of end goal hasn't already started for IOT devices and ultimately ICS as well how do we know that IOT devices aren't already infected infected or

haven't had their hardware modified in certain organizations unless we actually take these devices apart or at least start questioning the integrity of their security we're not going to know so it is up to us to take responsibility for our due diligence both in our organizations as well as for our home use and ultimately you know like phones and tablets and social media and so on if the car become part of our everyday lives you know IOT perhaps might one day give government agencies as well as a nation-state attackers the power to monitor and control or you know you or your organization as I say so that's it thank you very much for listening and [Applause]