
Well, okay, good morning. Welcome to our talk, Breaking and Entering: Hacking Consumer Security Systems. It's tough being the first talk of the day, so thanks to everyone for making the effort to show up; it's good to see a full house. So who are we? Well, I'm Dominic, this is Matthew. We work in the pentest team at MDSec. We've both been involved in the UK infosec scene for quite some time, and this is the second time I've spoken at BSides, or Manchester BSides. One thing I'd like to stress about this presentation is that it's not just the work that me and Matthew have done; it's actually a collaborative effort from some of the other guys in our team. It's really the output of several research nights that we've done. Unfortunately the other guys who were involved, particularly Razvan and Alex, are both on holiday today so we couldn't get them down here, but it's not just the work of myself and Matthew, it's pretty much everyone, well, a couple of the other guys at MDSec.

So what is our talk about? Well, essentially, I'm not going to lie to you, it's pretty much a junk hacking talk. Effectively we're going to be talking about what we call consumer security systems, but these are things that you can buy off the shelf, so you might see them in small to medium-sized businesses, and you might even have some of them at home. Some of the devices we're talking about I've got installed at my house, so if you actually want to break into my house, listen to this talk. Effectively it's things like IP cameras, digital video recorders, intruder alarms, CCTV systems, the kind of stuff that you use to monitor or protect your premises.

So I first started looking at these devices roughly about two years ago, which was when I got the system installed at my house, and I'm not going to lie, it was quite an expensive system. I got a professional installer to come and set it all up for me. At the time, the guy who was installing it basically said to me, oh, you know, you need to give this an IP address, and give me access to your router and I'll port forward stuff so you can get to it from your mobile. And I was like, okay, right, I'm going to have a little bit of a look at this before I put it on my home LAN and connect it up to the Internet. And unsurprisingly this thing was pretty incredibly insecure, and I'll talk about some of the issues that we found in it later on.

However, these devices are generally quite interesting, mainly because they're used as a physical security control or deterrent, so if you're actually able to compromise one of these devices it might assist you in gaining physical access to an environment. Also, what you'll find is some of these devices are actually Internet connected, which means you might actually be able to get remote access into an organization. And finally, what you'll hopefully see from the output of this talk is that these kinds of devices are a much softer target, and I don't just specifically mean these devices, I mean IoT in general: IoT security is actually light years behind the security of desktop environments, which is why they've become more of a target for cyber criminals.

So in the run-up to this talk I started to have a look at some of the press that was out there for these sorts of devices, and some of the stuff I started to see was things like Lizard Squad creating an IoT botnet, several hacker groups creating webcam malware, IoT devices being used in DDoS nets, and then more recently how a vulnerability in some D-Link IP cameras affected over 400,000 devices, and these could be trivially compromised. So this hopefully reinforces why IoT security is a bit of a problem.

So the first device we looked at is this Hikvision DVR. This was one of the devices that I got installed at my house, and as I say, this was something that I started looking at round about two years ago. This is what the DVR system looks like; if you're passing as you leave the room you can have a look at it here. This is the DVR down here, we've taken it to pieces, and we've got a UART console connected to it so you can have a look at the internals of the board. The Hikvision DVR basically provides all the recording and management functionality for the CCTV cameras. As I say, we first started looking at this about two years ago, so some of the bugs have actually been fixed. The version that I was given when they installed it at my house was version 3.01 of the firmware, which is where most of our bugs have been researched. But it's worth noting that the firmware upgrade process is actually a manual thing, so you've got to go to Hikvision's website, you've got to find the right version of the firmware based on the model of the device that you've got. So what I actually think in reality is that a lot of these devices that are out there are kind of set and forget; they're probably just still sitting there on the Internet with whatever version of the firmware they were shipped with. And I can tell you actually, so on the next slide you'll see the amount of devices that are out there, I've just casually browsed to a couple of them, obviously not touched them because, you know, I'm a professional, but they are running ancient versions of the firmware.

Under the hood this device is pretty much just embedded Linux with BusyBox on top. So how many of these devices are actually out there? Well, as you can see, they're actually pretty prevalent. I had a look on Shodan and it reckoned there were at least 116,000 in the US alone, so if you are interested in making an IoT botnet this device is probably a good starting point.
So the way the device works is essentially it's managed via either a mobile application or your web browser; you browse to the default landing page of the device. Authentication for the device is, as you would expect, basic username and password. The default credentials for the device are admin and 12345, and once you're into the web application it's then possible to enable the telnet service and you can log into the device as root, and the password is whatever you've set it to on the web interface. So far so good. One of the most obvious, trivial issues that we noticed when we were looking at this device was that there was no kind of account lockout on the web interface, which meant you could trivially brute force the authentication. Maybe that's not a problem in itself, because when you configure the device, when you set it up, you are actually forced to reset the password. However, unfortunately it only allows you to reset it to another numeric value, which as you can guess is trivially brute-forceable.

So I will just quickly show a demo of this, hopefully, if everything goes to plan. Awesome, so that looks okay. Cool, so if I could just pin this so I can use both hands, just bear with me two seconds. Okay, so the device is up, which is a good starting point. So this is the device down here, it's powered on. I'm going to try and do this as a live demo, so pray to the demo gods. So I've got a little Python script which should, fingers crossed, just brute force the password for the device. I've not modded the password, it's actually just set to the default at the moment, but if the password's set to something else it should hopefully find it. And you can see it's running through the brute force now, and my little Python script should identify the password; it'll connect to the web service, enable telnetd and then it will kick off a telnet session and show you a root shell. This is where you applaud. Thank you. So that's the first root shell of the day; there are more to come. So yeah, this was the first device we looked at.
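The two weaknesses just described (no account lockout on the web interface, and a reset that only accepts another numeric PIN) are both fixable on the server side. The following Python login guard is an added example, not the DVR's code or MDSec's brute-force script; the thresholds (five failures in five minutes, fifteen-minute lockout), the twelve-character minimum and the idea of tracking both the username and the source IP are assumptions chosen for the example. It goes slightly beyond the talk by locking on either key, so one source cannot spray many accounts and many sources cannot spray one account.

```python
import re
import time
from collections import defaultdict, deque

# Assumed policy values for this example (not taken from the device).
MAX_FAILURES = 5          # failures tolerated inside the sliding window
WINDOW_SECONDS = 300      # window over which failures are counted
LOCKOUT_SECONDS = 900     # how long a locked principal stays locked


class LoginGuard:
    """Tracks failed logins per username and per source IP and locks both.

    Keying on the username stops a distributed attacker from spraying one
    account forever; keying on the IP stops one host from walking through
    every account. Timestamps are injectable so the logic is testable.
    """

    def __init__(self, clock=time.monotonic):
        self.clock = clock
        self._failures = defaultdict(deque)   # key -> failure timestamps
        self._locked_until = {}               # key -> time the lock expires

    @staticmethod
    def _keys(username, ip):
        return (("user", username), ("ip", ip))

    def _prune(self, key, now):
        q = self._failures[key]
        while q and now - q[0] > WINDOW_SECONDS:
            q.popleft()

    def is_locked(self, username, ip, now=None):
        now = self.clock() if now is None else now
        for key in self._keys(username, ip):
            until = self._locked_until.get(key)
            if until is not None:
                if now < until:
                    return True
                del self._locked_until[key]   # lock has expired, forget it
        return False

    def record(self, username, ip, success, now=None):
        """Record one attempt. Returns 'ok', 'failed' or 'locked'.

        A correct password is still refused while a lock is active, which
        is what makes online brute force impractical.
        """
        now = self.clock() if now is None else now
        if self.is_locked(username, ip, now):
            return "locked"
        if success:
            for key in self._keys(username, ip):
                self._failures[key].clear()
            return "ok"
        for key in self._keys(username, ip):
            self._prune(key, now)
            self._failures[key].append(now)
            if len(self._failures[key]) >= MAX_FAILURES:
                self._locked_until[key] = now + LOCKOUT_SECONDS
        return "locked" if self.is_locked(username, ip, now) else "failed"


def password_acceptable(password):
    """Reject the kind of secret the DVR accepted: short or digits-only.

    Assumed policy: at least 12 characters, not purely numeric, and at
    least three of the four character classes.
    """
    if len(password) < 12:
        return False
    if re.fullmatch(r"[0-9]+", password):
        return False
    classes = (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]")
    return sum(1 for p in classes if re.search(p, password)) >= 3
```

The guard returns "locked" even for a correct password while the lock is active, which is the behaviour that actually stops an online brute force: the attacker gets at most MAX_FAILURES guesses per window per key, so a 5-digit PIN space can no longer be walked in minutes.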
This is where you're relying on PowerPoint. Ah, there we go, awesome, cool. So this was something that I spotted roughly two years ago and didn't really think it was much of a big deal, to be honest; I didn't actually know at the time how many of these devices were sitting on the Internet. So we started to put together some data and slides for this talk, and then I remembered, oh yeah, I've got this Hikvision device that's massively vulnerable, but I couldn't actually remember what I had set the credentials to when we came to look at it. And yeah, I just couldn't find the brute force script anywhere that I'd written when the guy was installing it. This script that I've just run now, literally I had the guy at my house and he was like, oh yeah, okay, can I plug this into your LAN, and I was like, okay, I'm going to look at it, and while he was setting it up I wrote this little Python script which brute forced it. I was like, you're not plugging this thing into my network. So effectively, basically when we came to do this research I didn't have any of the data because it was two years ago, so I thought, all right, okay, maybe I just left the password as the default password. I thought I'll just do a quick Google, find out what the default creds are and I'll log on to the device.

So I looked around and stumbled on the Hikvision manual for this device, and what I found was that there was actually a supported way to reset the password, which kind of caught my attention. I was like, what's meant by a supported way to reset the password? So I started looking into it, and effectively the way the password reset process works is there's a tool that you can just download from Hikvision's website, it's called the Hikvision support tool, and effectively if you're on the same LAN as the device it will give you the serial number and the start time of the device. And then what you need to do is take the start time and the serial number, call up Hikvision and say, okay, I want to reset my password, and they give you a code which allows you to change the password on the device. Now obviously this is a bit of a problem, because if Hikvision can reset the password on your device then anybody who's able to reverse the algorithm can also reset the password. So it turns out somebody has actually reversed the algorithm, and I didn't need to do any research on this, I just needed to go to IPCamTalk. So effectively these guys had pretty much reversed the process. They found out that it was a very simple bit shifting algorithm: you just fed in the serial number and the date the device booted, it did a little bit of bit shifting and would give you a reset code that you could put into the device to reset the password. And basically they've reimplemented this in JavaScript, so you can browse to their website, and for any of these devices that are online you can effectively reset the password on them, which obviously totally undermines the need for authentication.

The other thing that I raised an eyebrow about while I was reviewing the manual for this device was that there's also a supported way to remotely install new firmware. So essentially when the device boots, when you turn it on, it connects to this magic IP address, which is 192.0.0.128, and it will try and connect to this IP address and try and download a new firmware image via TFTP. And the firmware image it downloads is completely unsigned; it basically just checks the checksum within the firmware image. So obviously if you're on the same LAN as this device and you can cause a denial of service condition in the device (it's got a software watchdog on it, and if you can trigger the software watchdog the device will reboot), then if you're on the same LAN as it you just set your IP to 192.0.0.128 and it will download a firmware image from you, which gives you a nice little way to install a persistent backdoor on the device.

If you are interested in doing assessments of these devices, it is pretty useful to have a command shell, and you can do this quite easily because the device is shipped with a UART port enabled. All you need to do to get a UART command shell is basically have a small female Molex connector, or you can solder directly to the pins, which is what we ended up doing, and when the device boots up you'll get a command shell on the UART console. What you'll find is that the device actually gives you access as a guest user, but as I've already mentioned, we know that the root password is the same as whatever the admin PIN is set to, and the default is 12345. So this is effectively how we got the UART shell. Basically, what you can probably see is we used the JTAGulator in UART passthrough mode, and the pin configuration was: red is ground, orange is transmit and yellow is receive. If you connect the device with this configuration you should get a command shell. So Matt will just give you a quick run through of the next device that we looked at.

So Dominic installed an alarm system to stop people like me breaking into his house, so we decided we'd take a look at it. It's essentially a wireless alarm system manufactured by a company called Risco, the Agility; it's basically a general
purpose computer that has a number of sensors installed around his home for motion and shock detection. It's quite typical of what you see in a consumer home alarm system or a small business premises system. It's not really the type of thing you see in a banking branch or anything like that, but certainly for the home environment. This device has a number of fobs, which essentially is a wireless key fob, a proximity fob that's used for disabling the alarm, turning the alarm off, and then you also have a keypad system for inputting a PIN code for turning the alarm on and off again. And what we're seeing is that a lot of wireless connectivity is increasingly being targeted these days due to the cheap and readily available access to general purpose radios, or software defined radio platforms.

So this is effectively the alarm system that he installed. You can see here the main panel is effectively where the microprocessor is, and the various sensors: on the left here you've got a shock sensor and a motion sensor that are wirelessly sending a signal; if they're breached then they change the signal and it sends that the alarm has been tripped. And you also have the keypad there. From a physical point of view, if you're using a UV light and some fingerprint powder you could kind of target the keypad, but we wanted to look at the wireless connectivity; in particular we wanted to look at Dominic's wireless fob. So we took apart the user documentation, and actually there wasn't any FCC ID, which is normally where we would start for this. Instead, when we opened up the PDFs and manuals we found that it actually listed the frequency that it was in use on, which is part of the ISM band here in the UK, which was 868 MHz, and it even mentioned that it was using a rolling code. So we kind of already had an idea of whereabouts in the radio spectrum this particular transmitter would be.

But we opened it up anyway, and this is the inside of the wireless fob. You effectively have very few components: there's a crystal oscillator and then this TH72032 transmitter, which basically, the data sheet tells us what the modulation was, which was amplitude shift keying, and it could modulate data up to 40 kilobits a second. And essentially when we reviewed that data sheet we determined that there was no other modulation supported by this chipset, so we knew vaguely whereabouts it was in the radio spectrum and we also knew the modulation type that was in use.

So we took a HackRF, or you could use another SDR, and we basically did an FFT plot, pressed the button to try and determine the frequency, and then once we knew that we knocked together this little GNU Radio flow graph. Essentially all this is doing is it takes the input source for the radio spectrum, and it's just slightly off from where the transmitter is, so it does some math to move the signal to the center point of the flow graph. We then feed that through a band pass filter so that we remove the unwanted part of the radio spectrum, and then we take the complex signal and convert it to a magnitude so we get the actual amplitude of the waveform. We resample that down to something that we could then hear, and then we also added a multiply, applied a value to it, so that we could get an increased visual of what the waveform actually looked like. So using that we could effectively capture a signal from the wireless press, and this is basically what you saw when you pressed a button: you would see these bursts of data, and there were eight bursts per button press, which is just basically the ones and zeros of the rolling code being transmitted. And because we'd increased the magnitude we could actually have a look at the modulation scheme. So the fact that it's amplitude shift keying, what that means is that the amplitude of the waveform is increased or decreased depending on whether it's a zero or a one, so you have here this 0 0 1 1 1 1 0 0 1. So effectively using that flow graph, a tool like Baudline, and knowing the timing, we could actually capture back that signal and have a look at the code that was being transmitted to his alarm.

Equally, because we knew it was a rolling code, it actually turned out to be quite a trivial thing to sort of jam and replay. There's a known attack against rolling codes in that if you capture a rolling code offline, or you jam someone's transmission and capture their code and then replay it back to the device, you essentially can replay that signal back and then cause the alarm, or the system that's expecting it, to act. This is a GNU Radio flow graph that just takes the baseband sample and replays it; it's really not much more complicated than that. So we've got a little demo where we just basically captured a signal. We'd already previously had the signal, swiped from Dominic's desk, and then I went and broke into his house. Obviously I'd love to have you all around my house but it's not big enough, so we've kind of videoed this one. Lovely kitchen. Do you want to replay that?

So yeah, we captured the code and went around to Dom's house, set the alarm off, and then I went in the kitchen and made myself a cup of tea, and you could actually hear the alarm tell us that it had disabled itself. So yeah. And then you're on the next slide now, so I'll pass you back to Dominic.

Cheers, Matt. It's great that you've just told everybody how to break into my house as well. That's okay, they can download the sample. Come on Mark, your OSINT is surely good enough to find out. So I'll see if I can just pin this to me.
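The receive chain Matt walks through (frequency shift to centre, filter, complex-to-magnitude, threshold, then read the bits off at the symbol timing) is easy to lose in a flow graph screenshot, so here is the same chain written out in plain Python. This is an added example, not MDSec's flow graph or a recording of the fob: the capture is synthesized inline, and the sample rate, symbol rate, frequency offset, noise level and the single leading start bit used for timing are all assumptions. A moving-average low-pass stands in for the band-pass filter, and the bit pattern is the one quoted in the talk.

```python
import cmath
import math
import random

# Assumed parameters for the synthetic capture (not the real fob's values).
SAMPLE_RATE = 200_000     # complex baseband samples per second
SYMBOL_RATE = 10_000      # ASK symbol rate, i.e. 20 samples per bit
FREQ_OFFSET = 30_000.0    # Hz between the SDR centre frequency and the carrier
PAGE_BITS = [0, 0, 1, 1, 1, 1, 0, 0, 1]   # the pattern quoted in the talk


def make_ask_capture(payload_bits, noise=0.05, seed=1):
    """Constructed IQ capture: an on-off keyed carrier FREQ_OFFSET Hz off
    centre, a leading start bit (assumed here so the receiver can find the
    symbol clock), silence either side, and light Gaussian noise."""
    rng = random.Random(seed)
    sps = SAMPLE_RATE // SYMBOL_RATE
    frame = [1] + list(payload_bits)
    silence = [0] * (3 * sps)
    envelope = silence + [b for b in frame for _ in range(sps)] + silence
    samples = []
    for n, amp in enumerate(envelope):
        t = n / SAMPLE_RATE
        carrier = cmath.exp(2j * math.pi * FREQ_OFFSET * t)
        samples.append(amp * carrier + complex(rng.gauss(0, noise), rng.gauss(0, noise)))
    return samples


def demodulate_ask(samples, nbits, sps=SAMPLE_RATE // SYMBOL_RATE):
    """The flow graph's stages in order, returning nbits decoded symbols."""
    if not samples:
        return []
    # 1. Frequency translation: multiply by a complex exponential so the
    #    carrier lands at 0 Hz (the "some math to move the signal" stage).
    centred = [s * cmath.exp(-2j * math.pi * FREQ_OFFSET * n / SAMPLE_RATE)
               for n, s in enumerate(samples)]
    # 2. Moving-average low-pass, standing in for the band pass filter.
    win = sps // 2
    acc = 0j
    filtered = []
    for n, s in enumerate(centred):
        acc += s
        if n >= win:
            acc -= centred[n - win]
        filtered.append(acc / win)
    # 3. Complex to magnitude: this is the ASK envelope you see on screen.
    mag = [abs(s) for s in filtered]
    # 4. Threshold halfway between silence and the "on" level.
    thresh = max(mag) / 2
    on = [m > thresh for m in mag]
    # 5. Symbol timing: the first rising edge is the start bit; sample
    #    once at the centre of every following symbol period.
    if True not in on:
        return []
    centre = on.index(True) + sps // 2
    bits = []
    for k in range(nbits):
        idx = centre + k * sps
        bits.append(1 if idx < len(on) and on[idx] else 0)
    return bits


def recover_payload(samples, payload_len):
    """Decode start bit + payload and strip the start bit."""
    frame = demodulate_ask(samples, payload_len + 1)
    if not frame or frame[0] != 1:
        return None
    return frame[1:]
```

Knowing the frame length and the symbol period (which Matt got by eye from Baudline) is what turns the envelope into bits; passing the length in explicitly also handles frames that end in zeros, where the envelope alone cannot tell trailing zeros from silence.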
This was a bad idea, I'll just hold it. Okay, so the next device that we looked at was a Motorola Scout 85 Connect. This device is essentially rebranded for a number of different purposes; the device that we got was the RSPCA approved pet monitor, but it's exactly the same device for things like security cameras, webcams and baby monitors, all effectively doing the same thing. The way the device works is it basically provides you with remote access via the cloud, so you can install an app on your phone and view what's going on via your mobile phone. Under the hood the device is essentially built just using embedded Linux and BusyBox on an ARMv5 chip. So we focused mainly on version 17 of the firmware, because this was the version that it was installed with; however, the majority of the bugs that we found in it are still present in the latest version of the firmware, and we have reported some of these to Motorola. So how prevalent are these devices? Well, according to Shodan they're a lot less prevalent than the Hikvision devices, but I guess if you're building an IoT botnet every device probably counts, so you can probably go and own some of these on the Internet.

So our approach to looking at this device was effectively that we initially grabbed the mobile app, we decompiled the Android app, and it revealed a couple of interesting URLs; effectively these were links to the firmware. So we downloaded the firmware, unpacked it and started looking for bugs. There were a number of interesting things that we first found when we unpacked the firmware: there were a few files that looked pretty interesting sitting in the web root, and there was one master binary process which seemed to launch all the services on the device via shared libraries, and that was something that we looked at. Our next step was to see what the footprint of the device on the network was, so we ran a little port scan on the device to have a look at what was going on. As you can see there's a couple of web servers, there's a streaming server, and also a couple of random unknown services. When we were port scanning the device, what we noticed was it kept generating some white noise, and I mean literally through the speaker it was generating white noise, and we were like, okay, what the hell's going on here? So we eventually narrowed it down to the service on port 51108, which was pretty much connected to the audio in of the device. So we were like, okay, well if this is connected to the audio in, what can we do with it? So we started just sending music files to it, trying to see what was going on, and eventually we figured out that if you send the right file type to it, which turned out to be a 16-bit mono encoded WAV file, the device would just literally play it, unauthenticated, on the network, which is kind of interesting, but it's not a root shell.

So the next thing we spotted was the web service on the device. If you go to the landing page of the device there's no web app there or anything like that; it's all supposed to be managed through the mobile app. However, all the web services were completely unauthenticated, and not only that, there was no CSRF protection, so if you are on the Internet and you are able to figure out the IP of one of these devices you might be able to trigger some of these bugs. There were several interesting files sitting in the web root, and I don't think these were supposed to be there; I think they were probably there because the device has been repurposed. I randomly browsed to some of them and they were describing it as a baby monitor even though it was supposed to be a pet monitor from the RSPCA. But basically these things allowed you to do stuff like move the device, reconfigure the wireless, or upgrade the firmware, which is obviously a little bit more serious because you could potentially use CSRF to install your own arbitrary firmware on the device. So let's have a little look at a demo of some of the stuff in this device. Okay.
So this is the device here, and I know obviously people at the back probably can't quite see it as well, but the guys at the front have got the best view. So as I said, you've got this random TCP port which you can use to get it to play music. If you are a bit of a Rick Astley fan then, like this device, you can also get the thing to dance. So the guys at the back probably can't see, but the device is actually starting to move around. There is no way to stop this, by the way; I have to actually unplug the thing to get it to stop playing music. I think we've had enough of that, so I'll just unplug it.

So I mean that in itself is not a massive issue, but you could probably really annoy somebody if you're on the same network as one of these things. So yeah, it's kind of funny, but we wanted some more interesting bugs; effectively we wanted something that we could compromise the device with. So because we've got the firmware, we started to audit some of the CGI scripts that were exposed under the web root. There was one CGI script that looked particularly interesting, which was this haserl upgrade CGI. Effectively this is a CGI script that was invoked during the firmware upgrade process, and what we found in this CGI script was a very, very, absolutely trivial to exploit command injection bug. So this was the CGI script, and the bit that I've highlighted in red is effectively a variable that is passed from the user, and as you can probably see it's ended up getting concatenated into an operating system command. So as you can guess, absolutely trivial command injection.

So I can hopefully demo, well, I can demo this actually. The bad news is we did plan to demo this live, and I've got the device here, and we had the JTAGulator set up with what was a UART connection; unfortunately on the train the solder must have come off and it's disconnected. But fortunately I videoed it yesterday because I was worried something like this was going to happen. So we have got a demo here, I'll just, oh no, that's the wrong one, that's the one we've already played. There we go, this one. So we're just using Burp Suite here, and you can see I've highlighted the command that we're sending; effectively it is just a pipe to inject the new command into the name of the firmware image that we're loading, and the only data that I'm sending is "foo", and we send this to the device. This is the UART console; at the time I had the JTAGulator connected. I ran this command, and you can see that the device actually echoes the output of the command it's running, which is kind of useful if you're trying to root one of these things. And because the device had netcat on it as well, which was awesome, it should actually just kick back a command shell. So this is a netcat listener that we had, and it should kick back a reverse shell, so you can see we've now got root access to the device, and from the ps output you can actually see the command that was run, which was again pretty useful because we'd now rooted the thing.
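The defect in the upgrade CGI is the pattern of pasting a request parameter into a command string, and the same pattern reappears later in the sprintf-into-system WiFi bug. As an added example (not the Scout's haserl script or MDSec's code), here is that pattern in Python next to a hardened form: an allow-list on the image name plus an argv list so no shell ever parses the value, and a quoted variant for the case where a shell CGI is unavoidable. The upload and staging paths, the name rule and the runner hook are all assumptions for the example.

```python
import re
import shlex
import subprocess

# Assumed paths and naming rule for this example (not the Scout's real layout).
UPLOAD_DIR = "/var/www/upload"
STAGING_PATH = "/tmp/firmware/upgrade.bin"
# One path component: leading alphanumeric (so no "-" option injection and no
# leading "."), then up to 63 safe characters. No "/" and no shell metacharacters.
IMAGE_NAME_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9._-]{0,63}")


def upgrade_command_vulnerable(image_name):
    """The pattern from the talk, in Python: the request value is pasted
    straight into a shell command string. Returned as a dry run rather than
    executed, so the effect of metacharacters can be inspected safely."""
    return "cp %s/%s %s" % (UPLOAD_DIR, image_name, STAGING_PATH)


def validate_image_name(image_name):
    """Allow-list the name and reject '..' so the value can only ever name
    a file directly inside UPLOAD_DIR."""
    if not IMAGE_NAME_RE.fullmatch(image_name):
        raise ValueError("image name contains disallowed characters: %r" % image_name)
    if ".." in image_name:
        raise ValueError("image name must not contain '..'")
    return image_name


def upgrade_argv_safe(image_name):
    """Hardened form: validated name, and an argv list so there is no shell
    to interpret '|', ';', '$(...)' or backticks even if validation were
    later loosened."""
    name = validate_image_name(image_name)
    return ["cp", "%s/%s" % (UPLOAD_DIR, name), STAGING_PATH]


def upgrade_command_quoted(image_name):
    """If a shell is unavoidable (the CGI on the device is a shell script),
    quote each operand so the shell sees it as one literal word. Validation
    still runs first; quoting is the second layer, not the only one."""
    name = validate_image_name(image_name)
    src = shlex.quote("%s/%s" % (UPLOAD_DIR, name))
    return "cp %s %s" % (src, shlex.quote(STAGING_PATH))


def run_upgrade(image_name, runner=subprocess.run):
    """Stage the image using the argv form. `runner` is injectable so the
    call can be verified without touching the filesystem."""
    argv = upgrade_argv_safe(image_name)
    return runner(argv, check=True)
```

The order matters: validation rejects anything that is not a plain file name, and the argv form means the remaining characters are data, not syntax. Relying on quoting alone (without the allow-list) would still let a name like `../` reach `cp`.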
Yeah, please, if that's all right, thank you. It would have been better if it was live. So I'm just going to pass you back over to Matthew.

So we had a team of hackers and one device, and we left them all fuzzing away, and unfortunately when you leave a team of hackers alone with one device and one way of getting root, they tend to break things. So they broke the device, in a way that we could no longer get it to boot. A lot of the fuzzing stuff that we were doing basically broke it and we couldn't turn this thing on anymore. So to continue we needed to fix it, and there were a lot of tears shed, we had a lot of pizza, and there was a very sad pony in the office trying to fix this device. So actually we improved it, I think. This is what it looked like when we started with the device, before we started fixing it, and it had a lovely, nice home interior, sort of Ikea look about it. This is how it ended up: basically sprawled out into several pieces with wires dragged out everywhere, and we cut our fingers and thumbs a few times.

So what we discovered when we ripped this thing apart was that it actually had a couple of different microcontrollers in it: it had one for controlling the motors, and it also had a system on chip for controlling and running the OS. The system on chip was manufactured by Nuvoton, and it was actually an ARM9 core which basically ran all of the Linux type OS. One of the things that we found, we actually dug out a data sheet from a development trial board which had this SoC on it, and that's essentially there, and then if you see this little picture here we can see there's all these TP-labelled points, or test points, on the PCB. We actually found that TP4 and TP5 were quite important. The reason they were quite important was, I don't know if you can see this, but this is the data sheet for the ARM SoC, and in the top right corner we actually found that the two pins there were labelled as TX and RX with a U in front of it, and we figured that was most likely a UART of some form. So we used a multimeter to do a continuity check from these two pins to all the different test points on the board, to locate that TP4 and TP5 were actually breakouts for these two pins on the SoC itself. So when we soldered on to that we actually found that we got another root shell, which was pretty useful. So we had this broken device, we got a root shell on there again, we did a little hacking and fixed up some of the results of the fuzzing, and we were able to restore it back to a state whereby we could now continue our research efforts. So I'll hand you back to Dom. [Applause]

So at this point we'd pretty much
got a nice kind of uh interactive command shell on the device and we decided oh you know let's try and find some more bugs so um one of the kind of interesting things about the device was um the attack surface was pretty much confined to just one binary uh and this was um a binary called Ms loader and um basically the way it worked was uh when the device booted Ms loader process kicked in um and it had um a bunch of shared libraries for all the different kind of services effectively plugins so it had plugins for um the audio service UPnP the web server this kind of stuff they were all loaded from shared
libraries um one of the things uh we were kind of interested in straight away was um you what kind of protections are in place on on this binary and its um Shar libraries um and effectively there were very little so there was no kind of um position independent executable there were no stack canaries anything like that which is kind of good because uh we wanted to try and exploit some of these bugs that we I'm going to talk about now um so we started to uh re the MS loader binary um effectively because a little bit lazy started looking for some kind of easy wins um and there were kind of lots of potential issues there um
first thing I thought was well we know we found one um command injection in the CGI script there's probably more command command injections in the device let's look for some more command injections so um I started looking at um uh for cross references to system there were uh 88 cross references system which means it's executing a lot of commands on the device um and one of the one that looked the most promising was uh this setup WiFi uh command injection so um now this was interesting for a couple of reasons uh effectively it was a bit of a buy one get one free on the bug because um we looked at it in Ida and uh
we saw something like this um so the first kind of red arrow is uh you can see it's uh taking some um user controlled input uh and it's using Sprint F to uh basically append it to uh a command which ends up getting run in by a system uh which you know kind of interesting we got we found another command injection bug but you sprint f is not great uh and it's it's uh concatenating something to a variable that's sitting on the stack so I thought okay well we've exploited one command injection bug let's have a look what the uh if there's any opportunity to exploit the uh stack Overflow here so um if you
have a look at the um the prologue for the uh function uh you can see what it's actually doing is it's setting up a stack frame of uh hex 84 bytes um so I thought okay what happens if I try and send it a massive you know request here what's going on so I figured out the bit of the um the web service which was um accepting this um variable and I thought and I'll just send it a load of uh a load of A's a load of Y whatever and see what happens um so the bit I've highlighted in uh red is kind of important because uh it shows the length of the uh string that you're sending and
this has to exist so if you were fuzzing this you might not see it because it would just uh reject anything where if the length field doesn't match the uh the bit and green is the length of actually the SSID that you send it uh and the yellow is um what I ended up finding out was uh the value of what the PC register got overwritten as so I ended up sending the device a request like this and I watched what happened on the U console and it just died to death the device uh basically uh detected a crash software watch doog kicked in the thing rebooted was that awesome okay found a stack Overflow um how do we go about
exploiting this? Well, there were a few constraints. A couple of things I noticed were that both the heap and the stack on the device were completely executable, which was awesome, because it meant I could just put my shellcode on the stack and execute it. Something that was semi-annoying for making this super reliable was that ASLR was enabled on the device, and it was set to conservative mode, and what that means is effectively the base address is very poorly randomized, and what we found was you can just brute-force the base address of the device. So if you want to exploit one of these things you can have a pretty reliable exploit, but it takes maybe 20 attempts or so to get it working. What was pretty useful was that there is a software watchdog on the device. The watchdog is effectively there to detect instability, and if it detects a crash it will cause the device to reboot, which is really annoying if you're trying to debug the thing, because when you try and debug it, it just keeps rebooting when the crash happens. But it's massively useful for exploitation, because when the service crashes and bombs out, the device just reboots and you get another try. So what I found was basically I could run the exploit no more than 20 times and get a command shell reliably.

Something else that was kind of annoying was, because as I mentioned everything's loaded from this msloader process, it all kicks in in child processes. Now I don't know if anybody's tried debugging child processes with GDB, but GDB does not play nice with children; effectively it doesn't really work too well at following child processes, which was annoying. So effectively I had to figure out a way to disable the watchdog, which took me quite some time actually. I tried several tricks: just killing the watchdog process, unloading the kernel module, I tried ptracing the thing and patching out several routines. Eventually I realized I was just completely overcomplicating it and all I needed to do was just rename some shell script. But effectively, once I got the watchdog out of the way, I managed to get gdbserver running on the device and realized GDB wouldn't work, couldn't debug it, so we ended up working with core files: we crash the device, take the core file off, and analyze it on another QEMU VM.

So how do we actually exploit the thing? Well, what I found was the PC register was overwritten by whatever values you send it after roughly 176 bytes. There were some constraints, in that there was a size limitation on the payload that you could send it: you couldn't go over 180 bytes. Something that was also quite annoying was we found that a bunch of the registers were corrupted by our overflow, including the stack pointer, and basically the shellcode that I wrote had to push some arguments to the stack when it was setting up the system call, so I had to basically fix the stack pointer, which was actually quite simple to do. I found that the payload we sent was corrupted in at least two locations, and these ended up getting executed, so we had to make sure that when we sent our shellcode, these two locations got converted to an instruction that wasn't going to modify or crash the process. The payload had to be URL-safe, so we couldn't send things like carriage return, line feed; we couldn't send certain bytes. We ended up getting around this just by URL-encoding the payload. So the way we exploited it was, because the stack was executable, we could effectively overwrite the PC register with a hardcoded address of where our shell
code was living on the stack, which was useful. I got around the size constraints by writing the shellcode in Thumb mode, because obviously Thumb mode is two bytes rather than ARM, which is four bytes, and then I wrote a little loader as part of my shellcode to basically evade the other constraints. All the loader did was effectively fix the value of the stack pointer, and then I initially sprayed the stack with some NOP-equivalent instructions which would set R1 to zero, and then I used that to write zero, or write null bytes, into my shellcode where I needed them. Then the rest of the loader basically just jumped into Thumb mode and skipped over the bits that got corrupted. So we effectively exploited the stack overflow to get a command shell on the device. Now unfortunately this is the same device that the UART console died on, or was disconnected, so I have videoed this exploit. No worries mate, apparently we've only got a few minutes, but so this is the Python script that I wrote. This is the UART console, showing it's the same IP, and we run the Python script. You can see the payload it sends, or our shellcode, and what it does is basically the shellcode just opens a netcat listener on port 8888, and you can see we've exploited the stack overflow and we have root access to the device. [Applause]

Now that was only a couple of slides, but actually it took me about two weeks to do that bloody thing. So I thought, well, if there's one stack overflow there's probably more. I had a look at some of the APIs that were used on the device, and it was widely using some of the more insecure APIs: there's like 311 sprintfs, 59 strcpys, a couple of strcats. So it probably meant there are more memory corruption issues, and in fact Matt started fuzzing the thing and it was just crashing left, right and centre. So if you are interested in getting into IoT exploitation or ARM exploitation, this device is probably a really good starting point, and Matt will just sum up.

So, just to conclude, essentially the way that consumer security systems, Internet of Things and embedded devices are: they're pretty much not as mature as your standard desktop is. It's the same thing; we've been saying the same things for several years now. You know, processes: everything's running as root. Exploit mitigations that you're finding in smartphones and desktops are pretty much absent, and they're plagued by numerous trivial bugs: command injections, overflows, heap overflows. So they really are quite a nice target for research purposes and just general hacking on. So that pretty much brings us to the conclusion. I think we've got a few minutes left now for a brief Q&A if there are any questions, and also, if you did find this kind of interesting and you want to play around with these kinds of things, we are hiring, so feel free to get in touch. Questions?
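The setup-WiFi bug the talk describes is one pattern twice over: an unbounded sprintf of user-controlled input into a fixed stack buffer, and a shell-parsed command built from that input. As an added example (not the talk's or the vendor's code, and the interface name, the tool invoked and the buffer sizes are assumptions for illustration), here is that pattern beside a hardened form: an allowlist on the SSID, a bounded, truncation-checked snprintf where a command string is still wanted, and an argv-based exec so no shell ever parses the SSID.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

/* Added example, not the talk's or the vendor's code. It models the
 * setup-WiFi handler the talk describes (user-controlled SSID formatted
 * with sprintf into a fixed stack buffer and passed to system()) and shows
 * a hardened equivalent. "iwconfig", "ra0" and the sizes are assumptions. */

#define SSID_MAX 32            /* 802.11 SSIDs are at most 32 octets */
#define CMD_BUF  0x84          /* stack frame size quoted in the talk */
#define MAX_ARGS 8

/*
 * Vulnerable pattern from the talk, kept as a comment so it cannot be built:
 * sprintf has no bound, so a long SSID overwrites cmd[] and the saved return
 * address; system() hands the SSID to a shell, so ';' or backticks become
 * command injection.
 *
 *   char cmd[CMD_BUF];
 *   sprintf(cmd, "iwconfig ra0 essid %s", ssid);
 *   system(cmd);
 */

/* Hardening step 1: accept only a plausible SSID (allowlist, not blocklist),
 * so shell metacharacters never reach any command at all.
 * Returns 0 if acceptable, -1 otherwise. */
int validate_ssid(const char *ssid)
{
    size_t n = strlen(ssid);
    if (n == 0 || n > SSID_MAX)
        return -1;
    for (size_t i = 0; i < n; i++) {
        unsigned char c = (unsigned char)ssid[i];
        if (!(isalnum(c) || c == '-' || c == '_' || c == ' ' || c == '.'))
            return -1;
    }
    return 0;
}

/* Hardening step 2: where a command string is still needed (e.g. for a log
 * line), build it with a bound and treat truncation as an error.
 * Returns 0, or -1 if the SSID is invalid or the result would not fit. */
int build_wifi_cmd(const char *ssid, char *out, size_t outlen)
{
    if (validate_ssid(ssid) != 0)
        return -1;
    int n = snprintf(out, outlen, "iwconfig ra0 essid %s", ssid);
    if (n < 0 || (size_t)n >= outlen)
        return -1;               /* truncated: refuse rather than run a partial command */
    return 0;
}

/* Hardening step 3: never let a shell parse user data. Build an argv and
 * exec the tool directly; the SSID is one argument whatever it contains.
 * Returns the child's exit status, or -1 on validation/fork/wait failure. */
int run_wifi_setup(const char *ssid)
{
    if (validate_ssid(ssid) != 0)
        return -1;
    char *argv[MAX_ARGS] = { "iwconfig", "ra0", "essid", (char *)ssid, NULL };
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        execvp(argv[0], argv);
        _exit(127);              /* exec failed in the child */
    }
    int status = 0;
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

char g_cmd[CMD_BUF];              /* command buffer for the stand-alone demo */

int main(void)
{
    const char *ok  = "HomeNet-2G";    /* constructed sample input */
    const char *bad = "x; reboot";     /* constructed sample: injection attempt */
    printf("%-12s -> %d\n", ok, build_wifi_cmd(ok, g_cmd, sizeof g_cmd));
    printf("%-12s -> %d\n", bad, build_wifi_cmd(bad, g_cmd, sizeof g_cmd));
    return 0;
}
```

The allowlist is deliberately stricter than what 802.11 permits; a product that must accept arbitrary SSID bytes should drop the command-string path entirely and rely on step 3, where the argument boundary is enforced by execvp rather than by a parser.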
I don't know, I reckon, yeah, I mean ultimately security costs money, but when you start seeing things in the press about IoT botnets and half a million devices getting owned, then I think people probably will start to take note, and I think what we'll see is, ultimately, it will start to catch up. I mean it's a soft target now, which is why we started looking at it, to be honest, but I think it will eventually catch up with desktop security. Any more? Another question? No? No, go for it.

I haven't tested Sami's, the Texas one. Yeah, I mean it's entirely possible. I mean we just used the HackRF as an example, but you could probably use any number of platforms for doing that; you could use something like RfCat or another type of tool. Essentially the weaknesses are quite the same in many of these systems. That one was just an example of how we did it and we used a HackRF, but you could quite easily take other toolsets that are out there and apply them in the same way to other similar systems as well, and there are plenty of these things out there, and they're all just as trivial and susceptible to this kind of attack.

The keys themselves are quite large, so you would be trying to guess a lot, and when an alarm's going off, I mean, you'd probably be better to replay a captured code, because the key space would be quite large to guess in the time before the police were called. Okay, oh, one more.

I would go and get one that's used in a bank or has multiple channels out of it, something that's quite high security, depending on what you're protecting. I mean, you've got to have a view on what your assets are. Dominic was just protecting a couple of bags of PG Tips, so it was, you know... Yeah, I would look, speak to the manufacturer and get a system that suits your needs, preferably one that has multiple channels out, that can phone out, that maybe isn't using wireless proximity sensors and is in fact hardwired. That would increase the difficulty. I mean, wireless in general is going to introduce an element of risk that someone can do these kinds of attacks. Don't connect it to the internet. Yeah, don't connect it to the internet.
Okay, so the manufacturers could release updated hardware. Some of the bugs that we did show were patched, some of them are not, so some of them are still present in current firmware. Unfortunately they do need to update the firmware and push out updates, and in some cases that's a manual thing, so a lot of these devices, people buy them, install them in their house and leave them there, and over time it's almost like rot: they will be more and more vulnerable over a year or so. So it is kind of a prevalent problem in the way that firmware updates are being done on embedded devices in general.

So ultimately, I believe in full disclosure. I mean it's a personal thing for some people, but my opinion is that full disclosure does work, because it forces the vendor's hand to say look, there is a problem and they do need to address it. We try to do a responsible disclosure practice: nothing that we've shown here hasn't been sent to the vendors in advance, so vendors are aware of these issues and how the problems impact their systems. But ultimately we believe that the power is in the consumer's hand, and if you show them something is vulnerable, they can then go forward and say, hey, why isn't this fixed, and start demanding answers from the person who sold them a product. We'll have to wrap it up there. Thank you.
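The talk's closing point is that consumers who can see a device is weak can push the vendor for fixes. The three mitigation gaps it found on the camera (a non-PIE msloader with a fixed load address, no stack canaries, and ASLR left in conservative mode) are cheap to check on any Linux-based device you have a shell on. As an added example, not code from the talk, here is a small audit tool that does so: it reads the ELF type from the file header, uses the presence of the `__stack_chk_fail` import as a canary heuristic, and interprets `/proc/sys/kernel/randomize_va_space`. The two ELF headers embedded below are constructed for the demo, and the 1 MiB read limit is an assumption.

```c
#include <stdio.h>
#include <string.h>

/* Added example, not from the talk or the vendor. Audits the three mitigation
 * gaps the talk reported: no PIE, no stack canaries, conservative ASLR. */

#define ET_EXEC 2
#define ET_DYN  3

/* Returns 1 if the image is position-independent (ET_DYN), 0 if it is a
 * fixed-address executable (ET_EXEC, cannot be relocated by ASLR), -1 if
 * buf is not an ELF header. Honours EI_DATA for the e_type byte order. */
int elf_is_pie(const unsigned char *buf, size_t len)
{
    if (len < 18 || memcmp(buf, "\x7f" "ELF", 4) != 0)
        return -1;
    int big_endian = (buf[5] == 2);            /* EI_DATA: 1 = LSB, 2 = MSB */
    unsigned type = big_endian ? ((unsigned)buf[16] << 8) | buf[17]
                               : buf[16] | ((unsigned)buf[17] << 8);
    if (type == ET_DYN)  return 1;
    if (type == ET_EXEC) return 0;
    return -1;
}

/* Heuristic canary check: a binary built with -fstack-protector imports
 * __stack_chk_fail, so the name appears in its dynamic string table.
 * Returns 1 if found, 0 otherwise. */
int elf_has_stack_protector(const unsigned char *buf, size_t len)
{
    static const char needle[] = "__stack_chk_fail";
    size_t nlen = sizeof needle - 1;
    for (size_t i = 0; i + nlen <= len; i++)
        if (memcmp(buf + i, needle, nlen) == 0)
            return 1;
    return 0;
}

/* Meaning of /proc/sys/kernel/randomize_va_space. The device in the talk
 * was at 1, which the speaker called conservative mode. */
const char *aslr_mode_name(int v)
{
    switch (v) {
    case 0:  return "off";
    case 1:  return "conservative";   /* stack, mmap base, vdso; brk not randomized */
    case 2:  return "full";           /* also randomizes brk */
    default: return "unknown";
    }
}

/* Reads the ASLR mode from a sysctl file; returns -1 if unreadable. */
int read_aslr_mode(const char *path)
{
    FILE *f = fopen(path, "r");
    if (!f) return -1;
    int v = -1;
    if (fscanf(f, "%d", &v) != 1) v = -1;
    fclose(f);
    return v;
}

/* Constructed sample ELF32 headers (little-endian, EM_ARM): one ET_EXEC
 * with no canary symbol, one ET_DYN followed by a fake .dynstr fragment. */
const unsigned char sample_exec[52] = {
    0x7f, 'E', 'L', 'F', 1, 1, 1, 0,   /* ELF32, LSB, version 1, SYSV ABI */
    0, 0, 0, 0, 0, 0, 0, 0,            /* EI_PAD */
    2, 0,                              /* e_type = ET_EXEC */
    0x28, 0,                           /* e_machine = EM_ARM */
    1, 0, 0, 0                         /* e_version; remaining fields zero */
};
const unsigned char sample_pie[52 + 17] = {
    0x7f, 'E', 'L', 'F', 1, 1, 1, 0,
    0, 0, 0, 0, 0, 0, 0, 0,
    3, 0,                              /* e_type = ET_DYN */
    0x28, 0,
    1, 0, 0, 0,
    [52] = '_','_','s','t','a','c','k','_','c','h','k','_','f','a','i','l', 0
};

int main(int argc, char **argv)
{
    if (argc < 2) {
        fprintf(stderr, "usage: %s <elf-file>\n", argv[0]);
        return 2;
    }
    static unsigned char buf[1 << 20];     /* assumption: headers and .dynstr fit in 1 MiB */
    FILE *f = fopen(argv[1], "rb");
    if (!f) { perror(argv[1]); return 1; }
    size_t len = fread(buf, 1, sizeof buf, f);
    fclose(f);
    printf("PIE:            %d\n", elf_is_pie(buf, len));
    printf("stack canaries: %d\n", elf_has_stack_protector(buf, len));
    printf("ASLR mode:      %s\n", aslr_mode_name(read_aslr_mode("/proc/sys/kernel/randomize_va_space")));
    return 0;
}
```

Run it on the device against each service binary and shared library; a result of PIE 0, canaries 0 and ASLR below 2 is the combination that let the talk's overflow be turned into a reliable shell with a brute-forced base address.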