
Remote attacks against IoT

BSides Philly · 2017 · 43:23 · 42 views · Published 2017-08 · Watch on YouTube ↗
Category: Technical
About this talk
IoT is currently broken when we talk about security. We've seen this over and over at almost every security conference. The lack of standards and poor understanding of basic security practices, tied into the explosion of smart devices, are just a few of the key variables that factor into a scary picture of the future. However, so far, most demos have relied on proximity to the targeted device. In this talk, we'll show our findings on a popular smart device from a known vendor, the methods used during our research and, of course, demonstrate how, by leveraging the vendor cloud, the device can be both controlled by a remote attacker and hacked all the way to a root shell. All remotely, with the device "safely" behind NAT and with a private IP address.

Alex is the Chief Security Researcher and Spokesperson for Bitdefender. His career is focused on Information Security, Innovation and Product Strategy, fields in which he has so far accumulated over 15 years of experience. He drove the vision for Bitdefender's UNIX-based security solutions before kickstarting an ambitious project that would advance the company's R&D department and steer a good part of the company's focus towards technology and innovation. His role contributed significantly to the company's current position as technology leader. He is now furthering security research in the IoT field and preaches IoT security awareness.

Speaker: Alex "Jay" Balan (@Jaymzu)
Transcript [en]

Hello everybody. Yeah, so my name is Alex, I work as chief security researcher for a company called Bitdefender. We are based out of Romania and we have a couple of offices here in the US. I'm gonna start with the bad news: apparently doing kernel upgrades just before doing your most important demos is not necessarily the best of ideas, so my wireless driver in my Kali Linux, in my virtual machine that was supposed to be the lab for the whole thing, kind of failed. Thankfully (I don't have backups), knowing that the demo gods are usually against me, I did prepare movies with everything that we've done in the lab, so you're gonna see everything. Let me tell

you a few things about myself. Amongst other things, I manage the bug bounty program at the company; if you guys feel brave enough, jump in, try your luck, we do pay all of our awards. I'm also working as a spokesperson, or if you want to say evangelist, for our IoT security project, and I work with several teams that do IoT vulnerability research. Basically we have toasters, refrigerators, cameras, and so on and so forth. I'm gonna start with a quick email, a short email that I got a few days ago. I was in the States, you know, I come here quite often, and I rented a car, and since it was registered, I registered it in my name,

because why not, you know. I put my email address and so on and so forth, and I just got this email from them telling me the status of my car. So the rental, you know, the rental service didn't change anything in there, and now I can just get status updates on my Chrysler, I think it was, yeah: like mileage, what it's done, you know, where it's being... so nice. Anyway, it's pretty cool. Okay, so let me start with my usual speech about IoT. So IoT is the craziest of things that are happening in this day and age. The way I like to say it is that we used to try and put, you know, NetBSD or Linux on

old devices back in the day, you know, attach some graphical, some display device and something like that, back in 2000. And right now we won't have, or in the near future we won't have, the possibility to purchase something that's not connected. Everything, you know: this mic will probably be connected soon, those speakers will be IP connected; actually there's a number of speakers which already are IP connected. The bottom line is that you will not have the possibility to purchase a device that you used to buy when it wasn't connected; you won't have the possibility to buy it without a connection attached. So everything becomes smart, and the biggest problem with that right now is

that the manufacturers are idiots, and I'm being, I'm being very nice now, trust me. Everybody insists on putting their own operating system, and when I say their own, I mean a ten-year-old BusyBox with everything that's in it, instead of using some sort of standards. I mean, Google put up Brillo, which is an operating system for IoT, Amazon has put up the Amazon IoT cloud infrastructure, and nobody is using them. Now, these devices were not chosen, you know, by accident. Each one of them we've tested, except for the yoga mat and the portable fish finder, because those are my favorite; each one of the others has some sort of vulnerability in them, and this

is the one that we're going to show today, the power outlet. The Barbie doll, I don't know if you read about it: some guys managed to actually hack through the cloud into the Barbie doll and talk to the kid in the house. So it's like an educational doll where you would, you know, teach the kid math, you know, do geography, English and all that stuff. It would talk to the kid, daughter probably, but at some point, you know, all that stuff comes from their cloud, and if you can hijack that stream one way or another, the guys were able to, you know, talk to the kid some nasty things. So, oh, one other thing I wanted to put in

there: the IoT space is so crazy that there's even such a thing as, as I've come to realize, smart drugs. I know you've probably heard of a plant called marijuana, it's popular here in the US, right? Yeah. So I was at this conference, this event by these IoT vendors, and a lot of, you know, makers of IoT, a lot of hardware vendors, you know, and these guys have a device that you would stick to your head. It would talk with the mobile application that would synchronize with their cloud, and it would control your mind. The way they presented it was that it would make you more calm or more energetic, and it's

actually on sale right now. So yeah, it's called "thing", and when I put it on, I said, well, I'm a calm person usually, so I turned it up to more energetic, and, well, it had the dial and you could turn it 1, 2, 3. When I got to four point five I felt like this cold shiver down my spine and I blacked out, so I fell; you know, I took it off at 3 and on the ground, and I was like, hell man, that's some heavy [ __ ] right here. Yeah, and these guys are selling this stuff, and I was thinking of some, you know, some Kingsman scenario where you would, you know, try to hack into their cloud

and then, you know, control all the mobile devices that control the thing and fry everybody's brains out, and shockingly enough it seems like a plausible scenario. It's scary as hell, man. So let me go very quickly through the most common issues that we've seen in IoT. Mirai, yeah, this is Mirai, yeah, you are familiar with the Mirai botnet, right? So we've seen a plethora of devices that come with telnet open, 123456, and the thing is not documented in the manual. So you have a mobile application, you set a password on the device for the mobile application to talk to the device, but it also has a telnet port open that

nobody tells you about. As a fun fact, you can see this very handsome guy taking a picture of himself with a security system, with a coffee-shop security system, because admin/admin and elite hacker skills. The problem with encryption, somebody brought it up yesterday, is that some of them use obfuscation instead of encryption, probably because of limitations in the hardware, but it's very easily reversible, as we're gonna see, not in the demos but in another presentation. Command injection, well, yeah, these are some of those common vulnerabilities that you find in applications; we're going to detail a bit about it when we talk about this, but basically we've seen in a number of devices stuff like this: so you have HTTP,

IP address, and then some CGI name, name equals something. This is parsed by the system, so you can, you know, semicolon reboot, or semicolon telnetd, and whatnot, or any other command which is supported by that operating system. Okay, another thing: vulnerable services. We have a product that actually does IoT security, and it also does some sort of vulnerability assessment on those devices, a home user product, and we've gathered some reports, and we've seen devices with as much as 300 vulnerabilities per one device. Why? Because it was a very new device, no more than two years old, but the operating system on it was ten-year-old BusyBox, ten-year-old thttpd, ten-year-old

FTP server, and so on and so forth. And you know, in ten years a service can gather a lot of vulnerabilities, so that thing had about three services exposed with all the vulnerabilities gathered in ten years. Wi-Fi configuration hotspots: basically many devices create a Wi-Fi hotspot in the initial setup; not all of them turn it off afterwards. We've seen a smart doorbell where the way you can kick off, you can initialize that hotspot is you press the doorbell for five seconds. So basically an attacker can, you know, come to your door, press the doorbell for five seconds, nasty, nothing is heard inside, so there's no notification on the mobile app, nothing, and then the hotspot kicks

in, you can connect to it, and then you can telnet into the doorbell, because it had telnet open as well, and get the Wi-Fi password of that home network. Bad. Bad UX for firmware updates; we're gonna show this in the last slide. It's about, you know, hmm, unless your name is Nest or whatever Google application, or Amazon, or somebody that's a very big company, most other companies are very bad when it comes to updating the firmware on their devices. It's not intuitive, it's not automatic, it's not even mobile friendly, even though they're managed by a mobile application; it forces the user to go to a download website, download the firmware, and then have the skills and patience to

actually run some magic to put that firmware on the device. It's quite horrible. Anyway, back to the topic of the day: this is a power outlet from Edimax. It's very cool, it enables you to remotely turn on and off the power, it also enables you to have scheduled sessions where you would say I want the power turned on between those hours, it enables you to have email notifications: you would put in your email address and you would get email notifications whenever something happened with the power outlet. It's a very convenient tool. Another thing that it does, you know, the most common use case is that people use their air conditioners plugged into it, and instead

of keeping the air conditioner turned on the entire day before you leave work, 15 minutes before you get home you turn on the power outlet and there you go, you save some power. I've looked it up actually yesterday evening; it had about 60 reviews on Amazon, all positive, so there's a lot of people using this thing, and if you ask me it's one of those very cool gadgets that you would want to buy and put into your house. This is me before we started to look at it, and this is the culprit here. So how does it work? You plug the power in, you open up the mobile

application, the mobile application finds a hotspot that the power outlet creates, connects to it, you enter the wireless password and your wireless network, the power outlet stores them, and then it works; you can, you know, remotely manage it. That's the default setup. Now, since it has the option to send emails, and they're probably afraid that they're gonna, you know, be blocked by spam filters, they're asking you for your email and password so they can use your SMTP server. Now, I don't know how many of you think this is a good idea, especially since, you can imagine, they're stored in plain text, but that's not the biggest problem, trust me. But the bottom line is, you know, you

put it in, you set it up, you put your Wi-Fi password, you put your email password on it, you know, and everything is okay, and then you start managing it. So we started to look at how it behaved. We saw that it sends a quick broadcast, and it sends a few clear-text packets, you know, and then it kicks in a connection to Google to check its connectivity; if that connection fails, the power outlet fails, it doesn't work anymore. Okay, after it does that, it says hello, I'm alive, to edimax.com. In that packet there's an XML file, you know, it sends a bit of information about itself: this is me, this is my MAC address, and that's actually the most

important thing to remember: this is me, this is my MAC address, this is where I am. Sometimes it sends more information like this is my IP address, you know, I'm okay, register me, and, well, yeah. And an important thing to mention is that the device enters a loop with Edimax via UDP to keep a connection open and the connection trackable for NAT. So basically this enables it to keep a connection upwards with Edimax, even if it's UDP, and also receive something like push notifications from Edimax, even though it's behind NAT. What else? It has a quick, small HTTP server that allows the application, you know, to talk to it; you know, it's what it uses to

communicate with the outside world. And in the initial launch, here's what we noticed, we saw this, and that is actually, we found that there's a password associated with the power outlet, something that was not in the documentation, and that is of course admin:1234. And this is actually the point where it all goes to hell with the thing, because this admin:1234 is actually going to be the key behind everything that we're going to do, this and the MAC address. So it says hello Edimax, I'm here, you know, this is me, this is my IP address and also this is my password; it sends it, it hashes its own

credentials, you know, and any command that it receives will be checked against those credentials. Okay, Edimax says, okay, this is you, right? And just so you know, this is a relay, which is the cloud, and then there is the mobile application at that IP address that wants to talk to you. So you see that 89.122.158.176, that's the mobile app trying to communicate with the power outlet. So what happens here, oh, very important, you see this authentication value: so the cloud sends a hash to the power outlet saying the mobile application comes to you with this hash, right? And then the power outlet hashes its own credentials, and if the hashes match then the

communication is established and the cloud relays some sort of a tunnel, a virtual tunnel if you will, between the two. Okay, this is basically the same thing. Next: so the first thing we tried to do was to impersonate the mobile application, to try to send a command to the power outlet and tell it to turn off and on. We realized that, oh, and also, I'm sorry, this is a bit too... I'm a bit, how should I put this, no coffee, and I've been trying the whole morning to set up the demo, and the fact that it failed kind of, you know, messed me up. Okay, so an interaction with the app triggers the device to send back

the full status and information about it, and this is very important, because let me try to show something here. Mirror... I don't have a packet capture already, come on. So I hope that you can see this. Okay, so this is an ASCII dump, or a raw dump, I'm sorry, from Wireshark of what that packet looks like, the initial packet that the power outlet sends, you know, when it initially boots up. We looked at it and we realized that it's as simple as bit flipping, so it's just a few bits that are flipped, and when you decode it

you can plainly see everything that's here, and actually the worst part of it is that it sends this... So if there's anybody that has difficulty seeing, let me know, because I can zoom in. So sorry, this is better, there you go. So yeah, that's the base64 of the email address, which is in plain text. So basically what it does, you know, when the application tries to talk to it, it sends a full status to their cloud saying this is my configuration and this is what I'm doing right now, and that configuration includes your email and password, which you set because you want to receive

email reports, and again they've asked for the password and the email because they want to use your SMTP server. The problem is that the encryption thing that they're using is just obfuscation. It doesn't look like much when you initially see it on the wire; it's not using a standard port like port 80 or port 443, it's port 7000-something, and it looks like garbage, but it took us like 15 minutes to figure out what it actually was and reverse it, and, you know, create a script that you could actually decrypt things on the fly with, if you're, you know, brave enough. So yeah, if you have this thing in your house, anybody that sniffs around can see your email

password. Onwards: we also turned it on and off. Let me see if I can find the movie. Okay, in order to turn it on and off, the prerequisites are the device's MAC address and that password that we've mentioned. I think I should specify that if you look hard enough, like five clicks away in the advanced settings, there is a password input field in the mobile application, and you can only see some stars there, and you can change that password, but as it turns out nobody actually does, because nobody knows that field exists and nobody bothers to do it. So if you have the MAC address of the power outlet and this password, which usually people don't

change, you can actually turn it off and on using this very simple string, you know, you send power state on and it works. So, as I was saying, I came prepared. This is a movie of another demo done with this power outlet. On the right-hand side you see the lamp plugged into it in Romania, and on the left-hand side you see me in Beijing on stage doing the thing. So [Music]

And you can actually do this to all power outlets from this vendor, so it's kind of cool. Now, we've seen that we can, oh, and the scheduled on/off can trigger notifications to the owner, block... yeah, we've seen this. Oh, and this is how the Wireshark capture looks, so arguably initially you would say that, no, it doesn't look like much, you cannot decode it, but it's quite easy actually. So we can sniff and decrypt data, we can turn it off and on, but what's better than that, right? So we didn't want to stop at just, you know, seeing whether or not it can be turned on and off, so what we did is we

we hijacked an update of the firmware, and we got the firmware, and we binwalked it, and we looked into it, and yeah: if you run system commands with received data, you may have a bad time. Now, if there are any questions so far... okay. So this is the way one of their agent binaries looks. So what it does is, remember I told you it hashes its own credentials; this is what it does, it's limited to... for my mouse...

This is the magic: echo -n username:password | md5sum. Now, you can remotely change the password of the device, so if you set the password to ABC;reboot, the moment it's going to do this echo -n admin:ABC, it's gonna execute my command. So the only problem that we had with this was that, okay, we could start telnet, which was fine, we successfully started it, but that didn't feel like a natural remote code execution, because it was proximity-based, right? We would have to be in the same network to telnet into it, so we wanted a reverse shell, or connect-back shell, right? So there's a big, there's a big

limitation here: the password cannot be bigger than 32 characters. So when you set that password with the command injection, with the semicolon, it cannot be bigger than 32 characters, and also it's BusyBox, so being BusyBox on MIPS little endian, you don't have a lot of commands available. So what can you do in 32 characters? Well,

MIPS little endian... and we found the command that did the trick. So this is it actually: semicolon, go to /tmp, ftpget a, and you have to specify the downloaded file name, a. And a looks like this: it resets the password back to its old self, and then it fetches a Metasploit payload, executes it and sends you back your shell. Basically, in a we can have as much as we want; the whole point was the string length on the device. Within a we can have thousands, so

again, this is from the way... you know, the command was successful, and we think it... so here we monitor the FTP server to see when the power outlet connects to it in order to fetch the script, and we get nervous because it takes a while. Whether... there it is, it gets a, executes it instantly, and then it fetches... hang on.

Okay, I'm sorry about this, apparently there's no fast forward on this, so we're gonna have to see this just one more time. Okay, start the exploit, monitor the FTP server; I just wanted to show you the two connections made to the FTP server: initially it got the first script, then immediately afterwards the script got executed and downloaded the Metasploit payload. Anyway, we got a shell. With this shell open, the only challenge, and actually if you guys can help with this it would be highly appreciated, was what we can do, you know, in, I think it's less than five megs of space on it. So we wanted to do some pivoting, we

wanted to do some other attacks; eventually we're going to end up writing an agent that's less than one meg. Future development: what we're showing is that we can get the Wi-Fi password, we're showing that the power outlet is indeed on the LAN, it has a private IP address, no direct connection from the internet, and you can do basically everything that you want: you are root, and you have... So a fun thing that a friend told me, and I only realized it after the presentation, was that you can actually give these to people. So if you're red teaming, you can take this: here's a gift from us, you know, you can put it in your data center or whatnot,

and yeah, they're gonna be none the wiser. It's actually a viable scenario. So IoT attacks are very difficult to defend against, mainly because you have no idea they're there. I mean, you're running your red teams, your pen tests, your whatnots, and maybe you're doing them on your PBXs and your IP phones and probably your smart TVs, because you know that they're smart, but there's God knows how many devices, either in your company or your house, that are connected, and then you forgot about them and something like that. And the challenge is that only now security solutions for IoT are starting to pop up, based on either anomaly detection or different other mechanisms. It's, you know, it's an

emerging market right now for IoT security, and without a solution like that there's literally nothing you can do. We actually played a joke on a friend. He said, so what if you can turn off my lights? He had some, you know, smart light bulbs, whatnots, and they had a thing, they would talk unauthenticated if you just used some proper strings in their communication, you know, it happens, nobody's perfect. And he said, so what if you can turn off my lights? So we went to his place at 10 p.m. and we started messing with his lights, and eventually, after about 15 minutes, he got out and he called me a [ __ ], I know it's you,

cut it out. And so, how did that make you feel? And he said, well, quite powerless, because the only thing that I could have done was turn off the power or take out the light bulb, but then I would be in the dark anyway. So literally he felt powerless to defend against anything that would come his way. So it's quite tricky. As we've seen, it can lead to full network compromise. If it runs Linux, actually, we're at that stage where Linux is worse than Windows, you know, because on Windows they're actually installing antivirus solutions, so ATMs with Windows have antivirus installed on them, you know, ATMs with Linux don't. So if it runs Linux, and if

it's a smart device, there's a good chance that it can be compromised. If it has cloud, it can be compromised remotely, so you can use it to pivot and lead to a full network compromise. And as we've seen, IoT botnets now: Mirai, and Hajime, which was its successor, and there's another version, we call it "mole it", we trapped it with our honeypots. It's a happy scenario, because, you know, it only telnets or gets into devices which have port forwarding enabled or are directly exposed on the Internet. Once these types of exploits start to come out, you're going to see botnets that exploit devices which are behind firewalls, which are in significantly

larger numbers than, I don't know, whatever IP camera which is, you know, directly exposed. And it's very scary, because these devices, again, devices that are behind firewalls, not exposed, are so many right now. People say I'm behind NAT, I don't care, you know, I mean, my little small area network, nobody can do anything to me. Well, if it talks to a cloud, if it has any kind of communication with the outside world, there's the possibility of doing command injection in that. Okay, bonus slides: while we were, you know, preparing the demo, we saw this screen,

and we're like, okay, and the really screwed-up part was that you could press nothing but okay on that. I'm like, oh man, those guys at Edimax are badass, man, I mean, look at the balls on these guys: they do not allow the user to skip the upgrade. It [ __ ] up our demos, but props to them, good job Edimax, it's awesome. So we're like, okay, we have the movies, we're all good, but okay, and we press okay, and this is what happened: yeah, and unfortunately, as much as we wanted to, we couldn't do the upgrade. Yeah, so takeaways: hacking IoT devices is significantly easier than hacking PCs, especially because there's no control measures implemented in any of them,

unless, you know, like the 10%, I'm being generous here, 5% of the smart devices that we've seen are actually responsibly designed, and this is mostly Google, Amazon and Apple. Many users, and this is actually the biggest problem, when you purchase a smart device... And we're not encouraging people to stop purchasing smart devices. I mean, there are some that say okay, I'm gonna go under a rock and I'm not gonna buy anything that's smart, even though I still have a tablet, a mobile phone, maybe a smartwatch, and the computer, and the router, and a set-top box for my TV, and who else, what else. People should buy smart devices because they're cool, they make our lives easier, but they should come to

people like us to test the security of those devices, and my guess is that one way or another, if not from us, the company that I represent, or from somebody else, everybody's gonna start buying IoT security devices. So it's gonna be just like antivirus, like traditional antivirus: get an IoT antivirus or something, and that's it. I would like to thank you, first of all, for, you know, having the time, and, you know, apologize again for the demos being screwed up. Again, doing upgrades before presentations is not a good idea. Please. [Laughter]

So, evil twin: we've seen some coffee makers that do that, actually. So there is a coffee maker that will connect to a network called default, so if you pass by it and you send deauthentication packets, you can force it to connect to... if you have a default network popped up, you can force it to connect to your network and extract Wi-Fi credentials from its initial network. Yeah, yeah, pretty much, yeah, but then again, you're gonna catch a lot of mobile phones before you catch coffee makers. Please. 16 million, about three days through Tor, so yeah, you can brute-force all the MAC addresses, it's not that many, and you can actually do it through Tor, and we can own the world.

It's scary. Yeah, please. No, let me be very clear: no, we haven't done that, please. We did tell them; they were open in their communication, even though they barely spoke English, but they said they are going to publish an update, and they did. Look, we gave them 60 days' notice when we initially talked to them, and that was more than 60 days ago, so they did publish an update; it's just that their update interface is [ __ ]. So what can you do? Any other questions?

...where, if we actually do hear it, it tries to talk to the router, take over DHCP, and then manage the network. If you're a home user, if you get the thing that we're selling, and I don't want to be here selling anything, it's kind of uncomfortable doing that, but we can talk about it afterwards. Okay, again I get the question, so generically speaking, the way this can be mitigated is that either at the router level or an additional device that's plugged into the network will monitor the traffic from and towards the devices, and then each company develops its own technology. Some people do anomaly detection, where you would see, you know,

that your TV talks to Samsung, it's supposed to talk to Samsung; your TV talks to a mobile application using a specific user agent, that should be okay; and then you designate, you do machine learning, buzzwords, and you designate that as normal traffic, and whatever you see out of bounds from that normal traffic is suspicious. That's one approach. The other approach would be to actually have something like Snort or Suricata or Bro and do actual, you know, pretty similar but different technology. Another approach is to do actual pre-emptive sort of vulnerability assessment; it's one of the things that we're doing. There's a number of methods; it just has to be implemented either

at the router level or in an additional device in the network, so it can be mitigated. Please.

I'm sure you're gonna have to say that louder, because it's so important. Please. And when you're saying you, you mean you the user, or the developers from Edimax? You say... right, of course, the answer to your question is yes, that would be better. Okay, that's it. Please. I can't blame them for that. I don't think... there are only so few companies, we were having this discussion in a different talk yesterday, there are only so few companies that do updates over HTTPS; most products and most companies do it over plain HTTP and just digitally sign the package so it's not tampered with. HTTPS is expensive when it comes to downloads. Okay, then I would like to thank

you again, and yeah.
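The root-shell path in the talk hinges on one pattern: the firmware hashes its credentials by handing `echo -n username:password | md5sum` to a shell, and the password field is writable remotely, so a value like `ABC;reboot` becomes a second command. The following added example (written for this transcript; it is not Edimax's firmware code nor Bitdefender's research code) shows that pattern as a string only, never executing it, beside a hardened handler that computes the same `user:password` MD5 in-process and rejects a password change that carries shell metacharacters, exceeds the 32-character limit mentioned in the talk, or keeps the undocumented default. The `CredentialStore` class, the `validate_password` policy and the `shell_commands_in` helper are hypothetical stand-ins for the device logic; MD5 is kept only to mirror the scheme the talk describes, not as a recommendation.

```python
import hashlib
import hmac
import re

# Limit the talk mentions for the device password (assumed to apply here too).
MAX_PASSWORD_LEN = 32

# Characters that let a POSIX shell split, quote or extend a command when the
# password is spliced into `echo -n user:pass | md5sum`.
SHELL_META = re.compile(r"[;&|`$()<>\"'\\\s]")


def build_shell_command(username: str, password: str) -> str:
    """How a firmware that hashes credentials via the shell would assemble the
    command. Returned as a string for illustration only; never executed."""
    return f"echo -n {username}:{password} | md5sum"


def shell_commands_in(command: str) -> list:
    """Rough split on ';' to show what the shell would treat as separate
    commands. Hypothetical illustration helper, not a real shell parser."""
    return [part.strip() for part in command.split(";") if part.strip()]


def hash_credentials(username: str, password: str) -> str:
    """Hardened equivalent of `echo -n user:password | md5sum`: computed
    in-process, so a ';' in the password is just a byte and never reaches a
    shell. MD5 only mirrors the device scheme described in the talk."""
    return hashlib.md5(f"{username}:{password}".encode("utf-8")).hexdigest()


def validate_password(password: str):
    """Policy check for a password-change request. Returns (ok, reason)."""
    if not 1 <= len(password) <= MAX_PASSWORD_LEN:
        return False, "length must be 1..%d characters" % MAX_PASSWORD_LEN
    if not password.isprintable():
        return False, "non-printable characters are not allowed"
    if SHELL_META.search(password):
        return False, "shell metacharacters are not allowed"
    if password == "1234":
        return False, "the undocumented default password must be changed"
    return True, ""


class CredentialStore:
    """Constructed stand-in for the device's credential storage: it keeps only
    the hash that cloud-relayed commands are checked against."""

    def __init__(self, username: str = "admin", password: str = "1234"):
        self.username = username
        self.credential_hash = hash_credentials(username, password)

    def change_password(self, new_password: str) -> bool:
        """Reject the request instead of splicing it into a shell command."""
        ok, _reason = validate_password(new_password)
        if not ok:
            return False
        self.credential_hash = hash_credentials(self.username, new_password)
        return True

    def authenticate(self, presented_hash: str) -> bool:
        """Constant-time compare of the hash the relay presents (the talk's
        'authentication value') against the stored credential hash."""
        return hmac.compare_digest(self.credential_hash, presented_hash)


if __name__ == "__main__":
    # Constructed demonstration: what the shell would see, and what the
    # hardened handler does with the same input.
    injected = build_shell_command("admin", "ABC;reboot")
    print("shell would run:", shell_commands_in(injected))
    store = CredentialStore()
    print("change to 'ABC;reboot' accepted:", store.change_password("ABC;reboot"))
    print("change to a clean password accepted:",
          store.change_password("correct-horse-battery"))
```

Note that the hardened path still accepts the talk's protocol as-is (a hash derived from `user:password`); the fix shown here is only that untrusted input never reaches a shell and is validated before it can change the stored credential.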