
And now we're going to go all the way from here, the Middle East, to Middle Earth. That's right, Tolkien's Middle Earth. So our next talk is "One Device to Rule Them All"; it is inspired by Tolkien. Our next speaker, please give it up for him, is a first-time speaker on the BSides TLV stage: this is Elad Ernst, everybody. Elad has just come back from New Zealand, AKA Middle Earth, the land of Tolkien and the Hobbit, and he's going to talk to us about one device to rule them all. All right, are you ready to go, Elad? Yes, the stage is yours. Let's give it up for him one more time. First-time speakers, that's what we love here.
Yes, thank you all. So everyone, thank you for coming. I'm going to speak about a very cool vulnerability we found that affects thousands of IoT devices around the world. But before I begin, shortly about me: I am a security researcher. Actually, I'm a second-generation security researcher; my father, Joseph, is also a security researcher, and as he always says, the more devices you exploit, the less flow you have to watch. So this is me.

Before we start, a short motivation. If I'm attacking and I want to penetrate into an organizational network, in the classic world there were some very common vectors. If we take a look at these vectors, the most common was trying to exploit an application in the DMZ, for example, and then get from there into the network. Another one was using client vulnerabilities, for example browser vulnerabilities or Office vulnerabilities. Another one was using mail attachments, sending EXEs in a mail or something like that. Another common one was using phishing and stealing credentials, and then using them for connecting to the VPN or the server of the company. So if you take a look at all these vectors in the current world, all these vectors became much less relevant, and each one for its own reason. For example, if we take the DMZ: the DMZ almost disappeared, most of the applications migrated to the cloud, and the DMZ became very irrelevant in this world. Client vulnerabilities still exist, but they are found much earlier, are harder to exploit and are very expensive. Mail attachments: almost any organization today has a system for mail filtering to prevent this kind of attack. And phishing, as we saw in the last presentation, is much less relevant today because of how common MFA mechanisms are. So actually these types of attacks are still possible, but much harder.

If, from the other side, we take a look at what's happening in the IoT world: the amount of IoT devices increased drastically. Most of the IoT devices are still very insecure. The amount also increased in the organizational network, for example IP phones, smart TVs, conference room systems. Most of them are IoT devices, still very insecure, and still almost no one cares about the security of IoT devices. All these things make IoT devices a very, very, very attractive attack vector. The problem, the challenge, for the attacker is that IoT devices most of the time are not accessible directly from the internet but are behind a firewall; they are not accessible directly. So this is what we tried to exploit in our research. So let's talk about our research. The goal of our research was
basically to find a remote code execution vulnerability on IoT devices, but we wanted to find a vulnerability that is cloud-to-device. I mean, a vulnerability that we'll be able to exploit without being able to access the device, but by exploiting the fact that the devices communicate with cloud services. So we wanted to actually be able to exploit a device without having direct access to the device. As a target we chose a very big OEM. It's very important to understand what an OEM is, because it's a very common thing in the IoT world. Actually, if we take a look around at IoT devices, most of them were not manufactured by the brand whose name is on the IoT device. Most of them were actually manufactured in China by a Chinese company and sold to other branded vendors around the world. Why is it interesting? Because if we are able to find a vulnerability in an IoT device and the vulnerability is part of the software of the OEM, it might affect all the vendors that buy devices from this OEM, so this is a very nice thing. So this is our target, and from this point we started our research.

We went to Amazon and ordered a very generic IoT device, a very generic Android device of this vendor, and we started to explore the device and understand what is going on. This Android device is mainly used for smart TVs, for streamers and other stuff. We started to explore the device and found out that there is outgoing communication from the device on TCP port 8883, which usually stands for MQTT over TLS.

So what is MQTT? MQTT is a very common protocol in the IoT world. It's very lightweight, and it basically contains three main entities: the first one is the broker, the second one is the clients, and the last one is the application server. The broker is just an applicative router: it's just taking the data, transferring the messages between the clients and the application server. It's not doing anything by itself except transferring the data. Usually the broker will be in the cloud, on a server in the cloud; it can also be a managed service, Google has their service, Amazon has their service. Usually it will listen on TCP port 1883 or, in our case, if it's MQTT over TLS, on 8883. It's very important to remember that the broker is not the application server; there is another application server which also communicates with the broker. The broker just transfers the data between the clients and the application server. OK, the data in the broker is organized
in something that's called topics. What are topics? Basically, think of a newsletter that has many sub-magazines: for example, it has a food magazine, it has a fashion magazine, and each magazine has sub-magazines, for example an Israeli food magazine and an Indian food magazine. I can subscribe to all of the newsletter's magazines, I can ask to subscribe just to the food magazine, or I can also subscribe just to the Israeli food magazine. Of course, the topic is just the name of the topic, not the content; like in a newsletter, it's not the articles. We will see an example soon. So as I said, topics are hierarchical, I mean I can have a parent topic and under it another topic. For example, classically we will have an app topic, under it we will have a devices topic, under it a topic for each device, and for each device we can have sub-topics. This is the name of the topics; under each topic we can have data. We'll see how it works in the next slide. So this is topics.

The other entity we have in MQTT is the client, which is usually the devices. It can be anything, but usually it's the devices, and they communicate with the broker over TCP. They are connecting, they are initiating the connection to the TCP port, and they can basically do two main things: they can publish data to topics, and they can subscribe to topics, they can ask the broker: if someone publishes data to this topic, give it to me. It's very important to remember that the TCP connection between the clients and the broker is always open. That's why the client can not speak with the broker for a lot of time, but if the client subscribed to some topic and after two hours someone publishes data to this topic, the broker will be able to push the data to the client even if the client is behind NAT or behind a firewall. So this is the client.

The last entity, as we said, is the app server, which actually is just another client: it's connected to the broker on the same port, communicating the same way; it can publish, subscribe, etc. So this is the basics of MQTT that you should know for this talk. Another important thing is the wildcard. The wildcard basically lets a client subscribe not to specific topics but to a topic and all its sub-topics. For example, if you have these topics, app/devices/1/logs and other topics, if someone subscribes to app/devices with the wildcard, they will receive messages that are published to all its sub-topics. So this is very useful and very common.
OK, great, so this is the basics of MQTT. Let's talk a little bit about the security of MQTT. Basically MQTT is not encrypted, but it can be encrypted, like we have in our case, MQTT over TLS, if it's supported by the broker of course. Authentication: MQTT basically supports two main authentication mechanisms. The first one is username and password; the second one is client certificate, which of course is available just if we use MQTT over TLS. Authorization in MQTT is based on an ACL that should be defined on the broker by the manager of the broker, and the ACL is very simple: it can say which client can publish to which topics and which client can subscribe to which topics. This is the basic authorization mechanism. Of course, good authorization can be achieved just if we have good authentication, because otherwise we can't differentiate between clients. So OK, this is MQTT.

Let's go back to our research. We have our device, we saw the communication, we want to start to understand what this communication is for. So we had a deep connection to the device: we connected to the device with ADB and found out the APK that is actually creating the MQTT connection. We extracted the APK, started to decompile it, and actually found our connection credentials in the APK, which is very nice: it's username and password. The cool thing is that if they use hardcoded credentials in the APK, probably it's the same credentials for all the devices, which means probably they don't have a good ACL on the broker. But let's check it. So we have hardcoded credentials, we want to try to connect to the broker. The next thing we do is try to use our own client to connect to the broker. For this we used a tool called MQTT Explorer, which is a very useful tool; it's a GUI client for MQTT. We tried the credentials to connect to the broker, we set the credentials, and actually it worked. So we are now connected to the broker, but we want to see something. So we asked the broker to subscribe to a wildcard, I mean give me all the data that everyone sends to any topic. We sent a subscribe message to the broker and it worked, and we started to receive data, which is very cool. So what can we see here? Actually we can see a lot of topics created by many devices, a lot of devices of many different vendors. I mean, this MQTT broker is owned by the OEM and there is data of many devices that are sold to many different vendors. For each device you can see a lot of interesting things: for example, we can see the internal IP of the device, you can see the external IP of the device, the Wi-Fi name, the geolocation and a lot of interesting things. This is a metadata message that each device sends every few minutes, like a keep-alive message. So we can see a lot of data. Let's do a short summary: we can extract credentials for the MQTT broker, we can connect to the broker, we can actually subscribe to a wildcard, and we can see data of thousands of devices around the world.
The next thing we want to do, of course, is trying to not just passively watch data of other devices, but also be able to send to and influence other devices. So we went back to the APK and tried to find where the function is that handles the messages that come from the broker to the client. We found the function, and actually it's very funny, but we found a full C&C, a switch case, which is very cool. What's happening is that the device supports getting messages (they are supposed to come from the application server, but actually we will see if everyone can send them). This type of message is called a task, and there are many nice tasks: for example, taking screenshots, taking a directory listing, and of course, the cherry on top, there is a shell task. So now we want to check if we can publish messages to other devices, because this handler exists, but it doesn't mean that we have permission to send messages to other devices. So we created a very simple task message that basically creates a screenshot and uploads it to our server with curl. We created the message, sent the message to another device, and we got a screenshot, which is very cool. So it's very cool: we can run code on other devices, we can take screenshots. But the next question is whether we would be able to do it not just for one device but for many devices, let's say for all the devices that we can see. So of course, why not: we created a very simple Python script that will do it, we ran the script and it worked. We started to get screenshots, and it's very cool because we started to see the screenshots and there are very many types of screenshots: some of them from private homes, some of them from hospitals, some of them from banks, some of them from private companies' conference rooms, other smart TVs, many, many different systems, which is very cool.

Now we have a lot of screenshots and we have something interesting to do with them, so what we did is create a collage of BSides TLV. So yeah, which is very cool, but the question is what's next. We actually have screenshots from a lot of devices, we have the metadata of devices, and we started to investigate what these devices are, what they are used for, where they are located. We have the external IP of the devices, we have the screenshot, we have the Wi-Fi name. So we started to work and found out that the devices are located in very big hospitals, in very big companies, in stores, mainly used for digital signs, and also of course a lot of private houses, but all around the world; it's very crazy. And we started to think: OK, we can run code on devices; we are not accessible to these devices directly, but we can run code on these devices, so maybe we can leverage these devices to get into the networks they are in. Of course, we didn't do this step, but this is the idea we had. So we are sitting on the device, we have a leg in the LAN. Of course, the first thing that we can do is very basic LAN
attacks, Responder, etc., and other types of LAN attacks. We can also, for example, if we can run code on a smart TV, ask the user to download a driver if they want to cast something from their laptop to the TV, and then we can run code on this laptop. Or, for example, if a user wants to get into a Zoom meeting or Google Meet, just OK, let's just ask for credentials; they will give them to us. But the question is: OK, we can run code on these devices, but let's say that as an attacker we don't want these IoT devices to start behaving strangely. What does it mean? It means most of the IoT devices usually communicate with the same servers. If I ask the device to download my tool from another server, it will look strange in the external firewall of the organization. So what we actually did is we encoded our tool and just sent a lot of shell tasks, writing the tool to the device using basically the built-in tools on the device. Then what we did is create a very simple tunneling tool that lets us do TCP over MQTT, because this is very easy to do on MQTT: as I said, the broker is just an applicative router, it doesn't care about the data that goes through it. So I can actually just put a client that sends messages, converting messages from TCP to MQTT, and on the other side the same, and we have a tunneling tool over the MQTT broker. That's why, even if someone looks at the external firewall, the device will look exactly the same.

So this is mainly the research. Let's talk shortly about the disclosure process. We found the vulnerability about a year ago. We tried to contact the OEM through any available medium: mail, LinkedIn, Facebook, Instagram, TikTok, Snapchat, Tinder, I'm just kidding. Of course they didn't respond yet until this time. A possible reason, and it's funny: there is a new law of the Chinese government that started in 2021 that basically says that if a hacker wants to talk with a Chinese company and tell them that they found a vulnerability, you need to speak first with the Chinese government, which basically says that the Chinese government collects zero-days for all of our devices, which is very scary. We did reach some of the clients directly and I helped them to solve this issue.

So this is the basic short summary: a very cool new attack vector. I think you will see a lot of this attack vector in the coming years. Actually, IoT devices are still very insecure, and almost all of them speak with the cloud, which is a very interesting thing to look at. Actually, it might be a Chinese vector, and it's very scary because most of the IoT devices we have today are made in China. For vendors: check what you have in your devices that you got from the OEM. And for CISOs: it doesn't make sense that you will think of your IoT devices differently from your PCs. They can be attacked, they can be an entrance to your network. Start thinking about them like PCs: antivirus, manage them, and other things. So, any questions? And also I just want to thank you all, thank my wife, and I think I have to say that, and I hope you enjoyed.
Thank you a lot, thank you all, all the way from Middle Earth right here to the Middle East.
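As an added example (not code from the talk or from the OEM), here is a small model of MQTT topic matching and broker-side ACL checks that replays the finding in the talk: with one shared credential and no ACL, any client can subscribe to the "#" wildcard and read, or publish to, every other device's topics, while a per-client ACL confines each device to its own topics. The app/devices/<id>/... hierarchy, the device ids and the "%c" client-id pattern are assumptions chosen to mirror what the talk describes.

```python
# Added example (not from the talk or the OEM's code): a minimal model of MQTT
# topic matching and broker-side ACLs, showing why one shared credential with
# no ACL lets any client read or publish every device's topics, and a fix.

def topic_matches(topic_filter: str, topic: str) -> bool:
    """MQTT matching: '+' = exactly one level, '#' (last level only) = the rest."""
    f, t = topic_filter.split("/"), topic.split("/")
    for i, lvl in enumerate(f):
        if lvl == "#":
            return i == len(f) - 1
        if i >= len(t) or (lvl != "+" and lvl != t[i]):
            return False
    return len(f) == len(t)

def filter_covers(rule: str, requested: str) -> bool:
    """True if every topic matched by `requested` is also matched by `rule`,
    i.e. the subscription asks for no more than the ACL rule grants."""
    r, q = rule.split("/"), requested.split("/")
    for i, lvl in enumerate(q):
        if i >= len(r):
            return False
        if r[i] == "#":
            return True
        if lvl == "#" or (lvl == "+" and r[i] != "+") or (r[i] != "+" and r[i] != lvl):
            return False  # the request is broader than, or outside, the rule
    return len(r) == len(q) or (len(r) == len(q) + 1 and r[-1] == "#")

def allowed(acl: dict, client_id: str, action: str, target: str) -> bool:
    """Broker-side check. `acl` maps a client id ('*' = default entry) to
    {'subscribe': [...], 'publish': [...]}; '%c' in a rule is the client's id."""
    rules = acl.get(client_id, acl.get("*", {})).get(action, [])
    for rule in (r.replace("%c", client_id) for r in rules):
        if action == "subscribe" and filter_covers(rule, target):
            return True
        if action == "publish" and topic_matches(rule, target):
            return True
    return False

def readable_topics(acl: dict, client_id: str, requested: str, topics) -> list:
    """Topics the broker would deliver if `client_id` subscribes to `requested`."""
    if not allowed(acl, client_id, "subscribe", requested):
        return []
    return [t for t in topics if topic_matches(requested, t)]
# Constructed sample: a metadata (keep-alive) topic and a task topic per device,
# under the app/devices/<id>/... hierarchy the talk describes (made-up ids).
SAMPLE_TOPICS = [f"app/devices/dev-{n}/{leaf}" for n in (1, 2, 3) for leaf in ("meta", "task")]
# What the talk found: one shared hardcoded credential, everyone may do everything.
SHARED_CREDS_ACL = {"*": {"subscribe": ["#"], "publish": ["#"]}}

# Hardened: a device reads only its own task topic and publishes only its own
# metadata; only the application server's identity spans all devices.
PER_DEVICE_ACL = {
    "*": {"subscribe": ["app/devices/%c/task"], "publish": ["app/devices/%c/meta"]},
    "app-server": {"subscribe": ["app/devices/+/meta"], "publish": ["app/devices/+/task"]},
}
```

Real brokers express the same idea in their own ACL syntax (for example a per-client pattern with a client-id placeholder), but the check is the same: a subscription or publish is rejected unless an ACL rule for that identity covers it.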