EXPLOITING CLOUD SYNCHRONIZATION TO HACK IOTS

Size: px

Start display at page:

Download "EXPLOITING CLOUD SYNCHRONIZATION TO HACK IOTS"

Scott Ball
6 years ago
Views:

1 SESSION ID: SBX1-R1 EXPLOITING CLOUD SYNCHRONIZATION TO HACK IOTS Alex Jay Balan Chief Security Researcher

2 2

3 IoT = hardware + OS + app (+ Cloud) wu-ftpd IIS5.0 RDP Joomla app 3

4 EDIMAX Smart Power Outlet 4

5 Features and Setup Key features Easily switch on/off via mobile app Manually or scheduled notifications Power meter Wireless setup via mobile app Setup flow Download the app Plug the plug (sic!) The app searches for and connects to the EdiPlug Setup hotspot The user specifies the WiFi network to be used Setup ends Optional Setup alerts requires credentials for SMTP 5

6 Device behavior After the app sends the wifi details, the device connects to the local network and sends an UDP broadcast of 22 bytes (hardcoded) First thing it does once connected (and periodically after that) is to check for network connectivity with a quick connection to 6

Device behavior Hello, I m alive! to www.myedimax.com via UDP with details about the device.

7 Device behavior Hello, I m alive! to via UDP with details about the device. MAC address The device enters a loop in which it constantly sends UDP messages to in order to keep a connection active in the NAT table and receive UDP messages 7

LAN chatter Lighthttpd running on port 10000 used to receive commands from the mobile app.

8 LAN chatter Lighthttpd running on port used to receive commands from the mobile app. All commands require authentication and the creds are well hidden in the app (read: 99% of all users won t find or change them) We used these captures to extract the default creds. admin:1234 8

9 APP-Device interaction. More UDP security UDP message to Relevant fields: id value and auth value Id value = device mac Auth value = hashed user:password (default admin:1234) 9

APP-Device interaction. More UDP security www.myedimax.

10 APP-Device interaction. More UDP security The cloud sends an UDP message to the power outlet with connectivity information about the app (IP, port) and the auth hash The device generates a hash for its stored credentials and compares it with what it receives from the cloud If the hash doesn t match, it generates an error code (1120), conversation ends and the app gets no reply back If everything is ok, the device connects to the cloud relay which sends an OK signal to the app which also connects to the relay server establishing a tunnel to enable communication between the app and device 10

11 Triggering actions on the power outlet Any interaction from the app triggers the device to send back a full status and information about it ON/OFF Other actions Pre-requisites: Device MAC Device password (default admin:1234) There is no prompt to change the password and the actual setting is hidden a few screens away in the settings 11

12 Controlling the device remotely As simple as sending Tell this device to turn off the with the MAC address as identification Can be sent to all 16M mac addresses with no issues 12

13 Bonus feature notifications Scheduled on/off actions can trigger notifications to the owner Configuring the notifications requires a working account and the app requests the credentials for SMTP authentication 13

15 Obfuscation!= Encryption 15

16 B64 of actual user password 16

17 So far We can sniff and decrypt some sensitive data We can turn off (or on) virtually any of these power outlets in use right now What s next? WHAT S BETTER THAN ALL OF THOSE? 17

18 IF YOU RUN SYSTEM COMMANDS WITH RECEIVED DATA YOU RE GONNA HAVE A BAD TIME

19 Received creds are checked with a system command Setting the password to: asd;telnetd => echo n admin:asdf; telnetd md5sum Note: password is limited to 32 chars 19

20 Command injection Starting telnet is still not proper RCE, though, since the device is on a private network So we need to find a way to execute a connect-back shell in 32 chars

21 2 letter domains to the rescue! We were way beyond the character limit So we registered a 2 letter domain 21

22 A little stager script 22

23 Impact Difficult to defend against Full network compromise IoT botnets

24 Takeaways We need a security certification system for IoT, that looks at more than military grade encryption We need to educate or otherwise stimulate the vendors to have a proper incident response process and unattended update mechanisms We need to educate the users to get to get tools that can handle the security of their non-traditional devices. At the very least vulnerability checkers 24

25 Ask me

IoT The gift that keeps on giving

IoT The gift that keeps on giving Contributors labs@bitdefender.com Radu Alexandru Basaraba - rbasaraba@bitdefender.com Alexandru Lazar allazar@bitdefender.com Mihai Moldovan - mimoldovan@bitdefender.com