IoT The gift that keeps on giving

Transcription

1 IoT The gift that keeps on giving Contributors Radu Alexandru Basaraba - rbasaraba@bitdefender.com Alexandru Lazar allazar@bitdefender.com Mihai Moldovan - mimoldovan@bitdefender.com Host: Alex Jay Balan Chief Security Researcher

2 2

3 3

4 4

5 Chapter 1 The crazy state of IoT Chapter 2 From China with love First findings Quick crash course into IoT hacking Demo Chapter 3 The gift that keeps on giving 5

6 6 CHAPTER 1: The crazy state of IoT

7 RENTED A CONNECTED CAR ONCE 7

8 SMART EVERYTHING Smart lightbulb & WiFi repeater Smart Portable fish finder Smart Lightbulb Smart Thermostat Smart Yoga Mat Smart Music Player Smart Barbie doll Smart Power Outlet Smart Coffee Maker 8

9 9 IT TAKES A SPECIAL KIND OF CRAZY TO TRY THIS

10 THE MOST COMMON ISSUES Undocumented hardcoded passwords Weak or no encryption Command injection Very old services WiFi configuration hotspots Bad UX on Firmware updates THE MOST DANGEROUS ISSUES Port forwarding / UPnP Device cloud mobile app cloud sync poor input validation => command injection 10

11 MOST IOT SECURITY PAPERS ARE FOCUSED ON PROXIMITY BASED ATTACKS MITM the Bluetooth key exchange Get shell on some device in your house Etc Attacks that require proximity have their charm 11

12 MASS HACKS NEED MORE LOVE 12

13 IOT IS JUST HARDWARE + OS + APP (+ CLOUD) wu-ftpd IIS5.0 RDP Joomla app 13

14 WHY IS THAT A PROBLEM? No standards or security reviews for 90% of what s out there Each company builds their own app with almost no experience with how security works 14

15 CHAPTER 2 FROM CHINA WITH LOVE 15

16 IDOORBELL & NEO COOLCAM 16

17 SETTING IT UP STANDARD LINKSYS ROUTER

18 SETTING IT UP SETUP FLOW 18 flow is identical for both the doorbell and webcam

19 FROM A PERFECTLY GOOD ROUTER

20 TO SWISS CHEESE

21 SHODAN SAYS THIS HAS GREAT POTENTIAL

22 AT THIS POINT WE WENT THROUGH THE USUAL FIRST STEPS Wireshark Mobile app unpacking Check for weak encryption Check webapp for various vectors Etc We realized that we ve become used to a number of stupid things and cheered when we found things that should be common sense Encryption in cloud communication (yey!) No encryption on direct connections (boo!) 22

23 SO

24 YOU SEE AN INPUT FIELD YOU FUZZ IT Sadly, the good folks at Neo Shenzhen decided not to let us have too much fun. Crash on the first try The RTSP server didn t crash with the same method, though (yet)

25 I M A SIMPLE MAN. I SEE A CRASH, I GET AROUSED 25

26 HOOK-UP TO SERIAL

27 GREAT SUCCESS! NO CREDENTIALS THOUGH

28 GOT ROOT? Pause boot loader: pass init=/bin/bash to kernel Use dumb shell to add telnetd to startup

29 FIRST FINDS UNDOCUMENTED USERS 29

30 FIRST FINDS AND THIS - ONE BINARY TO RULE THEM ALL (BECAUSE WHY NOT?) Webserver RTSP server Authentication for webserver Authentication for RTSP 30

31 DEBUG TIME! cp -r / /path/to/sdcard 31

32 HTTP AUTH When checking auth at libs_parsedata will copy the content of those two arguments onto the stack without checking if they fit, resulting in an out of bound write 0x460 allocated on stack 32

33 HTTP AUTH ASLR is enabled However. No PIE = it will always load at the same address We ll use ROP gadget at 0x0007EDD8 To put the address of the stack pointer (which now contains our command) into R0 Then call the system function to execute our command GET /?usr=<204bytes><command>&pwd=<328bytes><0xd8ed07> HTTP/ * checksec.sh -

34 THE ALMIGHTY EXPLOIT 34

35 RTSP Tried to fuzz user/pass again didn t get so lucky this time Back to basics field & value implied to have 256bytes (0x100) each Unlimited sized strings scanned into field & value The RTSP server uses digest authentication and it seems they implemented it themselves.poorly 35

36 RTSP EXPLOIT Same binary we ll use the same gadget from http. The request looks like this: DESCRIBE rtsp://<ip>:554/ RTSP/1.0 Authorization: Digest <296 bytes><command>= <548 bytes><0xd8ed07> 36

37 37 DEMO

38 20 YEARS AGO CALLED. ROOT SHELL BY PASSING 200 CHARS TO LOGIN RING A BELL TO ANYONE? 38

39 FROM CHINA WITH LOVE - KEY TAKEAWAYS Setup flow requests a password change but there are 2 undocumented users that device owners don t know exist A really lame overflow leads to RCE. Base system provides ASLR but the app architecture decided it d be a good idea to not use it Seriously, check & disable UPnP on your routers It s hard to tell how many affected devices are in the wild since we don t know how many (other) vendors use this firmware but at this point we re looking at more than 200k RCE for other models will require adding other targets to the exploit 39

40 THE GIFT THAT KEEPS ON GIVING We need a security certification system of sorts for IoT that looks at more than military grade encryption We need to educate or otherwise stimulate the vendors to have a proper incident response process and unattended update mechanisms We need to educate the users to get to get tools that can handle the security of their non-traditional devices. At the very least vulnerability checkers There are vulnerabilities discovered in apps every day but at the rate IoT is developing we ll have stuff to talk about for ages IoT security papers is a low hanging fruit. Almost everything is not only broken but also, sometimes, unfixable Focus on remote exploits and mass hacks since that s what the bad guys are going to focus on 40

41 Ask me anything.