EXPLOITING CLOUD SYNCHRONIZATION TO HACK IOTS

Similar documents
IoT The gift that keeps on giving

Hello? It s Me, Your Not So Smart Device. We Need to Talk.

Attacks Against Websites 3 The OWASP Top 10. Tom Chothia Computer Security, Lecture 14

Hacking Smart Home Devices. Fernando Gont

A+ Guide to Software: Managing, Maintaining, and Troubleshooting, 5e. Chapter 8 Networking Essentials

SPOOFING. Information Security in Systems & Networks Public Development Program. Sanjay Goel University at Albany, SUNY Fall 2006

Single Sign-On Showdown

Application Security through a Hacker s Eyes James Walden Northern Kentucky University

Uploading Files. Creating Files

Clover Flex Security Policy

CIT 380: Securing Computer Systems. Network Security Concepts

Network Administrator s Guide

Client VPN OS Configuration. Android

IoT Vulnerabilities. By Troy Mattessich, Raymond Fradella, and Arsh Tavi. Contribution Distribution

FIREWALLS & NETWORK SECURITY with Intrusion Detection and VPNs, 2 nd ed. Chapter 10 Authenticating Users

AplombTech Smart Router Manual

Hacking TP-Link Devices. Fernando Gont

Why bother? Causes of data breaches OWASP. Top ten attacks. Now what? Do it yourself Questions?

Bark: Default-Off Networking and Access Control for the IoT. James Hong, Amit Levy, Laurynas Riliskis, Philip Levis Stanford University

BOMGAR.COM BOMGAR VS. TEAMVIEWER UPDATED: 2/28/2017

System Requirements. Network Administrator Guide

Wireless-G Router User s Guide

Managed WiFi: Mobile App Tour

PrecisionAccess Trusted Access Control

The R25 Robot Series

Configuring SAP Targets and Runtime Users

On the Internet, nobody knows you re a dog.

OWASP Broken Web Application Project. When Bad Web Apps are Good

ECCouncil Certified Ethical Hacker. Download Full Version :

Most Common Security Threats (cont.)

NETOP HOST ON A TERMINAL SERVER

PMS 138 C Moto Black spine width spine width 100% 100%

What Ails Our Healthcare Systems?

RU-VPN2 - GlobalProtect Installation for Windows

Peekaboo! I Own You.

Office 365. Send and Retrieve Protected s

Question No: 2 Which identifier is used to describe the application or process that submitted a log message?

Configuring 802.1X Authentication Client for Windows 8

Evaluating the Security Risks of Static vs. Dynamic Websites

Dolby Conference Phone. Configuration guide for Cisco Unified Communications Manager

What someone said about junk hacking

Aventail Connect Client with Smart Tunneling

Worldwide Release. Your world, Secured ND-IM005. Wi-Fi Interception System

Wireless Network Defensive Strategies

Virtual Dispersive Networking Spread Spectrum IP

Two factor authentication for Microsoft Remote Desktop Web Access

About The Presentation 11/3/2017. Hacker HiJinx-Human Ways to Steal Data. Who We Are? Ethical Hackers & Security Consultants

Advantage Cloud Two-Factor Security Process

Contents. 1. Downloading the ios Mobile App Configuration Additional Information... 9 LED indications... 9 Operating the Device...

Configuring Communication Services

Bridging Identity Islands with Continuous, Contextual Identity Assurance

SETUP FOR OUTLOOK (Updated October, 2018)

Joe Stocker, CISSP, MCITP, VTSP Patriot Consulting

HySecure Quick Start Guide. HySecure 5.0

Pulse Secure Client for Chrome OS

THE NEW LANDSCAPE OF AIRBORNE CYBERATTACKS

Backend IV: Authentication, Authorization and Sanitization. Tuesday, January 13, 15

USER GUIDE WWPass Security for (Thunderbird)

Connect Securely in an Unsecure World. Jon Clay Director: Global Threat

Ethical Hacking as a Professional Penetration Testing Technique ISSA Southern Tier & Rochester Chapters

Vendor: Microsoft. Exam Code: Exam Name: MTA Security Fundamentals Practice Test. Version: Demo

SECURITY ON PUBLIC WI-FI New Zealand. A guide to help you stay safe online while using public Wi-Fi

Enroll in Two factor Authentication - iphone

IT Exam Training online / Bootcamp

CIS Controls Measures and Metrics for Version 7

Man-In-The-Browser Attacks. Daniel Tomescu

Snort Rules Classification and Interpretation

Connect to Wireless, certificate install and setup Citrix Receiver

LearnMore:mygrande.com/wifi

Networking and Health Information Exchange Unit 1a ISO Open Systems Interconnection (OSI) Slide 1. Slide 2. Slide 3

Campus Wi-Fi. Set up access to eduroam: the University Wi-Fi network

CIS Controls Measures and Metrics for Version 7

AN IPSWITCH WHITEPAPER. The Definitive Guide to Secure FTP

Virtual Tunnel Interface

Artificial Intelligence Drives the next Generation of Internet Security

Why bother? Default configurations Buffer overflows Authentication mechanisms Reverse engineering Questions?

ESET Remote Administrator v6 Getting Started Guide for MSPs January 2017

Picture. Scott Ziegenfus CEM, CLEP, CDSM, GGP, GPCP, LEED AP Manager, Government and Industry Relations Hubbell Lighting, Inc.

Office 365 and Azure Active Directory Identities In-depth

Attacks Against Websites. Tom Chothia Computer Security, Lecture 11

Next-Gen Mirai. Balthasar Martin Fabian Bräunlein SRLabs Template v12

Wireless Attacks and Countermeasures

AUTHENTICATION. Do You Know Who You're Dealing With? How Authentication Affects Prevention, Detection, and Response

Tips for Passing an Audit or Assessment

Privileged Access Access Console User Guide 17.1


CLEARVIEW KIT INSTALLATION GUIDE

Grandstream Networks, Inc. Captive Portal Authentication via Twitter

Welcome. Password Management & Public Wi-Fi Security. Hosted by: Content by:

User Guide. Version R94. English

Guide Installation and User Guide - Windows

n Given a scenario, analyze and interpret output from n A SPAN has the ability to copy network traffic passing n Capacity planning for traffic

REMOVE TSUWIRELESS WIRELESS NETWORK 2 CONNECTING TO TSU_SECURE WIRELESS NETWORK 7 CONNECT TO TNSTATE.EDU USING MOBILE DEVICE 11

Securing Wireless Networks by By Joe Klemencic Mon. Apr

SET UP VPN FOR WINDOWS 10

CDX REPORT TEAM #8 JACOB CHAPMAN SNEHESH THALAPANENI DEVISHA SRIVASTAVA

Proving who you are. Passwords and TLS

PRACTICING SAFE COMPUTING AT HOME

Securing ArcGIS for Server. David Cordes, Raj Padmanabhan

Application Visibility and Analytics SE Remote Demo Platform Information

Transcription:

SESSION ID: SBX1-R1 EXPLOITING CLOUD SYNCHRONIZATION TO HACK IOTS Alex Jay Balan Chief Security Researcher Bitdefender @jaymzu

2

IoT = hardware + OS + app (+ Cloud) wu-ftpd IIS5.0 RDP Joomla app 3

EDIMAX Smart Power Outlet 4

Features and Setup Key features Easily switch on/off via mobile app Manually or scheduled E-mail notifications Power meter Wireless setup via mobile app Setup flow Download the app Plug the plug (sic!) The app searches for and connects to the EdiPlug Setup hotspot The user specifies the WiFi network to be used Setup ends Optional Setup e-mail alerts requires email credentials for SMTP 5

Device behavior After the app sends the wifi details, the device connects to the local network and sends an UDP broadcast of 22 bytes (hardcoded) First thing it does once connected (and periodically after that) is to check for network connectivity with a quick connection to www.google.com:80 6

Device behavior Hello, I m alive! to www.myedimax.com via UDP with details about the device. MAC address The device enters a loop in which it constantly sends UDP messages to www.myedimax.com in order to keep a connection active in the NAT table and receive UDP messages 7

LAN chatter Lighthttpd running on port 10000 used to receive commands from the mobile app. All commands require authentication and the creds are well hidden in the app (read: 99% of all users won t find or change them) We used these captures to extract the default creds. admin:1234 8

APP-Device interaction. More UDP security www.myedimax.com UDP message to www.myedimax.com Relevant fields: id value and auth value Id value = device mac Auth value = hashed user:password (default admin:1234) 9

APP-Device interaction. More UDP security www.myedimax.com The cloud sends an UDP message to the power outlet with connectivity information about the app (IP, port) and the auth hash The device generates a hash for its stored credentials and compares it with what it receives from the cloud If the hash doesn t match, it generates an error code (1120), conversation ends and the app gets no reply back If everything is ok, the device connects to the cloud relay which sends an OK signal to the app which also connects to the relay server establishing a tunnel to enable communication between the app and device 10

Triggering actions on the power outlet Any interaction from the app triggers the device to send back a full status and information about it ON/OFF Other actions Pre-requisites: Device MAC Device password (default admin:1234) There is no prompt to change the password and the actual setting is hidden a few screens away in the settings 11

Controlling the device remotely As simple as sending Tell this device to turn off the www.myedimax.com with the MAC address as identification Can be sent to all 16M mac addresses with no issues 12

Bonus feature email notifications Scheduled on/off actions can trigger e-mail notifications to the owner Configuring the e-mail notifications requires a working e-mail account and the app requests the e-mail credentials for SMTP authentication 13

Obfuscation!= Encryption 15

B64 of actual user email password 16

So far We can sniff and decrypt some sensitive data We can turn off (or on) virtually any of these power outlets in use right now What s next? WHAT S BETTER THAN ALL OF THOSE? 17

IF YOU RUN SYSTEM COMMANDS WITH RECEIVED DATA YOU RE GONNA HAVE A BAD TIME

Received creds are checked with a system command Setting the password to: asd;telnetd => echo n admin:asdf; telnetd md5sum Note: password is limited to 32 chars 19

Command injection Starting telnet is still not proper RCE, though, since the device is on a private network So we need to find a way to execute a connect-back shell in 32 chars

2 letter domains to the rescue! We were way beyond the character limit So we registered a 2 letter domain 21

A little stager script 22

Impact Difficult to defend against Full network compromise IoT botnets

Takeaways We need a security certification system for IoT, that looks at more than military grade encryption We need to educate or otherwise stimulate the vendors to have a proper incident response process and unattended update mechanisms We need to educate the users to get to get tools that can handle the security of their non-traditional devices. At the very least vulnerability checkers 24

Ask me anything abalan@bitdefender.com @jaymzu

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback