SESSION ID: SBX1-R1 EXPLOITING CLOUD SYNCHRONIZATION TO HACK IOTS Alex Jay Balan Chief Security Researcher Bitdefender @jaymzu
2
IoT = hardware + OS + app (+ Cloud) wu-ftpd IIS5.0 RDP Joomla app 3
EDIMAX Smart Power Outlet 4
Features and Setup Key features Easily switch on/off via mobile app Manually or scheduled E-mail notifications Power meter Wireless setup via mobile app Setup flow Download the app Plug the plug (sic!) The app searches for and connects to the EdiPlug Setup hotspot The user specifies the WiFi network to be used Setup ends Optional Setup e-mail alerts requires email credentials for SMTP 5
Device behavior After the app sends the wifi details, the device connects to the local network and sends an UDP broadcast of 22 bytes (hardcoded) First thing it does once connected (and periodically after that) is to check for network connectivity with a quick connection to www.google.com:80 6
Device behavior Hello, I m alive! to www.myedimax.com via UDP with details about the device. MAC address The device enters a loop in which it constantly sends UDP messages to www.myedimax.com in order to keep a connection active in the NAT table and receive UDP messages 7
LAN chatter Lighthttpd running on port 10000 used to receive commands from the mobile app. All commands require authentication and the creds are well hidden in the app (read: 99% of all users won t find or change them) We used these captures to extract the default creds. admin:1234 8
APP-Device interaction. More UDP security www.myedimax.com UDP message to www.myedimax.com Relevant fields: id value and auth value Id value = device mac Auth value = hashed user:password (default admin:1234) 9
APP-Device interaction. More UDP security www.myedimax.com The cloud sends an UDP message to the power outlet with connectivity information about the app (IP, port) and the auth hash The device generates a hash for its stored credentials and compares it with what it receives from the cloud If the hash doesn t match, it generates an error code (1120), conversation ends and the app gets no reply back If everything is ok, the device connects to the cloud relay which sends an OK signal to the app which also connects to the relay server establishing a tunnel to enable communication between the app and device 10
Triggering actions on the power outlet Any interaction from the app triggers the device to send back a full status and information about it ON/OFF Other actions Pre-requisites: Device MAC Device password (default admin:1234) There is no prompt to change the password and the actual setting is hidden a few screens away in the settings 11
Controlling the device remotely As simple as sending Tell this device to turn off the www.myedimax.com with the MAC address as identification Can be sent to all 16M mac addresses with no issues 12
Bonus feature email notifications Scheduled on/off actions can trigger e-mail notifications to the owner Configuring the e-mail notifications requires a working e-mail account and the app requests the e-mail credentials for SMTP authentication 13
Obfuscation!= Encryption 15
B64 of actual user email password 16
So far We can sniff and decrypt some sensitive data We can turn off (or on) virtually any of these power outlets in use right now What s next? WHAT S BETTER THAN ALL OF THOSE? 17
IF YOU RUN SYSTEM COMMANDS WITH RECEIVED DATA YOU RE GONNA HAVE A BAD TIME
Received creds are checked with a system command Setting the password to: asd;telnetd => echo n admin:asdf; telnetd md5sum Note: password is limited to 32 chars 19
Command injection Starting telnet is still not proper RCE, though, since the device is on a private network So we need to find a way to execute a connect-back shell in 32 chars
2 letter domains to the rescue! We were way beyond the character limit So we registered a 2 letter domain 21
A little stager script 22
Impact Difficult to defend against Full network compromise IoT botnets
Takeaways We need a security certification system for IoT, that looks at more than military grade encryption We need to educate or otherwise stimulate the vendors to have a proper incident response process and unattended update mechanisms We need to educate the users to get to get tools that can handle the security of their non-traditional devices. At the very least vulnerability checkers 24
Ask me anything abalan@bitdefender.com @jaymzu