hide yo' kids: hacking your family's connected things

Hide Yo’ Kids Hacking Your Family's Connected Things Mark Stanislav - Manager, Security Advisory Services

Upload: mark-stanislav

Post on 13-Apr-2017


Page 1: Hide Yo' Kids: Hacking Your Family's Connected Things

Hide Yo’ Kids

Hacking Your Family's Connected Things

Mark Stanislav - Manager, Security Advisory Services

Page 2: Hide Yo' Kids: Hacking Your Family's Connected Things

OR… HOW IOT IS JUST

A LOT OF INSECURE WEB SERVICES

Page 3: Hide Yo' Kids: Hacking Your Family's Connected Things

A Mess of Dependencies and Attack Surface

• Many IoT devices leverage third-party services, firmware, and software
• Some vendors put a lot of trust in their supply chain without testing security
• Implementation errors or failure to comply with best practices also occur
• Complex ecosystems mean that there are plenty of ways to screw up:
  • Mobile applications, cloud services, backend services, web applications, firmware, hardware, network protocols, wireless protocols, & cryptography
• It’s difficult for a single IoT vendor to be proficient in security across all of it
• The frameworks, protocols, and design patterns of IoT are still very much in flux

Page 4: Hide Yo' Kids: Hacking Your Family's Connected Things

SO, HOW DO WE HACK THESE THINGS?

Page 5: Hide Yo' Kids: Hacking Your Family's Connected Things

Via Dumping Firmware

Pomona SOIC Clip + Bus Pirate
flashrom to Dump Flash
binwalk to Extract Filesystems

Page 6: Hide Yo' Kids: Hacking Your Family's Connected Things

Via Brute Force of Various Means

Hash Cracking with cudaHashcat
Scouring Google for Useful Details

Page 7: Hide Yo' Kids: Hacking Your Family's Connected Things

Via Serial Console (UART)

JTagulator (or Bus Pirate, Shikra, etc.)
U-Boot Configuration
UART Scan & Connect

Page 8: Hide Yo' Kids: Hacking Your Family's Connected Things

Via JTAG (e.g. Dumping Memory via GDB)

Page 9: Hide Yo' Kids: Hacking Your Family's Connected Things

Via Mobile Applications

Acquire Firmware with dex2jar + JD-GUI for Android
View API Calls with mitmproxy (esp. SSL/TLS)
Find API End-Points with Clutch + strings for iOS

Page 10: Hide Yo' Kids: Hacking Your Family's Connected Things

Via Network Analysis

View Protocol Details with wireshark
Uncover Network Services with nmap

Page 11: Hide Yo' Kids: Hacking Your Family's Connected Things

Via Web Applications

XSS on Camera Cloud Web Service
Hidden Administrative Web Interface

Page 12: Hide Yo' Kids: Hacking Your Family's Connected Things

THE BABY MONITORS

Page 13: Hide Yo' Kids: Hacking Your Family's Connected Things

Thanks for nothing, CSI:Cyber

Page 14: Hide Yo' Kids: Hacking Your Family's Connected Things

A Variety of Vendors, Styles, Costs, & Features

| Vendor   | Model       | Price   | Amazon Rank* / Stars | Two-Way Audio | Pan | Tilt | Zoom | Wi-Fi | Ethernet |
|----------|-------------|---------|----------------------|---------------|-----|------|------|-------|----------|
| Gynoii   | GCW-1010    | $89.34  | #56 / 3.8            | ✓ | ✗ | ✗ | ✗ | ✓ | ✗ |
| iBaby    | M3S         | $169.95 | #243 / 3.4           | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ |
| iBaby    | M6          | $199.95 | #31 / 3.7            | ✓ | ✓ | ✓ | ✓ | ✓ | ✗ |
| Lens     | LL-BC01W    | $54.99  | #149 / 2.8           | ✓ | ✗ | ✗ | ✗ | ✓ | ✓ |
| Philips  | B120/37     | $77.54  | #N/A / 2.2           | ✓ | ✗ | ✗ | ✗ | ✓ | ✗ |
| Summer   | 28630       | $199.99 | #64 / 3.1            | ✓ | ✓ | ✓ | ✓ | ✓ | ✗ |
| TRENDnet | TV-IP743SIC | $69.99  | #N/A / 3.5           | ✓ | ✗ | ✗ | ✓ | ✓ | ✗ |
| WiFiBaby | WFB2015     | $259.99 | #156 / 3.2           | ✗ | ✗ | ✗ | ✓ | ✓ | ✓ |
| Withings | WBP01       | $204.60 | #101 / 2.9           | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ |

* Amazon Ranking Based on Category “Baby > Safety > Monitors”, Which Includes Non-IoT Baby Monitors

Page 15: Hide Yo' Kids: Hacking Your Family's Connected Things

Withings WBP01 - $204.60

Page 16: Hide Yo' Kids: Hacking Your Family's Connected Things

Disabled Doesn’t Quite Mean What it Used To

After a stream exists, “disabling” it via the app doesn’t actually stop it…

20 Minutes Later… The Stream Still Works!

Page 17: Hide Yo' Kids: Hacking Your Family's Connected Things

When Obfuscation Goes Wrong, or, Not at All?

At first, this looks like a really poor attempt at an obfuscation method to “hide” the password for this web service account. On further review, however, the mchunk method simply returns at the start of the for loop, so its output is just the concatenation of “ff” and the integer passed as a parameter. Was this obfuscation intended to be enabled? Did someone give up on their dream of confusing reverse engineers? The world may never know…

Page 18: Hide Yo' Kids: Hacking Your Family's Connected Things

WiFi Baby WFB2015 - $259.99

Page 19: Hide Yo' Kids: Hacking Your Family's Connected Things

UPnP RCE Bugs, CVE-2012-5958 & CVE-2012-5959

UPnP Bugs: Alive and Well in Baby Monitoring

Page 20: Hide Yo' Kids: Hacking Your Family's Connected Things

Lens Peek-A-View (LL-BC01W) - $54.99

Page 21: Hide Yo' Kids: Hacking Your Family's Connected Things

If You Needed Some Free Cloud Storage

An FTP Account Per Camera, Apparently Used for Configuration Backups

[redacted]

Page 22: Hide Yo' Kids: Hacking Your Family's Connected Things

Backdoor Credentials Galore

Hidden Web Interface Credentials

Cracking the Linux ‘admin’ Password

This account has functional ‘root’ privilege due to ugly permissions

The Live Stream Passes Credentials in URL over HTTP

Page 23: Hide Yo' Kids: Hacking Your Family's Connected Things

Gynoii GCW-1010 - $89.34

Page 24: Hide Yo' Kids: Hacking Your Family's Connected Things

Unencrypted Web Services - Local and Cloud

Local Administrative API Calls

Vendor Cloud API Calls

Hidden Device Web Interface

Third-Party Streaming Service

None of these services or APIs use any encryption and often pass sensitive credentials and keys

Page 25: Hide Yo' Kids: Hacking Your Family's Connected Things

TRENDnet TV-IP743SIC - $69.99

Page 26: Hide Yo' Kids: Hacking Your Family's Connected Things

2-for-1 — Unencrypted Web Service + XSS

Either MITM a User or Just BYOJS to their DOM :)

[redacted]

Page 27: Hide Yo' Kids: Hacking Your Family's Connected Things

Telnet Available, Just Not Default

A Remote Shell Waiting to Happen…

Pro Tip: Remove Remote Access Services, Don’t Just Disable Them!

Username: root Password: admin

Page 28: Hide Yo' Kids: Hacking Your Family's Connected Things

iBaby M3S - $169.95

Page 29: Hide Yo' Kids: Hacking Your Family's Connected Things

Uncovering Backdoor Linux Accounts & Access

An nmap Scan Reveals Telnet :)

Password is “Protected” by UNIX Crypt

Username: admin Password: admin

* FYI, there is no ‘root’ on here, only ‘admin’

Page 30: Hide Yo' Kids: Hacking Your Family's Connected Things

iBaby M3S - A Historical Look at Software?

✦ U-Boot: 1.1.3, released August 14th, 2005
✦ OpenSSL: 0.9.8e, released February 23rd, 2007
✦ Linux Kernel: 2.6.21, released April 26th, 2007
✦ BusyBox: 1.12.1, released September 28th, 2008
✦ UNIX Crypt: First appeared in 1979, limited to 8-character passwords
✦ Telnet: Developed in 1968 — SSH-1 came out in 1995…

Page 31: Hide Yo' Kids: Hacking Your Family's Connected Things

Encryption! Just Not Great Choices For it :)

Stream Encryption… with XXTEA?

Encrypted Backups… with a Hardcoded Password?

Page 32: Hide Yo' Kids: Hacking Your Family's Connected Things

iBaby M6 - $199.95

Page 33: Hide Yo' Kids: Hacking Your Family's Connected Things

Cryptography? Naw, They Are Just Babies…

Unencrypted Web Service Login

Telnet & Unencrypted HTTP on Device

Unencrypted Mobile API Calls

Page 34: Hide Yo' Kids: Hacking Your Family's Connected Things

This is the iBaby Cloud Web Site Today…

Login for Camera Owners …and What is Now Returned on Login…

Page 35: Hide Yo' Kids: Hacking Your Family's Connected Things

But a Few Months Ago, Direct Object Reference!

[Screenshots: proper account on the left, “attacker” account on the right]

No Authorization/Privilege Given to Our “Attacker” Account

Page 36: Hide Yo' Kids: Hacking Your Family's Connected Things

Full Access to All Audio & Motion Alert Videos

View Source -> Find AVI Filename -> Access Static CloudFront URL

[Screenshot: “Attacker” account]

Don’t let the broken images fool you… there’s live data ready to be viewed!

[redacted]


Page 37: Hide Yo' Kids: Hacking Your Family's Connected Things

Unauthenticated Access to Unencrypted Videos

Example AVI Thumbnail File

Video Downloads via Amazon CloudFront

✦ URLs are not requested via HTTPS

✦ No IAM credentials or signed URLs

Mobile API Call for Alert Video Retrieval

[redacted]


Page 38: Hide Yo' Kids: Hacking Your Family's Connected Things

Philips In.Sight B120/37

Page 39: Hide Yo' Kids: Hacking Your Family's Connected Things

Everything Old is New Again…

My IZON Research - 2013
My InSight Research - 2015

The question is…

Did security issues fixed by one camera manufacturer ever trickle into devices also leveraging the same firmware?

Page 40: Hide Yo' Kids: Hacking Your Family's Connected Things

Shout out to Paul Price for his research into the In.Sight M100 which shares a few issues from my old Stem Innovation IZON research and subsequent research into the In.Sight B120. Check out his site detailing this and other research at ifc0nfig.com!

A Quick Look at “Old” Security Issues Still There

No SSL on Backend Web Service

Telnet Enabled by Default (Until Recently)

Multiple Hardcoded Linux Accounts

Insecure Firmware Upgrade Process

Page 41: Hide Yo' Kids: Hacking Your Family's Connected Things

A Few Newer Issues. But Wait, There’s More! :)

Multiple XSS on Web Service Portal

Backdoor Telnet Enablement Script

Predictable ‘admin’ Web Service Password

Username: root Password: b120root

Page 42: Hide Yo' Kids: Hacking Your Family's Connected Things

Unauthenticated Administrative Camera Access

[Diagram: User → Internet → HTTP Reverse Proxy → Home Network → Camera Web Service (HTTP/80); every hop is clear text]

When a remote end user requests their camera’s stream, an HTTP reverse proxy is opened on a public host & port number, directly to the camera’s backend web service, allowing for a remote attacker to achieve the following:

✦ Unauthenticated and unencrypted video/audio stream access to the user’s camera
✦ Full administrative access to the camera’s powerful backend web service
  ✦ This includes manipulating camera configuration or even re-enabling Telnet

Page 43: Hide Yo' Kids: Hacking Your Family's Connected Things

Finding Exposed Cameras on the Internet

The reverse proxy is set up by the stream provider, Yoics, and has a finite number of enumerable hostnames, each with about 30,000 possible ports that may be utilized. While this may seem like a lot, an attacker could test this entire range every minute to look for exposed cameras with a simple script or perhaps something powerful like zmap.

Unencrypted, Unauthenticated Remote Camera Access

Now “Friends” Can Remotely Enable Telnet For You! :)

Take David Adrian’s Word For It :)

Page 44: Hide Yo' Kids: Hacking Your Family's Connected Things

Baby Monitors — Now With 100% More Track Suit

…Because Car Hacking…

Page 45: Hide Yo' Kids: Hacking Your Family's Connected Things

Summer Infant Baby Zoom (28630) - $199.99

Page 46: Hide Yo' Kids: Hacking Your Family's Connected Things

Oh, Be Sure to Change Your Password…

Default New User Passwords == Last name (truncated to 8 characters) + Group ID

This is not required to be changed on first login and could be enumerated if someone knows that you have this device — simply iterate over group ID integers!

Page 47: Hide Yo' Kids: Hacking Your Family's Connected Things

Adding a Privileged User to Any & All Cameras

Before… After!

This HTTP call could be run against all possible IDs

Page 48: Hide Yo' Kids: Hacking Your Family's Connected Things

Coordinated Disclosure Timeline

Initial Vendor Disclosure: July 4th, 2015 — Because America!
CERT Disclosure: July 21st, 2015 — 17 Days After Vendor Disclosure
Public Disclosure: September 2nd, 2015 — 60 Days After Vendor Disclosure

Page 49: Hide Yo' Kids: Hacking Your Family's Connected Things

A Modest Baby Monitor Security Checklist

| Vendor   | Model       | Local API HTTP SSL | Cloud API HTTP SSL | No Remote Shell | No Hidden Accounts | No Known Vulns | No UART Access | All Streams Encrypted |
|----------|-------------|--------------------|--------------------|-----------------|--------------------|----------------|----------------|-----------------------|
| Gynoii   | GCW-1010    | ✗   | ✗   | ✗ | ✗ | ✓ | ✗ | ✗ |
| iBaby    | M3S         | N/A | ✓   | ✗ | ✗ | ✓ | ✗ | ✓ |
| iBaby    | M6          | ✗   | ✗   | ✗ | ✗ | ✗ | ✗ | ✗ |
| Lens     | LL-BC01W    | ✗   | ✗   | ✓ | ✗ | ✓ | ✗ | ✗ |
| Philips  | B120/37     | ✗   | ✓   | ✗ | ✗ | ✗ | ✗ | ✗ |
| Summer   | 28630       | ✓   | ✓   | ✓ | ✗ | ✗ | ✗ | ✗ |
| TRENDnet | TV-IP743SIC | ✗   | ✗   | ✓ | ✗ | ✗ | ✗ | ✗ |
| WiFiBaby | WFB2015     | ✗   | N/A | ✓ | ✗ | ✗ | ✗ | ✗ |
| Withings | WBP01       | N/A | ✗   | ✗ | ✗ | ✓ | ✗ | ✗ |

Page 50: Hide Yo' Kids: Hacking Your Family's Connected Things

Scoring Baby Monitors for Overall Security

| Security Concern      | Description of Concern                                                                        | Penalty for Missing |
|-----------------------|-----------------------------------------------------------------------------------------------|---------------------|
| Local API HTTP SSL    | All local web service/API calls should be encrypted, regardless of being on a LAN.            | -20 Points |
| Cloud API HTTP SSL    | All Internet-facing web service/API calls should be encrypted, including registration.        | -30 Points |
| No Remote Shell       | The presence of a remote shell (e.g. Telnet, SSH) creates additional attack surface.          | -50 Points |
| No Hidden Accounts    | All accounts, whether web services or shell access, should be known to customers.             | -30 Points |
| No Known Vulns        | All portions of the camera’s supply chain should be free of serious vulnerabilities.          | -75 Points |
| No UART Access        | Devices should disable direct serial access and definitely not drop to a root shell.          | -10 Points |
| All Streams Encrypted | All video/audio streams, whether live or recorded, should be encrypted end-to-end.            | -35 Points |

All Cameras Start With 250 Points and Receive Deductions

Page 51: Hide Yo' Kids: Hacking Your Family's Connected Things

Baby Monitor by Security Score & Grade

| Vendor   | Model       | Price   | Amazon Rank / Stars | Score | Grade* |
|----------|-------------|---------|---------------------|-------|--------|
| Gynoii   | GCW-1010    | $89.34  | #56 / 3.8           | 75    | F |
| iBaby    | M3S         | $169.95 | #243 / 3.4          | 160   | D |
| iBaby    | M6          | $199.95 | #31 / 3.7           | 0     | F |
| Lens     | LL-BC01W    | $54.99  | #149 / 2.8          | 125   | F |
| Philips  | B120/37     | $77.54  | #N/A / 2.2          | 30    | F |
| Summer   | 28630       | $199.99 | #64 / 3.1           | 100   | F |
| TRENDnet | TV-IP743SIC | $69.99  | #N/A / 3.5          | 50    | F |
| WiFiBaby | WFB2015     | $259.99 | #156 / 3.2          | 80    | F |
| Withings | WBP01       | $204.60 | #101 / 2.9          | 95    | F |

* Grading Scale Based on Points: F: < 150 (<60%) ; D: 150 - 174 (60-69%) ; C: 175 - 199 (70-79%) ; B: 200 - 224 (80-89%) ; A: 225 - 250 (90-100%)
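The scoring model from the last three slides, re-implemented as an added example (not the author's own tooling): the checklist rows are transcribed from the deck, N/A entries are treated as not penalised, and a small helper shows which single fix would lift each camera the most. The item names are my own labels for the checklist columns.

```python
"""Added example: the talk's 250-point baby monitor scoring model. Each failed
checklist item costs a fixed penalty; N/A items (no such interface) cost nothing.
Checklist rows are transcribed from the deck; item names are this example's."""

START_POINTS = 250

# Checklist item -> penalty for missing it, in the slide's column order.
PENALTIES = {
    "local_api_ssl": 20,
    "cloud_api_ssl": 30,
    "no_remote_shell": 50,
    "no_hidden_accounts": 30,
    "no_known_vulns": 75,
    "no_uart_access": 10,
    "streams_encrypted": 35,
}

# True = check mark, False = cross, None = N/A, in the same column order.
CHECKLIST = {
    "Gynoii GCW-1010":      (False, False, False, False, True,  False, False),
    "iBaby M3S":            (None,  True,  False, False, True,  False, True),
    "iBaby M6":             (False, False, False, False, False, False, False),
    "Lens LL-BC01W":        (False, False, True,  False, True,  False, False),
    "Philips B120/37":      (False, True,  False, False, False, False, False),
    "Summer 28630":         (True,  True,  True,  False, False, False, False),
    "TRENDnet TV-IP743SIC": (False, False, True,  False, False, False, False),
    "WiFiBaby WFB2015":     (False, None,  True,  False, False, False, False),
    "Withings WBP01":       (None,  False, False, False, True,  False, False),
}

# Grade floors from the slide: A 225-250, B 200-224, C 175-199, D 150-174, else F.
GRADES = ((225, "A"), (200, "B"), (175, "C"), (150, "D"))


def score(results):
    """Deduct the penalty for every failed item; N/A items are skipped."""
    points = START_POINTS
    for (_item, penalty), passed in zip(PENALTIES.items(), results):
        if passed is False:
            points -= penalty
    return points


def grade(points):
    """Map a point total onto the slide's letter grades."""
    for floor, letter in GRADES:
        if points >= floor:
            return letter
    return "F"


def scorecard():
    """(score, grade) for every camera in the checklist."""
    return {name: (score(r), grade(score(r))) for name, r in CHECKLIST.items()}


def best_single_fix(name):
    """The one failed item whose fix raises this camera's score the most, with
    the resulting score; ties go to the earlier checklist column."""
    results = list(CHECKLIST[name])
    best = None
    for i, item in enumerate(PENALTIES):
        if results[i] is False:
            fixed = results[:i] + [True] + results[i + 1:]
            if best is None or score(fixed) > best[1]:
                best = (item, score(fixed))
    return best
```

Running `scorecard()` reproduces the Score and Grade columns above; `best_single_fix("Summer 28630")` shows that clearing the known supply-chain vulnerabilities alone would move that camera from F to C.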

Baby is Unsatisfied

Page 52: Hide Yo' Kids: Hacking Your Family's Connected Things

CONNECTED CHILDREN

Page 53: Hide Yo' Kids: Hacking Your Family's Connected Things

Fisher-Price Smart Toy® - $85

Page 54: Hide Yo' Kids: Hacking Your Family's Connected Things

Smart Toy® - Features and Function

✦ An Android-based connected stuffed animal that features Wi-Fi, Bluetooth, a (poor) camera, and two-way audio functionality
✦ Allows for interaction between a child and the stuffed animal to play games of both educational and entertainment focuses
✦ Features a mobile application for parents that includes setting up a profile for the child and controlling the actions of the device

Page 55: Hide Yo' Kids: Hacking Your Family's Connected Things

Getting Inside the Device… Not So Carefully

Page 56: Hide Yo' Kids: Hacking Your Family's Connected Things

Android Meets IoT, 1 of 2

USB for Charging
USB for Shenanigans
Running Android!

Page 57: Hide Yo' Kids: Hacking Your Family's Connected Things

Android Meets IoT, 2 of 2

File Transfer
Filesystem via adb pull
“I Have a Shell” Commands

Page 58: Hide Yo' Kids: Hacking Your Family's Connected Things

API = Always Poorly Implemented

| API Call | Capabilities |
|----------|--------------|
| /api/parent-toy-interface/getToys?customerId=%s | Retrieve any chosen customer’s toy details, e.g. profile ID, toy ID, toy name, toy type |
| /api/customer-get-profiles | Retrieve any chosen child’s profile details, e.g. birthday, name, gender & device ID |
| /api/get-parent-online-status?deviceID= | Determine if any chosen toy’s owner (parent) is actively using the mobile application |
| /api/get-toy-online-status?token=%s&deviceID=%s | Determine if any chosen toy is currently connected & active |
| /api/customer-edit-profile | Alter any chosen child’s birthday, name, and gender |
| /api/parent-toy-interface/updateToys | Alter any chosen toy’s assignment to any chosen child’s profile (i.e. hijack the toy) |
| /api/customer-create-profile | Create a custom profile that is associated to any chosen customer account |
| /api/customer-delete-profile | Delete a profile that is associated to any chosen customer account |

Important API Calls Found to Be Vulnerable

✦ 12 mobile-API calls were determined to not properly authorize that the requesting session was appropriate to create, read, update, and/or delete aspects of customer accounts, profiles, and toys

✦ Outcome? Information leaks, toy hijacking, and account alteration

Page 59: Hide Yo' Kids: Hacking Your Family's Connected Things

What’s the Actual Result of This?

✦ Steal every child’s profile data, which includes their name, date of birth, gender, spoken language, and associated toys

✦ Hijack every child’s toy and make the toy perform built-in activities on demand, without the parent or child’s consent

✦ Create, alter, or delete profiles under a customer’s account, which associates to toys and will appear in the mobile app

✦ Leak information about the current activity of the child and/or parent through status indicators provided via the device & app

Page 60: Hide Yo' Kids: Hacking Your Family's Connected Things

Altering a Profile’s Details via the Mobile API

Mostly Harmless, But Really Disconcerting to a Parent

Page 61: Hide Yo' Kids: Hacking Your Family's Connected Things

Coordinated Disclosure Timeline

Initial Vendor Disclosure: November 23rd, 2015
CERT Disclosure: December 8th, 2015 — 15 Days After Vendor Disclosure
Public Disclosure: February 2nd, 2016 — 71 Days After Vendor Disclosure

Page 62: Hide Yo' Kids: Hacking Your Family's Connected Things

hereO - $179 (Watch) / $0 (Mobile App)

Page 63: Hide Yo' Kids: Hacking Your Family's Connected Things

hereO - Features and Function

✦ Both a mobile application and ‘smart watch’ (made for children) tie into a platform allowing for GPS tracking of family members
✦ Features geo-fencing with alerts + full location history
✦ Provides a text message function + ‘panic alarm’ mode
✦ Funded through Indiegogo ($215k) + outside investment ($2M)
✦ The mobile app has been in the iOS store since March, 2014
✦ Beta versions of the smart watch have been reported in use
✦ I didn’t have one, so, the mobile app was my entire world :)

Page 64: Hide Yo' Kids: Hacking Your Family's Connected Things

Thinking Like a Developer… for Bad Things

Sending My User’s Session and ID? Red flag!

[Screenshots of three API requests, with callouts marking the values each one sends:]

User Account Creation: <- My User ID
User Session Creation: <- My Session
Inviting a New User to my ‘Family’ via the API: <- My User ID, <- My Session

Page 65: Hide Yo' Kids: Hacking Your Family's Connected Things

What’s Wrong, Exactly?

✦ It’s at least weird that an API request with a user’s session (token) would also send that user’s ID — it’s pretty redundant
✦ If we have a session, the backend already knows the user ID
✦ Often when a request is sent with redundant information, it may mean that the developer is trusting a user-specified parameter that should otherwise be determined by the authorized session
✦ May be a simple developer mistake of using user-controlled data (e.g. $post.userId) versus service-controlled (e.g. $session.userId)
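The redundant-parameter mistake described here, and the same class of bug behind the Smart Toy's `getToys?customerId=` call, shown in miniature as an added example (not hereO's or Fisher-Price's code): each handler receives a session token plus a client-supplied account ID, the vulnerable versions act on the ID, and the fixed versions derive the actor from the session and treat the ID as a consistency check. Sessions, users and the in-memory store are constructed for illustration.

```python
"""Added example: trusting $post.userId / customerId instead of the session.
SESSIONS, FAMILIES and TOYS are constructed state, not any vendor's backend."""


class Forbidden(Exception):
    """Raised when a request is authenticated but not authorized."""


# Constructed backend state: token -> user, family owner -> members, owner -> toys.
SESSIONS = {"tok-alice": "alice", "tok-mallory": "mallory"}
FAMILIES = {"alice": {"alice"}, "mallory": {"mallory"}}
TOYS = {"alice": ["bear-001"], "mallory": []}


def session_user(request):
    """Authentication only: who presented a valid session token?"""
    user = SESSIONS.get(request.get("session"))
    if user is None:
        raise Forbidden("invalid session")
    return user


def resolve_actor(request):
    """Authorization: the actor is the session's user, full stop. A redundant
    userId/customerId in the request is tolerated only if it names that same
    user; any other value is a request to act on somebody else's account."""
    actor = session_user(request)
    for key in ("userId", "customerId"):
        if key in request and request[key] != actor:
            raise Forbidden(f"{key} does not match session")
    return actor


def invite_vulnerable(request):
    """hereO-style bug: authenticated, but the family is chosen by userId."""
    session_user(request)
    FAMILIES[request["userId"]].add(request["invitee"])
    return sorted(FAMILIES[request["userId"]])


def invite_fixed(request):
    """Same call, but the family is the caller's own; a foreign userId is refused."""
    actor = resolve_actor(request)
    FAMILIES[actor].add(request["invitee"])
    return sorted(FAMILIES[actor])


def get_toys_vulnerable(request):
    """Smart Toy-style bug: getToys?customerId=<anyone> returns their toys."""
    session_user(request)
    return list(TOYS[request["customerId"]])


def get_toys_fixed(request):
    """Only the session owner's toys are ever returned."""
    return list(TOYS[resolve_actor(request)])


def denied(handler, request):
    """True if the handler refuses the request with Forbidden."""
    try:
        handler(request)
    except Forbidden:
        return True
    return False


def reset_state():
    """Restore the constructed state so scenarios can be replayed."""
    FAMILIES.update({"alice": {"alice"}, "mallory": {"mallory"}})
```

A useful review habit follows from this: whenever a request body carries an identifier the session already implies, check whether the handler reads it as authority or merely as a cross-check.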

Page 66: Hide Yo' Kids: Hacking Your Family's Connected Things

Understanding the Attack Workflow

Page 67: Hide Yo' Kids: Hacking Your Family's Connected Things

Email, Email, What-What, the Email

The Attacker is Invited by Pawn

Pawn is Told the Attacker Accepted

Target is Told Attacker was Added

Worried about that last email? We control the user’s name… “THIS IS A SYSTEM TEST, PLEASE IGNORE, joined your family as a friend” :)

Page 68: Hide Yo' Kids: Hacking Your Family's Connected Things

Seeing is Believing…

[Screenshots: Before Attack, tracking the Attacker only; After Attack, now tracking the Target, too!]

✦ Pawn Sends a UserInvite Request
✦ Attacker Accepts the Pawn’s Invitation
✦ Attack Executed Against The Target’s Account

Owned. The Attacker is now part of the Target’s “family” with full privileges!

Page 69: Hide Yo' Kids: Hacking Your Family's Connected Things

Coordinated Disclosure Timeline

Initial Vendor Disclosure: October 24th, 2015
CERT Disclosure: November 23rd, 2015 — 30 Days After Vendor Disclosure
Public Disclosure: February 2nd, 2016 — 101 Days After Vendor Disclosure

Page 70: Hide Yo' Kids: Hacking Your Family's Connected Things

Not All Hope is Lost, However :)

BuildItSecure.ly: Initiative targeted at sharing technical resources with IoT engineering teams and pairing IoT vendors with pro-bono security researchers.

OWASP IoT Top 10: Provides vendors a list of the top 10 areas of IoT security that should be focused on during development to ensure a secure ecosystem.

Online Trust Alliance: Currently devising the IoT Trust Framework, aimed at providing vendors with clear guidance around IoT privacy and security needs.

Google Projects: Brillo is a hardened, stripped-down version of Android for IoT, while secure Weave is a secure solution for inter-device communication.

Page 71: Hide Yo' Kids: Hacking Your Family's Connected Things

…AND REMEMBER…

Page 72: Hide Yo' Kids: Hacking Your Family's Connected Things

Thanks! Questions?

Mark Stanislav [email protected] @markstanislav