Ken Munro, Pentest Partners, IoT Forum 2016

[email protected] | +44 (0)20 3095 0500 | @PenTestPartners | www.youtube.com/PenTestPartnersLLP

Vulnerabilities in the Internet of Things, or How weak mobile app code led us to a bunch of IoT bugs

Upload: iot-forum

Posted on 23-Jan-2018

TRANSCRIPT

Page 1: Ken Munro Pentest Partners IoT Forum 2016

Vulnerabilities in the Internet of Things

or

How weak mobile app code led us to a bunch of IoT bugs

Page 2: Ken Munro Pentest Partners IoT Forum 2016

Warning:

This presentation may contain hot liquids

(and swearing)

Page 3: Ken Munro Pentest Partners IoT Forum 2016

Basic mobile app security principle:

Write it securely

Obfuscate the code to make reverse engineering really tough

Page 4: Ken Munro Pentest Partners IoT Forum 2016

What’s the problem?

Huge increase in attack surface:

Mobile app security

Web app security

API security

Mobile device security

IoT device hardware/firmware security

RF security

For a manufacturer of ‘things’…

Page 5: Ken Munro Pentest Partners IoT Forum 2016

My Wi-Fi Kettle

Er yeah. Why?

Nice idea, if pointless

Future potential quite interesting

Coffee machine ships mid October

Security-fail central

Page 6: Ken Munro Pentest Partners IoT Forum 2016

Attacking a kettle

#1 port scan

#2 disassembly

#3 locate chipset manuals

#4 review source code

#5 find code fails

#6 0wnage

Page 7: Ken Munro Pentest Partners IoT Forum 2016

How to reverse Android apps

First, get the APK; you can use ADB to extract it from the phone

Then decompile using Dex2Jar or Jadx: https://github.com/pxb1988/dex2jar

Figure out how the app works

Edit Dalvik bytecode using APKTool (smali): https://ibotpeaches.github.io/Apktool/

Or simply edit resources it uses

Recompile, sign with any key, distribute

Page 8: Ken Munro Pentest Partners IoT Forum 2016

Page 9: Ken Munro Pentest Partners IoT Forum 2016

Attacking a kettle

Other crazy consequences:

Write your own client software – kudos to Mark J Cox

Geo-locate unconfigured wireless kettles

Geo-locate configured wireless kettles

‘Steamy windows’ attack, run up victim’s power bill

WIP: exploding kettle

Page 10: Ken Munro Pentest Partners IoT Forum 2016

Page 11: Ken Munro Pentest Partners IoT Forum 2016

Their latest releases

iKettle 2.0

Wi-Fi coffee machine

New app

New fun

More caffeine-fuelled reverse engineering

Page 12: Ken Munro Pentest Partners IoT Forum 2016

Page 13: Ken Munro Pentest Partners IoT Forum 2016

My Friend Cayla

Remember our sweary talking doll?

A year is a long time in security…

Page 14: Ken Munro Pentest Partners IoT Forum 2016

Attacking a kids doll

#1 hardware issues

#2 disassembly

#3 root phone

#4 locate local database

#5 modify content

#6 redeploy

Page 15: Ken Munro Pentest Partners IoT Forum 2016

Hacking Cayla

Wikipedia API

Evil API

Bluetooth

Voice recognition

Local Q database + ‘badwords’

MITM

Modify unencrypted data in transit

Evil phone, modified app

Modify SQLite DB contents

Tamper with anti-swearing process

API call broken when Wikipedia enforced SSL!

Page 16: Ken Munro Pentest Partners IoT Forum 2016

Putting it right

Manufacturer clearly doesn’t ‘get’ security

“We will be issuing an update to the mobile app to fix the issues raised” – except they didn’t

Implementing SSL will help, so long as certificate pinning is enforced

Otherwise, MITM again

But Bluetooth promiscuity cannot be fixed, as there is no security in the pairing process

Page 17: Ken Munro Pentest Partners IoT Forum 2016

Vendor updates the app

Our attack stopped working a while back, after the application was finally updated

They ‘fixed’ it by encrypting the database contents with SQLcipher

Er – ignoring the issues that actually mattered

Page 18: Ken Munro Pentest Partners IoT Forum 2016

My Friend Freddy Bear

Nothing changes…

Whilst reverse engineering the iOS version of Cayla’s app, a researcher found a ‘machine gun’ sound file in her code

Action Cayla?

Freddy Bear shipped this Xmas, equally vulnerable

Slightly more annoying

Page 19: Ken Munro Pentest Partners IoT Forum 2016

The media don’t help

CSI Cyber contacted us about My Friend Cayla

A talking doll involved in a murder. So we wrote a technically plausible ‘hack’ for them

In the end they just dubbed a Barbie-alike!

Page 20: Ken Munro Pentest Partners IoT Forum 2016

Hello Barbie

Totally different security model

BUT

Wi-Fi PSK stored on board

Potential to intercept mike

Some other data cached on board

…and parents can create accounts to view child’s activity

Page 21: Ken Munro Pentest Partners IoT Forum 2016

Samsung Smart Fridge

Samsung RF28HMELBSR Smart Fridge

View Google calendars, weather, recipes, TV etc

Did I say ‘utterly pointless’?

Spectacularly fails to properly encrypt your Gmail password

Drive past your house, attack fridge, steal your email

Page 22: Ken Munro Pentest Partners IoT Forum 2016

Samsung Washing machine

Samsung WW10H9600EW ‘smart’ washer

Work in progress, but allows remote control of your washing machine

Similar control to smart fridge

Wi-Fi network primary attack vector

Amusing conversation with installer: “Can I plumb it in for you?”

“No thanks, I’m not using it for washing”

-> very confused look

At least SSL certs are validated

Page 23: Ken Munro Pentest Partners IoT Forum 2016

Hoover Wizard

Page 24: Ken Munro Pentest Partners IoT Forum 2016

Hoover Wizard

Ready for a train wreck?

Time to look at the mobile app code

Static oauth tokens for API

Plain text control on local network

with ‘encription’

Can we set fire to it?

Page 25: Ken Munro Pentest Partners IoT Forum 2016

Ring Wi-Fi doorbell

Remove doorbell: unscrew two T6 Torx screws

Push setup button on rear of bell

Connect to embedded web server running on Gainspan Wi-Fi module

User’s Wi-Fi PSK displayed in plain text…

Page 26: Ken Munro Pentest Partners IoT Forum 2016

Ring Wi-Fi doorbell

For once, a vendor that actually responded quickly and effectively

Acknowledged bug within about 20 minutes of Twitter DM

Fix pushed within 2 weeks

But, still trackable:

Page 27: Ken Munro Pentest Partners IoT Forum 2016

Internet scales

FitBit Aria internet scales

Connects to your network over Wi-Fi

Shares weight & fatness through Fitbit online services

Set-up guest only: IDs the user by weight

Don’t eat too many pies overnight

Sends your home SSID to FitBit servers at registration, potential to identify user

Fitbit could therefore geolocate you with wigle.net

Nothing on the board appears to be encrypted

Limited processing power & storage

Page 28: Ken Munro Pentest Partners IoT Forum 2016

Setup mode PSK disclosure

Put kettle into setup mode: either push the reset button, or take out the batteries

Navigate to URL here

PSK disclosed in plain text

Found & reported, fixed in firmware 38

How we found it:

Page 29: Ken Munro Pentest Partners IoT Forum 2016

Page 30: Ken Munro Pentest Partners IoT Forum 2016

UART

SPI

Page 31: Ken Munro Pentest Partners IoT Forum 2016

JTAG

Page 32: Ken Munro Pentest Partners IoT Forum 2016

Star Wars

Remember this guy?

Surely BB-8 can’t have vulnerabilities?

Page 33: Ken Munro Pentest Partners IoT Forum 2016

Wearables

Wi-Fi eminently more trackable than other RF technologies

Mostly due to war driving and wigle.net

Though still potential with Bluetooth, BT LE, Zigbee, Z-Wave

802.11ah HaLow concerning

What do you sync your device with?

Page 34: Ken Munro Pentest Partners IoT Forum 2016

Wearables – smart bra

Innovative approach to heart rate monitoring

Some discussion about being able to assess other stats, such as body temperature

Not quite shipping yet: www.omsignal.com

Can’t wait…

Page 35: Ken Munro Pentest Partners IoT Forum 2016

Wearables – tracking

The HRM in the smart clothing syncs with a smart phone and fitness app

Strava, MapMyRun, Nike+, Runkeeper

And Runtastic, which had a lovely vulnerability that allowed unauthenticated live tracking…

Page 36: Ken Munro Pentest Partners IoT Forum 2016

Tracking by fitness apps

Privacy for various activity tracking apps is dreadful

Runkeeper, MapMyRun, Strava, Runtastic

All had privacy settings off by default

Generally hard to find and configure privacy

Strava, in fairness, mailed users on day 2 to show how

Most had sequential session IDs

Runtastic had the shocking real-time tracking bug, even when profile set to private

Only Nike+ seemed to get security & privacy ‘right’
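As an added example (not from the talk) of checking the session-ID point above: a Python test for whether a sample of session identifiers is enumerable, either because they are sequential or because they carry too little entropy. The IDs are constructed, and the 64-bit floor is assumed from OWASP's session management guidance.

```python
import math
from collections import Counter

# Constructed sample session IDs, not captured from any real service: the first
# set is what a sequential issuer hands out, the second what a CSPRNG issuer does.
SEQUENTIAL_IDS = ["10057121", "10057122", "10057123", "10057124", "10057125"]
RANDOM_IDS = ["k3Qx9vLp2ZbT", "A8fWq1nRs0Yd", "zV7mC4hJe6Pu",
              "Gt2yN5xK8rLw", "gOcBjEiUlFaS"]

# Assumed policy: OWASP's session management guidance asks for at least
# 64 bits of entropy in a session identifier.
MIN_ENTROPY_BITS = 64


def is_sequential(ids):
    """True when every ID is an integer and consecutive IDs differ by one small, constant step."""
    try:
        nums = [int(i) for i in ids]
    except ValueError:
        return False
    diffs = {b - a for a, b in zip(nums, nums[1:])}
    return len(diffs) == 1 and 0 < diffs.pop() <= 1000


def entropy_bits_per_char(ids):
    """Shannon entropy of the pooled character distribution, in bits per character."""
    counts = Counter("".join(ids))
    total = sum(counts.values())
    return -sum(c / total * math.log2(c / total) for c in counts.values())


def estimated_entropy_bits(ids):
    """Crude upper bound on ID entropy: bits per character times mean ID length."""
    mean_len = sum(len(i) for i in ids) / len(ids)
    return entropy_bits_per_char(ids) * mean_len


def guessable(ids):
    """Flag IDs an attacker could enumerate: sequential, or short of the floor even by this generous estimate."""
    return is_sequential(ids) or estimated_entropy_bits(ids) < MIN_ENTROPY_BITS
```

The entropy estimate is an upper bound from a small sample, so a passing result only means the IDs are not obviously weak; a failing one is conclusive.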

Page 37: Ken Munro Pentest Partners IoT Forum 2016

iSpy Tank

Wi-Fi access point with tracks

Static creds to web interface

Take control from outside the victim’s house

Go spy!

Thermostats, LightwaveRF etc etc all being investigated

Page 38: Ken Munro Pentest Partners IoT Forum 2016

In summary

IoT product vendors have a lot to learn about security

So do some mobile app coders

Finding these bugs would have been really tough if the code was properly obfuscated

Check out your mobile app code; look for the basics:

Is it obfuscated / encrypted?

Static credentials / static keys

Plain text communications / SSL pinning
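The checklist above, and the Android reversing steps on Page 7, describe a review that can be scripted once an APK has been decompiled. The following is an added example, not the speaker's code: a Python pass over decompiled source that flags static credentials, cleartext http:// endpoints, the presence or absence of certificate-pinning APIs, and a ProGuard-style obfuscation heuristic, run over a constructed sample of what an unobfuscated IoT companion app might decompile to.

```python
import re
from dataclasses import dataclass, field

# Constructed sample of a jadx/dex2jar decompile of an unobfuscated app; not from any real app.
SAMPLE_SOURCE = '''
package com.example.kettle;
public class ApiClient {
    private static final String OAUTH_TOKEN = "a1b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6";
    private static final String BASE_URL = "http://api.example-kettle.com/v1/";
    private static final String LOCAL_PSK = "kettle1234";
    public void boil() { send(BASE_URL + "boil", OAUTH_TOKEN); }
}
'''
# Constructed sample of ProGuard/R8 style output for the obfuscation heuristic.
OBFUSCATED_SOURCE = "public class a { void b() { c(); } }"

# Identifiers that commonly hold a static credential, assigned a string literal.
SECRET_ASSIGN = re.compile(
    r'\b(\w*(?:token|key|secret|password|psk|cred)\w*)\s*=\s*"([^"]{6,})"',
    re.IGNORECASE)
CLEARTEXT_URL = re.compile(r'"(http://[^"\s]+)"')
# Class names, plus anything followed by an opening parenthesis (methods; keywords like if() are noise).
IDENT = re.compile(r'\b(?:class|interface)\s+(\w+)|\b(\w+)\s*\(')
# API names showing pinning is at least attempted (OkHttp CertificatePinner, network security config <pin-set>).
PINNING_HINTS = ("CertificatePinner", "pin-set")


@dataclass
class Findings:
    static_secrets: list = field(default_factory=list)
    cleartext_urls: list = field(default_factory=list)
    pinning_hint: bool = False
    obfuscated: bool = False


def looks_obfuscated(source, threshold=0.5):
    """Heuristic: ProGuard/R8 output is mostly one- or two-character class and method names."""
    names = [cls or meth for cls, meth in IDENT.findall(source)]
    if not names:
        return False
    short = sum(1 for n in names if len(n) <= 2)
    return short / len(names) >= threshold


def review_decompiled(source):
    """Run the slide's checklist over decompiled source and collect what a reviewer should triage."""
    f = Findings()
    f.static_secrets = SECRET_ASSIGN.findall(source)
    f.cleartext_urls = CLEARTEXT_URL.findall(source)
    f.pinning_hint = any(h in source for h in PINNING_HINTS)
    f.obfuscated = looks_obfuscated(source)
    return f
```

A hit on `static_secrets` or `cleartext_urls`, or no pinning hint alongside any network call, is where the manual review should start; the obfuscation flag only says how much effort a reverser needed, not whether the findings exist.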

Page 39: Ken Munro Pentest Partners IoT Forum 2016

IoT Security Foundation

There’s hope yet!

Various bodies attempting to bring good practice to IoT manufacturers

Some progress by US FDA towards medical device security standards

IoT SF shortly to deliver initial self-cert for IoT security, followed by more robust compliance

Page 40: Ken Munro Pentest Partners IoT Forum 2016

The Internet of Things is a scary place

Be cynical, don’t adopt technologies that aren’t proven secure

@thekenmunroshow @pentestpartners

Blog: www.pentestpartners.com