@SHA2017, Scoutinglandgoed in Zeewolde, The Netherlands, August 4th to 8th 2017

An autopsy in the IoT: Nabaztag, the Hare.

Marco A. CALAMARI – [email protected]
Progetto Winston Smith
Hermes Center for Transparency and Digital Human Rights
Copyleft 2017, Marco A. Calamari

This material is released under the licence Creative Commons Attribution-NonCommercial-ShareAlike 3.0 (CC BY-NC-SA 3.0)

https://creativecommons.org/licenses/by-nc-sa/3.0/

Some images in this presentation are citations or “fair use” of copyrighted works, property of their respective owners.

All trademarks are property of their owners.

Your guest

https://www.linkedin.com/in/marcocalamari/

● Marco Calamari, born 1955, nuclear engineer, works as IT consultant, computer forensic analyst and freelance writer.

● Some acronyms: IISFA, AIP, Opsi, HERMES, PWS.

● Passionate about privacy and cryptography, he gave small contributions to several FOSS projects: Freenet, Mixmaster, Mixminion, Tor and GlobaLeaks.

● As a Digital Rights activist, he is amongst the founders of PWS - Winston Smith Project, and of the Hermes Center for Transparency and Digital Human Rights.

● As a freelance writer, he has been a columnist of Punto Informatico since 2003, with the weekly column Cassandra Crossing, which this year crossed its 400th issue (www.cassandracrossing.org)

What this talk aims to cover

IoT is too young and too fast to have a history. Only a bunch of separate facts exists; because of this, a definition of IoT and a definition of what makes a thing a ToIoT (Thing of the Internet of Things) are not agreed upon, or do not exist at all.

As already told in other talks, there is one founding characteristic of a ToIoT: to be an example of “” and to be an object that hides its internal complexity.

To do an interesting autopsy, we identified the First of a Kind for IoT: the first gizmo that started the real IoT, having an impact on more than a few people. Nabaztag (born 2003) is IMNSHO this First of a Kind. Created in 2005, it sold 150,000+ units in two years.

So I’ll try to bother you with all the stuff and info about Nabaztag that can be squeezed into an hour!

IoT start

IoT: computers, software, Internet

Objects, not Things, is the right term to use. Smartphones, tablets, laptops, cars, TV sets, washing machines, irons: all of these are objects possessing a single function, a function that we use when we want to do what we want with them. With respect to this, we perceive the above objects as simple, because we identify them with their function, and do not consider them complex ones: computers stuffed with a quantity of software in excess of 10,000,000 lines of code. The above is the main characteristic of an object that is part of the IoT, and is also the source of all the problems and concerns that the rise of IoT created.

Today’s IoT definition

The IoT is the materialization of what was once theoretically called Ubiquitous Computing and subsequently Pervasive Computing. Both were considered in the past positive and desirable aspects of computer technology. Most people today are still of this opinion...

IoT issues

The most important possibilities arise from being complex & powerful objects that hide their inner complexity, and contain a lot of sensors, computing power and software.

And, not surprisingly, the most concerning problems arise from being complex & powerful objects that hide their inner complexity, and contain a lot of sensors, computing power and software.

IoT issues - 2

Hiding complexity and being powerful are characteristics that belong to the definition of a ToIoT; we cannot consider them problems that need to be eradicated; you cannot do that without eliminating IoT completely.

OTOH, software is a feature that can be changed to keep IoT’s features while reducing its problems at the same time.

Software is increasingly being included in IoT objects that we do not perceive as complex or different from the equivalent older ones, because they have mostly the same function, and so seem to be equal to the old ones, just a little cooler.

IoT Software

In a very rough way, the amount of software is measured in lines of code, that is, in the number of lines a programmer writes.

These lines, appropriately transformed, become the software we use every day using IoT objects.

When we use software in programs, we perceive it, but in IoT objects we do not perceive it, and so strange and dangerous things can happen.

How much software

● In 1969 we went to the Moon with fewer than 10,000 lines of software, and for the Shuttle in the 90s, 400,000 were enough.

● A pacemaker can save our life with 100,000 lines, as many as Photoshop 1.0 had; today Photoshop has 3,500,000.

● In 1971, the first version of Unix had 10,000 lines, while Debian 5.0 (Lenny) in 2009 had 65,000,000 (including available applications).

● In 1991, Windows 3.1 accounted for 2,000,000 lines; in 2001 Windows XP, 43,000,000.

● An "old" supersonic fighter, the F-22 "Raptor", flew with 2,000,000, while a Boeing 787 transport aircraft requires 9,000,000 and the well-known F-35 45,000,000.

Iron
From 1700 to now: 0 lines of code

TV set
In 1935: 0 lines of code

Today’s TV set
Listens to & sees you, and reports to its master. The user manual says this, but you do not care. Has 30+ million lines of code embedded in it.

How much software - 2

● The Mars "Curiosity" rover explores Mars with only 5,000,000 lines

● The Large Hadron Collider, the largest tool ever built by Man, found the Higgs boson with 50,000,000 lines

● But a recent high-end car certainly contains more than 100,000,000 (say one hundred million) lines of code

● Think that the DNA of a mouse can be coded with about 120,000,000 "lines" of code.

Are they still "Objects"? Would it not be better to define them as "Subjects"? And anyway, why so much software? What does it do, and for whom does it do it? Does it work for the owner or for the producers?

The beginning

1991: Mark Weiser publishes in Scientific American the article ‘The Computer for the 21st Century’, which describes, without giving it a name, the process of the “Disappearing Computer”: “The most profound technologies are those that disappear. They weave themselves into the fabric of everyday life until they are indistinguishable from it.”

1998: Mark Weiser again condensed the above into a short sentence, “Ubiquitous computing”.

The beginning - 2

1999 – the term “Internet of Things” is introduced by an executive director of the “Auto-ID Center”: "I could be wrong, but I'm fairly sure the phrase "Internet of Things" started life as the title of a presentation I made at Procter & Gamble (P&G) in 1999. Linking the new idea of RFID in P&G's supply chain to the then-red-hot topic of the Internet was more than just a good way to get executive attention. It summed up an important insight which is still often misunderstood."

The beginning, Nabaztag - 3

2003: Nabaztag is born. The name is the transliteration of the Armenian word for hare, “Նաբազթագ”. Created in 2003 by Rafi Haladjian and Olivier Mével. Produced from 2005 in more than 100,000 pieces by the French company Violet; Violet then failed, victim of its own success, and was incorporated by Mindscape; Mindscape too shut down, and its assets (including the Nabaztag design & software) were purchased by Aldebaran Robotics and became abandonware.

My rabbit is the only computing thing that, in 30 years of coexistence, made me look good & smart in my girlfriend’s opinion.

The Nabaztag motto is "If you can even connect rabbits, then you can connect anything" (credit: @kinivazquez)

Nabaztag on stage Նաբազթագ

Nabaztag main features

It has a button on the head, two ears driven by stepper motors with encoders so that software can read the ear positions, 5 multicolored LEDs, an RFID reader, a sound card with microphone and a WiFi card.

It is controlled by a cloud server, originally programmed in Ruby, where Nabaztag owners register their rabbits and then load plugins to add actions. Nabaztag can move its ears and play choreographies with color-changing LEDs, can read horoscopes and stock quotes from web sites, and tell the time of day with jokes or puzzles. You can "marry" two rabbits so that if you move the ears of one, the other starts to sing and blink, and positions its ears in the same way.

Նաբազթագ Opera

Nabaztag genealogy

During the IoT Hare saga, three versions of Nabaztag were produced.

Nabaztag (or Nabaztag v1) contains:

● PIC18F6525 microcontroller
● BenQ PC Card 802.11b Wi-Fi adapter
● ml2870a Audio-PCM sound generator
● ADPCM converter
● two motors to actuate the ears
● TLC5922 LED controller
● a really small amount of memory.

The embedded software handles the TCP/IP stack and Wi-Fi driver. It also implements a virtual machine which is able to execute up to 64 kB of bytecode. A dedicated assembly language exists to program the different features of the device.

Nabaztag genealogy - 2

Nabaztag:tag (or Nabaztag v2)

Out on 12 December 2006, Nabaztag:tag supports MP3 audio streaming for Internet radio and podcasts. It has a microphone for voice activation of some of its services. It has a built-in RFID reader to detect special-purpose RFID tags (i.e. ISO/IEC 14443 Type B) to identify the objects the tag was attached to.

In October 2008, Violet launched RFID Children's Books with Penguin Publishing House. A market for Zstamps tags and Nano:ztags (little mini rabbits with Zstamps inside them) was opened. The Wi-Fi card was upgraded to support WPA encryption, and uses a SoftMAC card which embeds its own 802.11 protocol stack.

Nabaztag genealogy - 3

Karotz (or Nabaztag v3)

Karotz was released in April 2011 by Mindscape. It included an integrated webcam, a USB port (which can be used for power as well as connectivity), and 256 MB of on-board storage. Karotz was heavily integrated with Facebook and Twitter.

After only a few months, in October 2011, Mindscape was bought by Aldebaran Robotics, which declared "Together we shall go on with this wonderful adventure". But in October 2014 Aldebaran Robotics announced "The end of Karotz's adventures … Karotz's servers ... will be stopped on February 18th, 2015". In 2016 a new English-enabled API was set up by a volunteer initiative called Free Rabbits. Similar initiatives from ad-hoc communities had already released server software to revive Nabaztag v2.

Nabaztag genealogy - 4

Nabaztag genealogy - 5

The Autopsy

Nabaztag autopsy

Nabaztag:tag is the most common of the IoT-inhabitant rabbits. It accounts for 100,000 units in an overall (estimated, v1+v2+v3) connected-rabbit population of 150,000+.

So our autopsy will go on with it, thanks to this video from RobotShop.com

The Autopsy is not over (remember, there is software)

Nabaztag software

Remember IoT and its software?

The software that makes Nabaztag so cool and cuddly?

Nabaztag software has a client part, a server part, and a network application protocol.

A spoiler: interesting things happen in the latter.

To keep the presentation short, we’ll describe only Nabaztag:tag (v2); in fact Nabaztag (v1) was a “reduced set” of Nabaztag:tag (v2), and Karotz (v3) an extended one, but the overall architecture is similar.

At the end we’ll close this part and the presentation by trying to distill some conclusions.

Nabaztag software design

Sylvain Huet developed most of the embedded code of all Violet objects.

Sebastien Bourdeauducq developed the Wi-Fi Driver.

Antoine Schmitt has been the behavior designer and Jean-Jacques Birgé the sound designer. They composed the Nabaz'mob opera for 100 Nabaztag.

Maÿlis Puyfaucher is the French voice and wrote all the original phrases spoken by the rabbit.

Few data are available about who exactly developed the communication protocol and the original server software, now abandoned and not available due to a “bankruptcy induced” lock-up.

Nabaztag: the Client

Nabaztag:tag (v2)

The embedded software is stored in 128 KB of “secure” internal flash and 8KB “Boot Flash ROM”.

It also handles the TCP/IP stack and Wi-Fi driver.

Firmware is built as a blob in a standard way.

It implements a virtual machine which is able to execute up to 64 kB of binary bytecode.

A dedicated assembly language exists to program the device. Choreographies & plugins can be downloaded and executed in the VM.

Nabaztag: the Server

Nabaztag:tag (v2)

After the Violet and Mindscape bankruptcies, several communities started to develop server-side software & plugins.

For (v2) the most popular software is OpenNab, written in PHP, and openJabNab, written in PHP & C++.

A dozen servers worldwide still run this software, maintained by “aficionado” communities that quite often run mailing lists and forums too.

Nabaztag: network protocol

Nabaztag:tag (v2) + OpenJabNab

Due to lack of documentation, the network protocol was sniffed & partially reverse engineered.

All client/server communications use the XMPP Jabber protocol (TLS encrypted).

However, when a blob needs to be transferred, Base64-encoded objects are sent over the cleartext HTTP protocol.

Because of the lack of client-side computing power, when a text message needs to be read aloud by the rabbit it is sent to the server, which renders it into an MP3 file that is then transferred during the XMPP session over plain HTTP.

Nabaztag: simple attack

Nabaztag:tag (v2) + OpenJabNab

It is not difficult to imagine that a custom firmware developed in an economically troubled situation may have a lot of bugs waiting to be spotted by attackers.

OTOH, the partly unencrypted communication protocol is too easy to crack to be left alone, so let us poison our home router and capture a client/server session.

During this session the rabbit was simply asked to say “Hello”.

The recorded session, dumped with Wireshark, gives easy access to the HTTP content transferred.

Nabaztag: simple attack - 2

Nabaztag:tag (v2) + OpenJabNab

The content of the server-rendered MP3 file was easily readable in the HTTP stream.
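A defender can spot the same thing in the same capture without listening to the audio: the pattern the talk describes (an encrypted XMPP control channel beside cleartext HTTP media to the same device) is easy to flag automatically. The script below is an added example, not part of the talk, of Violet's firmware or of OpenJabNab; it runs over constructed flow records in the shape of a comma-separated field export, and the field layout, addresses and port numbers are assumptions made for this illustration.

```python
"""Flag devices that keep an encrypted control channel but fetch media in the clear.

Added example (not Violet's, OpenJabNab's or the talk's own code).  Input is a
constructed, comma-separated flow export: src_ip,dst_ip,dst_port,protocol,content_type.
Addresses, ports and the field layout are assumptions made for this illustration.
"""
from collections import defaultdict

# Constructed sample modelled on the session in the talk: the rabbit
# (192.168.1.42) talks XMPP over TLS to the server (203.0.113.10) and then
# receives the rendered "Hello" MP3 over plain HTTP.  A second device
# (192.168.1.77) only ever uses TLS and must not be flagged.
SAMPLE_EXPORT = """\
192.168.1.42,203.0.113.10,5222,tls,
203.0.113.10,192.168.1.42,49152,tls,
192.168.1.42,203.0.113.10,80,http,
203.0.113.10,192.168.1.42,49153,http,audio/mpeg
192.168.1.77,203.0.113.10,443,tls,
203.0.113.10,192.168.1.77,49200,tls,
"""

XMPP_PORTS = {5222, 5223}  # client-to-server XMPP: STARTTLS port and legacy direct-TLS port
CLEARTEXT_MEDIA = {"audio/mpeg", "application/octet-stream"}  # blob types worth flagging


def parse_export(text):
    """Turn the export into a list of flow dicts; blank lines are skipped."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        src, dst, port, proto, ctype = line.split(",")
        records.append({"src": src, "dst": dst, "port": int(port),
                        "proto": proto, "ctype": ctype})
    return records


def find_mixed_channel_devices(records):
    """Return {device_ip: [(server_ip, content_type), ...]} for every device that
    has an XMPP/TLS control channel *and* receives a media blob over cleartext HTTP.
    Response flows are oriented server -> device, so the device is the dst there."""
    tls_control = set()
    cleartext = defaultdict(list)
    for r in records:
        if r["proto"] == "tls" and r["port"] in XMPP_PORTS:
            tls_control.add(r["src"])
        elif r["proto"] == "http" and r["ctype"] in CLEARTEXT_MEDIA:
            cleartext[r["dst"]].append((r["src"], r["ctype"]))
    return {ip: hits for ip, hits in cleartext.items() if ip in tls_control}


if __name__ == "__main__":
    for device, hits in find_mixed_channel_devices(parse_export(SAMPLE_EXPORT)).items():
        for server, ctype in hits:
            print(f"{device}: TLS control channel up, but {ctype} from {server} arrived in the clear")
```

An export of this shape can be produced from a Wireshark/tshark capture with its field export; the rule is deliberately narrow and fires only when one device shows both channels, which is exactly the design split that makes the substitution on the following slide possible.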

Using arpspoof to poison the router again, iptables to mount a local MITM, and the Burp proxy, a setup was prepared to intercept the server -> client side of the communication and to replace the HTTP object containing the rendered MP3 with a different one.

That way, the bunny is served with a modified MP3 saying “I’m possessed, to have me back pay a Bitcoin”.

The session was repeated, and the rabbit gave a quite different “Hello” to its master.

Summing it up

Looking at a ToIoT designed in 2003, we can find all the problems that plague today’s IoT.

The system design has parts with strong design and parts that are easily crackable. An example: firmware stored in protected memory, but an unencrypted communication protocol.
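The mixed design just described (a TLS-protected XMPP channel for commands, plain HTTP for the rendered MP3) is what let the captured “Hello” be swapped. As an added illustration that is not part of the talk, of Violet's firmware or of OpenJabNab, the Python below models both sides of that exchange and the cheapest fix available to a client with a small CPU: the server announces the blob's SHA-256 inside the TLS-protected message, and the client refuses any HTTP blob whose digest does not match. The function names, the URL and the sample bytes are assumptions made for this example.

```python
"""Binding a cleartext HTTP blob to the TLS-protected XMPP message that announces it.

Added example (not Violet's, OpenJabNab's or the talk's own code).  It models the
protocol split described in the talk and a digest check that closes it.  The
function names, URL and byte strings below are constructed for this illustration.
"""
import hashlib
import hmac

# Constructed stand-ins: neither is real MP3 audio.
RENDERED_MP3 = b"ID3\x03\x00\x00constructed-hello-audio"
TAMPERED_MP3 = b"ID3\x03\x00\x00constructed-ransom-audio"
BLOB_URL = "http://server.example/tts/hello.mp3"


def server_announce(blob, url):
    """Server side.  This dict stands for the content of the XMPP message, which
    travels over TLS: the URL of the blob plus the SHA-256 of the exact bytes
    the client is expected to fetch."""
    return {"url": url, "sha256": hashlib.sha256(blob).hexdigest()}


def http_fetch(url, wire):
    """Cleartext HTTP fetch.  `wire` maps URL -> bytes and stands for whatever the
    network returns, which a MITM on the HTTP side fully controls."""
    return wire[url]


def play_unverified(announcement, wire):
    """The design on the page: URL over TLS, blob over HTTP, no check at all."""
    return ("played", http_fetch(announcement["url"], wire))


def play_verified(announcement, wire):
    """Hardened client: fetch over HTTP, recompute the digest, compare it with the
    one received over TLS in constant time, and refuse to play on mismatch."""
    blob = http_fetch(announcement["url"], wire)
    digest = hashlib.sha256(blob).hexdigest()
    if not hmac.compare_digest(digest, announcement["sha256"]):
        return ("rejected", None)
    return ("played", blob)


def run_scenarios():
    """Replay the talk's experiment against both clients: once with an honest
    network and once with a MITM substituting the blob on the HTTP side."""
    announcement = server_announce(RENDERED_MP3, BLOB_URL)
    honest_wire = {BLOB_URL: RENDERED_MP3}
    mitm_wire = {BLOB_URL: TAMPERED_MP3}  # the substitution described in the talk
    return {
        "unverified/honest": play_unverified(announcement, honest_wire),
        "unverified/mitm": play_unverified(announcement, mitm_wire),
        "verified/honest": play_verified(announcement, honest_wire),
        "verified/mitm": play_verified(announcement, mitm_wire),
    }


if __name__ == "__main__":
    for name, (outcome, blob) in run_scenarios().items():
        print(f"{name:18} -> {outcome}" + (f" ({blob!r})" if blob else ""))
```

The digest is only as trustworthy as the channel that carries it, so the check holds only while the XMPP session is genuinely authenticated (certificate validation on the client). In exchange, one SHA-256 pass over the blob costs a PIC-class CPU far less than wrapping the download in a second TLS session, which is the kind of trade-off the talk blames on the lack of client-side computing power.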

Lack of CPU power caused an unacceptable trade-off of security against features and performance. Privacy of user communications and data is (as more or less always) carelessly implemented.

As the “V for Vendetta” character Lewis Prothero might comment here: “Good features win, security loses, and, as always, poor software rulez”.

Thanks for attending this talk

Q&A time

+------http://www.winstonsmith.org ------+
| il Progetto Winston Smith: scolleghiamo il Grande Fratello |
| the Winston Smith Project: unplug the Big Brother |
| Marco A. Calamari [email protected] http://www.marcoc.it |
| DSS/DH: 8F3E 5BAE 906F B416 9242 1C10 8661 24A9 BFCE 822B |
| PGP RSA: ED84 3839 6C4D 3FFE 389F 209E 3128 5698 |
+------+

Links

Wikipedia page about Nabaztag https://en.wikipedia.org/wiki/Nabaztag

Nabaz'mob, opera for 100 smart rabbits by Antoine Schmitt and Jean-Jacques Birgé http://nabazmob.free.fr/English.html

Nabaztag WiFi Rabbit Autopsy by RobotShop.com https://www.dailymotion.com/video/xfqajp

Nabaztag is the guest in two episodes of the DLTV show https://archive.org/details/dltv_083_episode https://archive.org/details/dltv_176_episode