Basic IoT security principles:

Write your mobile app securely

Protect the code to make reverse engineering really tough

Ensure you can update in the field…

[email protected] | +44 (0)20 3095 0500 | @PenTestPartners | www.youtube.com/PenTestPartnersLLP

What’s the problem?

Huge increase in attack surface:

Mobile app security

Web app security

API security

Mobile device security

IoT device hardware/firmware security

RF security

For a manufacturer of ‘things’…

My Wi-Fi Kettle

Er yeah. Why?

Nice idea, if pointless

Future potential quite interesting

Coffee machine ships mid October

Security-fail central

Attacking a kettle

#1 port scan

#2 disassembly

#3 locate chipset manuals

#4 review source code

#5 find code fails

#6 0wnage

Attacking a kettle (cont.)

Other crazy consequences:

Write your own client software – kudos to Mark J Cox

Geo-locate unconfigured wireless kettles

Geo-locate configured wireless kettles

‘Steamy windows’ attack, run up victim’s power bill

WIP: exploding kettle

“It’s OK” says the vendor

…the hack requires specialist knowledge and one would have to be very lucky to find a user with an iKettle

Wi-Fi coffee machine

And v2.0 iKettle

My Friend Cayla

Interactive kids doll

Voice recognition, listens continuously whilst on

Careful control over content

Can we make her swear?

Attacking a kids doll

#1 hardware issues

#2 disassembly

#3 root phone

#4 locate local database

#5 modify content

#6 redeploy

Hacking Cayla

Evil phone, modified app

Wikipedia API MITM

Voice recognition

Modify unencrypted data in transit

Evil API

Local Q database + ‘badwords’
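The client-side filter this slide describes, as an added Python example (it is not the doll's app or database; the schema, the questions, the answers and the bad-word list are all constructed for the example). The app looks answers up in a local SQLite file and strips anything on a bad-word list held in the same file, so an attacker with root on the phone (steps 4 and 5 of the previous slide) just edits the file. The second half adds the check a developer would want, a keyed digest over the content tables that flags tampering, with the caveat that on a rooted device running an unobfuscated app the attacker can patch the check and read the key too, which is why the summary slide pushes obfuscation rather than trusting the client.

```python
import hashlib
import hmac
import re
import sqlite3


# Constructed stand-in for an app's local content store: schema, questions,
# answers and the bad-word list are all assumptions of this example, not the
# doll's real database.
def build_content_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE answers (question TEXT PRIMARY KEY, answer TEXT NOT NULL);
        CREATE TABLE badwords (word TEXT PRIMARY KEY);
        """
    )
    conn.executemany(
        "INSERT INTO answers VALUES (?, ?)",
        [
            ("what is the capital of france", "The capital of France is Paris."),
            ("what is your name", "My name is Cayla."),
        ],
    )
    conn.executemany("INSERT INTO badwords VALUES (?)", [("damn",), ("hell",)])
    conn.commit()
    return conn


def filtered_answer(conn: sqlite3.Connection, question: str) -> str:
    """What the app would say: the stored answer, unless it contains a listed
    bad word. Answer text and word list live in the same writable file, so the
    filter is only as strong as the attacker's inability to edit that file."""
    row = conn.execute(
        "SELECT answer FROM answers WHERE question = ?", (question.lower(),)
    ).fetchone()
    if row is None:
        return "I don't know that one."
    answer = row[0]
    tokens = set(re.findall(r"[a-z']+", answer.lower()))
    bad = {w for (w,) in conn.execute("SELECT word FROM badwords")}
    if tokens & bad:
        return "I can't say that."
    return answer


def tamper_like_an_attacker(conn: sqlite3.Connection) -> None:
    """Steps 4 and 5 on the slide: with root on the phone, open the database
    and edit it directly. Empty the bad-word list, then rewrite an answer."""
    conn.execute("DELETE FROM badwords")
    conn.execute(
        "UPDATE answers SET answer = ? WHERE question = ?",
        ("Damn it, it's Paris.", "what is the capital of france"),
    )
    conn.commit()


def content_digest(conn: sqlite3.Connection, key: bytes) -> str:
    """HMAC-SHA256 over every row of both tables in a fixed order, so any edit
    changes the value. The table names are constants here, not user input."""
    mac = hmac.new(key, digestmod=hashlib.sha256)
    for table in ("answers", "badwords"):
        for row in conn.execute(f"SELECT * FROM {table} ORDER BY 1"):
            mac.update(repr(row).encode())
            mac.update(b"\x00")
    return mac.hexdigest()


def demo() -> dict:
    # Assumption: a key the attacker cannot simply read. On a rooted phone with
    # an unobfuscated app that assumption is weak, so this detects tampering
    # rather than preventing it.
    key = b"example-content-signing-key"
    conn = build_content_db()
    question = "what is the capital of france"
    expected = content_digest(conn, key)
    before = filtered_answer(conn, question)
    tamper_like_an_attacker(conn)
    after = filtered_answer(conn, question)
    return {
        "before": before,
        "after": after,
        "tamper_detected": content_digest(conn, key) != expected,
    }


if __name__ == "__main__":
    print(demo())
```

Running it shows the filtered answer before the edit, the unfiltered one after, and the digest mismatch. The digest only helps if the key and the code that checks it are out of the attacker's reach; the vendor's real fix (next slide) was an app update.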

Vendor updates the app

Attack stopped working recently, after application updated

Samsung Internet TV

Audio sent to Nuance Communications for voice->text conversion

Both directions plaintext

Internet TV

Samsung said:

“Samsung takes consumer privacy very seriously and our products are designed with privacy in mind.

Our latest Smart TV models are equipped with data encryption and a software update will soon be available for download on other models.”

Internet TV

So I went out to Costco and spent nearly £2,000 on this

In the name of research…

Updated firmware….

Internet TV

Samsung said:

Clearly ‘economical’ with their press release

Different codec, different voice activation

Another firmware update…

Update 1302 (?) applied a few months ago

Encryption now in place between TV & Nuance. AT LAST!

So, run a voice based web search using the on board browser

Wireshark: All encrypted

AND THEN: search term sent to Youtube plaintext

FINALLY: another update released

Samsung Smart Fridge (RF28HMELBSR)

View Google calendars, weather, recipes, TV etc

Did I say ‘utterly pointless’?

Spectacularly fails to properly encrypt your Gmail password

Drive past your house, attack fridge, steal your email

Wi-Fi doorbell

Remove doorbell

Unscrew two T6 Torx screws

Push setup button on rear of bell

Connect to embedded web server over Wi-Fi

User’s Wi-Fi PSK displayed in plain text…

Internet scales

FitBit Aria internet scales

Connects to your network over Wi-Fi

Shares weight & fatness through Fitbit online services

Set up guest-only

IDs the user by weight

Don’t eat too many pies overnight

Sends your home SSID to FitBit servers at registration, potential to identify user

Fitbit could therefore geolocate you with wigle.net

Nothing on the board appears to be encrypted

Limited processing power & storage

Setup mode PSK disclosure

Put kettle in to setup mode – either push reset button, or take out batteries

Navigate to URL here

PSK disclosed in plain text

Found & reported, fixed in firmware 38

How we found it:

SPI

UART

JTAG

In summary

IoT vendors have a lot to learn about security

So do some mobile app coders

Finding these bugs would have been really tough if the code was properly obfuscated

Check out your mobile app code; look for the basics:

Is it obfuscated / encrypted?

Static credentials / static keys

Plain text communications / SSL pinning
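The three basics on this slide as a first-pass check over decompiled app source, written as an added Python example (it is not a tool from the original deck). It takes a mapping of file paths to decompiled text, as jadx or apktool would produce, and flags plain `http://` URLs, string literals assigned to identifiers that look like credentials, the absence of any pinning marker, and class names that are still human-readable (a sign no obfuscator was run). The sample source is constructed, with the problems planted; the regexes are heuristics to point a reviewer at lines worth reading, not a substitute for reading the app.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    check: str
    location: str
    detail: str


# Constructed decompiled-source fragments with deliberately planted issues.
# Paths, class names and values are assumptions for this example only.
SAMPLE_SOURCE = {
    "com/example/iot/ApiClient.java": """
        public class ApiClient {
            private static final String BASE_URL = "http://api.example.test/v1/";
            private static final String API_KEY = "EXAMPLE00000000000000000000";
            private static final String DEVICE_PASSWORD = "admin1234";
            OkHttpClient client = new OkHttpClient();
        }
    """,
    "com/example/iot/Telemetry.java": """
        public class Telemetry {
            private static final String UPLOAD = "https://telemetry.example.test/";
            private static final String NAME = "kettle";
        }
    """,
}

PLAINTEXT_URL = re.compile(r'http://[^\s"\'<>]+')
# An identifier containing key/secret/password/token/psk assigned a string literal.
STATIC_SECRET = re.compile(
    r'(?i)\b(\w*(?:key|secret|password|passwd|token|psk)\w*)\s*=\s*"([^"]{4,})"'
)
PINNING_MARKERS = ("CertificatePinner", "pin-set", "X509TrustManager")


def scan_plaintext_urls(sources: dict) -> list:
    return [
        Finding("plaintext-url", path, m.group(0))
        for path, text in sources.items()
        for m in PLAINTEXT_URL.finditer(text)
    ]


def scan_static_secrets(sources: dict) -> list:
    return [
        Finding("static-secret", path, f"{m.group(1)} = \"{m.group(2)[:6]}...\"")
        for path, text in sources.items()
        for m in STATIC_SECRET.finditer(text)
    ]


def check_pinning(sources: dict) -> list:
    """No pinning anywhere means a self-signed MITM certificate is only stopped
    by the user clicking through a warning, if the app even shows one."""
    blob = "\n".join(sources.values())
    if any(marker in blob for marker in PINNING_MARKERS):
        return []
    return [Finding("no-pinning", "(whole app)", "no CertificatePinner, pin-set or custom TrustManager found")]


def check_obfuscation(sources: dict) -> list:
    """ProGuard/R8-style obfuscation leaves one- or two-letter class names;
    a majority of readable names suggests nothing was applied."""
    java = [p for p in sources if p.endswith(".java")]
    if not java:
        return []
    short = [p for p in java if len(p.rsplit("/", 1)[-1][:-5]) <= 2]
    if len(short) / len(java) < 0.5:
        return [Finding("unobfuscated", "(whole app)",
                        f"{len(java) - len(short)} of {len(java)} class names are human-readable")]
    return []


def scan(sources: dict) -> list:
    return (scan_plaintext_urls(sources) + scan_static_secrets(sources)
            + check_pinning(sources) + check_obfuscation(sources))


if __name__ == "__main__":
    for f in scan(SAMPLE_SOURCE):
        print(f"[{f.check}] {f.location}: {f.detail}")
```

Point it at the output directory of your decompiler (walk the tree into the same path-to-text mapping) and treat every hit as a line to read, not a verdict; string-based pinning markers in particular miss apps that pin via a network security config resource.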

If a security researcher makes contact about a vulnerability in your system, TALK TO THEM

@thekenmunroshow @pentestpartners

Blog:www.pentestpartners.com

Mobile Devices

What do you control IoT devices with?

Internet vibrators

Video chat, but with ‘extras’

Emerging field of ‘teledildonics’

Version we examined wrote temporary video files to Android ‘external storage’ among many issues

Phone lost/stolen/hacked? Bad day, selfie video hell

Default Bluetooth PIN of 0000

Rockchip: original Tesco Hudl

Apps for IoT devices run on smartphones & tablets

Cheap tablets often offer cheap security!

Hudl based on Rockchip, ~97% native Android, minimal customisation or additional security

Rockchip exploit allows read from firmware in addition to write

rkflashtool

Force Hudl into Bootloader mode

Read flash memory…

Argos MyTablet

My Shiny Pink Bush

Bought out of interest a few weeks ago

Spent some time trying to compromise it

Main challenge: finding which CPU it uses, then finding the entry point to the bootloader

Can cause it by opening case, removing several screws, removing EM shield from CPU (acts as heatsink), causing overheat + hard reboot

Also by enabling ADB, reboot, force in to bootloader (cheating)

Or press the vol up + vol down keys. Doh!

So secure the Phone/Tablet

Set a PIN – 6+ digits at least

Patterns are a great way to make PINs easier to remember

BUT, common usage and lack of repeated numbers significantly reduces PIN entropy

First number: probably 1, 3, 7 or 9 (corners)

Second number: likely adjacent (e.g. 3), not repeated

Etc: follow the grease smear or shoulder-surf

Patterns much easier for the thief to see

Total entropy on a 6 digit PIN drops from 1M combinations to about 1500!
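The entropy argument on this slide, worked through as an added Python example (not from the original deck). It takes the thief's assumptions literally, a PIN that starts at a corner key, never repeats a digit and only ever moves to a neighbouring key, and enumerates every 6-digit PIN that fits, so the size of the reduced keyspace can be compared with the 1,000,000 of a random PIN. The 3x3 keypad geometry and the decision to leave 0 out are simplifications of my own; with them the model lands on the order of a thousand candidates, the same ballpark as the slide's figure.

```python
# Phone keypad geometry as (row, column). 0 sits below 8 on a real keypad and
# is left out of this simplified model, an assumption of the example.
KEYPAD = {
    "1": (0, 0), "2": (0, 1), "3": (0, 2),
    "4": (1, 0), "5": (1, 1), "6": (1, 2),
    "7": (2, 0), "8": (2, 1), "9": (2, 2),
}
CORNERS = ("1", "3", "7", "9")


def adjacent(a: str, b: str) -> bool:
    """Two different keys that touch horizontally, vertically or diagonally."""
    (r1, c1), (r2, c2) = KEYPAD[a], KEYPAD[b]
    return a != b and max(abs(r1 - r2), abs(c1 - c2)) == 1


def follows_pattern(pin: str) -> bool:
    """The slide's thief model: starts at a corner, never repeats a digit and
    every digit is a neighbour of the previous one."""
    if len(pin) != 6 or any(d not in KEYPAD for d in pin):
        return False
    if pin[0] not in CORNERS or len(set(pin)) != len(pin):
        return False
    return all(adjacent(a, b) for a, b in zip(pin, pin[1:]))


def pattern_pins(length: int = 6, starts=CORNERS) -> list:
    """Every PIN the model allows, found by a depth-first walk over the keypad."""
    found = []

    def walk(path):
        if len(path) == length:
            found.append("".join(path))
            return
        for d in KEYPAD:
            if d not in path and adjacent(path[-1], d):
                walk(path + [d])

    for start in starts:
        walk([start])
    return found


def keyspace_reduction(length: int = 6) -> tuple:
    """(random keyspace, pattern keyspace) for PINs of the given length."""
    return 10 ** length, len(pattern_pins(length))


if __name__ == "__main__":
    full, patterned = keyspace_reduction()
    print(f"{patterned} pattern-style 6-digit PINs instead of {full} "
          f"({full // patterned}x fewer to try)")
```

The exact number moves with the assumptions (allow 0, allow a repeated digit, start anywhere) but stays several hundred times smaller than the random keyspace, which is the point: a PIN chosen for its shape on the keypad gives away most of its entropy to anyone who watched the grease smear.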

Android Memory Scraping

Rough explanation

Disassemble phone, find JTAG port

Source custom JTAG connector

Source RIFFbox

Learn Polish

Cracking your PIN - iPhone

If you have a 4-digit PIN, we used to be able to crack it in under 20 seconds

…but then Apple fixed it for iPhone >4S and iPad >1

Be aware of this if you have an old phone that you’ve given to a child

Cracking your PIN - iPhone

But now, we have a new device, costing £120, that cracks any iPhone 4 digit PIN in <17 hours

Even if you have ‘10 attempts and wipe’ enabled

6 digit PINs should be a minimum

Crack then takes up to 3 months

Slows the attack down enough for a theft to be reported, password changed and possible remote wipe of the device, if accessible

That of course assumes it’s locked

Get used to an 8 digit PIN if you can

Set a PIN for Find My iPhone, or the thief will turn it off!

Hacking iPhones

Here’s how to steal your network and email password from an iPhone, just by walking past:

Fake Wi-Fi access point

iPhone joins network automatically

Tries to synchronise email, MITM

Serve back a self signed SSL certificate

Really weak alert, user accepts

iPhone sends us its email/domain password

By walking past an iPhone, users can easily be duped into giving us their business email password

Hacking voicemail

Bypass the PIN, access the voicemail

Press button for 3 seconds

Say ‘voicemail’ to Siri or Voice Control

Make free calls, intercept your voicemail, hack your voicemail etc.

SO TURN OFF SIRI, Cortana etc

If a security researcher makes contact, TALK TO THEM

Ken: @thekenmunroshow

Blog: www.pentestpartners.com
