Basic IoT security principles:
Write your mobile app and firmware securely
Protect the code to make reverse engineering really tough
Ensure you can update in the field…
[email protected] | +44 (0)20 3095 0500 | @PenTestPartners | www.youtube.com/PenTestPartnersLLP

What’s the problem?
Huge increase in attack surface:
Mobile app security
Web app security
API security
Mobile device security
IoT device hardware/firmware security
RF security
For a manufacturer of ‘things’…
My Wi-Fi Kettle
Er yeah. Why?
Nice idea, if pointless
Future potential quite interesting
Coffee machine ships mid October
Security-fail central
Attacking a kettle
#1 port scan
#2 disassembly
#3 locate chipset manuals
#4 review source code
#5 find code fails
#6 0wnage
Attacking a kettle
Other crazy consequences:
Write your own client software – kudos to Mark J Cox
Geo-locate unconfigured wireless kettles
Geo-locate configured wireless kettles
‘Steamy windows’ attack, run up victim’s power bill
WIP: exploding kettle
“It’s OK” says the vendor
…the hack requires specialist knowledge and one would have to be very lucky to find a user with an iKettle
Wi-Fi coffee machine
And v2.0 iKettle
My Friend Cayla
Interactive kids doll
Voice recognition, listens continuously whilst on
Careful control over content
Can we make her swear?
Attacking a kids’ doll
#1 hardware issues
#2 disassembly
#3 root phone
#4 locate local database
#5 modify content
#6 redeploy
Hacking Cayla
Evil phone, modified app
Wikipedia API
MITM
Voice recognition
Bluetooth
Modify unencrypted data in transit
Evil API
Local Q database + ‘badwords’
Vendor updates the app
Attack stopped working recently, after application updated
Samsung Internet TV
Audio sent to Nuance Communications for voice->text conversion
Both directions plaintext
Internet TV
Samsung said:
“Samsung takes consumer privacy very seriously and our products are designed with privacy in mind.
Our latest Smart TV models are equipped with data encryption and a software update will soon be available for download on other models.”
Internet TV
So I went out to Costco and spent nearly £2,000 on this
In the name of research…
Updated firmware…
Internet TV
Samsung said:
“ ”
Clearly ‘economical’ with their press release
Different codec, different voice activation
Another firmware update…
Update 1302 (?) applied a few months ago
Encryption now in place between TV & Nuance. AT LAST!
So, run a voice based web search using the on board browser
Wireshark: All encrypted
AND THEN: search term sent to YouTube in plaintext
FINALLY: another update released
Samsung Smart Fridge (Samsung RF28HMELBSR)
View Google calendars, weather, recipes, TV etc
Did I say ‘utterly pointless’?
Spectacularly fails to properly encrypt your Gmail password
Drive past your house, attack fridge, steal your email
Wi-Fi doorbell
Remove doorbell: unscrew two T6 Torx screws
Push setup button on rear of bell
Connect to embedded web server over Wi-Fi
User’s Wi-Fi PSK displayed in plain text…
Internet scales
FitBit Aria internet scales
Connects to your network over Wi-Fi
Shares weight & fatness through Fitbit online services
Set up guest-only
IDs the user by weight
Don’t eat too many pies overnight
Sends your home SSID to FitBit servers at registration, potential to identify user
Fitbit could therefore geolocate you with wigle.net
Nothing on the board appears to be encrypted
Limited processing power & storage
Setup mode PSK disclosure
Put kettle in to setup mode – either push reset button, or take out batteries
Navigate to URL here
PSK disclosed in plain text
Found & reported, fixed in firmware 38
How we found it:
SPI
UART
JTAG
In summary
IoT vendors have a lot to learn about security
So do some mobile app coders
Finding these bugs would have been really tough if the code was properly obfuscated
Check out your mobile app code; look for the basics:
Is it obfuscated / encrypted?
Static credentials / static keys
Plain text communications / SSL pinning
If a security researcher makes contact about a vulnerability in your system, TALK TO THEM
@thekenmunroshow @pentestpartners
Blog: www.pentestpartners.com
Mobile Devices
What do you control IoT devices with?
Internet vibrators
Video chat, but with ‘extras’
Emerging field of ‘teledildonics’
Version we examined wrote temporary video files to Android ‘external storage’ among many issues
Phone lost/stolen/hacked? Bad day, selfie video hell
Default Bluetooth PIN of 0000
Rockchip: original Tesco Hudl
Apps for IoT devices run on smartphones & tablets
Cheap tablets often offer cheap security!
Hudl based on Rockchip, ~97% native Android, minimal customisation or additional security
Rockchip exploit allows read from firmware in addition to write
rkflashtool
Force Hudl into Bootloader mode
Read flash memory…
Argos MyTablet
My Shiny Pink Bush
Bought out of interest a few weeks ago
Spent some time trying to compromise it
Main challenge: finding which CPU it uses, then finding the entry point to the bootloader
Can cause it by opening case, removing several screws, removing EM shield from CPU (acts as heatsink), causing overheat + hard reboot
Also by enabling ADB, reboot, force in to bootloader (cheating)
Or press the vol up + vol down keys. Doh!
So secure the Phone/Tablet
Set a PIN – 6+ digits at least
Patterns are a great way to make PINs easier to remember
BUT, common usage and lack of repeated numbers significantly reduces PIN entropy
First number: probably 1, 3, 7 or 9 (corners)
Second number: likely adjacent (e.g. 3), not repeated
Etc: follow the grease smear or shoulder-surf
Patterns much easier for the thief to see
Total entropy on a 6 digit PIN drops from 1M combinations to about 1500!
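The entropy argument above, worked through as an added example (not from the slides): it counts how many PINs survive once a PIN is assumed to be a keypad "pattern" (start in a corner, move to an orthogonally adjacent key, never reuse a key) and compares that keyspace with a uniformly random PIN of the same length. The keypad layout and adjacency rules are assumptions, so the exact count differs from the slide's rough figure; the point it demonstrates is the collapse in keyspace.

```python
import math

# Constructed model (an assumption, not from the slides): a "pattern" PIN is
# traced over the phone keypad, starting in a corner key, moving to an
# orthogonally adjacent key each step and never reusing a key.  Assumed layout:
#   1 2 3
#   4 5 6
#   7 8 9
#     0
KEYPAD_ADJACENT = {
    "1": "24", "2": "135", "3": "26",
    "4": "157", "5": "2468", "6": "359",
    "7": "48", "8": "5790", "9": "68",
    "0": "8",
}
CORNERS = ("1", "3", "7", "9")


def count_pattern_pins(length, starts=CORNERS):
    """Count distinct PINs of `length` digits that follow the pattern model."""
    def walk(path):
        if len(path) == length:
            return 1
        return sum(walk(path + nxt)
                   for nxt in KEYPAD_ADJACENT[path[-1]] if nxt not in path)
    return sum(walk(start) for start in starts)


def entropy_bits(keyspace):
    """Entropy of a uniformly chosen value from a keyspace of this size."""
    return math.log2(keyspace)


def pin_entropy_report(length):
    """Compare a uniformly random PIN with a pattern PIN of the same length."""
    uniform = 10 ** length
    pattern = count_pattern_pins(length)
    return {
        "length": length,
        "uniform_keyspace": uniform,
        "pattern_keyspace": pattern,
        "uniform_bits": round(entropy_bits(uniform), 1),
        "pattern_bits": round(entropy_bits(pattern), 1),
    }


if __name__ == "__main__":
    for n in (4, 6, 8):
        print(pin_entropy_report(n))
```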
Android Memory Scraping
Rough explanation
Disassemble phone, find JTAG port
Source custom JTAG connector
Source RIFFbox
Learn Polish
Cracking your PIN - iPhone
If you have a 4-digit PIN, we used to be able to crack it in under 20 seconds
…but then Apple fixed it for iPhone >4S and iPad >1
Be aware of this if you have an old phone that you’ve given to a child
Cracking your PIN - iPhone
But now, we have a new device, costing £120, that cracks any iPhone 4 digit PIN in <17 hours
Even if you have ‘10 attempts and wipe’ enabled
6 digit PINs should be a minimum
Crack then takes up to 3 months
Slows the attack down enough for a theft to be reported, password changed and possible remote wipe of the device, if accessible
That of course assumes it’s locked
Get used to an 8 digit PIN if you can
Set a PIN for Find My iPhone, or the thief will turn it off!
Hacking iPhones
Here’s how to steal your network and email password from an iPhone, just by walking past:
Fake Wi-Fi access point
iPhone joins network automatically
Tries to synchronise email, MITM
Serve back a self signed SSL certificate
Really weak alert, user accepts
iPhone sends us its email/domain password
By walking past an iPhone, users can easily be duped into giving us their business email password
Hacking voicemail
Bypass the PIN, access the voicemail
Press button for 3 seconds
Say ‘voicemail’ to Siri or Voice Control
Make free calls, intercept your voicemail, hack your voicemail etc.
SO TURN OFF SIRI, Cortana etc
If a security researcher makes contact, TALK TO THEM
Ken: @thekenmunroshow
Blog: www.pentestpartners.com