Panel - Home Invasion v2.0
This is a modal window.
The media could not be loaded, either because the server or network failed or because the format is not supported.
Formal Metadata
| Title |
| |
| Subtitle |
| |
| Title of Series | ||
| Number of Parts | 112 | |
| Author | ||
| License | CC Attribution 3.0 Unported: You are free to use, adapt and copy, distribute and transmit the work or content in adapted or unchanged form for any legal purpose as long as the work is attributed to the author in the manner specified by the author or licensor. | |
| Identifiers | 10.5446/38965 (DOI) | |
| Publisher | ||
| Release Date | ||
| Language |
Content Metadata
| Subject Area | ||
| Genre | ||
| Abstract |
|
DEF CON 2139 / 112
3
6
8
9
13
14
15
16
17
22
23
24
25
29
32
33
36
37
39
42
45
47
49
53
60
61
64
65
66
71
76
79
80
82
89
103
106
108
00:00
Water vaporMoment (mathematics)QuicksortHookingPoint (geometry)InternetworkingStandard deviationWindowControl flowPlastikkarteInformation technology consultingData managementComputer animation
00:46
SoftwareInformation securityInformation securityInformation technology consultingSoftware engineeringDivision (mathematics)Mobile appService (economics)Cartesian coordinate systemData managementSpacetimeSoftware testingNP-hardBitPlastikkarteComputer animation
01:18
PlastikkarteInformation securityGroup actionSmart DeviceProduct (business)PlastikkartePort scannerSmartphoneLaptopSoftwareMoment (mathematics)Topological vector spaceAndroid (robot)1 (number)SubsetCASE <Informatik>IPSecTelecommunicationCode division multiple accessQuicksortTerm (mathematics)Bookmark (World Wide Web)Sampling (statistics)DemosceneComputer animation
04:38
PlastikkarteComputer clusterTouchscreenSoftwareRight angleWindowSoftware testingSystem callThermische ZustandsgleichungComputer animation
05:29
PlastikkarteRadio-frequency identificationInformation securitySoftwareInterface (computing)Computer programComputer animation
06:50
Scripting languageComputer networkSystem callSpywareModule (mathematics)PlastikkarteCodeSystem callOrder (biology)Sign (mathematics)PasswordSoftwareUser interfaceConnected spaceServer (computing)Interface (computing)Mobile appModule (mathematics)Instance (computer science)Right angleTelecommunicationSpywareComputer animation
08:01
PlastikkarteMobile appStreaming mediaWeb browserIP addressSoftwareAuthenticationConnected spaceWireless LANToken ringSuite (music)VideoconferencingMultiplication signInheritance (object-oriented programming)Instance (computer science)Computer animation
09:02
Similarity (geometry)CodeDirectory serviceModule (mathematics)SpywareLibrary (computing)Structural loadScripting languagePlastikkarteServer (computing)Revision controlVulnerability (computing)Streaming mediaWeb browserServer (computing)Connected spaceCodeModule (mathematics)Scripting languageElectronic signatureSign (mathematics)Level (video gaming)Directory serviceLibrary (computing)Control flowComputer filePiRevision controlElectronic mailing listVulnerability (computing)VideoconferencingReal numberProcess (computing)MathematicsType theoryOrder (biology)Electronic visual displayMultiplication signSpywareRootRight angleComputer animation
12:31
PlastikkarteRight angleGoodness of fitoutputWhiteboardInheritance (object-oriented programming)LaptopGroup actionWebcamVirtual machineVideoconferencingWeb 2.0Token ringMobile appGame controllerProduct (business)MereologyPoint (geometry)Connected spaceGodAuthenticationServer (computing)Web browserComputer animation
15:16
CuboidSoftware testingFunctional (mathematics)Computer programInteractive televisionProduct (business)Right angleCommunications protocolConfiguration spaceAuthenticationSoftwarePasswordResultantLocal area networkDebuggerFront and back endsCartesian coordinate systemVulnerability (computing)Freeware
17:11
RootAuthorizationRevision controlGroup actionSoftwareInformation securityOpen sourceRootPlastikkarteCuboidComputer forensicsData miningPoint (geometry)Vulnerability (computing)Decision theoryAuthorizationLibrary (computing)AuthenticationInformationSharewareMetropolitan area networkRoutingRevision controlMobile appMultiplication signComputer animation
18:34
GodSharewareService (economics)Computer fileQuery languageRange (statistics)Group actionScripting languageNeuroinformatikCommunications protocolInformationGame controllerBroadcasting (networking)State of matterComputer-assisted translationEvent horizonDirectory serviceSelf-organizationSoftwareSource codeComputer animation
20:00
VideoconferencingSharewarePresentation of a groupCuboidGodMultiplication signBackupBoolean algebraSource codeComputer animation
20:33
Bridging (networking)SharewareSoftwareBridging (networking)Right angleGame controllerMusical ensembleLaptopPhysical systemInternet forumComputer animation
21:15
Bridging (networking)InformationVideo game consoleLocal ringState transition systemInformationMusical ensembleLaptopGame controllerSoftwareBridging (networking)Electronic mailing listProcess (computing)Shared memoryVirtual machineStatisticsWeightUser interfaceGroup actionLevel (video gaming)Computer animation
22:31
Bridging (networking)Execution unitPlastikkarteConfiguration spaceVirtual machineInformationSmartphoneBenutzerhandbuchFunctional (mathematics)Musical ensembleMobile appCartesian coordinate systemSeries (mathematics)DiagramPasswordAuthenticationLevel (video gaming)Android (robot)Game controllerFlow separationComputer animation
24:25
PlastikkartePersonal identification numberDefault (computer science)Cartesian coordinate systemArmPersonal identification numberDefault (computer science)Mobile appRight angleComputer animation
25:19
Product (business)Water vaporFirewall (computing)Game controllerCore dumpComputer networkSoftwareInternetworkingEncryptionMobile appRight angle
26:26
PasswordCuboidAuthenticationPoint (geometry)QuicksortRight angleCartesian coordinate systemCloud computingUser interfaceEmailComputer animation
27:10
InternetworkingVideo game consoleControl flowAuthenticationData modelPasswordTransport Layer SecurityAuthorizationGame controllerSystem callEmailProduct (business)BitSuite (music)Address spaceOrder (biology)Set (mathematics)PasswordAuthorizationRevision controlPhysical systemNeuroinformatikCombinational logicPersonal identification numberRight angleTime zoneCellular automatonOpen setGoogolInternetworkingComputer animation
29:50
Software configuration managementQuicksortDenial-of-service attackHookingMixed realitySoftwareWaveGateway (telecommunications)CuboidOpen setComputer animation
30:28
FirmwareBackupCodeSoftware testingRevision controlServer (computing)WebsiteDefault (computer science)Video game consoleAuthenticationAuthorizationDemonProxy serverInheritance (object-oriented programming)RootVector potentialServer (computing)PasswordRootRevision controlUser interfaceCodeTurbo-CodeInternetworkingWeb browserRemote procedure callDefault (computer science)Interface (computing)BackupSet (mathematics)FirmwareComputer architectureExecution unitProxy serverVideo game consoleAuthenticationConnected spaceMoment (mathematics)Control flowDemosceneFirewall (computing)InformationSystem administratorAuthorizationGroup actionWrapper (data mining)Prisoner's dilemmaEnthalpyScripting languageLink (knot theory)Vulnerability (computing)Computer configurationAcoustic shadowHash functionMessage passingComputer fileConfiguration spaceFlow separationFile archiverRoutingVector potentialOrder (biology)Network topologyDifferent (Kate Ryan album)MathematicsWeb 2.0SoftwareGame controllerSoftware testingFunctional (mathematics)Dependent and independent variablesRight angleCross-site scriptingTraverse (surveying)BitBookmark (World Wide Web)WebsiteCrash (computing)Sweep line algorithmComputer animation
37:28
VideoconferencingBitLevel (video gaming)Crash (computing)Suite (music)SoftwareTouchscreenComputer animation
38:30
Electronic visual displayStandard deviationTouchscreenComputer animation
39:05
Electronic visual displayMenu (computing)WindowDivergenceProxy serverPort scannerSuite (music)EmailWeb crawlerPersonal identification numberTable (information)AuthenticationQuicksortCodeZoom lensScripting languageInformation securitySynchronizationState of matterRight anglePurchasingPasswordBlock (periodic table)Level (video gaming)Computer animation
Transcript: English(auto-generated)
00:00
So the title of this talk is Home Invasion 2.0. And we're going to be talking about smart home technologies. So we envision Home Invasion 1.0 as a guy breaking in a window and stealing your TV, you know, the standard sort of stuff. And Home Invasion 2.0 is what happens when you hook all sorts of things up to the Internet that you really shouldn't.
00:24
Or that you really should think about a lot more. So before we start into talking about all this stuff, I'd like to take a moment to introduce ourselves and explain just very briefly why you are listening to us and not some guy trying to sell you water on the sidewalk about these devices.
00:45
So my name is Daniel Crowley, aka Unicorn Furnace, and I am a managing consultant on the application security services team of Trustwave's Spider Labs division. My name is Jennifer Savage. I am a software engineer and a security contact for Tabbed
01:01
Out. We make a mobile app that lets you pay your bar tab with your cell phone. So a bit of a hard space for security. I'm David Bryan, senior security consultant with Trustwave's Spider Labs penetration tester. So why are we here? We're here to talk about smart home technologies. What I mean when
01:25
I say smart home technology is various devices in your home that are not traditional network connected devices like laptops and smart phones and printers and scanners and things like that, more odd non‑traditional devices. So we're going to talk about some
01:42
of what those are in a moment. Anybody here like science fiction? Show of hands. My favorite kind of science fiction is dystopian science fiction. For those of you not familiar with the term, dystopian science fiction is about a world which has some sort of technology
02:03
that has gone awry. So some dystopian science fiction is very serious, like 1984, although that's maybe not exactly science fiction. But some of them are very, very tongue in cheek. There's a movie that we heard about from several people where it's like a smart
02:26
home and it starts attacking and trying to kill the people in it like there's a scene with a garbage disposal or something. Anyway, we have yet to see it and if anybody knows the name of the movie, I would love to know that because I really want to watch it now. What is it? It was iRobot? Fair enough. I didn't want to see that because it looked
02:47
like they completely ignored Asimov's book. Anyway, usually dystopian fiction tries to serve as a warning for the future because science fiction so often becomes science fact. All of you probably have cell phones in your pocket. If you're smart they don't have
03:02
the Wi‑Fi or Bluetooth enabled. And if you have a CDMA phone, maybe it's smart to just turn it off entirely. Anyway, so that was originally from the Star Trek communicator. So pretty bad ass, right? But science fiction becomes science fact and dystopian science fiction usually serves as a warning to people who would make these technologies
03:24
as to how they need to ‑‑ the considerations that they need to take into account when making these devices. And unfortunately the push to be first to market with a device with some new technology often gets in the way of listening to these warnings, making the important considerations and this seems to be the case based on our research.
03:44
So we took a look at a subset of the devices out there which connect to a network in your home. We're not going to be discussing every technology because there are a lot of them. And some notable ones that we did not include in this talk, there is an Android powered oven. Which ‑‑ yeah. Because there have never been any problems with Android
04:07
and an oven is perfectly safe. Mom, I jail breaked the oven. So smart TVs, there were some talks at Black Hat about smart TVs which were kind of interesting. IP security cameras. But this is just a sample of these things. But we ‑‑ and it's
04:26
wide open. There doesn't seem to have been a lot of review on this stuff. So maybe hopefully this talk will inspire you to go out and take a look at smart home technologies if any that you have in your home or maybe your friend's home. So right now on the market, like Dan was saying, we have locks, thermostats, fridges,
04:46
toilets, lights and toys. But in the future, we're going to have entire smart cities. They're building one right now in South Korea. It's called Songdo. Cisco is involved in the networking there. But they're describing it as a place where you can walk up to a
05:04
window. The window is actually a screen that you can interact with. You can call home, talk to your kids. The city will schedule your day for you. It will schedule buses leaving and arriving and everything. And I would love to go test that. I don't know about the rest of you. But I think it's an absolutely awesome place to go and hack
05:24
if we could just get permission to do that, right? So I'm going to talk today about a toy that was in my daughter's room. I have a daughter whose name is Ada. She's almost two. She'll be two in a month. And this is a toy
05:45
I bought when I was a very busy mom still breastfeeding, not getting enough sleep. And I wanted to be able to go into the other room and check on her and do it through my laptop and take a nap and make sure she was still asleep in her crib and whatnot.
06:01
And it has a camera in it and a microphone. So you can do that with this. It also has a speaker. You know, you can program it to wake you up in the morning, tell you when it's lunchtime, all kinds of stuff. It has an RFID reader and little RFID toys that she can run up to the bunny and hold it up to the bunny. It will read the RFID.
06:21
It will do whatever you program it to do through their online interface. Additionally, it has a USB port in the pack, a little bunny tail USB. And this is how you program it to connect to your Wi‑Fi network. It occurred to me when I was no longer a sleep deprived mother that I needed to test the
06:45
security of this device that was in my daughter's room. And I found a lot of problems with it. So the first one is that in order to set up the Wi‑Fi network, you enter your SSID and password into their web interface. It's transmitted, completely unencrypted,
07:06
no SSL to their servers. The API calls that are used in order to communicate between, for instance, the iPhone app, the Carrot servers and the Carrots itself, it goes from the interface to the Carrot servers to the Carrots. Those API calls
07:28
are completely unencrypted and SSL as well. So you can eavesdrop on them. And the setup package that you download, you download again over an unencrypted connection,
07:44
there's code signing. So they did something right here. But the code signing, there's a way of bypassing it using a technique I call Python module hijacking. It's a little known attack and I'll teach it to you today.
08:02
So what you're looking at here is a request made through the Carrots API for the video stream from the bunny. It has an authentication token, that's one time use. It doesn't make sure that it's always being consumed by the same IP address. So you can just literally
08:21
copy and paste it out of burp suite, for instance, or anything else and put it into your web browser and spy on the video stream. That was the first major problem. I would do things like go to the coffee shop, open up the iPhone app and check on my daughter, make sure she's still asleep, you know. And I would use the coffee shop wireless
08:45
network without having tested to make sure that this connection was over SSL. So if you're a parent, you might be really scared to hear that that was happening. I know it freaked me out. So here's an example of viewing the video stream just through the
09:07
web browser. So if you happen to have a connection between the Carrot servers and the ability to eavesdrop on a connection between the Carrot servers and the person
09:22
downloading the Wi‑Fi setup script from the Carrot servers in order to set up their money, and you can man in the middle that connection, you can replace the download of the setup script with your own setup script, and in that version of the setup script,
09:42
you can get around the code signing using something called Python module hijacking. So if you've ever done DLL hijacking or LD pre‑load vulnerability, anything like that, basically Python has something called the Python path, and your Python path is a
10:01
list of places that Python will look for your modules that you import. So the first place it always looks is the same directory that the script is in. This is a problem because as an attacker, I can place a Python file that is the same name as one of the modules used by your script in the same directory as your script, if I have the ability
10:23
to do that, and your script, when it runs, will run under the same permission level, my module. So I can get it to run my code. So ‑‑ What's nice about this is that the setup script is signed using GPG and they check
10:44
the signature before they run it, but this doesn't ‑‑ this technique doesn't require modifying the code as Jen said. Right. So the code signing doesn't check the modules, so that's why this gets us around the code signing. Now, interestingly enough, the auto run Wi‑Fi script actually uses a simple JSON ‑‑ it imports simple JSON,
11:08
so ‑‑ and then it never uses it anywhere in the script. It never uses anything from that library in the script. I don't know why it imports it, but we were able to just create a simple JSON.PI file that did what we wanted and throw it in the same
11:23
directory as the setup script we downloaded and we had a bunny break. So just to recap, an attacker could man in the middle the insecure connection to the carrot server, replace the user's download with their malicious version, use a vulnerability
11:43
to make the carrots run their code, that's the module hijack we just went over, and potentially have a bunny botnet on their hands. There's also a potential for like a tag‑and‑release type attack where you get a carrots, buy it from carrots or from Amazon, eBay, whatever, just buy a whole bunch of these things, root
12:02
all of them, because when you go through the setup process a second time, not everything changes, it's not like you wipe the whole thing when you go through the setup process, so you could own a whole bunch of these things and then sell them on eBay or return them or something like that. So you, again, bunny botnet.
12:21
All right. So let's ‑‑ I think that's a slower method. So we're going to real quick display a video in which we eavesdrop on the video camera on the carrots. We cannot hear this. Why can't we hear this? Is the board turned up for the audio input on
12:41
the laptop? Good. All right. Carrots app for the iPhone, the carrots controller app, and I'm going to move the carrots' ears using the app. This will send a request via the carrots API to the
13:02
carrots server, and then the ears respond by moving. Now, I happen to be eavesdropping on that request over here, and if I look at the request itself, I can grab from it an authentication token. It's a one‑time use token, but what I found is that I can
13:22
reuse this, actually, and use it to capture video instead. So I'm going to grab the interactive ID and the one‑time use token, copy it, go over here to my web browser, paste it in, and change the action. So here it says the action is the year moving.
13:46
We're going to change the action to webcam, and let's see, it needs to be webcam action equals video. Hit enter. And now, on the machine that I'm using to eavesdrop on
14:09
the carrots, I get a handy dandy webcam feed. Hi, guys. So this is eavesdropping on the carrots' toys webcam. Suddenly, the bunny becomes really creepy,
14:28
right? I thought it was cute before. My daughter still thinks it's cute, and we leave it in her room unplugged and she runs up to it and hugs it and I'm like, thank God, it's unplugged. But I wanted to mention the fact that if you're eavesdropping, there
14:46
is a start and a stop request that gets sent as part of the API calls, and the token after the stop request gets sent, the token is no longer reusable. However, if you're man‑in‑the‑middle in the connection, you can drop that stop request
15:01
and instead continually send something called a keep‑alive request, and then at that point, you just have control over the bunny going forward as long as you maintain your keep‑alive. So this is a product called the Belkin‑Wemo
15:21
switch. First of all, I'd like to say that Belkin was real cool about all of this. We were going to reach out to Belkin and tell them about what we found, but they actually fixed everything before we could even tell them about it. So good on them for that. And they actually sent ‑‑ guys ‑‑ yeah. Thank you. Yes. And what's more,
15:43
they came to our black hat talk and approached us afterwards and told us, hey, thanks for finding this stuff. By the way, we have a program where if there's people finding security vulnerabilities in our stuff, you know, we can get them products for free so that they can do more testing because they recognize that we're doing free work
16:01
for them. I don't ‑‑ yeah. So ‑‑ thank you, Belkin. But the Belkin‑Wemo switch is kind of an interesting little thing. It's a little box with a plug, a male and female electrical plug. You plug the back end into the wall and plug something
16:21
into the front end and then whatever you have plugged in, you can turn that on and off from a network using an iPhone application from Belkin. And so the way that this works is over a protocol called UPnP. Has anyone heard of UPnP before? Right. So UPnP was designed for network auto configuration. And as a result,
16:48
you can't have like zero interaction auto configuration if you have to put in a username and password. So UPnP as a protocol does not require authentication. It doesn't involve authentication. So that's interesting. Right? And so what
17:04
this means because the interaction is via UPnP is that you can control the functions of this device as long as you're on the same local network as it. So Belkin doesn't have what I would consider a proper fix for this yet. But what they do is in the iPhone app, as soon as you like use it for the first time, it tells you,
17:24
hey, just so you know, anybody on the same network as this thing can control it. So be careful where you put it. So it's not a proper fix. But they're at least giving enough information to the user for them to make some security decisions or understand the potential risk that comes with being able to control this without any authentication.
17:45
But on top of that, in an older version, they had a vulnerable LibUPnP library. Which meant remote no auth root. So pretty cool stuff. And this is just a little Linux box, it turns out. So you could turn this thing into a point of persistence on the
18:04
network. And a friend of mine I was talking to about this and he was saying, man, this is cool stuff because if you're a forensics dude and you're trying to investigate a breach, you're probably not going to look at this little box on the wall as the source of attacks. And this thing hooks up to your Wi‑Fi network so you could do maybe sniffing
18:24
depending on what kind of card is in there. I haven't honestly found out. But you could at least launch attacks from it if you were to compromise it. So interesting stuff there. And I would like to show you a little demo here if it works. So the demo
18:40
really hates me. So we're going to talk about the Belkin WeMo. I'm going to show you how to turn this on and off from your computer. So the WeMo is an electrical outlet that you can control over the network. The protocol involved is called UPnP. So NMAP has a nice NSE script called broadcast UPnP info which tells us all the
19:05
events and hosts within multicast range that will respond to UPnP queries. So it gives us the descriptor XML file for each one. So I'm going to take that and feed that to a tool here called UPnP request generator. And so it goes through
19:28
and enumerates all the devices, services and actions and organizes them into various directories. So we want the basic event service because that has
19:41
things that we want like set binary state which turns the WeMo on and off. So we're going to cat set binary state. And it gives us the post request that the UPnP request generator has made. And we're going to give that to
20:01
burp repeater so we can make that request. And I need to change this to either a 1 or a 0. We can see by the fact that there's no ‑‑ All right. So the demo gods really hate me because this little box broke like two hours before my black hat presentation. So I went to the backup demo and it
20:22
stopped like this last time. I have the video. So let me just ‑‑ no. Okay. Well, all right. We'll skip that. We'll skip that. But just you can turn it on and off from the network. But we have more demos to show you. So we'll move on to the Sonos bridge.
20:43
So Sonos is a sound system. And basically this is a little bridge device all of these speakers connect to. And then your laptop or your mobile phone or anything like that connects to the Sonos bridge. And you can feed it music from the controllers and it goes out to the speakers all over your house, right?
21:03
So pretty handy. And there's a really active community of people hacking on their own Sonos and the Sonos forums. It's kind of a fun little community of people. But the issue I have with the Sonos is that it spills all of
21:22
this information, excessive information about your controller. So if your personal laptop has all of your music on it and you're using that for anything really else besides controlling the Sonos, you know, all that information is kind of ‑‑ here, I'll just show you.
21:44
So right here we're looking at a list of network shares on my machine. Their permissions level and the UUID and group ID of them. Is this net stat? So net stat, why do I need to look at ‑‑ why is the web
22:08
interface exposed on the Sonos bridge on my network showing net stat from my personal machine I installed the controller software on? Why is it doing that? Everybody on my network can see this information.
22:23
Which one is this, the process list, I think? This is the process list from my personal machine. I cannot see that. The list of users, I think, from my machine. I have config and who am I? Who am I
22:44
running as? You get the idea. It's excessive and, you know, it's useful information for an attacker. So we said they were
23:02
smart toilets out there. You call this one. So there's a toilet called the Lixil Satis, a corporation called Lixil in Japan, of course. Name of the toilet is the Satis and it
23:21
has an associated Android application which controls this toilet via Bluetooth and there are several interesting functions on this. You can open and close the lid. You can make it play music. You control the flushing function. There's an air blow dryer from the underneath. There's a bidet.
23:45
So you can control all of this from the ‑‑ your smartphone. Now, as it turns out, there is actually no authentication within the Android application. We didn't buy a toilet and I would have loved to make a bidet spray on stage, but it's like $6,000. I'm not buying a $6,000 toilet.
24:05
We took a look at the Android application and there was no user name and password. We took a look at the user manual. There's nothing for setting up a user name and password. We looked at diagrams after ‑‑ diagram after diagram of information on the control panel. There's no place to enter anything. There's no keypad. There's a
24:22
series of buttons for basic things like flushing. And also, there's ‑‑ the app is weird. There's a ‑‑ so there's a default Bluetooth pin of 0000 and there's a whole bunch of these. I understand why it's a poo, right, because it's a toilet. I understand why it's blushing and has arms and legs because it's Japan. But
24:45
I don't understand the police hat. So this is a poo lease women as well in this Android application in a
25:00
diary that you ‑‑ or a log, if you will ‑‑ of your bathroom activity. The jokes write themselves. They really do. I was trying to figure out a way to slip this particular one in, but I can't. So fuck the poo lease. So anyway, so let's talk about the
25:21
Insteon hub. Just for a minute, imagine, though, that like you're sitting on the toilet and it starts screaming at you and spraying water up your bum. All right. So the Insteon hub, I purchased this product back in December of 2012, so just last year. Got it, set it up on my network, installed it,
25:44
paired it to a bunch of Insteon devices that I have. Insteon is essentially a home networking controlling ‑‑ home control device, right, for home automation. Once I got it set up on my network, installed the iPhone app, then basically
26:01
turned off the Wi‑Fi on my iPhone so it would take and go to the data network, ran TCP dump on my firewall so I could capture all the traffic. And what I discovered was very, very disturbing. I discovered, A, it has no encryption, right? So anybody in between me and the Internet, which is
26:20
a lot of people, could technically see what I'm doing, right? The other thing I discovered was that it has no authentication, right? Out of the box, this thing basically allows you to pull up a Web interface and talk to it without setting any
26:41
sort of authentication on it. So what I did at that point was I emailed support. I'm like, okay, here's this box. I can't put any user name or password on this. How do I enable this? And they emailed back saying, oh, you don't have to worry about that, right? You don't have to worry about that because the application, our cloud
27:02
application takes care of that. Fail. So the other thing that this device allows you to see is time zone, right? Because you have to be able to set sunrise and sunset so you can turn
27:22
on devices, you know, at night when it's dark out. That was kind of disturbing to me because I also found people tend to name these either with their address or their last name, right? I did a little bit of Google searching after that in January and went, oh, this is really creepy. The
27:41
fact that I could go to some city and basically find these devices and control people's home. Now you have to remember that this is also a device that can connect to garage door openers, door locks, alarm systems, motion sensors, surveillance
28:01
cameras. It's pretty creepy. Now, they did fix this in basically what I would call a product recall because in March of this year I got not one email but two emails and then shortly after that they followed up by actually calling me which
28:22
I thought was pretty weird. I've never had a computer call me, right? And I said, oh, I suppose I'll take the new version. So I did grab the new version. And before we were preparing this talk, I think it was about three weeks ago or two weeks ago, I plugged in the device and
28:40
started looking through it and went, oh, okay. They at least have auth on it, right? But it still acts SSL. They have hard coded a user name and password that's base 64 encoded and it's the Insteon ID of the hub which is also
29:03
the last three octets of the Mac address. Anybody see a problem with this? So I thought that was pretty bad. I mean, really what you could do is from the Internet, because all these systems in order to be able to control them from your iPhone when you're on the road,
29:22
you have to port forward in that port, right? So from the Internet, an attacker could typically or very easily run an attack that runs several days trying 16 million combinations. That's not hard at all. And I actually attempted this with burp suite. And it doesn't have any back off. So it kept going.
29:43
It was like, oh, yeah, nope, run pin, run pin, run pin, yeah. So anyway. So next we're going to talk about a little green and white box called the Verilite. The Verilite is similar to the Insteon hub. It's another home automation gateway. It hooks up your Ethernet network to your
30:01
home automation network, whether that's with Z wave or Insteon or X10 or a mix of these and allows you to control it. So it's a pretty neat device. And you can hook it up to a whole bunch of stuff. Again, door locks, garage door openers, motion sensors, carbon monoxide sensors, flood sensors, HVAC controls, all sorts
30:22
of things. So a lot of stuff hooks up to this. And as it turns out, it's got a lot of problems. So just to start, there's no authentication on the web console by default, which means that any Tom, Dick or Harry who can get on your home
30:40
network can control this thing with a web browser. And it's just as easy as like click, click, click, click. Very, very simple. You can set a user name and password on it, but it has several other problems that makes this pretty much irrelevant. So but first let's talk about their authorization, their different user roles. So you have guest user and
31:01
an admin user. There's also an information only user which can see but not control devices. The guest user can control devices but not make permanent changes to the device. And the administrator has full control over the device. So they have different user roles. As a guest user, you can update the firmware. The firmware is not signed.
31:22
The firmware is in a squash FS package so you can just unarchive it, back door it, re-archive it and push it to the thing and then back door. Features. Yeah, so the vendor, by the way, said that all of these things were features until yesterday when they emailed me after my black hat talk and they really want to work with me
31:40
now. Yeah, we saw your black hat talk in several news articles and well, we really think we'd like to work with you. There's also a settings backup option which you download an unencrypted archive from this several configuration files including etsy password and in this
32:01
embedded version of Linux etsy password also contains the hashes so there's no shadow. So you get the hashes for all users including root. So you can crack the password and then SSH in is root. You also get the hashes for any password set on the web interface and the passwords that you set on the local VeroLite
32:22
get synced with their third party server for remote access. So owning it locally means you have control over the internet now. So that's lovely. You also have, and this is my personal favorite, a little bit of functionality which allows you to just test some lua code. So you can run a little bit of lua code
32:42
on the device from the web interface as a guest. Can anybody tell me what user account it runs as? Root. So that's lovely. There's also path traversal. So you can pull any file you want.
33:00
You can get etsy password, crack the hashes, SSH in is root. There's cross site request forgery so you could trick somebody into performing some of the more nasty functions on the web interface using cross site request forgery. And on that note there's also a UPnP interface which even if you've set a user name and
33:22
password on the web interface doesn't require any authentication. So you can control all these things. And there's actually a run lua action on the UPnP interface as well. So you just always when you're on the same network have a way to control this thing to run code as root, just straight up code as root
33:41
using UPnP. No user name and password required. Even if it's required on the web interface. So if that wasn't bad enough they also have a vulnerable libUPnP version. So you can root it that way. There's a server side request forgery problem. So there's a script on the Verilite called proxy.sh which
34:01
basically just takes the URL, visits it grabs the response and gives it back to you. So you can use this thing as a proxy. And that's not so bad because right, who cares, there's all these other ways to compromise it and this is not a terribly big deal. It still should be fixed but it's still not a terribly big deal. Now the thing is, the way the remote access
34:21
architecture, I got it. The way the remote access architecture works is that each Verilite unit makes an SSH connection to a third party server run by the manufacturer. And that reaches out and so when you do that you port forward, it SSHs and port forwards a port on the
34:40
forwarding server back to each Verilite unit. Which means that if you can bypass the firewall on the forwarding server, you can directly access the web interface which of course means ownage. So it means that if you can bypass the firewall in some way, you can own every single Verilite that's out there. So that's not good.
35:00
Because firewalls are completely impenetrable, right guys? But they do at least have a firewall which is good. However, the proxy.sh script that we talked about that allows you to use the Verilite as a proxy also appears to exist, appears and we can't test it because CFAA and we don't like prison. We can't test it
35:20
but there is a script called proxy.sh.php on the forwarding server which takes the URL and guess what it does with it? Same thing as proxy.sh So there's a good chance that this is just a wrapper around proxy.sh or just recoding in PHP. Which means if they have the same vulnerability then you
35:42
can talk to proxy.sh.php and say, hey I want you to go out and fetch 127.0.0.1 port whatever. Which means that you can bypass the firewall accessing every Verilite. Now that's if they're the same and it I'm not sure but it strongly looks like it. So just to
36:00
summarize we have three methods of authentication bypass we have seven methods to gain root two attacks are remotely exploitable because you can use the CSRF in conjunction with the UPnP interface in order to launch attacks by getting somebody to click a link and there's a potential for ownage of every single internet connected Verilite so it's a pretty bad
36:22
scene and now we're going to do some demonstrations for you starting with the carrots. So, Jen? So I just flipped it on here and I'm going to just show you the bunny break I talked about earlier so right now it's loading Linux it's noticing that there's a USB drive in the back and that it contains
36:42
an auto run Wi-Fi script which means it needs to set up the Wi-Fi in a moment it's going to announce that it thinks it's about to set up your wireless connection and instead it's going to play a script I wrote that plays lol.mp3
37:06
I'm going to connect to the internet Alright we're going to hope that burp sweep doesn't crash on us today
37:36
Ready? Ready? Alright so the first one we're going to talk about here is the
37:41
Insteon Hub so we've got this light up on stage connected to an Insteon device and the Insteon hub basically is connected to our little network here So this can everybody see that? Hopefully a little bit better
38:02
So this is basically a raw get request right? There's no video on the screen? Don't unplug it, don't unplug it that made burp crash reliably
38:31
Can you see it? We're not going to be able to see the Do you see what's on my screen?
38:41
No it's not mirrored It's not mirrored Alright do you see something coming across? Cause I have no clue what's on the screen here Can you try turning mirroring back on? Yeah I can do that
39:05
We could do that Alright so here's the raw request Hopefully people can see that
39:23
Zoom out? Alright good so here's the raw get request basically what this is doing is sending to this three script I'm assuming it's some sort of code that's turned on there This request which contains
39:40
this device ID This is the device that's sitting up on stage So if we say go Turns the light off No authentication right? Yay we won Alright I'm going to turn it back on and hand it over to Dan Thank you David Remember that can be connected to your lock
40:02
So they say that if you put a gun on the table in act one you must fire it by act three We have a lock on this table We don't have a gun But we're going to lock and unlock this lock So here's the lock Locked And I can send a UPnP request here
40:21
And you'll note that there's no username password, anything in here And so I can hit go And this changes the state of the lock This is through the vera Yeah Thank you Now I have one more trick and I'm going to need to volunteer from the audience
40:46
Great, thank you monkey For those of you who don't know Vis, this is Vis Thank you for helping us Vis What I'd like you to do is choose a pin
41:02
Any pin Let us know what it is Try to open the lock with that pin It's alive
41:27
So what happens when you put in a pin that doesn't do anything Like 2355 Nothing happens So what I'm going to do here Is add an additional pin
41:43
So you said 2355 2355 So I hit go and we'll give it a second or two To sync up with the Lock there And what I want you to do is go ahead and press the same pin Press 2355
42:02
Let's try this again
42:25
Alright, that does it That's all our demonstrations I hope you enjoyed the show Please tip your entrances One quick thing, conclusion Basically all these devices are internet connected And none of these manufacturers are doing The due diligence to put security into it
42:40
That's a pretty bad thing, right? Malcolm's doing alright though So, thank you