hello everyone thank you for coming and we are wearing scat you said you do two showers such at.com our presentation today is to talk about the scooty of small speakers we found unexploited some well abilities to attack Assam valid speakers such as Shami a a speaker and Amazon echo first

place name introduce Matt image and myself nutrition is a squaddie research Alton simply team he had fun several well abilities in enjoy and he was the Speaker of Hagin boss and he worked with us to complete all the work of horse daddy unfortunately he's not Howard today and this is my teammate chairman Zhang he's also security researcher front and supply team and he's top 100 in the world had an ace to offer mal see and here at a book horn and what I had to talk about the web browser security and the man line is we and you commit and you can come in Nikki I'm a security researcher detention 30 also about 100 winner gig Pam and speaker of haggling in the post and POC and here we would like to send some people especially negative and he may expedite was another support nursed Nami introduced the

tension played team our team confront ensign security plan phone Department now we are focusing on the security researcher of AI Alta to assist mobile devices in the past two years we have found more than 17 security vulnerabilities for many companies such as Google and iPod and you can contact us sue at played attention calm before we start our presentation let's take a brief look at all tonight first we will give an introduction to smile speaker and then we will talk about the attack surface or smothered speakers then we will show the details of remote attack show me a a speaker and how to breaking a Mizzou Michael at not we will summarize our research smaller speakers

is the most popular Mahanta Z's in the past two years Amazon Google iPod understand Chinese and winters has released their own smothers speaker products the Amazon echo family is the

most populous male speaker on the market it has more than 30 mini users and the many people are wearing interests what we're interested in is security so we choose is our search target

another research target is Jame a speaker sham is because were popular in China because it can control many small atrocities in Xiaomi ecosystems next night evening Aliza attack surface of the small speaker in smothers speaker architecture is many include three parts the first the first part is male speaker device the secondary is crossover and the nasta is mobile phone application the text surface of this architecture contains contains many parts the first part is the hardware interface and the network of Wars of the speaker device the second part is the scottie over the mobile phone application the third party is the skirty of the crossover and there's a nice party the security of the communication protocol peach insane then I will talk about how we can explore more temporal abilities to remoter attack show me a speaker this include fell apart show me a speaker had

appeared in system based on open wrt it iterates the SH service or desire border and the firmware of the speaker committal OD is an Impala HTTP request but we cannot replace the firmware with the man in the media attacks because of his security mechanism in addition it opens up another worker purse and the five four three two one is the communication part of the me ryos protocol mile protocol is used to

configure and control mohanty was this man Apache on me it is in corrupted the panel protocol after allies in the firmware of Jamia speaker we found that the data included in the mail package while paddling into you path commanders and is QT the path shown me a speaker with root permission so if we can simulate thomas malthus's to communicate with the jamia speaker we can use this protocol to it's cute Ruta commander which is a route commander Kushan well uppity in nine new order to exploit this vulnerability we first needed to establish collection with the speaker and past the association of male part protocol this we are required to obtain a a scheme for connection because his king as total this token is sixteen Peters tree to kill this token we need to use the me home application to repent the speaker to attack the omec account then I extracted the token from the applications telophase we found interface was Authority availability so we can only need to get the to us idea to am to UM band I need to speaker device and we found that you a society can be obtained by sniffing in the nine

after cutter the token we can use some tours to collect the shamea speaker pepper Mia Oh protocol there we can't understand you pass commanders to the speaker the first commander is used to modify the drug beer configure fear and the second commander is to turn over the top beer password authentication felony we needed to start the top beer after is

cutie disease cubed commanders we can fix the success burning to assess the ssh of mira speaker and logging without passwords and it means we have obtained the root permission of the speaker your

addition we found out another one ability yog program called message agent which is used to include key key communication between the speaker and cloud servers well user control sunless because the function your mobile phone the application communicates with the cloud server first then the cloud service and the device ID and commander to the message agent then the message edge where is QT the commander we found the two special web interfaces why is remote you bus which she can call the you bus service remotely and a Lada is yuba remote OTA the the commanders and the bio coordinate is in the face will be acute either using the system function so which is a remote assistant commander excuse availability there are

two pieces of the well ability codes that are Eliza the in the using add a pro one cell felony calls the u-pass service and the second a felony in work is the system function since these to learn about web interfaces have a technical education if we want to explore this vulnerable remotely we have to get the users cookie for the speaking bonding in the natural research we fund to access one abilities encounter Tommy calm which allow us to remote honestly are not number of me I a speaker users cookies so now we we can explore these vulnerabilities to companies attaching of remote any opportune the root permission of me a a speaker now not take a brief look at the

first demo video this video demonstrated the two one abilities we mentioned the

first part of the video demonstrated the connecting to the speaker we are SSH in the night and control the play a piece of audio

because this yummy ASP God doesn't speak English so we can tell the CEO Chinese meaning we know winner chicken dinner you just taken that video the week she misses me smaller speaker is the remote controller past the attack after can enter a URL

okay now we were finished the section on Samir speaker now to talk about how to predict in a maniacal these include six parts and now we are quickening talk about the previous four parts and the inspirati tail and the audio video we appreciated by my teammates first let's have a pillow fight not have a brief look at the Amazon echo in turn uni we need the second generation echo family of the Amazon echo device to use similar hardware and assistance so we choose the I co-taught as our test to Isis Amazon echo that has the purines fair OS which is actually a system based on Android in the turns and s in UNIX and ASR locks the portal order and they either had a USB interface but a cannon used for charging we also focused on that were posed by scanning as a bikini which had

to carry the firmware for non turn are awake are lasting so we choose to start with the hardware and he started the front we are directly from the flat shape in order to extract the firmware from the flagship we need to probe prepare a lot of hardware to us which included the hot air gun soldering you are reporting to us and so on

okay this is the second demo video this video shows how to do so disorder the trip from the PCP in seat minis and is then reborn in the cheap - Civitan we top out the video speed the most important ascared is to choose a suitable temperature and be careful okay when we disorder the disorder and

the reporting the chip we needed to choose a suitable cheap adapter according to the cheapest data sheet Amazon echo use the PGA to to unpackage IMCP chip which we can isn't impact aperture on Taba or ebay and we also camp a universal emmc reader and are connected to that adapter to the USB reader device so that we can read it under either the phone we are content in the mCP trip easily and this is a disk

partition information we extracted from the flash chip it contains many parts such as the preloader button order putting my sister and so on when we call

it the firmware we had another important scene to do tell is to modify the firmware to create Amazon echo thought with the route permission this can help us quickening to Pakistan well abilities because the Amazon echo that turned on se-eun occurs and the logger to the put an order we cannot drag attorney modify the boot image to a tree root we need to close a see in UNIX and then others the superuser a binary file to the system and start and then we need to open the season a DB function we add these operations to a shell script that Stodden auto not mag attorney so that I returned the system ports it can make sure we can color the egg hotel Frannie's USB interface and get the root permission

after completed this oh okay sorry and this is the starter demo video to shows how to solder in the trip after company

this is a modification we need to resort the flash chip packet to the PCB this video demonstrate how to reorder the chip area to the PCB in three minutes and to save time we also double the video speed okay

before we complete these operations we have cut a routine I co-taught and okay my party is over thank you for listening now place the welcome mat he made chairman Zhang

okay hello everyone and now I'm going to give a talk about how to turn an echo to an eavesdropping device on the basis of software earlier my partner has give a great talk about how to hack into the echo device on the basis of hardware the physical hack is very important without that exploiting will be much difficult for me so how many steps would

it take to hack into a device the first attacker exploited and then the victim connects to the hacker and that's the hacker to whatever he or she wants to do yes the step is simple but on a well-protected system since we all get a little complicated since we already caught the firmware and debugging environment we are able to check the restrictions that a modem has set up for us so first please allow me to introduce

protections we need to bypass first there are three firewalls or firewall acting's the system use IP tables to allow only a few ports from accepting connections and the the selinux is also enabled we managed to find a binary with high privileges to bypass it this binary is the vulnerable program using the fixture and it has a webserver activated to communicate with it we must pass a client or NKT TLS handshake that means we must get a certificate and other things but those certs are obtained from the clouds and organizing in other word we need to gather cards and pronouncing information of other devices so a checker is always happy to

see there's a web server available that explains why we choose this binary to be our target in the next few slides please allow me to introduce some background information so we can go through these things more clearly

so what w80 which is a whole home audio daemon it is a huge binary runner at the root and with network access and is able to record a voice also the most excited part is it would open a web server the HTTP server runs on port 5 5 4 4 3 and it accepts control comments but things

are not going as we wish it to be the HTTP server introduced clients often KDT is handshake that means we must have a server certificate client certificates and a private key to communicate with it that it sounds difficult but we have also noticed that the physically rooted device can also pass a check and communicate with other devices so the information must be stored in somewhere by reading the document of live occur we know we can stretch all certificates and private key from live curves negotiate function on rooty device to do the trick

the first thing we need to do is to find our rooty device into victim's account our explain is why while we do this later

by auditing eminence websites we have found two XSS and both need to steps of users action so we decide not using them but the XSS here is fatal you can't do privacy or control the device with a cookie obtained from FCSS because Alexa dashboard is the lake of modern protections such as CSP which is a content security policy and HTTP online protects yes by using the s XSS you can get the same results of what we will talk later but we also found another method which is the quickest and easiest way for us that is to spoof and Amazon websites we have found that every time

when we log into the ELSA there's the open ID login page and there's also a redirect parameter in the URL by modified that parameter it will redirect to any domain which is a subdomain of amazon.com in HTTP since we want to mimic an Amazon's website so we don't want to mess up with the HTTP certificate so we'd like to have an HTTP downgrade redirect and luckily we have found the site associated to redirect to amazon.com it's validating rule allows to downgrade to http it also have some vulnerabilities that could be that could be redirect to other sites which is not belongs to Amazon and leaking some token from Open ID but now the onion C we need is the dumb grade okay we want to spoof

Amazon's website inside victims land but there are two preconditions the first one is the attacker you need to be joined the victims land and the second is we need to find an Amazon domain which resolves to a local address and attacker can be joined in to the land with such IP address and both are not hard to be satisfied you can get a list of subdomains from Google transparency reports then you can disturb DHCP to use the static IP address to join to the land we have

found the app service which resolves to a local address if a checker could join land of victim with that address then start our web server when victim tries to read each app service Tom dong calm in his Auto browser actually the routine victim is visiting the hackers website also because it has a root domain of amazon.com the cookie will be sent to the attacker automatically from the problem to sum up first

the attacker joins the land and when victim logging from the Alexa login page with a redirect parameter set to associate retiree to amazon.com and when weak team finished the logging the page will redirect to associate redirect to amazon.com then these sites we are done great and redirect to F service to amazon.com this domain resolves you a checkers computer and the user we are finally with each the attackers websites with a cookies into it then the attacker bind his device into victims account using the cookie and finally we can communicate with other devices of victim and the first problem is solved we have got a device could pass the first check then we will use that device to each stretch certificates and private keys from negotiate function but first I like to show you a simple picture about the architecture which shows how what has a device info when it starts and why we need to find each planet into victim's account first if you have many devices in your accounts the aware group as a cluster automatically when Alexa T starts it will obtain information from Amazon server and when what starts it will care those information from Elsa T and when a device wants to update something the elessedil will notify the Amazon server and the server will later notify all other devices in that cluster to synchronize because the key will

change when what starts to automate the exploiting later we choose to touch the world the world will periodically send an HTTP request to other devices you know if they are still online by replacing the negotiate function to the assembly called written by us we can the certificates to a local file it is simple and Vallance anyhow to watch so we don't need to crack the complex algorithm since

everything is taking place on attackers device to simplify the environment we have disabled all protections under physically healthy device the code is a little complicated so we are not going to talk about this now you may check our github page to get the full code in assembly so in another word we try to dump those things to three files and use them later in the attack

now we have deals with clients ausangate function authentication problem every time before we want to perform an attack we run the patch the ward to get the certs and private key then we can go to the last step to break the vulnerable program what on victims device since we

are going to attack it there must be vulnerabilities to be exploited so let's back to the binary auditing so we have audited almost every binaries and we found the binary return by Amazon themselves are secured by destroying but we have also noticed that echo is using the very old version of the third-party libraries they are all nearly four years old you can see the fifth you can see the picture it shows they are using some code of Year 2014 so also Amazon tries to apply security patches to them there are still many end days and there day vulnerabilities there goldmine

ok it's time to take the code that is to attack the web server and get control of what and how the feeling for you to audit some code written from four years ago maybe a little relax I guess because old code with the poor test often leads to serious problems it took me a week to find the treasure but when we first find the exploitable function nobody in what caused it luckily Amazon updated the binary 2 months later and we have found that a lot of functions are referencing this function the root cause of the vulnerability is the library has finer has failed a condition check and such a lot of vulnerabilities haven't in synchron's

let's take a look at the questionable code first you can see the compton learns is a useless polite code and seaweed web tries to get the value from htb header and convert it into an integer the atoi accepts negative numbers as input and will return a signed integer what I don't quite understand is why they convert the value from signed integer to and sign here if the virus is unsigned the code if continence is greater than zero is actually equals to if counter lens is not zero so maybe the unsign here is a typo and net the if check net q1 equals to the biggest number of unsigned int so we will also pass a check and then the number plus one is again an integral flow the result is zero Emma log zero is valid because echo system is used in DL malach awesome as Emma log algorithm as the menu says even input is zero it can still allocate just more buffer for you to writing net in the mg read call there's a heap buffer overflow we'll talk about this loom and there's a minor one the post data bracket content lens assigned to zero we are at zero at negative one position leave the string not 0 terminated that is a potential information leak because this if this function is used to get the parameters value so it just like the chess bad move my list you atutor loose okay let's prep to the hip after all flow the topless malach Chioma log zero will allocate sixteen bytes that means eight bytes of a metadata plus eight bytes buffer well we can write about a tattoo in the empty read data read from HTTP request is written into buffer the good thing is this function will fix the input to lens so if we are giving the huge number as we did it we have fixed our learns to Rio de talents remains in the stock buffer then it will copy the data from sake - Emma lock buffer so you will try to post the string lunders and HBase there'll be a hip buffer overflow so do you remember the size of Emma lock is controlled by user we can send content learns to control it if we don't send the for HTTP request by omitting the terminating return carriage and newline the Emma lock key buffer will remain in the memory without being freed when we need to free the buffer we could simply send the remaining within carriage and new line then the connection is closed and the buffer is freed by the way the MG read will write anything including zero charge to buffer so it is very common for us to exploit since we can control

the content of heap one thing we wanted most is a vulnerability to bypass a SAR that will be cool for us to do the heapify overwrite and hips very later

first let's talk about the he pries hip spree part if we want to exploit it we must try to control area to put our shell code in the anonymous memory is a good place large heap allocation requests cause the m lock to use m mapped and anonymous memory is controlled by the m map special variant of the arm lock although there's a hundred of threads running in the background there's only we want to allocate such huge memory because algorithm of the m map the the address is started from predict poor wrench even when SAR is enabled you may check the article in our reference in the last page of this list to know the detail in our case we have got an address that has a good chance to be located we have got this value by just run the program again and again and it is as pure experience value

so after we can we have got a buffer to put our shellcode we may also need an information leak to do the rest of things the IOT device is different from the desktop applications there's no screen for us to know the results so if the leak the data is sent to us through the network that will be great finally an information leak of lab occur in FTP connection is proved to be exploitable by the way this is an end a vulnerability so labcoat don't give the POC but we try to reproduce this problem from live across patch and test cases we see to trigger this vulnerability we need to reuse a core handle that means we need to use same handle to connect to the same FTP server not destined twice

ok let's back to the program logic of what we have found the control comment his name is download audio normally it should download only a single file and the co handle is closed but we have thought into the code deeper and found that if the extension is PRS it's a way of parse the POS file and use the same curve object to download every file in it and from the second connection curve where we will reuse the FTP handle and trigger the vulnerability the picture shows the detail of the file we use PHP redirect to bypass the protocol restriction of what also if the POS downloaded successfully what were used to catch and we are not accept the same request twice that means if curse FTP function fail to leak any bites unless it is restarted what will not accept our download request again and we don't want to see this happen so we check the code branch and found if one of the URL points to a file that doesn't exist there'll be no catch so we can send the same request as many times as we want t?o really can address

we use the pricing script to automatically adjust the payload and finally you have found the size 103 we are reused a freed hip area which contains an address point to a function of a curve and based on this address we can calculate the loading address of a curve and furthermore address of every libraries because the LT taught SL will load DT needed libraries in sequence so you can simply calculate next or previous libraries at address by plus or minus the length of our adjacent as a library so we have everything we need so

how do we execute a code the web server is powered by open SSL an SSL object is created when our request is coming so if you happen to read the source code you will find there are many function pointers in that object when live C which web wants to response something to the client SSL rights is caught so all we need to do is to override the SSL right pointer and to simplify we have found a fast way to trigger SSL right it was send more form HTTP version well this is a coding the older version of lab CVT web this code only work safely in Linux you may try whatever happen if you come has it even Visual Studio in summary we have got six

attacking primitives the first one is to restart the world so we can cause we can cause an exception in what in case we can't lead leak at address or start for a long time we may want to restart the program and give it another try and other five primitives are also listed here so now all we need to do is to compile them to get a remote code execution so now it's time to pong

we have to say it has a possibility to fail because the background stress are messing up the heap and another reason is in the last step the memory condition is a little like to fall into a risk condition problem we have a connection to overwrite the ssl objects of another connection if anything of the thread be written is called before the Overton's is done it's a way of feel or if any background thread caused a CCTV desafio to for for piles testing gadgets we have 14% chance to set the PC value to it but the real life gadget is 6 time longer and the success rate is down to about 8% but the good news is what we are respond of after it after is well sorry the good news is the what will be respond after crash automatically so we can do the exploit again and again that that is to entrust entrust the heck to time the average success time is about 13 minutes in our laboratory with about 10 tries if we can control the PC we

need the last thing to start evil joking that means a shellcode we use function offset from library plus leaked libraries load address to get the function address in memory we added to handler for 6 agree and support with infinite loop in our shellcode to prevent any background stress from crashing the process we have also not the lengths of metadata of the memory page where shellcode are placed to prevent this page from being freed we try to use the class or the recorder to record a voice and send it by TCP to attacker and the voice is recorded in PCM format and the shellcode could be found in our github page too and finally you can see we have deals with every problems what is now turning to if dropping program is is it was dropping in the background and sending every voice data to the attacker do you want to watch the video of course we have prepared a demo video which shows the whole story

[Music] this is a normal echo dot and the left

part is a tacher server and the right part is exploiting script when the exploit suggests the victim will come up to us and you can see log is shown on the left

oh do we have any meeting tomorrow yes oh do we have any meeting tomorrow yes

yeah that's it

so you don't need to worry about this the vulnerabilities we have found have all reported to the developers and fixed in the June 2018 Amazon has already automatically updated echo devices with security patches and the vulnerabilities we have mentioned are already or fixed and you can found a code and contact information our github page and last a little head tips from our experience the first to hack an IOT device you need to get the firmware first and is that it is good to master all kinds of soldering and firmware extraction methods and web plus binary vulnerability is often equals to remote code execution and the most important thing is to be patient your hard work will finally pays off and so thank you for listening and sense my partner too if you have any [Applause]