IoT VILLAGE - Exploiting the IoT hub: What happened to my home

Formal Metadata

Title: IoT VILLAGE - Exploiting the IoT hub: What happened to my home
Number of Parts: 322
License: CC Attribution 3.0 Unported: You are free to use, adapt and copy, distribute and transmit the work or content in adapted or unchanged form for any legal purpose as long as the work is attributed to the author in the manner specified by the author or licensor.

Content Metadata

Abstract
In the home IoT service, the IoT hub is an important device that links users and various things in the house. What are the security threats to these hubs, and are they securely configured? This presentation explores the importance of targeting IoT hubs in the home IoT environment and the role and features of the IoT hub in the IoT environment. We will explain the analysis process and related issues about the vulnerabilities of various IoT hubs discovered through the research, and present the threat scenarios that may arise in the home IoT service. Finally, we will talk about what security factors to consider in a home IoT environment, including the IoT hub, and how to solve them. We found various 0-days (buffer overflow, command injection, local privilege escalation, backdoor, etc.) for IoT hubs in terms of the STRIDE threat model. In addition, we can show the practical threats in a modern smart home by exploiting the IoT hub.
Transcript: English (auto-generated)
So hello, thank you for coming to our presentation. We're gonna talk about exploiting the IoT Hub, which includes attacking the smart home by compromising IoT devices, and some countermeasures for this attack. And I know that the IoT village is also running their data track and CTF track, and maybe this talk is helpful for those who are participating in the tracks.
So my name is Hyunwoo Lee, and I'm a graduate student of HCL lab at Korea University, and I like to play CTF, and I'm currently participating in the DEF CON CTF final as DEFKOR00T. And I've been researching on open source software targeted fuzzing and contributing to their security
by reporting the found bugs, and I got some CVEs. And I'm also interested in embedded security such as IoT and SCADA and so forth. We're also mentees of Best of the Best, also known as the BOB program, which is a cyber security expert educating platform in Korea.
Hello, my name is Chang-Hyeon. I'm working in a cyber security consulting team at the company UI Korea. I'm a graduate student of Songyong-gun University, and I'm so excited, but also a little nervous giving my first overseas presentation. Thank you.
Thank you. So now we will introduce the agenda of this presentation. We'll briefly explain the structure of the smart home after the introduction of this overall talk. And we'll analyze real-world case studies of threats that may arise in the smart home environment.
Next, we'll conduct vulnerability analysis for different IoT devices. We found 20 vulnerabilities, and we'll describe their types. And we'll suggest feasible attack scenarios by chaining these vulnerabilities. Then we'll briefly outline the countermeasures required to prevent these attacks, and conclude this talk.
So now let's get started. In 2016, there were Mirai infections targeting IP cameras and home routers. The attack targeted a large number of internet-connected devices to form a botnet which was used for large DDoS attacks. In fact, the vulnerability used for this attack is quite simple, but fairly critical.
Attackers can easily compromise those devices just by cracking the password for telnet, which means that there was no security consideration in IoT devices. In 2017, a new internet-based botnet called Persirai was discovered targeting over 1,000 IP camera models.
The vulnerability used for this attack was command injection with authentication bypass, and approximately 120,000 IP cameras were found vulnerable. However, the worst is that many of these vulnerable users didn't recognize that their IP cameras were exposed to the internet.
There are also cases of attacks on different routers which are used widely in the world. Even the exploit codes were released on the Exploit-DB website. This attack consists of only two vulnerabilities as well: command injection and authentication bypass were needed to compromise the routers. Likewise, attackers can download and execute
the malware on the device and build up a botnet to fully take control of the devices remotely. So, now let's focus on the security of the smart home. The IoT Hub connects all the smart things in the same network area and communicates with a remote server for management, so it is considered a vital element in the smart home environment.
The Hub device is also connected to the internet, which means it can be attacked as in the previous IoT exploit cases, if an externally accessible port is open or attackers can access the same network area. In fact, Cisco Talos Intelligence
recently released vulnerability analysis results on the Samsung SmartThings Hub device. The found vulnerabilities include command injection, buffer overflow, and information leakage, and these vulnerabilities can be chained together to form a full exploit code compromising the Hub device. So, as you know, the IoT threats are still ongoing
and countermeasures for these threats should be considered urgently, I think. So, we have conducted threat analysis and found many vulnerabilities for the Hub devices made from different manufacturers, and we want to share the results from now on.
Yes, next, I will talk about the structure of the smart home. According to this diagram, smart home services can be broken down into application, platform server, IoT Hub, and IoT Things. There are times when there is no need for an IoT Hub,
but it is present in most smart homes. I will now explain more about the IoT Hub in detail. The IoT Hub manages small devices in the smart home. It supports wireless protocols like Z-Wave, Zigbee, Wi-Fi, Bluetooth, and so on.
Also, to connect to a platform server, it uses diverse provisioning protocols. These protocols include TR-069, MQTT, CoAP, HTTP on M2M, and custom protocols.
Next is the process of IoT Hub. The IoT Hub process is composed of four steps. First, the smart home service app will register the IoT Hub with the server. And second, the IoT Hub performs a user authentication through the server.
Third, the IoT Hub and the Things go through the process of pairing. Finally, the user is able to access the Things through the application. So far, we have covered the functions of the IoT Hub in smart homes.
Now, we will explain why we chose the IoT Hub as our target. Our first reason is that once the IoT Hub is taken over, it is very possible to take over everything connected to the IoT Hub. Because of this, there would be many possible scenarios
like router exploitation. Furthermore, we imagine that through the exploitation of the IoT Hub, we would be able to hack difficult wireless protocols, such as Z-Wave. Lastly, our most important reason for choosing
our target as the IoT Hub was for Bonnie and we are both. Now, we will find out more about the smart home and IoT Hub and the various threats.
This picture shows the threats that exist in smart home services. I have separated the threats into two groups: the external part, which is outside the home, and the internal part, which is inside the home. I have only included points that were important
in my opinion. In the external section, the primary threats are the supply chain attack on the firmware server, auth bypass, and man in the middle. In the internal section, there are memory corruption, command injection, LPE, and man in the middle.
And very important threat is remote control of things. And now we will consider real example of a threat in each section. This case is a mobile application. An example of a threat that can occur outside the home.
One is able to control another devices using one's own application. There are two examples in the internal section. We will first examine the one concerning the IoT Hub.
Recently, many vulnerabilities have been discovered in the Samsung IoT Hub. The threats included are RCE, DoS, information disclosure and injection. This one was discovered in Z-Wave,
which is a wireless protocol. It was using the default encryption key. A man in the middle attack was possible, and now the first has been patched. Let us take a crucial look at the IoT Hub
to run more precisely and carefully into the potential threats of the IoT Hub. We drew a threat model based on STRIDE. As you can see in the flow diagram, the IoT Hub, indicated by the dotted line, is connected to the other sections including the platform server and things.
The IoT Hub has many processes and flows. A process is a circle, I mean, and a line is a flow. A lot of threats and attack vectors exist because of this.
Yes, in the table below, each threat is explained; now we will talk about this in detail. Threat number 32 is the potential lack of input validation for pairing. We will now present a specific example of an instance
when the threat was properly exploited. My partner, P1, will take it from here. So from now on, I'm gonna talk about vulnerability analysis for the IoT Hub. We analyzed a total of four products.
For each product, the CPU architecture is classified as ARM and MIPS. Also, Z-Wave, Wi-Fi, Bluetooth, and RF are used for wireless communication between the IoT Hub and smart devices. And the IoT Hub transmits the status information of the device such as firmware information,
certificates, secret keys and so on to the server via provisioning so that the remote server can manage the device, such as automatic updates, device registration, connection, and communication with the mobile application. So, company A uses TR-069 as provisioning,
that is the customer premises equipment wide area network management protocol, also known as CWMP. And this will be explained in more detail later in our slides. And company C uses the MQTT protocol. MQTT is a machine-to-machine internet of things connectivity protocol.
And it was designed as an extremely lightweight publish/subscribe messaging transport. To manage IoT Hub devices, there are management services in the form of a web application or something else. Web applications are usually developed based on open source such as GoAhead for the web server
and lighttpd, but nowadays it seems to be a trend to customize the source or develop the service directly from the manufacturer. In addition, we confirmed whether we can access the debugging shell from remote or from the UART serial debugging port. As you can see, we can get a debugging shell
by UART for all of the target devices. So, there are six steps to analyze IoT Hub devices. First of all, extract the firmware, because the functions that need to be analyzed are usually embedded in the firmware. Second, acquire a command shell for debugging. When you access the shell, you will notice
which processes are running in a key role. Those will mainly handle lots of requests, and once the main binary is extracted, we can analyze the vulnerabilities and finally exploit them. There are roughly three ways to extract the firmware. Through the provisioning, the remote server
checks the firmware version of the Hub device and performs an automatic update when the version is not up to date. At the same time, the updated firmware URL information can be obtained and the firmware can be downloaded. Another way to get the firmware is using the UART debugging port. As it can run all commands in the debugging shell,
we can extract the desired binary through commands like TFTP, FTPGET, cURL, nc and so on. Also, we can use JTAG instead of the UART, but we'll skip it because it's too expensive. So, if both methods are impossible, there is a way to dump the flash memory directly.
There are many ways of dumping the flash memory, but in our case, we used Arduino UNO equipment. In addition, we can also remove the flash memory chip through desoldering for a memory dump. Next, we need to acquire a debugging shell,
usually using the UART method. Sometimes, it's easy to get a shell if the telnet or SSH port is open and it's set with a default account which can be easily cracked. And the Mirai attack exploits this type of vulnerability. And usually, a login account is required, as you know,
when accessing via UART or telnet. Then, how to log into the shell? Let's suppose the firmware is extracted already or obtained in a different way. Then, we can search the hard-coded password or check the password routine by reversing the relevant binary containing the login-related functions.
Sometimes, the password is written in the config file and we can find it easily. Then, what if you cannot get the firmware or do not know the password? Is there a way to log in even if U-Boot's boot delay option is set to zero? You know, U-Boot is a boot loader handling lots of tasks such as system initialization,
kernel image loading and execution. Normally, if the boot delay option is set long enough, we can get to the boot loader prompt and change the kernel image booting option. But otherwise, we'll have to short the NAND flash chip. The principle is that connecting the ground pin
and a particular pin of the NAND chip causes a kernel image loading error and can lead to the boot loader prompt. After entering the boot loader prompt, we can set the bootargs option by adding init=/bin/sh as a string and then reboot. Then, we can get the UART debugging shell
with the root account. Next, identify the main process. Since the program startup commands are usually defined in the startup script file, we can easily find the main process. The network status check command tells you which ports are open and which processes are running.
There are five categories of vulnerabilities we have found. Let's take a closer look at each one. When sending a payload to a web application, it usually validates the session value, and we can bypass the authentication with a simple URL trick.
As you can see, if the request URL ends in .css, .gif, .jpg, et cetera, the validation function for a session is not called, which means we can bypass the authentication routine. In some cases, the program itself creates a session value with non-randomness.
In this case, we can bypass the authentication by generating a forged session value. In fact, this is one of the vulnerabilities used in the recently released Jupyter route exploit. As you can see, the first vulnerability is authentication bypass. This was done by putting a "?images" string
at the end of the URL. Attackers could easily bypass authentication by inserting certain keywords into the URL and succeed in remote code execution with the second vulnerability, command injection. The most common but fatal vulnerability is command injection.
The vulnerabilities could be exploited literally by inserting arbitrary commands into certain headers or parameters. This can reliably execute attack code without the need for bypassing mitigations like DEP and ASLR. As you can see in the image, if you inject a command into a certain parameter,
it is passed as an argument of the system function without sanitization, resulting in command injection. So as you can see, one simple command injection makes it possible to access the system remotely. This is the most attractive vulnerability for attackers.
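The two web-side flaws just described, a session check that is skipped whenever the request URL ends in a static-file suffix, and a request parameter that reaches system() unsanitized, side by side with hardened versions and a small detection helper. This is an added Python example for readers of the transcript, not code from the talk or from any of the analysed hub products; the session store, the /static/ path convention, the ping endpoint and all function names are assumptions.

```python
import posixpath
import re
from urllib.parse import urlsplit

# Constructed sample session store; a real device keeps this in its web daemon.
VALID_SESSIONS = {"sess-9c1f2a"}

# Extensions the web daemon serves as static content without a session.
STATIC_SUFFIXES = (".css", ".gif", ".jpg", ".js")


def vulnerable_is_authenticated(url, session):
    """Pattern described in the talk: if the raw request URL ends in a static-file
    suffix, the session check is never reached, so any dynamic endpoint can be
    requested by appending a query string such as '?x.jpg'."""
    if url.endswith(STATIC_SUFFIXES):
        return True
    return session in VALID_SESSIONS


def hardened_is_authenticated(url, session):
    """Decide the static-file exemption on the normalised path only, never on the
    query string, and only for paths under the static directory; everything
    else requires a valid session."""
    path = posixpath.normpath(urlsplit(url).path)   # strips '?...' and '..' tricks
    if path.startswith("/static/") and path.endswith(STATIC_SUFFIXES):
        return True
    return session in VALID_SESSIONS


# Allowlist for a host parameter: letters, digits, dots and hyphens only.
HOST_RE = re.compile(r"[A-Za-z0-9.\-]{1,253}")
SHELL_METACHARS = set(";|&`$()<>\n")


def vulnerable_build_ping(host):
    """The parameter is concatenated into a command line that system() hands to
    /bin/sh, so shell metacharacters inside 'host' become extra commands."""
    return "ping -c 1 " + host


def hardened_build_ping(host):
    """Validate against the allowlist and return an argv list meant for
    subprocess.run(argv) with shell=False, so no shell ever parses the value."""
    if not HOST_RE.fullmatch(host):
        raise ValueError("invalid host: %r" % host)
    return ["ping", "-c", "1", host]


def looks_like_injection(param):
    """Detection-side helper for request-log review: flag parameter values that
    carry shell metacharacters."""
    return any(ch in SHELL_METACHARS for ch in param)


if __name__ == "__main__":
    probe = "/cgi-bin/config.cgi?x.jpg"      # constructed request URL
    print("vulnerable:", vulnerable_is_authenticated(probe, None))
    print("hardened:  ", hardened_is_authenticated(probe, None))
    print("injection flagged:", looks_like_injection("127.0.0.1; id"))
```

The hardened path check normalises before testing the prefix, so a path such as `/static/../cgi-bin/x.css` is treated as the dynamic endpoint it really is; the argv form of the ping command removes the shell from the picture entirely, which is what makes the allowlist sufficient rather than a best effort.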
Now, this is the very typical vulnerability, buffer overflow. In fact, many of the IoT devices we analyzed didn't have secure coding applied. So we focused on the vulnerable functions like strcpy, sprintf, memcpy, and so on to find buffer overflows.
As you can see from the image below, the functions are used quite a lot. Now, on some devices, we could find functions that simply execute commands. This function is assumed to be used for debugging from the perspective of the developer. However, it is considered a backdoor from the attacker's point of view.
Unlike most cases, in this picture, the name of the function is too clear that it is a backdoor. However, the function is usually hidden and some constraints should be met to execute commands. Likewise, you can control the device very easily. As you can see, we inserted command creating directory
on the command parameter. Then, we can create the directory successfully. Lastly, the local privilege escalation vulnerability. There are many ways to elevate privileges on Linux embedded systems. Sometimes, in an embedded system, the privileges are separated as root and user
so that certain processes run with a normal user account. In this case, the account accessed via telnet is a normal user account. Elevation of privilege is required to execute commands as root. Instead of Linux kernel exploitation, we'll show you privilege escalation
by using a logical bug, which is a user-owned file executed as the root account. As you can see, the user account is Linaro. It's a normal account. And the rc.local file is a startup script that is executed with root permission. And it executes the serial.sh file as a command.
However, serial.sh is a user-owned file and can be modified as a normal user account. If we insert a command to change the password of the root account into the serial.sh file, then we can access the system with the root account successfully.
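An audit for the logic bug just described: a startup script that root runs at boot (rc.local) invoking a file that a non-root user can modify. The following is an added Python example for readers of this transcript, not code from the talk or from any vendor; it walks an extracted root filesystem, and the rc.local contents, the serial.sh permissions and the hubd name in the constructed demo are assumptions.

```python
import os
import shlex
import shutil
import stat
import tempfile


def referenced_scripts(rc_local_text):
    """Return absolute paths a startup script invokes (any token starting with
    '/', comments stripped). Good enough for typical rc.local files."""
    paths = []
    for line in rc_local_text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        for tok in shlex.split(line):
            if tok.startswith("/") and tok not in paths:
                paths.append(tok)
    return paths


def weaknesses(file_uid, file_mode, dir_uid, dir_mode, trusted_uid=0):
    """Pure check on stat() results: anything that lets an unprivileged user
    change what root will execute at boot is reported."""
    problems = []
    if file_uid != trusted_uid:
        problems.append("owned by non-root uid %d" % file_uid)
    if file_mode & stat.S_IWOTH:
        problems.append("world-writable")
    if file_mode & stat.S_IWGRP:
        problems.append("group-writable")
    if dir_uid != trusted_uid:
        problems.append("parent directory owned by non-root uid %d" % dir_uid)
    if (dir_mode & stat.S_IWOTH) and not (dir_mode & stat.S_ISVTX):
        problems.append("parent directory world-writable without sticky bit")
    return problems


def audit_rc_local(rootfs, rc_local="/etc/rc.local", trusted_uid=0):
    """Map every existing script referenced by rc.local inside an (extracted)
    root filesystem to its list of weaknesses; an empty list means clean."""
    def inside(p):
        return os.path.join(rootfs, p.lstrip("/"))

    with open(inside(rc_local)) as f:
        text = f.read()
    report = {}
    for p in referenced_scripts(text):
        target = inside(p)
        if not os.path.exists(target):
            continue
        st = os.stat(target)
        dst = os.stat(os.path.dirname(target))
        report[p] = weaknesses(st.st_uid, st.st_mode, dst.st_uid, dst.st_mode, trusted_uid)
    return report


def run_demo():
    """Constructed rootfs mirroring the talk's layout: rc.local runs
    /etc/serial.sh, which is writable by everyone, and a clean /usr/bin/hubd."""
    rootfs = tempfile.mkdtemp(prefix="rootfs-")
    try:
        for d in ("etc", "usr/bin"):
            os.makedirs(os.path.join(rootfs, d))
            os.chmod(os.path.join(rootfs, d), 0o755)
        files = {  # relative path -> (content, mode); all constructed
            "etc/rc.local": ("#!/bin/sh\n/etc/serial.sh &\n/usr/bin/hubd --start\nexit 0\n", 0o755),
            "etc/serial.sh": ("#!/bin/sh\nstty -F /dev/ttyS0 115200\n", 0o777),
            "usr/bin/hubd": ("#!/bin/sh\necho hubd\n", 0o755),
        }
        for rel, (content, mode) in files.items():
            full = os.path.join(rootfs, rel)
            with open(full, "w") as f:
                f.write(content)
            os.chmod(full, mode)
        # An extracted image is owned by whoever unpacked it, so treat that uid
        # as the trusted owner; on a live device keep the default of 0 (root).
        return audit_rc_local(rootfs, trusted_uid=os.getuid())
    finally:
        shutil.rmtree(rootfs)


if __name__ == "__main__":
    for path, problems in run_demo().items():
        print(path, "->", problems or "ok")
```

Run against a firmware root unpacked with the usual tools, the report points directly at the serial.sh pattern from the talk; the parent-directory checks matter too, because a root-owned 0644 script in a world-writable directory without the sticky bit can simply be replaced.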
Based on the found vulnerabilities, we can develop a final exploit. A buffer overflow can be exploited for remote code execution. To do this, ROP gadgets and shellcode development are needed. So you can run shellcode by chaining three gadgets
that control specific registers, get the address of the shellcode on the stack, and jump to the shellcode. This code is a reverse TCP connection shellcode for the MIPS architecture that allows you to execute commands from a remotely connected server. So we have developed a complete exploit
for Company A's hub product, and we will demonstrate that we can fully take control of the hub device by combining the authentication bypass with the buffer overflow. So in the first demo, we'll show you that Company A's hub device is fully compromised
by buffer overflow and authentication bypass. So the left side is the attacker side. So we have to open a listening port for the remote reverse TCP connection. And the right side is a telnet session
for checking our exploit's success. And this is the UART debugging shell, also for checking the exploit's success. And the middle is the attacker side, which executes the exploit code by setting the target IP.
The target IP is the web service of the hub device, and we can get a remote shell. For proof of concept, we create a flag file with contents "pwned", and as you can see, the flag file is created successfully,
and the content is the same, and also in the UART debugging shell. So as you can see, we can execute any commands as we want. So we compromised the hub device successfully.
So now let's look at which attack scenarios are possible with the identified vulnerabilities. First, it is the scenario that controls the Things. If an attacker gains control of a hub device, all IoT devices connected to the hub can be controlled.
Usually, hubs and devices communicate wirelessly by Z-Wave, Zigbee, and RF, but there is no authentication between them. So we can leverage these points to manipulate command packets to control devices or forge status information.
As you can see, the hub device recognizes a specific field of the packet as the control code, and based on this, it gives a certain command to the relevant devices. Also, if the main process is implemented as a Java application, you can see that the payload is also sent in a specific format.
So by delivering packets based on this format, we can control the devices as we want. So this is the second demo. This is a door open sensor. In this demo, we will show that we can forge the status information of the smart things, and it can lead to false information on the mobile application.
Because the company only service for Korean customers, so the mobile application supports only Korean, so please understand that, and we have subtitle as English. So as you can see, the application tells
the door open sensor is open. However, if we send a packet that includes close information for the sensor, then you can see that the application status information is forged, but still, the door open sensor is open.
And in the next demo, we can disconnect the smart things by sending a disconnection packet to the hub device. So yeah, as in the previous demo, we can disconnect the device.
And we can also control the smart bulbs. It's the Philips Hue Bridge and the Smart Light. If you compromise the hub device, you can analyze many command packets and send a control packet to the connected smart things. For the proof of concept, we developed a Python script,
yeah, to control the light bulb. At first, we can turn on the light. So, and also we can adjust the brightness of the light bulb, and so if you set, oh, sorry.
Sorry, if you set the brightness as middle, the brightness will be dim, and also we can turn off the light. And we can flash the light bulb also. So this means we can control the device as we want
if we compromise the hub device. Then let's look at the cases of encrypted communication between the server and the hub. Since the updated devices are communicating with servers as encrypted, as SSL or TRS, there is no useful information to be extracted in the case of man in the middle.
However, one of the devices we have analyzed uses a scheme in which the IoT hub itself generates and stores the encryption key in the device, which means that the packets can be decrypted if the hub is compromised. So we analyzed the encryption algorithm
and found that it is AES-128 in ECB mode. This is a symmetric-key cipher, so the server and the hub share the same key. Coincidentally, there was a buffer overflow vulnerability in the hub device, with which you could take over the system and extract the 16-byte encryption key.
So as you can see, the data area of the packet is encrypted. For the proof of concept, the AES-128 ECB mode algorithm was written in C code, and the corresponding message is decrypted by entering the extracted key value.
This can be used as a scenario for disconnecting a hub device by sending false information to the server. So my partner Changyeon will continue the talk. Hi, I'm back. This scenario is a little better.
Some IoT hubs use the TR-069 protocol for provisioning with the server. When the server and the IoT hub communicate, the HTTP response message is changed, exposing the hub's critical information. We will show the admin web password in the next demo.
Oh, sorry. Yeah, ready.
The TR-069 protocol authenticates via two HTTP requests with the server. After authentication, we change the HTTP response. At this point, yeah.
We change it so that, just as the server asks for information, the hub discloses the admin web password, and the string is, sorry. This is the web admin password
and we drop the packet. It's a very simple man-in-the-middle demo. These vulnerabilities may be used in a botnet because these IoT devices are connected to the internet, which means that they can be used for a botnet.
A lot of botnets have appeared since the B-line botnet case. Yes, let me take a closer look at IoT botnets in detail. First, IoT botnets are increasing. Botnets such as B-line, Hajime, and the moon continue to be found.
Last year, much IoT malware was discovered. Second, IoT attack methods include zero-days on the admin web, one-days on open source, and misconfiguration like the same password or a default password. And third, the attack purpose is evolving.
In the beginning, IoT botnets were used for DoS, but today they are used for PDoS, ransomware, and mining pools. Finally, many countries are suffering damage like in the B-line botnet case. So how about the IoT hubs we found?
We searched through Shodan. We haven't found much, but 70,000 devices have been exposed. Also, the vulnerabilities of the IoT hub can be used for a mining pool.
There are cases where Bitcoin was mined through OpenWrt firmware. Of course, you need hardware support for mining. It is just one of many scenarios. Two weeks ago, an article came out. It was mining through MikroTik devices.
According to this article, there was mining code on the web page of MikroTik devices. Like this example, mining pools can damage devices or users. Maybe the IoT hub is also possible.
The final part of our presentation is IoT security. How should we secure IoT? I think, just my opinion, there are three necessary steps to follow: device security, compliance, and detection of anomalies and threats.
The first is device security. Each device needs its own unique password. The shell, admin web, and Wi-Fi passwords must all be different, each following password rules. Debugging ports like UART and JTAG must be disabled.
For code developed in-house, secure coding is absolutely necessary. And if open source is used, it must always be updated to its latest version.
We were able to easily carry out our analysis because three out of the four corporations had not encrypted their respective firmware. With encryption, even if the hacker obtained the firmware, the file system would not easily be obtained.
Second, about compliance: IoT security guidelines made by international organizations must be followed. It is good to keep these guidelines as a reference because they explain the security of the IoT ecosystem. A good guideline to follow
is NIST IRA200 made by NIST. But we should not stop here. The guidelines are minimal, and security must constantly be maintained. Third, one must be ready,
one must be ready to deal with anomalies and threat detection. To detect anomalies and threats, one must do the following: data collection, intelligence analysis, automated response, and visualization.
So, this is the conclusion of our talk, sorry, our talk. Throughout our presentation, we found many different threats to the IoT hub, and smart home services are increasing due to technologies like voice recognition, AI, and machine learning.
Furthermore, the IoT hub is evolving into the forms of AI speakers and WordPress. This is good news for us. We have plenty of research to do in IoT security. We will find out more findings and research
about security in the future. Here are the references and special thanks to Aneztra, Singy, Bongin, and Bumum Park. Thank you for listening to our presentation.
If you have any questions, we are happy to take them. When you come to us, please, we are always open. Thank you.
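The TR-069 demo above shows a hub handing its admin web password back to whoever is playing the provisioning server. The following is an added example written for this page, not the speakers' tool: a small defender-side audit that parses a CWMP `GetParameterValuesResponse` and flags credential parameters a hub should never return in that exchange, plus the transport conditions (plain HTTP, unauthenticated server) that turn such a disclosure into the man-in-the-middle shown in the talk. The SOAP sample, the `Device.Example.*` parameter paths and the values are constructed; only the `urn:dslforum-org:cwmp-1-0` namespace is the real CWMP one.

```python
"""Audit a TR-069 (CWMP) GetParameterValuesResponse for disclosed credentials.

Added example for this page; the sample message and the Device.Example.*
parameter paths are constructed, not taken from any real hub.
"""
import re
import xml.etree.ElementTree as ET

# Real CWMP SOAP namespace used by TR-069 messages.
CWMP_NS = "urn:dslforum-org:cwmp-1-0"

# Last path component of a parameter name that marks it as a credential.
SENSITIVE_NAME = re.compile(r"(password|passphrase|presharedkey|secret|key)$", re.I)

# Constructed sample of what a hub might return after the server (or an
# on-path host posing as it) asks for parameter values.
SAMPLE_RESPONSE = """<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"
               xmlns:cwmp="urn:dslforum-org:cwmp-1-0">
  <soap:Body>
    <cwmp:GetParameterValuesResponse>
      <ParameterList>
        <ParameterValueStruct>
          <Name>Device.DeviceInfo.SoftwareVersion</Name>
          <Value>1.0.3-EXAMPLE</Value>
        </ParameterValueStruct>
        <ParameterValueStruct>
          <Name>Device.Example.WebAdmin.Password</Name>
          <Value>EXAMPLE-admin-pw</Value>
        </ParameterValueStruct>
        <ParameterValueStruct>
          <Name>Device.Example.WiFi.PreSharedKey</Name>
          <Value>EXAMPLE-wifi-psk</Value>
        </ParameterValueStruct>
      </ParameterList>
    </cwmp:GetParameterValuesResponse>
  </soap:Body>
</soap:Envelope>
"""


def parameter_values(xml_text):
    """Return [(name, value), ...] from a GetParameterValuesResponse, or [] if absent."""
    root = ET.fromstring(xml_text)
    resp = root.find(".//{%s}GetParameterValuesResponse" % CWMP_NS)
    if resp is None:
        return []
    out = []
    # ParameterValueStruct/Name/Value carry no namespace in CWMP messages.
    for pvs in resp.iter("ParameterValueStruct"):
        name = (pvs.findtext("Name") or "").strip()
        value = (pvs.findtext("Value") or "").strip()
        out.append((name, value))
    return out


def disclosed_credentials(xml_text):
    """Parameters whose name marks them as a credential and whose value is non-empty."""
    return [(n, v) for n, v in parameter_values(xml_text)
            if SENSITIVE_NAME.search(n.split(".")[-1]) and v]


def audit_response(xml_text, transport_is_tls, server_authenticated):
    """Findings a defender would raise about this hub-to-ACS exchange."""
    findings = []
    creds = disclosed_credentials(xml_text)
    if creds:
        names = ", ".join(n for n, _ in creds)
        findings.append("credential values returned to the ACS: " + names)
        if not transport_is_tls:
            findings.append("credentials sent over plain HTTP; TLS is required")
        if not server_authenticated:
            findings.append("ACS not authenticated; an on-path host can request parameters")
    return findings


if __name__ == "__main__":
    # Mirrors the demo setting: cleartext HTTP, server identity never checked.
    for finding in audit_response(SAMPLE_RESPONSE, transport_is_tls=False,
                                  server_authenticated=False):
        print("FINDING:", finding)
```

The first finding is the one to act on even when the transport is fixed: a hub should store the admin password only as a hash and refuse to return it through provisioning at all, so that a compromised or impersonated ACS gets nothing useful.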