IoT Village - Next gen IoT Botnets 3 moar ownage
Formal Metadata
Number of Parts | 335
License | CC Attribution 3.0 Unported: You are free to use, adapt and copy, distribute and transmit the work or content in adapted or unchanged form for any legal purpose as long as the work is attributed to the author in the manner specified by the author or licensor.
Identifiers | 10.5446/48867 (DOI)
Transcript: English(auto-generated)
00:00
I want to introduce a good friend of the village, Jay Balan. He works at Bitdefender, they do a lot of great research, and he's going to expand upon a series of talks he's been doing and research he's been doing about hacking massive exploits across, you know, 500,000 devices, maybe 450,000. A million devices. Okay, it seems legit, a
00:30
next-gen botnets. Sounds cool? Without any other delays that I might be doing right now, for people to be sitting down in the back and having a good time, make sure to speak very
00:42
loudly and clearly into the mic and enjoy the talk. Thank you everyone for being here. Hello everyone, thanks so much for coming to this talk. My name is Alex Balan, AKA Jay, I work for this nice company called Bitdefender, probably none of
01:05
you, most of you have heard of it. And this is the team that kind of put together this research. We've been doing IoT research since 2013, I would say, something like that. This talk is going to be focused on a specific particular
01:22
topic and that is leveraging the cloud implementations to get unauthorized access, root access, on as many devices as possible. And we've actually focused on cloud implementations, or actually bad cloud implementations, for a while now. And this
01:43
is kind of, I've prepared this small montage about what vendors talk about when they receive a report from us, because we've been sending reports on bad cloud implementations to a number of vendors and every so often we actually get replies saying, you know, that's cool stuff. Unfortunately many times we get no replies,
02:03
because that's how responsible disclosure unfortunately works. But just, you know, for laughs and giggles, this is kind of what we imagine happens on the vendor's side when we send our reports to them. And you see, the sound doesn't work. It worked. Hang on. We hacked stuff. Doo doo doo doo doo. So.
02:34
Nobody understands the cloud. This microphone, oh, again. Cloud. Nobody understands the
02:55
cloud. Yeah, well, pretty much actually that was kind of the vibe that we got from
03:05
most of the companies that we sent our reports to. Essentially, yeah, none of them, or at least most of them, don't really understand how to implement cloud for IoT. So with that in mind, I'm just gonna start, kind of move
03:21
into it. So, IoT, we kind of see it as this stack of hardware, operating system, and cloud. So, it's an analogy that I like to do. What if I told you that IoT is pretty much like a WordPress website? Now just for curiosity, show of hands, who sees
03:43
the analogy between IoT and WordPress? Cool, right? I mean, you look at this stack, you have, like, for those as old as I am, you have, like, hardware, Red Hat 6.2, and wu-ftpd, this FTP server that was known to provide root access to Red Hat
04:01
servers back in, I guess, 1998, 1999, and the likes. Then you had, like, hardware, Windows operating system, IIS 5.0. And the stack goes on, right? So, essentially, IoTs are like hardware, a BusyBox environment, mostly Linux or whatever, and
04:20
then there's an application layer, which is, in most parts, like, this web app, right? And being a web app, it's susceptible to most of the vulnerabilities specific to a web app. But here's the magic thing about this. You have, like, this huge threat landscape, huge attack surface because of that web app, right? So, like, command injection, all types of injection, like cross-site scripting, all that
04:43
stuff, right? And then you have another layer added on top of it by the manufacturer for IoT functionality, and they have, like, this whole new set of binaries stuck inside that IoT that get input from the cloud, and this is, you're gonna see what I'm getting at with this, because the cloud is gonna send input to those binaries, these new binaries, on
05:04
top, in that operating system, and you're gonna be able to do stuff, like, cool stuff with it. So, essentially, IoTs are just websites running on Linux, but with a significantly bigger attack surface due to mobile apps and cloud. If you wanna get into IoT hacking, this is gonna be, like, just a quick crash course on
05:23
stuff to look for. Obviously, look for software, there's still telnet in 2019, like, 6 million telnet servers open on the internet. Definitely the first thing that you look for is the way the mobile app communicates with the cloud. That's the golden nugget right there. If you look at the way the mobile app communicates with the
05:41
cloud, and you start impersonating the mobile app and start fuzzing those requests, you're gonna see, like, a number of very interesting things that the cloud replies back to you. As you're going to actually see later on. Fun thing, who here is familiar with the PIE flag in compilers? Right, so PIE is not used in IoT.
06:06
So, essentially, if you get a buffer overflow in a binary on an IoT, you get a shell. You get a command execution and a connect-back shell, actually, because a lot of them are behind NAT these days. So, if you get any kind of buffer overflow, any, on an IoT, in
06:21
any binary on an IoT, then you get almost a guaranteed remote command execution on that IoT. And that command is gonna be a connect-back shell to you, and there you go, boom, shell. The reason why they're not implementing PIE, so ASLR is enabled on most operating systems running on IoT, but enabling PIE, for those of you who don't know, it
06:42
stands for position independent executable. It's a flag at compile time, which enables an executable to be moved in memory at random memory addresses in order to not have a predictable memory address to get code execution. So, you can just crash it; with ASLR, you just crash it, you don't get RCE, right? But, you need to compile
07:04
your executables with the PIE flag in order to allow it to be moved to different memory addresses to be able to benefit from ASLR. Literally none of the IoTs that we've investigated had any binaries compiled with PIE. So, if you get a buffer overflow, again,
07:24
full RCE, full compromise. Arguably, good old stuff, you know, backdoor creation, reuse, and look for cloud chatter. If you want to dump the file system of an IoT, the easiest way to do it and the most popular way to do it is via serial interface, and for those of
07:42
you who didn't know, now you know, you can hijack the bootloader of an IoT much like you would hijack the bootloader of your Linux machine. So, for those of you who sometimes forget your root password, right? And you like, pause GRUB, and like, init=/bin/sh and all that stuff. Well, you can do the same thing with IoTs and,
08:05
that's kind of the string over there. Just setenv bootargs, that's the memory, blah blah blah, init=/bin/sh at the end of the bootloader. And you can just pause the bootloader via the serial interface and, bam, you get root access. And from that point
08:22
onwards, you just plant a small, let's call it a backdoor or whatever you want to call it, to be able to access the system after the next boot, and you dump the file system. Now, we come to the cool part, the first cool part of the presentation. Let's look at traditional IoT botnets. The way it used to be done and the way it's currently being
08:41
done, we're tracking a lot of them with our honeypots, is they iterate IP addresses, check if there's telnet enabled. If there's telnet enabled, then they go like brute forcing telnet and maybe they get in. Then they look for web interfaces and they look for stuff like Netgear exploits, like, you know, command injection in the web interface or stuff like that. And we see a lot of that in our IoT
09:05
honeypots, there's like, I don't know, about a few hundred IoT botnet families roaming around, Mirai is one of them, so there's probably thousands of IoT botnets right now based on the code base of different types like Mirai, Hajime,
09:24
Trivia, if you're curious what they're doing with those botnets, just out of curiosity, anybody know what they're doing with the IoT botnets? Really? Okay, that guy knows. That's right, it's DDoS. Are you familiar with the concept of stresser
09:40
services? Right, so those services that you pay to stress test your infrastructure or somebody else's infrastructure, right, and you pay, I don't know, like, $15 or $25 for a 5,000 zombie botnet to DDoS for half an hour. And,
10:02
for $25, you can take somebody else's website down. We've seen a direct correlation between the functionalities offered by the stresser services, you know, SYN flood or NTP amplified flood or DNS amplified flood and all that stuff, and the functionalities extracted from the binaries in our honeypots. So, there's a
10:23
direct correlation between the IoT botnets and the online stresser services. So, that's the old way. Now, our prediction is that this is going to be the new way. And with that in mind, let me tell you a few things about how cloud is implemented in IoT.
10:43
Because, you know, direct connection to IoTs is, like, so last Tuesday, you need, like, port forwarding and you need direct access to some port on that IoT. So, this is why many vendors implemented the cloud. To relay, you know, any commands you would want to
11:03
give that IoT or to give you access to that IoT, if it's a video camera to give you the feed of that IoT, and so on and so forth. And the way it works is that it provides more efficient management, right? Because you have, like, all these IoTs registered to a cloud and the cloud relays commands. It has a modular architecture, so
11:25
nowadays vendors integrate each component of that IoT from different types of vendors, right? And, personally, I think that's a good thing because maybe they don't know how to do their stuff, and maybe somebody else knows better than them, but that's just me.
11:41
As far as cloud goes, this is the rough implementation in most cloud platforms. So, you've seen at security conferences, we provide an IoT security, you know, an IoT cloud platform. There's like dozens of companies that provide that. Their architecture is quite similar. You provide, they generate a unique device ID, which is, like that.
12:07
It's a string, usually a 32-bit string, that's kind of non-predictable, and that's roughly the bulk of authentication that happens in IoT clouds. If you know that string, then you can interact with the device. Any commands that the application sends are
12:25
just sent, I want to talk to that device ID, and then some of them actually have decent encryption. We've seen, and thumbs up to the companies that have, unique symmetric keys between each app and their cloud and between each device
12:42
and their cloud, and that's great. And arguably this is a generic description, but it applies to 90% of all the things that we've seen so far. And that's great! Anybody see anything wrong with this implementation? Not so far. However, as it
13:05
turns out, when you look in depth, not all cloud implementations, you know, are the good ones. And actually, a thing that we've discovered is, many of these third party modules that IoT vendors integrate in their stuff are good. However, it's very
13:26
often the case that it's the way they implement the stuff that's shit. Like, so bad. So, for example, Amazon S3. Have you ever heard of bad implementations of Amazon S3?
13:50
Of course not, right? Yeah, well, MQTT is this new kid on the block that's actually kinda cool, also poorly implemented by a lot of vendors. So this is kinda what
14:00
we're going to go and talk about further on in this presentation. So a few words on Amazon S3 buckets. How many of you are familiar with how Amazon S3 works? A few. Cool, cool, cool. So you can correct me because this is me just, you know, babbling on about something, so you can correct me if I'm wrong. Thank you. In many cases, the
14:23
bulk of authentication or security that comes with Amazon S3, and I'm talking about the vast majority of implementations, is that a device generates a path for a file. So Amazon S3 is used for storage, for those of you who didn't know. So, the device generates a path for a file, and that's the file that I created, and then passes on that path to whoever is
14:44
allowed to read it. That would be the management mobile app of the, you know, IoT device. Now, in most implementations of Amazon S3, you cannot do a listing of your bucket, right? So, that's the way it's supposed to be. However, unfortunately, in
15:09
some implementations, you can. So, just out of curiosity, if you're ever doing kind of research on Amazon S3 buckets, try to go list my own bucket, or even more than that, try to
15:22
go list the root folder of that vendor. And you're gonna be surprised about what you're going to find. So we've seen a really big number of vendors allowing the equivalent of recursively listing the root folder of that company. So not that
15:44
bucket of that company. So that means all the devices, all the recordings, absolutely everything that's belonging to that company, and that's ridiculous. MQTT, essentially, you have a device that registers to a server, and it registers to
16:05
something like, you know, vendor/device ID/topic, where topic is I'm on, I'm off, I can do this, I can do that, I'm doing this, I'm doing that, and so on and so forth. Now, arguably, as I was saying earlier, one of the major security components of IoT cloud
16:22
architecture is the device ID. So the way the app communicates is that I've received that I can register to vendor/device ID/topic and I can read that information. This is MQTT, it's not that complicated. I've learned about it literally 3 weeks ago. That's when I
16:41
added, these slides were added very recently. Ideally, security countermeasures will prevent attackers from tapping into another device, but it gets worse than that. You can actually, when it's poorly implemented, you can tap into /root, much like with
17:00
the S3 bucket, you can tap into /vendor and then get swarmed by absolutely all the vendor's devices. And it can be, again, whenever somebody implements MQTT, again, I'm going to go to a hypothetical scenario here, purely hypothetical. We want to hack Irene's baby
17:25
monitor and we want to do a targeted attack, so not just hack everybody, but we want to do a targeted attack against a specific person. And what we're going to do is just register to /vendor, get swarmed with all the device IDs, and then we're going to
17:41
use the mobile app API to pull the config for each device ID, because, I don't know if you knew this, when you use a mobile app on IoT, it refreshes its config from the cloud. It sends, I'm this application for this device, for this customer, give me my config. And then it displays it in the settings section of the mobile app. So you can,
18:03
essentially, if you have the device ID, you can pull the config, like name, last name, email address, location, and so on and so forth, for each one of their customers. So when you see the email of Irene popping up, you just correlate, because you see now, that's the device ID corresponding to Irene, so you go to S3 and fetch all her recordings. And, of
18:26
course, again, for some purposes, this is a purely hypothetical scenario. So, onwards, we've related, Edimax is one of them, it's quite relevant, because you can get like RCE, and
18:42
you can get a lot of information on that, just by knowing the MAC address of the power outlet. And, essentially, you can just iterate all the MAC addresses, like 16 million of them, we can iterate them over Tor, and still get RCE and all that good stuff. And we come to our star of the day. So, as an example of some
19:03
of the things that I've mentioned before, I'm going to talk to you about this security camera called Guardzilla. I think I have a sample here somewhere, so this is
19:21
one sample. The other one is in my room, and if the demo guys are good with us, we're gonna try to hack it. So, here's how it works. There's an API at apps.guardzilla.com, and after the application authenticates, you register an account with
19:41
them, you're assigned something called a client ID by us, they call it a UID. But we're gonna call it both, but just so you know, it's a client ID. Essentially, this is a bad implementation for Guardzilla, and does anybody see anything wrong here? Ours was 408,311. Show of hands who sees something wrong here? How's, I mean, yeah. It's, the
20:12
cloud platform did a good job of providing them with, like, really long string device IDs, and they've added a layer on top of that with sequential numbers. So you go, like,
20:25
408,312, 408,313. You can go, like, a hundred, and you're still gonna get somebody's, because there's more devices per client, so they wanted to have this tree architecture where, like, client and devices per client, so, yeah.
20:41
UID cannot be changed, so if you wanted to secure yourself, tough luck. And, yeah. It's incremented by one for each account. So, essentially, there's a username and password, actually, that's being used in the communication with the cloud. However, they are hard-coded in the app, and they're the same for all
21:01
of the apps and all of the devices of all of the Guardzillas around the world. So, it's cool that they're using the username and password, but not that cool that it's the same and it's hard-coded. The POST requests are actually sent using encryption, AES-256 in CBC mode, however, the encryption key and the initialization vector are
21:23
hard-coded in the app as well. So, yeah. So, what we did, we kind of, and there's also the UID, yeah. So, we kind of replicated that, and let's see if we can do our first demo. I hope that the fonts are okay. I can make them bigger. Can
21:51
anybody see? Pretty much. Okay. So, what we're going to do now is kind of try to pull our data from the Guardzilla cloud from a server. This is my VPS in Canada. I usually
22:01
like to do a lot of remote code execution, so not local area network, just because that's cooler than local attacks. So, I'm gonna use my VPS in Canada, which obviously is disconnected. Hang on. Hello. So, BD research, Guardzilla, and we have this very
22:40
small script called cmds, which essentially emulates the mobile app, right? So, again, python cmds.py, I'm gonna, like, get UID from 408311. Okay. So,
23:09
and actually, just for beautification, just because I already know what the output is going to look like, I'm gonna prettify it just a little bit. HTTP grep dash
23:20
v equal, and it's a JSON, so jq it, and there we go. So, it's really not that complicated, it's literally emulating the mobile app, and I can do that for, obviously, 312, I can do that for 313, and it's up to about 500,000 and something right now, and
23:43
each one of those people has more than one camera associated with them. So, this is why, you know, Sam was talking earlier about millions and millions, well, actually, that's not very far fetched, because if there's like 500,000 users with at least one camera each, you have 500,000 cameras. But more of them,
24:01
many of them have like two or three cameras, right? So, the information that you get is like the device IDs associated with that camera, so, this one, and then you get the password set for each. Now, mind you, you may want to change that password, but tough luck, because I'm going to see it anyway, by making this
24:22
query, right? Because you can change the device password, but it's not gonna matter. So, there's a number of functions available in that API, one of them is
24:44
now, but it's just for your information, you can alter the user information like password, or email address, and you don't need to use a valid email address to do that. Another one is send invite, and this is a really cool one, it's an API function of
25:02
Guardzilla, that allows you to send an invite for somebody to view your camera. The problem is that, when you do that, there's no notification for the owner of the camera. So, all you gotta do is just call the API, send an invite to yourself, and the owner will have absolutely no idea that you've done that. And, we're gonna try to do that now.
25:24
We have the Guardzilla app running on my phone, call, and doo doo doo doo doo. So, I'm
25:45
inviting that device ID from that client ID, you see? So, device ID, client ID, and my email address. And now, oh, look, I have an invite! How cool! So, I'm gonna accept the
26:12
invite, and, yeah, yeah, that's my room, and this is the camera live right
26:33
now. So, see, the seconds are rolling. So, this is the camera in my hotel room right
26:43
now, just for your information. Which is kinda cool. Just for fun and games, we kinda developed a new, not so orthodox way of, you know, getting into the streams. Assuming that I'm doing this right, hang on, hang on. One would argue that I was
27:08
supposed to boot this way earlier, so I'm gonna get back to it after this starts, it finishes booting. So, cancel. So, moving on. Again, the owner of the camera is completely unaware that somebody has been
27:30
invited, not at the moment of the invite, and not after that. So, you can send invites to everybody, you know, have a, what do they call it on Facebook, live, watch, invite
27:40
your friends, stuff like that, yeah. This is what the email looks like, but you don't really need that, and yeah, just for the hell of it, we coded this in the start. Sorry. You see, I have this bad habit of insisting
28:12
that I do live demos, and, you know, what's life without a little adventure? Live
28:20
demos tend to break or you miss something. Anyway, until my colleague boots, I promise you next generation botnets, right? So, we dumped the firmware, we got the binaries, and we ran them through IDA, and, you know, it wasn't very fast until
28:40
we found the buffer overflow in their cloud agent, which is actually a .exe file. So, they have this Kalay platform, again, much like many other cloud platforms, and there's a combination of P2P and relay servers, and there's main 514exe that handles the service's device side. And upon inspection, we found that a function was vulnerable to an
29:06
out-of-bounds write. It's the TK set device model RQ handle. And a specifically crafted buffer, yeah, could send, so, this is the code, uh, and we have in the lower right hand corner, we have those, um, two V29 and V28 and V29, all we have to do is just send
29:26
a, uh, a buffer that's large enough to overflow them, get past them, and then we get, we have, like, system right after that. And we can call system, and we have a command
29:42
execution. Uh, which hopefully we're going to be able to demonstrate. Um, so let's see. So, again, fully remote, we have this, uh, netcat listening, and we're going to try to get a root shell in my room. And hopefully, so, uh, this is the almighty exploit, am I
30:24
sending it what I'm supposed to send it? 221. Oh well. Shit, thank you man. Hahaha.
30:44
Yeah, actually that was exactly the problem. So, um, 222. And you know I should've
31:02
run that in tmux or screen. Um, yeah, unfortunately the device tends to crash when you
31:23
do the buffer overflow, but hopefully not this time. Yeah. Well, we have movies, as always. So, uh, stuff, demos. So, the movie shows we get a UID, we get a device ID,
32:06
and then we just, and we get a shell. I'm sorry that my shell crashed, but, uh, yeah.
32:23
Happens to the best of us. Yeah, and fun, fun story, probably I'm not going to be able to get a video stream either because the device is kind of down. But long story short, uh, you can get a shell, a very predictable shell, works every time, root access, full root access on all these devices. And there's another vulnerability, uh, that we
32:44
found. Uh, a command injection vulnerability which is significantly easier to exploit. Um, essentially the, the camera supports something called remote upgrade. Again, everything relayed through the cloud. And the function takes two parameters, the
33:04
firmware version and the download location. Now, the thing is, if you send a bogus download location, it just has to be up so it can initiate a TCP connection to it, it doesn't have to be valid. It's going to pass the rest of the output to tar. So,
33:23
essentially it's going to do an initial connection to the update location and it's going to pass the, what you call it as the file name to tar. And then that's going to get you a, uh, command injection, a very easy command injection actually. Because tar is going to execute your input and then semicolon and then whatever command that you
33:42
want and you're going to like connect back shell to you. And it can actually, on these devices, you can do netcat. They have netcat installed. So you can netcat minus e, /bin/sh to your, to your machine. As a bonus, uh, and funny story about responsible disclosure, we were stuck with these guys for about four or five
34:01
months. They wouldn't answer our emails. So, um, we kind of didn't publish anything because we are like ethical. Um, or our legal department is very ethical. And, um, then somebody published on reddit, uh, the AWS bucket vulnerability that they found. So,
34:20
they're like, Guardzilla AWS bucket vulnerability, zero day in Guardzilla. And at that point we were kind of forced to publish our stuff and, you know, we're like, okay, and we have all these other things as well. So we got, uh, we got a call from, from them saying that, uh, they're going to patch their stuff, uh, and they, they didn't. Yeah. They
34:43
just patched the AWS thing. They closed the bucket. But it's, it's kind of, it's kind of messed up for them and I understand where they're coming from. The whole user ID thing is an architecture thing and they already have devices in the market. It's kind of hard to change. Uh, the buffer overflows, they could patch, but I'm going to bet
35:02
that they have like this shitty update process, unfortunately. So, yeah, it kind of sucks. And then a colleague of mine tells me that, you know, his mother in Puerto Rico has like three of these at home. So, uh, yeah. Now, um, I don't know how we are in, as
35:22
takeaways. Yeah. So IoT is obviously a huge attack surface. I know people ask me, how do, I don't know if, if, um, what's a good or a bad IoT? What should I buy? And I always tell them, you know, there's a few things that you can look out for. One of them is actually the update process. You know, inherently everything is vulnerable, right?
35:41
We're seeing advisories on a weekly basis and all the big stuff, right? Including Google, including us, you know, we, we get like reports about vulnerabilities in our stuff, not on a weekly basis, but you know, it's very important to look at the way people patch their stuff, how they update, if that update is unattended, if there's any chance that somebody didn't update when the update was available. So that's kind of one of the
36:03
first things to look out for. Uh, the, the second I would say would be the, uh, the magnitude of the company or how, uh, how impacted would they be if a vulnerability was found? Let us not forget, and I hope nobody's going to be upset with me saying this, that the system is broken. It's still broken right now in terms of legal stuff. As
36:27
a researcher, there's still a challenge in going outside. Remember that hypothetical scenario? It's a hypothetical because you cannot go outside of your own space to check up, you know, to see if you can go outside of your S3 bucket or see if you can get
36:41
outside of your MQTT topic from a legal standpoint. And at the same time, the system is fundamentally broken because D-Link won, won the lawsuit against FTC. So for those of you who don't know, FTC sued D-Link in February 2015 for Mirai. And everybody was like, okay, good, you know, people should be accountable for their mess, you know,
37:04
their, their screw ups. But, uh, they lost. In October 2015, FTC lost the lawsuit against D-Link and it was so obviously there. Telnet enabled with 1, 2, 3, 4 on millions of devices. I mean, anyway, um, the cloud implementation in many IoTs is broken. It's
37:23
like fundamentally broken. They, they're negligent if not more than negligent. They're like, do you remember? Do you know the cloud? Fuck! Nobody understands the cloud. So
37:40
many, so many companies don't really understand how to do cloud implementations for their stuff, right? And, uh, yeah, look into that. Um, so vendors need to pentest their products. These guys told me, so, the, the, the director of product management called me on my cell phone. I was like in Singapore doing some, some other event and asked me, why didn't you call us? Well, we tried. Okay. Then I
38:03
asked him, why didn't you pentest your stuff before putting it in the market? And he said, but we did. No. No, we really did. We, how much did you pay? Seriously. Because seeing that there's a photo with 311 client ID takes 5 minutes with Burp. I
38:22
mean, how much did you pay that company to do your security audit before pushing your stuff into the market? Dude, we paid a lot of money. Get, uh, out of here, you know? I mean, so yeah, uh, obviously bug bounty programs, um, have very good update mechanisms and again, it's trivial to find RCEs in IoTs. Another more, more or
38:47
less honorable mention and this is a call for me to you guys. How many of you are part of a big company and how many of you are independent researchers? So, big company. I
39:05
mean, so you see, uh, because so far we've been able to publish only a fraction of our research trust and we have like this big space with all the things that we've researched and it's insane. Unfortunately I cannot talk about it, you know? And, uh,
39:23
yeah. So, um, because it's easier from a legal standpoint, if we publish something for companies to go after us and the legal team is like, you know, maybe you shouldn't do that. Yeah, I mean, we already have a lot of stuff to do and yeah, maybe, maybe it would be
39:41
best if you just stay on the safe side. You already published some papers, you know? Yeah, you talked at a few conferences. What do you want? And I'm like, we need people to know about this stuff and patch it and fix it because that's why we do what we do. Yeah, but really? So, um, if you're an independent researcher, if you have
40:03
the capability, um, we need more. Um, we need more research on mass hacking IoTs. It's so easy and we need more of this stuff published. So, if you want to get into that and if you want help from us, yeah, we can definitely help. We will be more than happy to help. I mean, I'm not in Silicon Valley saying that I want to make the world a better
40:22
place, but, uh, I mean, there's so many stuff that's not published and it's so dangerous. I mean, the hypothetical scenario of viewing all the recordings of all the people of all those cameras from the beginning of times up until today, it's still, it may be still happening. And, you know, there's a challenge for some, some,
40:43
somebody like me to talk about it. So, uh, with that in mind, I thank you for your time and for your patience. I hope it was enjoyable and, uh, yeah.