IoT Village - Hacking smart-devices for fun and profit
Formal Metadata
Number of Parts | 374
License | CC Attribution 3.0 Unported: You are free to use, adapt and copy, distribute and transmit the work or content in adapted or unchanged form for any legal purpose as long as the work is attributed to the author in the manner specified by the author or licensor.
Identifiers | 10.5446/50719 (DOI)
Transcript: English (auto-generated)
00:00
I really, really appreciate and am grateful for being here. So thank you a lot to DEFCON, to the DEFCON IoT Village, SentinelOne, and everyone that supported me along the way. We'll speak about it also soon. Let's start with the title. So, hacking smart devices for fun and profit. This is a true and genuine story about me going from exploiting my smart home
00:22
into gaining control of thousands of smart devices in the entire world. So let's start. So first, about me: my name is Barak Sternberg. I'm also "live beef" on Twitter, so make sure to follow. I'm a security researcher and also an author at SentinelOne Labs.
00:40
I have a master's in computer science and algorithms. And one of my favorite things I have to mention is that I'm also a party lover and a DJ. So make sure you follow my Mixcloud to see my sets and stuff. But besides following our parties, which is not so relevant in the Corona period,
01:00
I love to focus on vulnerability research. I love computer security and I'm enthusiastic about network security, IoT, embedded devices, Linux, web apps, and more and more. And also analyzing malware in the wild. I'm a CTF player and I love a good game of hacking any kind of device.
01:22
So with this in mind, let's start. So this project goes quite a way back. And when I say way back, I mean really back, 2010. What happened in 2010? So first, we were renovating our family home. We were fixing up this whole home.
01:42
The second most important thing was that the Walking Dead's first season had just come out. The first season; just to keep in mind, today it's the 10th season already, I think, of the Walking Dead, and it keeps counting. Amazing series, a must-watch one. And well, we installed smart home devices,
02:03
which were the Philips Dynalite. And the Philips Dynalite has software and apps, but they were really, really expensive. Back then they were really expensive extras and we didn't buy them; the technician just came, installed the software and apps for himself to configure all of our devices,
02:21
all of our smart home systems. And from there on, we didn't have anything to control it. So you can say it's a smart home device, but not quite really. And so we didn't have any remote app control. And usually in these scenarios, we can think about ourselves as, well,
02:43
our own technicians that can do it by ourselves, right? So why not do it ourselves? So these scary diagrams are not that scary. What you see here is actually the Philips Dynalite controllers that control my smart home devices in my parents' home.
03:04
These actually have been the controllers themselves. So as you can see here, this one is the full electrical diagram, downloaded freely from the Philips site. And the interesting thing you can observe here is that, well, each controller controls something, controls specific lights maybe,
03:21
has specific abilities and attributes. So this electrical diagram has on this side the channels, which are directly connected usually to the relays, to the dimmers, to the buttons, to anything. For example, this channel, channel one,
03:41
outputs electricity to your lights, your light bulb, or maybe to a window, or maybe to a large light system or anything else. So this is on this side, and these are the relays, the switch-on-and-off stuff. And then on the other side, they are connected, as you can see here, to the microprocessor; this is the microprocessor. And this microprocessor is very cool
04:03
because it's the thing that connects between the electrical circuits here and the serial, which is here. So on its other end, there is a serial output, which you can obviously understand might be the controlling area. So when I connect to these devices to configure them,
04:21
I usually use this serial interface, and this uses something that's called the Dynet protocol of the Philips Dynalite systems. And it's really cool. It's connected by RS-485, which is really, it's not that unique in the sense that many industrial systems
04:41
are actually using this type of serial, compared to the usual serial, RS-232. And also what you can understand is that this serial is connected to this building block, which is, what is that? So this is, I actually bought an IP serial adapter,
05:02
and this is a cool serial adapter that is used to connect between the serial and the IP. And I am sitting here gently and trying to wait for something to happen, right? Sending commands, maybe seeing something, I don't know. So what happened next is that I tried to send calls
05:23
to these controllers. I'm sending calls to these controllers and nothing happened, nothing. I used this wonderful GitHub repo, which is not complete. It has some API documentation of Dynet, but it's not exactly the Dynet I needed. It's really weird.
05:40
And also the packets. So I could observe the type of the packets, the type of packets that are sent to Dynet. The packets usually are in the structure of a sync number, an area code, a command type, and some extra data to navigate
06:01
between the different possibilities. For example, I want the light to be at 100% or 50% light. So I can put this stuff in the extra data area, which is right here. So this is a packet that is sent
06:23
over a serial connection, as we have seen before, and this is really cool. So I start sending packets, nothing happens. And I remember me and my father sitting in the salon like, hmm, why not send all the packets? And when I say all the packets, let's just fuzz the system, right?
06:42
What could happen, right? Sending all outputs to the controllers could be an amazing thing to do, no? Really all, like the hex range, 256. And it wasn't a surprise that, yeah,
07:00
maybe you laugh right now, but it's actually a real thing. It's a house that people live in that went crazy. So we sent all of these commands and all of a sudden, I remember myself sitting in the kitchen and all the lights are flipping crazy, windows turning on and off at the same time. And we don't know what is happening. And well, try to remember which command you're sending in
07:22
this fuzzing loop that tries to fuzz all these commands. So I did try to fix it, my responsibility, of course. And I tried to fix it and I tried to reverse these commands, and some of them have been fixed, but remember these commands are not just for turning the lights on and off,
07:41
they also control the configuration, the main configuration of the lights and the buttons and everything you can think about. So this is insane. And well, I tried to fix it. Yeah, and all of a sudden at 6 a.m., I got this message from my mom telling me that,
08:04
well, I hope you guys had fun the other day, because I woke up at 6 a.m. because all the lights were turning on at the same time. At this point, we came to a small conclusion. Well, the first one is that Barak is not touching the smart home devices again.
08:21
We'll see about that later. But the second one is that, well, we need to install new smart home devices, because until we do that, we don't actually have lights and power and electricity for some things. So yeah, okay, new smart home devices. And I was excited because for me, it's another research to do. They didn't know that yet, but for me, it's a whole other research project.
08:43
Okay, so let's continue. So the new smart home devices are the HDL Automation devices. And by HDL Automation devices, I actually mean a company which is called HDL Automation. And this company is a big company, an amazing one. Actually, I must say thank you to them
09:03
because they helped me a lot through the disclosure and working with them. And they really consider security highly in these matters, and respect. And also they have more than 10,000 projects around the globe: museums, buildings, hotels, headquarters of some high-priority companies
09:23
and stuff like that using their systems. Even airports, if I didn't say that. So it's really, really interesting to investigate these controllers, right? And they have smart controllers for lights, windows, cameras, sensors, anything, anything you didn't even think about. Cool.
09:41
So we learned about HDL Automation and we've installed in our new family home, in our family home, the HDL smart home devices. Let's now see how the HDL smart home works. Sorry, so the HDL smart home system has three basic components. And the first component is the HDL dimmer and relay modules.
10:04
These are the modules which you can observe just right here. These modules have, on the one side, going outside, the serial, exactly kind of the same serial you've seen in the Philips Dynalite systems, with RS-485 connections,
10:22
which they call Buspro, of course, because for example, this Buspro is the complete analogy of Dynet. So this is like the protocol on the upper side of the serial connection. Cool, and this is connected to the IP gateway. This IP gateway is actually kind of the same
10:43
as the IP gateway I built to adapt between the serial and the IP connection, from the serial to the internet, the entire world. So this is, they have their own smart devices, they have their own unique IP adapter as well. Philips also has it, but it was really, really expensive. This is why I didn't buy it the second time either.
11:02
But in our scenario, my parents thought, okay, it's a good idea. Let's buy all the things. So Barak doesn't even have an idea to start jiggling with these kinds of things. Oh boy, they were wrong. And this IP gateway is serial to IP.
11:21
And the third bullet was the HDL cloud service. The HDL cloud servers are actually used mainly for remote connections, but not just remote connections. They are used to store the configuration for the smart home devices. They are used to connect remotely to them, because you have routers, you have firewalls. So these IP gateways are connected
11:41
to these HDL cloud servers. And then when you are online on the internet you can connect to their HDL cloud servers with a public IP and public IP interface. So you can reach your devices as well. And now a little bit deeper about how they install it.
12:01
So first-time installation is quite easy and it works like this. You install the HDL Buspro software as a technician. So for example, I am a technician, I'm coming to your home, I'm installing the HDL Buspro software on my desktop machine. And I connect directly with my PC, my technician PC, to this IP gateway.
12:22
It's very cool. And when I'm connected to this IP gateway with my HDL Buspro, I start to configure all these devices, because remember these devices are connected serially to this IP gateway. So I connect to this IP gateway and configure all of these. And I, that's what they say.
12:40
I then configure the Buspro adapter and I have a configuration. Now that I have a configuration, I can use this data, this configuration data, to upload it, for example, to the cloud and save it also on my Android app and in other apps as well. So what I do next is register a new account in the HDL ON application.
13:00
This is another application of HDL Automation and it's used to control remotely, and also locally within the wifi, these smart home devices. And when, as a technician, I register this new account, I also upload the local configuration to the app itself. So now we remember I have a phone in my hand, I registered a new account in this application
13:21
and I upload the configuration from this IP gateway, or from my laptop, from the Buspro desktop software, to this phone. I upload the configuration to my phone and now the configuration to control everything in my smart home devices is inside my phone. So from my phone, I can also connect to the internet and this is exactly how I back up
13:41
my configuration in the cloud. So after I have the configuration in my phone I upload it also to the cloud and now it's also kept here. Cool, so what happens when a new user comes in and joins our game and wants to also enter these devices and control them?
14:01
So what happens next is that the first time, he downloads the HDL ON app. Why is that? Because you need to log into the HDL account that has been opened for him, directly, in order to control all these dimmers and other devices. So he downloads this HDL ON app and logs into the HDL account that has been opened by the technician,
14:21
and what he does next, you can actually bet on that: well, yes, he downloads the configuration from the cloud, and when he downloads the configuration from the cloud, he has all the configuration to fully control these devices over here
14:41
within the wifi or from remote. So I'm a bit cheating here, because there are two possibilities to operate these devices, and we'll talk about it in the next slide, which is the remote and the local mode. So we can operate this HDL system in remote and local connection,
15:01
and the difference between them is that the local connection is accessible from wifi, usually only from wifi and local networks, and the remote is accessible from the wide internet and from anywhere in the world. And usually it makes real sense that we want to have a remote control connection to it,
15:22
because, well, we want to be able to, for example, I have an air conditioner and I want to control this air conditioner before I get home, because it's really, really hot today and it's summer. So I would love it to be operated before I get back home, right? And this is a really cool thing, and at first-time installation,
15:42
the technician actually chooses whether to enable and allow remote connections or not. And usually, many times, because of the reasons I mentioned, the remote connection is enabled. And this is really interesting. Remember that in any scenario,
16:02
we are using the HDL cloud service, because in the first scenario of the wifi local connection, we still back up our configuration for new users to come, and in the remote connection mode, of course we use these cloud servers to connect back to us. So the third point, the third bullet, is always used.
16:22
The HDL cloud servers are amazing, super interesting. Yeah, Internet of Things. Now let's add wifi to all the things and let's see what happens. Cool, so the focus of my research. Yes, we can research one and two, but first, my family will kill me again
16:41
if I destroy all the smart home devices using the connection to the one and two bullets. And the second reason, and the most relevant one, because I love my family, but it's not that exciting and relevant: the most relevant is the hardware. The hardware and the software
17:00
can be really device dependent. And it's going to take a lot of time to investigate and research any specific device, because each device has its own capabilities on serial connection, on things. And to reach the point where you can really research and find vulnerabilities takes much more time, much more time than other things which are publicly known,
17:21
like cloud servers or websites. So of course I thought that the HDL cloud servers, which are a critical bottleneck in these connections, are really, really interesting and a great idea to investigate. And also when you think about a CISO view, or a view of some people that work
17:42
for the network security and the integrity of the network, you might think that what you need to defend from might be, might be not always, is from the outside, from arbitrary outsiders, and from the inside from specific devices. But in this scenario, this cloud server might be okay,
18:03
might be whitelisted, fully whitelisted, because this cloud server is just connecting to these devices, just connecting to your devices, to your certified devices you put in your systems. But you need to understand, even as someone that works in security,
18:20
that the bottleneck can also be outside the organization. And also in the third bullet, in servers that you don't even have the code for, and you don't even know what they're actually doing. So this is really interesting in the point of focus as well. But we speak about focus a lot. Let's now speak about the cloud server. So a starting point for this is the HDL ON app,
18:43
how the HDL ON app works. So first is the login screen. Yeah, nice login screen. You can see a simple login here, and a sign-up button also, and the forgot-password mechanism, which is really cool. And also interesting, forgot password: it actually works the same as you'd think, it sends you a reset link to your email
19:04
and you can click on this link and immediately go to this link. But the URL, the URL in the forgot password was really, really interesting. And we'll speak about it later. Sign up: sign up includes, you can enter either a phone or an email,
19:22
and you can also add the password. Well, you should add the password, and then you have your login enabled. And after that, you can upload from the app the configuration you have; you remember this IP gateway where I configured all this stuff.
19:41
So I can upload the configuration from this IP adapter to my phone, and from there on, I can upload this to the cloud, and I can also download cloud configurations using this app to configure my system, my application, to control these devices in my wifi network and stuff.
20:01
So this is the signup. Well, enough chit-chat, let's talk about vulnerabilities. So the first vulnerability, really cool: account takeover number one, or let's forget our password together. So let's forget our password. I click on the forgot password and I got this following link. Well, this seems like something nice and naive
20:24
that isn't going to affect anyone, right? Well, the main thing you can see here and observe, I'll make sure you understand that. Well, there are a couple of parameters, really, really interesting. The first one is the time. Time seems like just the time in some format,
20:42
an email, which is actually my email, the email that I want to reset the password for now. And this parameter and these kinds of parameters as well. And this is really, really interesting, because you can think that maybe something random
21:01
should be placed there, right? Something random so that I couldn't fake this kind of link. You could also think that if I change this email to any arbitrary email, it won't work, right? It will be verified in some manner and they won't let me change the password for any arbitrary user. Come on.
21:21
Well, they did. They actually did let me change any user's password by its email, for any user. And the way to exploit it, for example, if I'm thinking hacker-wise, is to do forgot password for my email account, get this link, okay?
21:42
And change only the email, the email area, to the victim's email. And from there on, I get full authorization to change its password. This link lets me change the password of this user. I can fully change his password, really cool. And it works, perfect. So let's do it again.
22:02
So account takeover number two, or maybe let's forget our password again. And how can we do it? So let's forget now about the users; I already showed you about the users and the forgetting the passwords again. And now let's focus on another thing
22:21
that's called the technician user. The technician user is the user that is automatically generated when the user registers with its email. So when the user first registers with an email, for example, a technician installs the system and registers your HDL account, what he's doing is actually also automatically opening up
22:42
a technician user with the same password as the username, as the original user. For example, I register with this email at mymail.com. It automatically also opens a technician user at email-debug at mymail.com. And this is really interesting now, because the technician user is able to change settings
23:03
and control all system configuration of the smart home devices as well. And this can be really bad, right? If we can hack this technician user, we can also change the cloud configuration. We can also do many, many more things. At this point, I usually ask the crowd
23:22
if they know how to hack the system. I guess some of you actually understand where I'm going, and it's actually really working. So the exploit, to take over any technician user, what you need to do is to find the victim email, let's say victim at mymail.com, and open a new email at this mymail.com service
23:43
at victim-debug at mymail.com. So I opened this new email account and I have it. And yes, what I will do next is just forget my password. I click on forgot password for this victim-debug at mymail.com. And when I do reset password for this account,
24:02
they will send to me, to my email, the link to reset the password. So I actually can change the victim-debug at mymail.com password. So I actually can get access to all the technician features.
24:22
I can access the technician user. Just to conclude, and to make sure everyone is with me, what I'm doing is I'm opening another account for the technician email at victim-debug at mymail.com. And I call the reset password for this email.
24:40
And this is really cool and it's working. And the reason it's working is because they don't verify that this email is not there, is not a valid email, and they shouldn't send a forgot password to this email, to these technician users at all,
25:01
or even find another way to put users for the technician which is not relevant with this "-debug". Yes, it really worked and it allowed me to take over any account of, well, technician accounts. Very cool. It works for some email providers, not all of them.
25:20
I feel, in the sense that some of them replace the dash with another one. So it can probably be bypassed even in mails that don't allow a dash in their username, but I need to think about it even more. Cool. So now we spoke about the pre-authentication vulnerabilities. Let's see what is happening in post-authentication. So let's get our devices
25:40
and start investigating several API endpoints. And I actually encountered many API endpoints which are open. And one of them was the device-by-region list. And the device-by-region list is a very interesting API endpoint. It comes right after the login; you log in and you have a device list,
26:00
and you can actually search this device list by the region name, by the region ID, by device ID, by anything you want. So it's really cool. And how you do it: you go to the device section, and the parameters to control are the region ID, device ID, device name. So all of these guys are fully controllable
26:22
and very, very interesting. So the first try I did was sending this. This was in the POST data body of the message I've been sending. And this data contained the parameters
26:41
that need to be searched for. And as you can observe quite well, there is like the SQL injection I tried to put in. And well, yes, it did return to me all the devices in the system. But remember, to find out if there is an SQL injection in the site or not, it's not enough just to test for this kind of screen
27:01
and to see that I get all the data. I need to do a little bit more than that, and to see that it actually does an SQL statement I fully control, black-box wise. Cool. So the second try was something like this, and it actually worked again and I got all the devices.
27:21
And also I tried to make an invalid SQL statement. And what I got is that I get a response, an error response, specifically on invalid SQL statements. So yes, I have an SQL injection, very, very cool. I get all the data, all the data, not in the DB, all the data I have on my devices.
27:42
So there is some way to gain control and to get all the data of the HDL database. So why not extract more data, right? Well, problems. Some of the problems are the returned columns, and specifically the ASP parser.
28:02
So the server, as far as I told you, it's the HDL cloud servers. They have an ASP server inside of them, a Windows server. And this ASP parser checks the validity of the returned columns. So for example, if I do a UNION SQL injection, I need to verify and validate that all my returned data
28:20
is correct in the manner of the ASP parser. And if it's not, I wouldn't be able to pass and get my data. I just get an error, an error response, nothing happens. And well, yes, you might think to yourself, well, just do blind SQL injection, right? That's like time-based SQL injection, something like that. But it's not that easy, because I am bounded
28:43
in this scenario by not sending so much data. Well, the first thing is that I didn't want to alert the system. I didn't want to bomb the system. I didn't want to stress the system or do anything like that, in a sense.
29:00
And well, the second thing is that even if I do it, it can take a lot of time because I have more than 11 columns returning from the SQL injection, from this SQL query, not the injection, from the SQL query, more than 11 columns, which means almost 4 million queries
29:22
will be required to inspect all the relevant types and values. Because remember, the ASP parser also checks for validity, even of the ranges of some of the values returned. Yes, and also it's worth mentioning that, well, I didn't use a VPN
29:41
and it's a really good reason not to fiddle with the site and try to brute force arbitrary sites. So yeah, not a good idea. Don't try it at all. And so this is the blind SQL injection idea. As I told you, even time-based or pass/error yes-or-no will take a lot of time.
30:01
Cool, but let's forget about this SQL injection. Let's think about another way to bypass the ASP parser. You all must agree with me that if I find another SQL injection that returns much, much fewer columns, I could go over all the possibilities
30:21
with this UNION SQL injection or something like that, and find out the relevant order to make it work and to return all the data and bypass the ASP parser. So this is exactly what I was going for. So to bypass the ASP parser, I went to the, you remember the device name. This is the original parameter for the SQL injection.
30:42
I tried to find this device name, the exact name, the exact argument, in other APIs, other API endpoints. And I actually did find it. I found it in the get room binding device. There is the device name parameter. There is an SQL injection there. You go to the room section, you search by the device binding name and voila, you have an SQL injection.
31:03
Very cool. SQL injection in the same argument. And the most amazing thing here is that only four columns are being returned. Only four columns, that's all. And it's really amazing. So we can do the permutation over all these options
31:22
with the possibility to do all of it in a really, really short number of queries. So permuting over the column order and trying to find the correct one, I was doing it like this. So here you can see the UNION SQL injection,
31:40
and here you can see and observe the parameters I've put in. And I just scrambled and printed this one each time and tried to see if it works. And I also increased the number of columns because I didn't really know the number of columns, but I knew it was around four. I said only four. It was really around four because I had seen
32:01
that the number of columns was four in the data, but it could be maybe one more for the ID or the key saved in the SQL. But it was eventually four, so it isn't really interesting. And I found that this is working. And to conclude all of this, it was quite amazing to see that
32:20
I'm getting the whole database with one single query, one single SQL injection to rule them all, bypassing the ASP parser, and getting the whole database, all the things as well. Cool. So at this point, of course, I reached out to the HDL Automation company.
32:42
I did a fully coordinated disclosure with them, worked with them silently and helped them a lot. And they also helped me. They were really enthusiastic about helping and securing the system. So it was great for them. But let's now speak about how we can hack into any arbitrary HDL user.
33:01
For example, you have your own, I don't know, HDL account in your smart home in Dubai, or you have your own smart home in some airport, because there are airports and museums on HDL. So you can actually find a scenario of how you can fully control any HDL account.
33:24
What we found, the vulnerabilities we have, are two SQL injections and two account takeovers. And there are two scenarios to gain full takeover of any user. The first scenario: you, the attacker, know the victim's user email. You know the victim's email,
33:41
and you just get from the database the hashed, salted password, and you now brute force this password. And when you brute force this password, you can get, after some time, the password, of course. And the second option is to do one of the takeovers I've mentioned. Actually, the second one, the technician one,
34:02
is much more silent, because when you do account takeover of the technician account, usually the normal accounts are used by the normal people, all the people that use the system, normal people in the sense of using the system, they use the normal accounts.
34:20
And they don't use the technician account, only for configuration and when something goes wrong. So you can connect and take over only the technician account, and it will work silently and no one will know. The second scenario is where you can control any arbitrary HDL user without an email.
34:42
And now we can do it. For example, you know the company name, you know the phone number of the victim, you know its full name, in a sense, or something like that. So you can scrape through the HDL database and find its account, find its email, and then go back to the first scenario and hack this user by any of these possibilities.
35:06
Okay, really, really cool. So we can hack any HDL user in the entire world. Let's now go through the security implications to conclude what I've been talking about. So let's start with the easygoing security implications, so as not to frighten all the people so much.
35:21
So the first security implications are the private data leaks, of course: hashed passwords, emails, phone numbers, company names, names in general, a tremendous amount of data. And also the HDL cloud backup configuration is there, which gives us the following,
35:41
the full smart device info. And the full smart device info is amazing. What you see here, what you can observe here, is exactly from the app. And you can see that this app can control cameras, TVs, security sensors in other manners, and air conditioners, in the server rooms as well.
36:03
Internal network IPs can be exposed using the system as well, firmware versions; internal network IPs because they are written inside of the configuration, some of them. And you can actually use some of them to observe and see where the HDL devices are, the IPs, and some of them, kind of, in that sense.
36:22
And very cool. And also the remote control. So you actually have, again, of course, remote control over these things, and you can adjust, well, as I said before, the air conditioner in the server room, you can make it up to 50 Celsius. I don't think they actually support it, but 35, something like that, for a week
36:43
would probably destroy the server room, I guess. And also watching their IP cameras. And so it can be really, really bad. Disable some sensors. Now, I'm sorry for that in advance. These are kind of pure evil, pure evil ideas,
37:00
but we need to discuss them because we need to understand and realize the security implications: even if I don't have a full RCE over any kind of device, there are tremendous, high-impact and costly impacts on the organizations as well that can be done. And the first one is, well,
37:21
you can hack internal non-exposed IPs. Sometimes they are hiding the gateways that control other systems. For example, hidden security areas, hidden secure rooms and stuff like that. You can actually expose them because there is an auto search functionality in the app. Another thing you can do is you can encrypt all the configurations,
37:42
remove all the configuration from the HDL app. And some people can do kind of a ransomware and blackmail the companies. And until they do it, you won't give them back their possibility to control their system, to control the lights, to control their power, their ACs.
38:01
This can really shut down a company, in the logistics, in the industry sense. In the logistics sense a lot. Another thing is to use the air conditioning to affect critical locations. And also something I really love, which is called a hidden trigger attack. What is a hidden trigger attack?
38:21
So let's, for example, say that we are not on the Wi-Fi. We are not on a local connection, okay? You are smart guys. You block all the remote connections. You keep only the local connections. But remember, the configuration is still on the HDL cloud service. So when the user updates, and they will update their configuration sometimes,
38:42
you can actually connect the button, for example, to switch on the lights, to a button that also switches and adjusts the air conditioner to 35 degrees, 35 degrees. So you can connect two buttons, for example, to the same button.
39:00
So the user just turns on the light, but they actually did a lot of other stuff as well: disabled sensors and did a lot of other things. And for this attack, you don't even need the remote mode connection. Even in local mode, it can really affect the users in the organization because the configuration is still on the HDL cloud backup database.
39:21
The HDL cloud servers really affect the organization as a bottleneck. Also, another thing you can do: you can disable and control other critical sensors. Of course, you can disable security cameras. You can disable sensors for overheating, security alerts, and also, you name it.
39:41
Well, this is another idea. This is not a direct security issue, but this is another idea I had in mind, which is exploiting the internal network. For example, I can change a cloud configuration file to a malicious one, maybe something that does something on the device. Maybe I can exploit the device when they update the configuration file on the device.
40:02
It can be really interesting. It can be an idea for further research and stuff like that. So this is really cool. And it increases the attack surface to the internal network and to the organization as well. Cool, so we are coming to the conclusion. And some of the ideas to continue are, of course,
40:21
to find a way from the account takeover to getting into the internal network of the organization. Can it be done? How can it be done? Taking over the device, taking over something else, maybe taking advantage of the way they control the smart home devices in the network. I don't know, you name it. And another thing is access from the LAN
40:44
and the Wi-Fi access. For example, I already have Wi-Fi and LAN access. How to find an RCE over one of the smart device platforms, specifically, of course, the IP adapter, the IP-to-serial adapter of the HDL gateway devices, which is really cool also.
41:01
And yes, so many amazing ideas can be done. It could be amazing, amazing. I had so much fun working on this project. And I really come to the conclusion. I want to thank everyone, starting from the HDL Automation company for the fast fix and coordinated disclosure
41:21
of all the vulnerabilities. HDL Automation, you are really great. And I love working with you guys. The second thing is that I really wanted to thank Arthur Peleg, who is the HDL Israel representative, for supporting me along the way and helping me fix this; he was also an amazing guy.
41:42
And well, of course, thank you to my family for letting me break into their house. But only one time, only one time, hopefully not a second time, but we'll see about that. And of course, and of course, I'm really thankful to SentinelOne. SentinelOne, thank you for sponsoring and supporting my research.
42:02
Thank you so much. And well, I think this is it. We are coming to the live questions and answers. So if you want to, if you have any questions about my lecture, or if you want to read my full blog, so first I want you to know that my full blog
42:21
and my full research will be published right now, as we speak, on the SentinelLabs blog. So make sure you follow SentinelLabs and go to the SentinelLabs site at SentinelOne. And there is my full research with a lot of other code sections and stuff like this. And from now on, I will go to the questions and answers
42:41
in the Discord channel, in DEF CON, for more questions and answers. And I will be happy to answer any questions you have in mind. And thank you all for listening. Thank you all for coming here. And I hope to see you soon at DEF CON and other, even non-corona, events. We can see each other face-to-face also. So thank you very much.