Craig Young, VERT Security Researcher · 2018-06-22 · IoT Village ...
TRANSCRIPT
Smart Home Invasion
Craig Young
VERT Security Researcher
IoT Village
Brief Introduction
• Craig Young, Tripwire VERT Security Researcher
• Research vulns and write ASPL checks for IP360 scan engine
• Blogger on Tripwire State of Security
• SOHOpelessly Broken tracks 1 & 2 winner at DEF CON 22
  • Found and demonstrated 10 router 0-day flaws to win track 0
  • Team VERT had 5x as many points in track 1 as 2nd place
• Identified 100+ CVEs in 2013 & 2014 alone
Motivations
• Home improvement stores now sell several DIY smart home hubs
  • Control lighting, locks, cameras, HVAC & more from anywhere
• Consumer-targeted embedded devices have a poor security record
• We must ask a few basic questions to evaluate the risk...
  • Why would someone target a smart home hub?
  • What is the attack surface of a smart home hub?
  • How can consumers minimize exposure to attack?
Testing Grounds
Tripwire analyzed the top-selling hubs on Amazon.com to get answers:
• Wink Hub
• Vera
• SmartThings Hub
Presentation Outline
✓ Home automation 101
✓ Consequences of compromise
✓ Reviewing attack surface
✓ Case Study 1: Wink Hub
✓ Case Study 2: Vera
✓ Vera Demo
✓ Case Study 3: SmartThings Hub
✓ Closing Remarks
✓ Questions (XKCD)
Introducing The Smart Home
Graphic by Washington State University via nih.gov
Hubs put the Smart in Smart Home
• Hubs bridge the gap between PAN and WAN
  • Connect to home LAN via Ethernet and/or 802.11 (Wi-Fi)
  • Intelligence gets outsourced to the cloud
    • Reduces specifications required for hub
    • External access without firewall or UPnP configuration
• Common Benefits:
  • Smartphone Control
  • Remote control of devices with monitor and alert capability
  • Automated profiles to simplify multi-step actions
ZigBee Primer
• IEEE 802.15.4 PHY/MAC
• ~2.4GHz @ 250kbps
• Up to 255, 10m hops
• 2 yr minimum battery life
• Supports varied topology
  • Star, Tree, & Mesh
• AES128 supported
• Developed & licensed by
ZigBee Research
Practical attacks have been successfully demonstrated against ZigBee networks:
• KillerBee Attack Framework (Joshua Wright, ToorCon 11)
  • Replay Attacks
  • Key Provisioning Attacks
  • Eavesdropping
• KisBee 802.15.4 Capture Device ([email protected])
  • Small
  • Battery Powered
  • Open Source
Z-Wave Primer
• ITU G.9959 PHY/MAC
• ~900MHz @ 100kbps
• Up to 4, 30m hops
• Mesh network topology
• Supports AES128
• Developed by Zen-Sys
  • Sold to Sigma Designs
Z-Wave Research
Black Hat USA 2013 – Introducing Z-Force
Honey, I’m Home!!! Hacking Z-Wave Home Automation (B. Fouladi & S. Ghanoun)
• Passive key interception
  • Install time (boring)
  • Eavesdropping & Replay
    • Replay possible if nonce is not used
• Null byte temp key used
  • Attackers can spoof ZC to reset key
  • Successful deadbolt key reset PoC
What’s the worst that could happen?
Well, an attacker could...
• Monitor sensors to remotely case the home
• Quickly identify where people are in a home
• Open locks without authorization
• Disable sensors & alarms to stay unnoticed
• Access LAN, DDoS zombies, attack proxy, etc.
Reviewing the Attack Surface
End device wireless subversion (ZW/ZC/BT)
• Replay attacks (when no nonce)
• Key interception & reset attacks
• Device node impersonation & jamming
Physical countermeasures to sensors/devices
• Magnet to defeat window sensor
• Infrared light to defeat motion sensor
Attacking the hub
• 802.11 trickery
• HTTP Exploitation
Attack Vectors Pros and Cons
End device subversion
• Pro: Leaves little forensic evidence
• Con: Requires knowledge of specific device and special gear
Physical Countermeasures against sensors/alarms
• Pro: Points for style (Hacking like James Bond!)
• Con: Increased risk of failure in the field
Attacking the HUB
• Pro: Control of the hub exposes all PAN and LAN nodes
• Con: Requires knowledge of targeted hub
Case Study 1: Wink Hub by Quirky
Wireless Protocols:
• Z-Wave
• Zigbee
• Bluetooth
• Wi-Fi
• Lutron
• Kidde
TCP Scan:
• HTTP (TCP/80)
• SSH (TCP/22)
Exposed Interfaces:
• HTTP
• API
• Android/iOS
What does Google say about Wink?
UART on the GTVHacker’s Wink Hub
Hack all the things: 20 devices in 45 minutes (DEF CON 22, GTVHacker, now: https://www.exploitee.rs/)
Command injection in PHP script
• Failure to sanitize exec() input
• Trivial direct or CSRF exploitation
• Patched shortly after DEF CON 22
Local root on any firmware
• Hardware hacked to break kernel loading
• UART now provides U-Boot shell
The VERT Approach
VERT’s Wink still had the command injection
• This provided a quick path to explore
• Discover update URLs and analyze PHP
• fgrep -nr SELECT /var/www/ -> BUGS!!!
Unsanitized SQL was plentiful!
• Multiple GET-based injection points
• Back-end database is SQLite
• Can this lead to root access?
  • In this case, YES!!!
Escalating from SQLi to RCE
fgrep revealed multiple SQL queries constructed with untrusted user input
• These vulnerabilities were still present in November 2014 firmware
• The SQLi could occur directly or via CSRF
Going from SQLi to complete system compromise
• Wink hub has a writeable file system, including the web root where PHP is processed
• SQLite can create files containing new DBs with the ATTACH command
• Injection of an ATTACH+INSERT can create a file with partially controlled content
• Two steps to root command exec:
  • Create /var/www/shell.php with <?php exec("$_GET['cmd']") ?>
  • Request http://wink/shell.php?cmd=<COMMAND>
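The pattern fgrep turned up is a SELECT whose WHERE clause is spliced together from a GET parameter, so whatever the request carries is handed to the SQLite parser as SQL; a bound parameter never reaches the parser and can only ever be compared as a value. The side-by-side below is an added example in Python's sqlite3 (not the hub's PHP and not VERT's code): the devices table and its rows are constructed, and injection_changes_result is a hypothetical helper that flags inputs which alter the query's meaning.

```python
import sqlite3

# Constructed sample rows standing in for a hub's device table (not Wink's schema).
DEVICES = [
    (1, "front_door_lock", "lock"),
    (2, "living_room_cam", "camera"),
    (3, "basement_motion", "sensor"),
]


def make_db():
    """Build an in-memory SQLite DB holding the constructed sample rows."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE devices (id INTEGER, name TEXT, kind TEXT)")
    db.executemany("INSERT INTO devices VALUES (?, ?, ?)", DEVICES)
    return db


def lookup_vulnerable(db, device_id):
    """Query text built by concatenation, as the hub's PHP did: the GET value
    becomes part of the SQL and SQLite parses whatever it contains."""
    query = "SELECT name FROM devices WHERE id = '" + device_id + "'"
    return [row[0] for row in db.execute(query)]


def lookup_hardened(db, device_id):
    """Same lookup with a bound parameter: the value is compared, never parsed,
    so quotes, OR clauses or extra statements in it have no effect."""
    query = "SELECT name FROM devices WHERE id = ?"
    return [row[0] for row in db.execute(query, (device_id,))]


def injection_changes_result(db, device_id):
    """Hypothetical test helper: True when the concatenated and the bound query
    disagree for the same input, i.e. the input changed the query's meaning."""
    return lookup_vulnerable(db, device_id) != lookup_hardened(db, device_id)
```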
Impact on Wink Hub
Root via HTTP GET!!!
Once a system is popped, it exposes:
• Security keys for wireless nets
  • WLAN and PANs
• Devices can be subverted by attackers
  • Learn the target home’s schedule
  • Open locks and disable alarms
  • Make yourself at home...
Exploiting Wink Hub
• CSRF for code exec in 2 requests
  • URL #1 plants backdoor PHP
  • URL #2 executes payload
• Direct TCP Connections
  • Wink Hub in DMZ/NAT zone
  • Visitor with LAN access
• Nearby Attacker
  • Standard Wi-Fi cracking
  • Forcing Wink Hub into AP mode
Forcing Wink Hub into AP Mode
Wink Hub broadcasts an open AP for out-of-box setup
• ssid="WINKHUB-${hwaddr:6:12}-$randchars4"
• Settings are provisioned via smartphone and the AP is disabled
On each boot, Wink reverts to open AP if net is down after 90 sec
• Trigger a reboot while jamming the Wi-Fi connection and the open AP is back!
• Attacker can flood the air with spoofed 802.11 DEAUTH frames to keep Wink offline
  • Scenario #1: Owner notices disruption and reboots Wink Hub
  • Scenario #2: Burglar resets power from external breaker
• The open AP makes it trivial to exploit Wink Hub to load a backdoor
Wink Hub Mitigation
Upgrade to the latest firmware!
• Many vulnerabilities fixed
• Quirky used a bounty program for help
Limit exposure to HTTP interface
• Enable Wi-Fi isolation if possible
• Consider placing Wink on a different subnet from main LAN
Case Study 2: Vera by MiOS Verde
Wireless Protocols:
• Z-Wave
• Insteon
• Wi-Fi
TCP Scan:
• HTTP (TCP/80)
• DNS (TCP/53)
• SSH (TCP/22)
Exposed Interfaces:
• HTTP
• SSH
• Android/iOS (plugin)
What does Google say about Vera?
Home Invasion 2.0, Black Hat US 2013, Daniel Crowley (Trustwave TWSL2013-019)
Multiple Vulnerabilities Found
• Execute LUA scripts as root
• Replace firmware
• Use device as proxy to bypass firewall
Local root on any firmware
• Hardware hacked to break kernel loading
• UART now provides U-Boot shell
VERT Analysis
• Lack of authentication
• No CSRF Protection
• Root Command Injection
• Firewall Bypass (as noted by TWSL)
• Risk from ‘cloud’ intruder
Trust All ‘Local’ Access?!
The Vera Situa:on
• Deprecated UI5 firmware out of box
• No in product update to UI7
• Updated UI7 RC available on net
• No authen:ca:on by default
• Exploitable flaws persist
• Vendor considers LAN users as ‘Local’
• LAN requests trusted by default
• No plan indicated for patching
Responsible Disclosure
The vulnerabilities found by VERT are still 0-day
• Specific details are embargoed for now
• These issues are trivial to find and pose serious risk
Demonstration
• I consider CSRF as the biggest threat to Vera users
• JavaScript can be used to find and exploit LAN devices
Smart CSRF
Identify
• WebRTC + STUN disclose subnet
• Fallback to common range brute force
Hunt
• Crawl the LAN for target device
• JavaScript for feedback or spray and pray
Pwnage
• Small reverse shell payload
• Attacker gains root access
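Every request in the three phases above is issued by the victim's own browser, so it arrives from the LAN address the hub trusts but carries the attacker page's Origin (or Referer) and none of the hub's own session state. The gate below is an added example (not Vera's code and not VERT's) of how a hub's HTTP handler can refuse such cross-site state changes instead of trusting "local" by default; HUB_HOSTS and the per-session token storage are assumptions, and allow_state_change is a hypothetical handler helper.

```python
import hmac
import secrets
from urllib.parse import urlsplit

# Addresses under which the hub serves its own UI/API. Constructed placeholders:
# a real hub would take these from its configured LAN address/hostname.
HUB_HOSTS = {"192.168.1.20", "hub.local"}


def issue_csrf_token():
    """Per-session secret embedded in the hub's own pages; a page on another
    origin cannot read it, so a cross-site request cannot supply it."""
    return secrets.token_urlsafe(32)


def _header(headers, name):
    """Case-insensitive header lookup over a plain dict of request headers."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None


def allow_state_change(headers, submitted_token, session_token):
    """Gate for any request that changes hub state (locks, scenes, firmware).
    Returns (allowed, reason). Rejects by browser-supplied origin first, then
    requires the session token, so a LAN source address alone grants nothing."""
    # Modern browsers label cross-site requests explicitly; honour that first.
    if _header(headers, "Sec-Fetch-Site") == "cross-site":
        return False, "browser flagged request as cross-site"
    origin = _header(headers, "Origin") or _header(headers, "Referer")
    if not origin:
        return False, "no Origin/Referer: refuse rather than trust"
    host = urlsplit(origin).hostname  # "null" or junk yields None -> rejected
    if host not in HUB_HOSTS:
        return False, f"cross-site request from {host}"
    if not submitted_token or not session_token:
        return False, "missing CSRF token"
    if not hmac.compare_digest(submitted_token, session_token):
        return False, "CSRF token mismatch"
    return True, "ok"
```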
WebRTC Reference
Less Talk More Action
Vera Mitigation
• Turn that S#!T Off!
  • No timetable communicated for patch release
  • Design creates a gaping hole in your LAN
• For existing deployments (if you must have it...)
  • Keep the system up to date with UI7
  • Enable ‘Secure Vera’ option
Case Study 3: Smart Things Smart Hub
Wireless Protocols:
• Z-Wave
• Zigbee
• Wi-Fi
TCP Scan:
• Telnet (TCP/23)
Exposed Interfaces:
• Android/iOS/Windows
Previous Research?
Minimal Published Research Before VERT’s Audit
• Veracode report in April 2015 indicated good security posture
• Smart Hub Exposes Minimal Local Attack Surface
• Infrastructure Attacks
• Nearby Radio Exploitation
VERT Audit of Smart Hub
Trust Issues (CVE-2014-9063 & CVE-2014-9064)
• Back-end SSL validation not implemented
• The nature of the platform exposes security-relevant access
• Exploits require privileged network access
  • ISP or State level access needed
Previous Reports
Two others reported the Smart Things SSL FAIL:
• NCC Group: https://www.nccgroup.trust/us/our-research/internet-of-things-security/
• Dan Bastone, Gotham Digital Science: http://blog.gdssecurity.com/labs/2015/3/4/smartthings-ssl-certificate-validation-vulnerability.html
Smart Hub Status
SSL trust checks implemented in firmware update
Back-end breach could still pose danger to end users
Zigbee/Z-‐Wave stacks were not reviewed in this audit
Closing Remarks
• The reliance on cloud infrastructure may be a risk
  • Vendor breach yields privileged insight into homes
  • Service disruption may be unavoidable
• Credible threats can and do originate from LAN/WLAN
  • Malicious site content (malvertising, watering hole, ...)
  • Browser extension infection
  • Smartphone malware
Thanks!
Craig Young -- @CraigTweets http://www.tripwire.com/vert
Special Thank You to ISE & DEF CON for hosting the 1st IoT Village!
Questions?