Reversing Internet of Things from Mobile applications
Axelle Apvrille - FortiGuard Labs, Fortinet
Insomni’hack, Geneva, March 18, 2016
Reversing Internet of Things (IoT) is difficult
Different hardware
Different OS: Linux, Windows Mobile, Android, Contiki, RIOT, TinyOS, Brillo...
Different formats: ELF, BFLT...
Research: e.g. firmware.re
Why reverse IoT?
- To understand how (in)secure they are
- To detect and protect against viruses and exploits
Insomni’Hack 2016 - A. Apvrille 2/24
So, how do we get started?
Focus first on the mobile app: Apktool, dex2jar, IDA Pro...
First step: it's faster
Real examples
Recon Jet Smart Glasses - Toothbrush - Safety Alarm
A shell on the glasses
- Enable USB debugging on the glasses
- Add udev rule
- Add vendor ID in ~/.android/adb_usb.ini
$ adb devices
List of devices attached
291052171 device
$ adb -s 291052171 shell
shell@android:/ $
System properties
shell@android:/ $ getprop ro.boot.bootloader
U-Boot_1.1.4-4.4-SUN^0-dirty
shell@android:/ $ getprop ro.build.description
lean_jet_sun-user 4.1.2 JZO54K 11 release-keys
The glasses are using Android 4.1.2 - Jelly Bean
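The two properties above already tell a lot: the build description encodes product, variant, Android version, build id and signing tags, and the bootloader string carries a "-dirty" suffix. As an added example (not code from the talk or from Recon), the script below parses a getprop dump in the bracketed layout plain `getprop` prints and turns it into findings an auditor would note. The dump is constructed: the two values come from the slide, the remaining properties are standard Android keys with invented values, and the 4.4 support threshold is an assumption made for the example.

```python
import re
from typing import Dict, List

# Constructed getprop dump in the "[key]: [value]" layout that plain
# `getprop` prints. The first two values are the ones shown on the slide;
# the remaining keys are standard Android properties with constructed values.
SAMPLE_GETPROP = """\
[ro.boot.bootloader]: [U-Boot_1.1.4-4.4-SUN^0-dirty]
[ro.build.description]: [lean_jet_sun-user 4.1.2 JZO54K 11 release-keys]
[ro.build.version.release]: [4.1.2]
[ro.build.version.sdk]: [16]
[ro.debuggable]: [0]
[ro.secure]: [1]
"""

PROP_RE = re.compile(r"^\[([^\]]+)\]: \[(.*)\]$")

# Assumption for this example: builds older than 4.4 no longer receive
# security updates, so anything below this is reported as out of support.
MIN_SUPPORTED = (4, 4)


def parse_getprop(dump: str) -> Dict[str, str]:
    """Turn a getprop dump into a dict; lines in another layout are ignored."""
    props: Dict[str, str] = {}
    for line in dump.splitlines():
        m = PROP_RE.match(line.strip())
        if m:
            props[m.group(1)] = m.group(2)
    return props


def parse_build_description(desc: str) -> Dict[str, str]:
    """Split ro.build.description into its fields.

    Layout produced by the AOSP build system:
      '<product>-<variant> <version> <build id> <incremental> <tags>'
    """
    parts = desc.split()
    if len(parts) != 5:
        raise ValueError(f"unexpected ro.build.description: {desc!r}")
    product_variant, version, build_id, incremental, tags = parts
    product, _, variant = product_variant.rpartition("-")
    return {
        "product": product, "variant": variant, "version": version,
        "build_id": build_id, "incremental": incremental, "tags": tags,
    }


def version_tuple(version: str) -> tuple:
    return tuple(int(x) for x in version.split("."))


def assess_build(props: Dict[str, str]) -> List[str]:
    """Return human-readable findings about the device's build and bootloader."""
    findings: List[str] = []
    build = parse_build_description(props["ro.build.description"])
    if version_tuple(build["version"]) < MIN_SUPPORTED:
        findings.append(f"android {build['version']} is out of support")
    if build["tags"] != "release-keys":
        # test-keys means the image is signed with the public AOSP test keys
        findings.append(f"build signed with {build['tags']}")
    if build["variant"] != "user":
        findings.append(f"non-production build variant: {build['variant']}")
    if props.get("ro.debuggable") == "1":
        findings.append("ro.debuggable=1: every app can be debugged over adb")
    if props.get("ro.boot.bootloader", "").endswith("-dirty"):
        # U-Boot appends -dirty when built from a tree with uncommitted changes
        findings.append("bootloader built from a modified (dirty) source tree")
    return findings


if __name__ == "__main__":
    for finding in assess_build(parse_getprop(SAMPLE_GETPROP)):
        print("-", finding)
```

On a real device, feed it `adb -s <serial> shell getprop` output instead of the constructed dump; the parser ignores any line that is not in the bracketed layout.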
Hardware investigations
Hey, what hardware is it using?
/system/board_properties/soc/revision: OMAP4430
/system/lib/hw/sensors.conf:
- STM LSM9DS0 accelerometer/gyroscope/compass
- STM LPS25 pressure
- TI TMP103 temperature
- Recon Free Fall
- Avago Tech APDS9900 ambient light
System applications
shell@android:/system/app $ ls
...
ReconCamera.apk
ReconCompass.apk
ReconItemHost.apk
...
Pull them, analyze them: Apktool, dex2jar, JEB, baksmali...
Data leak
Events (start/pause..., battery level) plus logcat and dmesg output are packed into a ZIP protected by a hard-coded password and sent over HTTPS from the Recon Jet glasses to the Recon Instruments servers during synchronization.
Example of data:
{
  "component": "battery_monitor",
  "data1": "99%; 4172mV",
  "data2": "Charging USB",
  "data3": "29",
  "event_type": "BatteryMeasurement",
  "time_stamp": "1434115258015"
},
{
  "component": "ActivityManager",
  "data1": "com.reconinstruments.jetconnectdevice/.ReconnectSmartphoneActivity",
  "data2": "",
  "data3": "",
  "event_type": "PauseActivity",
  "time_stamp": "1434115211239"
},
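A ZIP password compiled into the app protects the archive from nobody who holds the APK, since dex2jar and a decompiler hand it straight back. As an added example (not the talk's or Recon's code), here is the kind of check an auditor runs over decompiled sources, or a developer runs over their own tree, to catch that pattern: it collects String constants, flags credential-named ones, and resolves the argument of a setPassword() call back to its embedded value. The Java excerpt is constructed to look like decompiler output; class, field and method names and the password value are invented.

```python
import re
from typing import Dict, List, NamedTuple

# Constructed excerpt of what a decompiled sync class might look like after
# dex2jar plus a Java decompiler. Names and values are invented for this example.
SAMPLE_SOURCE = '''\
public class LogUploader {
    private static final String UPLOAD_URL = "https://sync.example.invalid/upload";
    private static final String ZIP_PASSWORD = "c0nstructed-s3cret";
    private static final int BATCH_SIZE = 200;

    public void upload(File logs) throws Exception {
        ZipParameters params = new ZipParameters();
        params.setEncryptFiles(true);
        params.setPassword(ZIP_PASSWORD);
        ZipFile zip = new ZipFile("events.zip");
        zip.addFile(logs, params);
        post(UPLOAD_URL, zip);
    }
}
'''


class Finding(NamedTuple):
    line: int
    rule: str
    value: str


# A String constant definition: String NAME = "literal"
CONST_RE = re.compile(r'\bString\s+(\w+)\s*=\s*"([^"]*)"')
# Identifier names that suggest a credential (deliberately broad; review hits by hand)
SECRET_NAME_RE = re.compile(r"pass|pwd|secret|api_?key|token", re.IGNORECASE)
# A password-setting call with either a string literal or an identifier argument
SET_PASSWORD_RE = re.compile(r'\.setPassword\(\s*(?:"([^"]*)"|(\w+))\s*\)')


def collect_string_constants(source: str) -> Dict[str, str]:
    """Map every String constant name in the source to its literal value."""
    return {m.group(1): m.group(2) for m in CONST_RE.finditer(source)}


def scan_for_embedded_secrets(source: str) -> List[Finding]:
    """Report credential-looking constants and setPassword() calls whose
    argument is a literal or resolves to a constant embedded in the app."""
    constants = collect_string_constants(source)
    findings: List[Finding] = []
    for no, line in enumerate(source.splitlines(), start=1):
        m = CONST_RE.search(line)
        if m and SECRET_NAME_RE.search(m.group(1)):
            findings.append(Finding(no, "secret-named constant", m.group(2)))
        m = SET_PASSWORD_RE.search(line)
        if m:
            literal, ident = m.group(1), m.group(2)
            if literal is not None:
                findings.append(Finding(no, "setPassword() with literal", literal))
            elif ident in constants:
                findings.append(Finding(no, "setPassword() with app-embedded constant",
                                        constants[ident]))
    return findings


if __name__ == "__main__":
    for f in scan_for_embedded_secrets(SAMPLE_SOURCE):
        print(f"line {f.line}: {f.rule}: {f.value!r}")
```

The same two passes work on smali (match `const-string` for constants and `invoke-virtual ... ->setPassword` for the call) once the regexes are swapped; the point that survives either syntax is that a secret which must reach the device in the app is not a secret.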
Vulnerability status
Vulnerability found -> vendor contacted -> issue fixed in Recon OS 4.4 (February 2016)
Smart Glasses - Beam Toothbrush - Safety Alarm
Why are we investigating toothbrushes?!
Attackers don't care about your teeth, but... TRUE
- TARGETED BUSINESS: free toothpaste is not attractive to attackers
- RANSOMWARE: "I'll tell your mom you don't brush your teeth!" Ransom kids' pocket money
- UNDESERVED REWARDS: insurance fraud might become an incentive
- INFECTION VECTOR: your toothbrush infects other devices
- PRIVACY ISSUES? Profile user & family; sell health plans, hi-tech
Verdicts on the slide: LOW REVENUE / WATCH THIS IN THE FUTURE?
Classes and fields: we work out the mappings
So, what?
Device <-- BLE --> Smartphone <-- SYNC HTTPS --> Cloud
- Device: firmware, hardware, flash; battery: level; motor: control speed; gyroscope: 3 axis; accelerometer: 3 axis; auto off timer; Bluetooth: MAC addr; serial no
- Smartphone: user name, birthdate, email, zip, stars...
- Cloud (*.beamtoothbrush.com/): user name, birthdate, email, zip, stars...; dentist map database; discount database; user database
Now you're ready for wiser investigations...
Now, it's going to be easier & faster to continue the reverse engineering.
Talk to your toothbrush?
Send BLE ATT packets to service/characteristics
- Firmware OTA service C05FC343-C076-...
- Beam service 04234F8E-75...
- Battery level 6DAC0185-E...
- Accelerometer 0227F1B0-FF...
- Auto off and quadrant buzz 19DC94FA-7B...
- ...
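Whether you are checking what the app writes to the device or reading an HCI snoop log of the pairing, the traffic is a sequence of ATT PDUs: one opcode byte, usually a little-endian 16-bit attribute handle, then the value. As an added example (not the talk's or Beam's code), the small codec below encodes and decodes the request/response pairs used to read and write a characteristic, converts 128-bit UUIDs to the little-endian form they have on the wire, and annotates PDUs through a handle-to-name table. The handle table is constructed (the vendor UUIDs on the slide are truncated and are not used); the UUID in the test is the Bluetooth SIG Battery Service UUID, and ATT error code 0x03 is Write Not Permitted.

```python
import struct
import uuid
from typing import Dict, NamedTuple, Optional

# ATT opcodes from the Bluetooth Core Specification (Attribute Protocol).
ATT_ERROR_RSP = 0x01
ATT_READ_REQ = 0x0A
ATT_READ_RSP = 0x0B
ATT_WRITE_REQ = 0x12
ATT_WRITE_RSP = 0x13
ATT_HANDLE_VALUE_NTF = 0x1B

OPCODE_NAMES = {
    ATT_ERROR_RSP: "Error Response",
    ATT_READ_REQ: "Read Request",
    ATT_READ_RSP: "Read Response",
    ATT_WRITE_REQ: "Write Request",
    ATT_WRITE_RSP: "Write Response",
    ATT_HANDLE_VALUE_NTF: "Handle Value Notification",
}

# Constructed handle-to-name table, as one would fill in after GATT discovery
# on a real device. The handles are invented for this example.
HANDLE_NAMES: Dict[int, str] = {0x0012: "battery level", 0x0020: "auto-off timer"}


class AttPdu(NamedTuple):
    opcode: int
    handle: Optional[int]                  # attribute handle, when the PDU carries one
    value: bytes                           # attribute value, or the error code for 0x01
    request_opcode: Optional[int] = None   # only set for Error Response


def uuid_to_att_bytes(u: str) -> bytes:
    """128-bit UUID as carried in ATT PDUs: little-endian byte order."""
    return uuid.UUID(u).bytes[::-1]


def att_bytes_to_uuid(b: bytes) -> str:
    return str(uuid.UUID(bytes=bytes(b)[::-1]))


def encode(opcode: int, handle: Optional[int] = None, value: bytes = b"") -> bytes:
    """Build the PDUs a client sends (requests) or a server returns (responses)."""
    if opcode == ATT_READ_REQ:
        return struct.pack("<BH", opcode, handle)
    if opcode in (ATT_WRITE_REQ, ATT_HANDLE_VALUE_NTF):
        return struct.pack("<BH", opcode, handle) + value
    if opcode == ATT_READ_RSP:
        return bytes([opcode]) + value
    if opcode == ATT_WRITE_RSP:
        return bytes([opcode])
    raise ValueError(f"unsupported opcode 0x{opcode:02x}")


def decode(pdu: bytes) -> AttPdu:
    """Parse one ATT PDU (for instance one record from a btsnoop capture)."""
    if not pdu:
        raise ValueError("empty PDU")
    opcode = pdu[0]
    if opcode == ATT_ERROR_RSP:
        req, handle, err = struct.unpack("<BHB", pdu[1:5])
        return AttPdu(opcode, handle, bytes([err]), req)
    if opcode == ATT_READ_REQ:
        return AttPdu(opcode, struct.unpack("<H", pdu[1:3])[0], b"")
    if opcode in (ATT_WRITE_REQ, ATT_HANDLE_VALUE_NTF):
        return AttPdu(opcode, struct.unpack("<H", pdu[1:3])[0], pdu[3:])
    if opcode == ATT_READ_RSP:
        return AttPdu(opcode, None, pdu[1:])
    if opcode == ATT_WRITE_RSP:
        return AttPdu(opcode, None, b"")
    raise ValueError(f"unsupported opcode 0x{opcode:02x}")


def describe(pdu: bytes, names: Dict[int, str] = HANDLE_NAMES) -> str:
    """One-line annotation of a PDU, resolving handles through the name table."""
    d = decode(pdu)
    label = OPCODE_NAMES[d.opcode]
    if d.opcode == ATT_ERROR_RSP:
        return (f"{label}: request 0x{d.request_opcode:02x} on handle "
                f"0x{d.handle:04x} failed, error 0x{d.value[0]:02x}")
    where = ""
    if d.handle is not None:
        where = f" handle 0x{d.handle:04x} ({names.get(d.handle, 'unknown')})"
    data = f" value {d.value.hex()}" if d.value else ""
    return f"{label}{where}{data}"


if __name__ == "__main__":
    # A client reading the battery level, then trying to write the auto-off timer
    for pdu in (encode(ATT_READ_REQ, 0x0012), encode(ATT_READ_RSP, value=b"\x63"),
                encode(ATT_WRITE_REQ, 0x0020, b"\x01"), b"\x01\x12\x20\x00\x03"):
        print(describe(pdu))
```

Android can record every HCI packet to a btsnoop log from the developer options; running captured ATT PDUs through describe() with a handle table from your own discovery pass shows which characteristics the app touches and whether the device refuses writes it should refuse.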
Smart Glasses - Toothbrush - Meian Home Safety Alarm
There's an Android app for the alarm
- Protect your house against burglars
- Controllable by SMS
But it's not very user friendly...
You have to comply with a strict SMS formatting.
So, they created an Android app to assist end-users.
(Known?) Security issue
In the outbox, the SMS contains the password and phone number of the alarm. You get it? You control the alarm!
Fake data, of course :D
Let's suppose you are a wise person and erase the SMS. You are wise, aren't you?
With the Android app, it’s worse!
Weak protection for password: we can recover the alarm's phone number, password, delay, emergency phone...
Your credentials are at risk even if you erased the SMS!
Without the app, 1 security issue. With the app, 2 security issues!!!
Recap’ (1/2)
How to reverse Internet of Things
1. Get the mobile application, reverse it
2. Then, use what you have learned to go deeper down and e.g. inspect hardware, protocols etc.
Recap’ (2/2)
- One vulnerability found and fixed
- We know what hardware is used
- We know how to communicate with the toothbrush!
- We know where stars and challenges are handled
- One vulnerability found, advisory published
- Don't use the app!
Thanks for your attention!
@cryptax or aapvrille (at) fortinet (dot) com
http://www.fortiguard.com
http://blog.fortinet.com
Awesome slides? Thanks! That's LaTeX