Smart Homes Lab 3 Eric Zeng & Keanu Vestil


Page 1: Smart Homes Lab 3...a radio-based link between bulbs and a hub Researchers found a bug in the Zigbee chip that could let any Zigbee transmitter trigger a factory reset and then take

Smart Homes Lab 3

Eric Zeng & Keanu Vestil

Page 2

Upcoming Due Dates

● Homework 3 is due tomorrow
● Lab 3 was just released, due on Friday, Dec 11th
● Final Project is due Monday, Dec 14th (finals week)

Page 3

What is a smart home?

What makes a home “smart”?

What are some examples of smart home devices?

Are there any smart devices you are excited about?

Page 4

What is a smart home?

Connected cameras

Sensors: motion, light, open/close, temperature, moisture

Smart speakers & assistants

Smart lights

Smart locks

Smart thermometers

Smart toys

Other smart appliances

Page 5

Page 6

Is security for smart homes different than security for other devices?

Smart homes are different in many ways:

● Smart home devices can collect data on and change the physical environment

● Many startups are introducing new smart home devices, with questionable security and privacy practices

● Smart home devices are proliferating faster than computers

But they share some fundamental similarities:

● Smart home devices are just small computers, and can have the same vulnerabilities as any computer

Page 7

What does a smart home look like under the hood?

(Diagram) Cloud-based devices (clients): Philips Hue bulbs and an Amazon Echo sit behind the home router and talk to the Philips Hue servers and Amazon Echo servers; a control interface on the phone.

(Diagram) Standalone devices (servers): a FosCam camera behind the home router.

Page 8

Threat Modeling: Possible Adversaries

Remote adversaries: Attackers that can only interact with the smart home over the internet

Physical and nearby adversaries: Attackers standing outside of the house, with direct or indirect physical access (e.g. touch, sound, wireless)

Device manufacturers and companies: Companies that provide cloud services for smart homes, e.g. Amazon, Samsung

Other people in the home: Spouses, children, parents, roommates, guests, etc.

Page 9

Activity: Smart Home Threat Modeling

Group 1: Remote adversaries

Group 2: Physical and nearby adversaries

Group 3: Device manufacturers and companies

Group 4: Other people in the home

https://canvas.uw.edu/courses/1396608/quizzes/1345976

Pick an adversary type, join the breakout room with that number

Learn about this type of adversary and discuss with your group

Answer the following questions:

1. What goals could this type of adversary have? What assets might they be interested in?

2. What kinds of vulnerabilities could this type of adversary exploit?

3. How might this type of adversary carry out an attack?

Pick 1 (or more) person to present to the class

Page 10

Remote Adversaries

1. What goals could this type of adversary have? What assets might they be interested in?

2. What kinds of vulnerabilities could this type of adversary exploit?

3. How might this type of adversary carry out an attack?

Page 11

Remote Adversaries: Botnets

● Imagine you found the same vulnerability on tens of 1000s of identical devices
○ They’re all standalone cameras - i.e. servers

● Exploit: try running your attack on every IP address in the IPv4 address space
○ 0.0.0.1, 0.0.0.2, … 255.255.255.255

● What can you do with 10,000s of small computers?

Page 12

Mirai Botnet (2016)

● Responsible for 2016 DDoS attacks on Dyn, a DNS provider
○ Took down GitHub, Twitter, Reddit, Netflix, and Airbnb
○ Rapidly sent requests to servers faster than they could be processed

● Vulnerability exploited: default usernames and passwords

● Mostly infected CCTV cameras and routers

● Original purpose? Minecraft video game scam
○ https://www.wired.com/story/mirai-botnet-minecraft-scam-brought-down-the-internet/

Page 13

Source: Imperva. Geo-locations of all Mirai-infected devices uncovered so far in 2016

Page 14

Nearby Adversaries

1. What goals could this type of adversary have? What assets might they be interested in?

2. What kinds of vulnerabilities could this type of adversary exploit?

3. How might this type of adversary carry out an attack?

Page 15

Nearby Adversaries: Attacking Wireless Protocols

● Philips Hue Smart Lights use the Zigbee protocol, a radio-based link between bulbs and a hub

● Researchers found a bug in the Zigbee chip that could let any Zigbee transmitter trigger a factory reset and then take control of Zigbee lights from up to 400 meters away

● Demonstrated it’s possible to use a drone to fly around and turn off all smart lamps in a city

Page 16

Nearby Adversaries: Triggering Voice Assistants

● Shout at Alexa from an open window
○ Can put things into shopping cart, set alarms, control other smart devices

● Mixed remote/physical attack: get TV or speakers to say “Alexa” or wake-up word

Page 17

Device Manufacturer Adversaries

1. What goals could this type of adversary have? What assets might they be interested in?

2. What kinds of vulnerabilities could this type of adversary exploit?

3. How might this type of adversary carry out an attack?

Page 18

Device Manufacturer Adversaries: Audio Data

● Amazon Echo voice recordings sent to workers for transcription
○ To provide better training data for voice recognition

● Workers heard audio from when users didn’t realize they were being recorded

● Recordings captured private conversations, background noise in the house, crying children, singing in the shower etc.

Page 19

Other Users as Adversaries

1. What goals could this type of adversary have? What assets might they be interested in?

2. What kinds of vulnerabilities could this type of adversary exploit?

3. How might this type of adversary carry out an attack?

Page 20

Multi-User Security and Privacy Issues in Smart Homes

Privacy
- Violating others’ privacy by looking at video/audio recordings, device logs

Conflict
- Disagreements about how to use devices (e.g. thermostat)
- Disagreements intensified by devices (e.g. recording of an argument)

Abuse
- Harassing and spying on other people using smart home devices
- Monitoring behavior with cameras and sensors
- Using smart speakers to harass with noises, voices, etc.

Page 21

Lab 3

Page 22

Lab 3 Overview

● Your task: compromise a (virtual) smart home and start a fire!
○ Locate the smart home devices using an IoT search engine
○ Find and exploit vulnerabilities
○ Use hacked devices to access other devices

Page 23

Here’s what you know

The smart home may contain these devices (and more!):
● Husky Speaker: An internet connected speaker that accepts and plays audio files
● Husky Voice Assistant: Allows you to control smart home devices using voice
● HuskyCam: A simple internet connected speaker

(read the spec for more info!)

You also have access to:
● Nidan - a search engine for publicly accessible IoT devices

Create an account at https://cse484.cs.washington.edu

Page 24

Nidan Overview

An IoT search engine (reduced version of Shodan)
● Query is comprised of tokens: field filters or keywords
○ Tokens specify AND conditions, and are separated by whitespace
○ Field filters can be inclusive (default) or exclusive (prepend ‘-’)
○ Keywords are searched for in the data field

● e.g. “nginx port:80” will find devices on port 80 with “nginx” in their data

Other useful fields:
● Location: city, area_code, country_name, ...
● Configuration: ip, os, isp, transport, ...
● Check the spec for all of the fields on Nidan
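To make the query syntax concrete, here is an added toy matcher (not the Nidan tool's own code, and not from the slides) that applies the rules above to a handful of constructed device records. It assumes field filters compare case-insensitively against a record field and keywords are case-insensitive substrings of the data field; the slide does not define an exclusive form for bare keywords, so none is implemented.

```python
# Added example: toy Nidan-style query matcher. Device records below are
# constructed sample data, not real hosts.

# Constructed sample index; field names follow the slide (ip, port, os, city, data).
DEVICES = [
    {"ip": "10.0.0.1", "port": 80,   "os": "Linux",   "city": "Seattle",  "data": "Server: nginx/1.18"},
    {"ip": "10.0.0.2", "port": 80,   "os": "Linux",   "city": "Portland", "data": "Server: Apache"},
    {"ip": "10.0.0.3", "port": 8080, "os": "Linux",   "city": "Seattle",  "data": "nginx admin panel"},
    {"ip": "10.0.0.4", "port": 443,  "os": "Windows", "city": "Seattle",  "data": "IIS"},
]


def parse_query(query):
    """Split a query into (field, value, exclusive) filters and bare keywords."""
    filters, keywords = [], []
    for token in query.split():              # tokens are whitespace separated and ANDed
        exclusive = token.startswith("-")    # '-' prefix turns a field filter into an exclusion
        body = token[1:] if exclusive else token
        if ":" in body:
            field, value = body.split(":", 1)
            filters.append((field, value, exclusive))
        else:
            keywords.append(token)           # keywords are matched against the data field
    return filters, keywords


def matches(device, filters, keywords):
    """True when every filter and every keyword holds for this record."""
    for field, value, exclusive in filters:
        hit = str(device.get(field, "")).lower() == value.lower()
        if hit == exclusive:                 # inclusive needs a hit, exclusive needs a miss
            return False
    data = device.get("data", "").lower()
    return all(k.lower() in data for k in keywords)


def search(query, devices=DEVICES):
    """Return the IPs of all records matching the query, in index order."""
    filters, keywords = parse_query(query)
    return [d["ip"] for d in devices if matches(d, filters, keywords)]


if __name__ == "__main__":
    print(search("nginx port:80"))              # the slide's example query
    print(search("city:Seattle -os:Windows"))   # inclusive plus exclusive filter
```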

Page 25

Locating Devices

Let’s say we want to find HuskyFridge, Husky Speaker, and Husky Lock on Nidan
● What are the IP addresses of the devices?
● Why can we only see 1 device on Nidan?

(Diagram: Local Network / Public Network)

Answer: We can only see one device because the rest are hidden from the public internet, because of Network Address Translation

Page 26

Local Networks and NATs

● To conserve IP addresses, each home network (router) is assigned 1 IP address, but not each device on the network
○ Only 2^32 addresses in IPv4

● NAT allows each home router to assign IPs to devices in an internal address space (192.168.x.x)
○ Internal, so it won’t conflict with other home networks

● Port forwarding
○ If you run a home server that other devices can talk to, you can map the public IP and a port to an internal port
○ Non-port-forwarded devices can’t be contacted externally

(Diagram) External IP:Port 25.44.179.7:5000 is forwarded to Internal IP:Port 192.168.0.3:1234; the Local Network holds 192.168.0.3, 192.168.0.4, 192.168.0.5 behind the router, facing the Public Network.
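The slide's diagram as runnable code: an added toy model of the home router (not from the slides or the lab) that keeps a static port-forward for 25.44.179.7:5000 → 192.168.0.3:1234 plus dynamic mappings for outbound connections. It shows why a public scanner only ever reaches the forwarded host, while replies to connections the internal hosts started still get through. Port numbers chosen for dynamic mappings and the internal source ports are constructed values.

```python
# Added example: toy NAT/port-forwarding router for the slide's diagram.
EXTERNAL_IP = "25.44.179.7"                                     # from the slide
INTERNAL_HOSTS = {"192.168.0.3", "192.168.0.4", "192.168.0.5"}  # from the slide


class HomeRouter:
    def __init__(self, external_ip, port_forwards):
        self.external_ip = external_ip
        # Static rules: external port -> (internal ip, internal port).
        self.port_forwards = dict(port_forwards)
        # Dynamic entries created by outbound traffic: external port -> (ip, port).
        self.sessions = {}
        self.next_port = 40000  # constructed starting point for dynamic ports

    def outbound(self, src_ip, src_port):
        """An internal host opens a connection; the router maps it to a public port."""
        if src_ip not in INTERNAL_HOSTS:
            raise ValueError("not an internal host: " + src_ip)
        for ext_port, mapped in self.sessions.items():
            if mapped == (src_ip, src_port):
                return ext_port             # reuse the existing mapping
        ext_port = self.next_port
        self.next_port += 1
        self.sessions[ext_port] = (src_ip, src_port)
        return ext_port

    def inbound(self, dst_ip, dst_port):
        """A packet arrives from the public network; return (ip, port) it is
        delivered to, or None if the router has no mapping and drops it."""
        if dst_ip != self.external_ip:
            return None
        if dst_port in self.port_forwards:
            return self.port_forwards[dst_port]       # static port forward
        return self.sessions.get(dst_port)            # reply to an outbound session, else None


def publicly_visible(router):
    """Internal hosts an IoT search engine scanning the public IPv4 space could reach."""
    return sorted({ip for ip, _ in router.port_forwards.values()})


if __name__ == "__main__":
    r = HomeRouter(EXTERNAL_IP, {5000: ("192.168.0.3", 1234)})
    print(r.inbound(EXTERNAL_IP, 5000))   # forwarded to the home server
    print(r.inbound(EXTERNAL_IP, 1234))   # no mapping: dropped
    print(publicly_visible(r))            # only the forwarded host shows up in a scan
```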

Page 27

Strategy: Lateral Movement

0. Compromise a device on a network

1. Reconnaissance
○ Look for other devices on the network and their internal addresses/ports

2. Privilege Escalation
○ Look for credentials that can be used to gain access to the other devices or elevate the current privileges

3. Gaining Access
○ Compromise another device, then rinse and repeat until you achieve your goal

(Diagram: Local Network with 192.168.0.3, 192.168.0.4, 192.168.0.5 and the credentials found on them; Public Network)

Page 28

SOCKS Proxy Setup: Terminal

The target devices are only accessible on UW’s network, so we need to proxy through attu.

Run: ssh -N -D <port> <csenetid>@attu.cs.washington.edu

● Windows users: this should work in PowerShell. If not, follow the instructions for PuTTY in the spec.
● Select a port that isn’t in use. 1000 and above should work.
● If you see an error like this, then try a different port like 12345

(Screenshot: a failed and a successful run of the ssh command)

Page 29

curl for PowerShell users

On your version of PowerShell, curl might be an alias for Invoke-WebRequest, which works slightly differently.

Alternative options:
● ssh into attu and issue your command from there
○ Do not include the proxy option, because you don’t need it

● Use PuTTY and the terminal that it spawns

● Install curl for Windows: curl.se
