Smart Homes
Lab 3
Eric Zeng & Keanu Vestil
Upcoming Due Dates
● Homework 3 is due tomorrow
● Lab 3 was just released, due on Friday, Dec 11th
● Final Project is due Monday, Dec 14th (finals week)
What is a smart home?
What makes a home “smart”?
What are some examples of smart home devices?
Are there any smart devices you are excited about?
What is a smart home?
Connected cameras
Sensors: motion, light, open/close, temperature, moisture
Smart speakers & assistants
Smart lights
Smart locks
Smart thermometers
Smart toys
Other smart appliances
Is security for smart homes different than security for other devices?
Smart homes are different in many ways:
● Smart home devices can collect data on and change the physical environment
● Many startups are introducing new smart home devices, with questionable security and privacy practices
● Smart home devices are proliferating faster than computers
But they share some fundamental similarities:
● Smart home devices are just small computers and can have the same vulnerabilities as any computer
What does a smart home look like under the hood?
Cloud-based devices (clients)
Router
Philips Hue bulbs
Philips Hue servers
Amazon Echo
Amazon Echo servers
control interface on phone
Standalone devices (servers)
Router
FosCam
Threat Modeling: Possible Adversaries
Remote adversaries
Attackers that can only interact with the smart home over the internet
Physical and nearby adversaries
Attackers standing outside of the house, with direct or indirect physical access (e.g. touch, sound, wireless)
Device manufacturers and companies
Companies that provide cloud services for smart homes, e.g. Amazon, Samsung
Other people in the home
Spouses, children, parents, roommates, guests, etc.
Activity: Smart Home Threat Modeling
Group 1: Remote adversaries
Group 2: Physical and nearby adversaries
Group 3: Device manufacturers and companies
Group 4: Other people in the home
https://canvas.uw.edu/courses/1396608/quizzes/1345976
Pick an adversary type, join the breakout room with that number
Learn about this type of adversary and discuss with your group
Answer the following questions:
1. What goals could this type of adversary have? What assets might they be interested in?
2. What kinds of vulnerabilities could this type of adversary exploit?
3. How might this type of adversary carry out an attack?
Pick 1 (or more) person to present to the class
Remote Adversaries
1. What goals could this type of adversary have? What assets might they be interested in?
2. What kinds of vulnerabilities could this type of adversary exploit?
3. How might this type of adversary carry out an attack?
Remote Adversaries: Botnets
● Imagine you found the same vulnerability on tens of 1000s of identical devices
○ They’re all standalone cameras - i.e. servers
● Exploit: try running your attack on every IP address in the IPv4 address space
○ 0.0.0.1, 0.0.0.2, … 255.255.255.255
● What can you do with 10,000s of small computers?
Mirai Botnet (2016)
● Responsible for 2016 DDoS attacks on Dyn, a DNS provider
○ Took down GitHub, Twitter, Reddit, Netflix, and Airbnb
○ Rapidly sent requests to servers faster than they can be processed
● Vulnerability exploited: default usernames and passwords
● Mostly infected CCTV cameras and routers
● Original purpose? Minecraft video game scam
○ https://www.wired.com/story/mirai-botnet-minecraft-scam-brought-down-the-internet/
Source: Imperva. Geo-locations of all Mirai-infected devices uncovered so far in 2016
Nearby Adversaries
1. What goals could this type of adversary have? What assets might they be interested in?
2. What kinds of vulnerabilities could this type of adversary exploit?
3. How might this type of adversary carry out an attack?
Nearby Adversaries: Attacking Wireless Protocols
● Philips Hue Smart Lights use the Zigbee protocol, a radio-based link between bulbs and a hub
● Researchers found a bug in the Zigbee chip that could let any Zigbee transmitter trigger a factory reset and then take control of Zigbee lights from up to 400 meters away
● Demonstrated that it’s possible to use a drone to fly around and turn off all smart lamps in a city
Nearby Adversaries: Triggering Voice Assistants
● Shout at Alexa from an open window
○ Can put things into shopping cart, set alarms, control other smart devices
● Mixed remote/physical attack: get TV or speakers to say “Alexa” or wake-up word
Device Manufacturer Adversaries
1. What goals could this type of adversary have? What assets might they be interested in?
2. What kinds of vulnerabilities could this type of adversary exploit?
3. How might this type of adversary carry out an attack?
Device Manufacturer Adversaries: Audio Data
● Amazon Echo voice recordings sent to workers for transcription
○ To provide better training data for voice recognition
● Workers heard audio from when users didn’t realize they were being recorded
● Recordings captured private conversations, background noise in the house, crying children, singing in the shower etc.
Other Users as Adversaries
1. What goals could this type of adversary have? What assets might they be interested in?
2. What kinds of vulnerabilities could this type of adversary exploit?
3. How might this type of adversary carry out an attack?
Multi-User Security and Privacy Issues in Smart Homes
Privacy
- Violating others’ privacy by looking at video/audio recordings, device logs
Conflict
- Disagreements about how to use devices (e.g. thermostat)
- Disagreements intensified by devices (e.g. recording of an argument)
Abuse
- Harassing and spying on other people using smart home devices
- Monitoring behavior with cameras and sensors
- Using smart speakers to harass with noises, voices, etc.
Lab 3
Lab 3 Overview
● Your task: compromise a (virtual) smart home and start a fire!
○ Locate the smart home devices using an IoT search engine
○ Find and exploit vulnerabilities
○ Use hacked devices to access other devices
Here’s what you know
The smart home may contain these devices (and more!):
● Husky Speaker: An internet connected speaker that accepts and plays audio files
● Husky Voice Assistant: Allows you to control smart home devices using voice
● HuskyCam: A simple internet connected speaker
(read the spec for more info!)
You also have access to:
● Nidan - a search engine for publicly accessible IoT devices
Create an account at https://cse484.cs.washington.edu
Nidan Overview
An IoT search engine (reduced version of Shodan)
● Query is comprised of tokens: field filters or keywords
○ Tokens specify AND conditions, and are separated by whitespace
○ Field filters can be inclusive (default) or exclusive (prepend ‘-’)
○ Keywords are searched for in data field
● e.g. “nginx port:80” will find devices on port 80 with “nginx” in their data
Other useful fields:
● Location: city, area_code, country_name, ...
● Configuration: ip, os, isp, transport, ...
● Check the spec for all of the fields on Nidan
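Added example (not from the original slides and not Nidan's own code): a small matcher that applies the query rules above to a constructed index, showing how AND-ed tokens, an exclusive filter and a keyword combine. Exact-match field comparison, case-insensitive keyword search, and the sample records are assumptions; check the spec for Nidan's actual behavior.

```python
# Added illustration of the query semantics described on the slide.
# Not Nidan's implementation: exact-match field comparison and
# case-insensitive keyword search are assumptions.

# Constructed sample index (documentation-range IPs, made-up banners).
DEVICES = [
    {"ip": "192.0.2.10", "port": 80, "city": "Seattle", "data": "Server: nginx"},
    {"ip": "192.0.2.11", "port": 8080, "city": "Seattle", "data": "Server: nginx"},
    {"ip": "198.51.100.7", "port": 80, "city": "Tacoma", "data": "Server: Apache"},
    {"ip": "203.0.113.5", "port": 80, "city": "Tacoma", "data": "Server: nginx"},
]


def parse_query(query):
    """Split a query into (include filters, exclude filters, keywords)."""
    include, exclude, keywords = [], [], []
    for token in query.split():          # tokens are whitespace-separated
        negated = token.startswith("-")  # a leading '-' makes a filter exclusive
        field, sep, value = token.lstrip("-").partition(":")
        if sep and field and value:      # field:value is a field filter
            (exclude if negated else include).append((field, value))
        else:                            # anything else is a keyword
            keywords.append(token)
    return include, exclude, keywords


def matches(record, query):
    """True if the record satisfies every token (tokens are ANDed)."""
    include, exclude, keywords = parse_query(query)
    data = str(record.get("data", "")).lower()  # keywords search the data field
    return (
        all(str(record.get(f, "")) == v for f, v in include)
        and not any(str(record.get(f, "")) == v for f, v in exclude)
        and all(k.lower() in data for k in keywords)
    )


def search(index, query):
    """Return the IPs of all records matching the query."""
    return [r["ip"] for r in index if matches(r, query)]


if __name__ == "__main__":
    for q in ("nginx port:80", "nginx port:80 -city:Tacoma", "port:80 -city:Seattle"):
        print(f"{q!r:32} -> {search(DEVICES, q)}")
```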
Locating Devices
Let’s say we want to find HuskyFridge, Husky Speaker, and Husky Lock on Nidan
● What are the IP addresses of the devices?
● Why can we only see 1 device on Nidan?
[Diagram: Local Network / Public Network]
Answer: We can only see one device because Network Address Translation hides the rest from the public internet
Local Networks and NATs
● To conserve IP addresses, each home network (router) is assigned 1 IP address, rather than one for each device on the network
○ Only 2^32 addresses in IPv4
● NAT allows each home router to assign devices IPs from an internal address space (192.168.x.x)
○ Internal, so it won’t conflict with other home networks
● Port forwarding
○ If you run a home server that other devices can talk to, you can map the public IP and a port to an internal IP and port
○ Devices without port forwarding can’t be contacted externally
External IP:Port 25.44.179.7:5000
Internal IP:Port 192.168.0.3:1234
[Diagram: Local Network with devices 192.168.0.3, 192.168.0.4, 192.168.0.5; Public Network]
Strategy: Lateral Movement
0. Compromise a device on a network
1. Reconnaissance
○ Look for other devices on the network and their internal addresses/ports
2. Privilege Escalation
○ Look for credentials that can be used to gain access to the other devices or elevate the current privileges
3. Gaining Access
○ Compromise another device, then rinse and repeat until you achieve your goal
[Diagram: Local Network with devices 192.168.0.3, 192.168.0.4, 192.168.0.5; Public Network]
SOCKS Proxy Setup: Terminal
The target devices are only accessible on UW’s network, so we need to proxy through attu.
Run: ssh -N -D <port> <csenetid>@attu.cs.washington.edu
● Windows users: this should work in PowerShell. If not, follow the instructions for PuTTY in the spec.
● Select a port that isn’t in use. 1000 and above should work.
● If you see an error like this, then try a different port like 12345
curl for PowerShell users
On your version of PowerShell, curl might be an alias for Invoke-WebRequest, which works slightly differently.
Alternative options:
● ssh into attu and issue your command from there
○ Do not include the proxy option, because you don’t need it
● Use PuTTY and the terminal that it spawns
● Install curl for Windows: curl.se