
IoT HACKING - 101

Arun Magesh (@marunmagesh)
Mounish Periasamy

© Attify, Inc.| www.offensiveiotexploitation.com | secure@attify.com


Goal of the course
• Learn more about IoT security and internals
• Understand tools and techniques to exploit IoT devices
• Get skills to perform:
  • Embedded reverse engineering
  • Firmware and binary analysis
  • Conventional attack vectors
• Comprises both demos and hands-on exercises
Working in groups

• We will be working in groups for most of the lab exercises
• Get to know your partner well
• You are highly encouraged to exchange ideas during class and come up with a solution for the challenges


What are we going to cover

• Understanding IoT devices from a pentester's perspective
• Firmware reverse engineering
• Firmware-based exploitation
• Hacking a smart switch
• A few demos (if we have time)


Thought Exercise

Imagine you have a refrigerator connected to the Internet. It tells you when you are low on food and sends you pictures nightly.
• What kinds of data are being collected?
• Where does your data travel?
• How many different organizations could see your data?


Thought Exercise – 2

• What are some security and privacy risks to you as a user?



What is IoT
• Internet of Things or Smart Devices
• Physical objects interacting with the outside world
• Used for ease to the user, and for automation, monitoring, and data collection purposes
• Thermostats, Smart plugs, TVs, ICS, Cars, Refrigerator, Kettles, Egg trays, Toys etc.


Offensive IoT Exploitation
Current State of IoT security



IoT platforms
• AWS IoT
• ARM mbed
• Ioteclipse.org
• IBM Bluemix, etc.
• Whatever the platform, the vulnerabilities are quite similar and the pentesting approach does not change


IoT Landscape



Why IoT security?

• Everything is getting “connected”
• New “smart” devices come up every month
• Adoption by both the consumer and enterprise segments
• Not a lot of research done compared to traditional security domains


Isn’t IoT secure already? Sure!



Isn’t IoT already secure?

http://thehackernews.com/2016/09/ddos-attack-iot.html
Current state of IoT security



IoT model (IBM) - what can be attacked?

• Radio communication
• Web and infrastructure
• Hardware
• Device or mobile apps
Present day Smart Home

http://auxtek.com/smart-home/
Previous IoT vulnerabilities
*All the vulnerabilities mentioned have now been patched by the vendor



Google Nest



Google Nest

• Firmware download happens over HTTP
• Not encrypted
• Log files leak PII
• Could MITM the download and push malicious firmware to run on the device
• Communication over Zigbee (now Thread)


Philips Hue



Philips Hue
• Consists of a smart hub + individual lightbulbs
• Control it over Wi-Fi using the mobile application
• Hub to device communication over Wi-Fi
• Hub to bulb communication over Zigbee
• Can take over a lightbulb & cause a permanent blackout (http://www.dhanjani.com/docs/Hacking%20Lighbulbs%20Hue%20Dhanjani%202013.pdf)


Baby Monitors

Source : http://arstechnica.com/security/2015/09/9-baby-monitors-wide-open-to-hacks-that-expose-users-most-private-moments/
Belkin Wemo



Belkin Wemo

• Issues with firmware download
• Bootloader accessible for a few seconds in recovery
• Make it persistent and kill the process
• Root.


Lifx smart bulb
• Uses AES encryption
• After dumping the firmware, it could be analysed using IDA Pro
• AES key revealed
• Problems in Hub <==> server and mobile app <==> hub communication
• Identified by Context


Fisher price smart toy

Source : https://community.rapid7.com/community/infosec/blog/2016/02/02/security-vulnerabilities-within-fisher-price-smart-toy-hereo-gps-platform
Case Study : Hacking a rifle
• Research done by Runa A. Sandvik and Michael Auger, presented at Black Hat 2015
• Rifle powered by Linux
• Had an HTTP server running
• Mobile applications
• Serial gives U-Boot with a password
• Able to get root and admin APIs
Hacking Refrigerators



Hacking Refrigerators

• Runs on Android 2.3 - really, really outdated
• Can be controlled by a mobile app
• Options to access: Wi-Fi, Radio, USB
• UART access allowed, grants a root shell


Hacking Fitbit



Hacking Fitbit

• Unencrypted Bluetooth traffic – easily sniffed
• Network traffic – sensitive information is only base64 encoded
• Lots of users' personal information unprotected on the servers
• Login over HTTP
• No authentication in the sync protocol




Hacking medical devices
• Pacemakers
  • Barnaby Jack
  • Could hijack and control pacemakers wirelessly
  • Potentially kill a person
• Insulin pumps
  • Jay Radcliffe
  • Full meal insulin delivery control
Mapping attack surface and previous
vulnerabilities



Mapping attack surface for IoT devices

• Looking at the overall architecture
• Understanding the different components involved
• Figuring out what could go wrong with each component
• Planning the threat vectors




Attack surface in IoT devices
• What could possibly go wrong in the entire device architecture
• Can be divided into 4 categories:
  • Device security vulnerabilities
  • Firmware-based vulnerabilities
  • Mobile, Web and Network security issues
  • Radio communication based vulnerabilities
Security in IoT devices

• What has your experience been with IoT devices?
• Fail open / fail closed for security devices?
• How do you analyse the security of an IoT device?
• How can an IoT attack happen in a real-life scenario?


IoT verticals
• Smart Homes, smart personal security systems, smart meters
• Autonomous Vehicles and Robots
• Critical Infrastructure, Smart cities, Connected public safety systems, Pipelines, Refinery, Oil and Gas pumps, Connected transportation
• Medical Devices, Health monitoring devices, Hospitals, Virtual patient observations
• Wearables, Necklaces, Beauty products, Lingerie
• Retail / Shopping
• Etc.
@internetofshit



Setting up IoT pentest lab



IoT pentest lab

• Setting up a lab for IoT is different from setting up a lab for a “traditional pentest”
• You need hardware along with the software
• Need to focus on different components - firmware, hardware, mobile, web and radio


OIE Lab Manual



Setting up an IoT pentest lab

• Built our own custom distro - AttifyOS
• Tools installed in /home/oit/tools with labs in /home/oit/lab
• Runs best with VMware Player/Fusion


Additional note

• In order to extract the VM, use 7-Zip or any other similar software on Windows


Tools included
• Software/Firmware/Conventional analysis:
  • binwalk
  • firmware analysis toolkit
  • firmware mod kit
  • IDA
  • hopper
  • gdb
  • qemu
  • radare
  • Burp Suite
  • nmap
  • apktool
  • dex2jar
  • jadx etc.


Flow of the class

• Introduction
• Firmware analysis
• Conventional attack vectors



Let’s get started!

• Launch AttifyOS
• Please check if internet connection is working properly inside VM
• Ability to copy files between VM and host



IoT Pentest methodology



IoT Pentesting methodology

• Just a summary of all the things that we need to do in an IoT pentest
• Based on our experience
• Also a quick idea of what we will be doing in the 2-day course


Conducting an IoT pentest
• Get the device if you can – there is very little you can do with just the firmware and not the complete solution.
• If possible, get 2 devices
• Reconnaissance
  • Obtain more information about the target device before even opening the device.
  • Look at the FCC ID and search the FCC database to find the internal pictures, datasheets and other confidential information
  • Browse through support pages, community forums, xda-developers, IRC channels etc.
  • Get datasheets, information about previously discovered vulnerabilities, security updates, job postings for identifying the technology being used, similar looking devices on Alibaba etc.


Conducting an IoT pentest – 2
• Hardware Teardown
  • Crack open the casing. Follow copper. Remove hardware protections if any.
  • Identifying Buses and Interfaces – get a cheap microscope
  • UART serial interfacing
  • Dumping memory over I2C and SPI
  • Connect and debug over JTAG
  • See if you can dump the entire firmware
  • If required, remove the EEPROM and then analyse it


Conducting an IoT pentest - 3
• Analyse the mobile and web components
  • Reverse the mobile application to reveal sensitive information - API keys, sensitive URLs, communication mechanism etc.
  • Look for vulnerabilities in the web interface – classic web app pentesting
• Network
  • Scan the device over the network
  • What ports are open? Services running? Any public exploits available?
  • Any custom services – fuzz testing


Conducting an IoT pentest - 4
• Firmware analysis
  • Extract the file system from the firmware
  • Identify if any encryption is being used
  • Sensitive info – API keys, sensitive URLs, hardcoded credentials, outdated components etc.
  • Emulating and debugging firmware binaries
  • Checksum and integrity verification
  • Vulnerabilities such as command injection, stack overflows, etc.
Conducting an IoT pentest - 5

• Radio communication
  • Identify which communication protocols are in use
  • Protocol version and implementation based issues
  • Sniff, replay, MITM and fuzz
  • Might need to invest $$$ in getting the correct devices


Firmware



Firmware

• Combination of all code running on the device
• Present in almost all embedded devices
• How is getting access to the firmware useful for a pentester?


Usage of firmware for pentesters

• Find hidden secrets - backdoors, passwords, API keys, private certificates
• Vulnerabilities in individual binaries
• Emulate firmware binaries or the firmware itself
• By a competitor to understand and prepare a similar device
• Creation of a malicious firmware image


How to obtain the firmware?

• Vendor website, support and community forums or Google search
• Dumping it from the device’s flash chip
• Sniffing the OTA update mechanism
• Reversing the mobile application or similar software reversing


Downloading from vendor’s website

© Attify, Inc.| www.offensiveiotexploitation.com | secure@attify.com


Downloading from vendor’s website

© Attify, Inc.| www.offensiveiotexploitation.com | secure@attify.com


Downloading from vendor’s website

© Attify, Inc.| www.offensiveiotexploitation.com | secure@attify.com


Firmware vulnerability analysis
• Extract the firmware and look for specific component related security issues
• Config files and hardcoded secrets
• Use qemu to emulate firmware binaries and the firmware
• Attach it to a debugger and analyse
• Reverse patches and diff two different versions of a firmware


Analysing Firmware binaries

• Firmware binaries could have different extensions such as .bin/.img/.pkg or even come in a .zip package
• Run strings and hexdump on it
• What does a firmware actually contain?
• How do you identify the offset of a particular component in the firmware?


Inside a firmware

• Bootloader
• Kernel
• File system
• other resources



File system types

• SquashFS
• CramFS
• JFFS2
• YAFFS2
• ext2



Common compressions

• LZMA
• Gzip
• Zip
• Zlib
• ARJ



SquashFS

• One of the most common file system types in embedded devices
• Could use utilities like unsquashfs and the modified version of unsquashfs (with lzma decompression)
• Key thing is to identify the offset where the file system starts in the binary file


Extracting file system from firmware
• Find where the SquashFS header is located in the firmware
• Use dd to dump the contents to a new bin file containing only the file system
• Use unsquashfs from the FMK package to extract the SquashFS file system
• You will now be able to see the file system
• Try it out on Dlink_firmware.bin
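The "Analysing Firmware binaries" slide asks how to find the offset of a component, and the slide above says to locate the SquashFS header and carve it with dd. The Python below is an added worked example (not course material, not part of AttifyOS, binwalk or FMK) that does both by hand: it scans for the SquashFS magic, sanity-checks the header so a stray "hsqs" string inside kernel text is not mistaken for a file system, decodes the fields that tell you which decompressor unsquashfs will need, and carves the region exactly as the dd step would. The firmware blob, its layout and every value in it are constructed for the demonstration.

```python
import struct
from typing import Dict, List

SQUASHFS_MAGIC = b"hsqs"            # "sqsh" as it is stored little-endian on disk
SUPERBLOCK_FMT = "<4s4I6H2Q"        # first 48 bytes of a SquashFS 4.x superblock
SUPERBLOCK_LEN = struct.calcsize(SUPERBLOCK_FMT)
COMPRESSORS = {1: "gzip", 2: "lzma", 3: "lzo", 4: "xz", 5: "lz4", 6: "zstd"}


def parse_superblock(blob: bytes, offset: int) -> Dict[str, object]:
    """Decode the fixed-size leading fields of a SquashFS superblock at `offset`."""
    (magic, inode_count, mod_time, block_size, frag_count,
     comp_id, block_log, flags, id_count, ver_major, ver_minor,
     root_inode, bytes_used) = struct.unpack_from(SUPERBLOCK_FMT, blob, offset)
    return {
        "magic": magic, "inode_count": inode_count, "mod_time": mod_time,
        "block_size": block_size, "frag_count": frag_count,
        "compression": COMPRESSORS.get(comp_id, "unknown(%d)" % comp_id),
        "block_log": block_log, "flags": flags, "id_count": id_count,
        "version": "%d.%d" % (ver_major, ver_minor),
        "root_inode": root_inode, "bytes_used": bytes_used,
    }


def looks_sane(sb: Dict[str, object], blob_len: int, offset: int) -> bool:
    """Reject 'hsqs' strings that are not really a superblock (e.g. text in a kernel)."""
    return bool(sb["magic"] == SQUASHFS_MAGIC
                and str(sb["version"]).startswith("4.")
                and 1 << int(sb["block_log"]) == sb["block_size"]
                and 4096 <= int(sb["block_size"]) <= 1 << 20
                and SUPERBLOCK_LEN <= int(sb["bytes_used"]) <= blob_len - offset)


def find_squashfs(blob: bytes) -> List[int]:
    """Offsets of every plausible SquashFS superblock (the binwalk signature step, by hand)."""
    hits = []
    pos = blob.find(SQUASHFS_MAGIC)
    while pos != -1:
        if pos + SUPERBLOCK_LEN <= len(blob) and looks_sane(parse_superblock(blob, pos), len(blob), pos):
            hits.append(pos)
        pos = blob.find(SQUASHFS_MAGIC, pos + 1)
    return hits


def carve(blob: bytes, offset: int) -> bytes:
    """Same bytes as `dd if=fw.bin of=fs.bin bs=1 skip=<offset> count=<bytes_used>`."""
    sb = parse_superblock(blob, offset)
    return blob[offset: offset + int(sb["bytes_used"])]


def build_sample_firmware() -> bytes:
    """Constructed stand-in for a vendor image: bootloader, kernel blob, then SquashFS."""
    bootloader = b"U-Boot 1.1.4 (constructed)\x00" + b"\xff" * 0x200
    # Decoy: the magic also appears inside kernel strings, so magic alone is not proof.
    kernel = b"\x7fELF" + b"\x00" * 0x100 + b"version hsqs-dbg" + b"\x00" * 0x80
    payload = b"\x01" * 3000                        # stands in for compressed tables/data
    superblock = struct.pack(
        SUPERBLOCK_FMT, SQUASHFS_MAGIC,
        42, 1_500_000_000, 131072, 3,               # inodes, mtime, block size, fragments
        4, 17, 0x00C0, 1, 4, 0,                     # xz, log2(131072), flags, ids, v4.0
        0, SUPERBLOCK_LEN + len(payload))           # root inode ref, bytes_used
    return bootloader + kernel + superblock + payload + b"\xff" * 0x400


if __name__ == "__main__":
    fw = build_sample_firmware()
    for off in find_squashfs(fw):
        sb = parse_superblock(fw, off)
        print("SquashFS v%s at 0x%X: %s compression, %d bytes used"
              % (sb["version"], off, sb["compression"], sb["bytes_used"]))
        # write carve(fw, off) to a file and hand it to unsquashfs
```

The compression id is the detail to read before reaching for a tool: stock unsquashfs handles gzip and xz, while lzma images are the case the slide's "modified unsquashfs" exists for. Real images usually pad the file system out to an erase-block boundary, so the carved length may be shorter than the region binwalk reports; unsquashfs only needs `bytes_used`.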


Firmware extraction with Binwalk



Firmware extraction with Binwalk

• Tool written by Craig Heffner (@devttys0)
• Extracts file systems from firmware, performs decompression, performs entropy analysis and diffs different firmware images
• Use Binwalk to extract the file system from the TP-Link MR3020 firmware


Binwalk

• binwalk firmware-name
• binwalk -e firmware-name
• binwalk -E firmware-name
• binwalk -W first_file second_file



Entropy analysis using Binwalk

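`binwalk -E` plots Shannon entropy per block of the image. As an added example (not course material and not binwalk's code), the Python below computes that same curve and merges neighbouring blocks into labelled regions, which is the judgement you make by eye on the plot: near 8 bits per byte means compressed or encrypted data, near 0 means padding or erased flash, and the band in between is code, text and tables. The sample image, the 1024-byte block size and the 7.5 / 2.0 thresholds are constructed and assumed for the demonstration.

```python
import math
import random
from collections import Counter
from typing import List, Tuple

HIGH = 7.5   # bits/byte: compressed or encrypted data lives here
LOW = 2.0    # bits/byte: padding, sparse tables, erased flash


def shannon_entropy(chunk: bytes) -> float:
    """Entropy in bits per byte, 0.0 (one repeated value) to 8.0 (uniform)."""
    if not chunk:
        return 0.0
    n = len(chunk)
    return -sum((c / n) * math.log2(c / n) for c in Counter(chunk).values())


def entropy_profile(blob: bytes, block: int = 1024) -> List[Tuple[int, float]]:
    """(offset, entropy) per block: the curve binwalk -E draws."""
    return [(off, shannon_entropy(blob[off:off + block])) for off in range(0, len(blob), block)]


def label(entropy: float) -> str:
    if entropy >= HIGH:
        return "high (compressed/encrypted)"
    if entropy <= LOW:
        return "low (padding/sparse)"
    return "mid (code/text/tables)"


def classify_regions(blob: bytes, block: int = 1024) -> List[Tuple[int, int, str]]:
    """Merge adjacent blocks with the same label into (start, end, label) regions."""
    regions: List[Tuple[int, int, str]] = []
    for off, ent in entropy_profile(blob, block):
        lbl = label(ent)
        end = min(off + block, len(blob))
        if regions and regions[-1][2] == lbl:
            regions[-1] = (regions[-1][0], end, lbl)
        else:
            regions.append((off, end, lbl))
    return regions


def build_sample_image() -> bytes:
    """Constructed image: 4 KiB of padding, 8 KiB of config text, 8 KiB of random data."""
    padding = b"\x00" * 4096
    text = (b"admin=1 telnetd=on /etc/init.d/rcS " * 400)[:8192]
    rng = random.Random(1)            # deterministic stand-in for compressed data
    return padding + text + rng.randbytes(8192)


if __name__ == "__main__":
    for start, end, lbl in classify_regions(build_sample_image()):
        print("0x%06X-0x%06X  %s" % (start, end, lbl))
```

Two readings matter for the slides that follow. An image that sits at the high label from end to end, with no dips for headers or tables, is usually encrypted rather than merely compressed, and a whole-image plateau well below 8 bits (for example a flat 5 or 6) is the signature of a short repeating XOR key rather than real encryption, because XOR does not change the byte distribution of the underlying data, only permutes it.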


Firmware exercises

• Dlink firmware located in the labs folder
• Extract the Dlink firmware using binwalk
• Find the telnet credentials from the firmware
• Additional firmware labs


Firmware binary emulation



Why to do emulation?

• To understand more about the individual binaries
• Analyze their functionality
• Attach a debugger to interact with it even further


Emulating firmware binaries

• Enter Qemu!
• Identify what architecture is the binary meant for
• Find the corresponding qemu binary
• Use chroot to change the root directory for the binary when it runs
• Qemu + chroot



Emulating firmware binaries

• Try to emulate busybox from WNAP320 firmware



Emulating a complete firmware

• Can you emulate an IoT device without the hardware?
• Need to find the hard disk image with the correct kernel and init
• Need to fix up NVRAM issues (configurations which depend on physical hardware) and other library issues
• And then finally run it in a Qemu instance


LD_PRELOAD

http://man7.org/linux/man-pages/man8/ld.so.8.html
NVRAM faker



Emulating a firmware with Firmadyne



Clearing previous data of Firmadyne

• sudo sh ./reset.sh



Emulating firmware using Firmadyne

• sudo python fat.py



Emulating a firmware

• Why emulate a complete firmware?
• Emulating using FAT
• Bring the device to the network as a real physical device
• Run additional scanning tools and scripts to identify more vulnerabilities


Backdooring a firmware



Backdooring a firmware - steps

• Goal is to backdoor the firmware to give us backdoor shell access
• Ensure that we are able to emulate the firmware using FAT
• Extract the firmware using FMK
• Add a script to have the firmware give you a shell as soon as it boots up
• Build the new firmware and run it in emulation


Emulating a firmware

• Just like we did earlier
• ./fat.py
• Enter the firmware name and brand
• Get the IP address
• Navigate to that IP in your browser


Firmware-mod-kit

• Useful for modifying firmware images
• Need to modify shared-ng.inc to put the correct path of binwalk in order for it to function properly
• extract-firmware.sh and build-firmware.sh
• What would you do if you could modify a firmware?


Backdooring a firmware

• Will add a netcat listener to the Dlink firmware
• Requirements:
  • #1: Should automatically start at boot up
  • #2: Need to write and compile code for the MIPS architecture


Making malicious code start at system boot

• Find scripts which get executed when the device starts
• Should focus on scripts which run as root
• /etc/init.d is a good place to start looking
• Scripts which start other services such as ssh or telnet
Writing and compiling code for MIPS
• Can write a simple C backdoor and compile using GCC for MIPS
• Backdoor source already in your VM (originally from https://gist.github.com/OsandaMalith/a3b213b5e7582cf9aac3 )
• Cross compile it for the MIPS platform
• Let’s go ahead and put it at the location determined in the previous step
Running the backdoored firmware

• Once done, go to the fmk root directory
• ./build-firmware.sh folder-name/ -nopad -min
• Even though it gives an error message at the end, the firmware is built
• Emulate the new firmware using FAT
• nc firmware-ip 9999


Debugging emulated binaries
• Qemu can be launched with the -g parameter to launch with GDB debugging
• -e might also be needed to set environment variables
• Launch gdb for that architecture in another terminal / host
• Set the remote target to the IP address and port
• Now you can debug binaries running emulated and using gdb
Encrypted firmware

• Firmware might be encrypted using XOR or AES etc.
• Need to figure out the key in order to decrypt it
• XOR – how to identify and analyse
• We have an encrypted firmware in the lab folder


Hands-on Encrypted firmware

• Step 1: Do a hexdump and see strings which are often repetitive
• Step 2: Use xordecrypt.py to create a decrypted binary from the firmware image
• Step 3: Run binwalk and confirm that the firmware has been decrypted
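The three steps above automate well, and the Python below is an added example of doing so (it is not the lab's xordecrypt.py and assumes nothing about the lab image). It rests on the same observation as Step 1: wherever the plaintext is padding (0x00, or 0xFF in erased flash), the ciphertext is the key itself, so the hexdump repeats with the key's period. The code estimates that period from how often bytes coincide at a given shift, takes the most common byte at each key position as padding XOR key, and then applies Step 3 in miniature by looking for a known header (ELF, SquashFS, gzip, UBI) in the result before trusting it. The sample image and the 10-byte key are constructed for the demonstration.

```python
import random
from collections import Counter
from typing import Optional, Tuple

# Signatures that should surface once the image is decrypted (ELF, SquashFS, gzip, UBI).
KNOWN_MAGICS = [b"\x7fELF", b"hsqs", b"\x1f\x8b\x08", b"UBI#"]


def coincidence_rate(data: bytes, shift: int) -> float:
    """Fraction of positions where data[i] == data[i + shift]."""
    n = len(data) - shift
    return sum(1 for i in range(n) if data[i] == data[i + shift]) / n


def guess_key_length(data: bytes, max_len: int = 32) -> int:
    """Padding XORed with a repeating key repeats with the key's period, so the
    coincidence rate peaks at the key length and at its multiples."""
    rates = {n: coincidence_rate(data, n) for n in range(1, max_len + 1)}
    best = max(rates.values())
    return min(n for n, r in rates.items() if r >= 0.9 * best)


def recover_key(data: bytes, key_len: int, pad_byte: int = 0x00) -> bytes:
    """Assume the most common byte at each key position is pad_byte XOR key."""
    return bytes(Counter(data[j::key_len]).most_common(1)[0][0] ^ pad_byte
                 for j in range(key_len))


def xor_bytes(data: bytes, key: bytes) -> bytes:
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def detect_magic(data: bytes) -> Optional[bytes]:
    for magic in KNOWN_MAGICS:
        if magic in data:
            return magic
    return None


def decrypt_xor_firmware(data: bytes) -> Tuple[bytes, bytes, Optional[bytes]]:
    """Return (key, plaintext, magic found). Tries zero padding, then 0xFF padding."""
    key_len = guess_key_length(data)
    for pad in (0x00, 0xFF):
        key = recover_key(data, key_len, pad)
        plain = xor_bytes(data, key)
        magic = detect_magic(plain)
        if magic is not None:
            return key, plain, magic
    key = recover_key(data, key_len)          # no confirmation: return the zero-pad guess
    return key, xor_bytes(data, key), None


def build_sample_image() -> Tuple[bytes, bytes]:
    """Constructed 'firmware': an ELF header, some data, a long zero-padded gap and a
    SquashFS magic, XORed with a constructed 10-byte key (not from any real device)."""
    rng = random.Random(2016)
    plain = b"\x7fELF" + rng.randbytes(600) + b"\x00" * 4000 + b"hsqs" + rng.randbytes(300)
    key = b"xorkey2016"
    return xor_bytes(plain, key), key


if __name__ == "__main__":
    cipher, _ = build_sample_image()
    key, plain, magic = decrypt_xor_firmware(cipher)
    print("key length %d, key %r, confirmed by %r" % (len(key), key, magic))
    # write `plain` to a file and run binwalk on it, as in Step 3
```

If no magic appears with either padding assumption, the "key" found is still the most common ciphertext pattern, which is exactly what the repetitive strings in the hexdump were; at that point compare it against the entropy profile (a short XOR key leaves a flat, mid-level curve) before concluding the image uses something stronger than XOR.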


Firmware security protections



Web Application vulnerabilities



Web Application security

• IoT devices often have a web interface
• Manage and control the devices
• Often has different user levels which could lead to authorisation flaws
• Vulnerable to typical web application security flaws


What kind of vulnerabilities exist
• Command Injection
• CSRF
• XSS
• SQLi
• Information disclosure through error messages
• Others – XXE, SSRF, LFI, RFI, Serialization bugs, etc.
Vulnerabilities in IoT devices
• Insufficient authorization and authentication checks
• Privacy issues
• Lack of secure communication channel
• Denial of service attacks
• Brute-force of username and password based attacks
• Business logic flaws
Recent vulnerabilities discovered

Source : https://www.rapid7.com/docs/Hacking-IoT-A-Case-Study-on-Baby-Monitor-Exposures-and-Vulnerabilities.pdf
Getting started with Web app security

• Tools to use for pentesting web applications:
  • Proxy tool – BurpSuite, MITMProxy, Charles etc.
  • Browser features - Chrome Developer tools, Firebug etc.
  • Security Scanners – w3af, nikto, arachni, OWASP Zap etc.
  • Individual tools for various vulnerabilities


Getting started with Web app security

• We won’t cover web application security in depth in this course
• Tons of material for that is available online
• Apply the same skillsets while pentesting the web interface of an IoT device


Additional communication protocols
• MQTT:
  • Publish/subscribe
  • Message broker
  • Only meant for remote communications
• CoAP:
  • By default UDP, enabling it to run on low resources
  • Can interact with additional protocols
  • Useful for both local and remote communications
Getting started with Burp



BurpSuite 101
• Most popular proxy tool among security professionals
• Easy to use
• Contains a number of tools including proxy, intruder, repeater, decoder and additional plugins
• Can write additional scripts/extensions for Burp and use them
• Alternatives – MITMproxy, Fiddler, Charles etc.


Setting up BurpSuite for our lab

• Set the browser’s proxy to 127.0.0.1 and port 8080
• Make sure you intercept both request and response
• Launch Burp
• Start listening on port 8080


Getting started with BurpSuite

• Once you have the traffic intercepted, you can modify it and then send it to the web application
• Ability to modify both request and response
• Repeater functionality


Exploiting Command Injection



Command Injection
• One of the really useful bugs
• Statement is wrapped in a command. For example – passthru() or exec()
• Application takes the user input and executes it
• Emulate the Netgear WNAP320 firmware and exploit boardDataWW.php for command injection
• Blind command injection - http://firmware.re/vulns/acsa-2015-001.php


Identifying command injection

• We already have the firmware image
• Run binwalk on the image to extract the file system
• Analyse the PHP files and see how the input is being handled
• Can we execute malicious commands?
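"See how the input is being handled" is the whole review. The Python below is an added example, not the WNAP320's PHP and not course material, showing the two shapes you are telling apart: the vulnerable builder splices a request parameter into one shell command string (the form exec() or passthru() with string concatenation takes in PHP), while the hardened builder validates the value positively and hands it to the program as a single argv element with no shell in between. A small metacharacter check is included for the detection side (request logs, proxy history). The wrapped feature (a diagnostic ping of a user-supplied host) is assumed for the demonstration.

```python
import ipaddress
import re
import subprocess
from typing import List

HOSTNAME_RE = re.compile(
    r"[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
    r"(\.[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*")
SHELL_META = set(";|&`$()<>\n\r{}")


def build_ping_command_vulnerable(host: str) -> str:
    """'Before': the parameter is spliced into a shell command string, the way
    exec("ping -c 1 " . $_GET['host']) would be in PHP. Run through a shell, every
    metacharacter in `host` is interpreted, so the input decides what executes."""
    return "ping -c 1 " + host


def looks_like_injection(value: str) -> bool:
    """Detection-side heuristic for reviewing request parameters in logs."""
    return any(ch in SHELL_META for ch in value)


def validate_host(host: str) -> str:
    """Positive validation: accept an IP literal or a plain DNS name, nothing else."""
    try:
        return str(ipaddress.ip_address(host))
    except ValueError:
        pass
    if len(host) <= 253 and HOSTNAME_RE.fullmatch(host):
        return host
    raise ValueError("rejected host argument: %r" % host)


def is_accepted(host: str) -> bool:
    try:
        validate_host(host)
        return True
    except ValueError:
        return False


def build_ping_command_hardened(host: str) -> List[str]:
    """'After': the validated value travels as one argv element; no shell is involved."""
    return ["ping", "-c", "1", validate_host(host)]


def run_ping(host: str, timeout: float = 5.0) -> str:
    """Execute the hardened form (shell=False). Not exercised by the self-test."""
    result = subprocess.run(build_ping_command_hardened(host), capture_output=True,
                            text=True, timeout=timeout, check=False)
    return result.stdout


if __name__ == "__main__":
    sample = "127.0.0.1; id"                       # constructed request parameter
    print("vulnerable builds:", build_ping_command_vulnerable(sample))
    print("flagged:", looks_like_injection(sample))
    print("hardened accepts:", is_accepted(sample))
```

When reviewing PHP in an extracted file system, the same questions apply: is the value reaching exec()/passthru()/system()/backticks built by concatenation, is there any allow-list on it, and would escapeshellarg() alone be enough (it quotes the argument but does not stop a value like `-f` from being read as an option, which is why the positive validation above also rejects leading hyphens).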


Command Injection

Successful command injection


Exploiting command injection

• Adding our previous backdoor to the device
• Does the wget binary exist on the device?
• How can we transfer the binary and execute it?


Analysing a Smart plug



Smart Plugs

• One of the most popular IoT devices in the market
• Helps a user control the on/off of a device using a smartphone application
• How exactly can you exploit these kinds of devices?


Kankun smart plug

(http://www.amazon.in/Smartphone-control-electrical-Wireless-Android/dp/B00N8N5NNK )
Analysing Kankun mobile app

• Kkeps is the firmware of the Kankun smart plug
• The smart plug comes with a mobile application - smartwifi.apk
• Let’s reverse the mobile app and see if we can find the firmware download URL
• jadx smartwifi.apk


Analysing Kankun mobile app

Calling the Native method encode using JNI



Additional things you can do with mobile app

• Look for common mobile app related vulnerabilities
• Vulns which can help you gain access to other user accounts or access to sensitive data
• Sensitive URLs, API keys, native libraries for analysis
• How does the mobile app communicate with the device and server? – possible to craft malicious requests




Password cracking with firmware
• Once we have the file system from the firmware extracted, we have access to all of the files
• Use the passwd and shadow files to crack the password
• John the Ripper
• Note: this might take a while to perform in real life. We already know the password because of http://www.anites.com/2015/01/hacking-kankun-smart-wifi-plug.html


Password cracking with firmware

• john --wordlist=password.list to_crack


Conventional Attack techniques



Conventional attack techniques
• How do you start attacking a Linux box?
• Nmap?
• Scan the device for various services
• See versions of services running
• Vulnerable to any public vulnerability?
• Brute forcing
Network based exploitation
• Get connected to the Wi-Fi network to which the device is connected
• Put the VM in bridged mode
• Find out the device’s IP and MAC address
• Run arp -a from the VM connected in bridged mode
• Scan all the ports
• Attack the device
Scanning for a device

• There are a bunch of smart plugs connected in the room
• Choose whichever is closest to you
• SSIDs are marked on the device
• Connect your VM in bridged mode
• Identify the IP address with arp -a


Nmap 101
• Most popular port scanner
• Can be used along with additional scripts
• Scan for both TCP and UDP ports
• nmap ip-address
• nmap -sV ip-address
• nmap -sU -p 1-65535 ip-address
• nmap -A -Pn -T4 ip-address
SSH password brute force

• Did you find any ports open?
• SSH maybe?
• Brute force the password
• Use the password.list in your labs/additional/ folder


SSH password brute force
• medusa -h ip -u user -P password-file -M module -F
• hydra -l user -P password-file service://ip:port
• Once you have cracked the SSH password, log in.
• Let’s do further exploitation
Smart Plug – Reversing encryption



Analysing smartwifi.apk mobile app

• Once we have decompiled the app, look for interesting components
• How does the app communicate with the device?
• Is it using any encryption or encoding?


Reversing encryption
• We can use tools such as IDA Pro/Radare/Objdump
• Various smart plug encryptions have been broken in the past
• Kankun: https://packetstormsecurity.com/files/132210/ by Payatu
• TP-Link smart plug: https://www.softscheck.com/en/reverse-engineering-tp-link-hs110/ by Lubomir Stroetmann
• Lots of other vulnerabilities in Smart Plugs such as the Dlink Smart plug (http://www.devttys0.com/2014/05/hacking-the-d-link-dsp-w215-smart-plug/)
Analysing kkeps firmware

• Let’s run binwalk on the firmware and extract the file system
• Are there any interesting binaries which we could use for analysis?
• What additional information can we extract from the firmware file system or the mobile application?
• Let’s open up IDA Pro and analyse this ARM library


Analysing Kankun native binaries



Analysing native libraries
• libNDK_03.so is the native ARM library present
• Need to understand ARM instructions in order to completely understand it (later videos in the Offensive IoT Exploitation series)
• What does objdump (or IDA) tell us?
• Can we identify the AES password?
• Full disclosure of this vulnerability at PacketStorm


Analysing ARM library


What to do with the password

https://plus.google.com/109112844319840106704
What can we do with the password

• Decrypt packets from the captured communication
• Wireshark => Packet => Copy bytes as hex => Decode hex and decrypt with the AES key (kcrypt.py by Payatu)
• Control the smart plug by sending on and off commands
• Use kkeps_controller.py from https://github.com/0x00string/kankuncontroller


Decrypting network communication



Conclusions

• Hope you enjoyed the class!
• Please fill in the feedback forms.
• Contact: arun@attify.com or mounish@attify.com
• Good luck with exploiting all the IoT devices.