
BSidesPhilly cg04 IoT devices are one of the biggest challenges Charles libertyunix Sgrillo

BSides Philly · 2018 · 37:05 · 34 views · Published 2018-11
About this talk
A penetration tester introduces the Internet of Things attack surface through the OWASP IoT Top 10 framework. The talk covers wireless protocols (Bluetooth Low Energy, Z-Wave, ZigBee), firmware extraction, physical security testing, and mobile app analysis, culminating in practical projects and toolkits costing under $100.
Transcript [en]

All right, morning everybody. My name's Doug Still, I work on a red team for a large financial firm, and I'm here to introduce David Sgrillo. He has an awesome talk planned on the challenges faced when auditing and testing the Internet of Things, which is a hot topic today. He's taken a pen tester's mindset and applied it to the Internet of Things, and he has an awesome giveaway where he's going to teach you how to set up a toolkit for testing and auditing these things for, what, under a hundred? Under a hundred, yeah. So without further ado, let's roll.

Thank you. All right, so good morning, good afternoon. I won't try to keep everyone too long before lunch. So yes, I'm a pen tester and information security consultant, and the premise of this talk is my introduction to, and working through, the IoT space from the pen tester's point of view. Outside of pen testing I'm a professor here at Drexel University; I teach courses in digital forensics, computer forensics, cybersecurity, etc. I'm also a member and one of the leaders of Philadelphia security shelves, so that's a local community here where we do a lot of training and hands-on workshops. We've partnered with Drexel, so a lot of our meetings are here, so if anyone's interested you can find me after the talk. Outside of all the computer work I'm very involved in hockey, part of the Team USA development program for inline hockey, so I coach and have played on the women's national team; I coach and have played on the men's national team. That's a little bit about me.

So what's the agenda for today? We're going to talk about the risk of IoT. We all know that there is a risk, and when taking the pen tester's approach, obviously you're very much looking for either a framework or some sort of baseline to be able to audit these devices, so we're going to take a look at the OWASP Internet of Things Top 10. We're going to define that

as what we call our IoT attack surface: within this Internet of Things, what are all the different ways and avenues that we can get access to these devices? One of the biggest learning curves and challenges as I moved into testing IoT tools was the software-defined radio and the new wireless spectrums that are being used, from ZigBee and Z-Wave, etc. We'll talk about that. We'll talk about IoT and physical security, and then, more importantly, we'll talk about what to put on your machine from a testing perspective: some of the tools that I came across in my research that are new to me, that I'm still learning, but are very useful in the IoT space. And then again, as mentioned, how to get started within this space for under 100 bucks, and then we'll open the floor for Q&A.

So I run a cybersecurity practice; my practice uses the NIST Cybersecurity Framework for most of our audits, so one of the first things I did in venturing into the IoT space was to ask what NIST has to say about it. We know that there's a risk because of the lightweight encryption: because these devices are so small they can only compute to such a strength, and that's where we're at from an encryption standpoint. Where does cybersecurity stand on the physical system? So again, the initial purpose of the NIST Cybersecurity Framework was for our critical infrastructure. One of my biggest concerns, and one of the reasons I started researching this space, is my wife's diabetic. My wife wears an insulin pump, and they mailed us one that was Bluetooth with the smartphone, and we just shipped it back. I know we're not there yet in the IoT space; I'm interested in how we can make these devices more secure. RFID is kind of "what's old is new," so even RFID technologies are being integrated into IoT things; even things like farms and managing cattle are now an Internet of Things issue, because they're putting chips in animals to be able to track them, so what's the security of that? And then again our industrial systems and

the cloud. So that's NIST's perspective of the IoT risk. So what's the OWASP IoT Top 10, what's it considered? Again, very similar to the web application project, it's a checklist of what to look at when you're auditing an IoT device. So what's its web interface? From a web interface perspective, just go reference the OWASP Top 10 web

for open access points and then dump that traffic; I'm going to get whatever you're doing when you're setting up that IoT device. So that's back to someone with a backpack just patrolling the neighborhood, being able to watch anyone in the neighborhood register their IoT devices. And the screenshot is simply it: this was me taking a smart light switch and connecting it to my home network, and again this was a simple JSON request that the outlet was then pushing to the mobile app to allow the mobile app to do that synchronization and bring this smart switch onto my Wi-Fi network. I'm a big privacy advocate, as most people in this room are, so what are these devices collecting, where are they storing it, how are they shipping it out? Those are some of the things you want to look at when testing in the IoT space.

Insecure cloud interfaces. So there was a really interesting talk at DEF CON 24 when I attended, it's called Backdooring the Frontdoor, if anyone's interested in checking it out. What the research showed is that we can take all the requests for these smart devices, especially locks, and they're held server-side, so if we send the unlock command as the admin, the door will open. So intercepting these mobile device communications through tools like a man-in-the-middle proxy, etc., and looking at whether this API is talking purely server-side: you can simply just send whatever command you want if you have

the right information, and get the lock to open. Where's the real risk in that? I see a lot of Airbnb, and I see a lot of people using these devices to allow one person some one-time entry into their home, and not really taking into consideration that that person could come back a month or a year later. Again, they have that unique identifier of the lock, and they're just changing the server-side request from guest to admin, and then they're able to unlock the door. So that's a very interesting talk.

Back to the mobile interface: so more creds in the clear, depending on how this mobile device communicates with the application, and then what's the account lockout? Does the IoT device do any sort of account lockout, or can we just try any sort of password combination until we get in? Insufficient security configurability: what that basically means is, because these devices are so small and meant for mesh networking, etc., they don't store a lot of logs. There's no forensic analysis of what happened within this IoT device if it's the point of compromise. So back to the privacy: what does this device actually store, what information can we use from a monitoring and logging standpoint? Insecure firmware and software: so how does this IoT device upgrade its firmware? Some manufacturers are getting better and can encrypt the firmware on download, but again, if you're in the middle of the application, sometimes it's not even encrypted, it's sent in the clear, and we'll walk through in a small demo what to do with that firmware and how you can start reverse engineering what's actually on this IoT device. And then with direct physical access you can always have compromise, so in the IoT space, kind of my 2018 objective is to get much more involved in the physical IoT implementation, so looking at things like JTAG ports and the USB and being able to actually extract the firmware directly from the hardware is something I'm really interested in learning a lot more about.

So with IoT comes a lot of wireless communication. So one of the

first systems I looked at, and it had very much to do with what I was doing at the time, I was implementing access control systems. So these were systems that used a lot of RFID. So that's a typo, that should be a lot brighter, but RFID low-frequency is going to use between 125 and 135 megahertz; again, this is basically our key fob systems to get into the building. So I looked at this from a cybersecurity perspective, and what we looked at in taking a look at the access control architectures: all the different systems follow a very generic format. There's the door readers in and out, the request for exits, etc. These are our nodes; they ultimately all get wired back to a central TCP/IP device, something that I can actually get Ethernet on, and then the rest of the translation goes to the app front end, usually; sometimes a desktop client. Most of the ones we looked at were web interfaces. So with the web interface, what's the first thing you want to look at? It's the API. The company that we tested actually had a very cool solution: it would actually find all the nodes on the network. So they had a free tool that was meant for the engineers, but in the pen test you can just download the tool, now find the central hub that's going to be doing all this analog-to-TCP/IP translation. What we noticed in discovering this panel, again back to those hard-coded credentials and just a lack of complexity in the IoT space, is the API had a hard-coded command or username and password so you could interact with it. So what can we do with the API that we're going to interact with? We can pull down every card that's in the system, so now we have every user ID from a key fob standpoint and what levels of access they have access to. And the access levels are very interesting, because we have the employee access, all doors, office access, basically, and looking through this dump you're able to then create your own card, because you're

going to want all doors access, always. And the one that got us in the door was the fact that we were able to disable the alarm, so we made our key part of shutting off the alarm system within the access control unit. So when we presented the key at the client site, the door opened, we disabled the alarm, no cops were called, etc., and it was a valid key within the system. If you're familiar with access control, there's something called a door contact, so even if we were to pick the lock, if they had the right alert set up that that door contact opened without an official authentication, there could have been an alert or something that at least alluded to the fact that we were entering the building. From a camera standpoint, we basically were able to just grab the pictures from the cameras in real time, very James Bond-ish, and then again be able to see the front door as we approached it, to make sure that everyone had left the building. Locating cameras: a simple Nmap scan for 554 is going to be a lot of the ports they use in operating, but Shodan is going to be a phenomenal resource, especially where people think that their IP camera systems are hidden; they're basically just under the assumption that because you don't know their IP, you're not going to find them, so they're very easy to locate within Shodan. And that was kind of phase one of my exposure to IoT.

What kind of came out of that was what I call IoT version 2, which was all sensor-network based. So still at that point in my research and study, everything was TCP/IP related, so we were looking at TIs and nodes and everything had an IP address and could be scanned. When you look at things like ZigBee and Z-Wave, though, they kind of lose that touch, so I was very confused when I first started venturing into what are the IoT sensor networks and what are all these smart devices. And again, within IoT the

biggest phrase that I hear is "what's old is new," so I had to go back and actually learn about digital and analog communication. So this is very simply how we're going to send stuff. We're going to talk about capturing with a software-defined radio from system to system, and how we encode that information, in one of three ways. It can be done via the amplitude of the signal, so we can go up or down within the frequency channel; and then also the frequency, so the repetitive nature of that signal; and then again the phase. The phase is the difference between the sine and the cosine, so let's imagine a wireless wave, and then the second time around it doesn't go that low and then comes around, so that's going to be phase. Again, in implementing or executing one of those, you're going to be able to get to the zeros and ones of this signal, and we'll walk through what that looks like from an IoT perspective. One of the interesting things that's kind of missing from the TCP/IP spec, that's very important in the IoT space, is what's called a preamble. So all these devices are always listening, so they're always looking for that beacon or that request. Very small amounts of data are sent between these devices, so they have to set up their communication channels, so there's an initial preamble that says "hey, I'm about to speak," and then there's the acknowledgement, and then there's the actual data that gets passed to the IoT device. From a graphics perspective this is really what we're dealing with: we have the zeros and ones and then modulate it into that signal, then we can demodulate and get back to the zeros and ones. A lot of advancement in testing IoT has gone a long way since the software-defined radio; having the ability to do a lot of this computation computer-side versus hardware-side was a big advancement from a research standpoint. So one thing I just wanted to bring out, and I came across it a bunch of times in my readings, is the difference between analog modulation and

digital. So when you're talking digital modulation, you'll hear things such as shift keying, and then within the analog space it's simply just modulation. So whenever you're talking digital modulation you'll hear things like amplitude, frequency, again, shift keying, excuse me. So within digital modulation, what are the different ways we can send these zeros and ones that we're going to talk about from an IoT perspective? Again, we mentioned amplitude, frequency and phase. I'm going to butcher this, but offset quadrature phase-shift keying; got it that time, that was a tough one this week. That's going to be used in Z-Wave and ZigBee, and again that's a combination of amplitude and phase-shift keying, excuse me. So again, from a visual inspection, because I've been talking a lot, this is what we're talking about when we look at digital data: what's amplitude shift keying, again the frequency, and then the phase changing.

So one of the first protocols I took a look at was Bluetooth Low Energy. It uses frequency hopping across the spectrum; this allows it to operate at various different channels and send data at different channels. It operates again in the 2.4 gigahertz ISM band. If you're familiar with the Ubertooth One, which we'll discuss in a little bit, that's going to be a device that will allow you to capture this traffic and have some analytics on the data. For a reference point, the Ubertooth is not a Bluetooth dongle, so it cannot do Bluetooth functions; it's completely meant for sniffing. You still will need to utilize an onboard Bluetooth card in conjunction with it if you don't have one, depending if it's a Raspberry Pi, etc.; you can have a little extender to get that onboard USB Bluetooth function. When you're advertising in the Bluetooth space to actually get connectivity to a device, you use certain channels, so 37, 38 and 39; that's when you're advertising, looking for that connection. So from a sniffing standpoint, if you're looking for a device that's constantly beaconing, those would be the channels you want to take a look at. Again, in the maroon we have our regular wireless channels, and then everything else is going to be what

the Bluetooth Low Energy spectrum operates on. So what's in this packet, what's actually under the hood of Bluetooth Low Energy? We have what's known as the Logical Link Control and Adaptation Layer Protocol, and basically this is a protocol that hops those channels, and you do that frequency spectrum hopping that was in the previous slide and know what channel what data was sent on, etc. As far as knowing who they're communicating to, we have the access address, so within that information, even though we're hopping on various channels and communicating, that address is ultimately going to be our destination, etc. And then there's the initial payload, and then we have our message integrity check, like most physical layers.

One of the most interesting protocols I came across, because again it's very new, is Z-Wave. So this is used a lot in home automation, so when we look at the Samsung smart home, etc., a lot of these devices are using what's known as Z-Wave protocols. From a physical perspective, in actually sniffing the traffic, it's going to be at 908.42 or 916, so those are going to be the frequencies that you're going to look at when taking a look at Z-Wave. And mesh networking is something that's very important when you look at IoT versus traditional communication; all these devices are meant to be able to fail over and find multiple routes, so, abusing that from a pen tester's viewpoint, can we get these devices to jump off their network and now join mine? So what's that look like? So again, a closer look at Z-Wave, what's actually under the hood: home and source ID. Again, because you're going to be routing through multiple machines in a mesh network, you're going to need your home and source, and then basically, again, if you look at the physical frame, we have the preamble, which we discussed earlier, and then there's a frame control, again to specify that, because we're using very small amounts of data, we have to control how much is in there, and then we actually have our destination ID. So home and source is going to be the first hop,

so source is the device, home is going to be that next hop in the network, and then ultimately our destination is going to be mostly the hub. So if you look at Samsung smart home, all the Z-Wave sensors are meant for your doors and your locks and motion, and then the hub does that TCP-to-Z-Wave translation, where that device can listen on that frequency and then also communicate out to the cloud and talk to your Samsung app that tells you whether or not your smart device is working. Within the application frame of Z-Wave, it's very interesting, we have what's known as the command class, and then the command, and then the parameter. So let's look at the light bulb, for example. The command class could be global config of lights, all right; so that's within the command, what we're actually going to touch: the light. The command itself could be "change the color" (we're looking at, for example, Philips Hue), and then the parameter would be simply what color we're going to change that to. So when analyzing these packets, you change the colors of the lights and now you have a quick way of knowing: right, here's the preamble, here's the sync, here's the data, and I know that data is different because this part of the binary in the actual raw signal that we're capturing must be what's the light switch, or must be the color, etc. And that's part of the reverse engineering that we'll discuss.

Again, I mentioned ZigBee a bunch of times. It's going to operate within the same spectrum as Bluetooth, that 2.4 ISM band. It uses carrier sense multiple access with collision avoidance, and that's very interesting in my research, because a lot of these networks are jammable. If anyone's unfamiliar with that term, basically when you're waiting to talk on the wireless channel, you listen first and you ask the question "is anyone else talking before I jump in and start communicating?" Well, ZigBee uses that; there's been a lot of research on simply just jamming that channel. What does that do from the IoT and the

automation from a security standpoint? If that device can't send the acknowledgment back to the hub that the window's been opened, etc., what does that look like? Again, very low latency; we're not sending a lot of information through this network. And then this is a good visual representation for anyone who's unfamiliar with the difference between star, cluster tree and mesh. Your traditional computer networks are going to be either star or cluster tree, and then mesh is really the uniqueness of IoT, because all these devices are again meant to fail over and they don't communicate through each other, so they're very interesting. So again, within the ZigBee packet, again just like the Z-Wave, same structure format: we're going to have that preamble, we're going to have the sync, the data frame, and then the close of the connection. What's in the data frame? ZigBee can have a little bit more security control, so there is some lightweight encryption with ZigBee. Destination and source, just like within the Z-Wave, is going to be the same concept: we're going to be able to route through devices, so we need to know what's our first hop and ultimately what's our end goal, and then there's actually the data payload, and then the checksum at the end. Another interesting part about the ZigBee protocol is, because we're doing again a mesh network, we're doing device to device, and then throughout the rest of the topology it will share a network key with everyone. So depending on how your IoT device distributes that network key, that could be a vulnerability: is it hard-coded into every ZigBee device, or every version of that device, from a manufacturing standpoint? There's been a lot of research, and that's the case, and so if you capture one of these network keys you can go around and decrypt any of the other clients or home users, etc. And then there's what's known as the link key, so the link key is going to be from me to you, but then we also have a network key to encrypt our communication across the whole ZigBee network. It operates again within the 2.4 ISM band and operates on channels 11 through 26, so 16 channels

total; in Europe it uses a different frequency channel.

So some of the tools of the trade, some of the tools I came across in doing IoT research that again I didn't use as a traditional pen tester. When you look at an IoT device: I started in the camera space, so I could scan the camera, I could use Nikto to enumerate the web, etc., but I didn't know much about some of the other tools. So what was my setup in conducting my research? I went out, and I'm a big proponent of System76; they make Linux-based laptops, a little pricey, but again some great hardware. From an OS standpoint, being a pen tester, I stuck with Kali. So again, for anyone that's unfamiliar, you can get everything that Kali has to offer with that first command. Kali packages all their tools; there's a certain repo for just forensic suites, or just GPU for cracking. If you do the kali-linux-all, you're going to get everything for SDR, everything for the Ubertooth, all your tools kind of within one install. There's then tools that we're going to add to that. One of the first ones that I came across later in my research is called the Universal Radio Hacker. So in first identifying these signals, I was doing what most people were doing at the time, and Hak5 has videos on it, but you capture the raw wave with the SDR and then you would go into Audacity and really stretch the file out, in WAV format, and look at the frequency. So this Universal Radio Hacker is a very slick tool that can do a lot of that computation for you and helps you organize your IoT research. Blue Hydra is another great tool for using in conjunction with the Ubertooth. binwalk is for analyzing firmware; Firmadyne takes that a step further and actually creates databases, and we'll discuss that. And then apktool is going to be for reverse engineering Android applications. From a hardware standpoint I had a HackRF, a YARD Stick One, an Ubertooth One, a Proxmark, that's

for RFID cloning, and then a very small Arduino Nano for some of the other IoT stuff. Miscellaneous, and the most important part, is a patient wife if you're married, because I come home from work after a full day and then there's another four hours of "I'm really trying to figure out what Z-Wave is, I'm not going to come up for dinner," and I'll put the kids to bed, and my wife's amazing, she's very supportive, so I'm able to conduct a lot of my research after hours.

So first tool, binwalk. When you get a binary file, whether it's from a web download (sometimes you can go directly to the website and download the latest firmware and then you're flashing it yourself, so directly from the web), or you can get it at a hardware level, you could extract it, you could intercept it; so either way we're making the assumption that you've gotten hold of some firmware bin file. This tool would allow you to analyze what file systems are on the bin, it's going to extract it, etc. Very useful. Again, Firmadyne, a very useful tool, and one of the things I didn't touch on in describing it, and it's really its main purpose, is it can emulate the firmware. So without needing to flash this binary file to an actual piece of hardware to really see what it's about, you can emulate it directly within Firmadyne, and then actually emulate the RAM too, so if you're looking for buffer overflows, etc., you can do direct memory access and really see what you're doing to the IoT device. It stores everything in a database so it's all searchable, and this way if you're dealing with multiple binaries you have one place to organize it. Again, I'm an Android user, so when I was looking at the mobile apps everything was within the Android space. apktool is going to be a very slick tool that can decompile the APK to its original form, let you see the source code, make some changes and then roll it back up into an application you can then push to your

phone. One of the interesting things, in my very basic look, because I'm not an Android developer at all, was what's known as the AndroidManifest.xml. So if you're pulling off this application and you're curious about what security features it's actually taking from your phone when it gets installed, this file is going to have all the services that it needs to interact with Android from an API perspective. So I found that very interesting, just taking a look at these apps and going, all right, what does this IoT app actually need and what's it actually requesting of my device? And again, the Universal Radio Hacker interfaces with most of the SDR platforms, especially the RTL-SDR, which we'll discuss in a bit; you can capture, replay, etc., blindly, without even analyzing. So one of the first projects I did with this was capture the car key, replay the car key, and we know about the rolling codes within the fobs, but just working on that capture and replay within this tool was pretty useful.

So again, putting it all together for under 100 bucks, if you're interested in IoT and kind of where to start from a research perspective. From a hardware standpoint, an Arduino Nano: so when we talked about pulling the physical firmware off the devices, you can use the Nano with a little bit of soldering and some code to test for JTAG pins and actually know what ports are what within the board and actually extract that firmware. RTL-SDR, again 20 bucks; this is going to be receive only, so if you're looking to send within your research you're going to have to up your budget, but if you're simply just looking to capture some stuff and see how things work, it's $20. A very cool project that I did with that is setting it up to monitor aviation; so I live right by Trenton Airport, so I was able to set this up and you see the flights coming in and mapped on the Google map, a very interesting project. So project number one, again trying to stay within budget, you want to learn how to capture signals. This is a simple smart light; you

know, it's not wireless or anything to the extent of a Z-Wave or ZigBee, but this is a simple wireless protocol that you can sniff. Again, the device is ten bucks, but it's meant for just turning the outlet on and off, for example the Christmas tree, so if you're just looking to capture, look up its FCC ID and know what are some of the schematics of this device; this is a good place to start. Project number two: maybe the Raspberry Pi is out of your price point, but you need a small computer to run all this hardware. I present to you the Pogoplug. This was designed as a Western Digital kind of My Cloud, but that got discontinued; but with a little googling and some Linux you can flash this device to run Arch. Arch ARM runs beautifully on this device, so for ten dollars you now have your quote-unquote Raspberry Pi or microcontroller.

So from a demo standpoint, I always mention Murphy's Law before I jump into any demo. First thing we'll take a look at... how am I on time? Yeah, perfect, long time. We'll take a look at that Zap device, that little home wireless outlet for your Christmas tree, and here's where the real "does this work or not" comes in. I may have to skip this demo; as you can see my interface is a little flustered, but we should be good. So we'll start a new project, we'll just call it Bob, and now we're going to record a signal.

Choose a HackRF, and for finding the frequency of this device, you would look at the back of the outlet piece. Every device that wants to talk wirelessly has to register with the FCC and have an FCC ID; you can then look that up on the internet and you'll find out what frequency this device operates on. So we click record and now we have a quick capture, which is simply the "on" of this device, and we then save it, and if we close this we're now in the position to actually analyze it. So we can go in, and here's where you would choose your modulation; it can auto-detect, but even in second-guessing yourself, if we take a look at the signal... that's not going to work. There we go. We can see some sort of frequency, so we have one small part of the signal and then it speeds up, and then one small and then it speeds up. And then within this tool you're also able to go right into the analysis of it, where, if you had multiple recordings, you can start to just mark the differences within this capture, kind of see what's the preamble, what's the sync, what was maybe that value we're changing, on or off, etc. So very useful. And then again, the generator: you can do a blind replay to see if this device has any sort of checksum, to know if this is a repeated signal, etc., or can I capture the unlock once and kind of own it.

Next device is a very simple RFID reader; so this is called the Proxmark. So this is what, when we talked about interacting with that physical security system, this is what was used to make our own fob, and the facility code of it, etc.

Just let me have... I usually do tty... it's against my hands here.

So now we're going to do "lf hid reader." There. So now we just told the Proxmark to listen for your generic key fobs, so now we have that captured facility code. For anyone that's unfamiliar with RFID, the reason you have a facility code and then a unique number of the fob is, imagine you want to use the fob across multiple facilities, so you could program certain facilities to use certain codes, and then you could use the fob across multiple places. So again, one of the things I like to just speak on is IoT is everywhere, so you've got to have that hacker mindset. So I was at Chuck E. Cheese, my kid's a huge skee-ball fan, and Chuck E. Cheese had moved towards... I came in with my whole pocketful of the coins from last week and they're like, "we don't take those, here's a card," and I was like, oh, so what kind of card is this? So if we wanted to just search within the high frequency spectrum within this, we'd be able to identify... if I could tell you what type of card this was, but without any knowledge of it, then we could start to go down the rabbit hole: what type of encryption could it be using, is it as simple as this where we could just clone it and have a copy? This is actually a pretty good key fob from a security standpoint, so kudos to Chuck E. Cheese.

How are we on time? All right, so we have time to fit one more demo in. Yeah, so the next thing I wanted to talk about was firmware. I showed a picture of the outlet sync, whether or not, or what the outlet was doing when it jumped, so we know if we extract this firmware that we're going to get a Linux file system that we'll be able to explore and take a look at. So now we're in the Linux file system of this firmware. One of the first things I tend to do when looking at firmware, and going back to the OWASP Top 10, is that hard-coded passwords. So a quick grep for telnet, and we see within the system all the different scripts that have telnet in them, or at least the word telnet. One of the first things that comes to mind, and what I notice, is this /etc/scripts/misc telnet; so that looks like it's going to start a telnet service for this IoT device. I could also see an option for login and the word image_sign. So let's take a look at the /etc/scripts/misc one; let's cat that. So now this is the telnet script that's going to initiate upon this router booting, and if we look here, over this part of the screen, we'll see that the login is this username, and then it's looking for the variable image_sign, which we identified earlier when we took a look at the strings of that file, and if you can see, image_sign is simply a cat of /etc/config/image_sign. So if you go back within the directory...

It's... no, it's... excuse me. There it is. Long story short, I can't see the other end of the screen, but it's a hard-coded password within this firmware. So that would be the process of using some simple tools, such as hexdump, grep, strings, all the ones that we were told not to use in the last presentation, to basically look at this firmware from a hands-on perspective to see, again, are there any hard-coded passwords. That's basically everything I had from a demo perspective, given some of the Murphy's Law that I love mentioning for that reason. But then again, thank you; questions and answers, and again, thanks for having me, always a pleasure to be at BSides.

Anybody have any questions?

I've had some... going along with what you said about Android apps, so if you're not really into Android apps too much, there is a tool on GitHub called Quark, QARK, that will pull the app and show you the vulnerabilities in less than two minutes, so it's like a vulnerability scanner for Android apps.

Yup. [inaudible]

So from a security standpoint, do you recommend using something like a ZigBee or Z-Wave protocol over something like MQTT over traditional Wi-Fi?

I mean, to that point, it still all comes down to the implementation. I think the protocol has methods of being secure; they've rewritten and they fixed some things, but it really comes down to engineering-side implementation of what that device is actually doing. Back to that network and link key: that's not something that's built into the protocol, so sometimes how you implement and get that across can be the vulnerability. So either way, regardless of what spectrum, the protocol and the method of transferring the data stays the same, so the vulnerability, to your point, is going to exist whether it's direct or over the Wi-Fi. Any other questions? Going once, going twice... all right, no. Thank you guys all for attending.
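The firmware demo in the talk (grep the extracted filesystem for telnet, open the start-up script, follow the image_sign variable to /etc/config/image_sign) as a repeatable audit check. This is an added example, not the speaker's code: the firmware tree it scans is constructed inline and only modelled on that pattern, and its file names, user name and password value are placeholders, not any real device's.

```python
"""Scan an extracted firmware root for telnet start-up scripts and hard-coded credentials.

Reproduces the manual check from the talk as a script: find every file that mentions
telnet, pull out user:password pairs handed to the daemon and password-like assignments,
and resolve `VAR=`cat /some/file`` indirections against the extracted filesystem.
"""
import re
import tempfile
from pathlib import Path

TELNET_RE = re.compile(r"\btelnetd?\b", re.I)
# VAR=`cat /path`  or  VAR=$(cat /path)
CAT_VAR_RE = re.compile(r"^\s*(\w+)=(?:`|\$\()\s*cat\s+(\S+?)\s*(?:`|\))", re.M)
# user:secret handed to a login helper, e.g. "-u admin:$image_sign"
USERPASS_RE = re.compile(r"-u\s+['\"]?([A-Za-z0-9_.-]+):([^\s'\"]+)")
# plain assignments such as ADMIN_PASSWORD=changeme
ASSIGN_RE = re.compile(r"^\s*(\w*(?:pass|pwd|secret)\w*)=['\"]?([^\s'\"`$]+)", re.M | re.I)


def resolve_cat_vars(text, root):
    """Map shell variables filled by `cat <file>` to (path, contents) read from the root."""
    out = {}
    for name, path in CAT_VAR_RE.findall(text):
        f = Path(root) / path.lstrip("/")
        out[name] = (path, f.read_text().strip() if f.is_file() else None)
    return out


def expand(value, cat_vars):
    """Expand $VAR / ${VAR} via the cat-derived values; return (secret, source_file)."""
    m = re.fullmatch(r"\$\{?(\w+)\}?", value)
    if not m:
        return value, None          # literal secret sitting in the script itself
    if m.group(1) in cat_vars:
        path, content = cat_vars[m.group(1)]
        return content, path
    return None, None               # set at run time (e.g. NVRAM); not resolvable statically


def audit_firmware_root(root):
    """Return one finding per file mentioning telnet, with any credentials it hard-codes."""
    root = Path(root)
    findings = []
    for f in sorted(root.rglob("*")):
        if not f.is_file():
            continue
        text = f.read_text(errors="ignore")
        if not TELNET_RE.search(text):
            continue
        cat_vars = resolve_cat_vars(text, root)
        creds = []
        for user, raw in USERPASS_RE.findall(text):
            secret, source = expand(raw, cat_vars)
            creds.append({"user": user, "secret": secret, "source": source or "inline"})
        for name, value in ASSIGN_RE.findall(text):
            creds.append({"user": None, "secret": value, "source": f"assignment {name}"})
        findings.append({
            "file": "/" + f.relative_to(root).as_posix(),
            "mentions_telnetd": bool(re.search(r"\btelnetd\b", text, re.I)),
            "credentials": creds,
            "severity": "high" if any(c["secret"] for c in creds) else "medium",
        })
    return findings


def build_sample_root(base):
    """Write a small constructed firmware tree (placeholder names and values, no real device)."""
    files = {
        "etc/config/image_sign": "wrgXX_sample_sign_2018\n",
        "etc/scripts/misc/telnetd.sh": (
            "#!/bin/sh\n"
            "# constructed: fixed user, password read from a file at boot\n"
            "image_sign=`cat /etc/config/image_sign`\n"
            'if [ "$1" = "start" ]; then\n'
            "  telnetd -l /bin/login -u admin:$image_sign -i br0 &\n"
            "fi\n"),
        "etc/init.d/rcS": "#!/bin/sh\n/etc/scripts/misc/telnetd.sh start\n",
        "etc/default/remote_access": "# constructed defaults\nservice telnet enable\nADMIN_PASSWORD=changeme\n",
        "etc/passwd": "root:x:0:0:root:/root:/bin/sh\n",   # no telnet reference: not reported
    }
    for rel, content in files.items():
        p = Path(base) / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_text(content)


def run_demo():
    """Build the constructed tree in a temp dir and audit it."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_root(tmp)
        return audit_firmware_root(tmp)


if __name__ == "__main__":
    for finding in run_demo():
        print(f"{finding['severity']:6} {finding['file']}")
        for c in finding["credentials"]:
            print(f"       user={c['user']} secret={c['secret']} via {c['source']}")
```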