The IoT Hacker's Toolkit

[Music]

thanks very much I want to start off by apologizing for my voice it's been going downhill and I've been saying if I can just keep it till 2:40 this afternoon when I'm finished and hopefully that holds out so I want to start duplicate ory disclaimer I'm doing this presentation on my own personal effort and what I disclose does not necessarily reflect the views or opinions of my employer disclaimer number two is I'm talking about messing with hardware devices some of these hardware devices plug into the wall if you don't know about electricity please be careful when working on such devices I'm not responsible if you electrocute yourself after this talk so a little bit about me I'm a security engineer I do

blackbox testing and red teaming I'm a hacker in that I like to break things just to see if I can and I'm particularly into embedded devices and the Internet of Things unfortunately if you are allergic to buzzwords you're gonna hear IOT a lot during this talk and I also do some web apps but I think that comes with the territory these days I'm also a little bit of a maker I like to make things out of electronics in addition to breaking things last year I actually made my own an official Def Con badge which was a lot of fun although I only ended up making seven of them but it might have been the most exclusive

electronic DEF CON badge I'm not sure so what is IOT right if you go to Wikipedia you get this really long definition about the Internet of Things is the network of devices vehicles home appliances and other items embedded with electronic software sensors blah blah blah and connects to the Internet but quite frankly I like to take from Supreme Court justice Potter Stewart I know it when I see it so these are devices that I would consider IOT devices right many of you may be wearing a fitness watch of some sort right now many of you may have some sort of little clicker you may be you have a device for tracking your keys when they get lost I have one on my keys

but you know knock on wood I've never needed to use it to actually find my keys but there's also bigger devices right we have smart lightbulbs we have smart home networks and all these sort of things and so at first glance many of these things seem kind of innocuous but it turns out that we're getting more and more this pervasive connection between the internet and what we do and are what we think of as offline lives it turns out that they are still online lives and it turns out that there's other things that kind of border on the edge of IOT devices but I find them fascinating many of you have probably never seen something like this it turns out that

this is in fact what's called a programmable logic controller which is the really fancy term for computer that controls industrial machinery that can kill you if something goes wrong so what is an IOT security researcher trying to accomplish right most of time you're trying to understand how the device functions and understand its security properties so that you can make informed judgments about the risk that that poses to your organization sometimes if you're like me you like to find vulnerabilities both so that you can get them patched and improve the security state but also because as we all know CVEs are the currency of hackers and it's the new altcoin and maybe you just want some

more experience into you hacking things that you haven't tried before there's also the benefit that it's a hack all the things kind of moment because I've heard hacking on IOT referred to as hacking in the 90s because of the lack of mitigations and how easy it is to exploit some of these devices shooting fish in a barrel which is fairly self-explanatory and a CTF on the whole internet and it turns out that these devices vastly outnumber conventional computers already and they're only growing in population even more but it turns out in addition to these opportunities there's challenges for the security researcher IOT devices typically aren't x86-based s-- they are more often running an arm or MIPS CPU or

even a more esoteric architecture so you might need to become familiar with a new architecture that works in different ways they interface in different ways while they all inherently have networking interfaces in order to be considered part of the Internet of Things they also have other interfaces that you might not have ever seen before and while they speak some protocols that you're familiar with like HTTP sometimes they speak protocols that you may never have heard of before like mqtt CANbus or other proprietary protocols so like I said these devices have a bunch of different interfaces some of them have common interfaces like Wi-Fi Ethernet Bluetooth USB II things that you've seen everyday and it's also kinds of security

engagements in the past but it turns out they also have uncommon interfaces like ZigBee and z-wave proprietary interfaces and their interfaces inside the device as well that you can get access to like you art in JTAG and swd and spi and if those sound like just a bunch of acronyms put together to you then that's how they sounded to me when I first started hacking on these devices but it turns out these interfaces are some of the most useful ones when you want to understand how a device works so this is an example of a home hub device which is an automation home automation device intended to talk to you accessories that are manufactured by a variety of

different companies consequently it can speak a number of different protocols and it serves as a gateway between these proprietary wireless protocols and the internet so it has a number of different interfaces which makes it an ideal situation for someone who's interested in taking a look at it and when I say it has a number of interfaces it turns out there's five separate wireless chips on this one board including some things that you're familiar with like Wi-Fi and Bluetooth all the way to highly proprietary protocols like Lutron and kitty but in addition to these five wireless protocols there's this many wired interfaces on this one board there's JTAG interfaces for multiple microcontrollers present on the board

there's a USB plug that is not labeled but it turns out if you hunt through footprints you can find out it's USB there's even an unpopulated Ethernet port and the bottom left we even have a port that to this day I haven't figured out what it's used for so there's some basic tools you're going to need if you want to understand devices that are in the IOT at the hardware level right obvious one is you need some way to get into these devices so a lot of them can be opened with basic screwdrivers but it turns out some of them think they're gonna keep people out if they use a torque screw because you know no

one knows how to buy a torque screwdriver from Amazon some of them it's they've gone a little cheaper they're not using screws it turns out that three cents worth of screws is the difference between profit and not if you're selling your device for four dollars so they use either adhesives or little plastic clips to hold the device together and so you'll use a prying tool like this to get in go ahead and warn you if they're using those plastic clips you're gonna break some of them just gonna happen if you've never seen this before it's a multimeter many people use them to test electrical things including these kind of devices this is about a fifty dollar multimeter you don't have

to spend a huge amount you don't have to buy a high-end fluke which is you know an industrial multimeter but it is useful for understanding how to vise works and what components connect to each other and what those components do because you can use it to determine which pins are connected within a circuit you can use it to determine which pins have power being supplied to them at any given time so it's really easy to get lost in all of the tools that are out there and I think it's important that you think about what capabilities do these tools give me what is it add to my tool set in order to do it because you can buy dozens of

different tools that all give you the same ability and unless you're like me and buy them under the guise of oh I give talks about this so I need all of them so I can compare them and make nice slides it turns out the reality is you don't actually need all of those tools so I want to go through a few different missions that you might be doing against an IOT device and talk about what tools are useful in those space so for example if you want to do a wireless man-in-the-middle this actually isn't very unique to IOT in fact many of you may have done this before really you just need a wireless interface and some

software that's capable of intercepting the traffic you can do it off your standard laptop join the same Wi-Fi network perform an ARP spoofing attack to get a man-in-the-middle position and then redirect traffic if you see HTTP or HTTPS to a local proxy and you can immediately start playing with the traffic it turns out most IOT devices don't do certificate validation so very often you'll do this redirection and you'll immediately start seeing the traffic but maybe you want to try something different you want to actually get your hands on the hardware right that's where things become different between IOT and between typical software applications so if you want to get a local shell a lot of

devices have what's called a UART which is a fancy term for a serial port it's just a serial port that doesn't operate at 12 volts like the old-school serial ports of the 80s it usually is at about 3.3 volts on modern hardware and you can use one of these cables pictured here and you can just connect to the pins to the four pins of the UART and then you're able to interact with the local shell and it turns out many of these devices they don't bother with having authentication or with having complex passwords very often if they have bothered to set a password its route or the name of the manufacturer of the device because they assume no one's

getting physical access the hardest part in most of these cases is figuring out the pin out on this particular board they were kind enough to label all of the pins so that makes it incredibly straightforward on many other boards you'll just see a row of four pins and you'll need to figure it out which is when the multimeter comes in very handy because you can determine which pin is ground by finding another point that you know to be ground such as the input of the power device will have a positive and a ground side and you can compare those pins to find which ones are at the same voltage and then connect to it for

TX and rx there's fancy ways that you can figure out which one is transmitted and which one is receive but I'll be completely honest I try it one way and if that doesn't work I swap the two cables and try it the other way I promise you won't hurt things by transmitting into the wrong side of e ort I've done it dozens and dozens of times so once you're in maybe you want to dump the firmware right like some of you may have some binary analysis experience you have experience with reverse engineering and you want to be able to get access to the firmware in order to figure out what the device is actually doing so it's possible you can

do that over a serial port I've in fact done it over a serial port before where I just use D D off of the last device that stores the firmware and sent it over the network to another system but let's assume that you're not able to do that through the serial port maybe you haven't found a serial port or maybe it's locked down with a password you haven't yet obtained there's an interface that's called JTAG and it turns out it's present on almost all devices even if it's not marked JTAG stands for the joint test action group and it turns out that in the 90s silicon manufacturers got together and said you know what it would be great if

there's an industry standard for testing if our silicon is working correctly and so they came together and they formed JTAG and they created a universal interface that allowed them to test their devices turns out most of these JTAG interfaces also let you interact with the devices and this interaction happens directly in the silicon so that the operating system of whatever device you're operating on doesn't even see it it's actually a special core that's built in to arm and MIPS and PPC processors that lets you interact directly with the hardware on many processors it's possible to disable it but most manufacturers don't seem to do that and I think the reason that they don't do it is because if they get a

device back as being malfunctioning from a customer they want to be able to debug it and this is a testing interface so when they get that device back they can connect to the center face themselves and figure out why the device is not working there's another way to get at the firmware you can actually dump flash chips directly for example I've run into many cases where the flash the firmware update is encrypted when it's sent over the network so I can't just intercept it over the network but in order for the processor to boot from the firmware image it has to be decrypted when it's written to flash so if you can read the flash chips directly you can get access

to the unencrypted firmware some of them are very simple interfaces on the bottom you have a little 8 pin interface and that 8 pin interface is either gonna be one of two things called spi or i2c and it turns out you can just connect directly to that chip and you can actually dump the entire chip and that's more common on cheaper low-end devices on devices that are either more Excel civ need more flash you need higher speed flash they use a type of flash that is a parallel flash which is what's pictured at the top this is exactly the same type of flash chip that is the same architecture of flash chip that it's used in modern SSDs and flash drives so

it turns out that they're well studied and well understood but they're a little bit more complicated because as you note instead of having eight pins they have something like 48 pins the particular board I took a picture of here you'll also note those extra places for soldering chips it's because the manufacturer designed it so that they could use chips from multiple suppliers on the same production run so depending on which chip they use they place it differently on this board but the principle remains the same you can detach this chip and you can place it into a reader and read the decrypted contents directly it turns out that there's a number of different ways to do

it this is a particular actually a software defined radio board that I have and I thought this was interesting because you have a flash chip that contains a firmware right there and you also have two different JTAG pin outs all right next to each other so this one is nicely labeled so that you can actually figure out what things are there but very often they're not labeled and you just have to sort of develop an instinct for what an unlabeled port might be so how do you do this right I said connect to these things and dump the information well it turns out you need some sort of interface between your computer and either the flash chips or

the JTAG ports and these interfaces very often are referred to as Universal interfaces because they can speak a number of different protocols one of the earliest implementations was something called the bus pirate at the top and then there's chips made by a company called FTDI that do it and it turns out you can buy cheap breakout boards for those chips they both have their pros and cons for example the bus pirate actually uses a microcontroller that performs what they call bit banging of all the protocols bit banging just means that it says set this pin high set this pin load in order to speak protocol consequently it's very intensive on the microcontroller which means that it's

actually very slow but it's able to speak virtually any protocol you can implement because it's all written in software on the other hand you have this series of chips from FTDI these are literally designed as a bridge between USB and arbitrary other protocols so they're designed to operate at a high speed for speaking a variety of different protocols so these ones can come on these breakout boards or you can even get a cable where the chip is integrated right there into the head end of the cable and then it just breaks down as little pins that you can plug directly on to things more and more I'm reaching for this over the bus pirate even though

these are a little bit more expensive I find that they're faster and more reliable for dumping firmware images one manufacturers even made a version that they specifically targeted to the security and reverse engineering community which is called the SheiKra but there's a number of other boards and at the end of the day they're all a USB port and some connections to pins so what do you do in order to actually do it right if you're going via JTAG or swd connect via the JTAG interface the pin outs are well documented depending upon what architecture you're looking at you can halt the CPU which tells it to stop running anything so you get a consistent state and you can dump the address space

of the flash and then you can use software to find the different sections of Flash one of the nice things about JTAG is that you can also dump the running RAM so if there's encryption keys or something like that you can also use that to get that out if you're doing spi RI - you see flash which is the little 8 pin flash controllers you'll need to connect to it with the target unpowered or halted and then dump the flash memory from the host there's tools out there that just do that directly because they know they're speaking spi and can do it with a single command line for nand or nor flash it's a little more

complicated when you have those 48 pins you can't typically do it while the device is still in circuit so you actually have to desolder the chip insert it into a reader and then dump the flash using the reader directly so it's a little bit more complicated but it's highly reliable to be able to do that and if you have a sacrificial device if you have multiple ones on an assessment do taking that approach is very efficient and straightforward so finally you want to find the vulnerabilities in the firmware that you've dumped right that's the endgame here is trying to figure out whether or not this is secure so most of the time the images may be compressed have

multiple petitions some of them will be a raw image some of them will have file systems inside of it it turns out there's a bunch of different ways to approach this occasionally they'll be encrypted particularly if you download it from their site instead of dump it from a device sometimes they'll be signed as well if manufacturers doing things correctly but it turns out that more often than not they're not in fact signed so there's a single tool out there that everyone I know in this industry who deals with hardware uses for finding this and it's a tool called bin walk bin walk actually goes through the entire file looking for file signatures within it that indicate that

you have a compressed file system a Linux kernel any number of different types of things and they can actually extract at those different offsets so you can immediately find some OS level issues for example if you extract a file system you might find a shadow file like this one that has the root password hash in it right you throw that into a your favorite cracking tool of choice and you find out that this particular hash comes back to be the very secure password root alternatively you can find service configuration credentials sometimes you find private keys you can I found one device that was pulling their configuration from a private git repository over SSH but had the SSH key

unencrypted on the device so anyone in the world could reach that you'll also find some things in web interfaces many of these devices have web interfaces and this will let you get directly to the source code of it so your black box analysis has now become a white box analysis so when you're looking at binaries right I mentioned they're not always x86 so how do you look at it right many of you are familiar with Ida is very expensive for anyone who you know hasn't had the opportunity to purchase that before if you buy it with the D compilers you might end up spending as much as about $10,000 if you buy Ida and all of the D compilers

available for it but it is probably the most powerful tool in this list binary ninja on the other hand has only really been available for about two years now but binary ninja actually handles a number of architectures and it has an open plug-in architecture for it so people have written additional disassemblers for other architectures and its interface actually is easier to use than Ida and then if you really don't want to spend any money whatsoever can use radar e2 and which is based on the capstone framework for disassembly and that gives you the most options either way you can perform your analysis on the binaries this way so let's say you want to take a

different tack you have a device that does bluetooth and you want to observe the communications it turns out traditional chipsets don't have an easy way to sniff Bluetooth because bluetooth does channel hopping but there's an open-source device out there called the uber tooth one that's designed specifically for sniffing and replaying Bluetooth communications and it works extremely well nordic semiconductors also makes a firmware for some of their chips designed to do sniffing instead of communications at the end of the day you can use either of these and you can actually just dump the packets that you see the Bluetooth frames to a pcap and you can import that into Wireshark which will tell you about the end points and

use will break it down and then you're responsible only for analyzing the application level communications if you have a proprietary wireless interface things get a little murkier you have to delve into the realm of software to find Radio software-defined radio basically means that they're using an FPGA with software loaded onto it in order to represent what would have been a traditional radio interface until about 5 or 10 years ago these radios were at the cheapest several thousand dollars for software to find radio but there's now several models that are available including the hack RF and the blade RF shown here that are available for a few hundred dollars to get into it if you only want to do listening you can also

use a cheap $20.00 dongle and you can observe a wide variety of communications that way but it turns out you'll have to figure out how the communications are modulated and a bunch of other information in fact even finding the signal can be difficult you'll have to figure out either based on time or frequency strength or lookup device on FCC ID IO which sometimes will tell you what frequency it operates on and then you'll have to figure out what modulation they're using beyond that you'll need a way to decode it and then re encode it and in both of these cases there's great resources available for canoe radio because it's an open source project and there's plugins you can use

for it but many of the manufacturers still are using something that doesn't work in exactly the same way as what's out there however with a radio like this you can both observe their communications and you can transmit it for example I have a garage door opener for my apartment complex garage and it took me less than an afternoon as my first like steps into SDR analysis and within an afternoon I was able to find a way to decode that and then begin replaying it for my software-defined radio so there's some other tools you might want to explore logic analyzers sometimes useful logic analyzer I think of it as a networked app for physical buses it lets you plug in and instead of

being a communications endpoint you observe the ongoing communications between two devices so you can see data being loaded from a flash chip into a microcontroller you can see cam bus in your car using a logic analyzer so you can see the different computers in your car talking to each other I really recommend not doing that while the car is moving and it's basically Wireshark for hardware so it's pretty awesome to be able to use that and actually see the protocol on the wire you can also use it to identify protocols and pin outs sometimes find settings for different things because it can tell you what speed of different as a particular interface is operating at because it

actually just operates by repeatedly sampling the signal that's going across there also useful sometimes as a power supply I built this little thing using a module from China it was about $40 total and I can program in any voltage that I want up to about 40 volts out of it you can get these modules already built into boxes like that as well most useful though are the 5 and 12 volts and 3.3 volts because you can feed them directly into boards that you've removed from their casing and be able to power those boards up it's also useful to avoid like the big mess of those wall warts I mean I have an entire box of wall warts at home

where I'm like oh that might be useful someday and then you actually try to get one out of there and they're all tangled together and turns out this is a lot cleaner so a little bit of a summary right there's software and hardware involved in this toolkit in terms of software if you're doing binary analysis you'll need a disassembler D compiler when you're looking at the full firmware image you'll need bin walk to try to find things you also need various extraction tools tar and zip are very common but there's also compression protocol called lzma that's used by a bunch of these different firmware images because it compresses even better you can use tools for fuzzing and testing

can use QEMU is an emulator program to run programs that are not in their native architecture so you can run an arm or MIPS binary directly on your workstation and then there's tools for interfacing like open OCD is a software for talking to JTAG interfaces and flash rom is the tool for dumping spi and I squared see flash and then of course you have networking tools like better cap and ettercap for doing man-in-the-middle Wireshark TCP dump for talking for reading packet protocols and doing other things as well and of course HTTP proxy aim for HTTP communications on the RF side Wireshark is again useful it turns out Wireshark has so many capabilities I never knew about as our new radio and

osmocon SDR is just a bunch of building blocks for camere a do and it really speeds up the development process if you get into that on the hardware side there's a bunch of general tools screwdriver multimeter that UART cable is one of the most useful things I've found in the easiest ways to get into things which is why it appears in both of these lists and then on interfacing the your cable again the FTDI breakout is my favorite their buss pirate and you'll notice again under flash dumper FTDI breakout which is why I said think about the capabilities and ads if you get the FTDI breakout you have both of those covered on the networking side you

obviously want a thern and wireless interfaces surprisingly I wouldn't have to say I wouldn't think that I need to mention you should have an Ethernet interface but if you've bought a laptop in the last three years you have to think about that chip and board level analysis so you can get a logic analyzer oscilloscope our supply right you don't need all of this to get started but you can do various things on the RF side to the Eber tooth one rtl-sdr which is the dongle that was originally designed for receiving over-the-air television hack RF blade RF are two great options for open source software to find radios that can both transmit and receive and then a few

links if you're really interested in this stuff there's so much more to go into right this is just skimming the surface and telling you the basic tools that you can start playing with but there's some great resources on these sites and if you really want to get in-depth I can highly recommend the hardware security training courses they're wonderful they're taught by people are passionate about what they do and are just into breaking hardware professionally so at this point I've run out of time which is great but I will be happy to discuss this with anyone who wants to out in the hallway or I'll be in the CTF room all afternoon because I'm also one of the CTF organizers I

have a link there too to a blog post that has much of the the content here as well as my slides are up at one 337 fYI slash tool kit as well as my blog or Twitter reach out to me if you want any more information or just want to talk about hardware hacking IOT devices so thank you very much [Applause]