
IoT Pressure Cooker: What Could Go Wrong

BSides Charm · 2017 · 19:29 · Published 2021-05
Speaker: Ben Actis
About this talk
Ben Actis walks through vulnerabilities in an IoT-enabled pressure cooker found by reverse engineering its Android companion app: recipe (.cooker) files are downloaded over plaintext HTTP, stored in a world-readable, world-writable directory, and parsed without any integrity check, so an attacker on the network or on the phone can rewrite the temperature, pressure and timing instructions the app sends to the cooker over Bluetooth Low Energy. The demo video shows a modified custom recipe heating to 125 F instead of the 86 F it was set to and running steps that were never in the original. The talk also recounts the vendor closing the disclosure ticket twice without responding, and notes the limits: the target temperature cannot be pushed past the GUI maximum of 284 F, so the realistic impact is undercooked or ruined food, obnoxious behaviour and a potential safety concern rather than a demonstrated explosion.
Original YouTube description
IoT Pressure Cooker: What Could Go Wrong. This talk will dive into vulnerabilities discovered in an IoT pressure cooker, with a demonstration of how an attacker can modify data in transit and in storage on a mobile app, which can modify the temperature, timing and pressure of the device, a potential safety concern. Presenter: Ben Actis. Ben Actis spent five years at MITRE in the areas of mobile reverse engineering and network analytics. He taught Intro to x86 and Intro to Flow Analysis, which are available on opensecuritytraining.info. He spent one year on Lookout's research and response team in San Francisco. He was the primary researcher responsible for Shedun/HummingBad and XcodeGhost. He is currently at Synack, where he is a research and development engineer. When not reversing he is busy catching Pokemon, taking Krav Maga, and trolling on Twitter.
Transcript (English)

Hey, can you guys hear me okay? Thumbs up, cool. All right, start from the back. Yes, awesome, cool. Hi everyone, my name is Ben Actis, you can follow me on Twitter at benro. This is a 20-minute edition of IoT Pressure Cooker: What Could Go Wrong. I'm giving a 60-minute one in Austin, BSides Austin, next week, so thanks for coming. By the way, this is going to be a lot of fun. About me, motivation, how it should work, all the things wrong with it, or part of it, and then I have a demo video, because I didn't want to bring the thing on the flight.

So, okay, who am I? I started at MITRE, in the area here, a phenomenal FFRDC. I did a bunch of mobile reversing there, I built a lot of network sensors. There is a really great website called opensecuritytraining.info; if you want to see me with hair teaching about NetFlow analytics and hunting, that's up there too. Then I went to Lookout in San Francisco, which was an absolute blast; I got to tear apart Android and iOS malware all day. And most recently I'm at Synack, and for those that don't know, Synack is like a combination bug bounty program and vuln scanner, and what I do is I build all the mobile attacking tools, which you'll see from the talk. So what we do is, I build all the tools for how you, at scale, reverse statically and dynamically look for phones, and I also tear apart a lot of IoT devices before they come to market too. At night I'm a troll on Twitter. I do own a side business called Cyber Merchants of Death, so if you want training in any of these things, come talk to me after the talk.

So, all right, my work did fly me out here, so I'm going to do a quick pitch. If you like bug bounties, if you like attacking mobile apps, web apps, hosts, go sign up. Bug bounties, we pay them. The only difference is we do a kind of little technical assessment, so if you say you know how to hack web apps, before we let you touch a customer's web app infrastructure we make sure you know your stuff. It's a smaller crowd, and what I like is the payouts are really fast, because it's only one group of people vetting them, and because of that it's a smaller kind of competition circle. So please go check it out if you like this stuff, especially students in the audience too.

Okay, where did this come from? Who's heard of the Internet of Twitter account? A couple of people. So this really was the inspiration. I saw this on Twitter and I'm like, this is funny, and I don't know if you can see in the bottom, but someone made a funny little dad joke. This basically said, is the next IoT botnet going to be a potnet? And I liked it, right? Yeah. So I started looking at it, and these are literally five-minute findings, I am not exaggerating this. Within five minutes I just started grepping around in the mobile app, and I saw they're sending things over HTTP, and I'm like, that's weird, what are they downloading? And they're downloading these .cooker files, and don't worry, I'll explain how all this stuff works. And I'm like, huh, what's a .cooker file? So I unzipped it, it's just a zip file, and it has these weird binary values. I'm like, huh, that's weird. It also stores all of them in a world-readable, world-writable storage directory on Android, which could be bad.

So anyway, I sent my boss an email and I was like, Patrick: plaintext communication, sends executable code, stores executable code in a directory anyone can touch, pretty sure I can give a talk on this, can I buy it? And he's like, absolutely, this will be fun. So like any good security researcher person, we sent a disclosure letter. So here's my company letterhead. I talked to legal and I wrote a letter, and I was like, hey, dear Instant Pot, you have an application, an IoT app, you send data insecurely, you store data insecurely, and we're pretty sure we can modify temperature, heating and timing and pressure remotely, right? And they don't really have a security team, so I sent it to the general help desk queue. Oh, it gets better, guys. So it sat there for 20 days, and also we said, if you don't respond in 60 days we can go public, right? So it sat there for 20 days, and then Nancy S. closed it without saying anything. So I went to our attorney and I was like, what do I do? And he's like, oh, ping them again. I'm like, okay. So I opened it up and I was like, you still haven't patched it. And as of a week ago it's still not patched, if you want to play with this later. And Nancy closed it the next day without saying anything.

So, right, here's a talk. Regular use cases: so it's pretty simple. The idea is you unbox this big pressure cooker, you sync over Bluetooth Low Energy, then you launch your little mobile app, you select a recipe, right? I like GIFs, in case anyone couldn't tell. You wait, and then you eat some yummy food, right? And the product's cool, it's just they built it really badly, right? Oh, thank you.

So, weird things. I've reversed thousands of apps, no exaggeration; I've never found a Mandarin poem unused in the code base before. So I'm like, what does this mean? So I threw it in Google Translate, and it's kind of sweet, it's a little kind of emo and depressing, but I thought it was cute. So, no security value here, I just thought it was funny. Other bad things. Yes, this is, what do you think it is? So in Android you have a /assets folder, and that's like images, I don't know, graphics, things you use sometimes, right? They have all these XML key-pair mappings: the actual integer binary value you send over Bluetooth Low Energy to control things like heating elements. This is probably bad. And if it's unclear, yes, they definitely outsourced to some Asian company to actually do the code base. They also have the pressure state values in there too, so we'll get into why this is bad later.

So my goal is, I just want to be able to break everything. So I looked at a lot of the code and we're going to dive into that. So the first question is those binary files, remember the .cooker, a.k.a. zip, files? I unzipped those and I had to understand how to parse that. So the plan was, I have to figure out how each binary weird-hex-name file name corresponds to an actual recipe file, and then I had to map out what those values mean. So this is 010 Editor, and you can see the really, really long file name at the top, and then it's about in 10-byte increments how big these files are. So you can see a weird kind of pattern emerging: each of these, aa555a01, is each different step in a cooking recipe, and then there are various bytes after that that correspond to different instructions. So the first thing we've got to do is figure out how each of these weird file names corresponds to, like, Ben's favorite pork and rice recipe, right? So I pulled a bunch of files off the phone, and I noticed the current running recipe is stored in a secure area; it's the only thing they store securely. And I'm like, well, I don't really want to go through a dozen recipes, so I pulled out this SQLite database, and it had a beautiful one-to-one mapping of all the weird file names to the actual custom recipes, or recipe human-readable names. It also leaks it in logcat too. So now I know what recipe file the weird hex name corresponds to, and I can actually start messing with stuff now.

So first things first, I probably should have read the manual, because it would have saved me like two weeks of reversing, because it turns out you can make custom recipes, and I didn't know that, and what's nice about the custom recipes is they have things like heat for a period, or heat to a pressure. And I was literally on a four-hour car ride with my girlfriend, and I made every variation of every single step, and then I just diffed all the files, and it was super easy. So this is the only hardcore reversing part of the talk, but basically how it works is, when you make a custom recipe, it looks for a string, and it's a bunch of if statements. So if it sees something like heat for a period, it calls the appropriate method, and then there are methods for every single instruction, right? And each has different integer values, and then it calls a build command. So this one, build heat for a period, throws a 14 into that build command method, and that takes a hash map and converts it to a big giant byte array that then gets thrown into the Bluetooth Low Energy functions. And I'll get into more on this in the Austin talk.

So let's look at the custom recipes. First things first, heat percentage. So at offset 0D, that's what's actually doing the heating percentage, so you can see it goes 4, 8, C and then 10 there, right? And that's basically when you want the little pressure cooker to stay at a certain heating percentage, so this doesn't really do much, right? Time modification is a more fun one, right? So, oh, by the way, any time you see the little evil baby, those are ways you can mess with someone's recipes remotely. So you could easily take some of these pre-made ones, which we'll get into in the attacks later on, and undercook or overcook food, because you know where in the offset to change these instructions, right? So, like, my friend Willy's in the audience; if Willy has his favorite chicken rice recipe and it cooks for 30 minutes, I can make that cook for like one minute or like 100 minutes, right? So that's kind of fun. LED settings: I couldn't make it do any cool emoticons or anything, but they're at offset 0E. So, other fun stuff: heat to a temperature was cool. So my first thing is, I want to make this thing blow up, right? Unfortunately, the max value in the GUI is 284 degrees Fahrenheit, and it is the max byte value I can put in there. But the lowest GUI value is 86 degrees Fahrenheit, and that's only 39 in the hex, so you could do a lower value, which is pretty cool. So that's kind of interesting. Pressure, low versus high: the only officially supported values in the app are 20 and 30, but they don't do any error checking, so you could kind of throw these weird values to change weird states, and that's for future work too. LED settings: so I talked a little about this a few slides ago. There are actually a bunch of others in here, and I'm still kind of systematically mapping out the unknown ones. So there's like none, hot, up, down; there's also yogurt, food, and a few other weird ones, right? But there are a bunch of bytes that I have to try for every instruction. Sound options: so if you want to play obnoxious Game Boy sounds, here's what you change. And again, you see it's weird, it's like 20, 40, 60 and then 4. It's not music, it's like 16-bit sound files, it's really gross. So you can do that too, and the rest are just static values.

So we know how to control timing, right? We know how to control temperature, we know how to control pressure, and we know how to make obnoxious sounds, right? So let's do something with this. So my plan to kind of prove this to you guys is, I made a custom recipe with no sound, and we're going to go to a known temperature, and then it's going to do other things that it shouldn't be doing. So I have a little video here. Do we have an audio jack? Are we going to wing it with the mic? Wing it, okay. We have an audio jack now? Don't, okay. So we're going to wing it. So I'm going to hold the mic close to this, and hopefully you guys can hear it, and if not, I'll articulate it.

So hey everyone, I'm Actis, and here is, yes, a test case of the IoT pressure cooker behind me. The goal of this test case is I want to show you what the expected behavior of a custom recipe that has not been modified looks like, so that way, when I modify the next step, you can see it's clearly deviated from the set instructions. So first things first, I have the pressure cooker synchronized over Bluetooth Low Energy with a Nexus 5 test phone right here. You can see it says connected, Instant Pot pressure cooker. Now what I've done is I've gone and made a custom recipe that's really, really simple, and I'll show you right now. What I'm doing is I'm scrolling through all the recipes I've had, and I'm selecting this, a proof of concept three, or apoc-3, and it's pretty simple: all it is going to do is heat to the desired temperature and then stop. So, hitting start here. And there are a few, so the kind of core ingredients of this recipe is heat to 86 degrees Fahrenheit. The reason I did 86 degrees Fahrenheit is it's the lowest threshold I can set in the graphical user interface, and additionally, since the water is kind of at room temperature in the cooker right now, we can get it to that value the quickest. So a few things I can also show you which are kind of interesting here: we can see the desired temperature here, so it's at 84, so we should hit it really, really quick. Right now it's sending this heat to 86 degrees Fahrenheit command over Bluetooth Low Energy. If you can see it behind me, you can see a little moving icon, it says on, there's a little rotating eye symbol with a moving circular object behind it. So, boom, off. That was it, pretty simple, it hit that degree. Okay, so that's what should happen.

Okay, now I mess with stuff and you'll see different things. So again, quick things, because it's only 20 minutes I have to cut a lot of the steps, but I modified the files. You could either do this in downloading, or, because it's on a shared directory, and I changed the attributes and I just threw it on the phone, and we're going to click that same recipe again.

Back, back. I've put some new cold water in there. I've also trimmed my beard to be more handsome, and we also pushed those files to the phone, the modified ones. So as you recall from my longer-bearded video that you just saw, the only instruction that should happen here is it's going to hit roughly 86 degrees and it's going to stop. It's not going to beep, it's not going to make noise, you're not going to see any LED changes either. Here we are on the phone. I pushed the modified files at this point, and you can see connected, Instant Pot. So now let's go back to all of our lovely recipes. I'm going to go down to my beautiful, well-known-across-the-world proof of concept recipe, many awards for taste, and you can see, yeah, it's been, you can see it no longer says introduction, it says modified, right? And for the little script value, sorry, inverted here, you can see that it says only heat to 86 degrees Fahrenheit, and we should see a different temperature here. So let's try it. So I'm going to start, and boom, you see on. First off, so I go back to my dashboard, and right now I'm waiting for this to kind of update here. So while I'm waiting for it to update, we can go through a few kind of attack scenarios with this, right? So the first thing is, I can see it on, and you can see, cool, heating level, step 1 of 3, which is really, really cool, because our original instruction was only one step, so now you can see three steps are happening. Yeah, heats to 125 degrees Fahrenheit, which is not 86 degrees, which we put in. So, boom, we can actually control stuff here. Pretty neat, right?

Now a few things, right? So we did kind of cheat a little using a rooted device, so I could easily figure out what recipe I want to modify. Now if you didn't really care, you could modify all of them, right? The actual recipe files themselves are stored on that shared directory, so you can do it there. Another trick you could do is also modify it in transit when it's downloaded, because these files are just sent over plaintext HTTP, and it doesn't check integrity, which we've obviously proved. So yeah, so the good news is you can't set it at a higher temperature than what was intended, right? It still maxes out at 284 degrees Fahrenheit. However, you could do a lot of obnoxious things: you could cook at the lower values, you can play obnoxious sounds, you could end early, there are a lot of things you can do in that regard. So yeah, all right, 122 degrees, it should stop at 125-ish, and then you're going to hear a couple of beeps, and that'll be our very clear indication that this has been modified. Cool, see, it also says behind me, food. Trying to point at the thing right there, right, that was not in the original instruction either. And this one should also, I think, wait for another minute, and that's going to make some more beeping noises behind me. So yeah, clear demonstration we're changing the commands, which is pretty cool. I haven't been able to get it to explode, but you could undercook food, you could change things so that it doesn't cook, could ruin food. Yeah, pretty neat.

And the fix is actually pretty easy for these guys: all they have to do is, you know, don't store stuff on the SD card and don't do things over HTTP. Anyway, thanks for that. So what else do I got here? Yeah, like I said, man-in-the-middle: if you're a network attacker you could mess with this a bunch. The other thing I was thinking on the flight, like, I could make a potnet, or ransomware, like I ruin your food until you pay me money, which could happen, right? And then, based on this, I'm really hesitant about how they're keeping track of state. So I've just scratched the surface, like sending malicious BLE input to this thing. So yeah, there are a bunch of other things. So we have about a minute left, so I'll take questions. And then for future work, you could totally make a meta plug-in for this, which would be really cool, and then I mentioned fuzzing the actual Bluetooth stack. So thank you for your time, I had fun, and yeah, I'll leave it up. Thanks, cool.
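The recipe tampering shown in the demo, and the two checks the talk says the app never did (verify the downloaded file before trusting it, and range-check each step), as an added worked example. This is not code from the talk or from the vendor's app. The only details borrowed from the talk are that a .cooker file is a zip, each step begins with the marker aa555a01, steps are roughly 10 bytes, the GUI temperature range is 86 to 284 F and the supported pressure values are 20 and 30. The field layout inside a step, the opcodes, the member names inside the zip and the key are constructed stand-ins, not the real format.

```python
import hashlib, hmac, io, struct, zipfile
from dataclasses import dataclass

# From the talk: .cooker is a zip, every step starts with this marker, steps are
# about 10 bytes, the GUI allows 86..284 F, pressure is 20 or 30.
MARKER = bytes.fromhex("aa555a01")
STEP_LEN = 10
STEP_FMT = ">4sBHHB"          # marker(4) op(1) arg(2) minutes(2) led(1): ASSUMED layout
TEMP_F_RANGE = (86, 284)
PRESSURE_ALLOWED = {20, 30}
# ASSUMED opcodes; the real app's codes are not given in the talk.
OP_HEAT_TO_TEMP, OP_HEAT_FOR_PERIOD, OP_PRESSURE = 0x0E, 0x0D, 0x11
MAX_MINUTES = 240             # assumed sanity cap for one step


@dataclass
class Step:
    op: int
    arg: int          # temperature in F, heat percent, or pressure, depending on op
    minutes: int
    led: int


def build_recipe(steps):
    """Serialise steps into the constructed binary layout."""
    return b"".join(struct.pack(STEP_FMT, MARKER, s.op, s.arg, s.minutes, s.led) for s in steps)


def parse_recipe(blob):
    """Split a blob into fixed-size steps; a wrong length or marker is rejected."""
    if len(blob) % STEP_LEN:
        raise ValueError("recipe length is not a whole number of steps")
    steps = []
    for off in range(0, len(blob), STEP_LEN):
        marker, op, arg, minutes, led = struct.unpack_from(STEP_FMT, blob, off)
        if marker != MARKER:
            raise ValueError(f"bad step marker at offset {off}")
        steps.append(Step(op, arg, minutes, led))
    return steps


def validate_steps(steps):
    """Receiver-side range checks; the talk says the app accepted any pressure value."""
    for s in steps:
        if s.op == OP_HEAT_TO_TEMP and not TEMP_F_RANGE[0] <= s.arg <= TEMP_F_RANGE[1]:
            raise ValueError(f"temperature {s.arg} F outside {TEMP_F_RANGE}")
        if s.op == OP_PRESSURE and s.arg not in PRESSURE_ALLOWED:
            raise ValueError(f"unsupported pressure value {s.arg}")
        if s.op == OP_HEAT_FOR_PERIOD and not 0 < s.minutes <= MAX_MINUTES:
            raise ValueError(f"implausible duration {s.minutes} min")
    return True


def _zip(blob, tag):
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("recipe.bin", blob)    # member names are constructed
        z.writestr("recipe.sig", tag)
    return buf.getvalue()


def _unzip(data):
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        return z.read("recipe.bin"), z.read("recipe.sig")


def pack_cooker(blob, key):
    """Publisher side: recipe plus an HMAC-SHA256 tag over it, in a .cooker-style zip."""
    return _zip(blob, hmac.new(key, blob, hashlib.sha256).digest())


def load_unverified(data):
    """What the talk describes: unzip and parse, trusting whatever is on disk or on the wire."""
    return parse_recipe(_unzip(data)[0])


def load_verified(data, key):
    """The fix: check the tag before parsing, then range-check every step."""
    blob, tag = _unzip(data)
    if not hmac.compare_digest(hmac.new(key, blob, hashlib.sha256).digest(), tag):
        raise ValueError("recipe integrity check failed")
    steps = parse_recipe(blob)
    validate_steps(steps)
    return steps


def tamper(data, new_temp_f):
    """Model the attack: rewrite every heat-to-temperature target in place, keeping the old tag."""
    blob, tag = _unzip(data)
    blob = bytearray(blob)
    for off in range(0, len(blob), STEP_LEN):
        if blob[off + 4] == OP_HEAT_TO_TEMP:          # byte 4 is the opcode in this layout
            struct.pack_into(">H", blob, off + 5, new_temp_f)
    return _zip(bytes(blob), tag)


DEMO_KEY = b"constructed-demo-key"                    # constructed, not a real secret
APOC3 = [Step(OP_HEAT_TO_TEMP, 86, 0, 0)]             # "heat to 86 F, then stop", as in the demo


def demo():
    """Returns (target the unverified loader runs, target the verified loader accepts or None)."""
    signed = pack_cooker(build_recipe(APOC3), DEMO_KEY)
    modified = tamper(signed, 125)                    # the talk's altered recipe heated to 125 F
    unverified_target = load_unverified(modified)[0].arg
    try:
        verified_target = load_verified(modified, DEMO_KEY)[0].arg
    except ValueError:
        verified_target = None
    return unverified_target, verified_target         # (125, None)
```

Run `demo()`: the unverified loader happily returns the attacker's 125 F, the verified loader refuses the file because the tag no longer matches. An HMAC is used here because it keeps the example to the standard library; for recipes a vendor publishes to many phones, the right tool is a public-key signature, so the verifying app holds no secret that could be pulled out of the APK. The range check is the second layer: it catches values outside what the GUI would ever produce even if an attacker could re-sign, and it is the check the talk says was missing for pressure.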