
2016 - Ken Munro & Dave Lodge - Hacking the Mitsubishi Outlander & IoT

BSides Manchester, 43:24, published 2016-09
About this talk
The Mitsubishi Outlander PHEV is a plug-in hybrid petrol/electric SUV. Like many vehicles, it has a mobile app that can be used to control some functions. Rather unusually, the mobile app communicates directly with a Wi-Fi access point on the vehicle. Most other mobile apps communicate with their car via the manufacturer's servers, then onwards over mobile data/GSM to a module in the car. We believe Mitsubishi have taken this route in order to save cost. We purchased an Outlander PHEV to investigate its security and found some pretty depressing security flaws over Wi-Fi. Cracking the PSK was way too easy, which led us on to reverse engineering the communication protocol used by the mobile app with the on-board Gainspan Wi-Fi module. The flaws range from trivial issues such as turning the lights on and off, through other methods of draining the drive battery, to preventing it charging. Finally, we found a way to disable the alarm, exposing the vehicle to theft. As the Wi-Fi SSID for each vehicle follows a specific format, it is also easy to geo-locate these cars on wigle.net, find a car at the owner's house, disable the alarm, etc.
Transcript

Thanks, nice one. Guys, quickly: so I'm Ken, this is Dave. Dave's the clever one, I'm not. This is some stuff you probably saw bits of in the press in the past. We've got some new stuff to tell you today: we've never disclosed the actual disarm codes for the alarm, so you get that fresh today, that's new. There's also some stuff that happened at the weekend on WiGLE which I thought was fascinating. So this is kind of the most detailed talk we've done; we've kind of skipped over the detail for fear of teaching people to steal cars, but we're going to tell you everything today. So feel free, and my car is actually

out front, it's parked there. Anyone wants to, after this we can go and do some live demos. We've got it all on video for today, but it's there, the Wi-Fi is enabled, I'll give you the Wi-Fi key and you can have a play if you want and turn my lights on, steal my car, great. So this is, that's actually my car, that's my Mitsubishi Outlander. You can see I did this talk at DEF CON because I'm using US terminology: it's a four-wheel drive and it's got battery and petrol and it's okay. They claim 32 mile range on leccy; they mean 18, I reckon, I've never got more than about 20. It's all right though because you

don't have the whole range anxiety thing you do with a pure electric car, because you can just drive it for miles on petrol if you want. Fuel economy is horrific. That 156 MPG they quote on the adverts, I do not know where they got that from; mine does about 30 miles per gallon on petrol because it's lugging around loads of batteries. I've got a Tesla on order, can't wait, that's a proper car. Background: we got into car hacking a few years ago. A buddy of mine bought an i3, got it really early doors, he got an i8 as well. We had a bit of a play around

with that and found a bunch of bugs in the way they do the ConnectedDrive implementation for the i-series vehicles. There's an extension to the i Remote app and it's nuts: you can force a password reset, it gives you a temporary password which is five lowercase alpha and you can brute it, and then once you've got the username and password you can provision another mobile app, locate the car and unlock it, which is just nuts. And disclosure with that didn't go very well; that's another story. Don't seem to have much luck with disclosure and car manufacturers, but there you go. So anyway, the Mitsubishi Outlander: it comes with a mobile app, I've got it here. It's

not currently connected to my car because the Wi-Fi range is shocking. That's it. What's really weird about this: anyone here got a mobile app for their car? Yeah, most of them use web services, APIs, mobile data, yeah? Right, this is really odd: it connects directly to the vehicle over Wi-Fi, so you've got to be in physical range. So one of the functions of course is finding your car in a car park, which is a bit stupid because you've got to be within Wi-Fi range, so 30 odd metres. It just makes no sense. The main function of the mobile app is, well, two big things, and the chap here who's got one clearly knows about this:

it helps you set up a charging profile, so if you want to charge up your car on leccy then you want to do it overnight on Economy 7 when it's cheap as chips, so it can let you set up a charging profile from your house. If it's cold in the morning obviously you can set the preheater and you can get it going so it's nice and toasty warm. Great, fantastic. But just really weird they've done it over Wi-Fi, which is massively limiting; the range on the Wi-Fi access point is shocking, about five metres. I mean, the car's just out there and I can't see it over Wi-Fi

right now, which makes no sense. And it does a bunch of other stuff, so you can set some preheat, pre-cool, turn the AC on on a hot day, that sort of stuff, great. This is very different to Volkswagen, Audi; some of the high-end Audis have got a Wi-Fi access point for internet access, which I still don't really understand because surely you just tether off your own phone or use mobile data, I don't know, it makes no sense to me, stupid. But the MMI systems, you often see Audi MMI as an SSID if you're out travelling; they're worth having a look at on WiGLE as well. So this is the stupid thing: obviously it's being done over Wi-Fi, you've

got to set up encryption, and they give you the SSID and PSK printed on a piece of paper in the manual, and this is really nuts: you can't change the PSK, it's factory set, you cannot modify it, but you can change the SSID. Which muppet thought of that? You know, let them change the bit that doesn't matter and not let them change the bit that's really important. Nuts. So got that, had a bit of a look, and there's massive issues here. So the first issue is the SSID, okay, so it's a very predictable format, we'll come back to that later. The PSK is static and short and really, really, really easy to crack:

so it's full lowercase alpha, but the char set's only 21 characters, not the full 26, and then it's six numbers, and we put that on four 970s and it cracked it in two and a half days. Now, yeah, whatever, it took a bit of a while, but of course you're cracking it offline, so you can go out, capture the handshake and then crack it and come back and you've got the car. If you want to do it quickly I suppose you can put it somewhere in the cloud, AWS or something like that; we priced it up at about a thousand bucks to crack on the fly using AWS, but yeah, that's a lot of money. People say yeah,

a thousand, a lot of money; 40,000 quid car, I don't know, kind of think that might work, make that investment, I don't know. So I hooked up to the connection, had a bit of a look at it and saw this. This was actually in the car park at my kids' school; that's actually my mate's Outlander, hence the different SSID, and just saw pretty obviously a binary protocol. So, looking interesting. We managed to fingerprint the Wi-Fi module as a Gainspan; that's always good fun, by far the most popular, great stuff. Gives you DHCP, gives you an access point, gives you a static address. A port's open but there's not really much going

on there we could find, but port 8080 was much more interesting, wasn't it? Yeah. So obviously we middled it there and had a bit of fun. Dave, this is the bit where he is... I'm doing this unrehearsed and on the fly, yeah, there you go, slides. This may [ __ ] up. So I'm not actually going to show any real demos here, so I'm just going to sort of go along the process. To do so normally, if you're trying to do internet things or hacking, you stick something like hostapd, make a fake Wi-Fi, sniff it. Can't do this: the AP is on the actual car. So I spent ages looking around trying to decode the

actual WPA sniff from Wireshark and I just thought, hold on, I'm on an Android phone, it's rooted, I can just run Wireshark on it. It's a program called Intercepter-NG, basically Wireshark for Android, it's great. So doing that, here we have basically the actual conversation. Looks a bit dull really; you can see some strings in here, like there's the AP name there and there's what looks like an address there and there's a VIN there. But when you do a hex dump you can actually start to see some patterns. So I assume people here have done bits of reverse engineering; you can start seeing some effects here. So here we have,

for example, the byte F2 and then the response to that is 2F, sort of a bit pattern. We got it again, F6, 6F, and if you notice, where am I going, there are actual length bytes here, so the byte after that is the actual length of the packet. So we can start adding all these things together, and you can start seeing, in a few ones, you're getting these F9 packets, sorry, the F6 packets, and there's always some data following it. So in this case we can see the set IDs, and we can add all this together, and actually add them, and what it does is basically it will connect to your car, dump all the variables from the

car and actually extract them and put them in a brand new file which is stored somewhere on your Android device. Where do you put those files? Which ones do you want? The files, they mean. Oh, it's in here, it's on the desktop. Yeah. Oh no, oh no, it's on the Windows box, isn't it? Oh, there you go. Is it? I don't know, let's have a look. We practised this, can you tell? You can tell this is well rehearsed and practised. I haven't got it on there, okay. We extracted the files off Android and it basically just dumps them all into a huge massive file which we can then

basically look through and get the information from. So a bit of reverse engineering showed us there's some important packet structure. Where's your next slide? There you go. Yeah, so here we have the basic packet structure: so we have F6, which is a common one for issuing a command; length of packet; the command, zero is saying I'm issuing a command, one is saying I'm doing acknowledgement; a command; one or more bytes of parameters; and then a check, which is basically everything added up mod 256, a very simple one. So light on, for example, is a command of 10, parameter of one. But there's a special one, which is setting, which is command type 15, and

that basically takes a set ID and a value to set on the car, so that one we'll discuss later. That specific one, 17, is an important one that we'll talk about later. Cool, that's where the fun starts. So this is the first place we got to; this was fairly straightforward and you can see this live if we go out to the car a bit later, and lights come on, great, fantastic. That was easy; we managed to figure that out quite early on. The next bit was the hard bit, yeah, that took a bit more time. So it's very easy to turn the lights on, you can do this in flight, you can go drive up behind other

cars and turn the lights on for them if you feel like it, that's quite good fun. Is there really a security consequence? No, drains the battery a little bit; they turn themselves off again after 15 seconds so it's no great shakes. The other thing you do, because you can set up a charging profile, the other thing you can do is you can actually then go to a vehicle and say right, preheat or pre-cool, which is quite good fun: if the car's out there on a sunny day you can actually really roast the hell out of it, or you can cool it down in winter, so it's really annoying. The other problem, of

course, you can keep it discharging all the time, so you turn up to your electric car and there's no battery power left, which is a little bit annoying in the morning, I have to say. So again, not really a massive significance; it's just, you know, you just drive it on petrol, it just doesn't matter that much. However, I'm afraid you're going to have to put up with me in this video. We then went a little further and figured out probably the most significant point about this, which is we managed to figure out how to turn the alarm off. Dave? And that's pretty much that string that I showed you earlier. Okay, so what we've done here, just to

wind the window down so you don't have to smash it. You can probably just about hear down here, so it's going off, right. Move on one, and then if you send it that, which we've never disclosed before, you then disable the alarm and you can then stick your hand in merrily, and it's all off, it's not working. And because you've got access to the interior you can also flip the door handle; you're in. So at that point things are getting a bit serious, and that's where we decided to try and disclose to Mitsubishi. They've still got a bit of a to-do on there. Once you've got access to the interior of the

vehicle you've got access to the diagnostics ports, so then you can code a key. Hey, that's the fun, got the car. You can either smash the window, which I haven't done because it's a bit expensive to keep replacing it, or you can actually pry the door frame open slightly as well, and if you've ever locked your keys in your car, I don't know who's done that, who would have done that, Dave? You can also get a feeler like the AA and RAC do; they can actually flip the door handle from inside, which is all right, it's a bit of fun. Yeah, we've actually scripted this up. Dave, do you

want to run to our nice lovely little script? So we published this; if you want it, we'll stick it on the GitHub at some point. Yeah, I'll stick that on the GitHub. So yeah, I'm lazy, I don't like repeating binary commands. I messed around for ages using different replayers and I thought, sod it, Python. It's not really that exciting: it basically takes a socket and then just basically takes it down to lights on, lights off, alarm on, alarm off. Yep. I'll admit, when we initially did this Ken wanted me to not touch the app because he wanted to make sure if we went to the States we wouldn't fall foul of

the DMCA or anything like that. Yeah, yeah, it's all in the app. So eventually, just after hacking around for ages, I just went to the app, and here is the decompiled app. It's not even obfuscated, and you'll find in, we want, yeah, we want basically 'cmd make', and here we have, in a class called 'def message', all the basic messages that can be passed. Not all of those are valid instruction strings and we haven't fuzzed it because if I break his car I'm sacked. There is another issue as well: the Wi-Fi connection is really, really flaky, only accepts one request every 15 seconds or so, so you try and fuzz it,

it's just disastrous, it just falls over, it's just not good. So everything you need to do is in there. Brilliant, he makes life so much so easy, which is just bonkers; everything you want to do, all the commands are in there. Right, so fixing it. So it's actually incredibly easy to resolve this bug: you can actually tell the Wi-Fi access point on the vehicle to switch itself off. The way you do that is trivial: you just go to the mobile app, this is why we disclosed, you can go to the mobile app and in the functions of the mobile app is 'cancel VIN registration'. That's the pairing process that connects

the phone to the car, and if you unpair all the phones from the vehicle the access point goes to sleep. You can only re-wake it by then pressing the remote control key 10 times, and that then puts the access point into a pairing mode again. So it's really easy to fix. We published that and said that we fix it with 10 presses; Mitsubishi then published a solution that involved pressing the remote 30 times. Okay, fair enough. The dealers apparently used that process when you sold a car to a dealer and they're reselling it: they go through this 30 key press thing and it resets the car back to factory, which is cool,

it's fine. The big consequence to this for me though is it's a Wi-Fi device. You know, most Wi-Fi devices sit on your shelf and they're routers; this one's got four-wheel drive, and you can use WiGLE, because you know the SSID format, to find them. There they are. We found about 6,000 hits on WiGLE for the SSID format, REMOTE whatever. Some of those on the road, most of them are parked at people's houses, and that's what I kind of like about this: you can actually use WiGLE to find a car to target, you can then go and find it parked at the owner's house, capture the handshake, crack the key and pinch

the car, which is a bit crazy. Right, now we did a pre and post. So we did, that's the three-week window on WiGLE before disclosure, and that was the three-week window after disclosure. So clearly a lot of people have turned them off when you've got 400 hits compared to 6,000, but still 400 Outlanders out there that we could see in a three-week window that had Wi-Fi enabled, which is crazy. I mean, you've got to be pretty nuts to leave Wi-Fi on your vehicle that allows it to be pinched. But there's a massive thing happened on Saturday: Mitsubishi approached wigle.net, the war driving guys, and asked them to suppress all the SSIDs of

Outlanders. Wow. And I thought, we were trying to think, is there actually a legitimate reason for, you know, WiGLE to actually support that? I couldn't see why they should. I just thought it was an interesting angle, you know, Mitsubishi going to an independent third party and saying can you not disclose these. And I suppose, actually, yeah, it's a ticket to go and hack a vehicle, so why not. I think we should talk about longer term fixes though. Obviously, being a Wi-Fi module, it does support firmware update. The problem is the update process comes from the mobile app, and they're expecting the consumer to stand by their vehicle and push a firmware

update to the Wi-Fi module over Wi-Fi. What? And this Wi-Fi connection is flaky, and so the opportunity to brick it is quite significant. We haven't finished looking through the binaries; there's very little debug information in there, actually there's no debug information. Yeah, so basically the binary downloads to the Gainspan module, which runs a couple of web servers, so it is actually embedded in the APK of the Android app, so you need to update the Android app to update it. Yeah. I think it's also worth talking about disclosure as well. This is a bit of a train wreck really. So we rang Mitsubishi and had a conversation with them and they said,

okay, can you send us some details of this? Yeah, of course we can. So we sent them everything we had: so here's what the problem is, here's how we think you could fix it, here's what we think you should do. And they said yeah, great, okay, and then they didn't respond to us. So we gave another call 10 days later and said what are you going to do, guys? And I kid you not, the guy said to me, we've had no reports of this in the field from anywhere in the world, we don't consider it to be an issue, we're not going to fix it. What? At which point I was utterly stumped, I didn't know what to

say. So I, over the course of a five-minute conversation, said well, I've got no other choice, because it's my vehicle and lots of other vehicles, someone else will work this out, this isn't complicated, we're going to have to tell the press. He said that's fine, speak to the press, we'll say the same to you as we will to them. Wow, okay. So I picked up the phone, called a couple of journalists and said look, you know, Mitsubishi aren't taking this seriously, what do we do, they're not going to fix it. So the BBC became involved and now Mitsubishi think it's a very serious problem, they're fixing it right now. What, really? In fairness, I think

the disclosure, subsequently, I think it came to them on the same day as they were going through their emissions scandal. I think they had a bit of a bad day, but there's still no excuse not to listen to a researcher who's got valid concerns. I mean, what should have happened obviously is we did the disclosure and you'd expect them to say yeah, great, you know, pretty much like GM did with the Jeep hack: yeah, got that validated, it's going to take six months to fix it, it's fine, okay, we'll keep quiet until then. But they didn't; they told us they weren't going to do anything. Yeah, right,

okay, brilliant. There's still quite a bit of work we want to do on this. It is my daily drive, so it kind of needs to work. So we've actually found the module, and in fact Mitsubishi have been quite good since then; we went down to see them in Cirencester, and there's just the sea of these Outlander hybrids with the Wi-Fi still running. Oh, what? Okay. And we spent some time, they'd got a car that had just been shipped in from Japan, so look, can you validate it on the latest software, latest version? It all worked, so it's all fine, so they know it's a serious bug. They also showed us in the end where

the Wi-Fi module was located: it's behind a panel, it's a body network module, clearly tier one. The next place you want to go is unmount that, but annoyingly it's stuck behind the entire boot liner; it's going to be quite a job to get it out. So work on that: get it out, scrape the firmware, see what else it's doing, see how it interfaces with the CAN, see what other stuff it does. Something we're looking at at the moment is there is functionality within the mobile app to pop the door locks, but we can't get it to work and we're not really sure why. We just sit there banging our heads against the dashboard. I

spent a day fuzzing that, yes. And just to make things easy, rather than store your SSID and PSK in the mobile app securely, they roll their own storage in an unencrypted SQLite database. Get in, don't you love it. There's also some other functions we've been investigating; that's one, 'change gun status'. I'm not quite sure what that's supposed to do, but we're kind of working, I think actually that means charge gun status, so is it plugged in at the wall. But yeah, maybe that's a special export version we don't know about, hey, bit of fun. So that kind of wraps up the car hacking stuff. I just cannot get over

how unbelievably straightforward this was. I mean, it was a couple of days of hitting our heads against wheels but we got there in the end. I just can't get over how simple this was; you know, this is a vehicle and we've exposed it to theft, it doesn't get much worse than that, does it? I really want to see if we can connect to the Wi-Fi modules and do more stuff while the car's moving, obviously a bit more risky, bit more Charlie Miller and Chris Valasek, that'd be quite cool. But I guess Mitsubishi will get it sorted soon enough; they did promise us a resolution and said they're going to

give us a shout once they've fixed the bug and let us have a quick look at the code, but they've still done nothing about it that I'm aware of, so instead they call WiGLE, God knows. We're going to, because we've got some more time, we've got what, half an hour? We're going to move on to do some stuff on IoT malware in a minute if that's okay. Anyone got any questions on the car stuff? Yes, the owner of an Outlander, my...

Yeah, if you press, so the sequence you go through is you press lock and unlock 15 times in sequence, one two, one two, yeah, it's really irritating, and the car will then beep at you, I think twice, and that forces the Wi-Fi module to unpair and shut power itself down. So it's actually fixed at that point; it does beep.

Yeah, there was a Dutch researcher came to see us at DEF CON and had got a little bit further than you but not quite where we'd got to. But yeah, so clearly people were realising, but this car's been on the market for three years; I'm amazed that nobody else had had a look at it and thought wow, that's nuts. Yeah, yeah, fantastic, well there you go. So I don't know of any other vehicle that uses Wi-Fi for the mobile app like this; if anyone does find one please shout, I'd love to have a look at it. I genuinely think they'd used Wi-Fi just to do the whole thing on the cheap. So setting

up, you know, a GSM module to do over-the-air comms, so you're thinking of a SIM card, you're thinking of some costings in from airtime providers, you've got an API to write, you've then got to host it; it's just much more complicated and costly, but you can do it on the cheap and make a real hash job of it by doing it this way. Get in. Okay, so the SSID you could change, but the PSK... could, yeah, still the, yeah. I've got a feeling the PSK is derived from the MAC address, which is what I've been concentrating on, because the ROM is built, basically the firmware for

the device is built directly into the APK, so I've extracted that, I'm going through, I'm trying to disassemble it. It's simple ARM code, it's relatively easy to disassemble, so I've been going through there to see whether I can actually work out the PSK and where it gets it from, which would be a story if I can manage that. Yeah, that's it, it's just, yeah, like you say, finding the time. Question at the back there: you haven't mentioned it, or maybe you have and I missed it, can you start the car? So you can code a new key if you've got the right module to plug into the onboard diagnostics port; you

can code a new key, so yes, you can then start the car. You can't start the car from the mobile app. Could you actually, could you recover the key from the data you got from the mobile app? Not from the mobile app, no. Yeah, so there isn't the functionality to start the vehicle. Some vehicles, you know, they've got the remote start to heat it up, but because you've got battery power from the onboard batteries you don't need that in order to heat the vehicle, so there was no function there for it, unfortunately. Great, any more questions? Yeah, question on the pre-shared key again: because you mentioned that it's stored in plain text in the app, yeah, but why does

the app need the key, because it connects to Wi-Fi already, right? Yeah, so you kind of, yeah, apps save more things than they need to save. Yeah, but what it does, it actually controls your Android wireless, so it requires permissions to actually change your network on it. So basically you go into the app and you'll enter the key and the app will change it for you. Pain, but that's how, it's a bit silly, but that's how it does it. Yeah, it's just, it's not a well written app by any stretch. No, it's quite flaky. Lots of the restrictions as well, like the app won't allow you to turn your

lights on if the doors, if the car's open. You send the raw packets, that restriction is gone. So that just has a little thing saying if the car's unlocked don't allow you to send this packet; it's all done client side, which is crazy. Yeah, yes, pretty much just making the classic assumption that you're only going into the interface of a car through the app. Why would you do that, use it as intended, hey? Cool, all right, we'll move on. Oh, question at the back: did you just get lucky when you bought the car? There is a story about that. When I did the original disclosure I talked through, actually, a friend of

mine had one, and I was in the car park at my kids' school and noticed an SSID, and he was the only other car in the car park, we were there late, and I said what's this, and he said that's my car, really. So we did the initial piece of research on his vehicle, but then when we got to the point of sending traffic to it we thought it's probably a bad idea if we accidentally brick someone else's car, so then we went and bought our own so we could brick mine instead, I know. Yeah, bit of a stupid thing. Yeah, that's definitely the most we've ever spent on a research project, I

I'll give you that. Cool. Lawyers, contact? Because we previously, with researchers, complain about vendors getting lawyers involved when you say you're going to go public. Yeah, so we have had no, nothing legal, for what it's worth. We went down, they invited us to see them as soon as the BBC made contact with them to validate the story. I think they then realised they'd made a major hash of it, but of course the BBC now had the story so they were going to run with it whatever. They invited us down, were actually really good, and we gave them a lot of advice and suggestions and things they could do, and I think, you know, I'd rather that would have happened

pre-disclosure, but they just weren't listening so we had no choice. Yeah, there's been no legal issues that I'm aware of, obviously touch wood, lots of wood, but we're talking four months back now, so, you know, heard nothing. I think there's a question, yes?

So the key coding device, last I looked it's about 400 quid, I think; it's actually relatively cheap. Andy's probably the man on that one. But yeah, the key coding kit isn't expensive, but getting hold of the keys is going to be more troublesome. But yeah, so you can still, it's just another couple of steps and a bit more kit. But the OBD2 port, which you need to use to get to it, is right inside underneath the driver's side and it's fully accessible. It's pretty much on every modern car, you can get to the OBD, that's one you can get to relatively easy because it has to be within a certain distance from the

driver. Yeah, cool. All right, cool, we'll move on a bit, guys. So I don't know if you saw, we talked at DEF CON about, you probably all saw our lovely thermostat with a bit of ransomware on it, and where this came from: I went to a talk at cescon actually, and there was a talk about IoT ransomware, and I was quite expecting it to be very technical, involved; it turned out it was quite theoretical, and there was no real proof of concept. So we've been having a look around and looking at various different thermostats, to see if actually we could do it for real, to

really prove the point, to see if it actually was possible, to see if there was a functional enough thermostat out there that we could actually get some decent malware running on. And I think during that research time we actually discovered there's a huge amount of stuff out there, some much more functional than others, and really the key to it is choosing the device that you think is going to be most likely to be vulnerable. We had to do this talk pre-disclosure in Vegas, so we obfuscated and redacted everything. These are now disclosed, although I have still redacted the vendor names from these because actually, in fairness, the guys whose one we put ransomware

on were actually really good; it's like a really unusual disclosure process, like yeah, thanks guys, that's cool, can you give us about four weeks to fix it and we'll do some new firmware. Cool, get in, unlike every other IoT vendor. I think one of the crazy things, we still start seeing with IoT, people buy stuff, and I think a great example of this was Nest acquired Revolv and then terminated it, so everyone who bought stuff, spent money on it, said nope, it doesn't work anymore, sorry. Interesting as well, reading the T's and C's, there's not that many T's and C's with IoT devices that actually say don't

reverse engineer this. Okay, cool, excellent, that's good fun, isn't it? And there's one, I've actually got it with me, this is the first one we had a go at, in my bag of scrap, where is it? So this is the first one we looked at. This was quite interesting because this is the one we talked about at Infosec, and it's got the JTAG ports enabled in live production devices. Why the hell would you do that? Surely, you know, one of the things you do in production kit is you disable all non-essential IO, just get rid of it. It's got a Wi-Fi thing, it's a nice colour screen, it's no OS,

nice and easy. It's quite custom, it's actually quite a nice bit of kit; I would recommend this one when I can tell you the brand it is. We couldn't find a remote code execution, but to kind of prove a point we messed around with it and discovered, yeah, you can actually change the splash screen and tell someone that hey, we locked your thermostat out. That was really a very basic proof of concept; it wasn't fully functional, okay. It proved a point, but it wasn't functional ransomware, it didn't really do it, so we had to try someone else, and that's this one. Dave, have you got one with you? Yep, I've got one. Now there is a reason why I have

this exciting-looking bit of electronics here, and I assure you this is totally not electrically safe. Okay, so, I don't know whether any of you have messed around with thermostats or anything to do with heating in general; they generally tend to be low voltage so that you don't need an electrician to change them, hence why I've got my DC power supply. So I'm actually going to boot this up here. Here's the thermostat and I will be booting this up now... screen thing... oh no, I'm still live, that's good. Not the boot screen? Yeah, cool, it works. That's just going to boot, because I'm going to need that in a bit. Yeah, so if you're looking around

for stuff that you think you're going to be able to get some code execution on, I'd go for something as functional as possible, and a good clue to that is just seeing how good the screens are, how good the displays are, is it running some sort of Linux-based OS, because if it is, you're going to have lots of functionality, and that's where we got a bit lucky with this one. If you're going to do some research, one of the first things to do, frankly guys, is don't even bother getting your screwdriver out: just look at the FCC website. Everything's there. They've got photographs, everything that's needed: boards, the chips, chipsets,

everything's on the FCC website. Just go and do a search and you'll find everything you want. You don't need to start breaking things, removing seals; it's all there, it tells you exactly what to look for. We took one apart; in fact we're taking lots apart now, actually might have bricked a couple of them, but that's another story. Nice and functional, actually quite nicely designed and built, quite like that, lots of stuff to play with there. Now it starts to get interesting. Dave? So essentially it's a Linux-based IoT device, so you've got everything built in: you can get in through U-Boot, you've got BusyBox, you've

got ash; it makes it a bit harder to shell but it's still there, it's not quite as easy as bash. By default there's nothing actually open. There is an HTTP API but it's a bit pants, and it's a cloud service for remote connectivity. So basically it connects to a PC application, through the web interface, which uses AIR. Now, has anybody actually used AIR before? AIR is basically the desktop equivalent of Flash, and we all know how secure Flash is. So everything that it writes can be used through the SD card that we have there, and then you go up into the actual device itself. Yeah, the idea

is that you use the AIR app because it's much easier to program a schedule than it is by trying to do it using the on-display stuff. Is it not working? The gods are cursing me today. Excellent, okay, reboot it. So that looked like a really interesting way to go. It's just easier to program it this way, but they really didn't think too much about it, and the slightly scary part is the firmware is in the AIR app. Get in! Okay, so that makes life nice and easy; it means we don't have to mess around: you can pull the binaries, binwalk it, that's it, job done.

Okay, so we've got the file system, which just makes life so easy. Everything we need is on there. It was one great big binary, which is unusual, fair enough. Running as root, unsurprisingly. Dave? Essentially it's the old thing: don't run things as root. So it basically loads files directly from it. You can read what it says on the screen there? Yeah, sure. Run it through JS Beautify and you start to get, you know, much easier stuff to read. Lots of commands executed running as root, and there was no validation. That particular one you see there, exec command line, no validation, so you can inject commands. Joy, we're in. It's all

right. Actually, when we were doing this, I haven't screenshotted this, but going further through you started finding all sorts of other random stuff in there, some code, some stuff saying "if SSL failed, that was the [ __ ] SSL command." Okay, wow, he didn't expect his code to be read by somebody else. Yeah, the challenging bit was actually getting root, so we just put ping everywhere to see if we could get any sort of commands out, and boom. What you're seeing here is basically the SD card to update the screen saver, so there's a screen saver, you can upload it to a gallery so you can have, like, a screen

saver showing your kids or your dogs or whatever you need, as if you really need a screen saver on it. Now, the first one we found we can inject on was the name of the boot image, so when it shows you the pretty screen, you can inject on that one. We reckon there were loads of other injection points, but we couldn't be bothered to find them because we found the one we wanted; it was all just fine. You want to get a shell, so netcat: cross-compile it so it runs nice and easily, and then, although you don't have much space to run stuff, we did that and it got netcat and we were there, had

a shell and it's all working. Dave? So yeah, it's pretty much get a shell, telnet in, you're in there as root and that's it. Once you're in there you can persist your thing. Unfortunately the actual stat here did have the hack on, but then I cocked it up, so just in readiness we actually have a screenshot here of what it should be saying. So this is the hacked screen. This is actually on the screen saver, a sort of way of fixing it, because, well, don't try and do these things live and then accidentally nearly brick your device. So the way we constructed the malware

was quite simple. It's got a lock PIN, to keep the kids out and stop people messing around with it; there's a four-digit PIN that locks it. So what we did was just change that lock PIN remotely every 30 seconds, so the user is never going to be able to get back into it, and throw up a comedy image saying "we've locked your thermostat." It uses IRC, old school, it works, and off you go, and that is ransomware running on our thermostat. It's local: you attack it over the SD card; it's not remote code execution. I don't think we'd have just disclosed this if it had been remote.

Yeah, you've got to attack it: you've got to get the user to try and install it for you, or maybe you compromise their device, compromise the supply chain, or try and resell these through third parties. Yeah, there's also some additional functionality on that. There's a commercial version of this stat and all the functionality is local; you can upgrade this to full commercial functionality locally, so you don't need to do anything to it, which is nuts. And there you go, we're all in. That was it. What would have made this hard for us? First of all, firmware really should have been encrypted so we couldn't mess around with it. Firmware is

not signed, so really, come on guys, this is 2016, sign your firmware. Basic principles, come on: validate, validate, validate. But we're still finding it in live production devices, and yeah, people say "it's only a thermostat", but that's not the point. The point of this was about the fact that you can do this on functional IoT devices; it could have been anything. We did it this way because it's funny, no other reason. But it would have been so straightforward to resolve that. We disclosed all this to the vendor, they're fixing it right now; I'll be interested to see how long it takes them to actually get some code out. There

we go, that was thermostat ransomware. Any questions? Fine by me. Cool. And you came here for the car? Yeah, there's a blog if anyone's interested in that; it's all blogged up on there, as soon as we can, as soon as we... yeah. [Audience question] Have you contacted any of the manufacturers and asked them if they've actually proactively done any testing of their stuff? I know I might be living in a dream world, but I've got a smartphone, so I sent a question to the vendor and basically they referred me to, like, electronic testing, electrical safety testing, and said "yes, we have tested it, it's all fine." It's all just with you.

So I mean, as I'm sure you guys know, we work on lots of other IoT shite as well. I brought my Wi-Fi kettle along, I brought the swearing doll along, and no, I'm not going to get that out. There's also some other things in my bag; there's also this Ring doorbell, and I think it's quite interesting actually to see those IoT vendors who are actually all over it. So Ring are actually quite good. I don't think everyone can get security right first time every time, but they responded within a couple of hours of us notifying them, and they fixed it within two weeks and deployed firmware to the installed base over the air, which is brilliant,

fantastic, well done Ring, good job. Although somebody has since found another vulnerability that was disclosed at DEF CON. So my experience of contacting IoT vendors, and I don't know, it's probably remarkably similar to the rest of you who've done IoT work, is they just don't have a bloody clue. You ring up, and when you try and get hold of somebody to have a sensible conversation with, you discover that actually it's two guys in an office in Carshalton in Surrey, and everything is subbed out. All they do is take the product to market; it's probably produced in the Far East somewhere, they booked the production slot nine months ago, and even if they

did want to engage and talk to you and resolve it, they can't stop production, so they're going to ship it anyway, irrespective. And if, like the kettle, there's no way to over-the-air update it, what do they do? What choice do they now have? A security researcher comes along and says your product's got a problem; they go "we can't fix it." The choice is carry on or go bust. What do you do? For IoT manufacturers it's a difficult game. So to answer your question: my experience is the majority of IoT manufacturers don't have a Scooby-Doo about security. Broadly, and this is a really broad way of looking

at it, is that I think the brand names that are getting a lot of attention, so for example Nest and Hive, have had a lot of attention; they had fails in the beginning, but I think they're broadly getting better. My personal experience is it's the me-toos: so someone sees, you know, Nest has created a brand in smart IoT gear, and it's the knockoffs where the real problems are, because they're coming in at a much lower price point with similar functionality but have completely forgotten security. So that's how you find bugs in these stats. There we go. Any more questions? [Audience question] You need to physically change an SD card; why is that different to, like, a Windows laptop where you can boot Linux from a CD?

What's the vulnerability? The big difference with that one is you can actually do that from boot. So yeah, you'd need to actually unlock the Windows device to actually run the SD card from that. Yeah, so it's not the perfect way of doing the ransomware; it would have been a lot nicer to actually infect over the air, but you can potentially prime it in advance if you want, or just go... yeah, it's not perfect, but it proves a point, I guess. We have got another one that Dave's got at the moment which we think we can get remote code execution on, but we haven't finished the work on that one yet. Yeah,

that one uses mains power, so I'm only working with that in my garage, where there are like two RCDs; in the house my wife would seriously kill me if I, yeah, blew the electrics. Yeah, so keep an eye out; if we do succeed we'll disclose to the vendor, hopefully they'll listen, and yeah, see how we get on. Any quick... [Audience question] Some of the thermostats, the actual thermostat itself is pretty dumb, it doesn't have Wi-Fi capability, but there's a hub which is a separate piece of kit; is that something you've looked at? So there's a really interesting one actually. That amazing security vendor VTech do a home IoT hub. They're not

shipping it in the UK yet, which is a real shame because I want to get my hands on one of those. I mean, VTech, it's bound to be bulletproof, right? So yeah, to answer the question, yeah, you're absolutely right, it's another vector, another way in. Yeah, just so you know, if you're interested in this stuff, just jump on Amazon and spend a few quid buying some likely-looking gear and just have a play: get a JTAG, have a go, see if you can get the firmware, and go and own some devices. Any more questions? There, guys, at the back. [Audience question] Android TVs? Oh, funnily enough, we've got two, yeah, we've got two of them. I don't know

whether you saw the BBC article, that I actually was on TV and everybody texted me saying "you're on TV"... It was basically where we did an app that listened in to you and then passed it over to my web server in the background and actually told me what you were saying. That works on the Android TV, so we actually had a demo set up for that for Infosec, but it didn't work, too noisy, so we couldn't actually try anything. But yeah, Android TVs are Android in the background; it's very easy to actually install apps on them. Yeah, we spent some time at DEF CON looking at another

smart Samsung fridge. That's really interesting, but unfortunately it was running Tizen, which I just don't know enough about. Last year's was much easier because it was running straight Android. Good. Any other questions? Cool, thanks guys.