Daniel Crowley: So, the title of this talk is Home Invasion 2.0, and we are going to be talking about smart home technology. We envision that Home Invasion 1.0 is a guy breaking into your home and stealing a TV, you know, standard sort of stuff. Home Invasion 2.0 is what happens when you hook all sorts of things up to the Internet that you really shouldn't, or that you really should think about a lot more. Before we start talking about all the stuff, I'd like to take a moment to introduce ourselves and explain just very briefly why you're listening to us, and not some guy trying to sell you water on the sidewalk, about these devices.

Daniel Crowley: So, my name is Daniel Crowley, AKA unicornFurnace, and I am a managing consultant on the application security services team of Trustwave's SpiderLabs division.

Jennifer Savage: My name is Jennifer Savage. I am a software engineer and a security contact for Tabbedout. We make a mobile app that lets you pay your bar tab with your cell phone, so, a bit of a hard space for security.

David Bryan: I'm David Bryan, senior security consultant with Trustwave SpiderLabs. Penetration tester.

Daniel Crowley: So why are we here?
We're here to talk about smart home technologies. What I mean when I say a smart home technology is various devices in your home that are not traditional network-connected devices like laptops and smartphones and printers and scanners and things like that; more odd, non-traditional devices. So we're gonna talk about what some of those devices are in a moment. Anyone here like science fiction? Show of hands? Excellent. So, my favorite kind of science fiction is dystopian science fiction. For those of you not familiar with the term, dystopian science fiction is about a world which has some sort of technology that has gone awry. So some dystopian science fiction is very serious, like "1984", although that's not exactly science fiction, but some of them are very, very tongue in cheek. There's a movie that we heard about from several people where, you know, it's like a smart home and it starts attacking and trying to kill the people in it. There's a scene with, like, a garbage disposal or something. Anyway, we have yet to see it, and if anybody knows the name of the movie I would love to know that, 'cause I really wanna watch it now. Anyway.

(audience member, inaudible)

Daniel Crowley: What is it? It was iRobot? Fair enough, okay, yeah, I didn't wanna see that because it looked like they completely ignored Asimov's book. But anyway. So anyways, usually dystopian fiction tries to serve as a warning for the future.
Because science fiction often becomes science fact. All of you probably have cell phones in your pocket; if you are smart they don't have Wi-Fi or Bluetooth enabled, and if you have a CDMA phone here, maybe it's smart to just turn it off entirely. But that was originally from the Star Trek communicator, so pretty badass, right? But science fiction becomes science fact, and dystopian science fiction usually serves as a warning to people who would make these technologies as to the considerations that they need to take into account when making these devices. Unfortunately the push to be the first to market with the device, with some new technology, often gets in the way of listening to these warnings and making the important considerations, and this seems to be the case based on our research. We took a look at a subset of the devices out there which connect to a network in your home. We're not going to be discussing every technology, because there are a lot of them, and some notable ones that we did not include in this talk. There is an Android-powered oven (laughter), because there's never been any problems with Android. And an oven is perfectly safe.

Jennifer Savage: Mom, I jailbroke the oven.

(Laughter)

Daniel Crowley: So, smart TVs. There were some talks at Black Hat about smart TVs which were kind of interesting.
IP security cameras. But this is just a sample of these things, and it's wide open. There doesn't seem to be a lot of review on this type of stuff, but hopefully this talk will inspire you to go out and take a look at smart home technology, if any, that you have in your home, or maybe your friend's home.

Jennifer Savage: So right now on the market, like Dan was saying, we have locks, thermostats, fridges, toilets, lights and toys. But in the future we are going to have entire smart cities. They're building one right now in South Korea. It's called Songdo. Cisco is involved in the networking there, but they're describing it as a place where you can walk up to a window, and the window is actually a screen you can interact with. You can call home, talk to your kids. The city will schedule your day for you; it will schedule buses leaving and arriving and everything. I would love to go to test that. I don't know about the rest of you, but I think that it's an absolutely awesome place to go and hack, if we could get permission to do that, right?

So, I'm going to talk today about a toy that was in my daughter's room. I have a daughter whose name is Ada. She is almost 2, she'll be 2 in a month, and this is a toy I bought when I was a very busy mom, still breastfeeding, not getting enough sleep, and I wanted to be able to go in the other room and check on her.
And do it through my laptop and take a nap and make sure she was still asleep in her crib and whatnot. It has a camera in it and a microphone, so you can do that with this. It also has a speaker; ya know, you could program it to wake you up in the morning, to tell you when it's lunchtime, all kinds of stuff. It has an RFID reader, and little RFID toys that she can run up to the bunny and hold up to the bunny; it will read the RFID and it will do whatever you program it to do through their online interface. Additionally, it has a USB port in the back, a little bunny tail USB, and this is how you program it to connect to your Wi-Fi network. It occurred to me, when I was no longer a sleep-deprived mother, that I needed to test the security of this device that was in my daughter's room. And I found a lot of problems with it. So, the first one is that in order to set up the Wi-Fi network you enter your SSID and password into their web interface, and it's transmitted completely unencrypted, no SSL, to their servers. The API calls that are used in order to communicate, for instance between the iPhone app and the Karotz servers and the Karotz itself (it goes from the interface to the Karotz servers to the Karotz), those API calls are completely unencrypted, no SSL, as well, so you can eavesdrop on them.
The setup package that you download, you download again over an unencrypted connection. There is code signing, so they did something right here. But the code signing, there is a way to bypass it, using a technique I call Python module hijacking. It's a little-known attack and I will teach it to you today. So, what you're looking at here is a request made through the Karotz API for the video stream from the bunny. It has an authentication token that's one-time use. It doesn't make sure that it's always being consumed by the same IP address, so you can literally just copy and paste it out of Burp Suite, for instance, or anything else, and put it into your web browser and spy on the video stream. That was the first major problem. I would do things like go to the coffee shop, open up the iPhone app and check on my daughter, make sure she's still asleep, and I would use the coffee shop's wireless without having tested to make sure that this connection was over SSL. So, if you're a parent, you might be really scared to hear that was happening. I know it freaked me out. Here's an example of viewing the video stream just through the web browser.
So, if you happened to have a connection between the Karotz servers and the ability to be able to eavesdrop on a connection between the servers and the person downloading the Wi-Fi setup script from the Karotz servers in order to set up their bunny, and you can MITM that connection, you can replace the download of the setup script with your own setup script, and in that version of the setup script you can get around the code signing using something called Python module hijacking. So if you have ever done DLL hijacking or an LD_PRELOAD vulnerability: basically Python has something called the Python path, and your Python path is a list of places that Python will look for the modules that you import. So the first place that it will look is always the same directory that the script is in. This is a problem, because as an attacker I can place a Python file that has the same name as one of the modules that is used by your script in the same directory as your script, if I have the ability to do that, and your script, when it runs, will run my modules under that same permission level. So I can get it to run my code.

Daniel Crowley: What's nice about this is the setup script is signed using GPG and they check the signature before they run it, but this technique doesn't require modifying the code, as Jen said.
Jennifer Savage: Right, so the code signing doesn't check the modules, so that's why this gets us around the code signing. Now, interestingly enough, the autorun Wi-Fi script actually uses a simplejson.py; it imports simplejson and it never uses it anywhere in the script. It never uses anything from that library in the script; I don't know why it imports it. We were able to just create a simplejson.py file that did what we wanted and throw it in the same directory as the setup script we downloaded, and we had a bunny break.

So, just to recap, an attacker could man-in-the-middle the insecure connection to the Karotz server, replace the user's download with their malicious version, use a vulnerability to make the Karotz run their code (that's the module hijack we just went over), and potentially have a bunny botnet on their hands.

Daniel Crowley: There is also potential for a tag-and-release attack where you get the Karotz, buy the Karotz from Amazon or eBay or whatever. Just buy a whole bunch of these things, root all of them, because when you go through the setup process a second time not everything changes; it's not like you wipe the whole thing when you go through the setup process. So you could own a whole bunch of these things and then sell them on eBay or return them or something like that. So you've again... bunny botnet.

Jennifer Savage: Right. So, I think that's a slower method, though.
But, real quick, we're going to display a video in which we eavesdrop on the video camera on the Karotz.

Karotz for the iPhone, the Karotz controller app. I'm going to move the Karotz ears using the app; this will send the request via the Karotz API to the Karotz server and then the ears respond by moving. Now, I happen to be eavesdropping on that request, over here. If I look at the request itself, I can grab from it an authentication token. It's a one-time use token, but what I found is that I can reuse this, actually, and use it to capture video instead. So I am going to grab the interactive ID and the one-time use token, copy it, go over here to my web browser, paste it, and change the action. So here the action is ear moving; we are going to change the action to webcam. It's going to be webcam, action equals video, enter. And now, in the machine that I am using, I can eavesdrop into the Karotz. I get a handy-dandy welcome feed. Hi guys!! So, this is eavesdropping on the Karotz toy's webcam. Suddenly, the bunny becomes really creepy, right?

(Laughter)

I thought it was cute before. My daughter still thinks it's cute and we leave it in her room unplugged, and she runs up to it and hugs it and stuff, and I'm like, thank god it's unplugged.
I wanted to mention the fact that if you're eavesdropping there is a start and a stop request that gets sent as part of the API calls. After the stop request gets sent, the token is no longer reusable; however, if you are MITM-ing the connection you can drop that stop request and instead continue to send something called a keep-alive request. At that point you just have control over the bunny going forward, as long as you maintain your keep-alive.

Daniel Crowley: So, this is a product called the Belkin WeMo Switch. First of all, I'd like to say that Belkin was real cool about all of this. We were going to contact Belkin and tell them all about what we found, but they actually fixed everything before we could even tell them about it. So, good on them for that.

(audience member, inaudible) (Cheers)

Yes, thank you, and what's more is they actually sent guys to our Black Hat talk and they approached us and they told us, hey, thanks for finding this stuff. By the way, we have a program where if there are people finding security vulnerabilities in our stuff we can get them products for free, so that they can do more testing, because they recognize that we are doing free work for them.

(Applause)

Yeah, so, thank you Belkin. But the Belkin WeMo Switch is a cool little thing.
It's a little box with a plug, male and female electrical plug. You plug the back end into the wall and plug something into the front end, and then whatever you've plugged in, you can turn that on and off from a network using an iPhone application from Belkin. And the way that this works is over a protocol called UPnP. Has anyone heard of UPnP before? Right. So, UPnP was designed for network auto-configuration, so as a result you can't have zero-interaction auto-configuration if you have to put in a username or password. So UPnP as a protocol does not require authentication; it doesn't involve authentication. So, that's interesting, right? So what this means, because the interaction is via UPnP, is that you can control the functions of this device so long as you are on the same LAN as it. So Belkin doesn't have what I would consider a proper fix for this yet, but what they do is, in the iPhone app, as soon as you use it for the first time, it tells you, hey, just so you know, anybody on the same network as you can control it, so be careful where you put it. So, it's not a proper fix, but they're at least giving enough information to the user for them to make some security decisions or understand the potential risk that comes with being able to control this without any authentication. But on top of that, in an older version, they had a vulnerable libupnp library, which meant remote no-auth root.
So, pretty cool stuff. And this is just a little Linux box, it turns out. So you could turn this thing into a point of persistence on the network. A friend of mine I was talking to about this, he was saying, man, this is funny stuff, because if you're a forensics dude and you're trying to investigate a breach you're probably not going to look at this little box on the wall as the source of attacks. And this thing hooks up to your Wi-Fi network, so you could do maybe sniffing, depending on what kind of card is in there; I haven't honestly found out. You could at least launch attacks from it, if you were to compromise it. So, interesting stuff there. I'd like to show you a little demo here, if it works.

So the demo gods really hate me.

Video: So we're going to talk about the Belkin WeMo; we're going to show you how to turn this on and off from your computer. So, the WeMo is an electrical outlet that you can control over the network with a protocol called UPnP. So Nmap has a nice NSE script called broadcast-upnp-info, which tells us all the hosts within multicast range that will respond to a UPnP query. So, it gives us the descriptor XML file for each one, so I'm going to take that and feed that to a tool here called UPnP Request Generator, and that goes through and enumerates all the devices, services and actions and organizes them into various directories.
So, we want the basicevent service, because that has things that we want, like SetBinaryState, which turns the WeMo on and off. So we're going to set binary state. (Inaudible) The POST request that the UPnP Request Generator has made, and we're going to give that to Burp Repeater so that we can make that request, and I need to change this to either a 1 or a 0. See, it's boolean here, and we can see by the fact that there is no illumination...

(Video cuts off)

The demo gods hate me because this box broke two hours before my Black Hat presentation, so I went to a backup video demo and it stopped like this. I have the video, but we'll skip that, but we have more demos to show you.

Jennifer Savage: So Sonos is a sound system, and basically this is a bridge device all these speakers connect to, and your laptop or mobile phone connects, they connect to the bridge, and it goes out to all the speakers over your house. So, pretty handy, and there is an active community of people hacking on their own Sonos and the Sonos forums, and it's a fun little community of people. The issue I have with the Sonos is it spills excessive information about your controller, so if your personal laptop has music on it and you're using that for anything, really, besides controlling the Sonos, all that information is kind of... here, I'll show you.
So right now we're looking at a list of network shares on my machine and their permission level, their UID and group ID, and is this netstat? Why do I need to look... why is the web interface exposed on the Sonos bridge showing netstat from my personal machine I installed the controller software on? Why is it doing that? Everybody on my net can see this information. This is the process list, I think. This is the process list from my personal machine. The list of users, I think, from my machine, ifconfig, and whoami, who am I running as? You get the idea. It's excessive and it's useful information for an attacker.

So we said there were smart toilets out there. (Laughter.)

You called this one. So there is a toilet called the "Lixil Satis". It's a company in Japan; the name of the toilet is the "Satis", and it has an associated Android application which controls this toilet over Bluetooth, and there are several interesting functions on this. You can open and close the lid, you can make it play music, you control the flushing function, there is an air blow dryer from underneath, there is a bidet, and you can control all of this from your smartphone. So, as it turns out, there is no authentication within the Android application. We didn't buy a toilet; I would have loved to have made a bidet "spray" on stage, but it's $6,000. I'm not buying a $6,000 toilet.
But we looked at the Android application and there was no username and password; there is nothing for setting up a username and password. We looked at diagram after diagram of information on the control panel; there is no place to enter anything, there is no keypad, there is a series of buttons for things like flushing. And also the app is weird! (Laughter.) There is a default Bluetooth PIN of 0000, and there are a whole bunch of these. I understand why it's a pooh, because it's a toilet, and I understand why it's blushing, because it's Japan! (Laughter.) But I don't understand the police hat. (Laughter.) So this is a "Poohliceman", and there are several of these "Poohlicemen" and "Poohlicewomen" as well in this Android app. It's in a diary, or a "log", of your bathroom activity. The jokes write themselves, they really do. I was trying to figure out how to slip this one in, but I can't, so "fuck the Poohlice". Let's talk about the INSTEON Hub. Let's say the toilet starts screaming at you and sprays water up your bum.

David Bryan: The INSTEON Hub. I purchased this product back in December of 2012, so just last year, got it, set it up on my network, installed it and paired it to the INSTEON devices I have. INSTEON is essentially a home networking, home control device, for home automation.
Once I got it set up in my network, I installed the iPhone app, turned off the Wi-Fi on my iPhone so it would go to the data networks, ran tcpdump on my firewall so I could capture the traffic, and what I discovered is very disturbing. A, it has no encryption, so anybody in between me and the Internet, which is a lot of people, could technically see what I'm doing, right? The other thing I discovered was that it has no authentication. Right? Out of the box this thing allows you to pull up a web interface and talk to it without setting authentication on it. What I did is I emailed support and I'm like, okay, here is this box, I can't put any username or password on this, how do I enable this? And they emailed back saying "you don't have to worry about that, because our cloud application takes care of that." No, fail!

The other thing that this device allows you to see is time zone, because you have to know when sunrise and sunset are, because you have to turn on devices when it's dark out. That was disturbing because I found people tend to name these with their address or last name. I did Google searching after that in January and went, oh, this is creepy. The fact that I could go to some city and basically find these devices and control people's homes.
This is also a device that can connect to garage door openers, door locks, alarms, motion sensors, surveillance cameras. It's pretty creepy. They did fix this in what I would call a product recall, because in March of this year I got not one email but two, and shortly after that they followed up and called me, which I thought was weird. I've never had a vendor call me, and I said, oh, I suppose I'll take the new version. So I did grab the new version, and about three weeks ago or two weeks ago I plugged in the device and started looking through it, and they at least have "auth" on it, but it still accesses cell. They have hard-coded a username and password; it's base64 encoded and it's the INSTEON ID of the hub, which is the last three digits of the MAC address. Anybody see a problem with this? So I thought that was bad. Really, what you could do is, from the Internet, because all these systems, in order to be able to control them from your iPhone when you're on the road, you have to port forward that port, so from the Internet an attacker could easily run an attack that runs several days trying 16 million combinations. That's not hard at all! I actually attempted this with Burp Suite and it doesn't have any back-off, so it kept going: wrong PIN, wrong PIN, wrong PIN.
Daniel Crowley: Next we're going to talk about a little green and white box called the VeraLite. It's similar to the INSTEON Hub; it's another home automation gateway. It hooks up your Ethernet network to your home automation network, either with Z-Wave, X10, or a mix of these, and it allows you to control it. This is a neat device; you can hook it up to a whole bunch of stuff: door locks, garage door openers, carbon monoxide sensors, flood sensors, HVAC controls, all sorts of things. A lot of stuff! As it turns out, it's got a lot of problems. So just to start, there is no authentication on the web console by default, which means that any Tom, Dick, or Harry who can get on your home network can control this with a web browser. You can set a username and password, but it has other issues that make this irrelevant. First, their authorization, user roles. You have a guest user and an admin user, and there is an information-only user which can see but not control devices; the guest user can control devices but not make permanent changes, and the administrator has full control over the device. So as a guest user you can update the firmware. The firmware is not signed! (Laughter.)
It's in a SquashFS package, you can backdoor 292 00:31:26,039 --> 00:31:33,039 it, rearchive it, and then backdoor it and the vendor said all of these things were features 293 00:31:36,649 --> 00:31:40,120 until yesterday when they e-mailed me after my Black Hat talk and they want to work with 294 00:31:40,120 --> 00:31:47,120 me now! We saw your Black Hat talk and several news articles and we would like to work with 295 00:31:48,960 --> 00:31:50,000 you. 296 00:31:50,000 --> 00:31:56,419 There is a settings back-up option where you download an unencrypted archive from this 297 00:31:56,419 --> 00:32:03,419 with several include files and in this embedded version of Linux it contains the hashes, so 298 00:32:04,580 --> 00:32:11,580 there is no shadow and you get the hashes for all users, including root so you can crack 299 00:32:11,899 --> 00:32:16,990 the password and SSH in as root and you get the root for any passwords set 300 00:32:16,990 --> 00:32:23,570 on the web interface and the passwords that you set locally get synced with their 301 00:32:23,570 --> 00:32:28,519 third-party server, for remote access, so owning it locally means that you have control 302 00:32:28,519 --> 00:32:34,480 over it, over the internet now. So that's lovely. You also have -- and this is 303 00:32:34,480 --> 00:32:40,370 my personal favorite a little bit of functionality which allows you to test Lua code, so you 304 00:32:40,370 --> 00:32:45,970 can run a little bit of Lua code on the device from the web interface as a guest, and can 305 00:32:45,970 --> 00:32:52,970 anybody tell me what user account it runs as? Root! That's lovely. 306 00:32:53,899 --> 00:33:00,899 There is path traversal, so you can pull any file you want. You can get passwd, crack 307 00:33:02,679 --> 00:33:08,190 the hashes, SSH in as root. 
There is cross-site request forgery so you can trick somebody 308 00:33:08,190 --> 00:33:15,190 into performing the nasty functions on the web interface using cross-site request 309 00:33:15,899 --> 00:33:22,899 forgery and on that note there is a UPnP interface which doesn't require authentication so you 310 00:33:25,429 --> 00:33:32,200 can control all these things and there is a run Lua action on the UPnP interface and 311 00:33:32,200 --> 00:33:37,399 when you're on the same network you have a way to control this thing to run code as root, 312 00:33:37,399 --> 00:33:44,399 just straight up code as root using UPnP. No user name and password required even if 313 00:33:44,960 --> 00:33:49,480 it's required on the web interface. If that wasn't bad enough they have vulnerable 314 00:33:49,480 --> 00:33:56,480 versions, that you can root. There is a server side request forgery problem, so there is 315 00:33:57,889 --> 00:34:04,490 a script called proxy.sh, which takes the URL, visits it, grabs the response and gives 316 00:34:04,490 --> 00:34:10,070 it back to you, so you can use it as a proxy. And that's not bad because who cares there 317 00:34:10,070 --> 00:34:14,330 is all these other ways to compromise it and it's not a terribly big deal. It should be 318 00:34:14,330 --> 00:34:21,330 fixed but it's still not a terribly big deal. The way the remote access architecture works 319 00:34:26,210 --> 00:34:33,210 is that each VeraLite unit runs a third-party connection run by the manufacturer and so 320 00:34:36,440 --> 00:34:40,870 when you do that you port forward, it SSHes and port forwards on the forwarding server 321 00:34:40,870 --> 00:34:47,280 back to each unit. 
Which means if you can bypass the firewall on the forwarding server 322 00:34:47,280 --> 00:34:54,280 you can directly access the interface and which means ownage, and you can own every 323 00:34:56,540 --> 00:35:03,540 VeraLite that is out there, that's not good, because firewalls are impenetrable, right, 324 00:35:03,750 --> 00:35:10,750 guys? The proxy script that we talked about that allows you to use the VeraLite as a 325 00:35:11,870 --> 00:35:16,400 proxy also appears to exist, appears, and we can't test it because of the CFAA and we 326 00:35:16,400 --> 00:35:23,400 don't like prison, we can't test it but there is a script called proxy.sh.php on the forwarding 327 00:35:24,530 --> 00:35:31,180 server which takes the URL and guess what? Same thing -- proxy.sh. So there is a 328 00:35:31,180 --> 00:35:38,180 good chance that this is just a wrapper around proxy.sh or just a recoding in PHP which means 329 00:35:39,890 --> 00:35:46,160 that they have the same vulnerability, then you can talk to it and say I want you to fetch 330 00:35:46,160 --> 00:35:53,160 whatever port, which means that you can bypass the firewall, accessing every VeraLite. Now, 331 00:35:53,720 --> 00:36:00,720 that's if they're the same and I'm not sure but it strongly looks like it. Just to summarize 332 00:36:01,260 --> 00:36:07,180 we have three methods of authentication, we have seven methods to gain root, two attacks 333 00:36:07,180 --> 00:36:12,950 are remotely exploitable because you can use CSRF in conjunction with the UPnP interface, 334 00:36:12,950 --> 00:36:16,910 in order to launch attacks by getting someone to click a link and there is the potential 335 00:36:16,910 --> 00:36:23,310 of the ownage of every single internet connected VeraLite so it's a bad scene and now we're 336 00:36:23,310 --> 00:36:28,290 going to do some demos for you starting with the Karotz. 337 00:36:28,290 --> 00:36:35,290 I am going to show you the bunny break I talked about earlier. 
It's loading Linux 338 00:36:38,330 --> 00:36:42,860 and noticing that there is a USB drive in the back and it contains an auto run wifi 339 00:36:42,860 --> 00:36:49,860 script and it needs to set up the wifi and it's going to announce that it thinks it's 340 00:36:50,000 --> 00:36:56,430 about to set up your wireless connection and instead it's going to play a script I wrote 341 00:36:56,430 --> 00:36:57,610 that plays LOL.Mp3. 342 00:36:57,610 --> 00:37:04,610 Bunny "I'm going to connect to the internet." (Music Playing.) 343 00:37:20,100 --> 00:37:27,100 (Applause.) We're going to hope that Burpsuite doesn't 344 00:37:33,880 --> 00:37:40,880 crash today. We're going to talk about the Insteon hub, this is connected to a device, 345 00:37:42,490 --> 00:37:49,490 we've got this light on stage and the hub basically is connected to our network here. 346 00:37:53,020 --> 00:38:00,020 Can everybody see that? Hopefully a bit better. This is basically a raw "get" request. There 347 00:38:08,230 --> 00:38:15,230 is no video on the screen? Don't unplug it, that made Burp Crash reliably. 348 00:38:21,830 --> 00:38:28,830 (Laughter). Can you see it? 349 00:38:32,780 --> 00:38:36,670 Yes. All right. We're not going to be able to 350 00:38:36,670 --> 00:38:43,540 see the ‑‑ can you see what's on my screen? No, it's not mirrored. 351 00:38:43,540 --> 00:38:50,540 Do you see something coming across? I have no clue what's on the screen. 352 00:38:52,020 --> 00:38:59,020 Zoom out. Can you turn mirroring back on? Did you want me to just do it without showing 353 00:39:13,940 --> 00:39:20,940 them the screen? We could do that. (Applause.) 354 00:39:23,480 --> 00:39:29,390 Yeah, all right. So here is the raw get request, hopefully people can see that. Zoom 355 00:39:29,390 --> 00:39:36,390 out? So basically what this is doing is sending to this three script some sort of code that's 356 00:39:36,630 --> 00:39:43,630 turned on there, this request which contains this device ID. 
This is the device that is 356 00:39:44,000 --> 00:39:51,000 sitting up on stage. So if we say "go" it turns the light off, no authentication, right? Yea, 357 00:39:51,540 --> 00:39:57,780 we won. Turn it back on and hand it over to Dan. 358 00:39:57,780 --> 00:40:01,840 Jennifer Savage: Remember that can be connected to your lock. 359 00:40:01,840 --> 00:40:07,270 Dan: Thank you, David. So they say if you put a gun on the table in act 1 you must fire 360 00:40:07,270 --> 00:40:14,270 it by act 3. We have a lock on this table, we're going to lock and unlock the lock. I 361 00:40:19,150 --> 00:40:26,150 can send a UPnP request here and there is no user name and password, anything in here 362 00:40:27,080 --> 00:40:32,160 so I can hit go and this changes the state of the lock. 363 00:40:32,160 --> 00:40:39,160 Jennifer: This is through the Vera. (Applause.) Thank you. I have one more trick and I 364 00:40:40,600 --> 00:40:47,600 need a volunteer from the audience. For those of you who don't know "Vis" this 365 00:40:58,420 --> 00:41:05,420 is "Vis" choose a pin, any pin, let us know what it is and try to open the lock with that 366 00:41:08,070 --> 00:41:15,070 pin. It's alive! 367 00:41:16,630 --> 00:41:23,630 All right, yep. Locked. 368 00:41:28,030 --> 00:41:34,750 What happens when you put in a pin that doesn't do anything, like 2355? Nothing happens. 369 00:41:34,750 --> 00:41:40,680 So what I'm going to do here is add an additional pin. 370 00:41:40,680 --> 00:41:46,690 (Laughter.) You said 2355? 371 00:41:46,690 --> 00:41:49,170 Yeah. So 2355 and I hit go. We will give it a 372 00:41:49,170 --> 00:41:55,610 second or two to sync up with the lock there and what I want you to do is press the same 373 00:41:55,610 --> 00:42:02,350 pin, press 2355, try this again. (Beeps.) 374 00:42:02,350 --> 00:42:09,350 Try it again? 2355 375 00:42:10,160 --> 00:42:17,160 (Beeps and unlocks.) (Applause.) 376 00:42:20,570 --> 00:42:27,570 All right. That does it. 
That's all our demonstrations. I hope you enjoyed the show. 378 00:42:30,190 --> 00:42:36,510 Please tip your waitresses. Conclusion, all these are internet connected 379 00:42:36,510 --> 00:42:40,820 and none of these manufacturers are doing the due diligence to put security into it. 380 00:42:40,820 --> 00:42:45,260 That's a pretty bad thing. Belkin is doing all right, though. 381 00:42:45,260 --> 00:42:46,710 Thank you. (Applause.)