IOT SECURITY: CONSUMER DEVICES AND THE EXTENDED CORPORATE NETWORK - PowerPoint PPT Presentation

IOT SECURITY: CONSUMER DEVICES AND THE EXTENDED CORPORATE NETWORK

Get CPE Credits for this Webcast • Attendees of this Webcast are eligible for 1 CPE credit • Self-report on your organization’s website • Keep the email invitation as confirmation for possible future audits • More info: http://bit.ly/R7CPE

Speakers Tod Beardsley Mark Stanislav Michael McNeil Research Manager Senior Security Consultant Global Product Security & Rapid7 Rapid7 Services Officer Philips Healthcare

Hacking IoT Baby Monitors Mark Stanislav, Sr. Security Consultant

What Does an Internet-Connected Monitor Offer? • “Connected” Features (via a Web Site and/or a Mobile Application) • Viewing a live stream locally (the home’s Wi-Fi) or remotely (Internet) • Controlling the camera’s position via pan, tilt, and zoom functionality • Communicating audio through the monitor (i.e. two-way audio) • Playing music or other recorded audio clips (i.e. bring your own lullabies) • Manage device preferences such as the audio volume and “night vision” • Share access and provide privileges to other people (e.g. family, friends) • Access recordings for humidity, temperature, noise, and/or motion alerts • Remote (e.g. SaaS, FTP) and local (e.g. Micro SD) DVR recordings

A Mess of Dependencies and Attack Surface • Many IoT baby monitors leverage third-party services, firmware, and software • Some vendors put a lot of trust in their supply chain without testing security • Implementation errors or failure to comply with best practices also occurs 
 • Complex ecosystems means that there are plenty of ways to screw up: • Mobile applications, cloud services, backend services, web applications, firmware, hardware, network protocols, wireless protocols, & cryptography • It’s difficult for a single IoT vendor to be proficient in security across all of it 
 • The frameworks, protocols, and design patterns of IoT are still very much in flux

SO, HOW DO WE HACK THESE THINGS?

Via Dumping Firmware Pomona SOIC Clip + Bus Pirate flashrom to Dump Flash binwalk to Extract Filesystems

Via Brute Force of Various Means Hash Cracking with cudaHashcat Scouring Google for Useful Details

Via Serial Console (UART) JTagulator 
 U-Boot Configuration (or Bus Pirate, Shikra, etc.) UART Scan & Connect

Via JTAG (e.g. Dumping Memory via GDB) Not a baby monitor … but you get the idea!

Via Mobile Applications Acquire Firmware with dex2jar + JD-GUI for Android View API Calls with mitmproxy (esp. SSL/TLS) Find API End-Points with Clutch + strings for iOS

Via Network Analysis Uncover Network Services with nmap View Protocol Details with wireshark

Via Web Applications Hidden Administrative Web Interface XSS on Camera Cloud Web Service

THE BABY MONITORS

A Variety of Vendors, Styles, Costs, & Features Amazon 
 Two-Way Vendor Model Price Pan Tilt Zoom Wi-Fi Ethernet Rank* / Stars Audio ✓ ✓ ✗ ✗ ✗ ✗ Gynoii GCW-1010 $89.34 #56 / 3.8 ✓ ✓ ✓ ✓ ✓ ✓ iBaby M3S $169.95 #243 / 3.4 ✓ ✓ ✓ ✓ ✓ ✗ iBaby M6 $199.95 #31 / 3.7 ✓ ✗ ✗ ✗ ✓ ✓ Lens LL-BC01W $54.99 #149 / 2.8 ✓ ✓ Philips B120/37 $77.54 #N/A / 2.2 ✗ ✗ ✗ ✗ ✓ ✓ ✓ ✓ ✓ ✗ Summer 28630 $199.99 #64 / 3.1 ✓ ✗ ✗ ✓ ✓ ✗ TRENDnet TV-IP743SIC $69.99 #N/A / 3.5 ✗ ✗ ✗ ✓ ✓ ✓ WiFiBaby WFB2015 $259.99 #156 / 3.2 ✓ ✓ ✓ ✓ ✓ ✓ Withings WBP01 $204.60 #101 / 2.9 * Amazon Ranking Based on Category “Baby > Safety > Monitors”, Which Includes Non-IoT Baby Monitors

THE FINDINGS

Withings WBP01 - $204.60

Disabled Doesn’t Quite Mean What it Used To 20 Minutes Later … 
 The Stream Still Works! After a stream exists, “disabling” it via the app doesn’t actually stop it …


 
 When Obfuscation Goes Wrong, or, Not at All? At first, this looks like a really poor attempt at an obfuscation method to “hide” the password for this web service account. 
 On further review, however, the mchunk method simply returns at the start of the for loop, yielding the output from the input to be a concatenation of “ff” and the integer passed as a parameter. 
 Was this obfuscation intended to be enabled? Did someone give up on their dream of confusing reverse engineers? The world may never know …

WiFi Baby WFB2015 - $259.99

Nothing Makes Sense to Me Any More Unauthenticated Log With Stream Details Hardcoded SSL Cert … That’s Not Even Used …

UPnP Bugs: Alive and Well in Baby Monitoring UPnP RCE Bugs, CVE-2012-5958 & CVE-2012-5959

Lens Peek-A-View (LL-BC01W) - $54.99

If You Needed Some Free Cloud Storage 


 [redacted] An FTP Account Per Camera, Apparently Used for Configuration Backups

Backdoor Credentials Galore Hidden Web Interface Credentials Cracking the Linux ‘admin’ Password This account has functional ‘root’ privilege due to ugly permissions The Live Stream Passes Credentials in URL over HTTP

Gynoii GCW-1010 - $89.34

Unencrypted Web Services - Local and Cloud Local Administrative API Calls Hidden Device Web Interface Vendor Cloud API Calls Third-Party Streaming Service None of these services or APIs use any encryption and often pass sensitive credentials and keys

TRENDnet TV-IP743SIC - $69.99

2-for-1 — Unencrypted Web Service + XSS [redacted] Either MITM a User or Just BYOJS to their DOM:)

A Remote Shell Waiting to Happen … Username: root Password: admin Telnet Available, Just Not Default Pro Tip: Remove Remote Access Services, Don’t Just Disable Them!

iBaby M3S - $169.95

Uncovering Backdoor Linux Accounts & Access An nmap Scan Reveals Telnet :) Username: admin Password: admin Password is “Protected” by UNIX Crypt * FYI, there is no ‘root’ on here, only ‘admin’

iBaby M3S - A Historical Look at Software? ✦ U-Boot: 1.1.3, released August 14th, 2005 ✦ OpenSSL: 0.9.8e, released February 23rd, 2007 ✦ Linux Kernel: 2.6.21, released April 26th, 2007 ✦ BusyBox: 1.12.1, released September 28th, 2008 
 ✦ UNIX Crypt: First appeared in 1979, limited to 8-character passwords ✦ Telnet: Developed in 1968 — SSH-1 came out in 1995 …

Encryption! Just Not Great Choices For it :) Encrypted Backups … with a Hardcoded Password? Stream Encryption … with XXTEA?

iBaby M6 - $199.95

Cryptography? Naw, They Are Just Babies … Unencrypted Web Service Login Telnet & Unencrypted HTTP on Device Unencrypted Mobile API Calls

This is the iBaby Cloud Web Site Today … … and What is Now Returned on Login … Login for Camera Owners

But a Few Months Ago, Direct Object Reference! <—Proper Account “Attacker” Account—> No Authorization/Privilege Given to Our “Attacker” Account

Full Access to All Audio & Motion Alert Videos “Attacker” Account—> [redacted] [redacted] [redacted] [redacted] Don’t let the broken images fool you … there’s live data ready to be viewed! View Source -> Find AVI Filename -> Access Static CloudFront URL

Unauthenticated Access to Unencrypted Videos Mobile API Call for Alert Video Retrieval Example AVI Thumbnail File [redacted] [redacted] [redacted] Video Downloads via Amazon CloudFront [redacted] ✦ URLs are not requested via HTTPS ✦ No IAM credentials or signed URLs

… and Some Weirdly Exposed Web Applications? Apparently There’s a Private Wiki. What For? No Clue. … But an Admin Site? Now That’s an Interesting Find!

Philips In.Sight B120/37

Everything Old is New Again … My IZON Research - 2013 My InSight Research - 2015 The question is … Did security issues fixed by one camera manufacturer ever trickle into devices also leveraging the same firmware?

A Quick Look at “Old” Security Issues Still There No SSL on Backend Web Service Insecure Firmware Upgrade Process Multiple Hardcoded Linux Accounts Telnet Enabled by Default (Until Recently) Shout out to Paul Price for his research into the In.Sight M100 which shares a few issues from my old Stem Innovation IZON research and subsequent research into the In.Sight B120. Check out his site detailing this and other research at ifc0nfig.com!

A Few Newer Issues. But Wait, There’s More! :) Backdoor Telnet Enablement Script Username: root Password: b120root Multiple XSS on Web Service Portal Predictable ‘admin’ Web Service Password

Unauthenticated Administrative Camera Access User HTTP Reverse Proxy Camera Internet Clear Text Clear Text Clear Text Home Network Web Service 
 HTTP/80 When a remote end user requests their camera’s stream, an HTTP reverse proxy is opened on a public host & port number, directly to the camera’s backend web service, allowing for a remote attacker to achieve the following: ✦ Unauthenticated and unencrypted video/audio stream access to the user’s camera ✦ Full administrative access to the camera’s powerful backend web service ✦ This includes manipulating camera configuration or even re-enabling Telnet