
Threat CON 2018 - Exploiting Cloud Synchronisation to Mass Hack IoTs

By Alex "Jay" Balan

Slides : https://2018.threatcon.io/media/2ndDay/Exploiting_Cloud_Synchronisation_To_Hack_IoTs_By_Alex_Jay_Balan.pptx

It's already a well-known fact that IoT is currently a gift that keeps on giving when it comes to producing security papers. You can blindly walk into a store, buy a device at random and in 2 weeks you'll be exchanging emails with the manufacturer to plug their holes. Most hacks against smart devices require either proximity or some other form of direct access (port forwarding/UPnP). That being said, what if devices could be hacked up to full remote code execution and root access without direct access and from the other side of the world? And what if the number of devices susceptible to this attack could be large enough to be the next big IoT botnet?

In this talk we'll describe the methods and tools used in IoT vulnerability research and our findings on a very popular smart plug: breaking their so-called encryption to capture sensitive data, remote control of the plug and full remote code execution by exploiting the mobile app - cloud - smart plug synchronization protocols. All this while the plug is "safely" in a home, behind NAT.

The talk will include:
- An updated overview on the tragi-comic state of IoT
- Some stats from our honeypots
- Quick intro to the device and company in question
- Tools and methodology used during the research
- Demo on how trivial it is to break their "encryption"
- Demo on full RCE from across the world
- Fun stuff from the present, after the manufacturer produced "a fix".

This talk will focus on the EDIMAX smart power outlet. Vendor notified. Patch issued. Nobody applied it (not a vulnerability in itself but their update UX is unusable).

Vulnerabilities outlined in a few words:
- All communication with the power outlets is relayed by the EDIMAX cloud and the credentials are a hard-coded password (1234) and the device MAC address.
- By providing the MAC address to the EDIMAX cloud, anyone can turn the power outlets on and off (for starters).
- The setup process asks the user for email credentials for e-mail notifications. Yes, in 2018 they don't have their own SMTP server and they want to use yours. When the power outlet syncs with the cloud it also syncs its settings, including your e-mail credentials, and instead of encryption they're using a proprietary protocol on port 9001 and the cleartext stream is bitflipped by 6 bytes. Long story short, it's obfuscation, not encryption, and an attacker on the wire can get the user's settings, including e-mail creds.
- A command injection vulnerability (the power outlet uses a system command to validate the provided password). Telling the EDIMAX cloud to change the password of a device (again, the identifier is the MAC address) to blah;command will make the power outlet execute md5sum blah;command. From that point to a connect-back shell from a fully NATed device with no port forwarding is just one step and it makes for a really really cool attack.
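
The command injection item above, shown as an added example that is not the vendor's firmware or the speaker's code: it contrasts the described pattern (password text concatenated into an `md5sum` shell line) with hashing in-process and an input allowlist. All function names and the allowlist policy are assumptions made for illustration; the shell line is only built and tokenized, never executed.

```python
import hashlib
import re
import shlex

# Constructed sample input: the password value quoted in the abstract above.
SAMPLE_PASSWORD = "blah;command"


def shell_line_as_described(password: str) -> str:
    """Vulnerable pattern: untrusted text concatenated into a shell line.
    Returned as a string only; this example never executes it."""
    return "md5sum " + password


def commands_seen_by_shell(line: str) -> list:
    """Approximate how a shell separates one line into commands on ; & |."""
    commands, current = [], []
    for token in shlex.shlex(line, punctuation_chars=True):
        if all(ch in ";&|" for ch in token):  # control operator, not a word
            if current:
                commands.append(current)
            current = []
        else:
            current.append(token)
    if current:
        commands.append(current)
    return commands


def md5_hex_in_process(password: str) -> str:
    """Hardened: hash inside the process, so no shell ever parses the value.
    MD5 is kept only to mirror the md5sum call named in the abstract."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


# Assumed policy for this example: 1-64 characters, no shell metacharacters.
_ALLOWED = re.compile(r"[A-Za-z0-9_.@#%+=-]{1,64}")


def is_acceptable_password(password: str) -> bool:
    """Defence in depth: reject values outside the allowlist before any use."""
    return _ALLOWED.fullmatch(password) is not None


if __name__ == "__main__":
    print(commands_seen_by_shell(shell_line_as_described(SAMPLE_PASSWORD)))
    print(md5_hex_in_process(SAMPLE_PASSWORD))
    print(is_acceptable_password(SAMPLE_PASSWORD))
```

The tokenizer output makes the flaw visible: one password field becomes two separate commands once a shell parses the line, while the in-process hash treats the same bytes purely as data.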

Website : http://threatcon.io
Twitter : https://twitter.com/threat_con
Facebook : https://www.facebook.com/threatcon

Video "Threat CON 2018 - Exploiting Cloud Synchronisation to Mass Hack IoTs" from the THREAT CON channel
Video information
January 29, 2019, 14:09:52
00:33:30