IoT: Analysis & Security
Ethical hacking for connected objects and protocols
Penetration and stress testing
Jad William NEHME
2015
ABSTRACT
This report summarizes my six-month end-of-studies internship at Alcatel-Lucent International
as an Ethical Hacker for connected objects in the Device IOT Excellence Center.
It begins with a brief description of Alcatel-Lucent: its history, current status, and future plans.
It then describes the evolution of the Internet of Things and estimates of its future. Later
on, I describe my internship environment and summarize my missions and
achievements from July to December 2015. These include hacking several connected devices,
analyzing the security of their protocols (Z-Wave, Sigfox, Lora, and Bluetooth), and attacking
the Z-Wave protocol (the most widely used protocol in home automation). It also includes a list of some
of the Z-Wave-capable devices on the market today, with their prices, advantages and
limitations.
I also describe additional tasks and duties that I was in charge of, such as scanning the internal
network with the vulnerability scanner “Qualys”, hardening the servers’ security
configuration with an “OS Hardening” solution, and organizing a 24-hour Hackathon.
Finally, I discuss the experience I gained, and how this internship exceeded
my expectations and stretched my skills.
3. 2
ACKNOWLEDGEMENTS
Before getting to the heart of the subject, I would like to start this thesis by expressing my
gratitude to those who taught me a lot during my internship, and to those who had the
kindness to fill the internship with profitable moments and unforgettable memories.
I thank Mr. Frédéric POILVERT, my internship supervisor, who made sure all my
needs were met, taught me and gave more than I could ever expect or imagine, and accompanied me
with care, patience and understanding; thank you very much for all of your efforts, your
time, your trust and your faith in me. I thank Mr. Jean-Christophe COIFFIER, Head of the
Device IOT Excellence Center at Alcatel-Lucent, for implicitly giving me lessons in
leadership, for his support and for the many different discussions we had. Mr. Nicolas
SEILLER’s great technical skills and experience taught me a lot; thank you very much for
those lessons and for the time you gave me. Thank you, Mr. Jean-Olivier MESCAM, for
extending my duties and giving me the opportunity to develop new skills. I would also like
to thank all the employees for their valuable advice and support during these six months.
Gratitude is also addressed to Mr. Ahmed SERHROUCHNI, who, as the person responsible for my
internship at Telecom ParisTech, provided me with interesting resources, documents,
advice and tips so that I could make the most of my time. Thank you for your kindness and
for the support you offered me during and after my internship.
Table of Contents
Abstract
Acknowledgements
Table of Contents
List of Figures
List of Acronyms
Introduction
Brief Description of Alcatel-Lucent and my internship
The internship value
Report Content
I / Economic environment: Alcatel-Lucent & IoT
A – Alcatel-Lucent
1. History of Alcatel-Lucent
2. Alcatel-Lucent today
B – The internet of things
1. Introduction
2. The Economic Sector
3. IoT’s current and future status
II / The internship environment
A. The social structure
B. Operations
III / The internship accomplishments & gained skills
A – The internship accomplishments
1. Available tools
2. The duties
Introduction
My activities
Description
Task 1: G_Switch Connected Switch
Task 2: G_Camera IPCamera
Task 3: G_Operator G_MultimediaHub
Task 4: Bluetooth
Task 5: S_Camera
Task 6: Hackathon
Task 7: Gnu Radio
Task 8: Z-Wave
Task 9: SigFox
Task 10: Lora
Task 11: Standard procedures and test plans
3. Additional tasks
Introduction
Description
Task 1: OS Hardening
Task 2: Qualys
Task 3: TCP replay
Task 4: Password generator
Task 5: RSA Attack kit
Task 6: SSL Strip
B – The internship contribution
Skills
Difficulties and solutions
Professional life
Conclusion
Appendix
A. for Alcatel-Lucent
A.1: Alcatel-Lucent Timeline
A.2: The leadership Team
A.3: Nozay Site
B. for my Business environment and kit
B.1: Hacking Laboratory
D. for Duties and tasks
D.1: Connected Switch
1. Beacon
2. Python ON Script
D.2: G_Camera Camera
1. List of interesting queries
D.4: Bluetooth
D.6: Hackathon
1. Flyer
2. Automation Script
3. Fake SMTP
Client side
Server side
Automation script
D.8: Z-Wave
D.11: Standard Procedures
APK decompilation
Retrieving framework-res.apk and app.apk
Combine lists
Fuzz Attack
Importing Certificates from HTTPS servers
SYN-Flood DOS attack
Factorizing big integers
Breaking x509 RSA Certificate
Python Installation
Retrieving TLS Certificates from Wireshark
TCP Session replay (python)
TCP Session replay without timestamp (Scapy)
TCP Session replay with timestamp (Scapy)
TCP injection without timestamp (Scapy)
TCP injection with timestamp (Scapy)
E. for Extra work
E.1: OS Hardening using “CIS-CAT assessment tool”
E.3: TCP Replay Attack tool
F. for Files
F.0: Sample Security Reports
F.1: G_Switch Connected Switch
F.2: G_Camera IPCamera
F.3: TCP Replay
F.4: password generator
F.5: RSA ATTACK KIT
F.6: Hackathon
R. for References
Figures and Websites
Other references
Alcatel-Lucent
Internet of Things
Bluetooth
GnuRadio & SDR
Z-Wave
LIST OF ACRONYMS
IOT: Inter-Operability-Testing
DIOTEC: Device Inter-Operability-Testing Excellence Center
IoT: Internet of Things
EIoT: Enterprise Internet of Things
BU: Business Unit
SDR: Software Defined Radio
PKI: Public key infrastructure
AP: Access Point
UI: User Interface
MiTM: Man-in-The-Middle
HSTS: HTTP Strict Transport Security
OOB: Out of Band
TK: Temporary key
SSP: Secure Simple Pairing
FIFO: First in First out
MIC: Message Integrity Code
OTAA: Over-The-Air Activation
ABP: Activation by Personalization
UNB: Ultra-Narrow Band
ISM: Industrial, Scientific and Medical
NDA: Non-disclosure agreement
API: Application Programming Interface
ACK: Acknowledgement
PDU: Protocol Data Unit
GRC: GnuRadio Companion
INTRODUCTION
I did my internship from the 1st of July to the 30th of December 2015 at Alcatel-Lucent
International, 91620 Nozay, France. I was integrated into the Device IOT (Inter-Operability
Testing) Excellence Center to conduct security analysis and tests on connected objects.
On a large scale, this internship was an opportunity to learn valuable new things in
different fields (Internet of Things, networking and security, telecommunications). I
learned how to do a full security and functional analysis of systems and objects, how to
identify potential weaknesses, how to design and conduct suitable tests, and how to
report all the study phases in a synthesized and clear manner. In addition, I defined and
specified solutions that the device manufacturers should have used to enhance their
devices’ security.
During this time, my technical skills were significantly enhanced, as I needed to write many
hacking and automation scripts and also developed several security tools. My analytical skills
were also stretched, as I faced some challenging cases and scenarios.
Besides enlarging my knowledge, this internship allowed me to get a clearer idea about the
path I will be choosing for my career. Working with colleagues of different profiles was an
open door to benefit from their experience, and see things from different perspectives,
allowing me to increase my capabilities to perceive and evaluate future career opportunities.
BRIEF DESCRIPTION OF ALCATEL-LUCENT AND MY INTERNSHIP
Alcatel-Lucent is a Franco-American global telecommunications equipment company,
headquartered in Boulogne-Billancourt, France. The company focuses on fixed, mobile, and
converged networking hardware, IP technologies, software and services, with operations in
more than 130 countries. Alcatel-Lucent owns Bell Laboratories, one of the largest research
and development facilities in the communications industry, whose researchers have been
awarded eight Nobel Prizes, and the company holds in excess of 29,000 patents.
My internship in the DIOTEC’s first security testing team aimed to discover security
weaknesses in currently deployed Internet-of-Things protocols, and to test
the objects themselves for implementation mistakes and errors.
My supervisor, Mr. Frédéric POILVERT, formerly the R&D Competency Development Center
manager for Alcatel-Lucent’s payment activities, is currently a project manager and Head of
the Ethical Hacking laboratories. His managerial experience allowed me and the rest of the
hacking team to work very efficiently, as he provided the best conditions to
learn quickly and to be autonomous. His trust made us more responsible and motivated us
to produce better results. Our weekly and daily meetings and discussions helped us to
converge our perspectives and ideas towards finding better solutions and making the best
decisions.
THE INTERNSHIP VALUE
This internship was also an opportunity for me to discover how an international company
has to continuously adapt and develop in order to maintain its leadership in various
technology fields. Over the last several years, Alcatel-Lucent has been reporting losses
in its financial results. One reason is that radio technologies are by now deployed more
or less everywhere, and the industry is heading towards internet-based solutions for
telecommunications and international services. To survive this era and adapt,
Alcatel-Lucent chose to invest more in new technologies, including cloud computing,
advanced IP networking and IoT.
At the beginning of 2015, and because of these catastrophic financial results, Alcatel-Lucent had
to go ahead with the “Shift Plan”. This reorganization was put in place to return to a positive
cash-flow situation, so that the company could be seen as a good potential partner for bigger
companies. As a result, some employees were laid off, and some shared departments and
services were shut down, changed, or relocated. In April of the same year, Nokia
announced that it would acquire Alcatel-Lucent for €15.6 billion.
Before 2015, the DIOTEC’s main business line was testing mobile chipsets and running
inter-operability projects. After the first quarter of the year, the Center changed its
strategy and decided to enter the IoT market. This decision was deliberately made to
strengthen its position and grow its market share by extending its services portfolio, making
it more stable, which would also help it to survive the acquisition process.
The main line is to offer security tests on connected objects and their emerging protocols.
The process began by buying hundreds of commercially available connected objects and running
security tests on them. The next step was to prepare test plans and standard procedures in
order to develop this new test service. Later on, two Hackathons were organized, whose
participants were cyber security professionals and students from different schools and
universities. As a result, the DIOTEC security services became recognized and publicly known
in the IoT market. The goal of these newly introduced services, as mentioned before, is to
generate more profit and to guarantee that the DIOTEC team will be in the right place in
Nokia’s future organization. This responsibility became an additional motivation for me to
do my best, as an essential part of the team, to achieve Mr. Coiffier’s strategic goals.
Figure 1: Financial summary [28] (values as read from the chart; “Revenues” and “Loss” are the chart’s own series labels)

Year       2008    2009    2010    2011    2012    2013    2014
Revenues   16984   15157   15996   15327   14446   14436   13178
Loss       5173    524     334     1144    1374    1294    83
REPORT CONTENT
I wrote this report based mainly on the lessons that my daily practice and assignments taught
me. In addition, discussions and meetings with colleagues and superiors allowed me
to enrich this report with precise details and exclusive facts. I also used non-confidential
information from the Alcatel-Lucent intranet and extranet, and from the DIOTEC presentations.
In order to describe my six months at Alcatel-Lucent in a coherent and clear way, I think
it wise to start by presenting Alcatel-Lucent: its history and current situation,
its structure, services, and operation. I will then present the economic
environment of the internship and the evolution of the Internet of Things.
Later on, I will describe the tasks and missions that I accomplished and the
responsibilities and duties that I was assigned, and I will conclude with my
reflections.
Because of sensitive and confidential information, I give some companies and
manufacturers generic names and omit some details. Everything omitted is re-included
in the Appendix, which will be given exclusively to Alcatel-Lucent,
Telecom ParisTech, and the Lebanese University – Faculty of Engineering.
I / ECONOMIC ENVIRONMENT: ALCATEL-LUCENT & IOT
A – ALCATEL-LUCENT
1. History of Alcatel-Lucent
Alcatel-Lucent was formed when Alcatel merged with Lucent Technologies on December 1,
2006. However, the predecessors of the company have been a part of telecommunications
industry since the late 19th century. The company has roots in two early
telecommunications companies: “Western Electric Manufacturing Company” and “La
Compagnie Générale d'Electricité” (CGE).
Western Electric began in 1869 as a small manufacturing firm based in Cleveland,
Ohio. By 1880, the company had become the largest electrical manufacturing company in
the United States. In 1881 the American Bell Telephone Company, founded by Alexander
Graham Bell and forerunner of American Telephone & Telegraph (AT&T), purchased a
controlling interest in Western Electric and made it the exclusive developer and
manufacturer of equipment for the Bell telephone companies.
CGE was formed in 1898 by French engineer Pierre Azaria in the Alsace region and was a
conglomerate involved in industries such as electricity, transportation, electronics and
telecommunications. CGE would become a leader in digital communications and would also
be known for producing the TGV high-speed trains in France.
Bell Telephone Laboratories was created in 1925 from the consolidation of the R&D
organizations of Western Electric and AT&T. Bell Labs would make significant scientific
advances including the transistor, the laser, the solar cell, the digital signal
processor chip, the UNIX operating system and the cellular concept of mobile telephone
service. Bell Labs researchers have won eight Nobel Prizes. In the same year, Western Electric
sold its International Western Electric Company subsidiary to ITT Corporation. CGE
purchased the telecommunications business of ITT in the mid-1980s.
In April 1996, AT&T spun off Lucent Technologies with an initial public offering. Two years
later, Alcatel shifted its focus to the telecommunications industry. Later on, in April 2004,
TCL Corporation and Alcatel announced the creation of a mobile phone manufacturing joint
venture, Alcatel Mobile Phones. Facing intense competition in the telecommunications
industry, Alcatel and Lucent Technologies completed their merger on November 30, 2006. At the end of the
same year, Alcatel-Lucent acquired Nortel’s UMTS radio access business, and during 2007
the company acquired Tropic Networks, NetDevices, Thompson Advisory Group, and
Tamblin.
On April 15, 2015, the Finnish telecommunications firm Nokia announced its intent to purchase
Alcatel-Lucent for €15.6 billion in an all-stock deal. The acquisition aims to create a stronger
competitor to the rival firms Ericsson and Huawei, which Nokia and Alcatel-Lucent had
surpassed in terms of total combined revenue in 2014. The acquisition is expected to be
completed in early 2016 and is subject to regulatory approval. The Bell Labs division will
be maintained, but the Alcatel-Lucent brand will be replaced by Nokia.
More details about the history are available on the official Website [1]. A timeline for the
most relevant events is in appendix A.1
2. Alcatel-Lucent today
Alcatel-Lucent today, Nokia in the near future, is more than ever focused on innovative
projects and new technologies. With substantial investments in cloud computing, the Internet
of Things, fiber optics, wireless transmission, 5G and others, Alcatel-Lucent is keeping
up with today’s rapid evolution, playing the role of a major actor and competitor in these fields.
Its expertise is able to answer the needs and provide solutions for many challenges.
In 2010, Bell Labs launched the GreenTouch consortium with industrial and academic
partners to increase the energy efficiency of communication networks by a factor of 1000 for
2020 traffic scenarios. In June, GreenTouch gave this vision concrete form, publishing
a portfolio of technologies capable of bringing down the net power consumption of
communication networks by 98% compared to 2010 state-of-the-art reference networks. To
put this into context, these savings would be equivalent to the greenhouse gas emissions
of 5.8 million automobiles. On November 4th, CDP (the Carbon Disclosure Project)
announced that Alcatel-Lucent had achieved a perfect score of 100 and was a member of the
CDP A-List.
Alcatel-Lucent is a leading IP networking, ultra-broadband access and cloud technology
specialist. It is deploying its 7950 XRS IP Core Router for China Unicom within 14 metro network nodes
in nine cities in China. The ability to evolve to 400G interfaces in its metro backbone
network using the 7950 XRS will allow China Unicom to meet the upcoming customer data
demand and pave the way for the future expansion of high-quality cloud services while
optimizing costs. Alcatel-Lucent’s 7950 XRS portfolio delivers class-leading scale, efficiency
and versatility to address a wide range of networking requirements. The XRS is deployed
in over 50 networks worldwide.
Alcatel-Lucent, working as consortium leader together with the consulting and technology
multinational company, Indra, has successfully completed the deployment of an IP/MPLS
technology-based information, monitoring, management and control system that will enable
Poland’s maritime authority to increase operational efficiency and safety at ports and in the
Baltic Sea. Alcatel-Lucent in cooperation with Indra was responsible for designing the
technical project specifications, managing implementation, constructing and modernizing
the coast station architecture, integrating and implementing all sub-systems and
technologies.
Alcatel-Lucent is upgrading Orange Romania’s existing long-haul microwave transport
network, allowing Orange to enhance its 4G network capacity and performance as it
continues to expand high-speed ultra-broadband services to enterprises and consumers.
Figure 2: Alcatel-Lucent at a glance [29]
Alcatel-Lucent is to expand the deployment of 4G LTE for China Telecom across 12
provinces of China, as demand for high-quality ultra-broadband services and applications
continues to grow rapidly. Alcatel-Lucent is also deploying its Carrier Aggregation capability
in major cities. This component of the LTE-Advanced standard allows LTE radios to combine
multiple frequency bands to vastly increase data speeds and lower latency, enabling the
service provider to offer download speeds of up to double today’s.
Bell Labs, the research arm of Alcatel-Lucent, has made a breakthrough in its ambition to
shatter the capacity limits of optical networks as they strive to meet the explosion in traffic
expected from 5G and the Internet of Things. With this demand threatening to outstrip the
capacity limits of current optical fiber networks, at the 2015 IEEE Photonics conference Bell
Labs revealed an optical networking technology that could potentially help operators
address this expansion: a real-time space-division multiplexed optical multiple-input
multiple-output (MIMO-SDM) system. This world-first demonstration of the Bell Labs-pioneered
MIMO-SDM technique has the potential to increase today’s 10 to 20 Terabit-per-second
fiber capacities to Petabit-per-second capacity. The successful 6x6 MIMO-SDM real-time
experiment was conducted over a 60-km-long coupled-mode fiber at Bell Labs’ global
headquarters in New Jersey. Using the MIMO-SDM technique, Bell Labs aims to overcome
the capacity limitations imposed by the non-linear ‘Shannon limit’ on current optical fiber.
As mentioned earlier in the report, the DIOTEC is investing more resources in testing
connected objects:
o Validating their compliance with their corresponding communication protocol
o Conducting security tests and reporting vulnerabilities and weaknesses in order to
improve their resistance to cyber attacks
The main goal is to push vendors and manufacturers to secure their products and
services, and to assist them in migrating to verified protocols such as 4G and 5G.
To support this strategy, DIOTEC also developed a portable, plug-and-play 4G/LTE
network in which all components are virtualized in one box, allowing private, on-demand
4G networks to be created. Such networks can be used to connect IoT devices in a very secure
environment based on the proven LTE security mechanisms.
B – THE INTERNET OF THINGS
1. Introduction:
The Internet of Things (IoT) is the network of physical objects or "things" embedded with
electronics, software, sensors, and network connectivity, which enables these objects to
collect and exchange data. The Internet of Things allows objects to be sensed and/or
controlled remotely across existing network infrastructure, creating opportunities for more
direct integration between the physical world and computer-based systems, and resulting
in improved efficiency, accuracy and economic benefit.
The concept of a network of smart devices was discussed as early as 1982, with a modified
Coke machine at Carnegie Mellon University becoming the first internet-connected
appliance, able to report its inventory and whether newly loaded drinks were cold. The
concept of the Internet of Things first became popular in 1999, through the Auto-ID Center
at MIT and related market-analysis publications. Radio-frequency identification (RFID)
was seen as a prerequisite for the Internet of Things at that point. If all objects and people
in daily life were equipped with identifiers, computers could manage and inventory them.
Besides using RFID, the tagging of things may be achieved through such technologies as
near field communication, barcodes, QR codes and digital watermarking.
2. The Economic Sector
There are three core sectors of the IoT: enterprise, home, and government, with the
Enterprise Internet of Things (EIoT) being the largest of the three. Regardless of the sector,
IoT finds applications in nearly every field as such systems can be in charge of collecting
information in settings ranging from natural ecosystems to buildings and factories, thereby
finding applications in fields of environmental sensing and urban planning.
Environmental monitoring applications of the IoT typically use sensors to assist in
environmental protection by monitoring air or water quality, atmospheric or soil conditions,
and can even include areas like monitoring the movements of wildlife and their habitats.
Other applications like earthquake or tsunami early-warning systems can also be used by
emergency services to provide more effective aid.
Monitoring and controlling the operations of urban and rural infrastructure like bridges,
railway tracks, and on- and offshore wind farms is a key application of the IoT. The IoT
infrastructure can be used for monitoring any events or changes in structural conditions
that can compromise safety and increase risk. It can also be used for scheduling repair and
maintenance activities in an efficient manner. IoT devices can also be used to control critical
infrastructure like bridges to provide access to ships. Such usage is likely to improve
incident management, emergency response coordination, quality of service and uptime, and
to reduce operating costs in all infrastructure-related areas.
Network control and management of manufacturing equipment, asset and situation
management, or manufacturing process control bring the IoT within the realm of industrial
applications and smart manufacturing. The IoT intelligent systems enable rapid
manufacturing of new products, dynamic response to product demands, and real-time
optimization of manufacturing production and supply chain networks, by networking
machinery, sensors and control systems together. Smart industrial management systems
can also be integrated with the Smart Grid, thereby enabling real-time energy optimization.
IoT devices can be used to enable remote health monitoring and emergency notification
systems. These devices can range from blood pressure and heart rate monitors to advanced
devices capable of monitoring specialized implants, such as pacemakers or advanced
hearing aids. Doctors can monitor on their smartphones the health of their patients after
they have been discharged from the hospital.
The IoT can assist in integration of communications, control, and information processing
across various transportation systems. Application of the IoT extends to all aspects of
transportation systems, i.e. the vehicle, the infrastructure, and the driver or user. Dynamic
interaction between these components of a transport system enables inter and intra
vehicular communication, smart traffic control, smart parking, electronic toll collection
systems, logistic and fleet management, vehicle control, and safety and road assistance.
Another application that the Internet of Things brings to the picture is home security
solutions. Home automation is also a major step forward when it comes to applying IoT.
With IoT, we can remotely control the electrical devices installed in the house.
The IoT also creates an opportunity to measure, collect and analyze an ever-increasing
variety of behavioral statistics. Cross-correlation of this data could revolutionize the
targeted marketing of products and services, meaning that Big Data and the IoT can work
in conjunction.
3. IoT’s current and future status
There are several planned or ongoing large-scale deployments of the IoT, to enable better
management of cities and systems. For example, Songdo, South Korea, the first of its kind
fully equipped and wired smart city, is near completion. Nearly everything in this city is
planned to be wired, connected and turned into a constant stream of data that would be
monitored and analyzed by an array of computers with little, or no human intervention.
Another application is an ongoing project in Santander, Spain. For this
deployment, two approaches have been adopted. This city of 180000 inhabitants has
already seen 18000 downloads of its city application for smartphones. This application is
connected to 10000 sensors that enable services like parking search and environmental
monitoring.
Experts estimate that the IoT will consist of almost 50 billion objects by 2020. The following
is a list of the top 10 countries by IoT devices online per 100 inhabitants, as published in 2015.
Figure 3: IoT devices online per 100 inhabitants [2]
The estimated number of connected devices in 2020 is shown below:
Figure 4: Number of connected devices in 2020 [29]
The Internet of Things is seen as the next billion market by the industry:
Figure 5: Connected devices Market in 2020 [29]
Despite the rapid development of IoT technologies and their large-scale deployment
described above, these technologies have been criticised for being developed without
appropriate consideration of the profound security challenges involved. In particular, as the
Internet of Things spreads widely, cyber-attacks are likely to become an increasingly physical
(rather than simply virtual) threat. In a January 2014 article in Forbes, cyber security
columnist Joseph Steinberg listed many Internet-connected appliances that can already "spy
on people in their own homes", including televisions, kitchen appliances, cameras, and
thermostats. Computer-controlled devices in automobiles such as brakes, engine, locks, hood
and trunk releases, horn, heat, and dashboard have been shown to be vulnerable to attackers
who have access to the onboard network. In some cases, vehicle computer systems are
internet-connected, allowing them to be exploited remotely.
II / THE INTERNSHIP ENVIRONMENT:
A. THE SOCIAL STRUCTURE
Alcatel-Lucent has approximately 52600 employees, working in offices in more than 90
countries. Functions are centralized and organized in 17 central functions under the
leadership of Philippe Camus, the Chairman and Interim Chief Executive Officer since
Michel Combes left the company to become chairman of Numericable-SFR, pending the
new Nokia Corporation management:
o Alcatel-Lucent International
o Bell Labs
o Business & IT Transformation
o Chief Quality & EHS Office
o Compliance Organization
o COO Transversal Operations
o Corporate Audit Services
o Corporate CTO
o Corporate Security Services
o Finance
o Human Resources
o Intellectual Property Business Group
o IS/IT
o Law
o Public Affairs
o Results Delivery Office
o Sustainability
On top of these central functions, Alcatel-Lucent also hosts transversal and corporate
functions as follows:
o Transversal functions:
o Sales
o Operations
o Strategy & Innovation
o Quality
o Corporate functions
o Human resources
o Marketing
o Finance & Legal
(The leadership team is illustrated in appendix A.2)
B. OPERATIONS
Coming to Operations, they are divided as follows:
o Core networking segment
- IP Routing
- IP Transport
- IP Platforms
o Access segment
- Wireless
- Fixed Access
- Licensing
- Managed services
I will only describe the “Wireless” section of the “Access Segment”, as it is the section in
which I did my internship.
(More details can be found on the operations section of Alcatel-Lucent’s website [3])
The Wireless section is organized as follows:
The DIOTEC is part of the Professional Services, under the Business Unit (BU) run by
Mr Jim Cocito. It has two sites, the first one in Nozay, Ile-de-France, France, and the
second one in Murray Hill, New Jersey, US (at Lucent’s premises). Both sites are managed
by Mr. Jean-Christophe Coiffier, the Head of DIOTEC. Mr. Coiffier chose to adopt a flat
organization structure in the French site, creating a better team spirit, as fewer management
layers increase interaction between team members. It also elevates each employee’s level of
responsibility, so that they have more power and can make some decisions immediately, giving
the center greater agility and mobility.
(The Nozay Site is illustrated in appendix A.3)
III/ THE INTERNSHIP
ACCOMPLISHMENTS & GAINED SKILLS
A – THE INTERNSHIP ACCOMPLISHMENTS
During my internship, I had the opportunity to discover the IoT sector in all its forms, which
allowed me to develop a deep understanding of its challenges from both global and specific
perspectives. To make my description clear and easy to digest, I will start by listing the tools
that I was given access to, and then proceed with describing the main and side missions
and tasks that I accomplished.
(A picture of the Hacking Lab is in Appendix B.1)
1. Available tools
The hacking laboratories were equipped with both intellectual resources and physical
hacking tools. The computers ran Kali Linux and Windows in a dual-boot
configuration. We were also given hacking and SDR (Software Defined Radio) equipment such as
the HackRF One, Ubertooth… Concerning the available devices, the list included smart
watches, surveillance cameras, connected switches and sensors, smartphones, home
automation devices …
For the intellectual resources, we were given 4 books that were very useful for learning both
basic and advanced hacking techniques. In addition, these books provided information about
many communication protocols (Bluetooth, Wi-Fi…). We also had access to a NAS, where
we shared all the test plans and useful documents we found; it also served as a repository for all
the scripts and tools we developed and used.
(A full list is presented in appendix C.0)
2. The duties
Introduction
As described before, the main goal of the internship is to conduct security tests and
evaluations. The first phase was therefore to understand the functioning of the device (or the
protocol). This was followed by a full analysis, in order to identify all potential weaknesses
and attack vectors. The third phase is the technical phase, in which the attack environment
is prepared and the attack tools are developed and used. Finally, verified vulnerabilities
are reported along with all the test results.
In order to write professional security reports, I downloaded security penetration test
reports made by three leading Cyber Security companies (Attached with this report F.0),
observed how these reports are structured, combined them, and added more titles and
removed some others, to make a structure that fits best with my needs.
After the study of each connected device, the tests and procedures used are added to the list,
along with their duration, application, and severity. The goal is to enrich the test
list, making the assessment of other similar devices easier and faster.
My activities
During this internship, I spent my first month conducting security tests on connected
switches, security cameras and multimedia hubs. Surprisingly, for all the cameras I tested,
besides finding many vulnerabilities, none of them was protected against brute force attacks
on the administrator’s password.
After that, I studied the Bluetooth protocol, tested the Ubertooth One, and prepared the
environment for conducting tests on Bluetooth devices. A higher priority task was given to
me at that time, which made me postpone my work on Bluetooth, and start studying the Z-
Wave protocol. This protocol is among the most used protocols for home automation, and
since a Hackathon was planned to be held in November, we chose to make it about home
automation, and so we named the Hackathon “Hack the Home”. In order to be prepared for
this event, I started by studying GnuRadio, an open source Linux software that is used for
controlling SDR equipment and tools. Then I became able, using the HackRF One, to sniff
and visualize Z-Wave signals.
During this time, I was also developing tools to attack RSA certificates, as some connected
objects used a PKI, and it would have been interesting to try to break their certificates. Among
the tools I developed were a script for retrieving the modulus and factorizing it, and a kit for testing
certificates for common factors and generating private keys in case of a match.
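The common-factor check described above, as an added example that is not the report's own kit: it audits a batch of RSA public keys for a prime shared between two moduli and, on a hit, reconstructs the private exponent. It assumes the moduli and exponents have already been extracted from the certificates as integers; the sample keys are constructed from tiny primes so that it runs offline.

```python
# Added example (not the report's tool): audit RSA public keys for a shared
# prime factor and, on a hit, reconstruct the private exponent.
# Assumptions: moduli and exponents are already extracted from the certificates
# as integers; the sample keys below are constructed from tiny primes so the
# script runs instantly (real 2048-bit keys go through the same code unchanged).
from itertools import combinations
from math import gcd

# Constructed sample inventory: keys 0 and 1 share the prime 61, key 2 is sound.
SAMPLE_KEYS = [
    (61 * 53, 17),   # n = 3233
    (61 * 71, 17),   # n = 4331, shares p = 61 with key 0
    (79 * 83, 17),   # n = 6557, no common factor with the others
]


def find_shared_factors(keys):
    """Pairwise GCD across all moduli.

    Returns ({key_index: shared_prime}, {indices of reused moduli}). Identical
    moduli are reported as key reuse rather than factored, since gcd(n, n) = n
    reveals nothing about p.
    """
    shared, reused = {}, set()
    for (i, (n1, _)), (j, (n2, _)) in combinations(enumerate(keys), 2):
        if n1 == n2:
            reused.update((i, j))
            continue
        g = gcd(n1, n2)
        if 1 < g < n1:          # non-trivial common divisor: a leaked prime
            shared[i] = g
            shared[j] = g
    return shared, reused


def recover_private_exponent(n, e, p):
    """Given one prime factor p of n, derive q and d = e^-1 mod lcm(p-1, q-1)."""
    q, remainder = divmod(n, p)
    if remainder != 0:
        raise ValueError("p does not divide n")
    lam = (p - 1) * (q - 1) // gcd(p - 1, q - 1)   # Carmichael lambda(n)
    return pow(e, -1, lam)                          # modular inverse (Python 3.8+)


def audit(keys):
    """Return {key_index: private_exponent} for every key broken by a shared factor."""
    shared, _ = find_shared_factors(keys)
    return {i: recover_private_exponent(keys[i][0], keys[i][1], p)
            for i, p in shared.items()}


if __name__ == "__main__":
    for i, d in audit(SAMPLE_KEYS).items():
        print(f"key {i}: modulus {SAMPLE_KEYS[i][0]} is factorable, d = {d}")
```

Pairwise GCD is quadratic in the number of keys; for a large inventory the batch-GCD product tree gives the same result in quasi-linear time.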
The Hackathon preparations occupied a long portion of my time. I prepared cryptography
challenges, configured all the equipment, prepared and tested all the attack scenarios, coded
automation scripts to simulate interactive mobile phone applications, smart boxes and
others.
After the big event, inspired by some tools that were developed by professional teams
who were present at the Hackathon, I was able to configure and run a Z-Wave injection tool.
This tool makes it possible to take control of any Z-Wave communicating device; it also allows taking
the role of that connected device and escalating false reports and alarms to the controller.
Just after reaching my goal and breaking the Z-Wave protocol, I went back to Bluetooth,
and was quickly able to sniff Bluetooth packets and visualize them in Wireshark. Before
getting into hacking Bluetooth connections and moving from passive to active attacks, other
priorities came across…
My last work at Alcatel-Lucent was studying the SigFox and LoRa protocols, analyzing their
performance and security mechanisms, and preparing their test plans. These plans will be
used later on for testing SigFox and LoRa devices for clients. I was also tasked with transferring
my knowledge to the new apprentice who will continue the hacking activities in the
DIOTEC.
Description
As mentioned before, I will be using generic names for the equipment, as the manufacturer
name is considered classified and will only be included in the confidential appendix C.
Task 1: G_Switch Connected Switch
Introduction
The G_Switch connected switch allows users to control their devices at home via a mobile
application. This application also allows adding other devices to be remotely controlled. The
switch costs around $40 and can be bought from the vendor’s website.
Attack Narrative
Footprinting
To begin, I analyzed the establishment phases of the switch. At first, the switch behaves as
a Wi-Fi router, distributing private IP addresses, and broadcasting beacons. The interesting
issue here is that the sent beacons explicitly indicate that the wireless access point does not
support authentication, not even WEP (corresponding beacon is present in appendix D.1.1),
which means that any user with a wireless adapter can listen to all communications
between the Switch and the smartphone connected to it. During the same phase, the user
installs the G_AppName application, connects to the wireless network created by the switch,
and launches the application. Through his smartphone, the user gives the G_Switch object
a name, an icon, and specifies other information. He also chooses a Wi-Fi connection, and
enters its password. Just after submitting the password, the G_AppName mobile application
sends a message to the switch. This message includes the Device, the Wi-Fi SSID, and its
password. These will be used to allow the switch to connect to the wireless access point.
After that, the phone can send ON and OFF orders to the switch.
Figure 6: G_Switch - Phase 1 (Stage 1; Stage 2: smartphone sends Home Wi-Fi SSID + password)
Figure 7: G_Switch - Phase 2 (switch connects to the home Wi-Fi; switch and smartphone communicate using the home Wi-Fi)
Phase 3:
In case the user chose to activate the remote control option, the switch will then start
automatically reporting to the G_Switch server (ServerIP) every time its status changes.
And if the smartphone is connected through a network different from the switch’s, it will
send the ON/OFF order encrypted to the G_Switch server. Eventually, this server will send
the order to the switch, also encrypted in a TLS connection. It is worth mentioning
that even after phase 3, if the smartphone is on the same network as the switch, orders
will not be relayed by the server; instead, the smartphone will send them directly to
the switch via Wi-Fi.
Man-in-the-middle attack
To start, I launched a MITM attack between the switch and the smartphone at phase 1.
This led to discovering the different XML formats used for exchanging information. This
also allowed me to capture the packet containing the needed information to connect to the
Home Wi-Fi. Below is the content of this packet:
POST /upnp/control/smartsetup1 HTTP/1.0
Content-Type: text/xml; charset="utf-8"
HOST: 10.22.22.1
Content-Length: 886
SOAPACTION: "urn:G_Switch:service:smartsetup:1#PairAndRegister"
Connection: close

<?xml version="1.0" encoding="utf-8"?>
<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" s:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">
<s:Body>
<u:PairAndRegister xmlns:u="urn:G_Switch:service:smartsetup:1">
<PairingData><PairingData><ssid><![CDATA[SSID_Name]]></ssid><auth>WPA2PSK</auth><password>elbG4dBmMTJR4Uy5O8jFtg==190b</password><encrypt>AES</encrypt><channel>11</channel></PairingData></PairingData>
<RegistrationData><RegistrationData><DeviceId>353490069904197</DeviceId><DeviceName><![CDATA[ObjectName]]></DeviceName><smartprivateKey></smartprivateKey><ReUnionKey>14363488838022</ReUnionKey></RegistrationData></RegistrationData>
</u:PairAndRegister>
</s:Body>
</s:Envelope>
Continuing to stages 2 and 3, we noticed that when the switch and the smartphone are
connected to the same network, the exchanged data is not encrypted, and there is no
protection against replay attacks.
Figure 8: G_Switch - Phase 3 (exchanges 1 to 5 between the smartphone, the Internet and the switch)
Replay attacks
After deep inspection of the packets captured during the MITM attack, I managed to identify the
different orders coming from the phone towards the switch. These packets are sent over TCP
with 49153 as the destination port. Below are some of the most interesting ones:
Request info:
This request returns information regarding the condition and current status of the
switch, for example whether it is in the “ON” or “OFF” state, the switch’s firmware version, its
friendly name, its MAC address, its deviceID …
ON order:
This is an order sent to the switch that sets its state to “ON”. By replacing the 1 with a 0, the
order becomes a change of state to “OFF”. A simple Python script that can replay ON/OFF orders
is attached in appendix D1.2.
I also developed a simple Java application with a user interface that opens a TCP
connection, sends the order, and then closes the connection. This application can also send
alternating “ON” and “OFF” orders according to a user specified frequency.
(A Screenshot of the tool is in appendix E.3, and the tool is attached with this report F.3).
POST /upnp/control/deviceinfo1 HTTP/1.0
Content-Type: text/xml; charset="utf-8"
HOST: 192.168.1.120
Content-Length: 289
SOAPACTION: "urn:G_Switch:service:deviceinfo:1#GetInformation"
Connection: close
<?xml version="1.0" encoding="utf-8"?>
<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"
s:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">
<s:Body>
<u:GetInformation xmlns:u="urn:G_Switch:service:deviceinfo:1"></u:GetInformation>
</s:Body>
</s:Envelope>
POST /upnp/control/basicevent1 HTTP/1.0
Content-Type: text/xml; charset="utf-8"
HOST: 192.168.1.120
Content-Length: 419
SOAPACTION: "urn:G_Switch:service:basicevent:1#SetBinaryState"
Connection: close
<?xml version="1.0" encoding="utf-8"?>
<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"
s:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">
<s:Body>
<u:SetBinaryState xmlns:u="urn:G_Switch:service:basicevent:1">
<BinaryState>1</BinaryState>
<Duration></Duration>
<EndAction></EndAction>
<UDN></UDN>
</u:SetBinaryState>
</s:Body>
</s:Envelope>
Reverse engineering the mobile application
Using a free mobile application we downloaded from the Google Play store (SaveAPK), I was
able to retrieve the .apk file of the G_name application. By simply decompressing this file,
we got access to non-compiled JavaScript and HTML files. Later, with some commercial tools
(apktool, Java decompiler, and dex2jar) I succeeded in reverse engineering the application,
giving me the full Java source code.
(The mentioned tools are attached with this report F.1)
Below are some of the classes and functions I found interesting:
I discovered that these are the functions used to encrypt the Wi-Fi password prior to sending
it from the phone. In addition, I found out where the previous classes are instantiated, and
when the functions are called.
The code has been intentionally obfuscated to create the maximum confusion for anyone who
would like to reverse it (fake functions, unused code, renamed variables …). So despite having
the source code and knowing the DeviceID used for the encryption, after one week of
investigation I was unable to decrypt the captured encrypted password, due to my lack of
expertise in mobile applications. So I decided to proceed with other attacks.
By spending more time on this device, we could explore the hardware part and try to find
the encryption algorithm in the embedded code (guessing that embedded code cannot be as
complex as the one used in the smartphone application).
(The full decompiled mobile application is attached with this report F.1)
DOS SYN Flood attack
To test the robustness of the Switch’s server, I ran a number of SYN Flood attacks. The
result is that less than 200 SYN requests are enough to deny all other users from connecting
to the switch, causing a Denial-of-Service Attack. I also noticed that during the attack, the
port number used by the switch to communicate with the smartphone is automatically
changed, meaning that this attack will not remain effective. However, the port number was
not randomly changing, it was incremented by 1. So it was not difficult to automate the
increment of the port number during the attack whenever the switch stops accepting the
SYN requests.
// Decompiled class skeleton as recovered from the application; method bodies are omitted in this report
public class WiFiSecurityUtil
{
    private String password = "";
    private String type = "";
    private String username = "";

    private String generatePrivateKey(String[] paramArrayOfString) { }
    public boolean addNewWiFiSetting(Context paramContext) { }
    public String decrypt(String paramString, Context paramContext) { }
    public String encrypt(String paramString, Context paramContext, int paramInt,
                          String[] paramArrayOfString) { }
    public String generateAuthCode(Context paramContext) { }
    public String getDeviceID(Context paramContext) { }
}
Security Impact
Authentication (Medium)
There is no authentication when communicating with the switch locally, which means that
any device or PC connected to the same network as the G_name switch can easily take
control of it. However, controlling the switch from the internet is a much
more difficult task. This protection is provided by encrypting all communications between
the servers, the smartphone, and the switch. Besides, encrypted orders received from the
server differ even when the underlying orders are the same, meaning that there is a certain
protection against replay attacks.
Integrity (Medium)
In the case of a local connection (phone and switch in the same network), a man-in-the-
middle can easily alter the orders without being detected by the switch, which means
changing “ON” orders to “OFF”, or vice versa.
Availability (High)
I noticed that a DOS SYN Flood attack can easily be conducted, denying the user from
controlling the switch. Although a simple protection mechanism is deployed, its resilience
to this attack is not enough. In case the attacker is not connected to the same network but
had access to an intermediate node, he can monitor and identify the port number used to
communicate with the switch. Although this weakness may exist in many connected objects
and home automation systems, I see that it is worth mentioning at least once.
Privacy (High)
During the first initialization stage, I noted that since the switch is itself an open
standalone wireless AP, any user or attacker can connect to it and retrieve the encrypted
Wi-Fi password. This can be decrypted using the mobile application source code. Once done,
the attacker can connect to the home network, compromising the security of all connected
objects, including the G_name Switch and personal computers.
Proposing solutions
Authentication and integrity
It is recommended to use encryption when exchanging information between the smartphone
and the G_name Switch; a strong encryption algorithm can easily be implemented, and
would limit the authentication exposure. The secret key can be exchanged between the
smartphone and the switch during the first initialization stages. It is also advised to add
timestamps or sequence numbers to the content before it is encrypted, to mitigate
replay attacks.
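The sequence-number protection recommended above, applied to the SetBinaryState order as an added example (not the vendor's or the report's code). It assumes a per-switch secret provisioned during pairing and uses a small JSON body as a stand-in for the SOAP envelope; it covers authentication and replay rejection only, and channel encryption would be layered on top.

```python
# Added example (not the vendor's or the report's code): authenticate local
# ON/OFF orders with an HMAC over the body plus a sequence number, so that a
# sniffed order can neither be replayed nor altered without detection.
# Assumptions: SHARED_KEY is a constructed stand-in for a secret exchanged at
# pairing; the JSON body stands in for the SOAP SetBinaryState envelope.
import hashlib
import hmac
import json

SHARED_KEY = b"constructed-pairing-secret"


class Phone:
    """Smartphone side: signs each order with a strictly increasing sequence number."""

    def __init__(self, key):
        self.key = key
        self.seq = 0

    def make_order(self, binary_state):
        self.seq += 1
        body = json.dumps({"BinaryState": binary_state, "seq": self.seq},
                          sort_keys=True).encode()
        tag = hmac.new(self.key, body, hashlib.sha256).hexdigest()
        return body, tag


class Switch:
    """Switch side: accepts an order only if the tag verifies and seq advances."""

    def __init__(self, key):
        self.key = key
        self.last_seq = 0
        self.state = 0

    def handle(self, body, tag):
        expected = hmac.new(self.key, body, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, tag):   # altered or forged order
            return "rejected: bad tag"
        order = json.loads(body)
        if order["seq"] <= self.last_seq:              # sniffed and resent
            return "rejected: replay"
        self.last_seq = order["seq"]
        self.state = order["BinaryState"]
        return "accepted"


def demo():
    """Legitimate ON order, the same packet replayed, then a copy flipped to OFF."""
    phone, switch = Phone(SHARED_KEY), Switch(SHARED_KEY)
    body, tag = phone.make_order(1)
    results = [switch.handle(body, tag), switch.handle(body, tag)]
    tampered = body.replace(b'"BinaryState": 1', b'"BinaryState": 0')
    results.append(switch.handle(tampered, tag))
    return results, switch.state


if __name__ == "__main__":
    print(demo())
```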
Availability
Changing the port number was a good solution to stop SYN Flood DOS attacks. However,
this protection would be much more effective in case the new port numbers were chosen at
random, instead of incrementing the last used value by 1.
Privacy
In order to protect the Home Wi-Fi password while being transmitted, the temporary
connection between the switch and the smartphone should be secured. Although WEP
protection may be acceptable since the period required for the connection establishment is
short, we recommend the deployment of WPA or WPA2 because Wi-Fi attacking techniques
are becoming faster every day. The WPA unique shared key can be given to the client, or
hardcoded on the switch.
Task 2: G_Camera IPCamera
Presentation
The G_Camera IP Camera allows users to view the video stream from the internet or from
any connected network. It can be connected to an FTP server to save the recorded video. It
can be linked to an email address to send notifications whenever movement is detected. This camera
also has an internal memory to save photos and short videos whenever something is moving.
Attack Narrative
Brute Force Password attack
In order to log in, I conducted a brute force attack on the password of the user “admin”. At
first, I used two commercial tools, without success. Then, using a local proxy, I ran
a brute force attack by modifying the password field in the authentication packet, and
replacing the content with values from a password wordlist downloaded from the internet,
prefixed with the string “admin:” and encoded in base64. This time, the password was revealed.
Command list discovery
I also noticed the use of queries containing “param.cgi”. Searching on Google allowed me to
find and download a PDF containing CGI commands, “FI9821W-CGI-Commands” (attached
with this report F.2). I was then able to reboot the camera or perform a remote reset. Other
commands allowed the retrieval and modification of video parameters (setting contrast=0
replaces the video stream with a black image), alarm settings, and others…
Adding users
Running a directory listing attack revealed many unprotected files, including
“http://IP_Address/web/js/index.js”. Going to its parent directory “http://IP_Address/web/js/”
uncovered other JavaScript files including “sys_users”, ”sys_logs”, and other files used to set
or modify camera parameters and settings. While reading the file sys_users.js, I found a
function called “addUser()” that explicitly builds and sends a specific URL for adding a user,
or updating it. Using that information, I managed to form a custom URL to add a user I
named “hacker” (“http://IP_Address/cgi-bin/hi3510/param.cgi?time=1440159507412&cmd=
updateuser&user3=hacker:hacker:3:Normal”). Logging in with this fake account allowed
me to view the video, but did not give access to the system settings page. I also noticed that
users created using this URL do not appear in the administrator’s user list.
Privilege escalation
After further inspection of the authentication process, I discovered that after submitting the
username and password using the function “checkuser.cgi”
(“192.168.1.144/cgi-bin/hi3510/checkuser.cgi?-time=1440764987428”), the server returns two variables:
check=1 and authLevel=”3” (when logged in as “hacker”). The authLevel is a value that
is saved in the cookies in plaintext. Later, all queries contain the cookies, including
this value. I noticed that once authLevel is saved, it is not verified by the IPCamera server,
so modifying the cookies with a developer tools plugin allowed me to obtain administrator
privileges and access the system settings page. This means disabling alarms,
manually choosing and deleting videos, changing the administrator password, clearing logs…
Reverse Engineering the Firmware
Going through G_Camera forums, I found a particular thread [4] where there was a
firmware download link [5]. After analyzing the firmware, I located the JFFS2 bytes, and
managed to reverse engineer it and go through all its directories and files. This means that
the firmware can be modified and installed remotely on the camera, a vulnerability that
can lead to modifying or freezing the video stream, sending unauthorized notifications to
hackers, or changing the whole behavior of the camera.
More Commands
Going to the firmware’s parent directory [6] uncovered unprotected internal files, including
firmware update versions, documentation files, plugins… Among these files resided
G_Camera_doc (the document is attached to this report F.2). This document had a detailed
description of IPCamera CGI commands, their syntax, and their returned values.
These commands allow retrieving all login credentials, the Wi-Fi password, and the email and FTP
server credentials. They can also format the SD card, clear both system and access logs, reboot or
reset the camera, and finally create undetected users and change the administrator’s
password. (A list of the most interesting queries is given in appendix D.2.1)
Deleting System logs
The system logs available to the administrator show entries concerning the start of alarms, but
nothing about user logins, modified settings… To clear these logs, we can connect with the
“hacker” account and use the “clear” button. After pushing this button, we captured the
corresponding request (“http://IP_Address/cgi-bin/hi3510/dellog.cgi?-time=1440762847985”)
and discovered that it deletes all logs whose timestamp is bigger than the sent value
(14407628847985). So to delete all logs at once, it was enough to send this unauthenticated
request: “http://IP_Address/cgi-bin/hi3510/dellog.cgi?-time=0”.
Covering tracks
Access logs are not accessible from the user interface. However, they can be accessed at
“http://IP_Address/log/accesslog.txt”. This file contains all the requested queries and called
functions, each saved on a new line with its time and date and the source IP address from
which it originated. This can be used for forensics, to detect an intruder or a brute force
attack. The content of this file is emptied after a reboot, and can be easily deleted using this
command: “http://IP_Address/cgi-bin/hi3510/cleanlog.cgi?-name=access”.
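That access log is the camera’s only forensic record, and since it is wiped on every reboot, a defender would pull it off the device regularly and scan it. The Python below is an added example for this report (not the camera’s firmware or any code from the vendor): it parses lines in the layout described above (date, time, source IP, requested path), flags a burst of requests from one address as a likely brute force attempt, and flags calls to the log-clearing and credential-dumping CGIs named in this report. The field order and separators of the sample lines, the IP addresses and the thresholds are constructed assumptions, because the real accesslog.txt is not reproduced here.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# CGIs named in this report whose use by anyone but the owner is suspicious
SENSITIVE_CGIS = ("getuser.cgi", "dellog.cgi", "cleanlog.cgi")


def build_sample_log():
    """Constructed sample of an access log: date, time, source IP, path.
    The real file's layout is an assumption here."""
    lines = [
        "2015-08-28 12:30:01 192.168.2.10 /web/index.html",
        "2015-08-28 12:30:02 192.168.2.10 /cgi-bin/hi3510/param.cgi?cmd=getvideoattr",
    ]
    # 25 login-page hits from one address within 25 seconds: a brute force pattern
    base = datetime(2015, 8, 28, 12, 31, 0)
    for i in range(25):
        ts = base + timedelta(seconds=i)
        lines.append(f"{ts:%Y-%m-%d %H:%M:%S} 192.168.2.77 /web/index.html")
    # A credential dump followed by a wipe of the access log itself
    lines.append("2015-08-28 12:35:10 192.168.2.99 /cgi-bin/hi3510/getuser.cgi")
    lines.append("2015-08-28 12:35:11 192.168.2.99 /cgi-bin/hi3510/cleanlog.cgi?-name=access")
    return "\n".join(lines) + "\n"


def parse_line(line):
    """Return (timestamp, source_ip, path), or None for blank or malformed lines."""
    parts = line.split()
    if len(parts) < 4:
        return None
    try:
        ts = datetime.strptime(parts[0] + " " + parts[1], "%Y-%m-%d %H:%M:%S")
    except ValueError:
        return None
    return ts, parts[2], parts[3]


def parse_log(text):
    return [entry for entry in (parse_line(l) for l in text.splitlines()) if entry]


def detect_bursts(entries, threshold=20, window=timedelta(seconds=60)):
    """Largest number of requests from each IP inside any sliding window.
    Returns {ip: peak_count} for the IPs at or above the threshold."""
    by_ip = defaultdict(list)
    for ts, ip, _ in entries:
        by_ip[ip].append(ts)
    flagged = {}
    for ip, stamps in by_ip.items():
        stamps.sort()
        start, peak = 0, 0
        for end, ts in enumerate(stamps):
            while ts - stamps[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[ip] = peak
    return flagged


def detect_sensitive(entries, names=SENSITIVE_CGIS):
    """Every request to one of the sensitive CGIs, in log order."""
    return [(ts, ip, path) for ts, ip, path in entries
            if any(name in path for name in names)]


def analyze(text):
    entries = parse_log(text)
    return {"entries": len(entries),
            "bursts": detect_bursts(entries),
            "sensitive": detect_sensitive(entries)}


if __name__ == "__main__":
    report = analyze(build_sample_log())
    print(f"{report['entries']} requests parsed")
    for ip, n in report["bursts"].items():
        print(f"burst: {ip} made {n} requests inside one minute")
    for ts, ip, path in report["sensitive"]:
        print(f"sensitive: {ts} {ip} {path}")
```

Because the camera empties this file on reboot and a single unauthenticated request clears it, the analysis is only useful if the file is copied off the device (for instance by polling it from a monitoring host) before the intruder gets to it.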
Summary of results
Initial tests on the G_Camera IPCamera revealed that the login interface was immune to some
brute force attack tools, but not all of them. In addition, by running a local proxy and
monitoring the exchanged packets through Wireshark, information was leaked, including the
firmware version, used commands and queries, and hidden directories.
Searching the discovered commands on the internet led to a document
containing CGI commands. Some unauthenticated commands allowed performing a system
reset or a system reboot. Unprotected internal files allowed adding a low privileged user
account. Logging in with this user allowed access to the video stream, but not to the
administrator page. After deep inspection of the exchanged packets, a camera side
vulnerability was discovered. This vulnerability allowed me to obtain the maximum level of
privileges.
I managed to find on the G_Camera online forums a link to download the firmware. Using
this link I found other firmware versions, documentation files, etc. This
uncovered many queries that can be used to get the login credentials of all users, saved videos
and pictures, the Wi-Fi password, the configured email and FTP credentials, and finally the
system and access logs. In addition, an intruder can cover his tracks by remotely deleting all
log files, and can also delete all saved videos by remotely formatting the SD card.
Security Impact
Authentication (High)
Authentication here is at high risk, since it can be attacked through various vectors:
o As described in “More Commands”, any internet user can open the link
“http://IP_Address/cgi-bin/hi3510/getuser.cgi” and immediately get a list of all users
who can log in to the IPCamera, along with their passwords. This means that the
password’s strength has no effect on protecting authentication, and anyone
can log in as an administrator or any other user.
o Any hacker can also create a new user, and use this fake account to connect to
the camera as a legitimate user.
o A brute force attack is possible, since there is no limit on the number of failed login
attempts, nor is there a minimum delay to be respected between two failed
attempts.
o A hacker conducting a man-in-the-middle attack can simply run Wireshark to view the
users’ passwords. The passwords of all users are sent as cookies in each packet exchanged
with the IPCamera, encoded in base64 only.
Authorization (High)
Authorization is also at risk, since any logged-in user can change his cookies and set
“authLevel=255” to obtain the highest authorization level and gain administrative
privileges.
Confidentiality (High)
Data exchanged between the administrator and the UI is not encrypted, which means that
any man-in-the-middle can sniff packets and view all the communication in the clear.
Concerning the video stream, the IPCamera uses RTP over UDP and sends the live video
in plaintext as well, allowing any man-in-the-middle to use captured packets to rebuild the
video stream.
Integrity (Medium)
There are no integrity checks on the data exchanged between the user and the IPCamera,
so a man-in-the-middle can easily, and without detection, alter or delete command packets
passing through his computer. He can also modify the video stream without being detected.
Availability (High)
The availability of the service provided by this camera appears to be quite fragile, as fewer
than 1500 SYN packets were enough to cause a denial of service. Generating this amount of
packets does not need powerful computers, so the attack can be conducted by anyone
equipped with suitable software. To recover from this attack, a hard reboot is usually required.
Besides, since the administrator’s password can be changed by sending an unauthenticated,
crafted URL, locking the administrator out of his account, the availability is
proven to be weak.
Privacy (High)
We mentioned earlier the presence of functions that can be called to retrieve all the users’
credentials, the Wi-Fi password, the administrator’s email credentials, and the FTP login
credentials (if applicable). These functions are not accessible to the administrator via the
system settings, nor via other means. Some of these functions are not called or used by the
user interface at all, so one may wonder why they were added.
Proposing solutions
Encryption
A strong encryption system should be implemented to secure the communications between
the connected users and the IPCamera. It is recommended to use HTTPS instead of HTTP
and to use public key certificates; these certificates can be signed by the G_Camera private
certification authority and manually installed by users in their browsers (a one-time
procedure). Although this solution provides a high level of security, it requires a small effort
from the user. An alternative solution would be to use symmetric encryption, using
a strong encryption algorithm with a sufficiently large key (AES, 3-DES …). This key can
be generated and shared using the Diffie-Hellman key exchange algorithm.
Cookies verification
As described before, the server does not verify the authLevel value sent by the user. This is
a server side vulnerability that can be easily solved. By correcting this bug, operators (users
with the lowest privilege level) would no longer have access to the system settings page.
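Here is what that correction looks like in code. This is an added Python example written for this report, not the camera’s firmware (which is not available to us) or code from the vendor: the first function reproduces the weak pattern of trusting a privilege level the client sends back in its cookie, the second keeps the level in a server-side session record that the browser can only reference through an opaque random token, and a third variant signs the level with an HMAC for a server that cannot keep session state. The secret, the user names and the OPERATOR_LEVEL constant are constructed for the example; 255 is the value this report shows the cookie being set to.

```python
import hashlib
import hmac
import secrets

ADMIN_LEVEL = 255      # value the report shows in the tampered cookie
OPERATOR_LEVEL = 1     # constructed placeholder for the lowest level


def vulnerable_is_admin(cookies):
    """Weak pattern: the privilege level is read straight from a client cookie,
    so any logged-in user can rewrite authLevel=255 and become administrator."""
    try:
        return int(cookies.get("authLevel", "0")) == ADMIN_LEVEL
    except ValueError:
        return False


class SessionStore:
    """Hardened pattern: the browser holds only an opaque random token; the
    user's level lives server-side, where the client cannot edit it."""

    def __init__(self):
        self._sessions = {}

    def login(self, username, level):
        token = secrets.token_urlsafe(32)
        self._sessions[token] = {"user": username, "level": level}
        return token

    def level_for(self, cookies):
        record = self._sessions.get(cookies.get("session", ""))
        return None if record is None else record["level"]


def hardened_is_admin(store, cookies):
    # Whatever authLevel the client sends is simply never consulted
    return store.level_for(cookies) == ADMIN_LEVEL


# Stateless alternative: the level travels in the cookie but is bound to a
# server secret with an HMAC, so an edited level fails verification.
COOKIE_KEY = b"constructed-demo-key-not-for-production"


def issue_signed_level(level, key=COOKIE_KEY):
    tag = hmac.new(key, str(level).encode(), hashlib.sha256).hexdigest()
    return f"{level}.{tag}"


def verify_signed_level(cookie, key=COOKIE_KEY):
    """Return the level if the tag matches, otherwise None."""
    try:
        level_str, tag = cookie.split(".", 1)
        level = int(level_str)
    except ValueError:
        return None
    expected = hmac.new(key, level_str.encode(), hashlib.sha256).hexdigest()
    return level if hmac.compare_digest(expected.encode(), tag.encode()) else None


def tamper_demo():
    """An operator logs in, then edits the cookie jar to claim authLevel=255."""
    store = SessionStore()
    token = store.login("operator", OPERATOR_LEVEL)
    cookies = {"session": token, "authLevel": str(ADMIN_LEVEL)}
    signed = issue_signed_level(OPERATOR_LEVEL)
    forged = f"{ADMIN_LEVEL}." + signed.split(".", 1)[1]   # level changed, tag kept
    return {
        "vulnerable_grants_admin": vulnerable_is_admin(cookies),
        "hardened_grants_admin": hardened_is_admin(store, cookies),
        "signed_ok": verify_signed_level(signed),
        "signed_forged": verify_signed_level(forged),
    }


if __name__ == "__main__":
    for name, value in tamper_demo().items():
        print(f"{name}: {value}")
```

The server-side store is the simpler fix for a device like this one, because the camera already has a session; the signed-cookie variant only matters where no state can be kept between requests.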
Enforce Authentication
Many unauthenticated requests are accepted by the IPCamera (creating a new user, …). If
an encryption system is deployed, authenticating the messages with the password will
not be required. However, if it is chosen not to use encryption, then it is highly
recommended to authenticate each message sent to the IPCamera, and to verify the
authentication before returning any value or executing an order.
Secured Streaming
Replacing RTP with SRTP would be a suitable solution for video streaming, since the stream
will be encrypted, which will stop hackers and traffic sniffers from violating the privacy of
the camera users, and enforce the confidentiality of the transmitted bytes.
Add a timestamp
To prevent an attacker from replaying captured encrypted packets, a timestamp should be
attached to each exchanged message, so it can be verified on the server side before
processing the rest of the message content.
Integrity Checks
If the choice is not to encrypt all content, a shared key can be secretly exchanged
and used to attach to each message its HMAC value. This value will be unique for every
message if a salt or a timestamp is involved, which means that besides the integrity check, it
will help mitigate replay attacks.
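The last three proposals (authenticate each message, attach a timestamp, attach an HMAC) fit together into one mechanism, shown here as an added Python example rather than code from this report or the vendor: the sender appends a timestamp, a random nonce and an HMAC over the whole command, and the receiver checks the tag first, then the freshness window, then whether that nonce was already seen, so a captured command cannot be altered or replayed. The shared key, the 30-second window and the command names are constructed for the example; in practice the key would be provisioned per camera.

```python
import hashlib
import hmac
import os
import time

# Constructed key for the example; a real deployment provisions a per-device secret.
SHARED_KEY = b"constructed-demo-key-replace-with-a-provisioned-secret"
MAX_SKEW_SECONDS = 30


def build_message(command, key=SHARED_KEY, now=None, nonce=None):
    """Client side: timestamp|nonce|command|hmac, tag computed over everything before it."""
    ts = int(time.time() if now is None else now)
    nonce_hex = (nonce if nonce is not None else os.urandom(8)).hex()
    body = f"{ts}|{nonce_hex}|{command}".encode()
    tag = hmac.new(key, body, hashlib.sha256).hexdigest()
    return body + b"|" + tag.encode()


class Verifier:
    """Server side: rejects forged, stale and replayed messages, in that order."""

    def __init__(self, key=SHARED_KEY, max_skew=MAX_SKEW_SECONDS):
        self.key = key
        self.max_skew = max_skew
        self.seen = {}          # (timestamp, nonce) -> timestamp, kept for pruning

    def verify(self, wire, now=None):
        now = time.time() if now is None else now
        try:
            body, tag = wire.rsplit(b"|", 1)
            ts_str, nonce, command = body.decode().split("|", 2)
            ts = int(ts_str)
        except ValueError:
            return (False, "malformed")
        # Constant-time compare of the tag before trusting any other field
        expected = hmac.new(self.key, body, hashlib.sha256).hexdigest().encode()
        if not hmac.compare_digest(expected, tag):
            return (False, "bad mac")
        # Freshness: the timestamp must sit inside the allowed clock skew
        if abs(now - ts) > self.max_skew:
            return (False, "stale")
        # Replay: the same timestamp and nonce must not be accepted twice
        if (ts, nonce) in self.seen:
            return (False, "replay")
        self.seen[(ts, nonce)] = ts
        # Forget nonces too old to pass the freshness check anyway
        cutoff = now - self.max_skew
        self.seen = {k: t for k, t in self.seen.items() if t >= cutoff}
        return (True, command)


def demo():
    """Accepted, replayed, tampered and stale messages against one verifier."""
    v = Verifier()
    t0 = 1_440_762_847                      # constructed epoch seconds, August 2015
    msg = build_message("set_video_attr", now=t0, nonce=bytes(8))
    return [
        v.verify(msg, now=t0 + 3),                                        # accepted
        v.verify(msg, now=t0 + 4),                                        # replay
        v.verify(msg.replace(b"set_video_attr", b"reset_camera"), now=t0 + 4),  # tampered
        v.verify(build_message("reboot", now=t0 - 600), now=t0),          # stale
    ]


if __name__ == "__main__":
    for outcome in demo():
        print(outcome)
```

Checking the MAC before the timestamp matters: it means an attacker without the key learns nothing from the server’s replies about which timestamps or nonces it would have accepted.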
Hiding directories
During these tests, hidden directories were very useful to find JavaScript files and other
useful scripts. It is recommended to forbid access to all unnecessary directories, limiting
the potential sources of information leakage.
Reducing functions
Many discovered functions are declared and attached to the service; however, not all of them
are used by the user interface. It would be wise either to delete these functions or to
deny their use, since some of them can lead hackers to infiltrate the administrator
page, or to force the camera to reboot or reset.
Task 3: G_Operator G_MultimediaHub
Introduction
G_Operator G_MultimediaHub is a box that allows users to share files by inserting a
USB stick into it. It also allows playing songs through HiFi speakers, controlling Bluetooth and
NFC devices, and creating a guest Wi-Fi that can be secured with WPA/WPA2. It costs about
80$ and can be found on the official website.
Attack Narrative
The G_MultimediaHub uses an initialization method that is similar to the connected switch’s.
When started, the hub becomes a standalone access point, creating an open Wi-Fi network. Users
start by connecting to this wireless network, and then, when attempting to visit any website,
they are redirected to the G_MultimediaHub’s main page. On this page, there is a list of
available wireless access points. The user chooses his home SSID and enters the Wi-Fi
password. After that, the G_MultimediaHub stops its access point and connects to the home
network. Once connected, any user on the same network can access this hub, access its
shared files, control its paired Bluetooth and NFC devices, and modify all its configuration.
As a first test, I launched Wireshark during the initialization phase, and found out that the
Wi-Fi password is sent in plain text. Sending a password in plain text over an open, unsecured
network is very dangerous, as anyone with a wireless adapter can very easily steal
the home wireless password. Below is a screenshot of the captured packet containing the Wi-Fi
password (it is masked in yellow for confidentiality reasons).
Another weakness is that the G_MultimediaHub’s web page does not require
authentication. Any user connected to the same network can access this hub and its media.
In addition, it is possible to change the hub’s configuration during the initialization
phase. Since the hub can be used to create a wireless access point for guests, there is an
option that, once activated, merges the two networks, meaning that any guest connected to
the guest network will also be connected to the home network, and can access all its connected
devices and media.
Figure 9: G_Operator G_MultimediaHub Wi-Fi password packet
Security Impact
Authentication (High)
There isn’t any authentication mechanism implemented.
Confidentiality (High)
Data exchanged between the users and the UI is not encrypted.
Integrity (High)
None.
Privacy (High)
This hub receives the Wi-Fi password in plaintext over an OPEN network. This allows any
sniffer, no matter how long or strong the Wi-Fi password is, to get access to the home
network, access all data on the multimedia hub, and all the machines connected to that
network.
Proposing solutions
Encryption
The hub should be accessed using HTTPS instead of HTTP, since the hub is used to transfer
shared files.
Protect Wi-Fi password
It would be good to encrypt the password before sending it, or, even better, to create a WPA or
WPA2 network instead of an OPEN one.
Authentication
Add a login page to forbid any connected user from accessing the shared files and paired
devices.
Task 4: Bluetooth
I worked twice on the Bluetooth protocol. The first time was just to understand the protocol,
to prepare the tools and the environment, and the next time was to use the Ubertooth to
sniff Bluetooth packets, and visualize them on Wireshark after configuring and installing
the required plugins.
Protocol Study
Bluetooth 4.0 operates on 79 channels of 1 MHz each, from 2400 MHz to 2483.5 MHz. During
communications, each packet is sent over a different channel: a frequency hopping scheme is used
with around 1600 hops/sec. The communication model is a Master-Slave model,
where the master can communicate with 7 slaves at the same time. It can be on the same
network with 255 slaves; these slaves can be inactive, parked or active. They all share the
master’s clock, and they may become master.
Concerning the security part, the greatest weaknesses are in the key exchange process.
Bluetooth Smart uses a custom key exchange protocol, which is a three stage process.
During the first stage, a confirm value is calculated to make sure both communicating
parties have the same temporary key and established the same random numbers that will
be used later in the process. The second and the third stages are about exchanging the short
and the long term keys. The main issue is with the first stage, during which the temporary
key is determined by one of the three following pairing methods:
o Just Works
o 6-digit PIN
o OOB (Not Broken)
Quoting from the Bluetooth Core Spec: “None of the pairing methods provide protection
against a passive eavesdropper during the pairing process as predictable or easily
established values for TK are used […]” (TK being the “Temporary Key”). When
the devices begin pairing, they start to exchange values in plaintext. These values include
the random numbers, and the confirm value that is calculated at the end of the first stage:
Confirm = AES(TK, AES(TK, rand XOR p1) XOR p2)
All of the values in the previous formula are sent as plaintext except for the TK. If the
pairing method used is “Just Works”, the TK is always 0. If the method is a 6-digit PIN, then
the number of possibilities is 999,999. In this case the TK can be brute forced in less than 1
second. Once the TK is known, it is very simple to find the Short Term Key, then the Long
Term Key, and finally all session keys. This attack is 100% passive: the end user
can never know that someone has broken his key exchange. The only secure way to
exchange long term keys is to pair inside a Faraday cage.
However, there is also an active attack that can force a re-pairing, so that a new long term
key is generated. Since any Bluetooth adapter can act as a slave or as a master, the
Ubertooth can be used as a Bluetooth client and can forge the victim’s MAC address. When
the master wants to establish a connection with the victim’s slave using the long term key,
the attacker increases his transmitted power and tells the master that he does not
have any long term key, requesting a re-pairing. At this stage, the attacker goes
back to sniffing mode and listens to the communications between the master and the
slave, observing how the master starts a re-pairing operation with the real slave, which leads to
finding the long term key.
The only available solutions are either to use OOB as the pairing method, or to use SSP
(Secure Simple Pairing) to exchange and generate the long term key.
Sniffing
There are many free or open source tools and applications to sniff and attack the Bluetooth
protocol. I will list some of the most common of them:
o On Android phones: Bluetooth finder, bt-crawler, Bluescan…
o On Linux: hcitool, BtScanner, Hci lescan…
This is in addition to the Ubertooth open source project. Since an Ubertooth One SDR was
available for us to use, I used this guide [7] to build the project. Later on I installed all the
required dependencies and prepared the environment for using the Ubertooth. After that, I
started sniffing Bluetooth packets on the terminal and installed the Wireshark Bluetooth
plugins.
I could not see the Ubertooth device among the capture interfaces shown in Wireshark; however,
I managed to direct the Ubertooth capture into a “FIFO” file, and then configured this file
as a packet input in Wireshark. Since the plugins were already installed,
Wireshark was immediately able to decode and parse the packets exactly as Ethernet
packets are parsed. Below is a screenshot of the Bluetooth capture I was able to sniff.
(The procedure I followed to bind Wireshark with Ubertooth is described in appendix D.4.)
Figure 10: Bluetooth Wireshark Capture
Task 5: S_Camera
Introduction
The S_Camera Home is a smart IP camera to which additional features were added. It
allows live streaming to the user’s smartphone, and it also sends movement notifications
and alerts. It has an air quality sensor, 2 built-in microphones and one built-in speaker.
These features allow detecting air pollution, whether it comes from outside air or from a baby’s
diapers… They also give users the possibility to talk live with their baby
monitored by this camera, and to play music to help the baby sleep while changing the camera’s
color. It can be ordered from the official website for around 200$. That website also contains
more information concerning the camera’s properties and features.
Footprinting
Hacking the S_Camera Home was a real challenge, as all communications go through the
vendor’s cloud. To start, the S_Camera Home is mainly a home security camera that has more
features than the regular surveillance IP cameras. It can be connected to an iPad to view
the video stream, to listen to live audio through its built-in microphone, to modify
its video settings and configuration, and to control it, meaning you can change its color, make
it play some music…
In a first phase, I discovered that the tablet does not establish any connection with the
camera. All controls and orders sent from the iPad are sent over the internet, and the
video stream is also delivered from the vendor’s servers. The same goes for the camera:
as it does not have a direct connection with the iPad, it sends its video stream over the
internet and receives orders from the servers. Below is a sample illustration.
After further observations, I found out that all communication between the camera and the
cloud is encrypted, as TLS is used. And since I was not authorized to conduct security tests
on the vendor’s servers, I did not find a potential attack vector on those communications.
But when it came to the communications between the tablet and the servers, the video
stream was protected, but not the control orders, meaning that we were able to view the
commands transmitted in plain text, whether they serve to change the color, modify the
music volume, start the music, modify the video settings…
Figure 11: S_Camera Home
Attack Narrative
My first attempt was to create a TCP connection to the same server using the
same destination port. The server did not accept the connection, and so this
attempt failed. So I figured that the server uses only one connection to communicate with
the camera. My goal became to inject packets into this same connection. The
challenge was that the camera sends reports and information to the server every few
seconds, changing the sequence numbers of the connection, and that the “Timestamp”
option was also used. This means that to successfully inject packets, I needed the correct
values of the sequence number, TSval and TSecr.
To mount this attack, I used scapy-radio, an open source project that allows sniffing, crafting
and manipulating packets by controlling the network adapter without going through the
system kernel. This Python-based tool is very powerful since it gives access to all the
fields of the frame before sending it. After getting familiar with the tool’s libraries and built-
in functions, I managed to write the script reproduced at the end of this task.
The function “sniff()” filters the sniffed packets, and for each match it calls the
function “pkt_callback” with the packet as a parameter. In the definition of
“pkt_callback”, I do another filtering, and once I identify a packet sent from the iPad to the
server, I copy its headers into a new packet, modify the sequence number, increase the
timestamp value by 10 ms, and use this new packet to send the information I need.
The attack was more against the TCP protocol than against the camera itself; however, the
fact that the vendor’s servers do not accept more than one TCP connection, and that its
lifetime was measured in hours even when no packets are exchanged, made the camera
vulnerable to this type of attack. In fact, to recover from such an attack, we had to
restart the iPad and wait for more than 12 hours. Even uninstalling and then reinstalling
the iPad application was not enough to start a new connection with the server.
Proposed solution
I would propose adding authentication and integrity to the process by encrypting a hash with
a shared secret key that can be exchanged using any of the previously established TLS
connections. Or, if possible, and since all other communications use TLS, it would be a good
idea to use it also for the camera control plane.
from scapy.all import IP, TCP, send, sniff

def pkt_callback(pkt):
    pkt.show()
    # Only react to segments sent by the iPad (192.168.2.123) towards the server port 5222
    if (pkt[IP].src == "192.168.2.123") and (pkt[TCP].dport == 5222):
        # Rebuild the IP header from the observed packet (flags=2 sets Don't Fragment)
        a = IP(ttl=64, flags=2, src=pkt[IP].src, dst=pkt[IP].dst)
        c = """GET / HTTP/1.1
Host: 192.168.2.1
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Firefox/31.0 Iceweasel/31.6.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: keep-alive
"""
        # Reuse the TCP header, move the sequence number past the observed payload and
        # bump TSval by 10; options[2] is assumed to be the Timestamp option (after two NOPs)
        b = TCP(sport=pkt[TCP].sport, dport=pkt[TCP].dport, seq=pkt[TCP].seq + 209,
                ack=pkt[TCP].ack, flags=pkt[TCP].flags, window=pkt[TCP].window,
                options=[('NOP', None), ('NOP', None),
                         ('Timestamp', (pkt[TCP].options[2][1][0] + 10, pkt[TCP].options[2][1][1]))])
        send(a / b / c)

sniff(iface="wlan1", prn=pkt_callback, filter="ip and tcp and port 5222 and host 192.168.2.123", store=0)
Task 6: Hackathon
Introduction
The Device IOT Excellence Center, after organizing a successful Hackathon (Hack the
Camera) a few months ago, decided to organize a new Hackathon concerned with
home automation: “Hack the Home”. The goal of this Hackathon is to show the public how
dangerous it is to install unsecured connected objects at home, and how important it is
to rely only on tested and verified communication protocols to control the home. (The flyer
for this Hackathon is in appendix D.6.1.)
My roles in this Hackathon were to propose hacking scenarios with the rest of my colleagues,
to configure and test the scenario environment, and to automate all the required human
intervention by coding automation scripts and simulating mobile applications. I also offered
to prepare a couple of cryptography challenges, since I am very experienced in this domain.
Automation scripts
Scanning for networks
In one scenario, I had to scan for a specific Wi-Fi network and, if found, connect to it,
send a packet to the access point, and then disconnect. To do that, I modified the
wpa_supplicant configuration file located in “/etc/wpa_supplicant/wpa_supplicant.conf”. I
removed the auto-update option and manually added the SSID connections I wanted to look for.
I then wrote a bash script that runs in a loop and executes “iwconfig wlan1 down” followed by
“iwconfig wlan1 up” to force the Wi-Fi adapter to keep searching for the specified SSID
and connect to it when found. In every loop, the script tries to ping the access point; if it
gets a reply, it means it is connected to the correct network, and so it launches the Python
script. If it does not receive a response to the ping, it assumes that it is not connected,
and so it sleeps for 1 minute before restarting the scan for the desired SSID. I wrote the
script in a way that it records every output in a log file. To launch this script on boot,
I added the path to my script to the file “rc.local”. The bash script is added in appendix D.6.2.
Emulating android application
I had to automate a user who is using a mobile application to activate a smart switch. To do
that, I had to replay 13 TCP connections while respecting the time interval between each
connection. I launched Wireshark, recorded all the connections, and then wrote a
Python script that opens the connections, sends the packets, and then closes the connections.
Fake SMTP
In another scenario, I had to automate the sending of emails, so that a participant would
establish a man-in-the-middle attack, intercept these emails, and retrieve the attached files.
In order to send such emails, I used sendEmail to communicate with and push emails to a fake
SMTP server I installed on a Linux machine using Python. The corresponding scripts
are described in appendix D.6.3.
Cryptography challenges
To validate some scenarios, participants had to solve cryptography challenges. I made two
challenges. The first one is solved using the common factor vulnerability to crack a
4096-bit certificate. The second is to factorize a 256-bit modulus and calculate the private key.
In addition, there was a third challenge given by Mr. Gwenel, representing “AFTI”.
(The challenges and their solutions are attached in appendix F.6.)
4096 bit challenge
The goal of this challenge was to calculate the private key so participants can decrypt a file
containing a map for a hidden safe, and another encrypted file. The available files are:
- 20 x 4096-bit certificates (2 of them have a common factor)
- Encrypted file
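The common factor weakness behind this challenge is worth seeing in code, because it is also the audit an operator should run over a fleet of device certificates: if two RSA moduli share a prime, one gcd exposes it and both private keys follow. The Python below is an added example, not the challenge files or their solution from appendix F.6; it works on small constructed primes rather than 4096-bit certificates (the arithmetic is the same, Python integers handle either size), and extracting the modulus from a real certificate would need a certificate parser that is not shown here. The moduli, the shared prime and the exponent 65537 are constructed for the example.

```python
from itertools import combinations
from math import gcd

PUBLIC_EXPONENT = 65537

# Constructed toy primes (about 30 bits, not 4096). The second modulus reuses the
# first prime of the first modulus, reproducing the flaw planted in the challenge.
P_SHARED = 1000000007
MODULI = [
    P_SHARED * 1000000009,
    P_SHARED * 998244353,
    1000000033 * 999999937,
    2147483647 * 15485863,
    1299709 * 104729,
]


def find_shared_factors(moduli):
    """Pairwise gcd over the key set; returns (i, j, common_prime) for every hit.
    Quadratic in the number of keys, which is fine for 20 certificates; a
    product-tree batch gcd is the tool for millions of keys."""
    hits = []
    for (i, n1), (j, n2) in combinations(enumerate(moduli), 2):
        g = gcd(n1, n2)
        if 1 < g < n1:          # g == n1 would mean the same key listed twice
            hits.append((i, j, g))
    return hits


def private_exponent(n, p, e=PUBLIC_EXPONENT):
    """With one prime known, the modulus splits and d = e^-1 mod (p-1)(q-1)."""
    q, remainder = divmod(n, p)
    if remainder != 0:
        raise ValueError("p does not divide n")
    phi = (p - 1) * (q - 1)
    return pow(e, -1, phi)       # modular inverse, Python 3.8+


def rsa_roundtrip(n, e, d, m):
    """Encrypt m with the public key and decrypt with the recovered d."""
    return pow(pow(m, e, n), d, n)


def audit(moduli=MODULI):
    """Map each exposed modulus index to (shared prime, recovered private exponent)."""
    exposed = {}
    for i, j, g in find_shared_factors(moduli):
        for idx in (i, j):
            exposed[idx] = (g, private_exponent(moduli[idx], g))
    return exposed


if __name__ == "__main__":
    for idx, (p, d) in sorted(audit().items()):
        print(f"modulus #{idx}: shared prime {p}, recovered d of {d.bit_length()} bits")
```

The same scan over a real key set is cheap enough to run routinely; a single hit means the random number generator that produced those keys was not independent between devices, and every key from that generator is suspect.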
256 bit challenge
For this challenge, participants should extract the modulus from the certificate, and
factorize it to get the private key. This private key will allow them to decrypt a file
containing a lock code for the safe containing the treasure.
Gwenel Challenge
The goal of this challenge was to decrypt a message containing a sequence that should be
used to turn on and off connected light bulbs. The encryption function is provided with the
challenge, so participants can understand it and implement a decrypting function. The
cryptanalysis to be used is based on the Chinese remainder theory.
I solved this challenge as if I was a participant, in order to improve my cryptography skills.
Results
During this hackathon:
- 8 teams of 4 were competing
- 6 schools and 3 big companies were represented
- There was a total of 15 scenarios, 10 of which were successfully hacked
- Each team solved 4 scenarios on average
- More than 150 connected devices were deployed and attacked
- There were more than 46 professional and academic visitors and spectators
As a direct result of the event, IoT device vendors started contacting the DIOTEC to check
whether or not their products had been tested or hacked. Other companies also came with their
connected objects so that we could run security tests and provide them with a full security
assessment.
Task 7: Gnu Radio
Introduction
GNU Radio is a free & open-source software development toolkit that provides signal
processing blocks to implement software radios. It can be used with readily-available low-
cost external RF hardware to create software-defined radios, or without hardware in a
simulation-like environment. It is widely used in hobbyist, academic and commercial
environments to support both wireless communications research and real-world radio
systems.
Installation
There are many methods to install GNU Radio. A user can choose to use a complete build
script [8]. He can choose to manually [9] install the dependencies and all the libraries, and then
compile and install. Or, the easiest way, he can install GNU Radio using PyBombs [10], which
is a graphical tool that installs all dependencies and solves most of the installation problems
that might occur.
Test with HackRF
To get familiar with GNU Radio and with the HackRF, I followed an online tutorial and managed
to build the flow graph that demodulates FM broadcasts and allows listening to the
radio stations. Below is a screenshot of the corresponding GRC graph:
Figure 12: GnuRadio FM receiver
Task 8: Z-Wave
Introduction
Z-Wave is a radio communication protocol that is popular in IoT devices. It uses the
ISM band (868.42 MHz in Europe) and an FSK modulation scheme. Z-Wave is a closed
protocol, owned by Sigma Designs. Developers and users only have access to the
controller’s API, which is provided by Sigma. The only way to get full documentation of
the physical and access layers is by buying a developer kit from Sigma Designs for 3000$
after signing a strict NDA.
Communication
The communication model is based on a Master-Slave model, where the master is called the
controller, and the slaves are the connected devices (nodes). Each controller can be connected
to 129 nodes. The Z-Wave network is identified by its 32-bit HomeID, which is the controller’s
unique ID. All communicating nodes in the same network share the same HomeID, but are
identified by their NodeID, which is the ID provided to them by the controller once they have
joined the network.
To add a node to a controller’s network, a physical human intervention is required. First,
the user should press 3 times on the controller’s inclusion button, so it enters the inclusion
mode and starts listening to joining requests. Just after that, the user should press three
times on the node’s button. The same physical intervention is required during the exclusion
process. Even though Z-Wave’s range can reach up to 50 m, the distance should be less
than 2-3 meters during the inclusion/exclusion process.
During communication, the controller first sends a request to the node, waits for the ACK, then
waits again for the response, and finishes by sending an ACK for the response. Security
is defined in the Z-Wave protocol; however, it is considered an optional feature. Many
articles discuss the security of the Z-Wave protocol, stating that even when security is
implemented, the initial key exchange process is vulnerable since the initialization vector
used to encrypt the first exchanged values is composed of zeros. There were no Z-Wave devices
among the lab devices where security was implemented, so I was not able to verify the
information concerning the key exchange process.
Protocol vulnerabilities
As I said before, security is not mandatory, and therefore rarely implemented, due to
power consumption and computation limitations in the connected objects. This means that once
someone gains access to the access layer of the protocol, he can easily control all Z-Wave
nodes in range.
In addition, according to the Z-Wave protocol, a node cannot be connected to more than one
controller at the same time, so it must be excluded from the first controller before connecting
it to the second. However, on some Z-Wave devices, we were able to disconnect a node 1 from
controller A and connect it to controller B, using only controller B. This can be
dangerous since a social engineer can use his skills to make the user press 3 times on the
node, and connect it to a hacker’s controller.
Existing attack tools
Some Z-Wave capable devices and dongles are provided by sigma design, while others are
SDR devices that were modified or tuned with software to operate on the Z-Wave frequency.
Figure 13: Z-Wave Network [30]
Z-Stick (30$)
The Z-Stick is a Z-Wave controller. It can be connected to any computer so that users and
developers can use its API to control its Z-Wave network.
Users do not have access to the HomeID; they can only include devices. On Windows, the
Aeon Labs IMA Tool allows them to view the nodes that are connected to this controller. I
installed this tool and was able to include and exclude nodes on the controller, and test this
dongle. This is a typical use of the Z-Stick:
I followed a tutorial [11] using C# that allowed me to program this Z-Stick and
become able to control its nodes. This tutorial improved my understanding of the Z-Wave
protocol and made me ready to go further with my attacks. Below is an example that turns
on a Z-Wave switch:
using System;
using System.IO.Ports;

class ZStickDemo
{
    public static void Main()
    {
        // Serial settings of the Z-Stick as seen from the host (COM4 is an example port)
        SerialPort sp = new SerialPort();
        sp.PortName = "COM4";
        sp.BaudRate = 115200;
        sp.Parity = Parity.None;
        sp.DataBits = 8;
        sp.StopBits = StopBits.One;
        sp.Handshake = Handshake.None;
        sp.DtrEnable = true;
        sp.RtsEnable = true;
        sp.NewLine = System.Environment.NewLine;
        sp.Open();
        byte nodeId = 0x06; // 6 is an example
        // Set state to 0xFF to turn the device on and 0x00 to turn it off
        byte state = 0xFF; // On
        // SOF, length, request, ZW_SEND_DATA, node, data length, Basic class, Set, value, TX options, checksum
        byte[] message = new byte[] { 0x01, 0x09, 0x00, 0x13, nodeId, 0x03,
                                      0x20, 0x01, state, 0x05, 0x00 };
        message[message.Length - 1] = GenerateChecksum(message);
        sp.Write(message, 0, message.Length);
        sp.Close();
    }

    // Not part of the tutorial snippet as reproduced above: the Z-Wave Serial API checksum
    // is the XOR of every byte between the SOF and the checksum byte, seeded with 0xFF.
    static byte GenerateChecksum(byte[] frame)
    {
        byte checksum = 0xFF;
        for (int i = 1; i < frame.Length - 1; i++)
            checksum ^= frame[i];
        return checksum;
    }
}
Figure 14: Z-Stick typical use case [27]
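To make the byte layout of that frame concrete, here is an added Python example (not the tutorial’s or this report’s code) that builds the same Basic Set frame, computes the Serial API checksum that the snippet’s GenerateChecksum stands for, and parses a frame back while rejecting a bad length or checksum, which is the check a host program should make on every frame it reads from the dongle before acting on it. The constant names are inferred from the byte values in the snippet (0x13 for the send-data function, 0x20 for the Basic command class, 0x01 for Set, 0x05 for the transmit options); the node id used is the same example value 6.

```python
SOF = 0x01                 # start of a data frame
REQUEST = 0x00             # frame type: request (responses use 0x01)
FUNC_ZW_SEND_DATA = 0x13   # Serial API function: send a command to a node
CC_BASIC = 0x20            # Basic command class
BASIC_SET = 0x01           # Basic Set command
TX_OPTIONS = 0x05          # transmit options, as in the snippet above


def checksum(frame_after_sof):
    """Z-Wave Serial API checksum: XOR of every byte after the SOF, seeded with 0xFF."""
    value = 0xFF
    for b in frame_after_sof:
        value ^= b
    return value


def build_basic_set(node_id, on):
    """Frame that sets node_id to on (0xFF) or off (0x00); same layout as the snippet."""
    if not 1 <= node_id <= 0xFF:
        raise ValueError("node id must fit in one byte and be non-zero")
    payload = bytes([CC_BASIC, BASIC_SET, 0xFF if on else 0x00])
    body = (bytes([REQUEST, FUNC_ZW_SEND_DATA, node_id, len(payload)])
            + payload + bytes([TX_OPTIONS]))
    # The length byte counts everything after itself, checksum included
    frame = bytes([len(body) + 1]) + body
    return bytes([SOF]) + frame + bytes([checksum(frame)])


def parse_frame(raw):
    """Validate a frame read from the dongle and split it into its fields.
    Raises ValueError on anything the host should reject rather than act on."""
    if len(raw) < 5 or raw[0] != SOF:
        raise ValueError("not a data frame")
    if len(raw) != raw[1] + 2:
        raise ValueError("length field does not match the frame size")
    if checksum(raw[1:-1]) != raw[-1]:
        raise ValueError("checksum mismatch")
    return {"type": raw[2], "func": raw[3], "params": raw[4:-1]}


def decode_basic_set(frame):
    """Inverse of build_basic_set: returns (node_id, on) or raises ValueError."""
    fields = parse_frame(frame)
    if fields["type"] != REQUEST or fields["func"] != FUNC_ZW_SEND_DATA:
        raise ValueError("not a send-data request")
    params = fields["params"]
    node_id, data_len = params[0], params[1]
    data = params[2:2 + data_len]
    if len(data) != data_len or data[:2] != bytes([CC_BASIC, BASIC_SET]):
        raise ValueError("not a Basic Set command")
    return node_id, data[2] == 0xFF


if __name__ == "__main__":
    frame = build_basic_set(6, True)
    print(" ".join(f"{b:02X}" for b in frame))
    print(decode_basic_set(frame))
```

Validating the length and checksum on inbound frames is what keeps a host program from acting on a truncated or corrupted report from the controller; the same routine doubles as a self-check for frames before they are written to the serial port.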