Embedded device security is an issue of global importance, and one that has grown exponentially over the last few years. Because of their slow patch cycles and the increasing difficulty of exploiting other,more traditional platforms, they have quickly become a favorite target for researchers and attackers alike. While deeply fragmented, each country has its own unique “footprint” of these devices on the Internet, based largely on the embedded devices distributed by major ISPs. We will use our survey of Japanese devices as an example of how, by fingerprinting and examining popular devices on a given country's networks, it is possible for an attacker to very quickly go from zero knowledge to widespread remote code execution. During this talk, we provide an in-depth analysis of various routers and modems provided by popular Japanese ISPs, devices which we had never heard of on networks we had never used . We discuss how we approached surveying approximate market usage, reverse engineering obfuscated and encrypted firmware images, performing vulnerability analysis on the recovered binaries, and developing of proof-of-concept exploits for discovered vulnerabilities, all from the United States. In addition, we provide recommendations as to how ISPs and countries might begin to address the serious problems introduced by these small but important pieces of the Internet. All vulnerabilities discovered were promptly and responsibly disclosed to affected parties.

1. Embedded Security in the
Land of the Rising Sun
Ben Schmidt (presenter) // @_supernothing
Lord Commander of Security Research @NarfIndustries
Paul Makowski (assistant to the presenter) // @myhndl
Director of World Domination @NarfIndustries

2. this talk: Japanese router hacking
● motivation
● 0knowledge to 0day
● landscape
● attack surface
● vulnerabilities
● exploitation demos
● remediation

3. why hack Japanese routers?
● comparatively little public research
● who doesn’t loves junk hacking?*
● in seriousness, these routers matter a lot
o there are many listening on WAN
o they run notoriously insecure software
* the answer is Dave Aitel: https://lists.immunityinc.com/pipermail/dailydave/2014-September/000746.html
← top countries with hosts listening on
WAN port 1900 (UPnP default).
● Japan is #4
● more on UPnP later

4. 0knowledge to 0day
* there’s still plenty we don’t know
● when we started, we knew nothing about the
Japanese router landscape*
● barriers: language, infrastructure, hardware
acquisition & testing
we hope we don’t set
ourselves on fire...

5. 0knowledge to 0day
● mostly cultural, few technical obstacles
mitigation enabled? good for us?
full ASLR (including PIE) no
NX / DEP? mostly no
stack or heap cookies mostly yes
Such security, many lulz, wow

6. landscape
● a boatload of:
o routers
o modems
o wifi hotspots
o webcams
o internet-connected picture frames
o … much more

7. landscape, con’t
many manufacturers; this is a small sample
(likely)
corp
how to ID models protections good for
us?
OKI distributed as .bin, is actually .tar.gz, contains
ROOTIMG.BIN which is several JFFS2 partitions
XXXXXXXXXXX
XXXXXXXXXXX
XXXXXXXXXXX
XXXXXXXXXXX
...
none

8. landscape, con’t
many manufacturers; this is a small sample
(likely)
corp
how to ID models protections good for
us?
Buffalo binary blob, begins with “bgn” XXXXXXXXXXX
XXXXXXXXXXX
XXXXXXXXXXX
XXXXXXXXXXX
...
encrypted,
(slightly)
modified
RC4 w/ static
key “Buffalo”
Watch https://narfindustries.com/codeblue2014 for more complete list.

9. attack surface
● HTTP
o frequently LAN-facing
● FTP
● …
● UPnP
o frequently WAN-facing

10. speaking of UPnP...
Security Flaws in UPnP:
Unplug, Don’t Play, Rapid7

11. Security Flaws in UPnP:
Unplug, Don’t Play, Rapid7
speaking of UPnP...
we looked here

12. ● Shodan
o 3mil hosts in Japan
o almost none anywhere else
● our research
o ~200,000 hosts in Japan at
any single time
● What would you do with a
200,000+ botnet?
our favorite UPnP daemon: XXXXXX

13. our favorite UPnP daemon: XXXXXX
● case study: CompSci security 101
● every vulnerability you can imagine,
everywhere feasible
o stack & heap buffer overflows
! memcpy, strcpy, sprintf, oh my!
o path traversal
! download passwords in config files
o command injection

14. spot-the-vuln(s)
our favorite UPnP daemon: XXXXXX
attacker controlled
attacker controlled

15. spot-the-vuln(s)
our favorite UPnP daemon: XXXXXX
...here
buffer is overflown...
attacker controlled
attacker controlled

16. spot-the-vuln(s)
our favorite UPnP daemon: XXXXXX
...here
oh
yeah
and
here
too
buffer is overflown...
attacker controlled
attacker controlled

17. spot-the-vuln(s)
our favorite UPnP daemon: XXXXXX
...herebut why try
harder?
root command
injection...
...here
oh
yeah
and
here
too
buffer is overflown...
attacker controlled
attacker controlled

18. spot-the-vuln(s)
our favorite UPnP daemon: XXXXXX
...here
oh
yeah
and
here
too
but why try
harder?
root command
injection...
...here
also
here
buffer is overflown...
attacker controlled
attacker controlled

19. our favorite UPnP daemon: XXXXXX
in other words…
● 4 lines
● 4 remotely
exploitable
vulnerabilities

20. demo: UPnP command injection

22. HTTP: signedness confusion
1. specify a negative Content-Length
2. sanity check does a signed comparison
o the check passes
3. scanf() promotes int to unsigned, copies length
specified
4. overflow heap buffer
5. ???
6. profit

23. demo: HTTP signedness confusion
import socket
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((“192.168.1.1”, 2869))
s.send('GET AAAArnContent-Length: -34rnrn')
s.close()

24. HTTP: path traversal
1. http://192.168.1.1:2869/../SuperSecretStuff
2. ???
3. profit
seriously.

25. demo: HTTP path traversal
import requests
print requests.get('http://192.168.1.1:2869/../mainConfig.xml').text

26. why this matters
● what to do with 200,000 home routers?
o violate privacy, capture all traffic
o impersonate victims
o man-in-the-middle, exploit end hosts
o use as basis for covert infrastructure, misattributing
further attacks
o cripple national infrastructure through DDoS attacks

27. more Japanese statistics
● 200,000+: number of routers / modems running the
discussed vulnerable UPnP service on WAN
● 500,000+: number of devices running a UPnP daemon
and listening on WAN on the default port
o can be used to map internal ports, expose additional vulns
● 1,700,000+: number of devices running an HTTP
daemon and listening on WAN on the default port
o 93,000+ of these are not running either Apache or IIS

28. remediation
● patching vulns is a non-starter
o there’s too many, no one cares to find them all
● what we’ve demonstrated is only the
beginning
o seriously, we ctrl-f’ed for system()... profit
● need to start over

29. remediation: manufacturers (1/3)
● use modern exploit mitigations
o userspace: NX / DEP, ASLR*, stack / heap
hardening
o kernelspace: grsecurity
● fail closed: default settings matter
o don’t listen to anything on WAN by default
o if remote admin is required by the customer, require
key-based authentication
(e.g. SSH, CWMP/TR-069 or similar)
* This means PIE. Binaries that are not PIE are not full ASLR.
Anything less than full ASLR is mostly pointless.

30. remediation: manufacturers (2/3)
● privilege separation
o there is no reason to run everything as root*
● sandbox everything: seccomp_bpf()
o Why is your UPnP daemon able to install kernel
modules or read / write outside of its home?
● don’t implement your own HTTP / FTP /
UPnP/ Gopher / whatever service
o obscurity < audited code* Laziness doesn’t count.
It’s 2014; attackers have a lot to gain, you have a lot to lose and embedded devices are often the lowest hanging fruit.

31. remediation: manufacturers (3/3)
● deter physical access
o cut unnecessary debug ports, no JTAG, no serial
o limited effect on determined attackers
● make analysis difficult
o firmware encryption & signing
● scope the set of possible vulnerabilities
o if you must write your own software, why not write it
in Python or Ruby?

32. things that don’t work
● security through obscurity
o yes, someone* has figured out how to extract
YetAnotherObscureFileSystem
● outmoded threat models / thinking your
software isn’t interesting
o attackers target more than end hosts
o there is plenty (sometimes more) value in pwning
infrastructure
* The contributors and projects behind binwalk (https://github.com/devttys0/binwalk) to be specific.

33. remediation: end users
● firewall everything
o only sane approach is to assume compromise on
seldom-updated embedded devices such as
modems and routers
o the catch: many of these embedded devices are
between you and the Internet
● whenever possible, run custom firmware
o let someone else be the easiest target

34. conclusions
● there needs to be more (public) research interest in
Japanese infrastructure
● cultural barriers are surmountable even by curious
people in their spare time
o we conducted this research from the US, without direct access
to Japanese infrastructure or devices
o determined attackers will hardly be slowed
● the fixes are not simple
o vulnerabilities are numerous
o problems run deep

35. thanks
● Google translate
● Yahoo! auctions
● Icons licensed under CC BY 3.0:
o router, modem, wifi, webcam, question mark, flame
by flaticon.com user Freepik
o picture frame by flaticon.com user Icomoon
o thumb’s up by flaticon.com user Amit Jakhu
o video camera by flaticon.com user

36. questions?
?Want to learn more?
Narf offers custom embedded device security training classes in Japanese &
English. Material is licensed & translated from TacNetSol’s world-renowned
EDE course.
For more information, visit our website:
https://narfindustries.com/index.php?id=training