Embedded device security is an issue of global importance, and one that has grown exponentially over the last few years. Because of their slow patch cycles and the increasing difficulty of exploiting other,more traditional platforms, they have quickly become a favorite target for researchers and attackers alike. While deeply fragmented, each country has its own unique “footprint” of these devices on the Internet, based largely on the embedded devices distributed by major ISPs. We will use our survey of Japanese devices as an example of how, by fingerprinting and examining popular devices on a given country's networks, it is possible for an attacker to very quickly go from zero knowledge to widespread remote code execution.
During this talk, we provide an in-depth analysis of various routers and modems provided by popular Japanese ISPs, devices which we had never heard of on networks we had never used . We discuss how we approached surveying approximate market usage, reverse engineering obfuscated and encrypted firmware images, performing vulnerability analysis on the recovered binaries, and developing of proof-of-concept exploits for discovered vulnerabilities, all from the United States. In addition, we provide recommendations as to how ISPs and countries might begin to address the serious problems introduced by these small but important pieces of the Internet.
All vulnerabilities discovered were promptly and responsibly disclosed to affected parties.
The 7 Things I Know About Cyber Security After 25 Years | April 2024
CODE BLUE 2014 : Embedded Security in The Land of the Rising Sun by BEN SCHMIDT & PAUL MAKOWSKI
1. Embedded Security in the
Land of the Rising Sun
Ben Schmidt (presenter) // @_supernothing
Lord Commander of Security Research @NarfIndustries
Paul Makowski (assistant to the presenter) // @myhndl
Director of World Domination @NarfIndustries
2. this talk: Japanese router hacking
● motivation
● 0knowledge to 0day
● landscape
● attack surface
● vulnerabilities
● exploitation demos
● remediation
3. why hack Japanese routers?
● comparatively little public research
● who doesn’t loves junk hacking?*
● in seriousness, these routers matter a lot
o there are many listening on WAN
o they run notoriously insecure software
* the answer is Dave Aitel: https://lists.immunityinc.com/pipermail/dailydave/2014-September/000746.html
← top countries with hosts listening on
WAN port 1900 (UPnP default).
● Japan is #4
● more on UPnP later
4. 0knowledge to 0day
* there’s still plenty we don’t know
● when we started, we knew nothing about the
Japanese router landscape*
● barriers: language, infrastructure, hardware
acquisition & testing
we hope we don’t set
ourselves on fire...
5. 0knowledge to 0day
● mostly cultural, few technical obstacles
mitigation enabled? good for us?
full ASLR (including PIE) no
NX / DEP? mostly no
stack or heap cookies mostly yes
Such security, many lulz, wow
6. landscape
● a boatload of:
o routers
o modems
o wifi hotspots
o webcams
o internet-connected picture frames
o … much more
7. landscape, con’t
many manufacturers; this is a small sample
(likely)
corp
how to ID models protections good for
us?
OKI distributed as .bin, is actually .tar.gz, contains
ROOTIMG.BIN which is several JFFS2 partitions
XXXXXXXXXXX
XXXXXXXXXXX
XXXXXXXXXXX
XXXXXXXXXXX
...
none
8. landscape, con’t
many manufacturers; this is a small sample
(likely)
corp
how to ID models protections good for
us?
Buffalo binary blob, begins with “bgn” XXXXXXXXXXX
XXXXXXXXXXX
XXXXXXXXXXX
XXXXXXXXXXX
...
encrypted,
(slightly)
modified
RC4 w/ static
key “Buffalo”
Watch https://narfindustries.com/codeblue2014 for more complete list.
11. Security Flaws in UPnP:
Unplug, Don’t Play, Rapid7
speaking of UPnP...
we looked here
12. ● Shodan
o 3mil hosts in Japan
o almost none anywhere else
● our research
o ~200,000 hosts in Japan at
any single time
● What would you do with a
200,000+ botnet?
our favorite UPnP daemon: XXXXXX
13. our favorite UPnP daemon: XXXXXX
● case study: CompSci security 101
● every vulnerability you can imagine,
everywhere feasible
o stack & heap buffer overflows
! memcpy, strcpy, sprintf, oh my!
o path traversal
! download passwords in config files
o command injection
16. spot-the-vuln(s)
our favorite UPnP daemon: XXXXXX
...here
oh
yeah
and
here
too
buffer is overflown...
attacker controlled
attacker controlled
17. spot-the-vuln(s)
our favorite UPnP daemon: XXXXXX
...herebut why try
harder?
root command
injection...
...here
oh
yeah
and
here
too
buffer is overflown...
attacker controlled
attacker controlled
18. spot-the-vuln(s)
our favorite UPnP daemon: XXXXXX
...here
oh
yeah
and
here
too
but why try
harder?
root command
injection...
...here
also
here
buffer is overflown...
attacker controlled
attacker controlled
19. our favorite UPnP daemon: XXXXXX
in other words…
● 4 lines
● 4 remotely
exploitable
vulnerabilities
22. HTTP: signedness confusion
1. specify a negative Content-Length
2. sanity check does a signed comparison
o the check passes
3. scanf() promotes int to unsigned, copies length
specified
4. overflow heap buffer
5. ???
6. profit
26. why this matters
● what to do with 200,000 home routers?
o violate privacy, capture all traffic
o impersonate victims
o man-in-the-middle, exploit end hosts
o use as basis for covert infrastructure, misattributing
further attacks
o cripple national infrastructure through DDoS attacks
27. more Japanese statistics
● 200,000+: number of routers / modems running the
discussed vulnerable UPnP service on WAN
● 500,000+: number of devices running a UPnP daemon
and listening on WAN on the default port
o can be used to map internal ports, expose additional vulns
● 1,700,000+: number of devices running an HTTP
daemon and listening on WAN on the default port
o 93,000+ of these are not running either Apache or IIS
28. remediation
● patching vulns is a non-starter
o there’s too many, no one cares to find them all
● what we’ve demonstrated is only the
beginning
o seriously, we ctrl-f’ed for system()... profit
● need to start over
29. remediation: manufacturers (1/3)
● use modern exploit mitigations
o userspace: NX / DEP, ASLR*, stack / heap
hardening
o kernelspace: grsecurity
● fail closed: default settings matter
o don’t listen to anything on WAN by default
o if remote admin is required by the customer, require
key-based authentication
(e.g. SSH, CWMP/TR-069 or similar)
* This means PIE. Binaries that are not PIE are not full ASLR.
Anything less than full ASLR is mostly pointless.
30. remediation: manufacturers (2/3)
● privilege separation
o there is no reason to run everything as root*
● sandbox everything: seccomp_bpf()
o Why is your UPnP daemon able to install kernel
modules or read / write outside of its home?
● don’t implement your own HTTP / FTP /
UPnP/ Gopher / whatever service
o obscurity < audited code* Laziness doesn’t count.
It’s 2014; attackers have a lot to gain, you have a lot to lose and embedded devices are often the lowest hanging fruit.
31. remediation: manufacturers (3/3)
● deter physical access
o cut unnecessary debug ports, no JTAG, no serial
o limited effect on determined attackers
● make analysis difficult
o firmware encryption & signing
● scope the set of possible vulnerabilities
o if you must write your own software, why not write it
in Python or Ruby?
32. things that don’t work
● security through obscurity
o yes, someone* has figured out how to extract
YetAnotherObscureFileSystem
● outmoded threat models / thinking your
software isn’t interesting
o attackers target more than end hosts
o there is plenty (sometimes more) value in pwning
infrastructure
* The contributors and projects behind binwalk (https://github.com/devttys0/binwalk) to be specific.
33. remediation: end users
● firewall everything
o only sane approach is to assume compromise on
seldom-updated embedded devices such as
modems and routers
o the catch: many of these embedded devices are
between you and the Internet
● whenever possible, run custom firmware
o let someone else be the easiest target
34. conclusions
● there needs to be more (public) research interest in
Japanese infrastructure
● cultural barriers are surmountable even by curious
people in their spare time
o we conducted this research from the US, without direct access
to Japanese infrastructure or devices
o determined attackers will hardly be slowed
● the fixes are not simple
o vulnerabilities are numerous
o problems run deep
35. thanks
● Google translate
● Yahoo! auctions
● Icons licensed under CC BY 3.0:
o router, modem, wifi, webcam, question mark, flame
by flaticon.com user Freepik
o picture frame by flaticon.com user Icomoon
o thumb’s up by flaticon.com user Amit Jakhu
o video camera by flaticon.com user
36. questions?
?Want to learn more?
Narf offers custom embedded device security training classes in Japanese &
English. Material is licensed & translated from TacNetSol’s world-renowned
EDE course.
For more information, visit our website:
https://narfindustries.com/index.php?id=training
Editor's Notes
We conducted this research for fun in our spare time and was done in the US, without direct access to Japanese infrastructure or devices.
We wanted to better understand the devices that we come into contact with in Japan.
Comment on how it’s Yahoo Auctions, not eBay in Japan.
hacking like it’s 1999
Stack hardening is due to using a semi-recent GCC.
Heap hardening is due to linking against a semi-recent glibc.
In neither case, do we expect these mitigations to have been purposefully added.
We decided to look at devices running on a particular major Japanese telecom company.
We went with the lowest hanging fruit.
A determined attacker with more malicious intent would not be deterred by obfuscation.
Only true solution is firmware encryption + signing coupled with physical access hardening.
We went with the lowest hanging fruit.
A determined attacker with more malicious intent would not be deterred by obfuscation.
Only true solution is firmware encryption + signing coupled with physical access hardening.
The Rapid7 report is based on data from IPv4-wide scanning conducted in the 2nd half of 2012.
The report’s takeaway was that UPnP is universally poorly implemented, recommended to firewall off UPnP requests from WAN.
The report did not identify several indigenous Japanese implementations, possibly because the banners are difficult to identify and/or the daemons run on non-standard ports (not 1900).
If Rapid7’s research did hit the Japanese routers we studied, they would fall into “other”, but the report did not dive into any vulnerabilities against these devices.
We actually ran into bug-collision scenarios attempting to write proof of concepts for some of the vulns discussed.
Multiple vulnerabilities in series in the same code path prevented us from gain code execution in at least one case.
Don’t try to fix this UPnP daemon. Burn it with fire.