With the emergence of IoT, which stands for Internet of Things, our daily life is being convenient more than ever. IoT market today grow continuously. To manage a plethora of IoT devices at once, it is changing to the way to control all IoT devices easily and conveniently, rather than operating IoT devices independently. Since the IoT Hub can control the connected IoT devices, it is at high risk for serious damage such as malicious control by an attacker, privacy invasion, leakage of personal information in case of security breaches. We will present the overall process of exploitation in IoT hub from acquiring root shells to analyzing the multiple IoT Hub firmware for showing how we derive the vulnerabilities. We made a data flow diagram(called as DFD) through the network packet analysis, firmware analysis, security threats we defined, and vulnerabilities. Subsequently, We will also discuss the vulnerabilities found in recently commercialized IoT Hub, and introduce the critical threats that could be derived from the vulnerabilities. Finally we will show the live demonstration of the full-chain exploitation scenarios in smart home such as “opening door lock, sniffing password and Eavesdropping through the device's microphone control”. By doing so, we will contribute improvement of the security of IoT Network and smart home with the awareness of the threats of IoT Hub.

1. I KNOW WHAT YOU DID LAST NIGHT
Pwning The State-Of-The-Art the IoT Hub

2. About us
Jisub Kim
Offensive Security Researcher
Web Security, Embedded Security
Playing CTF with $wag
Hongryeol Lim
Offensive Security Researcher
Embedded security, Network Security

3. Introducing the IoT Hub

4. What is IoT Hub?
IoT Hub

5. MOTIVATION

6. IoT Market Share
Ref. Fobes

7. Extra Attack Surface
exploit
Dominate Home IoT Network

8. Choice Vendor
1. Market ratio 2. Preference
Not
Found
Amazon
best seller
Not
Found
- Corp. P
- Corp. W
- Corp. S
Domestic
Mobile Carrier
Choice vendor
- Corp. L
- Corp. K
- Corp. S
Choice vendor3.ManyIoTSeller
abroad
Korean
domestic
Not
Found

9. Getting Firmware

10. Our Plan
• Released on website
• Firmware provisioning
• Serial communication
• Etc.

11. Released on website
• Provides firmware publicly
• depends on vendors

12. Firmware provisioning
Ref) Hacking SSL with ssl strip, Black Hat 2009
Update Server
IoT Hub
Getting firmware link when firmware is updating
SSL Strip

13. Serial Communication
• Used for debugging embedded systems
Trying to JTAG
connection
UART
Connection
Find UART pin

14. Our plan
• Released on website
• Firmware provisioning
• Serial Communication
• Etc.

15. Our plan
• Released on website
• Firmware provisioning
• Serial Communication
• Desoldering
• Side channel attack

16. Desoldering
• Removal of solder and components from a PCB using Heat gun
• Very hazardous, it needs very skillful technique
Heat gun

17. Desoldering : eMMC
• The structure of SD Card and eMMC are similar
• Can SD Card reader read it ?
eMMC Pinout SD Card Pinout
eMMC SD Card
DATA 0, 1, … DATA 0, 1, …
VSS VSS
VCC VCC
VDD VDD
CLK CLK
CMD CMD
… …
Pinout Name

18. Desoldering : eMMC
• Attempt to connect to the same pin as SD card in eMMC
Connect the same pin Try to read

19. Desoldering : eMMC
• Attempt to connect to the same pin as SD card in eMMC
• But.. The connection failed
Connect the same pin Try to read

20. Desoldering : eMMC
Mount the extracted eMMC And it works!

21. Desoldering : NAND Flash
Desoldering NAND Flash Extracted NAND Flash

22. Desoldering : NAND Flash
• Materialize the SPI Commuication using GPIO pins of RasPi
Connect to NAND Flash with Ras-PiNAND Flash Pinout
Ref) Reverse Engineering Flash Memory for Fun and Benefit, Black Hat 2014

23. • Materialize the SPI Communication using GPIO pins of RasPi
Desoldering : NAND Flash
Ref) Reverse Engineering Flash Memory for Fun and Benefit, Black Hat 2014

24. Desoldering : NAND Flash
• We could see the string FCB which is a block signature of NAND
flash memory
Extracted data from NAND Flash
* FCB: Flash Control Block

25. Desoldering : NAND Flash
• Through binwalk, We checked the firmware in dump.bin
Binwalk Results for dump.bin

26. Side channel attack
Different security techniques depending on vendor

27. Side channel attack
U-Boot
CFE
Other
Redboot
RouterBOOT
BOOTLOADER SHARE
https://wikidevi.com/wiki/Property:Stock_bootloader/full
Most hubs were using U-Boot

28. Side channel attack
Memory
Loading stored
kernel images
Kernel Memory Load,
file system mount
EmbeddedBootProcess
Boot loader
Flash memory
Initialize
peripheral device
U-Boot boot loader
Initialization task
main_loop()
cli_loop
main_loop()
OS Boot
If fail
run_preboot
bootdelay
cli_loop
autoboot_
command
Returnto
CustomShell!

29. Side channel attack
Memory map is overwritten
when autoboot_command is executed
U-Boot Start OS Boot
Main_loop DOES NOT HANDLE the return value

30. Side channel attack
Make an error through glitching Got the shell, CVE-2018-19916
Ref) http://colinoflynn.com/2016/07/getting-root-on-philips-hue-bridge-2-0/

31. Define Attack
Surface

32. For effective analysis
• Well-defined attack surface
• Detailed threat modeling
• Understanding data flow

33. Data Flow Diagram (DFD)

34. STRIDE
Element of DFD Spoofing Tampering Repudiation
Information
disclosure
Denial of
Service
Elevation of
Privilege
External Entity × × × × × ×
Data Store × ×
Process × × × × ×
Data Flow × × ×
Total 2 12 4 15 7 2

35. Attack Library

37. And then?
• We are going to talk about some of the interesting 0-days that
we have included in our attack library

38. Scenario

39. Scenario
• Hack your home !
• Love is an open door
• Control plugs
• Change door lock password
• Eavesdropping

40. Scenario
Change door lock password and eavesdropping magic show
exploit
Dominate Home IoT Network

42. Scenario : Eavesdropping
Eavesdropping in IoT Hub

43. Scenario : Eavesdropping
• Some Hubs have a microphone for voice recognition
• We can upload a plug-in to the hub
• Can we tap the sounds via this function?
Eavesdropping in IoT Hub

44. Scenario : Eavesdropping
• To use microphone, we decompiled and analyzed voice
recognition plug-in
Decompile Voice Recognition plug-in Part of the code activating the microphone
Eavesdropping in IoT Hub

45. Scenario : Eavesdropping
• We analyzed the data sent to the server to get the voice
recognition result
Use i2s to get the microphone's raw buffer The process of sending the data buffer to the server
Eavesdropping in IoT Hub

46. Scenario : Eavesdropping
• In the previous process, we simply made plug-in for
eavesdropping
Create VoiceSnifffer.java
: client’s Accept function for server socket
: Create stream that can write socket
: Use i2s to get the microphone's raw buffer
: Write the raw buffer to the stream
: ServerSocket using port 3000 created before the function
Eavesdropping in IoT Hub

47. Scenario : Eavesdropping
• I KNOW WHAT YOU DID LAST NIGHT
• $ nc [HUB-IP] 3000 | play –t raw –r 48k –e signed –b 16 –c 2 –
Eavesdropping in IoT Hub

48. Attention please ~

49. Countermeasure

50. Countermeasure
• If hub had no bounty → Only company analyzes vulns
• If hub had bounty → Company + hackers analyze vulns
• The company can cooperate with hackers all over the world
• Eliminate the threats in advance!

51. Countermeasure
START BUG BOUNTY!

52. Bug bounty : A hacker’s view
• Just for fun, money, and honor
• Not discovered vuln will be a challenge for hackers
• They can make money by finding a bug

53. Bug bounty : A developer’s view
• Improve security products via the bug reported by hackers
• Learn through the collected bug report
• They can make hackers around the world your helper

54. Conclusion

55. Conclusion
• IoT hub is getting safer
• But there are still many vulnerabilities
• For hackers, finding vulnerability will be a new challenge
• For developers, they will be an opportunity
• Cooperation between hackers and developers could create the
world safer.

56. Hongryeol Lim (arcadia@aias.io, @arcadia0moon)
Jisub Kim (plumssi9@gmail.com, @JisubK)
T H A N K Y O U

57. Mentor of Pwnhub
• Jongho Lee (@hellsonic)
• RAON SECURE
• DEFCON Winner, DEFKOR
• Kitaek Lee (@zizihacker)
• SAMSUNG R&D
• Offensive Security Researcher
• Uiseong Park (@zairo)
• RAON SECURE
• Security Researcher
• Hanbyeol Ji (@onestar)
• RAON SECURE
• Security Consultant

58. Member of Pwnhub
• Jisub Kim (@jskim)
• Dongyoung Kim (@KDY)
• Hakjin Kim (@eunice)
• Kanghyun Choi (@b4sh5i)
• Sujeong Bang
• Hongryeol Lim (@arcadia)
• Jinho Jo (@wwwlk)

59. Special thanks to
• @2doll
• @HACKTAGON