With the emergence of the Internet of Things (IoT), daily life is more convenient than ever, and the IoT market keeps growing. To manage a plethora of IoT devices at once, the trend is shifting away from operating each device independently and toward controlling all of them easily and conveniently through a single IoT hub. Because the hub controls every connected device, a security breach puts it at high risk of serious damage: malicious control by an attacker, privacy invasion, and leakage of personal information.
We will present the overall process of exploiting an IoT hub, from acquiring a root shell to analyzing the firmware of multiple IoT hubs, to show how we derived the vulnerabilities. We built a data flow diagram (DFD) from network packet analysis and firmware analysis, and mapped the security threats we defined and the vulnerabilities we found onto it. We will also discuss the vulnerabilities found in recently commercialized IoT hubs and introduce the critical threats that could be derived from them.
Finally, we will give a live demonstration of full-chain exploitation scenarios in a smart home, such as opening a door lock, sniffing a password, and eavesdropping by controlling the device's microphone. By doing so, we aim to contribute to improving the security of IoT networks and smart homes by raising awareness of the threats posed by the IoT hub.
[CB19] I KNOW WHAT YOU DID LAST NIGHT : Pwning The State-Of-The-Art the IoT Hub by Hongryeol Lim, Jisub Kim
1. I KNOW WHAT YOU DID LAST NIGHT
Pwning The State-Of-The-Art the IoT Hub
2. About us
Jisub Kim
Offensive Security Researcher
Web Security, Embedded Security
Playing CTF with $wag
Hongryeol Lim
Offensive Security Researcher
Embedded security, Network Security
8. Choice Vendor
Selection criteria: 1. Market ratio 2. Preference 3. Many IoT sellers
• Amazon best seller (abroad): Corp. P, Corp. W, Corp. S
• Domestic (Korean) mobile carrier: Corp. L, Corp. K, Corp. S
(Diagram: the remaining vendor categories are marked "Not Found")
12. Firmware provisioning
• Getting the firmware link while the firmware is updating
(Diagram: SSL Strip placed between the IoT Hub and the Update Server)
Ref) Hacking SSL with ssl strip, Black Hat 2009
13. Serial Communication
• Used for debugging embedded systems
(Photos: trying a JTAG connection; finding the UART pins; UART connection)
14. Our plan
• Released on website
• Firmware provisioning
• Serial Communication
• Etc.
15. Our plan
• Released on website
• Firmware provisioning
• Serial Communication
• Desoldering
• Side channel attack
16. Desoldering
• Removal of solder and components from a PCB using a heat gun
• Very hazardous; it requires a very skillful technique
(Photo: heat gun)
17. Desoldering : eMMC
• The structures of an SD Card and an eMMC are similar
• Can an SD Card reader read it?
Pinout name comparison:
eMMC Pinout     SD Card Pinout
DATA 0, 1, …    DATA 0, 1, …
VSS             VSS
VCC             VCC
VDD             VDD
CLK             CLK
CMD             CMD
…               …
18. Desoldering : eMMC
• Attempt to connect the eMMC to the same pins an SD card uses
(Photos: connecting the same pins; trying to read)
19. Desoldering : eMMC
• Attempt to connect the eMMC to the same pins an SD card uses
• But.. the connection failed
(Photos: connecting the same pins; trying to read)
22. Desoldering : NAND Flash
• Implement SPI communication using the GPIO pins of a Raspberry Pi
(Photos: NAND flash pinout; connecting the NAND flash to the Raspberry Pi)
Ref) Reverse Engineering Flash Memory for Fun and Benefit, Black Hat 2014
23. Desoldering : NAND Flash
• Implement SPI communication using the GPIO pins of a Raspberry Pi
24. Desoldering : NAND Flash
• We could see the string FCB, which is a block signature of NAND flash memory
(Screenshot: extracted data from the NAND flash)
* FCB: Flash Control Block
25. Desoldering : NAND Flash
• Using binwalk, we confirmed the firmware inside dump.bin
(Screenshot: binwalk results for dump.bin)
28. Side channel attack
Embedded boot process: Boot loader → Flash memory → Memory
• Boot loader: initialize peripheral devices
• Flash memory: loading stored kernel images
• Memory: kernel memory load, file system mount
U-Boot boot loader flow:
Initialization task → main_loop() → run_preboot → bootdelay → autoboot_command → OS Boot
If the OS boot fails → cli_loop → Return to Custom Shell!
29. Side channel attack
• The memory map is overwritten when autoboot_command is executed
• U-Boot Start → OS Boot
• main_loop DOES NOT HANDLE the return value
30. Side channel attack
• Cause an error through glitching → got the shell, CVE-2018-19916
Ref) http://colinoflynn.com/2016/07/getting-root-on-philips-hue-bridge-2-0/
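The control-flow weakness on slides 28 to 30 is that a failed autoboot falls through into the interactive CLI. The following is a constructed C model written for this page (not U-Boot source and not the presenters' code): the function names mirror the U-Boot labels on the slides, the glitch is simulated with a flag, and the vulnerable main_loop is shown beside a fail-closed variant that resets instead of offering a shell.

```c
#include <stdbool.h>

/* Constructed model of the U-Boot main_loop flow on the slides;
 * not U-Boot source and not the presenters' code. */
enum boot_result { BOOT_OS_RUNNING, BOOT_CLI_SHELL, BOOT_RESET };

static bool g_inject_fault;  /* simulated glitch: autoboot fails */
static bool g_os_running;    /* set once the kernel has taken over */

static void run_preboot(void) {}  /* preboot environment commands */
static void bootdelay(void) {}    /* countdown elapsed, no key pressed */

/* In real U-Boot a successful autoboot never returns; in this model
 * success is recorded in g_os_running and failure is reported as -1. */
static int autoboot_command(void)
{
    if (g_inject_fault)
        return -1;               /* kernel image / memory map corrupted */
    g_os_running = true;
    return 0;
}

static enum boot_result cli_loop(void)  { return BOOT_CLI_SHELL; }
static enum boot_result reset_cpu(void) { return BOOT_RESET; }

/* Vulnerable flow (slide 29): the result of autoboot_command is ignored,
 * so any boot failure drops into the interactive shell. */
enum boot_result main_loop_vulnerable(bool inject_fault)
{
    g_inject_fault = inject_fault;
    g_os_running = false;
    run_preboot();
    bootdelay();
    autoboot_command();                   /* return value not handled */
    if (g_os_running) return BOOT_OS_RUNNING;
    return cli_loop();                    /* reachable by a glitched boot */
}

/* Hardened flow: a failed autoboot is fatal on a production device,
 * so the boot loader resets instead of handing out a shell. */
enum boot_result main_loop_hardened(bool inject_fault)
{
    g_inject_fault = inject_fault;
    g_os_running = false;
    run_preboot();
    bootdelay();
    if (autoboot_command() != 0 || !g_os_running)
        return reset_cpu();               /* fail closed */
    return BOOT_OS_RUNNING;
}
```

A debug build that still needs the CLI should gate cli_loop behind an explicit, authenticated unlock rather than reaching it on any error.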
34. STRIDE
Columns: Spoofing | Tampering | Repudiation | Information disclosure | Denial of Service | Elevation of Privilege
Element of DFD: threat categories marked × (column positions of the marks as extracted)
External Entity: × × × × × ×
Data Store: × ×
Process: × × × × ×
Data Flow: × × ×
Total: 2 | 12 | 4 | 15 | 7 | 2
43. Scenario : Eavesdropping
• Some Hubs have a microphone for voice recognition
• We can upload a plug-in to the hub
• Can we tap the sounds via this function?
Eavesdropping in IoT Hub
44. Scenario : Eavesdropping
• To use the microphone, we decompiled and analyzed the voice recognition plug-in
(Screenshots: decompiled voice recognition plug-in; the part of the code that activates the microphone)
Eavesdropping in IoT Hub
45. Scenario : Eavesdropping
• We analyzed the data sent to the server to obtain the voice recognition result
(Screenshots: using i2s to get the microphone's raw buffer; the process of sending the data buffer to the server)
Eavesdropping in IoT Hub
46. Scenario : Eavesdropping
• Based on the previous analysis, we simply made a plug-in for eavesdropping
Create VoiceSnifffer.java
: a ServerSocket on port 3000 is created before the function
: the client's Accept function for the server socket
: create a stream that can write to the socket
: use i2s to get the microphone's raw buffer
: write the raw buffer to the stream
Eavesdropping in IoT Hub
47. Scenario : Eavesdropping
• I KNOW WHAT YOU DID LAST NIGHT
• $ nc [HUB-IP] 3000 | play -t raw -r 48k -e signed -b 16 -c 2 -
Eavesdropping in IoT Hub
50. Countermeasure
• If the hub has no bounty → only the company analyzes vulnerabilities
• If the hub has a bounty → the company and hackers analyze vulnerabilities
• The company can cooperate with hackers all over the world
• Eliminate the threats in advance!
52. Bug bounty : A hacker's view
• Just for fun, money, and honor
• Undiscovered vulnerabilities are a challenge for hackers
• They can make money by finding a bug
53. Bug bounty : A developer's view
• Improve the security of products via the bugs reported by hackers
• Learn from the collected bug reports
• Hackers around the world become your helpers
55. Conclusion
• The IoT hub is getting safer
• But there are still many vulnerabilities
• For hackers, finding vulnerabilities will be a new challenge
• For developers, they will be an opportunity
• Cooperation between hackers and developers could make the world safer
57. Mentor of Pwnhub
• Jongho Lee (@hellsonic)
• RAON SECURE
• DEFCON Winner, DEFKOR
• Kitaek Lee (@zizihacker)
• SAMSUNG R&D
• Offensive Security Researcher
• Uiseong Park (@zairo)
• RAON SECURE
• Security Researcher
• Hanbyeol Ji (@onestar)
• RAON SECURE
• Security Consultant
58. Member of Pwnhub
• Jisub Kim (@jskim)
• Dongyoung Kim (@KDY)
• Hakjin Kim (@eunice)
• Kanghyun Choi (@b4sh5i)
• Sujeong Bang
• Hongryeol Lim (@arcadia)
• Jinho Jo (@wwwlk)