DeepSec 2023 Talk: I Just Wanted to Learn the Water Temperature… – Imre Rad
The story started as a hobby project: I was about to retrieve the current temperature of a non-smart water heater in my apartment. To not void the warranty, I was looking for a non-intrusive solution that purely relies on off-the-shelf smart home gadgets only.
Understanding the undocumented APIs of these IoT devices required reverse engineering the corresponding official mobile applications and eavesdropping on the network communication between them and the cloud management services. Researching this uncovered design flaws in the pairing protocol and vulnerabilities in the implementation that allowed attackers to steal victim sessions and to impersonate these devices for a life-time.
We asked Imre a few more questions about his talk.
Please tell us the top 5 facts about your talk.
- Recognizing digits on a still picture is far from easy (regardless the hype around AI these days)
- Executing an MitM attack targeting two WiFi devices of the same WLAN takes more than just an iptables rule
- Relying on the same password is not a good idea
- Remote attacker persistence – device takeover without network presence or any changes on the flash memory
- The vendor committed to fixing these flaws before this presentation takes place – a multiple quarter project
How did you come up with it? Was there something like an initial spark that set your mind on creating this talk?
This research is a side-product of my attempt to turn our dumb water heater into a smart one: I decided to build a solution to retrieve the current temperature without making anything intrusive. To accomplish this, I used an IP camera and smart socket with an energy monitoring feature. While working on the integration (reverse engineering the corresponding protocols), I identified a couple of design issues with security implications…
Why do you think this is an important topic?
Onboarding cloud controlled devices is an important topic with a history of security issues across different vendors. The severity of security flaws in this space is usually high and remediation is super expensive because of the volume of devices involved. As such, this topic deserves even more attention by both security researchers and vendors as well.
Is there something you want everybody to know – some good advice for our readers maybe?
Are you interested in smart home related topics or IoT security? Then this talk is for you.
A prediction for the future – what do you think will be the next innovations or future downfalls when it comes to your field of expertise / the topic of your talk in particular?
In the context of IoT security, many researchers focus on gaining code execution on the target gadget. I hope this talk will encourage fellow researchers to not stop there but try to look into the device onboarding protocols as well.
Imre Rad is a highly skilled IT security professional with a sound track record of identifying and reporting vulnerabilities in various open source and commercial applications. He was recognized as being in the top 20 of Google’s Bug Bounty program (Google VRP). Imre was active in the Android space as well, and has identified security gaps both in AOSP itself and in products of Android vendors including Huawei, LG and Lenovo. He discovered and reported various privilege escalation flaws in Microsoft Windows, but also reported security issues to Oracle, Red Hat and a number of other open source vendors. Currently, Imre works at Google in a hardening team helping to ensure the security controls at Google’s Cloud Platform are a step ahead of attackers and still provide a smooth experience for the customers.