DeepSec2016 Workshop: IoT Hacking: Linux Embedded, Bluetooth Smart, KNX Home Automation – Slawomir Jasek
“The ongoing rise of the machines leaves no doubt – we have to face them”, says Slawomir Jasek, and adds: “It is hard not to agree with one of the greatest military strategists, Sun Tzu: ‘If you know your enemies and know yourself, you will not be put at risk even in a hundred battles’. Right now it is about time to fill that gap in your skills by confronting the devices, learning their flaws, cataloging ways to defeat them, and – above all – developing means to reduce the risk and regain control.” Slawomir’s training consists of several modules:
1. Linux embedded
Linux embedded is probably the most popular OS, especially in SOHO equipment like routers, cameras, smart plugs, alarms, bulbs, home automation, and even wireless rifles. Based on several examples, you will learn about the most common flaws (auth bypass, command injection, path traversal, backdoor services…). We will open a wireless doorlock remotely, hack cameras and take control over other devices. You will also interact with representative specimens which took part in recent DDoS events.
2. Bluetooth Low Energy
One of the most sought-after IoT technologies. Learn how it works, and about its risks and possible attacks. Using, among others, a new BLE MITM proxy tool developed by the author, we will hack various devices: 5 different smart locks, a mobile Point of Sale, an authentication token, beacons, anti-theft protection and others.
3. KNX home automation
Learn how to take control over the most common home automation system: EIB/KNX. Following the introduction on the system basics, we will hack the provided demo installation, abusing common misconfiguration weaknesses – in a similar way to how a luxury hotel in China was hacked a few years back.
Do you want to know more? We asked Slawomir a few more questions about his workshop.
Please tell us the top 5 facts about your talk.
- The training consists of several unique cutting-edge topics.
- Focused on practical exercises, we will hack multiple real devices.
- All participants will receive a Raspberry Pi and 2 BT4 dongles – A beginner’s hardware lab for BLE.
- It will be possible to further practice BLE hacking at home, with a specially designed Bluetooth Smart HackmeLock, a vulnerable hardware lock, software-simulated, consisting of a mobile application.
- Regardless of whether you are a beginner or a skilled pentester, you will learn something new and have a good time.
How did you come up with it? Was there something like an initial spark that set your mind on creating this Workshop?
I was always interested in taking control over surrounding devices. I got my MSc degree in Automatics and Robotics, and for a while I designed secure Linux embedded appliances for national agencies. That is why current vendors’ irresponsibility and insecurity level of most routers, cameras, home automation etc. constantly boggles me. I understand the market demands features produced at low cost, but I believe it is possible to integrate security into the development process. The world won’t change with a snap of one’s fingers, for now we will have to deal with what we have. So I decided to share my collection of hilariously vulnerable devices – the ease of exploitation should be an eye-opener – along with a few – not always straightforward – hacks on how to patch them on your own.
The “initial spark” that led me to more comprehensive Bluetooth Smart research was a local “hacking competition”: the goal was to steal a car protected by a BLE unlocking device. I pointed out several vulnerabilities in the mechanism, which allow you to take full control over it. For that I designed novel attack scenarios and tools, which I presented this year at BlackHat USA (more details: www.gattack.io).
And KNX home automation – I created my own super-smart home installation. Well, in the beginning it was far from perfect, especially for my non-smartphone wife, who could not switch the light on without my help. But I got to know the system inside out (including its Achilles’ heel), and recently also organized an online KNX hacking challenge.
Why do you think this is an important topic?
I think a quick scroll through the recent headlines will do as a sufficient answer. Of course the media often overestimate the real risk, but you just can’t ignore the fact anymore that the devices are increasingly surrounding us and are often used as a weapon against us.
Is there something you want everybody to know – some good advice for our readers maybe?
Did I mention the free Raspberry and other goodies already?
A prediction about the future – What do you think will be the next innovations or future downfalls when it comes to particularly your field of expertise / the topic of your workshop?
They rapidly grow in numbers, processing power and network bandwidth. Machines control more and more of our life. No doubt, they will strike again. Next time you better be ready.
Embedded devices – popular architectures, operating systems
Device supply chain and why it is difficult to maintain security – BSP, ODM, OEM, SDK…
Linux embedded and its flavours, not only in SOHO devices
One binary to rule them all
Firmware analysis – binwalk & co
Scanning, sniffing – nmap, wireshark…
Exploiting known vulns: metasploit, routersploit
Default credentials lists, hydra, john…
Web interface attacking – Burp Proxy
Identifying serial port and connecting to device’s boot
Analyze firmware images
Locate hidden URLs
Authentication bypass – open wireless doorlock
Excessive services, debug interfaces
Cracking hardcoded telnet root password
RCE – get remote shell in a router
Attack proprietary remote access protocol
Analysis of Mirai botnet and example affected devices
What is Bluetooth Smart/Low Energy/4.0, and how is it different from previous Bluetooth versions?
Usage scenarios, prevalence in IoT devices
Central vs peripheral device
GATT – services, characteristics, descriptors, handles
Security features – pairing/encryption, whitelisting, MAC randomization
Security in practice: own crypto in application layer
Tools and hardware
Reversing communication – mobile application analysis
BlueZ command-line tools
Sniffing soft- & hardware – ubertooth, adafruit, bluehydra…
What can you do with just BT4 USB dongle?
Analysis – hcidump, Android btsnoop log, BLE-replay
BLE MITM – GATTacker, BtleJuice
MAC address cloning
Tips & tricks for MITM attacks
Other tools, PoCs, research…
BLE beacons spoofing – get rewards & free beer
Abuse proximity autounlock of a padlock
Inject arbitrary commands into car unlocking device communication protocol
Spoof encrypted status of a smart doorlock and home automation devices
Intercept indication of “one-time-password” hardware token and authenticate to a bank
Hijack a mobile Point-of-Sale display
Abuse excessive services (e.g. module’s default AT-command interface)
Intercept static authentication password of a padlock
Abusing flaws of custom challenge-response authentication
Attacking encrypted (bonded) connections
A glimpse at source code – why do the vulnerabilities appear?
Troubleshooting and debugging
Takeaway – hackmelock (mobile application + simulated device) to practice BLE hacking at home
Home automation standards review – wired, wireless
KNX/EIB – history, protocol basics
Group address, device address
ETS configuration suite
KNXd (formerly eibd) and command-line tools
Scanning for KNX-IP gateway from local network
Detecting publicly exposed gateways
Monitor mode – sniffing
KNX security features
Device authentication keys
BONUS TRACK (possible to do at home):
Reversing binary protocol and hijacking communication of mobile application controlling HVAC system.
- Laptop which can run Kali Linux (as virtual machine or natively – e.g. from USB)
- Smartphone with Android > 4.3 will be helpful
- You can bring your own Linux embedded or Bluetooth Smart device
- Basic pentesting and scripting skills – Kali Linux, Burp proxy, nmap, mobile app analysis/decompilation, bash, python, node.js etc. – will be helpful, but are not essential.
Slawomir Jasek is an IT security consultant with over 10 years of experience. He has participated in many security assessments of systems and applications for leading financial companies and public institutions, including a few dozen e-banking systems. He has also developed secure embedded systems certified for national agencies. Slawomir has an MSc in automation & robotics and loves to hack home automation and industrial systems. Besides his current research (BLE, HCE), he focuses on consulting and on designing secure solutions for various software and hardware projects, with protection during all phases, starting from scratch.