IOT SECURITY: CONSUMER DEVICES AND THE EXTENDED CORPORATE NETWORK

Transcription

1 IOT SECURITY: CONSUMER DEVICES AND THE EXTENDED CORPORATE NETWORK

2 Get CPE Credits for this Webcast Attendees of this Webcast are eligible for 1 CPE credit Self-report on your organization s website Keep the invitation as confirmation for possible future audits More info:

3 Speakers Tod Beardsley Research Manager Rapid7 Mark Stanislav Senior Security Consultant Rapid7 Michael McNeil Global Product Security & Services Officer Philips Healthcare

4 Hacking IoT Baby Monitors Mark Stanislav, Sr. Security Consultant

5 What Does an Internet-Connected Monitor Offer? Connected Features (via a Web Site and/or a Mobile Application) Viewing a live stream locally (the home s Wi-Fi) or remotely (Internet) Controlling the camera s position via pan, tilt, and zoom functionality Communicating audio through the monitor (i.e. two-way audio) Playing music or other recorded audio clips (i.e. bring your own lullabies) Manage device preferences such as the audio volume and night vision Share access and provide privileges to other people (e.g. family, friends) Access recordings for humidity, temperature, noise, and/or motion alerts Remote (e.g. SaaS, FTP) and local (e.g. Micro SD) DVR recordings

6 A Mess of Dependencies and Attack Surface Many IoT baby monitors leverage third-party services, firmware, and software Some vendors put a lot of trust in their supply chain without testing security Implementation errors or failure to comply with best practices also occurs Complex ecosystems means that there are plenty of ways to screw up: Mobile applications, cloud services, backend services, web applications, firmware, hardware, network protocols, wireless protocols, & cryptography It s difficult for a single IoT vendor to be proficient in security across all of it The frameworks, protocols, and design patterns of IoT are still very much in flux

7 SO, HOW DO WE HACK THESE THINGS?

8 Via Dumping Firmware Pomona SOIC Clip + Bus Pirate flashrom to Dump Flash binwalk to Extract Filesystems

9 Via Brute Force of Various Means Hash Cracking with cudahashcat Scouring Google for Useful Details

10 Via Serial Console (UART) JTagulator (or Bus Pirate, Shikra, etc.) U-Boot Configuration UART Scan & Connect

11 Via JTAG (e.g. Dumping Memory via GDB) Not a baby monitor but you get the idea!

12 Find API End-Points with Clutch + strings for ios Via Mobile Applications Acquire Firmware with dex2jar + JD-GUI for Android View API Calls with mitmproxy (esp. SSL/TLS)

13 Via Network Analysis Uncover Network Services with nmap View Protocol Details with wireshark

14 Via Web Applications Hidden Administrative Web Interface XSS on Camera Cloud Web Service

15 THE BABY MONITORS

16 A Variety of Vendors, Styles, Costs, & Features Vendor Model Price Amazon Rank* / Stars Two-Way Audio Pan Tilt Zoom Wi-Fi Ethernet Gynoii GCW-1010 $89.34 #56 / 3.8 ibaby M3S $ #243 / 3.4 ibaby M6 $ #31 / 3.7 Lens LL-BC01W $54.99 #149 / 2.8 Philips B120/37 $77.54 #N/A / 2.2 Summer $ #64 / 3.1 TRENDnet TV-IP743SIC $69.99 #N/A / 3.5 WiFiBaby WFB2015 $ #156 / 3.2 Withings WBP01 $ #101 / 2.9 * Amazon Ranking Based on Category Baby > Safety > Monitors, Which Includes Non-IoT Baby Monitors

17 THE FINDINGS

18 Withings WBP01 - $204.60

19 Disabled Doesn t Quite Mean What it Used To 20 Minutes Later The Stream Still Works! After a stream exists, disabling it via the app doesn t actually stop it

20 When Obfuscation Goes Wrong, or, Not at All? At first, this looks like a really poor attempt at an obfuscation method to hide the password for this web service account. On further review, however, the mchunk method simply returns at the start of the for loop, yielding the output from the input to be a concatenation of ff and the integer passed as a parameter. Was this obfuscation intended to be enabled? Did someone give up on their dream of confusing reverse engineers? The world may never know

21 WiFi Baby WFB $259.99

22 Nothing Makes Sense to Me Any More Unauthenticated Log With Stream Details Hardcoded SSL Cert That s Not Even Used

23 UPnP Bugs: Alive and Well in Baby Monitoring UPnP RCE Bugs, CVE & CVE

24 Lens Peek-A-View (LL-BC01W) - $54.99

25 If You Needed Some Free Cloud Storage [redacted] An FTP Account Per Camera, Apparently Used for Configuration Backups

26 Backdoor Credentials Galore Hidden Web Interface Credentials Cracking the Linux admin Password This account has functional root privilege due to ugly permissions The Live Stream Passes Credentials in URL over HTTP

27 Gynoii GCW $89.34

28 Unencrypted Web Services - Local and Cloud Local Administrative API Calls Hidden Device Web Interface Vendor Cloud API Calls Third-Party Streaming Service None of these services or APIs use any encryption and often pass sensitive credentials and keys

29 TRENDnet TV-IP743SIC - $69.99

30 2-for-1 Unencrypted Web Service + XSS [redacted] Either MITM a User or Just BYOJS to their DOM:)

31 A Remote Shell Waiting to Happen Username: root Password: admin Telnet Available, Just Not Default Pro Tip: Remove Remote Access Services, Don t Just Disable Them!

32 ibaby M3S - $169.95

33 Uncovering Backdoor Linux Accounts & Access An nmap Scan Reveals Telnet :) Username: admin Password: admin Password is Protected by UNIX Crypt * FYI, there is no root on here, only admin

34 ibaby M3S - A Historical Look at Software? U-Boot: 1.1.3, released August 14th, 2005 OpenSSL: 0.9.8e, released February 23rd, 2007 Linux Kernel: , released April 26th, 2007 BusyBox: , released September 28th, 2008 UNIX Crypt: First appeared in 1979, limited to 8-character passwords Telnet: Developed in 1968 SSH-1 came out in 1995

35 Encryption! Just Not Great Choices For it :) Encrypted Backups with a Hardcoded Password? Stream Encryption with XXTEA?

36 ibaby M6 - $199.95

37 Cryptography? Naw, They Are Just Babies Unencrypted Web Service Login Unencrypted Mobile API Calls Telnet & Unencrypted HTTP on Device

38 This is the ibaby Cloud Web Site Today Login for Camera Owners and What is Now Returned on Login

39 But a Few Months Ago, Direct Object Reference! < Proper Account Attacker Account > No Authorization/Privilege Given to Our Attacker Account

40 Full Access to All Audio & Motion Alert Videos Attacker Account > [redacted] [redacted] [redacted] [redacted] Don t let the broken images fool you there s live data ready to be viewed! View Source -> Find AVI Filename -> Access Static CloudFront URL

41 Unauthenticated Access to Unencrypted Videos Mobile API Call for Alert Video Retrieval Example AVI Thumbnail File [redacted] [redacted] [redacted] Video Downloads via Amazon CloudFront URLs are not requested via HTTPS [redacted] No IAM credentials or signed URLs

42 and Some Weirdly Exposed Web Applications? Apparently There s a Private Wiki. What For? No Clue. But an Admin Site? Now That s an Interesting Find!

43 Philips In.Sight B120/37

44 Everything Old is New Again My IZON Research My InSight Research The question is Did security issues fixed by one camera manufacturer ever trickle into devices also leveraging the same firmware?

45 A Quick Look at Old Security Issues Still There No SSL on Backend Web Service Insecure Firmware Upgrade Process Multiple Hardcoded Linux Accounts Telnet Enabled by Default (Until Recently) Shout out to Paul Price for his research into the In.Sight M100 which shares a few issues from my old Stem Innovation IZON research and subsequent research into the In.Sight B120. Check out his site detailing this and other research at ifc0nfig.com!

46 A Few Newer Issues. But Wait, There s More! :) Backdoor Telnet Enablement Script Username: root Password: b120root Predictable admin Web Service Password Multiple XSS on Web Service Portal

47 Unauthenticated Administrative Camera Access Camera HTTP Reverse Proxy User Web Service HTTP/80 Home Network Internet Clear Text Clear Text Clear Text When a remote end user requests their camera s stream, an HTTP reverse proxy is opened on a public host & port number, directly to the camera s backend web service, allowing for a remote attacker to achieve the following: Unauthenticated and unencrypted video/audio stream access to the user s camera Full administrative access to the camera s powerful backend web service This includes manipulating camera configuration or even re-enabling Telnet

48 Finding Exposed Cameras on the Internet The reverse proxy is setup by the stream provider, Yoics, and has a finite number of enumerable hostnames, each with about ~30,000 possible ports that may be utilized. While this may seem like a lot, an attacker could test this entire range every minute to look for exposed cameras with a simple script or perhaps something powerful like zmap. Unencrypted, Unauthenticated Remote Camera Access Take David Adrian s Word For It :) Now Friends Can Remotely Enable Telnet For You! :)

49 Summer Infant Baby Zoom (28630) - $199.99

50 Oh, Be Sure to Change Your Password Default New User Passwords == Last name (truncated to 8 characters) + Group ID This is not required to be changed on first login and could be enumerated if someone knows that you have this device simply iterate over group ID integers!

51 Adding a Privileged User to Any & All Cameras Before After! This HTTP call could be ran against all possible IDs

52 Coordinated Disclosure Timeline Initial Vendor Disclosure July 4th, 2015 Because America! CERT Disclosure July 21st, Days After Vendor Disclosure Public Disclosure September 2nd, Days After Vendor Disclosure

53 A Modest Baby Monitor Security Checklist Vendor Model Local API HTTP SSL Cloud API HTTP SSL No Remote Shell No Hidden Accounts No Known Vulns No UART Access All Streams Encrypted Gynoii GCW-1010 ibaby M3S N/A ibaby M6 Lens LL-BC01W Philips B120/37 Summer TRENDnet TV-IP743SIC WiFiBaby WFB2015 N/A Withings WBP01 N/A

54 Scoring Baby Monitors for Overall Security Security Concern Description of Concern Penalty for Missing Local API HTTP SSL All local web service/api calls should be encrypted, regardless of being on a LAN. -20 Points Cloud API HTTP SSL All Internet-facing web service/api calls should be encrypted, including registration. -30 Points No Remote Shell The presence of a remote shell (e.g. Telnet, SSH) create additional attack surface. -50 Points No Hidden Accounts All accounts, whether web services or shell access should be known to customers. -30 Points No Known Vulns All portions of the camera s supply chain should be free of serious vulnerabilities. -75 Points No UART Access Devices should disable direct serial access and definitely not drop to a root shell. -10 Points All Streams Encrypted All video/audio streams, whether live or recorded, should be encrypted end-to-end. -35 Points All Cameras Start With 250 Points and Receive Deductions

55 Baby Monitor by Security Score & Grade Vendor Model Price Amazon Rank / Stars Score Grade* Gynoii GCW-1010 $89.34 #56 / F ibaby M3S $ #243 / D ibaby M6 $ #31 / F Lens LL-BC01W $54.99 #149 / F Philips B120/37 $77.54 #N/A / F Summer $ #64 / F TRENDnet TV-IP743SIC $69.99 #N/A / F WiFiBaby WFB2015 $ #156 / F Withings WBP01 $ #101 / F Baby is Unsatisfied * Grading Scale Based on Points: F: < 150 (<60%) ; D: (60-69%) ; C: (70-79%) ; B: (80-89%) ; A: (90-100%)

56 But Really? 1. The ibaby M6, Summer, and Philips all had what I would consider critical security issues that make them a deal breaker, despite their overall scoring. 2. Only the ibaby M3S had apparent encryption for all streaming of content and even then, it s not exactly industry standard and has its own potential issues. 3. More vulnerabilities likely exist such as RCE, XSS, and CSRF in backend web applications in addition to already noted backdoor credentials/interfaces. 4. Frankly? Nine devices were way too much and while I am satisfied in the issues that were found, there s a lot I probably missed others may find!

57 Conclusions 1. The status quo of security for connected baby monitors is deeply concerning. 2. Even the best cameras tested were well below what I d consider secure. 3. Consumers are woefully unaware that camera security features such as endto-end encryption of audio/video and well defined, secured access don t exist. 4. It s highly unlikely, based on the issues found, that any of these vendors have third-party security audits and/or a security-focused development program. Parents and their children deserve better. Whether you paid $54.99 or $259.99, a minimum level of security should be expected, and achieved, for all baby monitors.

58 Not All Hope is Lost, However :) BuildItSecure.ly: Initiative targeted at sharing technical resources with IoT engineering teams and pairing IoT vendors with pro-bono security researchers. OWASP IoT Top 10: Provides vendors a list of the top 10 areas of IoT security that should be focused on during development to ensure a secure ecosystem. Cloud Security Alliance: Released a guidance document targeted at IoT engineering teams to ensure more security during design/development. Google Projects: Brillo is a hardened, stripped-down version of Android for IoT, while secure Weave is a secure solution for inter-device communication.

59 Thanks! Questions? Mark