IoT Hacking: Linux Embedded, Bluetooth Smart, KNX Home Automation

Presented at DeepSec 2016 „Ten“, Unknown date/time (Unknown duration).

The workshop consists of several modules: 1. Linux embedded Linux embedded is probably the most popular OS, especially in SOHO equipment, like routers, cameras, smart plugs, alarms, bulbs, home automation, and even wireless rifles. Based on several examples, you will learn about the most common flaws (auth bypass, command injection, path traversal, backdoor services...). We will open a wireless doorlock remotely, hack cameras, and take control over other devices. 2. Bluetooth Low Energy One of the most sought after IoT technologies. Learn how it works, about risks and possible attacks. Using a new BLE MITM proxy tool developed by the author, we will hack various devices: smart doorlocks, mobile Point of Sale, authentication tokens, beacons, anti-thief protection and others. 3. KNX home automation Learn how to take control over the most common home automation system: EIB/KNX. Following the introduction on the system basics, we will hack the provided demo installation, abusing common misconfiguration weaknesses - similarly a luxury hotel in China was hacked few years back. SYLLABUS: 1.)LINUX EMBEDDED Theory introduction Embedded devices - popular architectures, OS-s systems Device supply chain and why it is difficult to maintain security - BSP, ODM, OEM, SDK... Linux embedded and its flavours, not only in SOHO devices One binary to rule them all Firmware images Tools Firmware analysis - binwalk & co Scanning, sniffing - nmap, wireshark... Exploiting known vulns: metasploit, routersploit Default credentials lists, hydra, john... Web interface attacking - Burp Proxy Practical exercises Identifying serial port and connecting to device's boot Analyze firmware images Locate hidden URLs Authentication bypass - open wireless doorlock Excessive services, debug interfaces Cracking hardcoded telnet root password Abusing backdoors RCE - get remote shell in a router Attack proprietary remote access protocol Analysis of Mirai botnet and example affected devices 2.)BLUETOOTH SMART Theory introduction What is Bluetooth Smart/Low Energy/4.0, how it is different from previous Bluetooth versions? Usage scenarios, prevalence in IoT devices Protocol basics Advertisements, connections Central vs peripheral device GATT - services, characteristics, descriptors, handles Security features - pairing/encryption, whitelisting, MAC randomization Security in practice: own crypto in application layer Tools and hardware Reversing communication - mobile application analysis BlueZ command-line tools Sniffing soft- & hardware - ubertooth, adafruit, bluehydra... What can you do with just BT4 USB dongle? Analysis - hcidump, Android btsnoop log, BLE-replay BLE MITM - GATTacker, BtleJuice MAC address cloning Tips & tricks for MITM attacks Other tools, PoCs, research... Practical exercises BLE beacons spoofing - get rewards & free beer Abuse proximity autounlock of a padlock Inject arbitrary commands into car unlocking device communication protocol Spoof encrypted status of a smart doorlock and home automation devices Intercept indication of "one-time-password" hardware token and authenticate to a bank Hijack a mobile Point-of-Sale display Abuse excessive services (e.g. module's default AT-command interface) Intercept static authentication password of a padlock Abusing flaws of custom challenge-response authentication PRNG weaknesses Attacking encrypted (bonded) connections A glimpse at a source code - why the vulnerabilities appear? Troubleshooting and debugging Takeaway - hackmelock (mobile application + simulated device) to practice BLE hacking at home 3.)EIB/KNX Theory introduction Home automation standards review - wired, wireless KNX/EIB - history, protocol basics Group address, device address Typical topology KNX/IP gateways Tools ETS configuration suite KNXd (former eibd) and command-line tools knxmap nmap scripts Practical exercises Scanning for KNX-IP gateway from local network Detecting publicly exposed gateways Monitor mode - sniffing Reading/writing Brute-force addresses KNX security features Device authentication keys KNX Secure BONUS TRACK (possible to do at home): Reversing binary protocol and hijacking communication of mobile application controlling HVAC system.

Presenters:

• Slawomir Jasek - SecuRing
  Slawomir Jasek is an IT security consultant with over 10 years of experience. He participated in many assessments of systems' and applications' security for leading financial companies and public institutions, including a few dozen e-banking systems. Also he developed secure embedded systems certified for use by national agencies. Slawomir has an MSc in automation&robotics and loves to hack home automation and industrial systems. Beside current research (BLE, HCE), he focuses on consulting and the designing of secure solutions for various software and hardware projects, protection during all phases - starting from a scratch.

Links:

• https://deepsec.net/archive/2016.deepsec.net/speaker.html#WSLOT240

Similar Presentations:

• Black Hat USA 2016 / GATTacking Bluetooth Smart Devices - Introducing a New BLE Proxy Tool
• DeepSec 2017 „Science First!“ / Smart Lockpicking - Hands-on Exploiting Contemporary Locks and Access Control Systems
• BruCON 0x09 (2017) / Hacking Bluetooth Smart locks Workshop