Home Invasion 2.0 - DEF CON 21 - 2013

3. © 2012
The Presenters
Daniel “unicornFurnace” Crowley
• Managing Consultant, Trustwave SpiderLabs
Jennifer “savagejen” Savage
• Software Engineer, Tabbedout
David “videoman” Bryan
• Security Consultant, Trustwave SpiderLabs
5.
The “Smart” Home
• Science fiction becomes science fact
• Race to release novel products means poor security
• Attempt to hack a sampling of “smart” devices
• Many products we didn’t cover
  o Android powered oven
  o Smart TVs (another talk is covering one!)
  o IP security cameras
6.
WHAT’S OUT THERE NOW?
• Locks, thermostats, fridges, toilets, lights, toys
• Entire smart cities like Songdo
WHAT’S IN THE FUTURE?
8.
Karotz Smart Rabbit
• Exposure of wifi network credentials unencrypted
• Unencrypted remote API calls
• Unencrypted setup package download
• Python module hijack in autorunwifi script
11.
Karotz Smart Rabbit: Python Module Hijacking
• Python Module Hijacking is insecure library loading
  o Similar to LD_PRELOAD and DLL hijacking
• Python loads modules from the dir of the script first
• Karotz autorunwifi script uses simplejson module
  o Put code to execute in simplejson.py in the same directory as autorunwifi
• Defeats code signing
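The slide above describes why a file placed beside a script can hijack an import: the interpreter prepends the script's own directory to sys.path, so a same-named file there wins over the installed module. The following audit script is an added example written for this page; it is not code from the talk, from Karotz, or from its autorunwifi script. It statically lists a script's top-level imports and reports which of them would resolve inside the script's directory, distinguishing files that hide a module that also exists elsewhere on sys.path ("shadows") from purely local modules. The file names autorunwifi, json.py and simplejson.py in the demo are a constructed scenario, and the rogue files contain no payload.

```python
"""
Import-shadowing audit for a Python script (added example, not Karotz code).

Python puts the directory of the script being run at the front of sys.path, so a
file named like an imported module (e.g. simplejson.py next to autorunwifi) is
loaded in place of the installed copy. This module statically collects a
script's top-level imports and reports which of them would resolve to a file
in the script's own directory.
"""
import ast
import os
import sys
import tempfile
from importlib.machinery import PathFinder


def imported_names(script_path):
    """Top-level module names the script imports (static AST scan, nothing is executed)."""
    with open(script_path, "rb") as fh:
        tree = ast.parse(fh.read(), filename=script_path)
    names = set()
    for node in ast.walk(tree):
        if isinstance(node, ast.Import):
            names.update(alias.name.split(".")[0] for alias in node.names)
        elif isinstance(node, ast.ImportFrom) and node.module and node.level == 0:
            names.add(node.module.split(".")[0])
    return names


def local_candidate(script_dir, name):
    """Path of a module file or package in script_dir that the import system would pick first."""
    for candidate in (os.path.join(script_dir, name + ".py"),
                      os.path.join(script_dir, name, "__init__.py")):
        if os.path.isfile(candidate):
            return candidate
    return None


def find_shadowing(script_path):
    """
    Return {module_name: {"local": path, "installed": path_or_None, "kind": ...}}
    for every import that resolves inside the script's directory.
    kind is "shadows" when the same name is also found on the rest of sys.path
    (the local file hides a real module), otherwise "local".
    """
    script_dir = os.path.dirname(os.path.abspath(script_path))
    # The rest of sys.path: drop the script directory and '' (current working directory).
    other_paths = [p for p in sys.path if p and os.path.abspath(p) != script_dir]
    report = {}
    for name in sorted(imported_names(script_path)):
        local = local_candidate(script_dir, name)
        if local is None:
            continue
        spec = PathFinder.find_spec(name, other_paths)
        installed = None
        if spec is not None:
            installed = spec.origin or "<namespace package>"
        report[name] = {
            "local": local,
            "installed": installed,
            "kind": "shadows" if installed else "local",
        }
    return report


def demo():
    """Constructed scenario: a script importing json and simplejson with rogue copies beside it."""
    workdir = tempfile.mkdtemp(prefix="shadow_audit_")
    # Hypothetical stand-in for the Karotz script; the real one is not reproduced here.
    script = os.path.join(workdir, "autorunwifi")
    with open(script, "w") as fh:
        fh.write("import json\nimport simplejson\nprint(json.dumps({'ok': True}))\n")
    # Rogue modules dropped next to the script (constructed, no payload).
    for rogue in ("json.py", "simplejson.py"):
        with open(os.path.join(workdir, rogue), "w") as fh:
            fh.write("# placeholder: a file here runs with the script's privileges\n")
    return find_shadowing(script)


if __name__ == "__main__":
    for name, info in demo().items():
        hidden = f" (hides {info['installed']})" if info["installed"] else ""
        print(f"{name}: {info['kind']} -> {info['local']}{hidden}")
```

In the demo, json is reported as "shadows" because the standard library copy exists elsewhere on sys.path, while simplejson is reported as "shadows" only if that package is installed and as "local" otherwise, which is exactly the case a reviewer should look at: a local file with the name of a dependency. As mitigations, run scripts with `python -I` (isolated mode, which omits the script directory from sys.path) and keep the script directory unwritable to the user the script runs as; the audit above is a cheap check to add to a firmware build or code-signing pipeline.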
12.
Karotz Smart Rabbit
An attacker could:
• MITM insecure connection to Karotz server
• Replace user's download with malicious version
• Use vuln to make Karotz run their own code!
• ...Bunny bot net?
14.
Belkin WeMo Switch
• Vulnerable libupnp version
  o Remote pre-auth root
• Unauthenticated UPnP actions
  o SetBinaryState
  o SetFriendlyName
• EULA used to “secure” the device.
• Belkin has been awesome!
26.
INSTEON Hub
• Lack of authentication on web console
  o Web console exposed to the Internet
    § Time zone – city
    § Name street
  o Control all the things.
• Fixed the authentication with model 2422-222 “R”
27.
INSTEON Hub
• Still lack of SSL/TLS
• Uses HTTP Auth
  o Base64 encoded credentials
  o Username: admin
  o Password: ABCDEF ← INSTEON ID and last 3 of the MAC
  o #SecurityFail
  o It only takes 16 Million attempts
29.
MiCasaVerde VeraLite
• Lack of authentication on web console by default
• Insufficient Authorization Checks
  o Firmware Update
  o Settings backup
  o Test Lua code
• Path Traversal
• Cross-Site Request Forgery
• Lack of authentication on UPnP daemon
• Vulnerable libupnp Version
• Server Side Request Forgery
• Unconfirmed Authentication Bypass
30.
MiCasaVerde VeraLite
• Three methods of auth bypass
• Seven methods to get root
• Two attacks remotely exploitable through SE
• Potential for ownage of ALL the VeraLites!
33.
Questions?
Daniel “unicornFurnace” Crowley
dcrowley@trustwave.com
@dan_crowley
Jennifer “savagejen” Savage
savagejen@gmail.com (PGP key ID 6326A948)
@savagejen
David “videoman” Bryan
dbryan@trustwave.com
@_videoman_