IoT Security Research

Author: startimeash

Starting off – how to begin IoT hacking

I thought I’d give some brief references for anyone interested in IoT hacking. My experience here is fairly comprehensive; I have a couple of CVEs already, with a few more in the pipeline. My Masters dissertation was on the topic, and I am writing papers on it as part of my PhD work.

BOOKS:

There are three that should be on any bookshelf. They are:

“The IoT Hacker’s Handbook” by Aditya Gupta

“Practical IoT Hacking” by Fotios Chantzis and Ioannis Stais

“Practical Hardware Pentesting” by Jean-Georges Valle

These three books are a fantastic introduction to both on-board (e.g. JTAG, UART, I2C) and remote (Bluetooth, RFID, Zigbee). I would recommend you read through all three at least once.

HARDWARE:

In terms of hardware, this will depend on what you wish to investigate; the tools required for firmware dumping are wildly different from those needed for Bluetooth attacks. These are the ones I’ve found most useful (prices are approximate in GBP at the time of writing).

RFID: Proxmark3 Easy. This is honestly the best piece of entry level pentesting kit you can buy. It allows you to read and write all manner of RFID tags. There is a big brother version, the RDV4, but you don’t need that when starting out. The Easy should be around £60-70. Pick up some rewritable cards as well for a few pounds and have fun!

Bluetooth: A lot of people swear by the Ubertooth One (about £100 from eBay). Personally I found it really flaky. Instead I would look at a Nordic Semiconductor nRF52840 dongle at around £15. Add to that an Adafruit BlueFruit (based on the nRF51822 chipset) for £25 and that should be enough. If you want to try MitM attacks, then a couple of Raspberry Pi’s and a pair of cheap Bluetooth dongles should be plenty (probably £100 all in)

RF (433/868MHz): A lot of devices still use these reserved bands for communication, and you can capture transmissions using a cheap DVB-T dongle (£15-20). By default these will scan up to about 1.2GHz. For capturing transmissions at higher frequencies then you’ll either need a Yardstick One (about £100) or a HackRF (about £250). The last two have whole ecosystems around them; personally I think they’re more suited to advanced topics.

I have not included anything around Z-Wave and Zigbee as they are not popular protocols in the devices I test (smart locks, mainly). You can find tools to interface with them for a few tens of pounds. I’ve also not included any on-board debugging tools, as that’s not my area of expertise. I would suggest taking a look at the Attify Badge for around £40.

SOFTWARE:

These are the tools I uses in my dissertation:

BLUETOOTH:

BTLEjack – https://github.com/virtualabs/btlejack

Sweyntooth scripts – https://github.com/Matheus-Garbelini/sweyntooth_bluetooth_low_energy_attacks

BTLEjuice – https://github.com/DigitalSecurity/btlejuice

HomePWN – https://github.com/Telefonica/HomePWN

Gattacker – https://github.com/securing/gattacker

RF:

URH – https://github.com/jopohl/urh

SDR# – https://airspy.com/download/

RFID:

HomePWN – https://github.com/Telefonica/HomePWN

Proxmark3 (Iceman Fork) – https://github.com/RfidResearchGroup/proxmark3

The above should give you plenty to work with. Find some willing test subjects (that you own!); I have found that anything cheap from AliExpress with one or more of these protocols enabled should give you plenty of enjoyment. Same goes for things from eBay and Amazon. I have broken into £10 devices and £310 devices, so take your pick! It’s fun, you get your hands dirty, and IoT hacking is a skill that will be in ever greater demand in the next decade.

Am I an academic now?

So, for the past two years I have been studying for a Masters in Cybersecurity part time, and thankfully managed to pass with a Distinction. Yay! It’s an itch that I’ve been wanting to scratch for a good long while, and I’m glad to have done it.

This leads me on to my next announcement. I’m going to be studying for a PhD in IoT Security part time, alongside my current work commitments. A couple of people have asked me why I’m doing it, so I thought I’d lay out my reasons here:

  1. It sounds like fun! Seriously; I’m a bit of a nerd with this stuff, and the ability to really dig down into the weeds of a topic is really appealing!
  2. I want to discover something new! The thesis has to show originality, and again that appeals. I’m not expecting to discover gravitational waves, or evolution, but having a little bit of the tree of knowledge that I found first is a really cool thought.
  3. I think I’ll be good at it! Having had a 20 year break between undergraduate and Masters study, I wasn’t sure what to expect, but thankfully I managed to pick things up pretty quickly. Speaking to my now supervisor and putting together a proposal, it seems that I have the ability to do this, and that others agree.
  4. I want to be Doctor Allen! Maybe it’s an ego thing, but I like the idea of knowing I can use that title. I’m not going to, but it’s a cool thing, and it’s a validation. So yeah, Dr. Ash!

I’m not doing this for career progression; there are much shorter and cheaper ways of getting qualifications that employers want. I also don’t want to transfer to academia full time – I’ve seen enough to know that I’m happy in my current little niche! So, that’s the announcement. Let’s see what the next six (!) years bring…

Fortessa FTBTLD Smart Lock allows unauthorized users to change the device name. Hilarity ensues…

The Fortessa FTBTLD smart lock is a fairly bog-standard type of generic smart lock, sold in the UK by CEF for around £100, and available on auction sites for maybe 3/4 of that price.

Fortessa FTBTLD smart lock showing the default device name

As can be seen on the sticker on the left hand portion of the lock above, it is configured with a default device name. The lock offers a variety of features, such as auto-locking, key sharing, and so on, and in the main they work pretty well. It’s never going to win any beauty awards, and the app interface is pretty basic, but in the main it does what it sets out to do. Unfortunately, however, there is an issue with the lock allowing unauthorized updates to config parameters that mean it should not be used anywhere outside of the lab.

The tool of choice for this investigation is HomePwn, an IoT testing suite developed by a group of Spanish researchers. It provides a similar interface to Metasploit, and is able to work with a number of different protocols such as BLE and RFID which means less switching between tools.

HomePwn splash screen

Loading up the Bluetooth Low Energy discovery tool, we can see that amongst a bunch of other devices, our Fortessa lock is detected (2nd from the bottom):

Locally detected BLE devices

We can then look to run the read-characteristics tool, with the various options laid out like so:

ble/read-characteristics options

We can then use the discovered MAC address of the lock, and the local BLE adapter, like so:

ble/read-characteristics configuration

Running the command then returns the following (abbreviated):

Fortessa lock name

Note that at this time we have not had to authenticate, and that is correct; the companion app needs to be able to read these fields. However, this particular service is set to READ WRITE. In general, again, this is not necessarily an issue; it may be perfectly reasonable for an unauthenticated user to write to a particular BLE service. In this case, though, the lock name is likely something that we would not want just anyone updating. Unfortunately, that is how the devices is configured. Using the ble/write-characteristics plugin, we can update the lock name without authentication, like so:

Updating the lock name

Checking again with the ble/read-characteristics plugin, we can see that the device name has been updated:

Updated lock name

It should be noted that you don’t need to use HomePwn to do this; something like the nRF Connect app will let you do this from your phone.

So, what’s the big deal? Your neighbor may be able to give your door lock an obscene name, but this can’t do any damage, right? Right?

Well…

Once the lock name is updated, the app refuses to connect, as seen below:

Fortessa app fails to connect

In fact, it will refuse to connect until the power to the lock is cycled by removing the batteries. If you are locked outside of your house, because the battery compartment is on the inside, you can see the issue! I have reached out to the distributor and manufacturer with this finding, but have had nothing back. Whether this can be patched in a firmware update, I can’t say. It seems like something that would be pretty easy to fix, but who knows. For the moment, though, if you have a Fortessa lock, remember to take your keys with you as well…

Smart Lock or Spyware? The eGeeTouch TSA Travel Lock is a bit of both

In a previous post I discussed the Bluetooth pairing issue that means anyone with a sniffer and access to your lock can open it. However, this is not the most concerning aspect of the device. I’m a big fan of static analysis tools, and use a few when investigating IoT devices; they generally provide useful starting points for further investigation, and so it proved here. In this instance, MobSF produced a report that pointed at a couple of insecure Firebase databases (I’ve redacted some of the information below to casual readers from investigating further; of course, it is perfectly possible to recreate exactly what I have done. I have tried reaching out to the manufacturer on a number of occasions regarding this and the Bluetooth issue but have had no response).

eGeeTouch Firebase Databases

Digging down into the data returned from the URL, I had the (mis)fortune of finding my own details, captured as I tested the lock (redacted, although of course the above applies).

The author’s information

The information captured includes the GPS coordinates and approximate address of where the lock was accessed, the time of access, the email address of the user, and whether the device was locked or unlocked. Nowhere in the EULA is it stated that this information will be collected. Aside from why this information is stored at all (I’m assuming some sort of audit trail), it is clear that this represents a severe privacy intrusion. Not only is the device collecting personally identifiable information (PII) about the user, but it is storing it in a location that can be accessed without requiring any authentication. PII, of course, is subject to GDPR regulation in the UK and other, similar restrictions elsewhere in the world. This would seem to be, then, a significant concern for anyone tempted to buy the lock.

The eGeeTouch TSA Smart Lock is Anything But

IoT security devices, such as smart padlocks, need to perform at least as well as their non-smart counterparts if consumer trust is to be gained. Unfortunately, many such devices are fundamentally flawed, with poor design meaning they are simple to subvert. Once such device is the eGeeTouch 3rd Generation Travel Padlock.

The eGeeTouch 3rd Generation Travel Padlock

Available in the UK for £19.90 from Amazon, the lock boasts a number of features, including Bluetooth operation via the companion smartphone app, RFID tag support, and a TSA manual override. So far, so good. However, digging deeper, it is clear that the device should be used with extreme caution. Access to the device is handled via a password set in the app:

eGeeTouch app – password management screen

This password is required when initially pairing the lock with the app; without that the two can’t talk to each other. Setting the password to 080379, we can then look to see how the lock communicates with the app, and vice versa. To do so, we can use btlejack, a Python tool that leverages the Bluetooth LE chipset in the BBC micro:bit development board to hijack the connection and dump the output to a Wireshark format dump file (download it here). Looking at output from a successfully captured session, we can see the following in packet 78:

Authentication capture

The capture indicates a write to the 0xfff8 attribute of the letter a plus our secret code, 080379. The lock then replies with a range of other information, for example the Model Number in packet 89 :

eGeeTouch model number

and the firmware revision in packet 92:

eGeeTouch Firmware

Triggering an unlock event via the app sends the following (packet 95):

Unlock event

whilst a lock event sends the following (packet 101):

Lock event

It seems clear therefore that the operation of the lock, at least via the companion app, is controlled by these three commands; an initial authentication, followed by the relevant lock or unlock code. All three use the “secret” code that was set in the app. How much access can we get knowing that?

The app is currently logged in using the following account:

User account

Let’s then log out and try signing up with a brand new account:

Attacker account

Logging in, we can see that no devices are currently registered:

No devices registered

Clicking the Add Lock button brings up the following:

Lock choice screen

Select the correct device and we are asked for the pairing password. Enter that and:

Success!

The user now has full admin rights over the lock, including, crucially, the ability to change the pairing password and so lock the legitimate owner out. No notification is provided to the original user that their password has been used on another account, so they are none the wiser that the lock is compromised.

The exploit relies on the attacker having the ability to capture the data flowing between the device and the companion app. There are a number of different ways of doing this in addition to the btlejack method; for example, the image below identifies the same back and forward communication as in the PCAP, though in this case it was captured using the Gattacker tool:

Gattacker output

The attack does require a small amount of contact with the device, amounting to a push of the power button on the side of the lock. In a busy environment such as a railway station or airport it is not an impossible obstacle to surmount. In short, the eGeeTouch Travel Padlock should be passed over if you are looking for a reliably secure device.

I will be returning to this lock in a later post, as there are a number of other serious issues that greatly impact its desirability as a consumer product.