SEARCH PATTERNS FOR SUCCESS Analysis of extracted firmware and GNU source releases is one of the most fruitful tools for embedded device hacking. The follow- ing search patterns are among the favorites of VERT researchers.
You don’t need a shell if the device takes commands without authentication. A number of products rely on infrastructure authenti- cation rather than device authentication. Many IoT devices simply have no authentication for connections from the local LAN.
TESTING STRATEGY »»Connect device and/or smartphone through MiTM access point (e.g. bit.ly/SSLMiTM) • Look for credentials being passed that were not selected by the device owner and commands without auth »» a port scan to see what services are exposed via IP Run • Try connecting to each service with nc ip port and openssl s_client –connect ip:port • Fuzz UPnP/SOAP services with command injection and SQL injection locator strings specified as parameters HTTP INTERFACE TESTING Many of the weaknesses found in IoT devices are found in HTTP interfaces for controlling or managing the product. Vulnerable aspects of these systems can commonly be found with quick black box testing. Some of VERT’s techniques involve submitting crafted values to the web server as a form of manual fuzz testing. Developers commonly restrict the crafted input only by client-side limitations. Sometimes this is done through regular expressions within JavaScript or Flash while other times URL parameters are hardcoded into mobile applications. The use of a proxy server such as Burp (www.portswigger.net/), Chrome Developer Tools, or FireBug allow the tester to side-step these restrictions. From there it is a matter of knowing what to look for and how to abuse it.
TIP 1: LOOK FOR PLACES WHERE EXTERNALLY SUPPLIED INPUT MAY BE USED FOR RUNNING COMMANDS. Example #1: Diagnostic functions like ping are often backed with something like system(“ping %s”,cHost); If shell meta-characters are sent to the shell, an attacker can gain command execution.
EXAMPLE INPUTS RESULT IF VULNERABLE
;reboot • ‘reboot’ • $(reboot) • &&reboot • ||reboot Reboots system (using this in the wrong place leads to boot loop)
‘echo <expected value>’ • $(echo <expected value>) Acts the same as if <expected value> were entered
;ping ip • ‘ping ip’ • $(ping ip) • && ping ip • || ping ip ICMP echo sent to ip and response may be delayed waiting
ADVANCED THREAT PROTECTION, SECURITY AND COMPLIANCE
TIP 2: LOOK FOR USER-SUPPLIED VALUES BEING SERVED AS WEB CONTENT OR INCLUDED IN EXECUTED COMMANDS Wireless SSID Values »»Is SSID rendered within an app’s WebView? (XSS without same-origin-policy possible) »»What happens if you try to connect to the network named “reboot” or “utelnetd –l/bin/sh”? Names »»Device name or owner name commonly displayed without sanitization »»Filenames may be displayed or even used in commands – ext filesystems can have files with “interesting” names
EXTRACTING FIRMWARE FINDING UNPROTECTED PAGES
binwalk –e <firmware file> for P in $(ls www); do curl –v http://ip/$P 2>&1|grep –i “200 o” >/dev/null && echo $P; done
OUTPUT: Recursively extract into ./_firmware/ OUTPUT: Identify requests that don’t give 401 Analyzing the firmware content can reveal a lot: Whitelisted files expose information and even vulnerability: »» Unlinked web content »» curl –v ip/$P 2>&1|grep “HTTP/1.0 200” && echo $P »» Vulnerabilities in scripts and configs »» If ‘foo’ or ‘.foo’ is open, try ‘?foo’ or ‘?.foo’ after query »» Undocumented features in binary strings »» Grep page contents for passwords or tokens »» Other tools: ‘7z x <file>’ or ‘unsquashfs <file>’ »» Look for pages with ‘hidden’ or ‘debug’ in the name
BINARY REVERSING UNCOVERING SECRETS
objdump -d <binary_file> strings <binary_file>
OUTPUT: Recover assembly for proprietary binaries OUTPUT: Text sections, symbols, and more Reverse engineering is time consuming but valuable: Strings is a quick and dirty binary recon tool: »» Find unbounded copies (memcpy, strcpy, etc) »» Check httpd for built-in pages and ACLs »» Reveal unreferenced API calls »» Search for %s in command strings »» Recover crypto keys and other secrets »» Backdoor/hardcoded credentials hide in binaries »» Determine expected message formats »» Locate SQL queries for injection attempts
WiFi RESILIENCE SSL VALIDATION
aireplay-ng -0 <count> -a <ap_mac> -c <dev_mac> ath0 sslsniff -a -s <port> -w log –c cert
OUTPUT: Deauthenticate device from access point OUTPUT: Find certificate validation failures Some basic flaws related to Wi-Fi handling: Some setup is required: »» Device becomes open AP when kept off network »» Connect IoT through Linux router »» Restarting device without net leads to first-time setup »» Apply iptables NAT to redirect SSL ports to <port> »» Will device connect to SSID without password? »» Self-signed signing cert needed »» IoT devices are easy for sniffing handshake »» Logged data means the device trusted forged cert
EXTRACTING SECRETS FROM ANDROID STATIC ANALYSIS EXTRACTING SECRETS FROM ANDROID DYNAMIC ANALYSIS apktool d <IoT control app>.apk “Packet Capture” app, sslsplit/sslsniff with trusted cert
OUTPUT: Extract and decompile Android app OUTPUT: View data sent to device and infrastructure Things to look for: Things to look for: »» Hardcoded device credentials »» Hardcoded credentials sent via HTTP/HTTPS »» Unadvertised URLs on IoT target »» Services and URLs used for device control »» Empty checkServerTrusted method (SSL fail) »» Privacy violations (i.e. exfiltrated data) »» Firmware update URLs »» Firmware update URLs
u Tripwire is a leading provider of security, compliance and IT operations solutions for enterprises, industrial organizations, service providers and government agencies. Tripwire solutions are based on high-fidelity asset visibility and deep endpoint intelligence combined with business context; together these solutions integrate and automate security and IT operations. Tripwire’s portfolio of enterprise-class solutions includes configuration and policy management, file integrity monitoring, vul- nerability management, log management, and reporting and analytics. Learn more at tripwire.com. u
SECURITY NEWS, TRENDS AND INSIGHTS AT TRIPWIRE.COM/BLOG u FOLLOW US @TRIPWIREINC ON TWITTER
