DEFCON 22: Hack All the Things


This morning I went to a fantastic talk called Hack All the Things. It was presented by GTVHacker. If you don’t recognize the name, this is the group that hacked the GoogleTV. They haven’t stopped hacking since that success, and this talk is all about 20+ devices that they’ve recently pwned and are making the info public (that link still required auth when I checked but should soon be public).

The attacks they presented come in three flavors: UART, eMMC, and command injection bugs. I’m going to add the break now, but I’ll give a rundown of most of the device exploits they showed off. I found them all amusing, and often comical.

UART Hacks

UART connections on a PCB are usually pretty easy to spot. Most often they are 3 or 4 pins in a line or a square. Since pretty much everything runs Linux, once you have a serial connection, pwning the device is familiar territory. Let’s look at some hardware:

  • Epson Artisan 700/800 printer and the Belkin Wemo both have UART exploits.
  • Greenwave Reality smart bulbs ship with an open U-Boot console, which lets you issue commands at boot to get root shell access.
  • File Transporter (cloud/NAS; a Kickstarter project by Drobo). Buildroot-based. The UART header is actually populated on this one!
  • Vizio CoStar LT (ISV-B11). At boot it looks for fs.sys on USB. Research found this is a U-Boot image the device is looking for. Give it your own crafted U-Boot image and you pwn the device.
  • Staples Connect: WiFi, ZigBee (UART). Shorting pins 29 and 30 on the NAND chip at power-up corrupts the U-Boot load and gives you U-Boot access, which is an easy avenue to opening a root console.

eMMC Hacks

eMMC is basically an SD card on a chip. If you can patch into the data lines you can own the data on the device and monitor transactions. Usually you get at the pins by soldering to nearby resistors. Here are some devices pwned with this method:

  • Amazon Fire TV
  • Hisense Android TV (rebranded Google TV)
  • LG Smart Refrigerator (LFX31995ST)
  • Vizio Smart TV (VF552VXT)
  • Sony BDP-S5100 (Blu-Ray)
  • LG BP 530 (Blu-Ray)

Injection attacks:

Whether you know the term or not, you should already be familiar with injection attacks. These come from poorly implemented user interfaces: places where you can enter text that isn’t scrubbed for commands before it reaches the system.

  • Motorola RAZR LTE Baseband (processor separate from Android). This is done over a USB network connection.
  • PogoPlug can be attacked with injection via its web interface.
  • Netgear Push2TV set-top box. You can interrupt the boot loader through the UART. You can also get into the root shell for a second or two during boot. You can even inject via the nickname of the box to run commands as root.
  • Ooma Telo router. ssh is already running (LAN only) but it is firewalled by default. You can inject a command via the web interface iptables field to bring down that firewall. (The default root password is !ooma123.)
  • Netgear NTV200-100NAS. Everything on the box is signed. Another injection via the web interface. Updates are downloaded over HTTP. You can pull down an app, inject your symlink, and dump your own commands onto the device to open a root shell.
  • ASUS Cube (Google TV). The team giving the talk put an app on the Play store to get root, but Google pulled it down (apparently they don’t like apps that crack their precious hardware). You can use the built-in media app to inject through its SMB mounting feature.

Getting fun:

  • Summer Baby Zoom WiFi. A “secure” baby monitoring device according to their marketing. There is a hard-coded username and password for uploading firmware. This can be injection attacked with a simple ‘curl’ command.
  • Samsung SmartCam. There is a LAN-accessible script that checks passwords but not for new users. This can be exploited to make the system think you’re adding a new user; when asked to set the password you’re actually resetting the root password.

The “holy crap you need to buy one of these” hardware was saved for last:


Wink Hub is an amazing piece of pwned tech. Fifty bucks gets you a box billed as a gateway for your home devices. The board has six radios on it (WiFi, Bluetooth, Z-Wave, ZigBee, 433MHz Lutron, and 433MHz Kidde). It will interface with multiple peripherals like door locks, smoke detectors, propane gauges, and humidity/temperature/light sensors.

Pwn it like crazy. A command injection bug is present in the code, which runs a sudo command passing values in through POST variables. These are not escaped and make for an easy attack vector.
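The injection bugs in the list above and the Wink Hub’s sudo-over-POST bug are the same bug class: a web field concatenated into a privileged shell command. The snippet below is an added illustration (my own, not GTVHacker’s code and not the Wink firmware) of a hypothetical handler that does exactly that, next to a hardened version. It uses `echo` as a stand-in for the sudo’d binary so it runs harmlessly anywhere; the nickname field, the allowlist and the sample POST values are all constructed for the example.

```python
import re
import subprocess

# Constructed illustration: "echo" stands in for whatever privileged binary the
# real handler would run under sudo, so nothing here needs root or touches the box.
PRIVILEGED_CMD = "echo"

# Allowlist for the one field this hypothetical handler accepts (a device nickname).
NICKNAME_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9 _-]{0,31}$")


def vulnerable_handler(post_value: str) -> str:
    """The bug class from the talk: the raw POST value is pasted into a shell
    string, so shell metacharacters in it become extra commands.
    Returns the command's stdout."""
    cmd = f"{PRIVILEGED_CMD} {post_value}"
    result = subprocess.run(cmd, shell=True, capture_output=True, text=True)
    return result.stdout


def argv_only_handler(post_value: str) -> str:
    """First defense layer: hand the value to the program as one argv element.
    No shell parses it, so ';' or '`' are just characters in the argument."""
    result = subprocess.run([PRIVILEGED_CMD, post_value],
                            capture_output=True, text=True)
    return result.stdout


def hardened_handler(post_value: str) -> str:
    """Both layers: reject anything outside the allowlist, then use argv.
    Raises ValueError on a rejected value instead of running anything."""
    if not NICKNAME_RE.fullmatch(post_value):
        raise ValueError("nickname rejected by allowlist")
    return argv_only_handler(post_value)


def flag_suspicious_post(post_value: str) -> bool:
    """Detection-side check for a request log: does a POST field carry shell
    metacharacters that a nickname should never contain?"""
    return re.search(r"[;&|`$()<>\n]", post_value) is not None


if __name__ == "__main__":
    benign = "living-room-hub"
    hostile = "living-room-hub; echo INJECTED"   # constructed payload
    print("vulnerable:", repr(vulnerable_handler(hostile)))   # two lines of output
    print("argv only: ", repr(argv_only_handler(hostile)))   # one literal line
    try:
        hardened_handler(hostile)
    except ValueError as exc:
        print("hardened:  ", exc)
    print("flagged:   ", flag_suspicious_post(hostile))
```

Running it shows the difference: the vulnerable path produces a second line of output from the injected command, the argv-only path prints the whole value as one literal argument, and the hardened path refuses the value before anything executes. The allowlist matters even with argv passing, because the privileged program itself may interpret leading dashes or other characters as options.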

Comments

  1. Liam Jackson says:

    Awesome hacks. Each one of these devices could easily be a separate post (though I’m sure others would disagree).

    I mostly like to see hacks which save me money (e.g. a 25 quid device that when loaded with Linux will do the job of a 100 quid device) or the “we only had X, Y and Z and no money, so we reprogrammed X and cannibalised Y to make Z more awesome”

    But I can easily read about exploits like this for days.

  2. Landon says:

    Missed the talk but it sounds like it was quite awesome!

  3. haddyhad says:

    I have a now rooted wink hub here. Now just have to figure out how to block firmware updates. Hopefully this will become a popular open source platform.

  4. gdogg says:

    Pretty good talk, except my ‘prime’ seat by the camera (i.e. front center) meant no free prizes (usb serial adapters) because the throwers didn’t want to block the cameras.

  5. ianmcmill says:

    I would really really really love to see the Artisan rooted! No more I have to rip out only the rods and a crap load of dirt cheap DC motors but mainboards with a color touch tft. WTFBBQ !

  6. dr memals says:

    Those that do not learn from history are doomed to repeat it.

  7. Rob says:

    Hat tip to the entertaining and inspiring Allie Brosh (http://hyperboleandahalf.blogspot.com) for the inspiration for the “hack all the things” graphic. :-)
