This morning I went to a fantastic talk called Hack All the Things. It was presented by GTVHacker. If you don’t recognize the name, this is the group that hacked the Google TV. They haven’t stopped hacking since that success, and this talk is all about 20+ devices that they’ve recently pwned and are making the info public (that link still required auth when I checked but should soon be public).
The attacks they presented come in three flavors: UART, eMMC, and command injection bugs. I’m going to add the break now, but I’ll give a rundown of most of the device exploits they showed off. I found them all amusing, and often comical.
UART connections on a PCB are usually pretty easy to spot. Most often they are 3 or 4 pins in a line or a square. Since pretty much everything runs Linux, once you have a serial connection, pwning the device is familiar territory. Let’s look at some hardware:
- Epson Artisan 700/800 printer and the Belkin Wemo both have UART exploits.
- Greenwave Reality smart bulbs ship with open U-Boot, which will let you issue commands at boot up to open root shell access.
- File Transporter (cloud/NAS; was a Kickstarter by Drobo). Buildroot-based. The UART header is actually populated on this!
- Vizio CoStar LT (ISV-B11). At boot it looks for fs.sys on USB. Research discovered this is a U-Boot file the device is looking for. Give it your own crafted U-Boot image and you pwn the device.
- Staples Connect (WiFi, Zigbee over UART). Shorting out pins 29 and 30 on the NAND chip corrupts the boot at power-up and drops you into U-Boot, which is an easy avenue to opening a root console.
eMMC is basically an SD card on a chip. If you can patch into the data lines you can own the data on the device and monitor transactions. Usually you get at the pins by soldering to nearby resistors. Here are some devices pwned with this method:
- Amazon Fire TV
- Hisense Android TV (rebranded Google TV)
- LG Smart Refrigerator (LFX31995ST)
- Vizio Smart TV (VF552VXT)
- Sony BDP-S5100 (Blu-Ray)
- LG BP 530 (Blu-Ray)
Whether you know the term or not, you should already be familiar with injection attacks. These are best described as poorly implemented user interfaces: places where you can enter text that isn’t scrubbed for commands before it reaches a shell.
- Motorola RAZR LTE Baseband (a processor separate from Android). This is done over a USB network connection.
- PogoPlug can be attacked with injection via the web interface.
- Netgear Push2TV set-top box. You can interrupt the boot loader through the UART. You can also get into the root shell for a second or two during boot. You can even inject via the nickname of the box to run commands as root.
- Ooma Telo router. ssh is already running (LAN only) but it is firewalled by default. You can inject a command via the web interface iptables field to bring down that firewall. (The default root password is !ooma123.)
- Netgear NTV200-100NAS. Everything on the box is signed, but there is another injection via the web interface. Updates are downloaded over http. You can pull down an app, inject your symlink, and dump your own commands onto the device to open a root shell.
- ASUS Cube (Google TV). The team giving the talk put an app on the Play store to get root, but Google pulled it down (apparently they don’t like apps that crack their precious hardware). You can use the built-in media app to inject through its SMB mounting feature.
- Summer Baby Zoom WiFi. A “secure” baby monitoring device according to their marketing. There is a hard-coded username and password for uploading firmware. This can be attacked with injection using a simple ‘curl’ command.
- Samsung SmartCam. There is a LAN-accessible script that checks passwords but not for new users. This can be exploited to make the system think you’re adding a new user; when asked to set the password you’re actually resetting the root password.
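The SmartCam bug above is an authorization gap rather than an injection: the password script checks the caller's current password on a "change" but not on an "add", and the add path writes straight over an existing account. The following is an added example (not Samsung's code and not from the talk) that models that flawed logic beside a fixed handler; the in-memory store, the request dicts, the "admin" session name and the "factory-default" password are constructed for illustration.

```python
"""Added example (not Samsung's code): the authorization gap described above,
where a password-setting script authenticates 'change password' but not
'add user', next to a fixed version. The store, the request dicts and the
user names are constructed for illustration."""
import hashlib
import hmac
import os


class UserStore:
    """Minimal salted-PBKDF2 credential store standing in for the device's."""
    ITERATIONS = 50_000  # kept modest so the example runs quickly

    def __init__(self):
        self.users = {}  # name -> (salt, derived key)

    def _derive(self, salt, password):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, self.ITERATIONS)

    def set_password(self, name, password):
        salt = os.urandom(16)
        self.users[name] = (salt, self._derive(salt, password))  # upsert: overwrites silently

    def check(self, name, password):
        rec = self.users.get(name)
        return rec is not None and hmac.compare_digest(rec[1], self._derive(rec[0], password))


def handle_flawed(store, req):
    """The bug pattern: 'change' verifies the current password, 'add' does not,
    and 'add' reuses the upsert, so adding a 'new' user called root resets root."""
    if req["action"] == "change":
        if not store.check(req["user"], req["current_password"]):
            return "denied"
        store.set_password(req["user"], req["new_password"])
        return "ok"
    if req["action"] == "add":
        store.set_password(req["user"], req["new_password"])  # no auth, no existence check
        return "ok"
    return "bad request"


def handle_fixed(store, req, session_user):
    """Hardened: every account mutation requires an authenticated session,
    'add' is admin-only and refuses existing names, and 'change' only works
    for the session's own account with its current password."""
    if session_user is None:
        return "denied"
    if req["action"] == "add":
        if session_user != "admin":
            return "denied"
        if req["user"] in store.users:
            return "exists"
        store.set_password(req["user"], req["new_password"])
        return "ok"
    if req["action"] == "change":
        if req["user"] != session_user or not store.check(session_user, req["current_password"]):
            return "denied"
        store.set_password(session_user, req["new_password"])
        return "ok"
    return "bad request"


def make_store():
    """Constructed starting state: a root account with a known password."""
    store = UserStore()
    store.set_password("root", "factory-default")
    return store


# Constructed request: an unauthenticated 'add user' aimed at the root name.
ROGUE_ADD_REQ = {"action": "add", "user": "root", "new_password": "rogue-choice"}

if __name__ == "__main__":
    s = make_store()
    handle_flawed(s, ROGUE_ADD_REQ)
    print("flawed handler: root now uses the rogue password?", s.check("root", "rogue-choice"))
    s = make_store()
    print("fixed handler, no session:", handle_fixed(s, ROGUE_ADD_REQ, None))
    print("fixed handler, admin session:", handle_fixed(s, ROGUE_ADD_REQ, "admin"))
    print("root password unchanged?", s.check("root", "factory-default"))
```

The two properties worth checking in any account-management endpoint are visible in `handle_fixed`: no mutation without an authenticated session, and "create" never doubling as "overwrite".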
The “holy crap you need to buy one of these” hardware was saved for last:
Wink Hub is an amazing piece of pwned tech. Fifty bucks gets you a box billed as a gateway for your home devices. The board has six radios on it (WiFi, Bluetooth, Z-Wave, Zigbee, 433MHz Lutron, and 433MHz Kidde). It will interface with multiple peripherals like door locks, smoke detectors, propane gauges, and humidity/temperature/light sensing.
Pwn it like crazy. A command injection bug is present in the code, which runs a sudo command passing values in through POST variables. These are not escaped and make for an easy attack vector.
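The Wink Hub bug, and the injection category in general, comes down to one pattern: a POST variable glued into a shell command line. As an added example (not Wink's or GTVHacker's code), here is that pattern beside a hardened handler. The "set-nickname" helper path, the handler names and the POST bodies are constructed for illustration; the vulnerable function only returns the string the shell would get rather than executing it, and the safe handler is parameterised so it can be exercised with plain `echo`.

```python
"""Added example: the command-injection pattern from the talk (a web handler
that feeds POST variables into a sudo'd shell command) next to a hardened
version. Nothing here is Wink's or GTVHacker's code; the handler names, the
'set-nickname' helper and the POST bodies are constructed for illustration."""
import re
import subprocess

# Constructed POST bodies. The first carries a shell metacharacter, which is
# exactly what an unescaped handler passes straight through to /bin/sh.
ODD_POST = {"nickname": "den; id"}
BENIGN_POST = {"nickname": "den"}

# Allow-list for a device nickname: letters, digits, '-' and '_', 1-32 chars.
NICKNAME_RE = re.compile(r"[A-Za-z0-9_-]{1,32}")


def build_unsafe_command(post):
    """The bug pattern: string-concatenate a POST variable into a shell
    command line. Returned, not executed, so the example is safe to run."""
    return "sudo /usr/local/bin/set-nickname " + post["nickname"]


def validate_nickname(value):
    """Reject anything outside the allow-list before it touches a command."""
    if not NICKNAME_RE.fullmatch(value):
        raise ValueError("nickname contains disallowed characters")
    return value


def run_argv(argv):
    """Run a command as an argv list: no shell is involved, so the user-supplied
    argument is delivered as one literal string whatever its contents."""
    return subprocess.run(argv, check=True, capture_output=True, text=True).stdout


def set_nickname_safe(post, setter=("/usr/local/bin/set-nickname",)):
    """Hardened handler: validate, then call the helper via argv (no shell).
    `setter` is parameterised so the example can be exercised with echo."""
    name = validate_nickname(post["nickname"])
    return run_argv(list(setter) + [name])


if __name__ == "__main__":
    print("shell would receive:", build_unsafe_command(ODD_POST))
    # Even with no validation, argv passing keeps the value as one argument:
    print("argv form echoes back:", run_argv(["echo", ODD_POST["nickname"]]).strip())
    try:
        set_nickname_safe(ODD_POST, setter=("echo",))
    except ValueError as e:
        print("rejected:", e)
    print("accepted:", set_nickname_safe(BENIGN_POST, setter=("echo",)).strip())
```

The allow-list and the argv form are independent defences: argv stops the web process's own shell from re-parsing the value, and the allow-list protects the helper in case it hands the argument to a shell itself. The `sudo` in the original pattern is the third problem; a web process should only be able to escalate to one fixed binary, never to a command line it composes at runtime.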