This morning I went to a fantastic talk called Hack All the Things. It was presented by GTVHacker. If you don’t recognize the name, this is the group that hacked the GoogleTV. They haven’t stopped hacking since that success, and this talk is all about 20+ devices that they’ve recently pwned and are making the info public (that link still had oath when I checked but should soon be public).
The attacks they presented come in three flavors: UART, eMMC, and command injection bugs. I’m going to add the break now, but I’ll give a rundown of most of the device exploits they showed off. I found all amusing, and often comical.
UART Hacks
UART connections on a PCB are usually pretty easy to spot. Most often they are 3 or 4 pins in a line or a square. Since pretty much everything runs Linux so once you have a serial connect pwning the device is familiar. Let’s look at some hardware:
- Epson Artisan 700/800 printer and the Belkin Wemo both have UART exploits.
- Greenwave reality smart bulbs ship with open U-boot which will let you issue commands at boot up to open root shell access.
- File transporter (cloud/nas; was a kickstarter by drobo). Buildroot-based. The UART header is actually populated on this!
- Vizio CoStar LT (ISV-B11). At boot it looks for fs.sys on USB. Research discovered this is U-Boot file which the device is looking. Give it your own crafted U-boot image and you pwn the device.
- Staples Connect: wifi, zigbee (UART) — short out pins 29 and 30 on the NAND chip corrupts the U-Boot at power-up and gives U-Boot access which is an easy avenue to opening a root console.
eMMC Hacks
eMMC is basically an SD card on a chip. If you can patch into the data lines you can own the data on the device and monitor transactions. Usually you get at the pins by soldering to nearby resistors. Here’s some devices pwned with this method:
- Amazon Fire TV
- Hisense Android TV (rebranded Google TV)
- LG Smart Refrigerator (LFX31995ST)
- Vizio Stmart TV (VF552VXT)
- Sony BDP-S5100 (Blu-Ray)
- LG BP 530 (Blu-Ray)
Injection attacks:
Whether you know the term or not you should already be familiar with injection attacks. This is best described as poorly implemented user interfaces; places you can enter text that don’t scrub for commands.
- Motorola RAZR LTE Baseband (processor separate from Android). This is done over a USB network connection.
- PogoPlug can be attacked with injection via web interface
- Netgear Push2TV set-top box. You can interrupt the boot loader through the UART. You can also get into the root shell for a second or two during boot. You can even inject via the nickname of the box to run commands as root.
- Ooma Telo router. ssh is already running (LAN only) but it is firewalled by default. You can inject a command via the web interface IPtables field to bring down that firewall. (default root password is !ooma123).
- Netgear NTV200-100NAS. Everything on the box is signed. Another injection via web interface. Updates are downloaded over http. You can pull down an app, inject your symlink, and dump your own commands onto the device to open a root shell.
- ASUS cube (Google TV). The team giving the talk put an app on the Play store to get root but Google pulled it down (apparently they don’t like apps that crack their precious hardware). You can use the built-in media app to inject through its SMB mounting feature.
Getting fun:
- Summer Baby Zoom WiFi. “Secure” baby monitoring device according to their marketing. There is a hard coded username and password for uploading firmware. This can be injection attacked with a simple ‘curl’ command.
- Samsung SmartCam. There is a LAN-accessible script that checks passwords but not for new users. This can be exploited to make the system think you’re adding a new user; when asked to set the password you’re actually resetting the root password.
The “holy crap you need to buy one of these” hardware was saved for last:
Wink Hub is an amazing piece of pwned tech. Fifty buck gets you a box billed as a gateway for your home devices. The board has six radios on it (WiFi, Bluetooth, Z-Wave, Zigbee, 433MHz Lutron, and 433MHz Kidde). It will interface with multiple peripherals like door locks, smoke detectors, propane gauges, humidity/temperature/light sensing.
Pwn it like crazy. A command Injection bug is present in the code which runs a sudo command passing values in through POST variables. Theses are not escaped and make for an easy attack vector.
Awesome hacks. Each one of these devices could easily be a seperate post (though I’m sure others would dis-agree).
I mostly like to see hacks which save me money (e.g. a 25 quid device that when loaded with linux will do the job of a 100 quid device) or the “we only had X, Y and Z and no money, so we reprogrammed X and canabalised Y to make Z more awesome”
But I can easily read about exploits like this for days.
^^This subset of HAD content is my main reason for reading.
Likewise. This is exactly why I come here.
100% agreement
seriously. If they tagged their posts better I could filter for this subset (RE? pwning?) and see 100% good content.
Missed the talk but it sounds like it was quite awesome!
I have a now rooted wink hub here. Now just have to figure out how to block firmware updates. Hopefully this will become a popular open source platform.
It gets automatic firmware updates? Never seen that before. Did a cursory glance at it and didn’t get any firm answers on how it operates. Block via firewall to whatever servers it gets updates from. Since you can inject sudo commands I assume iptables on the device itself is an option. If it gets updates from an application running on a local computer (i.e. control app or whatever) then just block internet access on that machine. Windows firewall can do the job.
Yes I believe these are the urls to block:
hub-api.winkapp.com
hub-updates.winkapp.com
wink-hub-images.s3.amazonaws.com
Sent a tip in last week about a teardown (http://community.smartthings.com/t/wink-hub-teardown/3288) of the wink hub. I’m glad to see someone else was as curious as I’ve been about the hackability of these. They’re currently $49.99 at Home Depot but they have a promotion going on until 9/3/14 (http://www.homedepot.com/c/Electrical_Offers) where you can get it for $0.99 if you buy 2 wink-enabled products or $24.99 if you buy 1 wink-enabled product.
It’d be great to see a site/forum for development on this device.
Pretty good talk, except my ‘prime’ seat by the camera (i.e. front center) meant no free prizes (usb serial adapters) because the throwers didn’t want to block the cameras.
Sorry you didnt get one. Ping me on twitter (@zenofex) and I’ll give you a USB-To-TTL if you are still at the conference.
I would really really really love to see the Artisan rooted! No more I have to rip out only the rods and a crap load of dirt cheap DC motors but mainboards with a color touch tft. WTFBBQ !
those that do not learn from history and doomed to repeat it.
Hat tip to the entertaining and inspiring Allie Brosh (http://hyperboleandahalf.blogspot.com) for the inspiration for the “hack all the things” graphic. :-)
She does awesome webcomics. Alot.
Wink Hub Root How-To: http://winkhubroot.wordpress.com/2014/08/16/rooting-the-quirky-wink-hub/
With Quirky imploding, how do people feel about the Wink Hub now? It looks like you can still root it, a long as you do it before you configure its internet access and block its attempts to auto-update. If I’m going to root it, should I even care about the problems Quirky has been having? I had also been looking at the Smartthings Hub, but Wink is half the price and adds Bluetooth and 433MHz support…
By the way, the blurb about the Pogoplug is just slightly wrong. It can be compromised simply by going in over SSH, and eventually sticking and mounting a flash stick containing your own software.
They still don’t understand why we like that little guy so much.
Hacked by ahnoonymus