Every once in a while you get lucky and a piece of cool gear lands on your bench to tear down and explore. On that measuring stick, Kristin Paget hit the jackpot when she acquired a fascinating piece of current generation cellphone infrastructure. She’s currently researching a carrier-grade LTE eNodeB and walked through some of the findings, along with security findings of two IoT products, during her talk on the Laws of IoT Security at the 2017 Hackaday Superconference.
Evolved Node B (eNodeB) is the meat and potatoes of the LTE cellular network. It connects the antenna to backhaul — this is not something you’d expect to see on the open market but Kristin managed to pick one up from a vendor at DEF CON. Hearing her walk through the process of testing the hardware is a real treat in her talk and we’ll get to that in just a minute. But first, check out our video interview with Kristin the morning after her talk. We get into the progress of her eNodeB research, and touch on the state of IoT security with advice for hardware developers moving forward.
In the interview Kristin mentions that WiFi is certainly not the most secure choice for connected devices and she definitely drives this point home in her Supercon talk.
The first of three hardware devices she takes on is a WiFi connected lightbulb. We’ve all done the dance with WiFi connected “smart” items: connect to its AP with your phone, load a webpage and type in your WiFi credentials to the “Thing” can get on your AP. In this case after you enter your WiFi credentials the lightbulb got on the network but continued to serve up it’s own AP — with a easily searchable default password. Of course the issue being that your WiFi credentials are served up in plain text on the lightbulb’s config screen so anyone in range can get to your home WiFi credentials. Brilliant.
The Laws of IoT violated here are easy to understand and apply almost universally. Don’t hand out plain text credentials. Choose to use unique provisioning credentials so not just anyone can get to the config interface. Separate user privileges from owner privileges. And don’t leave the provisioning AP up once the device is connected to the target network.
Next on the chopping block is a first generation Amazon Dash button. These have been favorites for hacking since they came out. But of course Kristin isn’t going to be happy with watching the router for the MAC address to appear. She walks through sniffing traffic on the button and dissecting the certificate validation used. The surprising find is that all of the first generation Dash buttons expect SSL with an expiry in 2015 or they won’t work. Designers need to include a way to refresh keys or users will end up locked out of devices in the wild. Dash solved this just by dropping all of the SSL security used.
This brings us to the juicy part of the talk: the LTE eNodeB. Since this is carrier grade, this is designed to be in use for 10 or more years and in this case is a software-defined radio ready to upgrade as new technology emerges. Getting into the OS is almost comical: Kristin found the bootspew on one of the serial ports and realized it was running uBoot. How did she realize that? The boot process gives you a 5 second countdown to enter it with a keypress. Dropping into uBoot made it easy to start a shell and Kristin’s inspection of /etc/passwd included hashes and multiple accounts that shared UIDs. It’s a delight to see how she worked through all of this.
The first step to designing more secure hardware is to understand the mistakes that have become all too common. From simple and cheap lightbulbs to elite infrastructure, Kristin makes an excellent case that we as hardware developers must be codifying and following a set of IoT security laws to make connected hardware work for us as an asset and not a liability.