by RSS Axelle Apvrille  |  May 10, 2017  |  Filed in: Security Research

Welcome back to our monthly review of some of the most interesting security research publications.

Previous edition: March 2017

What happened to your home? IoT Hacking and Forensic with 0-day - from TROOPERS 17, by Park and Jin

Figure 1: Hacking a vacuum cleaner

The authors hacked a vacuum cleaner, which, besides cleaning, also includes an embedded camera and microphone.

The hack wasn’t easy because the vacuum wasn’t too badly secured. The authors however found 2 vectors:

1. They connected on the UART port. This port is for debugging and displays a shell, provided you know the user id and password (which they did not.) However, the authors were still able to gather some information, such as the kernel version.

2. The vacuum can also be controlled remotely through Wi-Fi. Unfortunately, its Wi-Fi protocol isn’t secured (clear text) and the Wi-Fi AP and password can be read easily. Using the Wi-Fi vector the vacuum can be controlled remotely, and, for example, be turned into a tool for spying.

A vacuum cleaner as a spy machine? For average folks at home, this may perhaps a bit far-fetched, although it could, for instance, be used as a good presence indicator for burglars (but there are many other indicators that can be used for this. . . ) Instead, think about vacuum cleaners being used in enterprises, government offices and agencies, or embassies! Nice non-human spies! The only downside: cleaning usually occurs outside working hours (but that’s not necessarily true for places which run 24/7).

BLE authentication design challenges on smartphone controlled IoT devices: analyzing Gogoro Smartscooter - from TROOPERS 17, by Cha and Dai

The authors of this session hacked an electric smart scooter. The scooter is designed to be unlocked using either a smart key fob, or your mobile phone. They found out that the scooter’s lock/unlock is performed over Bluetooth Low Energy.

To unlock a scooter,

1. You send a BLE packet to the scooter

2. The scooter responds with a random challenge

3. You respond with the appropriate response for this challenge. This is verified on the scooter, and if correct, the scooter is unlocked.

After some tests, the authors discovered that the scooter and the key fob or the mobile phone share a common secret – a secret key. Once you gain access to this secret key it becomes easy to generate the challenge response, and then lock/unlock the scooter. Unfortunately, this secret key is not properly secured on mobile phones, and can be found in the Documents directory of the mobile device. . .

The talk also mentions how scooters are identified. This is an interesting hack where the developers are able to identify your scooter by creating a BLE service where the UUID is customized with the BLE MAC address of your scooter. The hack does not particularly secure the locking/unlocking of the scooter, but it helps address BLE packets to the identified scooter.

Figure 2: Gogoro Smartscoote

The vacuum and scooter talks are interesting because, contrary to many other IoT developments, these devices took security into account during development. Unfortunately, in both cases, it wqsn’t enough as they failed to properly secure all parts.

As a result, a vulnerability was spotted and exploited. By the way, it is important to note that these attacks are not very technical and quite easy to reproduce. Basically, in both cases, the issue was the width of the attack surface: they forgot to secure some areas.

Spotless Sandboxes: Evading Malware Analysis Systems using Wear-and-Tear Artifacts - from IEEE S&P 2017, Miramirkhani, et al,

This academic paper presents a new way to detect sandboxes. As sandboxes are being improved to look more and more realistic (so that malware does not easily detect them), the authors warn the community that they are other ways to detect sandboxes. Most notably, one method is based on how realistic past use of the sandbox has been. The technique relies on the fact that sandboxes are usually installed on a fresh OS, and after analysis, the environment is reset to its original status, thereby scrubbing out any record of its use.

On the contrary, real a OS ages and each of our actions modifies its status, causing the cache to grow, etc. For attackers or malware, a fresh OS can therefore be an indicator of a sandboxing environment.

To put it simply, the paper presents sandbox detection by aging. To thwart this detection vector, a sandbox can be hardened by automatically aging it.

People need to keep in mind that (1) because sandboxes are detectable, they can fail to analyze some samples, and (2) not just elite malware is able to evade sandboxes. That being said, sandboxes remain useful in the field because they can help spot many non-evading malware variants, and considering the loads of malware we face, any automated help is always welcome ;)

Miscellaneous

Troopers 17 videos

• Rafael Scheel, Hacking smart TV via rogue DVB-T signals

– the Crypto Girl

“If you think research is expensive, try disease!” - Mary Lasker (1900-1994)

by RSS Axelle Apvrille  |  May 10, 2017  |  Filed in: Security Research