by RSS Axelle Apvrille  |  Nov 17, 2016  |  Filed in: Security Research

Besides conference sessions, DefCamp 2016 also ran various competitions in the hacking village. I wandered about the critical infrastructure area - an amazing model kit of a train, station, and solar panels all controlled by Siemens and Schneider PLCs - but mostly, of course, at the IoT village.

Illustration 1. Critical Infrastructure village with model kit, PLCs, and SCADA supervision monitor

At the IoT village, several connected devices were available to be hacked: web cameras, a water sensor, a coffee maker... I lost some time on the Foscam IP camera, and then on the coffee maker.

Illustration 2. Available devices at the IoT Village. Note the IP addresses are private to the IoT village LAN.

Is it connected?

I started scanning the coffee maker’s IP address for open ports, but was quite unlucky:

$ sudo nmap -sS 10.0.3.18 
Starting Nmap 6.40 ( http://nmap.org ) at 2016-11-11 10:15 CET 
Note: Host seems down. If it is really up, but blocking our ping probes, try -Pn
Nmap done: 1 IP address (0 hosts up) scanned in 0.47 seconds

I did what it said and tried with -Pn, but with not much more success:

$ sudo nmap -sU -Pn 10.0.3.18
Starting Nmap 6.40 ( http://nmap.org ) at 2016-11-11 14:03 CET
Nmap scan report for ESP_12CC11 (10.0.3.18)
Host is up (0.0075s latency).
All 1000 scanned ports on ESP_12CC11 (10.0.3.18) are closed
MAC Address: 5C:CF:7F:12:CC:11 (Unknown)

Something's there, but no open ports so far.

Mobile application

So, I decided to have a look at the mobile application. I downloaded and installed the app, but was unable to connect to the coffee pot.

Illustration 3: Smarter Coffee Maker Android application

Making coffee with Python

At that time, I was mentally getting prepared to reversing the mobile application. But never do what others have already done: on the web, I bumped into a very nice Python script of  Simone 'evilsocket' Margaritelli controlling the coffee maker.

Reading the code, I saw the program was connecting to the coffee pot on port 2081:

def __init__( self, address, port = 2081 ):  
  self.address = address
  self.port = port
  self.sock = socket.socket( socket.AF_INET, socket.SOCK_STREAM )  

Does my coffee machine respond on that port?

$ sudo nmap -sX -p 2081 10.0.3.18
Starting Nmap 6.40 ( http://nmap.org ) at 2016-11-11 14:12 CET
Nmap scan report for ESP_12CC11 (10.0.3.18)
Host is up (0.15s latency).
PORT	 STATE	       SERVICE
2081/tcp open|filtered kme-trap-port
MAC Address: 5C:CF:7F:12:CC:11 (Unknown)
Nmap done: 1 IP address (1 host up) scanned in 1.86 seconds  

Yes, it does :) My former port scans hadn't scanned up to that port number, which explained why I hadn't seen it.

I gave Simone's script a try, and it worked perfectly well:

Illustration 4. Controlling the coffee maker remotely using Simone Margaritelli's Python tool.

Illustration 6 Coffee currently brewing! I hope somebody drank it, I made several cups ;)

Responsible Disclosure

From this point, I decided to edit Simone's Python code and insert my own hacks. We're following responsible disclosure at Fortinet, so I won't be telling you what I did as we've just contacted the vendor. What I'll just tell you is that the vulnerability puts the coffee maker out of service:

Illustration 7. Coffee maker hack in action (Denial of Service)

Initially, the coffee maker works and responds to commands (see Illustration 4). I run my hack, and the socket times out: the coffee maker no longer responds (see Illustration 7). As a matter of fact, it won't respond to any more commands unless you reboot it. No more coffee ;) Denial of Service.

Important note: Simone Margaritelli's script is not malicious + does not implement the vulnerability. I used it as a canvas, and inserted the implementation of my own hack inside it. I could have written a standalone tool but I ran for a quick implementation...

Hacked for fun - but no prize :(

I showed my vulnerability live to the organizers, but unfortunately, as the contest was closing minutes later they told me I would not have time to write up my results (note: the contest rules did not specify I had to do that) and told me they would not validate my hack! Hmmm :(

Also, I found out that another competitor had found another vulnerability on the coffee maker before me, so it was fair he'd get the prize. I hacked the coffee maker for fun mainly, but would have loved to bring one back to my colleagues (I don't drink coffee myself!). Nevertheless, it was a bit disappointing not to get even a small "consolation" prize. As far as I know, only 3 vulnerabilities - mine included - were found during the whole contest. I should have "deserved" "something," a sticker, I don't know. Right?

You're organizing a contest? Think about it next time. :)

-- the Crypto Girl

by RSS Axelle Apvrille  |  Nov 17, 2016  |  Filed in: Security Research