DEF CON 2013 Highlights – Home Invasion, RFID Hacking
Home Invasion 2.0 – Attacking Network-Controlled Consumer Devices
Daniel “unicornFurnace” Crowley, Managing Consultant, SpiderLabs, Trustwave
Jennifer “savagejen” Savage, Software Engineer
David “videoman” Bryan, Computer Security Professional
This talk focused on Internet-connected household devices and how they usually lack even the most basic forms of security. The web-connectivity is intended to provide numerous features, such as the remote opening of door locks or the disarming of home alarms, often times controlled from a handheld device. The insecurity allows hackers to gain control of these and other physical devices, like thermostats, fridges, lights and toys. Following are some examples.
Karotz Smart Rabbit Toy
The rabbit connects to any home network and can be controlled remotely. It uses code signing, which can be bypassed via Python Module Hijacking via a Man-in-the-Middle attack during setup. This grants a hacker control of the bunny’s ears, lights and speaker. Its video stream can also be controlled and the toy can even be hacked to make purchases.
Belkin WeMo Switch
This is a device that plugs into an electrical outlet and can be used, via a mobile app, to automate the home, like power on or off lamps and TVs. Anyone that is on the same home network as the switch, can control it. It uses UPnP to communicate with other devices and is easily discoverable.
This is a network device for playing music. It interestingly broadcasts a TON of information about the computer that this product’s control software is installed on. Web pages can be accessed that will display the computer’s netstat output, processlist, ifconfig output, among other things.
Lixil Satis Smart Toilet
Yes, this is not a typo. This smart toilet can be controlled via a Bluetooth-connected app. There is no authentication at all and it comes with a Bluetooth default PIN of 0000. If hacked, the lid can be opened and closed, it can be flushed, the blow dryer can be turned on, and same goes for the bidet. It can even be controlled to play music. Imagine the reaction from the toilet suddenly cursing something smart at you, while shooting warm water up your bum.
Insteon Hub and VeraLite Home Automation Systems
These are devices that control multiple other devices in your home such as locks, garage doors, lights, etc. They are extremely insecure, with either no default authentication or come equipped with a hardcoded, easily brute-forced username and password. The VeraLite has guest accounts that can’t do many things, but can incidentally do: Firmware updates, settings updates (which contain the root password hash), and test LUA code (it runs the code as root). They were able to find 3 authentication bypasses, 7 root exploits and 2 remote exploits. Also and theoretically, if the VeraLite’s firewall is bypassed, one could control all VeraLite systems that are connected to the cloud.
In the rush to get to market, consumer device makers are skimping or skipping on security and other than Belkin, don’t seem to care much about fixing and finding new security holes.
RFID Hacking: Live Free or RFID Hard
Francis Brown, Managing Partner, Bishop Fox
Up until now RFID hacking tools for stealing credentials have had a range limitation around a few centimeters which would require you to essentially get close enough to grab someone’s butt in order to read the card. Security consulting firm, Bishop Fox, developed a board to read data from longer range RFID card readers such as the ones that read cards in automobiles. This means one can carry a lightweight system capable of reading cards from a few feet away and can be easily concealed in a backpack. These low-frequency card systems are even admitted by the manufacturers to provide no security at all. Regardless, it was mentioned that an estimated 70-80% of facilities that use RFID access control use these outdated systems.
Interestingly, Disney is transitioning to an all-RFID solution for their theme parks. Imagine having a RFID widget that can get fast passes for you and provide you access to different rides or parts of the park. Now imagine having free reign over the system. It wasn’t stated if Disney’s system is using the old low-frequency system with no security, though.
Protective sleeves can be used to protect one’s credentials, if using an outdated RFID keycard. The U.S. government issues one with every green card now, but the researcher found that half of them do not block anything. Passports also have RFID tags embedded in them.
Instead of actively stealing credentials it’s possible to sniff credentials over the air when the keys are used at a valid access point. One researcher could do so from a distance of 10 feet. It’s also possible to open up the readers and dump their logs or sniff the traffic from the readers over the network.