IoT Hacking: Linux Embedded, Bluetooth Smart, KNX Home Automation presented at Deepsec 2016

by Slawomir Jasek

Summary: The workshop consists of several modules:
1. Linux embedded
Embedded Linux is probably the most popular OS, especially in SOHO equipment like routers, cameras, smart plugs, alarms, bulbs, home automation, and even wireless rifles. Based on several examples, you will learn about the most common flaws (authentication bypass, command injection, path traversal, backdoor services...). We will open a wireless door lock remotely, hack cameras, and take control of other devices.
2. Bluetooth Low Energy
One of the most sought-after IoT technologies. Learn how it works, its risks, and the possible attacks.
Using a new BLE MITM proxy tool developed by the author, we will hack various devices: smart door locks, mobile Point of Sale, authentication tokens, beacons, anti-theft protection and others.
3. KNX home automation
Learn how to take control of the most common home automation system: EIB/KNX.
Following an introduction to the system basics, we will hack the provided demo installation, abusing common misconfiguration weaknesses, much as a luxury hotel in China was hacked a few years back.
SYLLABUS:
1.) LINUX EMBEDDED
Theory introduction
Embedded devices - popular architectures and operating systems
Device supply chain and why it is difficult to maintain security - BSP, ODM, OEM, SDK...
Embedded Linux and its flavours, not only in SOHO devices
One binary to rule them all
Firmware images
Tools
Firmware analysis - binwalk & co
Scanning and sniffing - nmap, Wireshark...
Exploiting known vulnerabilities: Metasploit, RouterSploit
Default credential lists, Hydra, John the Ripper...
Attacking web interfaces - Burp Proxy
Practical exercises
Identifying the serial port and connecting to the device during boot
Analyzing firmware images
Locating hidden URLs
Authentication bypass - opening a wireless door lock
Excessive services, debug interfaces
Cracking a hardcoded telnet root password
Abusing backdoors
RCE - getting a remote shell on a router
Attacking a proprietary remote access protocol
Analysis of Mirai botnet and example affected devices
2.) BLUETOOTH SMART
Theory introduction
What is Bluetooth Smart/Low Energy/4.0, and how does it differ from previous Bluetooth versions?
Usage scenarios, prevalence in IoT devices
Protocol basics
Advertisements, connections
Central vs peripheral device
GATT - services, characteristics, descriptors, handles
Security features - pairing/encryption, whitelisting, MAC randomization
Security in practice: custom crypto in the application layer
Tools and hardware
Reversing communication - mobile application analysis
BlueZ command-line tools
Sniffing software & hardware - Ubertooth, Adafruit, Blue Hydra...
What can you do with just a BT4 USB dongle?
Analysis - hcidump, Android btsnoop log, BLE-replay
BLE MITM - GATTacker, BtleJuice
MAC address cloning
Tips & tricks for MITM attacks
Other tools, PoCs, research...
Practical exercises
BLE beacon spoofing - get rewards & free beer
Abusing a padlock's proximity auto-unlock
Injecting arbitrary commands into a car-unlocking device's communication protocol
Spoofing the encrypted status of a smart door lock and home automation devices
Intercepting the indication of a "one-time-password" hardware token and authenticating to a bank
Hijacking a mobile Point-of-Sale display
Abusing excessive services (e.g. a module's default AT-command interface)
Intercepting a padlock's static authentication password
Abusing flaws of custom challenge-response authentication
PRNG weaknesses
Attacking encrypted (bonded) connections
A glimpse at the source code - why do the vulnerabilities appear?
Troubleshooting and debugging
Takeaway - hackmelock (mobile application + simulated device) to practice BLE hacking at home
3.) EIB/KNX
Theory introduction
Home automation standards review - wired, wireless
KNX/EIB - history, protocol basics
Group address, device address
Typical topology
KNX/IP gateways
Tools
ETS configuration suite
knxd (formerly eibd) and command-line tools
knxmap
nmap scripts
Practical exercises
Scanning for KNX/IP gateways from the local network
Detecting publicly exposed gateways
Monitor mode - sniffing
Reading/writing
Brute-forcing addresses
KNX security features
Device authentication keys
KNX Secure
BONUS TRACK (possible to do at home):
Reversing the binary protocol and hijacking the communication of a mobile application controlling an HVAC system.