Vacuum Cleaning Security
Pinky and the Brain Edition
Jiska Classen
Secure Mobile Networking Lab - SEEMOO
Technische Universität Darmstadt, Germany
Fabian Ullrich
IT Security Analyst @ ERNW GmbH
Heidelberg, Germany

Slides 2-3: Motivation
● A vacuum cleaning robot is in your house, has access to your Wi-Fi and knows many of your personal habits.
● Which of you owns a vacuum cleaning robot? (Owns as in: it is YOUR robot, neither your neighbor's nor someone's on the Internet!)
● Neato is one of the top vacuum cleaning robot models in the US.
● In Germany, Vorwerk has been selling vacuum cleaners forever (founded 1883). Their top model, a robot, is a rebranded Neato.
● Vorwerk won the test comparisons in Germany with their VR300/VR200.

Slide 4: Responsible Disclosure
● Robots were harmed during our experiments! (Sorry for that…)
● No customer data was leaked.
● Neato was informed and fixed all issues in time.

Slides 5-9: Infrastructure & Security Features
[Architecture diagram, built up over slides 5 to 9. Labels as extracted: Nucleo, Beehive, UI & USB console, Manual robot commands, Setup only, ??, Robot commands / status, Account information, Robot commands, status responses.]
Security features ticked in the diagram (HTTPS appears on four links, the secret key on three, the RSA key on two; one link is only marked "??"):
● HTTPS
● RSA key (robot↔cloud)
● Secret key (robot↔user)
● Secure boot
● Encrypted logs
● Signed firmware updates

Slides 10-11: Contributions
● With all these security features, what could possibly go wrong?
● We bypass secure boot on a vacuum cleaning robot to extract its memory.
● Our key findings are…
  ○ … key findings!
  ○ And a QNX side quest.
● We also gained unauthenticated RCE on robots over the cloud.

Slide 12: Secure Boot Bypass
● Custom AM335x chip (guessed by size factor).
● QNX 6.5 image from Foundry27 is bootable but crashes.
● Get QNX SDP, modify image, skip hardware initialization, reboot Neato system into custom image for cold boot attack, print all RAM to the serial port.
● Watchdog started by Pinky,
● Cleaning logic binary started by Brain.
Jiska found this, got assigned CVE-2018-20785, fixed in Neato BotVac Connected D7 4.4.0-72 in December 2018 and for Vorwerk sometime after January 2019.

Slides 13-14: Keys and their Purpose (1)
Secret Key
● Generated when associating a robot with a user account.
● Known by: robot, app and cloud components.
● Individual key for each robot/user account relation! Used for authenticating commands to the robot.

Header = Authorization: NEATOAPP [signature]
  string_to_sign = serial + date + message_body
  signature = HMAC_SHA256(secret_key, string_to_sign)
https://developers.neatorobotics.com/
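The NEATOAPP scheme above, as an added worked example in Python (not code from the talk or from Neato): it builds the header from the slide's string_to_sign and checks it on the receiving side. The serial, secret key, message body and the HTTP-date format of the date field are assumptions.

```python
import hmac
import hashlib
from datetime import datetime, timedelta, timezone

# Constructed sample values, not real robot data.
SERIAL = "OPS01234-0123456789AB"
SECRET_KEY = bytes.fromhex("00112233445566778899aabbccddeeff")
# Assumption: the date field uses the HTTP-date format of the Date header.
DATE_FMT = "%a, %d %b %Y %H:%M:%S GMT"


def string_to_sign(serial: str, date: str, body: str) -> bytes:
    """Concatenation exactly as on the slide: serial + date + message_body."""
    return (serial + date + body).encode("utf-8")


def sign_app_request(secret_key: bytes, serial: str, date: str, body: str) -> str:
    """Header value the app sends: 'NEATOAPP [signature]' (hex HMAC-SHA256)."""
    mac = hmac.new(secret_key, string_to_sign(serial, date, body), hashlib.sha256)
    return "NEATOAPP " + mac.hexdigest()


def verify_app_request(secret_key: bytes, serial: str, date: str, body: str,
                       header: str, now: datetime,
                       max_skew: timedelta = timedelta(minutes=5)) -> bool:
    """Robot-side check: recompute the MAC over the same fields and compare it
    in constant time. Because 'date' is part of the signed string, a replayed
    message is rejected once it falls outside the accepted clock skew."""
    if not header.startswith("NEATOAPP "):
        return False
    expected = sign_app_request(secret_key, serial, date, body)
    if not hmac.compare_digest(expected.encode(), header.encode()):
        return False
    try:
        sent = datetime.strptime(date, DATE_FMT).replace(tzinfo=timezone.utc)
    except ValueError:
        return False
    return abs(now - sent) <= max_skew


def demo() -> tuple:
    """Sign one command, then show a tampered body and a stale date failing."""
    now = datetime(2019, 8, 9, 12, 0, 0, tzinfo=timezone.utc)
    date = now.strftime(DATE_FMT)
    body = '{"reqId":"1","cmd":"startCleaning"}'  # constructed message body
    hdr = sign_app_request(SECRET_KEY, SERIAL, date, body)
    ok = verify_app_request(SECRET_KEY, SERIAL, date, body, hdr, now)
    tampered = verify_app_request(SECRET_KEY, SERIAL, date,
                                  body.replace("start", "stop"), hdr, now)
    stale = verify_app_request(SECRET_KEY, SERIAL, date, body, hdr,
                               now + timedelta(hours=1))
    return ok, tampered, stale
```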

Slides 15-16: Keys and their Purpose (2)
RSA Key
● Robots have to initially send the secret key
  ○ Has to be authenticated.
● Secret key not that secret
  ○ Several third parties know it.
  ○ Cannot be used to authenticate the robot in the cloud.
RSA key used to authenticate the robot to the cloud.

Header = Authorization: NEATOBOT [serial]:[signature]
  string_to_sign = serial + http_method + URI + date + body
  signature = sign_rsa_sha256(string_to_sign, rsa_private_key)

Slides 17-19: Secret Key Entropy Reduction
Fabian found and analyzed this beautiful piece of code! Got assigned CVE-2018-19441.

  rnd = rand();                                                // one call to the C library PRNG

  time_shift[0:3] = time_now;                                  // current time, 4 bytes
  time_shift[4:6] = 0;                                         // three constant zero bytes
  time_shift[7] = 16;                                          // constant
  time_shift[8] = rnd + rnd / 0xFFFF;                          // one byte derived from rnd
  time_shift[9] = entropy_reducing_math(rnd + rnd / 0xFFFF);   // derived from the same value
  time_shift[10:15] = robot_MAC;                               // robot's MAC address, 6 bytes

● Entropy relies on time of robot linkage.
  ○ One year = 25 bit
  ○ One hour = 12 bit
● There are multiple offline attack scenarios.
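An added Python sketch (not the authors' code) that does the entropy accounting behind the 25-bit and 12-bit figures above: it records which of the 16 bytes are constant or public, reproduces byte 8 as the pseudocode computes it, and compares the result with a CSPRNG-filled buffer of the same size. The 8-bit allowance for the rand() byte and the layout annotations are my reading of the pseudocode; entropy_reducing_math stays undefined, as on the slide.

```python
import math
import os

# The 16-byte layout from the decompiled pseudocode (byte offsets, inclusive),
# annotated with what an outside party can know about each field.
KEY_MATERIAL_LAYOUT = (
    ("time_now", 0, 3, "secret only within the linkage time window"),
    ("zero padding", 4, 6, "constant"),
    ("0x10", 7, 7, "constant"),
    ("rnd byte", 8, 8, "low byte of one rand() value"),
    ("entropy_reducing_math(rnd)", 9, 9, "derived from the same rand() value"),
    ("robot_MAC", 10, 15, "public: visible to anyone on the Wi-Fi"),
)


def rand_byte(rnd: int) -> int:
    """Byte 8 as the pseudocode computes it. For rand() < 0xFFFF the term
    rnd / 0xFFFF is 0 under C integer division, so only the low 8 bits of
    one rand() call reach the key material."""
    return (rnd + rnd // 0xFFFF) & 0xFF


def bits_for_time_window(seconds: int) -> int:
    """Bits an attacker must search when the linkage time is only known to
    lie in a window of this length (time_now has one-second resolution)."""
    return math.ceil(math.log2(seconds))


def fixed_or_public_bytes() -> int:
    """How many of the 16 bytes carry no secret at all."""
    return sum(hi - lo + 1 for _, lo, hi, note in KEY_MATERIAL_LAYOUT
               if note.startswith(("constant", "public")))


def effective_bits(window_seconds: int, rand_bits: int = 8) -> int:
    """Upper bound on the search space: the time window plus whatever the
    single rand() byte adds (the slide's 25/12-bit figures count time only)."""
    return bits_for_time_window(window_seconds) + rand_bits


def proper_key_bits(n_bytes: int = 16) -> int:
    """What the same 16 bytes give when drawn from the OS CSPRNG instead:
    this is the 'check entropy before hashing' baseline."""
    return len(os.urandom(n_bytes)) * 8
```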

Slides 20-22: RSA Keys for Robot Authenticity (1)
● Encrypted RSA keys in /var/keys.
● vendorPrivateKeyProduction sounds promising!
● Let’s do some string de-obfuscation!
● RSA key is the same for all robots.

Slides 23-27: RSA Keys for Robot Authenticity (2)
● We are able to impersonate arbitrary robots.
  ○ Allows for multiple other attacks.
  ○ For example: Leak victim’s smartphone IP.
[Diagram with Nucleo in the middle, built up over five slides. Labels in build order: "Robot location?", "no longer gets requests" (at the real robot), "Robot location is 1.3.3.7:42", "1.3.3.7:42", "Manual drive…".]

Slides 28-29: We ❤ QNX < 6.6
● Power plants, cars, and other critical applications run on QNX < 6.6. Today.
● The current version is 7.x, but many vendors might not have updated it so far.
● Default settings are no ASLR, no DEP :).
● The robots run on QNX 6.5 … Side quest: How secure is it?
Fabian and Johannes created a PoC for privilege escalation and got assigned CVE-2019-8998. http://support.blackberry.com/kb/articleDetail?articleNumber=000057178

Slides 30-31: Unauthenticated RCE
● Buffer overflow in Nucleo cloud connection daemon.
● Can be triggered with requests to https://nucleo.neatocloud.com:4443/vendors/neato/robots/[robot_serial]/messages.
● The overflow is within parsing the authentication header, which means that we found an unauthenticated RCE!
● All services run as root.
● Fix: Authentication headers are validated on Nucleo.
Fabian found the crash and performed analysis, Jiska decrypted the coredump (CVE-2018-17177), Johannes did further analysis and implemented a PoC (CVE-2018-19442).
[Diagram: Nucleo, the robot processes /bin/astro and /bin/robot, and a "Buffer Overflow" marker.]
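The fix bullet says Nucleo now validates the authentication header. As an added example (not Neato's code), here is the shape of such a check in Python for the two header formats shown earlier: length and character-set limits are enforced before any field is extracted, so a malformed header is rejected instead of being parsed into whatever buffer sits downstream. The maximum length, the serial alphabet and the base64 encoding of the NEATOBOT signature are assumptions.

```python
import re

# Constructed bounds (assumptions, not from the Neato API docs): generous
# enough for every valid header, small enough that no downstream parser
# can ever be handed an oversized field.
MAX_HEADER_LEN = 512
# NEATOAPP [signature]: HMAC-SHA256 as 64 lowercase hex characters.
NEATOAPP_RE = re.compile(r"^NEATOAPP ([0-9a-f]{64})$")
# NEATOBOT [serial]:[signature]: assumed serial alphabet and a base64
# RSA-SHA256 signature (344 characters for a 2048-bit key).
NEATOBOT_RE = re.compile(
    r"^NEATOBOT ([A-Za-z0-9-]{1,32}):([A-Za-z0-9+/]{1,344}={0,2})$")


def parse_authorization(header: str) -> dict:
    """Validate the Authorization value before anything else touches it.
    Returns the parsed fields; raises ValueError for anything malformed.
    Order matters: the cheap length check runs first, then the character
    set, and only then the per-scheme structure."""
    if len(header) > MAX_HEADER_LEN:
        raise ValueError("authorization header too long")
    if not header.isascii() or any(c in header for c in "\r\n\0"):
        raise ValueError("authorization header contains forbidden characters")
    m = NEATOAPP_RE.match(header)
    if m:
        return {"scheme": "NEATOAPP", "signature": m.group(1)}
    m = NEATOBOT_RE.match(header)
    if m:
        return {"scheme": "NEATOBOT", "serial": m.group(1),
                "signature": m.group(2)}
    raise ValueError("unsupported or malformed authorization scheme")


def is_acceptable(header: str) -> bool:
    """Boolean wrapper for request routing: only accepted headers go on to
    signature verification; everything else is dropped unparsed."""
    try:
        parse_authorization(header)
        return True
    except ValueError:
        return False
```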

Slide 32: Security Implications (1)
● IoT product at home? Keep it offline!
● As a customer:
  ○ Update your robot.
  ○ Hide your robot’s serial number!

Slide 33: Security Implications (2)
● Connected ecosystem developers:
  ○ Using RSA, RNG, hashing, secure boot, encrypted logs, signed firmware updates sounds good...
  ○ Review cryptographic key components and root of trust assumptions.
  ○ Dissecting one of your products should not compromise the security of the other products, i.e., do not share keys across devices.
  ○ Test your security relevant code in practice to uncover issues like the static secret key “random” function: check entropy before hashing.

Slide 34: Q&A

Source: DEF CON 27 talk "Vacuum Cleaning Security" by Jiska Classen and Fabian Ullrich.