2025-04-05 Update From: SLTechnology News&Howtos
Shulou(Shulou.com)05/31 Report--
I would like to share with you an example analysis of breaking smart homes in the Internet of Things. I believe most people don't know much about it, so I am sharing this article for your reference. I hope you will learn a lot from reading it. Let's get started!
With the development of science and technology, more and more users are starting to use Internet of Things devices, and when they buy these devices they often choose the more advanced and feature-rich products. But from the perspective of the security community, we do not give enough "care" to the devices that are gradually "infiltrating" our lives.
Although many security researchers have analyzed the security of networked devices in recent years, security threats still exist, and they will certainly put users at risk. Today we analyze a smart hub that can be used for a variety of purposes, such as controlling sensors and devices in the home, energy or water management, safety monitoring, or security systems.
The small device can get information from all the devices connected to it, and it will alert users via text messages or e-mails if something unexpected happens in the current environment. Interestingly, it can also connect to the local emergency service and send warnings to users as appropriate. So, if someone can hack into this smart home system and take over the home controller, it will not only be a terrible nightmare for users, but also affect the functionality of emergency services.
During our analysis we found several logic vulnerabilities that attackers can use as attack vectors.
Physical access
First, we need to detect vulnerabilities that attackers can exploit from outside the network. We can easily find the firmware of this hub from the Internet, and it can be downloaded directly. Therefore, anyone can directly analyze the firmware file, or even modify the firmware content.
We also found that the password of the root account is stored in a hidden file and encrypted using the DES algorithm. Some readers may know that the DES encryption algorithm is not secure and is easy to crack. Therefore, an attacker can brute-force the password hash and recover the password of the 'root' account.
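A firmware review can catch this class of weakness before release. The following is an added example, not code from the original research or the vendor: it classifies the password fields of a passwd/shadow-style file taken from an unpacked firmware image and reports entries that use DES crypt or other weak schemes. The file layout and the sample entries are assumptions, and the hash strings are constructed placeholders.

```python
import re

# crypt(3) modular prefixes -> (scheme, verdict). descrypt has no "$" prefix.
MODULAR = {
    "1": ("md5crypt", "weak"),
    "2a": ("bcrypt", "ok"), "2b": ("bcrypt", "ok"), "2y": ("bcrypt", "ok"),
    "5": ("sha256crypt", "ok"),
    "6": ("sha512crypt", "ok"),
    "y": ("yescrypt", "ok"),
}
# Traditional DES crypt: 2 salt chars + 11 hash chars; BSDi extended DES: "_" + 19.
DES_RE = re.compile(r"^(?:[./0-9A-Za-z]{13}|_[./0-9A-Za-z]{19})$")

def classify(field):
    """Return (scheme, verdict) for one passwd/shadow password field."""
    if field == "":
        return ("empty", "critical")        # account has no password
    if field == "x":
        return ("shadowed", "ok")           # hash lives in another file
    if field[0] in "!*":
        return ("locked", "ok")             # password login disabled
    if field.startswith("$"):
        return MODULAR.get(field.split("$")[1], ("unknown", "review"))
    if DES_RE.match(field):
        # descrypt: 12-bit salt, only the first 8 password characters count
        return ("descrypt", "weak")
    return ("unknown", "review")

def audit(text):
    """List (user, scheme, verdict) for every entry that needs attention."""
    findings = []
    for line in text.splitlines():
        cols = line.strip().split(":")
        if len(cols) < 2 or cols[0].startswith("#"):
            continue
        scheme, verdict = classify(cols[1])
        if verdict != "ok":
            findings.append((cols[0], scheme, verdict))
    return findings

# Constructed sample; the hash strings are placeholders, not real hashes.
SAMPLE = """\
root:ab0123456789A:0:0:root:/root:/bin/sh
admin:$1$saltsalt$placeholderplaceholder:1000:1000::/home/admin:/bin/sh
svc:$6$saltsalt$placeholder:1001:1001::/:/bin/false
daemon:*:1:1::/:/bin/false
guest::1002:1002::/:/bin/sh
"""

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```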
Physical access is necessary in order to use root privileges to access the device and modify files, or to execute malicious commands.
We removed the casing of the device, which is not something every attacker can do. However, our further analysis showed that there are other ways to gain remote access to the device.
Remote access
When personalizing the hub and checking all connected devices, the user can use either the mobile App or the Web page. When the user settings are complete, all the setting information is packaged in the config.jar file, and the hub downloads and executes the configuration.
But we can see that the config.jar file is sent over HTTP, and the serial number of the device is used as the device identifier. Therefore, an attacker can send the same request with any serial number and download the configuration file. Some readers may feel that the serial number is unique, but the developer said that the serial number is not well protected and can be obtained by brute force. To obtain a serial number, a remote attacker can send a specially forged request and determine from the server's response whether that serial number is registered in the system.
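On the server side, this kind of serial-number guessing is visible in the access logs: a legitimate hub only ever asks for its own configuration. The following is an added detection example, not part of the original research. The log layout, the `serial` query parameter, the 404 status for unregistered serials and the thresholds are all assumptions, and the log lines are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import urlsplit, parse_qs

def parse(line):
    """Split one access-log line: timestamp, client IP, serial, HTTP status."""
    ts, ip, _method, url, status = line.split()
    serial = parse_qs(urlsplit(url).query).get("serial", [None])[0]
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, serial, int(status)

def enumeration_suspects(lines, window=timedelta(minutes=10), max_serials=3):
    """Flag clients that ask for more than max_serials distinct serials in a window."""
    by_ip = defaultdict(list)
    for line in lines:
        ts, ip, serial, status = parse(line)
        if serial is not None:
            by_ip[ip].append((ts, serial, status))
    suspects = {}
    for ip, events in by_ip.items():
        events.sort()
        start, worst = 0, 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1                       # slide the window forward
            worst = max(worst, len({s for _, s, _ in events[start:end + 1]}))
        if worst > max_serials:
            misses = sum(1 for _, _, st in events if st == 404)
            suspects[ip] = {"distinct_serials": worst, "not_found": misses}
    return suspects

# Constructed log: one hub polling its own serial, one client walking serials.
LOG = [
    "2025-01-01T10:00:00Z 198.51.100.23 GET /config.jar?serial=SN000017 200",
    "2025-01-01T10:30:00Z 198.51.100.23 GET /config.jar?serial=SN000017 200",
] + [
    f"2025-01-01T11:00:{i:02d}Z 203.0.113.7 GET /config.jar?serial=SN{100 + i:06d} "
    f"{200 if i == 4 else 404}"
    for i in range(6)
]

if __name__ == "__main__":
    print(enumeration_suspects(LOG))
```

A fixed window misses a client that spreads its guesses over hours or across many source addresses, so the same count is worth tracking per day as well.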
In addition, our initial research also shows that many users discuss their device problems in online forums or post photos of hubs on social networking sites, which may expose the serial number of the device. Even if attackers can't crack the serial number, they can try to obtain it through social engineering.
When analyzing the config.jar file, we found that it contained the login and password of the device, which is enough information for an attacker to access the user's account through the Web interface. Although the passwords in the file are encrypted, there are many open source tools and open password databases that can help attackers crack the hashes. Most importantly, when a password is set, the device does not require the user to choose a complex one (there is no requirement on length or on mixing letters and digits), which reduces the difficulty of password cracking to a certain extent.
In the course of our experiment, we successfully accessed the target user's smart home system. We not only obtained all the configuration (including the IP address) and sensor information, but could also modify this data. In addition, the jar file also contains the user's private information, because users need to upload their mobile phone number to receive warnings and notifications.
Therefore, attackers only need to generate and send fake requests to the server, and they may remotely access the smart home systems of the target users, which do not use any two-factor authentication. The attacker can then control the "whole home" of the target user, such as turning on the lights, turning on the faucet, or even opening the door. Smart home life is then likely to become a nightmare.
Note: we have reported the details of the vulnerabilities to the relevant vendors, but these vulnerabilities have not been fixed yet.
The sun is always after the wind and rain
In addition to the smart hub, we also analyzed a smart light bulb. Although this product does not have very serious security vulnerabilities, there are still a lot of security issues that surprise us.
The smart light bulb can be connected to WiFi, and users can then control it through the mobile App. To set it up, the user needs to download the mobile App (Android or iOS), turn on the light bulb, connect to the WiFi hotspot created by the light bulb, and provide the light bulb with the SSID and password of the local WiFi network.
With the App, users can turn the light on or off, set timers, or change the brightness and color of the light. The goal of our research was to find out how attackers could use vulnerabilities in smart light bulbs to gain access to the local network. After many attempts, we obtained the firmware of the light bulb through the mobile application, and interestingly, the light bulb does not interact directly with the mobile application. In fact, both the light bulb and the App need to connect to a cloud service and interact through it.
We found that the light bulb will send a firmware update request to the server and download the update file through the HTTP protocol, which is obviously not safe. If the attacker is on the same network, the man-in-the-middle attack becomes easy.
Through firmware reconnaissance and flash data extraction, we not only accessed the firmware files but also obtained user data. Further analysis showed that there is no sensitive data on the device or the internal network. However, we did find the credentials for all WiFi networks to which the target bulb had previously connected; they are stored permanently in the device's flash memory, are not encrypted, and cannot be cleared even by pressing the "reset" button.