Mass Device Takeover via Subdomain Takeover in Discontinued IoT Product - Akita IoT Defender

6,464 views

Matt Brown

1 day ago

Who's going to defend us from the IoT defender??
Come join us on Discord for some device hacking!
/ discord
Need IoT pentesting or reverse engineering services?
Please consider Brown Fine Security:
brownfinesecur...
About Me:
My name is Matt Brown and I'm a Hardware Security Researcher and Bug Bounty Hunter. This channel is a place where I share my knowledge and experience finding vulnerabilities in IoT systems.
Soli Deo Gloria

Comments: 78
@RK-kn1ud, 3 hours ago
Your viewer could just count the number of unique source IPs over that 24hr period and then you'd have a good rough idea of how many devices are still connected.
@kg790, 6 hours ago
"They move on to the next... uh... thing" - we all know the actual word is "scam"
@mplogas, 8 hours ago
The fact that it does just HTTP requests is just wild. You have to tell Blob Storage explicitly to NOT use HTTPS, and Azure will warn you again and again not to use unencrypted public Blob access.
@drooplug, 8 hours ago
All the firmware requests are http, but, thankfully, that icon is https. 🤣
@aaronfrancis3923, 7 hours ago
Yup.
@doom9603, 6 hours ago
wilful security downgrading - but there might have been technical and administrative reasons to do so
@andyparadis342, 6 hours ago
Thanks for teaching this old GUY, who cut his teeth on IBM 360 and spent a career on oracle, a whole different world of IOT.
@donreid358, 4 hours ago
That shell code seemed to have a limit of 5 access attempts for the last packages file so it wouldn't be trying forever. Of course there may be an outer loop .....
@starfox.64, 4 hours ago
I feel like it would have been useful if they tried to push an update that bricked all of them, that way a domain takeover wouldn't result in compromise
@Duckly97, 1 hour ago
Obligatory the 'S' in "IoT" stands for "Security".
@dadw7og116, 2 hours ago
Good job
@Holycurative9610, 7 hours ago
I'm still waiting for someone to hack my TP-Link lights and turn my house into a disco🤣🤣🤣🤣
@bondarenkodf, 7 hours ago
It's not a web server, it's just a blob storage service. You can't register this domain on your own server; the only thing you can do is serve files from it using Microsoft's control panel. Regarding the screenshots he provided: the first one is from the dashboard, while the second one appears to be some kind of security audit or analysis. I've never used this part of the service, so I'm not sure. It's unfortunate that they didn't implement certificate pinning on their custom server with a custom domain. The API was likely responsible for serving update and version information, as well as update lists containing URLs pointing to the blob storage. Ideally, they should have also incorporated package signing later on, allowing updates to be verified locally.
@RickDkkrd, 9 hours ago
Would've been great to see any actual actions to fix this ongoing vulnerability while you have access to that domain. Like pushing an update to disable future updates on those devices.
@aaronfrancis3923, 9 hours ago
I'm based in the United Kingdom, so this would be legally dubious unfortunately, although I agree this would likely be a good action. Our laws around this (Computer Misuse Act) stop me from doing anything that would modify device behaviour without breaking the law.
@doubled8511, 9 hours ago
Better yet, Microsoft shouldn't allow reuse of bucket names like this.
@RickDkkrd, 8 hours ago
@@aaronfrancis3923 So what's the plan then? For how long are you going to pay for this domain/bucket?
@inq752, 8 hours ago
@@aaronfrancis3923 just go into international waters for that
@aaronfrancis3923, 7 hours ago
@@RickDkkrd Realistically this hasn't cost me anything, I'll be contacting the NCSC (the cyber security governmental body in the UK) to essentially ask for permission to do this, or to hand over control to them (As there is a low number of devices in the UK). If I don't get it due to the low number then I'll just keep hold of it for as long as I can.
@olokelo, 7 hours ago
"You were supposed to destroy them, not join them"
@ferrellsl, 9 hours ago
Another case of when a device's capabilities sound too good to be true, at best it's just a sales gimmick and at worst a vulnerability.
@markcentral, 7 hours ago
Thanks for the video! Would be extremely interested for you to check for backdoors in consumer kit like the TP Deco WAP (and wifi app) as well as Ubiquiti equipment.
@JonnyWilson-rg3uv, 7 hours ago
Great video
@MrFrakey93, 5 hours ago
Doing some very quick and dirty napkin maths, let's assume it sends out 5 requests a second according to the Wireshark capture, that'd be: 5 per second, 86400 seconds in 24 hours. 86400 x 5 = 432,000 1,270,222 / 432,000 = 2.94. So let's say 3 devices online during that 24 hours period. Could be WILDLY wrong though.
@kg790, 4 hours ago
At least you gave it an honest attempt. I have to assume counting the unique IP addresses was not possible in this case, but beats me why...
@iblackfeathers, 9 hours ago
This is similar to the Fingbox, which was discontinued. It might be a good idea to check that one out as well while you are at it.
@kg790, 4 hours ago
Is that the same "Fing" that makes the Fing apps for various platforms? I've been in contact with them and they were neither professional nor knowledgeable. I suspect your suggestion is a good one.
@svenhuettmann, 3 hours ago
How about fw extraction from a TP-Link Omada controller or switch, this would be nice 😅
@marvinweis8278, 9 hours ago
If they all would request every 5 seconds, that would mean that there are like 100 of these out there (but every device could be reconnecting differently).
@aaronfrancis3923, 9 hours ago
This matches around the number of Unique IPs I saw in the Blob Storage logs, it was around 100-140 unique IPs depending on the 24 hour window selected
@flipschwipp6572, 8 hours ago
Even 140 devices with 50 to 100Mbit/s is a nice cumulative bandwidth.
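The two ways of sizing the surviving fleet that come up in this thread (and in @RK-kn1ud's and @MrFrakey93's comments above), dividing the 24-hour request total by one device's request rate, and counting unique source IPs in the storage access logs, as an added example in Go. This is not code from the video or from Brown Fine Security. The log line format is an assumed, simplified one (timestamp, client IP, method, path, status) standing in for whatever the real blob storage logs contain, and the sample lines are constructed; only hits on the update path are counted so crawlers and favicon fetches do not inflate the number.

```go
package main

import (
	"bufio"
	"fmt"
	"strings"
)

// Constructed sample access log in an ASSUMED simplified format:
// "<timestamp> <client-ip> <method> <path> <status>". This is not the real
// Azure Storage analytics log layout; adapt the field indices to whatever
// the provider actually emits.
const sampleLog = `2024-05-01T00:00:00Z 203.0.113.5 GET /packages/Packages 200
2024-05-01T00:00:05Z 203.0.113.5 GET /packages/Packages.sig 404
2024-05-01T00:00:01Z 198.51.100.7 GET /packages/Packages 200
2024-05-01T00:00:06Z 198.51.100.7 GET /packages/Packages.sig 404
2024-05-01T00:00:02Z 192.0.2.19 GET /packages/Packages 200
2024-05-01T00:00:07Z 203.0.113.5 GET /packages/Packages 200
2024-05-01T00:00:03Z 192.0.2.19 GET /favicon.ico 200
`

// EstimateByRate is the napkin-maths approach: requests seen in the window
// divided by the requests a single device makes in that window. It is only
// as good as the per-device rate, which depends on the retry loop and on how
// many devices sit behind one NAT.
func EstimateByRate(totalRequests int, perDevicePerSec float64, windowSec int) float64 {
	return float64(totalRequests) / (perDevicePerSec * float64(windowSec))
}

// RequestsPerClient tallies hits per source IP, restricted to pathPrefix so
// unrelated traffic (favicon, scanners) is excluded. Very high counts from a
// single IP usually mean one retry loop gone wild, or many devices behind
// one address.
func RequestsPerClient(logText string, pathPrefix string) map[string]int {
	counts := map[string]int{}
	sc := bufio.NewScanner(strings.NewReader(logText))
	for sc.Scan() {
		f := strings.Fields(sc.Text())
		if len(f) < 5 || !strings.HasPrefix(f[3], pathPrefix) {
			continue
		}
		counts[f[1]]++
	}
	return counts
}

// UniqueClients is the lower bound on live devices: distinct source IPs
// that fetched anything under the update path.
func UniqueClients(logText string, pathPrefix string) int {
	return len(RequestsPerClient(logText, pathPrefix))
}

func main() {
	// Figures quoted in the video and comments: 1,270,222 requests in 24h,
	// and one captured device doing roughly 5 requests/s.
	fmt.Printf("rate-based, 5 req/s per device:   %.1f devices\n",
		EstimateByRate(1270222, 5, 86400))
	// Alternative assumption from the thread: one request every 5 s.
	fmt.Printf("rate-based, 1 req/5s per device:  %.1f devices\n",
		EstimateByRate(1270222, 1.0/5.0, 86400))
	fmt.Printf("unique clients on /packages/:     %d\n",
		UniqueClients(sampleLog, "/packages/"))
	for ip, n := range RequestsPerClient(sampleLog, "/packages/") {
		fmt.Printf("  %-14s %d requests\n", ip, n)
	}
}
```

The two rate-based figures differ by a factor of 25 from a single change of assumption, which is why the unique-IP count from the provider's own logs is the number to trust; run it over several 24-hour windows, as the reply above describes, and take the spread as your uncertainty.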
@curtchauvin5303, 6 hours ago
Interesting, I've heard of people deconstructing old malware and finding the command and control domains. They would buy these old domains that were abandoned. In that case would the old scripts/software still be present on the abandoned domains, or does the provider (GoDaddy etc.) wipe the existing files that were associated with that website (i.e. index.html, backdoor.php etc.)?
@flipschwipp6572, 8 hours ago
Are there cloud services which offer one time use unique subdomains? Like a long unique string which is guaranteed to be never reassigned even after you cancel the service?
@rickgreer7203, 1 hour ago
Even if not, it's pretty sad they wouldn't pass through a domain they paid $130 for to register for 10 years that protected user for a while. (And ideally pushing a firmware update to protect folks too...but even for the super lazy failing company...for $100 they could have avoided this.)
@zandermcnabb7779, 5 hours ago
Since it runs OpenWrt, realistically, couldn't you grab a bunch of WRT packages and push a fresh WRT update to them? (Assuming there's a sig check and they already should have WRT signing.)
@doubled8511, 9 hours ago
That would have been a nice little botnet.
@AmxDude1969, 2 hours ago
It would be nice if someone could make a patch for these devices and host it on that url so bad actors can't abuse it
@rickgreer7203, 1 hour ago
It's pretty sad they wouldn't pass through a top level domain, and pay $130 for to register for 10 years that protects user for as long as possible when shutting down... Cheap for such a basic bit of caring. (Not surprising though. When I see domains expire for small sites that I use, I often register and blackhole them to avoid it becoming something bad and tainting a reputation of some hapless individual --- and of course, would transfer it back for free. Or host a static archive with permission.)
@markcentral, 9 hours ago
Thanks for the great video. I'm curious: would an IoT device validating web certificates to check it still controls a domain be helpful in preventing these issues? Or would bad actors registering a domain after the company goes bankrupt just spoof their name anyway?
@rotamrofsnart, 9 hours ago
This would work if the company makes their own CA and makes the device trust its certificates. It would not work with LetsEncrypt for example, because the bad actors would just create new certificates and the LE CA is already trusted (probably).
@flipschwipp6572, 8 hours ago
Certificate pinning! But it also means they could brick the devices if they lost the private key themselves or if the certificate was not renewed in time.
@bondarenkodf, 7 hours ago
Yes, this is called certificate pinning.
@bondarenkodf, 7 hours ago
@@rotamrofsnart certificate pinning.
@aaronfrancis3923, 7 hours ago
As others stated this would be certificate pinning and IS the industry standard, but this device doesn't use it.
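What the pinning answers in this thread amount to in practice, as an added Go example (not code from the video or from the device's firmware): the device keeps the SHA-256 of the vendor's SubjectPublicKeyInfo in firmware and rejects any TLS connection whose certificate chain does not contain that key, so a publicly trusted certificate obtained for a re-registered domain is not enough. Pinning the key rather than the whole certificate lets the vendor renew the certificate without a firmware update, which addresses the "not renewed in time" bricking concern above; rotating the key itself still needs new pins shipped first. The hostname `update.example.com` and the self-signed certificates are assumptions so the example runs offline.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// SPKIPin is what the vendor bakes into firmware at build time: the SHA-256
// of the certificate's SubjectPublicKeyInfo. Ship at least one backup pin for
// a key held offline, so a lost signing key does not brick the fleet.
func SPKIPin(cert *x509.Certificate) [32]byte {
	return sha256.Sum256(cert.RawSubjectPublicKeyInfo)
}

// PinVerifier returns a callback for tls.Config.VerifyPeerCertificate that
// accepts the handshake only if some certificate in the presented chain
// carries a pinned public key. It runs after Go's normal chain validation
// (as long as InsecureSkipVerify stays false), so it adds a requirement
// rather than replacing one.
func PinVerifier(pins [][32]byte) func(rawCerts [][]byte, verified [][]*x509.Certificate) error {
	return func(rawCerts [][]byte, _ [][]*x509.Certificate) error {
		for _, raw := range rawCerts {
			cert, err := x509.ParseCertificate(raw)
			if err != nil {
				return err
			}
			h := SPKIPin(cert)
			for _, pin := range pins {
				if h == pin {
					return nil
				}
			}
		}
		return errors.New("no pinned public key in presented chain")
	}
}

// ClientConfig is the tls.Config an update client would use.
func ClientConfig(pins [][32]byte) *tls.Config {
	return &tls.Config{
		MinVersion:            tls.VersionTLS12,
		VerifyPeerCertificate: PinVerifier(pins),
	}
}

// selfSigned builds a throwaway certificate for the example. It stands in for
// whatever certificate a server presents; an attacker who re-registers the
// domain can get a publicly trusted one just as easily.
func selfSigned(host string) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: host},
		DNSNames:     []string{host},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

func main() {
	vendor, err := selfSigned("update.example.com") // assumed hostname
	if err != nil {
		panic(err)
	}
	attacker, err := selfSigned("update.example.com") // same name, different key
	if err != nil {
		panic(err)
	}
	verify := ClientConfig([][32]byte{SPKIPin(vendor)}).VerifyPeerCertificate
	fmt.Println("vendor cert:  ", verify([][]byte{vendor.Raw}, nil))
	fmt.Println("attacker cert:", verify([][]byte{attacker.Raw}, nil))
}
```

The check only ever helps if the device actually speaks TLS; the plain-HTTP fetches shown in the video leave nothing to pin.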
@CharlesVanNoland, 9 hours ago
Does the device not use the .SIG signature file to validate that the packages that its downloading are created by the original company? If it is then it's not currently possible to put new firmware on everyone's (useless) devices. You can hack your own device and change the public key that it's validating the signatures with but unless you have the original private key used to sign the firmware packages that corresponds to the public key that's already on all of the devices they should still be secure for now - barring any remote 0day exploits that bypass everything, like a malformed response to the device when it performs an HTTP request (hint hint).
@aaronfrancis3923, 9 hours ago
The .sig is pulled from the blob storage, so you *could* push your own.
@CharlesVanNoland, 7 hours ago
@@aaronfrancis3923 Is it just a hash of the file, or is it signed with a private key that only the creator of the product had? I don't imagine it's something as mundane as just an MD5 hash of the package like you'd find elsewhere, which would imply that the developers were predicating their device's entire security on ownership of their internet domain name. The fact that it's a .SIG file implies that it's a cryptographic signature for the package file that can't be replicated/duplicated for a different (malicious) package file. You know all about how digital signatures work, right?
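The distinction this thread turns on, a `.sig` that is a real signature checked against a key baked into the firmware versus a `.sig` that is merely a digest, as an added Go example. This is not the device's actual update code; the video does not establish what its `.sig` files contain. Ed25519 is an assumed algorithm, and the package bodies and key pairs are constructed for the demonstration. The point is that both the package and its `.sig` come from the same storage account, so anyone who controls the account controls both; only something the device already holds (the vendor's public key) can break that symmetry.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// VerifySignedPackage is the sound design: the .sig is an Ed25519 signature
// over the package, checked with a public key embedded in the firmware. An
// attacker who controls the storage can upload a new package and a new .sig,
// but cannot produce a signature that verifies under the vendor's key.
func VerifySignedPackage(vendorPub ed25519.PublicKey, pkg, sig []byte) error {
	if len(sig) != ed25519.SignatureSize {
		return errors.New("sig file has wrong length for an Ed25519 signature")
	}
	if !ed25519.Verify(vendorPub, pkg, sig) {
		return errors.New("package signature does not verify under vendor key")
	}
	return nil
}

// VerifyHashOnly is the weak design the comment worries about: the ".sig" is
// just a digest of the package. It catches a corrupted download but not a
// substituted one, because whoever uploads the package uploads the digest.
func VerifyHashOnly(pkg, sig []byte) error {
	sum := sha256.Sum256(pkg)
	if !bytes.Equal(sum[:], sig) {
		return errors.New("digest mismatch")
	}
	return nil
}

// Publisher models whoever controls the storage: the original vendor holding
// the real signing key, or the person who re-registered the account name.
type Publisher struct {
	priv ed25519.PrivateKey
	Pub  ed25519.PublicKey
}

func NewPublisher() (Publisher, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	return Publisher{priv: priv, Pub: pub}, err
}

// Publish returns both kinds of ".sig" a bucket might hold for a package.
func (p Publisher) Publish(pkg []byte) (signature []byte, digest []byte) {
	sum := sha256.Sum256(pkg)
	return ed25519.Sign(p.priv, pkg), sum[:]
}

func main() {
	vendor, _ := NewPublisher()   // key generated at build time; public half goes in firmware
	attacker, _ := NewPublisher() // whoever now owns the storage account name
	firmwarePub := vendor.Pub

	genuine := []byte("Package: example-pkg\nVersion: 1.2.3\n")   // constructed
	malicious := []byte("Package: example-pkg\nVersion: 9.9.9\n") // constructed

	gSig, gHash := vendor.Publish(genuine)
	mSig, mHash := attacker.Publish(malicious)

	fmt.Println("signed,    genuine: ", VerifySignedPackage(firmwarePub, genuine, gSig))
	fmt.Println("signed,    attacker:", VerifySignedPackage(firmwarePub, malicious, mSig))
	fmt.Println("hash-only, genuine: ", VerifyHashOnly(genuine, gHash))
	fmt.Println("hash-only, attacker:", VerifyHashOnly(malicious, mHash)) // accepted
}
```

Whether the real device is in the first or the second situation is exactly the question left open in this thread; it can be settled by pulling the firmware and looking for a public key near the update code.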
@HenryWu-rc5gw, 6 hours ago
I think the best way to deal with these deprecated devices is to shut them down automatically. Maybe we can create a payload to do that.
@kg790, 4 hours ago
Shutting down others' devices is frowned upon even if you were the actual manufacturer. I think that a message in a GUI is the line that should not be crossed lightly.
@HenryWu-rc5gw, 3 hours ago
@@kg790 I agree that it's rude to shut it down, but it's the most effective way to protect its owner. A message on the GUI and an interruptible shutdown after several minutes is better. I prefer shutting down for the following reasons: 1. Prevent it from being hacked and joined into a botnet. 2. Prevent unnecessary electricity, bandwidth and computation resource consumption. 3. Try to notify the user that it's deprecated. I think most owners who still run them have not checked its management interface for a long time. They may notice that the power light is turned off.
@jdl3408, 4 hours ago
Does the device check for a signature on the firmware or perform any other integrity/authenticity checks?
@74Gee, 9 hours ago
Did you actually take over a device though? Maybe try with a WRT image
@jchastain789, 5 hours ago
Any comments on Cerebras chips?
@chrisbishop6928, 5 hours ago
Couldn't you take an average request count per minute to the sub-domain from your single device and then average it out against the 1.27MM request count for an overall devices in the field count?
@kg790, 4 hours ago
Yes, but that'd take a minute.
@wltechblog, 7 hours ago
All those plain text http requests ahhhhhhhhh!
@robertbaindourov134, 7 hours ago
Amazing content
@MADDOG-sq9oj, 10 hours ago
Oh boy
@fabulousfab282, 1 hour ago
And why not make your local DNS server lie, so that the device goes and downloads the update file from your own web server hosted at home or elsewhere, in order to take full control of it after sending it a trojaned update? What do you think?
@OLDMANDOM42.Dominic, 9 hours ago
YUCK! I am guessing these requests would cripple or slow down a low-end internet service like DSL. Maybe there is a way to tell the device to stop said requests, just for the unaware user's sake. But I do see this would cause pause due to a moral stance, possibly a legal stance as well. HMMM, I am just thinking of helping, as I just want to help the unaware.
@flipschwipp6572, 8 hours ago
You underestimate the capability of even the smallest DSL lines. Where I am the lowest available is 16Mbit/s or 50Mbit/s; those requests may be 2kbit every 5 seconds, or 1/10,000th of the capacity of the slowest DSL line.
@doom9603, 6 hours ago
@@flipschwipp6572 which does not matter if your router gets overwhelmed by so many requests from different locations in a short time span. You could also pull application-level attacks.
@doubled8511, 9 hours ago
Microsoft shouldn't allow reuse of bucket names like this.
@mattbrwn, 8 hours ago
Yeah that's what I was thinking
@mplogas, 8 hours ago
You really don't want the bucket names to become longer and longer over the years because you're blocking 'old' names
@flipschwipp6572, 8 hours ago
@@mplogas then offer an option for a very long UUID subdomain. With this option comes the ban of this exact name forever.
@drooplug, 8 hours ago
I believe I heard a story of someone creating a new storage with the same name as a previous business server. It resulted in some insane level of charges from the cloud provider. I wish I remembered more details, but as the person creating the storage, you probably want long and unique names.
@ronaldosd, 7 hours ago
@@drooplug It was AWS, ThePrimeagen read the article about this story some time ago.
@gydo1942, 9 hours ago
isn't it ironic?
@flipschwipp6572, 8 hours ago
It was obvious since the product was announced and sold. Every modern security software is pure snake oil with a huge attack surface.
@sumedh-girish, 9 hours ago
Hello!
@H3aling808, 10 hours ago
3rd and I'm so early. Also, get this guy to Rick roll everyone that has that device, just saying... Missed opportunity.
@samuraidriver4x4, 7 hours ago
Not a big fan of more rules and regulations but companies should be required to send a "final" update out bricking a device when they become EoL. Something along the lines of removing all forms of communications to the outside making it an offline only device.
@doom9603, 6 hours ago
So if my device is working fine and properly, at the EoL the company bricks it? Companies like Apple would brick the iPhones every year, just to release a new one.
@dbRenaud, 10 hours ago
1st