I want a "Red Teaming"
Michael Schneider
In our Labs Approach to Testing IoT Devices we have described strategies to analyse devices embedded into the Internet of Things (IoT). In this article, we tackle the communications analysis of an IOT device and its surrounding systems such as apps and server infrastructure. We chose to have a look at the Belkin WeMo Switch. The product has been proven to have various vulnerabilities such as privilege Escalation (VulDB 12452), information disclosure (VulDB 12451 and 12453), buffer overflow (VulDB 12454) and weak authentication (VulDB 12455). Belkin has removed these vulnerabilities. During this communications analysis we want to investigate if we can remote control one or several devices using new vulnerabilities in the exchange between app, WeMo Switch and Belkin’s infrastructure.
Belkin’s WeMo Switch is a power plug insert that allows users to turn on and off any device plugged into it. From everywhere. A WeMo Switch is being set up in a pre-existing Wireless LAN (WLAN) and controlled using an App (iOS or Android). If the app and the switch are connected to the same network, then they communicate directly. Direct communication relies on Universal Plug and Play (UPnP) and a simple REST-API. Remote communication is handled using HTTP and the same REST-API that is used with UPnP.
During the initialization phase, WeMo Switch generates its own WLAN as an access point (AP). The SSID of the WLAN is assigned using the scheme WeMo.Switch.XXX
whereas XXX
is the last three digits of the serial number. The AP is – additionally – being used for DHCP servers and uses IP addresses in the range 10.22.22.0/24
. A webserver on port tcp/49152 is used for device administration. The WeMo App uses this service to transfer WLAN access data to the WeMo Switch. This access data is being transferred as an XML Request as follows:
POST /upnp/control/WiFiSetup1 HTTP/1.1 Content-Type: text/xml; charset="utf-8" SOAPACTION: "urn:Belkin:service:WiFiSetup:1#ConnectHomeNetwork" Content-Length: 444 HOST: 10.22.22.1:49152 User-Agent: CyberGarage-HTTP/1.0 <?xml version="1.0" encoding="utf-8"?> <s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" s:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"> <s:Body> <u:ConnectHomeNetwork xmlns:u="urn:Belkin:service:WiFiSetup:1"> <ssid>WeMoTest</ssid> <auth>WPA2PSK</auth> <password>edTQ/hzPJ7MpPeL/qBA5gseNRZWdNdPR5dUu9v8Br40=2d1a</password> <encrypt>TKIP</encrypt> <channel>7</channel> </u:ConnectHomeNetwork> </s:Body> </s:Envelope>
The password is being transferred in an encoded form. The last four digits, in our case 2d1a
, are Hex values and give away the length of the entire password string. 2d
equals 45 characters. The actual length of the password equals the value 1a
, 26 characters. We could not determine which encoding for the password is being used. WeMo Switch uses this access data in order to connect to and communicate with the WLAN and Belkin’s servers.
Subsequently, the remote access is being established. The app sends a request to the WeMo Switch, identifying an app by its unique DeviceId
. Under iOS, the UniqueDeviceIdentifier (UDID) is being used as DeviceId
. Android uses the International Mobile Equipment Identity (IMEI).
POST /upnp/control/remoteaccess1 HTTP/1.1 Content-Type: text/xml; charset="utf-8" SOAPACTION: "urn:Belkin:service:remoteaccess:1#RemoteAccess" Content-Length: 603 HOST: 10.22.22.1:49152 User-Agent: CyberGarage-HTTP/1.0 <?xml version="1.0" encoding="utf-8"?> <s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" s:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"> <s:Body> <u:RemoteAccess xmlns:u="urn:Belkin:service:remoteaccess:1"> <DeviceId>9jiusa7pp00n3uzdbwfv2ulat5yy34x26ou1wgo2</DeviceId> <dst>0</dst> <HomeId></HomeId> <DeviceName>TestDevice23</DeviceName> <MacAddr></MacAddr> <pluginprivateKey></pluginprivateKey> <smartprivateKey></smartprivateKey> <smartUniqueId></smartUniqueId> <numSmartDev></numSmartDev> </u:RemoteAccess> </s:Body> </s:Envelope>
WeMo Switch’s reply contains HomeId
and two keys: pluginprivateKey
and smartprivateKey
. These keys are presumably being used for encryption and signing purposes during further communication. HomeId
is made up of seven digits and maybe tied to the SSID or the MAC-address of the WLAN. In our test network, two devices were used independently from each other and they both used the same HomeId
.
HTTP/1.1 200 OK CONTENT-LENGTH: 632 CONTENT-TYPE: text/xml; charset="utf-8" DATE: Fri, 24 Jul 2015 11:12:08 GMT EXT: SERVER: Linux/2.6.21, UPnP/1.0, Portable SDK for UPnP devices/1.6.18 X-User-Agent: redsonic <s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" s:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"> <s:Body> <u:RemoteAccessResponse xmlns:u="urn:Belkin:service:remoteaccess:1"> <homeId>0000000</homeId> <pluginprivateKey>xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx</pluginprivateKey> <smartprivateKey>yyyyyyyy-yyyy-yyyy-yyyy-yyyyyyyyyyyy</smartprivateKey> <resultCode>PLGN_200</resultCode> <description>Successful</description> <statusCode>S</statusCode> <smartUniqueId>9jiusa7pp00n3uzdbwfv2ulat5yy34x26ou1wgo2</smartUniqueId> <numSmartDev>1</numSmartDev> </u:RemoteAccessResponse> </s:Body> </s:Envelope>
Communication between WeMo App and Belkin’s infrastructure can be divided into registration, enabling and disabling and firmware update.
During all requests related to registrations, the app uses a Basic Access Authentication Header that is formed following this scheme:
Authorization: SDU 9jiusa7pp00n3uzdbwfv2ulat5yy34x26ou1wgo2:gclbqUYLczNi+cJf+MJ5W/cmCeo=:1440403670@
In patent US9021139 B1 the building of the header is described. The SDU String from DeviceID
, Signature
and an expiration time are being combined. The field Signature
could, according to the patent, be generated as follows: Signature=Base64(HMAC-SHA1(PrivateKey, StringToSign))
. The key used in this is most likely one of the two keys used during initial registration.
The first request to the relay api.xbcs.net queries a list of registered devices assigned to a HomeId
. During this, the DeviceID
that is used as an authenticator is tied to the HomeId
. In our tests, we did not succeed in accessing a different HomeId
using a DeviceId
. These requests are being blocked by the server with an error message. During successful requests, the server outputs a list of registered devices assigned to a HomeId
.
HTTP/1.1 200 OK asyncServiceInvoke: false Content-Type: application/xml;charset=ISO-8859-1 Date: Mon, 24 Aug 2015 08:05:51 GMT Server: Apache-Coyote/1.1 X-Powered-By: Servlet/3.0; JBossAS-6 Content-Length: 1242 Connection: keep-alive <?xml version="1.0" encoding="UTF-8" standalone="yes"?> <devices xmlns:modelns="http://datamodel.components.cs.belkin.com/" success="S" fail="F" partial_success="P"> <statusCode>S</statusCode> <resultCode> <code>PLGN_200</code> <description>Successful</description> </resultCode> <message>Device list retrieved successfully</message> <home> <homeId>0000000</homeId> <description>this is first plugin initialization</description> <firmwareId>0</firmwareId> </home> <device> <pluginId>1111111</pluginId> <macAddress>00005E005300</macAddress> <serialNumber>22222222222Z00</serialNumber> <uniqueId>uuid:Socket-1_0-22222222222Z00</uniqueId> <modelCode>Socket</modelCode> <productType>Socket</productType> <status>3</status> <notificationType>0</notificationType> <firmwareVersion>WeMo_WW_2.00.2176.PVT</firmwareVersion> <hwVersion>v1</hwVersion> <fwUpgradeStatus>4</fwUpgradeStatus> <signalStrength>29</signalStrength> <friendlyName>WeMo Switch 5</friendlyName> <dbVersion>0</dbVersion> <customizedState>1</customizedState> <attributeLists action="GetAttributes"> <attribute> <name>hardResetTS</name> <value>1438939404278</value> </attribute> </attributeLists> </device> <groupSSIDs> <ssid>WeMoTest</ssid> </groupSSIDs> <groupArpMacs> <arpMac>00005E005301</arpMac> </groupArpMacs> </devices>
The list contains further, hitherto unknown markers of a device. Among them are PluginId
(also used as RecipientId
in some cases), the macAddress
as well as the firmware version of the WeMo Switch. These markers are being used for further actions such as the enabling and disabling of the WeMo Switch. In addition to that, the SSID of the WLAN as well as the MAC address of the AP are being stored at Belkin’s.
The command to turn the device on or off is being sent to the host api.xbcs.net. In order to send this message, an authentication using the Basic Access Authentication Header is necessary. The WeMo Switch is being addressed using the fields PluginId
and RecipientId
or the macAddress
. The status of the device is being controlled using the values 0
and 1
.
POST /apis/http/plugin/message HTTP/1.1 Host: api.xbcs.net:8443 <redacted by scip AG> <plugins> <plugin> <recipientId>1111111</recipientId> <macAddress>00005E005300</macAddress> <content> <![CDATA[ <pluginSetDeviceStatus> <plugin> <pluginId>1111111</pluginId> <macAddress>00005E005300</macAddress> <status>1</status> <friendlyName></friendlyName> <eventDuration>(null)</eventDuration> <cookedTime>(null)</cookedTime> </plugin> </pluginSetDeviceStatus> ]]> </content> </plugin> </plugins>
The WeMo app can also be used to update the firmware of the WeMo Switch. In the reply to the initial request that – in turn – contains the Basic Access Authentication Header the app receives a link to a site that lists all available firmware versions. The access to the firmware uses unencrypted connections, even though the server would be available per HTTPS.
HTTP/1.1 200 OK asyncServiceInvoke: false Content-Type: application/json;charset=ISO-8859-1 Date: Thu, 10 Sep 2015 12:35:43 GMT Server: Apache-Coyote/1.1 X-Powered-By: Servlet/3.0; JBossAS-6 Content-Length: 133 Connection: keep-alive {"fwUpgradeInfo":{"firmwareId":0,"description":"Default firmware file","fwUpgradeURL":"http:\/\/fw.xbcs.net\/wemo\/NewFirmware.txt"}}
The firmware binary itself is encrypted using GPG and is being extracted on the WeMo Switch itself. The use of GPG to distribute firmware is basically a good idea, only that Belkin made a grave mistake when implementing it. Security researcher Mike Davis of IOActive discovered in 2013 that Belkin had integrated the GPG Signing Key into the WeMo firmware image. An attacker could extract this key and sign his own firmware version with it, which he would be able to transfer to the device. The firmware update dated 24 January 2014 fixed this vulnerability.
Belkin runs its infrastructure on Amazon EC2 Cloud. The infrastructure includes the systems ota.xbcs.net, api.xbcs.net and fw.xbcs.net. We were able to identify Red Hat Linux, Apache 2.2.15 and JBoss 6.
When starting the WeMo Switch, log data is being sent to a system with the IP address 184.73.191.189. The MAC-Address 00005E005300 that belongs to the WeMo Switch is being used as ID during the POST request. There is no further authentication necessary and there are no further checks that investigate the content. This means that arbitrary content using arbitrary MAC-Addresses can be submitted to Belkin’s servers. It was, however, impossible to access already submitted content as well as stored data.
PUT /ToolService/log/uploadWdLogFile/00005E005300 HTTP/1.1 Host: 184.73.191.189:8899 Content-Type: multipart/octet-stream Accept: application/xml Content-Length: 301 Expect: 100-continue [2015-08-07][08:33:35]|RT|Internet is connected [2015-08-07][08:33:39]|PLUGINREMOTEREGISTER|Plugin App Remote ReRegister [2015-08-07][08:33:37]|SIG|Connection signal strength: 55 [2015-08-07][08:33:40]|Plugin App Remote ReRegister failure| [2015-08-07][08:33:40]|Plugin App Remote ReRegister failure| HTTP/1.1 200 OK Server: Apache-Coyote/1.1 Content-Type: application/xml Content-Length: 67 Date: Fri, 07 Aug 2015 06:33:58 GMT /opt/deviceLogs2/20150807/wdLogFile_00005E005300_20150807063358.log
When the WeMo Switch was first published, it wasn’t long before several vulnerabilities had been discovered. In the area of communication between application, WeMo Switch and server infrastructure Belkin has learned from this and remote communication has been secured to the point where devices can not be remote controlled without prior authentication. In addition to that, the devices and local networks are being tied to one another and it’s not possible without further attacks to find other local networks and their devices using a trial and error enumeration method. Therefore, it’s not easy for a remote attacker to carry out a successful attack. It remains to hope that other IoT manufacturers learn a lesson from this and implement security features mitigating these issues from the first version onwards.
Our experts will get in contact with you!
Michael Schneider
Michael Schneider
Michael Schneider
Michael Schneider
Our experts will get in contact with you!