License

Copyright © 2015 Michael Schloh von Bennewitz
Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License, Version 1.3 or any later version published by the Free Software Foundation; with no Invariant Sections, no Front-Cover Texts, and no Back-Cover Texts. A copy of the license is included in the document entitled “fdl-1.3.txt”

Attacking Internet of Things Telemetry

Presented by: Michael Schloh von Bennewitz
Download at: lect.europalab.com/ccciotelm

In this hour…

  • IoT definitions
  • Industrial trends
  • Sensor & actuators
  • Telemetry & telecommand
  • Protocols & transports
  • Coding & attack demos

Experimentation

Estimote beacon

Experimentation

MSvB IoT mobile laboratory

Warning: Passive monitoring demos

Scanning the network…
   Albert Einstein's IBM
   Ada Lovelace's PDP-11

Attack scenarios

Method           Device          Passive   Active
802.3 capture    Ethernet tap
802.11 MITM      Pineapple MKV
BT/BLE capture   Ubertooth One
Z-Wave/Zigbee    MuCCC Rad1o

MQTT cat client sample 0



$ mosquitto_pub -h mqtt.devlol.org -t "devlol/winkekatze" -m "WINK"
$

Publishing to cat using mosquitto_pub(1)

Web history


  • Web 1.0
  • Web 2.0
  • Social web
  • Mobile web
  • Ubiquitous web

The case for IoT


  • IDC: $8.9 trillion market in 2020
  • Gartner: 26 billion IoTs by 2020
  • ABI Research: 30 billion IoTs by 2020
  • Tech providers growing deal size

Sensor platforms

Smart utility metre

Sensor platforms

Smart Nest thermostat

Sensor platforms

Estimote beacon

Beacon construction

Estimote beacon

Sensor platforms

Autonomous personal drone

Sensor platforms

Streetlight communication device

M2M sensor routing

Machine M2M sensing

Biological sensor routing

Human biology sensing

Wearables

Smart wristwatch

Wearables

Wearable headset

Q: What does a ‘BAN’ connect?

A: BAN == Body Area Network

Not a sensor platform

That's just wrong

Critical infrastructure


  • Pressure, temperature
  • Military geolocation
  • Aircraft altitudes
  • Water chemistry

Ethics & legality


  • Insulin pump 0-day
  • EKG heart monitor 0-day
  • Electropill dose 0-day
  • EFF policy distance

Device relations


  • Sensors produce telemetry
  • Actuators consume telecommands
  • Computers route, store, forward
  • IoT is a buzzword (don't use it)

Defining telemetry


NASA: “the highly automated communications process by which measurements are made and other data collected at remote or inaccessible points and transmitted to receiving equipment for monitoring.”

Defining telecommand


Wikipedia: “A telecommand is a command sent to control a remote system or systems not directly connected (e.g. via wires) to the place from which the telecommand is sent.”

Protocols


  • MQTT (OASIS spec)
  • CoAP (RFC 7252)
  • AMQP (ISO/IEC 19464)
  • LWM2M (OMA LWM2M)
  • ZeroMQ (no spec)

Transports


  • Bluetooth 2/3
  • Bluetooth LE
  • Zigbee
  • Z-Wave
  • Internet

Q: Which IM app uses MQTT?

A: Facebook Messenger!

MQTT

MQTT JavaScript code sample 1



// Simple subscribe client (use test.mosquitto.org?)

var mqtt = require('mqtt');
var locli = mqtt.connect('mqtt://host/');   // replace host with the broker
locli.on('connect', function () {
  locli.subscribe('messages');              // subscribe once the session is up
});
locli.on('message', function (topic, message) {
  console.log(topic + ': ' + message.toString());   // payload arrives as a Buffer
});

Subscribing topics via MQTT from the broker

MQTT JavaScript code sample 2



// Simple publish client (use test.mosquitto.org?)

var mqtt = require('mqtt');
var locli = mqtt.connect('mqtt://host/');   // replace host with the broker
locli.on('connect', function () {
  // Publish only once connected, and close after the message has gone out
  locli.publish('messages', 'Mqtt is pretty cool', function () {
    locli.end();
  });
});

// Other MQTT features like last will
// testament, data retention, or QoS

Publishing messages via MQTT to the broker

IEEE802.11 sniffing

Wifi Pineapple Mark V

Capture by MITM insertion

IEEE802.3 tapping

Capture from IEEE802.3 ethernet cable

Easy capturing from Ethernet cable

Network topologies

P2P topology

Point to point network topology

Tree topology

Tree network topology

Mesh topology

Mesh network topology

Star topology

Star network topology

Bluetooth piconets

Bluetooth piconetworking

Master operates on only one Bluetooth mode

Dissecting Bluetooth

Bluetooth address encoding

BD_ADDR  00:06:66:42:21:52

Dissecting Bluetooth

Bluetooth channel hopping

Bluetooth sniffing


  • Piconet
    • Slave device
    • Master device
  • BT device address
    • LAP
    • UAP
    • NAP

Bluetooth sniffing


  • Timing
    • CLK27
    • CLKN
  • Frequency hopping
    • AFH map
  • We need LAP, UAP and CLKN!

Bluetooth packet injection


  • Channel map size
  • Changed mapping
  • (Non)AFH piconets
  • Transmit time slot <10 ms
  • Sloppy retry until lucky?

Bluetooth packet injection


  • CRC checksum
  • Automatic retransmission request (ARQ)
  • Packet whitening
  • Role switches and…
  • Sniff, hold, park mode

Bluetooth attack vectors


  • Packet injection
    • Service denial
    • Data manipulation
  • Evil twin MITM
    • Connection hijacking
    • Reconnect in specification

Bluetooth attack vectors


  • Passive analysis
    • Identity theft
    • Data theft
  • Staged trigger
    • Timed attack
    • NFC combination

Bluetooth LE applications


  • Heart rate monitors
  • Blood pressure monitors
  • Beacon geography targets
  • Industrial monitoring sensors
  • Public transportation apps

Bluetooth demonstrations

Live demonstrations and experiments

Bluetooth sniffing

Ubertooth One Bluetooth analyser

Penetration testing

Node+ sensor test

Bluetooth recon


// BlueZ samples
$ hcitool scan
Scanning ...
        98:D6:XX:XX:XX:XX       Nexus 4
        00:0D:XX:XX:XX:XX       Bluetooth Speaker

$ hcitool inq
Inquiring ...
        98:D6:XX:XX:XX:XX       clock offset: 0x0000    class: 0x5a020c
        00:0D:XX:XX:XX:XX       clock offset: 0x5a75    class: 0x240404

$ ./btclassify.py 0x5a020c 0x240404
0x5a020c: Phone (Smartphone): Telephony, Object Transfer, Capturing, Networking
0x240404: Audio/Video (Wearable Headset Device): Audio, Rendering

$ sdptool browse 98:D6:XX:XX:XX:XX | grep Service\ Name
Service Name: Headset Gateway
Service Name: Handsfree Gateway

$ sdptool records 00:0D:XX:XX:XX:XX
Service RecHandle: 0x10001
Service Class ID List:
  "Audio Sink" (0x110b)

$ hcidump -w /tmp/inquiry.cap
$ wireshark && echo filter bthci.evt_code == 0x2f

Conducting Bluetooth reconnaissance with BlueZ
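The class values that hcitool inq prints above encode what a device says it is. The decoder below is an added example written for this page, not the talk's own btclassify.py; it applies the Class of Device bit layout from the Bluetooth assigned numbers and only lists minor classes for the two major classes seen on the slide.

```python
# Added example, not the talk's btclassify.py: decode a Bluetooth Class of
# Device (CoD) value such as the ones hcitool inq reports. Field layout:
#   bits 13..23 service classes, bits 8..12 major class, bits 2..7 minor class.

SERVICE_CLASSES = {
    13: "Limited Discoverable", 16: "Positioning", 17: "Networking",
    18: "Rendering", 19: "Capturing", 20: "Object Transfer",
    21: "Audio", 22: "Telephony", 23: "Information",
}
MAJOR_CLASSES = {
    0x00: "Miscellaneous", 0x01: "Computer", 0x02: "Phone",
    0x03: "LAN/Network Access Point", 0x04: "Audio/Video",
    0x05: "Peripheral", 0x06: "Imaging", 0x07: "Wearable",
    0x08: "Toy", 0x09: "Health", 0x1F: "Uncategorized",
}
# Minor classes only for the two major classes that appear on the slide.
MINOR_CLASSES = {
    0x02: {1: "Cellular", 2: "Cordless", 3: "Smartphone",
           4: "Wired modem or voice gateway", 5: "Common ISDN access"},
    0x04: {1: "Wearable Headset Device", 2: "Hands-free Device",
           4: "Microphone", 5: "Loudspeaker", 6: "Headphones",
           7: "Portable Audio", 8: "Car audio", 9: "Set-top box",
           10: "HiFi Audio Device", 11: "VCR", 12: "Video Camera"},
}


def decode_cod(cod: int) -> dict:
    """Split a 24-bit CoD into major class, minor class and service list."""
    if not 0 <= cod <= 0xFFFFFF:
        raise ValueError("CoD is a 24-bit value: %r" % cod)
    major = (cod >> 8) & 0x1F
    minor = (cod >> 2) & 0x3F
    # Highest service bit first, which is the order the slide output uses.
    services = [name for bit, name in sorted(SERVICE_CLASSES.items(), reverse=True)
                if cod & (1 << bit)]
    return {
        "major": MAJOR_CLASSES.get(major, "Reserved (0x%02x)" % major),
        "minor": MINOR_CLASSES.get(major, {}).get(minor, "minor 0x%02x" % minor),
        "services": services,
    }


def describe_cod(cod: int) -> str:
    """One-line summary in the format of the slide's btclassify.py output."""
    d = decode_cod(cod)
    return "0x%06x: %s (%s): %s" % (cod, d["major"], d["minor"], ", ".join(d["services"]))
```

Running describe_cod(0x5A020C) and describe_cod(0x240404) reproduces the two lines shown on the slide.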

Bluetooth recon


// Ubertooth samples
$ ubertooth-specan-ui
$ ubertooth-scan -s -t 40 -x

// Pair master and slave
$ ubertooth-rx
$ ubertooth-dump
$ sudo ubertooth-follow -l cafe00 -u 0x12 -a
Address given, assuming address is remote
Address: 00:00:12:CA:FE:00
	AFH Map=0x3cffe01f0000007f01df
systime=1431730852 ch= 0 LAP=cafe00 err=0 clk100ns=1240630361 clk1=12257125 s=-71 n=-86 snr=15
Packet decoded with clock 0x40 (rv=1)
  Type: POLL
  Type: POLL
systime=1431730852 ch= 0 LAP=cafe00 err=2 clk100ns=1242681473 clk1=12257453 s=-17 n=-86 snr=69
Packet decoded with clock 0x40 (rv=1)
  Type: POLL
  Type: POLL
systime=1431730852 ch= 0 LAP=cafe00 err=0 clk100ns=1243456829 clk1=12257577 s=-16 n=-86 snr=70
Packet decoded with clock 0x40 (rv=1)
  Type: DM1
  LT_ADDR: 2
  LLID: 0
  flow: 0
  payload length: 29
  Data:  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  Type: DM1
  LT_ADDR: 2
  LLID: 0
  flow: 0
  payload length: 29
  Data:  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

Conducting Bluetooth reconnaissance with Ubertooth
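The BD_ADDR slide earlier splits into NAP:UAP:LAP, and the ubertooth-follow run above rebuilds an address from just the LAP (cafe00) and UAP (0x12) it was given, printing the unknown NAP as 00:00. The helpers below are an added example for this page, not Ubertooth or BlueZ code; the reserved inquiry-access-code LAP range is from the Bluetooth core specification.

```python
# Added example, not from the talk: split a BD_ADDR into the NAP, UAP and LAP
# fields that Bluetooth sniffing depends on, and rebuild an address from LAP
# and UAP alone the way ubertooth-follow prints it (unknown NAP shown as 00:00).

GIAC_LAP = 0x9E8B33                          # General Inquiry Access Code LAP
RESERVED_LAPS = range(0x9E8B00, 0x9E8B40)    # reserved for inquiry access codes


def split_bd_addr(bd_addr: str) -> dict:
    """Return NAP (16 bit), UAP (8 bit) and LAP (24 bit) of 'XX:XX:XX:XX:XX:XX'."""
    parts = bd_addr.split(":")
    if len(parts) != 6 or not all(len(p) == 2 for p in parts):
        raise ValueError("expected six colon-separated octets: %r" % bd_addr)
    octets = [int(p, 16) for p in parts]
    return {
        "nap": (octets[0] << 8) | octets[1],
        "uap": octets[2],
        "lap": (octets[3] << 16) | (octets[4] << 8) | octets[5],
    }


def bd_addr_from_lap_uap(lap: int, uap: int, nap: int = 0) -> str:
    """Format an address from LAP and UAP. A passive sniffer never sees the
    NAP, so it defaults to 0 (printed as 00:00) unless supplied."""
    if not (0 <= lap <= 0xFFFFFF and 0 <= uap <= 0xFF and 0 <= nap <= 0xFFFF):
        raise ValueError("LAP, UAP or NAP out of range")
    octets = [nap >> 8, nap & 0xFF, uap, lap >> 16, (lap >> 8) & 0xFF, lap & 0xFF]
    return ":".join("%02X" % o for o in octets)


def is_reserved_lap(lap: int) -> bool:
    """True for LAPs reserved for inquiry access codes (GIAC and DIACs); these
    never identify a device and are noise in a LAP sniffing log."""
    return lap in RESERVED_LAPS
```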

BLE recon


$ ubertooth-btle -f
systime=1431576352 freq=2402 addr=8e89bed6 delta_t=316892.462 ms
00 15 07 13 8c c0 1a 1c 02 01 1a 0b ff 4c 00 09 06 03 86 0a 00 00 07 8d d3 0a
Advertising / AA 8e89bed6 / 21 bytes
    Channel Index: 37
    Type:  ADV_IND
    AdvA:  1c:1a:c0:8c:13:07 (public)
    AdvData: 02 01 1a 0b ff 4c 00 09 06 03 86 0a 00 00 07
        Type 01 (Flags)
           00011010
        Type ff
            4c 00 09 06 03 86 0a 00 00 07

    Data:  07 13 8c c0 1a 1c 02 01 1a 0b ff 4c 00 09 06 03 86 0a 00 00 07
    CRC:   8d d3 0a

systime=1431576415 freq=2402 addr=8e89bed6 delta_t=1280.003 ms
00 0d 53 6f e6 0e fd 08 02 01 18 03 19 c0 00 db b7 44
Advertising / AA 8e89bed6 / 13 bytes
    Channel Index: 37
    Type:  ADV_IND
    AdvA:  08:fd:0e:e6:6f:53 (public)
    AdvData: 02 01 18 03 19 c0 00
        Type 01 (Flags)
           00011000
        Type 19
            c0 00

    Data:  53 6f e6 0e fd 08 02 01 18 03 19 c0 00
    CRC:   db b7 44

...or via Wireshark(1)
$ ubertooth-btle -f -c /tmp/pipe
$ echo 'Filter connection requests and nonzero data packets...'
$ echo 'btle.type == 0x05 || (btle.data && btle.length > 0)'

Conducting BLE reconnaissance with Ubertooth
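The decoded view that ubertooth-btle prints above (PDU type, AdvA, AD structures, CRC) can be reproduced from the raw line it prints first. The parser below is an added example for this page, not Ubertooth code; it follows the BLE link-layer advertising PDU layout (2-byte header, 6-byte AdvA sent least significant byte first, then length/type/data AD structures) and carries the CRC through without verifying it.

```python
# Added example, not from the talk: parse the raw advertising PDU bytes that
# ubertooth-btle -f prints (header, length, AdvA, AdvData, CRC) into the
# fields shown in its decoded view. The CRC is passed through, not checked.

PDU_TYPES = {0: "ADV_IND", 1: "ADV_DIRECT_IND", 2: "ADV_NONCONN_IND",
             3: "SCAN_REQ", 4: "SCAN_RSP", 5: "CONNECT_REQ", 6: "ADV_SCAN_IND"}
FLAG_BITS = {0: "LE Limited Discoverable", 1: "LE General Discoverable",
             2: "BR/EDR Not Supported", 3: "Simultaneous LE+BR/EDR (Controller)",
             4: "Simultaneous LE+BR/EDR (Host)"}
ADV_DATA_TYPES = (0, 2, 4, 6)   # PDU types whose payload is AdvA + AdvData


def parse_ad_structures(adv_data: bytes) -> list:
    """Split AdvData into (AD type, payload) pairs; each unit is len, type, data."""
    out, i = [], 0
    while i < len(adv_data):
        length = adv_data[i]
        if length == 0:             # zero length ends the significant part
            break
        if i + 1 + length > len(adv_data):
            raise ValueError("AD structure at offset %d overruns AdvData" % i)
        out.append((adv_data[i + 1], bytes(adv_data[i + 2:i + 1 + length])))
        i += 1 + length
    return out


def decode_flags(value: int) -> list:
    """Names of the set bits in an AD type 0x01 (Flags) octet."""
    return [name for bit, name in FLAG_BITS.items() if value & (1 << bit)]


def parse_adv_pdu(hexdump: str) -> dict:
    """Parse one advertising-channel PDU as dumped by ubertooth-btle."""
    raw = bytes.fromhex(hexdump)
    if len(raw) < 2:
        raise ValueError("PDU shorter than its 2-byte header")
    header, length = raw[0], raw[1]
    if length < 6 or len(raw) < 2 + length:
        raise ValueError("truncated advertising PDU")
    body, ptype = raw[2:2 + length], header & 0x0F
    return {
        "type": PDU_TYPES.get(ptype, "reserved"),
        "addr_kind": "random" if header & 0x40 else "public",       # TxAdd bit
        "adv_a": ":".join("%02x" % b for b in reversed(body[:6])),  # LSB first on air
        "ad": parse_ad_structures(body[6:]) if ptype in ADV_DATA_TYPES else [],
        "crc": raw[2 + length:].hex(),
    }
```

Feeding the two raw lines from the slide into parse_adv_pdu yields the AdvA, AD types and CRC that ubertooth-btle printed for them.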

Dirty tricks

Android HCI capture

Capture straight from Android HCI

/etc/bluetooth/bt_stack.conf

Free telem book

Redbooks book: Building with MQTT

IBM Redbooks (Ebook, 2014)
Building... with MQTT, Boyd et al

Free IoT book

APress Open book: Rethinking the Internet of Things

APress Open (Online Ebook, 2014)
Rethinking the IoT, Francis daCosta

To be continued…


  • Bluetooth LE
  • Active Bluetooth attacks
  • Z-Wave (closed) ↓
  • ZigBee 802.15.4
  • Kisbee hardware
  • The MuCCC Rad1o!

Human controlling the IoT or…

things controlling the human?

Attacking Internet of Things Telemetry

Michael Schloh von Bennewitz
