Clever breaches demonstrate IoT security gaps.
Dave Bittner: [00:00:03] Hello everyone, and welcome to the CyberWire's Research Saturday, presented by Juniper Networks. I'm Dave Bittner and this is our weekly conversation with researchers and analysts tracking down threats and vulnerabilities and solving some of the hard problems of protecting ourselves in a rapidly evolving cyberspace. Thanks for joining us.
Dave Bittner: [00:00:25] And now a quick word about our sponsor, Juniper Networks. NSS Labs gave Juniper its highest rating of "Recommended" in its 2019 Data Center Security Gateway Test. To get your copy of the NSS Labs report, visit juniper.net/SecureDC or connect with Juniper on Twitter or Facebook. That's juniper.net/SecureDC. And we thank Juniper for making it possible to bring you Research Saturday.
Dave Bittner: [00:00:57] And thanks also to our sponsor, Enveil, whose revolutionary ZeroReveal solution closes the last gap in data security: protecting data in use. It's the industry's first and only scalable commercial solution enabling data to remain encrypted throughout the entire processing lifecycle. Imagine being able to analyze, search, and perform calculations on sensitive data, all without ever decrypting anything – all without the risks of theft or inadvertent exposure. What was once only theoretical is now possible with Enveil. Learn more at enveil.com.
Steve Povolny: [00:01:37] So the team that I run is focused typically on vulnerability research.
Dave Bittner: [00:01:42] That's Steve Povolny. He's Head of Advanced Threat Research at McAfee. Today, we're discussing a pair of research projects they recently published involving popular IoT devices.
Steve Povolny: [00:01:53] So it's an offensive-minded team, and these techniques for attack scenarios do fall into that category as well. However, they're a little bit different in that they don't represent classical software-based vulnerabilities, like something that you can fix in code, but they do fall into the area of one of the categories of research we often do, which is consumer devices, smart home devices, IoT in general – both of these devices fall into that category as a whole. ATR in general does research in almost every area for offensive security research, from automotive to industrial control systems, enterprise software. And IoT is just one other category that is in the domain of what we research.
Dave Bittner: [00:02:38] Well, let's go through them one at a time. These are both interesting videos that you all have posted on YouTube. The first one has to do with being able to bypass an IoT device that works with garage doors. Can you walk us through what's going on here?
Steve Povolny: [00:02:55] Yeah, absolutely. We got interested in this product – the vendor is Chamberlain and the product is the MyQ Garage Door Opener. And this is a fairly popular industry product, just like everything else in the IoT domain, it's used to give the homeowner remote control automation over the Internet from their smartphone to be able to open and close their garage door and check notifications.
Steve Povolny: [00:03:20] What got us kind of interested in the first place is that the service does allow for garage door delivery – so, in-garage delivery, meaning the package courier can actually use the MyQ app to do the same kinds of things the homeowner does, open and close the garage door and get notifications. So if you register for a delivery service to get a package to your garage while you're away from home, and they can actually, of course, open and close the garage, we wondered if there was an interesting attack scenario there.
Steve Povolny: [00:03:52] So we did audit the device itself in some level of detail and didn't really find anything, at least not low-hanging fruit on the device itself. We found an interesting technique in the RF or radio frequency space that allowed us to kind of achieve the scenario we wanted to, which is to be able to gain access to the garage. And that's what this entire article and corresponding video are about.
Dave Bittner: [00:04:17] Yeah. So, let's go through exactly how this works. Can you give us a little bit of an overview of how the technology that you connect to your garage door system – how it's physically connected and how the user is getting alerts, and so on and so forth?
Steve Povolny: [00:04:35] Yeah, it's a pretty simple and fairly straightforward setup. You have a physical sensor that is in your garage, and it's actually just attached to your garage door itself with some Velcro that ships with the product, so it's pretty easy to put on and take off. And the reason that's attached to the garage door is that it actually sends out its state – whether the garage is open or closed – based on whether it's in a vertical or horizontal orientation. In other words, when it's attached to your garage door and the garage door is open, obviously it's horizontal and it sends an "open" state. And when it's closed, it's vertical and it's under "closed" state.
Dave Bittner: [00:05:11] Hmm.
Steve Povolny: [00:05:11] This is a little bit different than most systems, but certainly nothing, you know, insecure about that concept itself. It transmits that open or closed state to a hub that's located anywhere in your home or even in your garage – the MyQ hub – and that hub, of course, is connected to your Wi-Fi, which is the same way that you can use your mobile phone and the MyQ app to connect to the device. So essentially, those are the three components – you have the sensor, the hub, and the mobile application, which allows you to control the device over Wi-Fi, and the hub will send and receive those state commands to open or close the garage, and the sensor, of course, is what's responsible for actually opening and closing it as well.
Dave Bittner: [00:05:55] Well, let's go through the sort of clever attack that you all came up with here, a way to circumvent this.
Steve Povolny: [00:06:01] Yeah, this is a very unique one for us. Typically, we're looking at software-based vulnerabilities. And the way this one is different is that we actually wanted to study the state sensor itself, and because it's just transmitting, you know, this binary state, either open or closed, to the hub, we wondered what would happen if we built a radio that could allow us to jam that state signal as it was transmitted from the sensor back to the hub in the home. And more so, if we could not only jam that state signal, but potentially even capture and replay it.
Steve Povolny: [00:06:39] And there's two pieces to this attack. We were able to successfully build a software-defined radio that allows us to jam the RF signals between the sensor and the hub. And what that does is it allows us to block the state signal from transmitting when the garage is actually closing. And the reason this is important is because if you consider the package delivery scenario, the garage, of course, has to close for the package career to drive away – they're not going to leave the garage door open. But that's independent of the fact that the state is still trying to transmit "closed." And if we can block that state of "closed" from reaching the hub, we can block it then from updating in the user's app.
Steve Povolny: [00:07:24] And ultimately, what you'll see in the proof-of-concept that we built, is that by jamming that state, if the homeowner logs into their MyQ app, what they'll see is an error. And that error will say something went wrong, your garage didn't close. Well, as you know, we talked about the garage is independent of that state, so it really did close. And now the homeowner is left with some confusion, especially if they're not home and can't, you know, line-of-sight see their garage door. The door is closed, the app is saying it's open. Now they go ahead and click "close" from the app, and of course it's going to do the inverse thing and open the garage door up for the attacker.
Dave Bittner: [00:08:00] Hmm.
Steve Povolny: [00:07:59] So, just as a full scenario, what we kind of envisioned is taking this small radio we built – and we built a battery-powered version of it as well – putting it somewhere in the bushes or nearby the home, waiting for a package delivery to come to someone who has the MyQ, jamming the signal during the closing of the garage, and then the homeowner actually opens the garage accidentally for the attacker to walk in. And often, as you know, that gives access to the home itself.
Steve Povolny: [00:08:30] The really interesting thing here, and the novel part of this technique, is that jamming signals and capturing and replaying signals has been happening for a long time, and the manufacturer actually built a stronger version of the product to deal with this exact kind of thing. So they actually hop over three unique, distinct frequencies in a very small range to try to avoid the ability to jam here. And we released a white paper that shows kind of what we believe is the first in the industry technique for not just jamming across all three of these frequencies at the same time, but the jammer that we built actually only jams on demand, meaning it'll only jam as soon as it sees that "closed" state signal being sent back to the hub. And so, it's very hard to find or fingerprint this device because it's not very noisy, right? It's only it's only working for a few seconds when it needs to. So that's kind of the power of the attack in general. It's very quiet, it's very specific, and it's very reliable.
Steve Povolny: [00:09:29] And then the second part that I referenced was we did test out and prove the capability to actually transmit back the state signal when we wanted to – the true "closed" state signal, so we can kind of clean up after ourselves, if you will, and restore the correct state to the user. That's not really fundamentally important to the attack being successful, but it is a really interesting and novel way that we could replay that state signal.
Dave Bittner: [00:09:54] And I suppose part of this relies on the fact that your typical garage door opener – you're just sending, I guess, a trigger signal to either open or close the garage door. It's not signaling back and forth to say "open the door" or "close the door." It's just signaling and saying, you know, change the state – if its open, close it, if it's closed, open.
Steve Povolny: [00:10:17] Exactly, Dave. No, you hit it on the head. That's exactly one of the weaknesses here – is garage doors don't truly understand what open or closed means. They just send a signal that changes to the other state, right? And that's very typical. And really, the – one of the flaws here – although it is very common and there's not really an easy fix for this – but just because that state is so unintelligent, right? It only does the opposite. We can actually use that to confuse the user, as we talked about. So, yeah, that's exactly right.
Dave Bittner: [00:10:48] Now, would the user eventually get a signal that that sends them the true state of things? Is it a matter that by that time, it's just too late?
Steve Povolny: [00:10:58] There's a couple of ways that we can either correct this or leave it incorrect. Of course, for an attacker, if they all they care about is getting access to the home or the garage door, the job is done and you don't necessarily have to care that the user finds out if it was incorrect or correct. The app will not correct itself unless we either transmit the state, as I mentioned, by capturing and replaying it, or what's much simpler is the attacker can actually just take that sensor off of the garage, because it's on Velcro, and just flip it vertical instead of being horizontal, right? And that'll actually then, if we're not jamming, that'll send the true "closed" state, just like the garage was actually closed. So, our video actually shows our attacker, after they've gained access to the garage, just pulling that sensor off of the Velcro, placing it on the floor upright, and then the user's app will sync up and it'll look like everything did get closed correctly. So, this is kind of similar to the clean-up steps after someone gets into your network or exploits some malware, they're trying to typically cover their tracks. And that would be a really easy way to do that.
Dave Bittner: [00:12:01] I suppose one of the lessons here is that old story of defense-in-depth – that if you have something like this, maybe it's a good idea to have some sort of video monitoring system also, so you can take a look at what the true state is.
Steve Povolny: [00:12:15] It's almost like you read the blog, or maybe in my mind, or both, Dave.
Dave Bittner: [00:12:18] (Laughs)
Steve Povolny: [00:12:18] Yeah, that's very – that is very intuitive, and I think that makes a lot of sense. In fact, I wouldn't be surprised at all – there is actually an FCC filing from Chamberlain for a camera sensor, which I wouldn't be surprised to see them build into future versions of the app. Or homeowners could use another product as well to get actual visible line of sight. And in general, I think that's a great idea, is to have, as you mentioned, defense in depth, or more than one system to be able to physically or visually validate what's going on there.
Dave Bittner: [00:12:52] Well, let's move on to the second video that you all posted that we're going to discuss today. This one is fascinating. This is about – you're working with an NFC Ring device, so a ring that you wear on your finger that has NFC capabilities. Take us through what you're doing here.
Steve Povolny: [00:13:11] Yeah, this is a ring developed by a company called McLear. Actually, John McLear was the original developer out of the UK, and now the company makes a number of rings, including payment rings and smart rings. They also still manufacture this ring, which is called the NFC Ring. And it's the one that we've targeted for research because it is advertised as being used to pair with smart-home locks for access control to your home. So, it's very simple, and the way that we typically use NFC is for contactless payments, credit cards, et cetera. This one's a little different in that it is specifically used for smart lock and home access – or at least that's one of the primary uses.
Steve Povolny: [00:13:53] And that of course caught our attention, it's, hey, a cool piece of technology that you wear on your body that can get you access to your home. What could go wrong?
Dave Bittner: [00:14:03] (Laughs)
Steve Povolny: [00:14:03] So, we looked at the weaknesses in this ring, and fundamentally this is just an insecure design. And what I mean by that is the ring itself has no form of encryption, it doesn't require any kind of authentication, so once you set it up and pair it to your smart home lock – whatever version that is – an attacker, if they can get access to this ring, can actually clone or steal all of the relevant information off of the ring that is paired to the home. And then they can just simply reprogram any kind of NFC device. In our proof-of-concept, we use just the NFC card – a readable, writeable card – and we clone the ring onto that card and use it to unlock the home, and basically give us a permanent key into somebody's house there, or whenever they're trying to protect.
Steve Povolny: [00:14:48] All it takes is a small, unique ID – it's just a seven-byte unique idea that's stored on that ring unencrypted. And so long as we can get access to that ring – and I'll talk about how we do that in a minute – we can clone it easily and get access.
Dave Bittner: [00:15:02] Yeah. Well, the way that you – the clever technique that you all have come up with to, I guess, fool the user into to providing access to that ring – share with us what you've done there.
Steve Povolny: [00:15:15] Well, there's two parts to every piece of research. One is the technical viability, and that's the unencrypted, unauthenticated stored context of the ring. And then there's what would attackers do with this in a real-world scenario and how would they actually compromise someone? And as we thought about that, we realized, you know, most people are going to have this ring on them. It's going to be pretty far-fetched for us to find someone with this ring, get access to it, you know, if they put it down somewhere. So we wanted to think about how are we going to be able to clone that ring if it's on somebody's finger?
Steve Povolny: [00:15:48] A technique that we developed was to create a app, a mobile app, for Android – just because it's easier to modify the code – and we just had this app run silently on the attacker's phone in the background. It's constantly running. All it does is it leverages what comes on pretty much every smartphone, which is NFC-reading capabilities. And it's just constantly scanning for NFC devices that come within proximity of it, and it will store off the NFC details if it can read them. And because everything's stored unencrypted, what that means is we just need to get this attacker's phone within about two, three, four centimeters of the NFC Ring.
Steve Povolny: [00:16:29] And as you can imagine, where I'm going with this, an easy way to do that is to social engineer someone. Walk up to them, hand them the phone and say, hey, would you mind taking a picture of me and my family? And you know, 99 out of 100 people are going to do that nowadays. And as long as we can get them to grab it with the hand the ring is on, which is fairly easy to do as well, we instantly can scan that NFC tag and we're good to go.
Steve Povolny: [00:16:52] So the final proof-of-concept is basically, we have this mobile app, we social engineer someone into getting the ring close to the app, we save the details off of it, and then at our own time, we go back and use a very simple NFC read-writing device called a proxmark to reprogram that unique identifier I talked about onto an NFC card, and now all of a sudden we have access to the home.
Dave Bittner: [00:17:17] Now, is it typical for these sorts of NFC devices to be unencrypted? Is that something that is optional in that particular protocol? What's the situation there?
Steve Povolny: [00:17:28] It certainly can go either way. It kind of depends on what the device is built for. Of course, if you have something that's used for mobile payment or, you know, secure communications like that, it better be encrypted. And most devices, I'd say, most of the devices we've looked at that do that are encrypted and would make this attack either impossible or at least a much different attack vector. You know, there's no need for NFC to protect the contents of what it's being used for unless it has a critical function. And I think it's pretty easy to argue that home access and access control certainly is a critical function, and this ring should have been developed with some kind of encryption or crypto module built into it. But of course, it was not.
Steve Povolny: [00:18:10] So, it may have been that this ring was built as a proof-of-concept and then later kind of added on for access control versus being built for it. But it is still marketed by McLear as being used for access control along with a number of smart locks. So, our recommendation to the vendor was that this should have certainly been built with some kind of encryption at a very minimum.
Steve Povolny: [00:18:33] You know, McAfee and Advanced Threat Research follows responsible disclosure practices. So, with both of these pieces of research and everything we do, we reported this to the vendors well before public disclosure. With McLear, we heard back just last week, actually, for the first time, which was a little bit strange. With Chamberlain, we actually worked with them throughout the entire process, having them test and validate the findings. They actually released an update to the app just a few weeks ago, which doesn't fundamentally fix the issue, but it at least warns the users if that garage state is – wasn't received appropriately, and it tells them, instructs them to go try to visually validate that the door was properly closed, so at least provides some context to the homeowners where before there was none.
Steve Povolny: [00:19:20] So, neither of these represent what could be easily, easily fixed, given that they are NFC and RF, they're not just simple software patches. But the reason we talked about these and publicly disclosed issues like this is for the future development of better and more secure products. And I think we've already seen growth in these two areas alone.
Dave Bittner: [00:19:42] That's Steve Povolny from McAfee. We'll have links to the research in the show notes.
Dave Bittner: [00:19:52] Thanks to Juniper Networks for sponsoring our show. You can learn more at juniper.net/security, or connect with them on Twitter or Facebook.
Dave Bittner: [00:20:02] And thanks to Enveil for their sponsorship. You can find out how they're closing the last gap in data security enveil.com.
Dave Bittner: [00:20:08] The CyberWire Research Saturday is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technology. Our amazing. CyberWire team is Elliott Peltzman, Puru Prakash, Stefan Vaziri, Kelsea Bond, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Peter Kilpe, and I'm Dave Bittner. Thanks for listening.