Post on 30-May-2020

Smart Lighting Security: Exploring and Addressing Security Risk in Smart Lighting Systems

Paul Jauregui | VP, Marketing | Praetorian.com

Information Security Assessment and Advisory

Recent data breaches in various industries have heightened consumers’ awareness of data security and privacy.

“LIFX Smart LED Light Bulbs Leak Wi-Fi Passwords”

“Philips Hue Lightbulbs Easily Hackable, Blackouts Imminent”

“Belkin WeMo Smart Home Networks in Danger of Hacks”

“Hacking Traffic Lights Is Apparently Really Easy”

Consumer Attitudes Towards Data Security

Strong data security and privacy practices are not just about risk mitigation, but also a potential source of competitive advantage.

‣ 72%: I avoid purchasing brands from consumer product companies that I do not believe protect my personal information

‣ 80%: I am more likely to purchase brands from consumer product companies that I believe protect my personal information

‣ 70%: I am more likely to buy products from a company that is verified by a 3rd-party as having the highest standards of data privacy and security

‣ 59%: A single data breach would negatively impact my likelihood to buy brands from a consumer products company

Source: Consumer responses from the consumer product consumer and executive survey on data privacy and security, Deloitte LLP, August 2014

Common Security Challenges

Product Development Lifecycle

‣ Research: Time to market pressures

‣ Develop: General lack of security consciousness

‣ Testing: Security is often left as an afterthought

‣ Launch: Insufficient security testing prior to launch

‣ Support: Ongoing security support and maintenance

The Praetorian Smart Lighting Lab

CASE STUDY

Smart Lighting System Components

[Diagram: Cloud Services, Internet, WiFi Router, Lighting Gateway, Mesh Network (6LoWPAN, Z-Wave and more), Sensor, Mobile apps (WiFi, Cellular), Remote; divided into Internal Network and External]

Examples of Smart Lighting System Attacks

Denial of Service ‣ Can someone disrupt functionality, such as preventing the lights from turning on?

Control of System ‣ Can an unauthorized user take control of existing lighting functionality?

Facilitate Attacks ‣ Can someone use the lighting system as a way to infiltrate the network or attack other systems?

Finding & Targeting Smart Lighting Systems

1. | Get Zigbee Recon Gear

‣ KillerBee Software: designed to aid in recon and exploitation of ZigBee networks (free)

‣ Cheap/accessible Hardware: RZRAVEN USB ($35), Raspberry Pi with Zigbee radio ($50)

2. | Take a Drive (Wardriving)

3. | Sniff and Log Zigbee Traffic

4. | Analyze Zigbee Traffic and Fingerprint Devices with Company MAC address

[Photos by Travis Goodspeed]

[Screenshot captions: Philips Hue Smart Lighting Network Identified; TCP/Greenwave Lighting Network Identified]

Praetorian Smart Lighting Lab

[Diagram: LED Bulbs + “Smart” Platform; Bulb Mesh Network (6LoWPAN), TCP Gateway, WiFi Router (WiFi)]

Embedded Device (Hardware) Hacking

[Photo: UART port on the board, with TX, RX and Ground test points labeled]

Gained persistent root access to device via SSH server, which runs on boot up

‣ Connected test points on board to UART adapter for “Kernel Init Hijacking”

‣ “Kernel Init Hijacking” allows temporary root access to TCP Hub file system by tampering with the boot sequence and injecting commands

‣ Access used to retrieve SSH password for root account, which was “thinkgreen”

‣ Root access now possible on all TCP/Greenwave systems (via SSH on internal network)

‣ With this control, we cross-compiled and installed additional network analysis tools on the hub (netcat, nmap, etc.) to learn more about device behavior

‣ Potential to also remotely install malicious software that turns the hub into a proxy to the network, which could sniff/exfiltrate data or launch attacks on other systems

First documented and exploited by GTVHackers (SSH password is online): https://www.exploitee.rs/index.php/Greenwave_Reality_Bulbs

Embedded Device (Hardware) Hacking

In January 2015, Greenwave forced a firmware update that fixed these issues

✓ Removed local web control interface that lacked authentication by closing port 80

✓ Opened a secure HTTPS (port 443) service with currently unknown functionality

✓ Closed the SSH (port 22) service to remove persistent root access to hub via SSH credentials shared by all devices

✓ UART pins may have been silenced, and boot delay may have been set to zero (no more “kernel init hijacking”)

[Photo: UART pins silenced]
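One way to confirm that a hub on your own network matches the post-update state listed above. This is an added example, not part of the original presentation or any Greenwave tooling; the BASELINE table, the function names and the hub.example host are assumptions made for illustration.

```python
import socket

# Post-update baseline from the slide above: web UI (80) and SSH (22) closed,
# HTTPS (443) open. True means "expected to accept TCP connections".
BASELINE = {22: False, 80: False, 443: True}


def port_open(host, port, timeout=1.0):
    """Return True if a TCP connection to host:port succeeds."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:  # refused, timed out, unreachable
        return False


def audit_hub(host, baseline=BASELINE, probe=port_open):
    """Compare a hub's observed TCP port state with the baseline.

    Returns a sorted list of (port, finding) tuples; empty means compliant.
    `probe` is injectable so the logic can be exercised without a device.
    """
    findings = []
    for port in sorted(baseline):
        expected_open = baseline[port]
        observed_open = probe(host, port)
        if observed_open and not expected_open:
            findings.append((port, "open but should be closed"))
        elif expected_open and not observed_open:
            findings.append((port, "closed but should be open"))
    return findings


def fake_probe(open_ports):
    """Build a probe that answers from a constructed set of open ports."""
    return lambda host, port: port in open_ports


if __name__ == "__main__":
    # Constructed sample states, not captured from real devices.
    samples = {"pre-update hub": {22, 80}, "post-update hub": {443}}
    for name, open_ports in samples.items():
        result = audit_hub("hub.example", probe=fake_probe(open_ports))
        print(name, "->", result or "matches baseline")
```

A hub that still answers on port 22 or 80 has most likely not received the January 2015 update and should be treated as exposing the shared root credential.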

Recommended Security Best Practices

Product Development Lifecycle

‣ Research: Train employees about security best practices

‣ Develop: Build security in from the start, don’t bolt it on

‣ Testing: Conduct 3rd-party security risk assessments

‣ Launch: Test security measures before product launch

‣ Support: Monitor product through its life, patch known vulns

The Security Experts

INFORMATION SECURITY ASSESSMENT AND ADVISORY

NETWORK APPLICATION MOBILE CLOUD IOT

Presented by

Paul Jauregui VP Marketing, Praetorian paul.jauregui@praetorian.com Twitter: @pauljauregui

Learn more at http://www.praetorian.com
