![Page 1: Mobile Applications: a Backdoor into Internet of Things? · 2016. 10. 7. · Photo credit:engadget Edited for public release - A. Apvrille 5/37. 3/5 ... Most IoT come with their connected](https://reader035.vdocument.in/reader035/viewer/2022071403/60f77d8b48a8b440be425708/html5/thumbnails/1.jpg)
Mobile Applications: a Backdoor intoInternet of Things?
Axelle Apvrille - FortiGuard Labs, Fortinet
October 2016
![Page 2: Mobile Applications: a Backdoor into Internet of Things? · 2016. 10. 7. · Photo credit:engadget Edited for public release - A. Apvrille 5/37. 3/5 ... Most IoT come with their connected](https://reader035.vdocument.in/reader035/viewer/2022071403/60f77d8b48a8b440be425708/html5/thumbnails/2.jpg)
Outline
How would YOU reverse engineer IoT?
A solution for AV analysts & software security researchers
Example 1: Connected toothbrush
Example 2: Sony Smart Watch 2
Example 3: House alarm
Conclusion
Edited for public release - A. Apvrille 2/37
![Page 3: Mobile Applications: a Backdoor into Internet of Things? · 2016. 10. 7. · Photo credit:engadget Edited for public release - A. Apvrille 5/37. 3/5 ... Most IoT come with their connected](https://reader035.vdocument.in/reader035/viewer/2022071403/60f77d8b48a8b440be425708/html5/thumbnails/3.jpg)
That’s your new task
How are you going to reverse it?
Edited for public release - A. Apvrille 3/37
![Page 4: Mobile Applications: a Backdoor into Internet of Things? · 2016. 10. 7. · Photo credit:engadget Edited for public release - A. Apvrille 5/37. 3/5 ... Most IoT come with their connected](https://reader035.vdocument.in/reader035/viewer/2022071403/60f77d8b48a8b440be425708/html5/thumbnails/4.jpg)
1/5 - Browse the web for documentation
Screenshots of smartwatchforum.com, xda-developers, developer.sony.com
Edited for public release - A. Apvrille 4/37
![Page 5: Mobile Applications: a Backdoor into Internet of Things? · 2016. 10. 7. · Photo credit:engadget Edited for public release - A. Apvrille 5/37. 3/5 ... Most IoT come with their connected](https://reader035.vdocument.in/reader035/viewer/2022071403/60f77d8b48a8b440be425708/html5/thumbnails/5.jpg)
2/5 - Hardware teardown
I Microscope
I Oscilloscope
I Silicon die analysis
I Firmware
I Interface analysis: JTAG, USB,CAN, Serial...
$ lsusb
... no smart watch :( ...Photo credit: engadget
Edited for public release - A. Apvrille 5/37
![Page 6: Mobile Applications: a Backdoor into Internet of Things? · 2016. 10. 7. · Photo credit:engadget Edited for public release - A. Apvrille 5/37. 3/5 ... Most IoT come with their connected](https://reader035.vdocument.in/reader035/viewer/2022071403/60f77d8b48a8b440be425708/html5/thumbnails/6.jpg)
3/5 - Social engineering
“Kidnap the developer, getaccess to his/her PC andgrab the sources”
LOL ;-)
Adapted from Pico le Croco
Edited for public release - A. Apvrille 6/37
![Page 7: Mobile Applications: a Backdoor into Internet of Things? · 2016. 10. 7. · Photo credit:engadget Edited for public release - A. Apvrille 5/37. 3/5 ... Most IoT come with their connected](https://reader035.vdocument.in/reader035/viewer/2022071403/60f77d8b48a8b440be425708/html5/thumbnails/7.jpg)
4/5 - Sniff network traffic
In practice for thesmart watch
I No Wifi
I Bluetooth traffic!
I ... encrypted! UseUbertooth?
I Flow of bytes. Nolabel.
Adapted from Pico le Croco
Edited for public release - A. Apvrille 7/37
![Page 8: Mobile Applications: a Backdoor into Internet of Things? · 2016. 10. 7. · Photo credit:engadget Edited for public release - A. Apvrille 5/37. 3/5 ... Most IoT come with their connected](https://reader035.vdocument.in/reader035/viewer/2022071403/60f77d8b48a8b440be425708/html5/thumbnails/8.jpg)
4/5 - Sniff network traffic
In practice for thesmart watch
I No Wifi
I Bluetooth traffic!
I ... encrypted! UseUbertooth?
I Flow of bytes. Nolabel.
Adapted from Pico le Croco
Edited for public release - A. Apvrille 7/37
![Page 9: Mobile Applications: a Backdoor into Internet of Things? · 2016. 10. 7. · Photo credit:engadget Edited for public release - A. Apvrille 5/37. 3/5 ... Most IoT come with their connected](https://reader035.vdocument.in/reader035/viewer/2022071403/60f77d8b48a8b440be425708/html5/thumbnails/9.jpg)
4/5 - Sniff network traffic
In practice for thesmart watch
I No Wifi
I Bluetooth traffic!
I ... encrypted! UseUbertooth?
I Flow of bytes. Nolabel.
Adapted from Pico le Croco
Edited for public release - A. Apvrille 7/37
![Page 10: Mobile Applications: a Backdoor into Internet of Things? · 2016. 10. 7. · Photo credit:engadget Edited for public release - A. Apvrille 5/37. 3/5 ... Most IoT come with their connected](https://reader035.vdocument.in/reader035/viewer/2022071403/60f77d8b48a8b440be425708/html5/thumbnails/10.jpg)
4/5 - Sniff network traffic
In practice for thesmart watch
I No Wifi
I Bluetooth traffic!
I ... encrypted! UseUbertooth?
I Flow of bytes. Nolabel.
Adapted from Pico le Croco
Edited for public release - A. Apvrille 7/37
![Page 11: Mobile Applications: a Backdoor into Internet of Things? · 2016. 10. 7. · Photo credit:engadget Edited for public release - A. Apvrille 5/37. 3/5 ... Most IoT come with their connected](https://reader035.vdocument.in/reader035/viewer/2022071403/60f77d8b48a8b440be425708/html5/thumbnails/11.jpg)
5/5 - Develop a smart app for tests
Edited for public release - A. Apvrille 8/37
![Page 12: Mobile Applications: a Backdoor into Internet of Things? · 2016. 10. 7. · Photo credit:engadget Edited for public release - A. Apvrille 5/37. 3/5 ... Most IoT come with their connected](https://reader035.vdocument.in/reader035/viewer/2022071403/60f77d8b48a8b440be425708/html5/thumbnails/12.jpg)
It is feasible but...good luck
Edited for public release - A. Apvrille 9/37
![Page 13: Mobile Applications: a Backdoor into Internet of Things? · 2016. 10. 7. · Photo credit:engadget Edited for public release - A. Apvrille 5/37. 3/5 ... Most IoT come with their connected](https://reader035.vdocument.in/reader035/viewer/2022071403/60f77d8b48a8b440be425708/html5/thumbnails/13.jpg)
Now, reverse this one!
No. Your experience with the smart watchwon’t help.
Different architectureDifferent hardwareDifferent protocols
You’ll be starting from scratch again!
Edited for public release - A. Apvrille 10/37
![Page 14: Mobile Applications: a Backdoor into Internet of Things? · 2016. 10. 7. · Photo credit:engadget Edited for public release - A. Apvrille 5/37. 3/5 ... Most IoT come with their connected](https://reader035.vdocument.in/reader035/viewer/2022071403/60f77d8b48a8b440be425708/html5/thumbnails/14.jpg)
Outline
How would YOU reverse engineer IoT?
A solution for AV analysts & software security researchers
Example 1: Connected toothbrush
Example 2: Sony Smart Watch 2
Example 3: House alarm
Conclusion
Edited for public release - A. Apvrille 11/37
![Page 15: Mobile Applications: a Backdoor into Internet of Things? · 2016. 10. 7. · Photo credit:engadget Edited for public release - A. Apvrille 5/37. 3/5 ... Most IoT come with their connected](https://reader035.vdocument.in/reader035/viewer/2022071403/60f77d8b48a8b440be425708/html5/thumbnails/15.jpg)
Is there an easier way to reverse?
Yes: reverse engineer the mobile app
Adapted from http://picolecroco.free.fr/images/dessins/2013/pico-59-soude.jpg
Edited for public release - A. Apvrille 12/37
![Page 16: Mobile Applications: a Backdoor into Internet of Things? · 2016. 10. 7. · Photo credit:engadget Edited for public release - A. Apvrille 5/37. 3/5 ... Most IoT come with their connected](https://reader035.vdocument.in/reader035/viewer/2022071403/60f77d8b48a8b440be425708/html5/thumbnails/16.jpg)
Most IoT come with their connected app
I Sony SmartWatch 2 has a mobile application (to install newextensions)
I Beam Toothbrush has a mobile application to track yourbrushing experience
I Fitbit Flex has a mobile application to see how fit you are
I Wilson X basketball has a mobile application to see how wellyou score
I etc
Edited for public release - A. Apvrille 13/37
![Page 17: Mobile Applications: a Backdoor into Internet of Things? · 2016. 10. 7. · Photo credit:engadget Edited for public release - A. Apvrille 5/37. 3/5 ... Most IoT come with their connected](https://reader035.vdocument.in/reader035/viewer/2022071403/60f77d8b48a8b440be425708/html5/thumbnails/17.jpg)
Outline
How would YOU reverse engineer IoT?
A solution for AV analysts & software security researchers
Example 1: Connected toothbrush
Example 2: Sony Smart Watch 2
Example 3: House alarm
Conclusion
Edited for public release - A. Apvrille 14/37
![Page 18: Mobile Applications: a Backdoor into Internet of Things? · 2016. 10. 7. · Photo credit:engadget Edited for public release - A. Apvrille 5/37. 3/5 ... Most IoT come with their connected](https://reader035.vdocument.in/reader035/viewer/2022071403/60f77d8b48a8b440be425708/html5/thumbnails/18.jpg)
Beam toothbrush
Edited for public release - A. Apvrille 15/37
![Page 19: Mobile Applications: a Backdoor into Internet of Things? · 2016. 10. 7. · Photo credit:engadget Edited for public release - A. Apvrille 5/37. 3/5 ... Most IoT come with their connected](https://reader035.vdocument.in/reader035/viewer/2022071403/60f77d8b48a8b440be425708/html5/thumbnails/19.jpg)
SQL tables - reversing iOS app
I Tip: search for primaryKey
I Contents of each table:mappings func
Edited for public release - A. Apvrille 16/37
![Page 20: Mobile Applications: a Backdoor into Internet of Things? · 2016. 10. 7. · Photo credit:engadget Edited for public release - A. Apvrille 5/37. 3/5 ... Most IoT come with their connected](https://reader035.vdocument.in/reader035/viewer/2022071403/60f77d8b48a8b440be425708/html5/thumbnails/20.jpg)
SQL tables: what we work out
BTMainCardCellViewModel
NSString *policyIDNSString *activeStatusDateNSString *policyStatusTitle
int policyStatusNSString *stars
NSString *helpNumberForDisplayNSString *helpNumberForCall
InsuredIDTitle
first_namemiddle_initiallast_namepost_name
relation_to_policy_holderGenderDobuser_id
sequence_num
Insured
DiscountPolicy *policy
discountPolicyIDgroup_codeplan_codeeffective_atterminated_atinsureds
DiscountPolicyNSString *coverage;
Edited for public release - A. Apvrille 17/37
![Page 21: Mobile Applications: a Backdoor into Internet of Things? · 2016. 10. 7. · Photo credit:engadget Edited for public release - A. Apvrille 5/37. 3/5 ... Most IoT come with their connected](https://reader035.vdocument.in/reader035/viewer/2022071403/60f77d8b48a8b440be425708/html5/thumbnails/21.jpg)
Reconstructing implementation design
Edited for public release - A. Apvrille 18/37
![Page 22: Mobile Applications: a Backdoor into Internet of Things? · 2016. 10. 7. · Photo credit:engadget Edited for public release - A. Apvrille 5/37. 3/5 ... Most IoT come with their connected](https://reader035.vdocument.in/reader035/viewer/2022071403/60f77d8b48a8b440be425708/html5/thumbnails/22.jpg)
Classes, methods, fields: what we work out
BTSetupDevice
BTBrushData *_brushData;BTSetupUser *_parentUser;BTSetupUser *_childUser;NSSet *_connectedDevices;
UserSummary
NSNumber *beamScore, *numberOfBrushDaysLeft,
*numberOfStars,*lastNumberOfStars,
*brushStreak*consecutiveOver2Min
NSString *userSummaryID, averageLifetimeBrushDurationString,
beamScoreRoundedString;float averageLifetimeBrushDuration;
User *user;NSSet *rollingEvents;
int beamScoreRoundedInteger;
ClientSession
NSString *clientSessionID;NSNumber *currentSession;
NSDate *unpausedAt;NSDate *startTime;NSNumber *duration;NSNumber *syncCount;
NSString *clientDeviceID;
BTUserProfileSettingsTableViewCell
pairNewBrushButtonName,
PictureButton,AvatarImageView,avatarImageButton
BTCreateUserViewController
BTSetupDevice *_setupDeviceNSString *
_defaultHeaderLabelText
BTChildUserInformationViewController
delegatename
capturePhotoButton
BTUserSummaryTableViewCell
UILabel *brushScoreValueLabel*brushScoreTitleLabel,Streak value & title,Average brush time
Value & title
Edited for public release - A. Apvrille 19/37
![Page 23: Mobile Applications: a Backdoor into Internet of Things? · 2016. 10. 7. · Photo credit:engadget Edited for public release - A. Apvrille 5/37. 3/5 ... Most IoT come with their connected](https://reader035.vdocument.in/reader035/viewer/2022071403/60f77d8b48a8b440be425708/html5/thumbnails/23.jpg)
Classes, methods, fields: what we work out
BTBrushEvent
int eventType;NSDate *date;
float duration;NSString *macAddress;
int eventIndex;NSString *rawData;
UIImageView *imageExclaim;UIProgressView *progressView;
UIView *backgroundView;UIImageView *icon;UILabel *headline;UILabel *subtitle;
UIView *progressContainer;UIView *bluetoothContainer
BTFirmwareUpdater
char *firmware;unsigned int totalLength;unsigned int written;unsigned int toWrite;
unsigned int loopCount;int state;
CBService *otaService;CBCharacteristic
*otaControlPoint, *otaDataPoint;
brushEventIDcustom_dataend_timestart_timedevice_id
deviceIDbattery_remainingbluetooth_idcolor_int
firmware_revisionhardware_revisionInitial_setupmac_addressreset_at
last_syncedbrushed_events
user_id
Vector3 *accelerometerValues,
*lastAccelerometerValues;*gyroscopeValues;
NSDate *lastBrushDetected;char buttonDown,
IsBrushing,motorState
double brushingDuration;NSDate
*lastTimeFromBrush;NSMutableArray *brushEvents;
int brushColor, eventWriteIndex;
char activeConnection;float proximity;
NSUUID *uuid;NSString *deviceName,
*macAddress, *appearance, *manufacturer,
*partialMacAddress, *model, *serialNumber *firmwareRevision, *hardwareRevision,
notifyfloat batterylevel;motorIntensity;
char autoOffTimerEnabled,quadrantTimerEnabled;
BTBrushData
BTFirm
ware
Update
View
Controller
Edited for public release - A. Apvrille 19/37
![Page 24: Mobile Applications: a Backdoor into Internet of Things? · 2016. 10. 7. · Photo credit:engadget Edited for public release - A. Apvrille 5/37. 3/5 ... Most IoT come with their connected](https://reader035.vdocument.in/reader035/viewer/2022071403/60f77d8b48a8b440be425708/html5/thumbnails/24.jpg)
Remotely controlling the toothbrush
Uses Bluetooth Low EnergyCharacteristics ≈ entries to read and/or write
How? We get the UUID to access them in the code!
Edited for public release - A. Apvrille 20/37
![Page 25: Mobile Applications: a Backdoor into Internet of Things? · 2016. 10. 7. · Photo credit:engadget Edited for public release - A. Apvrille 5/37. 3/5 ... Most IoT come with their connected](https://reader035.vdocument.in/reader035/viewer/2022071403/60f77d8b48a8b440be425708/html5/thumbnails/25.jpg)
Demo: remote control of motor speed
Motor speed percentage Byte value
I Percentage to byte conversion: ((1− x100) ∗ 139) + 69
I Writing to toothbrush: BLE characteristic (833d...) foundfrom RE
Edited for public release - A. Apvrille 21/37
![Page 26: Mobile Applications: a Backdoor into Internet of Things? · 2016. 10. 7. · Photo credit:engadget Edited for public release - A. Apvrille 5/37. 3/5 ... Most IoT come with their connected](https://reader035.vdocument.in/reader035/viewer/2022071403/60f77d8b48a8b440be425708/html5/thumbnails/26.jpg)
Demo: reading toothbrush battery level
I Byte to battery level formula: 100 ∗ 0.001221x−1.11.5−1.1
I 5 V for 12 bits = 5212
I 1.1 min voltage, 1.5 max voltage?
Edited for public release - A. Apvrille 22/37
![Page 27: Mobile Applications: a Backdoor into Internet of Things? · 2016. 10. 7. · Photo credit:engadget Edited for public release - A. Apvrille 5/37. 3/5 ... Most IoT come with their connected](https://reader035.vdocument.in/reader035/viewer/2022071403/60f77d8b48a8b440be425708/html5/thumbnails/27.jpg)
Sidenote: why should we care?
Who cares changing toothbrush motor speed?!
Two scenarios:
1. DoS or Ransomware. “Your pocket money or I tell yourmom you don’t brush your teeth”
2. Propagating virus. Infected BLE discovery responses?Infected firmware?
Even harmless IoT need to be securedWith Mirai IoT botnet, attackers did not care about CCTV
cameras!
Edited for public release - A. Apvrille 23/37
![Page 28: Mobile Applications: a Backdoor into Internet of Things? · 2016. 10. 7. · Photo credit:engadget Edited for public release - A. Apvrille 5/37. 3/5 ... Most IoT come with their connected](https://reader035.vdocument.in/reader035/viewer/2022071403/60f77d8b48a8b440be425708/html5/thumbnails/28.jpg)
Sidenote: why should we care?
Who cares changing toothbrush motor speed?!
Two scenarios:
1. DoS or Ransomware. “Your pocket money or I tell yourmom you don’t brush your teeth”
2. Propagating virus. Infected BLE discovery responses?Infected firmware?
Even harmless IoT need to be securedWith Mirai IoT botnet, attackers did not care about CCTV
cameras!
Edited for public release - A. Apvrille 23/37
![Page 29: Mobile Applications: a Backdoor into Internet of Things? · 2016. 10. 7. · Photo credit:engadget Edited for public release - A. Apvrille 5/37. 3/5 ... Most IoT come with their connected](https://reader035.vdocument.in/reader035/viewer/2022071403/60f77d8b48a8b440be425708/html5/thumbnails/29.jpg)
Outline
How would YOU reverse engineer IoT?
A solution for AV analysts & software security researchers
Example 1: Connected toothbrush
Example 2: Sony Smart Watch 2
Example 3: House alarm
Conclusion
Edited for public release - A. Apvrille 24/37
![Page 30: Mobile Applications: a Backdoor into Internet of Things? · 2016. 10. 7. · Photo credit:engadget Edited for public release - A. Apvrille 5/37. 3/5 ... Most IoT come with their connected](https://reader035.vdocument.in/reader035/viewer/2022071403/60f77d8b48a8b440be425708/html5/thumbnails/30.jpg)
Architecture
Smart Accessory Smartphone
Host applicationHost applicationConstanza msg
SmartConnectSmartConnect
TwitterTwitter ......
Bluetooth
Smart Extensions
Edited for public release - A. Apvrille 25/37
![Page 31: Mobile Applications: a Backdoor into Internet of Things? · 2016. 10. 7. · Photo credit:engadget Edited for public release - A. Apvrille 5/37. 3/5 ... Most IoT come with their connected](https://reader035.vdocument.in/reader035/viewer/2022071403/60f77d8b48a8b440be425708/html5/thumbnails/31.jpg)
Reversing host app protocol
public class RequestForceCrash extends CostanzaMessage {
public static final int FORCE_CRASH_REQUEST_MAGIC
= 0xC057A72A;
private int mMagic;
public RequestForceCrash(int newMessageId) {
super(newMessageId);
this.type = 666;
this.mMagic = 0xC057A72A;
}
666 → Number of the BeastC057A72A → Costanza
Edited for public release - A. Apvrille 26/37
![Page 32: Mobile Applications: a Backdoor into Internet of Things? · 2016. 10. 7. · Photo credit:engadget Edited for public release - A. Apvrille 5/37. 3/5 ... Most IoT come with their connected](https://reader035.vdocument.in/reader035/viewer/2022071403/60f77d8b48a8b440be425708/html5/thumbnails/32.jpg)
Sending Costanza messages
public class RequestForceCrashextends Costanza {...}
public abstractclass CostanzaMessage {...}
libprotocol.so
ValueActionHeader - 12 bytes
pack()
Edited for public release - A. Apvrille 27/37
![Page 33: Mobile Applications: a Backdoor into Internet of Things? · 2016. 10. 7. · Photo credit:engadget Edited for public release - A. Apvrille 5/37. 3/5 ... Most IoT come with their connected](https://reader035.vdocument.in/reader035/viewer/2022071403/60f77d8b48a8b440be425708/html5/thumbnails/33.jpg)
Hidden screen
RequestForceCrash packets are sentby a hidden activity!
$ su root
$ am start -n com.sonymobile.smartconnect.
smartwatch2/com.sonymobile.smartconnect.
hostapp.costanza.StartupActivity
Starting: Intent { cmp=com.sonymobile.smart...}
Edited for public release - A. Apvrille 28/37
![Page 34: Mobile Applications: a Backdoor into Internet of Things? · 2016. 10. 7. · Photo credit:engadget Edited for public release - A. Apvrille 5/37. 3/5 ... Most IoT come with their connected](https://reader035.vdocument.in/reader035/viewer/2022071403/60f77d8b48a8b440be425708/html5/thumbnails/34.jpg)
Debug command work
Edited for public release - A. Apvrille 29/37
![Page 35: Mobile Applications: a Backdoor into Internet of Things? · 2016. 10. 7. · Photo credit:engadget Edited for public release - A. Apvrille 5/37. 3/5 ... Most IoT come with their connected](https://reader035.vdocument.in/reader035/viewer/2022071403/60f77d8b48a8b440be425708/html5/thumbnails/35.jpg)
Debug console
$ adb forward tcp:58616 tcp:58616
$ telnet localhost 58616
Trying 127.0.0.1...
Connected to localhost.
Escape character is ’^]’.
Debug console for Costanza.
Connection will be closed when you leave the log
(hit the "Back" button on your phone.
Please issue commands:
Edited for public release - A. Apvrille 30/37
![Page 36: Mobile Applications: a Backdoor into Internet of Things? · 2016. 10. 7. · Photo credit:engadget Edited for public release - A. Apvrille 5/37. 3/5 ... Most IoT come with their connected](https://reader035.vdocument.in/reader035/viewer/2022071403/60f77d8b48a8b440be425708/html5/thumbnails/36.jpg)
Video of hidden functionalities
Edited for public release - A. Apvrille 31/37
![Page 37: Mobile Applications: a Backdoor into Internet of Things? · 2016. 10. 7. · Photo credit:engadget Edited for public release - A. Apvrille 5/37. 3/5 ... Most IoT come with their connected](https://reader035.vdocument.in/reader035/viewer/2022071403/60f77d8b48a8b440be425708/html5/thumbnails/37.jpg)
Outline
How would YOU reverse engineer IoT?
A solution for AV analysts & software security researchers
Example 1: Connected toothbrush
Example 2: Sony Smart Watch 2
Example 3: House alarm
Conclusion
Edited for public release - A. Apvrille 32/37
![Page 38: Mobile Applications: a Backdoor into Internet of Things? · 2016. 10. 7. · Photo credit:engadget Edited for public release - A. Apvrille 5/37. 3/5 ... Most IoT come with their connected](https://reader035.vdocument.in/reader035/viewer/2022071403/60f77d8b48a8b440be425708/html5/thumbnails/38.jpg)
There’s an Android app for the alarm
I Protect your house against burglars
I Controllable by SMS
But it’s not very user friendly...
Comply to a strict SMS formatting
So, they created an Android app to assistend-users
Edited for public release - A. Apvrille 33/37
![Page 39: Mobile Applications: a Backdoor into Internet of Things? · 2016. 10. 7. · Photo credit:engadget Edited for public release - A. Apvrille 5/37. 3/5 ... Most IoT come with their connected](https://reader035.vdocument.in/reader035/viewer/2022071403/60f77d8b48a8b440be425708/html5/thumbnails/39.jpg)
Outbox is not secure
In the outbox, the SMS contains thepassword and phone number of thealarm.You get it? You control thealarm!
Fake data, of course :D
Let’s suppose you are a wise person and erase the SMSYou are wise, aren’t you?
Edited for public release - A. Apvrille 34/37
![Page 40: Mobile Applications: a Backdoor into Internet of Things? · 2016. 10. 7. · Photo credit:engadget Edited for public release - A. Apvrille 5/37. 3/5 ... Most IoT come with their connected](https://reader035.vdocument.in/reader035/viewer/2022071403/60f77d8b48a8b440be425708/html5/thumbnails/40.jpg)
With the Android app, it’s worse!
Weak protection for password: we can recover alarm’s phonenumber, password, delay, emergency phone...
Your credentials are at risk even if you erased the SMS!
Without the app, 1 security issue.With the app, 2 security issues !!!
Edited for public release - A. Apvrille 35/37
![Page 41: Mobile Applications: a Backdoor into Internet of Things? · 2016. 10. 7. · Photo credit:engadget Edited for public release - A. Apvrille 5/37. 3/5 ... Most IoT come with their connected](https://reader035.vdocument.in/reader035/viewer/2022071403/60f77d8b48a8b440be425708/html5/thumbnails/41.jpg)
Outline
How would YOU reverse engineer IoT?
A solution for AV analysts & software security researchers
Example 1: Connected toothbrush
Example 2: Sony Smart Watch 2
Example 3: House alarm
Conclusion
Edited for public release - A. Apvrille 36/37
![Page 42: Mobile Applications: a Backdoor into Internet of Things? · 2016. 10. 7. · Photo credit:engadget Edited for public release - A. Apvrille 5/37. 3/5 ... Most IoT come with their connected](https://reader035.vdocument.in/reader035/viewer/2022071403/60f77d8b48a8b440be425708/html5/thumbnails/42.jpg)
Thanks for your attention!
Thanks
Beam Technologies for providing a free user account for testingpurposes.Aurelien Francillon, Ludovic Apvrille and Ruchna NigamStudents: Axel Ehrenstrom and Soufiane Joumar
ReferencesI Fortinet’s blog
I FortiGuard Research
Contact
@cryptax - [email protected]
Awesome slides? Thanks! That’s LATEXLike the crocodile? He’s called Pico
Edited for public release - A. Apvrille 37/37