This presentation is called All Your Things Are Belong To Us. We are the Exploiteers. The link at the bottom would have been where you would find our slides right now, but it's not. So yeah, after this presentation hopefully you will find the slides there: dc25.exploitee.rs. So yeah, next slide. Does it work? Okay. Let's find out. Is this going to be my day? No? Nope. Okay. Cool. Good. Okay. So I heard you like slides. We put slides in your slides. Oh man. Okay.

So my name's Zenofex. I'm the founder of Exploiteers. I'm a senior research scientist at Cylance and I'm the founder of Payscript. In the back, you can't see, he's standing up waving his hands. He is CJ. He works at Draper. He does hardware and software exploitation of things. Right over here we have 0x00string, null string. He is a hacker, recreational bug user, senior research engineer. And then right over here we have Maximus. He is a recent graduate of the University of Central Florida and he is a master of the soldering iron in all things reflow. Just a little disclaimer: this presentation and these thoughts are ours and ours alone and they have no relationship to our employers. Next slide. Ding. Okay. Cool. That's going to get annoying, I bet.

So the other members: we're like a 12-deep group. That's why we have four on stage. That was the most we could get. So we have MBM. He's the co-founder of OpenWrt. His Twitter handle is @MBM, what was here or wash ear. We have Gynophage. He goes by gyno_LBS. He's the DEF CON CTF organizer. We have @nonstick, who is a boring corp sec dude. We have Saurik. He's the creator of Cydia. We have tdweng. He's our master software developer. And we have Cody Walker, who believes that the web platform is the best platform. Expected to hear some laughs. Okay. And then we have Ian, who praises our almighty internet overlords. Ding. So a little about us. I guess I'm the minority there. Well, we're the A-Team. Next. Ding. Okay. Cool. So we are the Exploiteers.
We were formerly known as GTVHacker, but we started out hacking the Google TV and then Google decided we don't need the Google TV anymore and our name meant nothing. So we switched to Exploiteers. We presented at Black Hat, DEF CON, BSides. Some of the content that you'll see today you could get more out of if you watch our Black Hat presentation. The material isn't the same at all, but we talk about eMMC hacking a little bit in this presentation and we did a whole white paper for Black Hat on eMMC interfacing. So what else? We released root methods for multiple generations of Google TV devices and other embedded systems. We did televisions, Blu-ray players, refrigerators. If you check out our wiki, we've got a whole bunch of stuff that we've hacked and databased. We also pushed for DMCA exemptions in jailbreaking smart devices. We pushed AN1. We got an exemption for jailbreaking set-top boxes. So that was really kind of a cool accomplishment for us. And we also maintain a network of sites documenting just a bunch of vulnerabilities, and they're community and group driven. So if you're looking for a safe place to put your research, we're happy to host it and give you credit for it. So you can visit our wiki or whatnot from exploitee.rs. Ding!

Okay. So the types of vulnerabilities and exploits you're going to hear about today, and maybe not hear about depending on if the slides work. We have UART bugs. These are pretty simple. It's a development interface. It's a universal asynchronous receiver-transmitter. It's normally just a four-pin grouping, maybe three pins, maybe even two because the ground's easy to find. And you can pretty much consider it a serial port. And some devices will just straight drop you into a root shell on UART. So you'll see a few of those. We promise not to overdo it. We've got a whole lot of remote stuff. Then we have JTAG, Joint Test Action Group.
We don't have a whole lot of these in our presentation, but it is good to know about if you're new to hardware hacking. It's another debug interface and it allows for full CPU access. It's often hard to find. You can get something like a JTAGulator. You can also get a JTAGenum sketch for your Arduino and be able to map out pinouts pretty easily. We do a pull and program on some of these, which is just: we pull the flash. Most of the time it's an eMMC. That's to either read or write in-chip and dead-bug mode, which means flip it onto its back and interface directly with the chip, or even just pull it off and get an in-circuit pinout so that we can publish something online and make it a little easier for you guys who want to replicate the work. Local file disclosure, that's essentially when we find a bug that discloses some information that, you know, you shouldn't have, maybe a Wi-Fi key or, you know, just some personal information, whatnot. And then RCE, remote code execution: payload execution without physical access.

Okay, so plan of attack. Generally what we do is we go after the hardware attack first. We had one device that we were attacking and it got heavily hardened on its first update, the update that the device received as soon as it came out. And from that point on we decided that going after UART and JTAG was something that we needed to do before we even got the device online, just so that we can test the manufacturer firmware. And so if you're trying to establish a process, I highly recommend you always look for UART first. In all this, you're always looking for a firmware. You want to get a firmware so you can find better bugs, remote bugs, you know, not the physical-access, wired bugs. We also reverse mobile and desktop apps. A lot of times you'll find firmware update code that will just lead you to firmwares that you can throw in Binwalk and be able to do a better analysis of the device. It's way better when you have a firmware dump.
We also sometimes man-in-the-middle network traffic. Again, we're just trying to get that firmware update, and then dump flash. If we don't get a firmware update, we don't have anything; we need code to work off of, and doing a black-box approach isn't always optimal. So our goal is always to find more bugs and to find better bugs. Ding! Let the games begin. Here's the good stuff. I'm going to hand this off to Khoa where he can get us started.

Okay, next slide. So this is the Tenvis T8810. It's an IP camera. It has pan, tilt and zoom functions. It's wireless and has two-way audio. Next slide. Oh! Okay, so when you open the device up, there's a UART port. You can wire it up to your UART adapter and it will show a Linux login prompt. We don't have the login for this device. So that's not going to work. But this one has a U-Boot three-second timeout. So you can interrupt U-Boot and it drops you straight into a U-Boot shell. From there, you can set the U-Boot argument to include init=/bin/sh. So it will drop you to a root shell when the device boots. Next slide. So while looking at this device, we found an interesting bug. So if you include a carriage return or a newline in an SSID, the device will crash, and even if you reboot it, it will continue to crash. The only way to recover from it is to use UART and clear out the SSID. Next slide.

So, okay, so Samsung security DVR. This is a four-channel security DVR. It's based on the HiSilicon chipset. It runs Linux and it has 500 gigabytes of storage. Next slide. So when you open the device up, there's a four-pin port. That's a UART port. You can interrupt to the U-Boot shell and then you can add init and console to the boot arguments. That will get you to a root shell. Then you can use it to explore the file system. Next. So while looking through the file system, we found a startup script. It looked for a DIAC 1673 file on a USB drive. So if you put a script there to spawn a telnet shell, that will get you root.
Next. So we did a quick search of DIAC 1673. We found a Samsung PDF. It's used for changing your MAC and the video type. So you put the DIAC 1673 in there with a config file, you plug it into the DVR and power it on, then the script will run and set your MAC address and the video type. Then it will tell you to reboot the DVR. Next.

So this one is a Samsung printer. It has a 600 MHz Cortex with 128 megabytes of RAM. It runs VxWorks, a real-time operating system. Next slide. So the first thing we did is we used a Reno and we dumped the NAND flash so we keep a backup, so in case anything goes wrong, we can recover it. Next. So we were messing with the firmware image and we found a section of it, a section of the firmware image that you can modify. So we modified a small piece of code in there to make the toner level read 100%. Next.

Okay. So Chromecast Gen 1. We already rooted this device back in 2013 and also helped with the second time. This one runs a Marvell 88DE3005 chipset. Next. So when the Chromecast was released, it came with a vulnerable bootloader. This vulnerable bootloader allows you to run any unsigned image. This one got patched in firmware version 12840. Then after that fail0verflow released a USB boot exploit. This one also got patched. So we got around this using a NAND programmer. So we use a NAND programmer and downgrade the bootloader to the vulnerable version. We use an STM32F4 Discovery board because it's cheap and it also has a NAND controller built in. And this device has secure boot enabled. Next. So to downgrade the bootloader, you wire up the NAND flash to the STM Discovery board. Then calculate the ECC. Then you erase and write the new bootloader to the device. So after this you can use our original exploit we released in 2013 to get root on the Chromecast. Next.

Okay. The Moto smart doorbell is a Wi-Fi connected doorbell.
It's used to stream video, two-way audio, and it has motion detection. We purchased this at five, two days ago. Next. So when you open it up and you look on the back of the board, there's a two-pin port. So you can wire up your UART adapter, and then it drops you straight to a root shell. So there's no step three. Next. Wow. Okay. So we looked at all the binaries in this device and we found a buffer overflow. So when you feed it a query string, a long query string, the device will crash and you can control the PC, the program counter value. Next. Okay. And Zenofex will continue.

All right, everyone. We're going to make it a little more personal. This feels a lot better. Okay. Cool. So, ding. Let's move forward. Okay. So the Western Digital MyCloud. This is a device that's pretty personal to me because I originally bought it to use and not to hack. But I can't put anything on my network and feel comfortable about it without giving it a good audit. So the Western Digital MyCloud is a network attached storage device. There's a bunch of different models. There's a Pro series. All the models you see there are vulnerable. Every device in the MyCloud series is going to be vulnerable to the bugs you're going to see. And we've already hacked this one once before. So let's go to the next slide. So a little bit about the hardware. It's an Intel Pentium N3710 quad-core 1.6 GHz processor. It's got four gigabytes of RAM and four bays. We're talking about this specific model, the PR4100, which is the one I purchased and use at home. So for the MyCloud series of devices we released about 83 RCEs earlier this year. And we just dropped it on Western Digital. So we dropped 14 pre-auth bugs. 13 of them were remote code executions. One was an arbitrary file upload, pre-auth. And the beautiful thing about this device is that the web directory, it's not SquashFS, it's not a packed file system. It's just ext3. You can modify it. You can just keep going.
So PHP shells get instant root. So then we had 70 post-auth RCEs. The thing about the post-auths was that they fixed all the pre-auth vulnerabilities one month after disclosure, a little more than a month for all the devices. But they didn't fix any of the post-auth vulnerabilities. I don't know what the thought process was behind that. But that's just what we observed. Next.

So we're going to talk about the first bug that we have here. It's the Western Digital MyCloud arbitrary file upload. We had released one, a similar bug, to them, full disclosure, a few months back. And this is just another one. When we had 83 bugs, it's kind of hard to dive super deep because you just keep finding more bugs. It took me a month just to write up the analysis because it was 84 different vulnerabilities and I wanted to make sure that I was pretty thorough. So in this particular one you'll see, it's PHP code. You'll see the $_REQUEST global variable with name and password and redirect URI on lines 29, 30, 31. Essentially with $_REQUEST it means it could be a cookie, it could be a GET, it could be a POST. So what this particular code does, the thing that you should notice in the snippet, is that it makes a request to this mydlink/mydlink.cgi script. And then it tries to compare the response to see if it has the auth status string. And if it does, and it notices that you're not authenticated, it's going to spit you out. But the thing is this file doesn't exist. So it 404s, it never matches, and this authentication code does nothing. So yeah, it's great. It's at the top of the arbitrary file upload. If this worked, theoretically maybe it would be some type of authentication, but I don't know where the mydlink portion comes in. Next slide. So here's where the actual file upload comes in. You can see that there's a $_REQUEST folder. So we can specify what folder the file gets uploaded into. Then it's a multipart file upload in PHP.
And so that global variable $_FILES gets filled in with the file name of whatever file you upload. So between specifying the file name and specifying the folder, you can write anywhere on the file system with any arbitrary name, with any arbitrary payload, pre-auth. And so if you see at the bottom, I have the PoC. We essentially just echo into /tmp/phpshell, hit curl with the multipart file upload with the PHP shell, and then you have a PHP shell that you can root the device with. So you want PHP shells? Because that's how you get PHP shells. Okay. Next slide.

So we found this other bug. And this bug is an authentication bypass. And how it works is there's this wto binary. And this binary, what it really is meant for, is it databases the user's IP and the session timeout. And they call this binary to reset the timeout and the IP, or set it or delete it or whatever is happening, log out, log in. And then they also use an isAdmin cookie or username cookie. Cookies are client supplied. So there's no real authentication in that portion. The isAdmin cookie, if it equals one, you're an administrator. They check the IP, they check that you're logged in, or that there's an admin account logged in from your IP within the timeout. But then they also check this isAdmin cookie, which is completely user supplied. They also check the username cookie. It could just be admin. It could be an actual username. And they use exec calls to essentially call this binary to reset everything. And the CGI binaries do the exact same thing with this wto binary. On the left you can see the arguments for it. Next slide. So what we do here is, and this is the network manager CGI, and this is where the vulnerability really comes into place. So their process is they check if the cmd GET variable is equal to cgi_get_ipv6. Then they check if the flag GET variable is equal to one.
If those are the case, they reset the wto timeout and the IP for the admin user to whoever is making that request. This is all prior to actually kicking the user out if they're not authenticated. So you just make this request and you are logged in. Your wto timeout resets, your IP resets. You get a 404 error, but it still resets the wto information. So next slide. So what we did is we took that authentication bypass. We took one of, actually any of, the 70 post-auth RCEs that we talked about earlier. And we teamed them together and you get root code execution. So yeah, they didn't fix the RCEs and it made it just that much easier for us to team an authentication bypass with one of the post-auth RCEs for a pre-auth RCE. You can see at the bottom we make the first request that resets the timeout and IP address. And the second request actually executes the payload. In this case it would be id. And just as a heads up, I don't think we mentioned this earlier, but the idea here is that at the end of this talk we're going to show a loop, not a loop, but a run-through of all the demos all together. We've got a special guest coming. We've got some stuff to give out. So we're going to have a lot of fun. So I recommend you stay till the end. Next slide.

Okay. And then we have this Vudu Spark. The Vudu Spark is a media streaming stick. It was only available from Walmart and walmart.com and it really only provides the Vudu streaming service. Next slide. This particular one, when you get it, it's a $20 stick. It's really cheap. It has a header for UART already. So you can just jam a wire in there. You can connect to the pads right underneath for the footprint of that header. And the top pin is ground. The second pin is TX and the next pin is RX. 57600, 8N1. Start it up. Instant root shell. Like Khoa said earlier, there's no step 3. Next.

Okay. And so then we have the Amazon Tap. This was Amazon's attempt at making an Alexa device that was portable.
And so the idea is you take this Bluetooth speaker around, you tether it to your phone and you have Alexa on the go. It's always online, always listening. It has about a 9-hour battery and it actually has secure boot, unlike the Echo or the Dot. Next slide. Within this device is a Freescale i.MX6. The secure boot implementation is implemented within U-Boot. It's a popular open source bootloader. It boots from an eMMC flash. So if all this fails, we really could have just pulled the flash, but there's a way easier way. It's full of glue. I assume just to make sure it doesn't rattle. It's really put together well for that. And we have a full teardown, and I think I fixed it also, as a full teardown to get you a good picture of the board. Next slide.

So here's how this one works. There's UART U-Boot output with no shell. There's kernel debug output, also no shell. And then there's TM30/TM26, which is TX/RX for UART. But again, we don't have a shell. What do we do? Well, there's this trick with U-Boot that if you ground the flash at the exact right moment, it's the DAT0 pin on the flash. If you ground the flash at the exact right moment, a lot of times you get dropped into a U-Boot shell. And from U-Boot, you can do what we call kernel hijacking, which is where you replace one of the kernel command line arguments with init=/bin/sh, and instead of the normal init scripts that happen when the device boots up, it runs init /bin/sh and you normally just drop into a root shell over UART. So in this case, next slide. If you lower the resistor to ground at TP27, you can see how I did it on the right of the picture, and you ground it during boot after U-Boot starts printing output, it drops to a U-Boot shell. And so then it's pretty trivial.
We can't read the environment variables just because I think it's some modified version of U-Boot without printenv, which is what we normally use to view all the environment variables. But we can still write to memory and execute code. So, next slide. All right. So now I'm going to pass it over to, is it? All right. Come on up, CJ.

Hey DEF CON, I'm 0x00string. How's everybody doing? Cool. All right. You guys want to see some more bugs? All right. So yeah, long time human, first time speaker. Good to be here. Glad to be in front of everyone talking about these bugs. We have the QNAP NAS, TS-131, 131 and 131P, and probably a few other models too. Most of the consumer models. They're network attached storage devices. They have a nice little Unix operating system on board. You can download apps from an app store, do things like music transcoding and video transcoding, like a little picture book thing if you want to directly access your NAS to go through a slide show. A lot of stuff like that. It runs a 1.6 GHz ARM processor. They're actually pretty nice little devices. It's good if you just need a NAS for your house. Next slide. So there's a couple of interesting services on the NAS. One in particular, and well, before that, just specifically, services that listen just on the network that don't have any authentication to access, just things that are forwarded out to the network, available on, as you can see, all interfaces. So one such service is the MyTranscode server, which is a video transcoding service. You can upload and specify video files to be transcoded from one format to another. And there's several different commands that you can issue to the service over the network without any authentication. Next slide. So one such command that you can issue is an RM file command. And the commands are issued in such a way that basically you specify a command string, which is a DWORD that specifies which command is to be executed, and then the parameters for that command.
So for the RM file command, you specify the DWORD to say which command you want to execute. And the first argument, and only argument, is the file path of the file that you want to delete from the video transcoding server. And so you would give it a DWORD, execute the command, the path to the file, and then a null byte terminator. So once you issue that command, it is passed to another function that does filtering on the file path that you provide. The filtering, as you can see in the bottom right of the slide, filters out things like spaces, bangs, dollar signs, anything that you would think would be good to execute a command with. However, they failed to filter out backslashes and vertical pipes in that function. So by issuing a command that contains vertical pipes at the beginning and end after an initial slash, to get past another check to make sure that it's a proper path, and a proper path apparently is any string that starts with a slash. So you issue a command to remove a file, backslash or forward slash and then a pipe, and then you can just execute any command after the pipe. So next slide. So you can see the format of the command there: the DWORD at the beginning, 0x01 followed by three null bytes, to execute the RM file command, a single slash and then, wrapped in vertical pipes, you can put any command you would like to be executed as root, and a terminating null byte. So you can see here at the bottom we have a PoC to curl a shell script and just pipe it right into bash, and you can put anything you want in there, a bash reverse shell, another file download, load a kernel module because it will let you do that, whatever you'd like, and just basically fire it off at that service and it will execute it as root. Next slide.

All right, next up we have the Belkin N300 Wi-Fi range extender. It's like a wall vampire range extender.
You plug it into the wall, you log on to its little open Wi-Fi network and configure it, you give it your wireless network credentials and it will extend the range of your wireless network. I guess it's for places like, if you've got a big house or a house with bathrooms in weird places where you can't get very good Wi-Fi coverage, you just plug it into your wall, set it up on your network and it'll extend the range of your network a little bit. So, starting off we just do a hardware root, just tear the bezel off of it and look around for headers and pins, anything we can get to the debug console with and see what it's doing behind the scenes while we do stuff in the network interfaces. So it'll drop to a root shell once you find the UART pins. I think we have a picture on the next slide, or maybe not, but it'll be on the wiki either way if you want to go that way, but you can skip the entire hardware root process at this point. After getting the hardware root, we went and pulled the firmware, looked around, looked through the web application files, and setting_hidden.asp, which is the file that you're directed to when you want to go set up a wireless network that's not broadcasting its SSID. That particular script, as executed by the CGI, doesn't do any sanitization or checking against any of the form parameters that you provide. The only sanitization or checking that's done is on the client side, so you can just bypass it completely and just throw in any kind of command injection. So just throw some semicolons and a command you want executed into any one of the parameters and it'll get passed to the shell when it does the wpa_supplicant commands to set up the wireless configuration. Doing that runs as root, along with every single other service and process on the device. And it makes sense. You're not really expecting anyone to be getting on here.
You don't really need to set up access controls for different users if it's a device that you never expect anyone to get a shell on in the first place. So any command you execute through that will execute as root. Next slide. Here you can see there were a couple of caveats as far as actually getting exciting commands executed. The BusyBox binary that's provided on the device is fairly limited. It's not really the standard BusyBox. So the best commands that you can do to get a callback or any kind of network communication off of the device would be wget or ping. So there's no telnet, no netcat, no telnetd even. So basically what you end up having to do if you wanted to get a shell back out over the network would be, similar to the QNAP payload from before, you would wget a payload onto the device, or you could also TFTP a payload onto the device, and then use the command execution to execute the payload at the path you downloaded it to. Doing that will also run as root, and here at the bottom you can see we have a PoC for that exact payload. wget and then echo A. That's about all it takes. Any one of these fields, these AAA, BBB, CCC, DDD, EEE, FFF, all of those, anywhere, just put your payload anywhere you want. Any one of these form fields and it will execute as root. Next slide.

All right, the Netgear WN3000RP Wi-Fi extender is super similar to the Belkin. Same thing. You plug it in, you configure it, it extends the range of your wireless network so you can get around bathrooms, or if you have a giant house and don't have 5 GHz Wi-Fi. So yeah, you plug it in and it runs a MIPS32 SoC and it's got an OpenWrt Kamikaze installation on it. Everything else is just sort of in a sys file. Next slide. So the UART is super easy to locate, right underneath the ethernet header.
So from the right side it's VCC and then over on the left is ground, and you just plug your UART adapter in there and boot it up and be patient and it drops into a root shell. You can execute telnet after it boots up and get a better shell over the network and have full access to your Wi-Fi range extender. Next slide. And there you can see logging in over telnet. They didn't change the login banner, so it's just OpenWrt Kamikaze, and the only user on the device is root once again. So no access controls, just a root user. Next slide. Yeah. All right.

The Linksys WRT1200AC. It's a really nice router. It's fast. It's got a 1.3 GHz dual-core ARM processor, wireless A through AC, and the firmware version for our bug is 1.0.5.177401, which as of the other day is the latest firmware released by Linksys. Next slide. So the bug here is post-authentication. You log into the device with your administrator credentials and you go to the file sharing section, and the file sharing section is set up to allow you to do DLNA, so if you wanted to cast something to a Chromecast or another media streaming device, or if you wanted to access your router for whatever reason over FTPS from somewhere else, or if you want to use FTP locally, or I think it also has SMB within the internal network as well. So you can specify a specific path within the file sharing path in the administrator section of the web interface for the router. However, the only sanitization takes place on the client side in JavaScript. So normally what it would do is, when you would go and try to do a directory traversal or an absolute path to something that's outside of where it's originally set up, it would give you an error saying that it's an invalid path and it would make you start over. However, if you just grab a valid request as a curl command and then modify the variables there, there's no verification or sanitization whatsoever on the server side.
So you can basically provide any path you'd like. Next slide. So here you can see a curl command where I have removed the credentials for my router, and you would have to put your own credentials in there. But as you can see here towards the bottom on the left, test user and password is admin. Yeah. And so you can provide a directory traversal string and traverse all the way back to the root directory. Hop on over FTP and then just drop some scripts into init or rc.d and have them execute as root when the device boots up again. So basically drop whatever script you want, whether it's telnet or adding a user to the password file or whatever you'd like, it'll get executed as root when the device boots up. Or if you just want to pull files off of the device after you get the directory traversal, first of all, you can do that as well. Next slide.

The LG BPM350 is a Blu-ray disc player and it also has Wi-Fi and apps and streaming things like that. It's one of the smart Blu-ray players. It's actually a pretty nice device. It's one of the few that I decided to keep after this. It's a pretty nice media player. I'd recommend it. It's pretty cheap too. So it includes a little app store and a few predefined apps that you can download right away, and then other ones that you can download from the store. And one of the apps that it comes preinstalled with is the Pandora Internet Radio app. The interesting thing about the Pandora Internet Radio app on this particular device is that it's one of the few apps that has sort of an execution chain to actually start the app up. So the first thing is a binary that gets executed that calls a shell script on the local file system, and that particular shell script will go through an if switch and check multiple file paths for the actual Pandora app to execute. It just so happens that that script will check the file paths for paths that are mapped to USB devices instead of the local file system first.
So it tries, for instance, sda1 or sdb1 before it will go and try the mounted block for the flash file system. So what you can do is basically just use the correct file name that it's looking for on the USB device, put whatever payload you would like in that shell script, plug in the USB device and launch the Pandora app, and it will execute your command as root. Next slide. So you can also set it up; it's really easy to grab the command to actually execute Pandora normally off of the file system. So you just throw that into the end of your command execution after you get a shell set up. Just a quick one: it even has /dev/tcp and everything in proc, so you can do a really simple bash reverse shell, get a shell onto the device and start Pandora so you can listen to music while you continue hacking. So yeah, if you just want to grab that slide, go pick one of these up at Walmart or something for like 40 bucks and you can have a nice rooted DVD player, take off all the region locking and everything and watch whatever you want on it. Next slide.

The D-Link DCS-936L Wi-Fi camera. It is a smart camera with a wide angle lens, 720p HD, built-in night vision and sound detection and motion detection. It's actually a pretty nice camera, not nice enough to keep, but it's really nice if you want one in your house, if you want that. The firmware version for the bugs we found was 1.02, 0.01. Last check a couple days ago, still good, no updates yet. Next slide. So one of the issues we ran into when working on this device was that the firmware updates are encrypted. RSA, I think it was 2048-bit encryption, so we were having trouble getting into the firmware to actually get a look at what the device was doing. We ended up finding some bugs in the web interface that we were able to use to get access to the device and pull the firmware off that way and figure out how it actually decrypts the firmware and updates.
So what it does is it does an AES encrypted, basically RSA key, and once it decrypts that it uses that key to decrypt a couple of different firmware blobs and then writes them onto the flash. So you can see here it's really just using system() to do OpenSSL encryption and decryption. So pretty easy to find when you're looking through the firmware to figure out how it's working. So we got that one worked out pretty quick. We haven't verified any of the other device models yet, but based on what we've seen it's more than likely that most of the encrypted firmware updates for the D-Link devices are going to be using this same key, which is on the next slide. Yeah, that one. So yeah, you run those two commands on the firmware file. You can just download it straight from D-Link's website. Run these two commands, extract the firmware and dig around for better bugs. That key, you can just copy that. You can skip those commands up there above, or the first one, and go ahead and just do the second one and use that key. You can write your own firmware encrypted with that key and it will upload it. Install it that way if you want to do a custom firmware as well. Next slide.

And the bug that we used to actually pull the firmware encryption key off in the first place was this post-authentication root command injection via arbitrary command injection due to improper sanitization. So like at this point with this device, it seems like you could go to like Best Buy or Walmart or Target or any of those stores and pick up like any given device that says smart on the box and just put like a command injection in the SSID field. And you'll get a fucking root shell. So yeah, that curl command right there, super quick. You just log on to the device. It will use default credentials when you first get it, and then you just shove whatever command you want to execute into the SSID field and it will execute it as root. Only one user.
So yeah, if you want to hack some cameras or media players, anything that says smart on the box, probably a good bet that the SSID field is going to be completely unsanitized and then just shoved right into a wpa_supplicant command, just executed as root. And next slide.

And the Lutron L-BDG2-WH Caséta smart bridge. It's one of the smart bridges for your house. Control your like smart power outlets, your smart blinds, your smart garage, smart cat, smart dog. All that stuff. You can control up to 50 devices, including smart cats and dogs and lights, thermostats, dimmers, all that stuff. Next slide. So once again, another UART interface, unlabeled, sitting on the board. You can see that there are three test pads there. On the farthest left you've got ground and then TX and then RX. Just drop some rosin on there and then tin the pads and then just put some magnet wire on it. You can get right on digging around the file system. You can pull off the applications that are included on the file system. Any kind of SSH keys, private keys, keys for communication with the external servers and all of that for the cloud stuff. Yeah, just drop right into a root shell, just solder onto it and get on. It's that easy. Next slide.

And change places. This is CJ_000. Howdy all. I'm disappointed that I left my scotch up here and not back there, because now I have a whole glass. But Amir, if you can advance the slides please. Oh, that's good. So first up, Vizio Smart TV. Specifically the P602UI. It's a 4K smart TV. It has all the bells and whistles for a year or so ago. Kind of cheap, no HDR, 4:2:0 chroma versus 4:2:2. For those in the audience who know, it's a big deal; if not, it doesn't matter. New TVs are better. Full-array backlit. The SDK has a different SoC for the 4K bits. Sigma system on chip, as I mentioned, which will be important later. And it's also a Yahoo Smart TV, which apparently was a thing for a while. Nobody uses it anymore. But it will be important. Amir, if you can advance please.
So first attempt when I got the TV, of course, I didn't want to just pull it apart, because my lovely wife would get kind of pissed off saying, why did you break the TV? So I bought a main board, and I will whore our Black Hat talk again. If you look at our Black Hat talk, we talked about extracting eMMC flash, reading data. From there we were able to read and write eMMC flash. So that way we were able to, as Amir talked about earlier, extract a lovely firmware, look through it, find all the little good bits, and go from there. We also added a back door for debugging purposes, because it wasn't, the kernel was signed, the file system was also signed, but there was an NVRAM partition that was not signed, which is used for persistence. So you can just drop a payload there and win. But that's not the fun stuff.

Amir, if you can advance, so there's a user manual feature. The user manual feature, after you got the firmware and dug through it, is actually an HTML page that's launched by a hidden Opera web browser. Not accessible, but it's there. It's used for like Netflix and Amazon and a bunch of different apps that are relatively useless. The user manual also has an update procedure. So I was like, hey, this looks interesting. Digging through it, it pulls a tarball down from an HTTPS server, there is certificate pinning, and it does a GPG check, so there's a signature check. Not really a great avenue, but I'm like, how does it download? There's a JavaScript command called sigma.exec, and it then runs a wget command, and I'm like, hmm, okay. So using that command, you can run any commands you want on that TV as root, and it will execute depending on where it is. You could potentially even do a man in the middle, which we'll talk about if we can advance to the next slide, please. So if we make a custom app, what we can do is some fun trickery. The Yahoo Smart TV development kit is still online and a thing.
You make a tiny app, and the app is an HTML file and an XML file, nothing fancy, and some JavaScript. There's a sample that I pulled and just made some changes. So you take that sample, you push it to their server, and then from the TV you can download it, and pretty much when you run it, it accesses a custom library called like libsigma-something .so. From that libsigma it parses things that used to be a whitelist of Amazon, Netflix, localhost, file, stuff like that. Now that's pretty much gone. But my thought is, if we make a custom app and we point it at a file descriptor, can we actually run JavaScript code as root? If we can advance to the next slide, please. So if we use that lovely URL command, we're installing an app with an XML file and referencing an HTML file inside of it to launch. So it's kind of like going to a home page on a web browser, but in a lovely built-in app with our lovely logo. So that's actually in the development store right now. That pretty much points at an HTML file that uses the same sigma.exec command to launch a telnet daemon on port 1337, and then root shell. Nice and easy. One app click, and there you go. So if we could advance to the next slide, please.

We've got some more devices and I've got to get through them kind of quick. So obviously I'm not James Bond. I can't even run. But say I want to spy on somebody. There's this Aobo smart cam that's on eBay. I'm sorry. Well, eBay, Amazon, your pick. 20 bucks. It's supposed to be great. If we could advance. So when you turn it on, it's got a little battery built in. It creates its own access point. Broadcasting in the clear. So, you know, no counterintelligence service or target would ever, ever find this. The AP also doesn't need a password. So you just directly connect to it. Not great. Nmapping it shows open FTP and telnet. At this point, I'm like, this is done. If you could advance, please. So I'm hoping at least there's a username and password on it. Username, yes.
Password, no. Log in with the username root. You've got the, you've got the camera. So if you could advance, please. Instead of James Bond, it's more like Spies Like Us, because they don't know what the hell they're doing.

So next up is the CUJO. It's a home security firewall designed to protect pretty much everything on your network from hackers, against Internet of Things and viruses and all the big evil scary things. It's 250 bucks and it's three pieces of plastic covered in all globs of glue. If you could advance, please. Literally had to break the plastic to get the main board out. Ripping, ripping, ripping. I guess this might be tamper evident to stop quote unquote hackers, or I have no freaking clue. If you could advance, please. The main board also covered in glue across a bunch of nice interesting pads. In the kitchen with an oven glove and a paint, a wallpaper heat gun, you can actually pull that glue right off. So it doesn't really do anything. And if you could advance, please. We've got access to UART on those pads. Same type of thing as the Amazon Echo. If you ground the eMMC data line, which is really tiny, you can't see, but the slides will be online. There are full-res pictures. You can then get, you can then get U-Boot bootloader shell access and read and write memory to your heart's content. We're working on building that further to get the file system out. This was my last weekend. Could you advance, please?

Vera Edge, smart home controller, home automation hub, you know, light stores, thermostat, all that jazz. Please advance. There's a local file disclosure bug with the store_file and get_file.sh. Pretty much you call store_file.sh and then get_file.sh. store_file.sh creates a file, creates a folder in the right spot, and then get_file will let you pull something using directory traversal, as you can see in that second curl. And we're specifically targeting /etc/cmh/cmh.conf. Could you advance, please?
So from there, we just got, it's a simple bash script, nothing crazy. We call get_file.sh to pull /etc/cmh/cmh.conf. We pull down a thing with the SSID and password, which is also printed on the box. So, you know, they're better than it's on the box, but whatever. Fun fact, that password is also the same password for the SSH root login. So you can grab the password nice and easily by just running this all pre-auth, which this hasn't been released before, nor have the rest of these. If you could advance, please?

And the last two, and I'm going to be quick about this because we have a special guest coming up. It's a smart speaker, Wi-Fi, you know, Pandora, iHeartRadio, Spotify, has an Android app. Could you advance, please? We reversed the Android app, and I say reversed because, you know, simple tools, it's Java. Found the update procedure, queried the update server, got the firmware back, as Amir was talking about earlier. From that firmware, we identified a potential vulnerability in root app. The iwpriv was just passing commands, was being executed with %s, which is for a string that is being passed right to system(). Great thing to check for, not escaped, not anything. And that can be actually accessed pre-authenticated through the HTTP API. If you could advance, please? Here's the curl, you see /usr/bin/telnetd, /usr/sbin/telnetd, which is the thing going. Now we have root on the device, again, pre-auth. This is on the internet, it gets popped. Could you advance, please? So that had me thinking, this was another Fry's trip, Cobblestone Wi-Fi audio receiver. Apparently it's the same thing, but without a speaker and considerably cheaper. Thank you, sir. Could we advance, please? Again, Thursday went to Fry's, Las Vegas, super great for last minute things, although we spent like three hours there because too much time in Fry's. Need to confirm a hypothesis. The thing did have a telnet server with the username admin, password admin, that's not the important part.
If you could advance, please? Same exact exploit worked, different manufacturer. So that confirmed the hypothesis. If you could advance, please? Same bug, different manufacturer, as I said. It's part of a turnkey Wi-Fi solution called LinkPlay. That's the link to all of the, after we reversed the app, reversed. All of the firmware is in there. 96 unique models, seven hardware revisions. Many appear to be affected by this remote code execution. There are 35 products listed on the LinkPlay, we move page along. If you could advance, which encompass all of these, we haven't bought them. We're assuming most of them are vulnerable. Not really sure. But now I'm going to hand it back to Amir, if you could advance the slide, please? Because we have some freebies.

All right, everyone, yes, so we have some freebies and we're not, so here's the thing. We got a ton of them. I'm going to explain to you what they are real quickly. We're going to give them out while we are showing our roots. And so that's the plan. Yeah, we got a special guest. What I want to do is let's get everyone to start chanting Dual Core so we can get him to come up here, do a little rap, and really make our Exploitee.rs show. So I got some free stuff. I got some free Dual Core CDs. I got some free boards. First of all, the boards, before we start chanting, we have these eMMC boards. What they do is they allow you to communicate with eMMC flash with its little five pins through a standard SD card reader/writer. We have a white paper for it. You can go look it up. It's from Black Hat this year. We have, you know, probably roughly 2,000 of these. We have some Exploitee.rs stickers in the CDs. We will just be walking around handing them out. Try to give Dual Core some attention. I know you want freebies, but he's awesome and he's agreed to come out and do some stuff for us. So let's go ahead and start chanting Dual Core. Let's get this guy going up here. Come on. Dual Core. Dual Core. Come on. Dual Core. Come on.
Come on. Dual Core. Dual Core. Come on, buddy. Dual Core. Dual Core. Yeah, boy. The nicest guy ever. Nicest guy ever. Make some noise for Exploitee.rs. They truly hack all the things. My name is int80. I'm the rapper in Dual Core. I'd like to play a song called All the Things. We're going to rap, drink all the booze and hack all the things. Ro 64 can hack into NASA. Pump it up. You can make it go to 11. Here we go.

Yo, even now settle scores quick. Our disaster recovery requires even more dis. Put your bytes up. Prove it or you fall. They got my C64 when we blew it in the orbit and bikes and with eight straight perfects over all emotions make hate break circuits. In case you heard it's a name fake service. Optimize our run time to escape verdicts. Got it in just no flow that they can't sign. Passing code. Sanitize command lines land mine. So before they'll see me after I'm advised our courage will plus velociraptor. Don't prove we're human unless we really have to. My team built schemes to destroy recapture hate what they see. Finish this chapter by the way. We're not any geeks. We hack into NASA. We drink all the booze. Drink all the booze. Drink all the booze. Got this by chemist Red Bull. They still give me wings. So we drink all the booze. Drink all the booze. Drink all the booze. Zero through three. We're in every single ring.

Yo, I'm just waiting till my BlackBerry dies because I'll replace it with the Raspberry Pi. Don't compare to this track. It makes everything they said. Don't neutralize any threat. Turn Red Skull to Dev. No, they killed virus writers that we mentioned. But instead they ascended to the VX heavens and reincarnated as live wires. Still inside behind ciphers and signed device drivers. Which school will we hit next? They didn't want the format. So we've got a printf. Next step is a chin check. Freestyles that are fit best. They didn't decrypt yet. Crushed internet MCs and mind battles. Get your Wi-Fi tackled, Hak5 Pineapple.
I don't think you'll like my Snapple, because I popped it with vodka and a cyanide capsule. Make some noise for Exploitee.rs. Here we go. We drink all the booze. Drink all the booze. Drink all the booze. Got this by chemist Red Bull. They still give me wings. So we drink all the booze. Drink all the booze. Drink all the booze.

You know there's going to be security, right? First we drink all the booze. Then hack all the things. The back door, the firmware on anything you bring. Regardless of the hardware, service or encoding connected to the internet. Someone's going to own it. This is for the pirates to clap and love the sound. Attack it from the cloud. Then we're back in underground. There's no masking from us. Now we pop Tor nodes around the globe. Track and hunt you down. Hacked on schedule. Add it to your calendar. Devices online. Here comes another challenger. State infiltrated. So undercover. This is for my comrades who stare at dirty buffers and trace every buffer. Examining the code flow. Haven't been to sleep. Pop another NoDoz. Think I need a planet-sized urn. Because some men just want to watch the world burn. Your turn. Here we go. We drink all the booze. Drink all the booze. Drink all the booze. Got this vodka and this Red Bull. They still give me wings. So we drink all the booze. Drink all the booze. Drink all the booze. Zero through three. We're running every single ring. I mean, these servers have more firewalls than the couple's spectrum.

Hack all the things. Everybody hit up Exploitee.rs. exploitee.rs. Download the white papers. Get the code. Get 0days. Get shells. My name's int80. I'm the rapper in Dual Core. I love you guys. Have an awesome, awesome DEF CON.