[unintelligible; the opening of the transcript is garbled] ...as some really interesting hardware to play with. So, you know, what we're trying to show you is that although that is the case for the few sort of minor security additions, it's just good... That's much better. That being said, as this article will agree with me, if you do invite one of these into your home, you're probably a little bit mentally deranged. So, why are we actually looking at these monstrosities in the first place? I work for an information security company called Context. I'm on their research team, and we were hired by Which? magazine to have a look at IoT toys in general. [unintelligible]
[unintelligible] ...a toy that was being sold for £32. That value has since changed significantly since we did the work, but when we did it, that's how much they were going for. And it comes with an accompanying app, as many bits of IoT rubbish generally do these days. This is the Furby Connect World app in the Android store; you can also get it for iOS, and that's what you use to play with the toy. So what does that look like? Here is a little clip. Hopefully that is displaying. We haven't got any sound for this, but that's fine. [unintelligible; the Furby Connect promotional video plays] The Furby Connect World app connects over the internet, via Wi-Fi or a 3G connection, to the Hasbro servers. [unintelligible]
[unintelligible] We were less interested in that, because it meant that if we were attacking the Wi-Fi side of things, it's a little bit circumstance dependent: it depends what the target's Wi-Fi setup actually is. Instead we looked at the Bluetooth connection. That is very much between the app and the toy, and it would be the same in every setup.

A quick overview of how Bluetooth works, if you haven't encountered it before. When your device turns on its Bluetooth radio, what it does is advertise a number of services. These are logical groupings of things called characteristics. You, as a person talking to this device, read and write data to those characteristics, and the services are logical ways of grouping them together. If you had, say, a Bluetooth speaker, you might have one service that you write to to send audio to it, and another service you interact with to control volume and that kind of thing. All of this together we refer to as the GATT profile, and that's your device's Bluetooth footprint. If you'd like to go out and have a look at some GATT profiles, you can do that really easily. This is the nRF Connect app, which is available for iOS and Android. It's published by Nordic Semiconductor, who make a lot of Bluetooth radio devices. You can download it to your smartphone or tablet and just start scanning stuff and see what GATT profiles look like. Here is the GATT profile for the Furby Connect. It's quite complicated. Don't worry too much about all of the words there. We're just going to look at the services, which are these guys. It's a good place to focus your attention.
What's really great about looking at services is that every service has a unique identifying string, a UUID. You can actually look these up to find out what services your device is offering, even if you haven't seen it before. These first three are all quite generic. Most devices will have these. They tell you a little bit of information about what the device is, roughly what firmware it's running, its serial number, things that we're not super interested in as an attacker. Possibly you might be, but generally it's not super helpful. This next service has a UUID which identifies it as the Nordic nRF51 DFU, that's Direct Firmware Update, the over-the-air firmware update service. Great. Now, there are two versions of the service. The first one supports signed firmware updates, which means that you, as a developer, can sign your firmware updates and push them to the device over Bluetooth; if your signature is verified as correct, it'll flash it, and if not it'll throw it away. And there's an older version which doesn't do that signature checking. This is the older version. We actually didn't end up looking at this particular service, for a number of reasons. I won't get into that now because I think we are quite short on time, but if you'd like me to talk about it later, you can ask me after the talk or ask a question. That's also fine. The one we looked at instead was this service over here, this Fluff service. That sounds interesting. You can see there are loads of characteristics under there to play with. So what's going on there? Thankfully, a very nice German computer science student by the name of Florian Euchner had already done quite a lot of work looking at this. This is Florian playing with the nRF Connect app, and actually getting the Furby to do some quite interesting stuff. You can see here he sends the byte DB to the Furby over its Bluetooth connection,
and that causes it to display a debug menu in its eyes, which is really, really helpful for us to figure out what's actually going on under there. So we'll just show him doing that, sending the byte, and we should see the debug menu. Great. So nice work, Florian. He wrote the whole thing up. His documentation is fantastic. It's called BlueFluff. Look him up on the internet.

So, armed with Florian's excellent documentation, we were able to figure out a bit more about what was happening with that Bluetooth connection. What we observed is that the Furby Connect World app was downloading a DLC file, some kind of file, from those Hasbro servers to your smart device, and then pushing it to the Furby over that Bluetooth connection. So naturally we were quite interested in seeing what's actually inside that DLC file. And it turns out it looks like this. It's just a blob of stuff. This is in a hex editor. I'm sure some of you are familiar with looking at things like this. On the left you've got bytes displayed as hex, and on the right you've got the ASCII representation where that's possible. Now generally, when we're looking at a new file format, it's quite good to start at the beginning. That's where parsers will start when they're trying to read it, and you can look for things like file signatures. So if we have a look at the beginning of our file, just here, that's it a bit bigger. At the very top there, hopefully you can see the letters F-U-R-B-Y, right? So this is a Furby file. They've got their own file signature. That's kind of cool. But it's also a little bit puzzling, because it means that it's not really a file format that we know about, this Furby file. So a lot of this project was going to focus on trying to figure out what actually went into this DLC. Now you can also see, hopefully, in this header what looks like a number of strings of letters with dots between them. The reason there are dots there is that these are wide characters.
They're 16 bits wide, so you have a null byte every other character to pad things out. If we just strip all those strings out and recombine them, what we get is something like this: what looks like a bunch of filenames. That's really interesting. Now thankfully, we were able to recover more than just one DLC from the Hasbro servers. We were actually able to recover a number of them and pull out all their strings as well, which look a little bit like this. And these all look a little bit like filenames. That's kind of cool. Now Florian actually did one more thing. As well as looking at the Bluetooth and documenting all that stuff, he had a rough look at what was inside these DLC files, and he pulled out something that looked a bit like this. I think he was trying to look at roughly where different byte ranges were, and pulled out what looked like images. These are like cartoon graphics. There's a flame in the middle there or something. Now if we have a look back at our promo video from earlier, this is a bit later in that video. You can see the Furby can actually show graphics in its eyes. You can hopefully make out a little chilli character there with some fire coming out of its mouth. And I hope it's not too much of a jump to see that possibly those sprites that Florian pulled out of the DLC might be that image. So that's kind of cool. Now we didn't find that image in all of the DLCs we looked at, only this one actually, this one on the left. And curiously, that DLC had a few extra filenames. It's those three at the top. So we thought, well, maybe these filenames are somehow involved in the image. So at this point we can start guessing: maybe those extensions tell us what kind of image data is in there.
And it's hopefully not too much of a jump of extrapolation to say that maybe PAL might stand for palettes, SPR for sprites and CEL for cells. Those are all kind of image-sounding words, right? At this point we're very much just trying things out and guessing, which is very much what you have to do at the start of a reversing project. Once you've got the idea that maybe these six file extensions tell us what is in these files, we can do it for the rest of them too. So maybe the LPS section controls what the Furby's lips are doing. Who knows? The one that really caused us some problems was this guy in the middle, this XLS file. Is there an Excel spreadsheet in the Furby DLC? That seems a little bit strange. So we figured that probably isn't a spreadsheet. Instead it's probably the execution list, XLS, which sounds really, really good. As attackers we generally want to go for things that have the word execution in them. They're generally good things. We actually had a look at that. It was very, very complicated. So instead of going in and trying to reverse that straight away, we started by looking at this section. Generally when you're reversing anything, it's quite good to start with the small parts and build up to the more complicated parts. So we thought this might contain some Furby audio data. Now under the hood, the Furby is using a Generalplus, I can't remember the name of the processor, but it's a 16-bit low-power processor with a strange kind of instruction set. And it has its own encoding for audio. Now thankfully Generalplus published their audio encoding tools, so you can actually grab a copy. And what this will do is, if you hand it a WAV file, it will encode it into Furby audio, this A1800, and hand you that audio back. Now unfortunately we don't want to encode our own WAV files to Furby files. We want to take our Furby files and convert them backwards to WAV files.
So of course the first thing we did was rip apart this tool. And we found inside there this A1800 DLL. It exports these functions over here, which are kindly labelled for us, and you can see there's a dec and an enc function in there, which are possibly decode and encode. That sounds like what you'd call those functions, right? We've got encoding working; the tool does that for us already. So we had a look at the dec function instead. This is the dec function in IDA Pro, and you can see at the top there I've circled the function's arguments. Hopefully you can see this is just pseudocode, a representation of what that function does. So the first two arguments to this function are strings of characters, and you can see where they're used. The first one is used in that second location there, at an fopen which opens in read mode. And the second argument to the function is used at that third location there, where it's also passed to fopen, with write mode. So what this function is doing is opening one file to read from it, and opening another file to write to it. So that's probably going to be our WAV in, or our Furby audio in, and our audio out, right? So we just used the Python ctypes module to write a little wrapper around this DLL and then call into it. And suddenly we could make our own Furby audio, which is great. So at this point we could control the Furby's audio and also read from that DLL to get audio out. Once we figured that out, we moved on to the next logical place to look, which is this playlist section. Probably that will tie some of these audio clips together. It turns out it did. It was very much just a simple linked list of indexes into that section. And we saw this theme time and time again throughout the file. If we want to have a look at how this audio fits together, this is a little diagram, a very simplified diagram, of what the file is doing.
You can see that AMF section, which is in yellow, is pointed into by the APL, the playlist section, which is like indexes into that. The SEQ section contains pointers to which playlists you'd like to play. And that XLS section we talked about earlier points into the sequence section to tell you which sequence will be played for which Bluetooth command. So at this point we can get our Furby to play whatever audio we like. So we had a very interesting week in which I played this song quite frequently to our office, I think to many people's disdain. But yes, that was good fun.

We weren't done at this point though, because while we had control of the audio, we still wanted to get control of the Furby's eyes. Now, this required a bit of guesswork. I'm going to show you some parts from that SEQ section. That's over here. And these correspond to these eye animations. These both involve a flashing yellow exclamation mark, which hopefully you can see at the top there, and you should see at the bottom there just now. Now we figured out that these SEQ strings of words always ended with a zero, like a terminator, and always started with hex 2000 or hex 3000. It doesn't really seem to matter which one. We weren't super interested. It was some sort of way of saying, this is the beginning of a sequence. The next word we figured out was a pointer into that playlist section, so it would tell you which playlist of audio would be played for a particular sequence. And this third word here, we figured out, pointed into that MTR section you might have seen earlier, which controlled how the Furby would move for a particular sequence. That leaves a whole bunch more words to figure out, things to play with. And there really isn't anywhere else that the Furby's eye animations could be controlled from. So these words had to tell us how the eye animations were happening.
If we have a look at the first one here, that's our sequence A, which corresponds to this eye animation over here. If you look carefully, it's actually not just one eye animation. It's actually made up of, I think, three distinct sequences, which you should be able to see here, and these feed into each other one after the next. We've got a little up-to-the-right, we've got the exclamation mark and the exclamation mark. If you have a look at the words at the top there, I've highlighted three words that all start with hex 8000, which is kind of interesting. Maybe those 8000 words correspond to different eye animations. Crucially, the one in the middle there is 8068. So if both these sequences have a flashing exclamation mark in them, we should see it in the second sequence too. So let's have a look in sequence B, and we can already see there's an 8068 in there. Let's see if it corresponds to an exclamation mark. Hopefully we can see the second part of the animation is an exclamation mark again. Great. So our hex 8068 is likely to refer to exclamation mark animations, and that first word might refer to that wobble left or right we can see there. So we have a bit of confidence now. Maybe these words are referring to parts of animations. So what we should be able to do now is take an arbitrary bit of eye animation, here we've got two bulges and an exclamation mark, and predict that we'll see two matching words followed by that hex 8068 in the sequence. These GIFs take a really long time to load. That's exactly what we see: two repeated words followed by a hex 8068. Great. So I think we should be confident now that we've figured out how the eye animations are working. Now the problem here is that all these hex 8000 words pointed to animations that were already in the Furby's internal memory. What we wanted to do was point them at memory that we controlled, so memory in that DLC file. And the only eye animation in there was that chilli.
Unfortunately we found out that it wasn't possible to trigger the chilli from any Bluetooth command we sent the Furby. It looked like it was something they added to the toy for the promotional video and have since removed. But we thought maybe it's still in there in some way, just not triggerable. So what we did instead is we gathered up all the SEQ sequences we found, made a subset of sequences which weren't triggerable from Bluetooth commands, and then pulled out all the hex 8000 words that were in them. And what we found is that was actually quite a small subset. It was these guys. You can see there's one that stands out like a sore thumb. It's the second one there. It's not a hex 8000 word, it's a hex 8400 word. So that looks quite fishy already. So then what we did was take that word and overwrite it over all the different hex 8000 words in the Furby's memory, and lo and behold we found it would quite happily play back the chilli for us. Excellent. So at this point we have control of some memory and we're able to trigger the Furby to play back that memory for us. The last thing we need to do is figure out what we need to write to that memory. Florian had done some work on figuring out where that information was stored, but not necessarily how to decode it. These images were actually pulled out of the CEL section, so let's have a look there first. This is what the CEL section looks like. There's not much structural information there for us to play with, but you can see a repeated pattern, hopefully. You can see a lot of A's repeated over and over again. So let's look a little bit closer. What you should see here is that this is actually periodic in three bytes. We're seeing 0, 4, 1, 0, 4, 1 over and over and over again. You could also say this is actually periodic in nibbles as well, so you're seeing 0, 4, 1, 0, 4, 1 over and over again.
If we have a look at what that looks like as binary, that's this number: 0b 000001 000001 000001 000001. Which looks like it's periodic in six bits. So maybe this is a bunch of six-bit numbers packed together to save space. That makes sense. If we're seeing 1 over and over and over again, that's likely the background colour. Now, a lot of images, like bitmaps and that, store the colour information for a particular pixel at that location. What we saw earlier is that this Furby is likely using palettes. So rather than storing the colour information at the pixel, it'll store an index into a palette saying, I'd like to use that colour for this pixel, please. So let's have a look at our palette section. Not really much information in there either. So the way that we figured out what was going on here was by doing a little bit of quite simple maths. Please bear with me. This isn't scary at all. What we already know is that each pixel has a six-bit index which points to a colour in a palette. With a six-bit number you can express 64 different values, so we know that every palette has to be about 64 values big. The length of this palette section is hex C100. So if we know the length of the palette section and we know how many palettes are in it, we need to figure out some number that is the size of a colour times the number of palettes in the section, and multiply that by the number of colours in a palette to give us the total length. Hopefully that makes sense. So if we divide the total length of the section by the number of colours in a palette, we should get this number, which is the size of a single colour times the number of palettes in the section. We can factorise that in lots of different ways. One of them is we can say 48 is 4 times 12. That would say 12 palettes, each of them containing a four-byte colour. That's great. RGBA, hopefully we've all encountered this before.
It turns out if you try to decode the information that way, it just doesn't work. Things come out looking very, very strange. You get lots of flamingo pinks. Another way you can factorise it is as 3 times 16. That sounds more sensible. That would give us RGB colour, so just three bytes per colour. But that didn't work either. What we were observing is that the Furby was actually using some kind of transparency layer, and RGB doesn't describe transparency, so this was never going to work from the outset. Another way we could factorise it is as 2 times 24. That would give us 24 palettes with two-byte colours. Two-byte colour is kind of strange. We hadn't encountered that before, but it turns out that's exactly what was happening. It's an old way of describing colour that uses two bytes. Two bytes is 16 bits: that's five bits per colour, RGB, and one bit of transparency. By juggling those colours around a little bit, just to figure out which channel was which, we were able to decode the images in the DLC and pull out these sprites, which we could then recombine to make the Furby's chilli graphic again, which is this guy. Great. If we can pull the graphics out of the DLC, we can also put our own ones back, which of course we did straight away, and we'll be doing that live in a second. Don't worry.

This is just to round up. This is a bit of an overview of how the DLC fits together, which sections point to which other ones. You can look at this on our GitHub. It's not really important for right now. So Which? really liked all this. They were really happy with what we did and they made a little video about it. There's a bit of audio here, but don't worry too much about it. That's Mr Which. He's saying you can hack a Furby. "The Furby is going to be one of the most popular Christmas toys. But how safe is it? Could you use a mobile phone to hack it? Yes, yes, you could. If you have..." So Hasbro are the current manufacturers of the Furby Connect.
We wrote to them telling them our findings, and this is their response. Sadly it's not quite as positive as we would have hoped, but they did at least respond to us, which is marvellous. A couple of bits really stand out here, these two highlighted sections. "There are a number of very specific conditions that would need to be satisfied", if you're not subscribed. Really? You'd need to be within range of a Bluetooth connection. So not really too specific. The other part that stands out is "a tremendous amount of reverse engineering would be required" to reverse the product. Not really understanding the fact that you need to do this once. Once it's done, it's done. So you do the work once and then anyone can do this at all. So what we heard was: hacking Furbys is hard, please make it easy for us. So we pulled together this wonderful... It's a web page that you can use. You can actually use this web page to hack your Furby. It all runs offline. I've got a copy of it running here. I'm going to try and do a demo now. This might not work, but please cross your fingers.

So I have a victim here. This is going to make some really annoying noises. Just... It's how you wake them up. Okay, he's booting up. What we can do in the meantime is I can use my app to have a look for Furbys within range. I do this by clicking on connect. I turn on my Bluetooth. That would help. Okay, you probably can't see this at the back, but I've found one Furby within range. Thank you everyone for having your Furbys off. This is why I asked you to turn them off. They're all called Furby, so I wouldn't know which one to go for. So let's connect to my Furby. And I've paired with him and I'm connected now. Now what I can do is pick a DLC file to upload. We're going to go for the hacked logo, and I'm going to click on upload. And hopefully... Come on, buddy. Okay, I'm going to try again. That didn't work. Okay, we're connected again. I'm going to try and upload the logo. No luck.
We'll try one more time and then we'll call it a day, I think. Okay, no such luck, unfortunately. The demo gods won't smile on us today. But if you'd like to play with our code, this is all available on Context's GitHub. I think the code for making DLCs is on Context's GitHub, and Paul Stone's GitHub has the web page that you can play with. If you've got Furbys, please download it and have fun making your own DLCs. It's great.

Okay, so we'll just quickly round up. Aside from the cool demo that could have been, why should we really care? I mean, this is only a kid's toy, right? What does it matter if it gets hacked? So, one thing which I hope you can take away from here is that, although we're not really running code or getting a root shell, the way that you approach this is very much the same way that you do exploit development for a normal kind of target. We've identified some attack surface there, that DLC file coming in. We've made some crafted input that we then pointed execution at, or video execution at, to take control of the target. It's exactly what you do when you're hacking a binary. Hopefully you've also seen that reversing is not all IDA Pro or radare. You can actually do quite a lot of really good reversing in a hex editor without specialist tools that cost lots of money. So please go and do lots of awesome reversing. And lastly, as I'm sure every IoT talk will reiterate, connected devices continue to be vulnerable, manufacturers continue to be difficult to work with, and things continue to break. So please bear that in mind when you buy devices and/or try and attack them. Thank you very much for listening to the talk today. I really hope you've enjoyed it. That's my Twitter. Please say hi. If you want, I can take some questions as well.

Hello. Can you give it malicious audio files as well, or just the...
Was it just the eyes where you could specify whatever you wanted?

Sorry, could you just repeat that one more time?

Like, the Furby makes noises, right? So could you inject your own audio in there as well?

Brilliant, yes. The question was, could you inject your own audio? Yeah, absolutely. So Florian actually did some work on trying to patch his own audio into the DLC, which he did successfully, and we were able to improve on that. So when the demo would have happened, you would have heard the Furby talking as well as playing graphics. With a bit of extra work, you could also control the mouth movements and actually the motions the Furby does too, but it's all possible. Yeah, thank you.
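The DLC reverse engineering the talk walks through, as an added example that is not part of the transcript and is not the speaker's, Context's or Paul Stone's DLC tooling: a small Python decoder for the pieces the talk actually describes, the FURBY file signature and the wide-character filenames in the header, the palette-section factorisation, the six-bit packed indices in the CEL section, and 64-entry palettes of 16-bit colours with five bits each of red, green and blue plus one transparency bit. Everything the talk does not state is an assumption and is marked as such in the code: the bit order of the six-bit packing (MSB-first), the channel layout of the 16-bit colour (alpha in the top bit, then R, G, B), little-endian palette words, all of the sample header, palette and CEL bytes, and a palette section length of 0xC00, chosen so that 0xC00 / 64 gives 48, the figure the talk factorises as 4 x 12, 3 x 16 and 2 x 24.

```python
# Added example: toy decoder for the parts of the Furby Connect DLC format
# that the talk describes. Not the talk's code and not Context's or Paul
# Stone's tooling. Facts taken from the talk: "FURBY" signature, UTF-16
# filenames in the header, 6-bit palette indices in the CEL section,
# 64-colour palettes of 16-bit colours (5 bits each of R, G, B + 1 alpha bit).
# ASSUMPTIONS (not from the talk): MSB-first bit packing, the exact channel
# order of the 16-bit colour, little-endian palette words, and all sample data.
import re
import struct

MAGIC = b"FURBY"
COLOURS_PER_PALETTE = 64      # a 6-bit index addresses 64 entries
BYTES_PER_COLOUR = 2          # 16-bit colour, per the talk
PALETTE_BYTES = COLOURS_PER_PALETTE * BYTES_PER_COLOUR


def header_filenames(blob, min_chars=4):
    """Check the FURBY signature and recover the wide-character (UTF-16LE)
    filenames: runs of printable ASCII where every other byte is NUL, the
    "dots between the letters" seen in the hex editor."""
    if not blob.startswith(MAGIC):
        raise ValueError("missing FURBY signature; not a Furby DLC")
    pat = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_chars)
    return [m.group().decode("utf-16-le") for m in pat.finditer(blob)]


def palette_layouts(section_len, colours=COLOURS_PER_PALETTE, max_bytes=4):
    """The talk's factorisation: section_len / colours_per_palette equals
    (bytes per colour) * (number of palettes). Return every split with a
    plausible colour size; the decoder below uses the 2-byte one."""
    if section_len % colours:
        raise ValueError("section length is not a multiple of the palette size")
    n = section_len // colours
    return [(b, n // b) for b in range(1, max_bytes + 1) if n % b == 0]


def unpack_6bit(data):
    """Unpack a byte string into 6-bit values. ASSUMPTION: fields are packed
    MSB-first, so the talk's repeating bytes 04 10 41 become index 1,1,1,1."""
    out, acc, nbits = [], 0, 0
    for byte in data:
        acc = (acc << 8) | byte
        nbits += 8
        while nbits >= 6:
            nbits -= 6
            out.append((acc >> nbits) & 0x3F)
            acc &= (1 << nbits) - 1
    return out


def colour_from_word(word):
    """Decode one 16-bit palette entry to 8-bit RGBA. ASSUMPTION: alpha is
    bit 15 and R, G, B occupy bits 14-10, 9-5, 4-0; the talk only says the
    channel order was found by juggling the colours around."""
    alpha = (word >> 15) & 1
    r, g, b = (word >> 10) & 0x1F, (word >> 5) & 0x1F, word & 0x1F
    scale = lambda v: (v << 3) | (v >> 2)   # 5-bit -> 8-bit, 31 -> 255
    return (scale(r), scale(g), scale(b), 255 if alpha else 0)


def load_palette(pal_section, index):
    """Return palette number `index` (64 RGBA tuples) from the PAL section.
    ASSUMPTION: little-endian 16-bit words."""
    words = struct.unpack_from("<%dH" % COLOURS_PER_PALETTE,
                               pal_section, index * PALETTE_BYTES)
    return [colour_from_word(w) for w in words]


def decode_cel(cel_bytes, palette, width, height):
    """Turn packed 6-bit indices plus a palette into rows of RGBA pixels."""
    idx = unpack_6bit(cel_bytes)
    if len(idx) < width * height:
        raise ValueError("CEL data too short for %dx%d" % (width, height))
    return [[palette[idx[y * width + x]] for x in range(width)]
            for y in range(height)]


# --- constructed sample data (not from a real DLC) ---
SAMPLE_HEADER = (MAGIC + b"\x00\x00\x00"
                 + "flame.cel".encode("utf-16-le") + b"\x00\x00"
                 + "fire.pal".encode("utf-16-le") + b"\x00\x00")
# palette 0: entry 0 transparent, entry 1 opaque green, entry 2 opaque red
SAMPLE_PAL = struct.pack("<64H", 0x0000, 0x83E0, 0xFC00, *([0] * 61))
# 4x2 image: top row is the talk's 04 10 41 pattern (all index 1), bottom
# row is indices 2,2,0,1
SAMPLE_CEL = bytes([0x04, 0x10, 0x41, 0x08, 0x20, 0x01])


def demo():
    """Decode the constructed sample end to end; returns the pixel rows."""
    names = header_filenames(SAMPLE_HEADER)
    layouts = palette_layouts(0xC00)        # 0xC00 / 64 = 48
    pixels = decode_cel(SAMPLE_CEL, load_palette(SAMPLE_PAL, 0), 4, 2)
    return names, layouts, pixels


if __name__ == "__main__":
    names, layouts, pixels = demo()
    print("filenames:", names)
    print("candidate (bytes/colour, palettes):", layouts)
    for row in pixels:
        print(row)
```

Running the file prints the two recovered filenames, the four candidate (bytes per colour, palette count) splits of 48, and two rows of RGBA pixels; the top row decodes entirely to palette entry 1, which is the "background colour" reading the talk gives for the repeating 04 10 41 bytes. If a real DLC decodes to flamingo pinks with these assumptions, the first things to vary are the bit order in unpack_6bit and the channel order in colour_from_word, which is exactly the trial-and-error step the talk describes.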