Introducing Rick Ramgati, who's going to give us a live demo presentation on "Shining a Light on a Black Box: Reverse Engineering Proprietary Protocols in Embedded Devices." Please give a warm welcome to Rick.

Hey everyone. Can everyone hear me good, guys? Everyone in the back? I'm gonna take that as a yes. All righty then. Like you mentioned, my name is Rick Ramgati, and I tried to come up with a snazzy title, so it's called "Shining a Light on a Black Box." In our reality, what it really covers is the process of reverse engineering custom protocols. I'm really hoping that the device behaves itself, and it's because it's still flashing its lights. We'll get around to that later on.

So first, a little bit about myself. Like I mentioned, my name is Rick Ramgati. I enjoy doing these things. It's mostly about building and hacking web applications, which is what I do at my day job, and reverse engineering custom protocols and mobile applications, and embedded device security. I got into embedded device security recently, or IoT security as it's most commonly referred to, because I work at Independent Security Evaluators and we have a part of the research team.

So next, a little bit about the people that paid for me to be here, because they will be watching this video. I work in Baltimore, Maryland for a security consultancy called Independent Security Evaluators. We also have an office here in San Diego, California, which is why we're here today. I do security assessments there, and that's what we all do there as well. Most of the assessments we do from a white box perspective, but we'll do anything else from white box to black box or anything else in between.

So here's the outline of what we're gonna cover today. There is a lot. So, full disclosure: I signed up for a 20 minute talk and I didn't realize; I thought it was a one-hour talk this whole time, and I found out yesterday.
So excuse me if it is a little bit quick while I'm giving it. We're gonna be talking about the Drobo 5N2, which is this snazzy device right here. We're gonna be going over the process of how we identified attack surfaces, the passive testing that we did to identify what it is that we wanted to attack. We did active testing after we found other things that we wanted to hack. Then after that there's gonna be a live demonstration, which I'm calling "fun with lights," and then after that, if time allows, we'll try to get a shell and I'll show you how easy it is, and then the wrap-up.

First we have the Drobo 5N2. The way that we found the Drobo 5N2 was that me and my coworkers were trying to find devices that we wanted to add to our research lab to identify vulnerabilities. The reason why we picked the Drobo 5N2 was because people were losing their minds over it on Reddit, and the reason why they were losing their minds over it on Reddit is because you can add more storage to it, and as you add more storage to it, it encrypts the drives, and it is marketed as a secure device, which is kind of ironic. Then after that, the reason why I thought it was kind of cool is because it has those really pretty lights on the front, and it's also an enterprise slash user type device. So some manufacturers, or I guess like some organizations, have it inside of their offices; some people have it in their houses.

So the first thing that we have to do is that we have to identify attack surfaces on the Drobo. So usually when it's a network-accessible device and we're trying to identify what it is that we want to look at, we always look towards nmap.
So now I'm just gonna go over quickly the nmap results. I added them into a file before I came to the presentation to make things a little bit more quick. So let's look at those. And it's not coming up on there. Please hold while I try to fix the display on this. The reason why I think I have to go through that right now is because I want to use both displays and not just the mirrored version, or I want the mirrored version. So here we go, let's go look at the nmap results right now. Hopefully that's visible to everyone. Everyone in the back good? Take that as a yes as well.

Here are the ports that were open after we ran the nmap scan. That makes it less visible. So port 445 and 139, which is usually SMB, right? Port 548, which is netatalk, and then 5000 and 5001, which are mystery ports in this case. Let's go through and see what nmap decided for us as well. So 139 and 445 are in fact SMB or Samba. Port 548 is in fact netatalk. And then what about these mystery ports? The mystery ports say that port 5000 is UPnP, question mark, which to me sounds like nmap wasn't able to figure out what it is that's running on that port. And from what we can see here, when the scanner connected to it, this XML data came back. That's very important.
We should probably remember that for later on. Then on port 5001 a similar thing happened, except this time it says commplex-link, question mark, which is kind of new to me as well, and it returns some XML data, but there was also a bunch of other important information that was included in it. This time it included some of the bytes that came back, so we saw that there's a couple nulls and a 0x01 and then more XML data. Cool. So looking at it, it looks like port 5000 and 5001 are still pretty interesting.

So let's see what happens when we connect to that just with netcat, and I need to give it a port. Same thing came back again. So let's see what happened. Looks like when by default you connect to this device on port 5000, there was no authentication. We just used netcat, right? That was pretty much it. It returns all this information in XML. Let's see if anything is valuable. So it seems like it's pretty normal. It gives you the firmware version, which is not the end of the world, some things like the architecture used by the device, the firmware version as well. And let's see what else comes up. So it seems like it gives you the serial number, which is pretty interesting, and it gives you the status of when it was last updated, the version that it's running, and nothing that really seems to be a game changer. So this is just information that, if you knew that the owner is using an older version of the firmware, you could just guess these things, right? It's not really important, at least it isn't for now.

So let's see what happens when we connect to port 5001. In this case port 5001 doesn't really do anything. So it seems like it's waiting for us to issue a request. So let's just forget about that for now, since it didn't give us any information. Now, going back, there's two important things that I noticed when we were doing this.
One, everything came back in plaintext. So that's interesting. If you're interacting with a device over a network protocol and it's giving you back all the information in plaintext, that means that there's no transfer layer security, right? Right. All right. And the other part is that there was no authentication required as well. That got me wondering: how is it that I can interact with this device if it's not over a web application? Most of the time when you have a NAS device or any other embedded device there's a web application involved and all that. In this case there isn't; there's just this protocol. So trying to figure out how to interact with it is going to involve (a) trying to use the client that's used to communicate with the device and (b) trying to look at that network information. But it's not a web application, so you can't just attach Burp Suite to it and look at what's going on. In this case, I want to look at the traffic between my client and the device and see what's going on, so Wireshark seems like the best option here.

Let's go ahead and look at Wireshark now. I think that's visible. So for Wireshark in this case, we're going to look at everything that's going between the host and the client. Like I said, I recorded this beforehand, so it does have the IP addresses messed up and all that. What matters right now is what it is that our client is sending to the device. So the ports that matter to us right now are port 5000 and 5001, right? So, tcp.port == 5000, and that already searched. Whoops. Let's look at what's going on there.
We do that. It's a very small version of what we saw before. I can't zoom in, great. It's a very small version of what we saw before. It is the XML data that came back when we connected to it on port 5000 with netcat. So that seems pretty reasonable. Let's see now what happens when we look at port 5001. Looking at the traffic on port 5001, we see that there is similar XML data. When we're looking at this XML data, something stuck out to me. It's using these things called CMD ID. There's a number in between, and what this is is whatever is going between our client and the server. There are a couple curious yet funny things about this. First of all is that we needed to authenticate to the device in order to use it. What it did for that is that it just sent a bunch of X's, and that was the form of authentication. There's another really interesting thing about this, and it's that there doesn't seem to be a requirement for usernames and passwords. Like I mentioned, this is all in plaintext at this point, so there was no transfer layer security, there's no integrity checking or none of that.

So let's see what happens at the beginning of this conversation. For that, let's switch over to the hex view to make things a little bit more visible. I'm gonna say that's visible. And we can see that, remember that serial number that we saw a while ago when you connected to it on port 5000? The serial number is actually your form of authentication. So theoretically, really practically, not theoretically, you can connect to these devices, get the serial number, and then begin to issue commands on the device. So, like, well, that seems reasonable.
I should only have it on my internal network. Well, that depends. If you have it on your internal network, it really doesn't seem practical when you think about attacks like SSRF, where you can issue queries to a device that's available on your local network. Not only that, because it's only the serial number, it's very easy to figure out what the rest of them in the world are.

So now that we figured out more or less what it is that the protocol looks like, we can start figuring out, like, well, how is it that you're gonna install other applications? We took advantage of this during our research to figure out that we can install whatever application we wanted to, and some of those were a web application to access the device. So you can in fact have that web application if you do want it, SSH, and the SSH credentials are the ones that you choose for it as well. You can install other services as well, such as MySQL, but there were really interesting problems with this. So Drobo as a company provides the device, and then after, sometimes they provide some of the applications, and then you can also build your own; you can choose whichever one you want it to do. But one example is that they provide an installation of MariaDB or MySQL, and as soon as you connect to it, it immediately tells you what your password is back in the web application, because that's part of the intended functionality. And it's really, if you read the white paper that we have on this or the blog post, it says that in case you forget your password, here it is in plaintext in the little web application. Hopefully we get enough time to go through some of those today.

So getting back to reverse engineering the protocol. The first thing that we tried was just sending these commands directly and seeing if we would get a response back. So I actually have that in a little Python script that I prepared for you today, and I also have a layout of what the protocol looks like at the beginning so that you
guys can see that there's no nonsense going on. At the beginning here, the login preamble was the first request that we saw. This is just a hex version of the SSID, or sorry, the serial number, or the M-E-S-A ID, and it's just sent twice. Then after that, at the end of it, this 0xDC is just the size of the rest of the request, and that's it. So the structure is right here for you. So this is just saying that this message, every time it's sent, it's just that static string. After that we have whether it's coming from or being sent to the server. The only one that's different in this case is actually the one that's being used to log in. So this one is the one for login; after that the number changes. So here you can see that it's 0701, and then after that commands are 0a01. We also see that the size has this many packets available to it. For those of you that are probably still paying attention, you're probably thinking, like, oh, what if I mess with the size and make it smaller or bigger? If you make it bigger, the server just waits for the rest of the message to come, so that'd be a nice way to stop them, or to cause some type of havoc. And then if it's smaller, it just errors out.

So for this I specified the IP; it's going to be .12. Hopefully it's still going to be listening on port 5001, and then after that I set a source port and the buffer size. The buffer size is just to receive the response, and then the command, 26. Command 26 is actually the command used to start the lights on the device, which I hope is still on, and hopefully, if this is still working, it'll turn on the lights as soon as I issue this request with the Python script. The lights are not... This is when you clap. So lucky for me, I have five minutes left, so let's try to SSH onto the device now. So usually after you have a way to get into the device, in this case we installed SSH, and this is partially working.
I don't know why it's slashed. But in the Drobo apps, which is what I mentioned before, man, this looks terrible. Well, as we mentioned before, you have the ability to install applications, which you can't see right now, but one of them was SSH and one of them was a web application. So when auditing embedded devices, or any type of application for that sense, usually if it's an interpreted language like PHP, you can just connect to the device and view all the files, right? So that's probably the easiest way to get a shell. So in this case, let's just get one right now. If we SSH onto the device, which is a little small, I want all of you to see, on port 2222, which is not currently connected, you would be able to SSH on the device and look at the web application. Let's see now if we have the ability to open up a browser and connect to it. So, connected. 112. Drobo Access is the name of the application, which is sadly not on. So let's see now if we can figure this out here with all of you together. So right now the Drobo, after we issued our request, is in an error state, which is approximately going to take an hour to fix. So I don't have an hour left.
So I apologize for that. But what I do have time for is explaining more of the protocol. So here we see some of the requests that came out. Some of the other ones is the ability to list all of the available applications on the device. So here, for example, is the request to see the list of users on the device, which in this case is just going to return one, because it's the admin user, and it X's out the password, but you don't really need it because it's an unauthenticated protocol, so it doesn't really matter. Some of the other ones as well is this request to return all of the information that's currently on the device. So it has really cool features, like it tells you the current temperature of the device, the current temperature of the drives, if the drives are not working, like it is right now. And you can also see other information like the network information, the MAC address, if you want to see the SSID again, the M-E-S-A ID. There's also other requests so that you can view the uptime, the temperature, and there's another request for removing installed applications.

So some of the ramifications for this is that if you are aware of a Drobo device on anyone's network, you can, without authentication, access the device, install whatever application you want, get a shell, and then after, issue requests from that device into their internal network, or just use it as part of a botnet, which I think is pretty popular nowadays with embedded devices. The other problem is that this device is a little pricey; it's around the $500 mark. So you could technically just kill it by removing everything, or just rm-ing the slash directory and removing everything else from there, or just doing other things to affect the device, and other things as well. You can also turn on the lights if you want to.

So now that we've covered that, I think that we have hit the end part of my slides, so put up the final one, and that's it.
I hope you guys had an enjoyable time and that my speedy presentation was usable.
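As an added example (not code from the talk, from ISE, or from Drobo), here is a passive monitor for the weaknesses the talk describes: plaintext management traffic on TCP 5000/5001, the serial number serving as the only credential, commands arriving from hosts other than the management client, and the length-field mismatch that stalls or errors the device. The frame layout, the `DRBO` preamble, the `CMD_ID` tag name, the serial and the sample packets are assumptions or constructed values, since the talk only describes the framing loosely (static header, 0701 for login, 0a01 for commands, a size byte, the hex serial sent twice).

```python
import re
from typing import List, Set, Tuple
# ASSUMED framing, simplified from the talk's description (the real static
# header and the XML tag name are not given, so these are placeholders):
#   preamble(4) | msg type(2): 0x0701 login, 0x0a01 command | body length(1) | body
PREAMBLE = b"DRBO"
TYPE_LOGIN, TYPE_COMMAND = b"\x07\x01", b"\x0a\x01"
KNOWN_CMDS = {26: "toggle front lights"}  # command id demonstrated in the talk

def parse_frame(payload: bytes):
    """Return (msg_type, declared_len, body), or None if not this protocol."""
    if not payload.startswith(PREAMBLE) or len(payload) < 7:
        return None
    return payload[4:6], payload[6], payload[7:]

def inspect(packets: List[Tuple[str, int, bytes]], serial: str,
            allowed: Set[str]) -> List[Tuple[str, str]]:
    """packets: (src ip, dst port, tcp payload); allowed: hosts that legitimately
    run the management client. Returns (src ip, finding) pairs."""
    findings = []
    hex_serial = serial.encode().hex().encode()  # the serial travels hex-encoded
    for src, dport, payload in packets:
        if dport not in (5000, 5001):
            continue
        frame = parse_frame(payload)
        if frame is None:
            continue
        mtype, declared, body = frame
        if declared != len(body):  # oversize stalls the device, undersize errors out
            findings.append((src, f"length mismatch: declared {declared}, got {len(body)}"))
        if mtype == TYPE_LOGIN and body.count(hex_serial) >= 2 and src not in allowed:
            findings.append((src, "login using device serial from unexpected host"))
        elif mtype == TYPE_COMMAND and src not in allowed:
            m = re.search(rb"<CMD_ID>(\d+)</CMD_ID>", body)
            cmd = int(m.group(1)) if m else -1
            findings.append((src, f"command {cmd} ({KNOWN_CMDS.get(cmd, 'unknown')}) from unexpected host"))
    return findings

def build(mtype: bytes, body: bytes, declared=None) -> bytes:
    """Constructed sample frame; 'declared' lets a sample carry a wrong length."""
    n = len(body) if declared is None else declared
    return PREAMBLE + mtype + bytes([n]) + body

SERIAL = "PLACEHOLDER-SERIAL"  # constructed; a real unit leaks its serial on port 5000
_HS = SERIAL.encode().hex().encode()
SAMPLE = [  # constructed capture: one legitimate client (.5) and one rogue host (.9)
    ("10.0.0.5", 5001, build(TYPE_LOGIN, _HS + _HS)),
    ("10.0.0.9", 5001, build(TYPE_LOGIN, _HS + _HS)),
    ("10.0.0.9", 5001, build(TYPE_COMMAND, b"<CMD_ID>26</CMD_ID>")),
    ("10.0.0.9", 5001, build(TYPE_COMMAND, b"<CMD_ID>26</CMD_ID>", declared=0xDC)),
]

def demo() -> List[Tuple[str, str]]:
    return inspect(SAMPLE, SERIAL, allowed={"10.0.0.5"})
```

Feeding real payloads into `inspect` (for example, from a Wireshark export filtered on `tcp.port == 5001`) only requires replacing the assumed framing constants with the device's actual preamble and tag name.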