These fine gentlemen are researchers hailing from two of the finest research universities in the world, Northeastern and TU Darmstadt. Due to personal financial restrictions, they became interested in inexpensive smart home gear. Let's give a warm welcome to Dennis Giese and Daniel Wegemer.

So thank you very much. This is Dennis, I am Daniel, and today we will talk about vacuum cleaners, and to be more specific, we will talk about Xiaomi vacuum cleaners. I already have some fans over there. I apologize for mispronouncing the name of the vendor; I actually have no real idea how to pronounce it correctly. So let's start with some numbers. Why did we choose to pay more attention to Xiaomi devices? They claim to have 50 million connected devices in 2016, and they also say they made 1.9 million euros in revenue, also in 2016. So these are already impressive numbers, but the biggest point for us was that the stuff is actually cheap as hell. When you compare it to other stuff, for example other vacuum cleaners which cost 1.000 euro, you can buy 4 Xiaomi vacuum cleaners for the same amount of money. So we chose to look into Xiaomi stuff, and then we saw this advertisement. They said the vacuum cleaners have three different processors. Three processors; why do they need three processors in a vacuum cleaner? And our eyes were already like this. So we were really interested to know what is going on in these vacuum cleaners. Then we took a step back and looked into what the actual ecosystem looks like. In the middle of everything is basically your smartphone app, and then you have of course your smart devices, for example the vacuum cleaners or the smart bulbs in the top left corner. There are also smart water kettles or other sensors which are then connected via a gateway.
And as this shows, these arrows here are dotted, which means that during the connection phase they talk directly to the smartphone, and then after they are connected they basically have a direct connection to the Xiaomi cloud. So there is no more communication via the app; they talk directly to the cloud. As you can see, there are also some other techniques or protocols they use, for example Bluetooth LE and ZigBee. So this is already the end of my part, and then I will show you some more in-depth stuff about these vacuum cleaners, and I will just present you this vacuum cleaner.

Thank you Daniel. So let's take a look at the vacuum cleaner itself. This is again an advertisement, and you see it has a lot of sensors. The most important one is this LiDAR sensor, but it also has a lot of infrared sensors around the device and, which is also very interesting, a gyroscope and an odometer. So usually you would ask why the device needs that, but it's actually very nice. When we saw that it has a lot of sensors we thought, oh yeah, if we can root it, why not, and we tried a lot of things to root this thing. One approach was to get some kind of hardware access to that, and the next one was the network-based approach. It actually has micro USB, so we thought, oh yeah, it's simply connected to the micro USB, what could possibly go wrong. Unfortunately this doesn't work, because they use some kind of authentication for that, so that wasn't possible. The next thing we tried was to figure out where some serial port is on the PCB, but unfortunately they also didn't label that, so we had no idea. The next idea would be, okay, let's connect it to the Wi-Fi and check for open services like telnet or something. Usually IoT devices love to have open telnet ports or a telnet service.
But the thing was, well, the port scan wasn't successful, all ports are closed, and our last approach, to sniff the network traffic, was also not successful because everything is encrypted, so yeah, that was pretty bad. The next thing you usually do is you tear this whole thing down, so basically you unscrew everything and take a look at the whole device. We were very surprised that it was very easy to disassemble this whole thing, and so we think it's also well engineered in terms of you can simply unplug the parts without any connectors or something, so it's very nice. The next thing we see here is the PCB layout. What you see here is the application processor, which is an ARM quad core with 1.5 gigahertz, I think, per core. Connected to it is also 512 megabytes of RAM; it's DDR3 RAM if I remember. It also has 4 gigabytes of flash, and over SDIO there's some Wi-Fi module which connects the whole thing to the Wi-Fi. For all the real-time tasks, for example the sensors, there's some STM32 MCU which takes care of everything like that, and this is an ARM Cortex-M3, as probably most of you will know. There's also an additional MCU in the LiDAR which is not shown here in this picture. If you look at the back side you see that there are a lot of test points which are labeled with different marks like test point one, test point two and so on. The problem with that is it doesn't give us any information about whether there's a UART or something, but we figured out that the only two test points which didn't have a label are actually the UART for the application processor. But unfortunately, if you connect to that you don't see anything, or you can't do anything. So the next step: okay, we need to attack the hardware somehow to get root access, and our weapon of choice was aluminium foil, actually.
The idea behind that is, if you look in the data sheet of the application processor, it has some fallback mode which is called FEL mode. So what we did is we inserted the aluminium foil under the BGA chip and shorted the eMMC data lines, so the application processor falls back into this FEL mode, and then we can connect through USB and upload some small tool which then dumps the complete memory content of the eMMC flash. As soon as we had the eMMC flash we could do some modifications to that; there weren't any runtime checks on certificates or whatever, and then we flashed it again to the chip. One thing about that is exactly one layer of aluminium foil fits under the chip; two is too much actually, so you need just one. The idea is just to corrupt the data. As soon as we took a look into that vacuum cleaner image we figured out that they use Ubuntu 14.04, which was mostly untouched in terms of the packages were still original, and they do a lot of patching on a regular basis. For example, they closed down the vulnerability for WPA quite fast. For navigation they use open source software called Player, which takes care of all the sensors, and they have of course also a lot of proprietary software which does the cloud communication or the control of the commands which come from the cloud. One thing which we figured out is that behind the USB they have some ADB running, but the ADB does some custom authentication things, so basically you need information that you usually don't have to access that port, and so it's not possible to get onto the vacuum that way. And then, most interesting, they also run SSH, but the SSH is blocked by iptables, so they closed down that thing too, so actually not that bad technically.

Right, so let's take a quick look at the data on the device. Apparently they love to create log files. There are a lot of log files.
For example, they collect syslog files with durations for cleaning jobs, the area which you're driving around, but also important data like SSIDs and passwords. One thing is, we ran into some binaries with this line with tcpdump. Now the big question is why they need that. Well, I don't know if you can read the rest, and for all of you who have some kind of LTE with volume-based tariffs, you know: even if this vacuum is just standing around it creates a lot of data already, multiple megabytes per day. If you run it for cleaning it creates even more data, so basically if you have LTE then probably you have a big interest to, you know, root this device. And also maps; I will tell about maps in one second. So all this data is uploaded to the cloud, so the vendor has it, and another important thing is if you do a factory reset the operating system is restored from a recovery, but the data like the maps and the logs are not deleted, so basically they are still on the vacuum cleaner. So if you reset your vacuum cleaner and sell it on Amazon, then the next owner of the vacuum will know your SSID and password and how your apartment looks. Talking about how apartments look, this is how the maps look on the device; basically this open source Player software creates this kind of maps. Technically they are bitmaps, 1034 pixels square, and one pixel is more or less equivalent to five centimeters. One thing is the LiDAR is way more precise, but they just store five centimeters in terms of accuracy. Right, before we take a look at the communication itself we want to take a look at the configuration. One thing which is quite usual for all of the Xiaomi devices is that every device has its unique device ID, which is burned at the factory more or less into the device.
For the vacuum cleaner it's a text file, so technically you can edit it, but for other devices it's in OTP memory. And they have two kinds of keys: a cloud key, which is just used for the cloud communication and is never changed, and the token, which is only used for the app communication and changes every time you reset the vacuum or connect it to a new Wi-Fi. So I know that there are a lot of attacks out there which try to control the vacuum cleaner over this token, but every time you connect it to a new Wi-Fi the token is regenerated, so you have to start from the beginning again. This is just a bit of information about that. So if you take a very simple look at the cloud communication, everything here in this left box is actually the internals of the vacuum cleaner. They have a lot of processes inside which take care of the navigation, and the most essential one is the miio client, which takes care of all the communication between inside and outside. So here we have some examples: if the cloud wants you to do something, it sends you a message which is encrypted obviously with the cloud key, then this miio client encrypts it and forwards it in plain text, plain text JSON, to the internal processes, which then communicate for example over IPC between each other, and the result of that is again forwarded inside the vacuum in plain text, but as soon as it exits the vacuum it's encrypted again, so all the time you see something, it's encrypted. Also if you download firmware or upload map files, then everything is also encrypted with HTTPS, as you see on the cloud side at the top right.
Okay, let's take a quick look at the update process itself. So what they do is, I need my laser again, they send from the cloud an encrypted package with the package information, so the cloud tells the vacuum where it has to download the firmware, so they give it the URL, and the next thing they do is they also give the MD5 of the URL. So let's say something goes wrong with the download of the file, then the vacuum can check, okay, is the MD5 okay, so you can attack that very easily. The next thing that happens is that the vacuum wants to download it. We have shown here some simplified structure of the memory: you technically have two copies of the operating system, one active copy and one passive copy. You probably know that from a lot of IoT devices, because it's quite usual for all devices that they have at least two copies of the operating system. So the vacuum downloads the package, then checks in the next step if the MD5 is okay, which was transmitted over an encrypted channel from the cloud. If that's okay, it uses some secret key to decrypt this package and it unpacks that to some temporary partition.
The next thing, this is quite important, they update the root password, so basically every device has a different root password which you don't know actually, so not a master password for all devices. And the next thing is it updates the passive partition. After this is done the vacuum takes some time to rethink and reboot, and it reboots into the newly updated partition, and in the next step they update the old active partition again. So after that you have a completely updated vacuum cleaner with the newest version. Right, so the thing is, well, what do firmware updates actually look like? There are two kinds of firmware updates: one firmware update is full and the other is partial. They are encrypted tar.gz archives, and most of the time they contain, so the full image contains the disk image which has the full file system for the Linux. The fun thing is they've been very creative in the password for the encryption, which is rockrobo, and the next fun thing is you can also download sound files to the vacuum, and it uses a more complex password than this one, so they protect the sound files better than the firmware updates. The firmware update is encrypted with AES using ccrypt, which is a standard Linux tool, and the integrity is more or less protected by the cloud, because the cloud tells you beforehand what the MD5 looks like. Right, so now we know the password for the firmware, and we get this firmware from somewhere, so we can prepare our root. This time we simply take the firmware and rebuild it; for example we include our authorized_keys file for SSH so we can log in with SSH, and we remove the iptables rule for that, so that SSH is not protected by iptables anymore. The next thing that we can do is we can send the update command ourselves with the URL of our own web server and the MD5 of our own file, and the good thing is that the vacuum cleaner accepts this command if we encrypt it with the token. So basically you can somehow get
the token somewhere, from the app for example, and then you can send this update command. It takes a few minutes, I think between five and ten minutes, and after that what you can do is you can log into that thing. Like I said before, it's Ubuntu, so you can do apt-get update and install your own software onto that and run htop or something. The next interesting thing is you can also access the sensors directly, so for example here I have some map data which is created by the LiDAR sensor. Right, now we have root access on the device, then we want to gain independence from the cloud. We have two methods actually; it depends more or less on whether you still want to be able to use their app. The more drastic one is to simply replace the cloud interface, and the other one is to proxy the cloud communication. So if you want to get rid of the cloud completely, what you can do is you simply take the miio client and install your own client. It could be some small Python script which does some external commands, like from FHEM or Home Assistant; it's very easy to do that. And to get rid of the map upload you simply use a hosts file which simply kills all the Xiaomi servers. Very easy, but the problem is now the app doesn't work anymore. But it's very simple actually. The other thing would be to proxy the cloud communication. For that we developed some open source implementation of the Xiaomi cloud which we call Dustcloud, and it basically is a complete emulation. So what you can do is you can actually forward packets even to the real cloud, or you can simply use it as a local cloud solution, or even, you know, forward or change commands, or suppress them completely as you want. Usually you want to suppress firmware updates, that kind of stuff you don't want to, you know, send outside, or let's say get inside. So this is some of what you can do,
and it's published also, I think, on our GitHub. Right, some use cases: you can use this whole thing as a home automation server, you can use it also as a web radio, or even as a file server. But the file server problem is actually, so the usable memory is like two gigabytes more or less, so it's not a very big file server, but the good thing is if you have a power outage this thing holds for two days with the battery, so it's a great thing. And I know the question would come, like, oh, can you use it for Bitcoin mining? I think nowadays it's a little bit difficult; it has two GPUs which are used somehow, but I think they're way too slow nowadays, so, ah, sorry, but if you hack millions of them, maybe. Okay, for the home automation server we have some sample firmware where we installed them onto the vacuum cleaner, and you see here that we run it more or less locally. We know the token because we can access it directly, and then you can run your home automation system directly on the vacuum cleaner; no need for a Raspberry Pi, everything runs very smoothly. We have some downloadable content for you, but we're not EA, so we don't demand money for that, so it's free. We have modified some firmware for you so you can download it and install that. You can also download our cloud emulation, but the thing is, I'm not a very good programmer, so basically it's totally broken and insecure, so don't use it for productive means and don't put it on the internet, maybe. I'm also very happy if someone can take a look at that. And we also will publish pictures, pinouts and much more, everything under the domain dontvacuum.me. Yeah, so we upload this thing today in the evening or so, after the talk is over, if we're on time. Right, so there are two things we want to mention, actually two words of warning, not one. Never leave your devices unprovisioned. So we know a lot of people, or some people, some professor even, who thought,
like, oh, I don't trust the cloud, so I'll simply not connect the vacuum to the Wi-Fi. That might be a bad idea, because the vacuum cleaners have an open Wi-Fi access point, so what someone can do for you is provision that thing for you and install malicious firmware or even snoop on your apartment. So always provision your device. And the second thing is, be very, very careful with used devices, so bad people could order that kind of devices on Amazon and send them back after they put something under that, and if you do it for very, very expensive devices like some Roomba for 1000 euros, then there could be some assumption what kind of people would buy this kind of stuff. So, you know, it could be very, never mind, bad ideas. All right, and that's more or less the end of our presentation. So we want to thank two people, more or less, or two, yeah, more people: the SEEMOO lab at TU Darmstadt and Professor Noubir from Northeastern University, and now we are happy to take your questions about our talk. Thank you.

Thank you so much, Dennis and Daniel. So if you have questions for Dennis and/or Daniel, please line up by one of the microphones. There are four over here, one, two, three, four, there are four over there, five, six, seven, eight, and from the internet, one of our signal angels will be reading your questions aloud on your behalf. So, any questions for the Xiaomi vacuum hacking? Signal angel, do we have a question from the internet? Not yet, not yet. Microphone number two.

Test, test. Hi, thank you for your talk. How many robots were harmed doing research?

So in total I bought like nine of them and they all work, so it's a 100% chance of successful rooting, so yeah, no bricked ones.

Microphone number six.

Hi, so you said what the robot is doing when I have it in my Wi-Fi is sniffing all the traffic and uploading it to the cloud?

Hello, hello, hello, hello. Okay, so there is at least a cloud command which Xiaomi can, for example,
send to your vacuum, which then enables monitor mode and enables this tcpdump sniffing. So we don't exactly know why there would be some kind of command like this, but we saw at least the string and we know that there is this command. We did not investigate further into this up until this point.

Okay, so the logs are just there, but they are not sent by default?

No, so they need to send the command for this to start.

And so on, yeah, but the logs are uploaded all the time?

So the logs are uploaded, but it doesn't mean that the pcap file is there. So logs are always uploaded, but the pcap file has to be created by the command.

Hi, have you looked at any other Xiaomi devices besides this robot?

Yeah, so, test, test, this is working, yeah, okay. So, yeah, this is sort of spoilers, but yes we did. For example we looked into smart light bulbs, and we were also able to root these kind of devices, or let's say we were able to get them into your own cloud, if you want to say so, and we will present this work at Recon at the beginning of February.

So your question is, so we have total root access to the vacuum, we can install everything, and the Player software is actually open source, it's also used for different kinds of other robots, and it's just the standard open source version which they also use basically to communicate with the sensors of the robot. Was this your question?

Yeah, I also didn't understand this, I was just curious.

Yeah, you mentioned you had adbd running on USB. Did you try to reverse the authentication they implemented on that custom installation?

Yeah, so we tried actually. So we figured out that you need some strings, like some kind of root password, which you usually don't have, but usually the vendor probably has a database. So they did it quite well; the application is not that trivial actually, it even has multiple levels, so you
have, even if you have one level, you need to gain another level. So it's way easier, after you root this device, to install the open source adb software, so you can simply connect USB and adb shell. So if you want to have that as a recovery method for the vacuum you can do that, but to reverse the modification of the custom adb is way too hard actually. So it just accepts a hashed version of a password for the adb; it's some kind of challenge response. Okay, and even if you did the first level of the challenge response there's a second level, and I think there's even a third level if you want to get a shell or whatever. So it's like a game.

All right, thank you. Did you disclose this to Xiaomi before? Because I just got a bug release update for my vacuum.

No, we didn't, and the reason is because we don't want to tell Xiaomi to close down this bug. I mean, it's not a real bug, but you know, the thing is, as soon as your vacuum is rooted and as soon as you have the cloud encryption key, they cannot do anything anymore, because you can read all the communication, you can get all the firmware updates, you can send your own firmware updates to the vacuum. So as soon as you have the key you more or less protect it against the firmware updates of Xiaomi. But the problem is, if you buy a vacuum cleaner now and they change something in the firmware so that it doesn't work anymore, then, well, then we have to start from the beginning again, or you have to use aluminium foil, because against this attack, I think, it's very hard to defend, for the chip at least that they use. But if you have the choice to remotely update your vacuum with your own firmware, please don't use the aluminium foil, because things can happen in terms of you miss one pin and then you put five volts onto the
eMMC, and you know, if you have no idea what you're doing, you'd better not do the aluminium foil thing.

Yeah, thank you. Yeah, so the Player software, I think the Player software is supported by default, so basically we use the Player software to control small robots to do some collaborative thing, I guess, if I remember correctly. Yeah, so if you're root on the device you can do anything you want.

Hi, thanks for the talk. How did you get the passwords like rockrobo, or how do you know that the voice packages have a better password?

Well, we reverse engineered the binaries, and the fun thing was that they still had the debug symbols in there, because they thought, why remove the debug symbols, and it was very easy to get the strings; it was simply with strings, and that was in the vicinity of the decrypt command, and there was this rockrobo thing. First we didn't think that it's a password, because, well, it was too easy, but after we had the password for the audio files then we looked deeper into this thing and then we figured out that rockrobo is for real the password. So basically we reverse engineered the binaries themselves.