Jack O'Sullivan
March 22 2021
We found eight serious, previously unknown vulnerabilities in big brand routers and storage devices, which is the highest number found by any team over the last four years. We also found time to score maximum points in the IoT Capture the Flag (CTF) contest (which was running in parallel) – by doing CTF by day, and 0-day by night.
It’s fair to say we’re very proud of the team. Juggling two IoT contests whilst (largely) turning a blind eye to the usual non-hacky goings-on of Sin City, and coming out on top, is no mean feat.
What we actually found more rewarding, however, is what we brought back with us. Not necessarily the $2,000 prize money (although that was a great gift, which we’ll be donating to White Hat Rally) – but more an understanding of the scale of IoT vulnerability, and a greater knowledge of how we need to respond to it. We saw how those epiphanic Eureka moments typically happen when you take a break. And we reminded ourselves of how critical it is to do your homework, and your paperwork!
There is also much, much more to be done when it comes to IoT cybersecurity education and awareness. Our findings in a very brief period at the contest serve as a stark reminder that, by and large, IoT security remains extremely inadequate.
We looked at flagship products from some of the main brands producing SOHO (Small Office / Home Office) equipment. On each device we assessed, we found at least one critical vulnerability within a short period of time. Users of these devices (and most likely other similar devices) remain at constant threat from attackers leveraging such issues.
On each device that we looked at, the impact would be maximal; routers control all the traffic in and out of their network, and NAS devices are typically a central storage location for sensitive data.
After a couple of our consultants dabbled in the OpenCTF event at DEFCON 24 the previous year, and really enjoyed themselves, we decided to send a team over to compete properly at DEFCON 25. Unfortunately, we found out the event wasn’t running. Undeterred we set about finding another contest to enter.
There are a number of different contests held at DEFCON each year, but one that immediately caught our attention was the 0-day track in the SOHOpelessly Broken CTF at the IoT Village. This is an unusual contest in that, rather than expecting teams to hack the targets in some known way, the challenge was to break into devices using vulnerabilities that were not publicly known. Excellent, we thought. Breaking into stuff is a specialism of all our consultants!
We love the ethos behind the contest, and feel it has greatly benefited the security of end users over the four years it has run. IoT security has come quite some way in that time (and still has a long way to go). But without events like this we would be even further behind in the battle to secure such devices. Besides, who doesn’t like a good 0-day?
The kind folks at ISE (Independent Security Evaluators), who run the contest, always publish a list of the devices to be used in the contest. After a quick look through the list, we decided to focus on routers and NAS (Network Attached Storage) devices. These are both critical devices in the most common SOHO setups.
It was a great fit, both in the tradition of the contest, and in that the devices were sufficiently complex that we felt there was a good chance we would be able to find high impact issues. We felt that fewer teams would be focusing on these, and they would also provide the most points; a few big wins would be more rewarding than lots of small ones. Our team also relished the opportunity to show off what we could do.
A few weeks before the contest we bought a couple of the more interesting devices – and in the run up to the event we squeezed in a couple of late-night sessions, managing to find and report a critical issue on each device. So, we were quietly confident when we arrived on the day at Caesars Palace.
There were 15 ‘villages’ at DEFCON along with the main speaking track, but the IoT Village was always our desired destination. It’s big, it’s booming, it’s fun, it’s notoriously insecure. It’s the only 0-day event across all of the villages, and therefore a somewhat flagship event. We also felt that this contest is the most relevant right now, and the closest to real life, with thousands of companies making billions of IoT devices across the globe.
However, as the first day progressed, we could see the CTF event winking and flirting at us from across the conference room floor. Halfway through the first day there was a conversation within the team. We didn’t want to jeopardise the 0-day track, and if we started on the CTF we were already at least half a day behind. But how could we resist such temptation?
Turns out it was actually quite a short conversation. We’d do both.
The Capture the Flag contest had to be done within the arena, so we decided to focus on that during the day. This meant the nights were for 0-days, and this meant hacking in the hotel rooms, bars and casinos.
All the team members have experience of working together – e.g. on red teaming or other large assignments. We quickly split up into smaller groups whenever multiple devices were available to look at. But as soon as someone found something interesting, their hand went up and the team snapped into place as a unit to focus on it.
Also, each member of the team has different specialisms, so typically we’d have one group working on reversing the devices’ firmware, one on identifying issues, and another on exploiting devices for which we had already identified issues.
[Note to software companies: if your firmware isn’t available online, black-box techniques can still crack open your device and extract the firmware image from it. From there, the filesystems and binaries inside can be carved out and decompiled, and large portions of the program logic are often trivially recoverable. When partnering with a cybersecurity firm, it’s far more efficient to provide all source code up front to ensure the most thorough testing.]
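To illustrate the "extract the binary" step in the note above, here is a small added example (not code from the original post, and not any tool the team used at the contest): a signature scanner that locates the common containers found inside a SOHO firmware image (uImage header, gzip member, SquashFS, JFFS2, ELF) and carves out the gzip member. The firmware blob it scans is constructed inline and is not a real vendor image; the signature table is a deliberately small subset of what a tool such as binwalk carries.

```python
import gzip
import zlib

# Magic bytes for containers that routinely appear in consumer router/NAS
# firmware. This is a small illustrative table, not a full signature database,
# and short magics (the 2-byte JFFS2 one in particular) will false-positive on
# arbitrary data; real tools validate the rest of the header before trusting a hit.
SIGNATURES = {
    b"\x27\x05\x19\x56": "uimage header",
    b"\x1f\x8b\x08": "gzip",
    b"hsqs": "squashfs (little-endian)",
    b"sqsh": "squashfs (big-endian)",
    b"\x85\x19": "jffs2 (little-endian)",
    b"\x7fELF": "ELF",
}


def find_signatures(blob: bytes):
    """Return a sorted list of (offset, name) for every signature hit in blob."""
    hits = []
    for magic, name in SIGNATURES.items():
        start = 0
        while True:
            idx = blob.find(magic, start)
            if idx < 0:
                break
            hits.append((idx, name))
            start = idx + 1
    return sorted(hits)


def carve_gzip(blob: bytes, offset: int) -> bytes:
    """Decompress the gzip member that starts at `offset`.

    zlib.decompressobj with wbits=31 parses the gzip wrapper and stops at the
    end of that member, so whatever partition follows it is left untouched
    (it ends up in d.unused_data). A member cut off by a partial dump is
    reported rather than silently returned truncated.
    """
    d = zlib.decompressobj(wbits=16 + zlib.MAX_WBITS)
    out = d.decompress(blob[offset:])
    if not d.eof:
        raise ValueError("gzip member at 0x%x is truncated" % offset)
    return out


def build_sample_firmware() -> dict:
    """Construct a toy firmware layout (constructed data, not a vendor image).

    Layout: 64-byte uImage-style header | gzip-compressed "kernel" | SquashFS
    magic followed by padding standing in for the root filesystem.
    """
    kernel = b"KERNEL-STUB " * 8
    header = b"\x27\x05\x19\x56" + b"\x00" * 60
    kernel_gz = gzip.compress(kernel, mtime=0)  # mtime=0 keeps the blob deterministic
    rootfs = b"hsqs" + b"\x00" * 64
    blob = header + kernel_gz + rootfs
    return {
        "blob": blob,
        "kernel": kernel,
        "gzip_offset": len(header),
        "squashfs_offset": len(header) + len(kernel_gz),
    }


def extract_kernel(blob: bytes) -> bytes:
    """Find the first gzip member in blob and return its decompressed contents."""
    for offset, name in find_signatures(blob):
        if name == "gzip":
            return carve_gzip(blob, offset)
    raise LookupError("no gzip member found")


if __name__ == "__main__":
    fw = build_sample_firmware()
    for offset, name in find_signatures(fw["blob"]):
        print("0x%08x  %s" % (offset, name))
    print("kernel payload:", extract_kernel(fw["blob"])[:24])
```

Once a SquashFS or JFFS2 offset is known, the usual next step is to carve that region out of the image (for example with `dd` using the offset printed above) and unpack it with the matching filesystem tool, at which point the web server, CGI handlers and other binaries can be loaded into a disassembler.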
There’s no room for BS in IoT Village, and to earn your points you have to demonstrate to the judges, in person, every vulnerability you find. Without the proof, without the evidence, it all counts for naught.
A real buzz for us came when we went to demo on the first day. The judges were true professionals and remained completely impartial, but what we were able to show them made us think that we had a real chance of winning.
Even more critical than the judge demos, was the responsible disclosure of vulnerabilities to the device manufacturers. Everything we found, we disclosed securely to the affected vendor. We’ll continue to work with the affected vendors until the issues are resolved. Obviously, we’re counting down the days until the vendors release their fixes so that we can talk in more detail about what we did. Keep an eye on our main Twitter feed and also Secarma Labs, as well as our blog, for all the details.
DEFCON is great for any company that makes connected devices – from smart lightbulbs to home assistants – as they get free consultancy from the best ethical hackers in the world. But it’s also scary. What will alarm them, and indeed anyone with a vested interest in IoT security, is the scale of the security threat faced.
We managed to find eight 0-day vulnerabilities in three days, whilst only working at night. At one point we borrowed a device for a night and found a 0-day vulnerability inside 10 minutes. That is without counting the bugs we found that we didn’t feel were prize-worthy. We could have found more, and will continue to find more, without competition deadlines. Indeed, on the way out of the contest we were still trying to report more vulnerabilities.
It’s vital that companies creating IoT products take their responsibility for customer security more seriously. We’ve kicked off an IoT checklist, and we’ve also been piloting free IoT amnesties from our Scotland office (something we plan to roll out wider).
Since our Sin City success, we’ve certainly been having more and more fascinating conversations on IoT, with businesses, developers and IT professionals. We have a DEFCON-dedicated internal chat group that still pings daily and nightly with discoveries and ideas. Plus IoT will definitely play a more central part in our ongoing out-of-work team hacking sessions.
Several of the team had never taken part in a CTF before we went to Vegas. But it’s safe to say they now have the bug, and we’ll certainly be looking to enter more of them!
After all, it’s vital to us that what we did in Vegas DOESN’T stay in Vegas 🙂
Keep your business secure with Secarma
We believe that the security of your critical networks and data is key to your organisation’s success. Whatever your sector, whatever your size, our mission is to help you to seize the competitive advantages of providing your clients with security, compliance, and reliability.