CyberWire Daily - Clever breaches demonstrate IoT security gaps. [Research Saturday]
Episode Date: January 18, 2020
Some of our favorite and most trusted IoT devices help make us feel secure in our homes. From garage door openers to the locks on our front doors, we trust these devices to recognize and alert us when... people are entering our home. It should come as no surprise that these too are subject to attack. Steve Povolny is head of advanced research at McAfee; we discuss a pair of research projects they recently published involving popular IoT devices. The research can be found here:
McAfee Advanced Threat Research demo: McLear NFC Ring
McAfee Advanced Threat Research demo: Chamberlain MyQ
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Hello, everyone, and welcome to the CyberWire's Research Saturday.
I'm Dave Bittner, and this is our weekly conversation with researchers and
analysts tracking down threats and vulnerabilities and solving some of the hard problems of
protecting ourselves in a rapidly evolving cyberspace. Thanks for joining us.
So the team that I run is focused typically on vulnerability research.
That's Steve Povolny. He's head of advanced threat research at McAfee.
Today, we're discussing a pair of research projects they recently published involving popular IoT devices. So it's an offensive-minded team, and these techniques for attack scenarios do fall into that category as well.
However, they're a little bit different in that they don't represent classical software-based vulnerabilities,
like something that you can fix in code.
But they do fall into the area of one of the categories of research we often do,
which is consumer devices, smart home devices, IoT in general. Both of these
devices fall into that category as a whole. ATR in general does research in almost every area
for offensive security research, from automotive to industrial control systems, enterprise software,
and IoT is just one other category that is in the domain of what we research.
Well, let's go through them one at a time.
These are both interesting videos that you all have posted on YouTube.
The first one has to do with being able to bypass an IoT device that works with garage doors.
Can you walk us through what's going on here?
Yeah, absolutely.
We got interested in this product.
The vendor is Chamberlain, and the product is the MyQ garage door opener.
And this is a fairly popular industry product.
Just like everything else in the IoT domain,
it's used to give a homeowner remote control automation over the Internet from their smartphone to be able to open and close their
garage door, check notifications. What got us kind of interested in the first place is that
the service does allow for garage door delivery. So in garage delivery, meaning the package courier
can actually use the MyQ app to do the same kinds of things the homeowner does, open and close the garage door and get notifications.
So if you register for a delivery service
to get a package to your garage while you're away from home,
and they can actually, of course, open and close the garage,
we wondered if there was an interesting attack scenario there.
So we did audit the device itself in some level of detail
and didn't really find anything, at least not low-hanging fruit on the device itself.
But we found an interesting technique in the RF or radio frequency space that allowed us to kind of achieve the scenario we wanted to, which is to be able to gain access to the garage.
And that's what this entire article and corresponding video are about.
Yeah, so let's go through exactly how this works. Can you give us a little bit of an overview of
how the technology that you connect to your garage door system, how it's physically connected and how
the user is getting alerts and so on and so forth? Yeah, it's a pretty simple and fairly
straightforward setup. You have
a physical sensor that is in your garage and it's actually just attached to your garage door itself
with some Velcro that ships with the product. So it's pretty easy to put on and take off.
And the reason that it's attached to the garage door is that it actually sends out its state,
whether the garage is open or closed, based on whether it's
in a vertical or horizontal orientation. In other words, when it's attached to your garage door and
the garage door is open, obviously it's horizontal and it sends an open state. And when it's closed,
it's vertical and it sends a closed state. This is a little bit different than most systems,
but certainly nothing insecure about that concept itself. It transmits that open
or closed state to a hub that's located anywhere in your home or even in your garage, the MyQ hub.
And that hub, of course, is connected to your Wi-Fi, which is the same way that you can use
your mobile phone and the MyQ app to connect to the device. So essentially those are the three components.
You have the sensor, the hub, and the mobile application,
which allows you to control the device over Wi-Fi.
The hub will send and receive those state commands to open or close the garage,
and the sensor, of course, is what's responsible for actually opening and closing it as well.
Well, let's go through the sort of clever attack that you all came up with here,
a way to circumvent this.
This is a very unique one for us.
Typically, we're looking at software-based vulnerabilities.
And the way this one is different is that we actually wanted to study the state sensor itself.
And because it's just transmitting this binary state, either open or closed,
to the hub, we wondered what would happen if we built a radio that could allow us to jam
that state signal as it was transmitted from the sensor back to the hub in the home.
And more so if we could not only jam that state signal, but potentially even capture and replay it.
And there's two pieces to this attack. We were able to successfully build a software-defined radio
that allows us to jam the RF signals between the sensor and the hub. And what that does is it allows
us to block the state signal from transmitting when the garage is actually closing.
And the reason this is important is because if you consider the package delivery scenario,
the garage, of course, has to close for the package courier to drive away. They're not going
to leave the garage door open. But that's independent of the fact that the state is
still trying to transmit closed. And if we can block that state of closed from reaching the hub, we can block it then from updating in the user's app.
And ultimately, what you'll see in the proof of concept that we built is that by jamming that state, if the homeowner logs into their MyQ app, what they'll see is an error.
And that error will say something went wrong.
Your garage didn't close.
Well, as you know, we talked about the garage is independent of that state. So it really did close. And now
the homeowner is left with some confusion, especially if they're not home and can't,
you know, line of sight, see their garage door. The door is closed. The app is saying it's open.
Now they go ahead and click close from the app. And of course, it's going to do the inverse thing and open the garage door up for the attacker.
So just as a full scenario, what we kind of envisioned is taking this small radio we built, and we built a battery-powered version of it as well, putting it somewhere in the bushes or nearby the home, waiting for a package delivery to come to someone who has the MyQ, jamming the signal
during the closing of the garage.
And then the homeowner actually opens the garage accidentally for the attacker to walk
in.
And often, as you know, that gives access to the home itself.
The really interesting thing here in the novel part of this technique is that jamming signals
and capturing and replaying signals
has been happening for a long time. And the manufacturer actually built a stronger version
of the product to deal with this exact kind of thing. So they actually hop over three unique,
distinct frequencies in a very small range to try to avoid the ability to jam here.
And we released a white paper that shows kind of what we believe is the first
in industry technique for not just jamming across all three of these frequencies at the same time,
but the jammer that we built actually only jams on demand, meaning it'll only jam as soon as it
sees that closed state signal being sent back to the hub. And so it's very hard to find or
fingerprint this device because it's not very noisy, right? It's only working for a few seconds when it needs to. So that's kind of the
power of the tech in general. It's very quiet, it's very, very specific, and it's very reliable.
And then the second part that I referenced was we did test out and prove the capability
to actually transmit back the state signal when we wanted to,
the true closed state signal, so we can kind of clean up after ourselves, if you will,
and restore the correct state to the user.
That's not really fundamentally important to the attack being successful,
but it is a really interesting and novel way that we could replay that state signal.
And I suppose part of this relies on the fact that your typical garage
door opener, you're just sending, I guess, a trigger signal to either open or close the garage
door. It's not signaling back and forth to say, open the door or close the door. It's just
signaling and saying, change the state. If it's open, close it. If it's closed, open.
Exactly, Dave. No, you hit it on the head. That's exactly one of the weaknesses here is garage doors don't truly understand what open or closed means.
They just send a signal that changes to the other state. Right. And that's very typical.
And really, that's one of the flaws here, although it's very common and there's not really an easy fix for this.
But just because that state is so unintelligent, right, it only does the opposite.
We can actually use that to confuse the user, as we talked about.
So, yeah, that's exactly right.
Now, would the user eventually get a signal that sends them the true state of things? Is it a matter that by that time it's just too late?
There's a couple of ways that we can either correct this or leave it incorrect. Of course,
for an attacker, if all they care about is getting access to the home or the garage door,
the job is done and they don't necessarily have to care whether the user finds out if it was
incorrect or correct. The app will not correct itself unless we either transmit the state,
as I mentioned, by capturing and replaying it,
or what's much simpler is the attacker
can actually just take that sensor off of the garage
because it's on Velcro and just flip it vertical
instead of being horizontal, right?
And that'll actually then, if we're not jamming,
that'll send the true closed state
just like the garage was actually closed.
So our video actually shows our attacker after they've gained access to the garage, just pulling that sensor off of the Velcro, placing it on the floor upright.
And then the user's app will sync up, and it'll look like everything did get closed correctly.
So this is kind of similar to the cleanup steps after someone gets into your network or exploits some malware.
They're trying to typically cover their tracks, and that would be a really easy way to do that.
I suppose one of the lessons here is that old story of defense in depth,
that if you have something like this, maybe it's a good idea to have some sort of video monitoring system also
so you can take a look at what the true state is.
It's almost like you read the blog or maybe my
mind or both, Dave. That's very intuitive. And I think that makes a lot of sense. In fact,
I wouldn't be surprised at all. And there is actually an FCC filing from Chamberlain for a
camera sensor, which I wouldn't be surprised to see them build into future versions of the app
or homeowners could use another product as well to get actual visible line of sight.
And in general, I think that's a great idea is to have, as you mentioned,
defense in depth or more than one system to be able to physically or visually validate what's going on there.
Well, let's move on to the second video that you all posted that we're going to discuss today.
This one is fascinating. This is about, you're working with an
NFC ring device, so like a ring that you wear
on your finger that has NFC capabilities. Take us through
what you're doing here. Yeah, this is a ring
developed by a company called McLear. Actually, John McLear was the original
developer out of the UK.
And now the company makes a number of rings,
including payment rings and smart rings.
They also still manufacture this ring, which is called the NFC ring.
And it's the one that we targeted for research
because it is advertised as being used to pair with smart home locks
for access control to your home.
So it's very simple in
the way that we typically use NFC is for contactless payments, credit cards, et cetera.
This one's a little different in that it is specifically used for smart locks and home
access, or at least that's one of the primary uses. And that of course caught our attention
is, hey, a cool piece of technology that you wear on your body that can get you access to your home.
What could go wrong?
Of course.
So we looked at the weaknesses in this ring and fundamentally this is just an insecure design.
And what I mean by that is the ring itself has no form of encryption.
It doesn't require any kind of authentication.
So once you set it up and pair it to your smart home lock, whatever version that is,
an attacker, if they can get access to this ring, can actually clone or steal all of the relevant information off of the ring that is paired to the home.
And then they can just simply reprogram any kind of NFC device.
In our proof of concept, we use just the NFC card, a readable, writable card,
and we clone the ring onto that card and use it to unlock the home and basically give us a
permanent key into somebody's house there or whatever they're trying to protect. All it takes
is a small, unique ID. It's just a seven-byte, unique ID that's stored on that ring unencrypted.
And so long as we can get access to that ring,
and I'll talk about how we do that in a minute,
we can clone it easily and get access.
Yeah, well, the way that you,
the clever technique that you all have come up with to, I guess, fool the user into providing access to that ring.
Share with us what you've done there.
Well, there's two parts to every piece of research.
One is the technical viability, and that's the unencrypted, unauthenticated, stored context of the ring.
And then there's what would attackers do with this in a real-world scenario, and how would they actually compromise someone?
And as we thought about that, we realized most people are going to have this ring on them.
It's going to be pretty far-fetched for us to find someone with this ring,
get access to it if they put it down somewhere.
So we wanted to think about how are we going to be able to clone that ring
if it's on somebody's finger.
The technique that we developed was to create a mobile app for Android
just because it's easier to modify the code.
And we just have this app run silently on the attacker's phone in the background. It's constantly running.
All it does is it leverages what comes on pretty much every smartphone, which is NFC
reading capabilities. And it's just constantly scanning for NFC devices that come within
proximity of it, and it will store off the NFC details if it can read
them. And because everything's stored unencrypted, what that means is we just need to get this
attacker's phone within about two, three, four centimeters of the NFC ring. And as you can
imagine where I'm going with this, an easy way to do that is to social engineer someone. Walk up to
them, hand them the phone and say, hey, would you mind taking a picture
of me and my family?
99 out of 100 people are gonna do that nowadays,
and as long as we can get them to grab it
with the hand the ring is on,
which is fairly easy to do as well,
we instantly can scan that NFC tag, and we're good to go.
So the final proof of concept is basically,
we have this mobile app, we social engineer someone
into getting the ring close to the app.
We save the details off of it.
And then at our own time, we go back and use a very simple NFC rewriting device called a Proxmark to reprogram that unique identifier I talked about onto an NFC card.
And now all of a sudden we have access to the home.
Now, is it typical for these sorts of NFC devices to be unencrypted?
Is that something that's optional in that particular protocol?
What's the situation there?
It certainly can go either way.
It kind of depends on what the device is built for.
Of course, if you have something that's used for mobile payment
or secure communications like that, it better be encrypted.
And most devices, I'd say, most of the devices we've looked at that do that are encrypted and would make this attack either impossible or at least a much different attack vector.
You know, there's no need for NFC to protect the contents of what it's being used for unless it has a critical function.
And I think it's pretty easy to argue that home access and access control certainly is
a critical function.
And this ring should have been developed with some kind of encryption or crypto module built
into it.
But of course, it was not.
So it may have been that this ring was built as a proof of concept and then later kind
of added on for access control versus being built for it,
but it is still marketed by McLear as being used for access control along with a number of smart
locks. So our recommendation to the vendor was that this should have certainly been built with
some kind of encryption at a very minimum. You know, McAfee and Advanced Threat Research
follows responsible disclosure practices.
So with both of these pieces of research and everything we do, we reported this to the vendors well before public disclosure.
With McLear, we heard back just last week actually at CES for the first time, which was a little bit strange.
With Chamberlain, we actually worked with them throughout the entire process, having them test and validate the findings. They actually released and updated the app just a few weeks ago,
which doesn't fundamentally fix the issue, but it at least warns users if that garage state
was received appropriately. And it instructs them to go try to visually validate that the
door was properly closed. So at least provide some context to the homeowners
where before there was none. So neither of these represent what could be easily, easily fixed,
given that they are NFC and RF. They're not just simple software patches. But the reason we talk
about these and publicly disclose issues like this is for the future development of better and more
secure products. And I think we've already seen some growth in these two areas alone.
That's Steve Povolny from McAfee. We'll have links to the research in the show notes.
Thank you.
The Cyber Wire Research Saturday is proudly produced in Maryland
out of the startup studios of DataTribe,
where they're co-building the next generation of cybersecurity teams and technologies.
Our amazing Cyber Wire team is Elliot Peltzman,
Puru Prakash, Stefan Vaziri, Kelsey Bond,
Tim Nodar, Joe Kerrigan, Carol Terrio, Ben Yellen,
Nick Valecki, Gina Johnson, Bennett Moe, Chris Russell. Thanks for listening.