DefCamp_2018_Chemerkin_Yury - Full - Website - AM
LINKEDIN:
HTTPS://WWW.LINKEDIN.COM/IN/YURYCHEMERKIN
TWITTER: @YURYCHEMERKIN
EMAIL: YURY.S@CHEMERKIN.COM
IoT: CONCEPT, FACTS, ISSUES
Source: https://www.cbinsights.com/research/internet-of-things-periodic-table/
IoT TAXONOMY
Wearable Tech
Connected Home
Healthcare
IoT: CONCEPT, FACTS, ISSUES
MITM
Breaking LockScreen
Jailbreak
Backup
APPLE WATCH
MITM
The Apple Watch Series communicates via Bluetooth with the owner’s iPhone. If
this is not available via Bluetooth, Wi-Fi is used for synchronization to Apple
servers and the iPhone.
Online communication (over Wi-Fi)
[iPhone apps – iCloud] – MITM prevented, SSL pinning
[Apple Watch – iCloud] – MITM prevented, SSL pinning
No way to install an SSL certificate on the Apple Watch
APPLE WATCH
BREAKING THE LOCKSCREEN
Remove the Passcode Using Your iPhone
Go to a “Settings->General->Reset”
“Erase Apple Watch Content & Settings”
“Keep Plan” if iWatch has a Cellular Plan
Otherwise just “Erase All Content & Settings”
Pair it again
APPLE WATCH
BREAKING THE LOCKSCREEN
Removing Your Passcode Without an iPhone
/mobile/Library/DeviceRegistry.state/properties.bin
Binary plist file – contains paired Apple Watch specifics incl. watch name, make, model, OS, GUID
Synced data path with GUID, date, local
Serial number, UDID, WiFi MAC, SEID (Secure Element ID), Bluetooth MAC
APPLE WATCH - BACKUP
Plist containing installed apps on the Apple Watch (2 places):
/mobile/Library/DeviceRegistry/<GUID>/NanoPreferencesSync/NanoDomains/com.apple.Carousel
/mobile/Library/DeviceRegistry/<GUID>
Example:
/mobile/Library/DeviceRegistry/<GUID>/AddressBook/
APPLE WATCH
BACKUP
Email - /mobile/Library/DeviceRegistry/<GUID>/NanoMail/registry.sqlite
Voicemails - /mobile/Library/DeviceRegistry/<GUID>/PreferencesSync/NanoDomains/com.apple.mobilephone
Records containing phone numbers and paths to synced voicemail files
APPLE WATCH
BACKUP - PASSBOOK
/mobile/Library/DeviceRegistry/<GUID>/NanoPasses/nanopasses.sqlite3
Pass table:
Unique_ID
Type_ID (boarding pass, loyalty pass)
Encoded pass (value/data)
APPLE WATCH – BACKUP
APPLE HEALTH
Encrypted (.hfd) in password-protected
/ encrypted backups only
No data out of non-encrypted backup
Export in raw/plaintext
Local data
Not many but jailbreaks are available
Backup still works to access the data
Wallet contains booking, card and other info
Apple Health app
Contains a lot of medical user data
Encrypted if the backup is password-protected, and absent from the backup otherwise
Contains non-encrypted basic medical user data and list of app-sources
WEARABLE TECH
SMARTWATCHES – ANDROID WATCH
Root opportunities
Physical Acquisition
Logical Acquisition
Deleting / altering the gesture.key & settings.db files to remove the lock screen entirely
adb.exe shell; cd /data/system; rm gesture.key
The “settings.db” file contains system settings and can cause system-wide changes if modified
update system set value =0
Flashing a modified ROM / rebooting in safe mode – to leverage a third-party lock screen
Utilize the adbkey and adbkey.pub files from other computers that were previously synchronized with the examined device to create a trust relationship with a new device
/.android/<ADB keys> – those files are an SSH key pair that allow me to mark my computer as "trusted" to my phone.
A copy of the ADB keys is stored on synchronized devices in the users/<user name>/.android folders
ANDROID WATCHES
ROOT
Root:
5.1.1 - SuperSU-5.1.1.zip https://supersu.apk.gold/android-5.1.1
6.0.1 - SuperSU-6.0.1.zip https://supersu.apk.gold/android-6.0.1
Wear 2.0 - SuperSU-Wear
Wear-SuperSU 2.4 -
https://androidfilehost.com/?fid=24269982086990060
Recovery:
TWRP - https://eu.dl.twrp.me/bass/
5.1.1 twrp-3.1.0-0.img
6.0.1 and Wear 2.0 twrp-3.0.0-0.img
ANDROID WATCH
WEAR OS
Android Wear version | Android base version | Release date
4.4W1                | 4.4                  | June 2014
4.4W2                | 4.4                  | October 2014
1.0                  | 5.0.1                | December 2014
#1 Gain root:
turn on SDB (‘Smart Development Bridge‘),
find a ROM, use Odin,
reboot to ‘download’ mode – hold down the main button through the turn-off prompt
sdb shell, sdb root
ANDROID WATCHES
SAMSUNG GEAR – ALL OF THEM
#2 Get Data as an image:
Requires root (see step #1)
Use anything to image the watch, like Toybox http://landley.net/toybox/
adb push toybox /sdcard/download
adb shell; su
mv /sdcard/download/toybox /dev/
chown root:root /dev/toybox
chmod 755 /dev/toybox
cd /dev/block/platform/msm_sdcc; ls -al by-name
/* image the partition with dd and pipe it to netcat; -L puts toybox netcat in listening mode */
dd if=/dev/block/mmcblk0p21 | /dev/toybox nc -L
/* toybox nc prints the port it listens on (44867 in this example); forward that same port from the host */
adb forward tcp:44867 tcp:44867
/* connect to the watch on port 44867 and write the stream to an image file */
nc 127.0.0.1 44867 > Samsung.IMG
Here is the user partition
ANDROID WATCHES
SAMSUNG GEAR – ALL OF THEM
#3 Results:
Messages - apps.com.samsung.message.data.dbspace/msg-consumer-server.db
Health/Fitness Data - apps.com.samsung.shealth/shealth.db
Email - apps.com.samsung.wemail.data.dbspace/wemail.db
Contacts/Address book - dbspace/contacts-svc.db
ANDROID WATCHES
LG WATCH – ALL OF THEM
Android Wear, USB, Bluetooth, No Wi-Fi
#1. Gain root: turn on ADB, use LG G Watch Restore Tools, reboot to the bootloader & unlock it, and push the image
adb reboot-bootloader
fastboot oem unlock
adb push <SuperSU>.zip /sdcard/download
adb reboot-bootloader
fastboot boot <twrp>.img
Install <SuperSu>.zip, wait for reboot
ANDROID WATCHES
LG WATCH – ALL OF THEM
#2 Get Data as an image:
Requires root (see step #1)
Use anything to image the watch, like Toybox http://landley.net/toybox/
adb push toybox /sdcard/download
adb shell; su
mv /sdcard/download/toybox /dev/
chown root:root /dev/toybox
chmod 755 /dev/toybox
cd /dev/block/platform/msm_sdcc; ls -al by-name
/* image the partition with dd and pipe it to netcat; -L puts toybox netcat in listening mode */
dd if=/dev/block/mmcblk0p21 | /dev/toybox nc -L
/* toybox nc prints the port it listens on (44867 in this example); forward that same port from the host */
adb forward tcp:44867 tcp:44867
/* connect to the watch on port 44867 and write the stream to an image file */
nc 127.0.0.1 44867 > LG.img
Here is the user partition
ANDROID WATCHES
LG WATCH – ALL OF THEM
Results:
Events/Notifications - data.com.android.providers.calendar.databases/calendar.db
Contacts/Address book - data.com.android.providers.contacts.databases/contacts2.db
Health/Fitness Data - data.com.google.android.apps.fitness.databases/pedometer.db
ANDROID WATCHES
ANDROID WEAR
Mobile device paired with all watches – in this app:
/com.samsung.android.app.watchmanager
/auto_update.xml - a timestamp of the day the Samsung Gear was last updated
/com.samsung.android.app.watchmanagerstub/shared preferences/hmonlinehelppref.xml
/data/com.google.android.wearable.app/databases/devices.db
list of devices using Android Wear, which listed the LG G Watch
ANDROID SMARTWATCHES
ACCESS ATTACK LOGIC
IoT: CONCEPT, FACTS, ISSUES
Device MAC address & crash log: DevInfo, debug info - /Documents/hms/oclog/<crash>,<log>
Last Wear values: sleep (many params), wakeup (many params), distance (steps, ride, climb, …), heart rate, calories
Firmware: path to locally stored firmware, URL to download firmware (HTTP !!!), change log, options
Bluetooth keys
CRASH LOG: DEVINFO, DEBUG INFO -
/DOCUMENTS/HMS/OCLOG/CRASH
CRASH: *** -[__NSArrayM replaceObjectAtIndex:withObject:]: index 9223372036854775815 beyond
bounds [0 .. 6]Stack Trace: ( 0 CoreFoundation 0x00000001834d317c
<redacted> + 148 1 libobjc.A.dylib 0x000000018271c528 objc_exception_throw +
56 2 CoreFoundation 0x000000018346bc9c _CFArgv + 0 3
CoreFoundation 0x00000001833a0324 <redacted> + 0 4 HuaweiWear
0x0000000100319064 HuaweiWear + 315492 5 HuaweiWear
0x000000010030ffdc HuaweiWear + 278492 6 libdispatch.dylib
0x0000000182e52a54 <redacted> + 24 7 libdispatch.dylib
0x0000000182e52a14 <redacted> + 16 8 libdispatch.dylib
0x0000000182e5f698 <redacted> + 1016 9 CoreFoundation
0x000000018347b344 <redacted> + 12 10 CoreFoundation
0x0000000183478f20 <redacted> + 2012 11 CoreFoundation
0x0000000183398c58 CFRunLoopRunSpecific + 436 12 GraphicsServices
0x0000000185244f84 GSEventRunModal + 100 13 UIKit 0x000000018caf15c4
UIApplicationMain + 236 14 HuaweiWear 0x00000001005b13f8 HuaweiWear +
3036152 15 libdyld.dylib 0x0000000182eb856c <redacted> + 4)iPhone:iPhone8,4
ClientVersion:21.0.12 OSVersion:11.2.6
HUAWEI WEAR – LAST VALUES
/DOCUMENTS/<*.ARCHIVER> FILES
<string>{
"sleepTotalData":{"shallowSleepTime":0,"totalSleepTime":0,"deepSleepTime":0,"wakeupTimes":0,"wakeupDuration":0,"type":0,"sleepStartTime":0},
"distance":3940,"lastHeartRate":0,"steps":4623,"lastHRTimeStamp":0,"calories":216,"date":1537867958.8875299,"totalClimb":0,"daySportInfo":[]
}</string>
HUAWEI WEAR: FIRMWARE
/DOCUMENTS/<*.ARCHIVER> FILES
<string>
{"fireWareMd5":"33E44F1B02292C8B9D00A5DEB91B72AB","firmwareDownloadFilePath":"Nyx_1.5.35.bin.apk","identify":"38:37:8B:B8:C9:C7","firmWareSize":1410023,"deviceType":13,"workMode":2,"forceUpdateFlag":false,"netFirwareVersion":"1.5.35",
"firmwareLocalPath":"/var/mobile/Containers/Data/Application/9B666199-342F-4897-9577-59B68F5CF40F/Documents/DownloadData/dfu_image_OTA.dfu_Nyx",
"changeLogContent":"[Optimizations]\nOptimizes calorie counting accuracy while swimming.\nFixes an issue where exercise sessions would suddenly exit due to accidental touches.\nFixes an issue where fitness data would be occasionally cleared.\nOptimizes the TrusleepTM data syncing speed on IOS.\n[Notes]\n1. New features require that Huawei Health APP is updated to version 8.0.1.302 or later for IOS, and 8.0.2.327 or later for Android.\n2. Before updating, make sure the band is charged to at least 20%.\n","status":1,
"baseURL":"http://update.hicloud.com:8180/TDS/data/files/p7/s131/G3533/g3039/v155123/f1/"}
</string>
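The firmware descriptor above is the artefact behind the "HTTP !!!" remark: the download base URL is plain HTTP and the only integrity value is an MD5. The following script is an added example (not code from the talk, and not Huawei's) that audits such a descriptor and shows what a size-plus-MD5 check does and does not guarantee. Field names are taken from the descriptor shown; the firmware bytes are constructed, and joining baseURL and firmwareDownloadFilePath into one download URL is an assumption.

```python
"""Added example, not code from the talk or from Huawei: audit a firmware
descriptor of the kind stored in the app's Documents/*.archiver files for the
two supply-chain weaknesses the slide points at: a plain-HTTP download base
URL and an unauthenticated MD5 as the only integrity value.
Field names are the slide's; the firmware bytes below are constructed, and
joining baseURL + firmwareDownloadFilePath into a download URL is an assumption."""
import hashlib
import json
from urllib.parse import urlparse

# Descriptor fields copied from the slide (change log and local path omitted).
DESCRIPTOR_JSON = """{"fireWareMd5":"33E44F1B02292C8B9D00A5DEB91B72AB",
"firmwareDownloadFilePath":"Nyx_1.5.35.bin.apk","identify":"38:37:8B:B8:C9:C7",
"firmWareSize":1410023,"netFirwareVersion":"1.5.35","forceUpdateFlag":false,
"baseURL":"http://update.hicloud.com:8180/TDS/data/files/p7/s131/G3533/g3039/v155123/f1/"}"""


def audit_descriptor(raw: str) -> dict:
    """Report transport and integrity properties of one firmware descriptor."""
    d = json.loads(raw)
    scheme = urlparse(d["baseURL"]).scheme
    return {
        "download_url": d["baseURL"] + d["firmwareDownloadFilePath"],  # assumed join
        "plaintext_transport": scheme != "https",
        # A 32-hex-digit value under an MD5-named key: detects corruption only.
        "digest": "md5" if len(d["fireWareMd5"]) == 32 else "unknown",
        # The digest travels over the same unauthenticated channel as the image,
        # so whoever can alter the file in transit can alter the digest too;
        # only a vendor signature over the image would bind the two together.
        "digest_authenticated": False,
        "force_update": bool(d["forceUpdateFlag"]),
        "version": d["netFirwareVersion"],
    }


def verify_download(blob: bytes, descriptor: dict) -> bool:
    """Size and MD5 check of a downloaded image against its descriptor
    (assumed to be what the app itself does with these two fields)."""
    if len(blob) != descriptor["firmWareSize"]:
        return False
    return hashlib.md5(blob).hexdigest().upper() == descriptor["fireWareMd5"].upper()


def example_verification() -> tuple:
    """Constructed image: the genuine blob verifies, a one-byte change does not.
    That is the whole guarantee MD5 gives here: detection of accidental corruption."""
    genuine = b"constructed firmware image, not a real Nyx build"
    descriptor = {"firmWareSize": len(genuine),
                  "fireWareMd5": hashlib.md5(genuine).hexdigest().upper()}
    tampered = genuine[:-1] + b"?"
    return verify_download(genuine, descriptor), verify_download(tampered, descriptor)


if __name__ == "__main__":
    print(json.dumps(audit_descriptor(DESCRIPTOR_JSON), indent=2))
    print("genuine ok, tampered ok:", example_verification())
```

The audit reports the plaintext transport and the unauthenticated digest separately because they are fixed at different layers: the first by moving the update server to HTTPS, the second only by a signature over the image that the band verifies before flashing.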
HUAWEI WEAR: GEO, SPEED
/DOCUMENTS/<*.ARCHIVER> FILES
<string>
{"speed":0.63999998569488525,"timestamp":"2018-06-09T05:12:19+0300","longitude":41.512356810310401,"latitude":52.571571199272356,"totalDistance":0,"verticalAccuracy":4,"course":10.546875,"duration":0,"distance":0,"altitude":147.71790409088135,"distanceFilter":0,"horizontalAccuracy":5}
</string>
HUAWEI WEAR: USER INFO
/DOCUMENTS/<*.ARCHIVER> FILES
<string>
{"headImgLocal":"\/var\/mobile\/Containers\/Data\/Application\/9B666199-342F-4897-9577-59B68F5CF40F\/Documents\/temp_user\/temp_user.jpg","age":29,"unitType":0,"nameIsNil":false,"isDefault":true,"weight":78,"userName":"Yury Chemerkin","walkStepLen":77.28,"birthday":19880605,"height":184,"modifyTime":0,"runStepLen":92.736,"gender":0}
</string>
HUAWEI WEAR:
/DOCUMENTS/<*.ARCHIVER> FILES
Account
Account details are stored in a protected way
Device Mac Address
<string>deviceMacAddress</string>
<string>38:37:8B:B8:C9:C7</string>
Bluetooth Keys
HUAWEI WEAR: PERSONAL DETAILS
/DOCUMENTS/<WEAR*.DB> FILES
User goals
Device details
User measures
m_7_DataSourceTable_temp_user
m_7_FitnessMergedDataTable_temp_user
m_14_FineSleepDayMergeTable_temp_user
m_7_MotionGoalTable_temp_user
HUAWEI WEAR: PERSONAL DETAILS
/DOCUMENTS/<WEAR*.DB> FILES
User measures
m_14_HeartRateByDay_temp_user
m_14_SportDataByDay_temp_user
m_133_MotionPathDetail_temp_user
m_7_MotionGoalTable_temp_user
HUAWEI WEAR: PERSONAL DETAILS
/DOCUMENTS/<WEAR*.DB> FILES
User measures
m_133_SingleMovementStatistic_temp_user
m_133_SingleMovement_temp_user
HUAWEI HONOR
SUMMARY
Local data
Credentials are protected
Personal and medical info – plaintext / as is
Communication
Local – encrypted
Online – SSL Pinning for all possible connections, registration,
login and synchronization
XIAOMI MI BAND 2 & MI FIT
Online communication
AWS storages in Ireland (EU) mainly, secondary US
TLS 1.2, No SSL Pinning
Local data
Action Log with details incl. URLs
https://api-mifit.huawei.com/v1/user/manualData.json?r=f8a9d00c3433&t=1512648130831
https://api-mifit.huawei.com/users/70000054661/heartRate?r=f8a9d00c3433&t=1512648130848
https://api-mifit.huawei.com/v1/data/band_data.json?r=f8a9d00c3433&t=1512648130805
FITNESS APPS
ROAD BIKE, MOUNTAIN BIKE, …
GPS Data: longitude, latitude, altitude, accuracy, distanceInMeter,
upward/downward (meters), timestamp local, timestamp gps
Session Data: timestamp (start, end), distance, duration, avg & max
speed, upward/downward, heartZone values (need special device)
HealthDomain\Health\healthdb.sqlite
HealthDomain\Health\healthdb_secure.sqlite
HealthDomain\Health\healthdb_secure.hfd
Date of birth, sex, blood group, skin type, height (in cm), and mass (in kg)
Medical implants
APPLE HEALTH
HEALTHDOMAIN\MEDICALID\MEDICALIDDATA.ARCHIVE
Recorded by any Apple device & accessed through the Health app.
Data can be exported in .xml file format without encryption (!) and even without encrypting the zip file
Date of birth, sex, blood group, skin type, height (in cm), and mass (in kg)
Steps, distance covered (in km), active energy burned (in kJ), and exercise time (in mins)
The exact activity log time (creationDate), and activity start and end times (startDate, endDate)
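To make the export point concrete, here is an added example (not code from the talk, and not Apple's) that inventories what the plaintext export.xml discloses and produces a minimised copy for sharing. The XML is constructed to mirror the export layout the slide describes (a Me element carrying the characteristic attributes, Record elements with creationDate, startDate and endDate); every value in it is made up.

```python
"""Added example, not code from the talk or from Apple: inventory what an
unencrypted Apple Health export (export.xml inside the exported zip) discloses,
and produce a minimised copy before it is shared. The XML below is constructed
to mirror the export layout the slide describes (a <Me> element carrying the
characteristic attributes, <Record> elements with creationDate/startDate/endDate);
every value in it is made up."""
import xml.etree.ElementTree as ET
from collections import Counter

CHAR_PREFIX = "HKCharacteristicTypeIdentifier"

# Constructed export fragment (real exports run to hundreds of thousands of records).
SAMPLE_EXPORT = """<HealthData locale="en_US">
 <ExportDate value="2018-10-03 18:10:34 +0300"/>
 <Me HKCharacteristicTypeIdentifierDateOfBirth="1980-01-01"
     HKCharacteristicTypeIdentifierBiologicalSex="HKBiologicalSexMale"
     HKCharacteristicTypeIdentifierBloodType="HKBloodTypeAPositive"
     HKCharacteristicTypeIdentifierFitzpatrickSkinType="HKFitzpatrickSkinTypeII"/>
 <Record type="HKQuantityTypeIdentifierStepCount" sourceName="Watch" unit="count"
         creationDate="2018-06-09 05:12:19 +0300" startDate="2018-06-09 05:00:00 +0300"
         endDate="2018-06-09 05:10:00 +0300" value="412"/>
 <Record type="HKQuantityTypeIdentifierDistanceWalkingRunning" sourceName="Watch" unit="km"
         creationDate="2018-06-09 05:12:19 +0300" startDate="2018-06-09 05:00:00 +0300"
         endDate="2018-06-09 05:10:00 +0300" value="0.31"/>
 <Record type="HKQuantityTypeIdentifierHeartRate" sourceName="Watch" unit="count/min"
         creationDate="2018-06-09 05:12:20 +0300" startDate="2018-06-09 05:09:00 +0300"
         endDate="2018-06-09 05:09:00 +0300" value="71"/>
</HealthData>
"""


def summarize_export(xml_text: str) -> dict:
    """What a reader of the plaintext file learns without any further tooling."""
    root = ET.fromstring(xml_text)
    me = root.find("Me")
    characteristics = {}
    if me is not None:
        characteristics = {k[len(CHAR_PREFIX):] if k.startswith(CHAR_PREFIX) else k: v
                           for k, v in me.attrib.items()}
    records = root.findall("Record")
    starts = [r.get("startDate") for r in records]
    ends = [r.get("endDate") for r in records]
    # Timestamps share one textual layout and UTC offset here, so string order is time order.
    return {
        "characteristics": characteristics,
        "record_counts": dict(Counter(r.get("type") for r in records)),
        "sources": sorted({r.get("sourceName") for r in records}),
        "earliest": min(starts) if starts else None,
        "latest": max(ends) if ends else None,
    }


def minimize_export(xml_text: str, keep_types) -> str:
    """Copy of the export with the identity characteristics stripped and only the
    record types in keep_types retained: the minimum to hand over for one purpose."""
    root = ET.fromstring(xml_text)
    me = root.find("Me")
    if me is not None:
        me.attrib.clear()
    for rec in list(root.findall("Record")):
        if rec.get("type") not in keep_types:
            root.remove(rec)
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    print(summarize_export(SAMPLE_EXPORT))
    print(summarize_export(minimize_export(SAMPLE_EXPORT, {"HKQuantityTypeIdentifierStepCount"})))
```

The summary shows why the unencrypted export matters: date of birth, sex, blood type and skin type sit in one element at the top of the file, and the record timestamps bracket the user's activity down to the second; minimising the copy before sharing is the practical control.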
Fat indexes
• Vertical fat index, body fat
Mass
• Body weight, bone mass, muscle, skeletal muscle
Productivity
• BMR, body water, protein, Metabolic Age
Delta
• Tracking changes, charts, reports
PICOOC MINI (BT) –
BODY COMPOSITION SMART SCALE
BT Logs: Peripheral Info of nearby devices, and mac of itself (picooc scaler)
Body scale values: body, muscles, productivity, date & time, device mac
Friends info: name, account_id, user_id, phone_id, sex (have to have them as PICOOC users)
User Info: nick name , userID, height, age, sex, race, type
Sensor values: time, age, OS, race, type, screen size, mobile device info model, environment, language
Key                        | Stored value   | Meaning
current_age_characteristic | 3              | As is
current_role_is_athlete    | false          | As is
current_role_height        | 178            | As is
current_language           | 英语           | English
current_role_age           | 58             | As is
current_role_sex           | 男             | Man
app_type                   | PICOOC国际版   | PICOOC Worldwide Version
time_zone                  | Europe/Moscow  | As is
current_role_race          | 白             | White
current_role_type          | 使用者         | User
PICOOC SENSOR VALUES
PICOOC\LIBRARY\SENSORSANALYTICS-
MESSAGE-V2.PLIST.DB
• {"time":1537632555035,"_track_id":2682421375,"event":"$AppStart","distinct_id":"9144
339","properties":{"current_role_age":30,"$os":"iOS","current_role_race":"白
","current_role_type":"主角色
","current_role_is_athlete":false,"$screen_width":320,"event_type":"1","$app_version":"3.6.
1","current_age_characteristic":3,"$is_first_day":false,"$model":"iPhone8,4","$device_id":"E
C640161-EC87-4A90-AD99-5B29A3F86700","$network_type":"WIFI","$carrier":"Mobile
TeleSystems","$resume_from_background":true,"$wifi":true,"current_role_height":184,"curren
t_language":"英语","$screen_height":568,"app_type":"PICOOC国际版
","time_zone":"Europe\/Moscow","$lib_version":"1.9.3","$os_version":"12.0","$is_first_time":
false,"$lib":"iOS","$manufacturer":"Apple","current_role_sex":"男
","current_role_id":"9144339"},"type":"track","lib":{"$lib_version":"1.9.3","$lib":"iOS","$app
_version":"3.6.1","$lib_method":"code"}}
PICOOC
MITM - NOT SSL-PINNED
• Profile URL (publicly accessible)
https://cdn2.picooc.com/head/201810/03/20181003_181034000_50589.png
• Request URL - https://api2.picooc-int.com/v1/api/role/updateRole?sign=3DCE33B1B07E4639394F555F1D95C623&urlOfGetRequest=https://api2.picooc-int.com/v1/api&roleId=9144339&timestamp=1538579449&version=i3.6.1&appver=i3.6.1.0&requestByChildThread=0&os=iOS&userId=4611483&lang=en&timezone=Europe/Moscow&push_token=iOS::019290ade677be79f5fbded930b2435fa81eef103d89347108e265c0cd984cf2&device_id=EC640161-EC87-4A90-AD99-5B29A3F86700&device_mac=&method=update_role&
/data/data/com.myfitnesspal.android/databases/myfitnesspal.db
User details including time zone, gender, date of birth and email
- in tables <user_properties, users> - see a pic
User profile pictures - in table <images>
User personal notes - in table <diary_notes>
User records of exercises, food habits and personal measurements - in tables <exercise_entries; exercises; food_entries; foods; measurement_types; measurements>
User last synced items with the server - in table <last_sync_pointers>
User food search history - in table <search_history>
~30 mHEALTH APPS
RUNKEEPER
User profile pics - /fitnesskeeper.runkeeper.pro/cache/Picasso-cache
/fitnesskeeper.runkeeper.pro/databases/RunKeeper.sqlite
User details including activities, trips
Trips deleted by user - in table <deleted_trips>
Activities posted by user - in table <feed>
List of user’s friends - in table <friends>
Images uploaded during trips by user - in table <status_updates>
User settings for each trip - in table <trip_settings>
Places visited during all the trips - in table <points>
Information about each trip - in table <trips>
More tables
The points table is used to locate the map coordinates of a user’s route
~30 mHEALTH APPS
PERIOD CALENDAR
User personal details: name, gender, date of birth, email address, height, weight and other personal data that would help forensic investigators positively identify the app or device users.
User activities: the mHealth apps require users to enter their day-to-day food habits, health conditions, activity or exercise details, diagnosis details, medication details, symptom details, etc.
User location: fitness apps allow users to keep track of their exercise, running, jogging, cycling and other activities. These apps generally store the geographical coordinates of the user's location during these activities, which can provide useful evidence to investigators.
Activity timestamps: another important artefact is the timestamp of the user's activity. For example, linking activity timestamps with the corresponding user locations (e.g. geographical coordinates) and other relevant information (e.g. CCTV feeds) would provide useful information in an investigation.
Images: this artefact includes profile images, and images taken and posted from a location.
~30 MEDICAL/FITNESS/HEALTH APPS
App Name / Data  | User credentials and pins | Personal details of users | User activities | User location | Activity timestamps | Images
Google Fit       | N | N | P | N | F | N
MyFitnessPal     | P | F | F | N | F | F
RunKeeper - GPS  | N | N | F | F | F | N
Nike+ Running    | N | F | F | N | F | F
WebMD            | N | N | P | N | N | N
Calorie Counter  | N | F | F | N | F | N
Pseudo health apps – usually require the user to handle all data himself
Friend list, Credentials, secret questions & answers
Body values, timestamp, visited places & geo
Medical periods, schedule, pills and so on
Preferences, searches
IoT: CONCEPT, FACTS, ISSUES
Jailbreak tools
Password management
USB Acquisition
Backup
Jailbroken acquisition
Profiling
APPLE TV – I GENERATION
EASY TO BREAK
The first edition of Apple TV, with Mac OS X & an HDD, makes breaking in much easier
All possible ways to break into the first Apple TV, 8 years ago:
“Hacking the Apple TV and Where Your Forensic Data Lives”, Kevin Estis and Randy Robbins, Def Con 2009
https://www.defcon.org/images/defcon-17/dc-17-presentations/defcon-17-kevin_estis-apple_tv.pdf
https://www.youtube.com/watch?v=z-WCy3Bdzkc
APPLE TV – II-V GENERATION
EASY TO BREAK TOO
Breaks are performed in the same way as for any other Apple mobile device (iPhone, iPad)
The backup contains valuable data (forensic tools work too)
Network
User email
APPLE TV – 2ND – 5TH GEN
JAILBREAK
iCloud synced preferences
/var/mobile/Library/SyncedPreferences/
Wi-Fi Access Points
com.apple.wifid.plist
Weather Cities
com.apple.nanoweatherprefsd.plist
Cached video
/private/var/mobile/library/caches/appletv
/video/
APPLE TV – 2ND – 5TH GEN
JAILBREAK
Installed applications
/private/var/db/lsd/com.apple.lsdidentifiers.plist
Installed applications
/private/var/mobile/containers/bundle/
Installed applications
/private/var/mobile/containers/data/application/
APPLE TV – 2ND – 5TH GEN
JAILBREAK
Country, last activity
App snapshots
Youtube
APPLE TV – ANY GEN
PROFILING AS A KIND OF PROTECTION
TV Remote Payload
The TV Remote payload is designated by specifying com.apple.tvremote as the PayloadType value. If the list is not present, or is empty, any device is allowed to connect.
Availability: available in tvOS 11.3 and iOS 11.3 and later
AllowedRemotes
AllowedTVs
RemoteDeviceID
TVDeviceID
https://developer.apple.com/enterprise/documentation/Configuration-Profile-Reference.pdf
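The payload keys above are easiest to reason about with a profile in hand. The script below is an added example (not code from the talk, and not Apple's) that builds the com.apple.tvremote payload with plistlib and models the documented rule that an absent or empty allow-list lets any device connect. The device identifiers are placeholders; the enclosing profile keys (PayloadContent, PayloadIdentifier and so on) follow the usual configuration-profile layout and are assumed, only the tvremote keys come from the slide.

```python
"""Added example, not code from the talk or from Apple: build the TV Remote
restriction payload with plistlib and apply its documented rule (no list, or
an empty list, means any device may connect) to a serialised profile.
Device identifiers are placeholders; the wrapping profile keys are the usual
configuration-profile layout and are assumed here, not taken from the slide."""
import plistlib
import uuid

TVREMOTE_TYPE = "com.apple.tvremote"


def tvremote_payload(allowed_remotes=None, allowed_tvs=None) -> dict:
    """One com.apple.tvremote payload dictionary.

    allowed_remotes: RemoteDeviceID values the TV will accept (for a tvOS profile)
    allowed_tvs:     TVDeviceID values a remote may connect to (for an iOS profile)
    """
    payload = {
        "PayloadType": TVREMOTE_TYPE,
        "PayloadVersion": 1,
        "PayloadIdentifier": "example.tvremote.placeholder",  # placeholder identifier
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": "TV Remote restrictions",
    }
    if allowed_remotes is not None:
        payload["AllowedRemotes"] = [{"RemoteDeviceID": d} for d in allowed_remotes]
    if allowed_tvs is not None:
        payload["AllowedTVs"] = [{"TVDeviceID": d} for d in allowed_tvs]
    return payload


def build_profile(payloads) -> bytes:
    """Wrap payloads in a top-level configuration profile and serialise as an XML plist."""
    profile = {
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadIdentifier": "example.profile.placeholder",  # placeholder identifier
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": "Apple TV remote pairing policy",
        "PayloadContent": list(payloads),
    }
    return plistlib.dumps(profile, fmt=plistlib.FMT_XML)


def remote_allowed(profile_bytes: bytes, remote_id: str) -> bool:
    """Apply the slide's rule to a serialised profile: with no tvremote payload,
    no AllowedRemotes key, or an empty list, any remote may connect; otherwise
    only the listed RemoteDeviceID values are accepted."""
    profile = plistlib.loads(profile_bytes)
    for p in profile.get("PayloadContent", []):
        if p.get("PayloadType") != TVREMOTE_TYPE:
            continue
        allowed = [e.get("RemoteDeviceID") for e in p.get("AllowedRemotes", [])]
        if allowed:
            return remote_id in allowed
    return True


if __name__ == "__main__":
    # Placeholder device IDs, not real Apple device identifiers.
    locked = build_profile([tvremote_payload(allowed_remotes=["REMOTE-ID-PLACEHOLDER-1"])])
    print(locked.decode())
    print(remote_allowed(locked, "REMOTE-ID-PLACEHOLDER-1"), remote_allowed(locked, "OTHER"))
```

The important behaviour is the fall-through at the end of remote_allowed: shipping the payload without populating AllowedRemotes does not restrict anything, so a profile meant as protection has to be checked for a non-empty list, not merely for the presence of the payload.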
IoT: CONCEPT, FACTS, ISSUES
Root
• Pictures and the specification
AMAZON ECHO DOT
Local access
Bootloader
Credentials breaks
AMAZON ECHO DOT
LOCAL ACCESS, LACK OF ROOT
Alexa doesn’t have ADB, but has an MTK preloader:
Bus 001 Device 010: ID 0e8d:2000 MediaTek Inc. MT65xx Preloader
However, SP Flash Tool does not work atm
Bootloader – press and hold ‘Uber’ while it is loading, but the bootloader is locked and no unlocking key is available
Bus 001 Device 019: ID 0bb4:0c01 HTC (High Tech Computer Corp.) Dream / ADP1 / G1 / Magic / Tattoo
# fastboot devices
fastboot
# fastboot getvar all
lk_build_desc: c1…..
prod: 1
unlock_status: false
serialno: […..]
product: BISCUIT
version-preloader: 0.1.00
version: 0.5
AMAZON ECHO DOT
MITM. WHAT ABOUT SSL?
Self-signed certificates are allowed on Alexa for devs
https://developer.amazon.com/docs/custom-skills/configure-web-service-self-signed-certificate.html
https://www.amazon.com/gp/help/customer/display.html?nodeId=201589180
Metrics - https://device-metrics-us-2.amazon.com/metricsBatch
HTTP_USER_AGENTDAMZN(SmartPhone/iPhone/A2IVLV5VM2W81,iOS/12.0,Alexa//2.2.233205,DCM)"
CountryCode RU"
Profile
Name, Billing Address, Shipping Address
Device IDs, types, Account ID, Device capabilities
First answer in .mp3 (https://tinytts.amazon.com/) stored for a long time (at least a couple of months)
AMAZON ALEXA APP
LOCAL
Library\Application Support\device.sqlite – device list with IDs, serials
Library\METRICS_NORMAL\* - logs & metrics HTTP_USER_AGENT(SmartPhone/iPhone/A2IVLV5VM2W81,iOS/12.0,Alexa//2.2.233205,DCM)
CONNECTED HOME
READYFORSKY
Backup
Lightify
IKEA TRÅDFRI
Philips HUE
LIGHTIFY
Lightify is an IoT platform with the simplest integration of wireless lighting.
Wireshark does not support QUIC decryption at the moment. The drafts at tools.ietf.org/wg/quic are also not really detailed on the ciphers.
Communication
Online – usually encrypted, MITM sometimes possible
Local – unprotected, custom protocols & encryption – usually analyzed
Firmware – usually plaintext, malicious attacks are possible
Local
Credentials, log, data
CONNECTED HOME
SUMMARY
Jailbreaks & roots
Available for popular devices
Sideloading apps is possible
New in-house manager devices, such as the Alexa Dot, don’t have root tools
Backup & Data
Works for many devices
Works for synchronizing apps, like Alexa
In-house smart manageable things work through an app manager that, in turn,
Allows itself to be managed by any device over BT or Wi-Fi, e.g. to cast video or other content
Doesn’t have good protection and is available over the Internet
Has firmware issues with malicious over-the-air attacks
A lot of data is stored locally in the app installed on the mobile device
Carried in the user’s pocket everywhere
IoT: CONCEPT, FACTS, ISSUES
Password Management
Default credentials – change them, for the router’s and the IoT devices’ passwords
Unique passwords – use unique, complex passwords made up of letters, numbers, and symbols
IoT
HOW TO SECURE
Software Management
Settings – change the default privacy policies & security settings
Features – disable features you don’t need, such as remote access
Apps – avoid apps that don’t encrypt data locally or in transit
Patches – keep all devices & software up to date
VPN – stand-alone software, or shipped with the router, to protect the connections of IoT devices that work over the Internet
Multifactor & Hubs – use all security settings that require additional actions before the device can be easily hacked
Data
Data Analysis – analyzing the data generated by IoT devices to understand what data might be monetized
Activity Analysis – identifying unusual activity of IoT devices to understand what data might be leaked
Breaking tools
Risky apps – avoid apps from outside the store, and junk apps from the app store
Broken – don’t break any device in a chain of devices; rely on supported vendor ROMs
Flashed – flash clean & secure ROMs to remove unwanted apps, but rely on well-known supported ROMs
Cloud & third-party tools
IoT clouds – audit them before using them for your personal/business needs
Third-party services – there are many automation tools to manage IoT devices. Use secured and audited ones, and stay informed
MOBILE, IoT, CLOUDS…
IT’S TIME TO HIRE A RISK MANAGER!
YURY CHEMERKIN
SEND A MAIL TO: YURY.S@CHEMERKIN.COM
HOW TO CONTACT ME ?
ADD ME IN LINKEDIN:
HTTPS://WWW.LINKEDIN.COM/IN/YURYCHEMERKIN