DEFCON 27 Conference. Buttplug: True Penetration Testing. Part 1

Analysts estimate that there are currently about 10 billion Internet of Things (IoT) devices. Some of them have earned their place on the market quite literally by climbing up people's backsides. As it turns out, cheap, low-power radio chips are not only great for home automation; they are also changing the way people interact with sex toys. This talk dives into the world of teledildonics, the technology of sex at a distance, in which tactile, temperature and other sensations are transmitted between partners over a two-way communication link. The speaker shows how well the security of "smart" electronic butt plugs holds up against an attacker who finds and exploits vulnerabilities at every layer of the stack. Ultimately, this allows both the sex toys themselves and the devices they connect to to be compromised.



A hacker known as smea, or Smealum, began his career developing homebrew games for consoles such as the Nintendo DS while at the same time trying to hack them. At some point the consoles acquired serious security systems, and smea switched from writing homebrew software to developing techniques for breaking that security. smea is known for his work on the Nintendo 3DS and Wii U, and has also contributed to exploits for the most popular web browsers and virtualization stacks. Now, it seems, he has taken an interest in hacking "smart" butt plugs.

Hello everyone, I'm smea, and today we'll talk about how to hack a butt plug. This is the object I'm holding in my hand; I don't know if you've seen one before, personally I hadn't. But over the past two years I have met many interesting representatives of the IoT industry, so now it's this thing's turn. You may be wondering how you can hack a butt plug, because it's just a piece of silicone that needs to be inserted somewhere, and you'll agree there aren't many places for that.

In fact, that doesn't require any electronics at all. But over the past few years, or even decades, a new industry of electronic devices called teledildonics has appeared. The origin of the term is shown on the slide: the Greek "tele" means "from afar", and the English "dildo" means nothing other than a dildo. I tried to find the origin of the word dildo, but nobody knows where it came from. But the idea is clear, right? The idea is that you want to make sex toys that can somehow be controlled from a distance.

There are several scenarios for this. I just want to explain how this works, because not everyone is familiar with such devices. So, you take the butt plug, insert it where necessary, and can control it remotely from wherever you want: from your phone, laptop, etc. This is the first scenario, called "solo play". The second scenario I call "local multiplayer": this is when you hand over control of this thing to someone else. This is a pretty real thing that is often advertised: you can, for example, go to a bar with it and nobody will know how much fun you're having. But technically this creates a new attack vector, because you give control of the device to an outsider, and here the threat model really changes.

The third scenario, "remote multiplayer", is similar to the second, only now you let another person control the device over the Internet. Keep in mind that this person may be a stranger.



For many, sex at a distance looks pretty cool and fun, and I'm not going to joke about it. Some people use teledildonics to earn a living, and scenario 3B is called "remote paid multiplayer". So the fact that I am trying to hack a butt plug is not just entertainment; it gives my penetration research a certain justification.



Many people, I don't know what to call them, boys, girls, provide dynamic sexual entertainment on the Internet, letting other people control their sex toys for money. The company that makes these butt plugs has a patent on the concept of taking a cut of the profits when its products are used for sex games on the Internet. In this scenario, for a $5 fee, you get the right to post a link, for example on Twitter, giving someone the opportunity to control your butt plug for a limited time. Since people rely on these toys as tools for making money, in my opinion it is very important to consider their security.

Let's look at the scenarios that are of interest to attackers. The first is a local hack, where an attacker within range of the device takes control of it over the wireless link. There has been a lot of research on this attack method, so we won't dwell on it.



Technically, such intervention can be regarded as sexual abuse, so whether it is legal or not, don't try to do it. In the next scenario, an attacker does the same thing, but remotely, over the Internet. As I said, if you make money this way, you could well voluntarily give a stranger, that is, an attacker, remote access to your sex toy.

This means that a hacker can compromise your "smart" sex toys or the devices connected to them, in short, do something bad to you, and it's completely legal, since you gave him access yourself. For a hacker this is the more interesting option, so we'll stay on it a little longer.



The third scenario is the reverse: the attacker uses the butt plug itself to take control of a computer or phone and hack the devices on the side of the user who is remotely participating in games with the plug. People don't realise this is a real risk, but you can probably imagine how insidious butt plugs can be (laughter in the hall). We'll explore this scenario too.



Now that you have an idea of the world of teledildonics, let's look at what it looks like in practice. On the slide you see a model called the Lovense Hush, and later I will show you a live demo with this thing. This is the world's first teledildonic butt plug, an anal plug that can be controlled from your phone or computer. There are iOS and Android apps for this butt plug, and you can control it from a computer running macOS or Windows. The mobile apps support social features such as chat, sharing text, pictures and videos, and controlling toys with friends or strangers.



For Windows you need to use a special USB dongle, which I'll show later, because right now this butt plug is connected to my computer through it. The dongle was developed by the same company, Lovense, the manufacturer of the butt plug, which has created its own ecosystem of "smart" dildos and takes about a $5 commission per session on the Internet.



The next slide shows my view of an attack on a butt plug via the PC application. There is a BLE (Bluetooth Low Energy) connection between the butt plug and the USB dongle, the dongle is connected to the user's computer, which in turn is connected to the Internet. In scenario No. 1 the attacker targets the segment between the butt plug and the USB dongle, that is, the BLE connection is attacked. In fact there is no protection, so any stranger can take control of this toy. Last year there was a lot of discussion about a tool called BtleJack, which allows you to successfully attack such a connection.



Scenario No. 2 consists of attacking the segment between the user's computer and the Internet. The third scenario is an attempt to hack any of the three segments: BLE, USB, Internet. It is likely that there is an open-source project called Buttplug... you can laugh, it was a joke. So where do we start our "true penetration testing"?



I didn't find any source code or binaries for the dildo or the dongle themselves, but the application binaries for mobile devices and for the computer are available for download on the Internet. I installed these on my computer and started working on them. On the next slide you see the application interface for controlling the butt plug. In the centre of the screen there is a slider for adjusting the toy's vibration, and on the left is a control panel with buttons: account access, local control mode, and remote control mode via the Internet. In order to understand the structure of the application, you just need to read a bit of messy JavaScript code.



I don't like JavaScript, but what's good about it is that it carries a bunch of variable names and object field names, and all of that reverse-engineers perfectly. Just drop the code into a beautifier and find out how it works. Once you've done this, you can begin to understand how the dongle works.



Having found out that it is just a serial port over USB, I started sniffing the traffic between the dongle and the application. Pay attention to the lines on the right of the slide: first of all, I noticed that the messages between the dongle and the application are in JSON text format. For JavaScript code this is familiar, but for a USB dongle, which is a 32-bit microcontroller, embedding a JSON parser looks strange... For us it is very convenient, because JSON parsers in firmware usually contain bugs that can be exploited.



However, finding bugs without the dongle's own code is a tedious task, but since I had the application code, I started looking in it for the mechanism for updating the dongle firmware, and soon found what I wanted: the URL of the update endpoint. It turned out that the firmware was not encrypted or signed in any way, so I just downloaded it and got a binary for analysis.



Then I started reverse engineering and noticed two things. First, there are two command handlers for the USB serial port. The first handles simple commands such as reset or device type, the second handles commands such as DFU for updating the device firmware, so we have the ability to send these commands and update the firmware.



Having looked at the JSON parser, which is of most interest to us, I discovered the expected bug, in the parseJsonString function. It simply needs to copy the original string into a newly allocated buffer, while also handling things like escape sequences. The length it calculates for the new buffer does not match the length actually used.



This function works like this: it handles a \u escape sequence by skipping the 5 characters that follow it instead of, as you would expect, checking them for a null. Thanks to this, we can get past the null terminator and make the length computed in the first pass incorrect.



This little animation shows what happens here. The backslash followed by U means that 6 characters must be skipped. Next, the function jumps over the null terminator, which is a problem. Then the process continues, all the characters are copied and end up in a buffer that is only 6 bytes long. Here the second problem appears: a buffer overflow. This is great, but we still don't know how the dongle hardware works.



We know for sure that it has no ASLR (address space layout randomization) and no stack cookies, but it is possible that the dongle has protection such as DEP (data execution prevention) or XN, which prevents code execution in memory outside the .text region.

The dongle is equipped with an nRF51822 SoC with a Cortex-M0 processor, without DEP protection, which is very popular in BLE devices and has a bunch of debug pins. So it is quite simple to connect to this dongle by soldering a couple of things to it and debug it through the SWD interface used for debugging and flashing these chips, if it hasn't been disabled at the factory. By connecting via SWD, we can dump the heap contents.

It turns out that the heap is used only by the JSON parser, which is not very cool, but the heap contains metadata. So what can be corrupted here? Of course, the heap metadata! This is how we build an exploit for the JSON parser.



The heap is just a free list. If you look at this code, you can see that each allocation has its own length and a pointer. With a buffer overflow, you can corrupt the length and the next pointer, which lets you control the location of the next allocation. By copying a new string into it, you can easily place arbitrary data at an arbitrary address. All of this can be done with the debugger connected.
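The following C program is an added example, not code from the talk or from the dongle firmware (which is not on the page). It reconstructs the class of bug described above for parseJsonString and shows why the free-list metadata just mentioned is what gets hit. The function names, the 32-byte receive buffer and the {length, next} chunk layout are assumptions for illustration: a two-pass unescape whose length pass skips six bytes for every \u without checking that the hex digits, or even the terminator, are there, while the copy pass treats a malformed escape literally. On a truncated "\u" the two passes disagree, the copy writes more than was allocated, and the bytes land on the next chunk's header. The hardened version does the work in one bounded pass and rejects truncated escapes and embedded NULs.

```c
#include <ctype.h>
#include <stdint.h>
#include <string.h>

#define RX_SIZE 32  /* assumed: the app caps serial JSON messages at 32 bytes */

/* Assumed free-list chunk header: the talk says each allocation carries a length and a next pointer. */
struct chunk_hdr { uint32_t len; uint32_t next; };

static int is_hex4(const char *p, const char *end)
{
    for (int i = 0; i < 4; i++)
        if (end - p <= i || !isxdigit((unsigned char)p[i])) return 0;
    return 1;
}

static unsigned decode_u4(const char *p)            /* only valid after is_hex4(p, end) */
{
    unsigned v = 0;
    for (int i = 0; i < 4; i++) {
        char c = (char)(p[i] | 0x20);               /* folds A-F to a-f, leaves digits alone */
        v = v << 4 | (unsigned)(c <= '9' ? c - '0' : c - 'a' + 10);
    }
    return v;
}

/* VULNERABLE length pass: "\u" is taken as 6 input bytes / 1 output byte with no
 * check that the hex digits or even the terminator exist, so it steps over a NUL. */
static size_t vuln_unescaped_len(const char *s, const char *end)
{
    size_t n = 0;
    while (s < end && *s != '"') {
        if (*s == '\\' && end - s > 1 && s[1] == 'u') { s += 6; n++; continue; }
        s++; n++;
    }
    return n;
}

/* VULNERABLE copy pass: a valid \uXXXX is decoded (low byte only); a malformed one is
 * copied literally, NUL included. The passes disagree on exactly that case. */
static size_t vuln_unescape_copy(char *dst, const char *s, const char *end)
{
    char *d = dst;
    while (s < end && *s != '"') {
        if (*s == '\\' && end - s > 1 && s[1] == 'u' && is_hex4(s + 2, end)) {
            *d++ = (char)decode_u4(s + 2); s += 6;
        } else *d++ = *s++;
    }
    *d++ = '\0';
    return (size_t)(d - dst);                        /* bytes written, terminator included */
}

struct demo_result { size_t counted, alloc, written; uint32_t hdr_len, hdr_next; };

/* Constructed scenario: rx still holds a stale longer message ('A's and its closing quote);
 * the new message is just a truncated "\u". A fake heap puts a chunk header after the allocation. */
static struct demo_result demo_heap_overflow(void)
{
    char rx[RX_SIZE];
    memset(rx, 'A', sizeof rx);
    rx[RX_SIZE - 2] = '"'; rx[RX_SIZE - 1] = '\0';
    memcpy(rx, "\\u", 3);                            /* '\\', 'u', '\0' */
    const char *end = rx + RX_SIZE;
    struct demo_result r = {0};
    r.counted = vuln_unescaped_len(rx, end);
    r.alloc = r.counted + 1;                         /* what the parser allocates */
    uint8_t arena[64] = {0};
    struct chunk_hdr hdr = { 0x10, 0x200012FFu };
    memcpy(arena + r.alloc, &hdr, sizeof hdr);
    r.written = vuln_unescape_copy((char *)arena, rx, end);   /* written > alloc */
    memcpy(&hdr, arena + r.alloc, sizeof hdr);       /* header is now attacker bytes */
    r.hdr_len = hdr.len; r.hdr_next = hdr.next;
    return r;
}

/* HARDENED: one bounded pass; every escape is validated, a NUL or a missing closing
 * quote is rejected, and dstsz is the only limit. Returns the length or -1. */
static int safe_unescape(char *dst, size_t dstsz, const char *s, const char *end)
{
    size_t n = 0;
    while (s < end && *s != '"') {
        char c;
        if (*s == '\\') {
            if (end - s < 2) return -1;
            if (s[1] == 'u') {
                if (!is_hex4(s + 2, end)) return -1;
                unsigned cp = decode_u4(s + 2);
                if (cp > 0x7F) return -1;                /* demo: ASCII escapes only */
                c = (char)cp; s += 6;
            } else { c = s[1]; s += 2; }
        } else c = *s++;
        if (c == '\0' || n + 1 >= dstsz) return -1;
        dst[n++] = c;
    }
    if (s >= end) return -1;                             /* no closing quote */
    dst[n] = '\0';
    return (int)n;
}
```

Calling demo_heap_overflow() gives counted 25, allocated 26, written 31: the length pass skipped the NUL and five of the stale bytes, the copy pass did not, and the five surplus bytes plus the terminator overwrite the fake chunk's length and the low byte of its next pointer, which is exactly the state the free-list attack above starts from. The single-pass version cannot drift because the same code decides both what is consumed and what is written, and the caller's buffer size, not a precomputed count, bounds the copy.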



On the right side of the slide you see a stack that has been dumped and completely overwritten with just 8 characters. This gives us code execution on the USB dongle, which is pretty cool.
I then remembered that, unfortunately, this dongle has an emergency DFU firmware update mode. I expected that, by analogy with hacking game consoles, this mode would authenticate the update in some way. It turns out that the DFU here uses the classic CRC16 checksum, which, if you understand cryptography, is not authentication of any kind. I don't think they really wanted to use authentication in this case; most likely they just decided that few people would be interested in executing code on the USB dongle of a butt plug. However, it interested me.



At this point I had two different ways to execute code on this device, but fiddling with the JSON parser, which I spent a lot of time on, turned out not to be particularly effective given the presence of DFU mode. Later we'll consider this method together with the existing parser vulnerability. For now, I was more interested in whether it is possible to simply modify the main.bin file, recalculate its CRC16 and flash it using the program that is included in the Lovense Remote application. It turned out that it is possible.
As a result we got a USB dongle compromised from the PC application, and this was definitely the easiest part to hack. Having gained control of the dongle, I started looking for a way to execute code on the butt plug itself.
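To make concrete why a CRC16 is an integrity check and not authentication, here is an added C example; it is not Lovense's or Nordic's code. It assumes the CRC-16-CCITT variant (polynomial 0x1021, initial value 0xFFFF, MSB first, no final XOR) that the nRF5 SDK's legacy DFU uses for its image check, and the image bytes are a constructed stand-in for main.bin. A patched image fails the checksum the vendor shipped, and passes again the moment the attacker recomputes it, which is the "modify, recalculate, flash" step described above.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* CRC-16-CCITT: polynomial 0x1021, initial value 0xFFFF, MSB first, no final XOR.
 * Assumption: this is the variant the nRF5 SDK legacy DFU uses for image checks. */
uint16_t crc16_ccitt(const uint8_t *p, size_t n, uint16_t crc)
{
    for (size_t i = 0; i < n; i++) {
        crc ^= (uint16_t)(p[i] << 8);
        for (int b = 0; b < 8; b++)
            crc = (crc & 0x8000) ? (uint16_t)((crc << 1) ^ 0x1021) : (uint16_t)(crc << 1);
    }
    return crc;
}

/* What a CRC-only bootloader does before flashing: compare the image CRC with the
 * one sent alongside it. Nothing here depends on a secret the attacker lacks. */
int dfu_accepts(const uint8_t *img, size_t n, uint16_t claimed_crc)
{
    return crc16_ccitt(img, n, 0xFFFF) == claimed_crc;
}

/* Constructed stand-in for main.bin: the start of a Cortex-M vector table (initial
 * stack pointer, reset handler) followed by filler. Real images are far larger. */
static const uint8_t vendor_image[32] = {
    0x00, 0x40, 0x00, 0x20,  /* initial SP = 0x20004000 */
    0xC1, 0x01, 0x00, 0x00,  /* reset      = 0x000001C0 | 1 (Thumb bit) */
    0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08,
    0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F, 0x10,
    0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17, 0x18,
};

struct forgery { uint16_t vendor_crc, forged_crc; int tampered_rejected, forged_accepted; };

/* The attack in three steps: take the vendor image and its CRC, patch a byte (here the
 * reset vector, so the bootloader would jump into attacker code), recompute the CRC. */
struct forgery demo_forgery(void)
{
    uint8_t img[sizeof vendor_image];
    struct forgery f;
    memcpy(img, vendor_image, sizeof img);
    f.vendor_crc = crc16_ccitt(img, sizeof img, 0xFFFF);        /* shipped with the update */
    img[4] = 0x01;                                              /* reset -> 0x00000100 | 1 */
    f.tampered_rejected = !dfu_accepts(img, sizeof img, f.vendor_crc);  /* CRC catches it... */
    f.forged_crc = crc16_ccitt(img, sizeof img, 0xFFFF);        /* ...until it is recalculated */
    f.forged_accepted = dfu_accepts(img, sizeof img, f.forged_crc);
    return f;
}
```

The CRC is public, deterministic and keyless, so anyone who can produce an image can produce a matching checksum; it protects against a corrupted download, not against a hostile one. The check that would have stopped this is a signature over the image verified with a public key baked into the bootloader, so that producing an acceptable update requires a private key the attacker does not hold.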



To do this, I turned to the "hardware" of our sex toy; it probably also had a debug interface, and it was worth a look. Having examined the butt plug, I found a more serious chip, with a larger amount of flash memory and RAM and a more powerful Cortex-M4 processor.

I easily figured out what was missing and what was on board the butt plug. There is no DEP, just like on the dongle; at the top there are wires leading to the battery, next to it is the charging port, the contacts of the vibration motor, several contact pads for debugging and a Bluetooth antenna. So thanks to the presence of SWD, the device can easily be reflashed.



You see what happened: I have no shareholder, but there will always be a bunch of butt plugs in the bag for experiments. Then I started reverse engineering and debugging the butt plug, dumping the original firmware. There were no JSON parsers, only simple commands, but a lot of them.

I thought that if the dongle's firmware update mode was so insecure, then there might be vulnerabilities here too. And so it turned out. Searching for DFU, I found two things: the regular DFU command handler and the string DfuTarg in the boot sector. DfuTarg is used in the same way as the LVS-Z00 identifier of the butt plug, that is, it is the name of the BLE DFU bootloader. So in DFU mode the butt plug is advertised as a device named DfuTarg, and this unique identifier can be used to find the device.
So if you send it exactly the same DFU command that we sent to the dongle, the butt plug goes into device firmware update mode. For flashing you can use the proprietary tools from Nordic Semiconductor, the chip manufacturer: nRF Toolbox.



Using a hardware sniffer, you can visualize the BLE packets in Wireshark.



I sent a short message, "hello from plug", and this means that you can execute code on the butt plug without any hacking; this is not a vulnerability but simply a design choice by the developers that allows the device to be reflashed. Perhaps the open-source community would like this solution. The bottom line is that anyone who can connect to your butt plug is able to run their own code on it, and that is already a rather dangerous thing. In this case the hacker has to be within local range, that is, close enough to the sex toy to gain control over it through a compromised dongle and the BLE channel. You can use the dongle itself, or any other BLE device.



The question is, what can you really do with the butt plug once you're able to run your own code on it? I have a few ideas. The first: having taken control of this thing, you can create a ransomware butt plug. You can modify its firmware so that the user will not be able to enter DFU mode until you provide them with a certain key, or you just turn off the vibration function and ask for 50 bucks to unlock this useful device.



For many this will serve as a kind of vaccine against the use of such toys. The second idea is to turn the butt plug into a weapon. It has a fairly powerful battery that powers the vibration motor; you could say that 80% of the butt plug's contents is battery. You probably remember what happened with the Samsung Galaxy Note smartphones, they just exploded (laughter), so it's likely this could happen with butt plugs too. I don't know what the probability of it exploding is, but if you have a lot of sex toys with a motor, you should think about it. The development team claims that these things are absolutely safe, despite the presence of many moving parts. But if that is the case, then the device's safety feature is implemented in software, not hardware. In that case, the execution of malicious code can have disastrous consequences.

Sex toys equipped with an air pump are also dangerous. They also have a fairly powerful motor with a battery, so you should pay attention to them as well.
Finally, the last idea is a hostile butt plug. Hostile not in the sense that it is capable of blowing up your ass, but in that it can serve as a means of hacking the rest of your devices. So we'll consider the butt plug from the point of view of its hostility, which is achieved by executing malicious code.

Let's try to find out whether it is possible to achieve code execution in the butt plug application by looking at how it processes incoming messages.



On the left you see a callback in JavaScript, and on the right how it interacts with the application through the serial port. The callback receives a string, which is then processed by a bunch of different functions.

The first function is to find the dongle; it processes the initialization messages coming from the dongle. The second function is the on("data") handler, which accepts an incoming JSON packet, the length of which, by the way, cannot exceed 32 characters. Then parsing and everything else is done. In fact there is no serious processing here: it just requests the device status, checks the battery charge and similar overhead.

The last function is much more interesting; I call it the debug log, although it actually has no name in the real code. This function logs everything that arrives through the serial port and dumps these lines to the console, which displays an error message if necessary. In addition, this function creates a new DOM element as an HTML element and throws all the content received through the serial port into this HTML. I am not a web developer, but I think this is a serious XSS vulnerability.

So if you have control over the dongle, you can send anything over the serial port, forcing the application to interpret it as HTML. This is a problem, because HTML can create new JavaScript code in the application installed on your computer, that is, it can compromise it. The question is what malware can be devised knowing that only 32 characters are allowed at a time.

22:00 min

DEFCON 27 Conference. Buttplug: True Penetration Testing. Part 2


