Smart Lighting Security
Exploring and Addressing Security Risk in Smart Lighting Systems
Paul Jauregui | VP, Marketing | Praetorian.com
Information Security Assessment and Advisory
Recent data breaches in various industries have heightened consumers’ awareness of data security and privacy.
“LIFX Smart LED Light Bulbs Leak Wi-Fi Passwords”
“Philips Hue Lightbulbs Easily Hackable, Blackouts Imminent”
“Belkin WeMo Smart Home Networks in Danger of Hacks”
“Hacking Traffic Lights Is Apparently Really Easy”
Consumer Attitudes Towards Data Security
Strong data security and privacy practices are not just about risk mitigation, but also a potential source of competitive advantage.
‣ 72%: I avoid purchasing brands from consumer product companies that I do not believe protect my personal information
‣ 80%: I am more likely to purchase brands from consumer product companies that I believe protect my personal information
‣ 70%: I am more likely to buy products from a company that is verified by a 3rd-party as having the highest standards of data privacy and security
‣ 59%: A single data breach would negatively impact my likelihood to buy brands from a consumer products company
Source: Consumer responses from the consumer product consumer and executive survey on data privacy and security, Deloitte LLP, August 2014
Common Security Challenges
Product Development Lifecycle
‣ Research: Time to market pressures
‣ Develop: General lack of security consciousness
‣ Testing: Security is often left as an afterthought
‣ Launch: Insufficient security testing prior to launch
‣ Support: Ongoing security support and maintenance
CASE STUDY: The Praetorian Smart Lighting Lab
Smart Lighting System Components
[Diagram labels: cloud services; Internet; WiFi router; lighting gateway; remote; mesh network (6LoWPAN, Z-Wave and more); mobile apps (WiFi, cellular); sensor; internal network; external]
Examples of Smart Lighting System Attacks
‣ Denial of Service: Can someone disrupt functionality, such as preventing the lights from turning on?
‣ Control of System: Can an unauthorized user take control of existing lighting functionality?
‣ Facilitate Attacks: Can someone use the lighting system as a way to infiltrate the network or attack other systems?
Finding & Targeting Smart Lighting Systems
1. | Get Zigbee Recon Gear
‣ KillerBee Software: designed to aid in recon and exploitation of ZigBee networks (free)
‣ Cheap/accessible Hardware: RZRAVEN USB ($35), Raspberry Pi with Zigbee radio ($50)
2. | Take a Drive (Wardriving)
3. | Sniff and Log Zigbee Traffic
4. | Analyze Zigbee Traffic and Fingerprint Devices with Company MAC address
[Photos by Travis Goodspeed]
Philips Hue Smart Lighting Network Identified
TCP/Greenwave Lighting Network Identified
Praetorian Smart Lighting Lab
[Diagram labels: LED bulbs + “smart” platform; TCP gateway; WiFi router; bulb mesh network; WiFi; 6LoWPAN]
Embedded Device (Hardware) Hacking
First documented and exploited by GTVHackers (SSH password is online): https://www.exploitee.rs/index.php/Greenwave_Reality_Bulbs
Gained persistent root access to the device via its SSH server, which runs on boot up
‣ Connected test points on the board to a UART adapter for “Kernel Init Hijacking”
‣ “Kernel Init Hijacking” allows temporary root access to the TCP hub file system by tampering with the boot sequence and injecting commands
‣ Access used to retrieve the SSH password for the root account, which was “thinkgreen”
‣ Root access now possible on all TCP/Greenwave systems (via SSH on internal network)
‣ With that control, we cross-compiled and installed additional network analysis tools on the hub (netcat, nmap, etc.) to learn more about device behavior
‣ Potential to also remotely install malicious software that turns the hub into a proxy to the network, sniffs/exfiltrates data, or launches attacks on other systems
[Photo labels: UART port; TX, RX, Ground]
In January 2015, Greenwave forced a firmware update that fixed these issues
✓ Removed the local web control interface that lacked authentication by closing port 80
✓ Opened a secure HTTPS (port 443) service with currently unknown functionality
✓ Closed the SSH (port 22) service to remove persistent root access to the hub via SSH credentials shared by all devices
✓ UART pins may have been silenced, and boot delay may have been set to zero (no more “kernel init hijacking”)
[Photo label: UART pins silenced]
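Added example (not from the original slides or from Greenwave): a Python audit that checks hubs you operate against the port changes listed above and flags any that still expose 22/tcp or 80/tcp. The hub names, addresses and the PRE-UPDATE / UPDATED / UNKNOWN labels are assumptions made for illustration.

```python
import socket

# Port profile taken from the slide: before the January 2015 update the hub
# exposed 22 (SSH) and 80 (web control); afterwards 443 is the open service.
LEGACY_PORTS = {
    22: "SSH with shared root credentials",
    80: "web control interface without authentication",
}
UPDATED_PORT = 443


def probe(host, ports=(22, 80, 443), timeout=1.0):
    """Return the set of TCP ports on `host` that accept a connection."""
    open_ports = set()
    for port in ports:
        try:
            with socket.create_connection((host, port), timeout=timeout):
                open_ports.add(port)
        except OSError:
            pass  # refused, filtered or timed out: treat as closed
    return open_ports


def classify(open_ports):
    """Map observed open ports to a (status, detail) finding."""
    legacy = sorted(p for p in open_ports if p in LEGACY_PORTS)
    if legacy:
        detail = "; ".join(f"{p}/tcp {LEGACY_PORTS[p]}" for p in legacy)
        return ("PRE-UPDATE", detail)
    if UPDATED_PORT in open_ports:
        return ("UPDATED", "only 443/tcp reachable, matches post-update profile")
    return ("UNKNOWN", "no expected service reachable; verify the device is online")


def audit(inventory, prober=probe):
    """inventory: {name: host}. Returns {name: (status, detail)}."""
    return {name: classify(prober(host)) for name, host in inventory.items()}


if __name__ == "__main__":
    # Constructed observations standing in for live probes, so this runs offline.
    observed = {"192.0.2.10": {22, 80}, "192.0.2.11": {443}, "192.0.2.12": set()}
    hubs = {"lobby-hub": "192.0.2.10", "lab-hub": "192.0.2.11", "spare-hub": "192.0.2.12"}
    for name, finding in audit(hubs, prober=observed.get).items():
        print(name, *finding)
```

Drop the `prober=` argument to probe real hubs on your own network; a PRE-UPDATE result means the device has not received, or has reverted from, the firmware described above.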
Recommended Security Best Practices
Product Development Lifecycle
‣ Research: Train employees about security best practices
‣ Develop: Build security in from the start, don’t bolt it on
‣ Testing: Conduct 3rd-party security risk assessments
‣ Launch: Test security measures before product launch
‣ Support: Monitor product through its life, patch known vulns
The Security Experts
INFORMATION SECURITY ASSESSMENT AND ADVISORY
NETWORK | APPLICATION | MOBILE | CLOUD | IOT
Presented by Paul Jauregui, VP Marketing, Praetorian
Twitter: @pauljauregui
Learn more at http://www.praetorian.com