Besides conference sessions, DefCamp 2016 also ran various competitions in the hacking village. I wandered about the critical infrastructure area - an amazing model kit of a train, station, and solar panels all controlled by Siemens and Schneider PLCs - but mostly, of course, at the IoT village.
Illustration 1. Critical Infrastructure village with model kit, PLCs, and SCADA supervision monitor
At the IoT village, several connected devices were available to be hacked: web cameras, a water sensor, a coffee maker... I lost some time on the Foscam IP camera, and then on the coffee maker.
Illustration 2. Available devices at the IoT Village. Note the IP addresses are private to the IoT village LAN.
I started scanning the coffee maker’s IP address for open ports, but was quite unlucky:
$ sudo nmap -sS 10.0.3.18

Starting Nmap 6.40 ( http://nmap.org ) at 2016-11-11 10:15 CET
Note: Host seems down. If it is really up, but blocking our ping probes, try -Pn
Nmap done: 1 IP address (0 hosts up) scanned in 0.47 seconds
I did what it said and tried with -Pn, but with not much more success:
$ sudo nmap -sU -Pn 10.0.3.18

Starting Nmap 6.40 ( http://nmap.org ) at 2016-11-11 14:03 CET
Nmap scan report for ESP_12CC11 (10.0.3.18)
Host is up (0.0075s latency).
All 1000 scanned ports on ESP_12CC11 (10.0.3.18) are closed
MAC Address: 5C:CF:7F:12:CC:11 (Unknown)
Something's there, but no open ports so far.
So, I decided to have a look at the mobile application. I downloaded and installed the app, but was unable to connect to the coffee pot.
Illustration 3: Smarter Coffee Maker Android application
At that point, I was mentally preparing to reverse the mobile application. But never do what others have already done: on the web, I bumped into a very nice Python script by Simone 'evilsocket' Margaritelli for controlling the coffee maker.
Reading the code, I saw the program was connecting to the coffee pot on port 2081:
def __init__( self, address, port = 2081 ):
    self.address = address
    self.port    = port
    self.sock    = socket.socket( socket.AF_INET, socket.SOCK_STREAM )
Does my coffee machine respond on that port?
$ sudo nmap -sX -p 2081 10.0.3.18

Starting Nmap 6.40 ( http://nmap.org ) at 2016-11-11 14:12 CET
Nmap scan report for ESP_12CC11 (10.0.3.18)
Host is up (0.15s latency).
PORT     STATE         SERVICE
2081/tcp open|filtered kme-trap-port
MAC Address: 5C:CF:7F:12:CC:11 (Unknown)

Nmap done: 1 IP address (1 host up) scanned in 1.86 seconds
Yes, it does :) My earlier port scans hadn't gone up to that port number, which explains why I hadn't seen it.
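The lesson of the scans above is that a scan limited to the default port list, or one that trusts host discovery, can miss a device whose service sits on an unusual port such as 2081. The following added example (mine, not code from the original post and not Simone Margaritelli's script) shows the same effect with a plain TCP connect scan: a local listener stands in for the coffee maker (a constructed stand-in, so nothing on the network is contacted), a scan of ports 1-1000 does not see it, and a scan that targets the right port does. The constant COFFEE_PORT and the helper names are my own.

```python
"""TCP connect scan demo: a default port range can miss an IoT service.

Added example, not part of the original post. The 127.0.0.1 listener is a
constructed stand-in for the coffee maker so the code runs offline.
"""
import socket
import threading
from typing import Iterable, Set

COFFEE_PORT = 2081  # TCP port used by the coffee maker in the post (assumption: only that port matters here)


def tcp_connect_scan(host: str, ports: Iterable[int], timeout: float = 0.5) -> Set[int]:
    """Return the subset of `ports` that accept a TCP connection on `host`.

    This is a plain connect() scan (what nmap calls -sT): no raw sockets and no
    root needed. There is no separate host-discovery step, so a device that drops
    ICMP echo requests (nmap's "Host seems down") is still probed, the same
    effect -Pn has. A refused connection and a timeout are both treated as
    "not open", so a filtered port is indistinguishable from a closed one here.
    """
    open_ports: Set[int] = set()
    for port in ports:
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as sock:
            sock.settimeout(timeout)
            try:
                sock.connect((host, port))
            except (ConnectionRefusedError, socket.timeout, OSError):
                continue
            open_ports.add(port)
    return open_ports


def start_fake_device(port: int = 0) -> int:
    """Start a TCP listener on 127.0.0.1 and return the port it was bound to.

    Constructed stand-in for the coffee maker. With port=0 the OS picks an
    ephemeral port (well above 1000 on every mainstream OS), which is enough
    to show how a "top ports" scan overlooks it.
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(("127.0.0.1", port))
    srv.listen(5)

    def accept_loop() -> None:
        # Accept and immediately close, just enough for connect() to succeed.
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return
            conn.close()

    threading.Thread(target=accept_loop, daemon=True).start()
    return srv.getsockname()[1]


def compare_scans(host: str, device_port: int) -> dict:
    """Scan the same host two ways and report whether each saw the device."""
    default_range = range(1, 1001)          # same size as nmap's default top-1000 list
    seen_in_default = device_port in tcp_connect_scan(host, default_range, timeout=0.2)
    seen_when_targeted = device_port in tcp_connect_scan(host, [device_port])
    return {"default_range": seen_in_default, "targeted": seen_when_targeted}


if __name__ == "__main__":
    fake_port = start_fake_device()
    print(f"stand-in device listening on 127.0.0.1:{fake_port}")
    print(compare_scans("127.0.0.1", fake_port))
```

Against a real device you would run the targeted scan as `tcp_connect_scan("10.0.3.18", [COFFEE_PORT])`, or widen `ports` to `range(1, 65536)` when you have no hint which port to look at; the cost of a full range is only time, while the cost of the default range is a missed service.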
I gave Simone's script a try, and it worked perfectly well:
Illustration 4. Controlling the coffee maker remotely using Simone Margaritelli's Python tool.
Illustration 6. Coffee currently brewing! I hope somebody drank it, I made several cups ;)
From this point, I decided to edit Simone's Python code and insert my own hacks. We're following responsible disclosure at Fortinet, so I won't be telling you what I did as we've just contacted the vendor. What I'll just tell you is that the vulnerability puts the coffee maker out of service:
Illustration 7. Coffee maker hack in action (Denial of Service)
Initially, the coffee maker works and responds to commands (see Illustration 4). I run my hack, and the socket times out: the coffee maker no longer responds (see Illustration 7). As a matter of fact, it won't respond to any more commands unless you reboot it. No more coffee ;) Denial of Service.
Important note: Simone Margaritelli's script is not malicious and does not implement the vulnerability. I used it as a canvas and inserted the implementation of my own hack inside it. I could have written a standalone tool, but I went for a quick implementation...
I showed my vulnerability live to the organizers, but unfortunately, as the contest was closing minutes later, they told me I would not have time to write up my results (note: the contest rules did not specify I had to do that) and that they would not validate my hack! Hmmm :(
Also, I found out that another competitor had found another vulnerability on the coffee maker before me, so it was fair that he got the prize. I hacked the coffee maker mainly for fun, but would have loved to bring one back to my colleagues (I don't drink coffee myself!). Nevertheless, it was a bit disappointing not to get even a small "consolation" prize. As far as I know, only 3 vulnerabilities - mine included - were found during the whole contest. I should have "deserved" something, a sticker, I don't know. Right?
You're organizing a contest? Think about it next time. :)
-- the Crypto Girl