Install c't'-Raspion on Raspberry PI
- 1 Requirements
- 2 Description
- 3 Services of the c't-Raspion
- 4 Ikea Tradfri Setup Sniff
- 5 Data Transmission when using TRADFRI
- 6 Interrupt Communication
- Raspberry PI with Raspbian OS
- Internet connection
Step 1: System Update
In the command line interface enter:
sudo apt-get update && sudo apt-get upgrade
Step 2: Download
Download the latest version of Raspion:
wget ct.de/s/x5Pm -O raspion.zip
Step 3: Installation
cd raspion ./install.sh or bash install.sh
At the end of the installation there is the wifi name and password of the c't-Raspion.
Launch c't-Raspion web interface
Atfer connecting to the wifi of the c't'-Raspion go to http://<ip-address of your Raspberry-PI>:81
Services of the c't-Raspion
Pi-hole shows DNS-Requests. They can also be blocked.
They include the involved communication partners, the network protocol and information on duration and volume. ntopng does not show the contents of the packages. But it analyses the flows and provides information about which application is communicating, such as Skype, BitTorrent etc., and provides statistics.
Wireshark offers a deeper analysis of the network traffic as ntopng. The program allows recording and analyzing network traffic down to the last bit and can be operated via browser as a special feature of c't-Raspion. The recorded network traffic will be saved in pcap-files.
The mitm-Proxy can loop into the communication between the local and remote devices by the c't-Raspion redirecting all access from the internal network on TCP ports 80 and 443 to the mitm-Proxy. It takes the redirected accesses to port 8080 towards. The redirection is handled by firewall rules, which can be activated and deactivated as required by clicking in the c't-Raspion web interface.
There are many options for the search, as you can see in the 2 screenshots below.
Below is a little preview of what you get when you click on "Editing Options Alpha".
Ikea Tradfri Setup Sniff
For testing purposes an iphone was cleaned as far as possible. All uninstalable services were erased and synchronization plans were deactivated. However iphones are not that good for this kind of tests because after all cleaning there were still some connections to apple servers.
To use pihole for capturing the dns queries of the Tradfri Gateway itself you may use an USB networkadapter or an external router as wifi bride. Otherwise you cannot use the Tradfri Gateway due to the lack of connection possibilities. As an workaround outside the Raspion software package classic arpspoofing was used.
Preliminary overview IP addressess:
Immediately after power on the app is sending dns requests to get ip addresses for fw.ota.homesmart.ikea.net. In the dns answer the ip's to d262cmbxmzphsu.cloudfront.net were included which is an address belonging to amazons aws.
The data from fw.ota.homesmart.ikea.net/feed/version_info.json are not that spectacular. As the name implies it only consists of version information.
As soon as the Ikea Smart Home App starts the setup it tries to find a Tradfri Gateway with mDNS queries.
The mDNS queries are not forwarded through our pihole setup so this technique finding the Tradfri Gateway fails. The app itself provides another way to find the Tradfri Gateway by entering the ip address directly. After submitting the input the app finds the gateway and asks you to scan the QR code on the bottom side of the divce or to enter the security code which can be found near the QR code.
The QR code contains the security code which is used as the pre shared key of the DTLS connection. As soon as the app gets the security code the app and the gateway are initiating the DTLS connection. All applicationdata is send over this encrypted connection.
Same implies to connections of additional smart home devices: All data is sent over the encrypted connection.
As far as the initial setup goes there are only a few connections to the internet. This connections are all from app to some aws cloud addresses. It seems this is relating to the setup of a new device:
Data Transmission when using TRADFRI
The IKEA TRADFRI Gateway was connected via LAN cable while the mobile phone running the IKEA app was connected wirelessly to the same network. Overview of IP addresses used:
Wireshark was used to record the traffic (using arpspoof because the IKEA TRADFRI Gateway requires a LAN connection so it is not possible to just monitor the Raspion WiFi) which was then filtered.
It turns out that TRADFRI is rather well-behaved when it comes to sending data.
For the most part it uses encrypted (DTLS) communication internally between the Gateway and the mobile phone. To initially find the Gateway after opening the mobile app, an MDNS request is sent out via multicast (224.x.x.x).
However, 2 external connections or destinations could also be found:
- IP address 220.127.116.11 / privacypolicy.config.homesmart.ikea.net (as the url indicates, this has the current policy one has to agree to before using the app)
- IP address 18.104.22.168 / supportdetails.config.homesmart.ikea.net (this is where the secure certificates are located, apparently).
privacypolicy.config.homesmart.ikea.net Client Hello:
The Server Hello contains the information regarding the .cer and .crl:
http://ocsp.rootca1.amazontrust.com http://crt.rootca1.amazontrust.com/rootca1.cer http://crl.rootca1.amazontrust.com/rootca1.crl
Starfield Technologies, Inc.; Starfield Services Root Certificate Authority
http://crl.sca1b.amazontrust.com/sca1b.crl http://ocsp.sca1b.amazontrust.com http://crt.sca1b.amazontrust.com/sca1b.crt
That's pretty much it. We couldn't find any unwanted connections.
The app also checks for updates for the used devices, this is also indicated in the app when it happens, so this is very transparent. It is indicated in the app when an update is happening or when the app is checking for new updates as can be seen in the screenshot below. If a device happens to be unavailable, e.g. because it is currently disconnected/turned off, then the app does not report back the current version but instead says the device is unreachable ('Nicht erreichbar')
Turning devices on/off
When devices are turned on or off, the individual packet sequences are made up of packets that are the same in size but with some devices there are more packets sent when turning on than off. Let me illustrate this by comparing the on/off sequences of the light bulb (pretty much the same for on/off, although of course different packet content):
As opposed to the smart plug where the on sequence is longer than the off sequence:
(these were done using arpspoof on 192.168.0.106, 192.168.0.101 is the Internet Gateway, 192.168.0.104 is the TRADFRI Gateway, commands were sent via 192.168.0.103 - so keep in mind that you see duplicates of each packet in the Wireshark caps because they include the sniff and forward to the actual target device)
This experiment will show if it is possible to interrupt or sniff the communication between the IKEA and the IKEA gateway. This is not possible with only a packet sniffer like Wireshark, because the communication is encrypted with DTLS. Two attacks were performed, a mitm proxy attack and a replay attack. For the mitm attack the mitm proxy from the c’t Raspion was used and for the replay attack a scapy script. The network structure is as follows:
Android can be operated as a virtual machine, or you can also use a smart phone that has the IKEA Smarthome app installed. If it is operated as a virtual machine, make sure that bridge mode is used, since the VM will then have its own IP. This has the advantage that you only have to analyze the traffic generated by Android and not that of the host system.
In order to be able to use the mitm, certificates must be added to the key store on the android os. This can be done by opening the website mitm.it in the browser of android. If you are in the right network, you will see the following window.
Here you choose the right operating system and download the certificates.
The official documentation can be found here.
When you start the app in Wireshark you can see that the handshake for the DTLS connection is being carried out.
You can also observe that there are several connections to different servers outside the network.
The following messages can be decrypted.
Both include a JSON-file.
- In the debug log, you can observe that there are additional TLS connections, but the mitm proxy couldn’t decrypt these.
192.168.24.241:59332: Client Handshake failed. The client may not trust the proxy's certificate for data.logentries.com. 192.168.24.241:59332: ClientHandshakeException('Cannot establish TLS with client (sni: data.logentries.com): TlsException("(-1, \'Unexpected EOF\')")') ::ffff:192.168.24.241:58971: serverdisconnect -> ('22.214.171.124', 443) 192.168.24.241:59332: clientdisconnect ::ffff:192.168.24.241:40204: serverdisconnect -> ('126.96.36.199', 443) 192.168.24.241:58971: clientdisconnect 192.168.24.241:40204: clientdisconnect 192.168.24.241:41657: clientconnect ::ffff:192.168.24.241:41657: Establish TLS with client 192.168.24.241:50453: clientconnect ::ffff:192.168.24.241:50453: serverconnect -> ('188.8.131.52', 443) 192.168.24.241:42222: clientconnect ::ffff:192.168.24.241:42222: serverconnect -> ('184.108.40.206', 443) ::ffff:192.168.24.241:42222: Establish TLS with server ::ffff:192.168.24.241:50453: Establish TLS with server ::ffff:192.168.24.241:42222: ALPN selected by server: - ::ffff:192.168.24.241:42222: Establish TLS with client ::ffff:192.168.24.241:50453: ALPN selected by server: - ::ffff:192.168.24.241:50453: Establish TLS with client ::ffff:192.168.24.241:42222: ALPN for client: b'http/1.1' ::ffff:192.168.24.241:50453: ALPN for client: b'http/1.1' ::ffff:192.168.24.241:50453: request -> Request(GET /US/en/getPolicyUpdate/?deviceType=android) ::ffff:192.168.24.241:42222: request -> Request(GET /AppDetails) ::ffff:192.168.24.241:42222: response -> Response(200 OK, application/json, 44b) ::ffff:192.168.24.241:50453: response -> Response(200 OK, application/json, 374b)
The DTLS connection between the app and the gateway, however, does not appear in the mitm log.
In order to be able to carry out a replay attack, the data traffic between the device on which the IKEA app is running and the IKEA gateway must be recorded. Every time you close the app and open it again, a new transmission must be recorded. This is because this is a new session, so the IKEA Gateway and the App have a new shared secret. Then the SRC and DST in IP and MAC have to be adjusted accordingly. In this particular example, a sequence number is available in the DTLS protocol. This must also be adjusted so that it is preliminary. Since the payload is also included in the UDP checksum, it must be recalculated too. This attack was performed on the TKEA Gateway, where a socket was connected to. In the socket was light plugged in to see what's happening.
As you can see, the attack is unsuccessful because no response is sent from the gateway, which is likely to drop the packets.
This may be because DTLS also uses MAC (message authentication code). The sequence number is used to calculate the MAC value. Unfortunately, this value cannot be recalculated without knowing the encryption.
Change Sequence Number
To change the sequence number, we used a workaround in Wireshark. In Wireshark you can select multiple Packets and then copy them as hex dump.
0000 dc a6 32 7d 1d 37 c0 ee fb 4a 9b b5 08 00 45 00 0010 00 69 57 0a 40 00 40 11 47 f6 c0 a8 18 f1 c0 a8 0020 01 42 a4 1a 16 34 00 55 ff 2e 17 fe fd 00 01 00 0030 00 00 00 00 34 00 40 00 00 00 00 00 00 00 16 21 0040 39 8a 8a c5 dd c3 3d 67 ba de a5 5f 0a 10 8c e2 0050 75 da ca a1 db ae a2 08 c6 e6 a6 94 32 db d0 cd 0060 d1 63 e6 bd 32 db 2f 14 1a a1 08 be e9 ac ff 43 0070 48 1b 54 a9 f9 f7 4f
After you have copied the packet you can put it into a texteditor and edit the part of the packet you want. In our case we changed the 00 00 00 00 00 34 in line 0020 and 0030 to the appropriate sequence number. We found out that after each full communication the number raised by four. So, when the last recorded sequence number was 48 the next one is 52 and then 56 and so on. This is the decimal number you have to convert it so hex and change it in the text editor and save it.
In wireshark it is possible to import packets from a textfile with hexdump in it.
After you have imported the hexdump save the file as pcap file.
In order to send the packets, edit the marked parts in the python script.
#! /usr/bin/python3 from scapy.all import * from scapy.utils import rdpcap import time pkts=rdpcap("path of the pcap file") # reads the pcap file and saves the list in the pkts var # iterates through the list for pkt in pkts: pkt[Ether].src = "sender mac" # MAC of the sender pkt[Ether].dst= "target mac" # MAC of the target pkt[IP].src= "sender ip" # IP of the sender pkt[IP].dst = "target ip" # IP of the target del pkt.chksum # deletes the current checksum in the IP header del pkt[UDP].chksum # deletes the checksum in UDP header pkt = pkt.__class__(bytes(pkt)) # scapy builds the packet new and calculates the missing checksums new sendp(pkt) # sending packet time.sleep(2)
After that the script can be executed.