Difference between revisions of "Install c't'-Raspion on Raspberry PI"

From Embedded Lab Vienna for IoT & Security
Jump to: navigation, search
m
(2 intermediate revisions by the same user not shown)
Line 197: Line 197:
 
* In the debug log, you can observe that there are additional TLS connections, but the mitm proxy couldn’t decrypt these.
 
* In the debug log, you can observe that there are additional TLS connections, but the mitm proxy couldn’t decrypt these.
  
[[File:Debug-log-mitm.jpg]]
+
192.168.24.241:59332: Client Handshake failed. The client may not trust the proxy's certificate for data.logentries.com.
 +
192.168.24.241:59332: ClientHandshakeException('Cannot establish TLS with client (sni: data.logentries.com): TlsException("(-1, \'Unexpected EOF\')")')
 +
::ffff:192.168.24.241:58971: serverdisconnect
 +
  -> ('99.86.243.4', 443)
 +
192.168.24.241:59332: clientdisconnect
 +
::ffff:192.168.24.241:40204: serverdisconnect
 +
  -> ('99.86.243.50', 443)
 +
192.168.24.241:58971: clientdisconnect
 +
192.168.24.241:40204: clientdisconnect
 +
192.168.24.241:41657: clientconnect
 +
::ffff:192.168.24.241:41657: Establish TLS with client
 +
192.168.24.241:50453: clientconnect
 +
::ffff:192.168.24.241:50453: serverconnect
 +
  -> ('99.86.243.36', 443)
 +
192.168.24.241:42222: clientconnect
 +
::ffff:192.168.24.241:42222: serverconnect
 +
  -> ('99.86.243.4', 443)
 +
::ffff:192.168.24.241:42222: Establish TLS with server
 +
::ffff:192.168.24.241:50453: Establish TLS with server
 +
::ffff:192.168.24.241:42222: ALPN selected by server: -
 +
::ffff:192.168.24.241:42222: Establish TLS with client
 +
::ffff:192.168.24.241:50453: ALPN selected by server: -
 +
::ffff:192.168.24.241:50453: Establish TLS with client
 +
::ffff:192.168.24.241:42222: ALPN for client: b'http/1.1'
 +
::ffff:192.168.24.241:50453: ALPN for client: b'http/1.1'
 +
::ffff:192.168.24.241:50453: request
 +
  -> Request(GET /US/en/getPolicyUpdate/?deviceType=android)
 +
::ffff:192.168.24.241:42222: request
 +
  -> Request(GET /AppDetails)
 +
::ffff:192.168.24.241:42222: response
 +
  -> Response(200 OK, application/json, 44b)
 +
::ffff:192.168.24.241:50453: response
 +
  -> Response(200 OK, application/json, 374b)
  
 
The DTLS connection between the app and the gateway, however, does not appear in the mitm log.
 
The DTLS connection between the app and the gateway, however, does not appear in the mitm log.
  
 
=== Replay-Attack ===
 
=== Replay-Attack ===
In order to be able to carry out a replay attack, the data traffic between the device on which the IKEA app is running and the IKEA gateway must be recorded. Then the SRC and DST in IP and MAC have to be adjusted accordingly. In this particular example, a sequence number is available in the DTLS protocol. This must also be adjusted so that it is preliminary. Since the payload is also included in the UDP checksum, it must be recalculated too. This attack was performed on the TKEA Gateway, where a socket was connected to. In the socket was light plugged in to see what's happening
+
In order to be able to carry out a replay attack, the data traffic between the device on which the IKEA app is running and the IKEA gateway must be recorded. Every time you close the app and open it again, a new transmission must be recorded. This is because this is a new session, so the IKEA Gateway and the App have a new shared secret. Then the SRC and DST in IP and MAC have to be adjusted accordingly. In this particular example, a sequence number is available in the DTLS protocol. This must also be adjusted so that it is preliminary. Since the payload is also included in the UDP checksum, it must be recalculated too. This attack was performed on the TKEA Gateway, where a socket was connected to. In the socket was light plugged in to see what's happening.
  
 
[[File:replay-attack.png]]
 
[[File:replay-attack.png]]
Line 209: Line 241:
  
 
This may be because DTLS also uses MAC (message authentication code). The sequence number is used to calculate the MAC value. Unfortunately, this value cannot be recalculated without knowing the encryption.
 
This may be because DTLS also uses MAC (message authentication code). The sequence number is used to calculate the MAC value. Unfortunately, this value cannot be recalculated without knowing the encryption.
 +
 +
=== Change Sequence Number ===
 +
To change the sequence number, we used a workaround in Wireshark. In Wireshark you can select multiple Packets and then copy them as hex dump.
 +
 +
[[File:Wireshark-save-hexdump.png|700px]]
 +
 +
0000  dc a6 32 7d 1d 37 c0 ee fb 4a 9b b5 08 00 45 00
 +
0010  00 69 57 0a 40 00 40 11 47 f6 c0 a8 18 f1 c0 a8
 +
0020  01 42 a4 1a 16 34 00 55 ff 2e 17 fe fd 00 01 00
 +
0030  00 00 00 00 34 00 40 00 00 00 00 00 00 00 16 21
 +
0040  39 8a 8a c5 dd c3 3d 67 ba de a5 5f 0a 10 8c e2
 +
0050  75 da ca a1 db ae a2 08 c6 e6 a6 94 32 db d0 cd
 +
0060  d1 63 e6 bd 32 db 2f 14 1a a1 08 be e9 ac ff 43
 +
0070  48 1b 54 a9 f9 f7 4f
 +
 +
After you have copied the packet you can put it into a texteditor and edit the part of the packet you want. In our case we changed the 00 00 00 00 00 34 in line 0020 and 0030 to the appropriate sequence number. We found out that after each full communication the number raised by four. So, when the last recorded sequence number was 48 the next one is 52 and then 56 and so on. This is the decimal number you have to convert it so hex and change it in the text editor and save it.
 +
 +
In wireshark it is possible to import packets from a textfile with hexdump in it.
 +
 +
[[File:Wireshark-import-hexdump1.png]]
 +
 +
[[File:Wireshark-import-hexdump2.png]]
 +
 +
After you have imported the hexdump save the file as pcap file.
 +
 +
In order to send the packets, edit the marked parts in the python script.
 +
 +
#! /usr/bin/python3
 +
from scapy.all import *
 +
from scapy.utils import rdpcap
 +
import time
 +
 +
pkts=rdpcap("path of the pcap file")  # reads the pcap file and saves the list in the pkts var
 +
 +
# iterates through the list
 +
for pkt in pkts:
 +
      pkt[Ether].src = "'''sender mac'''"  # MAC of the sender
 +
      pkt[Ether].dst= "'''target mac'''"  # MAC of the target
 +
 +
      pkt[IP].src= "'''sender ip'''" # IP of the sender
 +
      pkt[IP].dst = "'''target ip'''"  # IP of the target
 +
 +
      del pkt.chksum # deletes the current checksum in the IP header
 +
      del pkt[UDP].chksum # deletes the checksum in UDP header
 +
      pkt = pkt.__class__(bytes(pkt)) # scapy builds the packet new and calculates the missing checksums new
 +
 +
      sendp(pkt) # sending packet
 +
      time.sleep(2)
 +
 +
After that the script can be executed.

Revision as of 13:22, 27 June 2020

Requirements

  • Raspberry PI with Raspbian OS
  • Internet connection


Description

Step 1: System Update

In the command line interface enter:

sudo apt-get update && sudo apt-get upgrade

Step 2: Download

Download the latest version of Raspion:

wget ct.de/s/x5Pm -O raspion.zip 

Step 3: Installation

Unzip:

unzip raspion.zip

Install:

cd raspion
./install.sh or bash install.sh

Install Raspion.png

At the end of the installation there is the wifi name and password of the c't-Raspion.

Launch c't-Raspion web interface

Atfer connecting to the wifi of the c't'-Raspion go to http://<ip-address of your Raspberry-PI>:81

Raspion webinterface.png

Services of the c't-Raspion

Pi-hole

Pi-hole shows DNS-Requests. They can also be blocked.

Pi-hole.png

ntopng

They include the involved communication partners, the network protocol and information on duration and volume. ntopng does not show the contents of the packages. But it analyses the flows and provides information about which application is communicating, such as Skype, BitTorrent etc., and provides statistics.

Wireshark

Wireshark offers a deeper analysis of the network traffic as ntopng. The program allows recording and analyzing network traffic down to the last bit and can be operated via browser as a special feature of c't-Raspion. The recorded network traffic will be saved in pcap-files.

mitmproxy

The mitm-Proxy can loop into the communication between the local and remote devices by the c't-Raspion redirecting all access from the internal network on TCP ports 80 and 443 to the mitm-Proxy. It takes the redirected accesses to port 8080 towards. The redirection is handled by firewall rules, which can be activated and deactivated as required by clicking in the c't-Raspion web interface.

Ikea Tradfri Setup Sniff

For testing purposes an iphone was cleaned as far as possible. All uninstalable services were erased and synchronization plans were deactivated. However iphones are not that good for this kind of tests because after all cleaning there were still some connections to apple servers.

To use pihole for capturing the dns queries of the Tradfri Gateway itself you may use an USB networkadapter or an external router as wifi bride. Otherwise you cannot use the Tradfri Gateway due to the lack of connection possibilities. As an workaround outside the Raspion software package classic arpspoofing was used.


Preliminary overview IP addressess:

Ip-config.png

Immediately after power on the app is sending dns requests to get ip addresses for fw.ota.homesmart.ikea.net. In the dns answer the ip's to d262cmbxmzphsu.cloudfront.net were included which is an address belonging to amazons aws.

Wireshark-cap1.png Wireshark-cap2.png

Also an http get request can be found: Wireshark-cap-http.png

The data from fw.ota.homesmart.ikea.net/feed/version_info.json are not that spectacular. As the name implies it only consists of version information.

As soon as the Ikea Smart Home App starts the setup it tries to find a Tradfri Gateway with mDNS queries.

Wireshark-cap-mDNS.png

The mDNS queries are not forwarded through our pihole setup so this technique finding the Tradfri Gateway fails. The app itself provides another way to find the Tradfri Gateway by entering the ip address directly. After submitting the input the app finds the gateway and asks you to scan the QR code on the bottom side of the divce or to enter the security code which can be found near the QR code.

The QR code contains the security code which is used as the pre shared key of the DTLS connection. As soon as the app gets the security code the app and the gateway are initiating the DTLS connection. All applicationdata is send over this encrypted connection.

Wireshark-cap-dtls.png

Same implies to connections of additional smart home devices: All data is sent over the encrypted connection.

Wireshark-cap-dtls-snap.png

As far as the initial setup goes there are only a few connections to the internet. This connections are all from app to some aws cloud addresses. It seems this is relating to the setup of a new device:

Wireshark-cap-aws.png


Data Transmission when using TRADFRI

The IKEA TRADFRI Gateway was connected via LAN cable while the mobile phone running the IKEA app was connected wirelessly to the same network. Overview of IP addresses used:

Ip overview muzik.png

Wireshark was used to record the traffic (using arpspoof because the IKEA TRADFRI Gateway requires a LAN connection so it is not possible to just monitor the Raspion WiFi) which was then filtered.

It turns out that TRADFRI is rather well-behaved when it comes to sending data.

For the most part it uses encrypted (DTLS) communication internally between the Gateway and the mobile phone. To initially find the Gateway after opening the mobile app, an MDNS request is sent out via multicast (224.x.x.x).

However, 2 external connections or destinations could also be found:

  • IP address 13.227.156.82 / privacypolicy.config.homesmart.ikea.net (as the url indicates, this has the current policy one has to agree to before using the app)
  • IP address 13.227.156.50 / supportdetails.config.homesmart.ikea.net (this is where the secure certificates are located, apparently).

Wireshark caps

privacypolicy.config.homesmart.ikea.net Client Hello:

Ikea-privacy policy-clientHello.png

supportdetails.config.homesmart.ikea.net ServerHello:

Ikea-supportdetails-serverHello.png

Certificate Information

The Server Hello contains the information regarding the .cer and .crl:

http://ocsp.rootca1.amazontrust.com
http://crt.rootca1.amazontrust.com/rootca1.cer
http://crl.rootca1.amazontrust.com/rootca1.crl

Starfield Technologies, Inc.; Starfield Services Root Certificate Authority

Also:

http://crl.sca1b.amazontrust.com/sca1b.crl
http://ocsp.sca1b.amazontrust.com
http://crt.sca1b.amazontrust.com/sca1b.crt 

That's pretty much it. We couldn't find any unwanted connections.

The app also checks for updates for the used devices, this is also indicated in the app when it happens, so this is very transparent. It is indicated in the app when an update is happening or when the app is checking for new updates as can be seen in the screenshot below. If a device happens to be unavailable, e.g. because it is currently disconnected/turned off, then the app does not report back the current version but instead says the device is unreachable ('Nicht erreichbar')

Ikea-tradfri-update.png

Turning devices on/off

When devices are turned on or off, the individual packet sequences are made up of packets that are the same in size but with some devices there are more packets sent when turning on than off. Let me illustrate this by comparing the on/off sequences of the light bulb (pretty much the same for on/off, although of course different packet content):

Light Bulb ON
Ikea-gluehbirne ein.png

Light Bulb OFF
Ikea-gluehbirne aus.png

As opposed to the smart plug where the on sequence is longer than the off sequence:

Smart Plug ON
Ikea-strom ein.png

Smart Plug OFF
Ikea-strom aus.png

(these were done using arpspoof on 192.168.0.106, 192.168.0.101 is the Internet Gateway, 192.168.0.104 is the TRADFRI Gateway, commands were sent via 192.168.0.103 - so keep in mind that you see duplicates of each packet in the Wireshark caps because they include the sniff and forward to the actual target device)

Interrupt Communication

This experiment will show if it is possible to interrupt or sniff the communication between the IKEA and the IKEA gateway. This is not possible with only a packet sniffer like Wireshark, because the communication is encrypted with DTLS. Two attacks were performed, a mitm proxy attack and a replay attack. For the mitm attack the mitm proxy from the c’t Raspion was used and for the replay attack a scapy script. The network structure is as follows:

IP overview:

Mitm findings.png

Structure

Mitm-top.png

Android can be operated as a virtual machine, or you can also use a smart phone that has the IKEA Smarthome app installed. If it is operated as a virtual machine, make sure that bridge mode is used, since the VM will then have its own IP. This has the advantage that you only have to analyze the traffic generated by Android and not that of the host system.

In order to be able to use the mitm, certificates must be added to the key store on the android os. This can be done by opening the website mitm.it in the browser of android. If you are in the right network, you will see the following window.

Mitmproxy-cert.png

Here you choose the right operating system and download the certificates.

The official documentation can be found here[1].

MitM Proxy

When you start the app in Wireshark you can see that the handshake for the DTLS connection is being carried out.

Wireshark-dtls.png

You can also observe that there are several connections to different servers outside the network.

Wireshark-tls.png

The following messages can be decrypted.

Mitm-sniff.png

Both include a JSON-file.

Json-file-mitm.jpg


  • In the debug log, you can observe that there are additional TLS connections, but the mitm proxy couldn’t decrypt these.
192.168.24.241:59332: Client Handshake failed. The client may not trust the proxy's certificate for data.logentries.com.
192.168.24.241:59332: ClientHandshakeException('Cannot establish TLS with client (sni: data.logentries.com): TlsException("(-1, \'Unexpected EOF\')")')
::ffff:192.168.24.241:58971: serverdisconnect
 -> ('99.86.243.4', 443)
192.168.24.241:59332: clientdisconnect
::ffff:192.168.24.241:40204: serverdisconnect
 -> ('99.86.243.50', 443)
192.168.24.241:58971: clientdisconnect
192.168.24.241:40204: clientdisconnect
192.168.24.241:41657: clientconnect
::ffff:192.168.24.241:41657: Establish TLS with client
192.168.24.241:50453: clientconnect
::ffff:192.168.24.241:50453: serverconnect
 -> ('99.86.243.36', 443)
192.168.24.241:42222: clientconnect
::ffff:192.168.24.241:42222: serverconnect
 -> ('99.86.243.4', 443)
::ffff:192.168.24.241:42222: Establish TLS with server
::ffff:192.168.24.241:50453: Establish TLS with server
::ffff:192.168.24.241:42222: ALPN selected by server: -
::ffff:192.168.24.241:42222: Establish TLS with client
::ffff:192.168.24.241:50453: ALPN selected by server: -
::ffff:192.168.24.241:50453: Establish TLS with client
::ffff:192.168.24.241:42222: ALPN for client: b'http/1.1'
::ffff:192.168.24.241:50453: ALPN for client: b'http/1.1'
::ffff:192.168.24.241:50453: request
 -> Request(GET /US/en/getPolicyUpdate/?deviceType=android)
::ffff:192.168.24.241:42222: request
 -> Request(GET /AppDetails)
::ffff:192.168.24.241:42222: response
 -> Response(200 OK, application/json, 44b)
::ffff:192.168.24.241:50453: response
 -> Response(200 OK, application/json, 374b)

The DTLS connection between the app and the gateway, however, does not appear in the mitm log.

Replay-Attack

In order to be able to carry out a replay attack, the data traffic between the device on which the IKEA app is running and the IKEA gateway must be recorded. Every time you close the app and open it again, a new transmission must be recorded. This is because this is a new session, so the IKEA Gateway and the App have a new shared secret. Then the SRC and DST in IP and MAC have to be adjusted accordingly. In this particular example, a sequence number is available in the DTLS protocol. This must also be adjusted so that it is preliminary. Since the payload is also included in the UDP checksum, it must be recalculated too. This attack was performed on the TKEA Gateway, where a socket was connected to. In the socket was light plugged in to see what's happening.

Replay-attack.png

As you can see, the attack is unsuccessful because no response is sent from the gateway, which is likely to drop the packets.

This may be because DTLS also uses MAC (message authentication code). The sequence number is used to calculate the MAC value. Unfortunately, this value cannot be recalculated without knowing the encryption.

Change Sequence Number

To change the sequence number, we used a workaround in Wireshark. In Wireshark you can select multiple Packets and then copy them as hex dump.

Wireshark-save-hexdump.png

0000   dc a6 32 7d 1d 37 c0 ee fb 4a 9b b5 08 00 45 00
0010   00 69 57 0a 40 00 40 11 47 f6 c0 a8 18 f1 c0 a8
0020   01 42 a4 1a 16 34 00 55 ff 2e 17 fe fd 00 01 00
0030   00 00 00 00 34 00 40 00 00 00 00 00 00 00 16 21
0040   39 8a 8a c5 dd c3 3d 67 ba de a5 5f 0a 10 8c e2
0050   75 da ca a1 db ae a2 08 c6 e6 a6 94 32 db d0 cd
0060   d1 63 e6 bd 32 db 2f 14 1a a1 08 be e9 ac ff 43
0070   48 1b 54 a9 f9 f7 4f

After you have copied the packet you can put it into a texteditor and edit the part of the packet you want. In our case we changed the 00 00 00 00 00 34 in line 0020 and 0030 to the appropriate sequence number. We found out that after each full communication the number raised by four. So, when the last recorded sequence number was 48 the next one is 52 and then 56 and so on. This is the decimal number you have to convert it so hex and change it in the text editor and save it.

In wireshark it is possible to import packets from a textfile with hexdump in it.

Wireshark-import-hexdump1.png

Wireshark-import-hexdump2.png

After you have imported the hexdump save the file as pcap file.

In order to send the packets, edit the marked parts in the python script.

#! /usr/bin/python3
from scapy.all import *
from scapy.utils import rdpcap
import time

pkts=rdpcap("path of the pcap file")  # reads the pcap file and saves the list in the pkts var

# iterates through the list
for pkt in pkts:
     pkt[Ether].src = "sender mac"  # MAC of the sender
     pkt[Ether].dst= "target mac"  # MAC of the target

     pkt[IP].src= "sender ip" # IP of the sender
     pkt[IP].dst = "target ip"  # IP of the target

     del pkt.chksum # deletes the current checksum in the IP header
     del pkt[UDP].chksum # deletes the checksum in UDP header
     pkt = pkt.__class__(bytes(pkt)) # scapy builds the packet new and calculates the missing checksums new

     sendp(pkt) # sending packet
     time.sleep(2)

After that the script can be executed.