Difference between revisions of "Install c't'-Raspion on Raspberry PI"

From Embedded Lab Vienna for IoT & Security
Jump to navigation Jump to search
(30 intermediate revisions by 4 users not shown)
Line 39: Line 39:
Pi-hole shows DNS-Requests. They can also be blocked.
Pi-hole shows DNS-Requests. They can also be blocked.


[[File:pi-hole.png]]
In the figure below you can see how the DNS query is displayed. You can view information such as time, type, domain, client, etc.
[[File:Pi-hole.png]]


=== ntopng ===
=== ntopng ===
They include the
They include the involved communication partners, the network protocol and information on duration and volume. ntopng does not show the contents of the packages. But it analyses the flows and provides information about which application is communicating, such as Skype, BitTorrent etc., and provides statistics.
involved communication partners, the network protocol and information on duration and volume. ntopng does not show the contents of the packages. But it analyses the flows and provides information about which application is communicating, such as Skype, BitTorrent etc., and provides statistics.
 
Here we see an example of an overview of the system in ntopng. As you can see, it displays information about the CPU, RAM, Last Log Trace of ntopng and so on:
[[File:ntopng_system.jpeg|800px]]
 
In this screenshot we see the network information like devices, flows, total traffic, total packets of the interface "br0" and much else.
[[File: ntopng_interface.jpeg|800px]]


=== Wireshark ===
=== Wireshark ===
Line 51: Line 57:
The mitm-Proxy can loop into the communication between the local and remote devices by the c't-Raspion redirecting all access from the internal network on TCP ports 80 and 443 to the mitm-Proxy. It takes the redirected accesses to port
The mitm-Proxy can loop into the communication between the local and remote devices by the c't-Raspion redirecting all access from the internal network on TCP ports 80 and 443 to the mitm-Proxy. It takes the redirected accesses to port
8080 towards. The redirection is handled by firewall rules, which  can be activated and deactivated as required by clicking in the c't-Raspion web interface.
8080 towards. The redirection is handled by firewall rules, which  can be activated and deactivated as required by clicking in the c't-Raspion web interface.
There are many options for the search, as you can see in the 2 screenshots below.
[[File: mitmproxy_option.jpeg|800px]]
[[File: mitmproxy_option_search.jpeg|800px]]
Below is a little preview of what you get when you click on "Editing Options Alpha".
[[File: mitmproxy_option_alpha.PNG|800px]]


== Ikea Tradfri Setup Sniff ==
== Ikea Tradfri Setup Sniff ==
Als Testgerät wurde ein möglich leergeräumtes iPhone verwendet. Alle deinstallierbaren Services wurden entfernt, wo möglich Synchronisierung deaktiviert.
For testing purposes an iphone was cleaned as far as possible. All uninstalable services were erased and synchronization plans were deactivated.
Jedoch sind Apple geräte mäßig geeignet, es werden zu viele Verbindungen vom Betriebssystem hergestellt (auch von deaktivierten iOs Services).  
However iphones are not that good for this kind of tests because after all cleaning there were still some connections to apple servers.


Um Pihole auch zur Aufzeichnung von DNS queries vom Tradfri Gateway zu nutzen muss eine USB Netzwerkadapter verwendet werden oder ein externer Router als WiFi Bridge konfiguriert werden. Ohne diese Hardwareänderungen lässt sich ein Tradfri Gateway nicht in das Raspion Netzwerk integrieren. Um dennoch Pakete mitschneiden zu können wurde arpspoofing verwendet.
To use pihole for capturing the dns queries of the Tradfri Gateway itself you may use an USB networkadapter or an external router as wifi bride. Otherwise you cannot use the Tradfri Gateway due to the lack of connection possibilities. As an workaround outside the Raspion software package classic arpspoofing was used.


Vorab Übersicht IP config


[[File:ip-config.png|800px]]
Preliminary overview IP addressess:


Direkt beim Einschalten (cap power_on_gateway) werden von der App einige DNS anfragen gestellt um IPs von fw.ota.homesmart.ikea.net zu erhalten. In den DNS Antworten sind ebenfalls IPs zu d262cmbxmzphsu.cloudfront.net enthalten. Ikea nutzt dabei AWS.
[[File:ip-config.png|900px]]
 
Immediately after power on the app is sending dns requests to get ip addresses for fw.ota.homesmart.ikea.net. In the dns answer the ip's to d262cmbxmzphsu.cloudfront.net were included which is an address belonging to amazons aws.


[[File:wireshark-cap1.png|700px]]
[[File:wireshark-cap1.png|700px]]
[[File:wireshark-cap2.png|700px]]
[[File:wireshark-cap2.png|700px]]


Weiters findet man eine http Verbindung:
Also an http get request can be found:
 
[[File:wireshark-cap-http.png|600px]]
[[File:wireshark-cap-http.png|600px]]


Die unter fw.ota.homesmart.ikea.net/feed/version_info.json vorhandenen Daten sind nicht allzu spektakulär: Es sind lediglich Versionsinfos.
The data from fw.ota.homesmart.ikea.net/feed/version_info.json are not that spectacular. As the name implies it only consists of version information.


Sobald über die Ikea Smart Home App das Setup gestarted wird versucht die App mit mDNS queries den Tradfri Gateway zu finden.
As soon as the Ikea Smart Home App starts the setup it tries to find a Tradfri Gateway with mDNS queries.


[[File:wireshark-cap-mDNS.png|550px]]
[[File:wireshark-cap-mDNS.png|550px]]


Bei dem verwendeten Setup schlägt dies natürlich fehl, jedoch bietet die App direkt die option eine IP manuell einzugeben. Nach Eingabe der IP muss entweder der QR Code auf der Rückseite des Gerätes gescannt werden oder der Sicherheitscode eingegeben werden der sich ebenfalls auf der Rückseite des Geräts befindet.
The mDNS queries are not forwarded through our pihole setup so this technique finding the Tradfri Gateway fails. The app itself provides another way to find the Tradfri Gateway by entering the ip address directly. After submitting the input the app finds the gateway and asks you to scan the QR code on the bottom side of the divce or to enter the security code which can be found near the QR code.


Der Sicherheitscode ist dabei der PSK der DTLS Verbindung. Sobald der App der QR Code bzw der Sicherheitscode bekannt sind bauen App und Gateway eine DTLS Verbindung auf. Über diese Verbindung werden alle Applikationsdaten gesendet.
The QR code contains the security code which is used as the pre shared key of the DTLS connection. As soon as the app gets the security code the app and the gateway are initiating the DTLS connection. All applicationdata is send over this encrypted connection.


[[File:wireshark-cap-dtls.png|550px]]
[[File:wireshark-cap-dtls.png|550px]]


Auch beim Verbinden von weiteren SH Geräten baut die App keine gesonderten Verbindung auf sondern kommuniziert ausschließlich über DTLS.
Same implies to connections of additional smart home devices: All data is sent over the encrypted connection.


[[File:wireshark-cap-dtls-snap.png|550px]]
[[File:wireshark-cap-dtls-snap.png|550px]]


Einige Verbindungen zur AWS Cloud baut die App dennoch auf. Dies steht anscheinend im Zusammenhang mit dem Verbinden von Geräten da immer direkt nach dem Verbinden eines Gerätes diese Seiten abgefragt werden:
As far as the initial setup goes there are only a few connections to the internet. This connections are all from app to some aws cloud addresses. It seems this is relating to the setup of a new device:


[[File:wireshark-cap-aws.png|550px]]
[[File:wireshark-cap-aws.png|550px]]


== Data Transmission when using TRADFRI ==
== Data Transmission when using TRADFRI ==


The IKEA TRADFRI Gateway was connected via LAN cable while the mobile phone running the IKEA app was connected wirelessly to the same network.
The IKEA TRADFRI Gateway was connected via LAN cable while the mobile phone running the IKEA app was connected wirelessly to the same network.
Overview of IP addresses used:
[[File:ip_overview_muzik.png|550px]]


Wireshark was used to record the traffic (using arpspoof because the IKEA TRADFRI Gateway requires a LAN connection so it is not possible to just monitor the Raspion WiFi) which was then filtered.
Wireshark was used to record the traffic (using arpspoof because the IKEA TRADFRI Gateway requires a LAN connection so it is not possible to just monitor the Raspion WiFi) which was then filtered.
Line 133: Line 152:
[[File:Ikea-tradfri-update.png|360px]]
[[File:Ikea-tradfri-update.png|360px]]


== Kommunikation entschlüsseln ==
=== Turning devices on/off ===
Bei diesem Versuch wird geschaut ob es möglich ist die Kommunikation, zwischen der IKEA App und dem IKEA Gateway mitzuhören. Nur mit einem Packet Sniffer ist dies nicht möglich, da die Kommunikation per DTLS verschlüsselt wird. Es kam zum Einsatz der MITM Proxy, welcher bei dem c’t-Raspion dabei ist.
When devices are turned on or off, the individual packet sequences are made up of packets that are the same in size but with some devices there are more packets sent when turning on than off. Let me illustrate this by comparing the on/off sequences of the light bulb (pretty much the same for on/off, although of course different packet content):


=== Aufbau ===
Light Bulb ON<br>
[[File:Ikea-gluehbirne_ein.png|700px]]
 
Light Bulb OFF<br>
[[File:Ikea-gluehbirne_aus.png|700px]]
 
As opposed to the smart plug where the on sequence is longer than the off sequence:
 
Smart Plug ON<br>
[[File:Ikea-strom ein.png|700px]]
 
Smart Plug OFF<br>
[[File:Ikea-strom aus.png|700px]]
 
(these were done using arpspoof on 192.168.0.106, 192.168.0.101 is the Internet Gateway, 192.168.0.104 is the TRADFRI Gateway, commands were sent via 192.168.0.103 - so keep in mind that you see duplicates of each packet in the Wireshark caps because they include the sniff and forward to the actual target device)
 
== Interrupt Communication ==
This experiment will show if it is possible to interrupt or sniff the communication between the IKEA and the IKEA gateway. This is not possible with only a packet sniffer like Wireshark, because the communication is encrypted with DTLS. Two attacks were performed, a mitm proxy attack and a replay attack. For the mitm attack the mitm proxy from the c’t Raspion was used and for the replay attack a scapy script.  The network structure is as follows:
 
IP overview:
 
[[File:mitm_findings.png|700px]]
 
=== Structure ===
[[File:mitm-top.png|800px]]
[[File:mitm-top.png|800px]]


Android kann als eine Virtuelle Maschine betrieben werden, oder es kann auch ein Smart Phone benutzt werden welches die IKEA Smarthome App installiert hat. Wenn es als Virtuelle Maschine betrieben wird, ist drauf zu achten, dass der Bridge Mode benutzt wird, da dann die VM eine eigene IP erhält. Dies hat den Vorteil, dass man nur den Traffic analysieren muss, welcher von Android erzeugt wird und nicht dem des Host Systems.
Android can be operated as a virtual machine, or you can also use a smart phone that has the IKEA Smarthome app installed. If it is operated as a virtual machine, make sure that bridge mode is used, since the VM will then have its own IP. This has the advantage that you only have to analyze the traffic generated by Android and not that of the host system.
Um den MITM benutzten zu können, müssen die Zertifikaten zu dem Key-Store hinzugefügt werden. Dies kann getan werden in dem man die Website mitm.it ansurft. Ist man in dem richtigen Netzwerk sieht man folgendes Fenster.
 
In order to be able to use the mitm, certificates must be added to the key store on the android os. This can be done by opening the website mitm.it in the browser of android. If you are in the right network, you will see the following window.


[[File:mitmproxy-cert.png|800px]]
[[File:mitmproxy-cert.png|800px]]


Hier wählt man das richtige Betriebssystem und lädt die Zertifikate herunter.
Here you choose the right operating system and download the certificates.


Die offizielle Dokumentation findet man hier[https://docs.mitmproxy.org/stable/concepts-certificates/#quick-setup].
The official documentation can be found here[https://docs.mitmproxy.org/stable/concepts-certificates/#quick-setup].


=== Findings ===
=== MitM Proxy ===
Beim Starten der App kann man in Wireshark stehen, dass der Handshake für die DTLS Verbindung durchgeführt wird.  
When you start the app in Wireshark you can see that the handshake for the DTLS connection is being carried out.


[[File:wireshark-dtls.png]]
[[File:wireshark-dtls.png]]


Ebenso kann man beobachten, dass mehrere Verbindungen mit verschiedenen Servern nach draußen aufgebaut werden.
You can also observe that there are several connections to different servers outside the network.


[[File:wireshark-tls.png]]
[[File:wireshark-tls.png]]


Die Nachrichten zu diesen Servern können durch den MITM entschlüsselt werden.
The following messages can be decrypted.


[[File:mitm-sniff.png]]
[[File:mitm-sniff.png]]


Beide Nachrichten beinhalten eine JSON-Datei.  
Both include a JSON-file.
 
[[File:Json-file-mitm.jpg]]
 
 
 
* In the debug log, you can observe that there are additional TLS connections, but the mitm proxy couldn’t decrypt these.
 
192.168.24.241:59332: Client Handshake failed. The client may not trust the proxy's certificate for data.logentries.com.
192.168.24.241:59332: ClientHandshakeException('Cannot establish TLS with client (sni: data.logentries.com): TlsException("(-1, \'Unexpected EOF\')")')
::ffff:192.168.24.241:58971: serverdisconnect
  -> ('99.86.243.4', 443)
192.168.24.241:59332: clientdisconnect
::ffff:192.168.24.241:40204: serverdisconnect
  -> ('99.86.243.50', 443)
192.168.24.241:58971: clientdisconnect
192.168.24.241:40204: clientdisconnect
192.168.24.241:41657: clientconnect
::ffff:192.168.24.241:41657: Establish TLS with client
192.168.24.241:50453: clientconnect
::ffff:192.168.24.241:50453: serverconnect
  -> ('99.86.243.36', 443)
192.168.24.241:42222: clientconnect
::ffff:192.168.24.241:42222: serverconnect
  -> ('99.86.243.4', 443)
::ffff:192.168.24.241:42222: Establish TLS with server
::ffff:192.168.24.241:50453: Establish TLS with server
::ffff:192.168.24.241:42222: ALPN selected by server: -
::ffff:192.168.24.241:42222: Establish TLS with client
::ffff:192.168.24.241:50453: ALPN selected by server: -
::ffff:192.168.24.241:50453: Establish TLS with client
::ffff:192.168.24.241:42222: ALPN for client: b'http/1.1'
::ffff:192.168.24.241:50453: ALPN for client: b'http/1.1'
::ffff:192.168.24.241:50453: request
  -> Request(GET /US/en/getPolicyUpdate/?deviceType=android)
::ffff:192.168.24.241:42222: request
  -> Request(GET /AppDetails)
::ffff:192.168.24.241:42222: response
  -> Response(200 OK, application/json, 44b)
::ffff:192.168.24.241:50453: response
  -> Response(200 OK, application/json, 374b)


{
The DTLS connection between the app and the gateway, however, does not appear in the mitm log.
    "descriptionText": "That’s why we have updated the terms and conditions. Please agree below in order to continue. You can find the updated legal information in Settings or you can read more below.",
    "lastUpdatedTimestampCookie": 1568799375000,
    "lastUpdatedTimestampPP": 1568798738000,
    "lastUpdatedTimestampTnC": 1568798786000,
    "titleText": "We’ve changed the name of our app! "
}
{
    "versionCode": "44",
    "versionName": "1.11.3"
}


Im debug log kann beobachtet werden, dass weitere TLS Verbindung aufgebaut werden jedoch nicht entschlüsselt werden können.
=== Replay-Attack ===
In order to be able to carry out a replay attack, the data traffic between the device on which the IKEA app is running and the IKEA gateway must be recorded. Every time you close the app and open it again, a new transmission must be recorded. This is because this is a new session, so the IKEA Gateway and the App have a new shared secret. Then the SRC and DST in IP and MAC have to be adjusted accordingly. In this particular example, a sequence number is available in the DTLS protocol. This must also be adjusted so that it is preliminary. Since the payload is also included in the UDP checksum, it must be recalculated too. This attack was performed on the TKEA Gateway, where a socket was connected to. In the socket was light plugged in to see what's happening.


192.168.24.241:59332: Client Handshake failed. The client may not trust the proxy's certificate for data.logentries.com.
[[File:replay-attack.png]]
192.168.24.241:59332: ClientHandshakeException('Cannot establish TLS with client (sni: data.logentries.com): TlsException("(-1, \'Unexpected EOF\')")')
 
::ffff:192.168.24.241:58971: serverdisconnect
As you can see, the attack is unsuccessful because no response is sent from the gateway, which is likely to drop the packets.
  -> ('99.86.243.4', 443)
 
192.168.24.241:59332: clientdisconnect
This may be because DTLS also uses MAC (message authentication code). The sequence number is used to calculate the MAC value. Unfortunately, this value cannot be recalculated without knowing the encryption.
::ffff:192.168.24.241:40204: serverdisconnect
 
  -> ('99.86.243.50', 443)
=== Change Sequence Number ===
192.168.24.241:58971: clientdisconnect
To change the sequence number, we used a workaround in Wireshark. In Wireshark you can select multiple Packets and then copy them as hex dump.  
192.168.24.241:40204: clientdisconnect
 
192.168.24.241:41657: clientconnect
[[File:Wireshark-save-hexdump.png|700px]]
::ffff:192.168.24.241:41657: Establish TLS with client
 
192.168.24.241:50453: clientconnect
0000  dc a6 32 7d 1d 37 c0 ee fb 4a 9b b5 08 00 45 00
::ffff:192.168.24.241:50453: serverconnect
0010  00 69 57 0a 40 00 40 11 47 f6 c0 a8 18 f1 c0 a8
  -> ('99.86.243.36', 443)
0020  01 42 a4 1a 16 34 00 55 ff 2e 17 fe fd 00 01 00
192.168.24.241:42222: clientconnect
0030  00 00 00 00 34 00 40 00 00 00 00 00 00 00 16 21
::ffff:192.168.24.241:42222: serverconnect
0040  39 8a 8a c5 dd c3 3d 67 ba de a5 5f 0a 10 8c e2
  -> ('99.86.243.4', 443)
0050  75 da ca a1 db ae a2 08 c6 e6 a6 94 32 db d0 cd
::ffff:192.168.24.241:42222: Establish TLS with server
0060  d1 63 e6 bd 32 db 2f 14 1a a1 08 be e9 ac ff 43
::ffff:192.168.24.241:50453: Establish TLS with server
0070  48 1b 54 a9 f9 f7 4f
::ffff:192.168.24.241:42222: ALPN selected by server: -
 
::ffff:192.168.24.241:42222: Establish TLS with client
After you have copied the packet you can put it into a texteditor and edit the part of the packet you want. In our case we changed the 00 00 00 00 00 34 in line 0020 and 0030 to the appropriate sequence number. We found out that after each full communication the number raised by four. So, when the last recorded sequence number was 48 the next one is 52 and then 56 and so on. This is the decimal number you have to convert it so hex and change it in the text editor and save it.
::ffff:192.168.24.241:50453: ALPN selected by server: -
 
::ffff:192.168.24.241:50453: Establish TLS with client
In wireshark it is possible to import packets from a textfile with hexdump in it.  
::ffff:192.168.24.241:42222: ALPN for client: b'http/1.1'
 
::ffff:192.168.24.241:50453: ALPN for client: b'http/1.1'
[[File:Wireshark-import-hexdump1.png]]
::ffff:192.168.24.241:50453: request
 
  -> Request(GET /US/en/getPolicyUpdate/?deviceType=android)
[[File:Wireshark-import-hexdump2.png]]
::ffff:192.168.24.241:42222: request
 
  -> Request(GET /AppDetails)
After you have imported the hexdump save the file as pcap file.
::ffff:192.168.24.241:42222: response
 
  -> Response(200 OK, application/json, 44b)
In order to send the packets, edit the marked parts in the python script.
::ffff:192.168.24.241:50453: response
 
  -> Response(200 OK, application/json, 374b)
#! /usr/bin/python3
from scapy.all import *
from scapy.utils import rdpcap
import time
pkts=rdpcap("path of the pcap file") # reads the pcap file and saves the list in the pkts var
# iterates through the list
for pkt in pkts:
      pkt[Ether].src = "'''sender mac'''"  # MAC of the sender
      pkt[Ether].dst= "'''target mac'''"  # MAC of the target
      pkt[IP].src= "'''sender ip'''" # IP of the sender
      pkt[IP].dst = "'''target ip'''"  # IP of the target
      del pkt.chksum # deletes the current checksum in the IP header
      del pkt[UDP].chksum # deletes the checksum in UDP header
      pkt = pkt.__class__(bytes(pkt)) # scapy builds the packet new and calculates the missing checksums new
      sendp(pkt) # sending packet
      time.sleep(2)


Die DTLS Verbindung zwischen der App und dem Gateway, erscheint jedoch nicht in dem Log des MITM.
After that the script can be executed.

Revision as of 13:25, 2 July 2020

Requirements

  • Raspberry PI with Raspbian OS
  • Internet connection


Description

Step 1: System Update

In the command line interface enter:

sudo apt-get update && sudo apt-get upgrade

Step 2: Download

Download the latest version of Raspion:

wget ct.de/s/x5Pm -O raspion.zip 

Step 3: Installation

Unzip:

unzip raspion.zip

Install:

cd raspion
./install.sh or bash install.sh

Install Raspion.png

At the end of the installation there is the wifi name and password of the c't-Raspion.

Launch c't-Raspion web interface

Atfer connecting to the wifi of the c't'-Raspion go to http://<ip-address of your Raspberry-PI>:81

Raspion webinterface.png

Services of the c't-Raspion

Pi-hole

Pi-hole shows DNS-Requests. They can also be blocked.

In the figure below you can see how the DNS query is displayed. You can view information such as time, type, domain, client, etc. Pi-hole.png

ntopng

They include the involved communication partners, the network protocol and information on duration and volume. ntopng does not show the contents of the packages. But it analyses the flows and provides information about which application is communicating, such as Skype, BitTorrent etc., and provides statistics.

Here we see an example of an overview of the system in ntopng. As you can see, it displays information about the CPU, RAM, Last Log Trace of ntopng and so on: Ntopng system.jpeg

In this screenshot we see the network information like devices, flows, total traffic, total packets of the interface "br0" and much else. Ntopng interface.jpeg

Wireshark

Wireshark offers a deeper analysis of the network traffic as ntopng. The program allows recording and analyzing network traffic down to the last bit and can be operated via browser as a special feature of c't-Raspion. The recorded network traffic will be saved in pcap-files.

mitmproxy

The mitm-Proxy can loop into the communication between the local and remote devices by the c't-Raspion redirecting all access from the internal network on TCP ports 80 and 443 to the mitm-Proxy. It takes the redirected accesses to port 8080 towards. The redirection is handled by firewall rules, which can be activated and deactivated as required by clicking in the c't-Raspion web interface.

There are many options for the search, as you can see in the 2 screenshots below.

Mitmproxy option.jpeg Mitmproxy option search.jpeg

Below is a little preview of what you get when you click on "Editing Options Alpha".

Mitmproxy option alpha.PNG

Ikea Tradfri Setup Sniff

For testing purposes an iphone was cleaned as far as possible. All uninstalable services were erased and synchronization plans were deactivated. However iphones are not that good for this kind of tests because after all cleaning there were still some connections to apple servers.

To use pihole for capturing the dns queries of the Tradfri Gateway itself you may use an USB networkadapter or an external router as wifi bride. Otherwise you cannot use the Tradfri Gateway due to the lack of connection possibilities. As an workaround outside the Raspion software package classic arpspoofing was used.


Preliminary overview IP addressess:

Ip-config.png

Immediately after power on the app is sending dns requests to get ip addresses for fw.ota.homesmart.ikea.net. In the dns answer the ip's to d262cmbxmzphsu.cloudfront.net were included which is an address belonging to amazons aws.

Wireshark-cap1.png Wireshark-cap2.png

Also an http get request can be found: Wireshark-cap-http.png

The data from fw.ota.homesmart.ikea.net/feed/version_info.json are not that spectacular. As the name implies it only consists of version information.

As soon as the Ikea Smart Home App starts the setup it tries to find a Tradfri Gateway with mDNS queries.

Wireshark-cap-mDNS.png

The mDNS queries are not forwarded through our pihole setup so this technique finding the Tradfri Gateway fails. The app itself provides another way to find the Tradfri Gateway by entering the ip address directly. After submitting the input the app finds the gateway and asks you to scan the QR code on the bottom side of the divce or to enter the security code which can be found near the QR code.

The QR code contains the security code which is used as the pre shared key of the DTLS connection. As soon as the app gets the security code the app and the gateway are initiating the DTLS connection. All applicationdata is send over this encrypted connection.

Wireshark-cap-dtls.png

Same implies to connections of additional smart home devices: All data is sent over the encrypted connection.

Wireshark-cap-dtls-snap.png

As far as the initial setup goes there are only a few connections to the internet. This connections are all from app to some aws cloud addresses. It seems this is relating to the setup of a new device:

Wireshark-cap-aws.png


Data Transmission when using TRADFRI

The IKEA TRADFRI Gateway was connected via LAN cable while the mobile phone running the IKEA app was connected wirelessly to the same network. Overview of IP addresses used:

Ip overview muzik.png

Wireshark was used to record the traffic (using arpspoof because the IKEA TRADFRI Gateway requires a LAN connection so it is not possible to just monitor the Raspion WiFi) which was then filtered.

It turns out that TRADFRI is rather well-behaved when it comes to sending data.

For the most part it uses encrypted (DTLS) communication internally between the Gateway and the mobile phone. To initially find the Gateway after opening the mobile app, an MDNS request is sent out via multicast (224.x.x.x).

However, 2 external connections or destinations could also be found:

  • IP address 13.227.156.82 / privacypolicy.config.homesmart.ikea.net (as the url indicates, this has the current policy one has to agree to before using the app)
  • IP address 13.227.156.50 / supportdetails.config.homesmart.ikea.net (this is where the secure certificates are located, apparently).

Wireshark caps

privacypolicy.config.homesmart.ikea.net Client Hello:

Ikea-privacy policy-clientHello.png

supportdetails.config.homesmart.ikea.net ServerHello:

Ikea-supportdetails-serverHello.png

Certificate Information

The Server Hello contains the information regarding the .cer and .crl:

http://ocsp.rootca1.amazontrust.com
http://crt.rootca1.amazontrust.com/rootca1.cer
http://crl.rootca1.amazontrust.com/rootca1.crl

Starfield Technologies, Inc.; Starfield Services Root Certificate Authority

Also:

http://crl.sca1b.amazontrust.com/sca1b.crl
http://ocsp.sca1b.amazontrust.com
http://crt.sca1b.amazontrust.com/sca1b.crt 

That's pretty much it. We couldn't find any unwanted connections.

The app also checks for updates for the used devices, this is also indicated in the app when it happens, so this is very transparent. It is indicated in the app when an update is happening or when the app is checking for new updates as can be seen in the screenshot below. If a device happens to be unavailable, e.g. because it is currently disconnected/turned off, then the app does not report back the current version but instead says the device is unreachable ('Nicht erreichbar')

Ikea-tradfri-update.png

Turning devices on/off

When devices are turned on or off, the individual packet sequences are made up of packets that are the same in size but with some devices there are more packets sent when turning on than off. Let me illustrate this by comparing the on/off sequences of the light bulb (pretty much the same for on/off, although of course different packet content):

Light Bulb ON
Ikea-gluehbirne ein.png

Light Bulb OFF
Ikea-gluehbirne aus.png

As opposed to the smart plug where the on sequence is longer than the off sequence:

Smart Plug ON
Ikea-strom ein.png

Smart Plug OFF
Ikea-strom aus.png

(these were done using arpspoof on 192.168.0.106, 192.168.0.101 is the Internet Gateway, 192.168.0.104 is the TRADFRI Gateway, commands were sent via 192.168.0.103 - so keep in mind that you see duplicates of each packet in the Wireshark caps because they include the sniff and forward to the actual target device)

Interrupt Communication

This experiment will show if it is possible to interrupt or sniff the communication between the IKEA and the IKEA gateway. This is not possible with only a packet sniffer like Wireshark, because the communication is encrypted with DTLS. Two attacks were performed, a mitm proxy attack and a replay attack. For the mitm attack the mitm proxy from the c’t Raspion was used and for the replay attack a scapy script. The network structure is as follows:

IP overview:

Mitm findings.png

Structure

Mitm-top.png

Android can be operated as a virtual machine, or you can also use a smart phone that has the IKEA Smarthome app installed. If it is operated as a virtual machine, make sure that bridge mode is used, since the VM will then have its own IP. This has the advantage that you only have to analyze the traffic generated by Android and not that of the host system.

In order to be able to use the mitm, certificates must be added to the key store on the android os. This can be done by opening the website mitm.it in the browser of android. If you are in the right network, you will see the following window.

Mitmproxy-cert.png

Here you choose the right operating system and download the certificates.

The official documentation can be found here[1].

MitM Proxy

When you start the app in Wireshark you can see that the handshake for the DTLS connection is being carried out.

Wireshark-dtls.png

You can also observe that there are several connections to different servers outside the network.

Wireshark-tls.png

The following messages can be decrypted.

Mitm-sniff.png

Both include a JSON-file.

Json-file-mitm.jpg


  • In the debug log, you can observe that there are additional TLS connections, but the mitm proxy couldn’t decrypt these.
192.168.24.241:59332: Client Handshake failed. The client may not trust the proxy's certificate for data.logentries.com.
192.168.24.241:59332: ClientHandshakeException('Cannot establish TLS with client (sni: data.logentries.com): TlsException("(-1, \'Unexpected EOF\')")')
::ffff:192.168.24.241:58971: serverdisconnect
 -> ('99.86.243.4', 443)
192.168.24.241:59332: clientdisconnect
::ffff:192.168.24.241:40204: serverdisconnect
 -> ('99.86.243.50', 443)
192.168.24.241:58971: clientdisconnect
192.168.24.241:40204: clientdisconnect
192.168.24.241:41657: clientconnect
::ffff:192.168.24.241:41657: Establish TLS with client
192.168.24.241:50453: clientconnect
::ffff:192.168.24.241:50453: serverconnect
 -> ('99.86.243.36', 443)
192.168.24.241:42222: clientconnect
::ffff:192.168.24.241:42222: serverconnect
 -> ('99.86.243.4', 443)
::ffff:192.168.24.241:42222: Establish TLS with server
::ffff:192.168.24.241:50453: Establish TLS with server
::ffff:192.168.24.241:42222: ALPN selected by server: -
::ffff:192.168.24.241:42222: Establish TLS with client
::ffff:192.168.24.241:50453: ALPN selected by server: -
::ffff:192.168.24.241:50453: Establish TLS with client
::ffff:192.168.24.241:42222: ALPN for client: b'http/1.1'
::ffff:192.168.24.241:50453: ALPN for client: b'http/1.1'
::ffff:192.168.24.241:50453: request
 -> Request(GET /US/en/getPolicyUpdate/?deviceType=android)
::ffff:192.168.24.241:42222: request
 -> Request(GET /AppDetails)
::ffff:192.168.24.241:42222: response
 -> Response(200 OK, application/json, 44b)
::ffff:192.168.24.241:50453: response
 -> Response(200 OK, application/json, 374b)

The DTLS connection between the app and the gateway, however, does not appear in the mitm log.

Replay-Attack

In order to be able to carry out a replay attack, the data traffic between the device on which the IKEA app is running and the IKEA gateway must be recorded. Every time you close the app and open it again, a new transmission must be recorded. This is because this is a new session, so the IKEA Gateway and the App have a new shared secret. Then the SRC and DST in IP and MAC have to be adjusted accordingly. In this particular example, a sequence number is available in the DTLS protocol. This must also be adjusted so that it is preliminary. Since the payload is also included in the UDP checksum, it must be recalculated too. This attack was performed on the TKEA Gateway, where a socket was connected to. In the socket was light plugged in to see what's happening.

Replay-attack.png

As you can see, the attack is unsuccessful because no response is sent from the gateway, which is likely to drop the packets.

This may be because DTLS also uses MAC (message authentication code). The sequence number is used to calculate the MAC value. Unfortunately, this value cannot be recalculated without knowing the encryption.

Change Sequence Number

To change the sequence number, we used a workaround in Wireshark. In Wireshark you can select multiple Packets and then copy them as hex dump.

Wireshark-save-hexdump.png

0000   dc a6 32 7d 1d 37 c0 ee fb 4a 9b b5 08 00 45 00
0010   00 69 57 0a 40 00 40 11 47 f6 c0 a8 18 f1 c0 a8
0020   01 42 a4 1a 16 34 00 55 ff 2e 17 fe fd 00 01 00
0030   00 00 00 00 34 00 40 00 00 00 00 00 00 00 16 21
0040   39 8a 8a c5 dd c3 3d 67 ba de a5 5f 0a 10 8c e2
0050   75 da ca a1 db ae a2 08 c6 e6 a6 94 32 db d0 cd
0060   d1 63 e6 bd 32 db 2f 14 1a a1 08 be e9 ac ff 43
0070   48 1b 54 a9 f9 f7 4f

After you have copied the packet you can put it into a texteditor and edit the part of the packet you want. In our case we changed the 00 00 00 00 00 34 in line 0020 and 0030 to the appropriate sequence number. We found out that after each full communication the number raised by four. So, when the last recorded sequence number was 48 the next one is 52 and then 56 and so on. This is the decimal number you have to convert it so hex and change it in the text editor and save it.

In wireshark it is possible to import packets from a textfile with hexdump in it.

Wireshark-import-hexdump1.png

Wireshark-import-hexdump2.png

After you have imported the hexdump save the file as pcap file.

In order to send the packets, edit the marked parts in the python script.

#! /usr/bin/python3
from scapy.all import *
from scapy.utils import rdpcap
import time

pkts=rdpcap("path of the pcap file")  # reads the pcap file and saves the list in the pkts var

# iterates through the list
for pkt in pkts:
     pkt[Ether].src = "sender mac"  # MAC of the sender
     pkt[Ether].dst= "target mac"  # MAC of the target

     pkt[IP].src= "sender ip" # IP of the sender
     pkt[IP].dst = "target ip"  # IP of the target

     del pkt.chksum # deletes the current checksum in the IP header
     del pkt[UDP].chksum # deletes the checksum in UDP header
     pkt = pkt.__class__(bytes(pkt)) # scapy builds the packet new and calculates the missing checksums new

     sendp(pkt) # sending packet
     time.sleep(2)

After that the script can be executed.