Talks

A Vulnerability Analysis of Endpoint Management & Monitoring Solutions

Troopers 2022 - Heidelberg, Germany [Slides]

Endpoint management and monitoring solutions are used to monitor and administer servers and clients in most corporate networks. While enabling automation and centralized management, they also significantly add to the network's attack surface. Most solutions deploy high-privileged agent services to all systems in the network that are centrally controlled via custom communication protocols. A security vulnerability in either the central component, the agent services, or the communication channels can have a major impact on network integrity, affecting the entire company. Our research has shown that many solutions are based on outdated proprietary software using custom protocols and authentication methods.

In this talk, we dissect the security of endpoint monitoring and management solutions based on four examples (Solarwinds N-Central, Nagios XI, Broadcom Automic Automation and Ivanti DSM). We identified multiple recurring high-impact issues, which we categorize and present using examples from our research. Through a series of live demonstrations, the audience will be able to form their own opinion on the security posture of endpoint management and monitoring solutions. Finally, we will give a collection of security recommendations for vendors as well as corporations and their IT management.

Vacuums in the Cloud: Analyzing Security in a Hardened IoT Ecosystem

Usenix WOOT19 - Santa Clara, CA, USA [Slides] [Paper]

With the advent of robot vacuum cleaners, mobile sensing platforms entered millions of homes. These gadgets not only put 'eyes and ears' into formerly private spaces, but also communicate gathered information into the cloud. Furthermore, they reside inside the customer's local network. Hence, they are a prime target for attacks and if compromised become a privacy and security nightmare. Vendors are aware of robots being a target of interest; they employ various security mechanisms against tampering with devices and recorded data in the cloud.

In this paper, the Neato BotVac Connected and Vorwerk Kobold VR300 ecosystems are analyzed and the robot firmware is reverse engineered. To achieve the latter, a technique to bypass the devices' secure boot process is presented, revealing the firmware, which is then dissected to evaluate device-specific secret key generation and to trace vulnerabilities. We present flaws in the secret key generation and provide insight into the occurrence and exploitation of a buffer overflow, which gives an attacker complete control not only in the local network but also via the robots' cloud interface. Eventually, multiple attacks based on the findings are described and security implications are discussed. We shared our findings with the vendors, who further increased their otherwise commendable security mechanisms, and hope more vendors can take away valuable lessons from this highly complex Internet of Things (IoT) ecosystem.

Vacuums in the Cloud

Vacuum Cleaning Security: Pinky and the Brain Edition

Defcon 27 - Las Vegas, Nevada, USA

Data collected by vacuum cleaning robot sensors is highly privacy-sensitive, as it includes details and metadata about consumers' habits, how they live, when they work or invite friends, and more. Connected vacuum robots are not as low-budget as other IoT devices, and vendors indeed invest in their security. This makes vacuum cleaning robot ecosystems interesting for further analysis to understand their security mechanisms and derive takeaways.

In this talk we discuss the security of the well-protected Neato and Vorwerk ecosystems. Their robots run the proprietary QNX operating system, are locally protected with secure boot, and use various mechanisms that ensure authentication and encryption in the cloud communication. Nonetheless, we were able to bypass substantial security components and even gain unauthenticated privileged remote execution on arbitrary robots. We present how we dissected ecosystem components, including a selection of vacuum robot firmware images and their cloud interactions.

Nello (Not Quite) Home Alone

MRMCD18 - Darmstadt, Germany

An IoT smart lock: what could possibly go wrong?

The security of smart locks is, in any case, great cinema! We took a closer look at the Nello Smart Lock for you, developed by a Munich startup and advertised with "Security 2.0" (AES256, TLS1.2): "Highly advanced encryption methods & unbreakable compared to physical locks" ...

The Nello Smart Lock connects to the WLAN and can then be controlled exclusively via the cloud. From the cloud, times of day and user locations determine whether the front door may currently be opened. If that is the case when someone rings the bell, the front door opens.

First, we give you an overview of all the components and protocols used in this ecosystem. An interesting mix of protocols is in play here, familiar from other IoT TV chefs ;)

We don't want to spoil too many details, so that you all go to the cinema, but we were able to read all of the network traffic, send messages, permanently terminate connections, view and modify user accounts, view activity logs, verify e-mail addresses, and escalate privileges. Like every good Disney film, it ends with a happy responsible disclosure.