Did you know that your Philips Hue bulb can be hijacked by a malicious hub in the neighborhood?

Posted by Kulani Mahadewa on May 25, 2020
Posted in: Article, Internet of Things. Tagged: , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , . Leave a comment

Philips Hue is a popular smart home lighting system. This smart lighting system provides you with flexibility and ease in controlling, and diverse customizations in terms of colour range and functionalities that a typical light bulb cannot provide you. However,  there can be vulnerabilities in these new Internet of Things products due to lack of security hardening or challenges in adopting existing security solutions into them.

With reference to the previous post, HomeScan [1, 2] has discovered a vulnerability in the Philips Hue lighting system that leads to hijacking a Philips Hue bulb which is already connected with a victim’s hub at the presence of a malicious hub. As stated by HomeScan,  the vulnerability introduced due to the use of the existing communication protocol ‘ZigBee’ by the Philips Hue bulbs as a low power solution. Specifically, Philips Hue uses ZigBee Light Link (ZLL) protocol. It allows the ZigBee enabled bulb to accept and reply to the discovery beacons even after the bulb is already connected to a hub. Consequently, a malicious hub can discover the victim’s bulb by sending a discovery beacon. Following that the attacker can launch the ZLL authentication which results in the bulb disconnect itself from the victim’s hub and establish authentication with the malicious hub.

Here, is the attack demo video showing how the Philips Hue bulb is hijacked by the malicious hub over the ZigBee network. This demo uses the Perytons tool and a USB pluggable sniffing stick that supports ZigBee traffic capturing. This traffic was captured at the presence of a real Philips Hue bulb and two Philips Hue Hubs (one as the benign or belongs to the victim and the other as the malicious or belongs to the attacker). There are several other vulnerabilities that were discovered by HomeScan from including Chromecast and LIFX devices. You can check the HomeScan demo site for other findings.

 

References

[1] Scrutinizing Implementations of Smart Home Integrations. Kulani Mahadewa, Kailong Wang, Guangdong Bai, Ling Shi, Yan Liu, Jin Song Dong, and Zhenkai Liang. IEEE Transactions on Software Engineering, TSE 2019

[2] HOMESCAN: Scrutinizing Implementations of Smart Home Integrations. Kulani Mahadewa, Kailong Wang, Guangdong Bai, Ling Shi, Jin Song Dong and Zhenkai Liang. 23rd International Conference on Engineering of Complex Computer Systems, ICECCS 2018, Melbourne, Australia, December 12-14, 2018

Why Smart Homes Require Integration Analysis?

Posted by Kulani Mahadewa on May 24, 2020
Posted in: Article, Getting Started with Android. Tagged: , , , , , , , , , , , , , , , , , , , , , , , , , , , , . Leave a comment

In the HomeScan[2]  paper (in ICECCS 2018),  we highlight the importance of the security analysis of a smart home system from the integration perspective and propose a semi-automatic approach to perform the integration analysis. Later, an extended version [1] of this work was published in the 2019 TSE journal.

Why integration analysis?

Unlike the traditional ubiquitous smart home systems, the IoT (Internet of Things) driven smart home systems are more complex with the inherent attributes of IoT such as heterogeneity in technologies, standards, protocols, and platforms they are built upon while supporting a low-cost and a low-power system over the Internet.

Screenshot 2020-05-25 03.23.52

The Figure shows the diversity of communication protocols and smart devices by different manufacturers supported by a smart home system that uses Smarthings hub.

The HomeScan paper suggests two factors which make securing of a smart home system challenging as incompatibilities and invalidated assumptions exist in a smart home system due to its complexity. Therefore, it highlights the requirement of analyzing the security of a smart home system from the integration perspective to discover insecurities arrises due to the challenges in providing security for smart home systems.

How to perform integration analysis?

The paper proposes HomeScan, a semi-automatic approach to perform a security analysis of a smart home system from the integration perspective. The idea is that, if you have a model (a finite state diagram) of the integrated system, you can perform model checking against different attack models to find security problems in the integrated system. Hence, the paper first provides a set of techniques to extract the model of the integrated system as a Labeled Transition System (LTS) from the available implementations. Next, it shows that reachability checking over the generated integrated system model can be used to find security problems in the smart home integration. For more information please refer to the Homescan [2] paper or its extended version [1].

References

[1] Scrutinizing Implementations of Smart Home Integrations. Kulani Mahadewa, Kailong Wang, Guangdong Bai, Ling Shi, Yan Liu, Jin Song Dong, and Zhenkai Liang. IEEE Transactions on Software Engineering, TSE 2019

[2] HOMESCAN: Scrutinizing Implementations of Smart Home Integrations. Kulani Mahadewa, Kailong Wang, Guangdong Bai, Ling Shi, Jin Song Dong and Zhenkai Liang. 23rd International Conference on Engineering of Complex Computer Systems, ICECCS 2018, Melbourne, Australia, December 12-14, 2018

Use mitmproxy to Capture Traffic on the Same Machine

Posted by Kulani Mahadewa on April 10, 2020
Posted in: mitmproxy. Tagged: , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , . Leave a comment

Hi, In this post I’m giving a detailed guide to use mitmproxy on kali Linux to capture the traffic. The mitmproxy tool provides many attacker capabilities in traffic analysis such as intercept, modify, replay, save, etc. You can check here for more details. I wanted to use this tool to capture traffic on the same machine (The tool is by default designed to use as a man-in-the-middle attacker to monitor the traffic of a victim device) to analyze the web protocols.  On my windows machine I used Fiddler to capture and analyze traffic. However, it was not enough support for Linux machines, if required to do further processing. Hence, I decided to use mitmproxy on Linux.

Note: In order to use mitmproxy to monitor traffic in the same machine we need to consider two users; one user as to provide the proxy; the other user as the victim. So following are the steps to set up your environment on a kali Linux machine. Although kali Linux comes with mitmproxy as pre-installed, I removed the existing version and installed the latest mitmproxy version 5.0.1. The newest version claims to be 4X faster.

Step 0: Remove previously installed mitmproxy

You may have to install the existing old version of mitmproxy if you are using kali Linux

sudo apt-get remove --auto-remove mitmproxy

Step 1: Create a new account for the proxy.

Use the following commands to create a new user. This user will be used as the attacker.

useradd -m mitmproxyuser// it creates a new direcotry 
 passwd mitmproxyuser //provide a password 
usermod -a -G sudo mitmproxyuser //add the user to sudo user list

Step 2: Download the mitmproxy version 5.0.1

  • Visit https://mitmproxy.org/ and download the v5.0 binary of mitmproxy.
  • Extract the downloaded .gz file. It contains following executables:
    • mitmproxy
    • mitmdump
    • mitmweb

Step 3: Install the mitmproxy as the newly created user

Change the directory to the directory with the extracted content of mitmproxy

  • Use the following command to install the mitmproxy.

Note: I’m using pip3 to install the mitmproxy, the pip gave errors for me.

sudo -u mitmproxyuser bash -c 'cd ~ && pip3 install --user mitmproxy'

If the command was successful, the following hidden files will be generated

0installmitmproxyasdiffuser(1)genfiles

Step 3: Update IP forwarding settings and add rules to the iptables.

sysctl -w net.ipv4.ip_forward=1
sysctl -w net.ipv6.conf.all.forwarding=1
sysctl -w net.ipv4.conf.all.send_redirects=0

iptables -t nat -A OUTPUT -p tcp -m owner ! --uid-owner mitmproxyuser --dport 80 -j REDIRECT --to-port 8080
iptables -t nat -A OUTPUT -p tcp -m owner ! --uid-owner mitmproxyuser --dport 443 -j REDIRECT --to-port 8080
ip6tables -t nat -A OUTPUT -p tcp -m owner ! --uid-owner mitmproxyuser --dport 80 -j REDIRECT --to-port 8080
ip6tables -t nat -A OUTPUT -p tcp -m owner ! --uid-owner mitmproxyuser --dport 443 -j REDIRECT --to-port 8080

Note*: Once the iptables are updated you will not be able to browse the internet unless the mitmproxy is started

Step 4: Start the mitmproxy as the user mitmproxyuser

sudo -u mitmproxyuser bash -c '$HOME/.local/bin/mitmproxy --mode transparent --showhost --set block_global=false'

00runmitmproxyNote*: Now, when you visit a web site on Firefox browser, it will still say that the certificate is not trusted.

01waring

Step 5: Install the mitmproxy certificates on Firefox browser

Once the mitmproxy is started …

02installcert

02details

  • Click on ‘other’ for Linux. It will download the certificate and prompt for acceptance. You can view the certificate and accept it.

02trustcert

02certdetails(2)

Step 5: Capture traffic on mitmproxy

Finally,  after installing the CA certificate, you can use the mitmproxy to analyze your traffic as follows.

03successmitmproxy

Click on an item to view the details.

03details

Cheers ! 🙂

Running PyCharm Traffic through Fiddler

Posted by Kulani Mahadewa on April 6, 2020
Posted in: Fiddler. Tagged: , , , , , , , , , , , , , , , , , , , , . Leave a comment

Hi, Here is a brief guide to setup PyCharm to send its traffic generated by requests through Fiddler.

Usage:  If you get errors while  implementing an extracted  protocol from a Fiddler traces, you can forward the traffic to Fiddler, so that you can check the captured traces against the traffic generated from PyCharm to debug your code. For example, you can solve issues when receiving Code 422 in response.

Running PyCharm Traffic through Fiddler

First, you need to update proxy settings at PyCharm with Fiddler proxy details. This will ask to install Fiddler generated certificates at PyCharm. However, this step only allows PyCharm to direct it’s traffic to Fiddler, but your python code fails since this setting does not apply to urllib3 used by requests. Hence, we have to bypass certificate verification in the code.

Step 1: Add Fiddler Generated Certificates to PyCharm

  • At PyCharm IDE Goto -> File -> Settings ->Appearance & Behaviour -> System Settings -> HTTP Proxy -> Provide Fiddler proxy settings as follows (Host: 127.0.0.1, Port: 8888)

update proxy settings

  • Restart PyCharm -> It will prompt to Accept the Fiddler generated certificates for JetBrains.

Screenshot 2020-04-06 19.32.00

  • You can check the saved certificates at File -> Settings ->Tools-> Server Certificates

Step2: Update Python Code

In the python code, I’m using requests package to send HTTPS requests. Update the request with an additional argument as verify=False. Otherwise, it will throw an verification failed exception (ssl.SSLError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:646))

import requests

initResponse = requests.get(initURL, params=initParams, headers=headerInit,verify=False)

Now, it will only give a warning (InsecureRequestWarning: Unverified HTTPS request is being made to host ‘127.0.0.1’. Adding certificate verification is strongly advised. See: https://urllib3.readthedocs.io/en/latest/advanced-usage.html#ssl-warnings
InsecureRequestWarning,) and pass the code. Assuming you are aware of the security of the URL you are visiting, this can help you forward PyCharm traffic through Fiddler without much hassle.

Cheers ! 🙂

Fix ERR_CONNECTION_TIMED_OUT error on Android with Fiddler Proxy

Posted by Kulani Mahadewa on March 12, 2020
Posted in: Fiddler. Tagged: , , , , , , , , , , , , , , , , , , . Leave a comment

Hi, When setting up an Android device with Fiddler on the host machine, you need to set up proxy settings on Android Wi-Fi giving the IP address shown on Fiddler (Online) as host and port as 8888. After that, you need to visit http://ipv4.fiddler:8888 on your browser to download the Fiddler Root Certificate. However, when visiting the http://ipv4.fiddler:8888 on the Android browser, you might get ERR_CONNECTION_ TIMED_OUT.  This could be due to many reasons.

Reasons and Solutions:

  • If you are connecting your Android with Fiddler for the first time recheck the settings on Fiddler. Goto -> Tools -> Options -> Connection -> Tick “Allow remote computers to connect”.  To allow HTTPS decryption, ensure you have ticked “Decrypt HTTPS traffic” under Options-> HTTPS, and then install the root certificate.
  • If you are trying to reconnect you Android with Fiddler which was working with a different host, and now getting  ERR_CONNECTION_ TIMED_OUT on the Android browser,
    • You can first try removing current certificates on the Fiddler host machine and try reinstalling the certificates..
      • First, Goto -> Tools -> Options -> HTTPS-> Untick “Decrypt HTTPS traffic”.
      • Then, select ‘Actions’ on the same dialog -> select “Remove interception certificates”
      • Then follow the normal procedure to enable HTTPS traffic decryption
    • The ultimate try is to uninstall and reinstall the Fiddler from the beginning on your host machine. After that, your Android browser can visit http://ipv4.fiddler:8888 and download a new Fiddler Root Certificate.

Plus:

Even after successfully installing the Fiddler root certificate on your Android device, if you are not able to capture the HTTTPS traffic. It might be that you are using an older fiddler root certificate or a certificate you installed when working with a different Fiddle r host machine. Hence, remove the current installed certificate from your android device. After that, try reconnecting with the Fiddler host to reinstall the new root certificate.

adb shell
cd /data/misc/user/0/cacerts-added
ls
rm < current root certificate e.g. e5c3944b.0>

In the worst case It may be due to certificate pinning used in the application you are trying to test. In that case, you may have to use an instrumentation tool like Xposed to bypass such conditions.

Cheers ! 🙂

 

Install MongoDB on Kali 2020

Posted by Kulani Mahadewa on March 10, 2020
Posted in: Kali Linux. Tagged: , , , , , , , , , , , , , , , , , , , , , , . 1 Comment

Hi, I have tried to install mongod from the apt-get install on my Kali Linux machine. However, it couldn’t find a package with that name. Hence, I decided to install mongod binaries specified at in their documentation as follows.

  • Donwload mongod package and extract the content

mogodown

wget https://fastdl.mongodb.org/linux/mongodb-linux-x86_64-3.6.17.tgz
  • Add the location of mongod in the PATH variable

Goto home directory -> Ctrl+H -> Find the .bashrc file -> open and paste following-> Save

export PATH=<path-to-mongodb-directory>/bin:$PATH
  • Create data/db directory. (Since I use the root user not needed to set permissions)
mkdir -p /data/db
  • Now open terminal and use mongod  to start the server
mongod

mongod

  • Use mongo command to use the database
mongo

mongo

Cheers ! 🙂

 

Python GUI with PySide2 and QtCreator

Posted by Kulani Mahadewa on March 7, 2020
Posted in: Kali Linux. Tagged: , , , , , , , , , , , , , , , , , , , , , , , , , , , . Leave a comment

Hi, In this post I explain how to create a GUI application for Python using Qt. Qt is a cross-platform software development framework.  It provides PySide to support creating GUI applications for Python. There is also PyQt another python package supporting the same functionality. This post explains the differences between the two packages. They are basically alternatives. So, in this post I’m using PySide2 the latest version of PySide supporting the Qt 5.14 version.  In brief, you can first generate the layout using QtCreator tool. Then export that into your Python application for adding functionalities to the UI components.

Step 1: Install QtCreator/QtDesigner

There are two version of the QtCreator is available. You can use the open source version.

  • Prerequisite:
sudo apt-get install build-essential libgl1-mesa-dev
  • Download the installer:  from https://www.qt.io/offline-installers. I installed qt-opensource-linux-x64-5.14.1.run.
  • Installing: The installer can be directly executed on linux machine (I’m using Kali Linux 2020)  when  provide access to execute. It will prompt to create a user account through the installer. Then verify your email and continue. Once installed the application can be find through the application searching as qt.

qt setup

Step 2: Create an Qt Application using the QtCreator

  • Select Qt Widget application -> Provide the name and location -> select qtmake as the build system -> Next, you can edit class name information -> Next, select Kit Selection as ‘Desktop’ -> Finish

Screenshot_2020-03-08_01-57-38

  • When you install for the first time there won’t be any kits available.

Hence, you need to do the following steps first.

    • Install qt5-defaults
sudo apt-get install qt5-default
    • At the QtCreator Select Tools -> Options -> at Kits goto Qt Versions -> Maual -> Add -> give qmake file of qt5 location (usr/lib/x86_64-linux-gnu/qt5/bin/qmake)

Screenshot_2020-03-08_02-10-12

qt setup versoin

    • Then at the Kits window –> Select Desktop -> Update the Qt Version to the added Qt version.
    • Now, you can create the Qt Widget application as described above.
  • When you created the Qt application you can use the ‘Design’ View to add the layouts and the components as desired.

Screenshot_2020-03-08_02-20-47

Step 3: Export your designed mainWindow.ui as mainWindow.py

The mainWindow.ui is an xml file.

Screenshot_2020-03-08_02-21-00

You can covert it to a python file as folllows.

pip3 install PySide2
pyside2-uic mainwindow.ui -o mainWindow.py

The generated mainWindow.py:

Screenshot_2020-03-08_02-31-30

Step 4: Create Python GUI Application

Now, you can create a python project including the mainWindow.py, and another python file app.py to refer the components in the mainWindow.py and provide functionalities.

you import the Ui_mainWindow from the ainWindow.py  in app.py

app.py:

import sys
from PySide2.QtGui import *
from PySide2.QtCore import *
from PySide2.QtWidgets import *
from path.to.mainWindow import Ui_mainWindow

class MainWindow(QMainWindow, Ui_mainWindow):
def __init__(self):
super(MainWindow, self).__init__()
self.setupUi(self)
self.assignWidgets()
self.show()

def assignWidgets(self):
self.goButton.clicked.connect(self.goPushed)

def goPushed(self):
self.goText.append("Test Go!")

if __name__ == '__main__':
app = QApplication(sys.argv)
mainWin = MainWindow()
ret = app.exec_()
sys.exit( ret )

You can refer to following tutorials for more information

Cheers ! 🙂