, Florentine A
Today's weather: 0 C, tomorrow's weather: Hell!
This is the story all about how two midwesterners hacking IoT devices turned their lives upside down. When one day they came upon a hellish wasteland @ 171 degrees, they said let’s get on it with our hands and keys!
Explore the world of IoT vulnerabilities with our exhibition of Tuya-based devices' encrypted communication protocols. Using a combination of firmware extraction and reverse engineering tools, this talk unveils useful security flaws in home weather stations and potentially other Tuya devices. Join us as we demonstrate how to manipulate device operations and unlock a portal to 'another climate' through live demos and hacks.
Bored in the frozen cornfields of Iowa, Dave and Aask’s exploration into IoT vulnerabilities began with an unusual glitch: Aask’s home weather station misreporting temperatures, unable to show negative numbers and instead showing the hellish forecast of 171 degrees in January. This anomaly sparked our curiosity, leading us two SecDSM community members to delve into the firmware of Tuya-based IoT devices. We soon uncovered a series of useful security vulnerabilities which we are going to share in this session.
Leveraging open-source tools like Cloudcutter, we extracted the firmware and used Ghidra to dissect it, gaining access to the plain-text keys stored within the devices, which are used to access the Tuya API and its various endpoints. Starting from these keys, we found security lapses in the devices' communication protocols, which we exploited to manipulate device operations.
Dave took on the challenge of reverse engineering the AES “encrypted protocol”, pinpointing critical flaws in how the keys were secured and implemented. Concurrently, Aask developed and refined proof-of-concept code to extend our control over the device (and more consistently pull firmware), leading to further streamlining of the developed exploits.
Our session will demonstrate these vulnerabilities live, illustrating how shady devices from online markets can be coerced to cry, literally, by fuzzing the right fields. The presentation will not only showcase our journey through firmware extraction and protocol exploitation but will also offer a detailed demonstration of these techniques. Attendees will witness live exploits and a comprehensive view of the IoT hacking process, from the initial alarming weather forecasts to making it 5 o’clock somewhere.
Notes:
- We have working demos across three devices (and potentially more!), including one with a shattered screen due to a cat named Nikola (cat tax: https://photos.app.goo.gl/gVPtr1PVngT6BYMw7)
- We will be releasing a tool-set that will allow anyone to control their Tuya IoT devices with this chipset (BK7231N) over their own wifi without having to go through the fuss of dealing with an API
- There will be live demos!
- There will also be a full writeup at https://aask.ltd/hell0_world
- We will be showing the debug serial console live
- We will also be showing off the network interface live
- If things go well: Dumping the binary and the JSON that comes out of it
Dave and Amelia are two SecDSM IoT/hardware hackers that love to see how things work. They are makers, volunteers, and mentors. Dave and Amelia work on embedded systems in $dayjobs.