Broadlink Intelligent Ecological Series of loopholes detailed __iot

Blogger: Ali Security Research Laboratory-Cheijun

Release date: 2016-1-26

Blog content: background

In the current global network threat activities, foreign attackers mainly use Zeus, CryptoWall, BEDEP, all kinds of common rat tools, such as malicious load, but in the recent monitoring of the malicious threat, we found that individual advanced sample attack using a relatively rare betabot trojan, There are few related to this Trojan

0x01 Initial knowledge of intelligent sockets

Today I choose the analysis of this socket is Bo SP2 (smart Plug), why choose this socket, this socket is now used more, and the use of components manufacturers Marvell provided by the smart energy in the domestic entrepreneurial team is also applied more, It is learned that the millet socket also uses the Marvell solution.

The appearance of the following figure, is the protagonist of our study today.

By dismantling the socket we know that it uses some chips and components, the following figure socket core module.

CORTEX-M3 Processor +wifi module, the specific chip is Marvell 88mc200+88w8782

The following figure is a socket relay module, the main function is used for switch sockets, the specific device is y14f-ss-105lmw-115

The following figure is a metering module for recording the use of electricity, the specific device is ATT7021CU

From the use of these several modules, basically we are able to identify some associations, microcontroller is the core of the control center, the management of WiFi modules for networking and communication, management of relay modules physical switch sockets, from the sensor to read the use of electricity sensors, the above micro-control module is the focus of our research today.

0x02. System Architecture

We will provide a detailed description of this socket from the hardware architecture and software system.

2.1 Hardware Architecture

Here we will detail the hardware and software architecture of the core control system, which we mentioned in the micro-control chip Marvell 88mc200 and WiFi module 88w8782, which is the smart energy solution provided by Marvell.

The following figure is a hardware combination function diagram

Briefly introduce the characteristics of these two chips:

88mc200:arm Cortex M3 Core, processor clock up to 200MHZ,512KB SRAM,1MB Flash chip storage space, 128-bit AES encryption algorithm engine, CRC algorithm engine.

88w8782: Integrated Marvell Feroceon CPU (armv5te-compliant) up to 128Mhz processor clock, compatible 802.11 a/b/g/n, support Wifi-direct and stations mode (described later in detail, The legendary Smartconfig)

2.2 Software system Architecture

The socket software system is based on the Marvell Easy-connect SDK development platform to complete, the manufacturers through the Marvell provided by the development platform to develop their own top-level applications, through the information provided by Marvell, we know that the socket of the software system features, The following figure is the development Board provided by Marvell.

Operating system: FreeRTOS

TCPIP protocol stack: LwIP (Implementation of a lightweight TCPIP protocol stack)

A brief introduction to the embedded operating system FreeRTOS, this is an open source Cross-platform mini Real-time operating system, the first time to know that the operating system from Silicon Valley to do a smart watch company called Pebble Watch, They are from the Kickstarter of the United States on the Internet to make money to do smart watches, they are used FreeRTOS.

Its features are dapper, the smallest FreeRTOS core contains only 3. c Files (task.c,queue.c, list.c) and a small number of header files, the streamlined binary files can be as small as 10 k, very suitable for this Low-power intelligent device operating system, The entire system of this socket firmware is only more than 260 KB, which includes the entire hardware initialization, FreeRTOS system and TCPIP protocol stack, wireless management, upper business logic, etc., using the FTFs streamlined file system, appears very tightly clustered and streamlined, Below we will describe the socket startup process.

2.2.1 System Boot Process

We have obtained the update firmware (bl_sp2-27-3.bin) of the socket from some sources, so we can know the process and function of its internal system running, the following figure is the structure analysis diagram of the firmware.

The head 0x28 of the firmware contains the header ID, firmware length, and load address, firmware checksum information.

For the 88mc200 chip start-up process, we need to attach the entire hardware system of the memory map, to detail its start-up process, it uses the CORTEX-M3 32-bit processor, using the ARMV7-M architecture, the use of the instruction set Thumb-2 (16/32-bit mix), Because of the high code density, the volume is small.

A brief introduction to the hardware system part of the address space distribution:

1. Address space 0x0000-0x100000, 1MB Flash storage on the chip, the function of 0x0~0x1000 for the boot Rom,bootrom is to load the firmware stored on Flash to the static memory of the starting address 0x100000.

2. On-Chip static memory (SRAM), the size of 512KB is divided into 4 segments, across the code and data segments, respectively (RAM0/1/2/3), address space and size can be through the system control of the register bit can be matched, the default configuration is as follows:

0X100000-0X12FFFF RAM0 192KB (for storing code and data)

0X12FFFF-0X15FFFF RAM1 192KB (for storing code and data)

0x20000000-0x20010000 RAM2 64KB (runtime stack space)

0x20010000-0x20020000 RAM3 64KB (bootrom runtime stack space)

3. AON domain static memory,

0x480c0000-0x480c1000 4KB AON Domain (used to store critical information even after a power outage, can continue to use after wake up)

The startup process is as follows:

1. Bootrom reads 4 bytes of data from 0 addresses as the value of the initial MSP (primary stack), and then takes over the MCU (microcontroller) from the 0X04 address value as an instruction execution, reads the WiFi flash firmware to the memory space through the SPI controller, and the WiFi firmware code takes over control.

2. The WiFi firmware code loads the system firmware on Flash to the static memory 0x100000, then jumps to 0x100000 reads 4 bytes as the MSP's initial value, reads 0x100004 as the PC's initial value and starts executing the code, Here is the reset execution function in the vector table

3. Initialize Power management Unit (PMU)

4. Initialization of UART and watchdog

5. From the flash inside read the system run before the configuration data information and verify

6. Initialize WLAN (including TCPIP protocol stack, WiFi chip driver, wireless network management), Gpio and Pin_mux

7. Initialization of AES encryption algorithm engine

8. Initialize the business logic of the socket, etc.

Here we will focus on the business logic.

Device Configuration

When a smart device is running and uses it, it must be configured and connected to a mobile phone, and so on, before the internet has to be told that the WiFi account and password used in the home of the smart device, the process is done via a mobile phone, specifically via smartconfig or direct wifi.

First said Smartconfig mode, the mode is to allow the device's WiFi module in the listening mode, so that the device can receive the original 802.11 of the data frame, the phone to the WiFi account information through the random data length code to the device to complete the WiFi distribution network, the specific process is as follows:

The image above completes the process of pairing the entire WiFi network with the handset and device.

DIRECT WiFi is simpler, smart devices turn themselves into a WiFi AP, allowing mobile users to connect, mobile phone users to tell the device home WiFi account information can complete the distribution process, the phone matching process ibid.

A 16-digit AES key is negotiated between the client and the socket that controls the socket. The key is generated based on the socket system clock to generate, the key will be used for business control logic, such as mobile phone remote control device switches and other operations, the cloud only forwarding and positioning device network link, the key stored in the phone and device end, The cloud does not store this information, and all devices are indexed by a MAC address.

broadlink Intelligent Equipment Ecology

Bo Lian Intelligent Equipment ecology is divided into two categories, the first type is Bo Lian through their own things networking solutions developed by their own intelligent equipment products, such as the following intelligent sockets, universal remote control, intelligent audio, belong to their own products.

The second category is the Third-party equipment manufacturers through the Bo Lian's internet of things to join the intelligent ecology of the equipment producers, including the traditional home manufacturer and some intelligent equipment producers, as shown below.

Bo-Link to provide the internet of things, including hardware and software, hardware is the above we mentioned Marvell Smart Home program, software including the Marvell provided by the Low-power embedded operating system solutions and Bo-Link to provide mobile app SDK, network management logic and cloud communication storage solutions (optional, Because some manufacturers build their own cloud, and the control logic of equipment by the production business development, the overall solution in accordance with the equipment charged 9.999 yuan per equipment.

Broadlink Device Vulnerabilities

1. The lack of strict certification of the control end causes the device to be controlled by the attacker, because of the fragility of the equipment and the authentication system of the control terminal, the device does not authenticate the control side, which causes the device to be controlled by the malicious attacker, because most of the intelligent devices are used in the home network, because of the relationship between the routers, So the harm was mitigated, but in the course of our global scans we found that about 10000 of the equipment was still exposed to the public network (including the smart devices of third-party producers), mostly in China.

2. Unpublished one-button "self-destruct" function, since all of the smart device products are using the same set of protocol framework code to develop, different series of products just control logic is different, leading to the underlying code problems, all other products will be affected, the vulnerability hidden in a full range of code, an undisclosed function, A specific network packet, you can remotely reset the device, purge system configuration information, and leave the device in an unusable state.

the danger of a loophole:

Because of the existence of a loophole, can cause smart devices to be remotely controlled by hackers and have the same operation and control as the normal users of the device, because the Bo-Lian device support from the unofficial address update firmware, so hackers can remotely update the malicious code to insert the firmware, because the firmware update verification mechanism is fragile, no digital signature, Remote Update firmware Defense is also easy, the author in order to verify its harmfulness, homemade firmware, insert a piece of code to the remote smart device users home WiFi account and password, as well as smart device MAC address information sent to our c&c server, And does not destroy the original normal business logic of the smart device.

Our c&c server UDP 80 will receive the MAC address and the remote WiFi account information and password information.

Through the homemade firmware remote update and can be from the smart device to obtain user's phone username and IMEI and other information, and can penetrate the intranet and other functions.

Broadlink Intelligent Ecological loophole

The vulnerability with the Bo-linked vulnerability, through which the vulnerability can remotely control other intelligent devices within the ecosystem, may be affected by the following products.

Note: Because the validation mechanism for some products is in the cloud of a third party, it may not be affected by this vulnerability.

Security Patching Recommendations:

1. Improve the Client access verification mechanism, for example, each device has a unique serial number and verification code for access verification.

2. The release version of the test code must be cleared away, may test the code will become the product of the back door and exist.

3. Firmware update signature mechanism, which I think is related to the internet of things provided by Marvell solution.

4. SDL development process.

Original address: https://security.alibaba.com/blog/blog.htm?spm=a219k.7962236.0.0.8CkV0D&id=39