Broadlink smart ecosystem vulnerability details

Broadlink smart ecosystem vulnerability details

With the rapid development of consumer electronic devices and the delivery of Iot in our daily lives, chip manufacturers and a large number of smart device entrepreneurial teams have increased investment in the field of Smart Living, chip manufacturers provide a complete set of SoC (System On Chip) solutions for various life scenarios. This lowers the threshold for small smart device entrepreneurial teams to enter this field. Small teams can quickly use the solutions provided by chip manufacturers and customize hardware equipment products, you don't need to worry about hardware integration. You only need to use the SDK development platform provided by the chip manufacturer to develop your own upper-layer applications.

Today, I will introduce in depth the design architecture and security issues of smart devices in Iot applications, we will use Broadlink's smart sockets as our research goal to explore the security issues of the entire beilian smart ecosystem. This series of security vulnerabilities were demonstrated in the 2015 GeekPWN smart device cracking.

0 × 01 first recognized smart sockets

Today, I chose this plug-in for analysis and research.Bo Lian's SP2 (smart plug)Why is this socket widely used, and the smart energy provided by the component manufacturer marvell is also widely used in domestic entrepreneurial teams, it is reported that the Xiaomi outlet also uses the marvell solution.

Appearance, for example, is the main character of our research today.

 

 

By disassembling the socket, we know some chips and components it uses, and the core modules of the socket.

Cortex-M3 processor + WIFI module, specific chip is marvell 88MC200 + 88W8782

 

Is the socket of the relay module, the main function is used for the switch socket, the specific device is Y14F-SS-105LMW-115

 

It is a power metering module used to record power usage. The specific device is ATT7021CU.

 

From the perspective of these modules, we can basically determine some associations. The microcontroller is the core control center, the management WIFI module is used for networking and communication, and the management of physical switch sockets of the relay module, the above micro-control module is the focus of our research today.

0 × 02. System Architecture

We will introduce this socket in detail from the hardware architecture and software system.

2.1 hardware architecture

Here we will introduce in detail the hardware and software architecture of the core control system, as we mentioned above the micro-control chip marvell's 88MC200 and WIFI module 88W8782, the combination of these two chips is the smart Energy solution provided by Marvell.

Is the hardware combination function Diagram

 

This section briefly introduces the features of the two chips:

88MC200:ARM Cortex M3 core, processor clock up to 200 Mhz, 128 kb SRAM, 1 MB Flash on-chip storage space,-bit AES encryption algorithm engine, CRC algorithm engine.

88W8782:Integrated with Marvell Feroceon CPU (ARMv5TE-compliant) up to 802.11 MHz processor clock, compatible with a/B/g/n, supports WIFI-Direct and stations mode (will be detailed later, the legendary SmartConfig)

2.2 Software System Architecture

The software system of this plug-in is based on the Easy-Connect SDK development platform of Marvell. The developer develops their own upper-layer applications through the development platform provided by Marvell. Based on the information provided by marvell, we can see that some features of the software system of this socket are the Development Board provided by marvell.

??Operating System?? : FreeRTOS

??TCPIP protocol stack: LwIP (implementation of a lightweight TCPIP protocol stack)

??

 

A Brief Introduction to the embedded operating system FreeRTOS is an open-source cross-platform mini real-time operating system. The first time I knew that this operating system was going to start with pebble watch, a smart watch company in Silicon Valley, they integrate money into smart watches from the U.S. crowdfunding website kickstarter. They use FreeRTOS.

Its features are short and concise, and the smallest FreeRTOS core only contains three. C file (task. c, queue. c, list. c) and a small number of header files. The simplified binary file of the compiler can be as small as 10 K, which is very suitable for the operating system of this low-power smart device, the firmware of the entire system of the bunion socket is more than 260 KB, including the entire hardware initialization, FreeRTOS system and TCPIP protocol stack, wireless management, and upper-layer business logic, the use of FTFS to streamline the file system is very tight and streamlined. Next we will introduce the socket startup process.

2.2.1 system guidance process

We get the updated firmware (BL_SP2-27-3.bin) for the socket from some channels, so we can know the processes and functions of its internal system operation, which is the structure analysis diagram of the firmware.

 

The firmware header consists of 0 to 28 bytes including the header identifier, firmware length, loading address, and firmware verification information.

For the 88MC200 chip Boot Process, we need to attach the memory distribution diagram of the entire hardware system to detail the boot process, it uses a 32-bit Cortex-M3 processor, using the ARMv7-M architecture, the Thumb-2 instruction set used (16/32-bit Mixing) is small because of the high code density.

 

Brief Introduction to address space distribution of some hardware systems:

1. Address Space: 0x0000-0x100000; 1 MB on-chip flash storage; 0x0 ~ 0x1000 is Boot ROM. BootROM is mainly used to load the firmware stored in flash to the static memory with the starting address of 0x100000.

2. static Memory on chip (SRAM), which is 1/2 kb and divided into four segments, namely (RAM0/3 ), you can configure the address space and size through the system control memory flag. The default configuration is as follows:

Memory RAM0 192KB (used to store code and data) memory RAM1 192KB (used to store code and data) 0x20000000-0x20010000 RAM2 64KB (runtime stack space) 0x200-0x20020000 RAM3 64KB (BootROM runtime stack space)

3. AON Domain static memory,

0x480c0000-0x480c1000 4KB AON Domain (used to store some key information even after the system is powered off, it can continue to be used after power-on and wake-up)

The startup process is as follows:

1. bootROM reads 4 bytes of data from the 0 address as the initial MSP (Master stack) value, and then takes over the MCU (microcontroller) from the 0 × 04 address value as the command execution entry ), read the Wi-Fi Flash firmware to the memory space through the SPI controller, and the Wi-Fi firmware Code takes control of the firmware.

2. the Wi-Fi firmware code loads the flash system firmware to the static memory 0 × 100000, and then jumps to 0 × 100000 to read the four bytes as the initial values of MSP, read 0 × 100004 as the initial value of the PC and start executing the Code. This is to execute the function to the reset in the table.

3. initialize the Power Management Unit (PMU)

4. initialize uart and watchdog

5. Read and verify the configuration data that was run before the system from flash.

6. initialize wlan (including tcpip protocol stack, wifi chip driver, wireless network management), GPIO and PIN_MUX

7. initialize the AES encryption algorithm Engine

8. initialize the business logic of the socket.

Here we will focus on the business logic.

Device Configuration

Before a smart device starts to run and uses it, you must configure the network connection and connect the mobile phone to an account. Before the network connection, you must inform the smart device of the Wi-Fi account and password used in the home, this process is completed through a mobile phone. The specific method is achieved through SmartConfig or direct wifi.

In SmartConfig mode, the Wi-Fi module of the device is in the listening mode, so that the device can receive the original 802.11 data frame, the mobile phone sends the Wi-Fi account information to the device through random Data Length Encoding to complete the Wi-Fi network. The specific process is as follows:

 

Complete the process of pairing WIFI distribution networks, mobile phones, and devices.

Direct wifi is simpler. smart devices turn themselves into a Wi-Fi AP, allowing mobile phone users to connect. mobile phone users can tell the device's home wi-fi account information to complete the distribution process, the mobile phone pairing process is the same as above.

The client and outlet of the control outlet negotiate a 16-bit AES key. The key is generated based on the system clock of the outlet. The key will be used in the business control logic, for example, if a mobile phone remotely controls the switch of a device, the cloud only forwards and locates the network link of the device. The key is stored on the mobile phone end and the device end, And the cloud does not store the information, all devices are indexed by MAC addresses.

Broadlink smart device Ecosystem

Bilian smart device ecosystem is divided into two categories. The first category is bilian's smart device product developed through its own Iot solution, such as the following smart sockets, universal remote control, and smart audio, your own product.

 

The second category is third-party equipment vendors who have joined the smart ecosystem through the Internet of Things solution provided by boilian, including traditional household manufacturers and smart device manufacturers, as shown in.

 

 

The Iot solution provided by Bolian includes hardware and software. hardware is the smart home solution of Marvell mentioned above, the software includes the low-power embedded operating system solution provided by Marvell, the mobile App SDK provided by bilian, the network management logic, and the cloud communication storage solution (optional, because some vendors build their own clouds ), the device control logic is developed by the manufacturer, and the overall solution is charged at 9.999 yuan per device.

 

Broadlink device Vulnerability

1. due to the lack of strict authentication on the control end, the device can be controlled by attackers. Due to the weakness of the authentication system between the device and the control end, the device does not perform credibility authentication on the control end, as a result, devices may be controlled by malicious attackers. Most smart devices are used in the home network, and their dangers are mitigated due to the relationship between routers, however, during our global scanning, we found that about 10000 of devices are still exposed to the Internet (including smart devices of third-party vendors), most of which are in China.

 

2. the one-click "self-destruction" function is not publicly available. Because all the smart device products of bilian use the same Protocol framework code for development, different series of products only have different control logics, leading to underlying code problems, all other products are affected. This vulnerability is stored in the full range of code. An undisclosed function, a specific network package, allows you to remotely reset devices and clear system configuration information, make the device unavailable.

Hazard 1:

Due to the existence of vulnerability 1, smart devices can be remotely controlled by hackers and have the same operation and control as normal users of the devices. Because bilian devices support firmware update from unofficial addresses, therefore, hackers can remotely update and insert the firmware of malicious code. Because the firmware update verification mechanism is weak and there is no digital signature, it is also easy to update the firmware remotely. In order to verify its harmfulness, I made a self-made firmware, the purpose of inserting a piece of code is to send the Wi-Fi account and password of the remote smart device user and the MAC address of the smart device to our C & C server, it does not disrupt the original normal business logic of smart devices.

 

The UDP 80 on the C & C server will receive the MAC address and remote Wi-Fi account information and password information.

 

You can remotely update the firmware and obtain the user's mobile phone user name, IMEI, and other information from a smart device. In addition, the firmware can penetrate the Intranet and other functions.

Broadlink smart ecosystem vulnerability

Vulnerability 1 of this vulnerability is similar to that of botnet. This vulnerability allows you to remotely control other smart devices in the ecosystem. The following products may be affected.

 

Note:Because the verification mechanism of some products is on a third-party cloud, the vulnerability may not be affected.

0 × 03. Security repair suggestions

1. Improve the client access verification mechanism. For example, each device has a unique serial number and verification code for access verification.

2. The test code of the released version must be cleared. The test code may become a backdoor of the product.

3. the firmware update signature mechanism is related to the IOT solution provided by Marvell.

4. SDL development process.