Attacks and defenses against permission abuse in the IoT age
0x00 Introduction
Permission abuse is generally classified as a logic flaw: the server exposes its functionality too openly or checks permissions insufficiently, so an attacker can call that functionality directly or indirectly to achieve an attack. With the arrival of the Internet of Things era, such vulnerabilities have become common, and the ways they are combined and exploited are varied and surprising. Here we summarize these vulnerabilities in order to respond to and prevent them better; if anything is inappropriate, please give me more advice.
0x01 Background
In April 2014, when the price of Bitcoin soared, a website revealed a case in which hackers used surveillance-camera DVRs for distributed mining. Coincidentally, a security company in China encountered a similar problem on a scanner platform it had opened to external users: because of the lack of functional restrictions, external users could use the scanner to probe the company's intranet. In addition, a hacker disclosed on a third-party platform a vulnerability in a Chinese android testing platform that could be exploited to access the company's internal systems directly from the testing platform's website.
0x02 Case
A permission abuse vulnerability sometimes lets an attacker make the server initiate specific requests (similar to an SSRF attack), and sometimes exposes special features such as accessing the camera, recording with the microphone, writing and implanting trojans, spawning a reverse shell, and so on.
There are already many real-device mobile phone testing platforms at home and abroad, such as Testin cloud testing, the China Mobile terminal pool, Testdroid, TestObject, TestCloud, uTest, UserTesting and WeTest. The author randomly selected an android real-device testing platform for testing.
First, after logging in, you can select a phone model as the test target.
Then go to the device debugging interface. From the web terminal we can control the android phone and use all of its functions.
In addition to the Wi-Fi provided by the website, we accidentally found many other Wi-Fi networks. On closer inspection, we also noticed that many of them are internal office network Wi-Fi, and some can be connected to directly without entering a password. I guess the current device has already been authorized to connect to these networks, so no password is needed to connect directly to the office network!
In addition, we can install an apk on the phone to try to obtain ROOT permission on it. A rooted phone is as dangerous as a server we have taken over on the intranet. Here we use meterpreter to generate a reverse shell apk, then upload and install it. After that we have full control of the phone with root permission from our own machine.
Next, we can access the phone's camera.
Here we can see the whole picture of the phone data center. If video is recorded, we can monitor the staff's every action in the data center at any time. If some phones happen to be placed suitably, we can even note down a password. We can also enable the phone's recording function for long-term remote eavesdropping, and so on ......
In addition, we can find the location of the controlled machine through the phone's positioning function.
In addition, when we control a large cluster of phones, we can do some scanning and mining: we can mine on the phones' ARM processors, or turn the phones into a scanning cluster for our distributed scanner.
0x03 Extension
In addition to android real-device debugging, the permission abuse vulnerability has many other scenarios, and it is particularly widespread in the IoT field. For example: a smart TV can be remotely debugged over the network, the monitoring system of a large rotating machine can be remotely controlled, a highway camera can be made to take photos, and a carrier's device can be made to place calls. In small cases it can endanger citizens' daily lives (control of microwave ovens, refrigerators, smart TVs, etc.), and in large cases it can endanger national security (control of industrial control system production operations, power facilities, transportation, etc.); the harm should not be underestimated.
0x04 Defense
In the face of permission abuse attacks, any negligence can cause catastrophic damage to an information system. The traditional defense system cannot resist intrusions caused by permission abuse attacks, so we need to develop stricter physical device management policies. Most of these problems are caused by a lack of restrictions on externally exposed functions. Therefore, I suggest defending against such problems starting from the following aspects:
In the real-device debugging scenario, considering the large number of functions on current smartphones, we recommend focusing on the following aspects:
I. Network isolation
1) For Wi-Fi access in the office environment, a metal mesh can be installed for physical isolation (shielding);
2) Deploy the test Wi-Fi independently and isolate it from the office network and the development network.
II. Feature disabling
1) For camera photos, an opaque sticker can be used to cover the camera lens;
2) For microphone eavesdropping, consider disabling the microphone function, or even removing the microphone from the real device or soundproofing the lab.
For other major industrial control systems, secondary password verification can be required on calls to core functions, and biometric authentication technologies such as fingerprint authentication and iris recognition can even be introduced.
For smart home devices, manufacturers need to control the identification of network interfaces during product design and verify the signal source in the control system. That way there would not be amusing news stories such as someone walking down the street with one factory's air conditioner remote control and pressing it to make many household air conditioners start one after another :)
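The three defenses above for a remote control interface (disable sensitive features outright, require a secondary verification before core functions are called, and verify where a control request comes from) can be expressed as a small authorization gateway. The following Python is an added example written for this article and is not code from the original post or from any of the platforms it names; the feature names, the command set, the allowed test network 10.200.0.0/24, the secret and the 300-second step-up validity are all constructed assumptions.

```python
"""Added example (not from the original article): a minimal authorization
gateway in front of a remote device-control API. It applies the article's
defenses in order: verify the request's network origin, refuse disabled
features, and demand a fresh secondary verification for core functions.
All names, commands, networks and the secret below are assumptions."""
import hashlib
import hmac
import ipaddress
import time
from dataclasses import dataclass, field

# Peripherals the debugging interface must never expose (constructed policy).
DISABLED_FEATURES = {"camera", "microphone", "wifi_connect", "location"}
# Core functions that need a secondary (step-up) verification before each call.
CORE_FUNCTIONS = {"install_apk", "shell", "reboot"}
# Only the isolated test network may issue control requests (assumed range).
ALLOWED_SOURCES = [ipaddress.ip_network("10.200.0.0/24")]

SERVER_SECRET = b"constructed-secret-rotate-in-real-deployments"
STEP_UP_TTL = 300  # seconds a secondary verification stays valid (assumption)


@dataclass
class Session:
    user: str
    source_ip: str  # address the control request arrived from


@dataclass
class AuditLog:
    entries: list = field(default_factory=list)

    def record(self, session, command, decision, reason):
        # Every decision is logged so abuse attempts are visible to defenders.
        self.entries.append((session.user, session.source_ip, command, decision, reason))


def issue_step_up_token(user: str, now: float) -> str:
    """Issued by the server only after the user passes the second factor
    (password re-entry, fingerprint, etc.; that check is outside this example).
    The token binds the user name and the time it was issued."""
    ts = int(now)
    tag = hmac.new(SERVER_SECRET, f"{user}:{ts}".encode(), hashlib.sha256).hexdigest()
    return f"{ts}:{tag}"


def verify_step_up_token(user: str, token: str, now: float) -> bool:
    """Accept the token only if it is for this user, unmodified and still fresh."""
    try:
        ts_str, tag = token.split(":", 1)
        ts = int(ts_str)
    except ValueError:
        return False
    if now - ts > STEP_UP_TTL or ts > now + 5:  # expired or from the future
        return False
    expected = hmac.new(SERVER_SECRET, f"{user}:{ts}".encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, tag)


def authorize(session, command, log, now=None, step_up_token=None) -> bool:
    """Return True if the command may run; log the reason for every denial."""
    now = time.time() if now is None else now
    # 1. Verify the signal source: requests from outside the test network are rejected.
    ip = ipaddress.ip_address(session.source_ip)
    if not any(ip in net for net in ALLOWED_SOURCES):
        log.record(session, command, "deny", "source not on isolated test network")
        return False
    # 2. Feature disabling: sensitive peripherals are simply not callable.
    if command in DISABLED_FEATURES:
        log.record(session, command, "deny", "feature disabled by policy")
        return False
    # 3. Secondary verification: core functions need a fresh step-up token.
    if command in CORE_FUNCTIONS:
        if step_up_token is None or not verify_step_up_token(session.user, step_up_token, now):
            log.record(session, command, "deny", "secondary verification required")
            return False
    log.record(session, command, "allow", "")
    return True


if __name__ == "__main__":
    log = AuditLog()
    tester = Session("alice", "10.200.0.15")
    authorize(tester, "screenshot", log)                      # allowed
    authorize(tester, "camera", log)                          # denied: feature disabled
    authorize(tester, "install_apk", log)                     # denied: no step-up
    token = issue_step_up_token("alice", time.time())
    authorize(tester, "install_apk", log, step_up_token=token)  # allowed
    authorize(Session("alice", "192.168.1.9"), "screenshot", log)  # denied: wrong network
    for entry in log.entries:
        print(entry)
```

The order of the checks matters: origin is verified before anything else, so a request from the office network never reaches the feature logic at all, and a disabled feature stays disabled even for a user who has passed the second factor. The step-up token is bound to the user name and expires, so a verification obtained once cannot be reused indefinitely or by another session.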
0x05 Summary
In today's Internet+ era, people increasingly prefer "simple and fast" while forgetting "secure and reliable". A function is itself a double-edged sword. When designing a function, you must consider its call scenarios, its callers and its callees, because security issues are everywhere.