By smartwatches, 20/11/2022

How to hack the capsule hotel IoT and deceive a noisy neighbor (1/2)

In recent years, as convenient and inexpensive IoT devices have proliferated, services built on them have spread to facilities shared by the general public, such as hotels. However, many IoT devices are manufactured without sufficient security requirements at the design stage, and in many cases the operators who deploy them overlook security measures and run them in a vulnerable state.

At Black Hat USA 2021, a security conference held in August this year, one session presented a case study of exactly this kind of "IoT problem". This first article introduces the contents of that talk. In the second article, I would like to report on the talk as it was given at the venue and consider the problem further.

Casper's talk at Black Hat USA 2021 was titled "Capsule Hotel Hacking - Bed Room Obake"

It was supposed to be a comfortable stay at a capsule hotel...?

The story goes back two years. Casper (a handle), a security consultant at the French security company LEXFO, took a long vacation and went sightseeing in a certain country. His accommodation was a capsule hotel.

The modern capsule hotel was designed so that even its very small rooms were comfortable. He liked being able to sleep there alone (with some bonuses on top!), and decided to stay for several nights while enjoying the sights.

The capsule hotel where Casper stayed

But trouble came at 2 o'clock in the morning. A phone rang in the next capsule, and the guest next door began talking loudly. Like Casper, the guest was staying for several nights. "I want to get my sleep during my vacation," Casper thought, and went to the next capsule to ask the guest to lower their voice a little.

Fortunately, the guest next door readily agreed, and Casper was relieved. A few days later, however, the phone rang again, and the neighbor was talking just as loudly as before. Give me a break...

Understandably, Casper was irritated. Then the iPod touch handed to him at check-in caught his eye. This capsule hotel uses a remote-control app installed on the iPod touch to operate the lighting in the capsule, switch the fan on and off, and recline the bed.

At Black Hat and other security conferences, many talks have covered vulnerabilities and bugs in IoT equipment such as hotel-room iPads and Internet-connected televisions. Perhaps there was a vulnerability here too, and perhaps it could be used to play a prank on the neighbor...

Naturally, Casper sat up in bed and started investigating.

Casper, irritated by his neighbor. That is about the face one would make, isn't it?


The IoT controller's Wi-Fi was set to vulnerable "WEP"

If the iPod touch app can operate the equipment in the capsule, it must be communicating with a controller over Bluetooth or Wi-Fi. Casper ran a Wi-Fi scan while looking around inside the capsule. The scan confirmed that a large number of NASNOS Wi-Fi controllers, the "CS8700", were running in access point mode.

The CS8700 is a commercially available product that controls multiple devices, such as lighting and electric curtains, over Wi-Fi. The count of "119 units" matches the number of capsules in the hotel, so it appears that a controller is installed in every capsule.

The Wi-Fi controller "CS8700" found in the capsule: an IoT controller that lets lighting and electric curtains be operated remotely from a smartphone app (image from the website)

Searching the web for the CS8700 manual turns up installation examples for the case "when there is no existing Wi-Fi network environment" and for the case when there is one. Here, each capsule's controller acts as an access point with its own SSID, so the former configuration is evidently in use. In other words, the iPod touch provided in each capsule connects over Wi-Fi directly to the controller in that capsule.

Installation examples described in the manual. In this case it appears to be pattern (1), where the iPod touch connects over Wi-Fi directly to the CS8700 (image from the website)

Casper tried to get at the iPod touch's settings for more detailed configuration information. However, the iPod touch handed out at the front desk was locked down with the iOS "Guided Access" feature and would run nothing but the remote-control app. Without unlocking Guided Access, the home screen cannot be displayed and Settings cannot be opened or viewed. Naturally, the hotel does not give out the passcode.

There was, however, a way around Guided Access. Once the iPod touch's battery is exhausted and the device powers off, it boots back up with Guided Access disabled. In other words, by letting the battery run down, the iOS settings can be viewed. Casper bypassed Guided Access this way and checked the Wi-Fi settings. Two networks were configured: the hotel's Wi-Fi and the CS8700's Wi-Fi.

There was another important discovery. The encryption used for the Wi-Fi connection to the CS8700 controller was "WEP". WEP is an old wireless LAN encryption scheme; its connection password (the WEP key) can only be 5 or 13 alphanumeric characters long, and it can be recovered easily with readily available tools. For this reason, stronger schemes (WPA2, WPA3) rather than WEP are now strongly recommended.
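Because WEP is announced in every beacon frame (the Privacy capability bit is set while no RSN or WPA information element is present), an operator can audit a fleet of controllers like this one passively from a capture. The following is an added example written for this article, not code from the talk or from NASNOS: it classifies constructed beacon frame bodies (the SSID "CS8700-0042" and the others are made up) as OPEN, WEP, WPA, WPA2 or WPA3 and flags the ones an audit should reject.

```python
import struct
PRIVACY_BIT = 0x0010        # capability info bit 4: Privacy (WEP, WPA or RSN in use)
AKM_OUI = b"\x00\x0f\xac"   # IEEE 802.11 suite selector OUI used in the RSN IE

def parse_ies(body):
    pos = 12                # skip fixed fields: timestamp(8), beacon interval(2), capability(2)
    while pos + 2 <= len(body):
        tag, length = body[pos], body[pos + 1]
        yield tag, body[pos + 2:pos + 2 + length]
        pos += 2 + length

def classify(body):
    """Return (ssid, security) with security one of OPEN, WEP, WPA, WPA2, WPA3."""
    capability = struct.unpack_from("<H", body, 10)[0]
    ssid, rsn, wpa = "", None, False
    for tag, data in parse_ies(body):
        if tag == 0:                                          # SSID
            ssid = data.decode(errors="replace")
        elif tag == 48:                                       # RSN IE (WPA2/WPA3)
            rsn = data
        elif tag == 221 and data[:4] == b"\x00\x50\xf2\x01":  # legacy WPA vendor IE
            wpa = True
    if rsn is not None:
        # RSN IE: version(2) group(4) pairwise_count(2) pairwise(4*n) akm_count(2) akm(4*m)
        n = struct.unpack_from("<H", rsn, 6)[0]
        off = 8 + 4 * n
        m = struct.unpack_from("<H", rsn, off)[0]
        akms = {rsn[off + 2 + 4 * i:off + 6 + 4 * i] for i in range(m)}
        return ssid, "WPA3" if AKM_OUI + b"\x08" in akms else "WPA2"   # AKM 8 = SAE
    if wpa:
        return ssid, "WPA"
    if capability & PRIVACY_BIT:
        return ssid, "WEP"      # Privacy set but no RSN/WPA IE: only WEP is left
    return ssid, "OPEN"

def beacon(ssid, capability, extra_ies=b""):
    # Constructed beacon body: zero timestamp, 100 TU interval, capability, SSID IE, extra IEs
    raw = ssid.encode()
    return struct.pack("<QHH", 0, 100, capability) + bytes([0, len(raw)]) + raw + extra_ies

# RSN IE (tag 48, len 20): version 1, CCMP group, 1x CCMP pairwise, 1x PSK AKM, capabilities 0
RSN_WPA2_PSK = bytes([48, 20]) + bytes.fromhex("0100 000fac04 0100 000fac04 0100 000fac02 0000")
SAMPLE_BEACONS = [                                              # all constructed for this example
    beacon("CS8700-0042", 0x0001 | PRIVACY_BIT),                # WEP-only IoT controller
    beacon("Hotel-Guest", 0x0001 | PRIVACY_BIT, RSN_WPA2_PSK),  # WPA2-PSK network
    beacon("Lobby-Free", 0x0001),                               # open network
]
def audit(bodies):
    # Networks a fleet audit should flag: anything still on WEP, plus open ones
    return [(s, sec) for s, sec in map(classify, bodies) if sec in ("OPEN", "WEP")]
```

Feeding real beacon bodies from a capture into `audit()` gives the list of controllers that still need to be moved to WPA2 or WPA3.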

"With WEP, you can recover the WEP key by capturing about 80,000 packets between the access point and the device." With this in mind, Casper wrote a JavaScript that fires a large number of ARP requests at the access point, the CS8700, and loaded it onto the iPod touch. Before long the number of packets needed to recover the WEP key had accumulated, and the key was recovered. Using this WEP key, he also confirmed that he could connect to the CS8700 in his own capsule.

Examining the equipment's operation commands and settings

Casper next set out to learn what operations (commands) the dedicated iPod touch app sends to the controller.

He was traveling, however, and had no specialized equipment with him. So he improvised a MITM (man-in-the-middle) setup from an Android smartphone and a laptop. The laptop sits in the middle and intercepts all traffic flowing between the iPod touch and the CS8700. If the communication is not encrypted, the command sent each time an operation button in the app is tapped should be observable.

Observing the traffic showed that the CS8700 accepts operation commands on TCP port 8000, and that neither authentication nor encryption of the communication is performed. In other words, if the iPod touch in hand can join the Wi-Fi of the CS8700 in the next capsule, that controller can be operated as-is. Moreover, since all the operation commands had been captured, a script to operate the controller automatically would be easy to write.

An improvised MITM setup built from the devices at hand

In parallel, he obtained the dedicated app, which is publicly available on the Google Play Store, examined its functions, and reverse engineered it. This too yielded a new discovery.

The app includes a function for registering the equipment that the CS8700 is to control. The configuration information is sent from the app to UDP port 988 on the CS8700 (the remote configuration service port of Simple-Wifi UART), again with no authentication mechanism. In other words, the controller accepts configuration changes from any application connected to the same network. Analyzing the configuration-change traffic in the same way would make it easy to rewrite which devices are attached to the CS8700 as control targets.
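Since the controller itself authenticates neither the command channel (TCP 8000) nor the configuration channel (UDP 988), the only compensating control available to an operator is to watch who talks to each controller. The following is an added example, not code from the talk or the vendor: it assumes the controllers have been put on a managed network (the manual's other installation pattern, not the direct-connection setup the hotel used) where a gateway can export flows, and that each controller is paired with exactly one client; the flow-log format, addresses, pairing table and timestamps are all constructed.

```python
import re

# Constructed flow records ("timestamp src > dst:port/proto"); not real hotel logs.
SAMPLE_FLOWS = """\
2021-08-01T02:03:11 10.0.17.2 > 10.0.17.1:8000/tcp
2021-08-01T02:03:12 10.0.17.2 > 10.0.17.1:8000/tcp
2021-08-01T02:05:40 10.0.17.2 > 10.0.18.1:8000/tcp
2021-08-01T02:05:41 10.0.17.2 > 10.0.18.1:988/udp
2021-08-01T02:06:02 10.0.18.2 > 10.0.18.1:8000/tcp
2021-08-01T02:06:03 10.0.18.2 > 10.0.18.1:80/tcp
"""

# Assumed pairing for the example: each capsule's controller (.1) serves exactly one iPod touch (.2)
PAIRING = {"10.0.17.1": "10.0.17.2", "10.0.18.1": "10.0.18.2"}
COMMAND_PORT = ("8000", "tcp")   # CS8700 operation commands, as observed in the talk
CONFIG_PORT = ("988", "udp")     # CS8700 remote configuration, also unauthenticated

FLOW_RE = re.compile(r"^(\S+) (\S+) > (\S+):(\d+)/(tcp|udp)$")

def parse_flows(text):
    """Parse flow lines into dicts, skipping anything that does not match the format."""
    flows = []
    for line in text.splitlines():
        m = FLOW_RE.match(line.strip())
        if m:
            ts, src, dst, port, proto = m.groups()
            flows.append({"ts": ts, "src": src, "dst": dst, "port": port, "proto": proto})
    return flows

def detect(flows, pairing):
    """Alert on command or config traffic to a controller from anything but its paired client."""
    alerts = []
    for f in flows:
        service = (f["port"], f["proto"])
        if service not in (COMMAND_PORT, CONFIG_PORT):
            continue                       # other traffic is out of scope for this check
        if pairing.get(f["dst"]) != f["src"]:   # unknown controller or unpaired client
            kind = "config-change" if service == CONFIG_PORT else "command"
            alerts.append((f["ts"], f["src"], f["dst"], kind))
    return alerts
```

Run against the sample, the cross-capsule command and the configuration change from 10.0.17.2 to the controller in 10.0.18.1 are flagged, while the paired client's own commands and unrelated traffic are not.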