Back to Home

IoT Security. Issue 1. Smart watches, fitness trackers and scales

In my last article · I talked about how I went to DefCamp. Today's article is the first part of a publication about my research on the security of the Internet of things · which formed the basis ...

IoT Security. Issue 1. Smart watches, fitness trackers and scales


    In my last article, I talked about how I went to DefCamp . Today's article is the first part of a publication about my research on the security of the Internet of things, which formed the basis of my presentation at the conference.

    IoT is developing rapidly: there are now more than 260 companies , including smart cities, factories, mines, oil companies, retailers, healthcare, education and more. The publication cycle will cover only areas of wearable technology, smart medicine and smart home, including mobile applications.

    Today, smart technology is beginning to make more sense than connecting a Bluetooth headset to a phone, and it is becoming commonplace, which indicates an understanding of what purpose smart technology is used for and which scenarios it allows to automate.

    The bad news is that many of these new devices are targets for attacks. At the same time, security issues were either resolved retroactively or were not resolved at all due to the lack of support for old devices. Such devices pose a serious risk to the infrastructure (home or business) if they are not properly managed. Therefore, below we consider a number of issues related to the security of smart things, accessible methods and tools of hacking, as well as features of processing and data protection. The purpose of the research is not to implement or describe the “turnkey hacking” methods, but to review approaches that, under certain conditions, can lead to access to data, and also to review situations where developers for some reason decide not to protect user data. The materials are presented overviewly (full information can be found on the officialsite .

    Wearable Technology - Smart Watches


    Apple watch




    MITM


    The watch interacts via Bluetooth, or, if this channel is not available, via Wi-Fi to communicate with the phone and Apple servers. Network data transmission between the cloud and the phone / watch applications is encrypted with TLS1.2 and protection against MITM attacks and SSL Pinning. At the same time, watches, unlike phones, do not have an interface for installing custom root SSL certificates. Unencrypted data streams were not detected.

    Lock Screen Bypass


    Using a passcode on a smart watch is often an optional item, but may be included. Apple allows you to reset the passcode in various ways , but only one can conditionally avoid data deletion.

    The latter method is based on the mechanism of re-linking the watch to the device with data recovery with a change of the passcode. Such a scenario is used whenever it is supposed to give hours for repair or sell, because it is required to disconnect the Activation Lock mode. Its meaning is that deleting the watch’s binding to the phone deletes the data from the watch, however, the phone backs up the watch data in order to restore the data on the watch in the future. And since the backup does not save only bank cards, passcode and Bluetooth clock settings, you can access the data and also set a new passcode.

    To perform the method, you must perform the following steps:

    • Watch and phone should be near; The Apple Watch app must be running on the phone.
    • On the “My Watch tab” tab, the necessary hours are selected and the action is confirmed by “Unpair Apple Watch”.
    • Next, you need to enter the password for your Apple account (in case the password is forgotten, it is proposed to reset it ).
    • Final confirmation of the action.

    Since this method interacts with Apple credentials, it is possible to access them by resetting the password using forensic solutions , which allows you to ultimately remove the passcode on the Apple watch.

    Jailbreak


    Jailbreak for the iOS platform has always served as a way to increase privileges for various operating systems (iOS, tvOS, and watchOS). Despite its popularity, there are quite a few known jailbreak watches for Apple watches (available below):

    Jailbreaks for USB


    Jail & Bluetooth Connection over SSH


    Backups


    Since Apple watches primarily work as an auxiliary device, the applications installed on the watch are widgets, and all information is stored in applications on the phone. Nevertheless, the watch applications still store a certain part on their own, which allows you to consider options for accessing data through backups (when interacting with a clock that already exists on a PC / Mac in the cloud). It should be borne in mind that in Apple products, many data are cross-platform, and are synchronized between all devices.

    For access to data, both forensic solutions and ordinary applications for working with backup files are suitable (in the case of a cloud backup or access bypass scenarios, only forensic solutions or close to them); It is worth noting that many applications at the moment may not have access to view the contents of backup files, so one of the possible tools is iphone backup extractor (in the basic version of the subscription it allows access to the clock data, and the full and business versions still have 2FA support access to data).

    The necessary information about the device is located in the file /mobile/Library/DeviceRegistry.state/properties.bin and covers the following parameters:

    • Watch data, including name, manufacturer, model, OS, GUID.
    • Serial number, UDID, Wi-Fi MAC address, SEID (Secure Element ID), Bluetooth MAC address.

    The list of installed applications can be found in two places:

    • In the file "com.apple.Carousel" located on the path /mobile/Library/DeviceRegistry/GUID/NanoPreferencesSync/NanoDomains/com.apple.Carousel
    • In subfolders of the folder “ / mobile / Library / DeviceRegistry / GUID

    Depending on the installed applications, for example, you can get to the address book, which is synchronized with the phone and is a cross-platform data type (the data is located in the file / mobile / Library / DeviceRegistry / GUID / AddressBook / ) or to the passbook repository that stores banking cards or cards of loyalty programs, various passbook tickets (data is placed in the file /mobile/Library/DeviceRegistry/GUID/NanoPasses/nanopasses.sqlite3 ). The database of the latter in the “Pass table” table contains data in three parts (the picture below is for convenience of viewing taken from the phone, not the clock):

    • Unique_ID
    • Type_ID (ticket, loyalty card, etc.)
    • Encoded content of a separate “pass” (in value / data format)



    The Apple Watch also provides access to the data of the Apple Health application and fills the data of this application from various sources, including among those that the user manually contributes. As a rule, the data of this application is encrypted, therefore they get to the backup only if a password is set for it (i.e. backup files are encrypted). However, this application has the option to export data in clear form without encryption (in the zip archive). When exporting data, it is important to consider that the archive can be exported to any application: apple files, cloud storage, IM, etc., where there is no additional encryption. The app is separately parsed below in the Apple Health section.

    Android Watches


    Samsung Gear



    LG Watch



    Android watches are produced by various manufacturers (Asus, Samsung, LG, etc.). Unlike Apple watches, they often offer a complete set with a 3G-4G module for installing a SIM card, rather than eSIM, otherwise the functionality does not differ.

    Among the approaches to data access, the following are distinguished:

    • Forensic research (physical, logical and network)
    • Lock Screen Bypass
    • Using Root Data Analysis Tools

    Only the first option will be considered in the article as part of copying images, sections and root tools. Logical research (including as part of backups) does not differ from known methods. The online version of the study is gaining popularity and is not widely represented even in the framework of ready-made forensic solutions. It consists in the reproduction of interaction mechanisms for exchanging data via Wi-Fi, Bluetooth, including MITM methods, but requires consideration in a separate article.

    Copy device image


    When analyzing Android devices, the approach does not change, only the tools differ (an example of the tool will be given in the section for Samsung / LG). To copy the contents of the device, bitwise copying of the entire device or individual partitions can be used. For these purposes uses the developer mode. The simplest option is to use the adb shell and adb pull commands to access the data. Depending on the manufacturer, device model, and OS version, the ADB, SDB, or MTK toolkits may be used. Most often, the user section “ / dev / block / mmcblk0p12 / data ” is copied for analysis , but other sections can be copied if necessary:

    • DD if = / dev / block / mmcblk0p12 / data of = /storage/extSdCard/data.dd
    • DD if = / dev / block / mmcblk0p8 / cache of = /storage/extSdCard/cache.dd
    • DD if = / dev / block / mmcblk0p3 / efs of = /storage/extSdCard/efs.dd
    • DD if = / dev / block / mmcblk0p09 / system of = /storage/extSdCard/system.dd

    Lock Screen Bypass


    For Wear OS, the use of pin codes is optional, so often the watch is not protected by a pin code. There are more ways to bypass the lock for Android watches than for Apple.

    • Account-based password management.
    • Gesture.key and settings.db (Interaction with lock files).
    • ADB keys

    Account-based password management

    The least invasive way to bypass a lock is to use a Google account and credentials obtained in some way. The methods can be different, including access to the account through forensic solutions. After gaining access, it is possible to remotely unlock the device or enter a new pincode, which in both cases allows you to bypass the pincode lock.

    Gesture.key and settings.db

    ADB or its analogues is a part of development tools and works independently of them. These utilities can be used to modify system files and delete them: the gesture.key file responsible for pincode locking and the settings.db fileresponsible for unlocking a locked device. In both cases, physical access to the device is required; for the first file, a set of commands to delete “ adb.exe shell; cd / data / system; rm gesture.key ”and the activated debugging mode 'Debugging mode' or the execution of commands through custom recovery like ClockworkMod or Team Win Recovery Project (TWRP).

    Similarly, for settings.key, you should run the command “ update system set value = 0 ”, which will lead to the replacement of the values ​​of the lock_pattern_autolock and lockscreen.lockedoutpermenently parameters and unlocking the device without knowing the PIN code.

    It is also worth noting that the locked bootloader and the lack of unlocking tools do not allow access to data, in other cases, especially if custom recovery is already installed, there are no difficulties with access.

    ADB keys

    Quite often, the use of devices for various scenarios leads to unsafe settings and device states. In particular, when using a device for development, it will forcibly enable USB debugging mode, and on the PC synchronized with the devices, the adbkey and adbkey.pub development keys will be placed in the users //. android / directory. Accordingly, the mode itself allows you to install third-party software, bypass the screen lock, and the keys can be used to transfer the "synchronization" state to a new location.

    Wear OS and Root


    For Android watches, Android OS is used adapted to the physical needs of devices. The Asus Zenwatch, Huawei Watch, LG Watch and many others use the Android OS, in the case of Samsung Watches - Tizen OS.

    Android Wear starts with 4.4W1, 4.4W2, 1.0 and ends with the 2.9 version, which corresponds to the usual Android, starting with 4.4. 4.4, 5.0.1 versions and ending with 7.1.1 / 8.0.0 (Feb 2018). New versions after changing the brand on Wear OS start with 1.0 (Android 7.1.1 / 8.0.0 - Mar 2018 and version 2.1 (7.1.1 / 9.0.0 - Sept 2018) and onwards. The root toolkit is widely presented for Android Wear version 2.0.

    Root:


    Recovery - To search for the necessary versions, you can use the search :

    • TWRP
    • For version 5.1.1, twrp-3.1.0-0.img is suitable
    • For version 6.0.1 and Wear 2.0, twrp-3.0.0-0.img is suitable
    • For Samsung Gear & LG Watch, version 2.8.4 and higher is suitable

    For example, Samsung Gear Watch & LG Watch


    Omitting the technical parameters of the Samsung Gear, you can consider the option of researching devices as part of a physical forensic study. The watch does not support Wi-Fi connection, only Bluetooth and USB connection are available, as well as optional pincode protection. In the case of Samsung, an SDB (smart development bridge) is required, which is part of the Tizen-SDK. In the case of LG, a traditional tool kit for Android is required - ADB.

    Data extraction can be described in three steps.

    Stage number 1. Getting Root for Samsung

    To get it, you need to find the appropriate custom image, the universal utility for Samsung devices - Odin 3.0, put the device in development mode (by turning on SDB), put it into “download mode” mode and execute the command “ Sdb shell, sdb root

    Stage number 1. Getting Root for LG

    Before getting root access, you need to enable ADB Debug mode. After that, use the LG Watch Restore Tools, reboot into the bootloader and update the image:

    • adb reboot-bootloader
    • fastboot OEM unlock
    • adb push SuperSU.zip / sdcard / download
    • adb reboot-bootloader
    • fastboot boot twrp.img
    • Install SuperSu.zip, and wait for the reboot

    Stage number 2. Obtaining a device image

    Among various Android development tools, there is a popular Toybox , which allows you to create a device image for further extraction and study of data. The Toybox package is located on an external drive or in the download folder of the main memory. Access rights for the execution of the toybox are changed, the search for suitable sections for copying is performed (by executing the commands “ cd / dev / block / platform / msm_sdcc.1; ls -al by-name ). As a rule, the user section (userdata) located in / dev / block / mmcblk0p21 is copied . After that, using toybox, dd and netcat, the image of the corresponding section is copied:

    • adb push toybox / sdcard / download
    • adb shell; su
    • mv / sdcard / download / toybox / dev /
    • chown root: root toybox
    • chmod 755 toybox
    • cd / dev / block / platform / msm_sdcc; ls -al by-name
    • / * image partition with dd and pipe to netcat, -L puts netcat in listening mode * /
    • dd if = / dev / block / mmcblk0p21 | ./toybox nc -L
    • / * Port number being listened to on the watch displayed for user * /
    • 44477 / * port displayed * /
    • adb forward tcp: 44867 tcp: 44867
    • / * Send request to watch on port number 44867 and send it to image file * /
    • nc 127.0.0.1 44867> Samsung.IMG



    Stage number 3. Data extraction

    The most useful data, which is stored independently in the watch itself in the case of Samsung, is stored in the following databases:

    • Messages - apps.com.samsung.message.data.dbspace / msg-consumer-server.db
    • Health / Fitness Data - apps.com.samsung.shealth / shealth.db
    • Email - apps.com.samsung.wemail.data.dbspace / wemail.db
    • Contacts / Address book - dbspace / contacts-svc.db

    In the case of LG watches —— in the following database:

    • Events / Notifications - data.com.android.providers.calendar.databases / calendar.db
    • Contacts / Address book - data.com.android.providers.contacts.databases / contacts2.db
    • Health / Fitness Data - data.com.google.android.apps.fitness.databases / pedometer.db

    Fitness Tracker - Xiaomi Band




    The fitness tracker is an auxiliary device, and all data is collected in the Mi-Fit app, which always interacts over an encrypted connection with TLS1.2 with Amazon AWS servers, mainly located in the EU. A number of requests that are not tied to actions go to US servers. In the case of Mi Fit, encryption does not fully prevent MITM attacks due to the lack of SSL Pinning and the ability to install a root certificate on the device. In this case, access to all data transmitted over the network occurs. Locally, the application folder contains a detailed log of events and user fitness indicators from which this data was obtained as part of user scenarios, for example,

    Request to api-mifit.huawei.com server

    GET /users/-/sports?startDate=YYYY-MM-DD&endDate=YYYY-MM-DD&sportCategory=run&timezone=GMT-3%3A00 HTTP/1.1
    Content-Type: application/json
    

    Answer

    HTTP/1.1 200 OK
    Content-Type: application/json;charset=UTF-8
    Content-Length: 716
    {
      "items" : [ {
        "trackId" : "1496744715",
        "startTime" : 1496744715,
        "endTime" : 1496748315,
        "sportTime" : 1800,
        "distance" : 3600,
        "calories" : 3.5,
        "averagePace" : 2.0,
        "averageStepFrequency" : 39,
        "averageStrideLength" : 68,
        "timestamp" : 1496744715,
        "averageHeartRate" : 90,
        "altitudeAscend" : 20,
        "altitudeDescend" : 10,
        "secondHalfStartTime" : 600,
        "strokeCount" : 30,
        "foreHandCount" : 15,
        "backHandCount" : 15,
        "serveCount" : 30,
        "type" : "OUTDOOR_RUN"
      } ]
    }
    

    Fitness Tracker - Huawei Honor Band




    Huawei Honor Band, like Xiaomi Band, is not a standalone device, and all data is collected by the application installed on the phone. The application also relies on a TLS connection, however, unlike Xiaomi, it has a small number of connections. All of them are quite protected, including from MITM attacks and SSL Strip attacks.

    At the same time, a lot of data is received locally as part of the backups, obtained from the tracker’s sensors, which can be divided into service, user, and fitness data, which, in turn, are divided into raw and aggregated. The data list is for iOS, but does not differ from the Android version.

    • These devices and logs are located in the / hms / oclog / crash, / hms / oclog / log folder.
    • The current and latest values ​​of the tracker cover information about sleep, wake up data, distances (distance, mileage, etc.), heart rate and calories. They are located in the /Documents/*.archiver files.
    • The firmware includes all the data, the location, the URL from where it is downloaded, the size, the change log, the forced update flag and the firmware file itself, which is downloaded via HTTP as part of the DFU secure update , except for the earliest versions.
    • Geo data includes location information with a reference to time and separation by days and types of activities, as well as data on speed and direction of movement, if any. They are also located in the /*.archiver folder.
    • User data includes basic information - profile picture, name, date of birth, height, weight, gender, age, and general data of steps and mileage. Also located in the /*.archiver folder.
    • Account data includes UDID, Token, UserID, SessionID, Mac device address and Bluetooth Keys.



    Fitness Apps - Road Bike, Mountain bike




    As an example of fitness applications, RoadBike & MountainBike PRO versions were considered, which are no different in implementation.

    These applications track user achievements, speed indicators, distances and have the ability to integrate with some physical trackers, and also do not imply Internet activity. Locally store all recorded data:

    • GPS data - geolocation, distance, altitude and elevation, time stamps local and with reference to gps values.
    • Session data - time stamps, distance, track duration, average and minimax indicators, altitude difference heart indicators (if there is a special tracker).
    • Speed ​​data - time stamps, driving time, distance (if you have additional sensors, you can correct the correct speed calculation).
    • User data - credentials (including password in clear text), height, weight, gender, name and date of birth.

    All data is placed in database.sqlite3 and additionally, MapOpenCycleMap.SQLite database contains information about the track, including geolocation and a snapshot of geolocation and route.





    Smart medicine


    Smart medicine involves the convergence of digital technology with health issues within society to increase the effectiveness of medical care. These technologies include hardware and software solutions and services, including telemedicine, mobile phones and applications, wearable devices and fixed devices, clinic sensors or remote monitoring.



    Most health applications fall into two categories: source applications (measuring human health indicators) and data aggregator applications (collect data in one place from different sources).

    Apple health


    The Apple app collects health data from a variety of software and hardware sources (iPhone, Apple Watch, and third-party apps) that support the HealthKit protocol.

    The data is divided into 4 categories: Activity, Sleep, Mindfulness, and Nutrition (summary activity, sleep and wakefulness indicators, indefinite category for iOS 11-12, nutrition diary). If passcode, Touch ID, or Face ID is used, all data in this application is encrypted both on the device and in the cloud, including when transmitting data over the network. Separately, about the comparison of data protection Apple Health & Google Fit can be found in the Elcomsoft article .



    Globally, all Apple Health data can be divided into two categories from a security point of view: automatically saved by the application from different sources and exported data.

    In the first case, most of the data is encrypted and a certain part in the clear, from the point of view of Apple is not critical to encrypt it.

    In the second case, all data will be in clear text in CDA format (Clinical Document Architecture) - typical for the exchange of medical data; and in a more familiar form, this is an archive with xml files. It should be noted that data protection by Apple does not mean that data in source applications is also protected (can be seen in the examples above with trackers and below with weights). It also does not guarantee that applications will not use data from other source applications through Apple Healthkit and will not save data in their cloud.

    It is worth noting that the permission model at Apple was originally a little different. All requests for access to application data were requested at startup or as needed (upon the completion of actions requiring permissions), unlike earlier versions of Android. But for the Apple Health application, a detailed list of permissions to read and write indicators of the heart, pressure, mass, etc. is not displayed with a detailed description of what and why is required (as usual, everything is requested immediately).

    The latter leads to the fact that the initial idea of ​​a data sandbox with the advent of applications such as Apple Health is not obvious to the user, which led Apple to create another sandbox for medical data. For example, an application asked for something to read and write, and there is nothing criminal in it, although basically most applications working with Apple Health only write data than read it, with the exception of basic data. If the application is explicitly designed to read data for work, then this requires explicit notification to the user, allowing him to prohibit individual read requests without consequences for the application. In other words, reading and writing the medical data of each application as in a keychain or sandbox should be isolated from other applications, despite Apple Health being able to aggregate all the data in itself. Otherwise, from the side of unscrupulous developers it is possible to access the data of other applications with their subsequent pumping out of the device. By the way, Apple Health separately in the sources allows you to transparently manage permissions, but the question of the correct operation of the application when access is denied remains open (as it used to be in Android for application permissions).

    Apple has also approached the issue of issuing data recorded by other applications to an application requesting data. The application (in case of lack of access) will receive data only previously saved by the same application. However, this requires a) turning off unnecessary access rights and checking them; b) there is no guarantee of the correct operation of the application, because it is not known whether permissions to read any data were really required. Many applications do not respond to permission checks. So, for example, the PICOOC smart scale application does not even have a section with read permissions - only write data.

    Interesting fact, in the upcoming release of Android, permission to read access to the clipboard is expected .

    Apple Health data is distributed between the following database files:

    • HealthDomain \ MedicalID \ MedicalIDData.archive - stores data to information manually entered by the user (name, height, weight, medical implants).
    • HealthDomain \ Health \ healthdb.sqlite - a list of source applications that allows you to retrieve data in its original form and without additional protection; also contains information about the source device (name, model / manufacturer, time stamps, general information about the software part / environment).
    • HealthDomain \ Health \ healthdb_secure.sqlite - contains additional information (device UDID, device name, timestamps, height, gender, blood type, birthday, physical limitations, total body weight, timezone and OS version of the phone device).
    • HealthDomain \ Health \ healthdb_secure.hfd is an encrypted database that includes information from source applications.



    When working with an exported data archive (i.e., without encryption), it must be understood that the export of the archive can be performed anywhere on the device, it can be transferred to the cloud storage or archive to any other application, which in itself can be a risk because it contains detailed information, including but not limited to:

    • Username, profile picture, height, body weight.
    • Geo-tracking (host country / city, OS version).
    • Device UDID, device name, latest data update date in Apple Health app.
    • Birthday, gender, blood type, skin color, height, weight, honey. implants.
    • Daily indicators and measurements, for example, heart rate, weight, pressure, various additional indicators of devices and applications, calories and nutrition diary data, training and distance data, activity logs with time stamps, etc.
    • Free XML Parser

    Smart scales Picooc


    PICOOC integrates hardware solutions with Internet applications and services. In particular, 13 measurements are monitored in smart scales, such as weight, body fat percentage and fat index, body mass, bone, muscle, water in the body, metabolic age and changes in indicators.





    The following data is locally posted:

    • Bluetooth logs occur as a result of scanning devices nearby and for all devices the device name and its mac address are saved.
    • Body measurement values ​​are stored in the picooc.sqlite database in the table `body_indexs` and were mentioned above in the application description.
    • Information about the device includes information about the mac address of the device, model name, user ID, device image and is also stored in the file in the picooc.sqlite file.
    • The list of friends includes information about the name, phone, user_id, field - provided that friends use the same application - i.e. The application forms a social network.
    • User information includes nickname, user ID, height, age, gender, race and consists of two parts on the example of iOS
    • Sensor data includes information on time, age, OS, height, screen settings, device model, language settings, environment, etc. and are stored in the file “\ sensorsanalytics-message-v2.plist.db”
    • Settings include information about the local password, unlock method and recent activity; stored in the file “picooc \ Library \ Preferences \ com.picooc.international.plist” on the example of iOS.



    From the point of view of data transfer, there is the possibility of interception with a root certificate. The most interesting data can be considered the following:

    • The URL of the profile picture, which is publicly available via the link constantly and actually has 2 URLs:
    • Information about the device and the environment.
    • User information, including username, birthday, height, weight, timestamps, OS, and timezone.
    • Credentials, including password, including when changing the password from old to new.



    This is where the first article ends. The second part will be about Connected home: smart TV, voice assistants, smart kitchen and lighting.

    Read Next