Product Security Review Methodology: Technical Analysis of the Traeger Grill Hack
In this blog post, we walk through how the Bishop Fox security team applied its product security review methodology to find vulnerabilities in the Traeger grill D2 Wi-Fi controller.
Hardware Analysis and UART Connection
After receiving the device, the Bishop Fox team removed the printed circuit board (PCB) from its enclosure and inspected the on-board components. The PCB carries an ESP32 module and a 10-pin header.
Figure 1 - The 10-pin header on the Traeger board
The module's pinout is documented in the ESP32 datasheet, shown below:
Figure 2 - ESP32-WROVER-E pinout
As the figure shows, the TXD0 and RXD0 pins carry the UART connection. After tracing the pins on the board, the team found that these UART pins are physically connected to the 10-pin header. To confirm this, the team used a multimeter to check for continuity between the ESP32's transmit and receive UART pins and the 10-pin header:
Figure 3 - Continuity test between the 10-pin header and the ESP32 UART pins, showing 100 ohms of resistance
As shown above, the multimeter reads 100 ohms, which indicates continuity between the transmit and receive UART pins and the 10-pin header. The 100 ohms is most likely due to resistors on the back of the board, which appear to sit in the path of the UART pins.
Figure 4 - Resistors on the back of the board that account for the measured resistance
The team wired up the hardware connection by connecting the ESP32's transmit UART pin to the receive UART pin of an Attify Badge, and the ESP32's receive UART pin to the badge's transmit UART pin.
Figure 5 - UART connection to the UART debugging bridge
Next, the team used picocom to monitor the serial connection and observed the following output once the device booted:
% sudo ~/Tools/picocom/picocom -b 115200 /dev/cu.usbserial-2
picocom v3.2a
...[omitted]...
Terminal ready
ets Jul 29 2019 12:21:46
rst:0x1 (POWERON_RESET),boot:0x17 (SPI_FAST_FLASH_BOOT)
configsip: 0, SPIWP:0xee
clk_drv:0x00,q_drv:0x00,d_drv:0x00,cs0_drv:0x00,hd_drv:0x00,wp_drv:0x00
mode:DIO, clock div:2
load:0x3fff0018,len:4
load:0x3fff001c,len:5736
load:0x40078000,len:7916
load:0x40080000,len:5908
entry 0x40080314
I (29) boot: ESP-IDF v3.1.3-51-g39c6b2f90 2nd stage bootloader
I (29) boot: compile time 12:02:40
I (30) boot: Enabling RNG early entropy source...
I (35) boot: SPI Speed : 40MHz
I (39) boot: SPI Mode : DIO
I (43) boot: SPI Flash Size : 4MB
...[omitted]...
As shown above, the UART connection was established successfully and the device's boot log appeared on screen. In addition, by pulling one of the device's GPIO pins to ground, the device can be forced into download mode, which ultimately allowed the team to recover the device's firmware.
Pairing Process Analysis
With the UART connection working, the team started interacting with the device and reviewing what it logged. During pairing, the device hosts an HTTP server that handles the initial communication with the mobile application.
Request
POST /prod/pairing-sessions HTTP/2
Host: 1ywgyc65d1.execute-api.us-west-2.amazonaws.com
Authorization: COGNITO_TOKEN
...[omitted]...
{"lat":37.421998,"long":-122.084,"thingName":"803428743EA7"}
Response
HTTP/2 200 OK
Content-Type: application/json
...[omitted]...
{"pairingToken":"fde5f0f06d4aad2bd11d6ad66272fdeae2fa3c0ce8d9227a92ef8148fdddc8fc","thingName":"803428743EA7"}
As shown above, the mobile app first retrieves a pairing token for the grill, whose ID is 803428743EA7. Once it has this token, the mobile app prompts the user to join the grill's LAN so that it can share network information and the pairing token.
Request
GET /connect.html HTTP/1.1
Host: mytraegergrill.net
AWS-Pairing-Token: fde5f0f06d4aad2bd11d6ad66272fdeae2fa3c0ce8d9227a92ef8148fdddc8fc
...[omitted]...
Response
HTTP/1.1 200 OK
Content-Type: text/json
{"networks": [{"ssid": "GrillMasterWiFi","sec_type": 3,"rssi": -46}
...[omitted]...
The request above appears to tell the mobile client which networks the grill can see and join through its Wi-Fi interface. The mobile app then issues a further POST request that shares the pairing token with the grill.
Request
POST /pairingtoken.html HTTP/1.1
AWS-Pairing-Token: fde5f0f06d4aad2bd11d6ad66272fdeae2fa3c0ce8d9227a92ef8148fdddc8fc
...[omitted]...
__SL_P_UN1=fde5f0f06d4aad2bd11d6ad66272fdea&__SL_P_UN2=e2fa3c0ce8d9227a92ef8148fdddc8fc
Response
The parameters in the request above show that the pairing token is split into two 32-character strings. Next, the mobile app shares the network information that lets the grill join the home network:
Request
POST /nothing.html HTTP/1.1
Host: mytraegergrill.net
AWS-Pairing-Token: fde5f0f06d4aad2bd11d6ad66272fdeae2fa3c0ce8d9227a92ef8148fdddc8fc
...[omitted]...
__SL_P_USE=2&__SL_P_USD= GrillMasterWiFi&__SL_P_USG=1&__SL_P_USF=[REDACTED Wi-Fi Password]&__SL_P_USC=Add
Response
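The LAN-side pairing exchange above can be checked mechanically. The following is an added example, not code from the original post or from Traeger: it rebuilds the pairing session from the captured messages (embedded here as a constructed sample trimmed to the relevant header and body lines, with the page's redacted password placeholder) and verifies that the two __SL_P_UN halves recombine into the token the cloud API issued.

```python
import json
from urllib.parse import parse_qs

# Constructed sample: the pairing messages shown above, trimmed to the header and body
# lines the audit needs; the Wi-Fi password keeps the page's placeholder, not a real value.
TOKEN = "fde5f0f06d4aad2bd11d6ad66272fdeae2fa3c0ce8d9227a92ef8148fdddc8fc"
CAPTURE = [
    "HTTP/2 200 OK\r\nContent-Type: application/json\r\n\r\n"
    '{"pairingToken":"%s","thingName":"803428743EA7"}' % TOKEN,
    "GET /connect.html HTTP/1.1\r\nHost: mytraegergrill.net\r\nAWS-Pairing-Token: %s\r\n\r\n" % TOKEN,
    "POST /pairingtoken.html HTTP/1.1\r\nHost: mytraegergrill.net\r\nAWS-Pairing-Token: %s\r\n\r\n"
    "__SL_P_UN1=fde5f0f06d4aad2bd11d6ad66272fdea&__SL_P_UN2=e2fa3c0ce8d9227a92ef8148fdddc8fc" % TOKEN,
    "POST /nothing.html HTTP/1.1\r\nHost: mytraegergrill.net\r\nAWS-Pairing-Token: %s\r\n\r\n"
    "__SL_P_USE=2&__SL_P_USD= GrillMasterWiFi&__SL_P_USG=1&__SL_P_USF=[REDACTED]&__SL_P_USC=Add" % TOKEN,
]


def parse_http(raw):
    """Split a raw HTTP/1.x-style message into (start line, lower-cased header dict, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    start, *lines = head.split("\r\n")
    headers = {k.strip().lower(): v.strip() for k, v in (line.split(":", 1) for line in lines)}
    return start, headers, body


def audit_pairing(capture):
    """Rebuild the pairing session from captured messages and check how the token is handled."""
    report = {}
    for raw in capture:
        start, headers, body = parse_http(raw)
        if body.startswith("{"):  # cloud API response that issues the pairing token
            report["cloud_token"] = json.loads(body)["pairingToken"]
        elif start.startswith("POST /pairingtoken.html"):  # token handed to the grill in two halves
            form = parse_qs(body)
            halves = form["__SL_P_UN1"][0], form["__SL_P_UN2"][0]
            report["half_lengths"] = [len(h) for h in halves]
            report["lan_token"] = "".join(halves)
            report["header_token"] = headers.get("aws-pairing-token")
        elif start.startswith("POST /nothing.html"):  # home-network credentials for the grill
            form = parse_qs(body)
            report["ssid"] = form["__SL_P_USD"][0].strip()  # the page's capture has a leading space
            report["psk_field_present"] = "__SL_P_USF" in form
    # The grill receives the same token the cloud issued, both as a header and as two form halves.
    report["token_consistent"] = report["cloud_token"] == report["lan_token"] == report["header_token"]
    report["token_bytes"] = len(bytes.fromhex(report["cloud_token"]))
    return report
```

Running audit_pairing(CAPTURE) reports a 32-byte token carried consistently through all three LAN steps, with the SSID and the password field arriving in the final form.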
Once it receives the network information, the grill connects to the specified Wi-Fi network and registers itself with AWS IoT. Notably, the registration exchange is TLS-encrypted, but the team bypassed this protection by patching the firmware and downgrading the connection to HTTP. The registration can be seen in the following intercepted request:
Request
POST /certs HTTP/2
Host: durable-api.iot.traegergrills.io
Authorization: fde5f0f06d4aad2bd11d6ad66272fdeae2fa3c0ce8d9227a92ef8148fdddc8fc
...[omitted]...
{
"thingName": "803428743EA7",
"csr": "-----BEGIN CERTIFICATE REQUEST-----\nMIICgTCCAWkCAQAwPDELMAkGA1UEBhMCVVMxEDAOBgNVBAoTB1RyYWVnZXIxGzAZ\nBgNVBAMTElRyYWVnZXIgSW9UIERldmljZTCCASIwDQYJKoZIhvcNAQEBBQADggEP\nADCCAQoCggEBAL4O20OYw2mDbk1kH/0cZ3h3ZxQhrYvZcPrQLBhsQOJ+c3D22ps9\ngAkf0j6XsOU7pIHX+xPDOpODaWX7OPq37RGjne8YbYy1p9PnMHYpnyajaCkXCjlW\nnWSJv51Cu36OBah4SAv+wd3v1l4oOXCFfiwAqobvqTxouKs1TkB47fRBSkI2OrLq\nR2qbYxZkCfi2lJiL3Gf/eB+1+uZumYYtjkKXe+WKGsbMw95aUr6BjX6i9Vv2x5lN\nKA8IEYDFZZ3vsxJUAbD0suh1Bmm6zRT9VmAbg65zWQMDaQi8T08hKVz1//rRqqo+\n3WffHdORnB6AyHTkiBizrTCmbJ1x2Dk06+UCAwEAAaAAMA0GCSqGSIb3DQEBCwUA\nA4IBAQADCxk3uJqgL9uquOGwXpaqCP34wASDulMitICb2FWy6IRQT9jfhpZufAjn\n43VU8QOPx3TGiAbQHmRWoN/D0y3+eGEytZ/UOvBAukclfQcsiGtz9wm77rT4oLsP\nXsu3cCfwKU90jUbAIKD/qjvVni7nF6EKpS70iwUn+0QVwGY5LlCyurdRKmH82ebP\nBctw3EviPOyv2XkjwEQTrfA26XNqv5RMewa951q7mZDLzP1KDWFXhR5aj+h7VKIS\nz5wzuh3/dXOjSvuSpMBqYKrKoG2bi2ItgoPS3uDT5i5BhldOTKiPo9w4UR3YyE1o\nCUIwgSarsz/b9ZtfO3CddRY1WFvx\n-----END CERTIFICATE REQUEST-----\n"
}
Response
HTTP/2 200 OK
Content-Type: application/json
...[omitted]...
{"certificate":"-----BEGIN CERTIFICATE-----\nMIIDeDCCAmCgAwIBAgIVAL3s+ljpusLF05NHOtmnYD3f5D8pMA0GCSqGSIb3DQEB\nCwUAME0xSzBJBgNVBAsMQkFtYXpvbiBXZWIgU2VydmljZXMgTz1BbWF6b24uY29t\nIEluYy4gTD1TZWF0dGxlIFNUPVdhc2hpbmd0b24gQz1VUzAeFw0yMzEyMjUxNjMy\nMDRaFw00OTEyMzEyMzU5NTlaMDwxCzAJBgNVBAYTAlVTMRAwDgYDVQQKEwdUcmFl\nZ2VyMRswGQYDVQQDExJUcmFlZ2VyIElvVCBEZXZpY2UwggEiMA0GCSqGSIb3DQEB\nAQUAA4IBDwAwggEKAoIBAQC+DttDmMNpg25NZB/9HGd4d2cUIa2L2XD60CwYbEDi\nfnNw9tqbPYAJH9I+l7DlO6SB1/sTwzqTg2ll+zj6t+0Ro53vGG2MtafT5zB2KZ8m\no2gpFwo5Vp1kib+dQrt+jgWoeEgL/sHd79ZeKDlwhX4sAKqG76k8aLirNU5AeO30\nQUpCNjqy6kdqm2MWZAn4tpSYi9xn/3gftfrmbpmGLY5Cl3vlihrGzMPeWlK+gY1+\novVb9seZTSgPCBGAxWWd77MSVAGw9LLodQZpus0U/VZgG4Ouc1kDA2kIvE9PISlc\n9f/60aqqPt1n3x3TkZwegMh05IgYs60wpmydcdg5NOvlAgMBAAGjYDBeMB8GA1Ud\nIwQYMBaAFK5LcpMC+tMMCts/MFF8rCzyeGBbMB0GA1UdDgQWBBRlT2pg4UoHtTrF\nSckFkVZwPofFxjAMBgNVHRMBAf8EAjAAMA4GA1UdDwEB/wQEAwIHgDANBgkqhkiG\n9w0BAQsFAAOCAQEAmad1qCwQYzhAR7VqEHhI4X5p6yVQ+cSS6AF1a/zpPKJppwPQ\nStDCF9ewjZlsE9o6qnClOQV9UgCaxJmX6ZHHjEitPnF+jIafDlYOxboXGxh2Z661\n4sGsK3VEStfjNtnN10GdETAG7ThWmVXxOYml+ybWDUy2l9iw/pq6uuAZEtjcUxlh\nSQl9jphjMjadRYAPtoegBnCGvdpDGmnz90b9aIu7U1wCcgV7QEKX+xHArCH+e9Mr\nItUCrKpFXybhzBPtbLp/4s2fa9KsX5s5WshIrq9Q/Ee/a0rWqO2HwV+erWg87uGc\n1Vr8lRPuSWKwxqYG/Z35IS5gzUkhy0q1qJVjDg==\n-----END CERTIFICATE-----\n"}
The certificate retrieved from the /certs API above is then downloaded and used by the device to secure its MQTTS communication with the server. This is further evidenced by the UART debug log the team captured during pairing.
(364403) OtaDownloadInterface: HTTP POST data:
{
"thingName": "803428743EA7",
"csr": "-----BEGIN CERTIFICATE REQUEST-----\nMIICgTCCAWkCAQAwPDELMAkGA1UEBhMCVVMxEDAOBgNVBAoTB1RyYWVnZXIxGzAZ\nBgNVBAMTElRyYWVnZXIgSW9UIERldmljZTCCASIwDQYJKoZIhvcNAQEBBQADggEP\nADCCAQoCggEBANAAmIO52U4v1K9DSUfbFL8jSMR/lUQzOch8cNtY9Dd99uyESIw1\ncyHHFgY5ZZWhdzxQWs3/OkDNURvZ/BLkQ++z0qQNTGDdeR+N7Rmb7d8xYkDEkMM6\nmEY9am/3BpfV0b9g7BMo+M410OrAqPCX/CZ01KqdHxCesBQNff81FYr3ccfouvZi\ngoUL8CaE4t98P7KvAOD2r8jXCGsZpMdbkFQbg5dB1fyWPr7qoJ+1l1xYNhRd80Ft\nsoy5Z2ZwAaDCqSsbLavDNnWYDV49PHVZ4PWckFrH6qVhJT+xGQEsutJB2Bf6HhgW\nRuweXAOFsQcb6M1HgW/JdfdvWF0O5KGSwPsCAwEAAaAAMA0GCSqGSIb3DQEBCwUA\nA4IBAQAAhSzZlfx54gzRSZHIg1rvRPN6/f6QSwoJVjRDSv85RTRXhR7znwPBX25e\nH547VKXH3wwu0vvboVFqFf+3AMyt9pIFJ5WMsj6BwgrOTVSqnmltWblvOJfWnK3V\nBGkWB+3OmgcHTx9kmg7NWGGtp0rldugy5h0Yr9cagvfDoV+3XvvFsfbtM1VT75Pg\n7xw6g2bhcBLtTSFUFRQ08PY6M4Sf93p7fyDO1M/Wff8SHy/heIr2Gbirp/+2WlDn\n4yLj4RHMiRqxEfcZSPOGmfIBIUqWxSUnKhGtGrVFgy8ybI7hwgtVuGRNcaNirB40\nrKMQ0/2eBV34A7u8kRiHG8Hbvgkr\n-----END CERTIFICATE REQUEST-----\n"
}
I (364507) OtaDownloadInterface: Connecting to https://durable-api.iot.traegergrills.io/certs
...[omitted]...
(366949) OtaDownloadInterface: HTTP_EVENT_ON_CONNECTED
D (366953) OtaDownloadInterface: Writing POST data
...[omitted]...
OtaDownloadInterface: HTTP_EVENT_ON_HEADER
D (368109) OtaDownloadInterface: HTTP_EVENT_ON_DATA, len=432
I (368341) FILE SYSTEM: File clientCert.pem exists: 0, File in use: 0
D (368541) OtaDownloadInterface: HTTP_EVENT_ON_DATA, len=512
D (368541) OtaDownloadInterface: HTTP_EVENT_ON_DATA, len=356
D (368542) OtaDownloadInterface: Writing value for certificate to file
...[omitted]...
I (368658) FILE SYSTEM: File path = /sp
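A reviewer looking at the /certs exchange will want to confirm that the certificate handed back actually certifies the key the device generated. The following is an added example, not code from the original post or from Traeger: a dependency-free check, using only the Python standard library, that walks the DER structure of the CSR and certificate captured above (both PEM blobs are copied verbatim from that request and response) and compares the RSA public keys they carry.

```python
import base64
import re

# Both PEM blobs are copied verbatim from the captured /certs request and response above.
DEVICE_CSR = "-----BEGIN CERTIFICATE REQUEST-----\nMIICgTCCAWkCAQAwPDELMAkGA1UEBhMCVVMxEDAOBgNVBAoTB1RyYWVnZXIxGzAZ\nBgNVBAMTElRyYWVnZXIgSW9UIERldmljZTCCASIwDQYJKoZIhvcNAQEBBQADggEP\nADCCAQoCggEBAL4O20OYw2mDbk1kH/0cZ3h3ZxQhrYvZcPrQLBhsQOJ+c3D22ps9\ngAkf0j6XsOU7pIHX+xPDOpODaWX7OPq37RGjne8YbYy1p9PnMHYpnyajaCkXCjlW\nnWSJv51Cu36OBah4SAv+wd3v1l4oOXCFfiwAqobvqTxouKs1TkB47fRBSkI2OrLq\nR2qbYxZkCfi2lJiL3Gf/eB+1+uZumYYtjkKXe+WKGsbMw95aUr6BjX6i9Vv2x5lN\nKA8IEYDFZZ3vsxJUAbD0suh1Bmm6zRT9VmAbg65zWQMDaQi8T08hKVz1//rRqqo+\n3WffHdORnB6AyHTkiBizrTCmbJ1x2Dk06+UCAwEAAaAAMA0GCSqGSIb3DQEBCwUA\nA4IBAQADCxk3uJqgL9uquOGwXpaqCP34wASDulMitICb2FWy6IRQT9jfhpZufAjn\n43VU8QOPx3TGiAbQHmRWoN/D0y3+eGEytZ/UOvBAukclfQcsiGtz9wm77rT4oLsP\nXsu3cCfwKU90jUbAIKD/qjvVni7nF6EKpS70iwUn+0QVwGY5LlCyurdRKmH82ebP\nBctw3EviPOyv2XkjwEQTrfA26XNqv5RMewa951q7mZDLzP1KDWFXhR5aj+h7VKIS\nz5wzuh3/dXOjSvuSpMBqYKrKoG2bi2ItgoPS3uDT5i5BhldOTKiPo9w4UR3YyE1o\nCUIwgSarsz/b9ZtfO3CddRY1WFvx\n-----END CERTIFICATE REQUEST-----\n"
ISSUED_CERT = "-----BEGIN CERTIFICATE-----\nMIIDeDCCAmCgAwIBAgIVAL3s+ljpusLF05NHOtmnYD3f5D8pMA0GCSqGSIb3DQEB\nCwUAME0xSzBJBgNVBAsMQkFtYXpvbiBXZWIgU2VydmljZXMgTz1BbWF6b24uY29t\nIEluYy4gTD1TZWF0dGxlIFNUPVdhc2hpbmd0b24gQz1VUzAeFw0yMzEyMjUxNjMy\nMDRaFw00OTEyMzEyMzU5NTlaMDwxCzAJBgNVBAYTAlVTMRAwDgYDVQQKEwdUcmFl\nZ2VyMRswGQYDVQQDExJUcmFlZ2VyIElvVCBEZXZpY2UwggEiMA0GCSqGSIb3DQEB\nAQUAA4IBDwAwggEKAoIBAQC+DttDmMNpg25NZB/9HGd4d2cUIa2L2XD60CwYbEDi\nfnNw9tqbPYAJH9I+l7DlO6SB1/sTwzqTg2ll+zj6t+0Ro53vGG2MtafT5zB2KZ8m\no2gpFwo5Vp1kib+dQrt+jgWoeEgL/sHd79ZeKDlwhX4sAKqG76k8aLirNU5AeO30\nQUpCNjqy6kdqm2MWZAn4tpSYi9xn/3gftfrmbpmGLY5Cl3vlihrGzMPeWlK+gY1+\novVb9seZTSgPCBGAxWWd77MSVAGw9LLodQZpus0U/VZgG4Ouc1kDA2kIvE9PISlc\n9f/60aqqPt1n3x3TkZwegMh05IgYs60wpmydcdg5NOvlAgMBAAGjYDBeMB8GA1Ud\nIwQYMBaAFK5LcpMC+tMMCts/MFF8rCzyeGBbMB0GA1UdDgQWBBRlT2pg4UoHtTrF\nSckFkVZwPofFxjAMBgNVHRMBAf8EAjAAMA4GA1UdDwEB/wQEAwIHgDANBgkqhkiG\n9w0BAQsFAAOCAQEAmad1qCwQYzhAR7VqEHhI4X5p6yVQ+cSS6AF1a/zpPKJppwPQ\nStDCF9ewjZlsE9o6qnClOQV9UgCaxJmX6ZHHjEitPnF+jIafDlYOxboXGxh2Z661\n4sGsK3VEStfjNtnN10GdETAG7ThWmVXxOYml+ybWDUy2l9iw/pq6uuAZEtjcUxlh\nSQl9jphjMjadRYAPtoegBnCGvdpDGmnz90b9aIu7U1wCcgV7QEKX+xHArCH+e9Mr\nItUCrKpFXybhzBPtbLp/4s2fa9KsX5s5WshIrq9Q/Ee/a0rWqO2HwV+erWg87uGc\n1Vr8lRPuSWKwxqYG/Z35IS5gzUkhy0q1qJVjDg==\n-----END CERTIFICATE-----\n"


def pem_to_der(pem):
    """Strip the PEM armour and base64-decode the body."""
    return base64.b64decode("".join(re.sub(r"-----[^-]+-----", "", pem).split()))


def der_tlv(buf, pos):
    """Decode one DER element at pos; returns (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: the low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def der_children(value):
    """Split a constructed element's payload into its (tag, value) children."""
    pos, out = 0, []
    while pos < len(value):
        tag, val, pos = der_tlv(value, pos)
        out.append((tag, val))
    return out


def find_rsa_key(buf):
    """Depth-first walk returning (modulus, exponent) from the first BIT STRING whose payload
    is RSAPublicKey ::= SEQUENCE { n INTEGER, e INTEGER }. In both a CSR and a certificate
    that BIT STRING is the subjectPublicKeyInfo key, which precedes the signature."""
    for tag, val in der_children(buf):
        if tag == 0x03:  # BIT STRING; the first payload byte is the unused-bit count
            try:
                (inner_tag, inner), = der_children(val[1:])
                (nt, n), (et, e) = der_children(inner)
                if inner_tag == 0x30 and nt == et == 0x02:
                    return int.from_bytes(n, "big"), int.from_bytes(e, "big")
            except (IndexError, ValueError):
                pass  # not an RSA key (e.g. a raw signature); keep walking
        elif tag & 0x20:  # constructed element (SEQUENCE, SET, [n]): descend into it
            found = find_rsa_key(val)
            if found:
                return found
    return None


def cert_matches_csr(csr_pem, cert_pem):
    """True when the issued certificate certifies exactly the key from the device's CSR."""
    return find_rsa_key(pem_to_der(csr_pem)) == find_rsa_key(pem_to_der(cert_pem))
```

For the captured pair, find_rsa_key reports a 2048-bit RSA key with exponent 65537 in both blobs and cert_matches_csr returns True, confirming the cloud signed the key the grill generated rather than substituting one of its own.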