Traeger Grill Wi-Fi Controller Product Security Review Methodology: From Hardware Debugging to MQTT Authorization Bypass

This post walks through how the Bishop Fox team used hardware debugging, a UART connection, firmware extraction and MQTT protocol analysis to find an authorization flaw in the Traeger Grill Wi-Fi controller that allowed unauthorized control of the device.

Product Security Review Methodology: Traeger Grill Hack

Hardware Analysis and UART Connection

After receiving the device, the Bishop Fox team removed the printed circuit board (PCB) from its enclosure and inspected the components on the board. The PCB carries an ESP32 module and a 10-pin header.

Figure 1 - 10-pin header on the Traeger board

According to the ESP32 datasheet, the module's pinout is as follows:

Figure 2 - ESP32-WROVER-E pinout

As the figure shows, the TXD0 and RXD0 pins carry UART0, the ESP32's console UART. Tracing the pins on the board suggested that these UART pins are physically routed to the 10-pin header. To confirm this, the team used a multimeter to test for continuity between the ESP32's UART transmit and receive pins and the 10-pin header:

Figure 3 - Continuity between the 10-pin header and the ESP32 UART pins, showing 100 ohms of resistance

The multimeter read 100 ohms, indicating continuity between the UART transmit and receive pins and the 10-pin header. The 100 ohms is most likely due to resistors on the back of the board, which appear to sit in series on the UART lines; a small series resistor like this does not prevent UART communication.

Figure 4 - Resistors on the back of the board that explain the measured resistance

The team made the hardware connection by wiring the ESP32's UART transmit pin to the UART receive pin of the Attify Badge and the ESP32's UART receive pin to the Attify Badge's UART transmit pin (TX crossed to RX in each direction; the two boards also need a shared ground).

Figure 5 - UART wired to the UART debug bridge

Next, the team monitored the serial connection with picocom and observed the following output after the device booted:

% sudo ~/Tools/picocom/picocom -b 115200 /dev/cu.usbserial-2
picocom v3.2a
…output omitted…
Terminal ready
ets Jul 29 2019 12:21:46

rst:0x1 (POWERON_RESET),boot:0x17 (SPI_FAST_FLASH_BOOT)
configsip: 0, SPIWP:0xee
clk_drv:0x00,q_drv:0x00,d_drv:0x00,cs0_drv:0x00,hd_drv:0x00,wp_drv:0x00
mode:DIO, clock div:2
load:0x3fff0018,len:4
load:0x3fff001c,len:5736
load:0x40078000,len:7916
load:0x40080000,len:5908
entry 0x40080314
I (29) boot: ESP-IDF v3.1.3-51-g39c6b2f90 2nd stage bootloader
I (29) boot: compile time 12:02:40
I (30) boot: Enabling RNG early entropy source...
I (35) boot: SPI Speed : 40MHz
I (39) boot: SPI Mode : DIO
I (43) boot: SPI Flash Size : 4MB
I (47) boot: Partition Table:
I (51) boot: ## Label Usage Type ST Offset Length
I (58) boot: 0 nvs WiFi data 01 02 00009000 00010000
I (66) boot: 1 otadata OTA data 01 00 00019000 00002000
I (73) boot: 2 factory factory app 00 00 00020000 00100000
I (80) boot: 3 ota_0 OTA app 00 10 00120000 00100000
I (88) boot: 4 ota_1 OTA app 00 11 00220000 00100000
I (95) boot: 5 storage Unknown data 01 82 00320000 000e0000
I (103) boot: End of partition table
I (107) esp_image: segment 0: paddr=0x00120020 vaddr=0x3f400020 size=0x2dee4 (188132) map
I (181) esp_image: segment 1: paddr=0x0014df0c vaddr=0x3ffb0000 size=0x02104 (8452) load
I (185) esp_image: segment 2: paddr=0x00150018 vaddr=0x400d0018 size=0xb4448 (738376) map
I (444) esp_image: segment 3: paddr=0x00204468 vaddr=0x3ffb2104 size=0x04714 (18196) load
I (451) esp_image: segment 4: paddr=0x00208b84 vaddr=0x40080000 size=0x00400 (1024) load
I (452) esp_image: segment 5: paddr=0x00208f8c vaddr=0x40080400 size=0x11714 (71444) load
I (499) boot: Loaded app from partition at offset 0x120000
I (499) boot: Disabling RNG early entropy source...
I (500) cpu_start: Pro cpu up.
I (503) cpu_start: Starting app cpu, entry point is 0x40081128
I (0) cpu_start: App cpu up.
I (514) heap_init: Initializing. RAM available for dynamic allocation:
I (521) heap_init: At 3FFAE6E0 len 00001920 (6 KiB): DRAM
I (527) heap_init: At 3FFD0C30 len 0000F3D0 (60 KiB): DRAM
I (533) heap_init: At 3FFE0440 len 00003BC0 (14 KiB): D/IRAM
I (539) heap_init: At 3FFE4350 len 0001BCB0 (111 KiB): D/IRAM
I (545) heap_init: At 40091B14 len 0000E4EC (57 KiB): IRAM
I (552) cpu_start: Pro cpu start user code
I (234) cpu_start: Starting scheduler on PRO CPU.
…output omitted…

As shown above, the UART connection was established and the device's boot log appeared on screen. The log alone is already useful: it reveals the ESP-IDF version, the 4 MB flash size, the full partition table and the fact that the running app was loaded from the ota_0 slot at offset 0x120000. In addition, holding the ESP32's boot-strapping pin (GPIO0) low while the chip resets forces it into the serial bootloader (download mode), which ultimately let the team dump the device's firmware over the same UART.
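As an added example (not Bishop Fox's tooling), the following Python parses an ESP32 partition table in the binary format the bootloader prints above and turns the result into the esptool.py read_flash commands a tester would run once the chip is in download mode. The table bytes are constructed here from the six rows in the boot log; the serial port name and the 0x8000 table offset (the ESP-IDF default, consistent with nvs starting at 0x9000) are assumptions.

```python
"""Parse an ESP32 partition table and derive flash-dump commands from it.
Added example, not Bishop Fox's tooling. SAMPLE_TABLE is constructed from the
six rows in the UART boot log; on a real dump read 0x1000 bytes from
TABLE_OFFSET of flash.bin and feed them to parse_partition_table()."""
import struct
from collections import namedtuple

ENTRY = struct.Struct("<HBBII16sI")   # magic, type, subtype, offset, size, label, flags
MAGIC_ENTRY = 0x50AA                   # stored as bytes AA 50 in flash
MAGIC_MD5 = 0xEBEB                     # optional checksum row that ends the table
TABLE_OFFSET = 0x8000                  # ESP-IDF default (assumed for this device)
PART_TYPES = {0: "app", 1: "data"}
SUBTYPES = {(0, 0x00): "factory", (0, 0x10): "ota_0", (0, 0x11): "ota_1",
            (1, 0x00): "ota", (1, 0x02): "nvs", (1, 0x82): "spiffs"}

Partition = namedtuple("Partition", "label type subtype offset size flags")


def build_entry(label, ptype, subtype, offset, size, flags=0):
    """Encode one 32-byte table row (used here only to construct sample input)."""
    return ENTRY.pack(MAGIC_ENTRY, ptype, subtype, offset, size,
                      label.encode().ljust(16, b"\0"), flags)


# Constructed sample: the rows printed by the 2nd-stage bootloader in the log.
SAMPLE_TABLE = b"".join([
    build_entry("nvs", 1, 0x02, 0x9000, 0x10000),
    build_entry("otadata", 1, 0x00, 0x19000, 0x2000),
    build_entry("factory", 0, 0x00, 0x20000, 0x100000),
    build_entry("ota_0", 0, 0x10, 0x120000, 0x100000),
    build_entry("ota_1", 0, 0x11, 0x220000, 0x100000),
    build_entry("storage", 1, 0x82, 0x320000, 0xE0000),
]) + b"\xff" * 32   # unused rows read back as erased flash


def parse_partition_table(blob):
    """Return the Partition rows in blob, stopping at the MD5 row or erased flash."""
    parts = []
    for i in range(0, len(blob) - ENTRY.size + 1, ENTRY.size):
        magic, ptype, subtype, offset, size, label, flags = ENTRY.unpack_from(blob, i)
        if magic in (MAGIC_MD5, 0xFFFF):
            break
        if magic != MAGIC_ENTRY:
            raise ValueError("bad entry magic 0x%04x in row %d" % (magic, i // ENTRY.size))
        parts.append(Partition(label.rstrip(b"\0").decode(), ptype, subtype, offset, size, flags))
    return parts


def partition_at(parts, addr):
    """Which partition holds a flash address (e.g. the app load offset in the log)?"""
    for p in parts:
        if p.offset <= addr < p.offset + p.size:
            return p
    return None


def read_flash_commands(parts, port="/dev/cu.usbserial-2", flash_size=0x400000):
    """esptool.py invocations: the whole 4 MB chip, then one file per partition."""
    cmds = ["esptool.py --port %s read_flash 0 0x%x flash.bin" % (port, flash_size)]
    for p in parts:
        cmds.append("esptool.py --port %s read_flash 0x%x 0x%x %s.bin"
                    % (port, p.offset, p.size, p.label))
    return cmds


def describe(parts):
    return ["%-8s %-4s %-7s 0x%06x 0x%06x" % (
        p.label, PART_TYPES.get(p.type, hex(p.type)),
        SUBTYPES.get((p.type, p.subtype), hex(p.subtype)), p.offset, p.size) for p in parts]


if __name__ == "__main__":
    parts = parse_partition_table(SAMPLE_TABLE)
    print("\n".join(describe(parts)))
    print("app at 0x120000 lives in:", partition_at(parts, 0x120000).label)
    print("\n".join(read_flash_commands(parts)))
```

Dumping each partition separately is what makes the later firmware patching tractable: the ota_0 image can be modified and written back with esptool.py write_flash to the same offset, leaving nvs (which holds the Wi-Fi credentials) untouched.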

HTTP Communication Analysis and the Pairing Process

With the UART connection established, the team began interacting with the device and reviewing what it logged. During pairing the device hosts an HTTP server that handles the initial communication with the mobile app. To demonstrate this, the team captured the HTTP traffic between the mobile device and the grill:

Request

POST /prod/pairing-sessions HTTP/2
Host: 1ywgyc65d1.execute-api.us-west-2.amazonaws.com
Authorization: COGNITO_TOKEN
…omitted…

{"lat":37.421998,"long":-122.084,"thingName":"803428743EA7"}

Response

HTTP/2 200 OK
Content-Type: application/json
…omitted…

{"pairingToken":"fde5f0f06d4aad2bd11d6ad66272fdeae2fa3c0ce8d9227a92ef8148fdddc8fc","thingName":"803428743EA7"}

As shown above, the mobile app first retrieves a pairing token for the grill, whose identifier (thingName) is 803428743EA7; this request goes to an AWS API Gateway endpoint and is authorized with the user's Cognito token. Once it has the pairing token, the app prompts the user to join the grill's own Wi-Fi network in order to share network information and the pairing token with the grill.

Request

GET /connect.html HTTP/1.1
Host: mytraegergrill.net
AWS-Pairing-Token: fde5f0f06d4aad2bd11d6ad66272fdeae2fa3c0ce8d9227a92ef8148fdddc8fc
…omitted…

Response

HTTP/1.1 200 OK
Content-Type: text/json

{"networks": [{"ssid": "GrillMasterWiFi","sec_type": 3,"rssi": -46}
…omitted…

The request above appears to tell the mobile client which networks the grill can see through its Wi-Fi interface and could connect to. Note that the pairing token is already being sent to the grill in the AWS-Pairing-Token header, over plain HTTP on the grill's LAN. The mobile app then issues an additional POST request to share the pairing token with the grill explicitly.

Request

POST /pairingtoken.html HTTP/1.1
AWS-Pairing-Token: fde5f0f06d4aad2bd11d6ad66272fdeae2fa3c0ce8d9227a92ef8148fdddc8fc
…omitted…

__SL_P_UN1=fde5f0f06d4aad2bd11d6ad66272fdea&__SL_P_UN2=e2fa3c0ce8d9227a92ef8148fdddc8fc

Response

HTTP/1.1 200 OK

The parameters in this request show the 64-character pairing token being split into two 32-character strings (__SL_P_UN1 and __SL_P_UN2). The mobile app then shares the network information that lets the grill join the home network:

Request

POST /nothing.html HTTP/1.1
Host: mytraegergrill.net
AWS-Pairing-Token: fde5f0f06d4aad2bd11d6ad66272fdeae2fa3c0ce8d9227a92ef8148fdddc8fc
…omitted…

__SL_P_USE=2&__SL_P_USD= GrillMasterWiFi&__SL_P_USG=1&__SL_P_USF=[REDACTED Wi-Fi Password]&__SL_P_USC=Add

Response

HTTP/1.1 200 OK
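To make the three LAN-side steps concrete, here is an added Python emulation of both sides of the exchange (example code, not the Traeger firmware or app). The paths, header name and form-field names are taken from the captures above. Everything the grill side enforces here is an assumption made for the example, not observed behaviour: that the header must be 64 hex characters, that the two halves must reassemble to the header value, and that Wi-Fi credentials are only accepted after a token. The Wi-Fi password is made up, and the SSID is stripped because the capture shows a leading space in __SL_P_USD.

```python
"""Emulate the grill's SoftAP pairing endpoints and the app-side client flow.
Added example, not vendor code. Endpoint paths, header and form-field names
come from the captured traffic in the post; the grill-side validation rules
and the sample password are assumptions for the example."""
import json
import re
import threading
import urllib.error
import urllib.parse
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed sample values mirroring the capture (the PSK is invented).
PAIRING_TOKEN = "fde5f0f06d4aad2bd11d6ad66272fdeae2fa3c0ce8d9227a92ef8148fdddc8fc"
HOME_SSID = "GrillMasterWiFi"
HOME_PSK = "correct-horse-battery-staple"


class GrillHandler(BaseHTTPRequestHandler):
    """Grill side: remembers the pairing token and Wi-Fi credentials it is given."""
    state = {"token": None, "ssid": None, "psk": None}

    def log_message(self, *args):          # keep the example quiet
        pass

    def _reply(self, code, body=b"", ctype="text/json"):
        self.send_response(code)
        self.send_header("Content-Type", ctype)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def _form(self):
        n = int(self.headers.get("Content-Length", "0"))
        return dict(urllib.parse.parse_qsl(self.rfile.read(n).decode()))

    def _header_token(self):
        tok = self.headers.get("AWS-Pairing-Token", "")
        return tok if re.fullmatch(r"[0-9a-f]{64}", tok) else None   # assumed format check

    def do_GET(self):
        if self.path == "/connect.html" and self._header_token():
            nets = {"networks": [{"ssid": HOME_SSID, "sec_type": 3, "rssi": -46}]}
            return self._reply(200, json.dumps(nets).encode())
        self._reply(404)

    def do_POST(self):
        tok = self._header_token()
        if tok is None:
            return self._reply(401)
        form = self._form()
        if self.path == "/pairingtoken.html":
            # Token arrives as two 32-char halves; assumed rule: they must match the header.
            if form.get("__SL_P_UN1", "") + form.get("__SL_P_UN2", "") != tok:
                return self._reply(400)
            self.state["token"] = tok
            return self._reply(200)
        if self.path == "/nothing.html":
            if self.state["token"] != tok:   # assumed rule: credentials only after a token
                return self._reply(403)
            self.state["ssid"] = form.get("__SL_P_USD", "").strip()
            self.state["psk"] = form.get("__SL_P_USF")
            return self._reply(200)
        self._reply(404)


def _call(base, path, token, form=None):
    """App side: one request carrying the AWS-Pairing-Token header; GET if no form."""
    data = urllib.parse.urlencode(form).encode() if form is not None else None
    req = urllib.request.Request(base + path, data=data, headers={"AWS-Pairing-Token": token})
    with urllib.request.urlopen(req, timeout=5) as resp:
        return resp.status, resp.read()


def pair(token=PAIRING_TOKEN, ssid=HOME_SSID, psk=HOME_PSK):
    """Run the three captured steps against a local grill emulator; return its state."""
    GrillHandler.state = {"token": None, "ssid": None, "psk": None}
    srv = HTTPServer(("127.0.0.1", 0), GrillHandler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    base = "http://127.0.0.1:%d" % srv.server_address[1]
    half = len(token) // 2
    try:
        _, body = _call(base, "/connect.html", token)
        networks = json.loads(body)["networks"]
        _call(base, "/pairingtoken.html", token,
              {"__SL_P_UN1": token[:half], "__SL_P_UN2": token[half:]})
        _call(base, "/nothing.html", token,
              {"__SL_P_USE": "2", "__SL_P_USD": " " + ssid, "__SL_P_USG": "1",
               "__SL_P_USF": psk, "__SL_P_USC": "Add"})
        try:   # negative case: a tampered second half must be rejected (assumed behaviour)
            _call(base, "/pairingtoken.html", token,
                  {"__SL_P_UN1": token[:half], "__SL_P_UN2": "0" * half})
            rejected = False
        except urllib.error.HTTPError as err:
            rejected = err.code == 400
    finally:
        srv.shutdown()
        srv.server_close()
    return {"networks": networks, "grill": dict(GrillHandler.state), "tamper_rejected": rejected}


if __name__ == "__main__":
    print(json.dumps(pair(), indent=2))
```

The point a reviewer should take from the emulation is that the grill ends up holding three secrets handed over on its open pairing network (the pairing token, the SSID and the PSK), and that the token is the only thing that later authenticates the device to the cloud registration endpoint.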

After receiving the network information, the grill connects to the specified Wi-Fi network and registers itself with AWS IoT. Note that this registration exchange is TLS-protected; the team bypassed that protection by patching the firmware to downgrade the connection to plain HTTP so that it could be intercepted. Note also that the pairing token obtained earlier is reused verbatim as the Authorization value for this request. The registration can be seen in the intercepted request below:

Request

POST /certs HTTP/2
Host: durable-api.iot.traegergrills.io
Authorization: fde5f0f06d4aad2bd11d6ad66272fdeae2fa3c0ce8d9227a92ef8148fdddc8fc
…omitted…

{
 "thingName": "803428743EA7",
 "csr": "-----BEGIN CERTIFICATE REQUEST-----\nMIICgTCCAWkCAQAwPDELMAkGA1UEBhMCVVMxEDAOBgNVBAoTB1RyYWVnZXIxGzAZ\nBgNVBAMTElRyYWVnZXIgSW9UIERldmljZTCCASIwDQYJKoZIhvcNAQEBBQADggEP\nADCCAQoCggEBAL4O20OYw2mDbk1kH/0cZ3h3ZxQhrYvZcPrQLBhsQOJ+c3D22ps9\ngAkf0j6XsOU7pIHX+xPDOpODaWX7OPq37RGjne8YbYy1p9PnMHYpnyajaCkXCjlW\nnWSJv51Cu36OBah4SAv+wd3v1l4oOXCFfiwAqobvqTxouKs1TkB47fRBSkI2OrLq\nR2qbYxZkCfi2lJiL3Gf/eB+1+uZumYYtjkKXe+WKGsbMw95aUr6BjX6i9Vv2x5lN\nKA8IEYDFZZ3vsxJUAbD0suh1Bmm6zRT9VmAbg65zWQMDaQi8T08hKVz1//rRqqo+\n3WffHdORnB6AyHTkiBizrTCmbJ1x2Dk06+UCAwEAAaAAMA0GCSqGSIb3DQEBCwUA\nA4IBAQADCxk3uJqgL9uquOGwXpaqCP34wASDulMitICb2FWy6IRQT9jfhpZufAjn\n43VU8QOPx3TGiAbQHmRWoN/D0y3+eGEytZ/UOvBAukclfQcsiGtz9wm77rT4oLsP\nXsu3cCfwKU90jUbAIKD/qjvVni7nF6EKpS70iwUn+0QVwGY5LlCyurdRKmH82ebP\nBctw3EviPOyv2XkjwEQTrfA26XNqv5RMewa951q7mZDLzP1KDWFXhR5aj+h7VKIS\nz5wzuh3/dXOjSvuSpMBqYKrKoG2bi2ItgoPS3uDT5i5BhldOTKiPo9w4UR3YyE1o\nCUIwgSarsz/b9ZtfO3CddRY1WFvx\n-----END CERTIFICATE REQUEST-----\n"

Response

HTTP/2 200 OK
Content-Type: application/json
…omitted…

{"certificate":"-----BEGIN CERTIFICATE-----\nMIIDeDCCAmCgAwIBAgIVAL3s+ljpusLF05NHOtmnYD3f5D8pMA0GCSqGSIb3DQEB\nCwUAME0xSzBJBgNVBAsMQkFtYXpvbiBXZWIgU2VydmljZXMgTz1BbWF6b24uY29t\nIEluYy4gTD1TZWF0dGxlIFNUPVdhc2hpbmd0b24gQz1VUzAeFw0yMzEyMjUxNjMy\nMDRaFw00OTEyMzEyMzU5NTlaMDwxCzAJBgNVBAYTAlVTMRAwDgYDVQQKEwdUcmFl\nZ2VyMRswGQYDVQQDExJUcmFlZ2VyIElvVCBEZXZpY2UwggEiMA0GCSqGSIb3DQEB\nAQUAA4IBDwAwggEKAoIBAQC+DttDmMNpg25NZB/9HGd4d2cUIa2L2XD60CwYbEDi\nfnNw9tqbPYAJH9I+l7DlO6SB1/sTwzqTg2ll+zj6t+0Ro53vGG2MtafT5zB2KZ8m\no2gpFwo5Vp1kib+dQrt+jgWoeEgL/sHd79ZeKDlwhX4sAKqG76k8aLirNU5AeO30\nQUpCNjqy6kdqm2MWZAn4tpSYi9xn/3gftfrmbpmGLY5Cl3vlihrGzMPeWlK+gY1+\novVb9seZTSgPCBGAxWWd77MSVAGw9LLodQZpus0U/VZgG4Ouc1kDA2kIvE9PISlc\n9f/60aqqPt1n3x3TkZwegMh05IgYs60wpmydcdg5NOvlAgMBAAGjYDBeMB8GA1Ud\nIwQYMBaAFK5LcpMC+tMMCts/MFF8rCzyeGBbMB0GA1UdDgQWBBRlT2pg4UoHtTrF\nSckFkVZwPofFxjAMBgNVHRMBAf8EAjAAMA4GA1UdDwEB/wQEAwIHgDANBgkqhkiG\n9w0BAQsFAAOCAQEAmad1qCwQYzhAR7VqEHhI4X5p6yVQ+cSS6AF1a/zpPKJppwPQ\nStDCF9ewjZlsE9o6qnClOQV9UgCaxJmX6ZHHjEitPnF+jIafDlYOxboXGxh2Z661\n4sGsK3VEStfjNtnN10GdETAG7ThWmVXxOYml+ybWDUy2l9iw/pq6uuAZEtjcUxlh\nSQl9jphjMjadRYAPtoegBnCGvdpDGmnz90b9aIu7U1wCcgV7QEKX+xHArCH+e9Mr\nItUCrKpFXybhzBPtbLp/4s2fa9KsX5s5WshIrq9Q/Ee/a0rWqO2HwV+erWg87uGc\n1Vr8lRPuSWKwxqYG/Z35IS5gzUkhy0q1qJVjDg==\n-----END CERTIFICATE-----\n"}

The certificate returned by the /certs API is then stored by the device and used as its client certificate for MQTT over TLS (mqtts) to the broker; the device keeps the private key that signed the CSR, so only the public half ever crosses the wire. This is further confirmed by the UART debug log the team captured during pairing:

(364403) OtaDownloadInterface: HTTP POST data:
{
 "thingName": "803428743EA7",
 "csr": "-----BEGIN CERTIFICATE REQUEST-----\nMIICgTCCAWkCAQAwPDELMAkGA1UEBhMCVVMxEDAOBgNVBAoTB1RyYWVnZXIxGzAZ\nBgNVBAMTElRyYWVnZXIgSW9UIERldmljZTCCASIwDQYJKoZIhvcNAQEBBQADggEP\nADCCAQoCggEBANAAmIO52U4v1K9DSUfbFL8jSMR/lUQzOch8cNtY9Dd99uyESIw1\ncyHHFgY5ZZWhdzxQWs3/OkDNURvZ/BLkQ
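The CSR and certificate from the /certs exchange can be inspected without OpenSSL. The following added Python (standard library only, not Bishop Fox's tooling) walks the DER of both blobs to confirm they carry the same RSA-2048 public key, reads the subject CN the device requested, and reads the issuer and validity that AWS IoT stamped on the certificate. The PEM text is copied from the captured exchange above; the minimal DER walker is written for this example and handles only what these two objects contain.

```python
"""Compare the grill's CSR with the certificate AWS IoT issued for it.
Added example (stdlib only), not Bishop Fox tooling; PEM blobs are copied from
the captured /certs request and response in this post."""
import base64

CSR_PEM = """-----BEGIN CERTIFICATE REQUEST-----
MIICgTCCAWkCAQAwPDELMAkGA1UEBhMCVVMxEDAOBgNVBAoTB1RyYWVnZXIxGzAZ
BgNVBAMTElRyYWVnZXIgSW9UIERldmljZTCCASIwDQYJKoZIhvcNAQEBBQADggEP
ADCCAQoCggEBAL4O20OYw2mDbk1kH/0cZ3h3ZxQhrYvZcPrQLBhsQOJ+c3D22ps9
gAkf0j6XsOU7pIHX+xPDOpODaWX7OPq37RGjne8YbYy1p9PnMHYpnyajaCkXCjlW
nWSJv51Cu36OBah4SAv+wd3v1l4oOXCFfiwAqobvqTxouKs1TkB47fRBSkI2OrLq
R2qbYxZkCfi2lJiL3Gf/eB+1+uZumYYtjkKXe+WKGsbMw95aUr6BjX6i9Vv2x5lN
KA8IEYDFZZ3vsxJUAbD0suh1Bmm6zRT9VmAbg65zWQMDaQi8T08hKVz1//rRqqo+
3WffHdORnB6AyHTkiBizrTCmbJ1x2Dk06+UCAwEAAaAAMA0GCSqGSIb3DQEBCwUA
A4IBAQADCxk3uJqgL9uquOGwXpaqCP34wASDulMitICb2FWy6IRQT9jfhpZufAjn
43VU8QOPx3TGiAbQHmRWoN/D0y3+eGEytZ/UOvBAukclfQcsiGtz9wm77rT4oLsP
Xsu3cCfwKU90jUbAIKD/qjvVni7nF6EKpS70iwUn+0QVwGY5LlCyurdRKmH82ebP
Bctw3EviPOyv2XkjwEQTrfA26XNqv5RMewa951q7mZDLzP1KDWFXhR5aj+h7VKIS
z5wzuh3/dXOjSvuSpMBqYKrKoG2bi2ItgoPS3uDT5i5BhldOTKiPo9w4UR3YyE1o
CUIwgSarsz/b9ZtfO3CddRY1WFvx
-----END CERTIFICATE REQUEST-----"""

CERT_PEM = """-----BEGIN CERTIFICATE-----
MIIDeDCCAmCgAwIBAgIVAL3s+ljpusLF05NHOtmnYD3f5D8pMA0GCSqGSIb3DQEB
CwUAME0xSzBJBgNVBAsMQkFtYXpvbiBXZWIgU2VydmljZXMgTz1BbWF6b24uY29t
IEluYy4gTD1TZWF0dGxlIFNUPVdhc2hpbmd0b24gQz1VUzAeFw0yMzEyMjUxNjMy
MDRaFw00OTEyMzEyMzU5NTlaMDwxCzAJBgNVBAYTAlVTMRAwDgYDVQQKEwdUcmFl
Z2VyMRswGQYDVQQDExJUcmFlZ2VyIElvVCBEZXZpY2UwggEiMA0GCSqGSIb3DQEB
AQUAA4IBDwAwggEKAoIBAQC+DttDmMNpg25NZB/9HGd4d2cUIa2L2XD60CwYbEDi
fnNw9tqbPYAJH9I+l7DlO6SB1/sTwzqTg2ll+zj6t+0Ro53vGG2MtafT5zB2KZ8m
o2gpFwo5Vp1kib+dQrt+jgWoeEgL/sHd79ZeKDlwhX4sAKqG76k8aLirNU5AeO30
QUpCNjqy6kdqm2MWZAn4tpSYi9xn/3gftfrmbpmGLY5Cl3vlihrGzMPeWlK+gY1+
ovVb9seZTSgPCBGAxWWd77MSVAGw9LLodQZpus0U/VZgG4Ouc1kDA2kIvE9PISlc
9f/60aqqPt1n3x3TkZwegMh05IgYs60wpmydcdg5NOvlAgMBAAGjYDBeMB8GA1Ud
IwQYMBaAFK5LcpMC+tMMCts/MFF8rCzyeGBbMB0GA1UdDgQWBBRlT2pg4UoHtTrF
SckFkVZwPofFxjAMBgNVHRMBAf8EAjAAMA4GA1UdDwEB/wQEAwIHgDANBgkqhkiG
9w0BAQsFAAOCAQEAmad1qCwQYzhAR7VqEHhI4X5p6yVQ+cSS6AF1a/zpPKJppwPQ
StDCF9ewjZlsE9o6qnClOQV9UgCaxJmX6ZHHjEitPnF+jIafDlYOxboXGxh2Z661
4sGsK3VEStfjNtnN10GdETAG7ThWmVXxOYml+ybWDUy2l9iw/pq6uuAZEtjcUxlh
SQl9jphjMjadRYAPtoegBnCGvdpDGmnz90b9aIu7U1wCcgV7QEKX+xHArCH+e9Mr
ItUCrKpFXybhzBPtbLp/4s2fa9KsX5s5WshIrq9Q/Ee/a0rWqO2HwV+erWg87uGc
1Vr8lRPuSWKwxqYG/Z35IS5gzUkhy0q1qJVjDg==
-----END CERTIFICATE-----"""
OID_CN, OID_OU = "550403", "55040b"   # id-at-commonName, id-at-organizationalUnitName


def pem_to_der(pem):
    return base64.b64decode("".join(l for l in pem.splitlines() if not l.startswith("-----")))


def _tlv(buf, pos):
    """Read one DER tag-length-value at pos; return (tag, value, next_pos)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long form: next N bytes hold the length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def _children(content):
    pos = 0
    while pos < len(content):
        tag, value, pos = _tlv(content, pos)
        yield tag, value


def _rsa_key(bitstring):
    """subjectPublicKey for rsaEncryption: unused-bits byte, then SEQUENCE { n, e }."""
    try:
        tag, seq, end = _tlv(bitstring, 1)
        ints = list(_children(seq))
    except (IndexError, ValueError):
        return None
    if bitstring[0] != 0 or tag != 0x30 or end != len(bitstring) or [t for t, _ in ints] != [2, 2]:
        return None                         # e.g. the signature BIT STRING, not a key
    return int.from_bytes(ints[0][1], "big"), int.from_bytes(ints[1][1], "big")


def _walk(content, found):
    for tag, value in _children(content):
        if tag == 0x03:                                  # BIT STRING: maybe an RSA SPKI
            key = _rsa_key(value)
            if key:
                found["rsa"].append(key)
        elif tag == 0x17:                                # UTCTime from Validity
            found["utctime"].append(value.decode("ascii"))
        elif tag & 0x20:                                 # constructed: SEQUENCE, SET, [n]
            kids = list(_children(value))
            if tag == 0x30 and len(kids) == 2 and kids[0][0] == 0x06:   # { OID, value }
                found["attrs"].append((kids[0][1].hex(), kids[1][1].decode("latin-1")))
            _walk(value, found)


def summarize(pem):
    found = {"rsa": [], "utctime": [], "attrs": []}
    _walk(pem_to_der(pem), found)
    return {"rsa": found["rsa"][0] if found["rsa"] else None,
            "cn": [v for o, v in found["attrs"] if o == OID_CN],
            "ou": [v for o, v in found["attrs"] if o == OID_OU],
            "utctime": found["utctime"]}


if __name__ == "__main__":
    csr, cert = summarize(CSR_PEM), summarize(CERT_PEM)
    print("CSR CN:", csr["cn"], "key bits:", csr["rsa"][0].bit_length())
    print("cert CN:", cert["cn"], "issuer OU:", cert["ou"], "validity:", cert["utctime"])
    print("same key in CSR and certificate:", csr["rsa"] == cert["rsa"])
```

Running it shows the same 2048-bit modulus with e = 65537 in both objects, subject CN "Traeger IoT Device", an issuer organizational unit naming Amazon Web Services, and a validity window ending 2049-12-31, which is the default AWS IoT assigns to device certificates. Since the subject is identical on every device and the thingName travels only in the JSON, anything that binds this certificate to a specific grill has to happen on the AWS IoT side (the registered thing and its policy), not in the certificate itself.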