So thank you very much. So this is Dennis, I'm Daniel, and today we will talk about vacuum cleaners. And to be more specific: we will talk about Xiaomi vacuum cleaners. I already – there are some fans over there – apologize for mispronouncing the name of the vendor. I actually have no real idea how to pronounce it correctly.
-
Not Synced
So let's start with some numbers:
-
Not Synced
Why did we choose to pay more attention
to Xiaomi devices?
-
Not Synced
They claim to have 50 million connected
devices in 2016.
-
Not Synced
And they also say they made 1.9 billion
euros in revenue, also in 2016.
-
Not Synced
So these are already impressive numbers.
-
Not Synced
The biggest point for us was the stuff is
actually cheap as hell
-
Not Synced
when you compare it to other stuff
-
Not Synced
for example other vacuum cleaners
which cost 1000 euro
-
Not Synced
you can buy four Xiaomi vacuum cleaners
for the same amount of money
-
Not Synced
and so we chose to look into Xiaomi stuff
and then we saw this advertisement:
-
Not Synced
So they said for their vacuum cleaners
they have three different processors.
-
Not Synced
So three processors? Why do they need
three processors in a vacuum cleaner?
-
Not Synced
And my eyes were already like this.
-
Not Synced
We were really interested to know what is
going on in these vacuum cleaners.
-
Not Synced
And then we took a step back and looked
into how actual ecosystem look like.
-
Not Synced
So, in the middle of everything is
basically your smartphone app.
-
Not Synced
And then you have of course smart devices.
For example the vacuum cleaners,
-
Not Synced
or smart bulbs in the top left corner.
-
Not Synced
There are also smart water kettles or
other sensors
-
Not Synced
which are then connected via a gateway.
-
Not Synced
This shows these arrows here are dotted
which means that during the connection
-
Not Synced
phase they talk directly to the smartphone
and then after they are connected,
-
Not Synced
basically they will have a direct
connection to the Xiaomi cloud.
-
Not Synced
So there is no more communication via the
app.
-
Not Synced
They talk directly to the cloud.
-
Not Synced
And as you can see, there are also some
other techniques or protocols to use,
-
Not Synced
for example Bluetooth LE and ZigBee.
-
Not Synced
So this is already the end of my part and
then Dennis will show you more in depth
-
Not Synced
stuff about these vacuum cleaners and I
will just present you this vacuum cleaner
-
Not Synced
Thank you Daniel. So let's take a look at
the vacuum cleaner itself.
-
Not Synced
So this is again advertisement and you see
it has a lot of sensors.
-
Not Synced
So the most important one is like this
LIDAR sensor.
-
Not Synced
But it also has like a lot of infrared
sensors around the device
-
Not Synced
and which is also very interesting a
gyroscope and accelerometer.
-
Not Synced
So usually you would ask why a device
needs that, but it's actually very nice.
-
Not Synced
When we saw that it has a lot of sensors
we thought like:
-
Not Synced
Oh yeah, if we can root it why not?
-
Not Synced
And we tried a lot of things to root
this thing.
-
Not Synced
One approach was like to get some kind of
hardware access to that,
-
Not Synced
the next one was the network based
approach.
-
Not Synced
So it actually has micro USB. So we
thought: Oh yeah, simply connect via
-
Not Synced
micro USB. What could possibly go wrong?
-
Not Synced
Unfortunately, this doesn't work
-
Not Synced
because they use some kind of
authentication for that.
-
Not Synced
So that wasn't possible.
-
Not Synced
The next thing we tried to figure out
where some serial port is on the PCB.
-
Not Synced
But unfortunately, they also didn't label
that. So we had no idea.
-
Not Synced
Next idea would be: Let's connect it to
the WiFi and check for open services like
-
Not Synced
telnet or something. Usually IoT devices
love to have open telnet ports or telnet
-
Not Synced
service, but the thing was: port scan
wasn't successful. All ports are closed.
-
Not Synced
And our last approach to sniff the
network traffic was also not successful
-
Not Synced
because everything was encrypted. So that
was pretty bad.
-
Not Synced
The next thing you usually do is, you tear
this whole thing down.
-
Not Synced
So basically you unscrew everything and
take a look at the whole device.
-
Not Synced
We were very surprised that it was very
easy to disassemble this whole thing.
-
Not Synced
We think it is also well engineered in
terms of you can unplug simply the parts
-
Not Synced
without any connectors or something so
this is very nice.
-
Not Synced
The next thing what we see here is like
the PCB layout.
-
Not Synced
What you see here is the application
processor which is an ARM quad core
-
Not Synced
with 1.4 GHz – I think – per core.
-
Not Synced
There connected is also like 512 MB of RAM
– it's DDR3 RAM, if I remember.
-
Not Synced
It has also like 4 GB of flash and over
SDIO there is some WiFi module
-
Not Synced
which connects the whole thing
to the WiFi.
-
Not Synced
For all the real-time tasks, for example
the sensors were some STM32 MCU
-
Not Synced
which takes care of everything like that.
And this is an ARM Cortex M3 – probably
-
Not Synced
most of you will know.
-
Not Synced
There is also an additional MCU in the
LIDAR
-
Not Synced
which is not shown here in this picture.
-
Not Synced
If you look at the backside, you see that
there is a lot of test points
-
Not Synced
which are labeled with different marks
like test point 1,
-
Not Synced
test point 2 and everything.
-
Not Synced
The problem with that is, that it doesn't
give us any information about if there is
-
Not Synced
a UART or something.
-
Not Synced
But we figured out there that the only two
test points which didn't have a label
-
Not Synced
were actually the UART for the application
processor.
-
Not Synced
But unfortunately, if you connect to that
you don't see anything or you can't do
-
Not Synced
anything.
-
Not Synced
So next step: Okay we need to attack the
hardware somehow to get root access.
-
Not Synced
And our weapon of our choice was aluminum
foil, actually.
-
Not Synced
The idea behind that is, actually if you
look into the datasheet of the application
-
Not Synced
processor, it has some fallback mode which
is called FEL mode.
-
Not Synced
So what we did is we inserted the aluminum
foil under the BGA chip and shortcutted
-
Not Synced
the MMC data lines so the application
processor falls back into this FEL mode.
-
Not Synced
And then we can connect through USB and
upload some small tool then dumps the
-
Not Synced
complete memory content of the MMC flash.
-
Not Synced
As soon as we had the MMC flash we could
do some modifications to that
-
Not Synced
but it didn't have any checks, runtime
checks on certificates or whatever.
-
Not Synced
And then we flash it again to the chip.
-
Not Synced
Fun thing about that is exactly one layer
of aluminum foil fits under the chip.
-
Not Synced
Two are too much, actually. So you need
just one.
-
Not Synced
The idea is to just corrupt the data.
-
Not Synced
As soon as we take a look into that vacuum
cleaner image, we figured out that we use
-
Not Synced
actually Ubuntu 14.04 which was mostly
untouched in terms of the packages were
-
Not Synced
still original. And we do a lot of
patching on a regular base.
-
Not Synced
For example they closed down the
vulnerability for the VPA(?) quiet fast.
-
Not Synced
For navigation they use open source
software called Player which takes care
-
Not Synced
of all the sensors. And we have of course
like also a lot of like proprietary
-
Not Synced
software which do all communication like
the control of the commands which come
-
Not Synced
from the cloud.