tl;dr: this is a series of posts about embedded firmware hacking and reverse engineering of an IoT device, a TomTom Runner GPS Smartwatch. Slidedecks of this work will be available here when I complete this series.
...
I will show you how I hacked a TomTom Runner GPS Smartwatch, by:
-- Finding a memory corruption vulnerability exploitable via USB and possibly Bluetooth (if paired);
-- Taking advantage of said vulnerability to gain access to its encrypted firmware;
-- Doing all this without ever laying a screwdriver near the device (no physical tampering).

After reading about the epic hacking of the Chrysler Jeep by Charlie Miller and Chris Valasek, and getting to watch their talk at Defcon this year (seriously, go watch it if you haven't already), I felt really jealous because I wanted to be able to do that, so I got to work.
(Score: 4, Interesting) by VLM on Wednesday November 18 2015, @10:51PM
Nice story. Dude was lucky times a zillion.
Someone else wrote ttwatch to mess with raw memory files and the protocol doesn't care about auth. The firmware itself is encrypted but not write access to memory. So you can load whatever you want on. Lucky dude. The memory writer could have demanded any block of memory written pass the AES checksum before writing it, which it doesn't. From memory there was at least one model of commercial-level cisco router that wouldn't burn a flash unless the firmware was valid FIRST.
The firmware authors messed up string reading when reading the language i18n file. Lucky dude. This will be easy for the firmware guys to patch around; of course, just downgrade to an older firmware that's vulnerable and you're in. Someday people will no longer program "stuff" in C or other buffer overflow languages other than kernels; till then about half of them are pownable. Seriously, it's current year, how do you get powned on string handling in current year?
The crash logs are plain text unencrypted so he could mess with stuff and watch the delta in the logs till he got what he wanted. Why doesn't the mfgr encrypt panic dump logs? They could use a different key from the firmware of course. Lucky dude.
For reasons I missed when I skimmed thru (I didn't exactly study the datasheets he did) the PC (that'd be program counter not a desktop...) got loaded by what he stuffed in memory. Why? Lucky dude. Usually not that easy to manipulate stuff and he implied his first try worked, or I misread, I guess.
Of course you tend not to hear about pownership of this level other than endless strings of "lucky dude" so by a survivorship bias the story being cool kinda implies he's a very lucky dude. And it also implies if I tried to pown my fitbit there are two likely true statements 1) I will personally fail 2) the internet being infinitely large and having infinite devices means someone out there will succeed at powning something.
Now why a running watch needs AES encryption of the firmware is mysterious. Maybe they sell the same hardware and software package to the prison industrial complex for house arrest bracelets, who knows. Or maybe they've got plans to do so.
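A defender's view of the string-reading defect VLM points at, as an added example that is neither the article's code nor TomTom's firmware: the language-file layout below is hypothetical (one count byte, then length-prefixed entries), and the reader rejects any entry whose file-supplied length exceeds either the bytes left in the file or the fixed label buffer, which is the check a file-trusting reader omits.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical language-file layout, NOT TomTom's real format:
 * [u8 count] followed by `count` entries of [u8 len][len bytes, no NUL]. */
enum { I18N_OK = 0, I18N_ERR_TRUNCATED = -1, I18N_ERR_TOO_LONG = -2, I18N_ERR_NO_ENTRY = -3 };

/* Copy entry `index` into `out` as a NUL-terminated string. Every length
 * read from the file is checked against the bytes left in the file and
 * against the destination buffer before a single byte is copied. */
int i18n_get_string(const uint8_t *blob, size_t blob_len, size_t index,
                    char *out, size_t out_len)
{
    if (blob_len < 1) return I18N_ERR_TRUNCATED;
    size_t count = blob[0], pos = 1;
    if (index >= count) return I18N_ERR_NO_ENTRY;
    for (size_t i = 0; i < count; i++) {
        if (pos >= blob_len) return I18N_ERR_TRUNCATED;      /* length byte missing */
        size_t len = blob[pos++];
        if (len > blob_len - pos) return I18N_ERR_TRUNCATED; /* entry runs past EOF */
        if (i == index) {
            /* The bound a file-trusting reader forgets: the length comes
             * from the file, the buffer size comes from the firmware. */
            if (len >= out_len) return I18N_ERR_TOO_LONG;
            memcpy(out, blob + pos, len);
            out[len] = '\0';
            return I18N_OK;
        }
        pos += len;
    }
    return I18N_ERR_NO_ENTRY;
}

/* Constructed sample file: two sane entries and one 40-byte entry that
 * does not fit a 16-byte label buffer. */
#define A8 'A','A','A','A','A','A','A','A'
const uint8_t sample_blob[] = {
    3,
    5, 'S','t','a','r','t',
    4, 'S','t','o','p',
    40, A8, A8, A8, A8, A8
};
char i18n_label[16]; /* fixed-size destination, as a firmware would have */

int main(void)
{
    for (size_t i = 0; i < 4; i++) {
        int rc = i18n_get_string(sample_blob, sizeof sample_blob, i, i18n_label, sizeof i18n_label);
        printf("entry %zu: rc=%d %s\n", i, rc, rc == I18N_OK ? i18n_label : "(rejected)");
    }
    return 0;
}
```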
(Score: 1) by driverless on Friday November 20 2015, @08:25AM
There is a bit of stereotyping going on there though. From TFA:
Next thing to do is to put this payload inside the watch. We load this into the German language file and then point to it using the pointer that’s being used for the jump (4th double-word from the second file).
You want to carry out an invasion, you enlist the Germans to do it...