<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom"><channel><title>Philips-Hue on Colin O'Flynn</title><link>https://colinoflynn.com/tag/philips-hue/</link><description>Recent content in Philips-Hue on Colin O'Flynn</description><generator>Hugo</generator><language>en-ca</language><lastBuildDate>Sat, 18 Feb 2023 01:48:02 +0000</lastBuildDate><atom:link href="https://colinoflynn.com/tag/philips-hue/index.xml" rel="self" type="application/rss+xml"/><item><title>Philips Hue, AES-CCM, and more!</title><link>https://colinoflynn.com/2016/11/philips-hue-aes-ccm-and-more/</link><pubDate>Thu, 03 Nov 2016 00:55:25 +0000</pubDate><guid>https://colinoflynn.com/2016/11/philips-hue-aes-ccm-and-more/</guid><description>&lt;p&gt;This is just a quick blog post to update you on some rather interesting research that will be coming out led by &lt;a href="http://eyalro.net"&gt;Eyal Ronen&lt;/a&gt;. At Black Hat USA 2016 I did some teardown of the Philips Hue system, and described the &lt;em&gt;possibility&lt;/em&gt; of a lightbulb worm.
Check this &lt;a href="http://iotworm.eyalro.net/"&gt;landing page which now has a draft PDF of what that became&lt;/a&gt;. This draft paper details how you can (1) recover the encryption keys used to encrypt the firmware updates, and thus encrypt/sign your own images, and (2) details a bug specific to a version of a range-checking protocol which allows reflashing of bulbs over longer distances. The end result is this basically solves all the roadblocks I had identified as stopping the lighbulb worm from actually happening [NB: the distance-check bug has been FIXED already in firmware updates which solves this specific spreading vector].
To me the most interesting part is a demonstration of side-channel power analysis being useful for breaking a &lt;em&gt;rather good encrypted bootloader&lt;/em&gt;. To be clear the Philips Hue does a great job of implementing a bootloader on an IoT device&amp;hellip; it&amp;rsquo;s one of the better I&amp;rsquo;ve seen, especially considering we are talking about a lightbulb. But it&amp;rsquo;s very very difficult to hide from side-channel power analysis and other &amp;ldquo;hands on&amp;rdquo; embedded hardware attacks, instead it&amp;rsquo;s better (but more expensive logistically) to push the solutions to the higher-level architecture. If each bulb had a unique encryption key (&lt;em&gt;maybe&lt;/em&gt; derived from the MAC address using an algorithm on a secure server if you don&amp;rsquo;t want to store all those keys) it would provide an excellent layer of defense.
I&amp;rsquo;m working on making a description of the AES-CCM attack, which will be posted to the &lt;a href="https://wiki.newae.com/AES-CCM_Attack"&gt;wiki page&lt;/a&gt;.&lt;strong&gt;Q: What does that mean to someone using Hue, is it safe?&lt;/strong&gt;
&lt;strong&gt;A:&lt;/strong&gt; Philips released a OTA update to fix the bug that allows spreading over longer distances (October 3rd update). This is a great example of a fast response by a company who takes this stuff seriously. Basically - if I was choosing a smart light platform, I&amp;rsquo;d probably use Hue (I have a few of them in my house too).
 
&lt;strong&gt;Q: What&amp;rsquo;s power analysis?&lt;/strong&gt;
**A:**This isn&amp;rsquo;t a FAQ type answer - but you can see an &lt;a href="https://www.youtube.com/watch?v=OlX-p4AGhWs"&gt;intro video&lt;/a&gt; I made. Basically we use tiny variations in power consumption of a device as it&amp;rsquo;s running to determine information about secrets held within the device.
 
&lt;strong&gt;Q: What if I want more information?&lt;/strong&gt;
**A:**Please contact Eyal for more details, if you want to discuss specific questions, etc. Note the Philips-specific details (such as scripts, keys, etc) will never be released, please don&amp;rsquo;t ask for them.
 
&lt;strong&gt;Q: Does a worm exist?&lt;/strong&gt;
&lt;strong&gt;A:&lt;/strong&gt; NO. It would be extremely reckless to make such a worm, as it would be VERY hard to contain the spread should you have a bunch of Hue devices around you. Instead that research paper demo&amp;rsquo;d all the pieces, but stopped short of putting them together (we wouldn&amp;rsquo;t want a criticality accident).&lt;/p&gt;</description></item><item><title>Philips Hue - R.E. Whitepaper from Black Hat 2016</title><link>https://colinoflynn.com/2016/08/philips-hue-r-e-whitepaper-from-black-hat-2016/</link><pubDate>Thu, 04 Aug 2016 14:37:33 +0000</pubDate><guid>https://colinoflynn.com/2016/08/philips-hue-r-e-whitepaper-from-black-hat-2016/</guid><description>&lt;p&gt;At Black Hat 2016 I presented on some reverse engineering of the Philips Hue (also see &lt;a href="https://colinoflynn.com/2016/07/getting-root-on-philips-hue-bridge-2-0/"&gt;my other post about getting root on it&lt;/a&gt;, which was part of that presentation).&lt;/p&gt;
&lt;p&gt;If you were at the talk, you would have also seen mention that you'll want to keep your eyes out for future publications by Eyal Ronen. You can see &lt;a href="http://www.wisdom.weizmann.ac.il/~eyalro/"&gt;his website for more research related to the Hue &lt;/a&gt;as well, and follow him on twitter @eyalr0. He's been doing some work in parallel that I think will do more than just R.E. the bulbs (as I did), and actually bring some of my `possible' attacks to become real proof-of-concepts.&lt;/p&gt;</description></item><item><title>Getting Root on Philips Hue Bridge 2.0</title><link>https://colinoflynn.com/2016/07/getting-root-on-philips-hue-bridge-2-0/</link><pubDate>Tue, 12 Jul 2016 16:00:00 +0000</pubDate><guid>https://colinoflynn.com/2016/07/getting-root-on-philips-hue-bridge-2-0/</guid><description>&lt;p&gt;This post will briefly show you how to get a root console on the new Philips Hue Bridges (the square ones). It's rather easy, the only special tools you require are a USB-Serial cable &amp;amp; a torx screwdriver.&lt;/p&gt;
&lt;p&gt;&lt;a href="https://colinoflynn.com/wp-content/uploads/2016/07/P1080978.jpg"&gt;&lt;img class="alignnone size-medium wp-image-711" src="https://colinoflynn.com/wp-content/uploads/2016/07/P1080978-300x240.jpg" alt="P1080978" width="300" height="240"&gt;&lt;/a&gt;&lt;/p&gt;
&lt;p&gt;There's a video with full details, this post is just the specifics if you don't want a very boring walk-through:&lt;/p&gt;
&lt;div class="embed embed--video"&gt;&lt;iframe src="https://www.youtube-nocookie.com/embed/hi2D2MnwiGM" title="YouTube video" loading="lazy" allowfullscreen frameborder="0"&gt;&lt;/iframe&gt;&lt;/div&gt;
&lt;ol&gt;
 	&lt;li&gt;For the serial cable (a standard 3.3V type one, DO NOT use a 5V cable), there is a 6-pin header along the bottom. Pin '1' has a square footprint, and counting from pin 1 the connections are:
&lt;pre&gt;Pin 1 = GND
Pin 4 = RX In (connect to TX Out of your serial cable)
Pin 5 = TX Out (connect to RX in of your serial cable).&lt;/pre&gt;
&lt;a href="https://colinoflynn.com/wp-content/uploads/2016/07/P1080980.jpg"&gt;&lt;img class="alignnone size-medium wp-image-709" src="https://colinoflynn.com/wp-content/uploads/2016/07/P1080980-259x300.jpg" alt="P1080980" width="259" height="300"&gt;&lt;/a&gt;&lt;/li&gt;
 	&lt;li&gt;The bottom left-corner of the 2-row header is GND. You'll have to short that with a wire to the following test point:
&lt;figure&gt;&lt;a href="https://colinoflynn.com/wp-content/uploads/2016/07/P1080981.jpg"&gt;&lt;img class="wp-image-708 size-medium" src="https://colinoflynn.com/wp-content/uploads/2016/07/P1080981-300x261.jpg" alt="P1080981" width="300" height="261"&gt;&lt;/a&gt;&lt;figcaption&gt;This test-point is shorted to GND with a paper-clip or wire. Click image for full-sized to see in better detail.&lt;/figcaption&gt;&lt;/figure&gt;&lt;/li&gt;
 	&lt;li&gt;To get the system working, check you are getting boot messages. Now, restart the system and after you get a bit of output, short the pin. You might see some output like this:
&lt;pre&gt;U-Boot 1.1.4 (Sep&amp;nbsp; 8 2015 - 04:08:21)
&lt;p&gt;bsb002 - Honey Bee 2.0DRAM: &amp;nbsp;&lt;br /&gt;
sri&lt;br /&gt;
Honey Bee 2.0&lt;br /&gt;
ath_ddr_initial_config(195): (16bit) ddr2 init&lt;br /&gt;
tap = 0x00000003&lt;br /&gt;
Tap (low, high) = (0x8, 0x22)&lt;br /&gt;
Tap values = (0x15, 0x15, 0x15, 0x15)&lt;br /&gt;
64 MB&lt;br /&gt;
Top of RAM usable for U-Boot at: 84000000&lt;br /&gt;
Reserving 214k for U-Boot at: 83fc8000&lt;br /&gt;
Reserving 192k for malloc() at: 83f98000&lt;br /&gt;
Reserving 44 Bytes for Board Info at: 83f97fd4&lt;br /&gt;
Reserving 36 Bytes for Global Data at: 83f97fb0&lt;br /&gt;
Reserving 128k for boot params() at: 83f77fb0&lt;br /&gt;
Stack Pointer at: 83f77f98&lt;br /&gt;
Now running in RAM - U-Boot at: 83fc8000&lt;br /&gt;
Flash Manuf Id 0xc8, DeviceId0 0x40, DeviceId1 0x13&lt;br /&gt;
flash size 0MB, sector count = 8&lt;br /&gt;
Flash: 512 kB&lt;br /&gt;
*** Warning *** : PCIe WLAN Module not found !!!&lt;br /&gt;
In:&amp;nbsp;&amp;nbsp;&amp;nbsp; serial&lt;br /&gt;
Out:&amp;nbsp;&amp;nbsp; serial&lt;br /&gt;
Err:&amp;nbsp;&amp;nbsp; serial&lt;br /&gt;
Net:&amp;nbsp;&amp;nbsp; ath_gmac_enet_initialize...&lt;br /&gt;
Fetching MAC Address from 0x83febe80&lt;br /&gt;
Fetching MAC Address from 0x83febe80&lt;br /&gt;
ath_gmac_enet_initialize: reset mask:c02200 &lt;br /&gt;
Scorpion ----&amp;gt;S27 PHY*&lt;br /&gt;
S27 reg init&lt;br /&gt;
: cfg1 0x800c0000 cfg2 0x7114&lt;br /&gt;
eth0: 00:03:7f:11:20:ce&lt;br /&gt;
athrs27_phy_setup ATHR_PHY_CONTROL 4 :1000&lt;br /&gt;
athrs27_phy_setup ATHR_PHY_SPEC_STAUS 4 :10&lt;/pre&gt;&lt;br /&gt;
Which will then fall back to a prompt:&lt;br /&gt;
&lt;pre&gt;ath&amp;gt;&lt;/pre&gt;&lt;br /&gt;
Good news! We can now get everything working for you. You can print the existing variables if you wish:&lt;br /&gt;
&lt;pre&gt;ath&amp;gt; printenv&lt;/pre&gt;&lt;br /&gt;
&lt;/li&gt;&lt;br /&gt;
 	&lt;li&gt;Set a boot delay such we can enter the menu without the boot hack:&lt;br /&gt;
&lt;pre&gt;setenv bootdelay 3&lt;/pre&gt;&lt;br /&gt;
Check it works with&lt;br /&gt;
&lt;pre&gt;printenv bootdelay&lt;/pre&gt;&lt;br /&gt;
and confirm you get a line like this:&lt;br /&gt;
&lt;pre&gt;bootdelay=3&lt;/pre&gt;&lt;br /&gt;
Finally, save the setting with:&lt;br /&gt;
&lt;pre&gt;saveenv&lt;/pre&gt;&lt;br /&gt;
You can now reset the system (use the 'reset' command), and confirm there is a count-down that gives you time to hit "enter" and get this prompt again.&lt;/li&gt;&lt;br /&gt;
 	&lt;li&gt;Now let's fix the root password. Before doing this, I suggest you keep a copy of the old value:&lt;br /&gt;
&lt;pre&gt;printenv security&lt;/pre&gt;&lt;br /&gt;
This would let you restore things back to default. Then the following will set the root password to 'toor':&lt;br /&gt;
&lt;pre&gt;setenv security '$1$3vGNd7Q3$ISqFeo1VkmQV6nyriUV0V/'&lt;/pre&gt;&lt;br /&gt;
You may have to copy this into notepad first to ensure it all fits on one line! The quotes are critical here. Again check it works with printenv, then type saveenv to store things to disk.&lt;/p&gt;</description></item></channel></rss>