Resources

People often ask me "How did you learn how to hack?" The answer: by reading. This page is a collection of the blog posts and other articles that I have accumulated over the years of my journey. Enjoy!

Adventures in Buttplug Penetration Testing- 575

Smea (posted 4 years ago)
  • Everything is on the internet, including this device: an IoT buttplug that can be controlled from the owner's phone or remotely by other people. The main user base is sex workers performing online, and the vendor holds a patent on controlling the plug via tips.
  • The plug talks to a USB dongle over BLE; the dongle plugs into a computer, and the computer is connected to the internet. The desktop application provides chat, video sending and remote control of the plugs. From the attacker's point of view there are two directions to consider: from the internet to the buttplug, and from the buttplug back to the internet. The talk covers both.
  • So how does the flow actually work under the hood? The application is built in Electron, so its JavaScript is at most partially obfuscated and is easy to reverse. While examining the update mechanism, the firmware binary for the USB dongle turned up stored locally on the computer. The dongle itself still has test points populated, so soldering a few wires onto it is enough to debug it dynamically.
  • The plug exposes an SWD (Serial Wire Debug) port, which makes debugging it easy and also allowed its firmware to be dumped.
  • The JSON parser in the USB dongle firmware mishandles escape sequences. On a \u (unicode) escape the parser unconditionally skips six bytes. If the escape is truncated (the string ends after something like \u12), that skip steps over the null terminator, and the copy continues past the end of the string into whatever follows it in memory, writing more than the allocated string length.
  • The dongle firmware has no binary protections (NX, ASLR, etc.). The parser places JSON data on the heap, and by poisoning the freelist forward (fd) pointer of a chunk in the firmware's custom allocator, attacker data can be written to an arbitrary address. From there, controlling execution flow and running shellcode is trivial. The dongle's DFU (device firmware update) mode can then be used to get code execution on the device. USB dongle compromised!
  • The DFU mode on the buttplug is insecure as well. With control over the USB dongle, an attacker can send the plug an update command and take it over too. That could be used for ransomware or to physically hurt the person wearing it. With code execution on both the dongle and the plug, can the chain be reached from the internet?
  • The Electron application's handling of dongle messages does a few things, and the one of interest is the debug log. That function logs incoming serial data to console.log and also inserts the contents into a new DOM element. Because the data is not sanitized, this gives JavaScript execution, i.e. XSS. XSS in an Electron app means code execution in the context of the application!
  • Payloads are limited to 32 characters, which leaves only about 10 characters of JavaScript per message once the markup is accounted for. That does not seem like much, but it is enough: create an array, push the payload into it one piece at a time, join the pieces into a string, and finally eval it. It takes a while, but it works!
  • That still was not enough: they also wanted to compromise the USB dongle from the buttplug. The dongle runs an entire BLE stack supplied by the chip vendor. One routine iterates over a statically sized buffer according to the number of BLE handles in the incoming data, but that count is never validated, which gives a straightforward stack buffer overflow.
  • Since the dongle has no binary protections, the return address saved on the stack by the vulnerable function can be overwritten with data from the BLE packet, yielding arbitrary code execution on the device. Because the target runs Thumb code, the payload had to satisfy alignment constraints; they dealt with that by sending packets beforehand so that the data in the ring buffer landed at the required alignment.
  • The remote-control feature can be used to trigger the same dongle bug as before. There is an attempt to validate the vibration amount, but the check only tests whether the value is less than 0 in JavaScript. That works for integers but NOT for strings or other objects, so the check can be bypassed entirely and one of the earlier bugs reached.
  • The chat part of the application has an XSS vulnerability as well, and since this is Electron, that again means code execution on the computer. The author notes this makes the attack wormable: every plug attached to a computer can be taken over simply by sending a message that gets rendered.
  • The author of the talk built buttplug ransomware and demoed it live! This was hilarious to see. The speaker was a tad awkward but had amazing visuals throughout the presentation.
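The truncated \u escape bug in the dongle's JSON parser, as an added example rather than code from the talk or the vendor: a minimal string unescaper that skips six bytes on every \u, beside a version that validates the four hex digits first. The memory image (a string ending in \u12, its NUL, then 16 bytes that happen to follow it), the buffer sizes and the function names are all constructed for this demo; the vulnerable variant caps its writes so the example itself stays memory-safe and instead reports how many bytes it tried to write.

```c
/* Added example, not the talk's or the vendor's code. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Decode four hex digits at p; -1 if any is not hex (a NUL fails here too). */
static int hex4(const char *p, unsigned *cp) {
    unsigned v = 0;
    for (int i = 0; i < 4; i++) {
        char c = p[i];
        unsigned d;
        if (c >= '0' && c <= '9')      d = (unsigned)(c - '0');
        else if (c >= 'a' && c <= 'f') d = (unsigned)(c - 'a' + 10);
        else if (c >= 'A' && c <= 'F') d = (unsigned)(c - 'A' + 10);
        else return -1;
        v = (v << 4) | d;
    }
    *cp = v;
    return 0;
}

/* Vulnerable: "\u" always advances six bytes, so "\u12<NUL>" has its NUL
 * stepped over and the copy runs on into the bytes after the string.
 * Other escapes are omitted for brevity. Writes are capped at outcap for
 * the demo; the return value is how many bytes it *tried* to write. */
static size_t unescape_vuln(const char *in, char *out, size_t outcap) {
    size_t n = 0;
    while (*in) {
        char c = *in;
        if (c == '\\' && in[1] == 'u') {
            unsigned cp = 0;
            hex4(in + 2, &cp);   /* result ignored: no validation at all */
            c = (char)cp;        /* low byte only; a real parser emits UTF-8 */
            in += 6;             /* the unconditional skip */
        } else {
            in++;
        }
        if (n < outcap) out[n] = c;
        n++;
    }
    return n;
}

/* Fixed: verify the four hex digits before consuming them and bound the
 * output. Returns the decoded length, or -1 on a truncated/invalid escape
 * or an output buffer that is too small. */
static long unescape_fixed(const char *in, char *out, size_t outcap) {
    size_t n = 0;
    while (*in) {
        char c = *in;
        if (c == '\\' && in[1] == 'u') {
            unsigned cp;
            if (hex4(in + 2, &cp) != 0) return -1;  /* "\u12<NUL>" stops here */
            c = (char)cp;
            in += 6;                                /* safe: six bytes verified */
        } else {
            in++;
        }
        if (n + 1 >= outcap) return -1;
        out[n++] = c;
    }
    out[n] = '\0';
    return (long)n;
}

/* Constructed memory image: the string "\u12", its NUL, then 16 bytes that
 * sit after it (on the dongle: adjacent heap data the attacker can shape). */
static const char demo_mem[] = "\\u12\0AAAAAAAAAAAAAAAA";

/* What a caller would allocate for the decoded string: strlen + NUL. */
size_t nominal_alloc(void) { return strlen(demo_mem) + 1; }

/* Bytes the vulnerable unescaper tries to write into that allocation. */
size_t vuln_bytes_written(void) {
    char scratch[64];
    return unescape_vuln(demo_mem, scratch, sizeof scratch);
}

/* The fixed unescaper rejects the same input. */
long fixed_result(void) {
    char scratch[64];
    return unescape_fixed(demo_mem, scratch, sizeof scratch);
}

/* ...and still decodes a well-formed escape: "\u0041BC" -> "ABC". */
long fixed_valid_demo(void) {
    char scratch[64];
    long n = unescape_fixed("\\u0041BC", scratch, sizeof scratch);
    return (n == 3 && strcmp(scratch, "ABC") == 0) ? n : -2;
}

int main(void) {
    printf("allocated %zu bytes, vulnerable parser wants to write %zu\n",
           nominal_alloc(), vuln_bytes_written());
    printf("fixed parser on the same input: %ld\n", fixed_result());
    return 0;
}
```

The point of the demo is the gap between the 5 bytes the caller sized its buffer for and the 16 the parser actually emits: the single `in += 6` is enough to turn a truncated escape into a heap overflow whose length is set by whatever the attacker has placed after the string.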
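The unchecked handle count in the dongle's vendor BLE stack, as an added example (not the talk's or the vendor's code): a routine that copies as many 16-bit handles as the packet's count byte says into a fixed-size buffer, beside a version that bounds the count by both the buffer capacity and the packet length. To keep the example well-defined C, the "stack frame" is simulated as an array in which the four handle slots are followed by a saved return address split into two 16-bit halves; the packet format, the capacity of four, the address values and the function names are all assumptions made for the demo.

```c
/* Added example, not the talk's or the vendor's code. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define MAX_HANDLES 4                       /* assumed static buffer size */
#define FRAME_WORDS (MAX_HANDLES + 2)       /* handles + 32-bit return slot */
#define LEGIT_RET   0x0800A001u             /* assumed Thumb address in flash */

/* Vulnerable: trusts the count byte from the packet.
 * Packet layout (assumed): [count][handle0 lo][handle0 hi][handle1 lo]... */
static void fill_handles_vuln(uint16_t *handles, const uint8_t *pkt) {
    uint8_t count = pkt[0];
    for (size_t i = 0; i < count; i++)      /* no check against MAX_HANDLES */
        handles[i] = (uint16_t)(pkt[1 + 2 * i] | (pkt[2 + 2 * i] << 8));
}

/* Fixed: bound the count by the destination capacity and the packet length. */
static int fill_handles_fixed(uint16_t *handles, size_t cap,
                              const uint8_t *pkt, size_t len) {
    if (len < 1) return -1;
    uint8_t count = pkt[0];
    if (count > cap || len < 1 + 2 * (size_t)count) return -1;
    for (size_t i = 0; i < count; i++)
        handles[i] = (uint16_t)(pkt[1 + 2 * i] | (pkt[2 + 2 * i] << 8));
    return count;
}

/* Read the simulated saved return address (little-endian halves). */
static uint32_t frame_ret(const uint16_t *frame) {
    return (uint32_t)frame[MAX_HANDLES] |
           ((uint32_t)frame[MAX_HANDLES + 1] << 16);
}

/* Constructed attacker packet: count = 6, four filler handles, then the two
 * halves of 0x20001001 (an assumed RAM address with the Thumb bit set) that
 * land exactly on the return slot. Counts above 6 would leave the simulated
 * frame and are not valid for this demo. */
static const uint8_t evil_pkt[] = {
    6,
    0x01, 0x00, 0x02, 0x00, 0x03, 0x00, 0x04, 0x00,
    0x01, 0x10,   /* low half  0x1001 */
    0x00, 0x20    /* high half 0x2000 */
};

/* A benign packet with two handles. */
static const uint8_t good_pkt[] = { 2, 0x01, 0x00, 0x02, 0x00 };

/* Return address left in the simulated frame after the vulnerable parse. */
uint32_t ret_after_vuln(void) {
    uint16_t frame[FRAME_WORDS] = {0};
    frame[MAX_HANDLES]     = LEGIT_RET & 0xFFFF;
    frame[MAX_HANDLES + 1] = LEGIT_RET >> 16;
    fill_handles_vuln(frame, evil_pkt);     /* writes frame[4] and frame[5] */
    return frame_ret(frame);
}

/* The fixed parser refuses the same packet... */
int fixed_rejects(void) {
    uint16_t frame[FRAME_WORDS] = {0};
    return fill_handles_fixed(frame, MAX_HANDLES, evil_pkt, sizeof evil_pkt);
}

/* ...and still accepts a well-formed one. */
int fixed_accepts(void) {
    uint16_t frame[FRAME_WORDS] = {0};
    return fill_handles_fixed(frame, MAX_HANDLES, good_pkt, sizeof good_pkt);
}

int main(void) {
    printf("return slot before: 0x%08x, after vulnerable parse: 0x%08x\n",
           (unsigned)LEGIT_RET, (unsigned)ret_after_vuln());
    printf("fixed parser on the same packet: %d\n", fixed_rejects());
    return 0;
}
```

With the fixed routine the attacker's count of 6 is rejected before any copy happens; with the vulnerable one the two extra handles overwrite the return slot with the attacker's Thumb address, which is the primitive the notes describe being used for code execution on the dongle.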