[VB 2016] Mobile Applications: a Backdoor into Internet of Things?

Smart watches, wearable cameras, fitness wristbands, skin exposure detectors, connected T-shirts, shoes, etc.: there are so many connected objects nowadays, and new ideas flourishing every day. For us as security researchers, this also means exciting new topics to work on, especially because products often reach the market without proper security. However, there is an issue: studying and reversing the Internet of Things (IoT) is honestly really difficult.


Nearly every product has its own custom hardware, firmware, operating system, protocols, etc. So each time you investigate a given product, it is like starting from scratch in a completely new domain. The first steps are slow and painful: gather the equipment, start research with close to no help from the community (no tools, no documentation...), try, fail, try again, look for help (and usually don't find any), try again, etc.


There is an easier way in. IoT devices often come with a mobile companion application, for example a mobile application to manage the device. I have already investigated several different devices: smart glasses, a smart watch, a home safety alarm, connected doorbells and toothbrushes. In all cases, the equipment had a related mobile application. So instead of starting the investigation with a multimeter, a microscope or the disassembly of an unknown firmware format, I show that it is far easier (especially for a mobile anti-virus researcher) to reverse the mobile application first, grab information and only afterwards continue with other reversing techniques if necessary. I arm myself with known off-the-shelf tools such as adb, apktool, baksmali, JEB and IDA Pro and get valuable information from the application in no time.


To illustrate my point, I present the results of this methodology on several devices. For example, the reversing of Beam's toothbrush application makes an excellent case. Reversing the toothbrush itself would have been difficult: the device is small and there is no public documentation. The disassembly of the mobile apps proved to be useful. We quickly learnt, for instance, that there is a gyroscope or an accelerometer on board. We also saw that the communication with the toothbrush occurs through Bluetooth Low Energy, and identified services and characteristics which are open for firmware updating or reading data. The same findings would have taken months to reach without the analysis of the mobile application.
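As an added illustration of this approach (not code from the talk or from any vendor's app), the Python script below inventories Bluetooth Low Energy UUIDs in smali text of the kind apktool/baksmali produce, and separates UUIDs in the Bluetooth SIG base range from vendor-specific ones, which are where custom functions such as firmware update usually need review. The smali excerpt, the class name and the vendor UUID are constructed for the example, and the assigned-numbers table is a small excerpt.

```python
import re

# 16-bit Bluetooth SIG numbers expand to 0000xxxx-0000-1000-8000-00805f9b34fb.
BASE_SUFFIX = "-0000-1000-8000-00805f9b34fb"
# Small excerpt of the Bluetooth SIG Assigned Numbers list.
ASSIGNED = {
    0x180A: "Device Information service",
    0x180F: "Battery service",
    0x2A19: "Battery Level characteristic",
}
H = "[0-9a-fA-F]"
UUID_RE = re.compile(
    rf'const-string(?:/jumbo)?\s+\w+,\s*"({H}{{8}}-{H}{{4}}-{H}{{4}}-{H}{{4}}-{H}{{12}})"')

# Constructed smali excerpt; the class name and the vendor UUID are made up.
SAMPLE = '''
.class public Lcom/example/brush/GattProfile;
.method static constructor <clinit>()V
    const-string v0, "0000180F-0000-1000-8000-00805f9b34fb"
    invoke-static {v0}, Ljava/util/UUID;->fromString(Ljava/lang/String;)Ljava/util/UUID;
    const-string v0, "00002a19-0000-1000-8000-00805f9b34fb"
    const-string v1, "12345678-1234-5678-1234-56789abcdef0"
    const-string v2, "not-a-uuid"
.end method
'''

def classify(uuid):
    """Label a lowercase 128-bit UUID as SIG base range or vendor-specific."""
    if uuid.startswith("0000") and uuid.endswith(BASE_SUFFIX):
        short = int(uuid[4:8], 16)
        return ASSIGNED.get(short, f"Bluetooth base range 0x{short:04X} (not in this table)")
    return "vendor-specific"

def inventory(smali_text):
    """Return unique (uuid, label, declaring class) tuples in file order."""
    found, current_class = [], None
    for line in smali_text.splitlines():
        line = line.strip()
        if line.startswith(".class"):
            current_class = line.split()[-1]  # last token is the class descriptor
        match = UUID_RE.search(line)
        if match:
            uuid = match.group(1).lower()
            entry = (uuid, classify(uuid), current_class)
            if entry not in found:
                found.append(entry)
    return found

if __name__ == "__main__":
    print(*inventory(SAMPLE), sep="\n")
```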


We will also discuss Sony's SmartWatch 2, which is open to third-party applications, known as "smart extensions". The architecture is quite interesting because the watch does not actually "run" any code, it only displays it. The whole processing is delegated to the smartphone the watch is paired with. For anti-virus protection, this is good news, because smart extensions can be scanned for viruses like any other mobile application with existing anti-virus products.


Finally, in the worst cases, the mobile application itself is a threat to the connected object's security. This is what we noticed with an application for a home safety alarm. Its mobile application weakly protects credentials — a vulnerability which was reported to the vendor, of course. Unfortunately, the mobile application puts the main security password, phone number and emergency line at risk and, in this way, only helps a burglar control the alarm. In this very case, the mobile application worsens security. It is a good example to remind vendors and developers to review the security of their apps and products.