Exfiltrating data through the RGB color of an IoT device in an air-gapped network using the Tuya API

Everything started when the organizers of Hackfest Tunisia 2020, the Tunisian national hacking event, announced this year's IoT challenge: a challenge where we would have access to the actual hardware.

We were driven by the eagerness to manipulate and hack a real IoT device for the first time. After a few days the excitement grew even more, when we received our test smart plug from Maxcio together with the challenge description.

Specification:

  • AC 100–240 V, 50/60 Hz
  • 2200 W max.
  • 2.4 GHz IEEE 802.11 b/g/n
  • USB: DC 5 V, 2.1 A max.
  • -20 °C to +50 °C
  • LED color: RGB + white (2700–6000 K)

Challenge description:

IOTIX is a cybersecurity consulting firm that obtains most of the military and defense contracts of the Iotland country. Given the sensitive nature of its business, IOTIX uses full air-gap separation of its internal networks, ensuring that no data is disclosed through public connections. A recent CEO policy requires the company to replace electronic equipment with connected ones: coffeemakers, refrigerators, light bulbs and outlets. To respect this order, IOTIX has installed connected sockets in the offices, which are connected to their internal network. As part of the Hackfest IoT Hacking competition, you are tasked with harnessing these newly installed smart plugs to exfiltrate the secrets of Iotland, bridging the IOTIX air-gap networks.

The command-and-control application for this smart plug is a mobile app called Smart Life - Smart Living (available on Android and iOS).

Our first goal was to understand the communication protocol between the mobile app and the device, so we started by reverse-engineering the mobile application. This showed us how the app sends Wi-Fi credentials to the device in order to join it to the internal network.
This step relies on the Smart Config mechanism used by ESP-based devices. In this mechanism the application encodes the Wi-Fi credentials in the sizes of the packets it sends as UDP broadcasts on the network. Meanwhile the smart plug stays in Smart Config mode and sniffs frames over the air: it is not yet on the network and cannot read the frame contents, but the frame lengths are visible to it, so it recovers the credentials from the lengths alone. The security-relevant consequence is that anyone within radio range who sniffs during the pairing window sees exactly the same frame lengths and can recover the credentials the same way. The following Wireshark capture confirms the broadcast:
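To make the "credentials in the packet length" idea concrete, here is a minimal model of the mechanism, written as an added example for this article. It is not the authors' code and not the real ESP-Touch/Tuya Smart Config codec: the BASE_LEN offset, the sync preamble and the length-prefixed framing are assumptions chosen for illustration, and the real protocol has its own encoding and checksums. What the model does show is the property that matters: the listener never sees a single payload byte, only frame sizes, and still walks away with the SSID and password.

```python
# Added example (not the authors' code, not the real ESP-Touch/Tuya codec):
# a minimal model of "credentials carried in packet length". BASE_LEN,
# PREAMBLE and the length-prefixed framing are assumptions for illustration.

BASE_LEN = 40            # assumed minimum UDP payload length
PREAMBLE = [1, 2, 3, 4]  # assumed sync pattern, sent as values like the data


def frame_payloads(ssid, password):
    """Provisioner side (the phone app): every data byte becomes one UDP
    broadcast whose payload length is BASE_LEN + byte value. The payload
    bytes themselves carry nothing; only their count matters."""
    body = (bytes([len(ssid)]) + ssid.encode("utf-8")
            + bytes([len(password)]) + password.encode("utf-8"))
    values = PREAMBLE + list(body)
    return [b"\x00" * (BASE_LEN + v) for v in values]


def sniffed_lengths(payloads, link_overhead):
    """What a passive listener sees over the air: the size of each frame,
    inflated by a constant per-frame overhead (headers, encryption), and
    never the bytes inside."""
    return [len(p) + link_overhead for p in payloads]


def recover_credentials(lengths):
    """Listener side (the plug, or an attacker in range): find the preamble by
    its relative length pattern, derive the unknown overhead from it, then read
    the length-prefixed SSID and password. Returns None if no preamble found."""
    n_pre = len(PREAMBLE)
    expected = [p - PREAMBLE[0] for p in PREAMBLE]
    for i in range(len(lengths) - n_pre + 1):
        window = lengths[i:i + n_pre]
        if [w - window[0] for w in window] != expected:
            continue
        overhead = window[0] - BASE_LEN - PREAMBLE[0]
        data = bytes(l - BASE_LEN - overhead for l in lengths[i + n_pre:])
        n = data[0]
        ssid = data[1:1 + n].decode("utf-8")
        m = data[1 + n]
        password = data[2 + n:2 + n + m].decode("utf-8")
        return ssid, password
    return None
```

The `link_overhead` argument stands in for everything the radio adds on top of the UDP payload; the listener does not need to know it in advance, because the preamble's relative pattern lets it calibrate. That is also why no amount of Wi-Fi encryption protects this step: encryption hides contents, not sizes.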

Figure 1: Sending of Wi-Fi credentials over the air

After digging further into the mobile application, we discovered that the app can also talk to the smart plug locally over the internal network. All we needed was to intercept the local key (the AES-128-ECB key used to encrypt the local traffic) and the device ID (the identifier of the device).
These parameters are sent to the cloud during the remote binding of the device. The scenario is summarized in the following picture:

Figure 2 : Remote binding scenario

So all we had to do was mount a MitM attack to intercept these parameters and then try to connect to the device. We installed an AnyProxy server on our PC, configured the proxy on our phone, and intercepted the pair (local key, device ID).

During our reverse engineering we located the Tuya package inside the mobile application. While looking for public documentation on that package, we came across research by the company VTRUST, who had built a whole API that lets people communicate with and flash Tuya devices. To save time we used this API to communicate with the device, and it worked smoothly.

Now it was time to understand which parameter values we could send to manipulate the device.

To achieve this, we changed the state of the smart plug from the mobile application, fetched the device's JSON state through the Tuya API, and compared it with the previous state in order to locate the fields that had changed.
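The differential approach above (change one thing in the app, read the state twice, look at what moved) is easy to automate. The following is an added example, not the authors' script: a recursive diff over two decoded JSON states that reports every leaf that changed, with an `ignore` list for fields that move on every read (such as a timestamp). The two sample documents are constructed; the device ID and the data-point numbers "1", "20" and "24" are placeholders and say nothing about the Maxcio plug's real data-point map.

```python
# Added example (not the authors' code): locate which fields of a JSON device
# state changed between two reads. Sample documents are constructed and the
# data-point numbers are placeholders, not the plug's real map.
import json

_ABSENT = "<absent>"   # marker for a key present on one side only


def diff_state(old, new, path=""):
    """Recursively compare two decoded JSON values.
    Returns {json_path: (old_value, new_value)} for every leaf that differs;
    a key missing on one side is reported with the value "<absent>"."""
    changes = {}
    if isinstance(old, dict) and isinstance(new, dict):
        for key in sorted(set(old) | set(new)):
            changes.update(diff_state(old.get(key, _ABSENT), new.get(key, _ABSENT),
                                      "%s/%s" % (path, key)))
    elif isinstance(old, list) and isinstance(new, list) and len(old) == len(new):
        for i, (a, b) in enumerate(zip(old, new)):
            changes.update(diff_state(a, b, "%s[%d]" % (path, i)))
    elif old != new:
        changes[path or "/"] = (old, new)
    return changes


def locate_changed_fields(before_json, after_json, ignore=()):
    """Parse two raw responses and return a sorted list of (path, old, new),
    dropping any path listed in `ignore` (e.g. a timestamp that always moves)."""
    diff = diff_state(json.loads(before_json), json.loads(after_json))
    return sorted((p, o, n) for p, (o, n) in diff.items() if p not in ignore)


# Constructed samples: state before and after switching the LED to a purple
# colour in the app. "24" holds a colour as a hex string in this toy model.
BEFORE = ('{"devId":"0123456789abcdef","t":1600000000,'
          '"dps":{"1":true,"20":"white","24":"000003e803e8"}}')
AFTER = ('{"devId":"0123456789abcdef","t":1600000003,'
         '"dps":{"1":true,"20":"colour","24":"010e03e803e8"}}')

if __name__ == "__main__":
    for path, old, new in locate_changed_fields(BEFORE, AFTER, ignore=("/t",)):
        print("%-10s %r -> %r" % (path, old, new))
```

Run it once per action you perform in the app (switch on, switch off, pick a colour) and the paths that show up are the data points you need to drive from the PC; anything that also shows up when you do nothing belongs in `ignore`.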

Once we understood the data structure, we could control the whole device from our PC. But the air-gapped network remains the obstacle: the plug can be commanded from the inside, yet nothing on the internal network reaches the outside, so we need a covert channel to exfiltrate the data.

The first question we asked: could we exfiltrate data through the USB port of the IoT device?

Unfortunately, data transmission over the USB port is not enabled by the firmware; the port exists only to power other devices. The only way to exfiltrate data through USB would be to flash a modified firmware, which would take too much time.

To speed things up we looked for another solution: transmitting the data through the device's RGB LED.

Hmm, that's a good idea! But how can we receive the data? And how do we do the image processing, especially since the light in our environment changes every second?

In this case we need to think about receiving before transmitting, so we started by researching the basics of communication methods.

Let's list the components that take part in this communication:

  • Data to transmit ("The S in IoT stands for Secure")
  • Transmitter: a personal computer running a Tuya API script that commands the smart plug
  • The smart plug with its RGB LED
  • Receiver: a mobile or professional camera that decodes the data
  • The ambient light of the room

Listing the components brought out four main problems:

  • How can the receiver distinguish a run of identical bits (e.g. 0000000000001)?
  • A changing color could reveal the attack, so how can we keep it stealthy?
  • The room light changes (sunlight or other sources), which affects what the camera sees.
  • Real-time image processing on a mobile phone could be a problem: it is resource-hungry and can cause dropped or delayed frames during reception.

Solving the first problem

A long run of the same bit can desynchronize the receiver and lose data. That is why we use Manchester coding for the modulation. Manchester coding guarantees a transition in the middle of every bit period, which gives the receiver a clock to lock onto. To transmit X bits we therefore send 2X symbols, because every bit becomes two (e.g. 0 is sent as 01 and 1 as 10). We lose some throughput and double the amount of data, but we gain robustness and a better chance of receiving the information correctly.

Now that the binary data is encoded, we need to adapt it to the transmission medium: how do we encode a 1 and a 0 as a color?
Mapping the Manchester symbols directly to two colors would still leave us with two consecutive symbols of the same value (e.g. the 11 in the middle of 0110), and the receiver could not tell one long symbol from two. That is why we chose the HSV (Hue, Saturation, Value) color model: it lets us carry more than one piece of state in a single color.

Figure 3 : HSV color format

The H (Hue) component varies circularly and is used to carry the bit value (0 or 1). The S (Saturation) component, which varies horizontally in the diagram, controls the purity and intensity of the color and is used to tell the receiver that a new symbol has been sent to the smart plug (for example by alternating it on every symbol, so that two equal consecutive hues are still distinguishable). The V (Value or Brightness) component, which varies vertically, controls the lightness of the color and is not used here, a personal choice to keep the study simple.

All of these transformations are implemented in the emitter script on the PC connected to the internal network.

The receiver must mirror the sender. Since the emitter sends a new color to the smart plug every 3 seconds, the receiver has to synchronize its clock with the sender's symbol period for the two to understand each other.

Hue runs from 0° to 360° on a circle (360° wraps to 0°). Computing the distance between two hue values correctly is essential: a naive subtraction says that 350° and 10° are 340° apart, when on the circle they are only 20° apart. The shortest angular distance lies in [0, 180] and can be obtained as follows:

D = |newColor − oldColor|

if (D ≤ 180) then R = D

else R = 360 − D

where D is the raw difference between the new and the old hue and R is the real shortest distance between the two hue values. If the receiver also needs the direction of the change (to tell an increase from a decrease), it can use the signed difference ((newColor − oldColor + 180) mod 360) − 180, which lies in [−180, 180).
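The three building blocks of the channel described in the sections above (Manchester coding on the bit layer, hue for the symbol value with saturation alternating as a "new symbol" flag, and the shortest circular hue distance on the receiving side) fit together as follows. This is an added example written for this article, not the authors' emitter or receiver code. The reference hues, the two saturation levels, the acceptance tolerance and the camera noise model are assumptions; the 3 s symbol period is the one the article states.

```python
# Added example (not the authors' code): end-to-end model of the covert channel.
# HUE_ZERO/HUE_ONE, SAT_LOW/SAT_HIGH, HUE_TOLERANCE and add_camera_noise are
# assumptions; SYMBOL_PERIOD_S (3 s per color) is from the article.
import random

HUE_ZERO, HUE_ONE = 270.0, 300.0   # assumed reference hues, both in the purple range
SAT_LOW, SAT_HIGH = 0.6, 1.0       # assumed saturation levels, alternated per symbol
SYMBOL_PERIOD_S = 3.0              # one color every 3 s (from the article)
HUE_TOLERANCE = 10.0               # assumed max distance from a reference hue to accept


def text_to_bits(text):
    return [(byte >> i) & 1 for byte in text.encode("utf-8") for i in range(7, -1, -1)]


def bits_to_text(bits):
    out = bytearray()
    for i in range(0, len(bits) - 7, 8):
        out.append(int("".join(str(b) for b in bits[i:i + 8]), 2))
    return out.decode("utf-8")


def manchester_encode(bits):
    """0 -> 01, 1 -> 10: every bit period contains a transition."""
    return [s for b in bits for s in ((0, 1) if b == 0 else (1, 0))]


def manchester_decode(symbols):
    if len(symbols) % 2:
        raise ValueError("odd number of symbols: receiver lost sync")
    bits = []
    for a, b in zip(symbols[0::2], symbols[1::2]):
        if (a, b) == (0, 1):
            bits.append(0)
        elif (a, b) == (1, 0):
            bits.append(1)
        else:
            raise ValueError("00 or 11 is not a valid Manchester pair")
    return bits


def hue_distance(h1, h2):
    """Shortest distance on the 0-360 hue circle, always in [0, 180]."""
    d = abs(h1 - h2) % 360.0
    return min(d, 360.0 - d)


def symbols_to_colors(symbols):
    """Emitter: hue carries the symbol; saturation flips on every symbol so the
    receiver can tell two equal consecutive symbols apart (the 11 in 0110)."""
    return [(HUE_ONE if s else HUE_ZERO, SAT_HIGH if i % 2 == 0 else SAT_LOW, 1.0)
            for i, s in enumerate(symbols)]


def colors_to_symbols(colors):
    """Receiver: classify each observed HSV by the nearest reference hue and
    require that saturation flipped, otherwise a frame was missed or repeated."""
    symbols, last_sat = [], None
    for hue, sat, _value in colors:
        if last_sat is not None and abs(sat - last_sat) < 0.15:
            raise ValueError("saturation did not flip: missed or repeated symbol")
        last_sat = sat
        d0, d1 = hue_distance(hue, HUE_ZERO), hue_distance(hue, HUE_ONE)
        if min(d0, d1) > HUE_TOLERANCE:
            raise ValueError("hue %.1f is too far from both reference hues" % hue)
        symbols.append(0 if d0 < d1 else 1)
    return symbols


def transmit(text):
    """Full emitter pipeline: text -> bits -> Manchester symbols -> HSV colors."""
    return symbols_to_colors(manchester_encode(text_to_bits(text)))


def receive(colors):
    """Full receiver pipeline: observed HSV colors -> symbols -> bits -> text."""
    return bits_to_text(manchester_decode(colors_to_symbols(colors)))


def airtime_seconds(text):
    """Manchester doubles the symbol count: 8 bits per byte -> 16 colors per byte."""
    return len(text.encode("utf-8")) * 16 * SYMBOL_PERIOD_S


def add_camera_noise(colors, seed=1):
    """Constructed camera model: a few degrees of hue jitter plus saturation noise."""
    rng = random.Random(seed)
    return [((h + rng.uniform(-5, 5)) % 360.0, s + rng.uniform(-0.05, 0.05), v)
            for h, s, v in colors]
```

In the real setup the list returned by `transmit` is pushed to the plug one color every `SYMBOL_PERIOD_S` seconds through the Tuya API, and `receive` is fed the per-frame HSV estimates from the camera. The cost of the design is visible in `airtime_seconds`: at 3 s per symbol a single character takes 48 s, so the 30-character flag needs 24 minutes of steady filming, which is why the message is short and why the saturation check matters (a single dropped frame would otherwise silently shift every later bit).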

In addition, the receiver must apply further filters to measure the saturation and detect the transmitted symbol.
For more information please read the full research report.

Solving the second problem

To solve this problem we looked at the spectral sensitivity curve of the human eye, to find the wavelengths the eye is least sensitive to and therefore least likely to notice.

Figure 4 : Eye color sensitivity spectrum

According to Figure 4, variations in the purple range draw the least attention from the human eye. To keep the transmission stealthy we therefore confined the color variation to the purple range. The camera, not the eye, is the receiver, so the hue steps only need to be large enough for the camera to separate them after averaging.

Solving the third problem

We ran an experiment displaying the HSV values detected by the receiver's camera (at a fixed position) for a single pixel taken from the center of every frame, and found the following:

  • In daylight, the HSV components fluctuate a little, but enough to prevent reading the exact HSV values.
  • At night, the HSV components fluctuate so much that we cannot even tell which color the camera is seeing.

If a single pixel cannot identify the true HSV value of the detected color, a disc of pixels with a given radius around a point can give a good approximation when we average each HSV component separately (hue has to be averaged on the circle, since 359° and 1° are neighbours, not 358° apart). We also need to adjust the camera's sensitivity and exposure time to black out the background and keep only the light source, as in Figure 5:
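The averaging step above is where a receiver is most easily fooled, so here is an added example (not the authors' receiver) of the disc estimate with the two refinements a practitioner would want: hue averaged as a unit vector on the color circle, so that readings straddling the 0°/360° seam do not average to a bogus 180°, and near-black pixels skipped, since after the exposure has been reduced they belong to the blacked-out background and carry no hue. The frame is constructed inline as nested lists of (R, G, B) tuples; with OpenCV you would read it from the camera and remember that cv2 hands you pixels in BGR order.

```python
# Added example (not the authors' code): estimate the LED's HSV from a disc of
# pixels, averaging hue on the circle and skipping blacked-out pixels. The test
# frame is constructed; a real receiver reads frames from the camera.
import colorsys
import math


def pixel_to_hsv(rgb):
    """(R, G, B) in 0..255 -> (hue in degrees, saturation 0..1, value 0..1)."""
    r, g, b = (c / 255.0 for c in rgb)
    h, s, v = colorsys.rgb_to_hsv(r, g, b)
    return h * 360.0, s, v


def naive_mean_hue(hues):
    """Arithmetic mean: wrong across the 0/360 seam, kept only for comparison."""
    return sum(hues) / len(hues)


def circular_mean_hue(hues):
    """Mean direction of the hues treated as unit vectors, in [0, 360)."""
    sx = sum(math.cos(math.radians(h)) for h in hues)
    sy = sum(math.sin(math.radians(h)) for h in hues)
    return math.degrees(math.atan2(sy, sx)) % 360.0


def disc_hsv(frame, cx, cy, radius, min_value=0.2):
    """Average H, S, V over the pixels within `radius` of (cx, cy).
    Pixels darker than min_value are treated as blacked-out background.
    Returns (hue, saturation, value) or None if every pixel was too dark."""
    hues, sats, vals = [], [], []
    height, width = len(frame), len(frame[0])
    for y in range(max(0, cy - radius), min(height, cy + radius + 1)):
        for x in range(max(0, cx - radius), min(width, cx + radius + 1)):
            if (x - cx) ** 2 + (y - cy) ** 2 > radius ** 2:
                continue
            h, s, v = pixel_to_hsv(frame[y][x])
            if v < min_value:
                continue
            hues.append(h)
            sats.append(s)
            vals.append(v)
    if not hues:
        return None
    return circular_mean_hue(hues), sum(sats) / len(sats), sum(vals) / len(vals)


def hsv_to_pixel(hue, sat, val):
    r, g, b = colorsys.hsv_to_rgb(hue / 360.0, sat, val)
    return tuple(int(round(c * 255)) for c in (r, g, b))


def make_test_frame(width=40, height=40, cx=20, cy=20, led_radius=6):
    """Constructed frame: black background with an LED blob whose pixels
    alternate between hue 358 and hue 2, i.e. sensor noise straddling the
    0/360 seam around a red LED."""
    frame = [[(0, 0, 0)] * width for _ in range(height)]
    for y in range(height):
        for x in range(width):
            if (x - cx) ** 2 + (y - cy) ** 2 <= led_radius ** 2:
                frame[y][x] = hsv_to_pixel(358.0 if (x + y) % 2 else 2.0, 1.0, 1.0)
    return frame


if __name__ == "__main__":
    print("disc estimate:", disc_hsv(make_test_frame(), 20, 20, 6))
    print("naive hue mean of 358 and 2:", naive_mean_hue([358.0, 2.0]))
```

The seam problem is invisible as long as the chosen hues sit far from 0°, which is one more reason the purple range (around 270°–300°) is a comfortable place to work; the circular mean costs nothing and removes the failure mode entirely.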

Figure 5 : Blackify the background to better detect color

Solving the fourth problem

To avoid the lag of a mobile application running short of resources, we built the receiver as a Python 3 script implementing the same workflow.

Final Solution

By combining the solutions to each problem we were able to exfiltrate data from an internal PC to an external device through the smart plug. Using IoT devices in your company can be a threat if you do not choose the right equipment.

Figure 6: PoC for the final solution

To summarize the scenario: an insider sends data from an internal information system to the smart plug, which renders the data as a sequence of HSV colors. A high-resolution camera placed outside the building films the color variations through the window and recovers the data.

Our team, The Emperors, won the competition!

This PoC, the fully detailed report and the demo videos are available in our GitHub repository.

Authors:

Mohamed Ali IBNAL HAJALI
Mohamed Aymen Karmous

Cyber security student @ ENIT | CEH v10
