Full Report
You've probably never thought of this, but the home automation market in the US was worth approximately $3.2 billion in 2010 and is expected to exceed $5.5 billion in 2016. Under the hood, the Zigbee and Z-Wave wireless communication protocols are the most commonly used RF technologies in home automation systems. Zigbee is based on an open specification (IEEE 802.15.4) and has been the subject of several academic and practical security research efforts. Z-Wave is a proprietary wireless protocol that operates in the Industrial, Scientific and Medical (ISM) radio band. It transmits on the 868.42 MHz (Europe) and 908.42 MHz (United States) frequencies and is designed for low-bandwidth data communication in embedded devices such as security sensors, alarms and home automation control panels.
Analysis Summary
The provided article focuses on the security research presented by SensePost at Black Hat USA 2013, specifically concerning the Z-Wave wireless protocol used in home automation, and briefly mentions several other historical security tools and research topics from the company.
Because the article's primary subject is security research against a wireless protocol (Z-Wave) whose attack methodology is only announced for the upcoming Black Hat USA 2013 talk, this summary concentrates on the historical tools and techniques the article names explicitly.
Here is the summary structured based on the tools/research mentioned in the text:
# Tool/Technique: Setiri Trojan
## Overview
Setiri was an early publicly discussed Trojan that implemented the concept of using a web browser for communication with its Command and Control (C2) server.
## Technical Details
- Type: Malware family
- Platform: Not explicitly stated, but implied to target desktop environments capable of running web browsers common in 2002.
- Capabilities: Web browser-based C2 communication.
- First Seen: 2002
## MITRE ATT&CK Mapping
*Note: Mapping is historical/speculative based on the description.*
- [TA0011 - Command and Control]
- [T1071 - Application Layer Protocol]
- [T1071.001 - Web Protocols]
## Functionality
### Core Capabilities
- Establishing remote communication via a web browser interface connected to the controller.
### Advanced Features
- Its innovation was using the web browser for C2, which caused a stir at the time.
## Indicators of Compromise
- File Hashes: N/A
- File Names: N/A
- Registry Keys: N/A
- Network Indicators: Web browser-based C2 traffic (no specific network indicators are given).
- Behavioral Indicators: Establishing outbound connections typically associated with standard web browsing.
## Associated Threat Actors
- SensePost research (2002).
## Detection Methods
- Signature-based detection: Not specified.
- Behavioral detection: Detection of unusual outbound connections initiated by browser processes or associated back-end communication channels.
- YARA rules: N/A
## Mitigation Strategies
- Traditional endpoint security measures available in the early 2000s.
- Network monitoring for unexpected outbound traffic originating from compromised hosts.
## Related Tools/Techniques
- Web-based C2 techniques in subsequent malware.
***
# Tool/Technique: Bidiblah
## Overview
Bidiblah is an automated footprinting tool released by SensePost during their 2005 Black Hat presentation on assessment automation.
## Technical Details
- Type: Tool
- Platform: Not explicitly stated, but used for footprinting and link analyses (suggesting a network/web scanning tool).
- Capabilities: Automated footprinting and link analysis expansion.
- First Seen: 2005
## MITRE ATT&CK Mapping
*Note: Mapping based on the tool's purpose.*
- [TA0043 - Reconnaissance]
- [T1598 - Gather Victim Identity Information] (Passive reconnaissance)
- [T1595 - Active Scanning] (If active scanning was involved)
## Functionality
### Core Capabilities
- Automation of penetration testing processes, specifically focusing on footprinting and link analysis.
### Advanced Features
- First widely released version of their automated footprinting capability.
## Indicators of Compromise
- File Hashes: N/A
- File Names: bidiblah
- Registry Keys: N/A
- Network Indicators: N/A (The tool's output would be focused on data gathering, not active compromise).
- Behavioral Indicators: High volume of requests used for target discovery and mapping.
## Associated Threat Actors
- SensePost research/internal penetration testing teams.
## Detection Methods
- N/A (As a proprietary assessment tool, typical detection is not relevant unless used maliciously by external actors).
## Mitigation Strategies
- Network monitoring for reconnaissance activity against organizational assets.
## Related Tools/Techniques
- Other automated footprinting and link analysis tools (e.g., Maltego).
***
# Tool/Technique: Sour Pickles/Pickle Hacking
## Overview
This research focused on exploiting Python's `pickle` module, which by design can invoke arbitrary Python callables while deserializing a stream, leading to Remote Code Execution (RCE). The research covered the hurdles of writing pickle shellcode and provided guidelines, templates, and dedicated tools for exploiting this vulnerability.
## Technical Details
- Type: Technique / Framework (Shellcode Generator and Pickle Mangler)
- Platform: Python environments utilizing the Pickle module.
- Capabilities: Generating Pickle shellcode, mangling Pickle streams to reliably execute arbitrary Python code (RCE).
- First Seen: 2011 (Presentation date)
## MITRE ATT&CK Mapping
- [TA0002 - Execution]
- [T1059 - Command and Scripting Interpreter]
- [T1059.006 - Python]
- [TA0001 - Initial Access] (If Pickle deserialization is triggered remotely)
## Functionality
### Core Capabilities
- Exploitation of Python's default serialization mechanism (`pickle`) for code execution.
- Providing guidelines and templates for writing Pickle shellcode.
### Advanced Features
- Development of a dedicated shellcode generator and a "Pickle mangler" tool.
- Analysis of the prevalence of the vulnerability across public Python codebases.
## Indicators of Compromise
- File Hashes: N/A
- File Names: pickle mangler, shellcode generator (no file names given)
- Registry Keys: N/A
- Network Indicators: N/A (Focus is on data structure exploitation).
- Behavioral Indicators: Deserialization of untrusted, specially crafted pickle streams followed immediately by unexpected process or code execution.
## Associated Threat Actors
- SensePost research (2011).
## Detection Methods
- Application security scanning for improper handling of pickle deserialization.
- Static analysis of Python code for unsafe `pickle.load()` / `pickle.loads()` calls on unvalidated input.
## Mitigation Strategies
- **Never** unpickle/deserialize data received from untrusted or unauthenticated sources.
- Use safer serialization formats (e.g., JSON).
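As an added example (not part of the original research or of any SensePost tool) of the detection and mitigation points above, assuming a small constructed allowlist: the scanner flags pickle streams that use code-capable opcodes, and the restricted unpickler refuses to resolve any global outside the allowlist, which is exactly the check a bare `pickle.load()` on untrusted input lacks.

```python
import collections
import io
import pickle
import pickletools

# Opcodes through which a pickle stream can name a callable and invoke it while
# loading; these are the building blocks of pickle-based code execution.
CODE_OPCODES = {"GLOBAL", "STACK_GLOBAL", "REDUCE", "INST", "OBJ",
                "NEWOBJ", "NEWOBJ_EX", "BUILD"}

# Assumed allowlist: the only globals RestrictedUnpickler will resolve.
SAFE_BUILTINS = {"set", "frozenset", "range", "slice", "complex"}


def code_opcodes(data):
    """Detection: sorted names of code-capable opcodes found in a pickle stream."""
    found = {op.name for op, _arg, _pos in pickletools.genops(data)}
    return sorted(found & CODE_OPCODES)


class RestrictedUnpickler(pickle.Unpickler):
    """Mitigation: resolve a global only if allowlisted, refuse everything else."""

    def find_class(self, module, name):
        if module == "builtins" and name in SAFE_BUILTINS:
            return getattr(__import__("builtins"), name)
        raise pickle.UnpicklingError(f"forbidden global {module}.{name}")


def restricted_loads(data):
    """Return (True, obj) if the stream loads under the allowlist, else (False, reason)."""
    try:
        return True, RestrictedUnpickler(io.BytesIO(data)).load()
    except pickle.UnpicklingError as exc:
        return False, str(exc)


# Constructed samples (not taken from the original research): plain data; a set
# pickled at protocol 3, which imports builtins.set via GLOBAL+REDUCE and is
# therefore flagged by the scanner but accepted by the allowlist; and an
# OrderedDict, which imports and calls a non-allowlisted class while loading.
BENIGN = pickle.dumps({"device": "door-sensor", "readings": [1, 2, 3]})
SET_P3 = pickle.dumps({1, 2}, protocol=3)
SUSPICIOUS = pickle.dumps(collections.OrderedDict(a=1))

if __name__ == "__main__":
    for label, blob in (("benign", BENIGN), ("set_p3", SET_P3), ("ordered", SUSPICIOUS)):
        print(f"{label}: opcodes={code_opcodes(blob)} load={restricted_loads(blob)}")
```

The opcode scan is a coarse triage signal (legitimate streams for sets or custom classes also trigger it); the allowlist in `find_class` is the control that actually stops arbitrary callables from being resolved.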
## Related Tools/Techniques
- General Python deserialization exploitation techniques.
***
## Summary of Other Mentions
* **Z-Wave Hacking (Black Hat USA 2013 Talk):** Explores security flaws in the Z-Wave proprietary wireless protocol (ISM band, 908.42 MHz in the US). This research addresses the possibility of capturing the AES key exchange.
* **SecurID Software Token Cloning:** Behrang Fouladi's prior research demonstrating the ability to clone RSA SecurID software tokens (2012). This relates to **T1003.002 - Credential Access: Copy/Dump Credentials (Specific to Hardware/Tokens)**.
* **Suru:** An HTTP Man-in-the-Middle (MITM) proxy tool developed by SensePost (2006). Maps to **T1557 - Interception Proxies**.
* **go-derper.rb:** A tool developed for hacking memcached servers (2010). Maps to **T1219 - Remote Access Software** or **T1083 - File and Directory Discovery** (if used for data extraction).