KingFisher: Unveiling Insecurely Used Credentials in IoT-to-Mobile Communications

1. Introduction
2. Code Overview
3. Tutorials
4. Evaluation Result Confirmation

1. Introduction

KingFisher is an insecure shared credential (SC) detection framework against real-world IoT products, designed to automate the tasks of SC extraction and SC security inspection.
It employed a value-based data flow analysis to track SCs in IoT (Android) companion apps, and the understand how the SCs are used and inspect their security status by dynamic interaction testing.

KingFisher is currently built with a set of python scripts, combined with Frida dynamic code instrumentation framework, composed of four main components: Function Interface Identification, Message Collection, Value-based SC Extraction and Security Violation Detection.

We use KingFisher to evaluate eight IoT products, including BroadLink, Haier, Horn, Qihoo, Tuya, Xiaomi, Xiaoyi and ZTE, and discover their vulnerable SC usage and implementations.

So far, we have received five CNVDs (i.e., CNVD-2021-73144, CNVD-2021-90790, CNVD-2021-90791, CNVD-2021-39530, CNVD-2021-73145, CNVD-2021-73140, CNVD-2021-90647, CNVD-2021-73142) and one is waited for confirmation.

Huawei replied that they have internally isolated the device registration process (SC generation and distribution) of new devices that support another more secure protocol and old devices that can not be updated to new protocols.
And we will help them and horn company to deploy the patch to deal with the issues.

2. Code Overview

We have implemented KingFisher with Python and JavaScript scripts, combining and integrating some other tools: Frida dynamic code instrumentation framework, tcpdump packet capture binary and Burp Suite toolkit for web security testing.

The code files of KingFisher and their introduction are listed as below.
KingFisher Code Structure
Files Details

identify_java_funcs.py Identifying SC-related functions in Java code and generate corresponding instrumentation scripts.

identify_native_funcs.py Identifying SC-related functions in Native code and generate corresponding instrumentation scripts.

collection.py Collecting Message.

extract_SC.py Implementing value-based analysis to extract possible SCs from collected messages.

violation_detection Detecting if the products violate security property and including nine independent tests.

The SC extraction source code of KingFisher is available now: code. And the violation detection scripts are will be available soon.

**KingFisher Code Structure**
Files	Details
identify_java_funcs.py	Identifying SC-related functions in Java code and generate corresponding instrumentation scripts.
identify_native_funcs.py	Identifying SC-related functions in Native code and generate corresponding instrumentation scripts.
collection.py	Collecting Message.
extract_SC.py	Implementing value-based analysis to extract possible SCs from collected messages.
violation_detection	Detecting if the products violate security property and including nine independent tests.

2.1 Function Interface Identification

KingFisher adopts keyword-based search for function recognition. We observed that most SC related functions are sensitive functions, e.g., cryptographic functions, data construction functions, and network related functions. In particular, cryptographic functions take as input the CSC as an encryption key to encrypt the transmission data. The encrypted data and some other information are format as a transmission message by data construction functions and further transmitted over the communication channel by network related functions.

We manually construct a reference set from source code of Github and StackOverflow, which contains a list of keywords that are commonly used to name SC-related functions.

The reference set is listed as following. And by the reference set, we identify the potentially SC-related functions, and output a SC function candidates list.

Cryptographic functions: encrypt, decrypt, hash, hmac, set*key, get*key
Data construction functions: get*frame, get*req, set*data, contact, build, pack
Network related functions: send, recv, write, control, connect, start, session, open
Others: token, password

Note the asterisk indicates zero or more occurrences of any characters.

An example of the Function Interface Identification result is listed as following:

        
            {
                "class": "com.tuya.sdk.hardwareprotocol.control.LocalControl3_2",
                "method": "encryptRequestWithLocalKey",
                "params": [
                  "com.tuya.sdk.hardwareprotocol.bean.HRequest",
                  "java.lang.String",
                  "java.lang.String"
                ],
                "params_len": 3,
                "return": "com.tuya.sdk.hardwareprotocol.bean.HRequest"
            }

2.2 Message Collection

Function Value Collection
KingFisher conducts dynamic function instrumentation based on Frida to track parameter values and return values of the SC-related functions identified in Function Interface Identification.

Java Functions: KingFisher hooks each SC-related candidates and obtains all its parameter values and return values. A instrumentation code demo generated by code templates is listed in following.

Code Demo: com.tuya.sdk.hardwareprotocol.control.LocalControl3_2.encryptRequestWithLocalKey(com.tuya.sdk.hardwareprotocol.bean.HRequest, java.lang.String, java.lang.String): com.tuya.sdk.hardwareprotocol.bean.HRequest

                        
                            var com_tuya_sdk_hardwareprotocol_control_LocalControl3_2 = Java.use("com.tuya.sdk.hardwareprotocol.control.LocalControl3_2");
                            com_tuya_sdk_hardwareprotocol_control_LocalControl3_2.encryptRequestWithLocalKey.overload("com.tuya.sdk.hardwareprotocol.bean.HRequest","java.lang.String","java.lang.String").implementation = function(s0, s1, s2){
                                console.log("----------------------------com.tuya.sdk.hardwareprotocol.control.LocalControl3_2.encryptRequestWithLocalKey---------------------------");
                                console.log("[s] com.tuya.sdk.hardwareprotocol.control.LocalControl3_2.encryptRequestWithLocalKey argument 0 = " + s0 + " [e]");
                                console.log("[s] com.tuya.sdk.hardwareprotocol.control.LocalControl3_2.encryptRequestWithLocalKey argument 1 = " + s1 + " [e]");
                                console.log("[s] com.tuya.sdk.hardwareprotocol.control.LocalControl3_2.encryptRequestWithLocalKey argument 2 = " + s2 + " [e]");
                                var res = this.encryptRequestWithLocalKey(s0, s1, s2);
                                console.log("[s] com.tuya.sdk.hardwareprotocol.control.LocalControl3_2.encryptRequestWithLocalKey res = " + res + " [e]");
                                console.log("++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++");
                                return res;
                            }

Native Functions:
For a pointer variable, KingFisher extracts the variable value from its memory block and records both values stored in the memory block before and after the function execution.
For a non-pointer variable, KingFisher directly records its runtime value.
A instrumentation code demo is listed in following.

Code Demo: __int64 __fastcall tuya::BizLogicService::SendByte(_QWORD *a1, unsigned __int8 *a2, __int64 a3, unsigned int a4, __int64 a5, __int64 a6)

                        
                            var a1 = new Array()
                            Interceptor.attach(
                                Module.getExportByName("libnetwork-android.so", "_ZN4tuya15BizLogicService8SendByteEPhliNSt6__ndk112basic_stringIcNS2_11char_traitsIcEENS2_9allocatorIcEEEENS2_8functionIFviiPKhiEEE"), {
                                    onEnter: function(args) {
                                        console.log("----------------------------libnetwork-android.so-_ZN4tuya15BizLogicService8SendByteEPhliNSt6__ndk112basic_stringIcNS2_11char_traitsIcEENS2_9allocatorIcEEEENS2_8functionIFviiPKhiEEE---------------------------")
                                        a1 = new Array()
                                        for(var i = 0; i < 10; i++){
                                            var ar = Process.findRangeByAddress(args[i])
                                            if(ar != null && ar['protection'] == 'rw-'){
                                                var ad = parseInt(args[i])
                                                var arstr = ''
                                                for(var j = 0; j < 256; j++){
                                                    var ch = (ptr(ad+j).readU8()).toString(16)
                                                    if(ch.length < 2) ch = '0' + ch
                                                    arstr = arstr + ch
                                                }
                                                console.log("[s] libnetwork-android.so-_ZN4tuya15BizLogicService8SendByteEPhliNSt6__ndk112basic_stringIcNS2_11char_traitsIcEENS2_9allocatorIcEEEENS2_8functionIFviiPKhiEEE argument " + i + " = " + arstr + " [e]")
                                                var ii = {"ind":i,"point":args[i]}
                                                a1.push(ii)
                                            }
                                        }
                                    },
                                    onLeave: function(retval){
                                        for(var i=0; i < a1.length; i++){
                                            var ad = parseInt(a1[i]['point'])
                                            var arstr = ''
                                            for(var j = 0; j < 256; j++){
                                                var ch = (ptr(ad+j).readU8()).toString(16)
                                                if(ch.length < 2) ch = '0' + ch
                                                arstr = arstr + ch
                                            }
                                            console.log("[s] libnetwork-android.so-_ZN4tuya15BizLogicService8SendByteEPhliNSt6__ndk112basic_stringIcNS2_11char_traitsIcEENS2_9allocatorIcEEEENS2_8functionIFviiPKhiEEE res-argument " + a1[i]['ind'] + " = " + arstr + " [e]")
                                        }
                                        if(Process.findRangeByAddress(retval) != null){
                                            var rd = parseInt(this.retval)
                                            var rstr = ''
                                            for(var j = 0; j < 256; j++){
                                                var ch = (ptr(rd+j).readU8()).toString(16)
                                                if(ch.length < 2) ch = '0' + ch
                                                rstr = rstr + ch
                                            }
                                            console.log("[s] libnetwork-android.so-_ZN4tuya15BizLogicService8SendByteEPhliNSt6__ndk112basic_stringIcNS2_11char_traitsIcEENS2_9allocatorIcEEEENS2_8functionIFviiPKhiEEE res = " + rstr + " [e]")
                                        }
                                        else console.log("[s] libnetwork-android.so-_ZN4tuya15BizLogicService8SendByteEPhliNSt6__ndk112basic_stringIcNS2_11char_traitsIcEENS2_9allocatorIcEEEENS2_8functionIFviiPKhiEEE res = " + retval + " [e]")
                                        console.log("++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++");
                                    }
                                }
                            );

Traffic Clustering
1. First execute tcpdump to capture all network packets on the smartphone.
2. Second filter the IoT-to-Mobile communication packets by device IP address and the smart-phone IP address.
3. Third cluster the IoT-to-Mobile communication packets by Needleman-Wunsch algorithms and UPGMA clustering algorithms.

2.3 Value-based Analysis

Taken Function Value Collection and Traffic Clustering results as input, KingFisher executes a value-based analysis in two steps to distinguish the used SCs. We illustrate the detailed Tuya example in the figure below to explain how the value-based analysis works and why common program analysis methods (e.g., control flow construction) could not be applied in our approach.

Coarse Candidate Selection
The corase candidate selection in KingFisher takes the message collection results as input. Specifically, it performs value-based comparison iteratively.
- First, it compares values of Function Instrumentation (Function Information List) with values of Traffic Clustering (IMC Packet List). If the values in Function Information List contain the subsequence of any values in IMC Packet List, KingFisher marks the function as directly related to the packet, labeled as a Key_Fun.
- Second, KingFisher further compares values of the other functions in Function Information List with values in Key_Fun. Similarly, the function, whose values contain the subsequence of the values of any Key_Fun, is marked as a Related_Func indicating the indirect correlation with the IMC-related packets.
- Finally, the corase candidate selection in KingFisher takes Key_Fun and Related_Func as output, containing potential SC candidate values that are related to IoT-to-Mobile communication.
- For example, the bufferevent_write, sendBytes2, controlByBinary, buildRequest and encryptRequestWithLocalKey functions will be marked as Key_Fun.
Fine-grained SC Recognition
In this step, KingFisher utilizes the two common SC formats to recognize the SCs from the candidates obtained in corase candidate selection. Specifically, it follows two rules to recognize the SCs and if the value in candidates satisfy one of the rules, it would be considered as the used SC.
- Authentication Shared Credential (ASC): KingFisher will recognize a value as the ASC, if the value satisfies 1) it contains Base64 subsequences; or 2) it is in JSON formats and contains authentication fields (i.e., auth, pass, cred, token, key).
- Cryptographic Shared Credential (CSC): KingFisher will recognize a value as the CSC, if the value satisfies: 1) its length is multiple of 16; 2) its length does not exceed 64 bytes; 3) it is a parameter of cryptographic functions.

2.4 Security Violation Detection

KingFisher next assesses the security of the SCs based on the security properties listed in Section 3. Specially, the SC used in this procedure is the correct one after verification. And the security violation detection tests for nine properties are independent, so than each test could be done separately.
The source code of the security violation detection will be available soon.

Detecting Insecurely Generated SCs.
- P1: KingFisher in this test takes the SC as input. It first examines whether the length of SC is less than 16, and then checks if any four-byte substrings are in different SCs.
Detecting Insecurely Distributed SCs.
- P2: KingFisher in this test takes the SC distribution traffic as input. It first filters the packets with mobile phone IP and then utilizes Scapy python library to identify the TLS version field and parses the Certificate messages. If the TLS version field value is not lower than 0x0303 (TLSv1.2) and both client and server Certificate messages are involved, it will consider that the SC distribution is not violate P2.
- P3: The detection for P3 needs security analysts to first launch the Burp Suite to capture the application data during SC distribution. Then KingFisher parses the application data to check whether there is any SC included. And if the SC first exists in traffics from smartphone to cloud, we consider the SC is generated locally and leakaged to the cloud, violating P3.
Detecting Insecurely Validated SCs.
- P4:
- P5: KingFisher first conducts mutation-based fuzzing to change the value length and value characters of the SC value and other data included in the SC-related message (SC candidates). Specifically, it randomly generates pseudorandom character and then inserts the character to the end of the SC (or other data) value to modify its length, or replace the last character of the SC (or other data) with this character to change its value only. Then, it utilizes Frida to hook and modify the parameters with these changed values and triggers the IoT-to-Mobile communication to monitor the device responses. KingFisher considers that the implementation violates P5 if the response of the incorrect SC value and the responses of the other incorrect data are different.
- P6: KingFisher utilizes Frida to hook and modify the SC with these incorrect values (similar to P5). Then the security analysts should trigger 20 IoT-to-Mobile operations, which can produce IoT-to-Mobile communication and involve the incorrect the SCs. If the response messages from devices are same, it could be considered the violation of P6.
Detecting Insecurely Protected SCs.
- P7: KingFisher in this test takes the SC as input and performs string matching to check whether it is stored in app local internal storage (i.e., '/data/data/xxx') and the external storage (i.e., '/sdcard/xxx').
Detecting Insecurely Revoked SCs.
- P8: To check whether the SCs are updated timely, the security analysts should first utilize KingFisher to extract the used SCs and after 8 hours, they should extract the used SCs again. If the SCs in two extractions are same, it is considered as violating P8.
- P9: To check whether the SCs are updated timely, the security analysts first utilize KingFisher to extract the used SCs. Then they should reset the IoT device (e.g., by pressing the reset button on the device) or delete the binding relationship from the companion app, and trigger the SC generation by re-binding the IoT device with companion app. After that, a new SC will be generated and distributed. KingFisher could utilize the Frida to replace the new generated SC with the old one. If the IoT device still accepts the old SC and communicates with app successfully, it is considered as violating P9.

3. Tutorials

Take Tuya as an example, the step by step tutorials of how KingFisher analyze a IoT product (i.e., an IoT device and its companion app) are provided as below.

3.1 Preparation

Download and install the Tuya app (com.tuya.smart) on a smartphone, then register or login the user account and bind with the Tuya Smart Plug following its instructions.
Install frida client on the laptop (Windows, macOS, or GNU/Linux): pip install frida and pip install frida-tools Check frida client version: frida --version Download corresponding version and architecture (decided by the Android smartphone) frida server and push it to smartphone.
Download tcpdump binary and push it to smartphone.

3.2 SC Extraction

Run frida server on the smartphone: ./frida-server
Function Interface Identification:
- Replace the "appname" in identify_java_funcs.py and identify_native_funcs.py with "com.tuya.smart"
- Execute the two python scripts: python identify_xxx_funcs.py
- After that, a file that contains identified SC-related function candidates will be output.
Message Collection:
- Input: Function Interface Identification output file.
- Capture smartphone network packets by tcpdump: tcpdump -i {Network Interface Name} -w {Pcap Files Output Path}
- Process packets and execute function instrumentation at the same time: python collection.py
- After that, a file that contains clustered and chosen packets and function runtime information (parameters and return values) will be output.
Value-based Analysis:
- Input: Message Collection output file.
- Execute script to extract possible SCs from these SC-related messages: python extract_SC.py
Security Violation Detection:
- Execute script to detect each security property violation: python violationx_detect.py x is the index of security property.

4. Evaluation Results

The evaluation dataset of our experiment is available: dataset. It includes the experimental objects (i.e., eight IoT companion apps downloaded from Google Play and Tencent Myapp) and the our SC extraction results (i.e., SC Function Candidate Listlocated interfaces, Function Information List, Key_Fun and Related_Func).
Our experiment covers eight IoT vendors:

BroadLink
Haier
Horn
Qihoo
Tuya
Xiaomi
Xiaoyi
ZTE

4.1 Benchmark [Waiting for upload]

**Benchmark Dataset**
IoT Vendor	SC-related Functions		SCs
IoT Vendor	Java	Native	ASC	CSC
BroadLink				2d07905f0fcc2919f290c3526ab4cd49
Haier			7y5INpxqLQKHmdo0wUd7V8R2k9gp2xR1SZdISl6t: eCgrgL9M-5HdKH4yw-RB5LP0sI8=: eyJyYW5kb20iOjE2MjE1ODc3ODM2MjYsInN0YXRlbWVudCI6W3siY WN0aW9uIjoibGlua2luZzp0dXRrIn1dLCJkZWFkbGluZSI6MTYyMTU5MTM4M30=
Horn				9205B304FD64482D >6e4d397472546231
Qihoo			54f4281b3738d2ea56c68c873a7ecc40655986f8e21260a1c0289a54cdb7d167	54f4281b3738d2ea56c68c873a7ecc40655986f8e21260a1c0289a54cdb7d167
Tuya				65cda52393a0079b
Xiaomi				d8e7b8fa1a569d8ede2e890aa850c02e
Xiaoyi			UrFvIGY7DfoIIan	UrFvIGY7DfoIIan
ZTE			CiV6vk1WE4MsvsPT

The detailed dataset information and vendor confirmation results for our findings are listed below.

**Evaluation Dataset and Confirmation Results**
IoT Vendor	Device		Companion App	Confirmed
IoT Vendor	Type	Model	Companion App	Confirmed
BroadLink	Smart Plug	SP 4L	cn.com.broadlink.econtrol.international	Yes (CNVD-2021-73144)
Haier	Smart Camera	HCC-22B20-W	com.haier.uhome.uplus	Yes (CNVD-2021-90790, CNVD-2021-90791)
Horn	Smart Gateway	T2	com.huawei.smarthome	Yes (CNVD-2021-39530)
Qihoo	Smart Camera	AP5CA1	com.qihoo.camera	Waiting
Tuya	Smart Plug	YKYC-W1Y0-16	com.tuya.smart	Yes (CNVD-2021-73145)
Xiaomi	Smart Gateway	DGNWG02LM	com.xiaomi.smarthome	Yes (CNVD-2021-73140)
Xiaoyi	Smart Camera	YHS-113	com.ants360.yicamera	Yes (CNVD-2021-90647)
ZTE	Smart Camera	C320	com.ztesoft.homecare	Yes (CNVD-2021-73142)

"Waiting" means we have reported to the IoT vendor and waited for confirmation.

Feedback

Huawei replied that they have internally isolated the device registration process (SC generation and distribution) of new devices that support another more secure protocol and old devices that can not be updated to new protocols. And they are working with horn company to deploy the path to deal with the issues.