Duo Labs does a lot of odd research now and again. The whole IoT world can offer up a lot of ups and downs to a researcher, but since we are trying to not only get through this ourselves, we are also trying to encourage others to research.
Therefore, it makes sense to come up with some steps to try and get through the research as quickly and painlessly as possible. It also made sense to “try it out” on a live target. The process we developed, while software-focused, yielded results fairly quickly on our target IoT device, the Milwaukee Tool M18 FUEL with ONE-KEY ½” Drill/Driver.
We discovered that:
- Static passwords used for updates to a master database located on the vendor website were hard-coded into the accompanying IoT app.
- The IoT device in question was expensive, but could be readily identified by a potential thief remotely via Bluetooth scanning.
- GPS data used for inventory tracking in the event of lost or stolen devices could be forged.
In the future, we will take a look at things from a more hardware-centric view, but for now, this should serve as a decent starting place.
The Process and Findings
As usual, instead of filing a short and sweet blog, we ended up with a much larger document better suited for a PDF. This is the plight of the researcher - we find one thing leads to another and another to properly tell the tale. Somehow, we reached a stopping point. We hope you find it both useful and somewhat entertaining, as only a security nerd can be entertained.