Reversing the Rachio Smart Sprinkler Controller by Joseph Bingham
A new smart device that “takes the guesswork out of watering.” An IoT device that extends the boundaries of your smart home into the yard? Sure, what could go wrong? Turns out, sometimes, when things are designed with security in mind, not as much.
The Rachio smart sprinkler controller is a highly-reviewed IoT device that lets you start and stop your sprinklers from your phone. As another of the growing number of consumer IoT devices in your home network, it is also another potential infection vector for malware or attack vector for hackers.
This blog post details the methodology used to explore the potential attack surface of the device. The intention was to find vulnerabilities, as that's what I do for my day job. However, given my past exploration of similar IoT devices, I was pleasantly surprised: my research didn't dig up any vulnerabilities in the Rachio3.
Rachio3 smart sprinkler controller
My initial goals were:
Identify the device components
Identify the attack surface
Acquire and analyze device firmware
Identifying the Device Components
The device disassembles easily enough, revealing a loaded PCB underneath the plastic housing. The board has several transceivers and antennas for network and intra-device communication. It has a clock/calendar chip to maintain real-time during power off. For our purposes of assessing device security and acquiring firmware, the debug interface, processor chip, and flash storage are the most promising components to look at.
Rachio3 layout board
Identifying the Attack Surface
Starting with a scan of the open ports on the device gives us a look at the services implemented by the Rachio device. It only has web services open (HTTP + HTTPS). Seems quite simple. No web server versioning information is returned in the header. The web server requires basic HTTP authentication and can’t really be explored much more without the firmware.
>nmap -p 1-65535 192.168.0.200
Nmap scan report for Rachio-28D876.lan (192.168.0.200)
PORT STATE SERVICE
80/tcp open http
443/tcp open https
MAC Address: B8:D7:AF:28:D8:76 (Murata Manufacturing)
Let's start by logging traffic during a firmware update. The device updates over plaintext HTTP, so the firmware file is easy to acquire. However, the entropy of the data in the firmware file shows it is encrypted.
Current firmware: iro3-firmware-hk-5-601_c5d37fc0.ota.signed (1196114 bytes)
Let's check the debug interface by soldering pins to the debug pads and using a Bus Pirate or similar tool to read from the device. I won't go into specifics of identifying and connecting to UART. The gif below shows the Bus Pirate used in UART mode to read from the board's debug pins. The Bus Pirate automatically determines the baud rate from the received data (115200 bps), and the text coming from the debug pins is printed to the console during the Rachio device boot process. As it turns out, the Rachio's debug pins are just a logging interface. The log interface provides some information on the boot sequence and underlying software, but doesn't provide a shell. The device uses Cypress's new and relatively unknown WICED SDK for embedded wireless communication. The boot log also tells us it is using an encrypted file system and has encryption keys hidden somewhere.
The debug interface gave us no leverage on the device, so we have to move on. The flash chip is the obvious next step for locating a bootloader and, hopefully, some decryption keys. With the device unpowered and a test clip attached to the flash chip, the Bus Pirate can make quick work of dumping the flash. The gif below shows the commands used with the flashrom tool to query data from the flash chip.
Connecting BusPirate to the Rachio’s flash storage chip
Dumping the 8MB flash chip
After getting the flash image, the entropy of the data contained gives a good picture of its contents. We can see several separate sections. The flash chip contains an encrypted filesystem, a section called the “Device Configuration Tables” (also encrypted), and an application image which is the same firmware image the device downloaded in the update earlier.
Flash chip data entropy vs. File offset
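The entropy check used twice above (first on the downloaded .ota file, then on the flash dump to pick out the encrypted filesystem, the encrypted configuration tables and the application image) can be reproduced with a few lines of Python. This is an added example, not code from the post or from Rachio: it measures Shannon entropy per fixed-size block and merges neighbouring blocks into regions, which is what the "entropy vs. offset" plot shows visually. The sample image is constructed to mimic a dump, and the 1 KiB block size and 7.0 bits/byte threshold are assumed rules of thumb.

```python
import math
import random
from collections import Counter


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for constant data, 8.0 for a uniform spread."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def entropy_profile(image: bytes, block: int = 1024) -> list:
    """Entropy of each fixed-size block, i.e. the 'entropy vs. file offset' curve."""
    return [shannon_entropy(image[i:i + block]) for i in range(0, len(image), block)]


def segment(image: bytes, block: int = 1024, threshold: float = 7.0) -> list:
    """Merge adjacent blocks with the same verdict into (start, end, label) runs.

    Encrypted or compressed data sits close to 8 bits/byte; code, config
    tables, text and erased-flash padding fall well below. The threshold is
    an assumed rule of thumb; it must stay under the ~7.8 bits/byte that a
    1 KiB block of truly random bytes measures, since small samples
    under-estimate entropy.
    """
    runs = []
    for idx, h in enumerate(entropy_profile(image, block)):
        label = "high" if h >= threshold else "low"
        start, end = idx * block, min((idx + 1) * block, len(image))
        if runs and runs[-1][2] == label:
            runs[-1] = (runs[-1][0], end, label)   # extend the current run
        else:
            runs.append((start, end, label))
    return runs


def build_sample_image(seed: int = 1) -> bytes:
    """Constructed stand-in for a flash dump (not real Rachio data): erased
    0xFF padding, a random 'encrypted' region, a repeated plaintext log
    string, then a second random region."""
    rng = random.Random(seed)
    rand = lambda n: bytes(rng.getrandbits(8) for _ in range(n))
    text = (b"WICED boot log line\n" * 205)[:4096]
    return b"\xff" * 4096 + rand(8192) + text + rand(4096)


if __name__ == "__main__":
    for start, end, label in segment(build_sample_image()):
        print(f"0x{start:06x}-0x{end:06x}  {label} entropy")
```

On a real dump, swap `build_sample_image()` for the bytes read from the flash image and the high-entropy runs map onto the encrypted regions in the plot.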
Our ultimate goal is to acquire and reverse engineer the device’s decrypted software and probe the service implementations for vulnerabilities. Hence, the next step would be to look at the Murata processor chip [https://wireless.murata.com/eng/type1gc.html] to see how it decrypts and loads the filesystem.
No chip datasheet is available for the Murata System-on-Chip
The Rachio device implements some basic but very important security steps to raise the bar for exploitation.
Firmware and filesystem encryption
Limited debug interfaces (no shell access)
Service-level authentication
Communication encryption
Here’s the thing: I can either continue to explore and dig deeper or just pick up one of the other million IoT devices that have a much lower bar for exploitation and discover vulnerabilities in them. It is very important to remember that attackers might use a similar rationale. They will likely try to find the path of least resistance into the network. A chain is only as strong as its weakest link — sound familiar?
These device security best practices are not cost-prohibitive for manufacturers to implement, but they are missing from most manufacturers' products because security is not part of the design. It is usually an afterthought, if that. The security hardening of consumer-grade IoT devices like this one is a welcome and encouraging trend in network security.