A journey into IoT Forensics - Episode 4 - Analysis of an iRobot Roomba 690 (aka thanks VTO Labs for sharing!)

By -

This the fourth blog post on the analysis of IoT devices images made available by VTO Labs. The first blog post was about the analysis of Samsung refrigerator, the second one was about the analysis of an LG Smart TV, the third one was about the analysis of an Ematic Android TV OS Box, and this one is about the analysis of an iRobot Roomba 690.

[START DISCLAIMER]

I only had one dataset, so the testing is limited and not to be considered strong and verified. 

The goal is to open a discussion and to provide a first glimpse into the analysis of these types of devices.

[END DISCLAIMER]

The iRobot Roomba 690

The fourth candidate for my research in the VTO Labs dataset was the image of an iRobot Roomba 690, aWi-Fi Connected Robot Vacuum manufactured by iRobot Corporation.

An old book (2006) on Hacking Roomba is available and the book website is still active. A forum on robot hacking is also available on Robot Reviews

I was not able to find any previous forensics research on an iRobot Roomba.

Image verification and partitioning schema

As in the previous cases, I tried loading the provided image (RoomaDump2) in X-Ways Forensics. By simply loading the image, the tool was not able to find any partitioning schema.


I used the "Scan for lost partitions" feature, with no luck. I tried multiple tools, including Active Partition Recovery, R-Studio, MobileRevelator and none of them found any partition. 

I run binwalk on the image, and the tool found some PEM certificates and private keys. 


As the image is quite small (4MB), I decided to go manually through it to search for interesting data.

Manual analysis

Manual analysis was conducted by using X-Ways Forensics.

  • Offset "0x600C" - Software Version
  • Offset "0x602A" - Robot ID
  • Offset "0x60A0" - Cloud Certificate
  • Offset "0x6ABD" - Cloud Privkey
  • Offset "0x71F9" - Product SKU (Stock Keeping Unit)
  • Offset "0x7232" - Wi-Fi Network SSID
  • Offest "0x7264" - Wi-Fi Network Password (in clear-text)
  • Offset "0x728A" - Other Wi-Fi settings
  • Offset "0x73C5"rbt_passwd
  • Offset "0x73FF" - sdiscUrl 
  • Offset "0x7484" - Timezone
  • Offset "0x74AC" - NTP Hosts at offset 
  • Offset "0x751E" - Country 
  • Offset "0x7557" - Wi-Fi Network SSID
  • Offset "0x75E1" - Wi-Fi Network Password (in clear text)
  • Offset "0x76B0" - SDISCVAR
  • Offset "0x77EE" - tzevents
  • Offset "0x7CA0"Robot name

A lot of text/strings are available in the dump, including some timestamps about firmware release.

Conclusions

During the analysis I was able to find:

  • Device model (SKU)
  • Device serial number
  • System version
  • Country 
  • Timezone
  • Device name
  • Wi-Fi networks, including password in clear text
  • Cloud URLs and certificates
  • Events with timestamps
  • Language settings

Again, more research is definitely needed in this field and I really hope to find soon new images to validate and improve these findings. If you have any additional image to share for research, you are very welcome!

I encourage you to provide me any kind of feedback and verify my findings. I'll update the blog post mentioning and thanking the reader.

Comments

Post a Comment

Popular posts from this blog

A first look at Android 14 forensics

By -
Android 14 was released to the public by the Open Handset Alliance on October 4, 2023, and is now available on various smartphones, including the Google Pixel. This blog post aims to explore a list of the majr oartifacts you can find on this version of the Android OS.  For testing and review, I set up a Google Pixel 7A and used it for about a month, with a SIM card and various native and third-party apps installed. The blog post is organized by sections: Device information and general settings User accounts Information on Cellular, Wi-Fi, and Bluetooth connections Native Android applications Google applications Analysis of the use of native and third-party applications Other relevant information As always, I'll try to update this blog post as I test and research. Device information and general settings build.prop TXT format Stored in the root directory of the system partition  Among other things, it contains the device manufacturer, the device model, the operating system version, a
Keep reading

Huawei backup decryptor

By -
When doing Mobile Forensics the first and usually the hardest step is to get access to user's data . It depends on the case type, but the so called physical  acquisition is the analyst object of desire. The reason is simple: iOS and Android native backups, respectively adb  and iTunes , contain a subset of user data, because they respect the various apps configurations where they can specify " you can't include me in backups ". Which leads to inconsistent situations like, for example, having WhatsApp data in iTunes backups and not having it in Android adb backups. Not considering WhatsApp, the majority of apps in iOS and Android do not allow their data to be included in backups . In the scenario where  device is unlocked or the lock  code is known (the only scenario considered in this post), the analyst could use the device itself to make the analysis of the installed applications. Anyone who did that at least once knows how uncomfortable is this approach. Al
Keep reading

WhatsApp Xtract

By -
I don’t want to bore you explaining what is WhatsApp . If you have this serious gap, you can fill it here .  Forensically speaking, WhatsApp was a very cool app until the last June. After that, someone had decided to add the extension “crypt” to such excellent source of information which was msgstore.db . This database stores information about contacts and also entire conversations. But simply opening it with SQLite Browser , you can have some troubles in extracting a single chat session with a desired contact, or in reordering the messages. My last python script wants to overcome these problems, avoiding to deal with complex SQL queries. Now, you need only to decrypt that file! Go to the repo.
Keep reading