Internet of Things

IoT Hacking for Beginners

Hey guys, back again with another blog.

Today we are going to step up our security knowledge in the field of the Internet of Things (IoT).

I can assure you that today's blog will give you a view of how to proceed with Internet of Things security (IoT security).

Let's learn:

Why:
  • Why do we need to perform IoT penetration testing?

What:
  • What to look for in IoT penetration testing
  • Tools, techniques and devices

How:
  • How to approach the vulnerabilities
  • How to start

Why do we need IoT penetration testing?

Twenty years ago, if you had told me my phone might be used to steal the password to my email account or to take a copy of my fingerprint data, I would have laughed at you and said you watch too much Bond. But today, if you tell me that hackers with malicious intent can use my toaster to break into my Facebook account, I will panic and quickly pull the plug from the evil appliance.

Why do we need to perform it?

Welcome to the birth of the Internet of Things. IoT devices are encroaching on every aspect of our lives, including our homes, offices, cars and even our bodies. With the arrival of IPv6 and the wide deployment of Wi-Fi networks, IoT is growing at a dangerously fast pace, and researchers estimate that by 2020.

What to look for in an IoT pentest?

  • Determine the various ways to compromise the security of the entire IoT device solution
  • Don’t just focus on one small part; look at the whole solution
  • Which areas do you think are most likely to be vulnerable? – Start from there.

How to approach the vulnerabilities?

  • Quite different from a typical penetration test.
  • You have to focus on the whole device (not just one component).
  • But there’s a strategy for that.
  • The IoT penetration testing methodology – iotpentestingguide.com
  • It consists of 5 phases

How to start an IoT penetration test?

  • Attack Surface Mapping
  • Hacking the Embedded Device
  • Hacking Firmware
  • Hacking Mobile, Web and Cloud components
  • Hacking Radio Communications

Surface Mapping (Step1):

  • Recon
  • Understand the device
  • Any visible ports
  • What are the components
  • Communication mediums?

Surface Mapping (Step2):

Map out the attack surface (Architecture diagram)

  • What are the various entry points
  • What are the various communication mediums used?
  • Are there any additional web endpoints?
  • What is the protocol/standard which is used?
  • Are there any security specifications for the product?

CREATE AN ARCHITECTURE DIAGRAM

Now that we’ve done the attack surface mapping, the next step is performing the actual exploitation.

  • It needs to be performed in a systematic way.
  • Often one component gives insights into others.
  • Device => Dump firmware.
  • Firmware => How the communication works.

HOW TO APPROACH THE BUGS:

  • Embedded device hacking
  • Firmware, web, mobile
  • Radio: BLE, ZigBee, LoRa

EMBEDDED DEVICE HACKING:

  • Always start with the embedded device
  • I know most of you are not hardware hackers
  • But getting started isn’t “tough”
  • Look for the entry points
  • How about a quick crash course in embedded device hacking?
  • And then pointers to the resources where you can find out more.

GET STARTED:

  • Open up the device
  • There could be physical tampering protections
  • Various kinds of screws – get your screwdriver toolkit
  • Look at the chipsets
  • Use USB microscope (or actual ones)
  • Use phone’s flashlight to read off the component names.

DIG DEEP:

  • Once you open up the device, look for exposed ports
  • UART interfaces are the easiest to find and exploit
  • Use a multimeter to find out Tx, Rx and GND
  • Connect it to Attify Badge (or any USB-TTL)
  • Identify the baud rate
  • Run Minicom to get shell access

FIRMWARE HACKING:

  • Firmware analysis is straightforward (for finding basic bugs)
  • If you’re good at RE, you will be able to identify more vulnerabilities
  • Learn ARM and MIPS RE
  • Sensitive hard-coded values in firmware (API keys, encryption mechanisms, verification process, integrity checks, logins etc.)

FIRMWARE METHODOLOGY:

  • Binwalk, a tool by Craig Heffner (@devttys0)
  • binwalk -e firmware-name.bin to extract the firmware
  • Then run “firmwalker” to look for interesting entries
  • You can also modify the firmware with Firmware-Mod-Kit and flash it back to the device
  • Does the device detect firmware modifications?

FIRMWARE EXTRACTING:

  • Firmware contains a file system, which can be a source of a lot of useful information
  • Extract it using Binwalk or FMK
  • Audit it like you would inspect a standard Linux file system
  • Search for additional vulns which could affect the device
  • Advanced topics like signature & integrity verification, OTA Update mechanism

FIRMWARE ENCRYPTION:

  • Firmware may sometimes be encrypted
  • Let’s take a quick look at one such case
  • Vuln discovered by Roberto Paleari(@rpaleari) and Alessandro Di Pinto (@adipinto)
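
A first check for whether an image is encrypted at all is its per-block byte entropy, which is what binwalk -E plots. The sketch below is an added example, not code from the original post; the sample images are constructed (seeded random bytes stand in for ciphertext) and the 7.9 bits/byte threshold is an assumption.

```python
import math
import random

def shannon_entropy(block):
    """Shannon entropy of a bytes object in bits per byte (0.0 to 8.0)."""
    counts = [0] * 256
    for b in block:
        counts[b] += 1
    n = len(block)
    return -sum(c / n * math.log2(c / n) for c in counts if c)

def entropy_profile(image, block_size=4096):
    """Entropy of each full block; a short trailing block is skipped because
    small samples always score low and would look like plaintext."""
    return [shannon_entropy(image[i:i + block_size])
            for i in range(0, len(image) - block_size + 1, block_size)]

def classify(image, block_size=4096, high=7.9):
    """Coarse verdict from the share of blocks near the 8 bits/byte maximum."""
    profile = entropy_profile(image, block_size)
    if not profile:
        return "too-small"
    share = sum(e >= high for e in profile) / len(profile)
    if share >= 0.95:
        return "uniformly-high"   # encrypted, or one compressed blob with no plaintext header
    if share > 0:
        return "mixed"            # plaintext header or code plus compressed/encrypted sections
    return "plaintext"

# Constructed sample images (not real firmware).
_rng = random.Random(0)
RANDOM_64K = bytes(_rng.getrandbits(8) for _ in range(64 * 1024))   # stands in for ciphertext
TEXT_32K = (b"console=ttyS0,115200 root=/dev/mtdblock2 rootfstype=squashfs\n" * 600)[:32 * 1024]
SAMPLES = {
    "encrypted-like": RANDOM_64K,
    "header-plus-payload": TEXT_32K + RANDOM_64K[:32 * 1024],
    "unpacked-text": TEXT_32K,
}

if __name__ == "__main__":
    for name, image in SAMPLES.items():
        profile = entropy_profile(image)
        print(f"{name:20} min={min(profile):.2f} max={max(profile):.2f} -> {classify(image)}")
```

Entropy alone cannot separate encryption from compression; a "uniformly-high" image with no recognisable header is the case where extraction fails and the update mechanism has to be examined instead.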

SENSITIVE VALUES:

  • One of the easiest bugs to identify
  • For example, an IoT device I was pentesting had the creds for its FTP server, which it used to download firmware updates
  • You’ll find tons of hardcoded sensitive values – API keys, backdoors, SSL certs, staging URLs, ASCII text files to search for more vulns, interesting binaries to reverse engineer.
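
The firmwalker step in the firmware methodology and the hardcoded values listed here both come down to searching the extracted file system for secret-shaped strings, which is also how a vendor can audit an image before release. The following is an added example, not firmwalker itself or code from the original post; the patterns, file names, hosts and credential values are all constructed.

```python
import os
import re
import tempfile

# Constructed, non-exhaustive patterns for the value types named in the list above.
PATTERNS = {
    "url-with-credentials": re.compile(rb"\b(?:ftp|https?)://[^\s:/@]+:[^\s@/]+@[\w.-]+"),
    "private-key": re.compile(rb"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    "password-hash": re.compile(rb"^[a-z_][\w-]*:\$(?:1|5|6|2[aby])\$[^:\s]+:", re.M),
    "api-key-assignment": re.compile(rb"""(?i)\b(?:api[_-]?key|secret|token)\s*[=:]\s*["']?[A-Za-z0-9_-]{16,}"""),
}

def scan_rootfs(root):
    """Walk an extracted file system; return sorted (relative_path, label) findings."""
    findings = set()
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if os.path.islink(path) or not os.path.isfile(path):
                continue  # never follow symlinks or device nodes out of the extraction dir
            try:
                with open(path, "rb") as fh:
                    data = fh.read(4 * 1024 * 1024)  # cap the read per file
            except OSError:
                continue
            for label, rx in PATTERNS.items():
                if rx.search(data):
                    findings.add((os.path.relpath(path, root), label))
    return sorted(findings)

# Constructed sample tree standing in for a binwalk extraction directory.
SAMPLE_FILES = {
    "etc/shadow": b"root:$1$abcdefgh$0123456789abcdefghijkl:0:0:99999:7:::\n",
    "usr/sbin/update.sh": b"wget ftp://fwuser:Example123@updates.example.invalid/fw.bin\n",
    "etc/ssl/device.key": b"-----BEGIN RSA PRIVATE KEY-----\n(placeholder)\n",
    "etc/cloud.conf": b'url=https://staging.example.invalid\napi_key = "EXAMPLEKEY0123456789abcd"\n',
    "etc/hostname": b"camera\n",
}

def demo():
    with tempfile.TemporaryDirectory() as root:
        for rel, content in SAMPLE_FILES.items():
            path = os.path.join(root, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "wb") as fh:
                fh.write(content)
        return scan_rootfs(root)

if __name__ == "__main__":
    print("\n".join(f"{label:22} {rel}" for rel, label in demo()))
```

Every hit is a value that ships identically on every unit, so the fix is to remove it from the image or provision it per device, not to obscure it.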

ANALYZING MOBILE APPS:

  • Mobile apps can help you find lots of useful information
  • Native libraries also store secrets, so look at those too
  • RE the ARM native library
  • Understand the Java code
  • Make connections
  • Exploit the device

HACKING COMMUNICATION:

  • Radio analysis and exploitation need special hardware
  • It depends on which protocol you’re analyzing
  • But BLE and ZigBee are the most common, so focus on those
  • What kind of vulnerabilities can you identify?

HACKING ZIGBEE:

  • One of the most common radio communication protocols used in IoT devices
  • 2.4 GHz (mostly), 868 MHz and 933
  • KillerBee firmware for RzRaven and API
  • Sniff, MITM and replay ZigBee packets
  • Philips Hue Demo

HACKING BLE:

  • Hacking BLE is extremely straightforward
  • Get a BLE sniffer – Ubertooth
  • Sniff BLE traffic
  • See which handles are written with what data
  • Write to the handles yourself with Gatttool

Some research links (more can be found on Google):

https://blog.rapid7.com/2019/02/20/iot-security-introduction-to-embedded-hardware-hacking

https://www.fireeye.com/blog/threat-research/2016/08/embedded_hardwareha.html

Conclusion:

The topics mentioned above are necessary for a beginner who seeks to start a career in IoT. It will be one of the upcoming in-demand domains in cyber security, in both technical and monetary terms.

Author:

Sivanesh Kumar D, Cyber Security Intern,
Securium Solutions Pvt Ltd.
