Hacking IoT Introduction

Internet of Things (IoT)

The Internet of Things (IoT) is the ability to have devices communicate with one another via the internet or other networks, remotely tracking information to provide feedback to assist with decisions as well as sharing information, enabling communication, and allowing action and interaction through automation and machine learning.

IoT devices don’t exist in a void. A lone sensor isn’t good for developing something big, nor is a group of them, for that matter, unless they are all connected to one another and to platforms that generate data for further use. This is what we call an Internet of Things (IoT) ecosystem – a broad network of connected and interdependent devices and technologies that are applied by specialists towards a specific goal such as the creation of a smart city.

there are limitless applications to the IoT and therefore we can speak of endless coexisting IoT ecosystems. But if we simplified what is happening in the ecosystem, we will come up with a simple schema: a device collects data and sends it across the network to a platform that aggregates the data for future use by the agent. And so we have the key components to an IoT ecosystem: devices, networks, platforms, and agents.

IoT Pentesting

An IoT penetration test is the assessment and exploitation of various components present in an IoT device solution to help make the device more secure. Unlike traditional penetration tests, IoT involves several various components.

A typical penetration testing engagement looks like this infographic

Attack Surface Mapping

The process of attack surface mapping means mapping out all the various entry points that an attacker could potentially abuse in an IoT device solution. This is the first step, and one of the most important ones, in the entire IoT pentesting methodology. It also involves creating an architecture diagram of the entire product from a pentester’s perspective.

This step is useful because it helps you understand the architecture of the entire solution, and at the same time helps you establish various tests that you would run on the product, sorted by priority.

once you get a new target, take time to understand it first. This means going through all the possible channels and collecting information for example:

  • Documentation and manuals

  • online resources and posts about the product

  • Any available content or prior research about the device.

  • Any CVE or public content or prior research about the device

When we look at an IoT solution, the entire architecture can be broadly divided into three categories:

1. Embedded device.

2. Firmware, software, and applications.

3. Radio communications

Each of the categories mentioned next serve as an introduction to component with very much details

Our goal in analyzing the IoT device for attack surface mapping would be to categorize the functionality and the security threats corresponding to each category.

Embedded Devices

An embedded device is the key to any IoT device architecture and is also the “thing” in the Internet of Things. The embedded device in an IoT product can be used for several different purposes depending on the user case scenario. It could be used as a hub for the entire IoT architecture of the device, it could serve as the sensor that collects data from its physical surroundings, or it could be used as a way of displaying the data or performing the action intended by the user.

Thus, the things in Internet of Things could be used to collect, monitor, and analyze data, and perform actions.

To clarify this with a real-world example, think of a smart home IoT product. There are many devices that together make the smart home IoT product. These include a smart gateway or the hub, smart lightbulbs,motion sensors, smart switches, and additional connected devices.

Even though the devices serve different purposes, for the most part, the approach to test these devices for security issues would be the same

The following are some of the vulnerabilities found in embedded devices:

  • Serial ports exposed.

  • Insecure authentication mechanism used in the serial ports.

  • Ability to dump the firmware over JTAG or via Flash chips.

  • External media-based attacks.

  • Power analysis and side channel-based attacks

For now, let`s focus on category num 2 ( Firmware, software, and applications )

Firmware, Software, and Applications

This is the software part of an IoT device, which includes everything from the firmware that runs on the device, the mobile applications that are used to control the device, to the cloud components connected to the device, and so on.

These are also the components where you can apply the traditional pentesting experience to the IoT ecosystem. This would also involve topics such as reverse engineering of binaries of different architectures including Advanced RISC Machines (ARM) and MIPS, as well as reverse engineering of mobile applications. These components can often help you uncover many secrets and find vulnerabilities.

Examining the many ways that we can access the specific component we want to test is one of the other goals during the pentesting of software-based components. For example, in order to test the firmware for vulnerabilities, we would need access to the firmware, which is frequently difficult to obtain.

Additionally, we must put a lot of effort into reverse engineering the communication APIs in order to understand how the various IoT device components interact with one another and determine the communication protocols in use.

Firmware is a piece of code residing on the nonvolatile section of the device, allowing and enabling the device to perform different tasks required for its functioning. It consists of various components such as kernel, bootloader, file system, and additional resources. It also helps in the functioning of various hardware components for the IoT device.

If we look at a real-world IoT device, a smart home will have the following components:

Mobile application: This allows us to control the smart devices—turning the lights on and off, adding new devices to the smart home system, and so on. Typically,you will have mobile applications for Android and iOS platforms, which are the two dominant mobile application platforms as of this writing.

There are several attacks that are possible in mobile applications that could reveal sensitive information from the device or how the device works.

Web-based dashboard: This allows the user to monitor the device, view analytics and usage information, control permissions for the devices, and so on. Most of the IoT devices that you will encounter will have a web interface where you can access the data sent from the device to the web endpoint. If the web application is vulnerable, it could allow you to access unauthorized data, which could be the data of the same user or any other user using the same IoT device, which has been the case with many IoT devices in the past, notably baby monitors

Insecure network interfaces: These are the components of the IoT device that are exposed over the network and could be compromised because of vulnerabilities in the exposed network interface. This could be either an exposed port that accepts connection to the service without any sort of authentication, or a service that is running a vulnerable and outdated version that has known vulnerabilities against that specific version.

Firmware: This controls the various components on the device and is responsible for all the actions on the device. You can think of it as the component that holds the keys to the kingdom. Pretty much anything that you can imagine that could be extracted from the device can be found in the firmware

Getting the Firmware Binary

The first thing to learn to perform IoT exploitation is to get hold of the device’s firmware. Depending on the device you are targeting, the ways of getting to the firmware binary may be different.

  • Getting it online is one of the most common ways of getting hold of the firmware binary. As you go further in your IoT security journey, you will notice that a lot of manufacturers decide to put their firmware binary package online on either their Support page or the Downloads section of their website.

  • Extracting from the device. This means that once you have physical access to the device, using various hardware exploitation techniques, you can dump the firmware from the device’s flash chip and then run additional analysis on it

  • Sniffing Over the Air (OTA) is another common technique of getting to the firmware binary package while the device is performing an update.

The process here is to set up a network interceptor for the device. As soon as the device queries for downloading the new firmware image from the server, you will be able to extract it from the network capture.

Extracting Firmware

Once we have a firmware image, one of the most important things we can do with it is extract the file system from the binary image.

In this example I used binwalk. This tool helps us with the extraction of the file system from a firmware binary image.

Setting up Binwalk on kali linux is quite straightforward:

sudo apt install binwalk

let`s assume that we have a bin firmware ready to download

Once we have the firmware, let’s fire up Binwalk and extract it

sudo binwalk -Me –dd=".*" {product_firmware.bin} --run-as=root

After binwalk extracts our firmware, we will notice a new dir /{SOME PRODUCT FIRM.BIN}.extracted which contains these dirs and files.

At this point, it’s essential to get a deeper knowledge of what firmware holds.

To understand firmware, we must first understand the specific things that firmware holds.

  1. Bootloader: A bootloader for an embedded system is responsible for numerous tasks such as initializing various critical hardware components and allocating the required resources.

  2. Kernel: Kernel is one of the core components of the entire embedded device. Speaking at a very general level, a kernel is simply an intermediary layer between the hardware and the software.

  3. File system: The file system is where all the individual files necessary for the embedded device runtime are stored. This also includes components such as web servers and network services.

But this maybe differ from one firmware to another depends on the product.

At this point, we explained almost the essential information or small part of what we need to know before doing IoT Hacking.

Conclusion

Many innovative and fascinating applications are now possible through the Internet of Things (IoT), but it also creates many new risks related to information security. IoT systems and gadgets are notoriously unsafe, as demonstrated by a number of recent attacks against them. Additionally, It has also been shown that a major part of the attacks resulted in full adversarial control over IoT devices, and the reason for this is that IoT devices themselves are weakly protected and they often cannot resist even the most basic attacks.

For me, it was very exciting to learn more about this topic and I will continue to search about it.

Reference

  • The IoT Hacker's Handbook

Thanks For Reading, Hope you enjoyed it 😊

PreviousHow To Pass Your eJPT ExamNextHacking wireless by monitoring

Last updated