An Ethical Hacker’s Guide to IoT Security Risks and Challenges: Part 2
Welcome to the second post in our series on the challenges associated with the Internet of Things (IoT). In An Ethical Hacker’s Guide to IoT Security Risks and Challenges: Part 1, we took an in-depth look at the security risks and threats to IoT devices and systems, and we covered these IoT hacking methods and steps:
- Stage 0: Pre-Engagement
- Stage 1: Passive Recon
- Stage 2: The Hardware – Opening the Devices and Discover What is Inside
- Stage 3: The Firmware Boot
In this post, I’ll focus on the final stages:
- Stage 4: Analyze the Firmware and Reverse Engineering
- Stage 5: Flashing Firmware
- Stage 6: The Network and Radio Frequencies
STAGE 4: Analyze the Firmware and Reverse Engineering
*Note: this example is taken from a book recommended in the resources section.
A great technique for compromising an IoT device involves downloading the firmware from the vendor’s download site(s). By getting access to the firmware binary, you can analyze it and extract it.
In this example, we look at a Netgear D6000 router firmware.
Download the firmware and extract the zip. You can then run a check on the file details:
You can also run strings to extract the readable characters from the binary.
You can now run binwalk which will search binary images of embedded files and code.
After running binwalk you should see a squashfs-root folder.
From the squashfs-root we can search for files named ‘passwd’. See the results below.
We can now check the contents of the usr/etc/passwd file to see if we find anything interesting that we can use to exploit credentials.
We can now use John to try again and crack the password.
As we can see, this is another weak credential that has resulted in a cracked password for the admin account. You should avoid using default or weak credentials in production environments on IoT devices since attackers can easily gain access.
The credentials in this example are the same:
User = Admin
Password = 1234
STAGE 5: Flashing Firmware
Firmware is software that enables control of a device’s hardware. Most hardware requires firmware to function, such as the BIOS for most personal computers and other firmware that can include a complete operating system.
Unfortunately, it’s all too easy to modify firmware using devices such as the Bus Pirate. Flashing Firmware of the Proxmark v3 using Bus Pirate is shown below. This can allow an attacker to modify functionality, change configurations and embed backdoors.
The Proxmark is an RFID device used to interact with many RFID tags and systems that use RFID.
Bus Pirate is an open-source multipurpose tool for programming, analyzing, and debugging many IoT devices. It’s simply a protocol emulator that supports many different interfaces, including UART, SPI, I2C, and JTAG.
Bus Blaster is a JTAG debugger. The Bus Pirate also supports JTAG, but it’s extremely slow. The Bus Blaster is much better at debugging JTAG.
GreatFET One is a hardware hacking open-source tool that includes a programmable digital I/O, serial protocols supported such as SPI, I2C, UART, and JTAG. It includes many more features and is readily customizable.
STAGE 6: The Network and Radio Frequencies
Most IoT devices need to communicate online, whether it’s to collect and process sensor data, receive commands via an API, get new software updates or new configuration settings.
Some devices communicate via WIFI, 4G, 5G, Bluetooth, RFID, or Radio. While there are many other types of interfaces, these are the most common.
An attacker can easily intercept data communicated via these channels, so it’s extremely important that IoT devices use encryption. However, many devices do not. For example, the screenshot here illustrates using a tool called Wireshark to capture the traffic between an IoT device and the vendor for a software update.
Thus, it’s critical that you know whom these devices communicate with and how they get updated. Attackers could infiltrate the supply chain or redirect the communication to send malicious updates that include backdoor malware. The infamous SolarWinds Security Incident from 2020 is an example of this kind of hack.
If you previously checked the FCC page as mentioned in Part 1, you can also find the frequencies devices communicate. You can now use devices such as the HackRF One to capture the data, which also allows you to replay those signals that could allow opening doors, etc.
Other techniques are to capture the WIFI Data or modify the Data using devices that allow Monitor Mode.
Another common communication radio frequency used is RFID. It’s typically used for tracking packages, monitoring sensors, door access keycards, and many more features. Several devices such as the Proxmark can be used to capture and read the tags data.
Once the data has been captured, it allows the attacker to write or create duplicate cards such as those shown below:
IoT risks, and summary
While rapidly becoming a part of all our professional and private lives, IoT devices are a security risk to most organizations and individuals. To protect your devices and users, you must perform an IoT risk impact assessment for devices you have deployed, are currently using, or planning to deploy. You need to understand exactly what the device’s functionality enables and consider turning off specific functionality that is not being used. Review the OWASP Top 10 risks to IoT and apply the proper security controls to reduce those risks.
Educate yourself by becoming familiar with the techniques described here and try them on your own devices to understand the impacts and the risks of IoT. Check how your devices get updated—especially from where, and how. Know how your devices communicate and whether they are encrypted.
Always change default credentials and consider investing in a privileged access security solution to manage IoT access, create complex unique credentials for each device and get auditability when accessed.
Use the OWASP Top 10 to manage your risks
1. Weak, Guessable, or Hardcoded Passwords
2. Insecure Network Services
3. Insecure Ecosystem Interfaces
4. Lack of Secure Update Mechanism
5. Use of Insecure or Outdated Components
6. Insufficient Privacy Protection
7. Insecure Data Transfer and Storage
8. Lack of Device Management
9. Insecure Default Settings
10. Lack of Physical Hardening
For further learning, I highly recommend listening to our recent podcast, Practical IoT Hacking with Beau Woods and Paulino Calderon. Plus, read the Practical IoT Hacking book from No Starch Press authored by Fotios Chantzis, Ioannis Stais, Paulino Calderon, Evangelos Deirmentzoglou, Beau Woods