Ethical Hacking v10 Module 20 - IoT Hacking

Post on 17-Mar-2022


Goals
• Understand IoT concepts
• Describe IoT threats and attacks
• Understand IoT hacking methodology
• Describe IoT hacking tools
• Describe IoT hacking countermeasures
• List IoT security tools
• Describe IoT penetration testing

Module 20.0 IoT Hacking
• 20.1 IoT Concepts
• 20.2 IoT Vulnerabilities and Attacks
• 20.3 IoT Hacking Methodology and Tools
• 20.4 IoT Hacking Countermeasures
• 20.5 IoT Penetration Testing

20.1 IoT Concepts

What is IoT?
• Internet of Things
• Internet of Everything
• Anything that can be connected to a network:
  • Industrial devices
  • Embedded devices
  • Wearable devices
  • Healthcare devices
  • Home devices
  • Buildings, HVAC, alarm systems

IoT Application Areas and Devices

Columns: Service Sector / Application Group / Location / Devices

Buildings
  Application group: Commercial; Industrial
  Location: Office; Education; Retail; Hospitality; Healthcare; Airports; Stadiums
  Devices: HVAC; Transport; Fire & Safety; Lighting; Security; Access

Energy
  Application group: Supply/Demand; Oil/Gas; Alternative
  Location: Power generators; Transportation & Distribution; Low Voltage; Power Quality; Energy management; Solar & Windmills; Electrochemical; Rigs, derricks, pumps; Pipelines
  Devices: Turbines; Windmills; UPS; Batteries; Generators; Meters; Drills; Fuel Cells

Consumer and Home
  Application group: Infrastructure; Awareness & Safety; Convenience and Entertainment
  Location: Wiring, network access, energy management; Security/Alerts, Fire safety, Elderly, Children, Power protection; HVAC/Climate, Lighting, Appliances, Entertainment
  Devices: Cameras, power systems, e-Readers, dishwashers, desktop computers, washers/dryers, meters, lights, TVs, MP3 players, gaming consoles, alarms

Healthcare and Life Sciences
  Application group: Care; In Vivo/Home; Research
  Location: Hospital, ER, Mobile, PoC, Clinic, Labs, Doctor's office; Implants, Home, monitoring systems; Drug discovery, diagnostics, labs
  Devices: MRI, PDAs, Implants, health monitors, Surgical Equipment, Pumps, Monitors, Telemedicine

Transportation
  Application group: Non-Vehicular; Vehicles; Transportation Systems
  Location: Air, Rail, Marine; Consumer, Commercial, Construction, Off-Highway; Tools, traffic management, navigation
  Devices: Vehicles, lights, ships, planes, signage, tolls

Industrial
  Application group: Resource automation; Fluid/Processes; Converting/Discrete; Distribution
  Location: Mining, irrigation, agriculture, woodland; Petrochemical, hydro, carbons, food, beverage; Metals, papers, rubber/plastic; Metalworking, Electronics, Assembly/testing
  Devices: Pumps, valves, vats, conveyors, fabrication, assembly/packaging, vessels, tanks

Retail
  Application group: Specialty; Hospitality; Stores
  Location: Fuel stations, Gaming, Bowling, Cinemas, Discos, Special Events; Hotel restaurants, bars, cafes, clubs; Supermarkets, shopping centers, single site, distribution
  Devices: POS Terminals, Tags, Cash Registers, Vending machines, Signs, inventory control

Security / Public Safety
  Application group: Surveillance; Equipment; Tracking; Public Infrastructure
  Location: Radar/satellite, environmental, military, unmanned, fixed; Human, animal, postal, food, health, beverage; Water treatment, building, environmental equipment, personnel, police, fire, regulatory
  Devices: Tanks, fighter jets, battlefields, jeeps, cars, ambulance, Homeland security, Environment, Monitoring

IT and Networks
  Application group: Public; Enterprise
  Location: Services, e-Commerce, data centers, mobile carriers, ISPs
  Devices: Servers, storage, PCs, routers, switches, PBXs

How IoT Works
• Sensing technology
  • Gathers telemetry
• IoT gateway
  • Connects the device to the Internet
• Cloud services
  • Cloud-based storage
• Cloud server/data storage
  • Connected through web services
• Remote control
  • Mobile app

IoT Architecture
• Application Layer
  • Delivery of services to end users
• Middleware Layer
  • Sits between the application layer and the hardware layer
  • Data management
  • Data analysis and aggregation
  • Data filtering
  • Device information discovery
  • Access control
• Internet Layer
  • Device-to-device
  • Device-to-cloud
  • Device-to-gateway
  • Back-end data sharing
• Access Gateway Layer
  • Connection between device and client
  • Very first data handling
  • Message routing, identification, subscribing
• Edge Technology Layer
  • Devices
  • RFID tags
  • Sensors

IoT Technologies and Protocols

Short-Range Wireless Communications
• Bluetooth Low Energy
• Light-Fidelity (Li-Fi)
• NFC
• QR codes/barcodes
• RFID
• Thread
• Wi-Fi
• Wi-Fi Direct
• Z-Wave
• ZigBee

Medium-Range Wireless Communications
• HaLow
• LTE-Advanced

Long-Range Wireless Communications
• Low-power WAN (LPWAN)
• Very Small Aperture Terminal (VSAT)
• Cellular

Wired Communications
• Ethernet
• Multimedia over Coax Alliance (MoCA)
• Power-line Communication (PLC)

IoT Operating Systems
• RIOT OS
• ARM embedded OS
• RealSense OS X
• Nucleus RTOS
• Brillo
• Contiki
• Zephyr
• Ubuntu Core
• Integrity RTOS
• Apache Mynewt
• Windows 10 IoT Core

Challenges of IoT
• Lack of security and privacy
  • Most devices are connected to the Internet
  • They contain important and confidential data
  • They lack even basic security
• Vulnerable web interfaces
  • Many devices have embedded web servers that make them vulnerable
• Legal, regulatory and rights issues
  • No existing laws address the interconnection of IoT devices
• Default, weak, or hard-coded credentials
• Clear-text protocols
• Unnecessary open ports
• Coding errors
  • Buffer overflows
  • SQL injection
• Storage issues
  • Small storage capacity, yet limitless data collection
• Difficult to update firmware and OS
• Interoperability
  • Inability of manufacturers to test APIs using common methods and mechanisms
• Physical theft and tampering
• Lack of vendor support for fixing vulnerabilities
• Emerging economy and development issues
  • Policy makers have yet to catch up

20.2 IoT Vulnerabilities and Attacks

OWASP Top 10 IoT Vulnerabilities

#1 Insecure Web Interface
#2 Insufficient Authentication/Authorization
#3 Insecure Network Services
#4 Lack of Transport Encryption/Integrity Verification
#5 Privacy Concerns
#6 Insecure Cloud Interface
#7 Insecure Mobile Interface
#8 Insufficient Security Configurability
#9 Insecure Software/Firmware
#10 Poor Physical Security

IoT Attack Surfaces
• Device memory
  • Clear-text credentials
  • Third-party credentials
  • Vulnerable encryption keys
• Ecosystem access control
  • Implicit trust between components
  • Weak restrictions allow enrolling malicious devices
• Device physical interfaces
  • Hidden OS vulnerabilities can be exposed if the firmware is accessed
  • Possible user access to administrative features/CLI
• Device web interface
  • SQL injection
  • XSS
  • XSRF
  • Weak passwords
  • Absence of account lockout
  • Known default credentials
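As an added illustration that is not part of the course material, the Go program below shows how a device's web interface can close the last three items on that list (weak passwords, absence of account lockout, known default credentials) and the related countermeasures this module gives later (disable guest and demo accounts, implement any existing lockout feature). It refuses to provision a known factory default, locks an account after repeated failures, allows guest/demo accounts to be disabled, and answers unknown user names and wrong passwords identically so user names cannot be enumerated. The thresholds, the default-credential list and the account names are constructed for this example; a real device would store a salted, slow password hash rather than a bare SHA-256.

```go
package main

import (
	"crypto/sha256"
	"crypto/subtle"
	"fmt"
	"time"
)

// Policy values assumed for this example.
const (
	maxFailures    = 5
	lockoutFor     = 15 * time.Minute
	minPasswordLen = 12
)

// Constructed sample of factory defaults the device refuses to keep.
var defaultCredentials = map[string]string{
	"admin": "admin",
	"root":  "1234",
	"guest": "guest",
}

type account struct {
	hash        [32]byte // SHA-256 of the password; a real device should use a salted, slow KDF
	failures    int
	lockedUntil time.Time
	enabled     bool
}

// Authenticator holds the device's local accounts; now is injectable so lockout windows can be tested.
type Authenticator struct {
	accounts map[string]*account
	now      func() time.Time
}

func NewAuthenticator(now func() time.Time) *Authenticator {
	return &Authenticator{accounts: map[string]*account{}, now: now}
}

// SetPassword provisions or changes a credential, rejecting known factory defaults and short passwords.
func (a *Authenticator) SetPassword(user, password string) error {
	if pw, ok := defaultCredentials[user]; ok && pw == password {
		return fmt.Errorf("refusing known default credential for %q", user)
	}
	if len(password) < minPasswordLen {
		return fmt.Errorf("password for %q is shorter than %d characters", user, minPasswordLen)
	}
	a.accounts[user] = &account{hash: sha256.Sum256([]byte(password)), enabled: true}
	return nil
}

// Disable switches off a guest/demo style account; it stays in the table so its history is kept.
func (a *Authenticator) Disable(user string) {
	if acc, ok := a.accounts[user]; ok {
		acc.enabled = false
	}
}

// Login succeeds only for an enabled, unlocked account with a matching password.
// Unknown users and wrong passwords get the same answer, so user names cannot be enumerated.
func (a *Authenticator) Login(user, password string) bool {
	acc, ok := a.accounts[user]
	if !ok || !acc.enabled {
		var dummy [32]byte
		subtle.ConstantTimeCompare(dummy[:], dummy[:]) // keep timing similar to the real comparison
		return false
	}
	now := a.now()
	if now.Before(acc.lockedUntil) {
		return false // locked out: even the right password is refused until the window expires
	}
	got := sha256.Sum256([]byte(password))
	if subtle.ConstantTimeCompare(got[:], acc.hash[:]) != 1 {
		acc.failures++
		if acc.failures >= maxFailures {
			acc.lockedUntil = now.Add(lockoutFor)
			acc.failures = 0
		}
		return false
	}
	acc.failures = 0
	return true
}

func main() {
	auth := NewAuthenticator(time.Now)
	fmt.Println(auth.SetPassword("admin", "admin"))                 // refused: factory default
	fmt.Println(auth.SetPassword("admin", "correct-horse-battery")) // <nil>
	for i := 0; i < maxFailures; i++ {
		auth.Login("admin", "wrong")
	}
	fmt.Println(auth.Login("admin", "correct-horse-battery")) // false: account is locked
}
```

The lockout is keyed on the account rather than the source address because IoT devices are usually reached through a gateway or NAT, where all clients share one address; a per-address counter would either lock out everyone or nobody.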

IoT Attack Surfaces (cont'd)
• Device firmware
  • Hard-coded credentials
  • Leak of sensitive data via URLs
  • Poorly protected encryption keys
• Device network services
  • Standard network risks (information disclosure, DoS, UPnP, UDP services)
• Administrative interface
  • SQL injection
  • XSS/XSRF
  • Username enumeration and default credentials
  • Weak passwords
  • Inability to wipe the device
• Local data storage
  • Unencrypted data
  • Data encryption keys are discoverable
  • Lack of data integrity checks
• Cloud web interface
  • Weak or missing transport encryption
  • All of the common cloud/web issues
• Update mechanism
  • Updates sent without encryption
  • Updates not signed
  • No mechanism for updates
• Third-party back-end APIs
  • Unencrypted PII/PHI
  • Device information leakage
• Mobile applications
  • Implicitly trusted by device or cloud
  • All of the common mobile app issues
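The "update mechanism" surface above (updates not signed) is also what the firmware step of the penetration test later in this module is checking for ("see if the firmware is cryptographically signed, and has an update mechanism"). The following Go program is an added example, not code from the course or any vendor: a vendor-side signer and the device-side verifier it pairs with. The update package layout (a 4-byte version, an Ed25519 signature over the version and the SHA-256 of the image, then the image), the pinned public key and the anti-rollback rule are this example's own assumptions; the point is that a tampered, unsigned or downgraded image is rejected before anything reaches flash.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// Constructed update package layout used by this example (not any vendor's format):
//   [4 bytes big-endian version][64-byte Ed25519 signature over version||sha256(image)][image]
const sigLen = ed25519.SignatureSize

var (
	ErrTooShort = errors.New("update package too short")
	ErrBadSig   = errors.New("update signature does not verify")
	ErrRollback = errors.New("update version is not newer than the installed version")
)

// signedPayload is what gets signed: the version header plus the image digest, so that
// neither the version nor the image can be changed without invalidating the signature.
func signedPayload(hdr, image []byte) []byte {
	h := sha256.Sum256(image)
	return append(append([]byte{}, hdr...), h[:]...)
}

// SignUpdate is the build-system side; the private key never leaves the vendor.
func SignUpdate(priv ed25519.PrivateKey, version uint32, image []byte) []byte {
	hdr := make([]byte, 4)
	binary.BigEndian.PutUint32(hdr, version)
	sig := ed25519.Sign(priv, signedPayload(hdr, image))
	return bytes.Join([][]byte{hdr, sig, image}, nil)
}

// VerifyUpdate is the device side: check the signature against the pinned vendor public key,
// then refuse any version that is not newer than what is installed (anti-rollback).
// The image is returned only when both checks pass.
func VerifyUpdate(pub ed25519.PublicKey, installed uint32, pkg []byte) ([]byte, uint32, error) {
	if len(pkg) < 4+sigLen {
		return nil, 0, ErrTooShort
	}
	hdr, sig, image := pkg[:4], pkg[4:4+sigLen], pkg[4+sigLen:]
	if !ed25519.Verify(pub, signedPayload(hdr, image), sig) {
		return nil, 0, ErrBadSig
	}
	version := binary.BigEndian.Uint32(hdr)
	if version <= installed {
		return nil, 0, ErrRollback
	}
	return image, version, nil
}

func main() {
	// Constructed key pair and image; on a real device only the public key is present.
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	image := []byte("constructed firmware image bytes")
	pkg := SignUpdate(priv, 2, image)

	_, v, err := VerifyUpdate(pub, 1, pkg)
	fmt.Println(v, err) // 2 <nil>

	tampered := append([]byte{}, pkg...)
	tampered[len(tampered)-1] ^= 0xff // flip one byte of the image
	_, _, err = VerifyUpdate(pub, 1, tampered)
	fmt.Println(err) // update signature does not verify
}
```

Transport encryption (the other update-mechanism item) protects the image in transit but is no substitute for this check: a signature lets the device reject a bad image no matter how it arrived, including from a compromised update server or a replayed older package.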

IoT Mobile App Attack Surface Example

IoT Attack Surfaces (cont'd)
• Vendor back-end APIs
  • Inherent trust of cloud or mobile app
  • Weak authentication/authorization/access control
• Ecosystem communications
  • Vulnerable medical devices can put a patient's life at risk
  • Vulnerable medical devices are connected to many monitors and sensors
  • Potential points of entry into the hospital network
  • Lack of verification of any commands
  • Improperly decommissioned devices that are still connected to the network
• Network traffic
  • Absence of any robust LAN security

Common IoT Threats
• DDoS
• Exploiting HVAC
• Rolling code
• BlueBorne attack
• Jamming
• Remote access / backdoor
• Remote access using telnet
• Sybil attack
• Exploit kits
• MITM
• Replay
• Forged malicious devices
• Side-channel attack
• Ransomware attack

20.3 IoT Hacking Methodology and Tools

IoT Device Hacking
• Information gathering
  • Shodan.io
  • Censys.io
  • Thingful.net
  • Z-Wave Sniffer
  • CloudShark
  • Ubiqua Protocol Analyzer
  • Wireshark
  • Multiping
  • Nmap
  • RIoT Vulnerability Scanner
  • Foren6
• Vulnerability scanning
  • beSTORM fuzzer
  • Metasploit
  • IoTsploit
  • IoTSeeker
  • Bitdefender Home Scanner
  • IoTInspector
• Attack
  • RFCrack - obtain vehicle unlock rolling code
  • Attify Zigbee - attack Zigbee devices
  • HackRF One - BlueBorne attack (replay, fuzzing, jamming)
  • Firmalyzer Enterprise - automated security assessment
  • ChipWhisperer
  • Rfcat-rolljam
  • KillerBee
  • GATTack.io
  • JTAGULATOR
  • Firmware Analysis Toolkit
• Gain remote access
  • Telnet
• Maintain access
  • Firmware Mod Kit - exploit firmware

20.4 IoT Hacking Countermeasures

Defend Against IoT Hacking
• Approach security as a unified, integrated, holistic system
• Disable guest and demo accounts if enabled
• Implement any existing lockout feature
• Implement the strongest available authentication mechanism
• Locate control system networks and devices behind firewalls, and isolate them from the business network
• Implement IDS/IPS on the network
• Implement end-to-end encryption using PKI when possible
• Use VPNs when possible

Defend Against IoT Hacking (cont'd)
• Only allow trusted IP addresses to access the device from the Internet
• Disable telnet (TCP 23)
• Disable UPnP ports on routers
• Protect devices from physical tampering
• Patch vulnerabilities and update firmware if available
• Monitor traffic on port 48101, as infected devices tend to use this port
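Three of those items (trusted addresses only, telnet disabled, watch port 48101) can be checked continuously rather than once. The Go program below is an added example, not part of the module: it reads a constructed flow log and raises a finding for any telnet flow to a device, any flow involving port 48101, and any management connection to a device that comes from outside both the device subnet and the allowlist. The log line format, the device subnet (192.168.10.0/24), the allowlisted range (203.0.113.0/24) and the set of management ports are assumptions made for the example.

```go
package main

import (
	"fmt"
	"net"
	"strconv"
	"strings"
)

// Constructed flow-log sample used by this example. One flow per line:
//   <src ip> <src port> <dst ip> <dst port> <proto> <bytes>
const sampleFlows = `192.168.10.44 51234 192.168.10.20 23 tcp 840
203.0.113.7 40001 192.168.10.20 443 tcp 2200
198.51.100.9 40002 192.168.10.20 443 tcp 1800
192.168.10.21 48101 10.0.0.5 48101 tcp 512
192.168.10.22 52000 192.168.10.1 53 udp 96`

// Finding names the rule that fired and the log line that triggered it.
type Finding struct {
	Rule string
	Line string
}

type flow struct {
	src, dst         net.IP
	srcPort, dstPort int
	proto            string
}

// parseFlow parses one log line; malformed lines are skipped rather than guessed at.
func parseFlow(line string) (flow, bool) {
	f := strings.Fields(line)
	if len(f) < 6 {
		return flow{}, false
	}
	srcPort, err1 := strconv.Atoi(f[1])
	dstPort, err2 := strconv.Atoi(f[3])
	src, dst := net.ParseIP(f[0]), net.ParseIP(f[2])
	if err1 != nil || err2 != nil || src == nil || dst == nil {
		return flow{}, false
	}
	return flow{src: src, dst: dst, srcPort: srcPort, dstPort: dstPort, proto: strings.ToLower(f[4])}, true
}

func inAny(ip net.IP, nets []*net.IPNet) bool {
	for _, n := range nets {
		if n.Contains(ip) {
			return true
		}
	}
	return false
}

// CheckFlows turns three of the module's countermeasures into detections:
//   - telnet (TCP 23) is supposed to be disabled, so any flow to it on a device is a finding;
//   - port 48101 is the port the module says infected devices tend to use;
//   - management ports on devices may only be reached from inside or from trusted addresses.
func CheckFlows(logText string, deviceNets, trusted []*net.IPNet, mgmtPorts map[int]bool) []Finding {
	var out []Finding
	for _, line := range strings.Split(strings.TrimSpace(logText), "\n") {
		fl, ok := parseFlow(line)
		if !ok {
			continue
		}
		switch {
		case fl.proto == "tcp" && fl.dstPort == 23 && inAny(fl.dst, deviceNets):
			out = append(out, Finding{"telnet-to-device", line})
		case fl.srcPort == 48101 || fl.dstPort == 48101:
			out = append(out, Finding{"port-48101-traffic", line})
		case inAny(fl.dst, deviceNets) && mgmtPorts[fl.dstPort] &&
			!inAny(fl.src, deviceNets) && !inAny(fl.src, trusted):
			out = append(out, Finding{"untrusted-remote-management", line})
		}
	}
	return out
}

func mustCIDR(s string) *net.IPNet {
	_, n, err := net.ParseCIDR(s)
	if err != nil {
		panic(err)
	}
	return n
}

// RunSample evaluates the constructed log with the policy assumed for this example.
func RunSample() []Finding {
	return CheckFlows(sampleFlows,
		[]*net.IPNet{mustCIDR("192.168.10.0/24")}, // where the IoT devices live (assumed)
		[]*net.IPNet{mustCIDR("203.0.113.0/24")},  // addresses allowed to manage them (assumed)
		map[int]bool{22: true, 80: true, 443: true})
}

func main() {
	for _, f := range RunSample() {
		fmt.Printf("%-28s %s\n", f.Rule, f.Line)
	}
}
```

Against the sample log this reports the telnet flow, the connection from 198.51.100.9 (not on the allowlist) and the 48101 flow, and stays quiet about the allowlisted client and the DNS lookup. Feeding it real firewall or NetFlow exports only requires changing parseFlow to the export's column layout.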

Defend Against IoT Hacking (cont'd)
• Ensure that a vehicle has only one identity
• Implement data privacy and protection as much as possible
• Implement data authentication, authenticity, and encryption wherever possible

OWASP Top 10 IoT Vulnerabilities Solutions

IoT Security Tools
• SeaCat.io
• DigiCert IoT Security Solution
• Pulse: IoT Security Platform
• Symantec IoT Security
• Google Cloud IoT
• Net-Shield
• Trustwave Endpoint Protection Suite
• NSFOCUS ADS
• Darktrace
• Noddos
• Norton Core
• Cisco IoT Threat Defense
• AWS IoT Device Defender
• Zvelo IoT Security Solution
• Cisco Umbrella
• Carwall
• Bayshore Industrial Cyber Protection Platform

20.5 IoT Penetration Testing

1. Discover IoT Devices
• Shodan
• Censys
• Thingful
• Multiping

2. Perform Hardware Analysis
• Evaluate physical and hardware components
• See if you can connect to JTAG, SWD or USB interfaces
• Use tools like:
  • JTAG dongle
  • Digital storage oscilloscope
  • Software-defined radio

3. Perform Firmware and OS Analysis
• See if the firmware is cryptographically signed, and has an update mechanism
• Use tools such as:
  • IoTInspector
  • Binwalk
  • Firmware Mod Kit
  • Firmalyzer Enterprise

4. Conduct Wireless Protocol Analysis
• See if you can connect using:
  • ZigBee
  • Bluetooth LE
  • 6LoWPAN
• Attempt to perform replay and MITM attacks
• Attempt to gain unauthorized network access
• Try to fuzz test the device
• Use tools such as:
  • Ubiqua Protocol Analyzer
  • Perytons Protocol Analyzer
  • Wireshark
  • SoapUI Pro
  • Attify Zigbee
  • Z3sec

Attify Zigbee Example

5. Conduct Mobile App Testing
• Attempt to penetrate mobile apps that connect with the IoT device
• Try to access storage, and bypass authentication and authorization
• Use tools such as:
  • X-Ray
  • Threat Scan
  • Norton Halt exploit defender
  • Shellshock Scanner - Zimperium
  • Hackode
  • BlueBorne
  • EternalBlue Vulnerability Scanner

BlueBorne Example

6. Perform Web App Testing
• Try typical attacks against a web app, including buffer overflows, SQL injection, bypassing authentication, XSS/XSRF, code execution
• Use tools such as:
  • Sauce Labs Functional Testing
  • PowerSploit
  • Kali Linux
  • WAFNinja
  • Arachni

WAFNinja Example

7. Perform Cloud Services Testing
• Try to gain unauthorized access to cloud services for the IoT device
• Use tools such as:
  • ZEPHYR
  • SOASTA CloudTest
  • LoadStorm PRO
  • BlazeMeter
  • Nexpose

8. Document All Findings
• Analyze all findings
• Make any recommendations
• Provide all findings in a report

IoT Hacking Review
• The Internet of Things is the connection of any type of device (industrial, scientific, home/consumer, public health and safety, etc.) to a network, and ultimately the Internet
• IoT devices may require a gateway to connect them to the cloud
• Ultimately, IoT devices can be remotely accessed and managed across a network and often the cloud
• Most IoT devices have few if any security features
• There are currently few or no laws governing IoT devices and the data they process
• IoT is a new, uncharted frontier in cyber security