Phone Number +1-202-802-9399 (US)

ThycoticCentrify is now Delinea!   delinea.com

The Lockdown

Thycotic’s Cyber Security Blog

An Ethical Hacker’s Guide to IoT Security Risks and Challenges: Part 2

Written by Joseph Carson

December 7th, 2021

This post is part of a series about IoT security risks and how you can minimize them.
Read Part 1 here.

Welcome to the second post in our series on the challenges associated with the Internet of Things (IoT).  In An Ethical Hacker’s Guide to IoT Security Risks and Challenges: Part 1, we took an in-depth look at the security risks and threats to IoT devices and systems, and we covered these IoT hacking methods and steps: 

  • Stage 0: Pre-Engagement
  • Stage 1: Passive Recon
  • Stage 2: The Hardware – Opening the Devices and Discover What is Inside
  • Stage 3: The Firmware Boot

 In this post, I’ll focus on the final stages: 

  • Stage 4: Analyze the Firmware and Reverse Engineering
  • Stage 5: Flashing Firmware
  • Stage 6: The Network and Radio Frequencies

STAGE 4: Analyze the Firmware and Reverse Engineering 

*Note: this example is taken from a book recommended in the resources section.

A great technique for compromising an IoT device involves downloading the firmware from the vendor’s download site(s). By getting access to the firmware binary, you can analyze it and extract it.

In this example, we look at a Netgear D6000 router firmware.

Download the firmware and extract the zip. You can then run a check on the file details:

Kali 1

You can also run strings to extract the readable characters from the binary.

Kali 2

You can now run binwalk which will search binary images of embedded files and code.

Binwalk
Binwalk

After running binwalk you should see a squashfs-root folder.

squashfs

From the squashfs-root we can search for files named ‘passwd’.  See the results below.

squashfs

We can now check the contents of the usr/etc/passwd file to see if we find anything interesting that we can use to exploit credentials.

squashfs

We can now use John to try again and crack the password.

squashfs john

As we can see, this is another weak credential that has resulted in a cracked password for the admin account. You should avoid using default or weak credentials in production environments on IoT devices since attackers can easily gain access.

The credentials in this example are the same:

User = Admin

Password = 1234

STAGE 5: Flashing Firmware

Firmware is software that enables control of a device’s hardware. Most hardware requires firmware to function, such as the BIOS for most personal computers and other firmware that can include a complete operating system.

Unfortunately, it’s all too easy to modify firmware using devices such as the Bus Pirate. Flashing Firmware of the Proxmark v3 using Bus Pirate is shown below. This can allow an attacker to modify functionality, change configurations and embed backdoors.

The Proxmark is an RFID device used to interact with many RFID tags and systems that use RFID.

Flashing Proxmark using Bus Pirate
Flashing Proxmark using Bus Pirate

Bus Pirate is an open-source multipurpose tool for programming, analyzing, and debugging many IoT devices. It’s simply a protocol emulator that supports many different interfaces, including UART, SPI, I2C and JTAG.

Bus Blaster is a JTAG debugger. The Bus Pirate also supports JTAG, but it’s extremely slow. The Bus Blaster is much better at debugging JTAG.

GreatFET One is a hardware hacking open-source tool that includes a programmable digital I/O, serial protocols supported such as SPI, I2C, UART, and JTAG. It includes many more features and is readily customizable.

Bus Pirate, Bus Blaster and GreatFET One
Bus Pirate, Bus Blaster and GreatFET One

STAGE 6: The Network and Radio Frequencies

Most IoT devices need to communicate online, whether it’s to collect and process sensor data, receive commands via an API, get new software updates or new configuration settings.

Some devices communicate via WIFI, 4G, 5G, Bluetooth, RFID, or Radio. While there are many other types of interfaces, these are the most common.

An attacker can easily intercept data communicated via these channels, so it’s extremely important that IoT devices use encryption. However, many devices do not. For example, the screenshot here illustrates using a tool called Wireshark to capture the traffic between an IoT device and the vendor for a software update.

Thus, it’s critical that you know whom these devices communicate with and how they get updated. Attackers could infiltrate the supply chain or redirect the communication to send malicious updates that include backdoor malware. The infamous SolarWinds Security Incident from 2020 is an example of this kind of hack.

IoT Water Sensor checking for Firmware Updates
IoT Water Sensor checking for Firmware Updates

You can learn more by listening to my podcast on the SolarWinds Sunburst breach that affected FireEye, the US government, and thousands of other organizations:

Podast Episode 20 - SolarWinds Sunburst Breach

If you previously checked the FCC page as mentioned in Part 1, you can also find the frequencies devices communicate.  You can now use devices such as the HackRF One to capture the data, which also allows you to replay those signals that could allow opening doors, etc.

HackRF One with PortaPack
HackRF One with PortaPack

Other techniques are to capture the WIFI Data or modify the Data using devices that allow Monitor Mode.

Wi-Fi Adapters that can Sniff IoT Traffic
Wi-Fi Adapters that can Sniff IoT Traffic

Another common communication radio frequency used is RFID. It’s typically used for tracking packages, monitoring sensors, door access keycards, and many more features. Several devices such as the Proxmark can be used to capture and read the tags data.

RFID-Capturing Devices
RFID-Capturing Devices

Once the data has been captured, it allows the attacker to write or create duplicate cards such as those shown below:

Cards used to create Duplicate Tags
Cards used to create Duplicate Tags
Reading and cloning RFID Tags
Reading and cloning RFID Tags

IoT risks, and summary

While rapidly becoming a part of all our professional and private lives, IoT devices are a security risk to most organizations and individuals. To protect your devices and users, you must perform an IoT risk impact assessment for devices you have deployed, are currently using, or planning to deploy. You need to understand exactly what the device’s functionality enables and consider turning off specific functionality that is not being used.  Review the OWASP Top 10 risks to IoT and apply the proper security controls to reduce those risks.

Educate yourself by becoming familiar with the techniques described here and try them on your own devices to understand the impacts and the risks of IoT.  Check how your devices get updated—especially from where, and how.  Know how your devices communicate and whether they are encrypted.

Always change default credentials and consider investing in a privileged access security solution to manage IoT access, create complex unique credentials for each device and get auditability when accessed.

Use the OWASP Top 10 to manage your risks

1. Weak, Guessable, or Hardcoded Passwords

2. Insecure Network Services

3. Insecure Ecosystem Interfaces

4. Lack of Secure Update Mechanism

5. Use of Insecure or Outdated Components

6. Insufficient Privacy Protection

7. Insecure Data Transfer and Storage

8. Lack of Device Management

9. Insecure Default Settings

10. Lack of Physical Hardening

For further learning I highly recommend reading the Practical IoT Hacking book from No Starch Press authored by Fotios Chantzis, Ioannis Stais, Paulino Calderon, Evangelos Deirmentzoglou, Beau Woods

Practical IoT Hacking

This post is part of a series about IoT security risks and how you can minimize them.
Read Part 1 here.

Free Cyber Security Incident Response Plan Template

The faster you respond to a cyber incident, the less damage it will cause

 

Like this post?

Get our top blog posts delivered to your inbox once a month.

SHARE THIS