CEHv11 Module 17 - Hacking Mobile Platforms and IoT
IoT Hacking Methodology
1. Information Gathering; 2. Vulnerability Scanning; 3. Launching Attacks; 4. Gaining Access; 5. Maintaining Access
Pairing Mode - Pairable
Accepts all requests
Super Bluetooth Hack
All-in-one package that allows you to do almost anything
Android Device Administration API
Allows for security-aware apps that may help
Improve Mobile Security
Always check OS and apps are up to date; Screen locks and passwords; Secure wireless communication; No jailbreaking or rooting; Don't store sensitive information on mobile; Remote desktop; Use official app stores; Anti-virus; Remote wipe option; Remote management; Remote tracking
Brillo
Android-based OS; generally found in thermostats
BT Browser
Another tool for finding and enumerating devices
Discovery Mode - Discoverable
Answers all inquiries
Bluesniffing
Attempt to discover Bluetooth devices
Smishing Trojans available to send
Bad Fakedefender TRAMPS ZitMo
Bluetooth Attack Tools
BlueScanner; BT Browser; Bluesniff and btCrawler; Bloomer; PhoneSnoop; Super Bluetooth Hack
Bluetooth Attacks
Bluesmacking; Bluejacking; Bluesniffing; Bluebugging; Bluesnarfing; Blueprinting
IoT Short Range Wireless
Bluetooth Low Energy (BLE); Light Fidelity (Li-Fi); Near Field Communication (NFC); QR Codes & Barcodes; Radio-Frequency Identification (RFID); Wi-Fi / Wi-Fi Direct; Z-Wave; Zigbee
Bloomer
Can perform Bluebugging
Blueprinting
Collecting device information over Bluetooth
Methods of Communicating - IoT - Device to Gateway
Communicates with a centralized gateway that gathers data and then sends it to an application server based in the cloud
Methods of Communicating - IoT - Device to Cloud
Communicates directly to a cloud service
Edge Technology Layer (IoT)
Consists of sensors, RFID tags, readers and the devices
Internet Layer (IoT)
Crucial layer which serves as the main component allowing communication
IoT Threats
DDoS; HVAC system attacks; Rolling code attacks; BlueBorne attack; Jamming attack; Remote access via backdoors; Remote access via unsecured protocols such as TELNET; Sybil attack; Rootkits/Exploit kits; Ransomware
Bring Your Own Device (BYOD)
Dangerous for organizations because not all phones can be locked down by default
Bluesmacking
Denial of service against device
IoT - Internet of Things
Describes the network of physical objects - "things" - that are embedded with sensors, software, and other technologies for the purpose of connecting and exchanging data with other devices and systems over the internet
Three main avenues of attack for Mobile platform hacking
Device attacks; Network attacks; Data center (cloud) attacks
Common IoT Attack Areas
Device memory containing credentials; Device/ecosystem access control; Device physical interfaces / firmware extraction; Device web interface; Device firmware; Device network services; Device administrative interface(s); Unencrypted local data storage; Cloud interface(s); Device update mechanism(s); Insecure APIs (vendor & third-party); Mobile application; Confidentiality and integrity issues across the ecosystem; Network traffic
Jailbreaking
Different levels of rooting an iOS device
Methods of Communicating - IoT - Device to Device
Direct communication between two devices
Edge Computing
Distributed computing paradigm in which processing and computation are performed mainly on classified device nodes known as smart devices or edge devices, as opposed to being processed in a centralized cloud environment or data centers
Multi-Layer Architecture of IoT
Edge Technology Layer; Access Gateway Layer; Internet Layer; Middleware Layer; Application Layer
RIOT OS
Embedded systems, actuator boards, sensors; energy efficient
IoT Wired Communication
Ethernet; Power-Line Communication (PLC); Multimedia over Coax Alliance (MoCA)
BlueScanner
Finds devices around you
Countermeasures to help secure IoT Devices
Firmware updates; Block ALL unnecessary ports; Disable insecure access protocols such as TELNET; Only use encrypted communication protocols; Use strong passwords; Encrypt ALL data and communications coming into, being stored in and leaving the device; Use account lockout; Configuration management and baselining of devices along with compliance monitoring; Use multi-factor authentication; Disable UPnP
Access Gateway Layer (IoT)
First data handling, message identification and routing
Integrity RTOS
Found in aerospace, medical, defense, industrial and automotive sensors
iBoot Exploit
Found in the boot loader called iBoot; uses a vulnerability to turn codesign off; semi-tethered; can be patched
Userland Exploit
Found in the system itself; gains root access; does not provide admin; can be patched by Apple
PhoneSnoop
Good spyware option for BlackBerry
IoT Medium Range Wireless
HaLow; LTE-Advanced
Pairing Mode
How the device deals with pairing requests
Discovery Mode
How the device reacts to inquiries from other devices
OWASP Top 10 for IoT
I1 - Insecure Web Interface; I2 - Insufficient Authentication/Authorization; I3 - Insecure Network Services; I4 - Lack of Transport Encryption/Integrity Verification; I5 - Privacy Concerns; I6 - Insecure Cloud Interface; I7 - Insecure Mobile Interface; I8 - Insufficient Security Configurability; I9 - Insecure Software/Firmware; I10 - Poor Physical Security
Bluetooth Attacks - Mobile
If a mobile device can be connected to easily, it can fall prey to Bluetooth attacks
Discovery Mode - Nondiscoverable
Ignores all inquiries
RealSense OS X
Intel's depth sensing version; mostly found in cameras and other sensors
Fog Computing
Keeps things locally
Untethered
Kernel remains patched after reboot, with or without a system connection
Tools for Rooting
KingoRoot; TunesGo; OneClickRoot; MTK Droid
Mobile Device Management
Like group policy on Windows; helps enforce security and deploy apps from enterprise
IoT Long-Range Wireless
Low-Power Wide-Area Networking (LPWAN); LoRaWAN; Sigfox; Very Small Aperture Terminal (VSAT); Cellular
OWASP Top 10 mobile risks
M1 - Improper Platform Usage; M2 - Insecure Data Storage; M3 - Insecure Communication; M4 - Insecure Authentication; M5 - Insufficient Cryptography; M6 - Insecure Authorization; M7 - Client Code Quality; M8 - Code Tampering; M9 - Reverse Engineering; M10 - Extraneous Functionality
Mobile Spyware
Mobile Spy; Spyera
Phishing attacks
Mobile phones have more data to be stolen and are just as vulnerable as desktops
ARM Mbed OS
Mostly used on wearables and other low-powered devices
Rooting
Name given to the ability to have root access on an Android device
Mobile Attack Platforms (Tools)
Network Spoofer; DroidSheep; Nmap
Tools for IoT Step 2 Vulnerability Scanning
Nmap; Multi-ping; RIoT Vulnerability Scanner; Foren6 (traffic sniffer); beSTORM
Contiki
OS made for low-power devices; found mostly in street lighting and sound monitoring
Zephyr
Option for low-power devices and devices without many resources
Edge Computing handles data by:
Pushing it into the cloud
Tools for IoT Step 3 Launching Attacks
RFCrack; Attify Zigbee Framework; HackRF; Firmalyzer
Semi-Tethered
Reboot no longer retains patch; must use installed jailbreak software to re-jailbreak
Tethered
Reboot removes all Jailbreaking patches, phone may get in boot loop requiring USB to repair
Grid Computing
Reduces costs by maximizing existing resources; accomplished by having multiple machines work together to solve a specific problem
Pairing Mode - Nonpairable
Rejects all connection requests
Bluebugging
Remotely using a device's features
Application Layer (IoT)
Responsible for delivery of services and data to the user
Discovery Mode - Limited Discoverable
Restricts the action
SMS Phishing (Smishing)
Sending text messages with malicious links; people tend to trust these more because they happen less often
Bluejacking
Sending unsolicited messages
IoT Three basic components
Sensing Technology; IoT Gateways; The Cloud
Tools for IoT Step 1 Information Gathering
Shodan; Censys; Thingful; Google
IoT Technology Protocols
Short-Range Wireless; Medium-Range Wireless; Long-Range Wireless; Wired Communications
App Store Attacks
Since some App stores are not vetted, malicious apps can be placed there
Middleware Layer (IoT)
Sits between application and hardware; handles data and device management, data analysis and aggregation
BlueSniff and btCrawler
Sniffing programs with GUI
Analytics of Things (AoT)
The analysis of IoT data, which is the data being generated by IoT sensors and devices
Industrial IoT (IIoT)
The extension and use of the IoT in industrial sectors and applications. With a strong focus on machine-to-machine (M2M) communication, big data, and machine learning, the IIoT enables industries and enterprises to achieve better efficiency and reliability in their operations (encompasses industrial applications including robotics, medical devices, and software-defined production processes)
Bluesnarfing
Theft of data from a device
Mobile Attack Platforms
Tools that allow you to attack from your phone
Techniques for Jailbreaking
Untethered; Semi-Tethered; Tethered
Nucleus RTOS
Used in aerospace, medical and industrial applications
Apache Mynewt
Used in devices using Bluetooth Low Energy Protocol
Ubuntu Core
Used in robots and drones; known as "snappy"
Methods of Communicating - IoT - Back-End Data Sharing
Used to scale the device-to-cloud model so that multiple devices can interact with one or more application servers
Rolling Code Attacks
Used to steal cars; the ability to jam a key fob's communications, capture the code and then generate a subsequent code
Types of Jailbreaking
Userland exploit; iBoot exploit; BootROM exploit
Geofencing
Uses GPS and RFID technologies to create a virtual geographic boundary, like around your home property. A response is then triggered any time a mobile device enters or leaves the area
Sybil Attack
Uses multiple forged identities to create the illusion of traffic; happens when an insecure computer is hijacked to claim multiple identities
Zigbee and Z-Wave
Wireless mesh networking protocols popular in home automation
IoT Methods of Communicating (Technology)
Wires; Wireless; 4G LTE; Bluetooth; GPS; LoRa; Mesh Networking; RFID; WiFi; Zigbee; Z-Wave
MDM solutions
XenMobile, IBM MaaS360, AirWatch and MobiControl
BootROM exploit
Allows access to the file system, iBoot and custom boot logos; found in the device's first boot loader; cannot be patched
Tools for Jailbreaking
evasi0n7; GeekSn0w; Pangu; Redsn0w; Absinthe; Cydia
