CEH v10 IoT Hacking


Short-range communication : Bluetooth low energy

Also known as Bluetooth Smart, it is a wireless personal area network technology. It is designed to serve applications in sectors such as healthcare, security, entertainment, fitness, etc.

IoT OS: Ubuntu Core

Also known as Snappy, it is used in robots, drones, edge gateways, etc.

IoT Framework Security Considerations : Mobile

An ideal framework for this interface should include a proper user authentication mechanism, an account lockout mechanism after a certain number of failed attempts, local storage security, encrypted communication channels and protection of the data transmitted over the channel.

IoT Framework Security Considerations : Gateway

An ideal framework for this component should incorporate strong encryption techniques for secure communication between endpoints.

Steps Pen Testing IoT devices

1. Discover IoT devices
2. Hardware analysis
3. Firmware and OS analysis
4. Wireless protocol analysis
5. Mobile application testing
6. Web application testing
7. Cloud services testing
8. Document all the findings

OWASP Top 10 IoT Vulnerabilities

1. Insecure web interface
2. Insufficient authentication/authorization
3. Insecure network services
4. Lack of transport encryption/integrity verification
5. Privacy concerns
6. Insecure cloud interface
7. Insecure mobile interface
8. Insufficient security configurability
9. Insecure software/firmware
10. Poor physical security

Shodan

A search engine that provides information about internet-connected devices such as routers, traffic lights, CCTV cameras, servers, smart home devices, industrial devices, etc. Attackers can use this tool to gather information such as the IP address, hostname, ISP, device location and the banner of the target IoT device.

IoT Framework Security Considerations : Cloud Platform

A secure framework for this component should include encrypted communications, strong authentication credentials, a secure web interface, encrypted storage, automatic updates and so on.

Short-range communication : Wi-Fi

A technology that is widely used for wireless local area networking (LAN). Presently, the most common standard used in homes and companies is 802.11n, which offers a maximum speed of 600 Mbps and a range of approximately 50 meters.

Multiping

A tool used to find the IP address of any IoT device in the target network. After obtaining the IP address of an IoT device, the attacker can perform further scanning to identify vulnerabilities present in that device.

Exploit Kits

Attackers use malicious scripts to exploit poorly patched vulnerabilities in an IoT device.

Side Channel Attack

Attackers extract information about encryption keys by observing the signals a device emits.

Replay attack

Attackers intercept legitimate messages from a valid communication and repeatedly send the intercepted message to the target device, either to perform a denial-of-service attack or to delay it in order to manipulate the message or crash the target device.

Forged Malicious Devices

Attackers replace authentic IoT devices with malicious devices if they have physical access to the network.

RFcrack

Attackers use this tool to obtain the rolling code sent by the victim to unlock a vehicle and later use the same code for unlocking and stealing the vehicle.

HackRF One

Attackers use this tool to perform attacks such as BlueBorne or AirBorne attacks, including replay, fuzzing, jamming, etc.

Sybil Attack

Attackers use multiple forged identities to create a strong illusion of traffic congestion, affecting communication between neighboring nodes and networks.

Information Gathering tools

Censys - a public search engine and data processing facility backed by data collected from ongoing Internet-wide scans. Censys supports full-text searches on protocol banners and queries on a wide range of derived fields.

Thingful - a search engine for the Internet of Things used to find and use open IoT data from around the world. It helps organizations make better decisions with external IoT data.

Exploit HVAC

Many organizations use internet-connected heating, ventilation, and air conditioning (HVAC) systems without implementing security mechanisms, giving attackers a gateway into corporate systems. HVAC systems have many security vulnerabilities that attackers exploit to steal login credentials, gain access to the HVAC system and perform further attacks on the organization's network. Shodan is used to find targets for this attack.

More Vulnerability solution

Lack of Transport Encryption / Integrity Verification
o Encrypt communication between endpoints
o Maintain SSL/TLS implementations
o Do not use proprietary encryption solutions

Privacy Concerns
o Minimize data collection
o Anonymize collected data
o Provide end users the ability to decide what data is collected

Poor Physical Security
o Minimize external ports such as USB ports
o Protect the operating system
o Include the ability to limit administrative capabilities

IoT Framework Security Considerations

Edge - The main physical device in the IoT ecosystem that interacts with its surroundings and contains various components like sensors, actuators, operating systems, hardware and network and communication capabilities.

Gateway - This acts as the first step for an edge into the world of the Internet, as it connects the smart devices to the cloud components.

Cloud Platform - This is referred to as the main central aggregation and data management point. Access to the cloud is restricted.

Mobile - This plays an important part particularly where the data needs to be collected and managed. Using mobile interfaces, users can access and interact with the edge in their home or workplace from miles away.

IoT Framework Security Considerations : Edge

Framework considerations for this component would be proper communication and storage encryption, no default credentials, strong passwords, use of the latest up-to-date components and so on.

Medium-range Wireless Communication

o Ha-low
o LTE Advanced

DigiCert

Home and Consumer IoT Security Solutions protect private data and home networks while preventing unauthorized access using PKI-based security solutions for consumer IoT devices.

Short-range communication : Wi-Fi Direct

It is used for peer-to-peer communication without the need for a wireless access point. The devices start communicating only after deciding which device will act as the access point.

IoT OS : RealSense OS X

It is used in Intel's depth-sensing technology and is therefore implemented in cameras, sensors, etc.

IoT models : Device-to-Gateway

In this communication model, an IoT device communicates with an intermediate device called a gateway, which in turn communicates with the cloud service. The gateway could be a smartphone or a hub acting as the intermediate point; it also provides security features and data or protocol translation. The protocols generally used in this mode of communication are ZigBee and Z-Wave.

IoT models : Device-to-Cloud

In this type of communication, devices communicate with the cloud directly, rather than with the client, in order to send or receive data or commands. It uses communication protocols such as Wi-Fi or Ethernet and sometimes cellular as well.

IoT models: Device-to-Device

In this type of communication, connected devices interact with each other through the internet, but mostly they use protocols like ZigBee, Z-Wave or Bluetooth. This model is most commonly used in smart home devices like thermostats, light bulbs, door locks, CCTV cameras, fridges, etc., where the devices transfer small data packets to each other at a low data rate. It is also popular for communication between wearable devices. For example, an ECG/EKG device attached to a patient's body is paired with his/her smartphone and sends him/her notifications in an emergency.

LPWAN : Neul

It uses a tiny part of the TV white space spectrum to deliver a high-quality, high-power, high-coverage and low-cost network.

IoT OS : Zephyr

It is used in low power and resource constrained devices.

IoT OS : Contiki

It is used in low-power wireless devices such as street lighting, sound monitoring systems, etc.

IoT Hacking Methodology

Information gathering
o Tools - Shodan, Multiping

Vulnerability scanning
o Tools - Vulnerability scanning: Nmap, RIoT; Sniffing: Foren6

Launch attacks
o Tools - Rolling code (uses RFCrack); Hacking ZigBee (uses Attify); BlueBorne (uses HackRF One)

Gain access
o Tools - Remote access: Telnet

Maintain access
o Exploit firmware

Even More Vulnerability solution

Insecure Mobile Interface
o Use strong and complex passwords
o Enable an account lockout mechanism
o Enable two-factor authentication

Insufficient Security Configurability
o Enable a security logging mechanism
o Allow the selection of encryption options
o Notify end users regarding security alerts

Insecure Software / Firmware
o Secure update servers
o Verify updates before installation
o Sign updates

Insecure Cloud Interface
o Conduct an assessment of all the cloud interfaces
o Use strong and complex passwords
o Enable two-factor authentication

Vulnerability solution

Insecure Web Interface
o Enable default credentials to be changed
o Enable an account lockout mechanism
o Conduct periodic assessments of web applications

Insufficient Authentication / Authorization
o Implement secure password recovery mechanisms
o Use strong and complex passwords
o Enable two-factor authentication

Insecure Network Services
o Close open network ports
o Disable UPnP
o Review network services for vulnerabilities

IoT OS : Apache Mynewt

It supports devices that work on the Bluetooth Low Energy protocol.

IoT OS : RIOT OS

It has low resource requirements and uses energy efficiently. It can run on embedded systems, actuator boards, sensors, etc.

IoT OS : Brillo

It is an Android-based embedded OS, used in low-end devices such as thermostats.

Short-range communication : ZigBee

It is another short-range communication protocol, based on the IEEE 802.15.4 standard. It is intended for devices that transfer data infrequently at a low data rate in a restricted area, within a range of 10-100 meters.

medium-range communication : Ha-low

It is another variant of the Wi-Fi standard that provides extended range, making it useful for communications in rural areas. It offers low data rates, thus reducing the power and cost of transmission.

IoT OS : ARM mbed OS

It is mostly used for low-powered devices such as wearables.

Long-range communication : Low Power Wide Area Networking

LPWAN is a type of wireless telecommunication network designed to provide long-range communication between two endpoints.

Technologies and protocols
o LoRaWAN
o Sigfox
o Neul

wired communication : Multimedia over Coax Alliance

MoCA is a type of network protocol that delivers high-definition video and related home content over the existing coaxial cable.

IoT Architecture : Middleware Layer

This is one of the most critical layers and operates in two-way mode. As the name suggests, this layer sits between the application layer and the hardware layer, thus behaving as an interface between the two. It is responsible for important functions such as data management and device management, and for issues like data analysis, data aggregation, data filtering, device information discovery and access control.

Short-range communication : Near-field Communication

NFC is a type of short-range communication that uses magnetic field induction to enable communication between two electronic devices. It is mainly used in contactless mobile payment, social networking and the identification of documents or products.

BlueBorne Attack

Performed on Bluetooth connections to gain access and take full control of the target device. It is a collection of various techniques based on known vulnerabilities of the Bluetooth protocol. It is compatible with all software versions and does not require any user interaction, precondition or configuration, except that Bluetooth must be active. After gaining access to one device, an attacker can penetrate any corporate network using that device to steal critical information about the organization and spread malware to nearby devices.

IoT OS : Integrity RTOS

Primarily used in the aerospace or defense, industrial, automotive and medical sectors.

IoT OS : Nucleus RTOS

Primarily used in aerospace, medical and industrial applications.

IoT Architecture : Internet Layer

This is a crucial layer, as it serves as the main component in carrying out communication between two endpoints, such as device-to-device, device-to-cloud, device-to-gateway and back-end data sharing.

wired communication : Ethernet

This is the most commonly used type of network protocol today. It is a type of LAN (Local Area Network), which refers to a wired connection of computers in a small building, office or campus.

LPWAN : Sigfox

This is used in devices that have a small battery and need to transfer only small amounts of data.

Short-range communication : Radio Frequency Identification

RFID stores data in tags that are read using electromagnetic fields. RFID is used in many sectors, such as industry, offices, companies, automobiles, pharmaceuticals, livestock and pets.

LPWAN : LoRaWAN

This is used to support applications such as mobile, industrial machine-to-machine and secure two-way communications for IoT devices, smart cities and healthcare applications.

Internet of Things (IoT)

Refers to the network of devices with an IP address that have the capability of sensing, collecting and sending data using embedded sensors, communication hardware and processors. Application + Network + Mobile + Cloud = ?

IoT Architecture : Edge Technology Layer

This layer consists of all the hardware parts like sensors, RFID tags, readers or other soft sensors, and the device itself. These entities are the primary data sensors deployed in the field for monitoring or sensing various phenomena. This layer plays an important part in data collection and in connecting devices within the network and with the server.

IoT Architecture : Access Gateway Layer

This layer helps to bridge the gap between two endpoints, such as a device and a client. The very first data handling also takes place in this layer. It carries out message routing, message identification and subscribing.

IoT Architecture : Application Layer

This layer, placed at the top of the stack, is responsible for the delivery of services to the respective users from different sectors like building, industrial, manufacturing, automobile, security, healthcare, etc.

Firmalyzer

This tool enables device vendors and security professionals to perform automated security assessments of the software that powers IoT devices (firmware) in order to identify configuration and application vulnerabilities.

RioT Vulnerability scanner

This tool identifies at-risk IoT devices, such as IP cameras, DVRs, printers, routers, etc. It gives you an attacker's view of all the IoT devices and their associated vulnerabilities. Using precise information such as server banner and header data, it pinpoints the make and model of a particular IoT device.

IoT models : Back-end Data-Sharing

This communication model extends the device-to-cloud model so that data from the IoT devices can be accessed by authorized third parties. Here devices upload their data to the cloud, where it is later accessed or analyzed by the third parties.

Components of IoT : Sensing Technology

Sensors embedded in the devices sense a wide variety of information from their surroundings, such as temperature, gases, location and the operation of industrial machines, as well as health data of a patient.

Attify

This consists of a set of tools used to perform ZigBee penetration testing.

Z-Wave sniffer

This is a hardware tool used to sniff traffic generated by smart devices connected in the network.

Short-range communication : Z-Wave

This is a low power, short-range communication designed primarily for home automation. It provides a simple and reliable way to wirelessly monitor and control household devices like HVAC, thermostat, garage, home cinema e

SeaCat.io

This is a security-first SaaS technology for operating IoT products in a reliable, scalable and secure manner. It provides protection to end users, businesses and data.

Components of IoT : Cloud Server/Data Storage:

The collected data, after travelling through the gateway, arrives at the cloud, where it is stored and undergoes data analysis. The processed data is then transmitted to the user, who takes action based on the information received.

Components of IoT : Remote Control using Mobile App

The end user uses remote controls such as mobile phones, tablets, laptops, etc. with a mobile app installed to monitor, control, retrieve data from, and take specific actions on IoT devices from a remote location.

beSTORM

This is a smart fuzzer that finds buffer overflow vulnerabilities by automating and documenting the process of delivering corrupted input and watching for unexpected responses from the application.

medium-range communication: LTE advanced

This is a standard for mobile communication that enhances LTE, focusing on higher capacity in terms of data rate, extended range, efficiency and performance.

Long-range communication : Cellular

This is a type of communication protocol used for communication over longer distances. It is used to send high-quality data, but at the cost of being expensive and consuming a lot of power.

wired communication : Power-line Communication

This is a type of protocol in which electrical wires are used to transmit power and data from one endpoint to another. PLC is used in areas such as home automation, industrial devices and broadband over power lines (BPL).

Short-range communication : Thread

This is an IPv6-based networking protocol for IoT devices. Its main aim is home automation, so that devices can communicate with each other over local wireless networks.

Short-range communication : Light-Fidelity (Li-Fi):

This is like Wi-Fi with only two differences: the mode of communication and the speed. It is a Visible Light Communications (VLC) system that uses common household light bulbs for data transfer at a very high speed of 224 Gbps.

Components of IoT : IoT Gateways

These are used to bridge the gap between the IoT device (internal network) and the end user (external network), allowing them to connect and communicate with each other. The sensors in IoT devices send the collected data to the concerned user or cloud through the gateway.

Short-range communication : QR Codes and Barcodes

These codes are machine-readable tags that contain information about the product or item to which they are attached. A Quick Response (QR) code is a two-dimensional code that stores product information and can be scanned using smartphones, whereas barcodes come in both one-dimensional (1D) and two-dimensional (2D) forms.

Jamming Attack

A type of attack in which the communication between wireless IoT devices is jammed in order to compromise it. An attacker transmits random radio signals on the same frequency that the sensor nodes use to communicate. As a result, the network gets jammed, making the endpoints unable to send or receive any message.

Rolling Code Attack

Smart locking systems use an RF signal transmitted in the form of a code from a modern key fob that locks or unlocks the vehicle. This code, which locks or unlocks a car or a garage, is also known as a hopping code. An attacker uses a jammer to thwart the transmission of the code from the key fob to the receiver in the vehicle. After obtaining the code, the attacker can use it to unlock and steal the vehicle.

Long-range communication : Very Small Aperture Terminal

VSAT is a communication protocol used for data transfer using small dish antennas, for both broadband and narrowband data.

Attack Area : Device physical interfaces

Vulnerabilities present in this component are Firmware Extraction, User CLI (command-line interface), Admin CLI, Privilege Escalation, Reset to Insecure State and Removal of Storage Media.

Attack Area : Device Firmware

Vulnerabilities present in this component are Hardcoded Credentials, Sensitive Information/URL Disclosure, Encryption Keys and Firmware Version Display and/or Last Update Date.

Attack Area : Ecosystem Communication

Vulnerabilities present in this component are Health Checks, Heartbeats, Ecosystem Commands, De-provisioning and Pushing Updates.

Attack Area : Ecosystem access control

Vulnerabilities present in this component are Implicit Trust between Components, Enrollment Security, Decommissioning System and Lost Access Procedures.

Attack Area : Mobile Application

Vulnerabilities present in this component are Implicitly Trusted by Device or Cloud, Username Enumeration, Account Lockout, Known Default Credentials or Weak Passwords and Insecure Data Storage.

Attack Area : Device Network Service

Vulnerabilities present in this component are Information Disclosure, Firmware, Denial-of-Service, UPnP, Vulnerable UDP Services, User and Admin CLI, Injection, Unencrypted Services and Poorly Implemented Encryption.

Attack Area : Vendor Backend APIs

Vulnerabilities present in this component are Inherent Trust of Cloud or Mobile Application, Weak Authentication and Weak Access Controls.

Attack Area : Network Traffic

Vulnerabilities present in this component are LAN, LAN to Internet, Short Range and Non-standard.
o LAN - Before deploying a LAN, make sure the location is secure, and at the software level a firewall should be deployed to keep hackers away from the network.
o LAN to Internet - The very first thing to consider while deploying a LAN is the location. Ensure that it is secure and that proper security policies and practices are followed to enhance the network's security, making it difficult for an attacker to breach it.
o Short Range - To make short-range communication secure, a good security design should be implemented that hardens the device's security.
o Non-standard - Every piece of network traffic passing through should be standardized and checked before leaving or entering the network.

Attack Area : Administrative Interface

Vulnerabilities present in this component are SQL Injection, Cross-site Scripting, Cross-site Request Forgery, Username Enumeration, Known Default Credentials, Weak Passwords, Account Lockout, Security/Encryption and Logging Options, Two-factor Authentication and Inability to Wipe Device.

Attack Area : Device web interface

Vulnerabilities present in this component are SQL Injection, Cross-site Scripting, Cross-site Request Forgery, Username Enumeration, Weak Passwords, Account Lockout and Known Default Credentials.

Attack Area : Cloud Web Interface

Vulnerabilities present in this component are Transport Encryption, SQL Injection, Cross-site Scripting, Cross-site Request Forgery, Username Enumeration, Known Default Credentials, Weak Passwords, Account Lockout, Insecure Password Recovery Mechanism and Two-factor Authentication.

Attack Area : Local Data Storage

Vulnerabilities present in this component are Unencrypted Data, Data Encrypted with Discovered Keys and Lack of Data Integrity Checks.

Attack Area : Third-party Backend APIs

Vulnerabilities present in this component are Unencrypted PII Sent, Device Information Leaked and Location Leaked.

Attack Area : Update Mechanism

Vulnerabilities present in this component are Update Sent without Encryption, Updates Not Signed, Update Verification, Malicious Update, Missing Update Mechanism and No Manual Update Mechanism.

Attack Area : Device memory

Vulnerabilities present in this component are Clear-text Credentials, Third-party Credentials and Encryption Keys.

IoT Architecture

o Application Layer
o Middleware Layer
o Internet Layer
o Access Gateway Layer
o Edge Technology Layer

Short-range Wireless Communication

o Bluetooth Low Energy
o Light-Fidelity (Li-Fi)
o Near Field Communication
o QR Codes and Barcodes
o Radio Frequency Identification
o Thread
o Wi-Fi
o Wi-Fi Direct
o Z-Wave
o ZigBee

IoT Pen Testing

o Close unused ports and unnecessary/unknown open ports
o Disable unnecessary services
o Provide protection against unauthorized access to and usage of the device
o Design a mechanism for uninterrupted flow of information between two endpoints
o Provide protection against elevation of privileges
o Enhance the device's data encryption policy
o Enhance the security of web applications and provide data privacy
o Harden the overall security of the device

IoT Threats

o DDoS attacks
o Attacks on HVAC systems
o Rolling code attack
o BlueBorne attack
o Jamming attack
o Remote access using backdoor
o Remote access using Telnet
o Sybil attack
o Exploit kits
o MITM
o Replay attack
o Forged malicious device
o Side channel attack
o Ransomware

IoT Attack Surface Areas

o Device memory
o Ecosystem access control
o Device physical interfaces
o Device web interface
o Device firmware
o Device network services
o Administrative interface
o Local data storage
o Cloud web interface
o Update mechanism
o Third-party backend APIs
o Mobile application
o Vendor backend APIs
o Ecosystem communication
o Network traffic

IoT Communication Models

o Device-to-Device Model
o Device-to-Cloud Model
o Device-to-Gateway Model
o Back-End Data-Sharing Model

How to Defend Against IoT Hacking

o Disable the "guest" and "demo" user accounts if enabled
o Use the "Lock Out" feature to lock out accounts after excessive invalid login attempts
o Implement a strong authentication mechanism
o Locate control system networks and devices behind firewalls, and isolate them from the business network
o Implement IPS and IDS in the network
o Use a VPN architecture for secure communication
o Deploy security as a unified, integrated system
o Allow only trusted IP addresses to access the device from the Internet
o Disable Telnet (port 23)
o Disable the UPnP port on routers

Wired Communication

o Ethernet
o Multimedia over Coax Alliance (MoCA)
o Power-line Communication (PLC)

IoT Hacking Tools

o Firmalyzer
o ChipWhisperer
o rfcat-rolljam
o KillerBee
o GATTack.io
o JTAGULATOR
o Firmware Analysis Toolkit

Challenges of IoT

o Lack of security and privacy
o Vulnerable web interfaces
o Legal, regulatory and rights issues
o Default, weak, and hardcoded credentials
o Clear-text protocols and unnecessary open ports
o Coding errors
o Storage issues
o Difficulty updating firmware and OS
o Interoperability standard issues
o Physical theft and tampering
o Lack of vendor support for fixing vulnerabilities
o Emerging economy and development issues

Long-range Wireless communication

o Low-power Wide-area Networking (LPWAN)
o Very Small Aperture Terminal (VSAT)
o Cellular

IoT Operating Systems

o RIOT OS
o ARM mbed OS
o RealSense OS X
o Nucleus RTOS
o Brillo
o Contiki
o Zephyr
o Ubuntu Core
o Integrity RTOS
o Apache Mynewt

General Guidelines for IoT Device Manufacturing Companies

o SSL/TLS should be used for communication
o There should be a mutual check of SSL certificates and the certificate revocation list
o The use of strong passwords should be encouraged
o The device's update process should be simple and secured with a chain of trust
o Implement account lockout mechanisms after a certain number of wrong login attempts to prevent brute-force attacks
o Lock the devices down whenever and wherever possible to protect them from attacks
o Periodically check the device for unused tools, and use whitelisting to allow only trusted tools or applications to run
o Use a secure boot chain to verify all software that is executed on the device

IoT Security Tools

o SeaCat.io
o DigiCert
o Pulse: IoT Security Platform
o Symantec IoT Security
o Darktrace
o Cisco IoT Threat Defense
o Cisco Umbrella
o Google Cloud IoT
o net-Shield
o Noddos
o AWS IoT Device Defender
o Norton Core

Components of IoT

o Sensing technology
o IoT Gateways
o Cloud Server/Data Storage
o Remote Control using Mobile App

Sniffing Tools

o Z-Wave sniffer
o CloudShark
o Ubiqua Protocol Analyzer
o Perytons Protocol Analyzers
o Wireshark
o Tcpdump
o Open Sniffer
o APIMOTE IEEE 802.15.4/ZigBee sniffing hardware
o Ubertooth

Vulnerability Scanners

o beSTORM
o Rapid7 Metasploit Pro
o IoTsploit
o IoTSeeker
o Bitdefender Home Scanner
o IoTInspecto
