Chapter 8 - Mobile Communications and the IoT


I4 - Lack of Transport Encryption/Integrity Verification (OWASP IoT)

Lack of transport encryption allows data to be viewed as it travels over local networks or the Internet. Lack of transport encryption is prevalent on local networks, as it is easy to assume that local network traffic will not be widely visible; however, in the case of a local wireless network, misconfiguration of that wireless network can make traffic visible to anyone within its range.

Mobile Device Management (MDM)

Mobile Device Management (MDM) is an effort to add some control to enterprise mobile devices. Much like Group Policy and such in the Microsoft Windows world, MDM helps in pushing security policies, application deployment, and monitoring of mobile devices. Most MDM solutions offer the same basic features: passcodes for device unlocking, remote locking, remote wipe, root or jailbreak detection, policy enforcement, inventory, and monitoring/reporting. Some solutions are XenMobile, IBM MaaS360, AirWatch, and MobiControl.

Notable Android Trojans

Notable Android Trojans include Obad, Fakedefender, TRAMP.A, and ZitMo. Spyware is really scary, and tools like Mobile Spy and Spyera make it really easy to listen in on or even watch what the target is doing. And if that's not enough, the tools we use to manage our own devices can be used against us. Ever heard of Google Voice? How about Remote Wipe from Google? One loose password and mobile device hacking becomes a nightmare. How about tracking where I'm at all the time? Tools like AndroidLost, Find My Phone, and Where's My Droid were designed to help me find my lost phone, but they (and many, many others) can be used to track where I happen to be at. Wouldn't it be helpful to know where folks are at during a social engineering visit to the site?

IoT gateway

Once a thing has sensed and collected data, it forwards that data to the next component, the IoT gateway. The gateway is designed to send collected data from devices to the user, or on to the third component, data storage or the cloud, for use later.

I10 - Poor Physical Security (OWASP IoT)

Physical security weaknesses are present when an attacker can disassemble a device to easily access the storage medium and any data stored on it. Weaknesses are also present when USB ports or other external ports can be used to access the device using features intended for configuration or maintenance.

I5 - Privacy Concerns (OWASP IoT)

Privacy concerns arise when a device collects personal data and then fails to protect that data properly, and they are prevalent. Privacy concerns are easy to discover by simply reviewing the data that is being collected as the user sets up and activates the device.

jailbreaking

Same thing as rooting on Android, but for iOS. As far as jailbreaking an iOS device (which, just like rooting, invalidates every warranty you can think of), some tools include evasi0n7, GeekSn0w, Pangu, Redsn0w, Absinthe, and Cydia. There are three basic techniques and three different types, regardless of which tool you want to try. The techniques are untethered, semi-tethered, and tethered, and the three types of jailbreaking are Userland, iBoot, and BootROM.

OWASP Mobile Top 10

The Open Web Application Security Project (OWASP) has an arm dedicated specifically to mobile security. Its Mobile Top 10 (2016 list, M1 through M10) is the version described in the entries below.

data storage or cloud

The cloud stores and analyzes data, providing information back for future queries. A fitness watch, for example, may provide you, the user, immediate feedback and information on your workout while simultaneously storing details for your comparison and review later.

rolling code attack

The code your key fob sends to unlock (and in some cases start) your car is called a rolling (or hopping) code: every press sends a new value, so a code that is sniffed once and replayed later is rejected. The attack works around this with a jammer and a receiver. The attacker jams the car's receiver while the victim presses the fob and records the code the car never heard; the victim presses again, the attacker records that second code too and immediately replays the first one, so the car unlocks and nothing looks wrong. The attacker now holds a valid, never-used code and can unlock (and potentially steal) the car later. One of the better ways to pull this off is with wideband software-defined radio hardware, like the HackRF One (https://greatscottgadgets.com).
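The sequence above, as an added example that is not part of the original notes. The fob and receiver are modelled in simplified form: a 32-bit counter authenticated with an HMAC under a key shared by fob and car (the key is a constructed constant), and a receiver that only accepts counters ahead of the last one it saw, within a small window. Real fobs use KeeLoq-style ciphers and radio framing, but the replay logic the attack exploits is the same.

```python
"""Rolling-code receiver and the jam-capture-replay attack (added example)."""
import hashlib
import hmac

KEY = b"example-shared-fob-key"  # constructed for this example
WINDOW = 16                      # how many "missed" presses the car tolerates


def fob_press(counter: int) -> bytes:
    """One button press: counter || truncated MAC(counter)."""
    ctr = counter.to_bytes(4, "big")
    return ctr + hmac.new(KEY, ctr, hashlib.sha256).digest()[:8]


class Receiver:
    """Car side. Never accepts a counter it has already seen, or an older one."""

    def __init__(self) -> None:
        self.last = 0

    def accept(self, frame: bytes) -> bool:
        ctr_bytes, tag = frame[:4], frame[4:]
        expected = hmac.new(KEY, ctr_bytes, hashlib.sha256).digest()[:8]
        if not hmac.compare_digest(tag, expected):
            return False
        ctr = int.from_bytes(ctr_bytes, "big")
        if ctr <= self.last or ctr > self.last + WINDOW:
            return False  # replayed/old code, or too far ahead to resynchronise
        self.last = ctr
        return True


def rolljam(car: Receiver, fob_counter: int) -> tuple:
    """Victim presses the fob twice while the attacker jams the car's receiver.

    Press 1 is recorded by the attacker; the car never hears it.
    Press 2 is recorded too, and the attacker immediately replays press 1,
    so the car opens and the victim notices nothing. The attacker now holds
    the press-2 code, which the car has never seen.
    """
    first = fob_press(fob_counter)       # jammed + captured
    second = fob_press(fob_counter + 1)  # jammed + captured
    opened = car.accept(first)           # attacker replays press 1
    return opened, second                # press 2 is the stolen, still-valid code


def demo() -> dict:
    """Runs a plain replay and then the jam-and-replay attack; returns the outcomes."""
    car = Receiver()
    used = fob_press(1)
    assert car.accept(used)                 # a normal press
    plain_replay = car.accept(used)         # the same code replayed: rejected
    opened, stolen = rolljam(car, 2)        # victim's next two presses
    later = car.accept(stolen)              # attacker returns and uses press 2
    return {
        "plain_replay_rejected": not plain_replay,
        "victim_unlocked": opened,
        "stolen_code_works_later": later,
    }


if __name__ == "__main__":
    print(demo())
```

The acceptance window is what makes the stolen code usable later: the car tolerates a few counters it never saw so that presses out of range do not desynchronise the fob, and that tolerance is exactly what the attacker consumes. Systems that add a challenge-response exchange between car and fob, rather than a one-way code, are not open to this replay.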

Untethered jailbreaking

The kernel will remain patched (that is, jailbroken) after reboot, with or without a system connection.

I9 - Insecure Software/Firmware (OWASP IoT)

The lack of ability for a device to be updated presents a security weakness on its own. Devices should have the ability to be updated when vulnerabilities are discovered, and software/firmware updates can be insecure when the updated files themselves and the network connection they are delivered on are not protected. Software/firmware can also be insecure if it contains hardcoded sensitive data such as credentials.
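An added example of what "protected update files" means on the device side; it is not code from the original notes. The image layout (magic, version, payload length, SHA-256 of the payload, then the payload and a 32-byte authenticity tag) is invented here. The tag is an HMAC under a key assumed to be provisioned on the device; a real device should verify an asymmetric signature against a public key held in ROM instead, because a symmetric key pulled from one unit's flash (see I10) would let an attacker sign images for every unit.

```python
"""Device-side verification of a firmware update image (added example, OWASP IoT I9)."""
import hashlib
import hmac
import struct

MAGIC = b"FWIM"
HEADER = struct.Struct(">4sII32s")           # magic, version, payload length, sha256(payload)
TAG_LEN = 32
DEVICE_KEY = b"per-device-provisioned-key"   # assumption: provisioned at manufacture
INSTALLED_VERSION = 7                         # assumption: the build the device currently runs


def build_image(version: int, payload: bytes, key: bytes = DEVICE_KEY) -> bytes:
    """Vendor side: header + payload, then a tag computed over both."""
    header = HEADER.pack(MAGIC, version, len(payload), hashlib.sha256(payload).digest())
    tag = hmac.new(key, header + payload, hashlib.sha256).digest()
    return header + payload + tag


def verify_image(image: bytes, installed: int = INSTALLED_VERSION,
                 key: bytes = DEVICE_KEY) -> tuple:
    """Device side. Authenticates the whole image before trusting any field in it."""
    if len(image) < HEADER.size + TAG_LEN:
        return False, "truncated"
    body, tag = image[:-TAG_LEN], image[-TAG_LEN:]
    if not hmac.compare_digest(hmac.new(key, body, hashlib.sha256).digest(), tag):
        return False, "bad signature"            # wrong key, or any byte changed in transit
    magic, version, length, digest = HEADER.unpack_from(body)
    payload = body[HEADER.size:]
    if magic != MAGIC:
        return False, "bad magic"
    if len(payload) != length or hashlib.sha256(payload).digest() != digest:
        return False, "payload/header mismatch"
    if version <= installed:
        return False, "rollback"                 # anti-rollback: never downgrade to a vulnerable build
    return True, "ok"


def demo() -> dict:
    """Constructed images: a good one, a downgrade, a bit-flipped one, and one signed with the wrong key."""
    good = build_image(8, b"\x00" * 64)
    tampered = bytearray(good)
    tampered[HEADER.size] ^= 0x01               # flip one payload bit after signing
    return {
        "good": verify_image(good),
        "downgrade": verify_image(build_image(5, b"\x00" * 64)),
        "tampered": verify_image(bytes(tampered)),
        "wrong_key": verify_image(build_image(9, b"\x00" * 64, key=b"attacker")),
    }
```

Delivering the image over TLS (see I4) protects it in transit, but only the signature check protects against a compromised update server or mirror, and only the version check stops an attacker from re-flashing an old, signed, vulnerable build.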

Bluetooth attacks

The major Bluetooth attacks are listed here:
• Bluesmacking: a simple denial-of-service attack against the device (an oversized L2CAP ping).
• Bluejacking: sending unsolicited messages to mobile devices.
• Bluesniffing: an effort to discover Bluetooth-enabled devices, much like war driving in wireless hacking.
• Bluebugging: successfully accessing a Bluetooth-enabled device and remotely using its features.
• Bluesnarfing: the actual theft of data from a mobile device due to an open connection, such as remaining in discovery mode.
• Blueprinting: think of this as footprinting for Bluetooth; Blueprinting involves collecting device information over Bluetooth.

M6 - Insecure Authorization

This category captures any failures in authorization (authorization decisions made on the client side, forced browsing, and so on). It is distinct from authentication issues (device enrolment, user identification, and so on). Remember, authentication proves who you are, whereas authorization proves you have a right to access a particular resource. For example, if the app grants anonymous access to some resource or service when the user should have first been authenticated, that is an authentication failure, not an authorization failure. If the app does authenticate users but puts no authorization protections on memory areas or other resources, that would fall under M6.

M4 - Insecure Authentication

This category captures notions of authenticating the end user or bad session management. Examples include failing to identify the user at all when it should be required, failure to maintain the user's identity when it is required, and weaknesses in session management.
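An added example covering both M4 and M6 in one small in-memory API; it is not code from the original notes, and the record store, users and request format are constructed here. Sessions are random tokens with an expiry (M4). The vulnerable handler makes its authorization decision on a user id the client sends; the hardened one derives identity from the session and checks ownership itself (M6).

```python
"""Session handling (M4) and server-side authorization (M6), added example."""
import secrets
import time
from typing import Optional

SESSION_TTL = 900                      # seconds
SESSIONS: dict = {}                    # token -> (user, expires_at)
RECORDS = {                            # constructed sample data
    "r1": {"owner": "alice", "data": "alice's glucose readings"},
    "r2": {"owner": "bob", "data": "bob's glucose readings"},
}


def _now(now: Optional[float]) -> float:
    return time.time() if now is None else now


def login(user: str, now: Optional[float] = None) -> str:
    """Returns an unguessable session token (no sequential or user-derived ids)."""
    token = secrets.token_urlsafe(32)
    SESSIONS[token] = (user, _now(now) + SESSION_TTL)
    return token


def current_user(token: Optional[str], now: Optional[float] = None) -> Optional[str]:
    """Resolves a token to a user, or None if missing, unknown or expired."""
    entry = SESSIONS.get(token or "")
    if entry is None:
        return None
    user, expires_at = entry
    if _now(now) > expires_at:
        SESSIONS.pop(token, None)      # expired sessions must die server-side
        return None
    return user


def get_record_vulnerable(request: dict) -> tuple:
    """M6: the authorization decision rests on data the client controls."""
    rec = RECORDS.get(request["record_id"])
    if rec and rec["owner"] == request["user_id"]:   # the client says who it is
        return 200, rec["data"]
    return 403, None


def get_record_hardened(request: dict, now: Optional[float] = None) -> tuple:
    """Identity comes from the session; ownership is checked against that identity."""
    user = current_user(request.get("token"), now)
    if user is None:
        return 401, None               # skipping this check is the M4 failure
    rec = RECORDS.get(request["record_id"])
    if rec is None or rec["owner"] != user:
        return 404, None               # same answer for missing and forbidden: no enumeration
    return 200, rec["data"]


def demo() -> dict:
    """bob logs in, then claims to be alice and asks for alice's record."""
    bob = login("bob", now=1000.0)
    attack = {"token": bob, "user_id": "alice", "record_id": "r1"}
    return {
        "vulnerable": get_record_vulnerable(attack)[0],
        "hardened": get_record_hardened(attack, now=1001.0)[0],
        "own_record": get_record_hardened({"token": bob, "record_id": "r2"}, now=1001.0)[0],
        "expired": get_record_hardened({"token": bob, "record_id": "r2"}, now=5000.0)[0],
    }
```

The vulnerable handler never even consults the token, so any client can read any record by changing one field in the request; in a mobile app that field is typically set from a value stored on the device, which is why "the app checked it" is not a defence.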

M2 - Insecure Data Storage

This category combines a couple entries from the previous list (2014) and covers insecure data storage and unintended data leakage. Threat agents include an adversary who has attained a lost/stolen mobile device as well as malware (or another repackaged app) acting on the adversary's behalf that executes on the mobile device.

M8 - Code Tampering

This category covers binary patching, local resource modification, method hooking, method swizzling, and dynamic memory modification. Once the application is delivered to the mobile device, the code and data resources are resident there. An attacker can either directly modify the code, change the contents of memory dynamically, change or replace the system APIs that the application uses, or modify the application's data and resources.

M1 - Improper Platform Usage

This category covers misuse of a platform feature or failure to use platform security controls. It might include Android intents, platform permissions, misuse of TouchID, the Keychain, or some other security control that is part of the mobile operating system. There are several ways that mobile apps can experience this risk.

M9 - Reverse Engineering

This category includes analysis of the final core binary to determine its source code, libraries, algorithms, and other assets. Software such as IDA Pro, Hopper, otool, and other binary inspection tools give the attacker insight into the inner workings of the application. This may be used to exploit other vulnerabilities in the application, as well as revealing information about back-end servers, cryptographic constants and ciphers, and intellectual property.

M5 - Insufficient Cryptography

This category refers to instances where code applies cryptography to a sensitive information asset; however, the cryptography is insufficient in some way. Note that anything and everything related to TLS or SSL goes in M3. Also, if the app fails to use cryptography at all when it should, that probably belongs in M2. This category is for issues where cryptography was attempted, but it wasn't done correctly.
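An added example of the M5 distinction in code; it is not from the original notes. M5 also covers hardcoded keys, ECB mode and home-grown ciphers, but the case shown here is the most common one in mobile apps: password material "protected" with a fast unsalted hash next to a proper password-hashing construction. Standard library only; the iteration count follows the OWASP Password Storage Cheat Sheet recommendation for PBKDF2-HMAC-SHA256.

```python
"""Password storage: insufficient vs adequate cryptography (added example, M5)."""
import hashlib
import hmac
import os

# --- insufficient: unsalted, fast, compared with == ---------------------------
def store_weak(password: str) -> str:
    return hashlib.md5(password.encode()).hexdigest()


def verify_weak(password: str, stored: str) -> bool:
    return store_weak(password) == stored     # fast hash, and string compare leaks timing


# --- adequate: per-user salt, slow KDF, constant-time compare -----------------
ITERATIONS = 600_000


def store_strong(password: str, salt: bytes = b"") -> str:
    salt = salt or os.urandom(16)             # fresh random salt per stored password
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${dk.hex()}"


def verify_strong(password: str, stored: str) -> bool:
    try:
        algo, iters, salt_hex, dk_hex = stored.split("$")
    except ValueError:
        return False
    if algo != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk, bytes.fromhex(dk_hex))


def shared_password_detectable(store) -> bool:
    """Does a dump reveal that two users chose the same password? True for the weak scheme."""
    return store("Winter2024!") == store("Winter2024!")
```

The weak scheme is "cryptography applied" in the M5 sense: a hash is computed, but an attacker with the stored values cracks them at billions of guesses per second and sees at a glance which users share a password. The salt and the iteration count are what the strong scheme adds; the constant-time compare closes the timing side channel in the verification step.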

M3 - Insecure Communication

This covers poor handshaking, incorrect SSL versions, weak negotiation, clear-text communication of sensitive assets, and other insecure communication channels or methods. For example, poor SSL setup can also facilitate phishing and MITM attacks.
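An added example showing the client-side settings behind "poor SSL setup", next to a hardened configuration; it is not code from the original notes. The same failure is I4 in the IoT list when the client is a device rather than an app. It only builds and inspects ssl.SSLContext objects, so it runs offline; the three checks in audit() are what a reviewer looks for first in a mobile or device HTTP client.

```python
"""Client TLS configuration, weak vs hardened (added example, OWASP Mobile M3 / IoT I4)."""
import ssl
from typing import Optional


def insecure_context() -> ssl.SSLContext:
    """Commonly seen after a developer hits a certificate error in testing."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False                # must be cleared before verify_mode can be CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE           # any certificate, including an interceptor's, is accepted
    ctx.minimum_version = ssl.TLSVersion.MINIMUM_SUPPORTED   # legacy protocol versions negotiable
    return ctx


def hardened_context(cafile: Optional[str] = None) -> ssl.SSLContext:
    """Verifies the chain and the hostname and refuses anything below TLS 1.2."""
    ctx = ssl.create_default_context(cafile=cafile)   # CERT_REQUIRED + check_hostname=True
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def audit(ctx: ssl.SSLContext) -> list:
    """Returns the findings a reviewer would write up for this context."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("server certificate not verified (MITM possible)")
    if not ctx.check_hostname:
        findings.append("hostname not checked (any valid cert for any name accepted)")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("TLS below 1.2 allowed")
    return findings
```

With the first context, an attacker on the same Wi-Fi presents any certificate and reads or rewrites the traffic, which is how the phishing and MITM outcomes in the entry above come about. Pinning the server's certificate or key on top of the hardened context is the usual next step for a mobile app that talks to a single back end.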

M7 - Client Code Quality

This is a catchall for code-level implementation problems in the mobile client that are distinct from server-side coding mistakes. This encapsulates things like buffer overflows, format string vulnerabilities, and various other code-level mistakes where the solution is to rewrite some code that's running on the mobile device.

Internet Layer

This is a crucial layer, as it serves as the main component to allow all communication.

M10 - Extraneous Functionality

This is another catchall for something coders do all the time: build in a backdoor. These are never intended to be released into a production environment, but they usually pop up in the weirdest places. Examples include a developer accidentally including a password as a comment in a hybrid app or disabling two-factor authentication during testing and forgetting to turn it back on.

Edge Technology Layer (IoT architecture layers)

This layer consists of sensors, RFID tags, readers, and the devices themselves.

Application Layer

This layer is responsible for delivery of services and data to the user.

Middleware Layer

This layer sits between the application and hardware layers, and handles data and device management, data analysis, and aggregation.

IoT OS

Those things communicating with each other must have a couple of items intact in order to work. The first is some sort of operating system allowing all this data collection and analysis in the first place. EC-Council nicely provides a quick list for your amusement and perusal:
• RIOT OS: can run on embedded systems, actuator boards, and sensors; uses energy efficiently and has very small resource requirements.
• ARM mbed OS: mostly used on wearables and other low-powered devices.
• RealSense OS X: Intel's depth-sensing version; mostly found in cameras and other sensors.
• Nucleus RTOS: primarily used in aerospace, medical, and industrial applications.
• Brillo: an Android-based OS, generally found in thermostats.
• Contiki: another OS made for low-power devices; found mostly in street lighting and sound monitoring.
• Zephyr: another option for low-power devices and devices without many resources.
• Ubuntu Core: used in robots and drones; also known as "snappy."
• Integrity RTOS: primarily found in the aerospace, medical, defense, industrial, and automotive sectors.
• Apache Mynewt: used by devices running the Bluetooth Low Energy protocol.

back-end data sharing

Back-end data sharing is almost exactly like device to cloud; however, it adds the ability for third parties to collect and use the data.

Sybil attack

Multiple forged identities are used to create the illusion of traffic congestion that affects everyone else in the local IoT network (the usual example is a VANET, where one attacker's fake vehicles can make the road look full).

Pairing mode

pairing mode details how the device will react when another Bluetooth system asks to pair with it. There are basically only two versions: yes, I will pair with you, and no, I will not. Nonpairable rejects every connection request, whereas pairable accepts all of them.

Rooting

Performing some action that grants you administrative (root) access to the device so you can do whatever you want with it. Rooting, the name given to the process on an Android device, is such a common, ubiquitous action it's almost not thought of as technical anymore. And there are multiple tools to help you in your Android rooting efforts. One such groovy tool is KingoRoot (https://www.kingoapp.com), and it makes the whole process ridiculously easy with or without a laptop or PC handy. Others are TunesGo (https://tunesgo.wondershare.com), OneClickRoot (https://oneclickroot.com), and MTK Droid (https://androidmtk.com).

Internet of Things (IoT)

The IoT is a collection of devices using sensors, software, storage, and electronics to collect, analyze, store, and share data among themselves or with a user. How it all works comes down to three basic components: things using sensing technology, IoT gateways, and the cloud (or, put another way, data storage availability).

Vehicle Ad Hoc Network (VANET)

The Vehicle Ad Hoc Network (VANET) is the communications network used by our vehicles. It refers to the spontaneous creation of a wireless network for vehicle-to-vehicle (V2V) data exchange.

BlueBorne attack

BlueBorne is the name Armis gave in 2017 to a set of vulnerabilities in the Bluetooth stacks of Android, iOS, Windows, and Linux. Chained together, they let an attacker within radio range take over a device over Bluetooth without pairing with it and without the device being in discoverable mode. In exam terms, a BlueBorne attack is an amalgamation of techniques and attacks against known, already existing Bluetooth vulnerabilities.

Semi-tethered jailbreaking

A reboot no longer retains the patched kernel; however, the software has already been added to the device. Therefore, if admin privileges are required, the installed jailbreaking tool can be used.

Tethered jailbreaking

A reboot removes all jailbreaking patches, and the phone may get stuck in a perpetual loop on startup, requiring a system connection (USB) to repair.

things using sensing technology

A thing inside the IoT is defined as any device implanted somewhere with the ability (and purpose) of communicating on the network. Each embedded with some form of sensing technology, IoT devices can communicate and interact over the Internet, and oftentimes can be remotely monitored and controlled. In other words, sensors are embedded in the devices to measure and forward data (for example, a medical device sensing a patient's health statistics or the Nest thermostat implanted in your A/C system, providing information and feedback on its use).

BootROM exploit

Allows access to the file system, iBoot, and custom boot logos, and is found in the device's first bootloader, SecureROM. This kind of exploit can be untethered, but cannot be patched by Apple: it's hardware, not software.

Bluetooth tools

Although they're not covered in depth on your exam, you should know some of the more common Bluetooth tools available. Of course, your first action should be to find the Bluetooth devices. BlueScanner (from SourceForge) does a great job of finding devices around you, but it will also try to extract and display as much information as possible. BT Browser is another great, and well-known, tool for finding and enumerating nearby devices. Bluesniff and btCrawler are other options, providing nice GUI formats for your use. As far as attacks go, Blooover is a good choice for Bluebugging, and PhoneSnoop is good for spyware on a Blackberry. In a step up from that, you can start taking advantage of and hacking the devices nearby. Super Bluetooth Hack is an all-in-one software package that allows you to do almost anything you want to a device you're lucky enough to connect to. If the device is a smartphone, you could read all messages and contacts, change profiles, restart the device, and even make calls as if they're coming from the phone itself.

I6 - Insecure Cloud Interface (OWASP IoT)

An insecure cloud interface is present when easy-to-guess credentials are used or account enumeration is possible. Insecure cloud interfaces are easy to discover by simply reviewing the connection to the cloud interface and identifying if SSL is in use, or by using the password reset mechanism to identify valid accounts, which can lead to account enumeration.

I7 - Insecure Mobile Interface (OWASP IoT)

An insecure mobile interface is present when easy-to-guess credentials are used or account enumeration is possible. Insecure mobile interfaces are easy to discover by simply reviewing the connection to the wireless networks and identifying if SSL is in use, or by using the password reset mechanism to identify valid accounts, which can lead to account enumeration.

I1 - Insecure Web Interface (OWASP IoT)

An insecure web interface can be present when issues such as account enumeration, lack of account lockout, and weak credentials are present. Insecure web interfaces are prevalent, as the intent is to have these interfaces exposed only on internal networks; however, threats from the internal users can be just as significant as threats from external users. Issues with the web interface are easy to discover when examining the interface manually, along with using automated testing tools to identify other issues such as cross-site scripting.

IoT communication models

And once devices have all that data prepared, they need a network of some sort to communicate on. Mostly this is done over wireless communications in all its various forms and generally follows one of four IoT communication models—device to device, device to gateway, device to cloud, or back-end data sharing.

I2 - Insufficient Authentication/Authorization (OWASP IoT)

Authentication may not be sufficient when weak passwords are used or are poorly protected. Insufficient authentication/authorization is prevalent, as it is assumed that interfaces will only be exposed to users on internal networks and not to external users on other networks. Deficiencies are often found to be present across all interfaces. Many issues with authentication/authorization are easy to discover when examining the interface manually and can also be discovered via automated testing.
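The password-reset enumeration that I1, I2, I6 and I7 all mention, as an added example that is not code from the original notes. The user table, the two handlers and the mail outbox are constructed here; enumerate_accounts() is the test a pentester runs against a reset form, and the hardened handler is the fix.

```python
"""Account enumeration through a password-reset endpoint (added example, OWASP IoT I1/I2/I6/I7)."""
USERS = {"admin": "admin@example.net", "alice": "alice@example.net"}   # constructed
OUTBOX: list = []                                                      # stands in for the mail queue
WORDLIST = ["admin", "root", "alice", "bob", "service"]                # constructed


def reset_vulnerable(username: str) -> dict:
    """Leaks existence through both the status code and the message."""
    if username not in USERS:
        return {"status": 404, "msg": "No account with that username"}
    OUTBOX.append(USERS[username])
    return {"status": 200, "msg": "Reset e-mail sent"}


def reset_hardened(username: str) -> dict:
    """Identical response either way; only the mailbox owner learns anything."""
    if username in USERS:
        OUTBOX.append(USERS[username])
    return {"status": 200, "msg": "If that account exists, a reset e-mail has been sent"}


def enumerate_accounts(handler, wordlist) -> list:
    """Attacker's view: any name whose response differs from a known-bad name is a valid account."""
    def fingerprint(resp: dict) -> tuple:
        return resp["status"], resp["msg"]

    baseline = fingerprint(handler("zz-definitely-not-a-user-7f3a"))   # constructed bogus name
    return [name for name in wordlist if fingerprint(handler(name)) != baseline]
```

Two things the hardened handler still does not cover: it sends the e-mail synchronously, so response time can leak what the message no longer does (queue the mail and answer immediately), and it has no rate limit, so the same endpoint is still usable for the weak-credential guessing the entries above describe.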

BBProxy

BBProxy is a Blackberry-centric tool that's useful in an attack called blackjacking.

Bluetooth devices

Bluetooth devices have two modes: a discovery mode and a pairing mode.

Device to device & device to cloud

Device to device and device to cloud are pretty straightforward, with the things communicating directly with each other or shooting their data off directly to a cloud.

Device to gateway

Device to gateway adds a collective before sending to a cloud, which can be used to offer some security controls.

Discovery mode

Discovery mode determines how the device reacts to inquiries from other devices looking to connect, and it has three actions. The discoverable action obviously has the device answer to all inquiries, limited discoverable restricts that action, and nondiscoverable tells the device to ignore all inquiries.

Access Gateway Layer

First data handling takes place in this layer, with message identification and routing occurring here.

iBoot exploit

Found in one of the device's bootloaders, called iBoot (the other bootloaders are called SecureROM and LLB). It uses a vulnerability in iBoot to turn code signing off, then runs a program that gets everything done. iBoot exploits can be semi-tethered, and they can be patched by Apple.

Userland exploit

Found in the system itself, which is leveraged to gain root access, modify the fstab, and patch the kernel. These types of exploits cannot be tethered because nothing can cause a recovery mode loop, but they can be patched by Apple. This exploit provides user-level access but not iBoot-level (bootloader) access.

I3 - Insecure Network Services (OWASP IoT)

Insecure network services may be susceptible to buffer overflow attacks or attacks that create a denial-of-service condition, leaving the device inaccessible to the user. Denial-of-service attacks against other users may also be facilitated when insecure network services are available. Insecure network services can often be detected by automated tools such as port scanners and fuzzers.

I8 - Insufficient Security Configurability (OWASP IoT)

Insufficient security configurability is present when users of the device have limited or no ability to alter its security controls. Insufficient security configurability is apparent when the web interface of the device has no options for creating granular user permissions or for forcing the use of strong passwords, for example. Manual review of the web interface and its available options will reveal these deficiencies.

HVAC attacks

It's pretty much exactly what it sounds like—hack IoT devices in order to shut down air conditioning services.

