CEH v10 IoT Hacking
Short-range communication : Bluetooth low energy
Also known as Bluetooth Smart, it is a wireless personal area network technology. It is designed to provide applications in various sectors like healthcare, security, entertainment, fitness, etc.
IoT OS: Ubuntu Core
Also known as Snappy, it is used in robots, drones, edge gateways, etc.
IoT Framework Security Considerations : Mobile
An ideal framework for this interface should include a proper authentication mechanism for the user, an account lockout mechanism after a certain number of failed attempts, local storage security, encrypted communication channels and the security of the data transmitted over the channel.
IoT Framework Security Considerations : Gateway
An ideal framework for this component should incorporate strong encryption techniques for secure communications between endpoints.
Steps for Pen Testing IoT Devices
1. Discover IoT devices
2. Hardware analysis
3. Firmware and OS analysis
4. Wireless protocol analysis
5. Mobile application testing
6. Web application testing
7. Cloud services testing
8. Document all the findings
OWASP Top 10 IoT Vulnerabilities
1. Insecure web interface
2. Insufficient authentication/authorization
3. Insecure network services
4. Lack of transport encryption/integrity verification
5. Privacy concerns
6. Insecure cloud interface
7. Insecure mobile interface
8. Insufficient security configurability
9. Insecure software/firmware
10. Poor physical security
Shodan
A search engine that provides information about Internet-connected devices such as routers, traffic lights, CCTV cameras, servers, smart home devices, industrial devices, etc. Attackers can make use of this tool to gather information such as the IP address, hostname, ISP, device location and banner of a target IoT device.
IoT Framework Security Considerations : Cloud Platform
A secure framework for this component should include encrypted communications, strong authentication credentials, a secure web interface, encrypted storage, automatic updates and so on.
Short-range communication : Wi-Fi
A technology that is widely used in wireless local area networking (LAN). Presently, the most common standard used in homes or companies is 802.11n, which offers a maximum speed of 600 Mbps and a range of approximately 50 meters.
Multiping
A tool used to find the IP address of any IoT device in the target network. After obtaining the IP address of an IoT device, the attacker can perform further scanning to identify vulnerabilities present in that device.
Exploit Kits
Attackers use malicious scripts to exploit poorly patched vulnerabilities in an IoT device.
Side Channel Attack
Attackers extract information about encryption keys by observing the emission of signals (power, timing, electromagnetic) from the device.
Replay attack
Attackers intercept legitimate messages from a valid communication and continuously send the intercepted message to the target device to perform a denial-of-service attack or delay it in order to manipulate the message or crash the target device.
Forged Malicious Devices
Attackers replace authentic IoT devices with malicious devices, if they have physical access to the network.
RFcrack
Attackers use this tool to obtain the rolling code sent by the victim to unlock a vehicle and later use the same code for unlocking and stealing the vehicle.
HackRF One
Attackers use this software-defined radio to perform attacks such as BlueBorne or AirBorne attacks, including replay, fuzzing, jamming, etc.
Sybil Attack
Attackers use multiple forged identities to create a strong illusion of traffic congestion, affecting communication between neighboring nodes and networks.
Information Gathering Tools
Censys - A public search engine and data processing facility backed by data collected from ongoing Internet-wide scans. Censys supports full-text searches on protocol banners and queries over a wide range of derived fields.
Thingful - A search engine for the Internet of Things used to find and use open IoT data from around the world. It helps organizations make better decisions with external IoT data.
Exploit HVAC
Many organizations use Internet-connected heating, ventilation and air conditioning (HVAC) systems without implementing security mechanisms, giving attackers a gateway into corporate systems. HVAC systems have many security vulnerabilities that are exploited by attackers to steal login credentials, gain access to the HVAC system and perform further attacks on the organization's network. Shodan is used to locate such exposed systems.
More Vulnerability Solutions
Lack of Transport Encryption / Integrity Verification
o Encrypt communication between endpoints
o Maintain SSL/TLS implementations
o Do not use proprietary encryption solutions
Privacy Concerns
o Minimize data collection
o Anonymize collected data
o Provide end users the ability to decide what data is collected
Poor Physical Security
o Minimize external ports such as USB ports
o Protect the operating system
o Include the ability to limit administrative capabilities
IoT Framework Security Considerations
Edge - The main physical device in the IoT ecosystem that interacts with its surroundings and contains various components like sensors, actuators, operating systems, hardware, and network and communication capabilities.
Gateway - This acts as the first step for an edge device into the world of the Internet, as it connects the smart devices to the cloud components.
Cloud Platform - This is referred to as the main central aggregation and data management point. Access to the cloud is restricted.
Mobile - This plays an important part, particularly where the data needs to be collected and managed. Using mobile interfaces, users can access and interact with the edge in their home or workplace from miles away.
IoT Framework Security Considerations : Edge
Framework considerations for this component include proper encryption of communications and storage, no default credentials, strong passwords, use of the latest up-to-date components and so on.
Medium-range Wireless Communication
o Ha-low
o LTE Advanced
DigiCert
Its Home and Consumer IoT Security Solutions protect private data and home networks while preventing unauthorized access, using PKI-based security solutions for consumer IoT devices.
Short-range communication : Wi-Fi Direct
It is used for peer-to-peer communication without the need of a wireless access point. These devices start communication only after deciding which device will act as an access point.
IoT OS : RealSense OS X
It is used in Intel's depth-sensing technology and is therefore implemented in cameras, sensors, etc.
IoT models : Device-to-Gateway
In this communication model, an Internet of Things device communicates with an intermediate device called a gateway, which in turn communicates with the cloud service. This device could be a smartphone or a hub acting as an intermediate point, and it also provides security features and data or protocol translation. The protocols generally used in this mode of communication are ZigBee and Z-Wave.
IoT models : Device-to-Cloud
In this type of communication, devices communicate with the cloud directly rather than with the client in order to send or receive data or commands. It uses communication protocols such as Wi-Fi or Ethernet and sometimes cellular as well.
IoT models: Device-to-Device
In this type of communication, connected devices interact with each other through the Internet, but mostly they use protocols like ZigBee, Z-Wave or Bluetooth. It is most commonly used in smart home devices like thermostats, light bulbs, door locks, CCTV cameras, fridges, etc., where these devices transfer small data packets to each other at a low data rate. This model is also popular for communication between wearable devices. For example, an ECG/EKG device attached to the body of a patient will be paired to his/her smartphone and will send him/her notifications in an emergency.
LPWAN : Neul
It uses a tiny part of the TV white space spectrum to deliver a high-quality, high-power, high-coverage and low-cost network.
IoT OS : Zephyr
It is used in low power and resource constrained devices.
IoT OS : Contiki
It is used in low-power wireless devices such as street lighting, sound monitoring systems, etc.
IoT Hacking Methodology
Information gathering
o Tools - Shodan, Multiping
Vulnerability scanning
o Tools - Vulnerability scanning: Nmap, RIoT; Sniffing: Foren6
Launch attacks
o Tools - Rolling code (uses RFCrack); Hacking ZigBee (uses Attify); BlueBorne (uses HackRF One)
Gain access
o Tools - Remote access: Telnet
Maintain access
o Exploit firmware
Even More Vulnerability Solutions
Insecure Mobile Interface
o Use strong and complex passwords
o Enable an account lockout mechanism
o Enable two-factor authentication
Insufficient Security Configurability
o Enable a security logging mechanism
o Allow the selection of encryption options
o Notify end users regarding security alerts
Insecure Software / Firmware
o Secure update servers
o Verify updates before installation
o Sign updates
Insecure Cloud Interface
o Conduct an assessment of all the cloud interfaces
o Use strong and complex passwords
o Enable two-factor authentication
Vulnerability Solutions
Insecure Web Interface
o Enable default credentials to be changed
o Enable an account lockout mechanism
o Conduct periodic assessments of web applications
Insufficient Authentication / Authorization
o Implement secure password recovery mechanisms
o Use strong and complex passwords
o Enable two-factor authentication
Insecure Network Services
o Close open network ports
o Disable UPnP
o Review network services for vulnerabilities
IoT OS : Apache Mynewt
It supports devices that work on the Bluetooth Low Energy protocol.
IoT OS : RIOT OS
It has low resource requirements and uses energy efficiently. It is able to run on embedded systems, actuator boards, sensors, etc.
IoT OS : Brillo
It is an Android-based embedded OS, used in low-end devices such as thermostats.
Short-range communication : Zig-Bee
It is another short-range communication protocol based on the IEEE 802.15.4 standard. It is for devices that transfer data infrequently at a low data rate in a restricted area and within a range of 10-100 meters.
Medium-range communication : Ha-low
It is another variant of the Wi-Fi standard that provides extended range, making it useful for communications in rural areas. It offers low data rates, thus reducing power and cost for transmission.
IoT OS : ARM mbed OS
It is mostly used for low-powered devices like wearable devices.
Long-range communication : Low Power Wide Area Networking
LPWAN is a type of wireless telecommunication network designed to provide long-range communications between two end points. Technologies and protocols:
o LoRaWAN
o Sigfox
o Neul
Wired communication : Multimedia over Coax Alliance
MoCA is a type of network protocol that delivers high-definition home video and related content over existing coaxial cable.
IoT Architecture : Middleware Layer
This is one of the most critical layers and operates in two-way mode. As the name suggests, this layer sits in the middle of the application layer and the hardware layer, thus behaving as an interface between the two. It is responsible for important functions such as data management, device management and various tasks like data analysis, data aggregation, data filtering, device information discovery and access control.
Short-range communication : Near-field Communication
NFC is a type of short-range communication that uses magnetic field induction to enable communication between two electronic devices. It is basically used in contactless mobile payment, social networking and the identification of documents or products.
BlueBorne Attack
Performed on Bluetooth connections to gain access and take full control of the target device. It is a collection of various techniques based on known vulnerabilities in the Bluetooth protocol. It is compatible with all software versions and does not require any user interaction, precondition or configuration other than Bluetooth being active. After gaining access to one device, an attacker can penetrate any corporate network using that device to steal critical information about the organization and spread malware to nearby devices.
IoT OS : Integrity RTOS
Primarily used in the aerospace or defense, industrial, automotive and medical sectors.
IoT OS : Nucleus RTOS
Primarily used in aerospace, medical and industrial applications.
IoT Architecture : Internet Layer
This is a crucial layer as it serves as the main component carrying out the communication between two end points, such as device-to-device, device-to-cloud, device-to-gateway and back-end data-sharing.
Wired communication : Ethernet
This is the most commonly used type of network protocol today. It is a type of LAN (Local Area Network), which refers to a wired connection of computers in a small building, office or campus.
LPWAN : Sigfox
This is used in devices that have limited battery life and need to transfer small amounts of data.
Short-range communication : Radio Frequency Identification
RFID stores data in tags that are read using electromagnetic fields. RFID is used in many sectors like industrial, offices, companies, automobiles, pharmaceuticals, livestock and pets.
LPWAN : LoRaWAN
This is used to support applications such as mobile, industrial machine-to-machine and secure two-way communications for IoT devices, smart cities and healthcare applications.
Internet of Things (IoT)
Refers to the network of devices with an IP address that have the capability of sensing, collecting and sending data using embedded sensors, communication hardware and processors.
Application + Network + Mobile + Cloud = ?
IoT Architecture : Edge Technology Layer
This layer consists of all the hardware parts like sensors, RFID tags, readers or other soft sensors and the device itself. These entities are the primary part of the data sensors deployed in the field for monitoring or sensing various phenomena. This layer plays an important part in data collection and in connecting devices within the network and with the server.
IoT Architecture : Access Gateway Layer
This layer helps to bridge the gap between two end points like a device and a client. The very first data handling also takes place in this layer. It carries out message routing, message identification and subscribing.
IoT Architecture : Application Layer
This layer, placed at the top of the stack, is responsible for the delivery of services to the respective users from different sectors like building, industrial, manufacturing, automobile, security, healthcare, etc.
Firmalyzer
This tool enables device vendors and security professionals to perform automated security assessments of the software that powers IoT devices (firmware) in order to identify configuration and application vulnerabilities.
RIoT Vulnerability Scanner
This tool identifies at-risk IoT devices such as IP cameras, DVRs, printers, routers, etc. It gives you an attacker's view of all the IoT devices and their associated vulnerabilities. Utilizing precise information such as server banner and header data, it pinpoints the make and model of a particular IoT device.
IoT models : Back-end Data-Sharing
This type of communication model extends the device-to-cloud model so that the data from the IoT devices can be accessed by authorized third parties. Here devices upload their data to the cloud, where it is later accessed or analyzed by the third parties.
Components of IoT : Sensing Technology
Sensors embedded in the devices sense a wide variety of information from their surroundings like temperature, gases, location and the working of industrial machinery, as well as the health data of a patient.
Attify
This consists of a set of tools used to perform ZigBee penetration testing.
Z-Wave sniffer
This is a hardware tool used to sniff traffic generated by smart devices connected in the network.
Short-range communication : Z-Wave
This is a low power, short-range communication designed primarily for home automation. It provides a simple and reliable way to wirelessly monitor and control household devices like HVAC, thermostat, garage, home cinema e
SeaCat.io
This is a security-first SaaS technology for operating IoT products in a reliable, scalable and secure manner. It provides protection to end users, businesses and data.
Components of IoT : Cloud Server/Data Storage
After travelling through the gateway, the collected data arrives at the cloud, where it is stored and undergoes data analysis. The processed data is then transmitted to the user, who takes certain actions based on the information received.
Components of IoT : Remote Control using Mobile App
The end user uses remote controls such as mobile phones, tablets, laptops, etc. with an installed mobile app to monitor, control, retrieve data from and take specific actions on IoT devices from a remote location.
beSTORM
This is a smart fuzzer that finds buffer overflow vulnerabilities by automating and documenting the process of delivering corrupted input and watching for unexpected responses from the application.
Medium-range communication : LTE Advanced
This is a standard for mobile communication that enhances LTE, focusing on higher capacity in terms of data rate, extended range, efficiency and performance.
Long-range communication : Cellular
This is a type of communication protocol used for communication over longer distances. It is used to send high-quality data, at the cost of being expensive and consuming a lot of power.
Wired communication : Power-line Communication
This is a type of protocol in which electrical wires are used to transmit both power and data from one end point to another. PLC is used for applications in different areas like home automation, industrial devices and broadband over power lines (BPL).
Short-range communication : Thread
This is an IPv6-based networking protocol for IoT devices. Its main aim is home automation, so that devices can communicate with each other on local wireless networks.
Short-range communication : Light-Fidelity (Li-Fi)
This is like Wi-Fi with only two differences: the mode of communication and the speed. It is a Visible Light Communications (VLC) system that uses common household light bulbs for data transfer at a very high speed of 224 Gbps.
Components of IoT : IoT Gateways
These are used to bridge the gap between the IoT device (internal network) and the end user (external network), allowing them to connect and communicate with each other. The data collected by the sensors in IoT devices is sent to the concerned user or the cloud through the gateway.
Short-range communication : QR Codes and Barcodes
These codes are machine-readable tags that contain information about the product or item to which they are attached. A Quick Response (QR) code is a two-dimensional code that stores product information and can be scanned using smartphones, whereas barcodes come in both one-dimensional (1D) and two-dimensional (2D) forms.
Jamming Attack
A type of attack in which communication between wireless IoT devices is jammed in order to compromise it. An attacker randomly transmits radio signals on the same frequency the sensor nodes use for communication. As a result the network gets jammed, making endpoints unable to send or receive any message.
Rolling Code Attack
Smart locking systems use an RF signal, transmitted in the form of a code from a modern key fob, to lock or unlock the vehicle. This code, which locks or unlocks a car or a garage, is also known as a hopping code. An attacker uses a jammer to thwart the transmission of the code from the key fob to the receiver in the vehicle. After obtaining the code, the attacker can use it to unlock and steal the vehicle.
Long-range communication : Very Small Aperture Terminal
VSAT is a communication protocol used for data transfer using small dish antennas, for both broadband and narrowband data.
Attack Area : Device physical interfaces
Vulnerabilities present in this component are Firmware Extraction, User CLI (command-line interface), Admin CLI, Privilege Escalation, Reset to Insecure State and Removal of Storage Media.
Attack Area : Device Firmware
Vulnerabilities present in this component are Hardcoded Credentials, Sensitive Information/URL Disclosure, Encryption Keys and Firmware Version Display and/or Last Update Date.
Attack Area : Ecosystem Communication
Vulnerabilities present in this component are Health Checks, Heartbeats, Ecosystem Commands, De-provisioning and Pushing Updates.
Attack Area : Ecosystem access control
Vulnerabilities present in this component are Implicit Trust between Components, Enrollment Security, Decommissioning System and Lost Access Procedures.
Attack Area : Mobile Application
Vulnerabilities present in this component are Implicitly Trusted by Device or Cloud, Username Enumeration, Account Lockout, Known Default Credentials or Weak Passwords and Insecure Data Storage.
Attack Area : Device Network Service
Vulnerabilities present in this component are Information Disclosure, Firmware, Denial-of-Service, UPnP, Vulnerable UDP Services, User and Admin CLI, Injection, Unencrypted Services and Poorly Implemented Encryption.
Attack Area : Vendor Backend APIs
Vulnerabilities present in this component are Inherent Trust of Cloud or Mobile Application, Weak Authentication and Weak Access Controls.
Attack Area : Network Traffic
Vulnerabilities present in this component are LAN, LAN to Internet, Short Range and Non-standard.
o LAN - Before deploying a LAN, ensure that the location is secure, and at the software level a firewall should be deployed to keep attackers away from the network.
o LAN to Internet - The very first thing to consider while deploying a LAN is the location. Ensure that it is secure and that proper security policies and practices are followed to enhance the network's security, making it difficult for an attacker to breach it.
o Short Range - In order to make short-range communication secure, a good security design should be implemented that hardens the device's security.
o Non-standard - Each piece of network traffic passing through should be standardized and checked before leaving or entering the network.
Attack Area : Administrative Interface
Vulnerabilities present in this component are SQL Injection, Cross-site Scripting and Cross-site Request Forgery, Username Enumeration and Known Default Credentials, Weak Passwords and Account Lockout, Security/Encryption and Logging Options, Two-factor Authentication and Inability to Wipe Device.
Attack Area : Device web interface
Vulnerabilities present in this component are SQL Injection, Cross-site Scripting, Cross-site Request Forgery, Username Enumeration, Weak Passwords, Account Lockout and Known Default Credentials.
Attack Area : Cloud Web Interface
Vulnerabilities present in this component are Transport Encryption, SQL Injection, Cross-site Scripting and Cross-site Request Forgery, Username Enumeration and Known Default Credentials, Weak Passwords and Account Lockout, Insecure Password Recovery Mechanism and Two-factor Authentication.
Attack Area : Local Data Storage
Vulnerabilities present in this component are Unencrypted Data, Data Encrypted with Discovered Keys and Lack of Data Integrity Checks.
Attack Area : Third-party Backend APIs
Vulnerabilities present in this component are Unencrypted PII Sent, Device Information Leaked and Location Leaked.
Attack Area : Update Mechanism
Vulnerabilities present in this component are Update Sent without Encryption, Updates Not Signed, Update Verification, Malicious Update, Missing Update Mechanism and No Manual Update Mechanism.
Attack Area : Device memory
Vulnerabilities present in this component are Clear-text Credentials, Third-party Credentials and Encryption Keys.
IoT Architecture
o Application Layer
o Middleware Layer
o Internet Layer
o Access Gateway Layer
o Edge Technology Layer
Short-range Wireless Communication
o Bluetooth Low Energy
o Light-Fidelity (Li-Fi)
o Near Field Communication
o QR Codes and Barcodes
o Radio Frequency Identification
o Thread
o Wi-Fi
o Wi-Fi Direct
o Z-Wave
o ZigBee
IoT Pen Testing
o Close unused ports and unnecessary/unknown open ports
o Disable unnecessary services
o Provide protection against unauthorized access and usage of the device
o Design a mechanism for uninterrupted flow of information between two endpoints
o Provide protection against elevation of privileges
o Enhance the device's data encryption policy
o Enhance the security of the web application and provide data privacy
o Harden the overall device's security
IoT Threats
o DDoS attacks
o Attack on HVAC systems
o Rolling code attack
o BlueBorne attack
o Jamming attack
o Remote access using backdoor
o Remote access using Telnet
o Sybil attack
o Exploit kits
o MITM
o Replay attack
o Forged malicious device
o Side channel attack
o Ransomware
IoT Attack Surface Areas
o Device memory
o Ecosystem access control
o Device physical interfaces
o Device web interface
o Device firmware
o Device network services
o Administrative interface
o Local data storage
o Cloud web interface
o Update mechanism
o Third-party backend APIs
o Mobile application
o Vendor backend APIs
o Ecosystem communication
o Network traffic
IoT Communication Models
o Device-to-Device Model
o Device-to-Cloud Model
o Device-to-Gateway Model
o Back-End Data-Sharing Model
How to Defend Against IoT Hacking
o Disable the "guest" and "demo" user accounts if enabled
o Use the "Lock Out" feature to lock out accounts after excessive invalid login attempts
o Implement a strong authentication mechanism
o Locate control system networks and devices behind firewalls, and isolate them from the business network
o Implement IPS and IDS in the network
o Use a VPN architecture for secure communication
o Deploy security as a unified, integrated system
o Allow only trusted IP addresses to access the device from the Internet
o Disable Telnet (port 23)
o Disable the UPnP port on routers
Wired Communication
o Ethernet
o Multimedia over Coax Alliance (MoCA)
o Power-line Communication (PLC)
IoT Hacking Tools
o Firmalyzer
o ChipWhisperer
o rfcat-rolljam
o KillerBee
o GATTack.io
o JTAGULATOR®
o Firmware Analysis Toolkit
Challenges of IoT
o Lack of security and privacy
o Vulnerable web interfaces
o Legal, regulatory and rights issues
o Default, weak and hardcoded credentials
o Clear-text protocols and unnecessary open ports
o Coding errors
o Storage issues
o Difficulty updating firmware and OS
o Interoperability standard issues
o Physical theft and tampering
o Lack of vendor support for fixing vulnerabilities
o Emerging economy and development issues
Long-range Wireless communication
o Low-power Wide-area Networking (LPWAN)
o Very Small Aperture Terminal (VSAT)
o Cellular
IoT Operating Systems
o RIOT OS
o ARM mbed OS
o RealSense OS X
o Nucleus RTOS
o Brillo
o Contiki
o Zephyr
o Ubuntu Core
o Integrity RTOS
o Apache Mynewt
General Guidelines for IoT Device Manufacturing Companies
o SSL/TLS should be used for communication purposes
o There should be a mutual check on SSL certificates and the certificate revocation list
o Use of strong passwords should be encouraged
o The device's update process should be simple and secured with a chain of trust
o Implement account lockout mechanisms after a certain number of wrong login attempts to prevent brute-force attacks
o Lock the devices down whenever and wherever possible to protect them from attacks
o Periodically check the device for unused tools and use whitelisting to allow only trusted tools or applications to run
o Use a secure boot chain to verify all software that is executed on the device
IoT Security Tools
o SeaCat.io
o DigiCert
o Pulse: IoT Security Platform
o Symantec IoT Security
o Darktrace
o Cisco IoT Threat Defense
o Cisco Umbrella
o Google Cloud IoT
o net-Shield
o Noddos
o AWS IoT Device Defender
o Norton Core
Components of IoT
o Sensing Technology
o IoT Gateways
o Cloud Server/Data Storage
o Remote Control using Mobile App
Sniffing Tools
o Z-Wave sniffer
o CloudShark
o Ubiqua Protocol Analyzer
o Perytons Protocol Analyzers
o Wireshark
o Tcpdump
o Open Sniffer
o ApiMote IEEE 802.15.4/ZigBee sniffing hardware
o Ubertooth
Vulnerability Scanners
o beSTORM
o Rapid7 Metasploit Pro
o IoTsploit
o IoTSeeker
o Bitdefender Home Scanner
o IoTInspecto