CEHv11 Part 10 IOT


Defend Against IoT Hacking

- Disable the "guest" and "demo" user accounts if enabled
- Use the "Lock Out" feature to lock out accounts after excessive invalid login attempts
- Implement a strong authentication mechanism
- Locate control system networks and devices behind firewalls, and isolate them from the business network
- Implement IPS and IDS in the network

Defend Against IoT Hacking

- Use VPN architecture for secure communication
- Deploy security as a unified, integrated system
- Allow only trusted IP addresses to access the device from the Internet
- Disable telnet (port 23)
- Disable the UPnP port on routers
- Protect the devices against physical tampering
- Patch vulnerabilities and update the device firmware regularly
- Monitor traffic on port 48101

Phases of IoT hacking.

1. Information gathering
2. Vulnerability scanning
3. Launching attacks
4. Gaining remote access
5. Maintaining access

Steps used by attackers to Perform Firmware Analysis and Reverse Engineering:

1. Obtain firmware
2. Analyze firmware
3. Extract the filesystem
4. Mount the filesystem
5. Analyze the filesystem content
6. Emulate firmware for dynamic testing

Nmap

Attackers use vulnerability scanning tools such as this to identify all the IoT devices connected to the network along with their open ports and services.

Level 3 (Operational Systems/Site Operations)

In this level, the production management, individual plant monitoring, and control functions are defined.

Level 2 (Control Systems/Area Supervisory Controls)

Supervising, monitoring, and controlling the physical process is carried out at this level.

Power-Line Communication (PLC)

This is a type of protocol that uses electrical wires to transmit power and data from one endpoint to another. PLC is required for applications in different areas such as home automation, industrial devices, and broadband over power lines (BPL).

Lack of Physical Hardening

According to OWASP, the best solution for one of the following vulnerabilities is setting up a Unique password for BIOS/firmware, Configuring device Boot, and minimizing external ports (USB). Which is this vulnerability?

Level 1 (Basic Controls/Intelligent Devices):

Analysis and alteration of the physical process can be done at this level. The operations in basic control include "start motors," "open valves," "move actuators," etc.

Back-End Data-Sharing Communication Model:

Cloud to third parties. This type of communication model extends the device-to-cloud communication type so that the data from the IoT devices can be accessed by authorized third parties. Here, devices upload their data to the cloud, where it is later accessed or analyzed by third parties.

Operational Technology (OT)

Controlling industrial physical devices. OT is the software and hardware designed to detect or cause changes in industrial operations through direct monitoring and/or control of industrial physical devices. It consists of Industrial Control Systems (ICS) that include Supervisory Control and Data Acquisition (SCADA), Remote Terminal Units (RTU), Programmable Logic Controllers (PLC), Distributed Control Systems (DCS), etc., to monitor and control the industrial operations.

Cloud Platform

Encrypted communications, strong Authentication credentials, secure web interface, encrypted storage, and automatic updates are the security considerations for which of the following components?

Purdue Model

IT System (Enterprise Zone) Levels:
0 - Physical
1 - Basic Controls / Intelligent Devices
2 - Control Systems / Area Supervisory Controls
3 - Operation Systems / Site Operations
OT System (Manufacturing Zone) Levels:
4 - Business Logistics Systems
5 - Enterprise Network

Shodan

If an attacker wants to gather information such as IP Address, hostname, ISP, device's location, and the banner of the target IoT device, which of the following tools should he use to do so?

Information Gathering Tools

If an attacker wants to gather information such as IP address, hostname, ISP, device's location, and the banner of the target IoT device, which of the following types of tools can he use to do so?

Account lockout mechanism

In order to prevent an Account lockout mechanism, what security mechanism should be implemented to the accounts?

Disable UPnP

In order to protect a device against insecure Network Services Vulnerability, which of the following solutions should be implemented?

Device-to-Cloud Communication Model

In this type of communication, devices communicate with the cloud directly, rather than directly communicating with the client to send or receive data or commands. It uses communication protocols such as Wi-Fi or Ethernet, and sometimes uses Cellular as well.

Side-channel attack

In which of the following IoT attacks does an attacker extract information about encryption keys by observing the emission of signals?

Sybil Attack

In which of the following attacks does an attacker use Multiple forged identities to create a strong illusion of traffic congestion, affecting communication between neighboring nodes and networks?

Exploit kits

In which of the following attacks does an attacker use a malicious script to exploit poorly patched vulnerabilities in an IoT device?

Side-channel attack

In which of the following attacks does an attacker use techniques such as timing analysis and power analysis to obtain critical information from a target industrial system?

Information gathering

Information such as IP address, protocols used, open ports, device type, and geo-location of a device is extracted by an attacker in which of the following phases of IoT hacking?

LockerGoga ransomware stages

1. Initial execution
2. Running the master process
3. Running the slave process
4. Ransom note

Cloud Server/Data Storage:

The IoT technology component that collects, from the gateway, the data that undergoes data analysis. After traveling through the gateway, the collected data arrives at the cloud, where it is stored and analyzed. The processed data is then transmitted to the user, who takes action based on the information received.

Device-to-Gateway Communication Model

IoT to gateway. In this model, the IoT device communicates with an intermediate device called a gateway, which in turn communicates with the cloud service.

Distributed Control System (DCS)

It contains a Centralized Supervisory Control Unit used to control Multiple local Controllers, thousands of input/output (I/O) points, and various other field devices that are part of the overall production process.

VSAT

A long-range wireless communication protocol used for data transfer through small dish antennas for both broadband and narrowband data.

IoT devices included in the buildings service sector

MRI, PDAs, implants, surgical equipment, pumps, monitors, telemedicine, etc. HVAC, transport, fire and safety, lighting, security, access, etc.

Jamming attack

Name an attack where an attacker interrupts communication between two devices by using the Same Frequency Signals on which the devices are communicating.

Insecure Web Interface

Name the IoT security vulnerability that gives rise to issues such as weak credentials, lack of account lockout mechanism, and account enumeration?

Device-to-Gateway Communication Model

Name the communication model where the IoT devices communicate with the cloud service through gateways?

RFCrack

One of the following tools is used by attackers to obtain the rolling code sent by a victim to unlock a vehicle, which is later used for unlocking and stealing the vehicle. Which is this tool?

python RFCrack.py -j -F 314000000

Out of the following RFCrack commands, which command is used by an attacker to perform Jamming?

Nmap

Port Gathering. Which of the following tools can an attacker use to gather information such as Open Ports and Services of IoT devices connected to the network?

Edge

Proper communication and storage encryption, no default credentials, strong passwords, and up-to-date components are the security considerations for which of the following components?

Sniffing Tools:

System administrators use automated tools to monitor their network and the devices connected to it, but attackers misuse these tools to capture network data and traffic, capture packets, etc.

Internet layer

Which of the following IoT architecture layers carries out communication between two endpoints, such as device-to-device, device-to-cloud, device-to-gateway, and back-end data-sharing?

Cloud server/data storage

Which of the following IoT technology components collects, from the gateway, the data that undergoes data analysis?

Level 2

Which of the following levels of the Purdue model uses protocols such as 6LoWPAN, DNP3, DNS/DNSSEC, FTE, HART-IP, IEC 60870-5-101/104, and SOAP?

Level 4 and 5

Which of the following levels of the Purdue model uses protocols such as DCOM, DDE, FTP/SFTP, GE-SRTP, IPv4/IPv6, OPC, TCP/IP, and Wi-Fi?

Level 0 and 1

Which of the following levels of the Purdue model uses protocols such as BACnet, EtherCat, CANopen, Crimson v3, DeviceNet, GE-SRTP, Zigbee, ISA/IEC 62443, ISA SP100, MELSEC-Q, MODBUS, Niagara Fox, Omron Fins, PCWorx, Profibus, Profinet, Sercos II, S7 Communications, and WiMax?

Internet Layer

This is a crucial layer as it serves as the main component in carrying out communication between two endpoints, such as device-to-device, device-to-cloud, device-to-gateway, or back-end data sharing.

Middleware Layer

This is one of the most critical layers that operates in two-way mode. It is responsible for important functions such as Data Management & Device Management, and various issues like data analysis, data aggregation, data filtering, device information discovery, and access control.

Contiki

This is used in Low-Power Wireless Devices such as street lighting, sound monitoring systems, etc.

Edge Technology Layer

This layer consists of all the hardware components, including sensors, radio-frequency identification (RFID) tags, readers, or other soft sensors, and the device itself.

Access Gateway Layer:

This layer helps to bridge the gap between two endpoints, such as a device and a client. The initial data handling also takes place in this layer. This layer carries out message routing, message identification, and subscribing.

HackRF One

Using which one of the following tools can an attacker perform BlueBorne or airborne attacks such as replay, fuzzing, and jamming?

Edge Technology Layer

Which of the following IoT architecture layers consists of all the hardware parts like sensors, RFID tags, readers or other soft sensors, and the device itself?

Device Firmware

Which of the following IoT attack surface areas has vulnerabilities related to A6 Sensitive Data Exposure:
- Backdoor accounts
- Hardcoded credentials
- Encryption keys
- Encryption (symmetric, asymmetric)
- Sensitive information
- Sensitive URL disclosure

Device Web Interface

Which of the following IoT attack surface areas has web application vulnerabilities like username enumeration, weak passwords, account lockout, known default credentials, and an insecure password recovery mechanism as its major vulnerabilities?
- Credential Management Vulnerabilities

Device Physical Interfaces

Which of the following IoT attack surface areas has these vulnerabilities:
- Firmware extraction
- Admin CLI
- Privilege escalation
- Removal of storage media
- Reset to insecure state
- Tamper resistance
- Debug port
- UART (Serial)
- JTAG/SWD
- Device ID/serial number exposure

Network Traffic

Which of the following IoT attack surface areas has these vulnerabilities:
- LAN
- LAN to Internet
- Short range
- Non-standard
- Wireless (Wi-Fi, Z-Wave, XBee, Zigbee, Bluetooth, LoRa)
- Protocol fuzzing

Insecure Network Services

Which of the following IoT threats is prone to various attacks such as Buffer overflow that result in denial of service, leaving the device inaccessible to the user?

nmap -Pn -sT -p 46824 <Target IP>

Which of the following Nmap commands helps attackers identify the HMI systems in a target OT network?

nmap -6 -n -Pn -sSU -pT:0-65535,U:0-65535 -v -A -oX <Name> <IP>

Which of the following Nmap commands is used by an attacker to identify the IPv6 capabilities of a target IoT device?

Port 48101

Which of the following TCP/UDP ports is used by infected devices to spread malicious files to other devices in the network?

Network

Which of the following layers in the IoT architecture has security issues such as firewall, improper communications encryption, services, and lack of automatic updates?

Cloud

Which of the following layers in the IoT architecture has security issues such as improper authentication, no encryption for storage and communications, and an insecure web interface?

Mobile

Which of the following layers in the IoT architecture has security issues such as insecure APIs, lack of communication channel encryption, authentication, and lack of storage security?

Application

Which of the following layers in the IoT architecture has security issues such as validation of input strings, AuthN, AuthZ, no automatic security updates, and default passwords?

CRITIFENCE

Which of the following online tools allows attackers to discover the default credentials of a device or product simply by entering the device name or manufacturer name?

Physical Web

Which of the following protocols is used to enable fast and seamless interaction with nearby IoT devices and reveals the list of URLs being broadcasted by nearby devices with BLE beacons?

ISA/IEC 62443

Which of the following protocols provides a flexible framework for addressing and mitigating current and future Security Vulnerabilities in Industrial Automation and Control systems?

Decoy

Which of the following security solutions is known as honeypots and used in OT environments to lure attackers into revealing their presence and activities?

SeaCat.io

Which of the following security tools offers SaaS technology and assists in operating IoT products in a reliable, scalable, and secure manner?

DigiCert IoT security solution

Which of the following tools can be used to protect private data and home networks while preventing unauthorized access using PKI-based security solutions for IoT devices?

FCC ID Search

Which of the following tools helps attackers find the Details and Certification granted to IoT devices?

Binwalk

Which of the following tools helps attackers scan and examine firmware binaries and images as well as retrieve information such as encryption types, sizes, partitions, and file systems?

beSTORM

Which of the following tools is a smart fuzzer that detects buffer-overflow vulnerabilities by automating and documenting the process of delivering corrupted inputs and watching for an unexpected response from the application?

RFCrack

Which of the following tools is used to perform a Rolling Code Attack by obtaining the rolling code sent by the victim?

GRASSMARLIN

Which of the following tools passively maps and visually displays an ICS/SCADA network topology while safely conducting device discovery, accounting, and reporting on these critical cyber-physical systems?

Vulnerability Scanning Tools

allow an attacker to identify vulnerabilities in IoT devices and their network and to further determine how they can be exploited. These tools also assist network security professionals in overcoming the identified weaknesses in the device and network by suggesting remediation techniques to protect the organization's network.

IoT Gateways:

are used to bridge the gap between the IoT device (internal network) and the end user (external network), thus allowing them to connect and communicate with each other. The sensors in IoT devices send the collected data to the concerned user or the cloud through the gateway.

Supervisory Control and Data Acquisition (SCADA)

is a centralized supervisory control system that is used for controlling and monitoring Industrial facilities and infrastructure.

Censys

is a public search engine and data-processing facility backed by data collected from ongoing Internet-wide scans. It can identify specific vulnerable devices and networks, and generate statistical reports on broad usage patterns and trends.

Thingful

is a search engine for finding and using open IoT data from around the world. It helps organizations make better decisions with external IoT data, covering dozens of verticals including weather, environment, smart cities, energy, and transport.

LTE-Advanced

is a standard for mobile communication that provides enhancement to LTE, focusing on providing higher capacity in terms of data rate, extended range, efficiency, and performance.

Near Field Communication (NFC)

is a type of short-range communication that uses magnetic field induction to enable communication between two electronic devices. It is primarily used in contactless mobile payment, social networking, and the identification of documents or other products.

Constrained Application Protocol (CoAP)

is a web transfer protocol used to transfer messages between constrained nodes and IoT networks.

Lightweight Machine-to-Machine (LWM2M)

is an application-layer communication protocol used for application-level communication between IoT devices.

Safety instrumented systems (SIS)

is an automated control system designed to safeguard the manufacturing environment in case of any hazardous incident in the industry.

The Purdue model

is derived from the PERA model, which is widely used to describe the internal connections and dependencies of important components in ICS networks. It consists of three zones: the Manufacturing zone (OT) and the Enterprise zone (IT), separated by a Demilitarized zone (DMZ).

Li-Fi

is like Wi-Fi with only two differences: the mode of communication and the speed. It is a Visible Light Communications (VLC) system that uses common household light bulbs for data transfer at a very high speed of 224 Gbps.

Device-to-Device Communication Model

is most commonly used in smart home devices such as thermostats, light bulbs, door locks, CCTV cameras, and fridges, which transfer small data packets to each other at a low data rate.

IT/OT Convergence (IIOT)

is the integration of IT (information technology) computing systems and OT operation monitoring systems. Examples: smart manufacturing, Industry 4.0.
Benefits of IT/OT convergence:
- Enhancing decision making
- Enhancing automation
- Expediting business output
- Minimizing expenses
- Mitigating risks

Ethernet

is the most commonly used type of network protocol today. It is a type of LAN (Local Area Network) that consists of a wired connection between computers in a small building, office, or campus.

PLC (Programmable Logic Controller)

Which of the following components of an industrial control system is a small solid-state control computer whose instructions can be customized to perform a specific task?

ZigBee

Which of the following technologies is a short-range communication protocol based on the IEEE 802.15.4 standard and is used in devices that transfer data infrequently at a low rate in a restricted area, within a range of 10-100 m?

Edge

This type of computing helps the IoT environment move computational processing to the edge of the network, allowing smart devices and gateways to perform tasks and services that would otherwise run on the cloud end.

Foren6

uses sniffers to capture 6LoWPAN traffic and renders the network state in a graphical user interface (GUI). It captures all RPL-related information and identifies abnormal behaviors.

