Module 18: IoT and OT Hacking
OT Hacking
The aim of OT hacking is to damage or disrupt business processes by attacking the industrial control systems that run manufacturing and other industrial sites
Components of an ICS: Supervisory Control and Data Acquisition (SCADA)
1) A centralized supervisory control system that is used for controlling and monitoring industrial facilities and infrastructure 2) It provides centralized controlling and monitoring of multiple process inputs and outputs by integrating the data acquisition system with the data transmission system and Human Machine Interface (HMI) software
Components of an ICS: Distributed Control System (DCS)
1) A highly engineered and large-scale control system that is often used to perform industry specific tasks 2) It contains a centralized supervisory control unit used to control multiple local controllers, thousands of I/O points, and various other field devices that are part of the overall production process 3) It operates using a centralized supervisory control loop that connects a group of localized controllers to execute the overall tasks required for the working of an entire production process
Components of an ICS: Programmable Logic Controller (PLC)
1) A small solid-state control computer whose instructions can be customized to perform a specific task 2) PLCs are used in industries such as the steel, automobile, energy, chemical, glass, and paper industries
Fault Injection Attacks
1) Also known as perturbation attacks; the attacker deliberately induces a fault in a device's hardware (for example by glitching its power, clock, or reset line, or with an electromagnetic or optical pulse) so that it skips an instruction or produces a wrong result, which can be used to bypass security checks or leak secret data 2) Fault injection attacks can be invasive (the chip package is opened) or non-invasive
Information Gathering using MultiPing
1) An attacker can use MultiPing to find the IP addresses of IoT devices on the target network 2) After obtaining a device's IP address, the attacker can scan it further to identify vulnerabilities in that device
Components of an ICS: Safety Instrumented Systems (SIS)
1) An automated control system designed to safeguard the manufacturing environment in case of any hazardous incident in the industry 2) It is an essential component of a risk management strategy that uses layers of protection to prevent the operational boundaries of critical processes from reaching an unsafe operating condition
Gathering Default Passwords using CRITIFENCE
1) An online database of default passwords for critical infrastructure, SCADA, ICS, and IIoT products 2) Attackers can use it to look up the default credentials of an OT system 3) Each entry lists the product code, vendor, device type, and the default username and password
Side-channel attack using ChipWhisperer
1) An open-source toolchain mainly used for embedded hardware security research 2) Attackers use ChipWhisperer to perform side-channel power analysis and glitching attacks 3) Side-channel power analysis allows attackers to extract cryptographic keys from a system 4) Attackers use ChipWhisperer to break implementations of algorithms such as AES and Triple DES with power analysis attacks
DDoS Attack
1) The attacker starts by exploiting vulnerabilities in the devices and installing malicious software on their operating systems 2) The collection of infected IoT devices under the attacker's control is a botnet (an "army" of compromised devices) 3) The target is then flooded with a large volume of requests from many IoT devices in different locations
Power Analysis
1) Attackers observe how the power consumption of the device's semiconductors changes from clock cycle to clock cycle 2) Because the power trace of a correct password character differs from that of a wrong one, the password can be recovered one character at a time by comparing the traces
HMI-Based attacks
1) Attackers often try to compromise the HMI because it is the central hub from which operators control the critical infrastructure 2) Attackers gain access to HMI systems to cause physical damage to the SCADA devices or to collect sensitive information about the critical infrastructure
Gaining Remote Access using Telnet
1) Attackers perform port scanning to learn about the open ports and services on the target IoT device 2) Many embedded applications in IoT devices such as industrial control systems, routers, VoIP phones, and televisions implement remote access using Telnet 3) If an attacker finds that the Telnet port is open, he/she can exploit it (Telnet is unauthenticated in transit and often protected only by default credentials) to gain remote access to the device 4) Attackers use search engines such as Shodan and Censys to find devices that expose Telnet to the internet before attempting remote access
Hacking ICS Hardware
1) Attackers use publicly available online sources to gather details of the hardware chips used in a specific ICS device 2) By performing static and dynamic analysis of the functions running on the chip, attackers can discover the arguments used and detect whether input/output validation is present 3) Attackers analyze the software integrated in a chip to retrieve information such as certificates, key generation algorithms, and encryption functions
The Purdue Model
1) Derived from the Purdue Enterprise Reference Architecture (PERA), which is widely used to describe the internal connections and dependencies of the important components in ICS networks 2) It consists of 3 zones: the Manufacturing zone (OT) and the Enterprise zone (IT), separated by a Demilitarized zone (DMZ); the zones are further divided into several operational levels (Level 0, the physical process, up to Level 5, the enterprise network)
IoT Communication models
1) Device-To-Device Model 2) Device-To-Cloud Model 3) Device-to-Gateway Model 4) Back End Data-Sharing Model
OWASP IoT Attack Surface Area
1) Ecosystem (general) 2) Device memory 3) Device physical interfaces 4) Device web interfaces 5) Device firmware 6) Device network services
IoT Framework Security Considerations
1) Edge 2) Gateway 3) Cloud platform 4) Mobile
Maintain Access by exploiting firmware
1) Exploit the firmware installed on the IoT device to maintain access to the device 2) After gaining remote access, the attacker explores the file system to reach the firmware on the device 3) Attackers use tools such as Firmware Mod Kit to build malicious firmware from the legitimate firmware image 4) Firmware Mod Kit allows easy deconstruction and reconstruction of firmware images for various embedded devices
Information Gathering using FCC ID search
1) Helps in finding the details and granted certification of a device 2) An FCC ID consists of two elements: the Grantee Code (the first 3 or 5 characters) and the Product Code (the remaining characters) 3) Attackers can gather basic information about a target device (vendor, internal photos, test reports) using an FCC ID search 4) Using this information, an attacker can look for underlying vulnerabilities in the target device and launch further attacks
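A small parser for the two elements described above, as an added example that is not code from the original notes. The split rule it uses is an assumption stated here: a grantee code that begins with a digit is five characters long, one that begins with a letter is three characters long, and labels often print a hyphen between the grantee code and the product code. The sample IDs are constructed, not real devices.

```python
from __future__ import annotations

import re

GRANTEE_RE = re.compile(r"^[A-Z0-9]+$")
PRODUCT_RE = re.compile(r"^[A-Z0-9-]{1,14}$")   # product codes are short alphanumerics, hyphens allowed


def split_fcc_id(fcc_id: str) -> tuple[str, str]:
    """Split an FCC ID as printed on a device label into (grantee_code, product_code).

    Assumed rule: grantee codes starting with a digit are 5 characters,
    those starting with a letter are 3 characters.
    """
    s = re.sub(r"\s+", "", fcc_id).upper()
    if s.startswith("FCCID:"):              # labels read "FCC ID: XXXX-YYYY"
        s = s[len("FCCID:"):]
    if not s:
        raise ValueError("empty FCC ID")
    n = 5 if s[0].isdigit() else 3
    grantee, product = s[:n], s[n:]
    if product.startswith("-"):             # separator between the two elements, not part of the code
        product = product[1:]
    if len(grantee) != n or not GRANTEE_RE.fullmatch(grantee):
        raise ValueError(f"bad grantee code in {fcc_id!r}")
    if not PRODUCT_RE.fullmatch(product):
        raise ValueError(f"bad product code in {fcc_id!r}")
    return grantee, product


def lookup_fields(fcc_id: str) -> dict[str, str]:
    """The two values a database search form asks for."""
    grantee, product = split_fcc_id(fcc_id)
    return {"grantee_code": grantee, "product_code": product}


if __name__ == "__main__":
    # Constructed examples: a post-2013 style (5-char) and an older style (3-char) grantee code.
    for sample in ("FCC ID: 2ABCD-WIDGET01", "ABCWIDGET02"):
        print(sample, "->", lookup_fields(sample))
```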
IoT device management
1) Supports IoT solutions with software tools and processes, and helps in onboarding new devices securely and promptly 2) It allows users to track, monitor, and manage physical IoT devices and to update their firmware remotely 3) Provides permissions and security capabilities that protect against vulnerabilities
IoT Hacking Methodology
1) Information Gathering 2) Vulnerability Scanning 3) Launch Attacks 4) Gain Remote Access 5) Maintain Access
IoT Threats
1) IoT devices on the internet have very few security protection mechanisms against various emerging threats 2) Attackers often exploit these poorly protected devices on the internet to cause physical damage to the network, to wiretap the communication, and to launch disruptive attacks such as DoS
Challenges of IoT
1) Lack of security and privacy 2) Vulnerable web interfaces 3) Legal, regulatory, and rights issues 4) Default, weak, and hardcoded credentials 5) Clear-text protocols and unnecessary open ports 6) Coding errors 7) Storage issues 8) Difficulty of updating firmware and OS 9) Interoperability standard issues 10) Physical theft and tampering 11) Lack of vendor support for fixing vulnerabilities 12) Emerging economy and development issues
Exploit HVAC
1) Many organizations use Internet-connected heating, ventilation, and air conditioning (HVAC) systems without implementing security mechanisms, which gives attackers a gateway into corporate systems 2) HVAC systems have many security vulnerabilities that attackers exploit to steal login credentials, gain access to the HVAC system, and launch further attacks on the organization's network
Rolling Code Attack
1) Most smart vehicles use smart locking systems in which a modern key fob transmits an RF signal carrying a code to the receiver in the vehicle, which locks or unlocks it 2) Because the code changes on every press (the receiver rejects a code it has already accepted), it is called a rolling code or hopping code; garage door openers use the same mechanism 3) The attacker uses a jammer so that the receiver never hears the victim's transmission while the attacker records the code; when the victim presses the fob again, the attacker records the second code and replays the first one, so the vehicle opens and the victim notices nothing 4) The unused second code is still valid, and the attacker can later use it to unlock and steal the vehicle
Introduction to ICS
1) A collective term for the different types of control systems and their associated equipment, such as systems, devices, networks, and controls used to operate and automate industrial processes 2) An ICS consists of several types of control systems such as SCADA, DCS, BPCS, SIS, HMI, PLCs, RTUs, IEDs, etc. 3) An ICS can operate in three modes, namely open loop, closed loop, and manual mode 4) ICSs are extensively used in industries such as electricity production and distribution, water supply and waste-water treatment, oil and natural gas supply, chemical and pharmaceutical production, pulp and paper, and food and beverages
Type of fault injection attacks
1) Optical fault injection, electromagnetic fault injection (EMFI), body bias injection (BBI) 2) Power/clock/reset glitching 3) Frequency/voltage tampering 4) Temperature attacks
Side-Channel Attacks
1) An attacker performs a side-channel attack by monitoring the physical implementation of a target system (its timing, power consumption, etc.) to obtain critical information from it 2) Two techniques, timing analysis and power analysis, are used for side-channel attacks on target OT systems
BlueBorne Attack
1) An attack on Bluetooth connections used to gain access to and take full control of the target device 2) It is a collection of techniques based on known vulnerabilities in Bluetooth stacks 3) It affects devices across the major platforms (the original disclosure covered Android, iOS, Windows, and Linux) and requires no user interaction, precondition, or configuration other than Bluetooth being turned on 4) After gaining access to a device, the attacker can use it to penetrate the corporate network, steal critical information about the organization, and spread malware to nearby devices
Information Gathering using Shodan
1) Provides information about internet-connected devices such as routers, traffic lights, CCTV cameras, servers, and smart home devices 2) Attackers can use it to gather the IP address, hostnames, ISP, location, and service banner of a target IoT device
IoT
1) Refers to the network of devices that have IP addresses and the capability to sense, collect, and send data using embedded sensors, communication hardware, and processors 2) The term "thing" refers to a device that is embedded in a natural, human-made, or machine-made object and can communicate over the network
Components of an ICS: Basic Process Control System (BPCS)
1) Responsible for process control and monitoring of the industrial infrastructure 2) A system that responds to input signals from the process and its associated equipment by generating output signals that make the process and equipment operate according to an approved control strategy 3) Applicable to all sorts of control loops, such as temperature, pressure, and flow control loops, batch control, and feedback and feed-forward loops, used in industries such as chemical, oil and gas, and food and beverages
Identifying ICS/SCADA Systems using Shodan
1) Shodan search engine helps attackers to gather information about OT devices connected to the internet 2) Using Shodan, attackers obtain details of SCADA systems that are used in water treatment plants, nuclear power plants, HVAC systems, electrical transmission systems, home heating systems, etc.
Hacking Smart Grid/ industrial Devices: Remote Access using backdoor
1) The attacker gathers basic information about the target organization using various social engineering techniques 2) The attacker sends phishing emails to the employees with malicious attachments 3) When an employee opens the email and clicks on the attachment, a backdoor is automatically installed on the target system 4) Using the backdoor, the attacker gains access to the private network of the organization
SDR-Based Attacks on IoT
1) The attacker uses software defined radio (SDR) to examine the communication signals in the IoT network and sends spam content or text to the interconnected devices 2) Can also change the transmission and reception of signals between the devices, based on their software implementations
IT/OT Convergence (IIOT)
1) The integration of IT computing systems with OT operation monitoring systems to bridge the gap between IT and OT and improve overall security, efficiency, and productivity 2) It enables the connected manufacturing known as Industry 4.0, in which IoT applications are used in industrial operations 3) Using the Internet of Things (IoT) for industrial operations such as monitoring supply chains, manufacturing, and management systems is referred to as the Industrial Internet of Things (IIoT)
Operational Technology (OT)
1) The software and hardware designed to detect or cause changes in industrial operations through direct monitoring and/or control of industrial physical devices 2) Consists of Industrial Control Systems (ICS), which include Supervisory Control and Data Acquisition (SCADA), Remote Terminal Units (RTU), Programmable Logic Controllers (PLC), Distributed Control Systems (DCS), etc., used to monitor and control industrial operations
Rolling code attack using RFCrack
1) Attackers use the RFCrack tool to capture the rolling code sent by the victim's fob to unlock the vehicle and later replay the same code to unlock and steal the vehicle 2) RFCrack is used for testing RF communications with any physical device that communicates over sub-GHz frequencies
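The jam-and-replay sequence described under Rolling Code Attack, and the code-reuse that RFCrack is used for above, as an added simulation that is not code from the original notes or from the RFCrack project. The receiver is modelled as a press counter with an acceptance window and a keyed tag over the counter; the shared key, the window size, and the HMAC-SHA256 tag are assumptions for the simulation (real fobs use a proprietary cipher, and no RF is involved here).

```python
from __future__ import annotations

import hashlib
import hmac
from dataclasses import dataclass

# Constructed shared secret between fob and receiver (assumption for the simulation).
FOB_KEY = b"constructed-fob-key"
WINDOW = 16   # how many presses out of the receiver's earshot are still accepted


@dataclass(frozen=True)
class Packet:
    """One RF transmission: the fob's press counter and an authentication tag."""
    counter: int
    tag: bytes


def make_tag(counter: int) -> bytes:
    # Stand-in for the fob's keyed encryption of its counter.
    return hmac.new(FOB_KEY, counter.to_bytes(4, "big"), hashlib.sha256).digest()[:4]


class KeyFob:
    def __init__(self) -> None:
        self.counter = 0

    def press(self) -> Packet:
        self.counter += 1                      # rolling code: a new value on every press
        return Packet(self.counter, make_tag(self.counter))


class Receiver:
    def __init__(self) -> None:
        self.last_counter = 0
        self.unlocked = False

    def receive(self, pkt: Packet) -> bool:
        fresh = self.last_counter < pkt.counter <= self.last_counter + WINDOW
        authentic = hmac.compare_digest(pkt.tag, make_tag(pkt.counter))
        if fresh and authentic:
            self.last_counter = pkt.counter    # every accepted code is burned
            self.unlocked = True
            return True
        return False

    def lock(self) -> None:
        self.unlocked = False


def naive_replay() -> bool:
    """Replaying a code the receiver already accepted fails: its counter is no longer fresh."""
    fob, car = KeyFob(), Receiver()
    pkt = fob.press()
    car.receive(pkt)                            # legitimate press, accepted
    car.lock()
    return car.receive(pkt)                     # replay: rejected


def rolljam_attack() -> tuple[bool, bool, bool]:
    """Jam-and-replay. Returns (victim's replayed code accepted,
    attacker's later unlock accepted, burned first code rejected)."""
    fob, car = KeyFob(), Receiver()
    captured: list[Packet] = []
    # Press 1: the attacker jams the receiver band and records the packet; the car hears nothing.
    captured.append(fob.press())
    # Press 2: jammed and recorded again; the attacker immediately replays press 1,
    # so the victim sees the car unlock and suspects nothing.
    captured.append(fob.press())
    victim_unlocked = car.receive(captured[0])
    car.lock()
    # Later: the attacker replays the second code, which the receiver has never seen.
    attacker_unlocked = car.receive(captured[1])
    car.lock()
    # The first code is now behind the receiver's counter and is rejected.
    burned_rejected = not car.receive(captured[0])
    return victim_unlocked, attacker_unlocked, burned_rejected


if __name__ == "__main__":
    print("naive replay accepted:", naive_replay())
    print("rolljam (victim, attacker, burned):", rolljam_attack())
```

The window is what makes the attack work: the receiver must tolerate presses it did not hear, so a recorded-but-unheard code stays valid until a later counter is accepted.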
Discovering IoT devices with default credentials using IoTSeeker
1) Attackers use tools such as IoTSeeker to discover IoT devices that still use default credentials and are therefore vulnerable to hijacking attacks 2) It scans a network for specific types of IoT devices and detects whether they are using the factory-set default credentials 3) The same tool helps organizations scan their own networks for IoT devices left at factory settings
Vulnerability Scanning using Nmap
Attackers use scanning tools such as Nmap to identify all the IoT devices connected to the network along with their open ports and running services (and, using its NSE scripts, known vulnerabilities in those services)
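A triage script over Nmap's XML output, as an added example that is not code from the original notes or from the Nmap project. It lists each host's open services and flags the clear-text ones, in particular Telnet, which the earlier section on gaining remote access via Telnet describes as the entry point on many embedded devices. The scan result embedded below is constructed (the `nmap -sV -oX` layout, on documentation addresses), not a real scan.

```python
from __future__ import annotations

import xml.etree.ElementTree as ET   # for XML from untrusted sources, prefer the defusedxml package

# Constructed sample of `nmap -sV -oX scan.xml` output for a small IoT segment (not a real scan).
SAMPLE_NMAP_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sV -oX scan.xml 192.0.2.0/28">
  <host><status state="up"/><address addr="192.0.2.10" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="23"><state state="open"/><service name="telnet" product="BusyBox telnetd"/></port>
      <port protocol="tcp" portid="80"><state state="open"/><service name="http" product="GoAhead WebServer"/></port>
    </ports>
  </host>
  <host><status state="up"/><address addr="192.0.2.11" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22"><state state="open"/><service name="ssh" product="Dropbear sshd"/></port>
      <port protocol="tcp" portid="23"><state state="filtered"/><service name="telnet"/></port>
    </ports>
  </host>
  <host><status state="up"/><address addr="192.0.2.12" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="443"><state state="open"/><service name="https" product="lighttpd"/></port>
    </ports>
  </host>
</nmaprun>
"""

# Services that carry credentials and commands unencrypted.
CLEARTEXT_SERVICES = {"telnet", "ftp", "http"}


def parse_nmap_xml(xml_text: str) -> dict[str, list[tuple[int, str, str]]]:
    """Map each IPv4 host to its open ports as (port, service name, product)."""
    root = ET.fromstring(xml_text)
    hosts: dict[str, list[tuple[int, str, str]]] = {}
    for host in root.findall("host"):
        addr_el = host.find("address[@addrtype='ipv4']")
        if addr_el is None:
            continue
        open_ports = []
        for port in host.findall("ports/port"):
            state = port.find("state")
            if state is None or state.get("state") != "open":   # filtered/closed ports are not reachable
                continue
            svc = port.find("service")
            name = svc.get("name", "") if svc is not None else ""
            product = svc.get("product", "") if svc is not None else ""
            open_ports.append((int(port.get("portid")), name, product))
        hosts[addr_el.get("addr")] = open_ports
    return hosts


def cleartext_exposures(hosts: dict[str, list[tuple[int, str, str]]]) -> list[tuple[str, int, str]]:
    """Every (host, port, service) where the service speaks in clear text."""
    return [(addr, port, name)
            for addr, ports in hosts.items()
            for port, name, _ in ports
            if name in CLEARTEXT_SERVICES]


def telnet_targets(hosts: dict[str, list[tuple[int, str, str]]]) -> list[str]:
    """Hosts with Telnet actually open: the candidates for a default-credential login attempt."""
    return [addr for addr, ports in hosts.items() if any(name == "telnet" for _, name, _ in ports)]


if __name__ == "__main__":
    scan = parse_nmap_xml(SAMPLE_NMAP_XML)
    for addr, ports in scan.items():
        print(addr, ports)
    print("clear-text services:", cleartext_exposures(scan))
    print("telnet open on:", telnet_targets(scan))
```

Note that 192.0.2.11 reports Telnet as filtered, so it is correctly left off the Telnet list; only open ports are worth following up with a login attempt.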
OT Malware
Attackers develop malware that specifically targets industrial systems. Such malware can damage the software and hardware used to operate critical infrastructure
Timing Analysis
Attackers measure how long the device takes to complete one password authentication attempt: a comparison that stops at the first wrong character takes longer the more leading characters are correct, which reveals the number of correct characters in the guess
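The character-by-character recovery described under Power Analysis and Timing Analysis, as an added simulation that is not code from the original notes. The device's password check is modelled in software and the leaked "work" counter (how many characters the comparison loop ran before giving up) stands in for the measured response time or the length of the compare loop visible in a power trace. The secret password and the alphabet are constructed; the hardened variant shows the fix a firmware developer would apply.

```python
from __future__ import annotations

import hashlib
import hmac
import string
from typing import Callable, Tuple

# Constructed device password for the simulation (not from the original notes).
SECRET = "s3cr3t"
ALPHABET = string.ascii_lowercase + string.digits

Oracle = Callable[[str], Tuple[bool, int]]


def vulnerable_check(guess: str, secret: str = SECRET) -> Tuple[bool, int]:
    """Early-exit comparison, as many embedded login routines do it.
    Returns (accepted, work): `work` is how many characters were compared
    before the routine gave up. On real hardware this is the response time
    (timing analysis) or the length of the compare loop in the power trace
    (power analysis)."""
    work = 0
    if len(guess) != len(secret):
        return False, work                     # rejected before any character is compared
    for a, b in zip(guess, secret):
        work += 1
        if a != b:
            return False, work                 # stops at the first wrong character
    return True, work


def hardened_check(guess: str, secret: str = SECRET) -> Tuple[bool, int]:
    """Constant-time comparison: hash both values to a fixed length first
    (so the length is not leaked either) and compare with hmac.compare_digest."""
    h_guess = hashlib.sha256(guess.encode()).digest()
    h_secret = hashlib.sha256(secret.encode()).digest()
    return hmac.compare_digest(h_guess, h_secret), 1     # work no longer depends on the guess


def recover_password(oracle: Oracle, alphabet: str = ALPHABET, max_len: int = 32) -> str:
    """Attacker side: recover the secret one character at a time using only
    the accept/reject result and the leaked work value."""
    # 1. Length: the first length at which the device compares at least one character.
    length = next((n for n in range(1, max_len + 1) if oracle("a" * n)[1] > 0), 1)
    known = ""
    for pos in range(length):
        best_char, best_work = alphabet[0], -1
        for c in alphabet:
            candidate = known + c + "a" * (length - pos - 1)
            accepted, work = oracle(candidate)
            if accepted:
                return candidate
            if work > best_work:               # the right character lets the loop run one step further
                best_char, best_work = c, work
        known += best_char
    return known


if __name__ == "__main__":
    print("leaky check   :", recover_password(vulnerable_check))
    print("hardened check:", recover_password(hardened_check))
```

Against the leaky check the attacker needs at most `len(alphabet) * len(secret)` guesses instead of `len(alphabet) ** len(secret)`; against the hardened check every guess looks the same and the recovery returns nothing useful.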
Firmware Analysis and reverse engineering
Attackers perform firmware analysis to identify the passwords, API tokens and endpoints, vulnerable services running, backdoor accounts, configuration files in use, private keys, stored data, etc.
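A first-pass scanner for the artifacts listed above, run over an extracted firmware file system, as an added example that is not code from the original notes. The file tree it scans is constructed in a temporary directory (a shadow file, a Wi-Fi config, a device key, and a fake binary with an embedded token and endpoint); the regular expressions are a starting set, not an exhaustive one.

```python
from __future__ import annotations

import re
import tempfile
from pathlib import Path

# What to look for in an unpacked root file system (e.g. after binwalk extraction).
PATTERNS = {
    "private_key": re.compile(rb"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    "shadow_hash": re.compile(rb"^[^:\n]+:\$[0-9a-z]+\$[^:\n]*:", re.M),       # user:$id$salt$hash:
    "password_assignment": re.compile(rb"(?i)\b(?:passw(?:or)?d|pwd)\s*[=:]\s*\S+"),
    "api_token": re.compile(rb"(?i)\b(?:api[_-]?key|token|secret)\s*[=:]\s*['\"]?[A-Za-z0-9_\-]{16,}"),
    "endpoint": re.compile(rb"https?://[^\s\x00'\"<>]+"),
}


def scan_rootfs(root: Path) -> list[tuple[str, str, str]]:
    """Return (relative path, finding kind, matched text) for every hit under root."""
    findings = []
    for path in sorted(root.rglob("*")):
        if not path.is_file():
            continue
        data = path.read_bytes()                # binaries included: strings live inside ELF files too
        rel = path.relative_to(root).as_posix()
        for kind, pattern in PATTERNS.items():
            for match in pattern.finditer(data):
                findings.append((rel, kind, match.group(0)[:60].decode("latin-1")))
    return findings


def build_sample_rootfs(base: Path) -> Path:
    """Constructed extracted-firmware tree for the demo (contents are made up)."""
    (base / "etc" / "ssl").mkdir(parents=True)
    (base / "usr" / "bin").mkdir(parents=True)
    (base / "etc" / "shadow").write_bytes(
        b"root:$1$abcdefgh$ijklmnopqrstuvwxyz012:18000:0:99999:7:::\n"
        b"nobody:*:18000:0:99999:7:::\n")
    (base / "etc" / "wifi.conf").write_bytes(b"ssid=cam\npassword=admin1234\n")
    (base / "etc" / "ssl" / "device.key").write_bytes(
        b"-----BEGIN RSA PRIVATE KEY-----\nMIIE...\n-----END RSA PRIVATE KEY-----\n")
    (base / "usr" / "bin" / "cloud_agent").write_bytes(
        b"\x7fELF\x02\x01\x01" + b"\x00" * 16
        + b"api_key=\"sk_live_0123456789abcdefghij\"\x00"
        + b"https://cloud.example.invalid/v1/devices\x00")
    return base


def demo() -> list[tuple[str, str, str]]:
    """Build the sample tree in a temp dir and scan it."""
    root = build_sample_rootfs(Path(tempfile.mkdtemp(prefix="fw-")))
    return scan_rootfs(root)


if __name__ == "__main__":
    for rel, kind, text in demo():
        print(f"{kind:20} {rel:25} {text}")
```

Each hit is a lead rather than a verdict: a password assignment in a config file may be a placeholder, but a private key or a shadow hash that ships in the image is the same on every unit and is worth confirming first.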
Identifying and Accessing Local IoT devices
The attacker gains access to local IoT devices when a user on the network visits a malicious page that the attacker created and distributed as an advertisement or by other attractive means
IoT Device Hacking
The objective of IoT device hacking is to compromise smart devices such as CCTV cameras, automobiles, printers, door locks, and washing machines to gain unauthorized access to network resources and other IoT devices
