iot exploitation

An Introduction

IoT Exploitation

Name : veerababu penugonda

IoT enthusiast

maintainer at

Agenda:. Introduction to IoT

. Information About IoT protocols . Attack Surfaces

. IoT Exploitation Methodology

. Demo

What is IoT?Network of physical devices, vehicles, buildings and other items-embedded with electronics, software, sensors, actuators, and network connectivity that enable these objects to collect and exchange data (Wikipedia).

Bringing together people, process, data, and things to make networked connections more relevant and valuable than ever before-turning information into actions that create new capabilities, richer experiences, and unprecedented economic opportunity for businesses, individuals, and countries. (CISCO)

IoT Protocols CoAPConstrained application

MQTTMessage Queue Telemetry Transport.

IoT Protocols:CoAP:

. Simple to encode: targets 8 bits MCU (Microcontroller Unit).

. UDP based, targets low power IP networks.

. Two level of QoS (Qulaity of Service): confirmable message or not.. Simple observation mechanism.

CoAP Security:. DTLS (TLS on UDP Datagrams). Pre-shared key or not. DTLS is not really light

Microcontroller:

. Very simple and light protocol on top of TCP.

. Good fit for wireless applications.

. Publish/Subscribe paradigm.

. Websocket support.

MQTT:

. Uses SSL/TLS on top of the TCP stream.

. Pre-shared key encryption is supported.

MQTT Security :

IoT ProtocolsXMPPExtensible Messaging and Presence Protocol

AMQPAdvanced Message Queuing Protocol

XMPP:XMPP provides a general framework for messaging across a network, which offers a multitude of applications beyond traditional Instant Messaging (IM) and the distribution of Presence data.

WhatsApp, Gtalk Facebook Chat

Who using this protocol:

https://xmpp.org/uses/internet-of-things.htmlFind more info from here:

AMQP:

https://www.amqp.org

. It is used in one of the world’s largest biometric databases India’s Aadhar project—home to 1.2 billion identities.

. It is used in the Ocean Observatories Initiative—an architecture that collects 8 terabytes of data per day.

AMQP is a binary wire protocol which was designed for interoperability between different vendors. Where other protocols have failed, AMQP adoption has been strong. Companies like JP Morgan use it to process 1 billion messages a day.

find more infor from here:

IoT Attack Surfaces:

OWASP Top 10 for IoT:

What we going to discuss about:

I9:Insecure software/firmware:

What is Firmware:

Firmware is a type of software that provides control, monitoring and data manipulation of engineered products and systems. Typical examples of devices containing firmware are embedded systems (Wikipedia)

. VoIP

. Cars

. Drones

. Networking devices(routers, firewalls, IDS)

. Medical devices(Health monitors)

. Mobile phones.

. Home security systems

. Vehicles

. Thermostats, metering systems, consumer electronics Displays

what are Embedded devices:

What we need to know?The most common architectures for IoT

devices:• ARM (ARM7, ARM9, Cortex)• MIPS

what we required ?

Debug interfaces :

.UART (Universal Asynchronous Receive & Transmit) .JTAG (Joint Test Action Group) – HW Debug.SPI (Serial Peripheral Interface) .I2C (Inter-Integrated Circuit)

UART Debugger:A UART usually contains the following components:

1.input and output shift registers

2.transmit/receive control

3.read/write control logic

4.First-in, first-out (FIFO) buffer memory (optional)

5.Signals needed by a third party DMA controller (optional)

JTAG Debugger(Joint Test Action Group):

-support in-circuit debugging and firmware programming as well as for boundary scan testing.

-Modern 8-bit and 16-bit microcontroller chips, such as Atmel AVR and TI MSP430 chips, support JTAG programming and debugging

-Almost all FPGAs and CPLDs used today can be programmed via a JTAG port.

-Many MIPS and PowerPC processors have JTAG support

• JTAG – Joint Test Action Group– Finding TDI (Test Data In),

– Hardware Debugging via OpenOCD / GDB

– Jtagulator is awesome for brute-forcing pinout

An Example view of Jtag connection

http://www.grandideastudio.com

- On-chip debug (OCD) interfaces can provide chip-level control of a target device and are a primary vector used by engineers, researchers, and hackers to extract program code or data.

- JTAGulator is an open source hardware tool that assists in identifying OCD connections from test points, vias, or component pads on a target device.

Operating systems for IoT:

• Contiki• RIOT• mbed• TinyOS• NanoRK • Mantis• emb ::6• Free RTOS

• U-Boot• RedBoot• BareBox• Ubicom bootloader

Bootloaders:What are these?

.Bootloader is a piece of code that runs before any operating system is running.

.Bootloaders usually contain several ways to boot the OS kernel and also contain commands for debugging and/or modifying the kernel environment.

• busybox + uClibc• buildroot• openembedded• crosstool• crossde

Are they Compilers..?

Compilers for IoT:

The computing environments are developing to the IoT services which exchange a lot of information using various and heterogeneous devices that always connected on networks.

Since the data communication and services take places on the various devices including not only traditional computing environments and mobile devices such as smartphone but also household appliances, embedded devices,and sensor nodes, the security requirements is getting more important at this point in time In this paper, the compiler with secure software concept was proposed to develop the secure applications for IoT services

IoT exploitation methodology ..

-Identify Device, hardware revisions, document hardware components

-Research chip datasheets - figure out features

-Identify hardware communication interfaces possibilities

-Identifying wireline protocol logic (How the hell do I talk to these chips?)

-Hardware tools for accessing interfaces

-Firmware Reverse Engineering

-Vulnerability Research / Exploitation

"routers & cars & drones are also hackable"

Lets get into our topic :Insecure software/firmware:

Insecure software/firmware

• Encryption Not Used to Fetch Updates

• Update File not Encrypted

• Update Not Verified before Upload

• Firmware Contains Sensitive Information

• No Obvious Update Functionality

We are targetting the router firmware..?

I already have DVRF V3

No practicle device hacking?

For firmware analysis what we required .?

Tools for analysis: .Binwalk .Firmwalk .Firmdyne .Firmware-mod-kit .ERESI framework .FRAK - firmware reverse anaysis konsole

What to do?

• Get the firmware• Reconnaissance• Unpacking• Localize point of interest• Decompile/compile/tweak/fuzz/pentest/fun!

What not to do?

• Never try on home or company devices .. when work is going on ..!

Get the DVRF here..?

https://github.com/praetorian-inc/DVRF

Lets start testand the get the info

using Binwalk.!

. Download from manufacturer FTP/HTTP site

. Device memory dump

Reconnaissance:getting information about the firmware for the And analysing the string values .

Unpacking:

. Use binwalk to extract any files that it finds in the firmware image

Localize Point of Interest:This instructs binwalk to search the specified file(s) for executable opcodes common to a variety of CPU architectures. Note that some opcode signatures are short and thus are prone to producing false positive results.

Decompile/compile/tweak/fuzz/pentest/fun!.Running hexdump can help identify the type of firmware build

.QEMU emulation is also another way to examine binaries

Any Questions..?