IoT Pentesting

Arun.S

Security Consultant @ IBM

Email : aruns014@in.ibm.com

What can be expected in the future with IoT ???

Let's see some products which already available in online !!!!

What about the security ???

What Needs to be Secured?

Misconception - IoT Security is != Device Security.

Hardware

Web/Mobile Interface

Communication Channel

But, we can categories it as follows;

There are many surface areas which needs to be evaluated for IoT Security.

Hardware Security?

Embedded|H/W devices are often prone to numerous vulnerabilities.

Firmware : A type of software that provides control, monitoring and data manipulation of engineered products and systems.

It is held in Non-Volatile memory devices such as ROM, EPROM, or Flash memory.

It is bit easy to reverse a Firmware for analyzing with the help of tools like binwalk/FirmwareModKit etc.,

Firmware can be dumped cloned and backdoored as well.

Web/Mobile Interface Security?

Webapplication security Issues - OWASP Top 10 WebAppSec

Mobile Application Security Issues - OWASP Top 10 MobileAppsec

https://www.owasp.org/index.php/Top_10_2013-Top_10

https://www.owasp.org/index.php/Mobile_Top_10_2016-Top_10

Communication Channel Security?

Communication between the IoT products can happen through various channels.

Commonly Used Communication Channels are:

IoT devices are built upon really available components which are often insecure.

Wireless
Bluetooth Low Energy(BLE)
Zigbee
NFC
RFID

So how to map the attack surface?

Mapping the Attack Surface

OWASP - IoT Top 10

I1 : Insecure Web Interface.
I2 : Insufficient Authentication/Authorization.
I3 : insecure Network Services.
I4 : Lack of Transport Encryption/Integrity Verification.
I5 : Privacy Concerns.
I6 : Insecure Cloud Interface.
I7 : Insecure Mobile Interface.
I8 : Insufficient Security Configurability.
I9 : Insecure Software/Firmware.
I10 : Poor Physical Security.

Bluetooth Low Energy

BLE is mainly used/preferred for low-resource consumption devices(Specs include running on a single battery coin for months-years).

Two types of channels:
- 37 Data Channels
- 3 Advertisement broadcast channels

BLE uses the Attribute protocol.

Bluetooth Vs BLE

Wifi Vs BLE

Wifi works on 2 spectrum ranges - 2.4 GHZ and 5GHZ(New one)WiFi.

2.4 GHz wifi will support up to 450Mbps or 600Mbps depending on the class of the router. 5Ghz wifi will support upto 1300Mbps.

When configuring three different WiFi networks the best solution is to use channels 1, 6 and 11. This helps to avoid the interference with Bluetooth Smart and between themselves.

Other channels: 2, 3, 4, 13, 14 might cause interference with Bluetooth signal and it’s best to avoid them.

Are You an IoT

User?

What are all the ways a hacker can hack you ???

Some Interesting BLE Hacks

How does the mobile identify the exact BLE device to communicate with?

By default every BLE devices will have a BLE ID/Bluetooth Address which is shown/advertised for us to find in our Mobile/Laptop.

Devices use the custom service UUID to find the exact devices it wants to talk to and filter out other devices.

How the Connection is Established?

Services, Characteristics and other things use UUID to uniquely identify each BLE Devices.

Splitted as 4-2-2-2-6.

Device Roles

GAP - Generic Access Profile

GAP Identifies what are the different roles are present in each devices.

It is used to find which device acts as a broadcaster and receiver .

GAP controls the connections & Advertising.

Note: The Peripherals stops advertising as and when the communication is established.

GATT - Generic Attribute Profile

GATT defines the communication semantics between the client and server.

Uses concepts called Profiles, Services and Characteristics.

Stores Services,Characteristics in lookup table using 16-bit ID's for each entry.

UUID Format

16-bit - officially adopted Bluetooth Services/Characteristics.
128-bit - Custom defined services/characteristics by vendors.

Prerequisites

Syska Rainbow - Smart LED

Ubertooth One

Bluetooth Sniffer and injector.
2.4 GHz transmit and receive capabilities.
Open source.
By Michael Ossmann.
Cost - 120$
Easily integrates with Wireshark.

BLE 4.0 - nRF51822 - V3.0

Bluetooth Adapter
2.4 GHz transmit and receive capabilities
Supports BLE 4.0
Freely Available on online shopping sites
Cost effective compared to Ubertooth, Comes in 24$ -25$
Easily integrates with Wireshark.

CSR Bluetooth Adapter

Bluetooth Adapter
2.4 GHz transmit and receive capabilities
Supports BLE 4.0
Freely Available on online shopping sites
Low cost effective, Comes in 4-8$
Easily integrates with Wireshark.

BLE Vulnerabilities

MITM

Data being transmitted in clear text which could be sniffed.

Using hcidump to dump all the communication between the phone(android) and the bluetooth device/chip.

Advertisement spoofing leading to DoS - device not being able to scan the cloned device for services or the services doesn't respond.

Replay based attacks

Pairing Modes

Out of band : Still not widely used(Its a Secure way) - Sending the passkey via NFC(But requires NFC Transceivers).

Note: My current demo is based on the first mode.

JustWorks : TK(Temporary Key) all are Zeroes (000000).

6-digit passkey : 0-999,999 : can be bruteforced using tools such as Crackle.
(So only by entering the passkey the comm/Connectivity between the 2devices starts)

Decrypting the 6-digit passkey using Crackle

6-digit passkey : 0-999,999 : can be bruteforced using tools such as Crackle.

Crackle by Mike Ryan - https://lacklustre.net/projects/crackle/

Extract TK,STK(from TK and pairing data), LTK(from STK and key exchange)

By obtaining the LTK we can decrypt the encrypted .pcap file

How did the color changed Just by Changing the Hex Values????

Lets see with our example Hex Value

Dissecting - Hex Code used for changing the LED Colour to RED

We can perform fuzzing on the R/B/G Hex Code to change the color of LED to any desired color.