View
1.399
Download
0
Embed Size (px)
Citation preview
An Introduction
IoT Exploitation
Name : veerababu penugonda
IoT enthusiast
maintainer at
Agenda:. Introduction to IoT
. Information About IoT protocols . Attack Surfaces
. IoT Exploitation Methodology
. Demo
What is IoT?Network of physical devices, vehicles, buildings and other items-embedded with electronics, software, sensors, actuators, and network connectivity that enable these objects to collect and exchange data (Wikipedia).
Bringing together people, process, data, and things to make networked connections more relevant and valuable than ever before-turning information into actions that create new capabilities, richer experiences, and unprecedented economic opportunity for businesses, individuals, and countries. (CISCO)
IoT Protocols CoAPConstrained application
MQTTMessage Queue Telemetry Transport.
IoT Protocols:CoAP:
. Simple to encode: targets 8 bits MCU (Microcontroller Unit).
. UDP based, targets low power IP networks.
. Two level of QoS (Qulaity of Service): confirmable message or not.. Simple observation mechanism.
CoAP Security:. DTLS (TLS on UDP Datagrams). Pre-shared key or not. DTLS is not really light
Microcontroller:
. Very simple and light protocol on top of TCP.
. Good fit for wireless applications.
. Publish/Subscribe paradigm.
. Websocket support.
MQTT:
. Uses SSL/TLS on top of the TCP stream.
. Pre-shared key encryption is supported.
MQTT Security :
IoT ProtocolsXMPPExtensible Messaging and Presence Protocol
AMQPAdvanced Message Queuing Protocol
XMPP:XMPP provides a general framework for messaging across a network, which offers a multitude of applications beyond traditional Instant Messaging (IM) and the distribution of Presence data.
WhatsApp, Gtalk Facebook Chat
Who using this protocol:
https://xmpp.org/uses/internet-of-things.htmlFind more info from here:
AMQP:
https://www.amqp.org
. It is used in one of the world’s largest biometric databases India’s Aadhar project—home to 1.2 billion identities.
. It is used in the Ocean Observatories Initiative—an architecture that collects 8 terabytes of data per day.
AMQP is a binary wire protocol which was designed for interoperability between different vendors. Where other protocols have failed, AMQP adoption has been strong. Companies like JP Morgan use it to process 1 billion messages a day.
find more infor from here:
IoT Attack Surfaces:
OWASP Top 10 for IoT:
What we going to discuss about:
I9:Insecure software/firmware:
What is Firmware:
Firmware is a type of software that provides control, monitoring and data manipulation of engineered products and systems. Typical examples of devices containing firmware are embedded systems (Wikipedia)
. VoIP
. Cars
. Drones
. Networking devices(routers, firewalls, IDS)
. Medical devices(Health monitors)
. Mobile phones.
. Home security systems
. Vehicles
. Thermostats, metering systems, consumer electronics Displays
what are Embedded devices:
What we need to know?The most common architectures for IoT
devices:• ARM (ARM7, ARM9, Cortex)• MIPS
what we required ?
Debug interfaces :
.UART (Universal Asynchronous Receive & Transmit) .JTAG (Joint Test Action Group) – HW Debug.SPI (Serial Peripheral Interface) .I2C (Inter-Integrated Circuit)
UART Debugger:A UART usually contains the following components:
1.input and output shift registers
2.transmit/receive control
3.read/write control logic
4.First-in, first-out (FIFO) buffer memory (optional)
5.Signals needed by a third party DMA controller (optional)
JTAG Debugger(Joint Test Action Group):
-support in-circuit debugging and firmware programming as well as for boundary scan testing.
-Modern 8-bit and 16-bit microcontroller chips, such as Atmel AVR and TI MSP430 chips, support JTAG programming and debugging
-Almost all FPGAs and CPLDs used today can be programmed via a JTAG port.
-Many MIPS and PowerPC processors have JTAG support
• JTAG – Joint Test Action Group– Finding TDI (Test Data In),
– Hardware Debugging via OpenOCD / GDB
– Jtagulator is awesome for brute-forcing pinout
An Example view of Jtag connection
http://www.grandideastudio.com
- On-chip debug (OCD) interfaces can provide chip-level control of a target device and are a primary vector used by engineers, researchers, and hackers to extract program code or data.
- JTAGulator is an open source hardware tool that assists in identifying OCD connections from test points, vias, or component pads on a target device.
Operating systems for IoT:
• Contiki• RIOT• mbed• TinyOS• NanoRK • Mantis• emb ::6• Free RTOS
• U-Boot• RedBoot• BareBox• Ubicom bootloader
Bootloaders:What are these?
.Bootloader is a piece of code that runs before any operating system is running.
.Bootloaders usually contain several ways to boot the OS kernel and also contain commands for debugging and/or modifying the kernel environment.
• busybox + uClibc• buildroot• openembedded• crosstool• crossde
Are they Compilers..?
Compilers for IoT:
The computing environments are developing to the IoT services which exchange a lot of information using various and heterogeneous devices that always connected on networks.
Since the data communication and services take places on the various devices including not only traditional computing environments and mobile devices such as smartphone but also household appliances, embedded devices,and sensor nodes, the security requirements is getting more important at this point in time In this paper, the compiler with secure software concept was proposed to develop the secure applications for IoT services
IoT exploitation methodology ..
-Identify Device, hardware revisions, document hardware components
-Research chip datasheets - figure out features
-Identify hardware communication interfaces possibilities
-Identifying wireline protocol logic (How the hell do I talk to these chips?)
-Hardware tools for accessing interfaces
-Firmware Reverse Engineering
-Vulnerability Research / Exploitation
"routers & cars & drones are also hackable"
Lets get into our topic :Insecure software/firmware:
Insecure software/firmware
• Encryption Not Used to Fetch Updates
• Update File not Encrypted
• Update Not Verified before Upload
• Firmware Contains Sensitive Information
• No Obvious Update Functionality
We are targetting the router firmware..?
I already have DVRF V3
No practicle device hacking?
For firmware analysis what we required .?
Tools for analysis: .Binwalk .Firmwalk .Firmdyne .Firmware-mod-kit .ERESI framework .FRAK - firmware reverse anaysis konsole
What to do?
• Get the firmware• Reconnaissance• Unpacking• Localize point of interest• Decompile/compile/tweak/fuzz/pentest/fun!
What not to do?
• Never try on home or company devices .. when work is going on ..!
Get the DVRF here..?
https://github.com/praetorian-inc/DVRF
Lets start testand the get the info
using Binwalk.!
. Download from manufacturer FTP/HTTP site
. Device memory dump
Reconnaissance:getting information about the firmware for the And analysing the string values .
Unpacking:
. Use binwalk to extract any files that it finds in the firmware image
Localize Point of Interest:This instructs binwalk to search the specified file(s) for executable opcodes common to a variety of CPU architectures. Note that some opcode signatures are short and thus are prone to producing false positive results.
Decompile/compile/tweak/fuzz/pentest/fun!.Running hexdump can help identify the type of firmware build
.QEMU emulation is also another way to examine binaries
Any Questions..?