IoT security basics
In this introductory article, we will look at the main aspects of security of one of the most popular topics lately - the Internet of things.
If, one way or another, you are aware of news in the field of cybersecurity, you may have noticed that cases of creating botnets from ip cameras have become more frequent , security experts are more often finding vulnerabilities in smart home controllers , hacking wireless locks and much more!
Before turning to the topic of security, in the beginning we will understand what is included in the concept of the Internet of things.
At the moment there are several definitions, but I believe that the presence of a definition drives the IoT technology into a certain framework, not allowing it to develop more widely, so I do not advise learning them by heart. Let us consider an example of one of the most common definitions:
But thinking globally is hard enough to start a boring article, so we’ll set limits. We will agree under the clever things to perceive the things around us with high-tech stuffing (the presence of a small board with a microcontroller), having additional functionality that can be used by ordinary users to solve everyday problems (at home, at work, on the street).
Let's go back to safety. Since this area essentially captures an indefinite set of protocols, programming languages, chips, what knowledge does one need to gain in order to be sure that they will be enough to carry out a full IoT security analysis?
The correct answer is: but it isn’t :( you will spend a month exploring one technology in detail, as manufacturers start using something new. The only right decision would be to study the secrets of smart devices:
Knowledge of these technologies (where it may be superficial) will give you a great start in IoT security, but as often happens - knowledge alone is not enough. Unfortunately, for the analysis of security, additional equipment is needed, among which are:
More information about the hardware can be obtained by viewing the Elvis Collado presentation at DEF CON 25 with the topic Reversing and Exploiting Embedded Devices .
Now, when we have the required equipment, we will consider the main stages of testing.
The first stage is to search for information about the device without interacting with it. In most cases, the information lies on publicly available sources. Also often on the device is the FCC ID (Federal Communications Commission), by which it is possible to find documentation and a list of used frequencies.
To practice, try to look for information about some smart device that you often use.
Next, you will need to create a general scheme that can interact with this device and through which communication channels. It can be a mobile application that communicates over a local wireless network, a remote control with an infrared port, an external cloud available on the Internet, sensors that work over a radio channel (for example, ZigBee) and so on.
After that, for each of the devices and communication channels will need to make a list of threats for which they need to be checked. For example, communication in the local network can be checked for security from man-in-the-middle attacks, and the web-based management interface with the default password set, etc.
But just do not forget that we will have to consider the device itself as a separate item, mostly because of the hardware security, namely, to be able to interact directly with the board, up to extracting the microcontroller firmware and accessing the console.
If you simplify the scheme, then for IoT it comes down to three points :
About each of these topics, as far as possible, it is calculated to write a series of articles and examine in detail what you are more likely to encounter if you decide to pick your home devices.
Consider the example of building a "map" device.
In the Moscow Savelovsky market, a Chinese camera was acquired:
To begin, consider the box in more detail: The
manufacturers promised the following:
After reviewing the documentation in more detail, we find out that the camera works purely on the local network, but most likely has the ability to update the firmware via the Internet.
This is what the scheme will look like:
Connections over local and external networks should be checked for the possibility of a man-in-the-middle attack. For mobile and stationary devices, you should analyze the communication protocol and after that supplement the scheme. The website needs to be checked for forced encryption (https) and checked for common web vulnerabilities (OWASP top-10). The camera itself, as mentioned earlier, will be considered a separate item. For the most part, the task will be to extract the firmware, after which we will be able to supplement the circuit with updated data and continue testing with a “white box”.
Separately, at the end of the article I think it is worth writing that testing devices without agreements with the manufacturer is not always encouraged. But it is also worth mentioning that in the United States it became quite legal after the adoption of the Digital Millennium Copyright Act (DMCA).
In the next article we will look at the process of extracting firmware from smart devices.
I advise everyone to read:
If, one way or another, you are aware of news in the field of cybersecurity, you may have noticed that cases of creating botnets from ip cameras have become more frequent , security experts are more often finding vulnerabilities in smart home controllers , hacking wireless locks and much more!
Before turning to the topic of security, in the beginning we will understand what is included in the concept of the Internet of things.
At the moment there are several definitions, but I believe that the presence of a definition drives the IoT technology into a certain framework, not allowing it to develop more widely, so I do not advise learning them by heart. Let us consider an example of one of the most common definitions:
The Internet of Things is a network of devices that are connected to the Internet, controlled through it, and can communicate with each other.According to the author, if the device can work only in the local network, then it will not be IoT? Of course it will be. Even without an internet connection, the device can be in a group of Internet of things, such as a portable bluetooth speaker with the ability to save music to the device’s memory. And such erroneous definitions on the Internet is full. Think wider :)
But thinking globally is hard enough to start a boring article, so we’ll set limits. We will agree under the clever things to perceive the things around us with high-tech stuffing (the presence of a small board with a microcontroller), having additional functionality that can be used by ordinary users to solve everyday problems (at home, at work, on the street).
Let's go back to safety. Since this area essentially captures an indefinite set of protocols, programming languages, chips, what knowledge does one need to gain in order to be sure that they will be enough to carry out a full IoT security analysis?
The correct answer is: but it isn’t :( you will spend a month exploring one technology in detail, as manufacturers start using something new. The only right decision would be to study the secrets of smart devices:
- The stack of network protocols, which is taken as the basis of most protocols used in IoT
- Microcontroller Basics
- Radio Protocol Basics
- Reverse engineering firmware / compiled programs
- Web vulnerability search
- Exploiting binary vulnerabilities
Knowledge of these technologies (where it may be superficial) will give you a great start in IoT security, but as often happens - knowledge alone is not enough. Unfortunately, for the analysis of security, additional equipment is needed, among which are:
- SDR is a programmable radio operating over a large frequency range and allowing you to work with, perhaps, any known protocol, or to study the work of proprietary radio protocols. In more detail this question will be considered in the following articles (if the subject comes to audience).
- Arduino Uno c - replaces several devices at once, for example, as a USB-UART adapter.
- A set of screwdrivers with adapters - manufacturers are trying to at least somehow protect their devices, in connection with which they produce screws that require special screwdrivers.
- MicroSD to USB Flash Memory Cards
- Soldering Station
More information about the hardware can be obtained by viewing the Elvis Collado presentation at DEF CON 25 with the topic Reversing and Exploiting Embedded Devices .
Now, when we have the required equipment, we will consider the main stages of testing.
The first stage is to search for information about the device without interacting with it. In most cases, the information lies on publicly available sources. Also often on the device is the FCC ID (Federal Communications Commission), by which it is possible to find documentation and a list of used frequencies.
To practice, try to look for information about some smart device that you often use.
Next, you will need to create a general scheme that can interact with this device and through which communication channels. It can be a mobile application that communicates over a local wireless network, a remote control with an infrared port, an external cloud available on the Internet, sensors that work over a radio channel (for example, ZigBee) and so on.
After that, for each of the devices and communication channels will need to make a list of threats for which they need to be checked. For example, communication in the local network can be checked for security from man-in-the-middle attacks, and the web-based management interface with the default password set, etc.
But just do not forget that we will have to consider the device itself as a separate item, mostly because of the hardware security, namely, to be able to interact directly with the board, up to extracting the microcontroller firmware and accessing the console.
If you simplify the scheme, then for IoT it comes down to three points :
- Hardware security
- Software security
- Radio security
About each of these topics, as far as possible, it is calculated to write a series of articles and examine in detail what you are more likely to encounter if you decide to pick your home devices.
Consider the example of building a "map" device.
In the Moscow Savelovsky market, a Chinese camera was acquired:
To begin, consider the box in more detail: The
manufacturers promised the following:
- Ability to control from an IOS / Android device
- Ability to control by web-interface
- Saving video stream on microSD
- The ability to control through computer software
After reviewing the documentation in more detail, we find out that the camera works purely on the local network, but most likely has the ability to update the firmware via the Internet.
This is what the scheme will look like:
Connections over local and external networks should be checked for the possibility of a man-in-the-middle attack. For mobile and stationary devices, you should analyze the communication protocol and after that supplement the scheme. The website needs to be checked for forced encryption (https) and checked for common web vulnerabilities (OWASP top-10). The camera itself, as mentioned earlier, will be considered a separate item. For the most part, the task will be to extract the firmware, after which we will be able to supplement the circuit with updated data and continue testing with a “white box”.
Separately, at the end of the article I think it is worth writing that testing devices without agreements with the manufacturer is not always encouraged. But it is also worth mentioning that in the United States it became quite legal after the adoption of the Digital Millennium Copyright Act (DMCA).
In the next article we will look at the process of extracting firmware from smart devices.
I advise everyone to read:
- IoT Hackers Handbook, Aditya Gupta - in the book consider in detail each of the stages of testing a smart thing, it will be useful for beginners ( tyk )
- IoT Penetration Testing Cookbook, Aaron Guzman & Aditya Gupta - a lot of information intersects with the first book, but there are chapters that focus on safe development and long-term testing of the product ( tyk )