CEH v10: 18 IoT Hacking
Certified Ethical Hacker v10 Chapter 18: IoT Hacking.
The Internet of things (IoT) is the network of devices, vehicles, and home appliances that contain electronics, software, actuators, and connectivity which allows these things to connect, interact and exchange data.
IoT involves extending Internet connectivity beyond standard devices, such as desktops, laptops, smartphones and tablets, to any range of traditionally dumb or non-internet-enabled physical devices and everyday objects.
Embedded with technology, these devices can communicate and interact over the Internet, and they can be remotely monitored and controlled.
Main Components
- Sensors
- Device
- Gateway
- Cloud
IoT Architecture
- Perception Layer : sensors that gather information about the environment (heat sensor)
- Transport Layer : transfer the sensor data through network (Wi-Fi, Bluetooth, ...)
- Processing Layer : stores, processes, analyses data (cloud computing, big data, ...)
- Application Layer : delivering application specific services to the user
- Business Layer : manage the whole IoT system (business and profit model, user's privacy)
IoT Technologies
- IoT uses IPv6 due to the limited number of IPv4 addresses
Wireless
Short-Range Wireless Communication
- Bluetooth Low Energy (BLE)
- Wi-FI
- Radio-Frequency Identification (RFID)
- Light-Fidelity (Li-Fi): similar to Wi-Fi, but using visible light for communication
- Near-Field Communication (NFC)
Medium-Range Wireless Communication
- LTE-Advanced : formally submitted as a candidate 4G, often being described as 3.9G (beyond 3G but pre-4G)
- Wi-Fi HaLow : uses 900MHz to provide extended range, lower energy consumption
Long Range Wireless Communication
- Low-Power Wild-Area Network (LPWAN) : designed to allow long range communication at a low bit rate among things
- Very Small Aperture Terminal (VSAT) : satellite communication technology uses small dish antennas
- Cellular
Wired Communication
- Ethernet
- Power-Line Communication (PLC) : using electrical wiring to carry power and data
Operating System
- Linux on embedded systems
- Windows IoT
IoT Communication Models
Device-To-Device Model
- The devices communicating with each other without interfering any other device
- Using communication medium such as a wireless network
Device-To-Cloud Model
- The IoT device directly communicating with the application server
- The application server provide information exchange between these devices
Device-To-Gateway Model
- Gateway collects the data from the sensors, then send it to the application server
- Gateway provides security or information and protocol translation
Back-End Data-Sharing Model
- Used a collective partnership between different application providers
- Access granted to the uploaded data to third-parties
- An extended Device-To-Cloud model
Challenges to IoT
- Lack of security
- Vulnerable interfaces
- Physical security risk
- Lack of vendor support
- Difficult ot update firmware and OS
- Interoperability issues
OWASP Top Ten IoT (2014)
- Insecure web interface
- Insufficient authentication / authorization
- Insecure network services
- Lack of transport encryption / integrity verification
- Privacy concerns
- Insecure cloud interface
- Insecure mobile interface
- Insufficient security configurability
- Insecure software / hardware
- Poor physical security
Common Attacks
- Device memory containing credentials
- Access control
- Firmware extraction
- Privilege escalation
- Resetting to an insecure state
- Removal of storage media
- Web attacks
- Firmware attack
- Network service attacks
- Unencrypted local data storage
- Confidentiality and integrity issues
- Cloud computing attacks
- Malicious updates
- Insecure APIs
- Mobile application threats
- DoS / DDoS
- Rolling Code Attack: attacker capture signal from transmitter device, simultaneously blocking the receiver to receive the signal, later it will used to gain unauthorized access (steal car with captured signal)
- BlueBorn Attack: using different exploits to gain unauthorized access to the target device
- Jamming Attack: jamming the signal to prevent the communication of devices
- Backdoor (not just IoT related)
- Eavesdropping
- Sybil attack
- Exploit kits
- Man-in-the-middle attack
- Replay attack
- Forged malicious devices
- Side channel attack
- Ransomware attack
Hacking Methodology
Information Gathering
- IP address
- Running protocols
- Open ports
- Type of device
- Vendor
- shodan is a helpful search engine for IoT
Vulnerability Scanning
- Scanning the network and devices to find vulnerabilities
- Search for weak password
- Software and firmware vulnerabilities
- Tools: nmap, hping, ...
Attack
- Exploiting vulnerabilities
- Tools: HackRF
Gain Access
- Gain unauthorized access
- Privilege escalation
- Install backdoor
Maintain Attack
- Logging out
- Clearing logs
- Covering tracks
Countermeasures
- Firmware update
- Block unnecessary ports
- Disable telnet
- Use encrypted communication (SSL/TLS)
- Use strong password
- Encrypt drives
- Periodic assessment of devices
- Secure password recovery
- Two-Factor Authentication
- Disable UPnP