18 - IoT Hacking

Question 1

What is IoT?

Answer 1

A.k.a. Internet of Everything. Refers to the network of devices with an IP address, that have the capability of sensing, collecting, and analyzing data. A thing is referred to as the device implanted on natural man-made or machine-made objects and having the functionality of communicating over the network.

Question 2

How does IoT work?

Answer 2

• Sensing Technology: Sensors embedded in the device sense a wide variety of info.
• IoT Gateways: Used to bridge the gap between the IoT device (internal network) and the end user (external network) allowing them to communicate with each other.
• Cloud Server/Data Storage: Data is stored in the cloud and undergoes data analysis.
• Remote Control using Mobile App: End user uses remote control in order to monitor, control, retrieve data and take specific action on IoT devices from a remote location.

Question 3

What is the architecture of IoT?

Answer 3

• Application Layer: Delivery of various apps to different users
• Middleware Layer: Device and information management
• Internet Layer: Connection between endpoints
• Access Gateway Layer: Protocol translation and messaging
• Edge Technology Layer: Sensors, devices, machines, intelligent edge nodes of all types.

Question 4

What are the different IoT technologies and protocols?

Answer 4

• Short Range Wireless Communication:
  
  • Bluetooth Low Energy: Wireless personal network
  • Light Fidelity (Li-Fi): Household lightbulbs
  • Near Field Communication (NFC): Uses magnetic field induction to enable communication between 2 devices.
  • QR Codes and Barcodes
  • RFID
  • WiFi
• Medium Range Wireless Communication:
  
  • HaLow: Extended range WiFi
  • LTE-Advanced
• Long Range Wireless Communication:
  
  • LPWAN: Low Power Wide Area Network
  • Sigfox: Uses in devices that small battery life
  • Cellular: Type of communication that is used over a long distance.
• Wired Communication:
  
  • Ethernet: Type of LAN
  • Multimedia over Coax Alliance (MoCa): Provides high def video of home and content.
  • Power-Line Communication (PLC): Where electrical wires are used to transmit power and data from one end point to another.
• IoT Operating Systems:
  
  • RIOT OS: Less resource intensive, uses energy efficiently.
  • ARM mbed OS: Mostly used for low powered devices like watches.
  • RealSense OS X: Used in Intel’s depth sensing technology.
  • Nucleus RTOS: Primarily used in aerospace, medical, and industrial
  • Brillo: Android based embedded OS
  • Contiki: Used in low power wireless devices.
  • Zephyr: Used in low power and resources constrained devices.
  • Ubuntu Core: Aka Snappy, used in robots and drones, etc.
  • Integrity RTOS: Primarily used in aerospace, medical, and industrial
  • Apache Mynewt: Supports devices that work on Bluetooth Low Energy protocol.

Question 5

What are the IoT Communication Models?

Answer 5

• Device-to-Device Model: Where devices interact with each other through the internet.
• Device-to-Cloud Model: Where devices communicate with the cloud directly.
• Device-to-Gateway Model: Where device communicates with intermediate device called a Gateway which could provide security features.
• Back-end Data-Sharing Model: Extends Device-to-Cloud communication type by allowing IoT devices to be accessed by 3rd parties for analysis.

Question 6

What are the challenges/concerns of IoT security?

Answer 6

• Lack of privacy and security
• Vulnerable web interfaces
• Legal issues
• default, weak creds
• Clear text protocols and unnecessary open ports
• Coding errors
• Storage issues
• Difficult to update firmware and OS
• Interoperability standard issues
• Physical theft and tampering
• Lack of vendor support

Question 7

What are the top 10 IoT Vulnerabilities?

Answer 7

• Insecure Web Interface
• Insufficient Authentication/Authorization
• Insecure Network Services
• Lack of transport encryption/Integrity Verification
• Privacy Concerns
• Insecure Cloud Interface
• Insecure Mobile Interface
• Insufficient Security Config
• Insecure Software/Firmware
• Poor Physical Security

Question 8

What are the IoT attack surface areas?

Answer 8

• Device Memory: Credentials
• Ecosystem Access Control: Implicit trust between components
• Device Physical Interfaces: Privilege escalation, CLI
• Device Web Interface: SQL injection, XSS
• Device Firmware: sensitive data exposure, creds hardcoded
• Device Network Services: Unencrypted/poorly encrypted services.
• Administrative Interface: SQL Injection, XSS
• Local Data Storage: Data encrypted with discovered keys, lack of integrity checks.

Question 9

What are some IoT threats?

Answer 9

• DDoS Attack: Converts devices into an army of botnet
• Exploiting HVAC: Gain access to a corporate systems.
• Rolling Code: Attacker jams and sniffs the signal to obtain the code transferred to vehicle’s receiver.
• Blue Borne Attack: Attackers exploit vulnerabilities of Bluetooth protocol.
• Jamming Attack: Attacker jams signal between the sender and the receiver.
• Remote Access using Backdoor: Attackers turn device into backdoor.
• Remote Access using Telnet: Attackers exploit an open telnet port to obtain info.
• Sybil Attack: Attacker uses multiple forged identities to create strong illusion of traffic congestion.
• Exploit Kits: Malicious scripts used to exploit poorly patched devices.
• MitM Attack: Attacker pretends to be a legit sender who intercepts all communication between sender and receiver.
• Replay Attack: Attackers send intercepted messages to target device to perform DoS
• Forged Malicious Device: Attackers replace authentic IoT devices with malicious device.
• Side Channel Attack: Attackers extract info about encryption keys by observing the emission signals (side channels) from IoT devices.
• Ransomware Attack: Type of malware that uses encryption to block user’s access to his/her device.

Question 10

What is the IoT Hacking Methodology?

Answer 10

• Information Gathering
• Vulnerability Scanning
• Launch Attack
• Gain Access
• Maintain Access

Question 11

How can you defend against IoT Hacking?

Answer 11

• Disable Guest or Demo user accounts
• Use Lockout feature to disable multiple login attempts
• Implement strong authentication mechanisms.
• Implement IPS/IDS in the network
• Implement end-to-end encryption
• Use VPN architecture
• Allow only trusted IP’s to access device from internet
• Disable Telnet
• Disable UPnP port on routers
• Prevent the devices against physical tampering
• Patch vulnerabilities
• Monitor traffic on port 48101 for infected traffic

Question 12

What are general guidelines for IoT device manufacturing companies?

Answer 12

• SSL/TLS should be used for communications
• Check SSL certs
• Use of strong passwords
• Implement account lockout mechanisms
• Check device for unused tools
• Use secure boot chain

Question 13

What are the IoT Vulnerabilities?

Answer 13

• Username Enumeration
• Weak Passwords
• Account Lockout
• Unencrypted Services
• 2FA
• Poorly Implemented Encryption
• Update Sent Without Encryption
• Update Location Writable
• Denial of Service
• Removal of Storage Media
• No Manual Update Mechanism
• Obtaining Console Access

Question 14

What are SDR-Based Attacks on IoT?

Answer 14

Attackers use Software Defined Radio (SDR) to examine the communication signals in the IoT network and sends spam content or texts to the interconnected devices. Can also change the transmission and reception of signals between the devices.

• Replay Attack: The attacker obtains the specific frequency used for sharing information between connected devices and captures the original data when a command is initiated by these devices.
• Cryptanalysis Attack: The attacker uses the same procedure as that followed in a replay attack, along with reverse engineering of the protocol to capture the original signal.
• Reconnaissance Attack: Attacker obtains info about the target device from the device’s specification.

Question 15

What is DNS rebinding?

Answer 15

A process of gaining access over the victim’s router using a malicious JavaScript code injected on a web page. After that, an attacker can assault any device activated using the default password.

Question 16

What are Fault Injection Attacks?

Answer 16

(aka Perturbation attacks), Occur when a perpetrator injects any faulty or malicious program into the system to compromise the system security.

• Optical, Electro Magnetic Fault Injection (EMFI), Body Bias Injection (BBI): Injection using projecting lasers and electromagnetic pulses.
• Power/Clock/Reset/Glitching: Injections into power supply and clock network of the chip.
• Frequency/Voltage Tampering: Tampering with clock frequency of the chip
• Temperature Attacks: Attackers alter the temp for the operating the chip.

Question 17

What is FCC ID Search?

Answer 17

Helps in finding the details and granted certification of the devices. Contains 2 elements: Grantee ID and Product ID. Attacker can find underlying vulnerabilities.

Question 18

What is OT (Operational Technology)?

Answer 18

The software and hardware designed to detect or cause changes in industrial operations through direct monitoring and/or controlling of industrial physical devices. Consists of Industrial Control Systems (ICS) that include Supervisory Control and Data Acquisition (SCADA), Remote Terminal Units (RTU), Programmable Logic Controllers (PLC), Distributed Control System (DCS), etc., to monitor and control operations.

Question 19

What are some important OT terms?

Answer 19

• Assets: OT systems consist of physical assets such as sensors, etc.
• Zones and Conduits: A network segregation technique used to isolate the networks and assets.
• Industrial Network: A network of automated control systems.
• Business Network: It comprises of a network of systems that offer information infrastructure
• Industrial Protocols: Protocols used for serial communication and communication over standard Ethernet.
• Network Perimeter: It is the outermost boundary of a network zone.
• Electronic Security Perimeter: It is referred to as the boundary between secure and insecure zones.
• Critical Infrastructure: A collection of physical or logical systems and assets that the failure or destruction of which will severely impact the security, safety, economy , or public health.

Question 20

What is IT/OT convergence?

Answer 20

The integration of IT computing systems and OT operation monitoring systems to bridge the gap between IT/OT technologies for improving overall security, efficiency, and productivity. Can enable smart manufacturing known as industry 4.0. Using this IoT can be referred to as Industrial Internet of Things (IIoT).

Question 21

What is the Purdue Model?

Answer 21

Used to describe internal connections and dependencies of important components in the ICS networks. Consists of 3 zones: IT, OT, and DMZ.

Question 22

What are the challenges of OT?

Answer 22

• Lack of visibility
• Plain-text passwords
• network complexity
• Legacy tech
• Lack of AV protection
• Lack of skilled security professionals
• Rapid pace of change
• Outdated systems
• Haphazard modernization
• Insecure connections
• Usage of rogue devices
• Convergence with IT
• Organizational Challenges
• Vulnerable Communication protocols

Question 23

What is the Industrial Control System (ICS)?

Answer 23

A collection of a different types of control systems. Consists of several types of control systems like SCADA, DCS, BPCS, SIS, HMI, PLCs, RTU, IED, etc. Can be configured in 3 modes: Open mode, closed loop, and manual mode.

• SCADA: Centralized Supervisory Control System
• PLC (Programmable Logic Controller): Small solid-state control computer where instructions can be customized to perform a specific task. Consists of CPU Module, Power Supply Module, and I/O modules.
• Basic Process Control System (BPCS): Responsible for process control and monitoring of the industrial infrastructure.
• Safety Instrumented Systems (SIS): An automated control system designed to safeguard the manufacturing environment in case of any hazardous incident in the industry.

Question 24

What are the OT vulnerabilities?

Answer 24

• Publicly Accessible OT systems
• Insecure Remote Connections
• Missing Security Updates
• Weak Passwords
• Insecure Firewall Configuration
• OT Systems Placed within the Corporate IT Network
• Insufficient Security for Corporate IT Network from OT systems
• Lack of Network Segments
• Lack of Encryption for Authentication
• Unrestricted Outbound Internet Access from OT Networks

Question 25

What are HMI-based attacks?

Answer 25

Attackers gain access to the HMI systems to cause physical damage to the SCADA devices or collect sensitive info.

• Memory Corruption
• Credential Management: Attack passwords
• Lack of Authorization/Authentication
• Code Injection

Question 26

What are Side Channel attacks?

Answer 26

Attackers perform side-channel by monitoring its physical implementation to obtain critical information from a target system.

• Timing Analysis
• Power Analysis

Question 27

What are some OT Malware?

Answer 27

MegaCortex, Disruptionware, LockerGoga, Triton, Olympic Destroyer, SamSam, Shamoon3, VPNFilter, Havex

Question 28

What is the OT Hacking Methodology and tools?

Answer 28

• Information Gathering (SearchDiggity, Kamerka-GUI, Redpoint, s7scan, SCADAPASS, plcscan)
• Vulnerability Scanning (SmartRF, CyberX)
• Launch Attack (ICS Exploitation Framework - ISF, PLCInject, MODBUS Pen Testing, Moki Linux, sixnet-tools)
• Gain Remote Access
• Maintain Access

Question 29

What are some defenses against OT hacking?

Answer 29

• Purpose built sensors to discover vulnerabilities
• Patched systems
• Secure coding
• Track assets
• strong passwords
• VPNs
• Secure the network perimeter
• Scan systems
• Harden systems
• patch vulnerabilities
• Employ IDS
• Periodic audits

Question 30

What are some OT security solutions?

Answer 30

• Firewalls
• Unified Identity and OT Access Management
• Asset Inventory and Device Authorization
• OT Network Monitoring and Anomaly Detection
• Decoys to Deceive Attackers