USB devices are so convenient. Whenever we need to store small amounts of data, we use a USB stick. Everyone owns one and we generally trust it to be safe. USB keys are one of the main ways to do industrial espionage, but attacks against random civilians and companies are also common. The 2018 Honeywell report on USB threat to industrial operators analyzed a sample of 50 locations. Energy, chemical manufacturing, pulp & paper, oil & gas and other industrial facilities were concerned by the study. Among the locations targeted, 44% blocked a suspicious file originating from USB ports and 15% of the threats detected and blocked were high-profile threats, like Stuxnet, Wannacry and Mirai.
A 2016 experiment conducted on the University of Illinois Urbana-Champaign campus showed that from 297 USB sticks dropped around the university, students and staff members picked up 98% of them. By almost half of the USB drives picked up, someone plugged them in and clicked on a file. A survey was then conducted on the persons who used the sticks. 68% of the respondents did not take any security measure when using the USB stick. 68% said they took the drive to give it back and 18% took it out of curiosity. This experiment shows how dangerous a simple USB device can be.
Internet of Things security is a current topic, however penetration testing on connected devices are far from being a widespread practice. Most manufacturers prioritize product functionalities and design first. However, even with a “security by design” approach, pentesting remains essential to know the real security risks, and then to take the necessary measures.
What is an IoT pentest? A connected device is a complex solution, with various potential entry doors for an attacker. A connected device security audit (or pentest IoT) includes tests on the entire object ecosystem, i.e. electronic layer, embedded software, communication protocols, server, web and mobile interfaces. Server-side, web interfaces and mobile applications tests are not specific to IoT, however they are important tests as they are particularly high-risk areas. The tests on the electronic side, embedded software and communication protocols concern vulnerabilities more specifically the IoT.
There are three specific types of attacks on connected objects and embedded systems. Software attacks, non-invasive hardware attacks and invasive hardware attacks. The first take advantage of software vulnerabilities, the second recover information from the hardware without damaging it while the third involve opening the components and therefore destroying them in order to be able to extract secrets. While the first two types of attacks do not require many resources, this is not the case for invasive attacks, for which very expensive equipment is required.
Here are ten concrete tests conducted during the security audit of a connected device, illustrated by some mediatized and emblematic examples. For each of the points discussed below, there are many tools and methods that take advantage of very different vulnerabilities. This is therefore a non-exhaustive list.
The CSRF is an attack that forces an end user to perform unwanted actions and without noticing on a web application he/she is currently authenticated.
CSRF attacks specifically target requests that make modifications, not data theft, because the attacker has no way of seeing the response of the falsified request. The outcome of the actions is what interests the attacker.
This type of attack is based on the fact that when a user is authenticated on an application, it will usually provide a session ID that its browser stores in a cookie.
We often think that a firewall restrictive enough protects the access to non-open services. We also believe that only a compromise machine can give access to the internal network. We are indeed wrong, and that’s what we are going to see with a web application vulnerability: The Server-Side Request Forgery, or SSRF.
What is an SSRF?
From a vulnerable web application, an SSRF makes possible to interact with the server, in order to extract files and to find its other active services. But there is more. It is also possible to scan the internal network to cartography IP and open ports.