Internet of Things security is a current topic, however penetration testing on connected devices are far from being a widespread practice. Most manufacturers prioritize product functionalities and design first. However, even with a “security by design” approach, pentesting remains essential to know the real security risks, and then to take the necessary measures.
What is an IoT pentest?
A connected device is a complex solution, with various potential entry doors for an attacker. A connected device security audit (or pentest IoT) includes tests on the entire object ecosystem, i.e. electronic layer, embedded software, communication protocols, server, web and mobile interfaces. Server-side, web interfaces and mobile applications tests are not specific to IoT, however they are important tests as they are particularly high-risk areas. The tests on the electronic side, embedded software and communication protocols concern vulnerabilities more specifically the IoT.
There are three specific types of attacks on connected objects and embedded systems. Software attacks, non-invasive hardware attacks and invasive hardware attacks. The first take advantage of software vulnerabilities, the second recover information from the hardware without damaging it while the third involve opening the components and therefore destroying them in order to be able to extract secrets. While the first two types of attacks do not require many resources, this is not the case for invasive attacks, for which very expensive equipment is required.
Here are ten concrete tests conducted during the security audit of a connected device, illustrated by some mediatized and emblematic examples. For each of the points discussed below, there are many tools and methods that take advantage of very different vulnerabilities. This is therefore a non-exhaustive list.
1/ Detecting open and poorly protected communication ports
It is common for ports to be left open for debugging or due to an oversight. Shodan, a search engine dedicated to objects connected to the Internet, gives an overview of the diversity of connected systems. It can find anything that has a web interface, a publicly visible IP: webcams, printers or servers. Knowing (or finding) the default credentials is then enough to connect to them, and then collect information, access other services…
During a pentest or an attack on a particular object, it is rather tools like Nmap, a free port scanner, that will allow the pentester to find open ports and the services using them. Traffic observation also makes it possible to identify the different ports used and to see if they are protected. Each open port indicates the use of an application, a particular service, with potentially exploitable vulnerabilities. Some services, such as Telnet, are not secure and may be subject to sniffing.
Appeared in 2016, Mirai malware spreads through Telnet protocol and default passwords through hundreds of thousands of unprotected connected devices. Infected systems are used to conduct large-scale DDoS attacks, taking attacked targets out of service. In particular, Dyn and its DNS services were victims of this, resulting in significant financial losses.
2/ Sniffing: capture and analysis of radio signals – multi-protocol
Connected devices more often use wireless communication technology to exchange data. Equipped with packet analysis software such as Wireshark and an adapter for the targeted wireless technology, an attacker can retrieve the information transmitted by and to the targeted object.
If the communications are wired, sniffing is also possible. It is then necessary to be closer to the network to be able to connect to it.
Depending on the protocol used, the packet size may vary and prevent the implementation of a communication encryption solution and the data is then sent unencrypted.
During a pentest, sniffing is used while the device works normally to see if important information such as keys, hashes, passwords are sent and exploitable. This technique also makes it possible to see which ports are used and by which functions, thus contributing to the prior test.
3/ Detecting configuration interfaces or backdoors
Sometimes, a backdoor or configuration interface is left on a product after the end of development. What was an advantage for the development team to test and modify the product then becomes a wide-open door for an attacker.
During a penetration test, it is possible to detect these interfaces and backdoors by sniffing. By isolating data exchanges not necessary for system operation, open ports for configuration interface services or backdoors are highlighted. The security of these ports must then be tested.
4/ Buffer overflow
Buffer overflow is the writing of data into a buffer beyond its capacity, resulting in the rewriting of adjacent memory spaces. Buffers in embedded systems have a relatively small memory, so the risk of buffer overflow is present. The targeted system may therefore no longer work properly.
An attacker can then send malicious code into the rewritten part to set up a backdoor to take control of the device.
Testing the vulnerability to buffer overflow of a connected device is like testing servers and embedded applications. The study of the code or more simply testing the different fields with large values makes it possible to highlight the presence of this vulnerability and to exploit it.
In September 2018, this is a flaw that was found and exploited on surveillance cameras, you can read more about the attack here.
5/ Breaking password
Trying to break passwords of IoT is usually very successful. Default login/password pairs are not always changed after product development. Moreover, the same pair is often used on a whole series of products. Crack it once and you have access to thousands of devices. Attackers find or buy lists of default IDs for many products online.
Pentesters evaluate password strength using password dictionaries or brute force, which requires a little more time and material resources. Any attack can break a password with these techniques.
Let’s now take the example of breaking a password on the microcontroller of an embedded system.
After studying the technical data sheets of the various components of the product, the attacker can carry out a fault injection attack by, for example, disturbing the supply voltage or emitting electromagnetic waves on specific areas of the components. By doing this, it can prevent the execution of certain parts of the code such as the one responsible for blocking after a finite number of failed attempts. With another microcontroller, it is then possible to brute force the password.
Sometimes a debugging interface is still available on the targeted IoT. If an attacker accesses it, it allows to completely bypass the protections and to obtain direct control on the device. An accessible interface can save attackers a lot of effort, so let’s not make it easy for them.
This vulnerability has been discovered, for example, by a connected teddy bear. Anyone with physical access to the toy could have full access to the teddy bear system. The name, birthday or gender could be retrieved by the attacker and reused to crack other passwords for example.
7/ Firmware modification
Many vulnerabilities allow to modify the software of a device. The attackers have different possibilities:
- uploading of updates infected by malware,
- dump the memory,
- study the memory by reverse engineering modify it by injecting malicious code (to set a backdoor for example) and then put the code back into the device that will execute the added script giving the attacker access to its content.
8/ Reverse engineering
Reverse engineering is possible on both firmware and hardware. In the first case, either the firmware is available online on the manufacturer’s website, or you can try to dump the memory (see memory dumping below). Once the code is retrieved, the pentester decompresses it, disassembles it and decomposes it until it understands how it works. He can then modify it and then inject it back into the device or extract information saved locally.
A few years ago, a research team succeeded in taking control of a Jeep by exploiting a vulnerability in its firmware. They managed to accelerate, slow down the vehicle and even get it off the road.
Invasive hardware attacks
In the case of hardware, the attacker obtains the product and disassembles it to identify its components. The simple visual study of the elements enables to obtain valuable information to better target other types of attacks. The opening of the components and the software analysis of the position of the transistors and metal interconnections even makes it possible to trace the functioning of the component, but such an in-depth study requires a lot of resources.
Non-invasive hardware attacks
9/ Cryptographic analysis
There is often no encryption in order to preserve memory and battery. However, sometimes an algorithm such as the AES or RSA is present in an embedded system. An attacker can crack the secret using, for example, an auxiliary channel attack. This type of attack is based on the analysis of electricity consumption, of heat released or electromagnetic waves generated and does not necessarily require many resources.
A classic pentest of cryptography is first to verify that data and communications are encrypted. If so, are they encrypted with an algorithm still considered safe? Which level of encryption does the secret protected by the algorithm require? A cryptographic analysis attack can be considered successful when the secret discovered is worth more than the time invested to obtain it.
10/ Memory dumps
To obtain the firmware, attackers often use memory dump, i.e. the recovery of the content of the target’s memory. For many microcontrollers, there is a native memory dump function but defenses against its use are sometimes not implemented.
In practice, dumping the memory of a connected object is done by physical connection via USB, SPI, JTA ports. A computer or microcontroller is connected directly to the target microcontroller. Software tools are then used to retrieve the target’s memory and reverse engineering can begin.
To conclude, conducting the various tests mentioned in this article gives a good understanding of the hardware and software security of a connected device. IoT penetration testing can be performed from the development of the connected object on a functional prototype, or when it is in the production phase or when it is commercialized.
While some measures to improve device security and resist these attacks can be complex, others such as changing passwords or checking that unused ports are closed are easy to implement and provide significant security benefits.