In this article, we are going to talk about IoT pentesting. Before starting the IoT Pentesting part first, let me introduce what IoT or Internet of Thing is.
What is IoT?
“The Internet of things (IoT) describes the network of physical objects—a.k.a. “things”—that are embedded with sensors, software, and other technologies for the purpose of connecting and exchanging data with other devices and systems over the Internet.” – Wikipedia
According to surveys, there will be 55.7B IoT devices worldwide by the end of 2025. The huge no. of IoT devices will create a huge network of all the devices like self-driving cars, energy grids, smart appliances. The massive the network the massive the security risks. One has to constantly evaluate the IoT security Risks before it’s too late.
What is IoT Security?
IoT security is to protect the connected devices and network from all the security risks. As the technologies evolve, new techniques to break these technologies also evolve. New vulnerabilities are discovered all the time and to protect the network and devices from these vulnerabilities the IoT security is all about.
Previous IoT Security Hacks
Let’s see some famous IoT security issues happens in the past.
1. Nest Thermostat
In the past Nest, devices are exploited by hackers. There was a Vulnerability in Nest Thermostat in which by holding a button for 10 seconds to reboot the device. At this stage, the device can be made to communicate with USB media, which contains malicious firmware. There are few more vulnerabilities that are discovered in Nest thermostats
2. Philips Smart Home
Philips smart home also suffered from numerous security issues. The most famous vulnerability in Philips smart home was the ZigBee vulnerability. Philips uses Zigbee to exchange data and authenticate it. so hackers hardcoded the Zigbee packet and gain control over all the connected devices.
3. The Jeep hack
The Jeep hack is the most popular one. Two security researchers Dr. Charlie Miller and Chris Valasek demonstrated in 2015 how they can remotely control and takeover a jeep using the vulnerability in the Uconnect system. This hack can lead 1.4 million vehicles to be remotely controlled from home. Basically, this was one of the most dangerous vulnerabilities in IoT devices at that time.
These are some of the past IoT security issues in some famous companies. There are lots of other hacks in past like Lifx Smart Bulb, Belkin Wemo home automation, Insulin Pump, Smart Door Locks, Even Smart Guns and Rifles. All these hacks are happens because of lack of security awareness among developers, lack of macro perespective, Usage of Insecure framework and third-party libraries.
IoT Vulnerabilities
Like OWASP top 10 for web application security there is a OWASP top 10 for IoT. In the list there are top 10 vulnerabilities in IoT devices. Let’s have a look on the list
OWASP Top 10 IoT
- Weak, guessable, or hardcoded passwords
- Insecure network services
- Insecure ecosystem interfaces
- Lack of secure update mechanism
- Use of insecure or outdated components
- Insufficient privacy protection
- Insecure data transfer and storage
- Lack of device management
- Insecure default settings
- Lack of physical hardening
These are the OWASP top 10 IoT
Now, we know what is IoT Security and what are IoT Vulnerabilities. The last thing we are going to discuss here is IoT pentesting methodology.
Explaining the whole pentesting methodology in-depth in one blog is not possible. So, we are going to discuss the methodology in a quick but effective way.
IoT Pentesting Methodology
1. Understanding Scope
For any pentest, pentesters need to understand the scope of the target. The scope consists of constraints and limitations. the condition for penetration testing varies from product to product. so in the first step of IoT pentest, the tester needs to understand the scope and make plans accordingly.
2. Attack surface mapping
In attack surface mapping the tester maps out all the entry points that an attacker could potentially exploit or abuse in an IoT device. The attack surface mapping also involves the creating of a highly detailed architecture diagram highlighting all the possible entry points for an attacker.
There are many ways to do Attack surface mapping. So, let’s discuss the basic role of attack surface mapping
when the tester is creating architecture of the system, the entire architecture can be broadly divided into three categories:
1. Embedded device
Embedded devices can be used for several different purposes according to the situation. It can be a sensor that collects data, smart lightbulbs, switches, smart homes all are examples of embedded devices.
Some vulnerabilities in Embedded devices are:
- Serial Ports Exposed
- Insecure authentication mechanism
- Ability to dump the firmware over JTAG
- External Media-based attacks
2. Firmware, Software, and Applications
After the hardware exploitation the next component is software exploitation of IoT device. This includes everything from the firmware in mobile devices to the cloud components
Some Vulnerabilities related to them are:
- Firmware
- Ability to modify
- Insecure Signatures
- Private certificates
- Outdated components with known vulnerabilities
- Mobile applications
- Reverse Engineering
- Dumping the Source
- Side-channel data leaks
- Insecure Network Communication
- Web application
- Injections
- XSS
- CSRF
- Sensitive data leaks
3. Radio Communications
Basically, radio communications provide a way to communicate with each other.
Some of the common radio protocols used in IoT are:
- Wi-Fi
- BLE
- ZigBee
- Wave
- 6LoWPAN
- LoRa
Some Vulnerabilities in Radio Communications are:
- MITM
- Replay-based attacks
- Insecure Cyclic Redundancy check
- Jamming attacks
- DoS
basically, these are the basics of attack surface mapping
3. Vulnerability Assessment and Exploitation
As the name suggests, in this step the tester exploits all those vulnerabilities found in previous steps and tries to crack the IoT device. Again, there are hundreds of ways a hacker can exploit the target.
Some of them are:
- Exploiting using I2C and SPI
- JTAG debugging
- Firmware Reverse Engineering
- Hard coded Sensitive values
- etc.
The whole exploitation process cannot be described in one blog. so, these are the basic ways to exploit the device depending on vulnerabilities.
4. Documentation and Reporting
In this step the tester have to make a in-depth detailed report of all the technical and non-technical summary.
Also the tester have to give all the proof of concepts, demos, code snippet, everything they used in the process.
Sometimes the tester have to reassess the bug after they get patched up.
These are all the four steps in the methodology of IoT pentesting.
Best Practices to Protect the IoT
- Make hardware tamper resistant
- Provide firmware updates and patches
- use strong authentication
- use strong encryption
- Make sure to use secure protocols
- Specify a destroy method if gets breakdown
For more blogs like this check our blog page