Getting Started with IOT Security (Part 1)

ā“What is IoT?

“The Internet of things (IoT) describes the network of physical objects—a.k.a. “things”—that are embedded with sensors, software, and other technologies for the purpose of connecting and exchanging data with other devices and systems over the Internet.” – Wikipedia

  • Examples include: cameras, environmental monitoring, motion sensors, health sensors, smart lights, smart doorbells, smart TVs, smart cars, smart industrial control systems, etc. (everything smart is IoT? Probably… 🧐🤣)
  • According to surveys, there will be 55.7B IoT devices worldwide by the end of 2025. Revenue growth is from $1.9 trillion in 2013 to $7.1 trillion in 2020. The huge number of IoT devices will create a huge network of devices such as self-driving cars, energy grids, and smart appliances. The larger the network, the larger the security risks. One has to constantly evaluate IoT security risks before it’s too late.

🔒 What is IoT Security?

IoT security means protecting connected devices and networks from security risks. As technologies evolve, new techniques to break them evolve too. New vulnerabilities are discovered all the time, and protecting the network and devices from these vulnerabilities is what IoT security is all about.

📰 Famous IoT Security Events in The Past

  1. Tesla: In 2017, Jason Hughes managed to exploit vulnerabilities in Tesla’s servers to gain access and control over the automaker’s entire fleet. Since then, there have been many high-profile Tesla security issues published in the news. https://electrek.co/2020/08/27/tesla-hack-control-over-entire-fleet/ https://electrek.co/2022/05/17/tesla-singled-out-bluetooth-hack-unlock-cars/
  2. Philips Smart Home: Philips smart home also suffered from numerous security issues. The most famous vulnerability in Philips smart home was the Zigbee vulnerability. Philips uses Zigbee to exchange data and authenticate it, so hackers hardcoded the Zigbee packet and gained control over all the connected devices. https://www.tomsguide.com/news/philips-hue-bridge-zigbee-hack
  3. The Jeep hack: The Jeep hack is the most popular one. Two security researchers, Dr. Charlie Miller and Chris Valasek, demonstrated in 2015 how they could remotely control and take over a Jeep using a vulnerability in the Uconnect system. This hack can lead 1.4 million vehicles to be remotely controlled from home. Basically, this was one of the most dangerous vulnerabilities in IoT devices at that time. https://securityledger.com/2021/07/encore-podcast-chris-valasek-on-hacking-the-jeep-cherokee/

These are a few past IoT security issues at some famous companies. There are lots of other hacks from the past, like the Lifx smart bulb, Belkin Wemo home automation, insulin pumps, smart door locks, and even smart guns and rifles. All these hacks happened because of a lack of security awareness among developers, a lack of macro perspective (building a secure architecture), and the usage of various vulnerable software.

🪣 Types of IoT Security Testing Domains

  • IoT device security testing
  • IoT network security testing
  • IoT cloud API security testing
  • IoT device application security testing
  • IoT device firmware security testing

📕 Important IoT Terminology

Important Terms For This Session

MQTT

MQTT (Message Queuing Telemetry Transport) is a lightweight machine-to-machine (M2M) protocol that uses a publish/subscribe messaging model. The MQTT protocol is one of the most used networking protocols among IoT devices due to its simplicity.

SCADA

SCADA, or Supervisory Control and Data Acquisition, denotes a real-time device monitoring and control framework. Quick access to rich data with SCADA allows all types of organizations globally to initiate data-driven measures for process improvement. SCADA existed long before the dawn of IoT, and it has benefited numerous industries, including manufacturing, waste treatment, and telecommunication. The intersection of the two is Industrial IoT (IIoT).

  • While SCADA systems focus on regulating and monitoring different machinery, IoT emphasizes machine data analysis to improve productivity and business profitability.
  • SCADA usually functions as MOM (Message-oriented middleware) or IoT gateways that help businesses connect various devices across many websites to fetch data on a single platform.
  • Despite the emergence of IoT, many business organizations continue to use SCADA software systems or a combination of both IoT and SCADA.

Thus, it is essential to conduct comprehensive penetration testing for both IoT solutions and SCADA systems, and it is recommended to implement extensive security best practices for both SCADA software and IoT systems.

JTAG

Joint Test Action Group (JTAG) is the common name used for a debugging, programming, and testing interface typically found on microcontrollers, ASICs, and FPGAs. It enables all components with this interface to be tested, programmed, and/or debugged using a single connector on a PC board which can daisy chain them together.

JTAG is the name of the group that defined the IEEE 1149.1 standard. This standard defines the Test Access Port (TAP) controller logic used in processors with JTAG interfaces.

Other Important Terms and References

  • Advanced Encryption Standard (AES): Electronic data encryption specification, established in 2001, operating on a public/private key system. Planning for key management is important when implementing AES.
    • Why it's important: To date, there are no known successful practical attacks having allowed illicit access of correctly implemented AES encrypted data. This is the standard for transport layer security in IoT devices.
  • Application Programming Interface (API): A way for computers to talk to hardware or software platforms in a less complicated way.
    • Why it's important: Third parties use other companies' API platforms as a point of integration. Designing applications to leverage APIs allows for faster development and easier paths to improve over time.
  • Backhaul: Backhaul refers to the process of reporting event information from tagged assets related to things like movement, temperature, distress and so forth.
    • Why it's important: This process can easily become very data- and resource-intensive, substantially raising the cost of ownership for IoT devices.
  • Big Data: A very large set of data that can be analyzed for patterns and trends. Big data provides valuable (and very profitable) insights that can be used to identify service or product opportunities and customer behaviors.
    • Why it's important: Analyzing big data moves enterprises away from making decisions by gut instinct into data-driven strategic choices. IoT devices have the potential to generate entirely new streams of data for big data processing.
  • Bluetooth Low Energy (BLE): Also known as Bluetooth 4.0, this is a wireless, personal-area network with short-range and low-power consumption that allows for objects to transmit data.
    • Why it's important: This technology offers low-cost, safe, wireless connectivity and solves many of the earlier Bluetooth's pairing and performance headaches. This is the least expensive way to add short range wireless connectivity to devices.
  • Cloud Computing: "In the cloud" refers to a network of remote servers hosted online that store, manage, and process data.
    • Why it's important: Cloud computing is vital for large sets of data. It's great for those who need disaster recovery, collaboration controls, security, and an environmentally friendly way to store data.
  • Embedded Software: Instruction code that runs on hardware microcontrollers. Usually it is performing specific low-level functions, often without using an operating system.
    • Why it's important: Specialized for the particular hardware it runs on, embedded software often has time and memory constraints that must be addressed in IoT innovation. Most IoT devices leverage embedded software which can take longer to write than more abstracted server-side code.
  • Firmware Over-the-Air (FOTA): A mobile technology that enables manufacturers to wirelessly repair bugs or remotely install new software, features, and services on a mobile device after product distribution.
    • Why it's important: FOTA is an efficient way to upgrade and update a mobile device wirelessly. Manufacturers can save resources on efficient and timely upgrades without having physical access to the device.
  • Gateway: A device that receives information from many other points on the network and transmits information to another network.
    • Why it's important: When multiple wireless protocols are mixed, a gateway is almost always required. The gateway is the stopping point for online communications, the hub through which data is sent back and forth.
  • General Packet Radio Service (GPRS): A wireless communications standard on 2G and 3G cellular networks supporting a number of bandwidths and providing data rates of 56-114 kbps.
    • Why it's important: As cellular companies move to more advanced networks, GPRS networks may be more cost-effective for IoT networks. NB-IoT and LTE-M1 networks are being touted as replacements for these older cellular standards.
  • Industrial IoT (IIoT): M2M communication for machinery and other industrial applications.
    • Why it's important: The IIoT enables machinery and equipment to transmit real-time information to an application. This allows operators to better understand equipment efficiency and identify preventative maintenance needs.
  • Industrial, Scientific, and Medical (ISM) Band: An unlicensed part of the RF spectrum used for general purpose data communications. In the US, the ISM bands are 915 MHz, 2.4 GHz, and 5.5 GHz, whereas 2.4 GHz is the global unlicensed frequency, and has increasing amounts of interference.
    • Why it's important: This part of the radio spectrum can be used without a license in most countries.
  • Link Budget: An accounting of all of the losses (e.g. from antennas, structural attenuation, propagation loss) in a wireless communication system.
    • Why it's important: In order to "close the link," enough RF energy has to make it from the transmitter to the receiver.
  • Low-Power Wide Area (LPWA): LPWA networks are built specifically for M2M communications and offer long-range, low-power consumption.
    • Why it's important: LPWANs solve cost and battery life issues that cellular technology cannot, and solve range issues that technologies like Bluetooth or BLE struggle with.
  • Low-Power Wireless Sensor Network: A group of spatially distributed, independent devices that collect data by measuring physical or environmental conditions with minimal power consumption.
    • Why it's important: Minimizing power consumption is key to achieving a longer lifetime for devices on wireless sensor networks.
  • LoRa Protocol (LoRaWAN): A LPWAN specification deployed internally to enable IoT and M2M, intended for carrier networks of wireless, battery-operated things.
    • Why it's important: Many carriers are testing LoRaWAN as a possible technology to support IoT networks.
  • LTE-M: An abbreviation for LTE-MTC (or machine-type communications), LTE-M is a more energy efficient part of the LTE system. Because of its extended discontinuous repetition cycle (eDRX), an endpoint can communicate with the tower or network on how often it will wake up to listen for the downlink.
    • Why it's important: LTE-M is one of three new standards, along with NB-IoT, from the cellular industry allowing devices that operate on carrier networks to be less expensive and more power-efficient.
  • Machine to Machine (M2M): Connected devices exchanging information with other connected devices, without human assistance.
    • Why it's important: Machines monitoring other machines, without the need of human intervention, are transforming many industries. For example, a machine can alert when a new part is needed or broken down, eliminating manual monitoring, which eats up valuable time and resources.
  • Media Access Control (MAC): One of two sublayers in a network, the MAC address is a unique identifier allowing the physical medium (radio waves or wire signals) to be organized to pass data back and forth.
    • Why it's important: Upper layer protocols rely on the MAC layer to produce complex, functioning networks.
  • Mote: Primarily used in North America, this is one way of referring to an "endpoint" in the IoT. Also known as a node, this usually refers to a generic sensor out in the physical world.
    • Why it's important: The sensor does the data gathering and some processing, and communicates with other connected nodes in the IoT network.
  • NB-IoT: Even simpler than NB-LTE-M, this is a proposed narrowband (NB) technology not based on LTE. Instead it will likely be deployed on a side band or in deprecated GSM spectrum.
    • Why it's important: Although not available yet, with chipsets (if they exist) in the prototype stage, this may be an inexpensive option when rolled out.
  • Near-Field Communication (NFC): Low-power, low-speed, short-range radio communication standard that allows two-way communication between endpoints within very close proximity.
    • Why it's important: Popular as a contactless communication between mobile devices, NFC is used to send information without physical device connection.
  • Quality of Service (QoS): QoS manages network capabilities and resources to provide a reliable backbone to IoT connectivity. In order to offer secure and predictable services, QoS can manage delays, bandwidth and packet loss by classifying traffic and registering channel limits.
    • Why it's important: With effective QoS management in place, there is a much better chance of receiving warnings or other high priority messages in near real-time.
  • Radiofrequency (RF): Radio waves. This term generally means "wireless communication" when referred to in IoT discussions.
    • Why it's important: RF is fundamental to IoT connectivity. Many IoT devices have RF transceiver chipsets to transmit data long distances using minimal power.
  • Radio Frequency Identification (RFID): Generally speaking, this is the use of strong radio waves to "excite" enough current in a small tag to send a radio transmission back. It works over short range, and only for small amounts of data.
    • Why it's important: RFID tags can be used to detect and record conditions such as temperature, movement, and radiation levels, and thus can be very useful in asset monitoring and supply chain management.
  • RF Geolocation: A general term that applies to "finding" a radio transceiver with another -- GPS is a good example.
    • Why it's important: Location is a critical part of many IoT solutions. For systems that have GPS, location is easy. When GPS doesn't work for cost or because the node is indoors, WiFi fingerprinting or BLE proximity can be used.
  • Repeater: A device that receives and retransmits a digital signal to extend network reach.
    • Why it's important: Repeaters boost the distance a signal can travel and help a transmitted communication overcome obstructions.
  • Smart Meter: An electronic device that collects data about consumption of energy (gas, electric) and communicates it back to the energy company and/or consumer.
    • Why it's important: Enabling two-way communication, smart meters gather and transmit IoT device information to the central network.
  • Software-Defined Network (SDN): An approach to networking that decouples control of information flow from the hardware and gives it to a software controller.
    • Why it's important: This allows for less data to travel wirelessly, making it a potential strategy for IoT networks.
  • Structure Attenuation: The loss in intensity of radio waves through a medium (like radio waves through a brick wall).
    • Why it's important: Structure attenuation can slow data transmission in the IoT. Repeaters can be used to address this issue.
  • Transmission Control Protocol/Internet Protocol (TCP/IP): The core standard protocol for internet-based communications. Some wireless systems "break" TCP/IP in order to lower the overhead of the on-air signals.
    • Why it's important: This protocol manages data packets at the TCP layer and handles addressing of those packets at the IP layer. With this protocol, gateways can recognize and route data.
  • Ultra-Wide Band (UWB): A "spark gap" transmitter that emits a very weak, very wide (in frequency) pulse of RF energy. This signal is used mostly for localizing signals. Wide signal bandwidths are good for measuring distance.
    • Why it's important: UWB operates by generating short, narrow pulses and can be an attractive option for asset tracking and fleet/inventory management.
  • ZigBee/Z-Wave: Short-range, low-power wireless standards used for sensing and control, typically used for personal or home area networks, or in a wireless mesh for longer-range networks. Like 6LoWPAN, designed for low data-rate and battery-powered applications, but Zigbee and Z-Wave technology can require more nodes to function successfully -- which can increase costs.
    • Why it's important: Information from one sensor node continues to hop from node to node until it gets to the gateway. Often seen in security systems, home automation and lighting control applications.

✨ IoT OWASP Materials

  • IoT Top 10 - 2018
    • I1 Weak, Guessable, or Hardcoded Passwords
    • I2 Insecure Network Services
    • I3 Insecure Ecosystem Interfaces
    • I4 Lack of Secure Update Mechanism
    • I5 Use of Insecure or Outdated Components
    • I6 Insufficient Privacy Protection
    • I7 Insecure Data Transfer and Storage
    • I8 Lack of Device Management
    • I9 Insecure Default Settings
    • I10 Lack of Physical Hardening
  • IoT Top 10 - 2018 Mapping Project
    • The OWASP IoT Mapping Project is intended to provide a mapping of the OWASP IoT Top 10 2018 to industry publications and sister projects. The goal is to provide resources that enable practical uses for the OWASP IoT Top 10. As with all Top 10 lists, they should be used as a first step and expanded upon according to the applicable IoT ecosystem.
  • IoT Goat
    • IoT Goat is a deliberately insecure firmware based on OpenWrt. The project’s goal is to teach users about the most common vulnerabilities typically found in IoT devices.
  • ByteSweep
    • ByteSweep is a Free Software IoT firmware security analysis platform. This platform will allow IoT device makers, large and small, to conduct fully automated security checks before they ship firmware.
      • ByteSweep Features:
        • Firmware extraction
        • File data enrichment
        • Key and password hash identification
        • Unsafe function use detection
        • 3rd party component identification
        • CVE correlation
  • Firmware Security Testing Methodology (FSTM)
    • The Firmware Security Testing Methodology (FSTM) is composed of nine stages tailored to enable security researchers, software developers, consultants, hobbyists, and Information Security professionals to conduct firmware security assessments.
  • IoT Attack Surface Areas Project
    • The IoT Attack Surface Areas Project provides a list of attack surfaces that should be understood by manufacturers, developers, security researchers, and those looking to deploy or implement IoT technologies within their organizations.
  • IoT Vulnerabilities Project
    • The IoT Vulnerabilities Project provides:
      • Information on the top IoT vulnerabilities
      • The attack surface associated with the vulnerability
      • A summary of the vulnerability
  • Medical Attack Surfaces
    • The Medical Attack Surfaces project provides:
      • A simple way for testers, manufacturers, developers, and users to get an understanding of the complexity of a modern medical environment
      • Allows people to visualize the numerous attack surfaces that need to be defended within medical equipment ecosystems
  • Firmware Analysis Project
    • The Firmware Analysis Project is intended to provide security testing guidance for the IoT Attack Surface "Device Firmware".
  • IoT Logging Events
    • The IoT Secure Logging Project provides a list of core events that should be logged in any IoT-related system. The project exists because IoT systems in general are not logging nearly enough events to constitute input for a solid detection and response program around IoT devices, and for companies that want to do this there are not many good resources for what should be logged.

🔄 MQTT Pentesting 101

Understanding MQTT Protocol

MQTT is a simple and efficient protocol that allows devices to send and receive messages over a TCP/IP network on port 1883. The protocol uses a client-server architecture, where IoT devices (clients) communicate with an MQTT broker (server). The key components of MQTT are:

  • Publisher: The client that sends messages to a topic.
  • Subscriber: The client that receives messages from a topic.
  • Topic: A hierarchical string that acts as a message filter.
  • Broker: The server that manages the connections and message distribution.

The design principles are to minimise network bandwidth and device resource requirements whilst also attempting to ensure reliability and some degree of assurance of delivery. These principles also turn out to make the protocol ideal for the emerging “machine-to-machine” (M2M) or “Internet of Things” world of connected devices, and for mobile applications where bandwidth and battery power are at a premium.

Some of the protocol's main features:

  • Publish and subscribe pattern
  • Simple packet formats: binary payloads
  • Current version: 5.0 (2019)
  • The protocol runs over TCP
  • Default port: 1883/TCP (not encrypted!)

Security Concerns in MQTT

Some common security concerns with MQTT are:

  • Cleartext communications and eavesdropping
  • Unauthorized access to the broker.
  • Message tampering or interception.
  • Poorly configured access control and authentication.
  • Insecure MQTT implementations in IoT devices.
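
To make the cleartext and authentication concerns concrete, the following added example (not from the original page or from any of the tools it lists) decodes an MQTT CONNECT packet the way a reviewer auditing a capture from port 1883 would, and reports cleartext credentials and anonymous connections. The packets, client IDs and credentials are constructed sample values, the finding names are made up for this example, and only MQTT 3.1.1 and 5.0 CONNECT packets are handled.

```python
import struct

def read_varint(buf, pos):
    """Decode an MQTT variable-length integer; return (value, next_pos)."""
    value = 0
    for i, byte in enumerate(buf[pos:pos + 4]):  # at most four bytes
        value |= (byte & 0x7F) << (7 * i)
        if not byte & 0x80:
            return value, pos + i + 1
    raise ValueError("truncated or over-long variable-length integer")

def read_field(buf, pos):
    """Read one field with a 2-byte big-endian length prefix."""
    if pos + 2 > len(buf):
        raise ValueError("truncated length prefix")
    end = pos + 2 + struct.unpack_from(">H", buf, pos)[0]
    if end > len(buf):
        raise ValueError("field runs past the end of the packet")
    return buf[pos + 2:end], end

def parse_connect(packet):
    """Parse an MQTT 3.1.1 (level 4) or 5.0 (level 5) CONNECT packet."""
    remaining, pos = read_varint(packet, 1)
    body = packet[pos:pos + remaining]
    if packet[:1] != b"\x10" or len(body) != remaining:
        raise ValueError("not a complete CONNECT packet")
    proto, pos = read_field(body, 0)
    if proto != b"MQTT" or pos + 4 > len(body):
        raise ValueError("unexpected protocol header")
    level, flags, keepalive = struct.unpack_from(">BBH", body, pos)
    pos += 4
    if level not in (4, 5):
        raise ValueError("unsupported protocol level")
    if level == 5:  # MQTT 5.0 adds a property block here; skip it
        n, pos = read_varint(body, pos)
        pos += n
    client_id, pos = read_field(body, pos)
    info = {"level": level, "keepalive": keepalive, "username": None,
            "password": None, "client_id": client_id.decode("utf-8", "replace")}
    if flags & 0x04:  # will message present: skip its topic and payload
        if level == 5:
            n, pos = read_varint(body, pos)
            pos += n
        _, pos = read_field(body, pos)
        _, pos = read_field(body, pos)
    if flags & 0x80:  # username flag
        user, pos = read_field(body, pos)
        info["username"] = user.decode("utf-8", "replace")
    if flags & 0x40:  # password flag; the value is raw bytes on the wire
        info["password"], pos = read_field(body, pos)
    return info

def audit_connect(packet, over_tls=False):
    """Return (parsed fields, findings) for one captured CONNECT packet."""
    info = parse_connect(packet)
    findings = [] if over_tls else ["cleartext-session"]
    if info["password"] is not None and not over_tls:
        findings.append("cleartext-password")
    if info["username"] is None:
        findings.append("anonymous-connect")
    return info, findings

def sample(header, *fields):  # builds the constructed packets below
    body = b"\x00\x04MQTT" + header
    body += b"".join(struct.pack(">H", len(f)) + f for f in fields)
    return b"\x10" + bytes([len(body)]) + body  # bodies here are < 128 bytes
# Constructed sample packets (not captured from any real device).
WITH_CREDS = sample(b"\x04\xc2\x00\x3c", b"sensor-01", b"device", b"example-pass")
ANONYMOUS = sample(b"\x05\x02\x00\x3c\x00", b"sensor-02")
```

Calling `audit_connect(WITH_CREDS)` returns the client ID, username and password exactly as they travel on an unencrypted listener; passing `over_tls=True` models the same CONNECT arriving on a TLS listener.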

Starter MQTT Security Testing Tools

Here are some essential tools to perform security testing with MQTT:

  • Mosquitto (https://mosquitto.org/): An open-source MQTT broker that can be used to set up a test environment for MQTT security testing.
  • MQTT.fx (https://softblade.de/en/mqtt-fx/): A graphical MQTT client that simplifies the process of subscribing to and publishing messages on various topics.
  • Wireshark (https://www.wireshark.org/): A network protocol analyzer that can be used to inspect MQTT messages and analyze the protocol's behavior in real-time.
  • MQTT-PWN (https://github.com/akamai-threat-research/mqtt-pwn): A tool designed to perform penetration testing on MQTT implementations and uncover security issues.
  • MQTT Client Shell (https://github.com/bapowell/python-mqtt-client-shell): The purpose of this utility is to provide a text console-based, interactive shell for exercising various tasks associated with MQTT client communications, including connecting to an MQTT server, subscribing to topics, and publishing messages.