Common attacks

on IoT devices
Why you can not win

@binarychrysh
Agenda
● What is IoT? And why is security important?

● Software attacks

● Hardware attacks

● Example attack stories

● Take-aways
What is IoT?
What is IoT?
• Embedded device connected to the internet
• Often power constrained, small, connected
over some kind of wireless technology
• Often memory-constrained
• E.g. PLC, SSD-Controller,
Temperature-control
• Often easy to hack

• Can become part of botnet

[by geralt on pixabay/ CC0]
Approach
• Analysis: Inspect components, datasheets, firmware update
process, contents of flash
• Code execution: Tamper with firmware update process, rewrite
persistent memory content, gain access over debug
channels/JTAG
• Communication channel: Get feedback from device over JTAG,
serial console, etc
Software
Software
Where to get the firmware

● Dump from device memory

● Download from manufacturer FTP
server/search on ftp index sites
● Get from CD/DVD
● Wireshark traces of firmware updates

Analyse firmware

● Understand file format from firmware update

routine
● Search for code/string on code.google.com,
sourceforge.net, ..
● Decompile, compile, tweak, fuzz
● If not stripped and human readable strings, it’s
easier to reverse IDA view
Attacker Tools
● Software:
○ Binary reversing:
■ IDA Pro
■ radare2
■ binaryninja
○ Bug finder:
■ Flawfinder
■ Metasploit Framework
○ Firmware analysis:
■ firmwalker (with binwalk, cpu_rec)
■ firmware-analysis-toolkit
■ FACT (firmware analysis and comparison tool)
○ Web testing:
■ ZAP, sqlmap, sslyze, Gobuster (see OWASP)
○ Debugging:
■ GDB & OpenOCD
Hardware
Hardware
Non-invasive attacks
● Search for UART, JTAG, etc
● Write protection security fuses not enabled => Patch
bootloader
● Hardware Fuzzing (automatically send random data
and monitor whether device crashes)
● Side channel attacks
○ Timing attacks
■ Computation time depends on value of
secret data
■ Cache miss and cache hit have huge timing
[Backside layout mainboard XIaomi Vacuum difference => find access pattern in
Cleaner robot by Dennis Giese and Daniel dependence of timing difference
Wegemer]

* See Talk “Hardware Hacking - Extracting Information From Chips” by Dmitry Nedospasov (@nedos)
Hardware
Non-invasive attacks
● Side Channel Attacks (2)
○ Hardware Glitching
■ very high/low voltage
■ alter clock period during execution
○ Power Analysis
■ Power consumption of a chip depends
on the secret data that is computed on
the chip):
● SPA (Simple power analysis)
● DPA (Differential power analysis)
■ EM Radiation channel
■ Acoustic channel [Visible and infrared light emitted by switching
transistors/ by Dmitry Nedospasov]

* See Talk “Hardware Hacking - Extracting Information From Chips” by Dmitry Nedospasov (@nedos)
Hardware
Semi-invasive attacks
● Decapping package
● Infrared light/photon emission analysis of
backside to find location for attack
● Then use laser to flip bits and break crypto

Fully-invasive attacks
● Much effort, but 100% success rate
● Modify chip with FIB (Focused Ion Beam)
● Microprobing
● Linear code extraction (LCE)
[Yamaha audio IC decapsulated by Olli Niemitalo/ CC0 1.0]

* See Talk “Hardware Hacking - Extracting Information From Chips” by Dmitry Nedospasov (@nedos)
Attacker Tools
● Hardware:
○ Oscilloscope
○ Logic Analyzer (e.g. Salae)
○ JTAG:
■ GoodFET, BusBlaster, BusPirate,
JTAGulator, JTAGenum, Black Magic
Probe
○ Side Channel Attacks:
■ ChipWhisperer (power analysis, glitching
ChipWhisperer
attacks)
○ USB:
■ Facedancer
○ SDR:
■ HackRF

BusPirate HackRF
Real world attacks
Real world attacks*
● UART (populated or not): Usually device boots into special console/root console

[From Hack The World by Juan Carlos Jiménez]

[From 5-Min Tutorial: Gaining Root via UART by @konukoli]

* See Talk “Hack All The Things: 20 Devices in 45 Minutes” by gtvhacker

Real world attacks*
● Root with U-Boot:
○ Access bootloader shell, add init=/bin/sh into
kernel cmdline
○ Will execute preconfigured script name
‘xyz’ => replace script with own script
○ Short pins on NAND, power on => boot into
corrupted U-Boot environment
● Hardcoded/base64 encoded username and
password in binary
● Bruteforce easy password

[Reverse Engineering the TP-Link HS110 by Lubomir

[BGA by Smial / GFDL-1.2]
Stroetmann, Consultant and Tobias Esser, Consultant/
© Softscheck]

* See Talk “Hack All The Things: 20 Devices in 45 Minutes” by gtvhacker

Real world attacks*
● Write su binary into eMMC fs
● Command injection
○ system(“ls %s”): will reboot on
user input “; reboot;”)
○ often in WEP or Wifi password
field of Configuration Web page,
Network folder names, ..
○ In URL parameters
(http://foobar/subpage?action=com
mand&command=reboot)
● App installation /Firmware update over
unencrypted HTTP/FTP => can be
intercepted
● SMB share without restrictions, run su
binary via adb

[How to Fix a Bricked Hikvision IP Camera Firmware by Bob Jackson]

* See Talk “Hack All The Things: 20 Devices in 45 Minutes” by gtvhacker

Real world attacks: Xiaomi Vacuum
Cleaning Robot*

Micro USB Port: was authentication protected

Serial communication: Didn’t find

Port Scan: No suspicious open ports

Sniff network traffic

Recovery mode: Shorting BGA pins with [CC by 4.0 34C3 media.ccc.de}
aluminium foil

* See Talk “34C3 - Unleash your smart-home devices: Vacuum Cleaning Robot Hacking” by Dennis Giese, Daniel Wegemer from TU Darmstadt
Real attack stories: PLC*
● Downgrading to older firmware
● Physical mapping of JTAG not easy to
find
● Injecting code into firmware update

● Injecting code via flash reprogramming

○ rewrote bootloader after partly
desoldering pins asserting write Picture:
https://www.astiautomation.ro/en/prod
protection uct/plc-canopen-training-panel-s7-120
○ MitM like setup for quick 0-siemens/

prototyping and testing of

bootloader replacement code

* See Paper “Off-the-shelf Embedded Devices as Platforms for Security Research” by L.Cojocar, K.Razavi, H.Bos (see References)
Real attack stories: Electronic Safe Lock*
● Resistor in series to battery and lock
● Amplified current => Power analysis Side
channel attack (high current consumption
=> 0 read from EEPROM, low current => 1
read from EEPROM
● Mitigate: Don’t store secret in EEPROM

Sargent & Greenleaf 6120-332

[by Plore]

[by Plore]

* See Talk “DEF CON 24 - Plore - Side channel attacks on high security electronic safe locks” by Plore
Real attack stories: Electronic Safe Lock*
● Timing attack: The correct key will have a
longer delay
● Problem: 5 tries, then locked out for 10
minutes
● Counter of tries stored in EEPROM
● Reset counter by turning off MCU shortly
after write of counter started, where cell is
erased but not written yet
● Mitigate: Constant time for comparison,
S&G Titan PivotBolt [by Plore]
hashed secrets

[by Plore]

* See Talk “DEF CON 24 - Plore - Side channel attacks on high security electronic safe locks” by Plore
Protection
Protection*
○ Buffer/Stack Overflow Protection, heap overflow protection
■ Use safe equivalent functions (gets()->fgets())
■ Verify buffer bounds
■ Secure compiler flags (-fPIE, -fstack-protector-all, -Wl,-z,noecexstack,
-Wl,-z,noexecheap,..)
■ See https://wiki.debian.org/Hardening#Using_Hardening_Options

○ Injection (SQL/command injection, XSS) protection for webservers

■ Whitelist commands
■ No user data into OS system commands
■ Validate input & output

* See Talk “AppSec EU 2017 Don't Get Caught Em-bed” by Aaron Guzman
Protection*
○ Firmware Updates with cryptographic signatures, update over TLS
■ Force updates for high critical bugs
■ Anti-rollback protection
■ Infrastructure with pub-priv key for verifying signed packages
■ Don't Roll Your Own Crypto!

○ Secure sensitive information

■ No hardcoded secrets (usernames, passwords, tokens, priv keys,.).
■ Store secrets only in protected storage (NOT EEPROM, flash)
■ Use Trusted Execution Environment (TEE) or security element (SE), TrustZone (for ARM)

* See Talk “AppSec EU 2017 Don't Get Caught Em-bed” by Aaron Guzman
Protection*
○ Identity Management
■ Separate accounts for internal/remote web management, internal/remote console access
■ No sessionIDs/Tokens/Cookies in URL (can be replayed)
■ Tokens should be randomized, and invalidated on logout
■ Secure and complex password for accessing UART, EEPROM, ssh
■ Each device: individual secret (one device’s gets hacked, the others stay safe)

○ Hardened toolchains, libraries and frameworks

■ Remove unused language/shell interpreters (/bin/dash, /bin/bash, /bin/ash, /bin/zsh, ..),
dead (debugging) code (dead code which can be used for attacks), unused libs
■ Disable ancient legacy protocols (ftp, telnet, ..)
■ Remove debugging interfaces
■ Remove (or secure) backdoors management interfaces for consumer support/debugging
purposes,...usually with root privilege
■ Check third party code and SDKs

* See Talk “AppSec EU 2017 Don't Get Caught Em-bed” by Aaron Guzman
Protection*
○ Keep kernel, frameworks & libraries up to date
■ Use package managers opkg, ipkg
■ Check against vulnerabilities DBs
■ Load tools to check third party code and components (retirejs, libscanner, nsp, lynis, owasp
zap, ..),

○ Threat modeling

* See Talk “AppSec EU 2017 Don't Get Caught Em-bed” by Aaron Guzman
Take-aways

● Main attack vectors: web-interface, crypto, outdated/unpatched firmware,

sniffing unencrypted communication and cleartext passwords..
● Don’t have your key or password fixed in your binary, store secrets in
hardware protected place
● Integrate security tests into your CI/development cycles

● There is always a way to hack a system, just a matter of cost and time
Questions?
Ressources
● https://www.owasp.org/index.php/OWASP_Embedded_Application_Security
● http://www.sharcs-project.eu/m/documents/papers/a01-cojocar.p df (Off-the-shelf Embedded
Devices as Platforms for Security Research)
● https://www.handymanhowto.com/how-to-fix-a-bricked-hikvision-ip-camera-firmware/
● http://jcjc-dev.com/2016/06/08/reversing-huawei-4-dumping-flash/
● http://konukoii.com/blog/2018/02/16/5-min-tutorial-root-via-uart/
Recommended Talks
● “34C3 - Unleash your smart-home devices: Vacuum Cleaning Robot Hacking” by Dennis Giese,
Daniel Wegemer from TU Darmstadt
● “Hardware Hacking - Extracting Information From Chips“ by Dmitry Nedospasov
● “Lockpicking in the IoT...or why adding BTLE to a device sometimes isn't smart at all“ by Ray
● “DEF CON 24 - Plore - Side channel attacks on high security electronic safe locks” by Plore
● Hack All The Things: 20 Devices in 45 Minutes
● “Black Hat 2013 - Exploiting Network Surveillance Cameras Like a Hollywood Hacker” by Craig
Heffner