One of the differentiating risk factors for an IoT device is that its domain is in the physical world – an attacker may be able to physically interact with your device.
As a collection of engineers at Device Authority, many of us have an interest in hardware modding, and investigating devices for their security vulnerabilities in order to better protect them.
This blog will give a brief overview of IoT hacking, and some links to tools we’ve found useful.
The overall flow for IoT hacking tends to be straightforward: identify a target, gain access to the device's electronics, then enumerate and investigate the device so that its firmware and hardware can be reverse engineered.
The exploitee.rs wiki maintains an excellent list of vulnerable devices that are brilliant for learning the basic principles. Higher value targets include popular consumer devices, or higher impact equipment where compromises impact safety and large-scale loss of privacy – especially in the medical and automotive industries.
With a target chosen, gaining access to the internal mechanisms can become a tricky puzzle: many IoT devices are physically hardened against an attacker, with shielding around ports and openings, and cases held shut with hidden or uncommon screw types.
Once the device has been opened, the next steps are to identify any ports used for maintenance or debugging, and to grab a copy of the firmware to reverse engineer in a lab setting.
A device's firmware is typically a single image file, often compressed, containing its operating system and all the files required for the device to operate. A tool such as the Bus Pirate speaks the low-level bus protocols (SPI, I2C, UART and others) used by the flash chips and serial ports on the board, so it allows you to begin to extract firmware from a device, which can later be hosted within an emulator. A useful tutorial on the Bus Pirate is hosted at Dangerous Prototypes.
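Once a dump has been pulled off the flash, the first question is what is inside it. The following is an added example (not code from this blog, from Device Authority, or from the Bus Pirate project) of the signature-scanning step that tools such as binwalk automate: it walks a raw image looking for well-known magic bytes (gzip, SquashFS, ELF) and carves the gzip member it finds. The firmware image it scans is constructed inline for the example; the three signatures are real, but the offsets and padding are arbitrary.

```go
package main

import (
	"bytes"
	"compress/gzip"
	"fmt"
	"io"
)

// Signature is a magic-byte pattern that marks an embedded file or
// filesystem inside a raw flash dump (the same idea binwalk uses).
type Signature struct {
	Name  string
	Magic []byte
}

// Well-known magics: the gzip header usually marks a compressed kernel or
// initramfs, "hsqs" is a little-endian SquashFS superblock (the usual root
// filesystem on Linux-based IoT devices), and 0x7f "ELF" marks a binary.
var signatures = []Signature{
	{"gzip", []byte{0x1f, 0x8b, 0x08}},
	{"squashfs", []byte("hsqs")},
	{"elf", []byte{0x7f, 'E', 'L', 'F'}},
}

// Hit records which signature matched and at which offset in the image.
type Hit struct {
	Name   string
	Offset int
}

// Scan reports every occurrence of every known signature in the image.
// Short magics can match by chance inside compressed data, so treat each
// hit as a lead to verify rather than a certainty.
func Scan(image []byte) []Hit {
	var hits []Hit
	for _, sig := range signatures {
		pos := 0
		for {
			i := bytes.Index(image[pos:], sig.Magic)
			if i < 0 {
				break
			}
			hits = append(hits, Hit{sig.Name, pos + i})
			pos += i + 1
		}
	}
	return hits
}

// CarveGzip decompresses the gzip member that starts at offset. Multistream
// mode is disabled so the reader stops at the end of that member instead of
// failing on whatever flash contents follow it.
func CarveGzip(image []byte, offset int) ([]byte, error) {
	zr, err := gzip.NewReader(bytes.NewReader(image[offset:]))
	if err != nil {
		return nil, err
	}
	defer zr.Close()
	zr.Multistream(false)
	return io.ReadAll(zr)
}

// BuildSampleImage constructs a fake flash dump for this example: erased
// flash (0xff), a gzip-compressed "kernel", padding, then SquashFS and ELF
// headers. Real dumps are megabytes; the layout here is invented.
func BuildSampleImage() []byte {
	var kernel bytes.Buffer
	zw := gzip.NewWriter(&kernel)
	zw.Write([]byte("Linux version 4.4.0 (constructed kernel banner)"))
	zw.Close()

	var img bytes.Buffer
	img.Write(bytes.Repeat([]byte{0xff}, 64))
	img.Write(kernel.Bytes())
	img.Write(bytes.Repeat([]byte{0x00}, 32))
	img.Write([]byte("hsqs"))
	img.Write(bytes.Repeat([]byte{0x00}, 16))
	img.Write([]byte{0x7f, 'E', 'L', 'F'})
	return img.Bytes()
}

func main() {
	img := BuildSampleImage()
	for _, h := range Scan(img) {
		fmt.Printf("%-9s at offset 0x%x\n", h.Name, h.Offset)
		if h.Name == "gzip" {
			if data, err := CarveGzip(img, h.Offset); err == nil {
				fmt.Printf("  carved %d bytes: %q\n", len(data), data)
			}
		}
	}
}
```

On a real dump the carved gzip member is what you would feed to an emulator such as QEMU, and a SquashFS hit is where you would point unsquashfs; the point of doing this by hand once is to understand what binwalk is telling you when its signature table lights up.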
Not all IoT devices have exposed USB ports, but if your target device does, the FaceDancer21 allows your computer to emulate any other USB device, with the emulated device's behaviour scripted in Python, so you can speak to the target over the USB protocol directly.
The JTAGulator is an open source tool that helps identify on-chip debug interfaces (such as JTAG and UART) and map out which pins on the board carry them. On first opening a device it can be difficult to locate these interfaces by hand, yet they are what give you memory manipulation and the ability to modify the device's behaviour on the fly. The JTAGulator turns what could be a difficult and time-consuming enumeration task into a rapid one.
Less exciting than the electronic hardware tools, but just as necessary: physical access to a device is aided by a strong set of drivers. My personal favourite is the Gocheer set, which includes many of the rarer types such as Torx security, tri-point and star bits.
Sometimes a bit of brute force is needed: a good claw hammer is not to be underestimated for ripping devices off walls and smashing open cases that have proven too secure to delicately pry apart.
This stubby hammer is small enough to slip into your tool bag, but useful enough for the rare occasion it’s needed.
Finally, for prying apart hardened plastic boxes, a spudger is a must-have! Its thin, flexible metal blade slips into gaps and gently pries the case apart so you can begin your IoT hacking!
In all of these scenarios, strong encryption of data both at rest and in transit, and avoiding default or easily guessable passwords on administration panels, are the core hardening points that defeat an attacker! Even though an attacker may be able to reverse engineer and exploit the hardware, if all firmware is signed and verified before it runs, the device's state is measured and monitored for changes, and stored data is encrypted, it becomes very difficult to capitalise on any physical access.
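What "signed firmware, monitored for changes" looks like in practice, as an added example that is not Device Authority's code or any vendor's real image format: the build server length-prefixes the firmware payload and signs it with Ed25519; the bootloader, which holds only the public key, checks the layout and the signature before it will run the payload; and a SHA-256 measurement taken at provisioning is compared against the flash on every boot. The image layout, the payload and the tampering step are all assumptions constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// Assumed image layout for this example (not a real vendor format):
//   4 bytes   big-endian payload length
//   N bytes   firmware payload
//   64 bytes  Ed25519 signature over (length || payload)
const sigLen = ed25519.SignatureSize

var ErrBadImage = errors.New("firmware image rejected: bad layout or signature")

// NewKeyPair models the vendor's signing key. Only the public half is
// provisioned onto the device, ideally in ROM or OTP so it cannot be swapped
// by someone with physical access to the flash.
func NewKeyPair() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

// SignImage is the build-server side: length-prefix the payload and sign it.
func SignImage(priv ed25519.PrivateKey, payload []byte) []byte {
	body := make([]byte, 4+len(payload))
	binary.BigEndian.PutUint32(body, uint32(len(payload)))
	copy(body[4:], payload)
	return append(body, ed25519.Sign(priv, body)...)
}

// VerifyImage is the bootloader side. It checks the layout before touching
// the signature, so a truncated or oversized image cannot cause an
// out-of-range read, and returns a payload only if the signature verifies.
func VerifyImage(pub ed25519.PublicKey, image []byte) ([]byte, error) {
	if len(image) < 4+sigLen {
		return nil, ErrBadImage
	}
	n := int(binary.BigEndian.Uint32(image))
	if n != len(image)-4-sigLen {
		return nil, ErrBadImage
	}
	body, sig := image[:4+n], image[4+n:]
	if !ed25519.Verify(pub, body, sig) {
		return nil, ErrBadImage
	}
	return body[4:], nil
}

// Measure hashes a flash region; the value recorded at provisioning is the
// "golden" measurement that later boots compare against.
func Measure(region []byte) [32]byte { return sha256.Sum256(region) }

// Changed reports whether the current measurement differs from the golden one.
func Changed(golden, current [32]byte) bool { return golden != current }

func main() {
	pub, priv := NewKeyPair()
	image := SignImage(priv, []byte("constructed firmware payload v1.0"))
	if payload, err := VerifyImage(pub, image); err == nil {
		fmt.Printf("genuine image accepted: %q\n", payload)
	}
	tampered := append([]byte(nil), image...)
	tampered[10] ^= 0x01 // attacker patches one byte of the payload in flash
	if _, err := VerifyImage(pub, tampered); err != nil {
		fmt.Println("tampered image:", err)
	}
	golden := Measure(image)
	fmt.Println("flash changed since provisioning:", Changed(golden, Measure(tampered)))
}
```

Two things carry the security here. The private key never touches the device, so dumping the flash with a Bus Pirate yields nothing that lets an attacker forge an update; and the length field is validated against the real image size before it is used, so a corrupted header is rejected rather than trusted. In a real device the golden measurement would itself live somewhere the attacker cannot rewrite, such as a TPM or secure element, otherwise the monitor can be patched along with the firmware.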