The IoT Hacker's Handbook: A Practical Guide to Hacking the Internet of Things

© Aditya Gupta 2019

Aditya GuptaThe IoT Hacker's Handbookhttps://doi.org/10.1007/978-1-4842-4300-8_1

1. Internet of Things: A Primer

Aditya Gupta¹ 

(1)

Walnut, CA, USA

In the world of communication technology, two of the events that hold special significance are the invention of ARPANET, a computer network allowing computers to exchange data even when being geographically separate, and the rise of the Internet of Things (IoT). The latter, however, was an evolving process instead of a single event. The earliest implementations of the IoT concept occurred when a couple of Carnegie Mellon University students found a way to monitor the number of cans remaining in a vending machine by allowing devices to communicate with the external world. They did this by adding a photosensor to the device that would count every time a can left the vending machine, and thus, the number of remaining cans was calculated. These days IoT devices are capable of monitoring your heart rate, and even controlling it if required in the case of an adverse event. Moreover, some IoT devices can now serve as a source of evidence during trials in court, as seen in late 2015, when the FitBit data of a woman was used in a murder trial. Other incidents include usage of pacemaker data and Amazon Echo recordings in various court trials. The journey of IoT devices from a university dorm room to being present inside human beings is fascinating, to say the least.

Kevin Aston, when he first mentioned the term Internet of Things, would probably not have imagined that these devices would soon be overtaking the entire human population in number. Aston mentioned the term in reference to radio-frequency identification (RFID) technology, which was being used to connect devices together. The definition of IoT has since changed, with different organizations giving their own meaning to the term. Qualcomm and Cisco came up with the term called Internet of Everything (IoE) , which some believe was for a marketing agenda. The term according to them means extending the concept of the IoT from being limited to machine-to-machine communication to machines communicating with both machines and the physical world.

The very first glimpse of the current day IoT was seen in June 2000 when the first Internet-connected refrigerator, the Internet Digital DIOS, was revealed by LG. The refrigerator contained a high-quality TFT-LCD screen with a number of functionalities, including displaying the temperature inside the refrigerator, providing freshness scores of the stored items, and using the webcam functionality to keep track of the items being stored. The early device that probably got the most attention from the media and consumers was the Nest Learning Thermostat in October 2011. This device was able to learn the user’s schedule to adjust different desired temperatures at different times of day. The acquisition of this IoT thermostat company by Google for US$3.2 billion was the event that made the world aware of the upcoming revolution in technology.

Soon, there were hundreds of new startups trying to interconnect all the different aspects of the physical world to devices and large organizations starting specialized internal teams to come up with their own range of IoT devices to be launched in the market as soon as possible. This race to create new so-called smart devices brings us to the present, where we are able to interact with our smart TVs at home while sipping a cup of coffee prepared by an Internet-controlled coffee machine and controlling the lights by the music playing on your smart assistant. IoT, however, is not just limited to our physical space. It also has numerous applications in enterprises, retail stores, health care, industry, power grids, and even advanced scientific research.

The policymakers of the digital world struggled with the fast pace of the rise of IoT devices, and could not come up with strict quality controls and safety regulations. This changed only recently, when organizations like GSMA came up with security and privacy guidelines for IoT devices, and the Federal Trade Commission (FTC) laid out steps to be followed to ensure safety and security. However, the delay led to widespread adoption of IoT devices in all different verticals, and it also enabled developers to ignore security considerations when it comes to these devices. It was not until the widespread effect of the Mirai botnet that the security shortcomings of these devices would be known. Mirai was a botnet that attacked IoT devices, mostly Internet-connected cameras, by checking the status of Ports 23 and 2323 and brute forcing authentication using common credentials. Unsurprisingly, many of the IP cameras exposed to the Internet had telnet available with an extremely common username and password, which was easy to find. The same botnet was also later used to take over Liberia’s Internet infrastructure as well as on DYN, which led to an attack on several popular web sites, including GitHub, Twitter, Reddit, and Netflix.

Over the past couple of years, even though security of these devices has slowly improved, it has not yet reached a point where these devices can be considered extremely safe to use. In November 2016, four security researchers—Eyal Ronen, Colin O’Flynn, Adi Shamir, and Achi-Or Weingarten—came up with an interesting proof-of-concept (PoC) worm that attacked using drones and took control of the Philips Hue smart lights of an office building. Even though the attack was just a PoC, it is not a reach to think that we would be seeing smart-device ransomware similar to WannaCry, asking us for money to open the lock on our door or to turn on a pacemaker. Nearly every smart device has been determined to have critical security and privacy issues, including smart home automation systems, wearable devices, baby monitors, and even personal sex toys. Considering the amount of intimate data these devices collect, it is scary to see how much exposure we have to cyberattacks.

The rise in security incidents in IoT devices has also led to increasing demand for IoT security professionals, both as builders and breakers. This allows organizations to ensure that their devices are protected from the vulnerabilities that malicious attackers can use to compromise their systems. Additionally, a number of companies have started offering bug bounties to incentivize researchers to assess the security of their IoT devices, with some even shipping free hardware devices to researchers. In the coming years, this trend is set to grow, and with the rise of IoT solutions in the market, there will be a heightened demand for specialized IoT security professionals in the workforce.

Previous IoT Security Issues

The best way to learn about the security of these devices is looking at what has happened in the past. By learning about the security mistakes other product developers have made in the past, we can gain an understanding of what kind of security issues to expect in the product we are assessing. Even though some terms might seem unfamiliar here, we discuss them in detail in the upcoming chapters.

Nest Thermostat

The paper Smart Nest Thermostat : A Smart Spy in Your Home by Grant Hernandez, Orlando Arias, Daniel Buentello, and Yier Jin, mentions some of the security shortcomings of Google Nest that allowed the installation of a new malicious firmware on the device. This was done by pressing the button on Nest for about 10 seconds to trigger the global reset. At this stage, the device could be made to look for USB media for firmware by communicating with the sys_boot5 pin. On the USB device, a malicious firmware was present, which the device then used while booting .

Jason Doyle identified another vulnerability in Nest products that involved sending a custom-crafted value in the Wi-Fi service set identifier (SSID) details via Bluetooth to the target device, which would then crash the device and ultimately reboot it. This would also allow a burglar to break into the house during the duration of the device reboot (around 90 seconds) without being caught by the Nest security camera .

Philips Smart Home

Philips home devices suffered from a number of security issues across the product range. These include the popular Philips Hue worm built as a PoC by security researchers Eyal Ronen, Adi Shamir, Achi-Or Weingarten, and Colin O’Flynn. In the PoC they demonstrated how the hard-coded symmetric encryption keys used by Philips devices could be exploited to gain control over the target devices over ZigBee. It also included automatic infection of Philips Hue bulbs placed near each other .

In August 2013, Nitesh Dhanjani, a security researcher, also came up with a novel technique to cause permanent blackouts by using a replay attack technique to gain control of the Philips Hue devices. He discovered this vulnerability after he realized that the Philips Hue smart devices were only considering the MD5 of the media access control (MAC) address as the single parameter to validate the authenticity of a message. Because the attacker can very easily learn the MAC address of the legitimate host, he or she can craft a malicious packet indicating that it came from the genuine host and with the data packets with the command to turn the bulb off. Doing this continuously would allow the attacker to cause a permanent blackout with the user having no other option than to replace the light bulb .

Philips Hue (and many other smart devices today) uses a technology called ZigBee to exchange data between the devices while keeping resource consumption to a minimum. The same attack that was possible on the device using Wi-Fi packets would also be applicable to ZigBee. In the case of ZigBee, all an attacker would need to do is simply capture the ZigBee packets for a legitimate request, and simply replay it to perform the same action at a later point in time and take over the device. We will also look at capturing and replaying ZigBee packets in Chapter 10 .

Lifx Smart Bulb

Smart home devices have been one of the most popular research targets among the security community. Another early example occurred when Alex Chapman, a security researcher from the firm Context, discovered serious security vulnerabilities in the Lifx smart bulb, making it possible for attackers to inject malicious packets into the network, obtain decrypted Wi-Fi credentials, and take over the smart light bulbs without any authentication.

The devices in this case were communicating using 6LoWPAN, which is another network communication protocol (just like ZigBee) built on top of 802.15.4. To sniff the 6LoWPAN packets, Chapman used an Atmel RzRaven flashed with the Contiki 6LoWPAN firmware image, allowing him to look at the traffic between the devices. Most of the sensitive data exchange happening over this network was encrypted, which made the product appear quite secure.

One of the most important things during IoT penetration testing is the ability to look at the product in its entirety, rather than just looking at one single component to identify the security issues. This means that to figure out how the packets are getting encrypted in the radio communication, the answer most likely lies in the firmware. One of the techniques to get the firmware binary of a device is to dump it via hardware exploitation techniques such as JTAG, which we cover in Chapter 6. In the case of Lifx bulbs, JTAG gave access to the Lifx firmware, which when reversed led to the identification of the type of encryption, which in this case was Advanced Encyrption Standard (AES), the encryption key, the initialization vector, and the block mode used for encryption. Because this information would have been same for all the Lifx smart bulbs, an attacker could take control of any light bulb and break into the Wi-Fi because the device was also communicatng the Wi-Fi credentials over the radio network, which could now be decrypted .

The Jeep Hack

The Jeep Hack is probably the most popular IoT hack of all time. Two security researchers, Dr. Charlie Miller and Chris Valasek, demonstrated in 2015 how they could remotely take over and control a Jeep using vulnerabilities in Chrysler’s Uconnect system, resulting in Chrysler having to recall 1.4 million vehicles.

The complete hack took advantage of many different vulnerabilities, including extensive efforts in reverse engineering various individual binaries and protocols. One of the first vulnerabilities that made the attack possible was the Uconnect software, which allowed anyone to remotely connect to it over a cellular connection. Port 6667 was accessible with anonymous authentication enabled and was found to be running D-Bus over IP, which is used to communicate between processes. After interacting with D-Bus and obtaining a list of available services, one of the services with the name NavTrailService was found to have an execute method that allowed the researchers to run arbitrary code on the device. Figure 1-1 shows the exploit code that was used to open a remote root shell on the head unit .

Figure 1-1

Exploit code. Source: Image from official white paper at http://illmatics.com/Remote%20Car%20Hacking.pdf

Once arbitrary command execution was gained, it was possible to perform a lateral movement and send CAN messages taking control of the various elements of the vehicle, such as the steering wheel, brakes, headlights, and so on.

Belkin Wemo

Belkin Wemo is a product line offering consumers whole-home automation. Belkin Wemo is an interesting case in which the developers took precautions to prevent attackers from installing malicious firmware on the device. The firmware updates for Belkin Wemo, however, happened over an unencrypted channel that allowed attackers to modify the firmware binary package during the update. As a protection measure, the Belkin Wemo used a GNU Privacy Guard (GPG)-based encrypted firmware distribution mechanism so the device would not accept malicious firmware packages injected by an attacker. This security protection was overcome extremely easily because the device was distributing the firmware signing key along with the firmware during the update process, all over an unencrypted channel. An attacker could therefore easily modify the package, as well as sign it with the correct signing key, and the device would happily accept this firmware. This vulnerability was discovered by Mike Davis of IOActive in early 2014 and was rated a (CVSS) score of 10.0 for the criticality of the vulnerability .

Later, Belkin was found to have a number of other security issues including bugs such as SQL injection and modification of the name of the device to execute arbitrary JavaScript on the user’s Android smartphone among others. Additional research was performed on Belkin Wemo by the FireEye group (see https://www.fireeye.com/blog/threat-research/2016/08/embedded_hardwareha.html ), which involved obtaining access to the firmware and debugging console using Universal Asynchronous Receiver Transmitter (UART) and Serial Peripheral Interface (SPI) hardware techniques . This also led them to identify that via hardware access, one can easily modify the bootloader arguments, rendering the device’s firmware signature verification check useless.

Insulin Pump

A security researcher named Jay Radcliffe working for Rapid7 identified that some medical devices, specifically insulin pumps , could be suffering from a replay-based attack vulnerability. Radcliffe, a Type 1 diabetic himself, set out to research one of the most popular insulin pumps on the market, the OneTouch Ping insulin pump system by Animas, a subsidiary of Johnson & Johnson. During the analysis, he found that the insulin pump used clear-text messages to communicate, which made it extremely simple for anyone to capture the communication, modify the dosage of insulin to be delivered, and retransmit the packet. When he tried out the attack on the OneTouch Ping insulin pump, it worked flawlessly, with there being no way of knowing the amount of insulin that was being delivered during the attack.

The vulnerability was patched by the vendor, Animas, within five months, which shows that at least some companies take security reports seriously and take actions to keep consumers safe .

Smart Door Locks

A security researcher with the handle Jmaxx set out on a challenge to find security weaknesses in the August smart lock , considered to be one of the most popular and safest smart locks, used by both consumers for their homes and Airbnb hosts to allow guests to check in at their convenience. Some of the vulnerabilities that he discovered included the ability of guests to turn themselves into an admin by modifying a value in the network traffic from user to superuser, firmware not being signed, app functionality to