IoT Hacking Basics Intro
_ _ _ _ _ _ _ _ _ _ _ _ _ _ _
/ \ / \ / \ / \ / \ / \ / \ / \ / \ / \ / \ / \ / \ / \ / \
( I | O | T ) ( H | A | C | K | I | N | G ) ( I | N | T | R | O )
\_/ \_/ \_/ \_/ \_/ \_/ \_/ \_/ \_/ \_/ \_/ \_/ \_/ \_/ \_/
IoT Security Assessment - Intro
This is more of a bullet-point list of the angles from which one can approach hacking an IoT device, rather than a real tutorial.
IoT devices (often repurposed RPi, Android, OrangePI boards) can be analyzed using the STRIDE framework:
| Threat Type | Description |
|---|---|
| Spoofing | Actor impersonates a system component |
| Tampering | Violation of data/system integrity |
| Repudiation | Users deny actions taken |
| Information Disclosure | Confidentiality breach |
| Denial of Service | System availability disruption |
| Elevation of Privilege | Unauthorized access level increase |
Threat Modeling Process
System Architecture Analysis
- Primary IoT device + control servers
- Multiple network units with varying access levels
- External connections (cloud services, enterprise databases)
- Update mechanisms and data flows
Component Decomposition
- Device hardware
- Embedded OS
- Application software
- Communication interfaces
- Server-side services
- User interfaces
Trust Boundaries
- On-premises devices
- Cloud infrastructure
- External users
- Data flow entry points
Restricted User Interface (RUI) Vulnerabilities
Common Attack Vectors
Spoofing:
- PIN observation
- Admin code memorization
Tampering:
- External keyboard input bypass
- Key combination exploits (Alt+F4, Windows key)
- Accessibility feature abuse
- Kiosk mode escape
Security Testing Methodology
1. Passive Reconnaissance (OSINT)
- Device manuals and chipset datasheets
- Online forums and Q&A platforms
- Support tickets analysis
- Patent research
- Google dorking (inurl:pdf + device name)
2. Physical/Hardware Layer Testing
Peripheral Interfaces
USB Ports:
- Check for active/bootable ports
- Boot custom OS for filesystem access
- Extract password hashes
- Install override software
Storage Access:
- Direct disk extraction and analysis
- Unencrypted filesystem mounting
Boot Environment
BIOS/UEFI Assessment:
- Password protection status
- Boot order configuration
- PXE boot vulnerability
- BIOS battery reset potential
- UEFI Secure Boot validation
Debug Interfaces
- Service/test point identification
- Development interface exploitation
- Root shell access via debug ports
- Communication protocol analysis
3. Network Layer Testing
Host Discovery
Techniques:
- ICMP echo requests
- TCP/UDP port scans
- Broadcast traffic monitoring
- ARP request scans (L2 segment)
Note: on complex systems, use several discovery methods, since a firewall or VLAN segmentation may hide hosts from any single technique.
Network Protocol Attacks
Vulnerability Scanning
- Database checks (NVD, VulnDB)
- Automated scanning tools
- Remote code execution identification
- Controlled environment testing
Traffic Analysis
Tools: Wireshark, tcpdump
Capture Points:
- Inter-component communication
- Localhost IPC traffic
- Cross-compiled tool installation
Analysis Focus:
- Cleartext protocols
- Vulnerable protocols (UPnP)
- Proprietary protocols
Protocol Reverse Engineering
Common Patterns:
- TCP/UDP-based custom protocols
- XML/JSON structured data
- Proprietary wireless protocols
Analysis Approach:
- Debug system services
- Driver layer examination
- Upper layer protocol understanding
4. Wireless Protocol Testing
Equipment Requirements
- Injection-capable Wi-Fi chipsets (Atheros)
- Bluetooth tools (Ubertooth)
- Software Defined Radio (HackRF, LimeSDR)
Common Attacks
Wi-Fi:
- Association attacks
- WEP exploitation (deprecated)
- Weak WPA/WPA2 credentials
- WPA3 vulnerabilities
Custom Protocols:
- Authentication bypass
- Missing mutual authentication
- Lack of encryption/integrity checks
Web Application Security Assessment
Application Mapping
Content Discovery
| Discovery Type | Description |
|---|---|
| Visible Content | Map all accessible pages and functionality |
| Hidden Content | Enumerate endpoints not reachable via hyperlinks |
| Default Content | Check for default pages, admin panels, test files |
| Data Entry Points | Identify all user input locations |
| Hidden Fields | Discover concealed form elements and parameters |
Discovery Techniques
Manual Browsing: Essential for context-aware exploration
Automated Spidering:
- Passive: Monitor traffic during manual browsing
- Active: Crawl using discovered URLs and AJAX requests
Directory Brute-forcing:
- Tools like DirBuster (220k+ common names)
- High network traffic generation
- Often discovers unauthenticated endpoints
Parameter Enumeration
- GET/POST parameters
- HTTP headers
- Cookie values
- URL path components
- JSON/XML data structures
Client-Side Controls
Vulnerable Components
- Hidden Fields: Client-controllable values
- Cookies: Session and preference data
- JavaScript: Client-side logic and validation
- AJAX Requests: Asynchronous data calls
- Binary Components: Java applets (.jar), Flash (.swf), Silverlight (.xap)
- ViewState: ASP.NET application state
- ActiveX Controls: Browser plugins
Common Exploits
- Client-side authentication bypass
- Hidden field manipulation
- JavaScript decompilation and modification
- Binary component reverse engineering
- Cookie tampering
Authentication Testing
Credential Assessment
Default Credentials:
- admin/admin, root/root, a/a
- Manual/documentation lookup
- Credential databases
Additional Checks:
- No Authentication: Complete access without credentials
- Dictionary Attacks: Automated password guessing
- Brute-force Protection: Rate limiting and account lockout
Authentication Mechanisms
- Credential Transmission: HTTP vs HTTPS enforcement
- Password Recovery: "Forgot password" functionality
- Remember Me: Persistent authentication
- Username Enumeration: Valid user discovery
- Fail-open Conditions: Authentication bypass on errors
Session Management
Session Vulnerabilities
- Predictable Tokens: Sequential or guessable session IDs
- Unsafe Transmission: Unencrypted session data
- Token Disclosure: Logs, URLs, referrer headers
- Insufficient Expiration: Long-lived sessions
- Session Fixation: Attacker-controlled session IDs
- CSRF: Cross-Site Request Forgery attacks
Testing Areas
- Session token entropy and randomness
- Session lifecycle management
- Concurrent session handling
- Session invalidation on logout
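The token entropy and predictability checks listed above, as an added example (not code from the original page): it scores a sample of hex session tokens on per-position Shannon entropy and on constant-step sequences, and compares a constructed counter-based generator against tokens from the OS CSPRNG. The 3.0-bit threshold is an assumption chosen for this illustration.

```python
"""Check a sample of session tokens for low entropy and sequential IDs."""
import math
import secrets
from collections import Counter


def shannon_bits(symbols):
    """Shannon entropy (bits) of a sequence of symbols."""
    counts = Counter(symbols)
    total = len(symbols)
    return -sum(c / total * math.log2(c / total) for c in counts.values())


def analyze_tokens(tokens, min_avg_bits=3.0):
    """Report on a sample of equal-length hex session tokens.

    avg_bits   mean Shannon entropy per character position (4.0 is the hex maximum)
    sequential True when every consecutive pair differs by the same integer step,
               the signature of counter-based or time-based IDs
    weak       True if either test fails
    """
    width = len(tokens[0])
    if any(len(t) != width for t in tokens):
        raise ValueError("tokens differ in length; analyze each length separately")
    per_position = [shannon_bits([t[i] for t in tokens]) for i in range(width)]
    avg_bits = sum(per_position) / width
    values = [int(t, 16) for t in tokens]
    steps = {b - a for a, b in zip(values, values[1:])}
    sequential = len(steps) == 1
    return {"avg_bits": round(avg_bits, 2), "sequential": sequential,
            "weak": sequential or avg_bits < min_avg_bits}


def weak_tokens(n, start=1000):
    """Constructed weak generator: an incrementing counter printed as 32 hex digits."""
    return [f"{start + i:032x}" for i in range(n)]


def strong_tokens(n):
    """128-bit tokens from the OS CSPRNG, the kind a device should issue."""
    return [secrets.token_hex(16) for _ in range(n)]


if __name__ == "__main__":
    print("counter-based:", analyze_tokens(weak_tokens(256)))
    print("CSPRNG:", analyze_tokens(strong_tokens(256)))
```

Run it against tokens captured from a few hundred logins to the device's web interface; a constant step or an average well under 4 bits per hex digit means the IDs are guessable.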
Access Controls & Authorization
Role-Based Access Control (RBAC)
- User Segregation: Different privilege levels
- Privilege Boundaries: Admin vs user vs guest
- Vertical Escalation: Lower to higher privilege access
- Horizontal Escalation: Same-level user data access
Common Vulnerabilities
- Forced Browsing: Direct URL access bypass
- API Authorization: inconsistent enforcement across different frameworks
- Missing Function-Level Access Control
- Insecure Direct Object References
Testing Methodology
- Map all user roles and permissions
- Test cross-role functionality access
- Verify API endpoint authorization
- Check administrative function protection
Input Validation
Injection Attack Types
| Attack Type | Description |
|---|---|
| SQL Injection | Database query manipulation |
| Cross-Site Scripting (XSS) | Stored, Reflected, DOM-based |
| Command Injection | OS command execution |
| XML External Entity (XXE) | XML parser exploitation |
| LDAP Injection | Directory service attacks |
| NoSQL Injection | Non-relational database attacks |
Testing Approach
- Entry Point Identification: All user input locations
- Payload Testing: Malicious input submission
- Response Analysis: Error messages and behavior
- Bypass Techniques: Filter and WAF evasion
- Sanitization Verification: Input cleaning effectiveness
Logic Flaws
Vulnerability Categories
- Business Logic Bypass: Process flow manipulation
- Race Conditions: Concurrent request exploitation
- State Manipulation: Application flow disruption
- Workflow Violations: Step sequence bypass
Testing Strategies
- Multi-stage Process Analysis: Sequential operation testing
- Parameter Manipulation: Value and timing modification
- Concurrent Request Testing: Race condition identification
- Industry-Specific Logic: Domain knowledge application
Application Server Security
Server Vulnerabilities
- Known CVEs: Public vulnerability databases
- Deserialization Attacks: Object injection
- Web Application Firewall (WAF): Bypass techniques
- Default Configurations: Unnecessary services and content
Configuration Issues
- Directory Listings: File system exposure
- Default Content: Sample files and documentation
- HTTP Methods: Dangerous operations (PUT, DELETE, TRACE)
- Error Handling: Information disclosure
- File Upload: Unrestricted file types
SSL/TLS Assessment
Weak Ciphers: Deprecated encryption algorithms
Certificate Issues:
- Self-signed certificates
- Expired certificates
- Wrong hostname
Additional Checks:
- Protocol Vulnerabilities: SSLv3, weak TLS versions
- Perfect Forward Secrecy: Key exchange security
IoT-Specific Considerations
Common Findings
- Weak Default Credentials: Unchanged factory settings
- Limited Brute-force Protection: Resource constraints
- Client-side Authentication: JavaScript-based validation
- Unauthenticated Endpoints: Hidden administrative functions
- Insecure Firmware Updates: Unverified code installation
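The brute-force protection named under Credential Assessment (rate limiting and account lockout) and the "limited brute-force protection due to resource constraints" finding above, as an added example that is not from the original page: a lockout table with exponential backoff whose memory is capped by an LRU bound, so a username spray cannot exhaust a small device's RAM. The thresholds and the injected `now` clock (pass `time.monotonic()` in production) are assumptions for this illustration.

```python
"""Bounded-memory login throttle for a small device: lockout with exponential backoff."""
from collections import OrderedDict


class LoginThrottle:
    """Per-account failed-login tracking in a fixed-size LRU table.

    threshold   failures before a lockout
    base_lock   first lockout length in seconds, doubled on each further lockout
    max_lock    upper bound on the lockout length
    max_entries cap on tracked accounts, so a username spray cannot exhaust RAM
    """

    def __init__(self, threshold=5, base_lock=30, max_lock=3600, max_entries=512):
        self.threshold, self.base_lock, self.max_lock = threshold, base_lock, max_lock
        self.max_entries = max_entries
        self._state = OrderedDict()  # account -> [failures, locked_until, lock_count]

    def _entry(self, account):
        entry = self._state.get(account)
        if entry is None:
            if len(self._state) >= self.max_entries:
                self._state.popitem(last=False)  # evict the least recently used account
            entry = self._state[account] = [0, 0.0, 0]
        else:
            self._state.move_to_end(account)
        return entry

    def is_locked(self, account, now):
        entry = self._state.get(account)
        return entry is not None and now < entry[1]

    def record_failure(self, account, now):
        """Count a failed attempt; return the lockout length applied (0 if none)."""
        entry = self._entry(account)
        entry[0] += 1
        if entry[0] < self.threshold:
            return 0
        lock = min(self.base_lock * 2 ** entry[2], self.max_lock)
        entry[0], entry[1], entry[2] = 0, now + lock, entry[2] + 1
        return lock

    def record_success(self, account):
        self._state.pop(account, None)


def attempt_login(throttle, account, verify, now):
    """Gate a login: refuse while locked, and only then run the credential check."""
    if throttle.is_locked(account, now):
        return "locked"
    if verify():
        throttle.record_success(account)
        return "ok"
    throttle.record_failure(account, now)
    return "denied"
```

Note that `verify` runs only when the account is not locked, so a locked account costs the device no password hashing.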
Assessment Priorities
- Default credential identification
- Hidden endpoint discovery
- Client-side control bypass
- Authentication mechanism testing
- Privilege escalation verification
Host Configuration Security Review
Overview: post-compromise assessment of system security from the inside, with local access (e.g., the Windows server component of an IoT system).
User Account Security
Account Configuration Testing
- Default Accounts: Check for vendor-default user accounts
- Account Policies:
- Password history requirements
- Password expiration intervals
- Account lockout thresholds
- Enterprise Integration: Active Directory/LDAP compliance
- Centralized Management: Policy enforcement consistency
Common Vulnerabilities
- Non-expiring passwords identical to username
- Overlooked local accounts without centralized management
- Inconsistent security policy application
- Weak password complexity enforcement
Password Strength Assessment
Policy Enforcement
- Windows: Group Policy and Local Security Policy
- Linux: Pluggable Authentication Modules (PAM)
- Complexity Requirements: Length, character sets, patterns
- Business Impact: Balance security with operational needs
Critical System Considerations
- Medical Devices: Emergency access requirements
- Time-Sensitive Operations: Surgical systems, life support
- Risk Assessment: Security vs accessibility trade-offs
Account Privileges
Principle of Least Privilege
- Process Privileges: Elevated rights management
- Service Accounts: Minimal required permissions
- Privilege Dropping: Runtime privilege reduction
- Account Separation: Process isolation
Common Misconfigurations
- Excessive Service Privileges: SYSTEM/root for simple services
- Overprivileged Processes: Unnecessary administrative rights
- Shared Service Accounts: Multiple processes under same account
- Logging Services: High privileges for basic operations
Mitigation Solutions
Windows:
- Managed Service Accounts (MSA)
Linux:
- Capabilities framework
- seccomp system call filtering
- SELinux/AppArmor mandatory access control
Identity Management:
- Kerberos, OpenLDAP, FreeIPA
Patch Management
Update Assessment
- Operating System: Kernel and core components
- Applications: First-party software
- Third-party Libraries: Dependencies and frameworks
- Vendor Support: End-of-life software identification
Detection Methods
- Automated Scanning: Vulnerability assessment tools
- Software Composition Analysis: Open source component analysis
- Authenticated Scans: Credentialed vulnerability testing
- Manual Verification: System-specific checks
IoT-Specific Challenges
| Challenge | Description |
|---|---|
| Firmware Complexity | Embedded system limitations |
| Downtime Costs | ATM machines, critical infrastructure |
| Regulatory Requirements | Medical device testing protocols |
| Physical Access | Implantable device updates |
| Unnecessary Software | Bloatware removal vs patching |
Common Outdated Components
- Windows: Java, Adobe products, Wireshark
- Linux: OpenSSL, system libraries
- Embedded: Legacy firmware components
Remote Maintenance Security
Connection Assessment
- Remote Support Software: Binary analysis and reverse engineering
- Communication Channels: Encryption and authentication
- Access Methods: VPN, direct connection, cloud-based
Process Evaluation
- Connection Duration: 24/7 vs on-demand access
- Authentication: Multi-factor authentication requirements
- Logging: Access audit trails
- Vendor Access Controls: Third-party privilege management
Risk Considerations
- Backdoor Exploitation: Administrative access abuse
- Third-party Breaches: Supply chain attack vectors (Target/HVAC example)
- Unauthorized Access: Persistent connection vulnerabilities
Filesystem Access Controls
Permission Assessment
Critical Directories:
- Windows: C:\Program Files, system directories
- Linux: /root, /etc, system binaries
Additional Checks:
- Service Executables: Write permissions on critical files
- Configuration Files: Administrative access requirements
- Log Files: Read/write access control
Privilege Escalation Vectors
- Writable System Directories: DLL hijacking, binary replacement
- Startup Scripts: Boot-time privilege escalation
- Service Configuration: Executable path manipulation
- Weak File Permissions: Critical file modification
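The permission assessment and the writable-directory escalation vectors above, as an added example (not from the original page) for the Linux side: a POSIX audit that walks critical paths and reports entries an unprivileged user could modify, including the sticky-bit exception for directories like /tmp and a writable setuid binary. The fixture directory it builds is constructed for the illustration; point `audit_writable` at /etc, service binary paths and the like on a real host.

```python
"""POSIX permission audit: files under critical paths that a non-root user could alter."""
import os
import stat
import tempfile


def classify(st):
    """Risk labels for one inode's mode bits (st is an os.stat_result from lstat)."""
    m, labels = st.st_mode, []
    is_dir = stat.S_ISDIR(m)
    # A world-writable directory is only acceptable with the sticky bit, as in /tmp.
    if m & stat.S_IWOTH and not (is_dir and m & stat.S_ISVTX):
        labels.append("world-writable")
    if m & stat.S_IWGRP and st.st_gid != 0:
        labels.append("group-writable")
    if not is_dir and m & (stat.S_ISUID | stat.S_ISGID) and m & (stat.S_IWGRP | stat.S_IWOTH):
        labels.append("writable-setuid")
    return labels


def audit_writable(roots):
    """Walk each root and return {path: labels} for entries with weak permissions.
    lstat is used and symlinks are skipped, so a planted link cannot redirect the audit.
    """
    findings = {}
    for root in roots:
        for dirpath, dirnames, filenames in os.walk(root):
            for name in dirnames + filenames:
                path = os.path.join(dirpath, name)
                try:
                    st = os.lstat(path)
                except OSError:
                    continue  # vanished or unreadable; report nothing rather than guess
                if stat.S_ISLNK(st.st_mode):
                    continue
                labels = classify(st)
                if labels:
                    findings[path] = labels
    return findings


def build_sample_tree():
    """Constructed fixture: one service binary left at 0666, one config file at 0644."""
    root = tempfile.mkdtemp(prefix="audit-")
    paths = {"bad": os.path.join(root, "svc.bin"), "good": os.path.join(root, "app.conf")}
    for p, mode in ((paths["bad"], 0o666), (paths["good"], 0o644)):
        open(p, "w").close()
        os.chmod(p, mode)
    return root, paths
```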
Data Encryption
Sensitive Data Identification
- Protected Health Information (PHI): Healthcare records
- Personally Identifiable Information (PII): Individual identification data
- Business Critical Data: Proprietary information
- Authentication Data: Credentials and tokens
Encryption Assessment
Data at Rest:
- Full-disk encryption
- Database encryption
- File-level encryption
Additional Considerations:
- Cryptographic Strength: Algorithm and key length evaluation
- Key Management: Storage and rotation practices
- Theft Scenarios: Physical device compromise protection
Server Misconfiguration
Service Security
- Default Configurations: Vendor-supplied settings
- Anonymous Access: FTP guest access, public shares
- Default Credentials: Unchanged administrative accounts
- Network Exposure: Unnecessary remote access
Common Vulnerabilities
- FTP Services: Anonymous read/write access
- Database Management: Default credential exposure
- Web Services: Administrative interface exposure
- Network Services: Unnecessary service binding
Critical Findings Examples
- Oracle Enterprise Manager with SYSTEM privileges
- Default credentials enabling OS command execution
- Network-accessible administrative interfaces
- Stored procedure abuse for system compromise
Assessment Priorities
High-Risk Areas
- Service Privileges: Excessive rights identification
- Default Accounts: Unchanged vendor credentials
- Patch Status: Critical vulnerability exposure
- Remote Access: Third-party connection security
- Data Protection: Sensitive information encryption
Testing Methodology
- Automated Tools: Vulnerability scanners, policy analyzers
- Manual Review: Configuration file analysis
- Process Analysis: Running service enumeration
- Permission Auditing: File system access verification
- Network Assessment: Service exposure evaluation