IOT SECURITY ASSESSMENT Pentester's Approach


  1. IoT Security Assessment: Pentester's Approach
     Jatan Raval
     Is Smart Home Safe?
  2. IoT Device Concept
  3. IoT Device Concept
  4. Attack Surfaces on IoT
     ● Hardware Level
     ● Software Level
     ● Communication Protocol Analysis
  5. Hardware Level Attack Vectors
     ● Hardware Level
       ○ Gaining a shell via debug points
         ■ Identifying the communication points (Tx, Rx)
       ○ Dumping firmware from the memory chip
         ■ De-soldering the component and reading its contents
       ○ Fault Injection
         ■ Voltage/Clock Glitching
         ■ Optical Fault Injection
         ■ Electromagnetic Fault Injection
  6. Software Level Attack Vectors
     ● Software Level
       ○ Extracting sensitive information from the firmware
       ○ Modifying the firmware
       ○ Uploading the malicious firmware
       ○ Gaining a shell via a default password
       ○ Emulating the firmware
       ○ Hooking functions to understand the logic
  7. Communication Attack Surface
     ● Communication Level
       ○ Sniffing
       ○ Injection attack
       ○ Fuzzing the protocol
       ○ Replay Attack
       ○ MiTM
  8. Smart Home Automation
  9. Pentester's Approach
     ● Understanding the architecture
     ● Identifying the attack vectors on the smart switch
     ● Observing the hardware details
     ● Extracting the firmware from the chip
     ● Analyzing the firmware for sensitive information
     ● Getting into the network
     ● Understanding the communication
     ● Duplicating the communication and controlling the switch
  10. Hardware Level - Identifying the Hardware Details
     ● Open the IoT device
     ● Identify each component
     ● Identify the ways to communicate with the chip
     ● Identify the model of the CPU/SPI flash
     ● Download the datasheet for the CPU/SPI flash and learn how to communicate with it
  11. Download the Firmware via Onboard Pins
     ● Identify the onboard pins used to communicate with the CPU
  12. Download the Firmware via Onboard Pins
     ● Solder headers onto the pins to connect
  13. Download the Firmware via Onboard Pins
     ● Download the tools required to dump the firmware
  14. Download the Firmware via Onboard Pins
     ● Connect the pins to a USB-TTL adapter and connect it to the laptop
  15. Download the Firmware via Onboard Pins
     ● Download the firmware
  16. Download the Firmware via Desoldering the SPI Flash
     ● Identify the SPI flash chip that stores the firmware
  17. Download the Firmware via Desoldering the SPI Flash
     ● De-solder the SPI flash from the PCB
  18. Download the Firmware via Desoldering the SPI Flash
     ● Put the SPI flash into an SPI reader
  19. Download the Firmware via Desoldering the SPI Flash
     ● Read the entire chip contents
  20. Firmware Analysis
     ● Search the firmware image for the WiFi credentials (strings labelled SSID and Password) in order to enter the network
  21. Connecting to the Network
  22. Communication Protocol Analysis
     ● Identify and understand the protocol used for the communication
  23. Communication Protocol Analysis
     ● Sniff the packets between the mobile application and the switch
     ● Create a duplicate request
     ● Send it to the switch IP and check the status
  24. Packet Duplication
     ● A MiTM position is needed to sniff the traffic between the application and the switch
  25. Packet Duplication
     ● Sniff the traffic between the application and the switch
  26. Packet Duplication
     ● Send the duplicate request from our machine; the switch returns a success response
  27. Alternative Ways
     1. Use frida to hook the exact function that creates the request
        ○ Helps in understanding the encryption logic
        ○ Control other switches
     2. Use scapy to craft the network packet and send it to the switch
        ○ Understand the packet structure
  28. Q & A
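As an added example (not part of the deck), the firmware-analysis step of slide 20 done with a small Python strings scanner over a constructed firmware blob: it lists printable strings the way `strings` does and flags any label=value pair whose label looks like a Wi-Fi credential, which is the finding a firmware audit should report. The credential label patterns and the NUL-separated config layout are assumptions.

```python
# Added example (not from the slide deck): a "strings"-style scanner that audits a
# firmware image for plaintext Wi-Fi credentials stored next to labels such as
# SSID / Password, i.e. the check slide 20 performs by hand.
import re
from typing import List, Tuple

# Assumed labels that commonly mark Wi-Fi credentials in config blobs.
CREDENTIAL_LABELS = re.compile(r"(ssid|pass(word|phrase)?|psk|wpa_?key)", re.IGNORECASE)

# Constructed sample image: header bytes, NUL-separated config strings, junk bytes.
SAMPLE_FIRMWARE = (
    b"\x7fELF\x01\x00\x00\x00"
    b"boot_version=1.2\x00"
    b"SSID=HomeNet-2G\x00"
    b"Password=hunter2!\x00"
    b"\xff\xff\xff\xff"
    b"psk=supersecret\x00"
    b"\x00\x00mqtt_host=broker.local\x00"
)


def extract_strings(blob: bytes, min_len: int = 4) -> List[str]:
    """Return every run of at least min_len printable ASCII bytes (like `strings`)."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group().decode("ascii") for m in re.finditer(pattern, blob)]


def find_credentials(blob: bytes) -> List[Tuple[str, str]]:
    """Return (label, value) pairs for label=value strings whose label looks like
    a Wi-Fi credential; each hit is a plaintext secret sitting on the flash chip."""
    hits = []
    for s in extract_strings(blob):
        if "=" not in s:
            continue
        label, value = s.split("=", 1)
        label = label.strip()
        if CREDENTIAL_LABELS.fullmatch(label):
            hits.append((label, value))
    return hits


if __name__ == "__main__":
    for label, value in find_credentials(SAMPLE_FIRMWARE):
        print(f"plaintext credential in firmware: {label}={value}")
```

A hit means the credentials are recoverable by anyone who can dump the chip, so on the product side they belong outside the image or encrypted under a key the device derives at runtime.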
