"This workshop is for pentesters, security researchers or someone looking to get into IoT security but is reluctant due to the wide range of technologies involved and plethora of different tools. While it does require a considerable amount of knowledge in the domain, it is not as difficult as you may think. In this workshop we will introduce you to some of the important concepts and EXPLIoT framework in a very simple way that can be used for the various IoT attack vectors. The primary focus of this workshop is to introduce the attendees to the open source IoT Security Testing and Exploitation Framework - EXPLIoT (https://gitlab.com/expliot_framework/expliot) and enable them to use as well as extend it by writing plugins for new IoT based exploits and analysis test cases. It’s a flexible and extendable framework that would help the security community in writing quick IoT test cases and exploits. The objectives of the framework are:
1. Easy to use
2. Extendable
3. Support for hardware, radio and IoT protocol analysis
EXPLIoT currently supports the following protocols which can be utilized for writing new plugins/exploits:
1. Radio – BLE, Zigbee
2. Network – MQTT, CoAP, DICOM, MODBUS, MDNS, NMAP, TCP, UDP
3. Hardware – CAN, SPI, I2C, UART, JTAG
This talk would give attendees a first-hand view of the functionality, how to use it and how to write plugins to extend the framework."
Hacking IoT with EXPLIoT Framework
1. Best Of The World In Security Conference
12-13 November 2020
Hacking IoT with EXPLIoT Framework
Asmita
IoT Security Consultant, Payatu, India
@aj_0x00
2. About Me
• IoT Security Consultant at Payatu, India
  - Embedded Hardware Security
  - Firmware Reverse Engineering
• Trainer/Speaker
  - Checkpoint CPX360, Nullcon, IDCSS, Hackaday Remoticon, Infosec meetups
• Email - asmita@payatu.com
• Twitter - @aj_0x00
3. Agenda
• IoT Attack Surface
• EXPLIoT Framework
  - Architecture
  - Executing plugins
  - Extending the framework by writing your own plugins
• MQTT
  - Protocol
  - Security issues
  - Hands-on with plugins
  - Write a custom plugin
• Plugin Demos
  - BLE plugins demo
  - Zigbee demo
  - I2C plugins demo
4. IoT Attack Surface
5. IoT Attack Surface - Device Hardware
• Hardware debug ports
• Storage
• Bus communication
• Encryption
• Authentication
• Sensor interfaces
• Hardware interfaces
7. IoT Attack Surface - Communication
• Authentication
• Encryption
• Protocol vulnerabilities
• Custom IoT protocols
• Radio communication and protocols
8. IoT Attack Surface - Cloud
• Storage
• Communication
• Authentication
• APIs
• Encryption
• Generic web/cloud vulnerabilities
9. IoT Attack Surface - User application
• Storage
• Communication
• Authentication
• Hardcoded secrets
• Encryption
• Generic application vulnerabilities
10. EXPLIoT Framework
• Open source IoT Security Testing and Exploitation Framework - EXPLIoT
• Framework for security testing IoT devices and IoT infrastructure
• Provides a set of plugins (test cases) and is extendable with your own
• Developed in Python 3
• Support for hardware, radio and IoT protocol analysis
• Easy to use
• Source: https://gitlab.com/expliot_framework/expliot
• Documentation: https://expliot.readthedocs.io/en/latest/
11. EXPLIoT Framework - Architecture
Source: https://expliot.readthedocs.io/en/latest/development/architecture.html
12. Currently Supported Plugins
• Bluetooth LE
• CAN
• CoAP
• Crypto
• DICOM
• I2C
• mDNS
• Modbus
• MQTT
• nmap
• SPI
• TCP
• UART
• UDP
• UPnP
• Zigbee
13. Executing Plugins
• Install the EXPLIoT framework
• Choose the execution mode
  - command line mode
  - interactive mode
Source: https://expliot.readthedocs.io/en/latest/installation/intro.html
https://expliot.readthedocs.io/en/latest/usage/intro.html
14-16. Executing Plugins - Command line mode
(Screenshots of running a plugin directly from the shell; the annotated fields are the plugin name and its arguments.)
Source: https://expliot.readthedocs.io/en/latest/usage/command-line-mode.html#command-line-mode
17-20. Executing Plugins - Interactive mode
(Screenshots of running a plugin from the expliot console; the annotated fields are the plugin name and its arguments.)
Source: https://expliot.readthedocs.io/en/latest/usage/interactive-mode.html
21. Executing Plugins
Detailed videos: https://www.youtube.com/playlist?list=PLpCYsToyPxH-tGseJ3C4Gk0pCNZ-0pl6w
22. Extend the framework - Write your own plugins
• Set up the development environment
  * Don't skip the prerequisites setup
Source: https://expliot.readthedocs.io/en/latest/development/setup.html
23-31. Extend the framework - Write your own plugins
Repository layout walked through on the slides (top level first, then the expliot package):
  EXPLIoT Framework
  ├── setup.py
  ├── docs
  └── expliot
      ├── core
      └── plugins (the test cases)
Source:
https://expliot.readthedocs.io/en/latest/development/development.html
https://gitlab.com/expliot_framework/expliot
32. MQTT Introduction
• Message Queuing Telemetry Transport
• Lightweight messaging protocol
• Publish / Subscribe mechanism through a message broker
• TCP port 1883 (plain text) and 8883 (TLS)
• mqtt.org
• An ISO standard - ISO/IEC 20922 (MQTT 3.1.1)
  http://www.iso.org/iso/catalogue_detail.htm?csnumber=69466
• MQTT 5.0 spec - https://docs.oasis-open.org/mqtt/mqtt/v5.0/mqtt-v5.0.html
33. MQTT Introduction
• Topics: a label for grouping application messages, matched against subscriptions to forward the messages. Ex: foo/bar
• Topic filters: an expression indicating one or more topic names in a subscription; may use wildcards. Ex: foo, foo/#
• Publish messages under specific topics: Publish(topic, message)
• Subscribe/Unsubscribe to/from topic filters
Source: https://payatu.com/blog/aseem/iot-security---part-10-introduction-to-mqtt-protocol-and-security
34. MQTT Introduction
• Multi-level wildcard - '#': must occupy a whole level and be the last character of the filter; it also matches the parent level, so foo/# matches foo as well as foo/bar/baz
• Single-level wildcard - '+': matches exactly one level and may appear at any level, e.g. foo/+/baz
• Topic names beginning with '$' are used for implementation-internal purposes (e.g. $SYS/...); a filter whose first level is a wildcard does not match them, so they must be subscribed to explicitly
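The matching rules above, as an added example that is not part of the EXPLIoT project: a topic-filter matcher written against MQTT 3.1.1/5.0 section 4.7, plus a small broker-style fan-out that answers the "which subscribers receive a publish on topic 'a'" question. The three subscriber filters in `EXAMPLE_SUBSCRIPTIONS` are constructed for illustration (the slides do not show node 1's filter).

```python
"""MQTT topic-filter matching (MQTT 3.1.1 / 5.0, section 4.7).

Added example, not EXPLIoT code. Implements the wildcard rules so the
behaviour of '#', '+' and '$'-prefixed topics can be checked offline.
"""


def validate_filter(topic_filter: str) -> None:
    """Raise ValueError for filters the spec rejects."""
    if not topic_filter:
        raise ValueError("topic filter must be at least one character")
    levels = topic_filter.split("/")
    for i, level in enumerate(levels):
        # '#' must be a whole level and the final level of the filter.
        if "#" in level and (level != "#" or i != len(levels) - 1):
            raise ValueError(f"'#' must be a whole, final level in {topic_filter!r}")
        # '+' must be a whole level (so 'sport+' is invalid).
        if "+" in level and level != "+":
            raise ValueError(f"'+' must occupy a whole level in {topic_filter!r}")


def is_valid_filter(topic_filter: str) -> bool:
    """Boolean wrapper around validate_filter()."""
    try:
        validate_filter(topic_filter)
        return True
    except ValueError:
        return False


def topic_matches(topic_filter: str, topic: str) -> bool:
    """Return True if the concrete topic name `topic` matches `topic_filter`.

    - '+' matches exactly one level, including an empty one ('+/+' matches '/finance').
    - '#' matches the remainder of the topic including the parent level,
      so 'sport/#' matches 'sport' as well as 'sport/tennis/player1'.
    - A filter whose first level is a wildcard never matches a topic whose
      first level starts with '$' (MQTT-4.7.2-1): '#' does not deliver
      $SYS/... messages; you have to subscribe to '$SYS/#' explicitly.
    """
    validate_filter(topic_filter)
    if not topic or "#" in topic or "+" in topic:
        raise ValueError("topic names must be non-empty and contain no wildcards")

    f_levels = topic_filter.split("/")
    t_levels = topic.split("/")

    if t_levels[0].startswith("$") and f_levels[0] in ("#", "+"):
        return False

    for i, f_level in enumerate(f_levels):
        if f_level == "#":
            return True
        if i >= len(t_levels):
            return False
        if f_level != "+" and f_level != t_levels[i]:
            return False
    return len(f_levels) == len(t_levels)


def subscribers_for(subscriptions: dict, topic: str) -> set:
    """Broker-style fan-out: names of clients with at least one matching filter."""
    return {
        client
        for client, filters in subscriptions.items()
        if any(topic_matches(f, topic) for f in filters)
    }


# Constructed example (assumption): what nodes 1-3 might have subscribed to.
EXAMPLE_SUBSCRIPTIONS = {
    "node1": ["b/#"],   # does not match 'a'
    "node2": ["a"],     # exact match
    "node3": ["#"],     # everything except $-prefixed topics
}

if __name__ == "__main__":
    print(sorted(subscribers_for(EXAMPLE_SUBSCRIPTIONS, "a")))
    print(sorted(subscribers_for(EXAMPLE_SUBSCRIPTIONS, "$SYS/broker/version")))
```

With node 4 publishing "Hello" on topic 'a', only node2 and node3 are returned; a publish on `$SYS/broker/version` reaches nobody, because node3's bare `#` is excluded from `$`-topics by the spec.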
35-37. MQTT Introduction - publish/subscribe example
• Nodes 1, 2 and 3 subscribe to different topic filters
• Node 4 publishes "Hello" on topic 'a'
• Nodes 2 and 3 receive the published message but node 1 does not. Why? The broker forwards a message only to subscriptions whose topic filter matches the published topic, and node 1's filter does not match 'a'.
Source: https://payatu.com/blog/aseem/iot-security---part-10-introduction-to-mqtt-protocol-and-security
38. MQTT Introduction - Quality of Service (QoS)
• QoS 0 - At most once delivery
• QoS 1 - At least once delivery
• QoS 2 - Exactly once delivery
• Messages are delivered based on the defined QoS level: a subscriber receives a message at the lower of the QoS it was published with and the QoS of its subscription
39-40. MQTT Protocol - Packet Structure
• Every control packet consists of a fixed header (4-bit packet type plus 4-bit flags, followed by a 1-4 byte variable-length "Remaining Length"), an optional variable header and an optional payload
• The 4-bit type field has 16 possible values; 0 is reserved and v5.0 defines 15 control packet types (v3.1.1 defines 14; v5.0 added AUTH)
Source: https://payatu.com/blog/aseem/iot-security---part-10-introduction-to-mqtt-protocol-and-security
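The packet structure in practice, as an added example that is not EXPLIoT code: a builder and parser for the MQTT 3.1.1 CONNECT packet (fixed header, variable-byte Remaining Length, variable header, payload). Parsing a constructed CONNECT shows exactly what a sniffer on the plain-text port sees: client ID, username and password in the clear. The sample client ID and credentials are made up for the example.

```python
"""Build and parse MQTT 3.1.1 CONNECT packets (spec section 3.1).

Added example, not EXPLIoT code. The sample packet below is constructed
here; parsing it shows why credentials on TCP/1883 are readable from a
packet capture.
"""
import struct

# Values of the 4-bit packet type field in the fixed header (0 is reserved).
PACKET_TYPES = {
    1: "CONNECT", 2: "CONNACK", 3: "PUBLISH", 4: "PUBACK", 5: "PUBREC",
    6: "PUBREL", 7: "PUBCOMP", 8: "SUBSCRIBE", 9: "SUBACK",
    10: "UNSUBSCRIBE", 11: "UNSUBACK", 12: "PINGREQ", 13: "PINGRESP",
    14: "DISCONNECT", 15: "AUTH",  # AUTH exists only in MQTT 5.0
}


def encode_remaining_length(n: int) -> bytes:
    """Variable-byte integer: 7 data bits per byte, high bit = continuation."""
    if not 0 <= n <= 268_435_455:
        raise ValueError("remaining length out of range")
    out = bytearray()
    while True:
        byte, n = n % 128, n // 128
        if n:
            byte |= 0x80
        out.append(byte)
        if not n:
            return bytes(out)


def decode_remaining_length(data: bytes, offset: int):
    """Return (value, next_offset); reject encodings longer than 4 bytes."""
    value, multiplier = 0, 1
    for i in range(4):
        if offset + i >= len(data):
            raise ValueError("truncated remaining length")
        byte = data[offset + i]
        value += (byte & 0x7F) * multiplier
        if not byte & 0x80:
            return value, offset + i + 1
        multiplier *= 128
    raise ValueError("malformed remaining length")


def _utf8_field(s: str) -> bytes:
    """Length-prefixed (big-endian uint16) UTF-8 string."""
    raw = s.encode()
    return struct.pack(">H", len(raw)) + raw


def _read_field(data: bytes, offset: int):
    (length,) = struct.unpack_from(">H", data, offset)
    start = offset + 2
    if start + length > len(data):
        raise ValueError("truncated string field")
    return data[start:start + length].decode(), start + length


def build_connect(client_id, username=None, password=None, keep_alive=60):
    """Assemble a CONNECT packet with clean session set and no Will."""
    flags = 0x02  # bit 1: clean session
    payload = _utf8_field(client_id)
    if username is not None:
        flags |= 0x80  # bit 7: username present
        payload += _utf8_field(username)
    if password is not None:
        flags |= 0x40  # bit 6: password present (binary in the spec; text here)
        payload += _utf8_field(password)
    var_header = _utf8_field("MQTT") + bytes([4, flags]) + struct.pack(">H", keep_alive)
    body = var_header + payload
    return bytes([0x10]) + encode_remaining_length(len(body)) + body


def parse_connect(packet: bytes) -> dict:
    """Parse a CONNECT packet and return its fields, credentials included."""
    ptype, fixed_flags = packet[0] >> 4, packet[0] & 0x0F
    if PACKET_TYPES.get(ptype) != "CONNECT" or fixed_flags != 0:
        raise ValueError("not a well-formed CONNECT fixed header")
    remaining, off = decode_remaining_length(packet, 1)
    if off + remaining != len(packet):
        raise ValueError("remaining length does not match packet size")
    proto, off = _read_field(packet, off)
    level, cflags = packet[off], packet[off + 1]
    (keep_alive,) = struct.unpack_from(">H", packet, off + 2)
    off += 4
    info = {"protocol": proto, "level": level, "keep_alive": keep_alive,
            "clean_session": bool(cflags & 0x02), "username": None, "password": None}
    info["client_id"], off = _read_field(packet, off)
    if cflags & 0x04:  # Will flag: skip Will topic and Will message
        _, off = _read_field(packet, off)
        _, off = _read_field(packet, off)
    if cflags & 0x80:
        info["username"], off = _read_field(packet, off)
    if cflags & 0x40:
        info["password"], off = _read_field(packet, off)
    return info


# Constructed sample (assumption): a client authenticating with default
# credentials, as a sniffer would see it on TCP/1883.
SAMPLE_CONNECT = build_connect("sensor-01", "admin", "admin")

if __name__ == "__main__":
    print(SAMPLE_CONNECT.hex())
    print(parse_connect(SAMPLE_CONNECT))
```

`parse_connect` deliberately validates the Remaining Length against the packet size and caps the variable-byte integer at four bytes; a dissector that skips those checks is the kind of code that falls over on the malformed packets a fuzzer (or a hostile client) sends.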
41. MQTT Security Issues - Attack Possibilities
• Fetching unencrypted sensitive data (credentials, application messages) from packets sniffed on the plain-text port
• DoS attack via a duplicate client ID: the broker drops the existing connection when a second CONNECT arrives with the same client ID
• Insecure/weak authentication: relying on the client ID as the only identity, or default/guessable credentials
• Grab system-level messages via $SYS/#
• Cloning the client
• Attacking and manipulating the devices via malicious input
Source: https://payatu.com/blog/aseem/iot-security---part-10-introduction-to-mqtt-protocol-and-security
42. MQTT Plugins
• mqtt.generic.crackauth
• mqtt.generic.pub
• mqtt.generic.sub
• mqtt.aws.pub
• mqtt.aws.sub
43-46. mqttpub Plugin Implementation
Walk-through of the mqttpub plugin source:
• Class name MqttPub, matching the plugin file name mqttpub.py
• Output format
• Initialization (plugin metadata)
• Argument parser
• Main logic of the plugin
• Exception handling
Source:
https://gitlab.com/expliot_framework/expliot
https://expliot.readthedocs.io/en/latest/tests/mqtt.html
47. MQTT hands-on labs using plugins
Lab 1: Subscribe and Publish using expliot
• Objective - Subscribe to a topic filter and publish messages to the same topic
• Steps:
  - Open a terminal and start the framework: $ expliot
  - Inside the expliot console run "run mqtt.generic.sub -h" for the help menu
  - Open the expliot console in a second terminal
  - Terminal 1: subscribe to a topic using "run mqtt.generic.sub -r localhost -t test"
  - Terminal 2: publish a message to the topic using "run mqtt.generic.pub -r localhost -t test -m hello"
  - The subscribing terminal now receives the message you published
  - You will also see messages from everyone else publishing on the topic test through the same broker
48. MQTT hands-on labs using plugins
Lab 2: Read system-level messages
• Objective - Read system-level messages instead of application messages and gather any interesting information about the broker
• Hint - Subscribe to the right topic ;)
• Steps:
  - Use the EXPLIoT framework and subscribe to the interesting $SYS topics
  - Command: run mqtt.generic.sub -r localhost -t "$SYS/#"
  - If you run the plugin from a shell in command line mode instead, single-quote the filter ('$SYS/#') so the shell does not expand $SYS to an empty string
49. MQTT hands-on labs using plugins
Lab 3: MQTT Client DoS
• Objective - Kill a legitimate MQTT connection by connecting with the same client ID
• Steps:
  - Run the expliot framework in two terminals
  - Terminal 1: subscribe to any topic with a unique client ID using "run mqtt.generic.sub -r localhost -t foobar -i testfoobar"
  - Terminal 2: publish a message with the same client ID to any topic using "run mqtt.generic.pub -r localhost -t test -i testfoobar -m hello"
  - Notice that the subscribing client gets disconnected: the broker must drop the existing connection when a new client connects with the same client ID
  - Against a broker that accepts client IDs without credentials, this lets you knock a legitimate client off the broker, take over its client ID and send malicious data in its place
50. Write a custom plugin - Hands-on
• Hands-on writing of a custom plugin for the framework
• Before getting started, do the setup as described at https://expliot.readthedocs.io/en/latest/development/setup.html
• Reference for the new-plugin setup: https://expliot.readthedocs.io/en/latest/development/new-plugin.html
• Coding style and documentation:
  https://expliot.readthedocs.io/en/latest/development/intro.html
  https://expliot.readthedocs.io/en/latest/development/documentation.html
So, it's time to write your own plugin
51-52. Plugin Demos - Demo 1: I2C Plugin
• Objective - Dump the data from an I2C EEPROM using a protocol adapter
• Plugin: run i2c.generic.readeeprom
Source: https://expliot.readthedocs.io/en/latest/tests/i2c.html
Time for demo
53-54. Plugin Demos - Demo 2: Zigbee Plugin
• ZigBee network scan - zbauditor.generic.nwkscan
• ZigBee packet sniffer - zbauditor.generic.sniffer
• ZigBee packet replay - zbauditor.generic.replay
Source: https://expliot.readthedocs.io/en/latest/tests/zbauditor.html
Time for demo
55-56. Plugin Demos - Demo 3: BLE Plugin
• Scan - ble.generic.scan
• Enumerate - ble.generic.enum
• Write - ble.generic.writechar
• Fuzz - ble.generic.fuzzchar
Source: https://expliot.readthedocs.io/en/latest/tests/bluetooth.html
Time for demo
57. Thank You - Questions?
Asmita
IoT Security Consultant, Payatu, India
@aj_0x00
asmita@payatu.com