IoT Device Hacking and New Direction of IoT Security Evaluation Using Common Criteria

Security Analysis aNd Evaluation Lab.
ICCC 2019
2019. 10. 02
IoT Device Hacking and New Direction of IoT
Security Evaluation Using Common Criteria
Ki Taek Lee* Kwangwoo Lee** Seungjoo Kim***
zizihacker@korea.ac.kr* kwangwoo.lee@hp.com** skim71@korea.ac.kr***
*1st
Author
CIST (Center for Information
Security Technologies),
Korea University
**2nd
Author
HP Inc.
***Corresponding Author
CIST (Center for Information
Security Technologies),
Korea University

2 / 40
Contents
Introduction
Real attack against IoT devices
New Direction of IoT Security Evaluation
Conclusion

3 / 40
Introduction
§ IoT market
§ In 2018, the global IoT market reached about 164 billion U.S. dollars.
§ In 2025, IoT market will reach over 1.5 trillion U.S. dollars.
Source: Size of the Internet of Things (IoT) market worldwide from 2017 to 2025 (in billion U.S. dollars),
https://www.statista.com/statistics/976313/global-iot-market-size/

4 / 40
Introduction
§ Reference model of Internet of Things
§ ITU-T Y. 4000
Source: Fernmeldeunion, Internationale. "ITU-T Y. 4000/Y. 2060 (06/2012)."

5 / 40
Introduction
§ Three high-level considerations for Internet of Things
1. Device Interactions with the Physical World.
Many IoT devices interact with the physical world in ways conventional IT devices
usually do not.
2. Device Access, Management, and Monitoring Features.
Many IoT devices cannot be accessed, managed, or monitored in the same ways
conventional IT devices can.
3. Cybersecurity and Privacy Capability Availability, Efficiency, and
Effectiveness.
The availability, efficiency, and effectiveness of cybersecurity and privacy capabilities
are often different for IoT devices than conventional IT devices.
Source: NISTIR 8228, Considerations for Managing Internet of Things (IoT) Cybersecurity and Privacy Risks, https://nvlpubs.nist.gov/nistpubs/ir/2019/NIST.IR.8228.pdf

6 / 40
Introduction
§ IoT hacking and botnet
§ security cameras represent 47 percent of vulnerable devices installed on home
networks
§ IoT botnet in large-scale network attacks
§ Mirai(2016), Satori(2017)
Okiru, Masuta, PureMasuta, OMG, Wicked, Sora, Owari, Omni, Miori(2018)
Hakai, Yowai, SpeakUp (2019)
Source: ZDNET, https://www.zdnet.com/article/cybersecurity-these-are-the-
internet-of-things-devices-that-are-most-targeted-by-hackers/

7 / 40
Introduction
§ High-level risk mitigation
Three high-level risk mitigation goals:
1. Protect device security
2. Protect data security
3. Protect individuals’ privacy
Source: NIST IR 8228, Considerations for Managing Internet of Things (IoT) Cybersecurity and Privacy Risks, https://nvlpubs.nist.gov/nistpubs/ir/2019/NIST.IR.8228.pdf

8 / 40
⓪ Firmware acquisition and analysis
① Firmware provisioning
② Serial communication
③ Desoldering
④ Side channel attack
⑤ Remote Code Execution
⑥ Packet Relay
⑦ Developer mode or Backdoor

9 / 40
⑦ Developer mode or Backdoor
⑥ Packet Relay
③ Desoldering

10 / 40
⓪ Find a firmware
§ Provides firmware publicly
§ depends on vendors

11 / 40
Update Server
IoT Hub
Getting firmware link when firmware updating
SSL Strip

12 / 40
§ Used for debugging embedded systems
Trying to JTAG
connection
UART
Connection
Find UART pin

13 / 40
③ Desoldering
§ Removal of solder and components from a PCB using Heat gun
§ Very hazardous, it needs very skillful technique
Heat gun

14 / 40
③ Desoldering
Mount the extracted eMMC Work normally

15 / 40
U-Boot
CFE
Other
Redboot
RouterBOOT
BOOTLOADER
Most IoT devices use U-Boot
Source: https://wikidevi.com/wiki/Property:Stock_bootloader/full

16 / 40
Memory
Loading stored
kernel images
Kernel Memory Load,
file system mount
Embedded Boot Process
Boot loader
Flash memory
Initialize
peripheral device
U-Boot boot loader
Initialization task
main_loop()
cli_loop
main_loop()
OS Boot
If fail
run_preboot
bootdelay
cli_loop
autoboot_
command
Return to
Custom Shell

17 / 40
Memory map is overwritten
when autoboot_command is executed
U-Boot Start OS Boot
Main_loop DOES NOT HANDLE the return
value

18 / 40
Make an error through glitching Got the shell, CVE-2018-19916

19 / 40
§ Remote Code Execution at Cookie parameter
Service
Analysis
Process Caught !
Found to Login pages
SessionSecurityHandler Function
GetCookieValue Function

20 / 40
Used the proxy tool to poison cookie values Crashed by memory overflow

21 / 40
Got reverse shell
Exploit !
Wrote exploit code

22 / 40
⑥ Packet Relay
§ Malformed packet relay attack
output log generated during communication Data packet Structure

23 / 40
⑥ Packet Relay
Found command value of Packet Structure in ida
Supported binary commands

24 / 40
⑥ Packet Relay
MITM send packet MITM recv packet

25 / 40
⑦ Developer mode or backdoor
Checked 8443 service
Accessed denied Accessed to login interface successfully
Web service code analysised
Service
Analysis

26 / 40
Analyzed source code to got account
Restricted the number of login attempts
98:93:CC:A2:XX:XX @ AH66AJ01000000XXX Found service to changed MAC address and Serial key
Port information about special service
Serial : AH66AJ01000000XXXMAC : 98:93:CC:A2:XX:XX

27 / 40
Access
Connected to service
Changed the password through MESD daemon
Ethernet Mac Ethernet Mac WiFi Mac Check

28 / 40
Function
analysis
Accessed to admin page successfully Found plug-in management service

29 / 40
Uploaded a reverse shell
Got the shell !
Exploit

30 / 40
§ Efforts on the security requirements
§ Secure Boot from Microsoft*
Secure boot is a security standard developed by members of the PC industry to help make
sure that a device boots using only software that is trusted by the Original Equipment
Manufacturer (OEM). When the PC starts, the firmware checks the signature of each piece of
boot software, including UEFI firmware drivers (also known as Option ROMs), EFI applications,
and the operating system. If the signatures are valid, the PC boots, and the firmware gives
control to the operating system.
§ Root of Trust from Trusted Computing Group (TCG)**
A component that performs one or more security-specific functions, such as measurement,
storage, reporting, verification, and/or update. It is trusted always to behave in the expected
manner, because its misbehavior cannot be detected under normal operation.
§ Root of Trust from Global Platform***
A computing engine, code, and possibly data, all co-located on the same platform; provides
security services. No ancestor entity is able to provide a trustable attestation (in Digest or
other form) for the initial code and data state of the Root of Trust.
* https://docs.microsoft.com/en-us/windows-hardware/design/device-experiences/oem-secure-boot
** https://trustedcomputinggroup.org/wp-content/uploads/17.pdf
*** https://globalplatform.org/wp-content/uploads/2018/07/GP_RoT_Definitions_and_Requirements_v1.1_PublicRelease-2018-06-28.pdf

31 / 40
§ NIST Special Publication 800-193
§ Platform Firmware Resiliency Guidelines
§ Provides technical guidance for resiliency of
platforms to protect against destructive
attacks
§ Promotes resiliency in the platform by
describing security mechanisms for:
§ Protecting the platform against
unauthorized changes
§ Detecting unauthorized changes that
occur
§ Recovery from attacks

32 / 40
§ NIST Special Publication 800-193
§ Key concept
§ Roots of Trust (Section 4.1)
§ Protection (Section 4.2)
§ Detection (Section 4.3)
§ Recovery (Section 4.4)
Source: NIST Special Publication 800-193, Platform Firmware Resiliency Guidelines, https://doi.org/10.6028/NIST.SP.800-193

33 / 40
§ ISO/IEC 15408 CD3 (FPT_INI.1 TSF Initialization)
§ This component requires the TOE to provide a TSF initialization function that brings the
TSF into a secure operational state at power-on.
§ FPT_INI.1.1 The TOE shall provide an initialization function which is self-protected for
integrity and authenticity.
§ FPT_INI.1.2 The TOE initialization function shall ensure that certain properties hold on
certain elements immediately before establishing the TSF in a secure initial state, as
specified below:
§ Properties à [assignment: property, for instance authenticity, integrity, correct version]
§ Elements à [assignment: list of TSF/user firmware, software or data]
§ FPT_INI.1.3 The TOE initialization function shall detect and respond to errors and failures
during initialization such that the TOE [selection: is halted, successfully completes
initialization with [selection: reduced functionality, signaling error state, [assignment: list of
actions]].
§ FPT_INI.1.4 The TOE initialization function shall only interact with the TSF in
[assignment: defined methods] during initialization.
Source: ISO/IEC JTC 1 SC 27 WG 3 15408-2 Committee Draft 3. July 2019

34 / 40
§ Other approaches and guidance
§ UK Government, DCMS (Digital, Culture, Media and Sport)
§ Code of Practice for Consumer IoT Security
§ Hardcopy Devices TC
§ HCD cPP
§ Network Device iTC
§ NDcPP
§ DSC iTC
§ DSC cPP
Source https://medium.com/rtone-iot-security/the-uk-code-of-practice-for-consumer-iot-security-783e3473f726

35 / 40
* collaborative Protection Profile for Dedicated Security Component, Version 1.0d, Sept. 9, 2019
** ISO/IEC JTC 1 SC 27 WG 3 15408-2 Committee Draft 3. July 2019
Vulnerability Threat/Assumption* Security Requirement of New Direction*
① Firmware provisioning T.SDE_TRANSIT_COMPROMISE FTP_ITE_EXT.1 Encrypted Data Communications
② Serial communication T.HW_ATTACK
T.UNAUTHORIZED_ACCESS
FPT_PHP.3 Resistance to Physical Attack
FPT_MOD_EXT.1 Debug Modes
③ Desoldering T.HW_ATTACK
④ Side channel attack T.HW_ATTACK
T.SDE_TRANSIT_COMPROMISE
T.WEAK_OWNERSHIP_BINDING
T.WEAK_ELEMENT_BINDING
A.ROT_INTEGRITY
FPT_PRO_EXT.1 Root of Trust
FPT_ROT_EXT.1 Root of Trust Services
FPT_TST.1 Integrity Checking
FDP_MFW_EXT.1 Mutable/Immutable Firmware
FDP_DAU.1 Prove Data Authentication for Use with The Prove Service
FDP_MFW_EXT.2 Basic Firmware Integrity
FDP_MFW_EXT.3 Firmware Authentication with Identity of Guarantor
FPT_INI.1 TSF Initialization
⑤ Remote Code Execution T.UNAUTHORIZED_ACCESS ATE_IND.1 Independent Testing
AVA_VAN.1 Vulnerability Survey
⑥ Packet Relay T.UNAUTHORIZED_ACCESS
T.SDE_TRANSIT_COMPROMISE
T.WEAK_OWNERSHIP_BINDING
T.WEAK_ELEMENT_BINDING
FPT_RPL_EXT.1 Replay Prevention
⑦ Developer mode or
Backdoor
T.HW_ATTACK
FPT_MOD_EXT.1 Debug Modes

36 / 40
Conclusion
§ Lack of Security Requirement and Testing in IoT products.
§ We demonstrated real attacks against IoT devices that do not
provide enough capabilities such as Secure Boot and Root of
Trust.
§ iTC, TC, and WG who want to create new protection profile need
to consider this in their evaluation and testing.
§ Also, IoT manufacturers …

37 / 40
Thank you
This work was supported by Institute for Information & communications Technology Promotion(IITP) grant funded
by the Korea government(MSIT) (No.2018-0-00532,Development of High-Assurance(≥EAL6) Secure Microkernel)
Special thanks to Jisub Kim, Hongryeol Lim and Pwnhub team.

IoT Device Hacking and New Direction of IoT Security Evaluation Using Common Criteria

Recomendados

Recomendados

Mais conteúdo relacionado

Mais procurados

Mais procurados (20)

Semelhante a IoT Device Hacking and New Direction of IoT Security Evaluation Using Common Criteria

Semelhante a IoT Device Hacking and New Direction of IoT Security Evaluation Using Common Criteria (20)

Mais de Seungjoo Kim

Mais de Seungjoo Kim (20)

Último

Último (20)

IoT Device Hacking and New Direction of IoT Security Evaluation Using Common Criteria