IFSEC Insider | Security and Fire News and Resources

IoT security fundamentals

If you keep track of the latest cybersecurity news, you might have noticed the growing number of IP camera botnets emerging, vulnerabilities in smart home controllers being discovered and wireless smart locks being hacked, among other things.

Before I move on to security proper, let’s sort out what the internet of things actually means.

There are several definitions at this point, but I think definitions can limit the potential of the IoT technology so memorising them all is a waste of time. But let’s analyse one of the common definitions:

The internet of things is a network of devices embedded with connectivity features and controlled via the internet, which enables them to exchange data with each other.

According to that definition’s author, if a device can only function within a local network, then it’s not an IoT device. I can prove this wrong. Even if it’s not connected to the open internet, it can still be part of a group of smart things, for instance a portable Bluetooth speaker that lets you save music to the device’s memory. There are lots of misconceptions like that online. Think broader.

However, thinking globally is too broad a scope for a single article, so let’s set some restrictions. Let’s consider smart things as objects around us equipped with hi-tech stuffing (small microcontroller boards) that have additional features which can be leveraged by regular users to perform routine tasks at home, at work or outdoors.

Let’s get back to security. Considering this domain covers numerous protocols, programming languages and hardware components, what kind of knowledge do you need to assess IoT protection?

The right answer is: there is no answer. You’ll spend a month looking into a certain technology, then all of a sudden the manufacturers start using something new. The only reasonable approach is to study the ins and outs of smart devices, including:

  1. The network protocol stack that most IoT protocols are built on
  2. Basics of working with microcontrollers
  3. Basics of working with wireless communication protocols
  4. Reverse-engineering firmware or compiled applications
  5. Detecting web application vulnerabilities
  6. Exploiting binary vulnerabilities

Expertise in the above technologies, even superficially, is a great starting point for mastering IoT security – but knowledge alone may not be enough. Fully-fledged security analysis needs additional equipment and gear that includes:

  1. SDR. A programmable radio supporting a broad range of frequencies, which lets you work with pretty much any known protocol or study proprietary wireless communication protocols. An Arduino Uno C can substitute for several devices, for instance by functioning as a USB-UART adapter
  2. Screwdriver kit with adapters. Manufacturers try to add an extra layer of protection to their devices by using screws that require special screwdrivers
  3. External memory drives, from MicroSD to USB Flash
  4. Soldering station

Watch the video below – a DEF CON 25 presentation by Elvis Collado called Reversing and Exploiting Embedded Devices – for more information on the necessary gear.

Now we have the right equipment to hand, let’s see what the main testing stages are.

The first stage comes down to searching for device information without interacting with it physically. You can obtain this data from publicly available sources most of the time.

Also, devices often carry an FCC (Federal Communications Commission) ID, which makes it easy to find documentation about the device and the list of frequencies it supports. For a start, try to find the details about some smart device you often use.

Next, you need to figure out what things may interact with the device and which communication channels they may use. It can be a mobile app communicating over a local wireless network, a remote control device with infrared port, an online-accessible cloud, sensors functioning via a radio channel (such as Zigbee), and the like.

The next thing on your to-do list is to determine what threats you need to check every device for. For example, you can check communication over a local network for protection against man-in-the-middle attacks. You might also want to check whether or not a control web interface uses a default password.

Meanwhile, let’s not forget that the device itself should be analysed separately as a physical entity, mostly from a hardware security perspective. This lets us see whether it’s possible to interact with the embedded board directly, up to and including extracting the microcontroller and gaining access to the console.

Simply put, the IoT security scheme boils down to the following:

Let’s now create a roadmap for a specific device.

Suppose we purchased a Chinese IP camera X. We’ll start the analysis with scrutinising the packaging. The manufacturer promises the following:

Having examined the documentation, we find out that the camera works within the local network only but, most likely, receives firmware updates over the internet.

First, we should check connections over the local and external networks for the possibility of a man-in-the-middle attack. For both mobile and stationary devices, we need to analyse the communication protocol first and only then move on to its protection scheme.

The next step is to check the web interface for an encrypted connection (HTTPS) and for common web application vulnerabilities from the OWASP Top 10 list.

As I have mentioned above, we will analyse the camera itself separately. In most cases, the task boils down to extracting the firmware, which enables us to update the scheme with new details and proceed to white-box testing.
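As an added example (not code from the original article), here is how the first two checks on that roadmap can be applied to a recorded HTTP capture of the camera’s web interface and update channel: it flags credentials sent in cleartext (exposed to a man-in-the-middle), default passwords the camera actually accepts, and firmware fetched over plain HTTP. The capture and the default-credential list are constructed for the example and hypothetical.

```python
import base64
from dataclasses import dataclass, field

# Hypothetical default-credential list; a real assessment uses the vendor's
# documented defaults for the camera under test.
DEFAULT_CREDENTIALS = {("admin", "admin"), ("admin", ""), ("admin", "123456")}

@dataclass
class HttpExchange:
    scheme: str          # "http" = cleartext on the wire, "https" = TLS
    method: str
    path: str
    status: int          # response status code
    headers: dict = field(default_factory=dict)

def basic_auth(headers):
    """Return (user, password) from an HTTP Basic Authorization header, or None."""
    value = headers.get("Authorization", "")
    if not value.startswith("Basic "):
        return None
    user, _, password = base64.b64decode(value[6:]).decode().partition(":")
    return user, password

def triage(exchanges):
    """Flag MitM exposure, accepted default passwords and cleartext firmware fetches."""
    findings = []
    for ex in exchanges:
        creds = basic_auth(ex.headers)
        if creds and ex.scheme == "http":
            findings.append(f"credentials sent in cleartext to {ex.path}")
        if creds in DEFAULT_CREDENTIALS and ex.status == 200:
            findings.append(f"default credentials accepted on {ex.path}")
        if ex.scheme == "http" and "firmware" in ex.path.lower() and ex.status == 200:
            findings.append(f"firmware downloaded over cleartext http: {ex.path}")
    return findings

def auth_header(user, password):
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return {"Authorization": "Basic " + token}

# Constructed sample capture of the camera's web interface and update channel.
SAMPLE_CAPTURE = [
    HttpExchange("http", "GET", "/login.cgi", 200, auth_header("admin", "admin")),
    HttpExchange("https", "GET", "/config.cgi", 200, auth_header("operator", "Tr0ub4dor")),
    HttpExchange("http", "GET", "/firmware/cam_v1.2.bin", 200),
    HttpExchange("https", "GET", "/stream.cgi", 401, auth_header("admin", "123456")),
]

if __name__ == "__main__":
    print("\n".join(triage(SAMPLE_CAPTURE)))
```

Note that a default password rejected with 401 (the last exchange) is not reported; only credentials the device accepts count as a finding.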

As a quick disclaimer, it’s worth mentioning that testing devices without the vendor’s approval isn’t always welcome. At the same time, it’s noteworthy that this practice became legal in the US after the adoption of the Digital Millennium Copyright Act (DMCA).

The basic security steps for IoT devices include:
