CEHv12-18 - IoT and OT Hacking

IoT Basics

Connecting everyday objects and systems to networks to make them globally available and interactive.

Components of IoT

  1. Things: everyday devices like refrigerators, washing machines, sensors, cameras, and network devices connected to the internet.
  2. Gateway: connects IoT devices to each other, end users, or the cloud.
  3. Cloud Server: stores and processes IoT data, making it available for consumption.
  4. Remote Apps: interface for users to connect and manage IoT devices, often via smartphones or laptops.

Types

  • Consumer IoT: devices like smart refrigerators, washing machines, IP cameras, and routers.
  • Industrial IoT: sensors for monitoring industrial processes, pressure, heat, fluid flow, etc.

IoT architecture

  1. Edge Technology: IoT hardware components.
  2. Access Gateway: allows communication between different IoT technologies.
  3. Internet layer: IP-based communication for IoT devices.
  4. Middleware: services running in the background to support the application layer.
  5. Application Layer: end-user interface for interacting with IoT devices.

IoT applications

  • Healthcare: heart monitors, medical sensors.
  • Military: monitoring and control systems for military equipment.
  • IT: environmental monitoring of server rooms.
  • Transportation: tire pressure sensors, traffic monitoring.
  • Energy: monitoring and control in power plants, solar, hydroelectric.

Communication technologies and protocols

  • Common technologies: Wi-Fi, RFID, Zigbee, LTE, LPWAN, Sigfox, Ethernet.
  • Operating systems: Arm Mbed OS, Windows 10 IoT, Contiki-NG, Ubuntu Core.

Communication models

  1. Device to Device: direct communication between two devices.
  2. Device to Cloud: devices communicate with the app service provider.
  3. Device to Gateway: devices communicate with an IoT gateway which then connects to the app service provider.
  4. Backend Data Sharing: device communicates with multiple app service providers.

Security challenges

No or weak security, poor access control, vulnerable web applications, clear text communications, lack of support, physical theft.

IoT threats and vulnerabilities

OWASP Top 10 IoT Threats

  1. Weak, guessable, or hard-coded passwords: credentials that can be brute forced, are publicly known, or are baked into the firmware and cannot be changed.
  2. Insecure network services: unneeded or poorly secured services exposed to the network (especially the internet) that compromise confidentiality, integrity, or availability.
  3. Insecure ecosystem interfaces: web, backend API, cloud, and mobile interfaces around the device that lack authentication, authorization, input validation, or encryption.
  4. Lack of secure update mechanism: no firmware signature validation, no anti-rollback protection, unencrypted update delivery, and no notification of security changes.
  5. Use of insecure or outdated components: deprecated libraries, third-party software, or hardware components with known vulnerabilities.
  6. Insufficient privacy protection: personal data collected by the device or its ecosystem is stored or used insecurely or without permission.
  7. Insecure data transfer and storage: sensitive data at rest, in transit, or during processing is sent or kept in cleartext or without access control.
  8. Lack of device management: no way to inventory, update, monitor, or decommission deployed devices.
  9. Insecure default settings: devices ship with insecure defaults (e.g. “admin/admin”, open debug services) or give operators no way to change them.
  10. Lack of physical hardening: an attacker with physical access can extract data or firmware, or take control of the device.
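
Added example for item 4 (not part of the course material): a minimal verify-then-flash update check. The vendor signs a manifest that binds the image digest to a version number; the device verifies the signature first, then the digest of the received image, then refuses anything that is not newer than what it runs. The key, images and version numbers are constructed for the demo, and HMAC-SHA256 stands in for a real signature so the example runs on the standard library alone; a real device would hold only a public verification key and check an asymmetric signature (Ed25519, RSA-PSS), so that extracting the device never yields a signing key.

```python
import hashlib
import hmac
import json

# Constructed demo key. Stand-in for a vendor signing key: a real device holds
# only a public verification key and checks an asymmetric signature.
VENDOR_KEY = b"vendor-signing-key-DEMO-ONLY"


def _manifest_bytes(manifest: dict) -> bytes:
    # Canonical encoding: signer and verifier must hash exactly the same bytes.
    return json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()


def sign_image(image: bytes, version: int, key: bytes = VENDOR_KEY) -> dict:
    """Vendor side: bind version and image digest in a manifest, sign the manifest."""
    manifest = {"version": version, "sha256": hashlib.sha256(image).hexdigest()}
    sig = hmac.new(key, _manifest_bytes(manifest), "sha256").hexdigest()
    return {"manifest": manifest, "sig": sig}


class InsecureDevice:
    """OWASP IoT #4 as too often shipped: whatever arrives gets flashed."""

    def __init__(self, version: int):
        self.version = version

    def install(self, image: bytes, package: dict) -> tuple[bool, str]:
        self.version = package["manifest"]["version"]
        return True, "installed without any check"


class Device(InsecureDevice):
    """Verify-then-flash: signature, then digest, then anti-rollback."""

    def __init__(self, version: int, key: bytes = VENDOR_KEY):
        super().__init__(version)
        self.key = key

    def install(self, image: bytes, package: dict) -> tuple[bool, str]:
        manifest, sig = package["manifest"], package["sig"]
        expected = hmac.new(self.key, _manifest_bytes(manifest), "sha256").hexdigest()
        if not hmac.compare_digest(expected, sig):  # constant-time compare
            return False, "rejected: bad manifest signature"
        if hashlib.sha256(image).hexdigest() != manifest["sha256"]:
            return False, "rejected: image digest does not match signed manifest"
        if manifest["version"] <= self.version:  # anti-rollback counter
            return False, f"rejected: version {manifest['version']} is not newer than {self.version}"
        self.version = manifest["version"]
        return True, f"installed version {self.version}"


# Constructed images and packages for the demo.
GOOD_V3 = b"firmware image v3 (constructed)"
PKG_V3 = sign_image(GOOD_V3, 3)
OLD_V1 = b"firmware image v1 (constructed)"
PKG_V1 = sign_image(OLD_V1, 1)


def demo() -> list[str]:
    """Walk one device through a good update, a rollback, a tampered image and a forgery."""
    dev = Device(version=2)
    backdoored = GOOD_V3 + b" + backdoor"
    forged = sign_image(backdoored, 9, key=b"attacker-key")  # attacker has no vendor key
    return [
        dev.install(GOOD_V3, PKG_V3)[1],
        dev.install(OLD_V1, PKG_V1)[1],
        dev.install(backdoored, PKG_V3)[1],
        dev.install(backdoored, forged)[1],
    ]


if __name__ == "__main__":
    for line in demo():
        print(line)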

IoT Attack Surfaces

  1. Physical interfaces: ports and physical connections on the device that can be exploited.
  2. Firmware: an image pulled from flash or downloaded from the vendor can be reverse engineered for hard-coded credentials and keys, and an unauthenticated update path lets an attacker flash modified firmware.
  3. Network traffic: unencrypted communications can be intercepted.
  4. Vendor and third-party APIs: APIs must be secure to prevent unauthorized access.
  5. Local Storage: data stored on the device should be protected.
  6. Mobile applications: security weaknesses in associated mobile apps can be exploited.
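
Added example for the firmware and local-storage attack surfaces, and for OWASP items 1 and 9 (not part of the course material): the first pass an analyst runs over a dumped image, a `strings`-style extraction followed by pattern matching for password hashes, default user:pass pairs, private keys, hard-coded secrets and cleartext update URLs, plus a scan for the filesystem magic numbers binwalk would report. The firmware blob, hash, URL and key header are constructed stand-ins; the regexes are this example's own heuristics, not a tool's.

```python
import re

# Constructed stand-in for a firmware image: binary-looking runs around strings
# of the kind that turn up in extracted root filesystems. Not a real vendor image.
FIRMWARE = (
    b"\x7fELF\x02\x01\x01\x00" + b"\x00" * 16
    + b"root:$1$abcdefgh$N0tAReAlHashXXXXXXXXXX:0:0:root:/root:/bin/sh\n"
    + b"\x00\xff\x10"
    + b"admin:admin\n"
    + b"\x90" * 32
    + b"hsqs" + b"\x00" * 8  # SquashFS magic: an embedded root filesystem starts here
    + b"http://fw.example.invalid/update.bin\x00"
    + b"-----BEGIN RSA PRIVATE KEY-----\x00"
    + b"TELNET_PASSWORD=sup3rs3cret\x00"
)

# Magic numbers worth locating before carving out a filesystem.
MAGICS = {
    b"\x7fELF": "ELF",
    b"hsqs": "SquashFS",
    b"\x27\x05\x19\x56": "U-Boot uImage",
    b"UBI#": "UBI",
}

# Heuristics for strings that deserve a closer look.
PATTERNS = {
    "password hash": re.compile(r"^[\w-]+:\$[0-9a-z]+\$[^:]+(?::|$)"),  # crypt(3) style
    "user:pass pair": re.compile(r"^(?:admin|root|user|guest):[^:\s]{1,32}$"),
    "private key": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    "hard-coded secret": re.compile(r"(?i)(?:passw(?:or)?d|secret|token|api_?key)\s*[=:]\s*\S+"),
    "plaintext update URL": re.compile(r"^http://\S+"),  # http, not https
}


def extract_strings(blob: bytes, min_len: int = 6) -> list[str]:
    """Like `strings`: runs of printable ASCII at least min_len bytes long."""
    return [m.group().decode("ascii")
            for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, blob)]


def find_magics(blob: bytes) -> list[tuple[int, str]]:
    """Offsets of known container/filesystem headers, in file order."""
    hits = [(m.start(), name)
            for magic, name in MAGICS.items()
            for m in re.finditer(re.escape(magic), blob)]
    return sorted(hits)


def find_secrets(blob: bytes) -> dict[str, list[str]]:
    """Classify extracted strings against PATTERNS; a string may hit several."""
    hits: dict[str, list[str]] = {name: [] for name in PATTERNS}
    for s in extract_strings(blob):
        for name, pat in PATTERNS.items():
            if pat.search(s):
                hits[name].append(s)
    return hits


if __name__ == "__main__":
    for off, name in find_magics(FIRMWARE):
        print(f"0x{off:08x}  {name}")
    for name, found in find_secrets(FIRMWARE).items():
        for s in found:
            print(f"[{name}] {s}")
```

Anything in the "password hash" bucket goes to an offline cracker; a "user:pass pair" or "hard-coded secret" is usually reusable across every unit of that model, which is exactly why OWASP ranks it first.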

Additional IoT vulnerabilities

  • Missing MFA/2FA: a single password is the only barrier to the management interface.
  • No lockout policy: unlimited login attempts make credential brute forcing practical.
  • No DDoS protection: devices cannot absorb flooding and are easily knocked offline or recruited into botnets.
  • Missing updates and patches: known vulnerabilities stay exploitable for the life of the device.
  • Insecure third-party components: vulnerable libraries, SDKs, and modules inherited from suppliers.
  • Exposed hardware access ports: unprotected JTAG and UART pins give a physical attacker a debug console, memory access, and firmware extraction.

IoT attacks tools and countermeasures

Hardware Tools

  • JTAGulator: identifies JTAG (and UART) pinouts on unlabeled test points.
  • UART TTL to USB adapter: gives a serial console on the device's UART pins, often a boot loader prompt or root shell.
  • Bus Pirate: speaks UART, I2C, SPI, JTAG and other bus protocols for talking to chips and dumping memory.
  • SOIC clip: clips onto a SOIC-packaged flash chip so firmware can be read in circuit without desoldering.
  • RS-232 to USB adapter: connects legacy RS-232 serial ports to a laptop (not SPI; SPI flash is dumped with a Bus Pirate or a dedicated SPI programmer).

Software Tools

  • Shodan: searches for internet-connected devices and identifies vulnerabilities.
  • Censys and Thingful: similar to Shodan for identifying and analyzing IoT devices.
  • Wireshark/TCPDump: network protocol analyzers for monitoring network traffic.
  • Burp Suite/OWASP ZAP: web application security testing tools.
  • GNU Radio/RTL-SDR: software and hardware for software-defined radio (SDR) applications.

Unique IoT Attacks

  • HVAC attacks: exploiting web-managed heating, ventilation, and air conditioning systems.
  • Rolling code attacks: jamming the receiver while capturing a key fob's rolling code, then replaying the stored code later (RollJam); the codes themselves are not predictable.
  • Bluetooth attacks: exploits like BlueBorne and Bluejacking.
  • DDoS via jamming: overwhelming IoT devices’ communication channels.
  • Sybil attack: one attacker presents many fake identities to a network, e.g. spoofing the GPS positions of many phantom vehicles to create a traffic jam in a navigation system.

OT basics

Operational Technology (OT):

  • Technologies used in manufacturing, energy, and critical infrastructure.
  • Involves managing, monitoring, and controlling industrial systems and operations.
  • Companies like Siemens, Schneider Electric, and Allen-Bradley (Rockwell Automation) are prominent OT manufacturers.

Components and systems:

  1. ICS (Industrial Control Systems):

    • Systems that control industrial processes.
    • e.g. Control systems in a power plant.
  2. SCADA (Supervisory Control and Data Acquisition):

    • Gathers and presents data to operators.
    • Operators use this data to make decisions and control processes.
  3. DCS (Distributed Control Systems): automation and process control for continuous processes within a single plant; control is spread across many controllers and coordinated centrally, with minimal operator interaction.

  4. PLCs (Programmable Logic Controllers):

    • Physical devices that control machinery and processes.
    • e.g. A PLC could control a valve or a pump in a manufacturing process.
  5. RTUs (Remote Terminal Units):

    • Similar to PLCs but more robust and suitable for harsh environments.
    • Often have better environmental tolerances and higher autonomy.
  6. BPCS (Basic Process Control Systems):

    • Ensures operator decisions are implemented in the physical processes.
    • Receives information and makes sure actions are executed.
  7. SIS (Safety Instrumented Systems):

    • Ensures safety by automatically handling anomalies and emergencies.
    • Example: Shutting off power to prevent explosions.
  8. HMI (Human Machine Interface):

    • Interface through which operators interact with OT devices.
    • Often touchscreen-based for ease of use.
  9. IED (Intelligent Electronic Devices):

    • Devices that receive data and issue control commands.
    • e.g. Tripping a breaker during a voltage anomaly.
  10. IIoT (Industrial Internet of Things):

    • Integration of IT and OT.
    • Connects traditional OT systems to IT networks for enhanced management.

Security Challenges:

  • Plaintext protocols: many OT protocols (e.g. Modbus, S7comm) carry neither encryption nor authentication.
  • Complexity: high complexity can make security management difficult.
  • Proprietary and legacy technology: hard to secure due to outdated systems and proprietary designs.
  • Convergence issues: combining IT and OT brings IT security vulnerabilities into OT environments.
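
Added example for the plaintext-protocol point above (not part of the course material; the same parsing serves the monitoring countermeasure listed later): Modbus/TCP frames built and decoded with the Python standard library. The MBAP header plus PDU is all a PLC ever sees, so any host that can reach TCP/502 can write a register. The audit pass is a passive detection rule over a constructed capture, flagging write function codes from hosts outside an assumed HMI allowlist and exception responses that usually mean someone is probing addresses.

```python
import struct

FUNCTION_NAMES = {
    1: "Read Coils", 2: "Read Discrete Inputs", 3: "Read Holding Registers",
    4: "Read Input Registers", 5: "Write Single Coil", 6: "Write Single Register",
    15: "Write Multiple Coils", 16: "Write Multiple Registers",
}
WRITE_FUNCTIONS = {5, 6, 15, 16}
EXCEPTION_CODES = {1: "Illegal Function", 2: "Illegal Data Address", 3: "Illegal Data Value"}


def build_frame(tid: int, unit: int, fc: int, data: bytes) -> bytes:
    """MBAP header (transaction id, protocol id 0, length, unit id) + PDU.
    No session, no credentials, no MAC: the frame is everything the PLC checks."""
    pdu = bytes([fc]) + data
    return struct.pack(">HHHB", tid, 0, len(pdu) + 1, unit) + pdu


def read_holding_registers(tid: int, unit: int, start: int, count: int) -> bytes:
    return build_frame(tid, unit, 3, struct.pack(">HH", start, count))


def write_single_register(tid: int, unit: int, addr: int, value: int) -> bytes:
    return build_frame(tid, unit, 6, struct.pack(">HH", addr, value))


def parse_frame(frame: bytes) -> dict:
    """Decode MBAP + function code; bit 7 of the function code marks an exception."""
    if len(frame) < 8:
        raise ValueError("frame too short for MBAP + function code")
    tid, proto, length, unit = struct.unpack(">HHHB", frame[:7])
    if proto != 0 or length != len(frame) - 6:
        raise ValueError("malformed MBAP header")
    fc = frame[7]
    return {"tid": tid, "unit": unit, "fc": fc & 0x7F,
            "exception": bool(fc & 0x80), "data": frame[8:]}


# Assumed allowlist: the one HMI that is supposed to change setpoints.
HMI_HOSTS = {"10.0.10.5"}


def audit(packets) -> list[str]:
    """Passive detection over (src, dst, frame) tuples, e.g. from a SPAN port."""
    alerts = []
    for src, dst, frame in packets:
        p = parse_frame(frame)
        name = FUNCTION_NAMES.get(p["fc"], f"function {p['fc']}")
        if p["exception"]:
            code = p["data"][0] if p["data"] else 0
            alerts.append(f"{src} -> {dst}: exception to {name}: "
                          f"{EXCEPTION_CODES.get(code, code)} (possible probing)")
        elif p["fc"] in WRITE_FUNCTIONS and src not in HMI_HOSTS:
            addr, second = struct.unpack(">HH", p["data"][:4])
            detail = (f"addr={addr} value=0x{second:04x}" if p["fc"] in (5, 6)
                      else f"addr={addr} count={second}")
            alerts.append(f"{src} -> {dst} unit {p['unit']}: {name} {detail} from non-HMI host")
    return alerts


# Constructed capture: the HMI polling and writing normally, an engineering
# laptop changing a setpoint, then the PLC answering a probe with an exception.
PACKETS = [
    ("10.0.10.5", "10.0.20.7", read_holding_registers(1, 1, 0, 10)),
    ("10.0.10.5", "10.0.20.7", write_single_register(2, 1, 40, 1200)),
    ("10.0.30.99", "10.0.20.7", write_single_register(7, 1, 40, 1500)),
    ("10.0.20.7", "10.0.30.99", build_frame(8, 1, 0x83, b"\x02")),
]


if __name__ == "__main__":
    print(write_single_register(7, 1, 40, 1500).hex())
    for line in audit(PACKETS):
        print(line)
```

The allowlist rule is deliberately simple; in practice the baseline also covers which units, function codes and register ranges each host normally touches, so a write to a register the HMI has never written is as suspicious as a write from a new host.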

OT attacks tools and countermeasures

Vulnerabilities

  1. Interconnected systems: often connected to the internet for remote access, exposing them to external threats.
  2. Missing/non-existent updates: lack of regular updates due to perceived isolation, increasing vulnerability.
  3. Weak passwords/no authentication: often overlooked as systems were initially isolated.
  4. Weak firewall rules: inadequate firewall configurations, leading to security breaches.
  5. Non-existent network segmentation: flat networks without segmentation make it easier for attackers to access the entire system.
  6. Weak/non-existent encryption: lack of encryption due to a false sense of security.

Threats

  1. Malware: can be introduced via removable media, external hardware, web applications, and end-user devices.
  2. Denial of Service (DoS/DDoS) attacks: can disrupt critical services, leading to indirect human life risks.
  3. Sensitive data exposure: breaches leading to exposure of critical operational data.
  4. HMI-based attacks: exploiting human-machine interfaces through software vulnerabilities or physical access.
  5. Human error: programming or configuration errors, physical mishandling of equipment.
  6. Side channel attacks: exploiting physical aspects like timing, power consumption, and electromagnetic emanations.
  7. Radio Frequency (RF) attacks: capturing or injecting RF signals to manipulate or gain access to OT systems.

Tools

  1. Shodan: search engine for internet-connected devices, useful for identifying vulnerable OT systems.
  2. SearchDiggity: suite of tools for finding potential attack vectors through search engines.
  3. s7scan: Python tool for scanning and enumerating Siemens PLCs.
  4. PLCScan: scans PLC devices over the S7comm or Modbus protocols.
  5. SmartRF Studio: Texas Instruments tool for evaluating and debugging RF systems.
  6. Industrial Exploitation Framework (ISF): framework similar to Metasploit for exploiting vulnerabilities in ICS and SCADA systems.

Countermeasures

  • Regular updates and patches: ensure systems are regularly updated to mitigate known vulnerabilities.
  • Strong authentication: implement strong passwords and multi-factor authentication.
  • Robust firewall configurations: Set up and regularly review firewall rules.
  • Network segmentation: divide networks into segments to limit access and contain breaches.
  • Encryption: use strong encryption for data in transit and at rest.
  • User training: educate users on best security practices and potential risks.
  • Monitoring and auditing: continuously monitor systems and conduct regular security audits.
  • Incident response planning: develop and regularly update an incident response plan.