Internet of Things (IoT)/Internet of Everything (IoE)
Refers to computing devices that are web-enabled and have the capability of sensing, collecting, and sending data using sensors, and the communication hardware and processors that are embedded within the device
IoT Primary Systems
- IoT devices
- Gateway systems
- Data storage systems
- Cloud technology
IoT Technology Components
- Sensing Technology
- Cloud Server/Data Storage
- IoT Gateways
- Remote Control using Mobile App
IoT Gateways
Gateways are used to bridge the gap between an IoT device (internal network) and the end-user (external network), thus allowing them to connect and communicate with each other. The data collected by the sensors in the IoT device is sent to the connected user or cloud through the gateway
IoT Layers
1. Edge Technology Layer
2. Access Gateway Layer
3. Internet Layer
4. Middleware Layer
5. Application Layer
Edge Technology Layer
This layer consists of all the hardware components and the device itself. These entities are the primary part of the data sensors that are deployed in the field for monitoring or sensing various phenomena.
Access Gateway Layer
This layer helps to bridge the gap between two endpoints by carrying out message routing, message identification, and subscribing. The initial data handling also takes place in this layer.
Internet Layer
This is a crucial layer as it serves as the main component in carrying out communication between two endpoints or back-end data sharing.
Middleware Layer
This layer sits in the middle of the application layer and the hardware layer, thus behaving as an interface between these two layers.
Application Layer
This layer, placed at the top of the stack, is responsible for the delivery of services to the relevant users
Short Range Wireless Technologies
- Bluetooth Low Energy (BLE)
- Light-Fidelity (Li-Fi)
- Near Field Communication (NFC)
- QR Codes and Barcodes
- Radio-Frequency Identification (RFID)
- Thread
- WiFi
- WiFi Direct
- Z-Wave
- Zigbee
- ANT
Bluetooth Low Energy
A wireless personal area network.
Light-Fidelity (Li-Fi)
Li-Fi is like Wi-Fi with only two differences: the mode of communication and the speed. Li-Fi is a Visible Light Communications (VLC) system that uses common household light bulbs for data transfer at a very high speed.
Near Field Communication (NFC)
NFC is a type of short-range communication that uses magnetic field induction to enable communication between two electronic devices.
QR Code and Bar Code
These codes are machine-readable tags that contain information about the product or item to which they are attached. A quick response code, or QR code, is a two-dimensional code that stores product information and can be scanned using smartphones, whereas a barcode comes in both one-dimensional (1D) and two-dimensional (2D) forms of code.
Radio-Frequency Identification (RFID)
RFID stores data in tags that are read using electromagnetic fields
Thread
Thread is an IPv6-based networking protocol for IoT devices. Its main purpose is home automation, so that devices can communicate with each other on local wireless networks.
Wi-Fi
Wi-Fi is a technology that is widely used in wireless local area networking (LAN)
Wi-Fi Direct
This is used for peer-to-peer communication without the need for a wireless access point. Wi-Fi direct devices start communication only after deciding which device will act as an access point.
Z-Wave
Z-Wave is a low-power, short-range communication designed primarily for home automation. It provides a simple and reliable way to wirelessly monitor and control household devices
Zigbee
This is another short-range communication protocol based on the IEEE 802.15.4 standard. Zigbee is used in devices that transfer data infrequently at a low rate in a restricted area and within a range of 10-100 m.
Adaptive Network Topology (ANT)
A multicast wireless sensor network technology mainly used for short-range communication between devices related to sports and fitness sensors
Medium-Range Wireless Communication Technologies
- HaLow
- LTE-Advanced
- 6LoWPAN
HaLow
This is another variant of the Wi-Fi standard; it provides an extended range, making it useful for communications in rural areas. It offers low data rates, thus reducing the power and cost of transmission.
LTE-Advanced
LTE-Advanced is a standard for mobile communication that provides enhancement to LTE, focusing on providing higher capacity in terms of data rate, extended range, efficiency, and performance.
IPv6 over Low-Power Wireless Personal Area Networks
An Internet protocol used for communication between smaller and low-power devices with limited processing capacity
Quick UDP Internet Connections (QUIC)
Multiplexed connections between IoT devices over the User Datagram Protocol (UDP); they provide security equivalent to SSL/TLS.
Long-Range Wireless Communication Technologies
- LPWAN (LoRaWAN, Sigfox, Neul)
- VSAT
- Cellular
- MQTT
- NB-IoT
Low Power Wide Area Networking (LPWAN)
A wireless telecommunication network, designed to provide long-range communications between two endpoints
Low Power Wide Area Networking (LPWAN) Technologies and Protocols
- LoRaWAN
- Sigfox
- Neul
Long Range Wide Area Network (LoRaWAN)
Used to support applications such as mobile, industrial machine-to-machine, and secure two-way communications for IoT devices, smart cities, and healthcare applications
Sigfox
This is used in devices that have short battery life and need to transfer a limited amount of data
Neul
This is used in a tiny part of the TV white space spectrum to deliver high-quality, high-power, high-coverage, and low-cost networks
Very Small Aperture Terminal (VSAT)
VSAT is a communication protocol that is used for data transfer using small dish antennas for both broadband and narrowband data
Cellular
Cellular is a type of communication protocol that is used for communication over a longer distance. It is used to send high-quality data but with the drawbacks of being expensive and having high power consumption
Message Queuing Telemetry Transport (MQTT)
MQTT is an ISO standard lightweight protocol used to transmit messages for long-range wireless communication. It helps in establishing connections to remote locations, for example via satellite links
Narrowband IoT (NB-IoT)
NB-IoT is a variant of LoRaWAN and Sigfox that uses more enhanced physical layer technology and the spectrum used for machine-to-machine communication
Wired Communication Technologies
- Ethernet
- Multimedia over Coax Alliance (MoCA)
- Power-Line Communication (PLC)
Ethernet
Ethernet is the most commonly used type of network protocol today. It is a type of LAN (Local Area Network) that consists of a wired connection between computers in a small building, office, or campus
Multimedia over Coax Alliance (MoCA)
MoCA is a type of network protocol that provides high-definition videos and related content to homes over existing coaxial cables
Power-Line Communication (PLC)
This is a type of protocol that uses electrical wires to transmit power and data from one endpoint to another
IoT OSs
- Windows 10 IoT
- Amazon FreeRTOS
- Fuchsia
- RIOT
- Ubuntu Core
- ARM Mbed OS
- Zephyr
- Embedded Linux
- NuttX RTOS
- Integrity RTOS
- Apache Mynewt
- Tizen
IoT Application Protocols
- Constrained Application Protocol (CoAP)
- Edge
- LWM2M
- Physical Web
- Mihini/M3DA
- XMPP
Constrained Application Protocol (CoAP)
Constrained Application Protocol (CoAP) is a web transfer protocol used to transfer messages between constrained nodes and IoT networks. This protocol is mainly used for machine-to-machine (M2M) applications such as building automation and smart energy.
Edge
Edge computing helps the IoT environment to move computational processing to the edge of the network, allowing smart devices and gateways to perform tasks and services from the cloud end. Moving computational services to the edge of the network improves content caching, delivery, storage, and management of the IoT.
Lightweight Machine-to-Machine (LWM2M)
Lightweight Machine-to-Machine (LWM2M) is an application-layer communication protocol used for application-level communication between IoT devices; it is used for IoT device management
Physical Web
Physical Web is a technology used to enable faster and seamless interaction with nearby IoT devices. It reveals the list of URLs being broadcast by nearby devices with BLE beacons
eXtensible Messaging and Presence Protocol (XMPP)
XMPP is an open technology for real-time communication used for IoT devices.
Mihini/M3DA
Mihini/M3DA is a software used for communication between an M2M server and applications running on an embedded gateway. It allows IoT applications to exchange data and commands with an M2M server
IoT Communication Models
- Device-to-Device Communication Model
- Device-to-Cloud Communication Model
- Device-to-Gateway Communication Model
- Back-End Data-Sharing Communication Model
Device-to-Device Communication Model
In this type of communication, inter-connected devices interact with each other through the Internet, but they predominantly use protocols
Device-to-Cloud Communication Model
In this type of communication, devices communicate with the cloud directly, rather than directly communicating with the client to send or receive data or commands.
Device-to-Gateway Communication Model
In the device-to-gateway communication model, the IoT device communicates with an intermediate device called a gateway, which in turn communicates with the cloud service. This gateway device could be a smartphone or a hub that is acting as an intermediate point, which also provides security features and data or protocol translation.
Back-End Data-Sharing Communication Model
This type of communication model extends the device-to-cloud communication type such that the data from the IoT devices can be accessed by authorized third parties. Here, devices upload their data onto the cloud, which is later accessed or analyzed by third parties.
Challenges of IoT
- Lack of Security and Privacy
- Vulnerable Web Interfaces
- Legal, Regulatory, and Rights Issues
- Default, Weak, and Hardcoded Credentials
- Clear Text Protocols and Unnecessary Open Ports
- Coding Errors (Buffer Overflow)
- Storage Issues
- Difficult-to-Update Firmware and OS
- Interoperability Standard Issues
- Physical Theft and Tampering
- Lack of Vendor Support for Fixing Vulnerabilities
- Emerging Economy and Development Issues
- Handling of Unstructured Data
- Scalability
- Power Consumption
- Regulatory Compliance
- Integration with Legacy Systems
OWASP Top 10 IoT Threats
1. Weak, Guessable, or Hardcoded Passwords
2. Insecure Network Services
3. Insecure Ecosystem Interfaces
4. Lack of Secure Update Mechanisms
5. Insecure or Outdated Components
6. Insufficient Privacy Protection
7. Insecure Data Transfer and Storage
8. Lack of Device Management
9. Insecure Default Settings
10. Lack of Physical Hardening
OWASP IoT Attack Surface Areas
1. Ecosystem (General)
2. Device Memory
3. Device Physical Interface
4. Device Web Interface
5. Device Firmware
6. Device Network Services
7. Administrative Interface
8. Local Data Storage
9. Cloud Web Interface
10. Third-party Backend APIs
11. Update Mechanism
12. Mobile Application
13. Vendor Backend APIs
14. Ecosystem Communication
15. Network Traffic
16. Authentication/Authorization
17. Privacy
18. Hardware (Sensors)
OWASP IoT vulnerabilities
1. Username Enumeration
2. Weak Passwords
3. Account Lockout
4. Unencrypted Services
5. 2FA
6. Poorly Implemented Encryption
7. Update Sent without Encryption
8. Update Location Writable
9. DoS
10. Removal of Storage Media
11. No Manual Update Mechanism
12. Missing Update Mechanism
13. Firmware Version Display and/or Last Update Date
14. Firmware and Storage Extraction
15. Manipulating the Code Execution Flow of the Device
16. Obtaining console access
17. Insecure Third-Party Components
Username Enumeration
Ability to collect a set of valid usernames by interacting with the authentication mechanism
IoT Threats
- DDoS Attack
- Attack on HVAC Systems
- Rolling Code Attack
- BlueBorne Attack
- Jamming Attack
- Remote Access using Backdoor
- Remote Access using Telnet
- Sybil Attack
- Exploit Kits
- MITM Attack
- Replay Attack
- Forged Malicious Device
- Side channel attack
- Ransomware attack
- Client impersonation
- SQLi
- SDR-Based Attack
- Fault Injection Attack
- Network Pivoting
- DNS Rebinding Attack
- Firmware Update (FOTA) Attack
Rolling Code Attack
An attacker jams and sniffs the signal to obtain the code transferred to a vehicle's receiver; the attacker then uses it to unlock and steal the vehicle
BlueBorne Attack
Attackers connect to nearby devices and exploit the vulnerabilities of the Bluetooth protocol to compromise the device
Jamming Attack
An attacker jams the signal between the sender and the receiver with malicious traffic that makes the two endpoints unable to communicate with each other
Sybil Attack
An attacker uses multiple forged identities to create a strong illusion of traffic congestion, affecting communication between neighboring nodes and networks
MITM Attack
An attacker pretends to be a legitimate sender, intercepts all communication between the sender and receiver, and hijacks the communication
Replay Attack
Attackers intercept legitimate messages from valid communication and continuously send the intercepted message to the target device to perform a denial-of-service attack or crash the target device
Side channel attack
Attackers perform side-channel attacks by extracting information about encryption keys by observing the emission of signals
Ransomware attack
Ransomware is a type of malware that uses encryption to block a user's access to his/her device either by locking the screen or by locking the user's files
SQLi
Attackers perform SQL injection attacks by exploiting vulnerabilities in the mobile or web applications used to control the IoT devices, to gain access to the devices and perform further attacks on them
SDR-Based Attack
Using a software-based radio communication system, an attacker can examine the communication signals passing through the IoT network and can send spam messages to the interconnected devices.
Fault Injection Attack
A fault injection attack occurs when an attacker tries to introduce fault behavior in an IoT device, with the goal of exploiting these faults to compromise the security of that device
Network Pivoting
An attacker uses a malicious smart device to connect and gain access to a closed server, and then uses that connection to pivot to other devices and network connections to the server to steal sensitive information
DNS Rebinding
DNS rebinding is a process of obtaining access to a victim's router using a malicious JavaScript code injected on a web page.
Firmware Update (FOTA) Attack
Attacker intercepts and manipulates the firmware update process to inject malicious code.
Rolling/Hopping Code
The code that locks or unlocks a car or garage is called a rolling code or hopping code
Software Defined Radio (SDR)
SDR is a method of generating radio communications and implementing signal processing using software (or firmware), instead of the usual method of using hardware.
Cryptanalysis Attack
In this attack, the procedure used by the attacker is the same as in a replay attack except for one additional step, reverse-engineering the protocol to obtain the original signal.
Reconnaissance Attack
This is an addition to a cryptanalysis attack. In this attack, information can be obtained from the device's specifications. All IoT devices that run through RF signals must be certified by their country's authority, and then they officially disclose an analysis report of the device. Designers often prevent this kind of analysis by obscuring any identification marks from the chipset. Therefore, the attacker makes use of multimeters to investigate the chipset and mark out some identifications, such as ground pins, to discover the product ID and compare it with the published report.
Types of Fault Injection Attacks
- Optical, Electromagnetic Fault Injection (EMFI), Body Bias Injection (BBI)
- Power/Clock/Reset Glitching
- Frequency/Voltage Tampering
- Temperature Attacks
Optical, Electromagnetic Fault Injection (EMFI) and Body Bias Injection (BBI) Attacks
The main objective of these attacks is to inject faults into devices by projecting lasers and electromagnetic pulses that are used in analog blocks such as random number generators (RNGs) and for applying high-voltage pulses. These faults are then used by the attackers in compromising the system security
Power/Clock/Reset Glitching
These types of attacks occur when faults or glitches are injected into the power supply that can be used for remote execution, also causing the skipping of key instructions. Faults can also be injected into the clock network used for delivering a synchronized signal across the chip.
Frequency/Voltage Tampering
In these attacks, the attackers try to tamper with the operating conditions of a chip, and they can also modify the level of the power supply and alter the clock frequency of the chip. The intention of the attackers is to introduce fault behavior into the chip to compromise the device security.
Temperature Attack
Attackers alter the operating temperature of the chip, thereby changing its whole operating environment. This attack runs the chip under non-nominal conditions
IoT Hacking Methodology Phases
1. Information Gathering
2. Vulnerability Scanning
3. Launch Attacks
4. Gain Remote Access
5. Maintain Access
NAND Glitching
NAND glitching is the process of gaining privileged root access while booting a device, which can be performed by making a ground connection to the serial I/O pin of a flash memory chip
Operational technology (OT)
OT is a combination of hardware and software that is used to monitor, run, and control industrial process assets
Zones and Conduits
Zones and conduits is a network segregation technique used to isolate networks and assets to impose and maintain strong access control mechanisms
Business Network
An enterprise or business network comprises a network of systems that offer an information infrastructure to the business.
Industrial Network
OT generally comprises a collection of automated control systems. These systems are networked to achieve a business objective. A network comprising these systems is known as an industrial network.
Network Perimeter
The network perimeter is the outermost boundary of a network zone. It acts as a point of separation between the interior and exterior of a zone.
Electronic Security Perimeter
An Electronic Security Perimeter refers to a boundary between secure and insecure zones
Critical Infrastructure
Critical infrastructure refers to a collection of physical or logical systems and assets, the failure or destruction of which will severely impact security, safety, the economy, or public health
Industrial Control System (ICS)
An ICS often refers to a collection of different types of control systems and their associated equipment, such as systems, devices, networks, and controls used to operate and automate several industrial processes
ICS Operation Modes
- Open Loop
- Closed Loop
- Manual Loop
Open Loop
The output of the system depends on the preconfigured settings
Closed Loop
The output always has an effect on the input to acquire the desired objective
Manual Loop
The system is totally under the control of humans
Components of ICS
- Distributed Control System (DCS)
- Supervisory Control and Data Acquisition (SCADA)
- Programmable Logic Controller (PLC)
- Basic Process Control System (BPCS)
- Safety Instrumented Systems (SIS)
Distributed Control System (DCS)
A DCS is used to control production systems spread within the same geographical location. Such systems are primarily used for large, complex, and distributed processes. A DCS is generally a highly engineered and large-scale control system that is often used to perform an industry-specific task
Supervisory Control and Data Acquisition (SCADA)
SCADA is a centralized supervisory control system that is used for controlling and monitoring industrial facilities and infrastructure. Many organizations incorporate SCADA systems for the automation of complex industrial processes, measuring trends in real time, and the detection and correction of problems. Generally, SCADA systems are distributed over a wide geographical area.