Hacking the IoT Isn’t Rocket Science
November 02, 2021
For strategies, advice, and best practices for securing your IoT devices, check out Embedded Computing Design’s IoT Device Security Conference, held on November 9 (and archived for viewing thereafter). These talks will help you accelerate your time to security. Along with my BG Networks colleagues, I'll present a talk titled Use Open Source to Secure Your IoT OS. We'll show how generally available open-source code can be used to secure your IoT devices and protect against the hacking tools mentioned here.
Are you aware how easy it is to hack an IoT device? Besides the obvious—most IoT devices lack security—it's easy due to a surprising array of software and hardware tools available to hackers that too often makes their job of finding and exploiting IoT vulnerabilities trivial. These tools exploit insecure interfaces, decompile firmware, and simulate and analyze code to find flaws leading to cyber-exploits. An IoT device without the proper cybersecurity can be hacked in a matter of hours, and if it has no cybersecurity, in minutes. At the recent DEFCON conference, some of the more notable IoT device hacks included Apple Air Tags, Sonos network audio devices, and Landis and Gyre electrical meters.
This article is the third installment of a series that examines real-world IoT hacks and how the exposed vulnerabilities can be addressed. The goal is to help you improve the cybersecurity of your IoT devices by presenting controls that would have mitigated the attacks. In the first article, Lessons Learned from the Colonial Pipeline Attack, we answer the question as to why a ransomware attack led to the shutdown of an operation technology system (i.e., the pipeline). The second, Automotive Cybersecurity: Progress, But Still Room for Improvement, reviewed how far automotive cybersecurity has progressed by comparing the level of effort and results of an attack from 5 years ago to one disclosed last year.
Here we'll review the tools cyber-adversaries use to attack IoT devices. The methods to expose real-world vulnerabilities in office phones will illustrate the use of these tools. By using both hardware and software tools, numerous flaws were found. However basic security features, including software updates and encrypting code, mitigate the attacks. In this case, the encryption of code is not only to protect sensitive data but also to protect the device's overall security from these hacking tools by making plain text listing of code nearly impossible to obtain.
Figure 1. Jtagulator: acceses open interfaces (JTAG, UART)
The work to find 40 vulnerabilities in 33 different VoIP office phones was done by Stephan Huber and Philipp Roskosch from Fraunhofer FIT and was presented at DEFCON 27. The vulnerability types found were diverse. There was a total of thirteen in all, including bad cryptography, stack overflows, and passwords that can be changed without authentication. The dumping of firmware from flash to gain access to plain text listings of code was used extensively. This helped immensely to reverse engineering efforts and to identify vulnerabilities. Both static and dynamic analysis was used on extracted plain text code. If these phones included secure boot, encryption of flash memory, and secure software updates, it would have made it much more difficult to access the plain text listings and find weaknesses to exploit.
Figure 2. BuSPIrate: accesses open interfaces (SPI, UART, JTAG)
Attempts to obtain plain text code is commonly one of the first steps hackers take. Because of the value of plain text listings, many different approaches are tried to extract it. In this research, one was to check if the firmware was available directly from the manufacturer. Another was to trigger a software update and if it was not encrypted, sniff the packets of the downloaded network traffic to obtain the plain text code listing. Updates sent using HTTPS (i.e., encrypted) close this vulnerability. A third approach and the one used most often was to obtain the code from the phone itself.
There are a surprising number of reverse engineering/hacking tools available. The phone research used tools to obtain root access, extract code, and emulate code extracted. The tools used to extract the code include BuSPIrate and JTAGulator. Both use serial terminals and a USB connection from a PC. BuSPIrate is described as an "open-source hacker multi-tool." It can interface to I2C, SPI, JTAG, and several others. JTAGulator will detect a connection to JTAG/IEEE 1149.1, ARM Single Wire Debug (SWD), or UART pins. When a board's debug interfaces are unknown, JTAGulator's detection capability makes it much easier to make a connection as it will automatically identify the interface type. It will run through different pin permutations and look for a match to one of these three protocols.
Figure 3. QEMU Open Source CPU Instruction Set and OS Emulator
Figure 4. Lightweight CPU Instruction Set Emulator that Builds on QEMU and Adds features
Once plain text code was extracted from the phones, software simulation tools were used. These included QEMU and Unicorn. QEMU is an open-source emulator/virtualizer that supports emulation of specific operating systems (Linux, Windows, etc..) and instruction sets (MIPS, ARM, x86). In this research, the ARM/MIPS processor core emulation capabilities of the QEMU tool were used with gdb to acquire traces of code. Unicorn is a CPU emulator based on QEMU but is lighter weight and offers several additional features, including instrumentation.
Figure 5. Reverse Complication Tool Developed by the NSA
Other emulation tools that were not used for the phone security research but are worth mentioning are Ghidra (developed by the NSA), IDA Pro, and Angr. Ghidra and IDA Pro are reverse engineering tools that support decompiling of binaries for several processor types, including x86, ARM, PPC, MIPS, MSP430, and AVR32. Angr is a Python framework for analyzing binaries. It uses static and dynamic symbolic analysis.
Figure 6. Angr: Tool for Static and Dynamic Symbolic Analysis of Code
Because of how easy these tools enable the reverse engineering of IoT devices, which reveals vulnerabilities in code, it is vital to protect IoT devices from exploitation by these tools. To protect against easy extraction of code, serial/JTAG interfaces should be locked. Furthermore, for a defense-in-depth approach, code should also be encrypted. This provides another layer of protection in case the interfaces to the device are compromised or other methods are used to compromise the non-volatile memories.
Multiple approaches were pursued to obtain the code from the flash memory of the various phones. BuSPIrate and JTAGultor devices were used to gain access through SPI, UART, or JTAG interfaces. UART interfaces were checked for a bootloader with a command interface or possible root access to a Linux shell. IP-based approaches lead to memory dumps and Telnet command injection yielded root access. If code in flash memory was encrypted, gaining access to the code listings would be more difficult.
Several vulnerabilities were exploited due to access to plain text code. Without these code listings, identification of these flaws would have been more difficult. They contributed to identifying the following vulnerabilities: remotely changing an admin password without authorization, a hardcoded key for admin password was found in the code, and a weak password encryption scheme. In another phone, a DES encryption scheme was used, which is not secure. DES was introduced over 40 years ago and now can be brute-forced in a reasonable amount of time (days) with a single, modern PC.
Many of the vulnerabilities presented in this work were exploited at run-time. This highlights the importance of also having good run-time protection, such as the use of trusted execution environments like TrustZone and Intrusion Detection System (IDS) software that can detect the change in the operation of the code due to an attack.
For more information on how to protect your IoT devices, check out our webinar that presents methods for implementing cybersecurity features quickly and correctly that shows a complete security architecture for IoT devices.