Usually, when you read an IoT hacking report or blog post, it ends with something along the lines of, "and that's how I got root," or "and there was a secret backdoor credential," or "and every device in the field uses the same S3 bucket with no authentication." You know, something bad, and the whole reason for publishing the research in the first place. While such research is of course interesting, important, and worth publishing, we pretty much never hear about the other outcome: the IoT hacking projects that didn't uncover something awful, but instead ended up with, "and everything looked pretty much okay."
So, this HaXmas, I decided to dig around a little in Rapid7's library of IoT investigations that never really went anywhere, just to see which tools were used. The rest of this blog post is basically a book report of the tooling used in a recent engagement performed by our own Jonathan Stines, and can be used as a starting point if you're interested in getting into some casual IoT hacking yourself. Even though this particular engagement didn't go anywhere, I had a really good time reading along with Stines' investigation on a smart doorbell camera.
While Burp Suite might be a familiar mainstay for web app hackers, it has a pretty critical role in IoT investigations as well. The "I" in IoT is what makes these Things interesting, so checking out what and how those gadgets are chatting on the internet is pretty critical in figuring out the security posture of those devices. Burp Suite lets investigators capture, inspect, and replay conversations in a proxied context, and the community edition is a great way to get started with this kind of manual, dynamic analysis.
While Burp is great, if the IoT mobile app you're looking at (rightly) uses certificate pinning in order to secure communications, you won't get very far with its proxy capabilities. In order to deal with this, you'll need some mechanism to bypass the application's pinned cert, and that mechanism is Frida. While Frida might be daunting for the casual IoT hacker, there's a great HOWTO by Vedant that provides some verbose instructions for setting up Frida, adb, and Burp Suite in order to inject a custom SSL certificate and bypass that pesky pinning. Personally, I had never heard of Frida or how to use it for this sort of thing, so it looks like I'm one of today's lucky 10,000.
When mucking about with firmware (the packaged operating system and applications that makes IoT devices go), Binwalk from Refirm Labs is the standard for exploring those embedded filesystems. In nearly all cases, a "check for updates" button on a newly opened device will trigger some kind of firmware download—IoT devices nearly always update themselves by downloading and installing an entirely new firmware—so if you can capture that traffic with something like Wireshark (now that you've set up your proxied environment), you can extract those firmware updates and explore them with Binwalk.
Allsocket eMMC153 chip reader
Now, with the software above, you will go far in figuring out how an IoT device does its thing, but the actual hands-on-hardware experience in IoT hacking is kinda the fun part that differentiates it from regular old web app testing. So for this, you will want to get your hands on a chip reader for your desoldered components. Pictured below is an Allsocket device that can be used to read both 153-pin and 169-pin configurations of eMMC storage, both of which are very common formats for solid-state flash memory in IoT-land. Depending on where you get it, they can run about $130, so not cheap, but also not bank-breaking.
Thanks again to Jonathan Stines, who did all the work that led to this post. If you need some validation of your IoT product, consider hiring him for your next IoT engagement. Rapid7's IoT assessment experts are all charming humans who are pretty great at not just IoT hacking, but explaining what they did and how they did it. And, if you like this kind of thing, drop a comment below and let me know—I'm always happy to learn and share something new (to me) when it comes to hardware hacking.
More HaXmas blogs
- Help Others Be "Cyber Aware" This Festive Season—And All Year Round!
- UPnP With a Holiday Cheer
- Metasploit Tips and Tricks for HaXmas 2020
- Top Security Recommendations for 2021
- Rapid7 Labs’ 2020 Naughty List Summary Report to Santa
- Taking Inspiration from Our Security Nation in an Otherwise Uninspiring Year
- Metasploit 2020 Wrap-Up
- Predicting the Unpredictable: What Will the Cybersecurity Space Look Like in 2021?