IoT attack surface
Device
Authentication
Sensor interface (The interface to the physical world)
Monitor (pulse, motion, temp, etc.)
Control (locks, dispenser, etc)
Hybrid - combination of monitor and control (temperature control, lights based on the time of day, etc.)
Data derived from the physical world will be transferred to the cloud
Critical interface
Storage
Microcontroller Internal Memory
SRAM
EEPROM
FLASH
External
SD Card
USB
Volatile (RAM)
SRAM (Static Random Access Memory)
- Holds data which is lost when the chip is powered off
DRAM (Dynamic Random Access Memory)
- Data is held only for a short period and is lost unless it is refreshed at run-time; shorter retention than SRAM
Persistent
EPROM
EEPROM
FLASH
Peripheral interfaces
Encryption
Hardware Communication interfaces
UART (Universal asynchronous receiver-transmitter)
- In many devices, UART ports are left open
Used for diagnostics, log messages, and as a debug console for verifying configurations
One of the most common sources of input in firmware
Root access is commonly granted once connected, but there are times when UART access is password protected
A UART has about eight data lines with control pins, plus two serial wires for receive and transmit data (RX/TX)
UART pinouts on the PCB are TX, RX, Vcc (voltage), and GND (ground)
For protection, some manufacturers may remove the UART header pins from the PCB, or cover the UART header pins with layers of silkscreen and place another integrated circuit over the headers
Microcontroller Debug port
- Uses special pins connected to pin-outs on the board. Used by developers to debug, read/write firmware and internal memory, and control/test pins post-production.
One of the most critical attack surfaces
Standard interfaces
JTAG (Joint Test Action Group)
TMS pin - Test Mode Select
TCK pin - Test Clock
TDI pin - Test Data In
TDO pin - Test Data Out
TRST pin - Test Reset (optional pin)
These pins are used to communicate with the TAP (Test Access Port), which controls the state machine used when accessing registers on the chip
Used as a source of debugging, similar to UART
JTAG access can be password protected, but the BYPASS instruction should still work
Firmware can be dumped for analysis or upgraded using JTAG, and devices like flash or RAM can be directly accessed
cJTAG (Compact JTAG)
Backward compatible with JTAG
Uses only the TCK and TMS pins
New TAP
SWD (Serial Wire Debug)
SWDIO (Bidirectional)
SWCLK (clock)
This is an ARM-specific protocol that uses the ARM CPU standard bidirectional wire protocol, defined in the ARM Debug Interface v5.
More efficient than JTAG
SPI (Serial Peripheral Interface)
Short distance communication protocol
Master-Slave (single master) architecture
Four-wire bus: SCLK (clock), MOSI (master out, slave in), MISO (master in, slave out), and SS (slave select)
I2C (Inter-Integrated Circuit)
Short distance communication protocol
Master-Slave (multi-master) architecture
Two-wire bus: SDA (Serial Data) and SCL (Serial Clock)
USB communication interface
Other hardware interfaces
D-Subminiature
Recommended Standards - RS protocol
On-Board Diagnostics (OBD)
Network Communication
WiFi
Ethernet
Radio
(Those that require a gateway, like Smart Hubs that implement both WiFi and Radio)
Communication
Simple / Unstructured
Use simple (mostly proprietary) data streams and send them across the radio interface
Easy to sniff using a radio hardware tool like an SDR (Software Defined Radio)
Complex / Structured
Use structured packets for radio communication, which are more complex since they carry additional metainformation about the protocol
Bluetooth (and BLE), ZigBee, Z-Wave, NFC, RFID, LoRa, WirelessHART
Human-machine interfaces (HMI), e.g. touch screen, pushbutton, touchpad
Cloud
Generic mobile vulnerabilities (OWASP Mobile Top 10, etc.)
Generic web/cloud vulnerabilities (OWASP Web Top 10, etc.)
Authentication
Storage
Encryption
Communication
Communication (protocol only)
Authentication
Deviation from protocol standard
Encryption
Protocol implementation anomalies
Web (HTTP(S) protocol)
Other protocols
CoAP
MQTT
AMQP
CANbus
WebSocket
Modbus
HL7
Profibus
BACnet
DNP3
UPnP
DNS
XMPP
SSH
etc.
Mobile (app)
Storage
Authentication
Encryption
Communication
Generic mobile vulnerabilities (OWASP Mobile Top 10, etc.)
Payatu IoT Top 10 Vuln
P1. Hardcoded Sensitive information
Credentials - of device services, cloud services, etc.
Encryption keys - private keys, symmetric encryption keys
Certificates - client certificates, etc.
API keys - private/paid APIs
URLs - development, firmware related, user related, backend, etc.
Configuration
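An added example (not from the Payatu or OWASP material) of auditing for the P1 categories above: a stdlib-only Python scanner that looks for URLs, credentials, private keys, certificates and random-looking tokens in a firmware blob. The blob and the detection patterns are constructed for illustration; real audits would tune them per device.

```python
import math
import re

# Constructed stand-in for a firmware image (not any real device's firmware):
# a fake ELF-like header followed by a few null-terminated data items.
SAMPLE_FIRMWARE = (
    b"\x7fELF\x02\x01\x01" + b"\x00" * 16
    + b"mqtt://broker.internal.example/ota\x00"   # backend / firmware URL
    + b"admin:Passw0rd!\x00"                       # device service credential
    + b"-----BEGIN RSA PRIVATE KEY-----\x00"       # embedded private key
    + b"-----BEGIN CERTIFICATE-----\x00"           # embedded client certificate
    + b"k7Qz2pL9vX4mR8tB1nW6yH3cJ5dF0gS2\x00"      # random-looking API key / token
    + b"\x00\xff" * 32
)

# Illustrative signature patterns for the P1 categories; the entropy check
# below catches keys and API tokens that have no recognisable prefix.
PATTERNS = {
    "url": rb"[a-z][a-z0-9+.-]*://[^\s\x00\"']{4,}",
    "credential": rb"(?:user|admin|root|passw(?:or)?d|pwd)[^\x00\s]{0,32}[:=][^\x00\s]{4,}",
    "private_key": rb"-----BEGIN [A-Z ]*PRIVATE KEY-----",
    "certificate": rb"-----BEGIN CERTIFICATE-----",
}


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; random keys score near log2(alphabet size)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(data.count(b) / n * math.log2(data.count(b) / n) for b in set(data))


def scan_firmware(blob: bytes, min_len: int = 16, entropy_threshold: float = 4.5):
    """Return (kind, offset, text) findings sorted by offset in the blob."""
    findings = []
    for kind, pattern in PATTERNS.items():
        for m in re.finditer(pattern, blob, re.IGNORECASE):
            findings.append((kind, m.start(), m.group().decode("ascii", "replace")))
    covered = [(off, off + len(text)) for _, off, text in findings]
    # Long printable runs that match no pattern but look random are
    # candidate symmetric keys or API tokens.
    for m in re.finditer(rb"[\x21-\x7e]{%d,}" % min_len, blob):
        if any(a <= m.start() < b for a, b in covered):
            continue
        if shannon_entropy(m.group()) >= entropy_threshold:
            findings.append(("high_entropy", m.start(), m.group().decode("ascii")))
    return sorted(findings, key=lambda f: f[1])


if __name__ == "__main__":
    for kind, offset, text in scan_firmware(SAMPLE_FIRMWARE):
        print(f"{offset:#08x} {kind:12s} {text}")
```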
P2. Enabled hardware debug ports
The level of interaction and privilege is dependent on the type of protocol and its usage
P3. Insecure Firmware
Refers to the way firmware is managed, not specifically to vulnerabilities in the firmware code
If the firmware at rest (in storage) or in motion (updates) is not properly encrypted, an attacker can access the plaintext firmware
Issues
Firmware is stored in plaintext on memory chips
Firmware is not signed and/or bootloader does not verify the integrity of the firmware before loading
Firmware updates are transported over a plaintext communication protocol. Ex: HTTP
Firmware updates are transported in plaintext from the cloud or mobile to the device
Firmware encrypted with a single symmetric key for all the device instances
Firmware encryption keys transferred along with the update to device
A properly implemented PKI (Public Key Infrastructure) based system can ensure optimum security. However, low-power sensors lack the computation for PKI, and the key can still be extracted if the device has other vulnerabilities
P4. Insecure data storage
Issues
Sensitive data stored in plaintext on memory chips
Sensitive data stored encrypted, but the encryption key is accessible
Custom encryption used to encrypt data
No access control for modifying data
Insecure data storage in mobile app
P5. Insufficient authentication
Issues
No client authentication
Authentication over plaintext communication channel
Improper encryption used for credentials
Predictable credentials
Default credentials
P6. Insecure communication
Issues
Unencrypted communication while sharing sensitive information
Using custom encryption
Using custom/proprietary protocols
Improper encryption used
Using protocol default (weak) security mode
Using protocol with known issues
Replay issues
P7. Insecure configuration
Issues
Using default insecure configuration
Disallowing integrators and/or users from modifying the configuration
Insecure low-level protocol and hardware configuration in released products
Insecure encryption modes and settings
Low or no visibility into which of the user's personal data is shared or stored
P8. Insufficient data input filtration
P9. Insecure mobile interface
P10. Insecure cloud/web interface
OWASP Internet of Things (IoT) Top 10 2018
I1 Weak, Guessable, or Hardcoded Passwords
I2 Insecure Network Services
I3 Insecure Ecosystem Interfaces
I4 Lack of Secure Update Mechanism
I5 Use of Insecure or Outdated Components
I6 Insufficient Privacy Protection
I7 Insecure Data Transfer and Storage
I8 Lack of Device Management
I9 Insecure Default Settings
I10 Lack of Physical Hardening
References
Hands-on Internet of Things Hacking (Payatu)
OWASP Internet of Things (IoT) Top 10 2018 [https://wiki.owasp.org/index.php/OWASP_Internet_of_Things_Project#tab=IoT_Top_10]
OWASP Top 10 Web Application Security Risks 2021 [https://owasp.org/www-project-top-ten/]
OWASP Top 10 Mobile Risks 2016 [https://owasp.org/www-project-mobile-top-10/]
fccid.io [https://fccid.io/]
Note
FCC / FCC ID
The FCC (fccid.io) publishes various design documents, datasheets, internal images, external images, test reports, various manuals, wireless frequencies, and more
An FCC ID is a unique identifier assigned to a device registered with the United States Federal Communications Commission
Used to view the PCB and locate components in an IoT device