What is IoT? How is IoT penetration testing carried out?
Internet of things (IoT) is a network of physical objects that are embedded with sensors, smart software’s and artificial intelligence technology with an intention of connecting them to different physical devices and exchanging information and data through the internet These devices include everything from ordinary household objects to sophisticated and complex industrial tools. It is estimated that more than 7 billion objects are connected over the internet and is estimated to grow to 22 billion by the year 2025.
Why are IoT devices so useful and important?
IoT is basically based on the principle that the digital world is seamlessly integrating with the physical world. We can connect everyday objects and devices such as cars, kitchen appliances, smart watches, speakers, thermostats et al via embedded devices which ensure seamless communication between the devices. Low-cost computing, cloud technology, big data, data analytics and evolving mobile technologies, ensure that the devices can share and collect data in an automated way without human intervention. The internet gives the devices the medium to record, monitor and adjust interaction between the connected devices.
IoT products and devices are no exception for security vulnerabilities and can be attacked just like the other devices. IoT devices should be tested for vulnerabilities and should have the same security standards as the rest of the devices. As the number of IoT devices are expected to grow exponentially, not having secured IoT devices can be catastrophic. Symantec’s internet security study conducted in 2019 shows that IoT attacks have increased by 600% in the past three years. On an average nearly 5200 devices are attacked in a month and 90% of these attacks are connected to routers and embedded cameras. IoT attacks are critical as it may lead to data leaks and unauthorised use of data for criminal activities. As these devices are connected with our daily lives, securing them is a must. Penetration testing can ensure that these devices are without any vulnerabilities and secure.
Penetration testing on IoT devices
The following are OWASP’s ten things to avoid when building, deploying or managing IoT devices. This list can provide as a reference to check list when performing a penetration testing on IoT devices.
- Weak, Easily Guessable, or Hardcoded Passwords.
- Insecure Network Services.
- Insecure Ecosystem Interfaces.
- Lack of Secure Update Mechanism
- Use of Insecure or Outdated Components.
- Insufficient Privacy Protection.
- Insecure Data Transfer and Storage.
- Lack of Device Management
- Insecure Default Settings
- Lack of Physical Hardening
IoT pen testing is assessment and exploitation of various components in an IoT device to check for vulnerabilities and make it more secure. There are three types of attacks on an IoT device and its embedded systems, they are software attacks, non-invasive hardware attacks and invasive hardware attacks. The software attacks include attacks on the firmware and targeting its vulnerabilities. The second type of attack includes extracting data from the hardware without damaging it whereas the third type involves opening or destroying the hardware to infiltrate and extract the data. Here is a list of tests conducted to check for vulnerabilities and weaknesses:
Software attacks:
Detecting exposed communication ports which are poorly protected: The ports in the IoT devices are sometimes left open due to an oversight or for debugging. Shodan, a search engine for connected devices on the net gives an overview of the system that are connected to each other. You can search for default credentials of your device and collect information about your devices and other services. Tools like Nmap, a port scanner enables the pen tester to check for open ports that are not secured. Monitoring the data traffic also makes it possible for the tester to monitor different ports and check whether they are secured or not. Open ports indicate vulnerabilities connected to the internal systems which can be exploited.
Sniffing: The devices use a wireless interface or communication mode in the form of packets to exchange data and information. Wireshark, a packet analysis tool intercepts the packets which are being transmitted to and fro from the source device to different IoT devices and retrieves information from them. During a pen test, the packet analyser prevents encryption of the data and looks for critical information such as passwords, keys and hashes which can be exploited.
Detecting backdoors and configuration interfaces: Configuration interfaces are designed for a product to make it easier for the developer to test and modify the product. But the developers sometime fail to secure this interface and leave a backdoor open for an attack. Pen testers use sniffing to detect these interfaces by isolating data exchanges.
Buffer overflow: Buffer overflow is writing data onto the buffers of the embedded systems beyond its capacity. This results in the adjacent memory space being rewritten as buffers have relatively low memory capacity. This leaves the embedded system open, and the attacker can then send malicious code to the rewritten part of the buffer. Pen test enables testing of buffers with larger values and thus detects vulnerabilities and weaknesses which the attackers can exploit.
Password breaking: Bypassing passwords or breaking it is possible in IoT devices cause the default passwords are in use since the product development phase. Also, the same password is used across multiple devices which makes it easier for the hacker to hack into multiple devices. Pen testing use password directories and brute force method to crack the passwords and check the password strength.
Debugging: Often debugging interfaces are still open and available on the IoT devices which are targeted. Accessing this interface will save the attackers a lot of time and give them direct control over the device. Pen testing checks if the devices still have their debugging interfaces open and alerts the organisation.
Firmware modification: IoT devices have many vulnerabilities which can be exploited. One such vulnerability is the firmware modification which includes malware injection into the firmware, conducting memory dumps, study the memory interface through reverse engineering and injecting the malicious code into the memory and then put the code back to the device which will execute the malware script and infiltrate the system giving access to the attackers.