Learn the different attack vectors for IoT devices and ways to exploit the vulnerabilities.

1. IOT SECURITY
ASSESSMENT:
PENTESTER’S
APPROACH
Jatan Raval
Is Smart Home Safe?

2. IoT Device Concept

3. IoT Device Concept

4. Attack Surfaces on IoT
● Hardware Level
● Software Level
● Communication Protocol Analysis

5. Hardware Level Attack Vectors
● Hardware Level
○ Gaining shell via debug points
■ Identifying the communication points
(Tx, Rx)
○ Dumping firmware from the memory chip
■ De-soldering the component and read
the content.
○ Fault Injection
■ Voltage/Clock Glitching
■ Optical Fault Injection
■ Electromagnetic Fault Injection

6. Software Level Attack Vectors
● Software Level
○ Getting sensitive information from the
firmware
○ Modifying the firmware
○ Updating the malicious firmware
○ Gaining shell via default password
○ Emulate the firmware
○ Hook the function and understand the
logic

7. Communication Attack Surface
● Communication Level
○ Sniffing
○ Injection attack
○ Fuzzing the protocol
○ Replay Attack
○ MiTM

8. Smart Home Automation

9. Pentester’s Approach
● Understanding the Architecture
● Identifying the attack vectors on the Smart switch
● Observing Hardware details
● Extracting Firmware from the chip
● Analyzing the firmware for the sensitive information
● Getting into the network
● Understanding the communication
● Duplicating the communication and controlling the switch

10. Hardware Level - Identifying the Hardware details
● Open the IoT device hardware
● Identify each component
● Identify the ways to communicate with chip
● Identify the model of CPU/SPI
● To communicate with CPU/SPI download the
datasheet and understand the way to
communicate with CPU.

11. Download the firmware via onboard pins
● Identify the on board pins to communicate with
CPU

12. Download the firmware via onboard pins
● Solder the headers to connect

13. Download the firmware via onboard pins
● Download the required tools to dump the firmware

14. Download the firmware via onboard pins
● Connect the pins to the USB-TTL and connect to the laptop.

15. Download the firmware via onboard pins
● Download the firmware

16. Download the Firmware via desoldering SPI
● Identify the SPI which stores the firmware

17. Download the Firmware via desoldering SPI
● De-solder the SPI from the PCB

18. Download the Firmware via desoldering SPI
● Put the SPI into the SPI reader

19. Download the Firmware via desoldering SPI
● Read the entire chip content

20. Firmware Analysis
● Try to search for the WiFi password to enter into the network.
Password
Password
SSID
SSID

21. Connecting to the Network

22. Communication Protocol Analysis
● Identify and understand the protocol being used for the communication

23. Communication Protocol Analysis
● Sniff the packets between the Mobile Application and Switch
● Create the duplicate request
● Send it to the Switch IP and check the status.

24. Packet Duplication
● We need to perform MiTM attack to sniff the traffic between the
application and Switch.

25. Packet Duplication
● Sniff the traffic between application and Switch

26. Packet Duplication
● Send the duplicate request from our machine and we get a success
response

27. Alternative Ways
1. Use frida to hook the exact function which creates the request
○ Helps in understanding the encryption logic
○ Control other switches
2. Use scapy to create network packet and send it to switch
○ Understand the packet structure

28. Q & A