Ethical hacking: IoT hacking tools
IoT (Internet of Things) and embedded devices present a new challenge to ethical hackers hoping to understand the security vulnerabilities these devices contain. To hack IoT interfaces as well as the integrated applications, a person requires knowledge of Python, Swift and PHP, among others. Knowledge of these programming languages, combined with the use of some IoT hacking tools, will provide you with the ability to hack several types of IoT devices.
Useful IoT hacking tools
Hacking tools make ethical hacking convenient because they help in automating the steps involved. Certified hackers can use them to perform certain functions that aid in finding loopholes in a device. Knowledge of existing flaws can then be shared with the manufacturers to help fortify their defenses better.
With that in mind, here’s a look at some of the popular IoT hacking tools that are capable of making every ethical hacker’s job easier.
Because IoT devices rely on networks to communicate with each other and with external routers, it’s crucial to find a way to capture packets and debug network information in order to find vulnerabilities. That’s where Wireshark comes in handy. Using the Export Objects feature within the tool, you can extract all of the network communication from the collected pcap data to see if an attacker is attempting to sniff the traffic generated by the IoT device.
Wireshark also lets ethical hackers follow the TCP handshake that sets up a TCP communications channel, which helps in recognizing TCP reflection and DDoS amplification. Hosts being abused for TCP reflection DDoS can be identified within the network as those transmitting large quantities of SYN/ACK packets but receiving no response.
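The symptom described above, hosts sending many SYN/ACK packets that never get a reply, can be checked offline from a packet export. The following is an added example, not part of the original article or of Wireshark; the CSV column names, the flag letters and the threshold are assumptions, and the sample rows are constructed.

```python
import csv
import io
from collections import Counter

# Constructed sample: one row per TCP packet, as might be exported from a capture.
# Column names and the flag letters (S=SYN, A=ACK, R=RST) are assumptions.
SAMPLE_CSV = """\
src,dst,sport,dport,flags
192.168.1.20,192.168.1.50,51000,80,S
192.168.1.50,192.168.1.20,80,51000,SA
192.168.1.20,192.168.1.50,51000,80,A
192.168.1.50,203.0.113.7,80,40001,SA
192.168.1.50,203.0.113.7,80,40001,SA
192.168.1.50,203.0.113.7,80,40002,SA
192.168.1.50,203.0.113.7,80,40003,SA
192.168.1.50,203.0.113.7,80,40003,SA
"""


def load_rows(text):
    """Parse the CSV export into a list of dicts."""
    return list(csv.DictReader(io.StringIO(text)))


def unanswered_synacks(rows, threshold=3):
    """Return {host: count} for hosts with >= threshold SYN/ACKs that got no reply."""
    pending = Counter()  # (src, sport, dst, dport) -> SYN/ACKs still unanswered
    for r in rows:
        flags = set(r["flags"])
        conn = (r["src"], r["sport"], r["dst"], r["dport"])
        reverse = (r["dst"], r["dport"], r["src"], r["sport"])
        if flags == {"S", "A"}:
            pending[conn] += 1
        elif "S" not in flags and flags & {"A", "R"}:
            # The peer replied (ACK completes the handshake, RST refuses it).
            pending.pop(reverse, None)
    per_host = Counter()
    for (src, _sport, _dst, _dport), count in pending.items():
        per_host[src] += count
    return {host: n for host, n in per_host.items() if n >= threshold}


if __name__ == "__main__":
    for host, n in unanswered_synacks(load_rows(SAMPLE_CSV)).items():
        print(f"{host}: {n} SYN/ACK packets with no response")
```

The completed handshake with 192.168.1.20 is cleared by its final ACK, so only the device's unanswered SYN/ACKs are counted.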
Fiddler is an open-source tool that enables users to track, manipulate and reuse HTTP requests. Many utilize it for debugging to see the HTTP requests their system is sending to a site or a service. What a lot of ethical hackers don’t know is that it can actually be used as an HTTP proxy.
In Fiddler’s settings, there’s a “Connections” tab that lets users choose a “Remote Connections” option. After that option has been selected, you can go to an IoT device that lets you configure a proxy and tell it to use your computer’s IP address as the HTTP proxy. By performing these steps, you will ensure that all types of activities performed on that device are routed via Fiddler.
As a result, you can inspect the traffic between the server and the IoT device to look for issues like cleartext communication (which was found on the Nest thermostat).
Binwalk is a firmware extraction tool developed by Craig Heffner. It helps ethical hackers understand and analyze an IoT device’s firmware. Running binwalk on the firmware file of an embedded device will enable you to retrieve the contents of the file system and other data that is saved inside the firmware.
Once the contents are extracted, the versions of common binaries found in the firmware image can be analyzed to see whether a corresponding exploit exists. Binwalk utilizes the libmagic library, so it’s also compatible with magic signatures made for the Unix file utility.
Firmwalker is a bash script that scans the files extracted from the IoT firmware to see if they’re vulnerable. The only requirement is that the tool and the extracted firmware file should be in the same folder.
Once you put them in the same location, the output file generated by Firmwalker, firmwalker.txt, will highlight a list of potential issues, which can be any of the following:
- etc/ssl directory
- etc/passwd and etc/shadow
- configuration, script and other .bin files
- Keywords like remote, admin, password, etc.
- Common binaries like dropbear, tftp and ssh
- Common web servers present on IoT devices
- Random IP addresses, email IDs, and URLs
- Experimental ability to use Shodan CLI for making a call to Shodan API
All the IoT devices facing any of these issues are vulnerable and can be attacked.
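To show what a scan for several of the items listed above involves, here is an added example in Python; it is not Firmwalker's code and covers only some of the listed categories. The category names, file extensions and the sample tree are assumptions constructed for illustration.

```python
import os
import re
import tempfile
from pathlib import Path

KEYWORDS = re.compile(rb"remote|admin|password", re.I)
BINARIES = {"dropbear", "tftp", "ssh"}
ACCOUNTS = {"etc/passwd", "etc/shadow"}
EXTENSIONS = (".conf", ".cfg", ".sh", ".bin")

# Constructed sample tree standing in for an extracted firmware root.
SAMPLE_FILES = {
    "etc/passwd": "root:x:0:0:root:/root:/bin/sh\n",
    "etc/shadow": "root:*:0:0:99999:7:::\n",
    "etc/ssl/device.pem": "constructed placeholder, not a real key\n",
    "etc/httpd.conf": "user=admin\npassword=changeme\n",
    "usr/sbin/dropbear": "placeholder for a binary\n",
    "www/index.html": "<h1>camera</h1>\n",
}


def audit_tree(root):
    """Map each finding category to the sorted relative paths that triggered it."""
    findings = {"accounts": [], "ssl": [], "files": [], "binaries": [], "keywords": []}
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            full = Path(dirpath, name)
            if full.is_symlink():
                continue  # firmware symlinks may point at the analyst's own files
            rel = full.relative_to(root).as_posix()
            checks = {
                "accounts": rel in ACCOUNTS,
                "ssl": rel.startswith("etc/ssl/"),
                "files": name.endswith(EXTENSIONS),
                "binaries": name in BINARIES,
                "keywords": bool(KEYWORDS.search(full.read_bytes()[:1 << 20])),
            }
            for category, hit in checks.items():
                if hit:
                    findings[category].append(rel)
    return {k: sorted(v) for k, v in findings.items()}


def audit_sample():
    with tempfile.TemporaryDirectory() as tmp:
        for rel, body in SAMPLE_FILES.items():
            path = Path(tmp, rel)
            path.parent.mkdir(parents=True, exist_ok=True)
            path.write_text(body)
        return audit_tree(tmp)
```

Calling `audit_sample()` builds the constructed tree in a temporary directory and returns the findings; point `audit_tree()` at a real extraction directory to review an actual image.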
It’s crucial to ensure that the cloud-facing interface of an IoT device is not susceptible to XSS, CSRF and SQLi. This is where SAINT, a static taint analysis program, shines.
Essentially, SAINT tracks the flow of information from sensitive sources (like internet connections) to discover sensitive data flows in IoT applications. It then conducts static taint analysis that monitors how source data propagates to a sink, e.g., a network interface.
All of that is done by extracting an IR (intermediate representation) from the source code of the IoT app. Run the SAINT analyzer to get started and then wait for the IR to construct event handlers, call graphs and entry points.
SAINT does not say whether the data flows and potential leaks are harmful or malicious; however, an ethical hacker can further analyze SAINT’s output to learn whether an IoT app abides by its ethics and alert users to make an informed decision about app-related privacy risks, such as when the user location is transmitted.
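A minimal illustration of source-to-sink taint tracking, added here and not SAINT's own code or IR format. The statement tuples, handler names, and the source and sink names are assumptions constructed for the example.

```python
# Assumed names for illustration; SAINT's real source and sink lists differ.
SOURCES = {"location.latitude", "lock.state"}
SINKS = {"httpPost", "sendSms"}

# Constructed IR: each entry point (event handler) maps to ordered statements,
# either ("assign", target, operands) or ("call", function, arguments).
APP_IR = {
    "onPresence": [
        ("assign", "lat", ["location.latitude"]),
        ("assign", "msg", ["'arrived at '", "lat"]),
        ("call", "sendSms", ["phone", "msg"]),
        ("call", "log", ["lat"]),             # not a sink, so not reported
    ],
    "onLock": [
        ("assign", "s", ["lock.state"]),
        ("assign", "s", ["'redacted'"]),      # overwritten before it is sent
        ("call", "httpPost", ["url", "s"]),
    ],
    "onUnlock": [
        ("call", "httpPost", ["url", "lock.state"]),
    ],
}


def find_flows(ir):
    """Return sorted (handler, source, sink) triples where sensitive data reaches a sink."""
    flows = set()
    for handler, statements in ir.items():
        taint = {}  # variable -> set of sources whose data it currently holds

        def labels(operand):
            return {operand} if operand in SOURCES else taint.get(operand, set())

        for kind, name, operands in statements:
            reaching = set().union(*(labels(o) for o in operands))
            if kind == "assign":
                taint[name] = reaching  # overwriting a variable replaces its taint
            elif kind == "call" and name in SINKS:
                flows.update((handler, src, name) for src in reaching)
    return sorted(flows)


if __name__ == "__main__":
    for handler, source, sink in find_flows(APP_IR):
        print(f"{handler}: {source} -> {sink}")
```

As the paragraph above notes, a reported flow is only a candidate: whether sending the location by SMS is acceptable is a judgement the analyst still has to make.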
OWASP ZAP (Zed Attack Proxy)
The web interfaces on some IoT devices don’t sign users out of their accounts after multiple failed login attempts and offer inadequate protection against SQL injection and XSS. Fortunately, tools like Zed Attack Proxy allow ethical hackers to perform proxying, spidering and fuzzing in order to attack the web interface and find potential vulnerabilities.
Upon launching ZAP, the right-hand section will provide you with a URL section for specifying the target to scan. The tool also allows ethical hackers to launch their preferred browser for manual testing. Detected issues are transferred to the bottom section, where an “Alert” tab provides more information on the vulnerabilities discovered.
ZAP can be used to check whether operating system commands can be abused to spy on the files present on the server hosting the web app, and whether proper input sanitization is applied to input fields, with the help of malicious payloads like /etc/passwd& and more.
Metasploit is a suite of tools that can be used to perform attacks on IoT apps. It comes with a range of modules (software components that perform a certain attack on a chosen target) that can test the app for common vulnerabilities black-hat hackers exploit. Once launched, you can execute commands that use a module with an exploit that you want to run against the app to try and break it.
To give an example, several REST APIs are increasingly dependent on SSL. With Metasploit’s modules, you can test the system to see how it responds to SSL vulnerabilities like the popular Heartbleed flaw. Overall, the IoT hacking tool has hundreds of exploits that you can test the apps against.
After learning what these IoT hacking tools have to offer, you will come to realize that you can ethically hack and test many aspects of an IoT device. With these handy programs, you can check for insecure firmware, analyze web interfaces and more. Feel free to test them and don’t forget to come back and leave a comment about your experience.