This article lists the top IoT vulnerabilities, describes each one, and names the attack surface it exposes.
IoT Vulnerabilities:
1. Username Enumeration
- The ability to collect a set of valid usernames by interacting with the authentication mechanism
- Attack Surface:
- Administrative Interface
- Device & Web Interface
- Cloud Interface
- Mobile Application
2. Weak Passwords
- Ability to set account passwords to ‘1234’ or ‘123456’, for example
- Usage of pre-programmed default passwords
- Attack Surface:
- Administrative Interface
- Device & Web Interface
- Cloud Interface
- Mobile Application
- Example: The Mirai Botnet (aka Dyn Attack)
3. Account Lockout
- Ability to continue sending authentication attempts after 3 - 5 failed login attempts
- Attack Surface:
- Administrative Interface
- Device & Web Interface
- Cloud Interface
- Mobile Application
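Added example, not part of the original article: a small Python authenticator that addresses items 1 to 3 together. Unknown usernames are checked against a dummy hash so the response (and the work done) is the same as for a real account, a deny list and length rule reject trivial and factory-default passwords, and an account is locked for a fixed window after a set number of failures. The `BANNED` set, the 12-character minimum and the lockout parameters are assumptions.

```python
import hashlib
import hmac
import os
import time

# Trivial and factory-default values the article warns about; a real deny list is longer.
BANNED = {"1234", "123456", "admin", "password"}

def _derive(salt: bytes, password: str) -> bytes:
    # Stdlib PBKDF2-HMAC-SHA256; use argon2 or bcrypt where a library is available.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

# Unknown usernames are checked against this dummy so the work (and time) is the same.
_DUMMY_SALT = os.urandom(16)
_DUMMY_HASH = _derive(_DUMMY_SALT, "never-accepted")

class Authenticator:
    def __init__(self, max_failures=5, lockout_seconds=300, clock=time.monotonic):
        self.users = {}  # username -> {salt, hash, failures, locked_until}
        self.max_failures = max_failures
        self.lockout = lockout_seconds
        self.clock = clock  # injectable so tests can advance time

    def set_password(self, user: str, password: str) -> bool:
        """Reject short or banned passwords; otherwise store a fresh salted hash."""
        if len(password) < 12 or password.lower() in BANNED:
            return False
        salt = os.urandom(16)
        self.users[user] = {"salt": salt, "hash": _derive(salt, password),
                            "failures": 0, "locked_until": 0.0}
        return True

    def login(self, user: str, password: str) -> bool:
        """False for unknown user, wrong password and locked account alike (no enumeration)."""
        acct = self.users.get(user)
        salt, expected = (acct["salt"], acct["hash"]) if acct else (_DUMMY_SALT, _DUMMY_HASH)
        now = self.clock()
        match = hmac.compare_digest(_derive(salt, password), expected)
        if acct and match and now >= acct["locked_until"]:
            acct["failures"] = 0
            return True
        if acct:  # the shared dummy never accumulates state
            acct["failures"] += 1
            if acct["failures"] >= self.max_failures:  # lock for a window, then allow retries
                acct["locked_until"] = now + self.lockout
                acct["failures"] = 0
        return False
```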
4. Unencrypted Services
- Network services are not properly encrypted to prevent eavesdropping or tampering by attackers
- Attack Surface:
- Device Network Services
5. Two-factor Authentication
- Lack of two-factor authentication mechanisms such as a security token or fingerprint scanner
- Attack Surface:
- Administrative Interface
- Cloud & Web Interface
- Mobile Application
6. Poorly Implemented Encryption
- Encryption is implemented, but it is improperly configured or not kept up to date, e.g. using SSL v2
- Attack Surface:
- Device Network Services
7. Update Sent Without Encryption
- Updates are transmitted over the network without using TLS or encrypting the update file itself
- Attack Surface:
- Update Mechanism
8. Update Location Writable
- The storage location (a.k.a. repository/artifactory) for update files is writable by anyone, potentially allowing firmware to be modified and distributed to all users
- Attack Surface:
- Update Mechanism
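Added example, not part of the original article: Python checks on the device side for items 6 to 8 and the firmware-downgrade point in the table below. A weak TLS client configuration is shown beside the hardened one, with a gate that refuses to download unless modern TLS and certificate validation are enforced, and an update image is applied only if its manifest authenticates, its version is newer than the installed one, and its digest matches the bytes received, so an image swapped in a writable repository or altered in transit is rejected. The manifest is authenticated with an HMAC under a per-device key (`UPDATE_KEY` is a constructed placeholder); a vendor signature verified with a public key baked into the device is the usual alternative.

```python
import hashlib
import hmac
import json
import ssl

# Constructed placeholder for a key provisioned per device at manufacture (hypothetical).
UPDATE_KEY = bytes.fromhex("00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff")

def hardened_context() -> ssl.SSLContext:
    """Client context for fetching updates: TLS 1.2+, CA validation, hostname check."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.options |= ssl.OP_NO_COMPRESSION
    return ctx

def weak_context() -> ssl.SSLContext:
    """The configuration item 6 describes: any protocol version, no verification."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = ssl.TLSVersion.MINIMUM_SUPPORTED
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    return ctx

def context_is_acceptable(ctx: ssl.SSLContext) -> bool:
    """Gate the update download on the context actually enforcing modern TLS."""
    return (ctx.minimum_version >= ssl.TLSVersion.TLSv1_2
            and ctx.verify_mode == ssl.CERT_REQUIRED
            and bool(ctx.check_hostname))

def make_manifest(version: int, image: bytes) -> dict:
    """Server side: describe an image by version and digest."""
    return {"version": version, "sha256": hashlib.sha256(image).hexdigest()}

def sign_manifest(manifest: dict) -> bytes:
    """Server side: HMAC over a canonical JSON encoding of the manifest."""
    canon = json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(UPDATE_KEY, canon, "sha256").digest()

def verify_update(manifest: dict, tag: bytes, image: bytes, installed_version: int) -> bool:
    """Device side: accept only an authentic, newer manifest whose digest matches the image."""
    if not hmac.compare_digest(sign_manifest(manifest), tag):
        return False  # manifest altered in transit or in a writable repository
    if manifest["version"] <= installed_version:
        return False  # refuse downgrades to older, possibly vulnerable, firmware
    return hmac.compare_digest(hashlib.sha256(image).hexdigest(), manifest["sha256"])
```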
9. Denial of Service
- A service can be attacked in a way that denies access to that service or to the entire device
- Attack Surface:
- Device Network Services
10. Removal of Storage Media
- Ability to physically remove the storage media from the device
- Attack Surface:
- Device Physical Interfaces
11. No Manual Update Mechanism
- No ability to manually force an update check for the device
- Attack Surface:
- Update Mechanism
12. Missing Update Mechanism
- No ability to update device
- Attack Surface:
- Update Mechanism
13. Firmware Version Display and/or Last Update Date
- Current firmware version is not displayed and/or the last update date is not displayed
- Attack Surface:
- Device Firmware
14. Firmware and storage extraction
- Firmware contains a lot of useful information, such as source code and binaries of running services, pre-set passwords, SSH keys, etc.
- Attack Surface:
- JTAG / SWD interface
- In-situ dumping, i.e. replacement of the original firmware by a fraudulent one at the same location
- Intercepting an OTA update
- Downloading from the manufacturer's web page
- eMMC tapping
- Unsoldering the SPI Flash / eMMC chip and reading it in an adapter
- Example:
15. Manipulating the code execution flow of the device
- With the help of a JTAG adapter and gdb we can modify the execution of the firmware on the device and bypass almost all software-based security controls.
- Side channel attacks can also modify the execution flow or be used to leak interesting information from the device
- Attack Surface:
- JTAG / SWD interface
- Side channel attacks like glitching
16. Obtaining console access
- By connecting to a serial interface, we can obtain full console access to a device
- Usually security measures include custom bootloaders that prevent the attacker from entering single user mode, but that can also be bypassed.
- Attack Surface:
- Serial interfaces (SPI / UART)
17. Insecure 3rd party components
- Out-of-date versions of BusyBox, OpenSSL, SSH, web servers, etc.
- Attack Surface:
- Software
IoT Attack Surface Areas
Attack Surface | Vulnerabilities |
---|---|
IoT Ecosystem | Interoperability standards; Data governance; System wide failure; Individual stakeholder risks; Implicit trust between components; Enrollment security; Decommissioning system; Lost access procedures |
Device Memory | Sensitive data: Cleartext usernames; Cleartext passwords; Third-party credentials; Encryption keys |
Device Physical Interfaces | Firmware extraction; User CLI; Admin CLI; Privilege escalation; Reset to insecure state; Removal of storage media; Tamper resistance; Debug port: UART (Serial), JTAG / SWD; Device ID/Serial number exposure |
Device Web Interface | Standard set of web application vulnerabilities, see: OWASP Web Top 10, OWASP ASVS, OWASP Testing Guide. Credential management vulnerabilities: Username enumeration; Weak passwords; Account lockout; Known default credentials; Insecure password recovery mechanism |
Device Firmware | Sensitive data exposure (see OWASP Top 10 - A6 Sensitive data exposure): Backdoor accounts; Hardcoded credentials; Encryption keys; Encryption (Symmetric, Asymmetric); Sensitive information; Sensitive URL disclosure. Firmware version display and/or last update date. Vulnerable services (web, ssh, tftp, etc.): verify for old software versions and possible attacks (Heartbleed, Shellshock, old PHP versions, etc.). Security related function API exposure. Firmware downgrade possibility |