This article provides reasons for the top IoT Vulnerabilities, the attack surface of these vulnerabilities.

IoT Vulnerabilities:

1. Username Enumeration

• It’s the Ability to collect a set of valid usernames by interacting with the authentication mechanism
• Attach Surface:
  • Administrative Interface
  • Device & Web Interface
  • Cloud Interface
  • Mobile Application

2. Weak Passwords

• Ability to set account passwords to ‘1234’ or ‘123456’ for example.
• Usage of pre-programmed default passwords
• Attack Surface:
  • Administrative Interface
  • Device & Web Interface
  • Cloud Interface
  • Mobile Application
• Example: The Mirai Botnet (aka Dyn Attack)

3. Account Lockout

• Ability to continue sending authentication attempts after 3 - 5 failed login attempts
• Attack Surface:
  • Administrative Interface
  • Device & Web Interface
  • Cloud Interface
  • Mobile Application

4. Unencrypted Services

• Network services are not properly encrypted to prevent eavesdropping or tampering by attackers
• Attack Surface:
  • Device Network Services

5. Two-factor Authentication

• Lack of two-factor authentication mechanisms such as a security token or fingerprint scanner
• Attack Surface:
  • Administrative Interface
  • Cloud & Web Interface
  • Mobile Application

6. Poorly Implemented Encryption

• Encryption is implemented however it is improperly configured or is not being properly updated, e.g. using SSL v2
• Attack Surface:
  • Device Network Services

7. Update Sent Without Encryption

• Updates are transmitted over the network without using TLS or encrypting the update file itself
• Attck Surface:
  • Update Mechanism

8. Update Location Writable

• Storage location a.k.a repository/artifactory for update files is writable by anyone, potentially allowing firmware to be modified and distributed to all users
• Attck Surface:
  • Update Mechanism

9. Denial of Service

• Service can be attacked in a way that denies service to that service or the entire device
• Attck Surface:
  • Device Network Services

10. Removal of Storage Media

• Ability to physically remove the storage media from the device
• Attck Surface:
  • Device Physical Interfaces

11. No Manual Update Mechanism

• No ability to manually force an update check for the device
• Attack Surface:
  • Update Mechanism

12. Missing Update Mechanism

• No ability to update device
• Attck Surface:
  • Update Mechanism

13. Firmware Version Display and/or Last Update Date

• Current firmware version is not displayed and/or the last update date is not displayed
• Attack Surface:
  • Device Firmware

14. Firmware and storage extraction

• Firmware contains a lot of useful information, like source code and binaries of running services, pre-set passwords, ssh keys etc.
• Attack Surface:
  • JTAG / SWD interface
  • In-Situ dumping i.e. replacement of the original firmware by fradulant one at the same location.
  • Intercepting a OTA update
  • Downloading from the manufacturers web page
  • eMMC tapping
  • Unsoldering the SPI Flash / eMMC chip and reading it in a adapter
• Example:
  • Shining a Light on SolarCity: Practical Exploitation of the X2e IoT Device

15. Manipulating the code execution flow of the device

• With the help of a JTAG adapter and gdb we can modify the execution of firmware in the device and bypass almost all software based security controls.
• Side channel attacks can also modify the execution flow or can be used to leak interesting information from the device
• Attack Surface:
  • JTAG / SWD interface
  • Side channel attacks like glitching

16. Obtaining console access

• By connecting to a serial interface, we will obtain full console access to a device
• Usually security measures include custom bootloaders that prevent the attacker from entering single user mode, but that can also be bypassed.
• Attack Surface:
  • Serial interfaces (SPI / UART)

17. Insecure 3rd party components

• Out of date versions of busybox, openssl, ssh, web servers, etc.
• Attack Surface:
  • Software

IoT Attack Surface Areas

Attack Surfaces	Vulnerabilities
IoT Ecosystem	Interoperability standards Data governance System wide failure Individual stakeholder risks Implicit trust between components Enrollment security Decommissioning system Lost access procedures
Device Memory	Sensitive data      Cleartext usernames      Cleartext passwords      Third-party credentials      Encryption keys
Device Physical Interfaces	Firmware extraction User CLI Admin CLI Privilege escalation Reset to insecure state Removal of storage media Tamper resistance Debug port      UART (Serial)      JTAG / SWD Device ID/Serial number exposure
Device Web Interface	Standard set of web application vulnerabilities, see:      OWASP Web Top 10      OWASP ASVS      OWASP Testing guide Credential management vulnerabilities: Username enumeration Weak passwords Account lockout Known default credentials Insecure password recovery mechanism
Device Firmware	Sensitive data exposure (See OWASP Top 10 - A6 Sensitive data exposure):      Backdoor accounts      Hardcoded credentials      Encryption keys      Encryption (Symmetric, Asymmetric)      Sensitive information      Sensitive URL disclosure Firmware version display and/or last update date Vulnerable services (web, ssh, tftp, etc.)      Verify for old sw versions and possible attacks (Heartbleed, Shellshock, old PHP versions etc) Security related function API exposure Firmware downgrade possibility

References:

• IoT Vulnerabilities Project
• IoT Attack Surface Areas Project