CEH 18- IoT Hacking

In this article, we will learn about the basics of IoT Hacking. 

Hacking IoT means compromising electronic/embedded devices that are connected to the internet.

To know about IoT Hacking, first we need to know about the "IoT, IoT devices and its working". So, let's get started.

Disclaimer: The articles provided on HackWithV is purely for informational and educational purpose only, and for those who are willing and curious to know & learn about Ethical Hacking, Security and Penetration Testing. Anytime the word "Hacking" that is used on this site shall be regarded as Ethical Hacking. 

What is IoT?

  • IoT Stands for IoT "Internet of Things".
  • Internet of Things is the concept of connecting any device to the Internet and to other connected devices, which collect and share data. 

  • The ‘thing’ in IoT could be a person with a heart monitor or an automobile with built-in-sensors, i.e., objects can collect and transfer data over a network without manual assistance or intervention. 

  • The technology i.e., embedded in the objects help them to interact with other devices and sensors. 

  • The IoT devices are often divided into consumer, enterprise, and infrastructure spaces based on the functions. 

  • The examples of IoT devices are: Car Tracking Adapter, Smart Health Monitor, Smart Bulbs, Switch Smart Plug, Smart Lock, Smart Pet Feeder, All household appliances. 


IoT Hacking:

  • IoT Hacking means compromising smart devices like automobiles, printers, door locks, washing machines, etc., to gain unauthorized access to network resources and IoT devices. 

  • By hacking IoT devices, a hacker can gain following benefits:

  1. Create a botnet of the compromised IoT devices to launch DDoS attacks. 
  2. Sell compromised data in black markets. 
  3. Carry out malicious activities on compromised IoT devices. 
  4. Install ransomware to block access to an IoT device and demand for ransom. 
  5. Compromised IoT device could be used to steal the identity of a victim and carry out credit card related frauds.

Vulnerabilities in IoT Design: 

1. Insecure Web Interface: 

  • It can result in data loss, lack of accountability, denial of access and can lead to complete device takeover.

2. Insufficient Authentication/Authorization: 

  • It can result in complete compromise of the device and user accounts. 


3. Insecure Network Services: 

  • It can result in the facilitation of attacks on other devices. 


4. Lack of Transport Encryption/Integrity Verification: 

  • It can result in data expose, and could open doors to compromise the device or user accounts. 


5. Privacy Concerns: 

  • Collecting personal data and storing it without applying any protection can lead to the identity theft. 


6. Insecure Cloud Interface: 

  • It could cause a threat to user data which can be used to take control of the device. 


7. Insecure Mobile Interface: 

  • It can be easy to discover by simply reviewing the connection to the wireless networks and by using the password reset mechanism to identify valid accounts which can lead to account enumeration. 


8. Insufficient Security Configurability: 

  • It could lead to compromise of the device whether intentional or accidental. 


9. Insecure Software/Firmware: 

  • Capturing update files via unencrypted connections, the update file itself is not encrypted, or they can perform their malicious update via DNS hijacking. 
  • The attack could come from the local network or the internet. 


10. Poor Physical Security: 

  • Using vectors such as USB ports, SD cards or other storage means to access the Operating System and potentially any data stored on the device.

Attacks on IoT Devices: 

  1. DDoS attack. 

  2. The attack on HVAC systems. 

  3. Rolling code attack. 

  4. Blue borne attack. 

  5. Jamming attack. 

  6. Remote access using the backdoor. 

  7. Remote access using telnet.

  8. Man in the middle attack.

Mitigations:

  • All smart devices must be updated on a regular base.
  • Default configurations should be changed during the initial setup.
  • Ensure that user credentials are properly protected.
  • Implement two-factor authentications to guard against unauthorized access.
  • Password recovery mechanisms must be robust.
  • Use secure protocols such as SSL and TLS while transiting data over the network. 
  • Make sure that only the necessary ports are exposed and available. 
  • Ensure that services are not vulnerable to DoS or buffer overflow attacks.
  • Make sure that cloud-based web interface is not susceptible for XSS, SQL Injection or CSRF attacks. 
  • Services should have the ability to separate regular users from users with administrative privileges.


Be Aware, Be Secure.

Thank You 🙏

Comments

Popular posts from this blog

Demo 1- How to Track Location by a Link

Snyk - Ubuntu 20.04 (Linux)

Cracking VNC Password Using Hydra