Practical IoT Hacking: The Definitive Guide to Attacking the Internet of Things [1 ed.] 1718500904, 9781718500907, 9781718500914

Written by all-star security experts, Practical IoT Hacking is a quick-start conceptual guide to testing and exploiting

4,418 1,194 24MB

English Pages 464 [467] Year 2021

Report DMCA / Copyright

DOWNLOAD FILE

Practical IoT Hacking: The Definitive Guide to Attacking the Internet of Things [1 ed.]
 1718500904, 9781718500907, 9781718500914

  • Commentary
  • Vector PDF

Table of contents :
Practical IoT Hacking
Brief Contents
Contents in Detail
Foreword
Acknowledgments
Introduction
This Book’s Approach
Who This Book Is For
Kali Linux
How This Book Is Organized
Contact
Part I: The IoT Threat Landscape
1: The IoT Security World
Why Is IoT Security Important?
How Is IoT Security Different than Traditional IT Security?
What’s Special About IoT Hacking?
Frameworks, Standards, and Guides
Case Study: Finding, Reporting, and Disclosing an IoT Security Issue
Expert Perspectives: Navigating the IoT Landscape
IoT Hacking Laws
The Role of Government in IoT Security
Patient Perspectives on Medical Device Security
Conclusion
2: Threat Modeling
Threat Modeling for IoT
Following a Framework for Threat Modeling
Identifying the Architecture
Breaking the Architecture into Components
Identifying Threats
Using Attack Trees to Uncover Threats
Rating Threats with the DREAD Classification Scheme
Other Types of Threat Modeling, Frameworks, and Tools
Common IoT Threats
Signal Jamming Attacks
Replay Attacks
Settings Tampering Attacks
Hardware Integrity Attacks
Node Cloning
Security and Privacy Breaches
User Security Awareness
Conclusion
3: A Security Testing Methodology
Passive Reconnaissance
The Physical or Hardware Layer
Peripheral Interfaces
Boot Environment
Locks
Tamper Protection and Detection
Firmware
Debug Interfaces
Physical Robustness
The Network Layer
Reconnaissance
Network Protocol and Service Attacks
Wireless Protocol Testing
Web Application Assessment
Application Mapping
Client-Side Controls
Authentication
Session Management
Access Controls and Authorization
Input Validation
Logic Flaws
Application Server
Host Configuration Review
User Accounts
Password Strength
Account Privileges
Patch Levels
Remote Maintenance
Filesystem Access Controls
Data Encryption
Server Misconfiguration
Mobile Application and Cloud Testing
Conclusion
Part II: Network Hacking
4: Network Assessments
Hopping into the IoT Network
VLANs and Network Switches
Switch Spoofing
Double Tagging
Imitating VoIP Devices
Identifying IoT Devices on the Network
Uncovering Passwords by Fingerprinting Services
Writing New Nmap Service Probes
Attacking MQTT
Setting Up a Test Environment
Writing the MQTT Authentication-Cracking Module in Ncrack
Testing the Ncrack Module Against MQTT
Conclusion
5: Analyzing Network Protocols
Inspecting Network Protocols
Information Gathering
Analysis
Prototyping and Tool Development
Conducting a Security Assessment
Developing a Lua Wireshark Dissector for the DICOM Protocol
Working with Lua
Understanding the DICOM Protocol
Generating DICOM Traffic
Enabling Lua in Wireshark
Defining the Dissector
Defining the Main Protocol Dissector Function
Completing the Dissector
Building a C-ECHO Requests Dissector
Extracting the String Values of the Application Entity Titles
Populating the Dissector Function
Parsing Variable-Length Fields
Testing the Dissector
Writing a DICOM Service Scanner for the Nmap Scripting Engine
Writing an Nmap Scripting Engine Library for DICOM
DICOM Codes and Constants
Writing Socket Creation and Destruction Functions
Defining Functions for Sending and Receiving DICOM Packets
Creating DICOM Packet Headers
Writing the A-ASSOCIATE Requests Message Contexts
Reading Script Arguments in the Nmap Scripting Engine
Defining the A-ASSOCIATE Request Structure
Parsing A-ASSOCIATE Responses
Writing the Final Script
Conclusion
6: Exploiting Zero-Configuration Networking
Exploiting UPnP
The UPnP Stack
Common UPnP Vulnerabilities
Punching Holes Through Firewalls
Abusing UPnP Through WAN interfaces
Other UPnP Attacks
Exploiting mDNS and DNS-SD
How mDNS Works
How DNS-SD Works
Conducting Reconnaissance with mDNS and DNS-SD
Abusing the mDNS Probing Phase
mDNS and DNS-SD Man-in-the-Middle Attacks
Exploiting WS-Discovery
How WS-Discovery Works
Faking Cameras on Your Network
Crafting WS-Discovery Attacks
Conclusion
Part III: Hardware Hacking
7: UART, JTAG, and SWD Exploitation
UART
Hardware Tools for Communicating with UART
Identifying UART Ports
Identifying the UART Baud Rate
JTAG and SWD
JTAG
How SWD Works
Hardware Tools for Communicating with JTAG and SWD
Identifying JTAG Pins
Hacking a Device Through UART and SWD
The STM32F103C8T6 (Black Pill) Target Device
Setting Up the Debugging Environment
Coding a Target Program in Arduino
Flashing and Running the Arduino Program
Debugging the Target
Conclusion
8: SPI and I2C
Hardware for Communicating with SPI and I2C
SPI
How SPI Works
Dumping EEPROM Flash Memory Chips with SPI
I2C
How I2C Works
Setting Up a Controller-Peripheral I2C Bus Architecture
Attacking I2C with the Bus Pirate
Conclusion
9: Firmware Hacking
Firmware and Operating Systems
Obtaining Firmware
Hacking a Wi-Fi Modem Router
Extracting the Filesystem
Statically Analyzing the Filesystem Contents
Firmware Emulation
Dynamic Analysis
Backdooring Firmware
Targeting Firmware Update Mechanisms
Compilation and Setup
The Client Code
Running the Update Service
Vulnerabilities of Firmware Update Services
Conclusion
Part IV: Radio Hacking
10: Short Range Radio: Abusing RFID
How RFID Works
Radio Frequency Bands
Passive and Active RFID Technologies
The Structure of RFID Tags
Low-Frequency RFID Tags
High-Frequency RFID Tags
Attacking RFID Systems with Proxmark3
Setting Up Proxmark3
Updating Proxmark3
Identifying Low- and High-Frequency Cards
Low-Frequency Tag Cloning
High-Frequency Tag Cloning
Simulating RFID Tags
Altering RFID Tags
Attacking MIFARE with an Android App
RAW Commands for Nonbranded or Noncommercial RFID Tags
Eavesdropping on the Tag-to-Reader Communication
Extracting a Sector’s Key from the Captured Traffic
The Legitimate RFID Reader Attack
Automating RFID Attacks Using the Proxmark3 Scripting Engine
RFID Fuzzing Using Custom Scripting
Conclusion
11: Bluetooth Low Energy
How BLE Works
Generic Access Profile and Generic Attribute Profile
Working with BLE
BLE Hardware
BlueZ
Configuring BLE Interfaces
Discovering Devices and Listing Characteristics
GATTTool
Bettercap
Enumerating Characteristics, Services, and Descriptors
Reading and Writing Characteristics
BLE Hacking
Setting Up BLE CTF Infinity
Getting Started
Flag 1: Examining Characteristics and Descriptors
Flag 2: Authentication
Flag 3: Spoofing Your MAC Address
Conclusion
12: Medium Range Radio: Hacking Wi-Fi
How Wi-Fi Works
Hardware for Wi-Fi Security Assessments
Wi-Fi Attacks Against Wireless Clients
Deauthentication and Denial-of-Service Attacks
Wi-Fi Association Attacks
Wi-Fi Direct
Wi-Fi Attacks Against APs
Cracking WPA/WPA2
Cracking into WPA/WPA2 Enterprise to Capture Credentials
A Testing Methodology
Conclusion
13: Long Range Radio: LPWAN
LPWAN, LoRa, and LoRaWAN
Capturing LoRa Traffic
Setting Up the Heltec LoRa 32 Development Board
Setting Up the LoStik
Turning the CatWAN USB Stick into a LoRa Sniffer
Decoding the LoRaWAN Protocol
The LoRaWAN Packet Format
Joining LoRaWAN Networks
Attacking LoRaWAN
Bit-Flipping Attacks
Key Generation and Management
Replay Attacks
Eavesdropping
ACK Spoofing
Application-Specific Attacks
Conclusion
Part V: Targeting the IoT Ecosystem
14: Attacking Mobile Applications
Threats in IoT Mobile Apps
Breaking Down the Architecture into Components
Identifying Threats
Android and iOS Security Controls
Data Protection and Encrypted Filesystem
Application Sandbox, Secure IPC, and Services
Application Signatures
User Authentication
Isolated Hardware Components and Keys Management
Verified and Secure Boot
Analyzing iOS Applications
Preparing the Testing Environment
Extracting and Re-Signing an IPA
Static Analysis
Dynamic Analysis
Injection Attacks
Keychain Storage
Binary Reversing
Intercepting and Examining Network Traffic
Avoiding Jailbreak Detection Using Dynamic Patching
Avoiding Jailbreak Detection Using Static Patching
Analyzing Android Applications
Preparing the Test Environment
Extracting an APK
Static Analysis
Binary Reversing
Dynamic Analysis
Intercepting and Examining Network Traffic
Side-Channel Leaks
Avoid Root Detection Using Static Patching
Avoid Root Detection Using Dynamic Patching
Conclusion
15: Hacking the Smart Home
Gaining Physical Entry to a Building
Cloning a Keylock System’s RFID Tag
Jamming the Wireless Alarm
Playing Back an IP Camera Stream
Understanding Streaming Protocols
Analyzing IP Camera Network Traffic
Extracting the Video Stream
Attacking a Smart Treadmill
Smart Treadmills and the Android Operating System
Taking Control of the Android Powered Smart Treadmill
Conclusion
Tools for IoT Hacking
Index

Polecaj historie