Practical IoT Hacking

Book description

Drawing from the real-life exploits of five highly regarded IoT security researchers, Practical IoT Hacking teaches you how to test IoT systems, devices, and protocols to mitigate risk.

The book begins by walking you through common threats and a threat modeling framework. You'll develop a security testing methodology, discover the art of passive reconnaissance, and assess security on all layers of an IoT system. Next, you'll perform VLAN hopping, crack MQTT authentication, abuse UPnP, develop an mDNS poisoner, and craft WS-Discovery attacks.

You'll tackle both hardware hacking and radio hacking, with in-depth coverage of attacks against embedded IoT devices and RFID systems.

You'll also learn how to:

  • Write a DICOM service scanner as an NSE module
  • Hack a microcontroller through the UART and SWD interfaces
  • Reverse engineer firmware and analyze mobile companion apps
  • Develop an NFC fuzzer using Proxmark3
  • Hack a smart home by jamming wireless alarms, playing back IP camera feeds, and controlling a smart treadmill

The tools and devices you'll use are affordable and readily available, so you can easily practice what you learn. You can also download this book's code examples at the link provided below the description.

Whether you're a security researcher, IT team member, or hacking hobbyist, you'll find Practical IoT Hacking indispensable in your efforts to hack all the things.

REQUIREMENTS: Basic knowledge of Linux command line, TCP/IP, and programming

Table of contents

  1. Foreword
  2. Acknowledgments
  3. Introduction
    1. This Book’s Approach
    2. Who This Book Is For
    3. Kali Linux
    4. How This Book Is Organized
    5. Contact
  4. Part I: The IoT Threat Landscape
    1. Chapter 1: The IoT Security World
      1. Why Is IoT Security Important?
      2. How Is IoT Security Different than Traditional IT Security?
        1. What’s Special About IoT Hacking?
        2. Frameworks, Standards, and Guides
      3. Case Study: Finding, Reporting, and Disclosing an IoT Security Issue
      4. Expert Perspectives: Navigating the IoT Landscape
        1. IoT Hacking Laws
        2. The Role of Government in IoT Security
        3. Patient Perspectives on Medical Device Security
      5. Conclusion
    2. Chapter 2: Threat Modeling
      1. Threat Modeling for IoT
      2. Following a Framework for Threat Modeling
        1. Identifying the Architecture
        2. Breaking the Architecture into Components
        3. Identifying Threats
        4. Using Attack Trees to Uncover Threats
      3. Rating Threats with the DREAD Classification Scheme
      4. Other Types of Threat Modeling, Frameworks, and Tools
      5. Common IoT Threats
        1. Signal Jamming Attacks
        2. Replay Attacks
        3. Settings Tampering Attacks
        4. Hardware Integrity Attacks
        5. Node Cloning
        6. Security and Privacy Breaches
        7. User Security Awareness
      6. Conclusion
    3. Chapter 3: A Security Testing Methodology
      1. Passive Reconnaissance
      2. The Physical or Hardware Layer
        1. Peripheral Interfaces
        2. Boot Environment
        3. Locks
        4. Tamper Protection and Detection
        5. Firmware
        6. Debug Interfaces
        7. Physical Robustness
      3. The Network Layer
        1. Reconnaissance
        2. Network Protocol and Service Attacks
        3. Wireless Protocol Testing
      4. Web Application Assessment
        1. Application Mapping
        2. Client-Side Controls
        3. Authentication
        4. Session Management
        5. Access Controls and Authorization
        6. Input Validation
        7. Logic Flaws
        8. Application Server
      5. Host Configuration Review
        1. User Accounts
        2. Password Strength
        3. Account Privileges
        4. Patch Levels
        5. Remote Maintenance
        6. Filesystem Access Controls
        7. Data Encryption
        8. Server Misconfiguration
      6. Mobile Application and Cloud Testing
      7. Conclusion
  5. Part II: Network Hacking
    1. Chapter 4: Network Assessments
      1. Hopping into the IoT Network
        1. VLANs and Network Switches
        2. Switch Spoofing
        3. Double Tagging
        4. Imitating VoIP Devices
      2. Identifying IoT Devices on the Network
        1. Uncovering Passwords by Fingerprinting Services
        2. Writing New Nmap Service Probes
      3. Attacking MQTT
        1. Setting Up a Test Environment
        2. Writing the MQTT Authentication-Cracking Module in Ncrack
        3. Testing the Ncrack Module Against MQTT
      4. Conclusion
    2. Chapter 5: Analyzing Network Protocols
      1. Inspecting Network Protocols
        1. Information Gathering
        2. Analysis
        3. Prototyping and Tool Development
        4. Conducting a Security Assessment
      2. Developing a Lua Wireshark Dissector for the DICOM Protocol
        1. Working with Lua
        2. Understanding the DICOM Protocol
        3. Generating DICOM Traffic
        4. Enabling Lua in Wireshark
        5. Defining the Dissector
        6. Defining the Main Protocol Dissector Function
        7. Completing the Dissector
      3. Building a C-ECHO Requests Dissector
        1. Extracting the String Values of the Application Entity Titles
        2. Populating the Dissector Function
        3. Parsing Variable-Length Fields
        4. Testing the Dissector
      4. Writing a DICOM Service Scanner for the Nmap Scripting Engine
        1. Writing an Nmap Scripting Engine Library for DICOM
        2. DICOM Codes and Constants
        3. Writing Socket Creation and Destruction Functions
        4. Defining Functions for Sending and Receiving DICOM Packets
        5. Creating DICOM Packet Headers
        6. Writing the A-ASSOCIATE Requests Message Contexts
        7. Reading Script Arguments in the Nmap Scripting Engine
        8. Defining the A-ASSOCIATE Request Structure
        9. Parsing A-ASSOCIATE Responses
        10. Writing the Final Script
      5. Conclusion
    3. Chapter 6: Exploiting Zero-Configuration Networking
      1. Exploiting UPnP
        1. The UPnP Stack
        2. Common UPnP Vulnerabilities
        3. Punching Holes Through Firewalls
        4. Abusing UPnP Through WAN interfaces
        5. Other UPnP Attacks
      2. Exploiting mDNS and DNS-SD
        1. How mDNS Works
        2. How DNS-SD Works
        3. Conducting Reconnaissance with mDNS and DNS-SD
        4. Abusing the mDNS Probing Phase
        5. mDNS and DNS-SD Man-in-the-Middle Attacks
      3. Exploiting WS-Discovery
        1. How WS-Discovery Works
        2. Faking Cameras on Your Network
        3. Crafting WS-Discovery Attacks
      4. Conclusion
  6. Part III: Hardware Hacking
    1. Chapter 7: UART, JTAG, and SWD Exploitation
      1. UART
        1. Hardware Tools for Communicating with UART
        2. Identifying UART Ports
        3. Identifying the UART Baud Rate
      2. JTAG and SWD
        1. JTAG
        2. How SWD Works
        3. Hardware Tools for Communicating with JTAG and SWD
        4. Identifying JTAG Pins
      3. Hacking a Device Through UART and SWD
        1. The STM32F103C8T6 (Black Pill) Target Device
        2. Setting Up the Debugging Environment
        3. Coding a Target Program in Arduino
        4. Flashing and Running the Arduino Program
        5. Debugging the Target
      4. Conclusion
    2. Chapter 8: SPI and I2C
      1. Hardware for Communicating with SPI and I2C
      2. SPI
        1. How SPI Works
        2. Dumping EEPROM Flash Memory Chips with SPI
      3. I2C
        1. How I2C Works
        2. Setting Up a Controller-Peripheral I2C Bus Architecture
        3. Attacking I2C with the Bus Pirate
      4. Conclusion
    3. Chapter 9: Firmware Hacking
      1. Firmware and Operating Systems
      2. Obtaining Firmware
      3. Hacking a Wi-Fi Modem Router
        1. Extracting the Filesystem
        2. Statically Analyzing the Filesystem Contents
        3. Firmware Emulation
        4. Dynamic Analysis
      4. Backdooring Firmware
      5. Targeting Firmware Update Mechanisms
        1. Compilation and Setup
        2. The Client Code
        3. Running the Update Service
        4. Vulnerabilities of Firmware Update Services
      6. Conclusion
  7. Part IV: Radio Hacking
    1. Chapter 10: Short Range Radio: Abusing RFID
      1. How RFID Works
        1. Radio Frequency Bands
        2. Passive and Active RFID Technologies
        3. The Structure of RFID Tags
        4. Low-Frequency RFID Tags
        5. High-Frequency RFID Tags
      2. Attacking RFID Systems with Proxmark3
        1. Setting Up Proxmark3
        2. Updating Proxmark3
        3. Identifying Low- and High-Frequency Cards
        4. Low-Frequency Tag Cloning
        5. High-Frequency Tag Cloning
        6. Simulating RFID Tags
        7. Altering RFID Tags
        8. Attacking MIFARE with an Android App
        9. RAW Commands for Nonbranded or Noncommercial RFID Tags
        10. Eavesdropping on the Tag-to-Reader Communication
        11. Extracting a Sector’s Key from the Captured Traffic
        12. The Legitimate RFID Reader Attack
        13. Automating RFID Attacks Using the Proxmark3 Scripting Engine
        14. RFID Fuzzing Using Custom Scripting
      3. Conclusion
    2. Chapter 11: Bluetooth Low Energy
      1. How BLE Works
        1. Generic Access Profile and Generic Attribute Profile
      2. Working with BLE
        1. BLE Hardware
        2. BlueZ
        3. Configuring BLE Interfaces
      3. Discovering Devices and Listing Characteristics
        1. GATTTool
        2. Bettercap
        3. Enumerating Characteristics, Services, and Descriptors
        4. Reading and Writing Characteristics
      4. BLE Hacking
        1. Setting Up BLE CTF Infinity
        2. Getting Started
        3. Flag 1: Examining Characteristics and Descriptors
        4. Flag 2: Authentication
        5. Flag 3: Spoofing Your MAC Address
      5. Conclusion
    3. Chapter 12: Medium Range Radio: Hacking Wi-Fi
      1. How Wi-Fi Works
      2. Hardware for Wi-Fi Security Assessments
      3. Wi-Fi Attacks Against Wireless Clients
        1. Deauthentication and Denial-of-Service Attacks
        2. Wi-Fi Association Attacks
        3. Wi-Fi Direct
      4. Wi-Fi Attacks Against APs
        1. Cracking WPA/WPA2
        2. Cracking into WPA/WPA2 Enterprise to Capture Credentials
      5. A Testing Methodology
      6. Conclusion
    4. Chapter 13: Long Range Radio: LPWAN
      1. LPWAN, LoRa, and LoRaWAN
      2. Capturing LoRa Traffic
        1. Setting Up the Heltec LoRa 32 Development Board
        2. Setting Up the LoStik
        3. Turning the CatWAN USB Stick into a LoRa Sniffer
      3. Decoding the LoRaWAN Protocol
        1. The LoRaWAN Packet Format
        2. Joining LoRaWAN Networks
      4. Attacking LoRaWAN
        1. Bit-Flipping Attacks
        2. Key Generation and Management
        3. Replay Attacks
        4. Eavesdropping
        5. ACK Spoofing
        6. Application-Specific Attacks
      5. Conclusion
  8. Part V: Targeting the IoT Ecosystem
    1. Chapter 14: Attacking Mobile Applications
      1. Threats in IoT Mobile Apps
        1. Breaking Down the Architecture into Components
        2. Identifying Threats
      2. Android and iOS Security Controls
        1. Data Protection and Encrypted Filesystem
        2. Application Sandbox, Secure IPC, and Services
        3. Application Signatures
        4. User Authentication
        5. Isolated Hardware Components and Keys Management
        6. Verified and Secure Boot
      3. Analyzing iOS Applications
        1. Preparing the Testing Environment
        2. Extracting and Re-Signing an IPA
        3. Static Analysis
        4. Dynamic Analysis
        5. Injection Attacks
        6. Keychain Storage
        7. Binary Reversing
        8. Intercepting and Examining Network Traffic
        9. Avoiding Jailbreak Detection Using Dynamic Patching
        10. Avoiding Jailbreak Detection Using Static Patching
      4. Analyzing Android Applications
        1. Preparing the Test Environment
        2. Extracting an APK
        3. Static Analysis
        4. Binary Reversing
        5. Dynamic Analysis
        6. Intercepting and Examining Network Traffic
        7. Side-Channel Leaks
      5. Avoid Root Detection Using Static Patching
        1. Avoid Root Detection Using Dynamic Patching
      6. Conclusion
    2. Chapter 15: Hacking the Smart Home
      1. Gaining Physical Entry to a Building
        1. Cloning a Keylock System’s RFID Tag
        2. Jamming the Wireless Alarm
      2. Playing Back an IP Camera Stream
        1. Understanding Streaming Protocols
        2. Analyzing IP Camera Network Traffic
        3. Extracting the Video Stream
      3. Attacking a Smart Treadmill
        1. Smart Treadmills and the Android Operating System
        2. Taking Control of the Android Powered Smart Treadmill
      4. Conclusion
  9. Tools for IoT Hacking
  10. Index

Product information

  • Title: Practical IoT Hacking
  • Author(s): Fotios Chantzis, Ioannis Stais, Paulino Calderon, Evangelos Deirmentzoglou, Beau Woods
  • Release date: March 2021
  • Publisher(s): No Starch Press
  • ISBN: 9781718500907