This document summarizes a presentation about insecure and obsolete Internet of Things (IoT) devices. It discusses how to obtain old IoT devices, disassemble them to identify components, reverse engineer interfaces like UART and JTAG, extract file systems, and use tools like OpenOCD to hack the firmware. It also covers software-defined radios and how emergency sirens can potentially be hacked by spoofing radio signals. The presentation aims to show how trivially many IoT devices can be hacked and encourages securing obsolete technology before it becomes a bigger problem.
11. FINDING GROUND
• Using the multimeter we can figure out which of the pins on our headers connect to ground and which carry voltage (specifically 3.3 V).
[Figure: header pins labelled Ground and Voltage, with the voltage pin marked 3.3 V]
• Got Ground?
13. COMMON INTERFACE TYPES
• UART - Universal Asynchronous Receiver/Transmitter
• SPI – Serial Peripheral Interface
• I2C – Inter Integrated Circuit
• JTAG – Joint Test Action Group – hardware debugging interface
• CAN – Controller Area Network (cars/ATMs/etc.)
• RS232 – serial interface used on many legacy devices
14. PINOUT REVERSING
• Saleae logic analyzer
• ~100 bucks on the low end @ https://www.saleae.com
• Also, EDU discounts available up to 50% depending on model.
• Keep in mind that logic analyzers are sampling, which can cause artificial data depending on the sampling rate and thresholds.
• Works for I2C, UART, SPI, JTAG, CAN, etc., etc.
15. CONNECTING TO INTERFACES
• Bus Pirate
  • Less of a learning curve
  • Slower transfer speeds
  • Supports UART, SPI, I2C and JTAG
• Shikra
  • No UI, but faster transfer speeds as a result
  • Supports UART, SPI, I2C and JTAG
• TIAO USB Multiprotocol Adapter
  • No UI, but faster transfer speeds as a result
  • Supports UART, SPI, I2C, JTAG, RS-232
  • Supports multiple connections from the same device
  • Slightly less reliable in my experience
16. CONNECTING TO UART
The command used to connect to a UART serial adapter will vary by device and OS, but will generally be similar to the command below:
sudo screen /dev/[device id] [baud rate]
Or, in the case of the device ID below for the Shikra:
sudo screen /dev/ttyUSB0 115200
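Two things from the slides above are easy to state and hard to picture: why a logic analyzer's sampling rate can produce "artificial data" (slide 14), and why the baud rate passed to screen matters (slide 16). The following added example, not part of the original presentation, simulates an 8N1 UART line as a logic-level waveform, samples it at a chosen rate, and decodes it under an assumed baud. It shows that undersampling returns a wrong byte with no framing error, and that a simple printable-text score is enough to pick the correct baud from a list of candidates. All signals are constructed in the script; nothing talks to real hardware.

```python
"""Added example (not from the presentation): UART sampling and baud guessing.
Constructed signals only; nothing here talks to real hardware."""

BITS_PER_FRAME = 10  # start + 8 data + stop (8N1)


def frame_bits(data: bytes) -> list:
    """Line levels of an 8N1 stream: two idle bits, then per byte a start bit
    (0), 8 data bits LSB first, a stop bit (1) and one idle bit (1)."""
    bits = [1, 1]
    for byte in data:
        bits.append(0)
        bits.extend((byte >> k) & 1 for k in range(8))
        bits.extend([1, 1])
    return bits


def sample_line(bits: list, baud: int, sample_rate: int) -> list:
    """What an analyzer sees: the line level at each instant n / sample_rate.
    Integer arithmetic keeps the bit timing exact."""
    n_samples = (len(bits) * sample_rate + baud - 1) // baud
    return [bits[(n * baud) // sample_rate] for n in range(n_samples)]


def decode_8n1(samples: list, baud: int, sample_rate: int) -> tuple:
    """Decode samples assuming `baud`. Returns (decoded bytes, framing errors).
    Each bit is read at its centre: edge + (2k+1) * sample_rate / (2 * baud)."""
    out = bytearray()
    errors = 0
    frame_len = max(1, (BITS_PER_FRAME * sample_rate) // baud)
    i = 1
    while i < len(samples):
        if not (samples[i - 1] == 1 and samples[i] == 0):  # look for a falling edge
            i += 1
            continue
        edge = i
        levels = []
        for k in range(BITS_PER_FRAME):
            idx = edge + ((2 * k + 1) * sample_rate) // (2 * baud)
            levels.append(samples[idx] if idx < len(samples) else 1)  # past end = idle
        if levels[0] != 0 or levels[9] != 1:  # bad start or stop bit
            errors += 1
            i = edge + 1  # resync on the next falling edge
            continue
        out.append(sum(levels[k + 1] << k for k in range(8)))
        i = edge + frame_len
    return bytes(out), errors


def printable_score(decoded: bytes, errors: int) -> float:
    """Fraction of frames that came out as printable text (framing errors count
    as bad frames). Console banners score close to 1.0 at the right baud."""
    ok = sum(1 for b in decoded if 32 <= b < 127 or b in b"\r\n\t")
    total = len(decoded) + errors
    return ok / total if total else 0.0


def guess_baud(samples: list, sample_rate: int, candidates: list) -> int:
    """Try each candidate baud and keep the one that yields the most text."""
    return max(candidates, key=lambda b: printable_score(*decode_8n1(samples, b, sample_rate)))


if __name__ == "__main__":
    TRUE_BAUD = 100  # constructed value; the ratios are what matter
    good = sample_line(frame_bits(b"login: "), TRUE_BAUD, 1000)  # 10 samples per bit
    print(decode_8n1(good, TRUE_BAUD, 1000))  # (b'login: ', 0)
    print(guess_baud(good, 1000, [50, 100, 200]))  # 100
    low = sample_line(frame_bits(b"A"), TRUE_BAUD, 120)  # 1.2 samples per bit
    print(decode_8n1(low, TRUE_BAUD, 120))  # (b'\x01', 0): wrong byte, no framing error
```

The undersampled case is the one to remember: at 1.2 samples per bit the decoder still finds a clean start and stop bit, so nothing flags the frame as bad, yet bit 6 of "A" is never sampled and the byte reads back as 0x01. On a real analyzer the same thing appears as plausible-looking but wrong bytes; the fix is to raise the sample rate well above the baud (several samples per bit) rather than to trust the decoder's lack of errors.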
20. FILE SYSTEM FIDDLING
Oftentimes embedded device manufacturers leave important file systems unmounted.
Another good resource:
http://wiki.in-circuit.de/index.php5?title=Flashfilesystem_
25. HOW TO CONNECT WITH OPENOCD
The command to initiate openocd is: openocd -f interface -f target
But now what? There are errors and stuff!!!!!
#openocd on
26. HOW TO CONNECT WITH OPENOCD(2)
Silly openocd!
That's more like it :)
28. REVERSE ENGINEERING
• Binary Ninja
  • Free version available
  • Limited architecture support
  • Learn one IL to reverse them all
• IDA Pro
  • Paid version required for disassembly
  • ARM decompiler available but $$$$
  • Also a very good debugger
• Radare2
  • Free multiplatform support
  • No decompiler available
35. DIFFERENT THINGS
• RTL-SDR: 500 kHz - 1.7 GHz, RX only, $25
• HackRF One: 1 MHz - 6 GHz, RX/TX @ half-duplex, $315
• USRP: 70 MHz - 6 GHz, RX/TX @ full-duplex, $900
36. CAUSES TORNADOES
Only way to stop the noise was "to unplug the radio systems and the repeater".
Could have recorded the commands during a system test or actual tornado, and then played them back.
Source: https://arstechnica.com/information-technology/2017/04/dallas-siren-hack-used-radio-signals-to-spoof-alarm-says-city-manager/
Controlled by tone combinations used by the Emergency Alert System broadcast over the National Weather Service's weather radio – Spoofed?
Can also be controlled by Dual-Tone Multi-Frequency (DTMF) or Audio Frequency Shift Keying (AFSK) encoded commands from a dispatcher or command center terminal sent over UHF radio frequencies -- 700 MHz range.