An Introduction to IoT Exploitation
Name: veerababu penugonda
IoT enthusiast
maintainer at
Agenda:
. Introduction to IoT
. Information About IoT protocols
. Attack Surfaces
. IoT Exploitation Methodology
. Demo
What is IoT?
Network of physical devices, vehicles, buildings and other
items embedded with electronics, software, sensors, actuators,
and network connectivity that enable these objects to collect and
exchange data (Wikipedia).
Bringing together people, process, data, and things to make
networked connections more relevant and valuable than ever
before, turning information into actions that create new capabilities,
richer experiences, and unprecedented economic opportunity for
businesses, individuals, and countries (Cisco).
IoT Protocols
CoAP: Constrained Application Protocol
MQTT: Message Queuing Telemetry Transport
IoT Protocols:
CoAP:
. Simple to encode: targets 8-bit MCUs (microcontroller units).
. UDP based, targets low-power IP networks.
. Two levels of QoS (quality of service): confirmable (CON) or non-confirmable (NON) messages.
. Simple observation mechanism: a client registers interest in a resource and is notified when it changes.
CoAP Security:
. DTLS (TLS over UDP datagrams).
. Pre-shared key, raw public key or certificate modes; the NoSec mode is also allowed, in which case anything on the network path can read and forge requests.
. DTLS is not really light.
MQTT:
. Very simple and light protocol on top of TCP.
. Good fit for wireless applications.
. Publish/subscribe paradigm: clients talk to a broker, never to each other.
. WebSocket support.
MQTT Security:
. Relies on SSL/TLS on top of the TCP stream. MQTT itself provides no confidentiality or integrity, so without TLS the username and password in the CONNECT packet, and every published payload, cross the network in clear text.
. Pre-shared-key encryption is supported (TLS-PSK cipher suites, which avoid certificate handling on constrained clients).
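The following is an added example, not code from the slides or from any MQTT library: it builds an MQTT 3.1.1 CONNECT packet the way a client does and parses it back the way a sniffer on an un-TLS'd port 1883 stream would, to show that the username and password are plain length-prefixed fields in the payload. The client ID, credentials and keep-alive value are made up for the demonstration.

```python
"""MQTT 3.1.1 CONNECT: build it like a client, parse it like a sniffer.

Added example. Without TLS the username and password below are plain
length-prefixed fields that anyone on the network path can read.
"""
import struct


def encode_remaining_length(n: int) -> bytes:
    """MQTT variable-length integer: 7 data bits per byte, MSB = 'more follows'."""
    out = bytearray()
    while True:
        byte, n = n % 128, n // 128
        if n:
            byte |= 0x80
        out.append(byte)
        if not n:
            return bytes(out)


def decode_remaining_length(buf: bytes, pos: int):
    """Return (value, position after the field); the spec allows at most 4 bytes."""
    value, multiplier = 0, 1
    for _ in range(4):
        byte = buf[pos]
        pos += 1
        value += (byte & 0x7F) * multiplier
        if not byte & 0x80:
            return value, pos
        multiplier *= 128
    raise ValueError("malformed remaining length")


def utf8_field(s) -> bytes:
    """Two-byte big-endian length prefix followed by the data."""
    data = s.encode("utf-8") if isinstance(s, str) else s
    return struct.pack(">H", len(data)) + data


def build_connect(client_id, username=None, password=None,
                  keepalive=60, clean_session=True) -> bytes:
    flags = 0x02 if clean_session else 0x00
    if username is not None:
        flags |= 0x80                      # bit 7: user name present
    if password is not None:
        flags |= 0x40                      # bit 6: password present
    var_header = utf8_field("MQTT") + bytes([4, flags]) + struct.pack(">H", keepalive)
    payload = utf8_field(client_id)
    if username is not None:
        payload += utf8_field(username)
    if password is not None:
        payload += utf8_field(password)    # password is binary data per spec
    body = var_header + payload
    return bytes([0x10]) + encode_remaining_length(len(body)) + body


def parse_connect(pkt: bytes) -> dict:
    """Decode a captured CONNECT packet; credentials come back exactly as sent."""
    if pkt[0] >> 4 != 1:
        raise ValueError("not a CONNECT packet")
    remaining, pos = decode_remaining_length(pkt, 1)
    if len(pkt) - pos != remaining:
        raise ValueError("remaining length does not match packet size")

    def read_field():
        nonlocal pos
        (n,) = struct.unpack_from(">H", pkt, pos)
        pos += 2
        data = pkt[pos:pos + n]
        pos += n
        return data

    if read_field() != b"MQTT":
        raise ValueError("unexpected protocol name")
    level, flags = pkt[pos], pkt[pos + 1]
    pos += 2
    (keepalive,) = struct.unpack_from(">H", pkt, pos)
    pos += 2
    info = {"protocol_level": level, "clean_session": bool(flags & 0x02),
            "keepalive": keepalive, "client_id": read_field().decode("utf-8")}
    if flags & 0x04:                       # will flag: topic and message precede the credentials
        info["will_topic"] = read_field().decode("utf-8")
        info["will_message"] = read_field()
    if flags & 0x80:
        info["username"] = read_field().decode("utf-8")
    if flags & 0x40:
        info["password"] = read_field()
    return info


if __name__ == "__main__":
    # Constructed sample: a sensor logging in with a hard-coded account.
    pkt = build_connect("sensor-42", username="admin", password=b"s3cret", keepalive=30)
    print(pkt.hex())
    print(parse_connect(pkt))
```

The same parser fed with the first client-to-broker segment of a port 1883 capture recovers the credentials; on port 8883 (TLS) none of this is readable, which is the whole point of the "uses SSL/TLS" bullet above.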
IoT Protocols
XMPP: Extensible Messaging and Presence Protocol
AMQP: Advanced Message Queuing Protocol
XMPP:
XMPP provides a general framework for messaging across a network, which
offers a multitude of applications beyond traditional Instant Messaging (IM) and
the distribution of presence data.
Who uses this protocol: WhatsApp, Gtalk, Facebook Chat.
Find more info here: https://xmpp.org/uses/internet-of-things.html
AMQP:
AMQP is a binary wire protocol which was designed for
interoperability between different vendors. Where other protocols
have failed, AMQP adoption has been strong. Companies like JP
Morgan use it to process 1 billion messages a day.
. It is used in one of the world's largest biometric databases, India's
Aadhaar project, home to 1.2 billion identities.
. It is used in the Ocean Observatories Initiative, an architecture that
collects 8 terabytes of data per day.
Find more info here: https://www.amqp.org
IoT Attack Surfaces:
OWASP Top 10 for IoT:
What we are going to discuss:
I9: Insecure Software/Firmware
What is Firmware:
Firmware is a type of software that provides control,
monitoring and data manipulation of engineered products
and systems. Typical examples of devices containing
firmware are embedded systems (Wikipedia).
What are embedded devices:
. VoIP phones
. Cars
. Drones
. Networking devices (routers, firewalls, IDS)
. Medical devices (health monitors)
. Mobile phones
. Home security systems
. Vehicles
. Thermostats, metering systems, consumer electronics, displays
What do we need to know?
The most common architectures for IoT
devices:
• ARM (ARM7, ARM9, Cortex)
• MIPS
The architecture (and, for MIPS, the endianness) decides which cross-toolchain, disassembler and QEMU target you will need later.
What do we need?
Debug interfaces:
. UART (Universal Asynchronous Receiver/Transmitter) – serial console
. JTAG (Joint Test Action Group) – HW debug
. SPI (Serial Peripheral Interface) – usually the bus of the flash chip holding the firmware
. I2C (Inter-Integrated Circuit) – EEPROMs and sensors
UART Debugger:
A UART usually contains the following
components:
1. input and output shift registers
2. transmit/receive control
3. read/write control logic
4. first-in, first-out (FIFO) buffer memory
(optional)
5. signals needed by a third-party DMA
controller (optional)
On a target board the UART header (TX, RX, GND and often VCC; usually 3.3 V logic and 115200 8N1) exposes the bootloader and kernel console, and on many consumer devices it drops straight into an unauthenticated root shell, so it is the first interface to look for.
JTAG Debugger (Joint Test Action Group):
- supports in-circuit debugging and firmware
programming as well as boundary-scan testing.
- Modern 8-bit and 16-bit microcontroller chips, such
as Atmel AVR and TI MSP430 chips, support JTAG
programming and debugging.
- Almost all FPGAs and CPLDs used today can be
programmed via a JTAG port.
- Many MIPS and PowerPC processors
have JTAG support.
• JTAG – Joint Test Action Group
– Finding the pins: TDI (Test Data In), TDO (Test Data Out), TCK (Test Clock), TMS (Test Mode Select) and the optional nTRST
– Hardware debugging via OpenOCD / GDB
– JTAGulator is awesome for brute-forcing the
pinout
An example view of a JTAG connection
http://www.grandideastudio.com
- On-chip debug (OCD) interfaces can provide chip-level control of a target device
and are a primary vector used by engineers, researchers, and hackers to extract
program code or data.
- JTAGulator is an open source hardware tool that assists in identifying OCD
connections from test points, vias, or component pads on a target device.
Operating systems for IoT:
• Contiki
• RIOT
• mbed
• TinyOS
• Nano-RK
• MANTIS
• emb::6
• FreeRTOS
Bootloaders:
• U-Boot
• RedBoot
• BareBox
• Ubicom bootloader
What are these?
. A bootloader is a piece of code that runs before any operating system is running.
. Bootloaders usually contain several ways to boot the OS kernel and also contain
commands for debugging and/or modifying the kernel environment.
. Security note: an unlocked bootloader console reachable over UART lets an attacker change the kernel command line (for example to start a shell instead of init), dump flash contents over the serial line or the network, and boot an unsigned kernel; production devices should disable or password-protect it.
• busybox + uClibc
• buildroot
• openembedded
• crosstool
• crossde
Are they compilers? Not exactly: busybox and uClibc are the userland and C library found in most router firmware, buildroot and openembedded are build systems that produce a complete root filesystem, and crosstool builds the cross-compiler toolchain itself. You need the matching toolchain to rebuild or patch binaries for the target architecture.
Compilers for IoT:
Computing environments are moving towards IoT services
which exchange a lot of information between diverse and
heterogeneous devices that are always connected to networks.
Since data communication and services take place on
various devices, including not only traditional computing
environments and mobile devices such as smartphones but also
household appliances, embedded devices and sensor nodes,
the security requirements are becoming more important at this point in
time. The paper this text is quoted from proposed a compiler with a secure-software
concept for developing secure applications for IoT services.
IoT exploitation methodology:
- Identify the device and hardware revisions, document the hardware components
- Research chip datasheets, figure out the features
- Identify possible hardware communication interfaces
- Identify the wireline protocol logic (how do I talk to these chips?)
- Hardware tools for accessing the interfaces
- Firmware reverse engineering
- Vulnerability research / exploitation
"routers & cars & drones are also hackable"
Let's get into our topic:
Insecure software/firmware:
• Encryption not used to fetch updates (the update can be observed or swapped on the wire)
• Update file not encrypted
• Update not verified before upload (no signature check before the image is flashed, so a modified image is accepted)
• Firmware contains sensitive information (hard-coded credentials, private keys, backdoor accounts)
• No obvious update functionality
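As an added example (not from the slides, and not Firmwalker's own code), here is a Firmwalker-style sweep over an unpacked root filesystem for the "firmware contains sensitive information" item: it flags interesting file names, private-key blocks, crypt(3) password hashes in passwd/shadow and key=value credentials in config files. The sample rootfs, including its password hash and key material, is constructed inline as dummy data in a temporary directory.

```python
"""Firmwalker-style sweep of an unpacked root filesystem (OWASP IoT I9,
"firmware contains sensitive information").

Added example. The sample rootfs, its password hash and key material are
dummy data built in a temporary directory; nothing comes from a real device.
"""
import os
import re
import tempfile

# File names worth a look regardless of content.
INTERESTING_NAMES = re.compile(
    r"(^|/)(shadow|passwd|authorized_keys|id_(rsa|dsa|ecdsa|ed25519)|"
    r"wpa_supplicant\.conf|[^/]*\.(pem|key|p12|pfx))$")

# Content patterns; group(0) of each match is reported as evidence.
PATTERNS = {
    "private_key": re.compile(r"-----BEGIN (RSA |EC |DSA |OPENSSH )?PRIVATE KEY-----"),
    # passwd/shadow line whose second field is a crypt(3) hash ($1$ md5, $5$ sha256, $6$ sha512, ...)
    "password_hash": re.compile(r"^[^:\s]+:\$[0-9a-z]+\$[^:\s]+:", re.M),
    "hardcoded_credential": re.compile(
        r"(?i)\b(?:passw(?:or)?d|secret|api[_-]?key|token)\s*[=:]\s*['\"]?[^\s'\"]+"),
    "url": re.compile(r"https?://[^\s'\"<>]+"),
}


def scan_rootfs(root: str, max_bytes: int = 1 << 20):
    """Walk root and return sorted (relative path, category, evidence) tuples."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if os.path.islink(path) or not os.path.isfile(path):
                continue            # dangling symlinks are common in extracted images
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            if INTERESTING_NAMES.search(rel):
                findings.append((rel, "interesting_file", ""))
            with open(path, "rb") as fh:
                text = fh.read(max_bytes).decode("latin-1")  # never fails on binary data
            for category, rx in PATTERNS.items():
                for m in rx.finditer(text):
                    findings.append((rel, category, m.group(0)[:60]))
    return sorted(findings)


def build_sample_rootfs() -> str:
    """Create a tiny constructed rootfs with typical findings and one clean file."""
    root = tempfile.mkdtemp(prefix="rootfs-")
    files = {
        "etc/passwd": "root:x:0:0:root:/root:/bin/sh\nnobody:x:65534:65534::/:/bin/false\n",
        "etc/shadow": "root:$1$dummysalt$dummyhashdummyhashdummy:17000:0:99999:7:::\n",
        "etc/ssl/server.key": ("-----BEGIN RSA PRIVATE KEY-----\n"
                               "dummy-key-material-not-a-real-key\n"
                               "-----END RSA PRIVATE KEY-----\n"),
        "etc/config/wifi": "ssid=Router-2G\npassword=admin123\n",
        "usr/bin/updater": "update_url=http://updates.example.com/fw.bin\n",
        "etc/motd": "Welcome to the router.\n",
    }
    for rel, content in files.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w") as fh:
            fh.write(content)
    return root


if __name__ == "__main__":
    for rel, category, evidence in scan_rootfs(build_sample_rootfs()):
        print(f"{category:22} {rel:22} {evidence}")
```

Point scan_rootfs() at the squashfs-root directory binwalk extracts; the "url" hits are where to start looking for an update server fetched over plain HTTP, which ties the last finding back to the first two bullets in the list above.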
We are targeting router firmware.
I already have DVRF v3 (Damn Vulnerable Router Firmware).
No practical device hacking? Not needed here: the firmware image is analysed on a workstation.
For firmware analysis, what do we need?
Tools for analysis:
. Binwalk
. Firmwalker
. Firmadyne
. Firmware-mod-kit
. ERESI framework
. FRAK (Firmware Reverse Analysis Konsole)
What to do?
• Get the firmware
• Reconnaissance
• Unpacking
• Localize points of interest
• Decompile/compile/tweak/fuzz/pentest/fun!
What not to do?
• Never try this on home or company devices that are in use:
a bad flash or a crashed service takes them down.
Get the DVRF here:
https://github.com/praetorian-inc/DVRF
Let's start the test
and get the info
using Binwalk!
Get the firmware:
. Download from the manufacturer's FTP/HTTP site
. Device memory dump (for example over UART, JTAG or by reading the SPI flash)
Reconnaissance:
Getting information about the firmware image (the binwalk signature scan, plus
binwalk -E for an entropy plot that shows compressed or encrypted regions) and
analysing the string values.
Unpacking:
. Use binwalk -e to extract any files that it finds in the firmware image
(binwalk -Me also recurses into the extracted images).
Localize points of interest:
binwalk -A instructs binwalk to search the specified file(s) for executable opcodes
common to a variety of CPU architectures. Note that some opcode signatures
are short and thus are prone to producing false positive results.
Decompile/compile/tweak/fuzz/pentest/fun!
. Running hexdump can help identify the type of firmware build.
. QEMU emulation is another way to examine binaries.
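The reconnaissance and localization steps above, as an added example that is not part of the slides and is not binwalk's own code: a signature scan for a handful of magics binwalk also knows, a strings(1)-style extractor, and a per-block Shannon entropy profile that marks compressed or encrypted regions (the high-entropy stretch is where binwalk -E spikes and where a squashfs or gzip kernel usually sits). The 8 KiB image is constructed inline from a dummy uImage header, some text, a gzip blob and a SquashFS marker; it is not a real vendor firmware, and the offsets, names and values in it are made up.

```python
"""binwalk-style reconnaissance: signature scan, strings and a block
entropy profile to localise headers, compressed/encrypted regions and
the filesystem inside a firmware image.

Added example. The image is constructed below from a dummy uImage
header, some text, a gzip blob and a SquashFS marker; it is not a real
vendor firmware, and the signature list is a small subset of binwalk's.
"""
import gzip
import math
import random
import re
import struct
from collections import Counter

SIGNATURES = {
    b"\x27\x05\x19\x56": "uImage header (U-Boot legacy image)",
    b"\x7fELF": "ELF executable",
    b"hsqs": "SquashFS filesystem, little endian",
    b"sqsh": "SquashFS filesystem, big endian",
    b"\x1f\x8b\x08": "gzip compressed data",
    b"\xfd7zXZ\x00": "xz compressed data",
    b"-----BEGIN ": "PEM block",
}

BLOCK = 1024


def find_signatures(image: bytes):
    """Every offset at which a known magic appears, sorted by offset."""
    hits = []
    for magic, desc in SIGNATURES.items():
        off = image.find(magic)
        while off >= 0:
            hits.append((off, desc))
            off = image.find(magic, off + 1)
    return sorted(hits)


def extract_strings(image: bytes, min_len: int = 4):
    """Printable ASCII runs, like strings(1)."""
    return [m.group().decode("ascii")
            for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, image)]


def shannon_entropy(block: bytes) -> float:
    """Bits per byte: ~0 for padding, ~4-5 for text/code, ~7.8+ for compressed or encrypted data."""
    if not block:
        return 0.0
    n = len(block)
    return -sum(c / n * math.log2(c / n) for c in Counter(block).values())


def entropy_profile(image: bytes, block_size: int = BLOCK):
    return [(off, round(shannon_entropy(image[off:off + block_size]), 2))
            for off in range(0, len(image), block_size)]


def high_entropy_regions(profile, block_size: int = BLOCK, threshold: float = 7.0):
    """Merge consecutive blocks above threshold into (start, end) byte ranges."""
    regions, start = [], None
    for off, h in profile:
        if h >= threshold and start is None:
            start = off
        elif h < threshold and start is not None:
            regions.append((start, off))
            start = None
    if start is not None:
        regions.append((start, profile[-1][0] + block_size))
    return regions


def build_sample_image() -> bytes:
    """Constructed 8 KiB image: uImage header, text, gzip blob, SquashFS marker."""
    rng = random.Random(7)
    header = struct.pack(">IIIIIIIBBBB", 0x27051956, 0, 0, 4096, 0x80000000,
                         0x80000000, 0, 5, 5, 2, 1)   # os=Linux arch=MIPS type=kernel comp=gzip
    header += b"FW-1.2.3".ljust(32, b"\0")         # 64-byte header in total
    text = (b"U-Boot bootloader for Router-2G\n/bin/busybox\nadmin:admin\n" * 40)[:1984]
    payload = bytes(rng.getrandbits(8) for _ in range(4096))   # incompressible, like encrypted data
    blob = gzip.compress(payload, mtime=0).ljust(5120, b"\0")  # starts at 2048, padded to 7168
    squashfs = b"hsqs" + b"\0" * 1020
    return header + text + blob + squashfs


if __name__ == "__main__":
    img = build_sample_image()
    for off, desc in find_signatures(img):
        print(f"{off:<10} 0x{off:<8X} {desc}")
    print("high-entropy regions:", high_entropy_regions(entropy_profile(img)))
    print("strings sample:", extract_strings(img)[:3])
```

Run it on a real image by replacing build_sample_image() with open(path, "rb").read(); a high-entropy region with no known signature at its start is the usual sign of an encrypted update file (the "update file not encrypted" bullet inverted), and the uImage header's comp field tells you which decompressor the bootloader expects.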
Any
Questions..?
