
Drawing from the real-life exploits of five highly regarded IoT security researchers, Practical IoT Hacking teaches you how to test IoT systems, devices, and protocols to mitigate risk.

The book begins by walking you through common threats and a threat modeling framework. You'll develop a security testing methodology, discover the art of passive reconnaissance, and assess security on all layers of an IoT system. Next, you'll perform VLAN hopping, crack MQTT authentication, abuse UPnP, develop an mDNS poisoner, and craft WS-Discovery attacks.

You'll tackle both hardware hacking and radio hacking, with in-depth coverage of attacks against embedded IoT devices and RFID systems.

You'll also learn how to:

Write a DICOM service scanner as an NSE module

Hack a microcontroller through the UART and SWD interfaces

Reverse engineer firmware and analyze mobile companion apps

Develop an NFC fuzzer using Proxmark3

Hack a smart home by jamming wireless alarms, playing back IP camera feeds, and controlling a smart treadmill

The tools and devices you'll use are affordable and readily available, so you can easily practice what you learn. You can also download this book's code examples at the link provided below the description.

Whether you're a security researcher, IT team member, or hacking hobbyist, you'll find Practical IoT Hacking indispensable in your efforts to hack all the things.

REQUIREMENTS: Basic knowledge of Linux command line, TCP/IP, and programming

Table of Contents

  1. Foreword
  2. Acknowledgments
  3. Introduction
    1. This Book’s Approach
    2. Who This Book Is For
    3. Kali Linux
    4. How This Book Is Organized
    5. Contact
  4. Part I: The IoT Threat Landscape
    1. Chapter 1: The IoT Security World
      1. Why Is IoT Security Important?
      2. How Is IoT Security Different than Traditional IT Security?
      3. What’s Special About IoT Hacking?
      4. Frameworks, Standards, and Guides
      5. Case Study: Finding, Reporting, and Disclosing an IoT Security Issue
      6. Expert Perspectives: Navigating the IoT Landscape
      7. IoT Hacking Laws
      8. The Role of Government in IoT Security
      9. Patient Perspectives on Medical Device Security
      10. Conclusion
    2. Chapter 2: Threat Modeling
      1. Threat Modeling for IoT
      2. Following a Framework for Threat Modeling
      3. Identifying the Architecture
      4. Breaking the Architecture into Components
      5. Identifying Threats
      6. Using Attack Trees to Uncover Threats
      7. Rating Threats with the DREAD Classification Scheme
      8. Other Types of Threat Modeling, Frameworks, and Tools
      9. Common IoT Threats
      10. Signal Jamming Attacks
      11. Replay Attacks
      12. Settings Tampering Attacks
      13. Hardware Integrity Attacks
      14. Node Cloning
      15. Security and Privacy Breaches
      16. User Security Awareness
      17. Conclusion
    3. Chapter 3: A Security Testing Methodology
      1. Passive Reconnaissance
      2. The Physical or Hardware Layer
      3. Peripheral Interfaces
      4. Boot Environment
      5. Locks
      6. Tamper Protection and Detection
      7. Firmware
      8. Debug Interfaces
      9. Physical Robustness
      10. The Network Layer
      11. Reconnaissance
      12. Network Protocol and Service Attacks
      13. Wireless Protocol Testing
      14. Web Application Assessment
      15. Application Mapping
      16. Client-Side Controls
      17. Authentication
      18. Session Management
      19. Access Controls and Authorization
      20. Input Validation
      21. Logic Flaws
      22. Application Server
      23. Host Configuration Review
      24. User Accounts
      25. Password Strength
      26. Account Privileges
      27. Patch Levels
      28. Remote Maintenance
      29. Filesystem Access Controls
      30. Data Encryption
      31. Server Misconfiguration
      32. Mobile Application and Cloud Testing
      33. Conclusion
  5. Part II: Network Hacking
    1. Chapter 4: Network Assessments
      1. Hopping into the IoT Network
      2. VLANs and Network Switches
      3. Switch Spoofing
      4. Double Tagging
      5. Imitating VoIP Devices
      6. Identifying IoT Devices on the Network
      7. Uncovering Passwords by Fingerprinting Services
      8. Writing New Nmap Service Probes
      9. Attacking MQTT
      10. Setting Up a Test Environment
      11. Writing the MQTT Authentication-Cracking Module in Ncrack
      12. Testing the Ncrack Module Against MQTT
      13. Conclusion
    2. Chapter 5: Analyzing Network Protocols
      1. Inspecting Network Protocols
      2. Information Gathering
      3. Analysis
      4. Prototyping and Tool Development
      5. Conducting a Security Assessment
      6. Developing a Lua Wireshark Dissector for the DICOM Protocol
      7. Working with Lua
      8. Understanding the DICOM Protocol
      9. Generating DICOM Traffic
      10. Enabling Lua in Wireshark
      11. Defining the Dissector
      12. Defining the Main Protocol Dissector Function
      13. Completing the Dissector
      14. Building a C-ECHO Requests Dissector
      15. Extracting the String Values of the Application Entity Titles
      16. Populating the Dissector Function
      17. Parsing Variable-Length Fields
      18. Testing the Dissector
      19. Writing a DICOM Service Scanner for the Nmap Scripting Engine
      20. Writing an Nmap Scripting Engine Library for DICOM
      21. DICOM Codes and Constants
      22. Writing Socket Creation and Destruction Functions
      23. Defining Functions for Sending and Receiving DICOM Packets
      24. Creating DICOM Packet Headers
      25. Writing the A-ASSOCIATE Requests Message Contexts
      26. Reading Script Arguments in the Nmap Scripting Engine
      27. Defining the A-ASSOCIATE Request Structure
      28. Parsing A-ASSOCIATE Responses
      29. Writing the Final Script
      30. Conclusion
    3. Chapter 6: Exploiting Zero-Configuration Networking
      1. Exploiting UPnP
      2. The UPnP Stack
      3. Common UPnP Vulnerabilities
      4. Punching Holes Through Firewalls
      5. Abusing UPnP Through WAN Interfaces
      6. Other UPnP Attacks
      7. Exploiting mDNS and DNS-SD
      8. How mDNS Works
      9. How DNS-SD Works
      10. Conducting Reconnaissance with mDNS and DNS-SD
      11. Abusing the mDNS Probing Phase
      12. mDNS and DNS-SD Man-in-the-Middle Attacks
      13. Exploiting WS-Discovery
      14. How WS-Discovery Works
      15. Faking Cameras on Your Network
      16. Crafting WS-Discovery Attacks
      17. Conclusion
  6. Part III: Hardware Hacking
    1. Chapter 7: UART, JTAG, and SWD Exploitation
      1. UART
      2. Hardware Tools for Communicating with UART
      3. Identifying UART Ports
      4. Identifying the UART Baud Rate
      5. JTAG and SWD
      6. JTAG
      7. How SWD Works
      8. Hardware Tools for Communicating with JTAG and SWD
      9. Identifying JTAG Pins
      10. Hacking a Device Through UART and SWD
      11. The STM32F103C8T6 (Black Pill) Target Device
      12. Setting Up the Debugging Environment
      13. Coding a Target Program in Arduino
      14. Flashing and Running the Arduino Program
      15. Debugging the Target
      16. Conclusion
    2. Chapter 8: SPI and I2C
      1. Hardware for Communicating with SPI and I2C
      2. SPI
      3. How SPI Works
      4. Dumping EEPROM Flash Memory Chips with SPI
      5. I2C
      6. How I2C Works
      7. Setting Up a Controller-Peripheral I2C Bus Architecture
      8. Attacking I2C with the Bus Pirate
      9. Conclusion
    3. Chapter 9: Firmware Hacking
      1. Firmware and Operating Systems
      2. Obtaining Firmware
      3. Hacking a Wi-Fi Modem Router
      4. Extracting the Filesystem
      5. Statically Analyzing the Filesystem Contents
      6. Firmware Emulation
      7. Dynamic Analysis
      8. Backdooring Firmware
      9. Targeting Firmware Update Mechanisms
      10. Compilation and Setup
      11. The Client Code
      12. Running the Update Service
      13. Vulnerabilities of Firmware Update Services
      14. Conclusion
  7. Part IV: Radio Hacking
    1. Chapter 10: Short Range Radio: Abusing RFID
      1. How RFID Works
      2. Radio Frequency Bands
      3. Passive and Active RFID Technologies
      4. The Structure of RFID Tags
      5. Low-Frequency RFID Tags
      6. High-Frequency RFID Tags
      7. Attacking RFID Systems with Proxmark3
      8. Setting Up Proxmark3
      9. Updating Proxmark3
      10. Identifying Low- and High-Frequency Cards
      11. Low-Frequency Tag Cloning
      12. High-Frequency Tag Cloning
      13. Simulating RFID Tags
      14. Altering RFID Tags
      15. Attacking MIFARE with an Android App
      16. RAW Commands for Nonbranded or Noncommercial RFID Tags
      17. Eavesdropping on the Tag-to-Reader Communication
      18. Extracting a Sector’s Key from the Captured Traffic
      19. The Legitimate RFID Reader Attack
      20. Automating RFID Attacks Using the Proxmark3 Scripting Engine
      21. RFID Fuzzing Using Custom Scripting
      22. Conclusion
    2. Chapter 11: Bluetooth Low Energy
      1. How BLE Works
      2. Generic Access Profile and Generic Attribute Profile
      3. Working with BLE
      4. BLE Hardware
      5. BlueZ
      6. Configuring BLE Interfaces
      7. Discovering Devices and Listing Characteristics
      8. GATTTool
      9. Bettercap
      10. Enumerating Characteristics, Services, and Descriptors
      11. Reading and Writing Characteristics
      12. BLE Hacking
      13. Setting Up BLE CTF Infinity
      14. Getting Started
      15. Flag 1: Examining Characteristics and Descriptors
      16. Flag 2: Authentication
      17. Flag 3: Spoofing Your MAC Address
      18. Conclusion
    3. Chapter 12: Medium Range Radio: Hacking Wi-Fi
      1. How Wi-Fi Works
      2. Hardware for Wi-Fi Security Assessments
      3. Wi-Fi Attacks Against Wireless Clients
      4. Deauthentication and Denial-of-Service Attacks
      5. Wi-Fi Association Attacks
      6. Wi-Fi Direct
      7. Wi-Fi Attacks Against APs
      8. Cracking WPA/WPA2
      9. Cracking into WPA/WPA2 Enterprise to Capture Credentials
      10. A Testing Methodology
      11. Conclusion
    4. Chapter 13: Long Range Radio: LPWAN
      1. LPWAN, LoRa, and LoRaWAN
      2. Capturing LoRa Traffic
      3. Setting Up the Heltec LoRa 32 Development Board
      4. Setting Up the LoStik
      5. Turning the CatWAN USB Stick into a LoRa Sniffer
      6. Decoding the LoRaWAN Protocol
      7. The LoRaWAN Packet Format
      8. Joining LoRaWAN Networks
      9. Attacking LoRaWAN
      10. Bit-Flipping Attacks
      11. Key Generation and Management
      12. Replay Attacks
      13. Eavesdropping
      14. ACK Spoofing
      15. Application-Specific Attacks
      16. Conclusion
  8. Part V: Targeting the IoT Ecosystem
    1. Chapter 14: Attacking Mobile Applications
      1. Threats in IoT Mobile Apps
      2. Breaking Down the Architecture into Components
      3. Identifying Threats
      4. Android and iOS Security Controls
      5. Data Protection and Encrypted Filesystem
      6. Application Sandbox, Secure IPC, and Services
      7. Application Signatures
      8. User Authentication
      9. Isolated Hardware Components and Keys Management
      10. Verified and Secure Boot
      11. Analyzing iOS Applications
      12. Preparing the Testing Environment
      13. Extracting and Re-Signing an IPA
      14. Static Analysis
      15. Dynamic Analysis
      16. Injection Attacks
      17. Keychain Storage
      18. Binary Reversing
      19. Intercepting and Examining Network Traffic
      20. Avoiding Jailbreak Detection Using Dynamic Patching
      21. Avoiding Jailbreak Detection Using Static Patching
      22. Analyzing Android Applications
      23. Preparing the Test Environment
      24. Extracting an APK
      25. Static Analysis
      26. Binary Reversing
      27. Dynamic Analysis
      28. Intercepting and Examining Network Traffic
      29. Side-Channel Leaks
      30. Avoiding Root Detection Using Static Patching
      31. Avoiding Root Detection Using Dynamic Patching
      32. Conclusion
    2. Chapter 15: Hacking the Smart Home
      1. Gaining Physical Entry to a Building
      2. Cloning a Keylock System’s RFID Tag
      3. Jamming the Wireless Alarm
      4. Playing Back an IP Camera Stream
      5. Understanding Streaming Protocols
      6. Analyzing IP Camera Network Traffic
      7. Extracting the Video Stream
      8. Attacking a Smart Treadmill
      9. Smart Treadmills and the Android Operating System
      10. Taking Control of the Android-Powered Smart Treadmill
      11. Conclusion
  9. Tools for IoT Hacking
  10. Index