Working with a Real Device

Let’s take a sample device and start looking at it as just described. In this case, the device is a navigation system and the model is Navman N40i.

This useful information will be helpful if we later decide to find vulnerabilities in the Navman system. This quick example illustrates how to approach your device once you get it and the initial analysis that you should perform.

Finding Input and Output Ports

The next step is to understand how the input and output (I/O) of the device works and the number of I/O ports and other connections. In Figure 3-1, we can see that the Navman system consists of a 3.5-inch screen with five buttons on the front, along with an LED indicator on the left.

Similarly, in Figure 3-2 we can see the power button and a couple of click buttons.

Figure 3-3 shows the volume control buttons and a headphone jack.

In Figure 3-4, you can see two screws and a docking connector.

Figure 3-5 shows an SD card slot, a GPS antenna port, and a USB port.

This is how we perform a visual exterior inspection of a given IoT device. Remember, this is only the first step in analyzing the hardware. To perform a good inspection, you need to analyze both exterior and interior components along with creating an attack surface map as discussed in Chapter 2 .

Internal Inspection

After the exterior inspection, we move on to an internal inspection. As the name suggests, this involves opening the device and looking at its internal components to better understand the device and identify the possible attack surfaces.

To open the device, we need to unscrew the screws. IoT devices can have varying types of screws and often a typical screwdriver set will fail to open some of the less common types of screws found in the devices. Make sure that you have a good screwdriver set handy whenever performing IoT exploitation on the device. Also, take special care while opening the device so as not to damage the device and its internal circuitry. One of the most common mistakes I have seen people make is trying to force open the device, which often leads to physical damage to the device, in some cases rendering it nonfunctional.

If you are seeing the internals of the device for the first time in your life, you might be fascinated by what you see. The device’s internals usually involve many components including the printed circuit board (PCB), connectors, antenna, peripherals, and so on. Try to open the target device carefully and remove all the attached cables, ribbons, or any other peripherals one after the other (see Figure 3-6).

If you look closely at Figure 3-6, you can see a camera module, a battery, a headphone, a GPS connector, and a GPS antenna on the top with an LCD connected by a ribbon cable. If you look at the other side of the board, Figure 3-7 shows what you will see.

Now let’s look at the different components and analyze their functionality, starting with the processor. Figure 3-8 shows the processor used in our navigation system.

The processor is one of the vital components of any IoT device. In this case, the processor that is used is the S3C2440AL, which is a Samsung ARM processor. If we look online for S3C2440AL, we will be able to find the data sheet for the processor, which could lead us to more insightful information about it (Figure 3-9). The data sheet for this processor can be found at http://www.keil.com/dd/docs/datashts/samsung/s3c2440_um.pdf . It contains information such as the I/O ports, interrupts, Real Time Clock (RTC), Serial Peripheral Interface (SPI), and more.

Next, we can look at other components, such as SDRAM and ROM, that are present in the device, as shown in Figure 3-10.

In Figure 3-10, the components used have the numbers K4M561633G, which by looking online we can see is a 4M × 16Bit × 4 Banks Mobile SDRAM from Future Electronics, and we can also see 512 MB ROM in it.

Continuing on, we can keep looking for different components—identifying their part numbers and then looking them up online to learn more about them. One of the other ways you can identify components is by looking at their logos and checking an online reference catalog such as https://www.westfloridacomponents.com/manufacturer-logos.html .

To look for data sheets, you can either simply search online for the component number or you can visit one of the web sites holding data sheet catalogs such as http://www.alldatasheet.com/ or http://www.datasheets360.com/ .

There is one final point we haven’t looked at so far, which is probably the most important aspect, the debug ports and interfaces. Often, devices would expose communication interfaces that could be exploited to gain further access to the device to perform actions such as reading the debug logs or even to gain unauthenticated root shell on the target device. As you can see in Figure 3-11, in our device, we have the device exposing interfaces that we could use to communicate with the device using UART and JTAG.

These interfaces can be found by just looking at the PCB and identifying the Tx and Rx for UART and TRST, TMS, TDO, TDI, and TCK for JTAG, both of which we cover in depth over the upcoming chapters. If you are not familiar with these terms, don’t worry, as this is where we will be spending most of our hardware hacking time in the rest of the book.

Analyzing Data Sheets

Devices might not have a lot of technical information available on their official web site. This is where the FCC ID database comes to the rescue.

If you are an electronics engineer and you would like to dig deeper into the device and maybe even look at the schematics of the device, where do you go? The FCC database is the answer. So, what is the FCC database, you might ask.

What Is FCC ID

The Federal Communication Commission (FCC) is a general body to regulate various devices emitting radio communications (which is most IoT devices). The reason for the regulation is that the radio spectrum is limited and there are devices operating at different frequencies.

In case of no regulatory body, one can decide to manufacture and choose his or her device to use a frequency that might already be in use by another device and lead to interference in the communications of other equipment.

Thus, any device that uses radio communication must go through a set of approval processes, which involves several tests, after which approval is granted by FCC for the device. The FCC ID of a device will be the same for a given model of a specific manufacturer. However, an important thing to note is that the FCC ID is not a permission to transmit, rather just approval by a U.S. government regulatory agency.

You can find the FCC ID of the device either printed on the device itself or by looking online at different sources. Also, don’t get confused with the devices that simply comply with the FCC regulations, as those might not require an FCC ID, given that they don’t communicate wirelessly and just generate small amounts of unintentional radio noise.

The information for the testing process is available on the FCC’s web site, unless the manufacturer specifically asks for a confidentiality request for the document. You can search for a device’s information by providing its FCC ID, either on the official FCC web site located at https://apps.fcc.gov/oetcf/eas/reports/GenericSearch.cfm or via a third-party unofficial web site such as fccid.io or fcc.io.

Using the FCC ID to Find Device Information

Let’s get hold of a real commercial device and use the FCC ID to find information about the device. In this case, we will use the device Edimax 3116W, which is an IP camera controllable by both mobile and web applications.

Figure 3-12 shows what the device looks like. Notice the FCC ID on the label on the back.

If we look up the FCC ID of the device, which is NDD9530401309, on the web site at https://fccid.io , you will see the screen shown in Figure 3-13.

On the web site, we can see various information about the device, such as the frequency range, access to lab setup, internal pictures, external pictures, user manual, Power of Attorney (PoA), and more.

One of the most interesting things to look at while analyzing the FCC ID information is the internal pictures of the device. You can find these at https://fccid.io/document.php?id=2129020 .

Figure 3-14 shows the internal pictures of the device. An interesting fact to note is that in this case, the pictures also reveal that this IP camera has a UART interface as suggested by the four pads shown in the photo. This is also something we will exploit in our upcoming chapters to get a root shell on the device.

Thus, as we can see, FCC IDs can be a goldmine of information and can help us learn a lot of details about the device and its workings.

Another interesting fun fact to know is that sometimes the manufacturer fails to ask for a confidentiality request on a device’s sensitive information, such as the schematics of the device. Access to the schematic of the device is extremely useful as it tells us what the different electronic components are that are used to build the device, and helps us understand the device in much greater depth.

Component Package

One of the things worth mentioning, whenever we discuss embedded or hardware analysis, is the packaging type. Whenever you look at a device’s interior, you will see a number of different components. Each of the components will vary in size, shape, and other aspects based on the device’s characteristic and functionality.

During manufacturing and development of an embedded device, there are several packaging options to choose from. Based on what packaging a component is using, for analysis, we would require corresponding hardware adapters and other components to interact with them. The most commonly used packaging types are listed here and shown in Figure 3-15.

1. 1.
   DIL

   1. a.

      Single in-line package

       
   2. b.

      Dual in-line package

       
   3. c.

      TO-220

       
    
2. 2.
   SMD

   1. a.

      CERPACK

       
   2. b.

      BGA

       
   3. c.

      SOT-23

       
   4. d.

      QFP

       
   5. e.

      SOIC

       
   6. f.

      SOP