CHAPTER 22

Internet of Things to Be Hacked

This chapter covers the topic of Internet-connected devices, called the Internet of Things (IoT). The phrase “Internet of Things” was first coined in a 1999 presentation at MIT by Kevin Ashton.1 In 2008, the number of connected devices surpassed the number of humans on the planet at 8 billion,2 so the security of these devices is becoming increasingly important. The pace at which IoT devices are connected is staggering. Cisco expects the number of IoT devices to exceed 50 billion by 2020.3 Think about that for a moment: that is more than 8 connected devices for each human on the planet by 2020. With connected devices controlling an increasing amount of our lives and even acting on our behalf, it is crucial to understand the security risks these devices impose on their unsuspecting users if misconfigured, poorly designed, or just connected to the Internet with default credentials.

In this chapter, we cover the following topics:

•   Internet of Things (IoT)

•   Shodan IoT search engine

•   IoT worms: it was a matter of time


Internet of Things (IoT)

The Internet of Things may very well become the Internet of things to be hacked if we are not careful.4 In fact, as we discuss in this chapter, we are already too late and this statement is well on its way to becoming a reality. What is really scary is that users often trade security for convenience and are currently not as concerned about security as we security professionals would prefer.5

Types of Connected Things

There are various types of connected things: some are of large form factors, such as robotic machines in factories, and others are very small, such as implanted medical devices. The smaller devices suffer from limitations that affect security, such as limited memory, processing capacity, and power requirements. Power sources include batteries, solar, radio frequency (RF), and networks.6 The scarcity of power, particularly in remote small devices, is a direct threat to security controls such as encryption, which might be deemed too expensive, power-wise, and therefore be left out of the design altogether.

The list of connected things is too long to provide here, but to get you thinking of the various potential security issues, the following short list is provided7:

•   Smart things   Smart homes, appliances, offices, buildings, cities, grids, and so on

•   Wearable items   Devices for the monitoring of movement, such as fitness and biomedical wearables (for example, smart devices with touch payment and health-monitoring options)

•   Transportation and logistics   RFID toll sensors, tracking of shipments, and cold chain validation for produce and medical fluids (such as blood and medicine)

•   Automotive   Manufacturing, sensors on cars, telemetry, and autonomous driving

•   Manufacturing   RFID supply chain tracking, robotic assembly, and part authenticity

•   Medical and healthcare   Health tracking, monitoring, and delivery of drugs

•   Aviation   RFID part tracking (authenticity), UAV control, and package delivery

•   Telecommunications   Connecting smart devices with GSM, NFC, GPS, and Bluetooth

•   Independent living   Telemedicine, emergency response, and geo-fencing

•   Agriculture and breeding   Livestock management, veterinarian health tracking, food supply tracking and cold chaining, and crop rotation and soil sensors

•   Energy industry   Power generation, storage, delivery, management, and payment

Wireless Protocols

Most connected devices have some form of wireless communication. The wireless protocols include the following:

Cellular   Cellular networks, including GSM, GPRS, 3G, and 4G, are used for long-range communications.8 This form of communication is helpful when great distances exist between nodes, such as connected buildings, automobiles, and smartphones. At the time of this writing, this form of communication remains the most secure of the alternatives and is difficult to attack directly, but it may be jammed.

Wi-Fi   The venerable IEEE 802.11 protocol has been in place for decades and is well known and understood. Of course, there are many security issues with Wi-Fi that are also well known. This form of communication has become the de facto standard for mid-range communications of connected devices.9

Zigbee   The IEEE 802.15.4 protocol is a popular standard for short-to-medium-range communications, normally up to 10 meters and in some conditions up to 100 meters. The protocol is very useful in applications with low power requirements. The protocol allows for a mesh network, enabling intermediate nodes to relay messages to distant nodes.10 Zigbee operates in the 2.4 GHz range, which competes with Wi-Fi and Bluetooth.

Z-Wave   The Z-Wave protocol is also a popular standard used in the short-to-medium range, but offers a longer range due to the lower frequency (908.42 MHz in the US). Due to the separate frequency range, it does not compete with other common radios such as Wi-Fi and Bluetooth and experiences less interference.

Bluetooth (LE)   The ubiquitous Bluetooth protocol has undergone a facelift of late and has been reborn as Bluetooth Low Energy (LE), emerging as a viable alternative.11 Although it is backward compatible with Bluetooth, the protocol is considered “smart” due to its ability to save power.12 As with Zigbee and Z-Wave, Bluetooth and Bluetooth LE cannot communicate directly with the Internet; they must be relayed through a gateway device, such as a smartphone or smart bridge/controller.

6LoWPAN   The Internet Protocol version 6 (IPv6) over low-power Wireless Personal Area Networks (6LoWPAN) is emerging as a valuable method to deliver IPv6 packets over 802.15.4 (Zigbee) networks. Because it can ride over Zigbee and other forms of physical networks, it competes with Zigbee, but some would say it completes Zigbee because it allows for connection with other IP-connected devices.13

Communication Protocols

IoT has several communication protocols—far too many to list—but here are a few of the commonly used ones14:

•   Message Queuing Telemetry Transport (MQTT)

•   Extensible Messaging and Presence Protocol (XMPP)

•   Data Distribution Service for Real-Time Systems (DDS)

•   Advanced Message Queuing Protocol (AMQP)

Security Concerns

The traditional view of confidentiality, integrity, and availability applies to connected devices, but often not in the same way. When it comes to traditional network devices, a premium is normally placed on confidentiality, then integrity, and then availability. However, when it comes to connected devices, the order is often reversed, with a premium being placed on availability, then integrity, and then confidentiality. This paradigm is easy to understand when we consider an embedded medical device that is connected via Bluetooth to the user’s phone and thereby the Internet. The primary concern is availability, then integrity, and then confidentiality. Even though we are talking about sensitive medical information, there is no need to be concerned with confidentiality if the device can’t be reached or trusted.

There are, however, some additional security concerns:

•   Vulnerabilities may be difficult, if not impossible, to patch.

•   Small form factors have limited resources and power constraints, often preventing security controls such as encryption.

•   Lack of a user interface makes the device “out of sight, out of mind.” It’s often online for years with little to no thought on the owner’s part.

•   Protocols such as MQTT have limitations, including no encryption, often no authentication, and cumbersome security configuration, as you will see later in this chapter.

Shodan IoT Search Engine

The Shodan search engine is focused on Internet-connected devices15 and is slowly becoming known as the search engine for the Internet of Things (IoT). It is important to realize that this is not your father’s Google. Shodan searches for banners, not web pages. In particular, Shodan scans the Internet looking for banners it recognizes and then indexes that data. You can submit your own banner fingerprints and IPs for scanning, but that requires a paid license.

Web Interface

If you want to lose an afternoon, or even weekend, simply go to https://images.shodan.io (requires $49/year membership). Perhaps you will find a large toddler, napping, as shown next. (That’s a joke; this is obviously a tired adult.)

[Screenshot: Shodan Images result]

On a more serious note, with a little more searching, using the search string “authentication disabled” and filtering on VNC, you’ll receive more interesting results (notice the “Motor Stop” button).

[Screenshot: Shodan VNC results for “authentication disabled”]

If you’re interested in industrial control systems (ICS) and are looking for uncommon services, you can use the search string “category:ics -http -html -ssh -ident country:us,” which yields the following view.

[Screenshot: Shodan ICS search results view]

From this view, we can tell there are more than 200,000 ICS services running besides HTTP, HTML, SSH, and IDENT (which are common services). Further, we can tell the most common cities, top services, and top organizations hosting these ICS services. Of course, we would need to do further filtering and rule out honeypots—but more on that later.

If we wanted to show this data in a report format, we could generate a free report, as shown here.

[Screenshot: Shodan report]

Shodan Command-Line Interface

For those who prefer the command line, Shodan does not disappoint. It offers a powerful command-line tool, with full functionality.



NOTE   The labs in this chapter were performed on Kali Linux 2017 (32 bit), but should work on other versions of Linux. Also, an API key is required from Shodan, which you can get for free by registering an account there.

Lab 22-1: Using the Shodan Command Line

In this lab, we will explore the Shodan command line. Install the toolset using easy_install, like so:

[Listing: installing the shodan package with easy_install]

Then, initialize the API key:

[Listing: initializing the Shodan API key]

Next, test for credits available in your account:

[Listing: checking account credits]

Finally, run a scan to find VNC services (RFB), showing IP, port, org, and hostnames:

[Listing: Shodan search for VNC (RFB) services]

One feature of the command-line tool is the ability to check the honeyscore, a score that tests whether a site is a honeypot using heuristics developed by Shodan:

[Listing: Shodan honeyscore check]

Shodan API

Others may prefer a Python interface to the Shodan data, and, of course, you can use that, too. The Shodan Python library comes with the Shodan command-line tools, but the library may be installed separately, as well, using pip.

Lab 22-2: Testing the Shodan API

In this lab, we test out the Shodan API. You need an API key; a free one will do for this test case because we are not using any filters. We will build a Python script to search for MQTT services that include the word alarm in the banner. This code and all code in this chapter can be found on the book’s download site and GitHub repository.

[Listing: Python script searching Shodan for “mqtt alarm”]

Next, we run the MQTT search and observe the results:

[Listing: output of the MQTT search]

Lab 22-3: Playing with MQTT

In the previous lab, the search string “mqtt alarm” was supplied to Shodan to identify IP addresses running MQTT with an alarm listening. In this lab, we scan one of the resulting IPs for additional information. The following code was adapted from an example by Victor Pasknel.16

[Listing: MQTT subscriber script adapted from Pasknel]

This Python program is simple: after loading the mqtt.client library, the program defines a callback for both the initial connection (print the connection message and subscribe to all topics on the server) and the receipt of a message (print the message). Next, the client is initialized and the callbacks are registered. Finally, the client is connected (be sure to change the masked IP on this line) and sent into a loop.



NOTE   No authentication is involved here (unfortunately), so no kittens were harmed in the filming of this movie!

Next, we run the MQTT scanner:

[Listing: MQTT scanner output]

The output will be analyzed in the next section.
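To make concrete both the “no encryption, often no authentication” concern listed under Security Concerns and what the scanner above actually sends, here is an added example (not the book’s code or Pasknel’s) that builds and parses MQTT 3.1.1 CONNECT packets; the packets are constructed locally, not captured from any broker.

```python
"""Parse MQTT 3.1.1 CONNECT packets and report whether the client authenticated.

Added example, not the book's code or Victor Pasknel's. It shows on the wire why
the chapter flags MQTT: a CONNECT carries either no credentials at all or a
plaintext password, unless the broker is wrapped in TLS. All packets are
constructed with build_connect(); none were captured from a real broker.
"""
import struct

def _encode_string(s: str) -> bytes:
    """MQTT UTF-8 string: 2-byte big-endian length, then the bytes."""
    data = s.encode("utf-8")
    return struct.pack(">H", len(data)) + data

def _encode_remaining_length(n: int) -> bytes:
    """MQTT variable-length integer: 7 bits per byte, 0x80 means more bytes follow."""
    out = bytearray()
    while True:
        byte, n = n % 128, n // 128
        out.append(byte | 0x80 if n else byte)
        if not n:
            return bytes(out)

def build_connect(client_id: str, username=None, password=None, keep_alive=60) -> bytes:
    """Build a clean-session CONNECT packet; credentials are added only if given."""
    flags, payload = 0x02, _encode_string(client_id)        # bit 1: clean session
    if username is not None:
        flags, payload = flags | 0x80, payload + _encode_string(username)  # bit 7
    if password is not None:
        flags, payload = flags | 0x40, payload + _encode_string(password)  # bit 6
    body = _encode_string("MQTT") + bytes([4, flags]) + struct.pack(">H", keep_alive) + payload
    return bytes([0x10]) + _encode_remaining_length(len(body)) + body

def _read_field(buf: bytes, pos: int):
    """Read one length-prefixed field; returns (bytes, new position)."""
    (n,) = struct.unpack_from(">H", buf, pos)
    return buf[pos + 2:pos + 2 + n], pos + 2 + n

def inspect_connect(packet: bytes) -> dict:
    """Return what a passive on-path observer learns from one CONNECT packet."""
    if packet[0] >> 4 != 1:
        raise ValueError("not a CONNECT packet")
    length, mult, pos = 0, 1, 1
    while True:                                               # decode remaining length
        length, pos, mult = length + (packet[pos] & 0x7F) * mult, pos + 1, mult * 128
        if not packet[pos - 1] & 0x80:
            break
    if len(packet) - pos != length:
        raise ValueError("remaining length does not match packet size")
    proto, pos = _read_field(packet, pos)
    level, flags, keep_alive = packet[pos], packet[pos + 1], struct.unpack_from(">H", packet, pos + 2)[0]
    client_id, pos = _read_field(packet, pos + 4)
    if flags & 0x04:                                          # will flag: skip will topic and message
        _, pos = _read_field(packet, pos)
        _, pos = _read_field(packet, pos)
    username = password = None
    if flags & 0x80:
        username, pos = _read_field(packet, pos)
    if flags & 0x40:
        password, pos = _read_field(packet, pos)
    return {"protocol": proto.decode(), "level": level, "keep_alive": keep_alive,
            "client_id": client_id.decode(), "authenticated": username is not None,
            "username": None if username is None else username.decode(),
            "password_plaintext": None if password is None else password.decode()}
```

Run inspect_connect over packets from your own brokers’ captures: a client that never sets the user name flag is exactly what the open brokers in this chapter accept, and one that does set it still hands its password to anyone on the path unless port 8883 (MQTT over TLS) is in use.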

Implications of This Unauthenticated Access to MQTT

Much to our surprise, the output of the MQTT scanner shows the home not only has alarm information (Disarmed) but garage status as well. Also, through the magic of the creepy OwnTracks app running on the user’s phone, we know the owner is not home and is on the move, because every few seconds new LAT/LONG data is provided. That’s like having a police scanner telling you how long until the owner is home. Wow, now that is scary! As if that weren’t bad enough, some home automation systems allow for writing, not just reading.17 Writing is done through the publish command, so instead of subscribing, you can publish. For example, we can issue a fake command to a fake system (really, it does not exist; it is just an example).



NOTE   To issue commands and change a configuration on a system that does not belong to you may cross some legal lines and certainly crosses ethical lines, unless you are authorized to test the system. You have been warned!

Here’s our fake system example (given for illustrative purposes only), again adapted from the example given by Victor Pasknel18:

[Listing: publishing a command to the fake system]

IoT Worms: It Was a Matter of Time

In late 2016, attackers became upset with Brian Krebs, an Internet journalist who documented several hacks, and knocked him offline using a massive distributed denial-of-service (DDoS) attack.19 Now, DDoS attacks are not uncommon, but what is new is the method of attack. For the first time in history, an army of vulnerable IoT devices, namely cameras, was used in the attack. Further, DDoS attacks are normally reflective types of attacks, whereby an attacker tries to amplify the attack by leveraging protocols that require a simple command request and have a massive response. In this case, it was not a reflective attack at all—just normal requests, coming from countless infected hosts, which generated some 665 Gbps of traffic, nearly doubling the previous record.20 On the sending end of the attack were Internet-connected cameras that attackers found to have default passwords. The worm, dubbed Mirai, after a 2011 anime series, logs into Internet-based cameras using a table of more than 60 default passwords, commonly known from different vendors. The worm was careful to avoid the United States Post Office and Department of Defense IPs, but all others were fair game.21 The servers that hosted Krebs’ website had no chance, and even his hosting service, Akamai, which is known for protecting against DDoS attacks, dropped him after reportedly painful deliberations.22 The Mirai worm hit others as well, becoming the most notorious worm at that time, garnering much publicity and causing worldwide concern. Later, Mirai-infected hosts were used to exploit other vulnerabilities in routers, extending the threat of the original vulnerability.23 Eventually, copycats joined in and many Mirai variants sprang up.24 The number of infected hosts nearly doubled to 493,000 after the source code was released.25

At the time of this writing, attackers are beginning to target IoT devices more and more. No longer are attackers checking for default passwords; authors of the IoT Reaper worm are wielding vulnerabilities that leave millions of online cameras vulnerable.26 One thing is for sure: IoT devices cannot hide, as this chapter has shown. If they are connected to the Internet, they will be found.

Lab 22-4: Mirai Lives

Even after more than a year of battling Mirai, many infected hosts are still online. With Shodan, we can search for Mirai-infected hosts:

[Listing: Shodan search for Mirai-infected hosts]

Prevention

Now that you have seen the implications of open systems with no authentication on the Internet, here is some practical advice: hack yourself! Seriously, Shodan has many free searches, so why not take advantage of that service—before someone else does? Conduct a search of your home IP address, using www.whatismyip.com or a similar service, as well as the IP addresses of your family members, business, or anyone you know. Another valuable resource you should know about is the Internet of Things Scanner by BullGuard (see the “For Further Reading” section). It allows you to scan your home and see whether or not you are in Shodan.
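As an added example of the “hack yourself” advice (not code from the book or from Shodan), the script below pulls the record Shodan holds for an address you own through the host-lookup REST endpoint, rather than the shodan library used in Lab 22-2, and flags anything that is not on your intended port list or that accepted unauthenticated access; SAMPLE_HOST is a constructed record in the endpoint’s JSON shape, not real data.

```python
"""Review what Shodan holds about an IP you own and flag risky exposure.

Added example, not code from the book or from Shodan; it follows the chapter's
"hack yourself" advice and uses the host-lookup REST endpoint directly instead
of the shodan library the labs use. SAMPLE_HOST is a constructed record in the
shape of that endpoint's JSON, built for this example and not real data.
"""
import json
import urllib.request

SHODAN_HOST_URL = "https://api.shodan.io/shodan/host/{ip}?key={key}"

def fetch_host(ip: str, api_key: str) -> dict:
    """Fetch the live Shodan record for ip (network call; needs a free API key)."""
    with urllib.request.urlopen(SHODAN_HOST_URL.format(ip=ip, key=api_key), timeout=30) as resp:
        return json.load(resp)

def review_host(host: dict, expected_ports: set) -> list:
    """One finding per banner that was not meant to be public or accepts unauthenticated use."""
    findings = []
    for banner in host.get("data", []):
        port, text = banner.get("port"), banner.get("data", "")
        reasons, auth_problem = [], False
        if port not in expected_ports:
            reasons.append("service reachable on a port you did not intend to publish")
        if "authentication disabled" in text.lower():          # the string the chapter searches for
            reasons.append("VNC session can be opened without a password")
            auth_problem = True
        if text.startswith("MQTT Connection Code: 0"):
            # Shodan's crawler connects without credentials; return code 0 means the broker accepted it
            reasons.append("MQTT broker accepted an anonymous connection, so its topics are readable")
            auth_problem = True
        if reasons:
            findings.append({"port": port, "product": banner.get("product", "unknown"),
                             "severity": "high" if auth_problem else "medium", "reasons": reasons})
    return sorted(findings, key=lambda f: f["port"])

SAMPLE_HOST = {  # constructed; 203.0.113.0/24 is reserved for documentation
    "ip_str": "203.0.113.10", "org": "Example Home ISP", "hostnames": ["home.example.net"],
    "ports": [22, 1883, 5900],
    "data": [
        {"port": 22, "transport": "tcp", "product": "OpenSSH", "data": "SSH-2.0-OpenSSH_7.4\r\n"},
        {"port": 1883, "transport": "tcp", "product": "Mosquitto",
         "data": "MQTT Connection Code: 0\n\nTopics:\n  home/alarm\n  owntracks/user/phone\n"},
        {"port": 5900, "transport": "tcp", "product": "VNC",
         "data": "RFB 003.008\nVNC:\n  Protocol Version: 3.8\n  Authentication disabled\n"},
    ],
}

if __name__ == "__main__":
    # The owner only meant to publish SSH; everything else Shodan sees is a finding.
    for f in review_host(SAMPLE_HOST, expected_ports={22}):
        print(f"[{f['severity']}] port {f['port']} ({f['product']}): " + "; ".join(f["reasons"]))
```

Replace SAMPLE_HOST with fetch_host(your_ip, api_key) to run it against your own address; a free key is enough for host lookups.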

Summary

In this chapter, we discussed the increasing array of Internet-connected things that comprise the IoT and discussed the network protocols they use. Next, we explored the Shodan search engine, which specializes in finding IoT devices. Finally, we discussed what was bound to happen: the advent of IoT worms. After reading this chapter, you should be better prepared to identify, protect, and defend your things and those of your friends, family, and clients.

For Further Reading

“Distinguishing Internet-Facing Devices using PLC Programming Information”   https://www.hsdl.org/?abstract&did=757013

Internet of Things Scanner by BullGuard   https://iotscanner.bullguard.com/

NIST Special Publication 800-82, Revision 2, “Guide to Industrial Control Systems (ICS) Security”   http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-82r2.pdf

“Quantitatively Assessing and Visualizing Industrial System Attack Surfaces”   https://www.cl.cam.ac.uk/~fms27/papers/2011-Leverett-industrial.pdf

References

1.  X. Xu, “Internet of Things in Service Innovation,” The Amfiteatru Economic Journal, 4(6, November 2012): 698–719.

2.  M. Swan, “Sensor Mania! The Internet of Things, Wearable Computing, Objective Metrics, and the Quantified Self 2.0,” Journal of Sensor and Actuator Networks, 1(3, November 8, 2012): 217–253.

3.  D. Evans, “The Internet of Things: How the Next Evolution of the Internet Is Changing Everything [Internet],” Cisco, April 2011, https://www.cisco.com/c/dam/en_us/about/ac79/docs/innov/IoT_IBSG_0411FINAL.pdf.

4.  The Economist, “The Internet of Things (to Be Hacked),” July 12, 2014, https://www.economist.com/news/leaders/21606829-hooking-up-gadgets-web-promises-huge-benefits-security-must-not-be.

5.  A. Harper, “The Impact of Consumer Security Awareness on Adopting the Internet of Things: A Correlational Study,” Dissertation, Capella University, 2016, https://pqdtopen.proquest.com/doc/1853097232.html?FMT=ABS.

6.  D. Bandyopadhyay, J. Sen, “Internet of Things: Applications and Challenges in Technology and Standardization,” Wireless Personal Communications, 58(1, May 2011): 49–69.

7.  Harper, “The Impact of Consumer Security Awareness on Adopting the Internet of Things.”

8.  Z. Chen, F. Xia, T. Huang, F. Bu, and H. Wang, “A Localization Method for the Internet of Things,” The Journal of Supercomputing, 63(3, March 2013): 657–674.

9.  H. Jayakumar, K. Lee, W. Lee, A. Raha, Y. Kim, and V. Raghunathan, “Powering the Internet of Things,” in Proceedings of the 2014 International Symposium on Low Power Electronics and Design, ACM, 2014, 375–380, http://doi.acm.org/10.1145/2627369.2631644.

10.  Zigbee, Wikipedia, 2017, https://en.wikipedia.org/w/index.php?title=Zigbee&oldid=809655996.

11.  Harper, “The Impact of Consumer Security Awareness on Adopting the Internet of Things.”

12.  H. Jayakumar, et al., “Powering the Internet of Things.”

13.  J. Sarto, “ZigBee VS 6LoWPAN for Sensor Networks,” LSR, https://www.lsr.com/white-papers/zigbee-vs-6lowpan-for-sensor-networks.

14.  S. Schneider, “Understanding the Protocols Behind the Internet of Things,” Electronic Design, October 9, 2013, www.electronicdesign.com/iot/understanding-protocols-behind-internet-things.

15.  J. Matherly, Complete Guide to Shodan: Collect. Analyze. Visualize. Make Internet Intelligence Work for You, Lean Publishing, 2017.

16.  V. Pasknel, “Hacking the IoT with MQTT,” Morphus Labs, July 19, 2017, https://morphuslabs.com/hacking-the-iot-with-mqtt-8edaf0d07b9b.

17.  Pasknel, “Hacking the IoT with MQTT.”

18.  Pasknel, “Hacking the IoT with MQTT.”

19.  Mirai (malware), Wikipedia, 2017, https://en.wikipedia.org/w/index.php?title=Mirai_(malware)&oldid=807940975.

20.  S. M. Kerner, “DDoS Attacks Heading Toward 1-Terabit Record,” eWEEK, September 25, 2016, www.eweek.com/security/ddos-attacks-heading-toward-1-terabit-record.

21.  Mirai (malware), Wikipedia.

22.  Kerner, “DDoS Attacks Heading Toward 1-Terabit Record.”

23.  C. Farivar, “Computer Science Student Pleads Guilty to Creating Mirai Botnet,” Mirai | Tim’s Tablet Web Site, October 13, 2017, http://tablets.yourfreewordpress.com/?tag=mirai.

24.  B. Krebs, “New Mirai Worm Knocks 900K Germans Offline,” Krebs on Security, November 16, 2016, https://krebsonsecurity.com/2016/11/new-mirai-worm-knocks-900k-germans-offline/.

25.  M. Mimoso, “Mirai Bots More Than Double Since Source Code Release,” October 19, 2016, https://threatpost.com/mirai-bots-more-than-double-since-source-code-release/121368/.

26.  T. Fox-Brewster, “A Massive Number of IoT Cameras Are Hackable—And Now the Next Web Crisis Looms,” Forbes, October 23, 2017, https://www.forbes.com/sites/thomasbrewster/2017/10/23/reaper-botnet-hacking-iot-cctv-iot-cctv-cameras/.