RedaMastouri/IoT-PenTesting-Research-

Demonstrate skills in creating, implementing & maintaining virtual machines: Windows OS, Kali & Ubuntu for both attack and victim machines.

IoT-PenTesting-Research-

Demonstrate skills in creating, implementing & maintaining virtual machines: Windows OS, Kali & Ubuntu for both attack and victim machines.

Contents

• Analysis, Reports and Slides
• Communities
• IoT Hacks
  • Thingbots
  • RFID
  • Home Automation
  • Connected Doorbell
  • Hub
  • Smart Coffee
  • Wearable
  • Smart Plug
  • Cameras
  • Traffic Lights
  • Automobiles
  • Airplanes
  • Light Bulbs
  • Locks
  • Smart Scale
  • Smart Meters
  • Pacemaker
  • Thermostats
  • Fridge
  • Media Player & TV
  • Firearms
  • Toilet
  • Toys
  • Drones

Analysis, Reports and Slides

• Internet of Things Research Study (HP 2014 Report)
• The Internet of Fails, (video)
• Cameras, Thermostats, and Home Automation Controllers, Hacking 14 IoT Devices
• Hack All The Things: 20 Devices in 45 Minutes - (wiki, video)
• Careful Connections: Building Security in the Internet of Things (FTC)
• Analysis of IoT honeypot data; How devices are hacked, type of infections and origin of attacks (Kaspersky lab, 2018)

Communities

• IoT Village^TM
• BuildItSecure.ly
• Secure Internet of Things Project (Stanford)
• The Open Web Application Security Project (OWASP)

IoT Hacks

Thingbots

• Proofpoint Uncovers Internet of Things (IoT) Cyberattack

RFID

• Vulnerabilities in First-Generation RFID-enabled Credit Cards
• MIT Subway Hack Paper Published on the Web
• Tampered Card Readers Steal Data via Bluetooth

Home Automation

• IOActive identifies vulnerabilities in Belkin WeMo's Home Automation
• Cameras, Thermostats, and Home Automation Controllers, Hacking 14 IoT Devices
• Popular Home Automation System Backdoored Via Unpatched Flaw

Connected Doorbell

• CVE-2015-4400: Backdoorbot, Network Configuration Leak on a Connected Doorbell, (video)

Hub

• TWSL2013-023: Lack of Web and API AuthenticationVulnerability in INSTEON Hub

Smart Coffee

• Reversing the Smarter Coffee IoT Machine Protocol to Make Coffee Using the Terminal

Wearable

• How I hacked my smart bracelet

Smart Plug

• Hacking the D-Link DSP-W215 Smart Plug
• Reverse Engineering the TP-Link HS110
• Hacking Kankun Smart Wifi Plug
• Smart Socket Hack Tutorial

Cameras

• Trendnet Cameras - I always feel like somebody's watching me
• Hacker Hotshots: Eyes on IZON Surveilling IP Camera Security
• Cameras, Thermostats, and Home Automation Controllers, Hacking 14 IoT Devices
• Hacker 'shouts abuse' via Foscam baby monitoring camera
• Urban surveillance camera systems lacking security
• TWSL2014-007: Multiple Vulnerabilities in Y-Cam IP Cameras
• Say Cheese: a snapshot of the massive DDoS attacks coming from IoT cameras
• Samsung SmartCam install.php Remote Root Command Exec

Traffic Lights

• Green Lights Forever: Analyzing The Security of Traffic Infrastructure
• Hacking US (and UK, Australia, France, etc.) Traffic Control Systems

Automobiles

• Hackers Remotely Attack a Jeep on the Highway
• Comprehensive Experimental Analyses of Automotive Attack Surfaces

Airplanes

• Hackers could take control of a plane using in-flight entertainment system

Light Bulbs

• Hacking into Internet Connected Light Bulbs
• Hacking Lightbulbs: Security Evaluation Of The Philips Hue Personal Wireless Lighting System
• IoT Goes Nuclear: Creating a ZigBee Chain Reaction
• Extended Functionality Attacks on IoT Devices: The Case of Smart Lights

Locks

• Lockpicking in the IoT

Smart Scale

• Fitbit Aria Wi-Fi Smart Scale

Smart Meters

• Solar Power Firm Patches Meters Vulnerable to Command Injection Attacks

Pacemaker

• Pacemakers and Implantable Cardiac Defibrillators: Software Radio Attacks and Zero-Power Defenses

Thermostats

• Cameras, Thermostats, and Home Automation Controllers, Hacking 14 IoT Devices
• Google Nest: Exploiting DFU For Root
• Smart Nest Thermostat, A Smart Spy in Your Home
• TWSL2013-022: No Authentication Vulnerability in Radio Thermostat

Fridge

• Proofpoint Uncovers Internet of Things (IoT) Cyberattack - Spam emails from fridges.
• Hacking Defcon 23'S IoT Village Samsung Fridge

Media Player & TV

• Breaking Secure-Boot on the Roku
• Google TV Or: How I Learned to Stop Worrying and Exploit Secure Boot
• Chromecast: Exploiting the Newest Device By Google
• Ransomware Ruins Holiday By Hijacking Family's LG Smart TV on Christmas Day

Firearms

• DEF CON 25 - Plore - Popping a Smart Gun (Slides)
• Hacking a IoT Rifle - BlackHat 2015 - 36 slides
• Hackers Can Disable a Sniper Rifle—Or Change Its Target - Wired 2015

Toilet

• TWSL2013-020: Hard-Coded Bluetooth PIN Vulnerability in LIXIL Satis Toilet

Toys

• TWSL2013-021: Multiple Vulnerabilities in Karotz Smart Rabbit
• Fisher-Price smart bear allowed hacking of children's biographical data (CVE-2015-8269)
• Hello Barbie Initial Security Analysis
• Security researcher Ken Munro discovers vulnerability in Vivid Toy's talking Doll 'Cayla'
• Data from connected CloudPets teddy bears leaked and ransomed, exposing kids' voice messages

Drones

• Parrot Drones Hijacking - RSA2018 Video, Pedro Cabrera, March 2018 (Slides)
• Hacking the DJI Phantom 3, Paolo Stagno, January 25, 2017
• PHDays VI, hacking Syma X5C quadcopter, Pavel Novikov and Artur Garipov, June 9, 2016
• All your bebop drones still belong to us, drone hijacking, Pedro Cabrera, 2016
• Shelling out on 3DR Solo, Kevin Finisterre,June 15, 2015

Software Tools

Software tools for analyzing embedded/IoT devices and firmware.

Analysis Frameworks

• EXPLIoT - Pentest framework like Metasploit but specialized for IoT.
• FACT - The Firmware Analysis and Comparison Tool - Full-featured static analysis framework including extraction of firmware, analysis utilizing different plug-ins and comparison of different firmware versions.
  • Improving your firmware security analysis process with FACT - Conference talk about FACT 📺.
• FwAnalyzer - Analyze security of firmware based on customized rules. Intended as additional step in DevSecOps, similar to CI.
• HAL – The Hardware Analyzer - A comprehensive reverse engineering and manipulation framework for gate-level netlists.
• HomePWN - Swiss Army Knife for Pentesting of IoT Devices.
• IoTSecFuzz - Framework for automatisation of IoT layers security analysis: hardware, software and communication.
• Killerbee - Framework for Testing & Auditing ZigBee and IEEE 802.15.4 Networks.
• PRET - Printer Exploitation Toolkit.
• Routersploit - Framework dedicated to exploit embedded devices.

Analysis Tools

• Binwalk - Searches a binary for "interesting" stuff, as well as extracts arbitrary files.
• emba - Analyze Linux-based firmware of embedded devices.
• Firmadyne - Tries to emulate and pentest a firmware.
• Firmwalker - Searches extracted firmware images for interesting files and information.
• Firmware Slap - Discovering vulnerabilities in firmware through concolic analysis and function clustering.
• Ghidra - Software Reverse Engineering suite; handles arbitrary binaries, if you provide CPU architecture and endianness of the binary.
• Radare2 - Software Reverse Engineering framework, also handles popular formats and arbitrary binaries, has an extensive command line toolset.
• Trommel - Searches extracted firmware images for interesting files and information.

Extraction Tools

• FACT Extractor - Detects container format automatically and executes the corresponding extraction tool.
• Firmware Mod Kit - Extraction tools for several container formats.
• The SRecord package - Collection of tools for manipulating EPROM files (can convert lots of binary formats).

Support Tools

• JTAGenum - Add JTAG capabilities to an Arduino.
• OpenOCD - Free and Open On-Chip Debugging, In-System Programming and Boundary-Scan Testing.

Misc Tools

• Cotopaxi - Set of tools for security testing of Internet of Things devices using specific network IoT protocols.
• dumpflash - Low-level NAND Flash dump and parsing utility.
• flashrom - Tool for detecting, reading, writing, verifying and erasing flash chips.
• Samsung Firmware Magic - Decrypt Samsung SSD firmware updates.

Hardware Tools

• Bus Blaster - Detects and interacts with hardware debug ports like UART and JTAG.
• Bus Pirate - Detects and interacts with hardware debug ports like UART and JTAG.
• Shikra - Detects and interacts with hardware debug ports like UART and JTAG. Among other protocols.
• JTAGULATOR - Detects JTAG Pinouts fast.
• Saleae - Easy to use Logic Analyzer that support many protocols 💶.
• Ikalogic - Alternative to Saleae logic analyzers 💶.
• HydraBus - Open source multi-tool hardware similar to the BusPirate but with NFC capabilities.
• ChipWhisperer - Detects Glitch/Side-channel attacks.
• Glasgow - Tool for exploring and debugging different digital interfaces.
• J-Link - J-Link offers USB powered JTAG debug probes for multiple different CPU cores 💶.

Bluetooth BLE Tools

• UberTooth One - Open source 2.4 GHz wireless development platform suitable for Bluetooth experimentation.
• Bluefruit LE Sniffer - Easy to use Bluetooth Low Energy sniffer.

ZigBee Tools

• ApiMote - ZigBee security research hardware for learning about and evaluating the security of IEEE 802.15.4/ZigBee systems. Killerbee compatible.
• Atmel RZUSBstick - Discontinued product. Lucky if you have one! - Tool for development, debugging and demonstration of a wide range of low power wireless applications including IEEE 802.15.4, 6LoWPAN, and ZigBee networks. Killerbee compatible.
• Freakduino - Low Cost Battery Operated Wireless Arduino Board that can be turned into a IEEE 802.15.4 protocol sniffer.

SDR Tools

• RTL-SDR - Cheapest SDR for beginners. It is a computer based radio scanner for receiving live radio signals frequencies from 500 kHz up to 1.75 GHz.
• HackRF One - Software Defined Radio peripheral capable of transmission or reception of radio signals from 1 MHz to 6 GHz (half-duplex).
• YardStick One - Half-duplex sub-1 GHz wireless transceiver.
• LimeSDR - Software Defined Radio peripheral capable of transmission or reception of radio signals from 100 KHz to 3.8 GHz (full-duplex).
• BladeRF 2.0 - Software Defined Radio peripheral capable of transmission or reception of radio signals from 47 MHz to 6 GHz (full-duplex).
• USRP B Series - Software Defined Radio peripheral capable of transmission or reception of radio signals from 70 MHz to 6 GHz (full-duplex).

RFID NFC Tools

• Proxmark 3 RDV4 - Powerful general purpose RFID tool. From Low Frequency (125kHz) to High Frequency (13.56MHz) tags.
• ChamaleonMini - Programmable, portable tool for NFC security analysis.
• HydraNFC - Powerful 13.56MHz RFID / NFC platform. Read / write / crack / sniff / emulate.

Books

• 2020, Fotios Chantzis, Evangel Deirme, Ioannis Stais, Paulino Calderon, Beau Woods: Practical IoT Hacking
• 2020, Jasper van Woudenberg, Colin O'Flynn: The Hardware Hacking Handbook: Breaking Embedded Security with Hardware Attacks
• 2019, Yago Hansen: The Hacker's Hardware Toolkit: The best collection of hardware gadgets for Red Team hackers, Pentesters and security researchers
• 2019, Aditya Gupta: The IoT Hacker's Handbook: A Practical Guide to Hacking the Internet of Things
• 2018, Mark Swarup Tehranipoor: Hardware Security: A Hands-on Learning Approach
• 2018, Mark Carney: Pentesting Hardware - A Practical Handbook (DRAFT)
• 2018, Qing Yang, Lin Huang Inside Radio: An Attack and Defense Guide
• 2017, Aditya Gupta, Aaron Guzman: IoT Penetration Testing Cookbook
• 2017, Andrew Huang: The Hardware Hacker: Adventures in Making and Breaking Hardware
• 2016, Craig Smith: The Car Hacker's Handbook: A Guide for the Penetration Tester
• 2015, Keng Tiong Ng: The Art of PCB Reverse Engineering
• 2015, Nitesh Dhanjan: Abusing the Internet of Things: Blackouts, Freakouts, and Stakeouts
• 2015, Joshua Wright , Johnny Cache: Hacking Wireless Exposed
• 2014, Debdeep Mukhopadhyay: Hardware Security: Design, Threats, and Safeguards
• 2014, Jack Ganssle: The Firmware Handbook (Embedded Technology)
• 2013, Andrew Huang: Hacking the XBOX

Research Papers

• 2020, Oser et al: SAFER: Development and Evaluation of an IoT Device Risk Assessment Framework in a Multinational Organization
• 2019, Agarwal et al: Detecting IoT Devices and How They Put Large Heterogeneous Networks at Security Risk
• 2019, Almakhdhub et al: BenchIoT: A Security Benchmark for the Internet of Things
• 2019, Alrawi et al: SoK: Security Evaluation of Home-Based IoT Deployments
• 2019, Abbasi et al: Challenges in Designing Exploit Mitigations for Deeply Embedded Systems
• 2019, Song et al: PeriScope: An Effective Probing and Fuzzing Framework for the Hardware-OS Boundary
• 2018, Muench et al: What You Corrupt Is Not What You Crash: Challenges in Fuzzing Embedded Devices
• 2017, O'Meara et al: Embedded Device Vulnerability Analysis Case Study Using Trommel
• 2017, Jacob et al: How to Break Secure Boot on FPGA SoCs through Malicious Hardware
• 2017, Costin et al: Towards Automated Classification of Firmware Images and Identification of Embedded Devices
• 2016, Kammerstetter et al: Embedded Security Testing with Peripheral Device Caching and Runtime Program State Approximation
• 2016, Chen et al: Towards Automated Dynamic Analysis for Linux-based Embedded Firmware
• 2016, Costin et al: Automated Dynamic Firmware Analysis at Scale: A Case Study on Embedded Web Interfaces
• 2015, Shoshitaishvili et al:Firmalice - Automatic Detection of Authentication Bypass Vulnerabilities in Binary Firmware
• 2015, Papp et al: Embedded Systems Security: Threats, Vulnerabilities, and Attack Taxonomy
• 2014, Zaddach et al: Avatar: A Framework to Support Dynamic Security Analysis of Embedded Systems' Firmwares
• 2014, Alimi et al: Analysis of embedded applications by evolutionary fuzzing
• 2014, Costin et al: A Large-Scale Analysis of the Security of Embedded Firmwares
• 2013, Davidson et al: FIE on Firmware: Finding Vulnerabilities in Embedded Systems using Symbolic Execution

Case Studies

• Binary Hardening in IoT products
• Cracking Linksys “Encryption”
• Deadly Sins Of Development - Conference talk presenting several real world examples on real bad implementations 📺.
• Dumping firmware from a device's SPI flash with a buspirate
• Hacking the DSP-W215, Again
• Hacking the PS4 - Introduction to PS4's security.
• IoT Security@CERN
• Multiple vulnerabilities found in the D-link DWR-932B
• Pwning the Dlink 850L routers and abusing the MyDlink Cloud protocol
• PWN Xerox Printers (...again)
• Reversing Firmware With Radare
• Reversing the Huawei HG533

Free Training

• CSAW Embedded Security Challenge 2019 - CSAW 2019 Embedded Security Challenge (ESC).
• Embedded Security CTF - Microcorruption: Embedded Security CTF.
• Hardware Hacking 101 - Workshop @ BSides Munich 2019.
• IoTGoat - IoTGoat is a deliberately insecure firmware based on OpenWrt.
• Rhme-2015 - First riscure Hack me hardware CTF challenge.
• Rhme-2016 - Riscure Hack me 2 is a low level hardware CTF challenge.
• Rhme-2017/2018 - Riscure Hack Me 3 embedded hardware CTF 2017-2018.

Websites

• Hacking Printers Wiki - All things printer.
• OWASP Embedded Application Security Project - Development best practices and list of hardware and software tools.
• OWASP Internet of Things Project - IoT common vulnerabilities and attack surfaces.
• Router Passwords - Default login credential database sorted by manufacturer.
• Siliconpr0n - A Wiki/Archive of all things IC reversing.

Blogs

• RTL-SDR
• /dev/ttyS0's Embedded Device Hacking
• Exploiteers
• Hackaday
• jcjc's Hack The World
• Quarkslab
• wrong baud
• Firmware Security
• PenTestPartners
• Attify
• Patayu
• GracefulSecurity - Hardware tag
• Black Hills - Hardware Hacking tag