Dear PenTest Readers,
IoT Security is one of the fastest growing areas of the whole industry. An estimated interconnectedness of 30 billion devices for 8 billion people in the near future is not science-fiction at all, as the “Industrial Revolution 4.0” is happening right before our eyes right now. 5G and next-to-come generations of network connectivity will only accelerate this process. With all of these smart devices, physical controllers, objects, sensors and transmitters, the number of potential vulnerabilities and attack vectors is skyrocketing. That’s why we dedicate this edition to the topic of IoT offensive security. Thus, we proudly present you with “Latest Trends in IoT Pentesting”!
Our contributors did a marvelous job, bringing to the table the finest selection of diverse approaches to the subject. To start with, Gilles Lionel aka Topotam, of whom you might have heard of in the context of his recent attack discovery on Windows, writes a really interesting real case of an IoT penetration test, performing U-Boot exploitation on UART Ports.
Jean-Georges Valle brilliantly demonstrates how to start practicing your IoT pentests without spending big on hardware. The author proves the point that a low-budget philosophy is totally efficient!
Roberto Camarinesi brings in an important industrial perspective to the magazine with his article on IIoT. Presenting a multi-pivoting technique, Roberto shows the importance of paying attention to particular devices during the deep monitoring of internal networks.
Chirag Jariwala writes a comprehensive article on various emerging attack vectors in the Internet of Things era. The author emphasizes that no attack vector should be overlooked, for the sake of user’s privacy and in some cases even physical security.
Mark Antwi Acquaisie demonstrates a case of building a secured IoT Solution based on his own interesting project - Cyber Safe Haven.
Cesar Soto refers to the research of the other contributor to this issue - PetitPotam NTLM Relay Attack by Topotam! Cesar demonstrates how to perform this attack. The cybersecurity world is small, isn’t it? :)
Julien Sebire contributes a thought-provoking article on the need for new ways of implementing security in the new industrial revolution. Ghiles Mahleb presents an interesting, practical case study on reverse engineering of IoT firmware, using Binwalk and QEMU.
For those of you who wish to read about something different than IoT security, we have two nice articles. Bige Beşikci wrote an article on decreasing the cybersecurity costs for start-ups, which doesn’t mean ignoring security, but choosing less expensive alternatives. Last but not least, Jesse Rivera of Cobalt offers a credible review of different cybersecurity certifications, sharing his reflections on entering the cybersecurity job market as well.
Without further ado,
Let’s dive into the reading!
PenTest Magazine's Editorial Team
Table of Contents
UART + U-Boot = U-AR-PWN
by GILLES Lionel aka Topotam
In this article, we will look back at a real case we encountered during an IoT penetration test. The IoT solution was composed of a ZigBee gateway/concentrator, a smart door lock and a mobile application to remotely control the lock.
Starting with IoT Security: Attacking Hardware on the Cheap
by Jean-Georges Valle
Electronics have never been as cheap and available as they are now (bar COVID’s Chipmageddon consequences) and the shift from super expensive proprietary devboards and compilers to open-source hardware and development tool chains was never as beneficial to the consumers. Economical and philosophical considerations aside, we went from an entry ticket of “500 USD boards with licensed compilers” towards something along the lines of “a 2 USD board and an apt command”. So, whether you are a seasoned pentester with an itch for burning your fingers or a newcomer that wants a change of scenery from the web-pentest puppy mill, getting into hardware has never been so easy.
IoT Pivoting in Industrial Case
by Roberto Camarinesi
The pivoting technique allows you to create a bridge to those networks or targets that are otherwise unreachable. It's a technique used to explore and descend deeper and deeper into the various sub-networks or to discover hosts with particular restrictive access policies that respond only to particular requests but also to make lateral movement; it is therefore particularly useful and almost indispensable in the post exploitation phases. It is useful to know that chains of bridges can be created, to create a chain of connections concatenated between them. This is called multi-pivoting. The longer the chain, the more distant we will be in terms of routing jumps from the target, thus increasing the time for detection.
Emerging Threats and Attack Vectors in IoT Security
by Chirag Jariwala
One can attach the power analysis tools, such as an oscilloscope or logic analyzer, and they can intercept the original plain text by power analysis while cipher text signal is transmitted over hardware to hardware communication. For multiplication operations, the CPU requires more voltage hence the higher resultant current and for addition operation less current is produce due to lower voltage. And by obtaining the mathematical operation states the original plain text is recovered from the cipher text. The RSA algorithm is, by design, a secure battle tested algorithm, but in this case, the problem is the implementation part in circuit design that fails to prevent such voltage leakage.
A Cyber Safe Haven - A Secured Approach in Building an IoT Solution [FULL ARTICLE AVAILABLE IN THE FREE PREVIEW VERSION]
by Mark Antwi Acquaisie
To draw the curtains, we need to rethink the IoT security approach especially with the expected launch of 5G wireless tech which is based on low latency, ultra-high speeds, and uninterrupted availability. Latest security trends must be always incorporated in the security design of any IoT build, taking into consideration the three core security triads namely, Confidentiality, Integrity and Availability, while using the purple team approach. Implementing these security techniques such as device and authentication management solutions, based on encryption techniques, with the expert knowledge mobilized as early as possible to medium and big companies or small project owners can prevent unauthorized access to data, devices, and software of any IoT build.
PetitPotam NTLM Relay Attack: What Can We Do?
by Cesar Soto
On this occasion, we will demonstrate how to execute the attack, using mimikatz in conjunction with the kekeo tool and the modified impacket ntlmrelayx of the pull request mentioned above, as well as the exploitation via PetitPotam.py.
Security by Design
by Julien Sebire
Ten years of experience led to dealing with deeply technical questions and major improvements in everyday operations. Beyond following basic principles such as password size and management, the industry dealt with technical and operational cryptography mechanisms being problematic. Secure storage of security keys, various processes to implement, update, or renew keys have been thoroughly studied. Proactive solution towards future problems have also been considered, from simple provision of resources dedicated to security updates, to non-repudiation implementation in firmware updates.
IoT Firmware Reverse Engineering
by Ghiles Mahleb
Reverse-engineering is the act of dismantling an object to see how it works. It is done primarily to analyze and gain knowledge about the way something works but often is used to duplicate or enhance the object. Many things can be reverse engineered, including software, physical machines, firmware and more.
How to Decrease Cybersecurity Costs for a Start-Up
by Bige Beşikci
There are various cybersecurity costs that startups are faced with commonly. Some of these costs are direct costs and others indirect costs. These direct costs may constitute monetary theft, compliance and regulatory fines, public relations and legal fees, systems repair and remediation, identity theft repairs, insurance premiums, among others. Some of the indirect costs may include the loss of intellectual property, loss of clients or customers, loss of business downtime, disruptions of business operations, damage to the company's reputation, brand, and credibility.
What the Cert!?! A Frank Observation of Certifications
by Jesse Rivera (Cobalt)
We can see there’s a clear demand for security professionals and an archaic organizational system that serves as a barrier for entry. So what was the fix? Well, to aid this bottleneck, there needed to be support for HR to recruit talent for positions that might not have existed in the organization before. There also had to be some scrutiny of the “Professional” at hand. So, the DNA of what a professional will look like is outlined, sent to HR, and posted. There’s a problem here though, another barrier.