
The definitive guide to attack the IoT

Written by ga_dahmani

Previously, we reviewed The Book of Ghidra: The Ultimate Guide because several of us were working with Ghidra, and it was a topic that made sense. Similarly, we spend a lot of time thinking and talking about the security of the Internet of Things (IoT). Whether it's Craig Young winning the first SOHOpelessly Broken contest at DEF CON or the team running the IoT Hack Lab at SecTor for several years, IoT is a popular topic within the team. So it only made sense for us to take a look at Practical IoT Hacking: The Ultimate Guide to Attacking the Internet of Things.

One of the aspects of the book that I appreciated was the design. I often feel overwhelmed with a new book, especially if I don't plan on reading it cover to cover. With technology books, I often try to skip topics I'm familiar with or read sections related to projects I'm currently working on. In this case, having two tables of contents was great: Brief Contents, which lists the parts of the book and the chapter titles, and Detailed Contents, which lists both along with a detailed breakdown of each chapter. The index shares a similar level of breakdown, which sometimes seemed excessive or perhaps inaccurate. This may make more sense with an example.

Since this is an IoT hacking book, I decided to take a look at its references to binwalk. There are five pages in total referenced in the index. Three of those pages are next to 'binwalk' and the other two are next to 'binwalk Nmap command'. There is no binwalk Nmap command, so I was curious what those two pages were. The pages are part of the Network Assessments chapter, in a section titled "Identifying IoT Devices in the Network" and a subsection titled "Password Discovery Using Fingerprint Services." This subsection takes you on a journey that feels disconnected, almost as if it started with the conclusion and the authors tried to find a way to tell the story of how they got there. It feels very out of place and lacks much explanation. The other three pages that refer only to binwalk include an entry in a tools appendix and two pages about the tool. The first two pages (linking Nmap and binwalk) seemed like a bug that went uncaught, and the others felt like the bare minimum explanation I wanted to see.

Beyond that though, I enjoyed the material referenced. Let’s see how the others felt.


Reviewing Practical IoT Hacking

Practical IoT Hacking is full of great information. The book covers a very diverse set of technologies and seamlessly crosses the domains of hardware, software, networking, and RF. This book has enough guidance to get someone started with an audit, but it lacks depth and can sometimes lose some novice students. Although I have yet to work through any of the exercises, the instructions generally seem clear to anyone with moderate Linux experience. The book comes with supplemental resources for completing various exercises throughout the book, including working with external devices such as Software Defined Radio (SDR) interfaces, Raspberry Pi, ESP32, and Arduino. Personally, I'm looking forward to working on some of the hands-on hardware hacking activities in Part 3 of the book.

However, I was sometimes surprised which topics were selected (or skipped) and how many pages were devoted to different tactics or tools. For example, there is a section on MQTT that includes a 10-page exercise to recreate an existing password cracking tool, but there is no mention that clients can request all data at once from a broker using a wildcard topic name. In the section on Wi-Fi, I was also wondering why there is a section on WPA2-Enterprise that contains only a brief explanation of the attack surface instead of referencing or demonstrating any of the various tools to automate these attacks. Personally, I would have preferred to read a bit more about WPA3 and the attacks described in Mathy Vanhoef’s research. There is also a notable absence of some key vulnerability categories that commonly affect HTTP interfaces for IoT devices. While there is a passing reference to cross-site request forgery, I did not find any mention of locating or exploiting DNS rebinding, command injection, directory traversal, or HTTP authentication bypass vulnerabilities. In general, there is relatively little discussion about the prevalence of faults in local IoT web interfaces or how to find them.

The section that really stood out to me because it lacked content was chapter 39, titled "Firmware Hacking." This chapter describes how to extract file systems and perform device emulation after obtaining a firmware image. I feel like this chapter really fails to capture a lot of the basic information that researchers should be looking for when analyzing firmware. The chapter focuses on a rather boring CVE and an analysis tool from 5 or 6 years ago. Unfortunately, this academic tool has very limited capabilities, and I think readers would have been much better off with a few pages discussing the intricacies of using chroot, nvram-faker, and LD_PRELOAD, or uploading firmware components to development boards and other devices. The book doesn't really discuss the tremendous value of being able to identify system components, check server-side sources, and find vulnerabilities or even backdoors.

Like I said, the book is packed with all sorts of interesting information, but it also has some notable gaps and room for expansion. I would recommend this book to someone interested in understanding more about the IoT attack surface and becoming familiar with some tried and tested techniques, but I don’t think it’s ideal for teaching readers processes for finding vulnerabilities in new devices.

Rating: 3.9/5

Craig Young

Principal Security Researcher

Tripwire
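Craig's point about wildcard topic subscriptions is worth making concrete for anyone auditing an MQTT deployment: a single filter such as `#` matches every non-`$` topic on the broker, so a broker ACL (or a review of client subscriptions) needs to recognise how far a filter reaches. The following is an added example, not code from the book or from any of the reviewers. It implements MQTT topic-filter matching as the specification defines it (`+` matches one level, `#` matches the remainder and must be last, filters that begin with a wildcard never match `$`-prefixed topics) and uses it to score how many of a device fleet's topics each subscription filter would expose. The topic names and filters are constructed sample data, not taken from any real broker.

```python
"""Audit MQTT subscription filters for over-broad reach.

MQTT matching rules implemented here (MQTT 3.1.1 / 5.0):
  - topic levels are separated by '/'
  - '+' matches exactly one level (which may be empty)
  - '#' matches any number of trailing levels, including none, and must be
    the last character of the filter, either alone or preceded by '/'
  - a filter whose first character is a wildcard never matches a topic that
    starts with '$' (broker-internal topics such as $SYS/...)
"""

# Constructed sample: topics a small smart-home fleet might publish to.
SAMPLE_TOPICS = [
    "home/livingroom/thermostat/temp",
    "home/kitchen/plug/state",
    "home/frontdoor/lock/state",
    "$SYS/broker/clients/connected",
]


def is_valid_filter(topic_filter: str) -> bool:
    """Return True if the filter is syntactically legal MQTT."""
    if not topic_filter:
        return False
    levels = topic_filter.split("/")
    for i, level in enumerate(levels):
        if level == "#":
            if i != len(levels) - 1:  # '#' only allowed as the final level
                return False
        elif "#" in level:  # '#' mixed into a level, e.g. 'a#'
            return False
        elif "+" in level and level != "+":  # '+' must occupy a whole level
            return False
    return True


def is_wildcard_filter(topic_filter: str) -> bool:
    """True if the filter can match more than one topic name."""
    return "#" in topic_filter or "+" in topic_filter


def filter_matches(topic_filter: str, topic: str) -> bool:
    """Return True if a subscription filter matches a published topic name."""
    if not is_valid_filter(topic_filter):
        raise ValueError(f"invalid topic filter: {topic_filter!r}")
    if "#" in topic or "+" in topic:
        raise ValueError(f"topic names may not contain wildcards: {topic!r}")
    # Wildcard-leading filters are not allowed to reach broker-internal topics.
    if topic.startswith("$") and topic_filter[0] in "#+":
        return False
    flevels = topic_filter.split("/")
    tlevels = topic.split("/")
    for i, flevel in enumerate(flevels):
        if flevel == "#":
            return True  # matches this level's parent and everything below
        if i >= len(tlevels):
            return False  # filter is longer than the topic
        if flevel != "+" and flevel != tlevels[i]:
            return False
    return len(flevels) == len(tlevels)


def coverage(filters: list[str], topics: list[str]) -> dict[str, int]:
    """Count how many of the given topics each filter would deliver."""
    return {f: sum(1 for t in topics if filter_matches(f, t)) for f in filters}


def over_broad(filters: list[str], topics: list[str], limit: int = 1) -> list[str]:
    """Filters that reach more than `limit` topics; candidates for an ACL deny."""
    return [f for f, n in coverage(filters, topics).items() if n > limit]


if __name__ == "__main__":
    # Constructed sample subscriptions as a client or ACL entry might declare them.
    requested = ["#", "home/+/lock/#", "home/kitchen/plug/state"]
    for flt, hits in coverage(requested, SAMPLE_TOPICS).items():
        kind = "wildcard" if is_wildcard_filter(flt) else "exact"
        print(f"{flt:28s} {kind:9s} matches {hits} of {len(SAMPLE_TOPICS)} topics")
    print("over-broad:", over_broad(requested, SAMPLE_TOPICS))
```

The `coverage` score is the useful signal for a defender: a filter whose count equals the size of the fleet (minus `$SYS`) is a subscription that sees everything, which is exactly what a broker ACL should refuse to ordinary device credentials. Running `over_broad` against the actual topic list exported from a broker turns the reviewer's observation into a concrete check.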

Practical IoT Hacking is definitely a book I would recommend to anyone involved with IoT, especially those working in any type of cybersecurity role, as well as any type of IoT developer. The book has a good mix of general and specific knowledge in the main domains that make up the IoT. I really like how they introduced the topic in the first chapter, especially how they introduced and explained the legal issues one can face when doing security research. I also like that they introduced other high-level aspects early on, like threat modeling and a security testing methodology. Subsequent parts of the book focused on network, hardware, and radio hacking, and these chapters included more or less what you would expect from a book like this. The last two chapters rounded out the book nicely with discussions of attacking mobile apps, as well as a comprehensive walkthrough of hacking into a smart home. I will say that the steps they followed to hack a smart treadmill seemed a bit silly to me (at first), as the hack required physical access to the device, and in our world, if you have physical access, then it's game over. They did, however, illustrate how to get out of the device UI, and from a security perspective, there is insight that others can gain from that illustration. An area of improvement for the book could be to add a more extensive discussion of IoT and its relationship to the cloud provider and/or infrastructure. Overall I enjoyed the book and will probably read it again in the future.

Rating: 4.5/5

Lane Thames

Principal Security Researcher

Tripwire

Practical IoT Hacking is a crisp, well-designed book that first takes readers by the hand through the IoT landscape. It reveals why IoT security is important and the multiple threat models and processes that can be used, in a simple yet effective way. After a brief introduction on security testing methodologies, the book takes the reader to the IoT network portal and provides examples of common workplace and home setups, with detailed attacks that most people with novice knowledge could carry out. The hardware hacking section of the book is where things get interesting for me as a reader. With limited experience in hacking physical hardware, I felt that the author gave very detailed and easy to understand examples, as well as introducing some great tools like Ghidra and JTAGulator.

Near the end of the book, in the final chapters, the author quickly goes through some examples and tools that can be used to target the IoT ecosystem, which for this part resides mostly in the reader's home or on their phone. That said, the author does give real-world examples of what could happen and offers plenty of tools to test their examples. Overall, I enjoyed Practical IoT Hacking. The book provides many real-world examples and many resources that a reader can use to help them delve deeper into the IoT landscape.

Rating: 4.5/5

Matt Jerzewski

Security Researcher

Tripwire

Practical IoT Hacking provides a wide variety of information, from finding security issues at the application layer to physical access. The book suggests starting to look for vulnerabilities by using a vulnerability scanner. This is a great suggestion because many IoT devices suffer from the same, if not similar, problems. The book also covers extracting firmware using binwalk, which can give you access to a wealth of information about the device's services. Near the end of the book, the authors explain how to use JTAG to exploit IoT devices. Overall, Practical IoT Hacking provides a wide range of information and gives the reader an idea of how to start looking for security issues in IoT devices.

Rating: 4.0/5

Andrew Swoboda

Senior Security Researcher

Tripwire

At the end of the day, I think I would tend to agree with Andrew in rating this one, and I'd call it a 4.0/5 myself.

#TripwireBookClub – Practical IoT Hacking: The Ultimate Guide to Attacking the Internet of Things

Overall Rating: 4.2/5
