WHAT IS IOT? HOW IS IOT PENETRATION TESTING CARRIED OUT?

Cyril James
4 min read · Nov 17, 2022

The Internet of Things (IoT) is a network of physical objects embedded with sensors, smart software, and artificial intelligence technology so that they can connect to other physical devices and exchange information and data over the internet. These devices range from ordinary household objects to sophisticated and complex industrial tools. It is estimated that more than 7 billion objects are connected over the internet, a figure expected to grow to 22 billion by the year 2025.

IoT products and devices are no exception when it comes to security vulnerabilities and can be attacked just like any other device. IoT devices should be tested for vulnerabilities and held to the same security standards as the rest of the devices. As the number of IoT devices is expected to grow exponentially, leaving them unsecured can be catastrophic. Symantec’s internet security study conducted in 2019 shows that IoT attacks increased by 600% over the preceding three years. On average, nearly 5200 devices are attacked per month, and 90% of these attacks involve routers and embedded cameras. IoT attacks are critical because they may lead to data leaks and unauthorised use of data for criminal activities. As these devices are woven into our daily lives, securing them is a must. Penetration testing can verify that these devices are free of vulnerabilities and are secure.


PENETRATION TESTING ON IOT DEVICES

The following are OWASP’s ten things to avoid when building, deploying, or managing IoT devices. This list can serve as a reference checklist when performing penetration testing on IoT devices.

  • Weak, easily guessable, or hardcoded passwords
  • Insecure network services
  • Insecure ecosystem interfaces
  • Lack of secure update mechanism
  • Use of insecure or outdated components
  • Insufficient privacy protection
  • Insecure data transfer and storage
  • Lack of device management
  • Insecure default settings
  • Lack of physical hardening

IoT pen testing is the assessment and exploitation of the various components of an IoT device to check for vulnerabilities and make it more secure. There are three types of attacks on an IoT device and its embedded systems: software attacks, non-invasive hardware attacks, and invasive hardware attacks. Software attacks target the firmware and its vulnerabilities. Non-invasive hardware attacks extract data from the hardware without damaging it, whereas invasive hardware attacks involve opening or destroying the hardware to infiltrate it and extract the data. Here is a list of tests conducted to check for vulnerabilities and weaknesses:

SOFTWARE ATTACKS:

Detecting exposed communication ports that are poorly protected: Ports on IoT devices are sometimes left open due to an oversight or for debugging. Shodan, a search engine for devices connected to the internet, gives an overview of the systems that are exposed and how they are connected. You can search for the default credentials of your device and collect information about your devices and the services they expose. Port scanners such as Nmap let the pen tester check for open ports that are not secured. Monitoring the data traffic also lets the tester observe the different ports in use and check whether they are secured or not. Open ports indicate paths into the internal systems that can be exploited.

Sniffing: The devices exchange data and information as packets over a wireless interface or another communication channel. Wireshark, a packet analysis tool, intercepts the packets transmitted to and from the source device and other IoT devices and retrieves information from them. During a pen test, the packet analyzer inspects data that is transmitted without encryption and looks for critical information such as passwords, keys, and hashes that could be exploited.
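To make concrete what a packet analyzer can pull out of unencrypted traffic, here is an added example in C (not code from the original article) that scans a constructed capture of a hypothetical IoT camera's HTTP request and recovers the credentials its Basic Authorization header exposes; the capture, the host address and the header values are assumptions made up for illustration.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Constructed sample capture: an HTTP request a hypothetical IoT camera
 * sends over plain HTTP, so every byte is visible to a packet analyzer. */
static const char CAPTURE[] =
    "GET /cgi-bin/snapshot HTTP/1.1\r\n"
    "Host: 192.0.2.10\r\n"
    "Authorization: Basic YWRtaW46YWRtaW4=\r\n"
    "\r\n";

/* Value of one base64 character, or -1 for padding or invalid bytes. */
static int b64val(char c) {
    if (c >= 'A' && c <= 'Z') return c - 'A';
    if (c >= 'a' && c <= 'z') return c - 'a' + 26;
    if (c >= '0' && c <= '9') return c - '0' + 52;
    return c == '+' ? 62 : c == '/' ? 63 : -1;
}

/* Decode base64 into out (NUL-terminated), stopping at padding or end. */
static void b64decode(const char *in, size_t n, char *out, size_t outlen) {
    size_t o = 0; unsigned acc = 0; int bits = 0;
    for (size_t i = 0; i < n && o + 1 < outlen; i++) {
        int v = b64val(in[i]);
        if (v < 0) break;
        acc = (acc << 6) | (unsigned)v; bits += 6;
        if (bits >= 8) { bits -= 8; out[o++] = (char)((acc >> bits) & 0xFF); }
    }
    out[o] = '\0';
}

/* Basic auth is only base64, not encryption: if the capture carries an
 * Authorization: Basic header, return the decoded user:password it exposes,
 * or NULL if the capture has none. Uses a static buffer for simplicity. */
const char *basic_credentials(const char *capture) {
    static char cred[64];
    const char *hdr = "Authorization: Basic ";
    const char *p = strstr(capture, hdr);
    if (!p) return NULL;
    p += strlen(hdr);
    b64decode(p, strcspn(p, "\r\n"), cred, sizeof cred);
    return cred;
}

int main(void) {
    const char *c = basic_credentials(CAPTURE);
    printf("%s\n", c ? c : "no cleartext credential in capture");
    return 0;
}
```

A tester runs this kind of check against a capture of the device's own traffic to show that the credential is readable on the wire, which is the finding that justifies moving the interface to TLS.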

Detecting backdoors and configuration interfaces: Configuration interfaces are built into a product to make it easier for the developer to test and modify it. But developers sometimes fail to secure this interface and leave a backdoor open for an attack. Pen testers use sniffing to detect these interfaces by isolating the data exchanges that go through them.

Buffer overflow: A buffer overflow is writing more data into a buffer of the embedded system than it has capacity for. Because buffers have relatively small capacity, the excess overwrites the adjacent memory. This leaves the embedded system open, and an attacker can then place malicious code in the overwritten region. A pen test feeds the buffers inputs larger than they expect and thus detects the vulnerabilities and weaknesses that attackers could exploit.
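The following added example in C (not code from the original article) shows the defect described above: a hypothetical firmware command handler that copies a received packet into a fixed-size buffer without a length check, next to the bounded version a pen test should find in its place; the structure, field names, buffer size and sample commands are assumptions made up for illustration.

```c
#include <stdio.h>
#include <string.h>

#define CMD_MAX 16   /* command buffer capacity in this hypothetical device */

struct handler_state {
    char cmd[CMD_MAX];   /* command text copied out of the received packet */
    int  is_admin;       /* adjacent field that an overflow of cmd clobbers */
};

/* Vulnerable form: the packet is copied without any length check, so a
 * packet longer than CMD_MAX bytes writes past cmd into is_admin and beyond.
 * Shown for contrast only; nothing below calls it with oversized input. */
void handle_cmd_unbounded(struct handler_state *st, const char *pkt) {
    strcpy(st->cmd, pkt);
}

/* Hardened form: refuse anything that does not fit, leaving the state
 * untouched. Returns 0 on success, -1 if the packet is oversized. */
int handle_cmd_bounded(struct handler_state *st, const char *pkt, size_t len) {
    if (len >= CMD_MAX)          /* must leave room for the terminating NUL */
        return -1;
    memcpy(st->cmd, pkt, len);
    st->cmd[len] = '\0';
    return 0;
}

/* Tester's check: run one packet through the hardened handler on fresh state
 * and confirm the adjacent field survived. Returns the handler's result, or
 * -2 if is_admin was altered (which the bounded version never does). */
int try_cmd(const char *pkt) {
    struct handler_state st = { "", 0 };
    int rc = handle_cmd_bounded(&st, pkt, strlen(pkt));
    return st.is_admin != 0 ? -2 : rc;
}

int main(void) {
    printf("\"LED ON\"            -> %d\n", try_cmd("LED ON"));
    printf("15 bytes (fits)     -> %d\n", try_cmd("ABCDEFGHIJKLMNO"));
    printf("16 bytes (rejected) -> %d\n", try_cmd("ABCDEFGHIJKLMNOP"));
    return 0;
}
```

The 15-byte versus 16-byte pair is the boundary a tester probes: the check must account for the terminating NUL, not just the declared buffer size.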

Password breaking: Bypassing or breaking passwords is possible on IoT devices because default passwords remain in use from the product development phase onward. Also, the same password is often used across multiple devices, which makes it easier for an attacker to break into many of them. Pen testers use password dictionaries and brute-force methods to crack the passwords and check their strength.

Debugging: Debugging interfaces are often still open and available on the IoT devices being targeted. Accessing such an interface saves attackers a lot of time and gives them direct control over the device. Pen testing checks whether devices still have their debugging interfaces open and alerts the organisation.

Firmware modification: IoT devices have many vulnerabilities that can be exploited. One of them is firmware modification: injecting malware into the firmware, taking memory dumps, studying the memory interface through reverse engineering, injecting malicious code into the memory, and then writing the modified code back to the device, which will execute the malware script and infiltrate the system, giving the attackers access.


This article was originally published at https://securetriad.io/what-is-iot-how-is-iot-penetration-testing-carried-out/ on 26 October 2021


Cyril James

15+ years of experience in the Information Technology and Communication industry | Founder of SecureTriad, a penetration testing service company in Australia.