IoT & Embedded: Hacking the Physical World

Billions of connected devices ship with minimal security. IoT and embedded systems control critical infrastructure, medical devices, industrial processes, and home automation. When these get compromised, the consequences are physical, not just digital.

Physical Consequences

Unlike traditional IT systems, IoT attacks can cause physical harm. Compromised medical devices can hurt patients. Hacked industrial controllers can damage equipment or endanger workers. Smart locks can let intruders in. The stakes are higher than data theft.

IoT Architecture & Attack Surface

┌──────────────────────────────────────────────────────────────────────┐
│                          IOT ATTACK SURFACE                          │
├──────────────────────────────────────────────────────────────────────┤
│                                                                      │
│   DEVICE LAYER           NETWORK LAYER          CLOUD/APP LAYER      │
│  ┌─────────────┐        ┌─────────────┐        ┌─────────────┐       │
│  │  Hardware   │        │    WiFi     │        │   Cloud API │       │
│  │   JTAG/SWD  │◄──────►│  Bluetooth  │◄──────►│   Backend   │       │
│  │   UART      │        │   Zigbee    │        │   Mobile App│       │
│  │   SPI/I2C   │        │   LoRa      │        │             │       │
│  └──────┬──────┘        └──────┬──────┘        └──────┬──────┘       │
│         │                      │                      │              │
│         ▼                      ▼                      ▼              │
│  ┌─────────────┐        ┌─────────────┐        ┌─────────────┐       │
│  │  Firmware   │        │  Protocol   │        │    Auth     │       │
│  │  Analysis   │        │  Attacks    │        │   Bypass    │       │
│  │  Extraction │        │  MITM/Replay│        │  API Abuse  │       │
│  └─────────────┘        └─────────────┘        └─────────────┘       │
│                                                                      │
│  COMMON VULNERABILITIES:                                             │
│  ├── Default credentials (admin:admin, root:root)                    │
│  ├── Unencrypted communications                                      │
│  ├── Debug interfaces left enabled                                   │
│  ├── No secure boot / unsigned firmware                              │
│  ├── Hardcoded secrets in firmware                                   │
│  └── Outdated/unpatched software                                     │
│                                                                      │
└──────────────────────────────────────────────────────────────────────┘

Hardware Hacking

Identifying Debug Interfaces

COMMON DEBUG INTERFACES:

UART (Universal Asynchronous Receiver-Transmitter)
├── Usually 4 pins: VCC, GND, TX, RX
├── Common baud rates: 9600, 19200, 38400, 57600, 115200
└── Often provides root shell access

JTAG (Joint Test Action Group)
├── 10- or 20-pin header (sometimes fewer)
├── Allows: memory reading, debugging, flash programming
└── Tools: JTAGulator, Bus Pirate, OpenOCD

SWD (Serial Wire Debug)
├── 2-wire alternative to JTAG (ARM devices)
├── Pins: SWDIO, SWCLK, GND
└── Tools: ST-Link, J-Link

SPI (Serial Peripheral Interface)
├── 4 wires: MOSI, MISO, SCLK, CS
├── Used for flash memory chips
└── Tools: flashrom, Bus Pirate

UART Exploitation

# Identify UART pins with JTAGulator or multimeter
# - GND: Use continuity test to find ground
# - VCC: Usually 3.3V or 5V
# - TX: Voltage fluctuates when device boots
# - RX: Stable voltage, accepts input

# Connect with USB-to-UART adapter
screen /dev/ttyUSB0 115200
# or
minicom -D /dev/ttyUSB0 -b 115200

# Common things to try:
# - Single keypress during boot (may interrupt bootloader)
# - Default passwords: root, admin, password, (blank)
# - Magic key combinations: Ctrl+C, Ctrl+Z

Dumping Flash Memory

# Identify flash chip
# Look for 8-pin SOIC chips (SPI flash)
# Read chip markings, search datasheet

# Connect to SPI flash with flashrom
flashrom -p ch341a_spi -r firmware.bin

# For NAND flash, use more specialized tools
# Flashcat, TNM5000, etc.

# If chip is soldered, options:
# 1. Clip-on (SOIC8 clip)
# 2. Desolder and use adapter
# 3. In-circuit reading (may need to cut traces)

Firmware Analysis

Firmware Extraction

# Download from vendor website (often available)
# Capture OTA update traffic
# Extract from mobile app APK/IPA
# Dump from hardware (JTAG, SPI flash, UART)

# Identify firmware format
file firmware.bin
binwalk firmware.bin

# Extract filesystem
binwalk -e firmware.bin
# or, with firmware-mod-kit
./extract-firmware.sh firmware.bin

# For encrypted firmware:
# - Look for decryption keys in bootloader
# - Check for hardcoded keys in previous versions
# - Analyze update mechanism

Static Analysis

# Find interesting files
find extracted/ -name "*.conf" -o -name "*.cfg"
find extracted/ -name "shadow" -o -name "passwd"
find extracted/ -name "*.key" -o -name "*.pem"

# Search for hardcoded credentials
grep -rE '(password|passwd|pwd|secret)' extracted/
strings firmware.bin | grep -iE 'password|admin|root'

# Find URLs and IPs
grep -rE 'https?://[a-zA-Z0-9.-]+' extracted/
strings firmware.bin | grep -oE '[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+'

# Analyze binaries
file extracted/usr/bin/*
strings extracted/usr/bin/target_binary
objdump -d extracted/usr/bin/target_binary  # Use the cross objdump for the target arch (ARM/MIPS); symbol names appear only if not stripped
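The find/grep/strings commands above are the manual version of a firmware secret sweep. The script below is an added example (not from the page or from Firmwalker/EMBA) that walks an extracted root filesystem and collects the same classes of findings in one report: sensitive filenames, private keys, credential assignments, URLs, IPv4 literals, and /etc/shadow entries that carry a real hash. The sample filesystem it builds in a temp directory is constructed for the demo; the patterns are deliberately loose so a reviewer sees candidates and decides.

```python
"""Walk an extracted firmware rootfs and flag likely hardcoded secrets.
Added example, not part of the original page or any tool it names;
the sample files built below are constructed for the demo."""
import os
import re
import tempfile

# Filenames that deserve a look regardless of content.
SENSITIVE_NAMES = {"shadow", "passwd", "id_rsa", "id_dsa", ".htpasswd"}
SENSITIVE_SUFFIXES = (".key", ".pem", ".p12", ".pfx", ".conf", ".cfg")

# Content patterns: one compiled regex per finding type.
PATTERNS = {
    "private_key": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    "credential_assignment": re.compile(
        r"(?i)(password|passwd|pwd|secret|api[_-]?key)\s*[=:]\s*['\"]?([^\s'\"]+)"),
    "url": re.compile(r"https?://[A-Za-z0-9.-]+(?::\d+)?(?:/[^\s'\"]*)?"),
    "ipv4": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    # /etc/shadow line whose hash field is a real hash (not '*' or '!')
    "shadow_hash": re.compile(r"^(\w+):(\$[^:]+):", re.M),
}

def scan_file(path, max_bytes=2_000_000):
    """Return a list of (finding_type, detail) for one file."""
    findings = []
    name = os.path.basename(path)
    if name in SENSITIVE_NAMES or name.endswith(SENSITIVE_SUFFIXES):
        findings.append(("sensitive_file", name))
    try:
        with open(path, "rb") as fh:
            data = fh.read(max_bytes)
    except OSError:
        return findings
    # Decode permissively so binaries are searched the way `strings` would
    text = data.decode("latin-1")
    for kind, rx in PATTERNS.items():
        for m in rx.finditer(text):
            detail = m.group(1) if kind == "shadow_hash" else m.group(0)
            findings.append((kind, detail))
    return findings

def scan_tree(root):
    """Walk `root`; return {relative_path: [findings]} for files with hits."""
    report = {}
    for dirpath, _dirs, files in os.walk(root):
        for fn in files:
            full = os.path.join(dirpath, fn)
            if os.path.islink(full):
                continue  # extracted rootfs images often contain dangling symlinks
            hits = scan_file(full)
            if hits:
                report[os.path.relpath(full, root)] = hits
    return report

def build_sample_rootfs():
    """Construct a tiny fake extracted filesystem for the demo."""
    root = tempfile.mkdtemp(prefix="rootfs_")
    os.makedirs(os.path.join(root, "etc"))
    os.makedirs(os.path.join(root, "usr", "bin"))
    with open(os.path.join(root, "etc", "shadow"), "w") as f:
        f.write("root:$1$abc$constructedhash:18000:0:99999:7:::\n"
                "daemon:*:18000:0:99999:7:::\n")
    with open(os.path.join(root, "etc", "app.conf"), "w") as f:
        f.write("cloud_url = https://updates.example.test/fw\n"
                "admin_password = changeme\n")
    with open(os.path.join(root, "usr", "bin", "agent"), "wb") as f:
        # fake ELF-ish blob with an embedded string, as a stripped binary would have
        f.write(b"\x7fELF" + b"\x00" * 16 + b"ntp server 192.0.2.10\x00")
    return root

if __name__ == "__main__":
    rootfs = build_sample_rootfs()
    for path, hits in sorted(scan_tree(rootfs).items()):
        for kind, detail in hits:
            print(f"{path}: {kind}: {detail}")
```

Run it against a real `binwalk -e` output directory by calling `scan_tree("_firmware.bin.extracted/squashfs-root")`; the hit on `daemon:*` is correctly absent because a locked account is not a credential.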

Emulating Firmware

# Use QEMU for ARM/MIPS firmware
# firmadyne automates this process

# Firmware Analysis Toolkit (fat.py) drives firmadyne's extract/build/run steps
./fat.py firmware.bin

# Or manual QEMU
qemu-arm -L /path/to/libs ./extracted/usr/bin/target

# For full system emulation (the kernel must be built for the emulated board)
qemu-system-arm -M versatilepb -kernel kernel -nographic \
    -drive file=rootfs.ext2,format=raw -append "root=/dev/sda console=ttyAMA0"

# Use firmware analysis framework
# - EMBA (Embedded firmware analyzer)
# - FACT (Firmware Analysis and Comparison Tool)

IoT Network Attacks

Protocol-Specific Attacks

MQTT (Message Queuing Telemetry Transport)

# Scan for MQTT brokers
nmap -p 1883,8883 --script mqtt-subscribe TARGET

# Subscribe to all topics (if no auth)
mosquitto_sub -h TARGET -t '#' -v

# Common interesting topics:
# - /home/+/sensors
# - /device/+/command
# - /admin/#

# Publish malicious commands
mosquitto_pub -h TARGET -t '/device/lock/command' -m 'unlock'
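The `mosquitto_sub -t '#'` line works only because the broker lets an unauthenticated client subscribe to the multi-level wildcard. The block below is an added example (not from the page or from mosquitto) that implements the MQTT topic-filter rules for `+` and `#`, including the rule that wildcards never match `$`-prefixed topics, and builds a small per-client ACL on top of them. It contrasts an open ACL with one keyed on the client id (the `%c` substitution mirrors mosquitto's ACL pattern syntax); the rules, client ids and topics are constructed for the demo.

```python
"""MQTT topic-filter matching and a per-client topic ACL.
Added example; not the page's code or any broker's. Rules, client ids
and sample topics are constructed for the demo."""

def topic_matches(filter_, topic):
    """Return True if `topic` matches subscription `filter_`.
    '+' matches exactly one level; '#' matches the remainder and must be
    the last level; wildcards never match topics beginning with '$'."""
    if topic.startswith("$") and filter_[:1] in ("+", "#"):
        return False
    f_levels = filter_.split("/")
    t_levels = topic.split("/")
    for i, f in enumerate(f_levels):
        if f == "#":
            return i == len(f_levels) - 1      # '#' is only valid as the last level
        if i >= len(t_levels):
            return False                       # filter is longer than the topic
        if f != "+" and f != t_levels[i]:
            return False
    return len(f_levels) == len(t_levels)

class TopicAcl:
    """rules: list of (pattern, set_of_ops). '%c' in a pattern is replaced
    by the client id, so each device is scoped to its own topics."""
    def __init__(self, rules):
        self.rules = rules

    def allowed(self, client_id, op, topic):
        for pattern, ops in self.rules:
            concrete = pattern.replace("%c", client_id)
            if op in ops and topic_matches(concrete, topic):
                return True
        return False

# Weak: every client may read and write everything (what an open broker amounts to)
OPEN_ACL = TopicAcl([("#", {"read", "write"})])

# Hardened: a device publishes only its own sensor tree and reads only its own commands
DEVICE_ACL = TopicAcl([
    ("home/%c/sensors/#", {"write"}),
    ("device/%c/command", {"read"}),
])

# Constructed sample of topics present on a broker
SAMPLE_TOPICS = [
    "home/lock1/sensors/temp",
    "home/lock2/sensors/temp",
    "device/lock1/command",
    "device/lock2/command",
    "$SYS/broker/uptime",
]

def visible_topics(acl, client_id, topics=SAMPLE_TOPICS):
    """Topics whose messages `client_id` would be allowed to receive."""
    return [t for t in topics if acl.allowed(client_id, "read", t)]

if __name__ == "__main__":
    print("open broker, anonymous client sees:", visible_topics(OPEN_ACL, "anon"))
    print("hardened, lock1 sees:", visible_topics(DEVICE_ACL, "lock1"))
    print("lock1 may write lock2 sensors?",
          DEVICE_ACL.allowed("lock1", "write", "home/lock2/sensors/temp"))
```

Note that even the open ACL does not expose `$SYS/broker/uptime` to a `#` subscription; that is the spec behaviour, not an ACL effect, and is why broker statistics need an explicit `$SYS/#` subscription.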

CoAP (Constrained Application Protocol)

# Discover CoAP resources
coap-client -m get coap://TARGET/.well-known/core

# Read sensor data
coap-client -m get coap://TARGET/sensors/temperature

# Write commands (if allowed)
coap-client -m put coap://TARGET/actuators/door -e "open"

Zigbee

# Sniff Zigbee traffic (requires compatible hardware)
# HackRF, YARD Stick One, or CC2531 USB dongle

# Using KillerBee toolkit
zbstumbler  # Find networks
zbdump -w capture.pcap -c 15  # Capture on channel 15
wireshark -r capture.pcap  # Analyze (zbwireshark is for live capture into Wireshark, not for reading files)

# Common attacks:
# - Replay attacks
# - Key extraction (if using default keys)
# - Injection attacks

Cloud Backend Attacks

# Find API endpoints
# Decompile the mobile app, then pull URLs out of its code and resources
apktool d mobile_app.apk -o app_src/
grep -rhoE 'https?://[A-Za-z0-9./_-]+' app_src/ | sort -u

# Common IoT cloud vulnerabilities:
# - IDOR (access other users' devices)
# - Insecure API (no authentication)
# - Hardcoded API keys

# Test for IDOR
# Change device_id parameter
curl "https://api.iot.com/device/12345/data"
curl "https://api.iot.com/device/12346/data"  # Different device

# Mass assignment
curl -X POST "https://api.iot.com/device/register" \
    -H 'Content-Type: application/json' \
    -d '{"name":"mydevice","is_admin":true}'
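Both findings above come down to server-side handlers that trust the request more than they should. The block below is an added example (not from the page or any vendor's backend) showing each handler in its vulnerable and hardened form: the device lookup checks ownership of the object rather than just that a user is logged in, and registration copies only allow-listed fields so `is_admin` can never arrive from the client. The in-memory store, users and device ids are constructed for the demo.

```python
"""Vulnerable vs hardened IoT cloud API handlers for IDOR and mass
assignment. Added example; the store, users and ids are constructed."""
import json

# Constructed backend state: device id -> owner and latest readings
DEVICES = {
    "12345": {"owner": "alice", "data": {"temp_c": 21.5}},
    "12346": {"owner": "bob",   "data": {"temp_c": 19.0}},
}
REGISTERED = {}

class Forbidden(Exception):
    """Raised when the caller may not access the resource."""

# --- IDOR ---------------------------------------------------------------
def get_device_data_vulnerable(user, device_id):
    # Looks up by id only: any authenticated user can read any device.
    return DEVICES[device_id]["data"]

def get_device_data(user, device_id):
    """Hardened: authorization is checked against the object, not just
    the fact that the caller is authenticated."""
    dev = DEVICES.get(device_id)
    # Same error for "missing" and "not yours", so valid ids cannot be enumerated
    if dev is None or dev["owner"] != user:
        raise Forbidden(f"device {device_id} not accessible")
    return dev["data"]

# --- Mass assignment ----------------------------------------------------
ALLOWED_REGISTER_FIELDS = {"name", "model"}

def register_device_vulnerable(user, body):
    # Binds every JSON field straight onto the record, including is_admin.
    record = json.loads(body)
    record["owner"] = user
    REGISTERED[len(REGISTERED) + 1] = record
    return record

def register_device(user, body):
    """Hardened: copy only allow-listed fields; privileged attributes are
    set server-side and never taken from client input."""
    payload = json.loads(body)
    unknown = set(payload) - ALLOWED_REGISTER_FIELDS
    if unknown:
        # Reject rather than silently drop, so clients learn the contract
        raise ValueError(f"unexpected fields: {sorted(unknown)}")
    record = {k: payload[k] for k in ALLOWED_REGISTER_FIELDS if k in payload}
    record["owner"] = user
    record["is_admin"] = False  # server-controlled, never client-controlled
    REGISTERED[len(REGISTERED) + 1] = record
    return record

if __name__ == "__main__":
    print(get_device_data_vulnerable("alice", "12346"))  # bob's readings leak
    try:
        get_device_data("alice", "12346")
    except Forbidden as e:
        print("hardened:", e)
    body = '{"name":"mydevice","is_admin":true}'
    print(register_device_vulnerable("alice", body)["is_admin"])  # True
    try:
        register_device("alice", body)
    except ValueError as e:
        print("hardened:", e)
```

The ownership check belongs in one place (a repository method or decorator) rather than being repeated per endpoint, since IDOR usually appears in the one handler that forgot it.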

Industrial Control Systems (ICS/SCADA)

Critical Infrastructure Warning

Attacking industrial systems without authorization is extremely dangerous and illegal. These systems control power grids, water treatment, manufacturing, and more. Unauthorized access can cause physical destruction and endanger lives.

ICS Protocols

# Modbus (TCP/502)
# Read holding registers (pymodbus 3.x; pass count by keyword)
python3 -c "from pymodbus.client import ModbusTcpClient; \
    c = ModbusTcpClient('TARGET'); c.connect(); \
    print(c.read_holding_registers(0, count=10).registers); c.close()"

# DNP3 (Distributed Network Protocol)
# Used in utilities, SCADA systems
# Port 20000 typically

# BACnet (Building Automation)
# Discovery
nmap -sU -p 47808 --script bacnet-info TARGET

# OPC UA (Open Platform Communications)
# Modern industrial protocol
# Port 4840 typically
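Modbus has no authentication, so the protective control is knowing which hosts are allowed to issue writes and alerting on anyone else. The block below is an added example (not from the page or from pymodbus) that parses a Modbus/TCP frame, the 7-byte MBAP header followed by the function code and PDU, classifies it as read or write, and raises an alert when a write comes from a host outside a constructed allow-list. The frames and hosts are constructed; `build_request` exists only to make demo frames.

```python
"""Parse Modbus/TCP frames and flag writes from unexpected hosts, the kind
of passive check an ICS monitor runs on port 502 traffic. Added example;
frames, hosts and the allow-list below are constructed for the demo."""
import struct

# Function codes that change process state; everything else is read/diagnostic
WRITE_FUNCTIONS = {
    5: "Write Single Coil",
    6: "Write Single Register",
    15: "Write Multiple Coils",
    16: "Write Multiple Registers",
    22: "Mask Write Register",
    23: "Read/Write Multiple Registers",
}
READ_FUNCTIONS = {1: "Read Coils", 2: "Read Discrete Inputs",
                  3: "Read Holding Registers", 4: "Read Input Registers"}

def parse_modbus_tcp(frame):
    """Decode the MBAP header and the PDU that follows.
    Returns a dict; raises ValueError on malformed input."""
    if len(frame) < 8:
        raise ValueError("frame shorter than MBAP header + function code")
    tid, pid, length, unit = struct.unpack(">HHHB", frame[:7])
    if pid != 0:
        raise ValueError(f"protocol id {pid} is not Modbus (expected 0)")
    # 'length' counts unit id + PDU, so the frame must be exactly 6 + length bytes
    if len(frame) != 6 + length:
        raise ValueError(f"length field {length} does not match frame size {len(frame)}")
    func = frame[7]
    pdu = frame[8:]
    info = {"tid": tid, "unit": unit, "function": func,
            "exception": bool(func & 0x80)}          # responses set the high bit on error
    base = func & 0x7F
    info["name"] = WRITE_FUNCTIONS.get(base) or READ_FUNCTIONS.get(base) or f"FC{base}"
    info["is_write"] = base in WRITE_FUNCTIONS and not info["exception"]
    # The starting address is the first PDU word for all common read/write requests
    if len(pdu) >= 2 and not info["exception"]:
        info["address"] = struct.unpack(">H", pdu[:2])[0]
    return info

def build_request(tid, unit, func, *words):
    """Construct a request frame for the demo (this is not a client)."""
    pdu = bytes([func]) + b"".join(struct.pack(">H", w) for w in words)
    return struct.pack(">HHHB", tid, 0, 1 + len(pdu), unit) + pdu

def check_flow(src_ip, frame, allowed_writers):
    """Return an alert string for a write from an unexpected host, else None."""
    info = parse_modbus_tcp(frame)
    if info["is_write"] and src_ip not in allowed_writers:
        return (f"ALERT {src_ip} -> unit {info['unit']}: {info['name']} "
                f"at address {info.get('address')}")
    return None

# Constructed sample traffic: (source host, frame)
ALLOWED_WRITERS = {"10.10.0.5"}  # the HMI / engineering workstation
SAMPLE_FLOWS = [
    ("10.10.0.5",  build_request(1, 1, 3, 0, 10)),          # HMI reads 10 holding registers
    ("10.10.0.5",  build_request(2, 1, 6, 100, 500)),       # HMI writes a setpoint (allowed)
    ("10.10.0.77", build_request(3, 1, 3, 0, 10)),          # unknown host reads (no alert)
    ("10.10.0.77", build_request(4, 1, 5, 0x0013, 0xFF00)), # unknown host forces a coil
]

def run_monitor(flows=SAMPLE_FLOWS, allowed=ALLOWED_WRITERS):
    alerts = []
    for src, frame in flows:
        alert = check_flow(src, frame, allowed)
        if alert:
            alerts.append(alert)
    return alerts

if __name__ == "__main__":
    for line in run_monitor():
        print(line)
```

Reads from unknown hosts are deliberately not alerted here; in a real deployment they are worth a lower-severity event, since reconnaissance of register maps precedes the write.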

ICS Scanning

# Shodan queries for ICS
shodan search "port:502"  # Modbus
shodan search "port:102"  # S7comm (Siemens)
shodan search "port:44818"  # EtherNet/IP

# Use specialized tools
# - PLCScan
# - Redpoint (Nmap scripts for ICS)
# - Industrial exploitation framework

# Nmap ICS scripts
nmap -p 502 --script modbus-discover TARGET
nmap -p 102 --script s7-info TARGET

Essential IoT Tools

Hardware Tools

Tool               Purpose                                           Cost
Bus Pirate         Multi-protocol interface (UART, SPI, I2C, JTAG)   $30-50
JTAGulator         JTAG/UART pin identification                      $200
Logic Analyzer     Signal analysis                                   $10-500
SOIC8 Clip         In-circuit flash reading                          $10
CH341A Programmer  SPI flash read/write                              $5
HackRF One         Software-defined radio                            $300

Software Tools

Tool        Purpose
Binwalk     Firmware extraction and analysis
Firmwalker  Automated firmware secret finder
EMBA        Embedded firmware analyzer
Ghidra      Reverse engineering (supports embedded architectures)
OpenOCD     JTAG debugging
firmadyne   Firmware emulation

Detection & Protection

IoT Security Best Practices
  • Network Segmentation: Isolate IoT devices from critical networks
  • Disable Debug Interfaces: JTAG, UART should be disabled in production
  • Secure Boot: Verify firmware signatures before execution
  • Encrypted Storage: Protect sensitive data on device
  • Regular Updates: Patch vulnerabilities promptly
  • Change Defaults: Never deploy with default credentials
  • TLS Everywhere: Encrypt all network communications