In this article we will learn about Hardware Hacking for IoT Devices – Offensive IoT Exploitation.
Introduction to Hardware Hacking for IoT Devices :
Whenever we look at any embedded device, there are various ways we can attack it. One of the most useful ways to attack it is using hardware-based exploit techniques. These techniques are quite effective because most of the devices we encounter on a daily basis usually do not have security protection built on the hardware aspect.
We start with Hardware Reconnaissance
To learn more about hardware exploitation techniques and built-in devices, we must first understand what we expect to see once we open the device. For the simplicity of this blog post, we’ll open a router, which is a nice example of an embedded device. Our device of choice in this case is the TP Link MR-3020. So go ahead and open the Mr-3020 router and you will see a hardware board similar to the one shown below.
Once we have the device open, we can see that there are various chips on the hardware board. Look closely and try to identify the different chips that are present and compare them to the list below:
- H1601CG: Ethernet transformer
- A3S56D40GTP: Synchronous DRAM
The first step, once we have identified the various components on it, is to look online and try to identify the data sheets for those elements.
For example, if we search online for chip [name], we come across the following URL from a Google search – http://www.kean.com.au/oshw/WR703N/teardown/H1601CG%20Ethernet%20Transformer.pdf
Similarly, when we search for A3S56D40GTP, we find that it is a DRAM with a datasheet available on a third party site at the URL – http://www.datasheetspdf.com/PDF/A3S56D40GTP/938648/
When we open the data sheet, we find that there is a lot of information about our target available in the data sheet, which is useful for our information. For example, in a device where we can identify SPI flash, we immediately identify that it is an SPI flash chip with a given amount of storage, along with detailed pinouts that may come in handy later.
For some popular hardware devices, you can find information online. For example, in the case of our router – TPLINK MR3020, we can find information from the OpenWRT wiki ( https://wiki.openwrt.org/toh/tp-link/tl-mr3020 ), which lists the various important components available on the hardware board.
A good exercise would be to look up the datasheets for each of the components and keep them in mind as to which component does what. There’s also additional analysis you can do, such as pin tracing and getting an idea of the chip’s purpose based on proximity to other components and pin traces on the device. This stuff is beyond the scope of this post, but it’s something that’s covered in our hands-on training – Exploiting the Internet of Things Offensively.
In embedded devices, there are always a number of circuits that exchange information with each other. For the exchange of information, the circles in the discussion should agree on a common protocol. These protocols can generally be divided into two groups – serial and parallel.
The difference between a parallel and a serial interface is quite clear. Parallel interfaces allow multiple bits of data to be exchanged at the same time, which requires a large number of pins to facilitate this. Whereas in a serial interface, data is transferred one bit at a time, which is slower than parallel, but has the advantage of requiring fewer pins. In almost all of the cases we will see in this blog post, and even in most real-world scenarios, you will encounter serial interfaces due to the requirement for shrinking embedded device sizes.
Some of the popular examples of protocols using serial communication are Universal Serial Bus (USB), Ethernet, UART, SPI, and I2C.
Identification of serial interfaces
Serial interfaces in any IoT device are quite useful for a penetration tester because they provide an entry point for an attacker to interact with the device, even if the device looks completely locked down from the outside. Different kinds of interfaces may be available – they vary from device to device, but the most useful for us are:
A Universal Asynchronous Receiver/Transmitter, or UART as it is commonly known, is a serial interface protocol that allows data to be transferred without the need for an external clock; hence it is called asynchronous.
The UART also acts as an intermediary between the parallel and serial interfaces. It is especially useful for a pentester to sniff debug and run messages, logs, access the shell and so on.
While using real IoT devices, we will often see that connecting to a device via UART directly gives us unauthenticated root access, which is like a gold mine for a pentester.
Serial Peripheral Interface or SPI, unlike UART, is a synchronous serial communication interface, which means it will require a clock to facilitate communication. Later we will see the different pinouts in SPI and how we can use them for something as useful as extracting firmware from a device.
SPI works on a master-slave architecture, which means that one device will send data and the other device will receive data. So the pinouts are named as MISO (Master Out Slave In) and MOSI (Master Out Slave In).
To work with SPI, USB-TTL will not be sufficient; rather, we will have to go for devices with an FTDI chip, such as the Attify Badge, the FT-232H Breakout (from Adafruit) or the C232H.
Inter-Integrated Circuit or I2C (this could be pronounced either I-two-C or I-squared-C, both are correct, I prefer I-two-C). I2C enables the communication of multiple slave chips with one master. Using I2C from a pentester’s perspective is very similar to SPI.
Now that we know the basics of the various serial interfaces available, we’ll now go ahead and try to use them to learn more about our target device and further exploit it.
Using UART to interact with the device
Identifying the UART interface in a hardware device is quite simple. We simply need to look for pins (or pads) in a combination of 3 or 4. When looking for pins, we need to look at the following four pins:
- Transfer: Uses this device to transfer data from a device to another element. Simply put, this means that the data comes from the device.
- Receive: This pin is used to receive data from the other component to the device. Simply put, the receive pin is used to get the data into the device.
- Ground floor
These different pins in the UART are also labeled Tx, Rx, GND and Vcc.
If you’ve opened the MR-3020 you’ll notice that the UART ports are exposed, also shown in the image below as four holes, three of which are fitted with header pins in the red highlighted area.
Now that we have identified the pins, we simply need to identify which pin corresponds to which pin on the external component and then connect to them using a USB-TTL serial or FTDI cable. In Attify we have a custom exploit called Attify Badge that could be used to perform UART, SPI, I2C and JTAG exploits on target devices. More information about the Attify badge can be found at http://attify.com/hardware-hacking-kit/.
We could use either a multimeter or a logic analyzer to identify the individual pins in pinouts. Alternatively, we could also use a device like the JTAGulator (which we will cover in the next post while using JTAG). For this post, and for the sake of simplicity, we’ll use our friendly Multimeter tool to identify individual pins. A multimeter is a device that helps us analyze the voltage as well as the current on a target device. You can use a $10 digital multimeter for this exercise.
Pin identification using a multimeter
We start by identifying the Ground. You don’t need to turn on the device for this. First, switch the multimeter to continuity mode. Continuity mode is displayed as a volume icon on the multimeter.
To identify GND, simply place the red probe on one of the pins and the black probe on any of the metal surfaces you see on the board. Try this with each of the pins until you hear a “beep”. The pin where you hear the sound will be the GND for this device.
Now that GND has been identified, turn on the device. Hold the black end of the probe against the metal surface and the red end against each of the pins until you see the voltage fluctuate significantly and eventually almost stop at a higher value. This will be our Transmit (Tx).
The remaining two pins are Rx and Vcc. To identify Vcc, simply hold the black probe on a metal surface and move the red probe to the remaining pins. The pin that is constant high will be our Vcc.
Now, since there is only one pin left, it is safe to assume that it will be Receive (Rx). In case you want to find out the Rx, it will usually be a very lower voltage value because not much information is coming from our system to the device.
Once we’ve identified all four pins, it’s time to communicate with them using the FT232 (or USB-TTL) device.
Identification of the transmission rate
To access router via serial port, connect USB-TTL to laptop and connect Tx to Rx, Rx to Tx and Gnd to Gnd.
Once we’ve connected the device’s UART ports to our USB-TTL cable, we can now move on to the next step, which is identifying the correct baud rate.
But before we identify the transfer rate, we first need to find out the identifier of our device and the location assigned to it. This can be done by using lsusb and checking that we have Future Devices connected to it.
Gain shell access on the target device
If it is connected, we can move on to the next step of identifying the serial port interface name. This can be done by looking for the available interfaces listed in /dev/tty. For Mac this will be a device named /dev/tty.usbserial- while for Linux it will be /dev/ttyUSB*. Before proceeding to the next step, make sure that you have already identified the correct serial port interface.
Bit rate is simply the rate at which information is transmitted as symbols per second. Baudrate.py is a script written by Craig Heffner that can help us identify the baud rate for a given device, which we can then use to communicate. Standard baud rate values are 1200, 2400, 4800, 19200, 38400, 57600 and 115200. The script can be downloaded from https://github.com/devttys0/baudrate/blob/master/baudrate.py.
After downloading, simply give it permission to run and run it as shown below. Here we can use the up and down arrow keys to switch between different baud rates. The value we see, readable data, is the correct baud rate for the target device.
Once the correct baud rate is identified (in this case 115200) the next step is to open a serial terminal program such as minicom or screen that will allow us to access the device via the serial interface – in this case UART. Once you get to it, below is what you will see.
As we can see from the screenshot above, here we have root shell access enabled with the target device running OpenWRT. From there, we can now explore the file system, modify files, and even identify sensitive information.