So how do hackers find security vulnerabilities, and how do they go on to exploit them? These were some of the topics I recently covered in a presentation at UNSW, along with how all of this now applies to the growing Internet-of-Things (IoT) space.
A disclaimer first: none of this means you should go ahead and start breaking things. Hacking anything you are not authorised to test will only land you in big trouble.
First of all, hacking is not dark magic. It's not someone putting on a dark hoodie, sitting in a dark corner, typing away on their keyboard, and then suddenly pulling a rabbit out of a hat.
It all comes down to having a strong foundation in computer science. So if you want to become an ethical pen tester or hacker, the recipe lies in the same knowledge, skills and aptitude required to become a capable computer engineer.
You will need to understand at least one programming language, but it doesn't matter much which one you learn: C, C++, Java or Haskell. What really matters is understanding how the computer works logically and how a program makes the computer do things, because that is what helps you understand the target you're trying to hack.
You will also need to know something about operating systems and how their layers fit together, because all software, even IoT, runs on some kind of operating system. It might be a stripped-down embedded Linux with a BusyBox userland, or some proprietary firmware, but it is still an OS. Knowing how operating systems work really helps once you get a foothold and try to take control of the system.
The same goes for networking. Understanding how protocols such as TCP/IP, SSH, SSL/TLS and FTP work also helps, because that is how the components of a system communicate with each other.
It's not so much your hard skills as your analytical ones that come into play: the skill you use when you're trying to find that inconspicuous bug in your code, or when you read a protocol RFC and work out how it behaves. That is what really matters when it comes to analysing how a vulnerability works.
Curiosity is often the most important quality in a penetration tester or a hacker. That's when you go to a restaurant and use your iPad to order food from a menu, and you might wonder how the menu works and how it sends the order into the kitchen. Or you might look at a schedule board at a train station and wonder how it works, and what kind of operating system it’s running on.
Last but not least, try harder. It's a well-known motto in pen testing, but it doesn't mean you just keep brute-forcing a brick wall. It means being patient and not giving up easily. Sometimes if you try that little bit harder, you will get there, and that's important in pen testing.
So if you combine all of the above, and put on a hoodie, you might just have all it needs to become a successful hacker!
Vulnerability is a word you hear all the time in security, but what is it really? Think of it this way: when you're faced with a tall gate with a big lock, how do you plan to get in?
That is what vulnerabilities and exploits are often about. We are usually not trying to brute-force our way through that gate (although that's one way to do it); a lot of the time we're looking for an unlocked side gate that wasn't built with security in mind, and getting in that way.
So how do we find these vulnerabilities? There's always a methodology, and this is the same methodology that you use whether you're a good guy (a white hat) or a bad guy (a cybercriminal).
It doesn't matter whether you are trying to hack into a nuclear plant or an IoT device, everyone is following roughly the same kind of methodology and process in hacking it. The only difference is how many resources you throw at it, how much time you invest, and the tools you use.
Hacking starts with reconnaissance. Before you break into a house, you case the joint to find out where the entry points are. Think of it as walking around the house to see whether any windows or doors are unlocked.
The same principle applies to apps and software. What technologies are in use? Is it running Linux? Is the web server Apache, and which version? Knowing that is often the first step towards finding vulnerabilities and exploits, because known weaknesses are tied to specific products and versions.
After you've done your reconnaissance and gathered all this information, what next? That's where you put your mind to work finding different ways to interact with the product or solution.
So instead of typing a username and password into a login screen, what if you input 400 or 1,000 'A's? How does the program react? Does it crash? Does it segfault? If it does, you've got the system running in a different and potentially vulnerable state: a crash on long input usually means memory is being overwritten, and you might be able to turn that into something more.
Always look for corner cases. If a field accepts numbers, try letters, negative numbers, very large numbers and empty input, and see what happens.
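Here is the corner-case probing described above as a small Python harness. This is an added example, not code from the talk: parse_quantity() is a constructed, deliberately naive handler for an order form's quantity field, corner_cases() is the list of "what if I type this instead" inputs a tester would try, and MAX_PER_ORDER is an assumed business limit. The harness records which inputs the handler rejects with an exception, which it accepts, and which it accepts when it shouldn't; a hardened version shows what handling the same corner cases properly looks like.

```python
"""Corner-case probing harness (added example; not code from the original talk).

parse_quantity() is a constructed, naive handler for an order form's
'quantity' field.  corner_cases() is the list of inputs a tester tries
instead of the expected value, and probe() records how the handler
reacts to each one.
"""

MAX_PER_ORDER = 99          # assumed business limit for the constructed example


def parse_quantity(raw: str) -> int:
    """Naive handler: assumes the field always holds a small positive number."""
    return int(raw)         # raises ValueError on non-numeric input; no range check at all


def parse_quantity_hardened(raw: str) -> int:
    """Same job, with each corner case handled explicitly."""
    if not isinstance(raw, str) or len(raw) > 4:
        raise ValueError("quantity field too long")        # bound the input before parsing it
    if not (raw.isascii() and raw.isdigit()):
        raise ValueError("quantity must be ASCII digits")  # no sign, whitespace or Unicode digits
    qty = int(raw)
    if not 1 <= qty <= MAX_PER_ORDER:
        raise ValueError("quantity out of range")
    return qty


def corner_cases() -> list:
    """Inputs to try instead of the 'happy path' value."""
    return [
        "5",                        # the expected input, for comparison
        "A" * 400,                  # 400 As: does it crash, truncate, or reject?
        "A" * 10000,                # and a lot more of them
        "",                         # empty field
        " 5",                       # leading whitespace
        "+5",                       # explicit sign
        "-1",                       # negative quantity
        "0",                        # zero
        str(2 ** 63),               # larger than a signed 64-bit integer
        "5.0",                      # float where an int is expected
        "1e3",                      # exponent notation
        "0x10",                     # hex
        "5\x00",                    # embedded NUL byte
        "\u0663",                   # Arabic-Indic digit three: not ASCII, but int() accepts it
        "\u00b2",                   # superscript two: str.isdigit() is True, int() rejects it
        "5; DROP TABLE orders",     # characters where a number is expected
    ]


def probe(handler, inputs):
    """Run handler over every input.

    Returns {input: ("ok", value)} for accepted inputs and
    {input: ("error", ExceptionName)} for rejected ones.  An exception here
    is a finding about the handler, not a failure of the harness.
    """
    results = {}
    for raw in inputs:
        try:
            results[raw] = ("ok", handler(raw))
        except Exception as exc:
            results[raw] = ("error", type(exc).__name__)
    return results


def unexpected_accepts(handler, inputs):
    """Inputs the handler accepted even though no valid quantity looks like that."""
    return sorted(
        raw
        for raw, (status, value) in probe(handler, inputs).items()
        if status == "ok" and not 1 <= value <= MAX_PER_ORDER
    )


if __name__ == "__main__":
    for name, handler in (("naive", parse_quantity), ("hardened", parse_quantity_hardened)):
        print(f"== {name} ==")
        for raw, outcome in probe(handler, corner_cases()).items():
            print(f"{raw[:20]!r:>24} -> {outcome}")
        print("accepted but invalid:", unexpected_accepts(handler, corner_cases()))
```

The interesting rows are not the ones that raise: the naive handler happily accepts "-1", "0" and a 19-digit number, and treats an Arabic-Indic digit as a valid quantity because int() understands Unicode digits. Those silent accepts are the "different state" the text talks about; the hardened version rejects everything except plain ASCII digits in range.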
Even if it doesn't show any sign of breaking, you can always take it apart by reverse engineering or decompiling the binary, which helps you understand how the program actually works.
Look for known vulnerabilities in the technologies and versions you have identified. The more time you spend with the target, the more likely you are to find an opening.
Keep in mind that a vulnerability only matters if you have a way of interacting with it. If a PC is shut down and not connected to the Internet, there's no way anyone can hack it remotely (barring physical access, or stealing it). We can only attack what is exposed, which is what we call the attack surface.
When you do find a vulnerability, the next step is to weaponise an exploit. This is where hackers look for proof-of-concept code on the Internet, or read up on the details of the published vulnerability, and adapt it with their own code so the exploit does what they want it to (remember, an exploit is nothing more than a program). It could be written in your favourite language, whether C, Python or shellcode in assembly, but the goal is to gain access and take control.
Sometimes you might get lucky and find a zero-day vulnerability, and write your own exploit for it. One of those can be worth a lot of money: Google, for example, has offered up to US$1.5 million for a full exploit chain that compromises the Titan M security chip in its Pixel phones. Just remember that genuine zero-days are rare; on a typical engagement the odds are maybe 1% at best.
So you deliver your payload, the malicious code, through the vulnerability and take control. You also need a channel back out to your own machine, typically over HTTPS, SSH or something similar (a reverse shell or command-and-control channel), so you can control the operating system on the other side.
Once you are in, you have access to sensitive data. A criminal might take it for their own profit, or turn the system into part of a botnet; as an ethical hacker, you report what you found and use it to strengthen and secure the product or service.
IoT vs. Traditional Pen Testing
These days, the Internet-of-Things (IoT) is pretty much everywhere. You see the technology used in cars, medical devices, smart homes, IP cameras, and more.
Since IoT is everywhere, it's no surprise to see news of it getting hacked. It could be anything from a webcam to unusual devices like pet feeders, fish tanks and bedside hotel robots.
An IoT system can be attacked at various points in its communication path: the cloud interface the device talks to, the border gateway routers, the mobile app you use to talk to the device, or the Bluetooth, NFC or other link the device uses to reach the cloud. It could even be the way the device handles updates.
Everything that talks to the Internet is a target. But if you look at an individual IoT device and how it is used, its attack surface may not be that big: it might just talk to the cloud and to a mobile phone, and that's it.
To compare a traditional pen test with an IoT pen test, let's look at the high-level IoT architecture. A typical smart device talks to a router, which is connected to the Internet and relays data to a cloud server. Then you have a local user, or a remote user connecting via the cloud servers, using a smartphone app to control the device. Every one of those links is an opportunity for attack.
In a traditional pen test we would do web app and API testing, perhaps against a server in the cloud. We might do a mobile app pen test, or a network infrastructure pen test, attacking the routers from the Internet side. So far everything in the IoT picture is covered by traditional pen testing. The difference is the presence of the smart device itself, because that's the one thing a traditional pen test doesn't touch: it requires specialised tools and protocols, and a bit more research to understand how things work.
There's a security organisation called OWASP, the Open Web Application Security Project. It's well known in the web app space and has become the de-facto standard in application security.
Just as it did for web apps, OWASP has published guidance for IoT. Its original IoT Top 10 (2014) covered insecure web interfaces, insufficient authentication/authorisation, lack of transport encryption and so on, all of which a web app pen test already covers. The items that really apply specifically to IoT are the last two: insecure software/firmware and poor physical security.
The current OWASP IoT Top 10 (2018) also shares a lot with the OWASP Top 10 for web apps. The first entries cover basic issues such as weak, guessable or hard-coded passwords, insecure network services, insecure ecosystem interfaces and the lack of a secure update mechanism. Only further down the list do the device-specific items appear: lack of device management (no way to get updates out, no alerting when something goes wrong), insecure default settings and, at number ten, lack of physical hardening.
There's no shortage of pen testing tools for IoT. On the cloud and web app side there's Burp, the pen tester's Swiss Army knife for web app testing; Nmap, for port scanning and service discovery to find out what is exposed; and Wireshark, for capturing and dissecting the traffic between your IoT device and your computer.
If you need to reverse engineer the firmware, there's Binwalk, which searches firmware images for embedded files and code, and IDA, the disassembler and decompiler commonly used to understand the logic of a binary and how its components fit together.
On the hardware and radio side there are gadgets such as the Alfa wireless dongle, used for capturing (and injecting) Wi-Fi traffic, Ubertooth for Bluetooth, and UART-to-USB cables for hardware hacking and understanding hardware interfaces.
One thing that doesn't get mentioned nearly enough in pen testing is OSINT, open source intelligence: using information that is already out in public to carry out your recon.
Shodan is the best-known example, basically a Google for IoT. Where Google crawls web pages (ports 80 and 443) and indexes their content, Shodan connects to everything on the Internet across a whole range of ports and indexes the banners the services return. That makes it very useful for finding IoT devices that could be vulnerable.
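The recon step described earlier (what software and which version is exposed) and what Shodan indexes are the same thing: a service banner. The Python below is an added example, not code from the talk or from Shodan, that turns raw banners into product/version facts. The banners and addresses are constructed for this example (RFC 5737 documentation ranges), not captured from any real host; grab_banner() shows how such a banner is collected from a host you are authorised to test and is not used offline.

```python
"""Service banner fingerprinting (added example; not code from the original talk).

The banners below are constructed for this example, not captured from any real
host; the addresses are from the RFC 5737 documentation ranges.  fingerprint()
turns a raw banner into the product/version facts a recon step (or a Shodan
result) gives you, and grab_banner() shows how such a banner is collected.
"""
import re
import socket

SAMPLE_BANNERS = {
    ("192.0.2.10", 22): b"SSH-2.0-OpenSSH_7.4\r\n",
    ("192.0.2.10", 80): (b"HTTP/1.1 200 OK\r\nServer: Apache/2.4.41 (Ubuntu)\r\n"
                         b"X-Powered-By: PHP/7.2.24\r\nContent-Type: text/html\r\n\r\n"),
    ("192.0.2.11", 21): b"220 (vsFTPd 3.0.3)\r\n",
    ("192.0.2.12", 23): b"\xff\xfd\x18\xff\xfd\x20\xff\xfd\x23\xff\xfd\x27\r\nlogin: ",
    ("192.0.2.13", 8080): (b"HTTP/1.0 401 Unauthorized\r\nServer: GoAhead-Webs\r\n"
                           b'WWW-Authenticate: Basic realm="IP Camera"\r\n\r\n'),
}

# "Name/1.2.3", "Name_1.2.3" or "Name 1.2.3" -> (Name, 1.2.3)
_PRODUCT_RE = re.compile(r"^([A-Za-z][\w-]*?)[/_ ]v?(\d[\w.]*)")


def split_version(product: str):
    """'Apache/2.4.41 (Ubuntu)' -> ('Apache', '2.4.41'); no version -> (name, None)."""
    m = _PRODUCT_RE.match(product)
    if m:
        return m.group(1), m.group(2)
    return product.split()[0], None


def _header(text: str, name: str):
    """Value of one HTTP response header, or None."""
    m = re.search(rf"^{name}:[ \t]*(.+?)\r?$", text, re.MULTILINE | re.IGNORECASE)
    return m.group(1).strip() if m else None


def fingerprint(port: int, banner: bytes) -> dict:
    """Classify a banner and pull out product/version and whether it prompts for a login."""
    text = banner.decode("latin-1")
    fp = {"port": port, "service": "unknown", "products": [], "auth_prompt": False}

    m = re.match(r"SSH-\d\.\d-(\S+)", text)
    if m:
        fp["service"] = "ssh"
        fp["products"].append(split_version(m.group(1)))
        return fp

    if text.startswith("HTTP/"):
        fp["service"] = "http"
        for name in ("Server", "X-Powered-By"):
            value = _header(text, name)
            if value:
                fp["products"].append(split_version(value))
        auth = _header(text, "WWW-Authenticate")
        if auth:
            fp["auth_prompt"] = True
            m = re.search(r'realm="([^"]*)"', auth)
            fp["realm"] = m.group(1) if m else None
        return fp

    m = re.match(r"220[ -]\(?([^)\r\n]+)", text)   # FTP greeting
    if m:
        fp["service"] = "ftp"
        fp["products"].append(split_version(m.group(1)))
        return fp

    if banner.startswith(b"\xff") or "login:" in text.lower():
        fp["service"] = "telnet"            # IAC option negotiation or a bare login prompt
        fp["auth_prompt"] = True
    return fp


def survey(banners: dict) -> dict:
    """Group fingerprints by host: {host: [fingerprint, ...]} ordered by port."""
    by_host = {}
    for (host, port), banner in sorted(banners.items()):
        by_host.setdefault(host, []).append(fingerprint(port, banner))
    return by_host


def grab_banner(host: str, port: int, timeout: float = 3.0) -> bytes:
    """Collect a banner from a live host you are authorised to test (not used offline)."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        if port in (80, 8080, 8000, 8443):          # HTTP servers speak only when spoken to
            s.sendall(b"HEAD / HTTP/1.0\r\nHost: %s\r\n\r\n" % host.encode())
        try:
            return s.recv(2048)
        except socket.timeout:
            return b""


if __name__ == "__main__":
    for host, fps in survey(SAMPLE_BANNERS).items():
        for fp in fps:
            print(host, fp)
```

The output is the starting point for the next step: a product name and version to look up against known vulnerabilities, and a note of which services sit behind a login prompt, which is exactly where default credentials get tried.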
In the wrong hands, an IoT vulnerability can cause a lot of damage. That was demonstrated in 2016 by the Mirai malware, which was used to build a botnet. Like Shodan, it scanned the Internet for connected devices, be it an IP camera or a home router, but it also tried to log in to their Telnet service using a short, hard-coded list of default usernames and passwords. It may seem like a simple hack that just exploits the default credentials on a device.
However, at its peak, Mirai controlled around 600,000 devices and used them to carry out record-breaking DDoS attacks. Even today we still see many variants of Mirai on the Internet. It goes to show that some of the biggest and most damaging hacks came from essentially basic security flaws.
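Because Mirai's behaviour is so simple (one source walking through a fixed list of default credentials on Telnet), it is also simple to spot in a device's or honeypot's login logs. The Python below is an added example, not code from the talk or from Mirai. The log lines are constructed for this example in an assumed key=value format with addresses from the RFC 5737 documentation ranges, the credential pairs are a subset of the hard-coded list in Mirai's published scanner source, and the threshold of three distinct default pairs per source is an assumption.

```python
"""Spotting Mirai-style default-credential scanning in login logs
(added example; not code from the original talk or from Mirai).

The log lines are constructed for this example in a simple key=value format
(addresses from the RFC 5737 documentation ranges); the credential pairs are a
subset of the hard-coded list in Mirai's published scanner source.
"""
import re
from collections import defaultdict

# Subset of the default username/password pairs Mirai tried over Telnet.
MIRAI_DEFAULTS = {
    ("root", "xc3511"), ("root", "vizxv"), ("root", "admin"), ("admin", "admin"),
    ("root", "888888"), ("root", "xmhdipc"), ("root", "default"), ("root", "juantech"),
    ("root", "123456"), ("root", "54321"), ("support", "support"), ("root", ""),
    ("admin", "password"), ("root", "root"), ("root", "12345"), ("user", "user"),
    ("admin", ""), ("root", "pass"), ("admin", "admin1234"), ("root", "1111"),
    ("admin", "smcadmin"), ("root", "666666"), ("root", "password"), ("root", "1234"),
    ("service", "service"), ("supervisor", "supervisor"), ("guest", "guest"),
    ("guest", "12345"), ("ubnt", "ubnt"), ("Administrator", "admin"),
}

# Constructed Telnet login log: one scanner that eventually gets in, one that
# tries two pairs and moves on, and one legitimate operator.
SAMPLE_LOG = """\
2016-09-20T01:12:03Z src=198.51.100.7 dport=23 user=root pass=xc3511 result=fail
2016-09-20T01:12:04Z src=198.51.100.7 dport=23 user=root pass=vizxv result=fail
2016-09-20T01:12:05Z src=198.51.100.7 dport=23 user=admin pass=admin result=fail
2016-09-20T01:12:06Z src=198.51.100.7 dport=23 user=root pass=888888 result=fail
2016-09-20T01:12:07Z src=198.51.100.7 dport=23 user=support pass=support result=ok
2016-09-20T01:15:30Z src=203.0.113.9 dport=2323 user=ubnt pass=ubnt result=fail
2016-09-20T01:15:31Z src=203.0.113.9 dport=2323 user=root pass=default result=fail
2016-09-20T01:40:00Z src=192.0.2.55 dport=23 user=operator pass=Tr0ub4dor result=fail
2016-09-20T01:40:09Z src=192.0.2.55 dport=23 user=operator pass=horse-battery result=ok
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dport=(?P<dport>\d+) "
    r"user=(?P<user>\S*) pass=(?P<pw>\S*) result=(?P<result>ok|fail)$"
)

SCAN_THRESHOLD = 3   # distinct default pairs from one source before we call it a scanner (assumed)


def parse_line(line: str):
    """One log line -> dict of fields, or None if it does not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    d["dport"] = int(d["dport"])
    return d


def is_default_credential(user: str, pw: str) -> bool:
    return (user, pw) in MIRAI_DEFAULTS


def analyze(log_text: str) -> dict:
    """Per source: attempts, distinct default pairs tried, ports, whether a default
    credential actually worked, and whether the pattern looks like a scanner."""
    per_src = defaultdict(lambda: {"attempts": 0, "default_pairs": set(),
                                   "ports": set(), "compromised": False})
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        s = per_src[ev["src"]]
        s["attempts"] += 1
        s["ports"].add(ev["dport"])
        if is_default_credential(ev["user"], ev["pw"]):
            s["default_pairs"].add((ev["user"], ev["pw"]))
            if ev["result"] == "ok":
                s["compromised"] = True      # a default credential let them in
    for s in per_src.values():
        s["default_hits"] = len(s["default_pairs"])
        s["scanner"] = s["default_hits"] >= SCAN_THRESHOLD
    return dict(per_src)


def flagged(log_text: str) -> list:
    """Sources worth an alert: scanners, plus anyone who logged in with a default credential."""
    return sorted(src for src, s in analyze(log_text).items()
                  if s["scanner"] or s["compromised"])


if __name__ == "__main__":
    for src, s in analyze(SAMPLE_LOG).items():
        print(f"{src:>14} attempts={s['attempts']} default_hits={s['default_hits']} "
              f"ports={sorted(s['ports'])} scanner={s['scanner']} compromised={s['compromised']}")
    print("flag:", flagged(SAMPLE_LOG))
```

Note what the operator's failed attempt does not do: a single wrong password that is not on the default list is not a finding, and a successful login with a non-default password is not a compromise. The distinguishing signal is the credential list itself, which is also why the fix is so cheap: a device with no default credentials gives this scanner nothing to hit.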
The size of the IoT market is what makes this so devastating: it has been estimated at around $500 billion. Interestingly, of that, 26% is in smart cities, 24% in industrial plants and 20% in healthcare. There's been no shortage of news headlines about IoT getting hacked, but most of the cases were consumer devices. What about all the smart city and industrial devices? Are they not getting hacked at all?
The connected nature of an IoT device makes it vulnerable to attack, but that doesn't mean it has to be difficult to secure. Start by fixing the simple flaws and you may have 80% of your security sorted. Case in point: the Australian government recently released a voluntary Code of Practice for IoT device vendors. It contains a lot of common sense around secure defaults, such as not shipping default passwords but generating unique random ones per device, making sure devices are updated regularly, and so on.
As the above shows, securing an IoT device doesn't mean getting a pen test every time you change a setting or a connection. Instead, set aside some time to think about what you are trying to protect, what the likely threats are, what an attacker could do if they got through, and then look for ways to close those gaps.
Remember, the biggest and worst hacks were not the result of zero-day exploits; they exploited known vulnerabilities and simple security misconfigurations. Sometimes doing just a little goes a long way towards making this digital world much more secure.