Pentesting IoT


The number of devices connected to our lives grows every day. The attack surface is immense: Internet, mobile devices, Bluetooth, custom RF protocols, DAB, imported USB multimedia files, remote diagnostics, telematics, mobile applications, among many others. Can an attacker abuse this interface?

Mobile app and API
The most common source of remotely exploitable vulnerabilities is the mobile app. After all, the mobile app is designed to interact with the IoT device, often from anywhere in the world.

Many mobile applications interact with an API server. Capturing the traffic between a device and the API server, or decompiling the mobile application, will allow you to discover and test how the API works.

What are the most common problems in these areas?

  • Use of cleartext communications, allowing traffic to be intercepted and altered. Transport encryption is vital, especially on mobile devices that often use untrusted Wi-Fi connections.
  • Insecure storage of data on the device, allowing an attacker to obtain secrets such as stored passwords, Wi-Fi PSKs and other keys. Capture of the device, or a malicious application, can make this possible.
  • Insecure direct object reference: the API uses something like a VIN or a sequential ID to access data, without authorization checks.
  • Weak device pairing: it must not be possible to pair a new mobile device with an already paired device!
  • Debug or hidden functionality: the mobile app often contains references to features that should never end up in the hands of a customer.
  • Outsourced application development, leading to loss of control and oversight of API and application security.

OWASP and others publish guidelines to help secure mobile apps and web APIs.
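
The insecure direct object reference and weak pairing items above, shown as an added example that is not code from the original page: a hypothetical vehicle API handler without and with an ownership check, a pairing guard, and an audit function an API test suite could run. All function names, VINs and records are constructed for illustration.

```python
# Constructed sample store: VIN -> record. VINs, users and fields are made up.
VEHICLES = {
    "TESTVIN0000000001": {"owner": "alice", "location": "52.1,4.3", "paired_device": "phone-a"},
    "TESTVIN0000000002": {"owner": "bob", "location": "48.8,2.3", "paired_device": None},
}

class Forbidden(Exception):
    """Raised when the caller may not access the requested object."""

def get_vehicle_insecure(session_user, vin):
    """Vulnerable: trusts the VIN in the request, so any user can read any record."""
    return VEHICLES[vin]

def get_vehicle(session_user, vin):
    """Hardened: object-level authorization on every request."""
    record = VEHICLES.get(vin)
    # Same error for "unknown VIN" and "not your VIN", so responses do not
    # reveal which identifiers exist.
    if record is None or record["owner"] != session_user:
        raise Forbidden("not found or not authorized")
    return record

def pair_device(session_user, vin, device_id):
    """Refuse to pair a new phone while a different one is already paired."""
    record = get_vehicle(session_user, vin)
    if record["paired_device"] not in (None, device_id):
        raise Forbidden("already paired; unpair the existing device first")
    record["paired_device"] = device_id
    return record

def audit(users, vins, handler):
    """Return every (user, vin) pair where a non-owner received data."""
    leaks = []
    for user in users:
        for vin in vins:
            try:
                record = handler(user, vin)
            except Forbidden:
                continue
            if record["owner"] != user:
                leaks.append((user, vin))
    return leaks

if __name__ == "__main__":
    users, vins = ["alice", "bob"], list(VEHICLES)
    print("insecure handler leaks:", audit(users, vins, get_vehicle_insecure))
    print("hardened handler leaks:", audit(users, vins, get_vehicle))
```

Running `audit` against every handler that takes an object identifier gives a regression check that fails as soon as an endpoint returns another account's record.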

10 best practices to protect the Internet of Things in your organization

The 10-step list compiled by Conner Forrest includes input from numerous IoT experts, including John Pironti, president and chief information risk strategist at IP Architects; Earl Perkins, vice president of research at Gartner; and Merritt Maxim, senior analyst at Forrester Research:

  • Understand your endpoints: Every new IoT endpoint introduced to a network provides a potential entry point for cybercriminals that must be addressed.
  • Track and manage your devices: Understand what connected devices are in your organization by deploying an asset discovery, tracking, and management solution at the start of an IoT project.
  • Identify what IT security cannot solve: Identify which aspects of the physical device cannot be protected by IT security practices.
  • Consider patches and solutions: Evaluate IoT devices partly on their potential for patching and solutions.
  • Use a risk-based strategy: Prioritize critical assets in your IoT infrastructure first.
  • Test and evaluate: Perform some kind of penetration test or evaluation of the device before deployment.
  • Change default passwords and credentials: While this is common sense, some IoT devices have default passwords that are difficult to change or cannot be changed.
  • Look at the data: Understanding how an IoT device interacts with the data is crucial to securing it.
  • Rely on up-to-date encryption protocols: Businesses must encrypt data going in and out of their IoT devices, relying on the strongest encryption available.
  • Move from device-level control to identity-level control: As more IoT devices offer the ability to connect multiple users to a single device, the focus of security should shift to identity-level control.
