Hacking IoT devices

Internet of things is an umbrella for all sorts of embedded devices which were previously on their own, or mostly connected in ad-hoc mesh network. The difference is that the devices are now connected to the Internet.  Many of these devices are used to collect data from their surroundings and upload them to the cloud services, which can do analytics and provide some valuable trends to the users. In certain cases, the devices might just be used to obtain information (like photographs/music) from the web to be displayed/played .

There are expected to be 25 billion such devices  by 2025 and they are going to be incredibly cumbersome not just to manage, but to be secure. It’s worth to understand them what’s underneath the box. There are plenty of websites with news on devices getting hacked, but no one tells about how to do it. This post will be mostly about the latter. We will break into a Pixstar photo frame, which has been a highly rated IoT device.

At some level, I believe, “If I own the hardware, I must 0wn the software too!”. Since, these devices run some variant of Linux, it’s easy to make them do things you like. There are some things about the computing machines that have not changed substantially since their inception and one of it is the booting process (apart, from the fast boots!).

If you look at your old Desktops, you would see the first screen that pops up tells you about POST check(video card, asynchronous communication, and other peripherals/ports) by the BIOS, followed by the loading of your bootloader and then loading the operating system. Interesting security research continues to happen to secure this procedure from being attacked by stealthy malware and rootkits.

We tap into IoTs just when it is powered on and boots up! and communicate with the asynchronous communication port using UART (universal asynchronous receiver/transmitter) device. We can do this by serial communication using RS-232 and hijack the device, even before it loads the bootloader. For this, we need a USB to TTL adapter like the one shown below.

bub

Mordern device USB bub ||

There is plenty of hardware in the wild, one above can be purchased – USB bub mordern device .

UARTs most commonly operate at 3.3 volts, but can also be found operating at other standard voltages (5, 1.8, etc). You would have to use a multimeter to find the voltages on the PCB/motherboard before you can plug this device, else it might damage your IoT! Once you have the above components, you have the right hardware to the task.

multimeter

Next, we look at the PCB and figure out the voltages to connect the IoT device to your laptop using the USB to TTL adapter.

motherboard2

PCB of photoframe

Above shows the connection of PCB with the USB to TTL adapter using wires.

You can presume to do these simple steps for almost all the IoTs before you get into the real deal of actually breaking into the device. These devices will always have serial communication ports for debugging purposes which you can tap into, unless FCC decides to eliminate them with their new rules (Google to know more!). This is a bit primitive from hacking into your Wireless routers(on the higher end), where you can use JTAG to do the exact same thing.

Next, install minicom on your Linux box and configure it to talk on the USB port. Once you have done this, power on the IoT device and see boot messages on your minicom. Make sure your connections are good and the baudrate is correct, else you will see binary blobs on screen!

It seems, this hardest part is the easiest one for the photoframe as you can keep pressing Esc and you will landup with the command prompt before the bootloader is loaded. Following that, type bootcmd to run the bootloader.

hacked_screen

0wned by yet another haX0r

Above is a shell on the device where you can mount a USB drive and run your own binary/shell code as you wish.