An introduction to IoT device embedded hardware hacking
Smart cars, fridges, security cameras and medical implants are all around us, and always connected and communicating. This means they are constantly swapping data with other devices, says Deral Heiland, IoT research lead at Rapid7, and uploading it to the global internet to help these devices perform better. It’s hard to argue IoT’s value but there is an essential need to secure these devices as their popularity grows at pace.
Many IoT devices are susceptible to vulnerabilities and often security teams can’t dedicate either the time or the expertise to secure connected devices on their own. If you’re a researcher, or technology or security professional intrigued by the idea of opening up and exploring embedded technologies but aren’t sure where to begin, I will give you some starting points by covering a number of tools, basic methods, and concepts.
However, if you’re an organisation creating a new IoT product or deploying an IoT solution you need an experienced and skilled consultant that will help you identify any risks and vulnerabilities and apply solutions to mitigate security issues across your IoT ecosystem.
The tools required
The first step to hardware hacking is getting the tools that you need. Often, only some basic equipment is needed that costs just £15 (€17) to £25 (€28). When conducting testing and research on embedded technology, tools typically fall into these categories:
- Disassembly and assembly
- Electronic signal analysis and measurement
- System control and injection
More costly equipment is also available and can be upward of hundreds of pounds, but this guide will focus on some of the basic tools required in each category, which you can build upon as necessary.
Disassembly and assembly
- It’s essential to have a good pair of pliers and set of screwdrivers.
- Invest in an adjustable temperature soldering iron with interchangeable tips. This will enable you to solder, solder flux, and de-solder wick with efficiency.
Electronic signal analysis and measurement
In this category, I recommend two must-have tools: a simple digital multimeter and a logic analyser.
- A simple digital multimeter measures voltage levels on devices and components, allowing you to identify ground and map out circuit board paths.
- Choose a logic analyser that is quality-built and has several models available for different budgets. I recommended Saleae. This is a fundamental part of your toolkit and is a common analysis tool used by engineers, hardware researchers and testers to analyse the digital signals of embedded devices.
- The JTAGULATOR is another useful tool that identifies industry standard marks from JTAG and ‘keys to the kingdom’ UART ports. It allows you to automatically walk through and test all the possible pinout combinations by connecting all the pins of a header.
System control and injection
There are several inexpensive tool options in this category that help you to gain access, extract or alter data of embedded technology
- The Bus Pirate, enables you to connect to UART, I2C, SPI, and JTAG communication protocols. Or the Shikra, a similar device, is faster when extracting flash memory over SPI and also supports UART and JTAG.
- Another robust tool for testing JTAG and Serial Wire Debug (SWD) is the Seggar J-link that has a less expensive education version as well as a professional version.
- The BeagleBone Black is also a great all-rounder test tool with a development platform that can be utilised to perform a number of tests.
To connect to the embedded devices for testing and hacking you should also purchase some simple items such as jumper wires and headers. Be sure to consider the following:
- 27mm male straight single-row pin header
- 54mm male straight single-row pin header
- Male-to-female solderless flexible breadboard jumper wires
Disassembly of hardware
To begin, hardware hacking often requires gaining some physical access to a device, during which its essential to be slow and cautious in order to avoid damaging the equipment, or yourself for that matter.
The bottom of the device will usually be your starting point, ensure you look under any labels or rubber feet as these might be hiding the screws you need. If the product you’re inspecting is made in the US for the US market, you can also look for Federal Communications Commission (FCC) records. If a device uses any wireless or radio frequency (RF) communication, then it should have an FCC ID or it should be labelled due to industry requirements. Once you have it, enter it into this website, which will provide you with RF test reports and internal images, which are the most helpful asset, because they help show you how the device is assembled.
This is where you’ll find out if the case is glued or epoxied shut, if so, you’ll need to use a Dremel tool or other potentially destructive tool to cut it yourself. However, the risks are much higher of injuring yourself, so follow all safety precautions to ensure you don’t damage either you or the circuit boards.
Examining the circuit
Once you have the device open, you need to identify and map out the circuit and components. You may well find some obviously marked debug ports such as JTAG, UART and SWD that the manufacturer has marked. After which you want to identify other important features such as header connections, which may be used for JTAG, UART and all the key IC chips (CPU, memory, RF, and Wi-Fi).
Next, I recommend trying to download the component’s datasheets for each IC chip, found by Googling the device name and information stamped on them, as these will aid you during further testing and analysis of the embedded device’s functionality and security.
When testing for security issues, examining firmware can also assist in revealing invaluable information and there are a few methods for gaining access to it. Firstly, see whether the vendor allows direct download of firmware over the internet and if not then I attempt to capture it using Wireshark. To accomplish this, you need to capture all network communication while the embedded device is doing a firmware upgrade, it can then often be extracted from the captured pcap data (if it’s not encrypted) by using the Export Objects feature within Wireshark.
There are also other ways if this isn’t possible, such as using the mobile application used to manage or control the embedded device, because if the device can be controlled via this then you may be able to also access the firmware upgrade process too. If so, it may reveal the URL Path and access codes needed to download the latest firmware.
If all else fails, you may have to go directly to the flash memory storage on the device, for which there are multiple methods depending on the type of board. For instance, you may be able to read the flash in-circuit or may need to de-solder the chip. Then you may need a chip reader if it’s not available via SPI. The best thing to do is research the device online and look for datasheets that will help you properly identify the memory storage and best methods for data extraction. Often there are others that have encountered the same memory extraction issues and so you can find documented methods.
What does this mean if I’m business?
If an organisation considers the firmware on its IoT device to be proprietary intellectual property, then it is important to protect it. The easiest and cheapest solution is to disable UART prior to going to market with your product, because a persistent individual with physical access and time will nearly always find a way to compromise the device and gain access to the firmware via the UART connection.
The IoT is complex and of course the penetration and system analysis testing of professional security firms will go beyond this to consider the whole ecosystem in order to ensure every segment is covered, as well as how each impacts the security of the whole. Have fun exploring but contact experts when required.
The author is Deral Heiland, IoT research lead at Rapid7