An introduction to IoT device embedded hardware hacking

Deral Heiland of Rapid7

Smart cars, fridges, security cameras and medical implants are all around us, always connected and communicating. This means they are constantly swapping data with other devices, says Deral Heiland, IoT research lead at Rapid7, and uploading it to the global internet to help these devices perform better. It’s hard to argue against IoT’s value, but there is an essential need to secure these devices as their popularity grows at pace.

Many IoT devices are susceptible to vulnerabilities, and often security teams can’t dedicate either the time or the expertise to secure connected devices on their own. If you’re a researcher, or a technology or security professional intrigued by the idea of opening up and exploring embedded technologies but unsure where to begin, this article gives you some starting points by covering a number of tools, basic methods and concepts.

However, if you’re an organisation creating a new IoT product or deploying an IoT solution, you need an experienced and skilled consultant to help you identify risks and vulnerabilities and apply solutions that mitigate security issues across your IoT ecosystem.

The tools required

The first step in hardware hacking is getting the tools you need. Often only some basic equipment is required, costing just £15 (€17) to £25 (€28). When conducting testing and research on embedded technology, tools typically fall into three categories:

  • Disassembly and assembly
  • Electronic signal analysis and measurement
  • System control and injection

More costly equipment is also available and can run to hundreds of pounds, but this guide focuses on the basic tools required in each category, which you can build upon as necessary.

Disassembly and assembly

  1. It’s essential to have a good pair of pliers and a set of screwdrivers.
  2. Invest in an adjustable-temperature soldering iron with interchangeable tips, plus solder, flux and de-soldering wick. This will let you solder test headers onto debug pads and de-solder components such as flash chips efficiently.

Electronic signal analysis and measurement

In this category, I recommend two must-have tools: a simple digital multimeter and a logic analyser.

  1. A simple digital multimeter measures voltage levels on devices and components, allowing you to identify ground, check supply voltages and map out circuit board paths using its continuity mode.
  2. Choose a quality-built logic analyser; I recommend Saleae, which offers several models for different budgets. This is a fundamental part of your toolkit and a common analysis tool used by engineers, hardware researchers and testers to capture and decode the digital signals of embedded devices.
  3. The JTAGulator is another useful tool for working out the pinout of unmarked headers. Connect all the pins of a header to it and it automatically walks through and tests the possible pin combinations to identify JTAG and ‘keys to the kingdom’ UART ports.
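As an added example (not code from the article or from Rapid7), the following Python shows what a logic analyser capture of a UART line gives you once you have found the port: from a list of edge timestamps you can infer the baud rate and decode the 8N1 frames, which is what the analyser software does for you when you pick the right protocol decoder. The edge list is synthesised in-line as constructed sample data standing in for a Saleae export; the function names and the table of standard baud rates are this example's own choices.

```python
"""Infer the baud rate of a captured UART line and decode its 8N1 frames.

Added illustrative example, not code from the article or from Rapid7.
Input is a list of (time_seconds, level) transitions such as you would export
from a logic analyser; here the capture is synthesised in-line (constructed
sample data) so the script runs offline.
"""
from typing import List, Tuple

Edge = Tuple[float, int]  # (time in seconds, logic level after the transition)

STANDARD_BAUDS = (1200, 2400, 4800, 9600, 19200, 38400, 57600,
                  115200, 230400, 460800, 921600)


def synthesise_uart_edges(data: bytes, baud: int, t0: float = 0.001) -> List[Edge]:
    """Constructed capture: 8N1 frames (idle high, start bit low, LSB first,
    one stop bit) sent back to back from time t0. Stands in for a real export."""
    bit = 1.0 / baud
    levels: List[int] = []
    for byte in data:
        levels.append(0)                                   # start bit
        levels.extend((byte >> i) & 1 for i in range(8))   # data bits, LSB first
        levels.append(1)                                   # stop bit
    edges: List[Edge] = [(0.0, 1)]                         # line idle high at t=0
    current = 1
    for i, level in enumerate(levels):
        if level != current:
            edges.append((t0 + i * bit, level))
            current = level
    return edges


def infer_baud(edges: List[Edge]) -> int:
    """The shortest gap between two transitions is one bit period: any run of
    alternating bits (or a start bit followed by a 1) produces it. 1/period is
    then snapped to the nearest standard rate."""
    gaps = [b[0] - a[0] for a, b in zip(edges, edges[1:]) if b[0] > a[0]]
    if not gaps:
        raise ValueError("no transitions in capture")
    raw_baud = 1.0 / min(gaps)
    return min(STANDARD_BAUDS, key=lambda b: abs(b - raw_baud))


def level_at(edges: List[Edge], t: float) -> int:
    """Logic level at time t: set by the last transition at or before t."""
    level = edges[0][1]
    for ts, lvl in edges:
        if ts > t:
            break
        level = lvl
    return level


def decode_8n1(edges: List[Edge], baud: int) -> bytes:
    """Treat each falling edge outside a frame as a start bit and sample the
    eight data bits at their centres. A low stop bit is a framing error and the
    frame is dropped, which is the symptom you see when the baud guess is wrong."""
    bit = 1.0 / baud
    out = bytearray()
    next_start = -1.0                         # earliest time a new frame may begin
    for ts, level in edges:
        if level != 0 or ts < next_start:
            continue                          # rising edge, or an edge inside a frame
        value = 0
        for i in range(8):
            value |= level_at(edges, ts + (1.5 + i) * bit) << i
        if level_at(edges, ts + 9.5 * bit) != 1:
            continue                          # framing error: stop bit must be high
        out.append(value)
        next_start = ts + 9.75 * bit          # frame is 10 bits long; allow some jitter
    return bytes(out)


if __name__ == "__main__":
    capture = synthesise_uart_edges(b"U-Boot> ", 115200)
    baud = infer_baud(capture)
    print(f"inferred {baud} baud: {decode_8n1(capture, baud)!r}")
```

If the decoded bytes are garbage or most frames are dropped as framing errors, the baud guess is wrong or the signal is inverted; both are common when probing an unknown header, and both show up immediately in a capture, which is why the analyser is worth buying before anything else in this category.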

System control and injection

There are several inexpensive tool options in this category that help you gain access to, extract or alter the data on embedded technology.

  1. The Bus Pirate enables you to connect to UART, I2C, SPI and JTAG interfaces. The Shikra, a similar device, is faster when extracting flash memory over SPI and also supports UART and JTAG.
  2. Another robust tool for testing JTAG and Serial Wire Debug (SWD) is the Segger J-Link, which is available in a less expensive education version as well as a professional version.
  3. The BeagleBone Black is also a great all-round test tool, a development platform that can be used to perform a number of tests.

To connect to the embedded devices for testing and hacking you should also purchase some simple items such as jumper wires and headers. Be sure to consider the following:

  • 1.27mm-pitch male straight single-row pin header
  • 2.54mm-pitch male straight single-row pin header
  • Male-to-female solderless flexible breadboard jumper wires

Disassembly of hardware

To begin, hardware hacking usually requires gaining physical access to the inside of a device, during which it’s essential to be slow and cautious to avoid damaging the equipment, or yourself for that matter.

The bottom of the device will usually be your starting point; look under any labels or rubber feet, as these may be hiding the screws you need. If the product you’re inspecting is sold in the US market, you can also look for Federal Communications Commission (FCC) records. Any device that uses wireless or radio frequency (RF) communication must carry an FCC ID on its label. Once you have it, enter it into the FCC’s equipment authorisation search (fcc.gov/oet/ea/fccid), which will return the RF test reports and internal photos. The internal photos are the most helpful asset, because they show you how the device is assembled and what is on the board before you open it.

The internal photos are also where you’ll find out whether the case is glued or epoxied shut. If it is, you’ll need a Dremel or other potentially destructive tool to cut it open yourself. The risk of injuring yourself is much higher with these tools, so follow all safety precautions to avoid damaging either yourself or the circuit boards.

Examining the circuit

Once you have the device open, you need to identify and map out the circuit and its components. You may well find debug ports such as JTAG, UART and SWD that the manufacturer has clearly marked. Next, identify the other important features: unmarked header connections and test pads, which may also carry JTAG or UART, and all the key ICs (CPU, memory, RF and Wi-Fi).

Next, I recommend downloading the datasheet for each IC, found by searching for the part number and other information stamped on the package. Datasheets give you pinouts, supply voltages and interface details that will aid further testing and analysis of the embedded device’s functionality and security.

Inspecting firmware

When testing for security issues, examining the firmware can also reveal invaluable information, and there are a few ways of getting hold of it. First, check whether the vendor allows direct download of firmware over the internet. If not, try to capture it with Wireshark: record all network traffic while the embedded device performs a firmware upgrade, and if the download is not encrypted (plain HTTP, for example) the image can often be extracted from the pcap using Wireshark’s File > Export Objects feature.

If that isn’t possible, there are other routes, such as the mobile application used to manage or control the device. If the device can be updated from the app, you may be able to observe the firmware upgrade process there too, which may reveal the URL path and access codes needed to download the latest firmware.

If all else fails, you may have to go directly to the flash memory storage on the device, for which there are multiple methods depending on the board. You may be able to read the flash in-circuit, or you may need to de-solder the chip; if the part is not SPI flash that a Bus Pirate or Shikra can read, you will need a chip reader for that package. The best approach is to research the device online and find the datasheet so you can properly identify the memory part and the best method for extraction. Often others have encountered the same memory extraction problems, and you can find documented methods.
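Whichever route produced the image, the first thing to establish is what you are holding. The following Python, added here as an illustration and not taken from the article or from Rapid7, is the first-pass triage I would run on a firmware image: it locates a small, non-exhaustive set of container and filesystem signatures and computes per-block entropy, which separates padding and plaintext from compressed or encrypted data and tells you whether the "not encrypted" condition mentioned above actually holds. The sample image is constructed in-line; all function and constant names are this example's own.

```python
"""First-pass triage of a firmware image pulled from a pcap, an app download or
a flash dump: find known container/filesystem magics and map entropy per block.

Added illustrative example, not code from the article or from Rapid7. The
sample image is constructed in-line so the script runs offline; MAGICS covers a
handful of formats common in embedded Linux firmware and is not exhaustive.
"""
import gzip
import math
import random
from typing import Dict, List, Tuple

# Signatures of containers commonly found in embedded firmware.
MAGICS: Dict[bytes, str] = {
    b"\x27\x05\x19\x56": "U-Boot uImage header",
    b"\x7fELF": "ELF executable",
    b"\x1f\x8b\x08": "gzip stream",
    b"hsqs": "SquashFS (little-endian)",
    b"sqsh": "SquashFS (big-endian)",
    b"UBI#": "UBI erase-block header",
}

HIGH_ENTROPY = 7.5   # bits/byte; compressed or encrypted data sits above this


def shannon_entropy(block: bytes) -> float:
    """Bits of entropy per byte: 0.0 for a constant block, 8.0 for uniform random."""
    if not block:
        return 0.0
    counts = [0] * 256
    for b in block:
        counts[b] += 1
    n = len(block)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def find_magics(image: bytes) -> List[Tuple[int, str]]:
    """Every offset at which a known signature occurs, ordered by offset."""
    hits: List[Tuple[int, str]] = []
    for magic, name in MAGICS.items():
        pos = image.find(magic)
        while pos != -1:
            hits.append((pos, name))
            pos = image.find(magic, pos + 1)
    return sorted(hits)


def entropy_map(image: bytes, block_size: int = 4096) -> List[Tuple[int, float]]:
    """(offset, entropy) for each block_size-byte block of the image."""
    return [(off, shannon_entropy(image[off:off + block_size]))
            for off in range(0, len(image), block_size)]


def triage(image: bytes, block_size: int = 4096) -> Dict[str, object]:
    """Summarise the image. Compressed filesystems are high entropy too, so
    'likely_encrypted' is only claimed when nearly every block is high entropy
    AND no recognisable header is present: the case where Export Objects hands
    you an image you still cannot unpack."""
    hits = find_magics(image)
    emap = entropy_map(image, block_size)
    high = [off for off, e in emap if e > HIGH_ENTROPY]
    fraction = len(high) / len(emap) if emap else 0.0
    return {
        "magics": hits,
        "high_entropy_blocks": high,
        "fraction_high_entropy": fraction,
        "likely_encrypted": fraction > 0.9 and not hits,
    }


def build_sample_image() -> bytes:
    """Constructed firmware-like blob: a uImage header with zeroed fields,
    erased-flash padding, a gzip'd kernel stand-in and a SquashFS-style header
    followed by pseudo-random bytes standing in for compressed file data."""
    rng = random.Random(1337)                                  # fixed seed: deterministic
    header = b"\x27\x05\x19\x56" + b"\x00" * 60                # 64-byte uImage header
    padding = b"\xff" * 4096                                   # unprogrammed flash
    kernel = gzip.compress(b"Linux version 4.9 (constructed sample) " * 200, mtime=0)
    rootfs = b"hsqs" + bytes(rng.getrandbits(8) for _ in range(8192))
    return header + padding + kernel + rootfs


if __name__ == "__main__":
    report = triage(build_sample_image())
    for off, name in report["magics"]:
        print(f"0x{off:06x}  {name}")
    print("high-entropy blocks at:", [hex(o) for o in report["high_entropy_blocks"]])
    print("likely encrypted:", report["likely_encrypted"])
```

A recognised header sitting just before a high-entropy region is the normal shape of an unencrypted image (compressed kernel, compressed root filesystem) and can be carved out at the reported offset; uniformly high entropy with no headers at all means you are looking at ciphertext, and the key has to come from the device itself via the debug or flash routes described above.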

What does this mean if I’m a business?

If an organisation considers the firmware on its IoT device to be proprietary intellectual property, then it is important to protect it. The easiest and cheapest step is to disable the UART console before the product goes to market, because a persistent individual with physical access and time will nearly always find a way to compromise the device and gain access to the firmware via the UART connection. Bear in mind that this closes only one path: the same individual can also use the JTAG or SWD debug ports and read the flash memory directly, as described above, so those routes need to be locked down as well.

The IoT is complex, and of course the penetration testing and system analysis carried out by professional security firms goes beyond this to consider the whole ecosystem, ensuring every segment is covered and understanding how each affects the security of the whole. Have fun exploring, but contact experts when required.

The author is Deral Heiland, IoT research lead at Rapid7

