March 23, 2022

Last Updated on January 14, 2024

Because so much software is involved in connecting to Internet of Things (IoT) devices, it is often preferable for an attacker to compromise a device remotely, which opens up a much wider attack surface than physical access alone.

What are some of the approaches that cybercriminals use to hack IoT hardware from the software side?

Hardware hacker extraordinaire Joe Grand discusses this issue in depth in a recent episode of The Virtual CISO Podcast. Hosting the show is John Verry, Pivot Point Security CISO and Managing Partner.

Find a reasonable facsimile

As someone who teaches others how to hack hardware so they can secure it better, Joe has a wealth of experience breaking IoT security. One of his favorite approaches is to reverse engineer a representative sample of a device being used on a target network.

“If I’m going after, say, an industrial control system, and I know this company uses this type of technology, I will go find one,” says Joe. “I might not have physical access to that exact unit used in a building, but I’ll find one that I can use as a reference to understand and reverse engineer. Then maybe I can find some remotely accessible vulnerability that applies to all such devices. That’s when you get into the next level.”

As an example, Joe cites his infamous hack into the City of San Francisco smart parking meters in 2009. To breach the card-based system, Joe found some decommissioned parking meters from the same vendor on eBay. He took one apart in his lab, figured out the communication mechanisms to access the system, and then attacked a deployed parking meter.

Leveraging external interfaces

“Once I know that, I can target your particular infrastructure that uses that same device,” explains Joe. “That’s when you don’t need physical access anymore. Now we go through the network, or we try to find some out-of-band management interface or something. Once a device is in the field, you’re still going to want to have some sort of maintenance access or administrative access or configuration access. Maybe that’s physical, but a lot of times these days it’s going to be remote. We can find those and then maybe start attacking the device that way, remotely over the network.”

These “external interfaces” can be all kinds of standard or custom network protocols: anything that communicates with the outside world or is reachable from it, according to Joe. They can also be physical connectors such as USB, VGA or RS-232 ports, or even a keypad or a micro SD card slot. If an attacker can determine how an interface works and what data is transmitted over it, they may find a foothold for an attack; for a defender, the same inventory of interfaces is the starting point for deciding which ones actually need to be exposed.

Another way to “turn a hardware problem into a software problem” is to compromise the device’s firmware. Linux-based systems, for example, are both commonplace and known for their exposure to attack, including being reprogrammed outright, whereas some embedded real-time operating systems are more secure by design.

“It all comes back to the fact that these devices are computers running some code,” Joe relates. “And if we find [the code], then we can go in that direction as well. That opens it up to people who are skilled in software [versus specifically hardware].”

Dealing with design realities

One of the biggest challenges in securing IoT hardware is the set of constraints on component choice that designers face from the outset.

“Unless you’re designing everything from the ground level where you can choose a field-programmable gate array (FPGA), or you can create your own custom hardware inside a chip instead of using off-the-shelf chips… then you can start devising encryption on the fly and implement that in a better operating system, if you need an operating system,” Joe recounts. “Generally, the chips you use are going to be dependent on what you’re trying to do and then how those chips run is going to be dependent on how the vendor has anticipated you’re going to run them. You can try to break out of that and do something else, but engineers don’t like to recreate the wheel and we’re going to use what the vendor has given us as a starting point, whether it’s good or not.”

What’s Next?

Ready to hear this podcast episode with Joe Grand from the beginning? Click here: https://pivotpointsecurity.com/podcasts/ep-75-joe-grand-how-hardware-hackers-exploit-iot-vulnerabilities/

Interested in elevating your IoT security testing skills? You’ll appreciate this recent blog post: https://pivotpointsecurity.com/blog/the-cloud-security-alliance-csa-plans-to-certify-iot-testers/