
Importance of IoT security. RFID world.


Intro

IoT is everywhere nowadays. There are currently about 20 billion IoT devices, and by 2031 there will be around 35 billion IoT devices connected to the internet.

Interesting information about IoT devices & other stuff

The more network devices we have, and the more digital components are added to our systems, the bigger the attack surface becomes.

SCADA/ICS are also very important: industrial control systems run our water and electricity.

  • The best hack is the one that nobody has discovered.

Microwave ovens work in the same frequency band as Wi-Fi, 2.4-2.5 GHz. If you turn on a microwave, it will jam the Wi-Fi signal.

On an IoT device’s small Linux system there is not enough storage for strong encryption or other security measures, and encryption takes computing power.

Interesting attacks:

  • Node Cloning

    • You can clone a Bluetooth device. The clone can then communicate with a device that is paired with a device of a similar MAC address.
  • Zigbee - it is one of the main protocols for IoT

Speed vs Security

IoT devices need speed and do not have time for encryption. Encrypting data takes time, and time means latency, so IoT devices transfer data in clear text.

IoT OS

Most IoT devices run OWRT (OpenWrt).

STRIDE Classification Model

  1. Spoofing

  2. Tampering

  3. Repudiation

  4. Information Disclosure

  5. Denial of Service

  6. Elevation of Privilege

3 steps of STRIDE

  1. Identify the Architecture

  2. Identify the Architecture Components

  3. Identify the Threats

Security solutions

  • Configure devices to use non-default ports, just as you would replace default credentials. Change both ports and credentials.

Tools for IoT Reconnaissance

One of the best tools is the header grabber Shodan. This is the main place you want to go.

Cameras

Hikvision and Dahua Technology are Chinese camera manufacturers, and their cameras are very insecure.

They are also sold as white-label products: Dahua and Hikvision have 100+ relabelers/OEMs.

Main cameras protocols:

  • RTSP (Real-Time Streaming Protocol) - usually port 554. Sometimes owners want to change the port and just add one more 5, so the port becomes 5554 or 8554. A port ending in “54” is most of the time a camera. RTSP is used only for cameras.

    • Used for live streaming

    • An example would look like rtsp://example.com

  • RTP (Real-Time Transport Protocol)

  • PSIA

    • Used for configuration, camera discovery and live streaming (using RTSP)
  • ONVIF (Open Network Video Interface Forum) - it allows access through a set of standardized APIs.

    • Used for camera discovery, configuration and live streaming (using RTSP)

    • ONVIF requests are transmitted through XML SOAP messages.
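To turn the port and protocol notes above into something you can run against your own inventory, here is an added example (not code from the original post) that triages constructed scan records: it flags RTSP on 554 or on a port ending in “54”, ONVIF SOAP and PSIA markers in banners, and notes which hits still sit on the default port. The hosts, banners and the `Finding` / `triage` / `hardening_todo` names are all assumptions.

```python
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample inventory, as an internal port scan might report it:
# (host, port, first line(s) of the service banner). IPs are private/constructed.
SAMPLE_SCAN = [
    ("10.0.0.12", 554,  "RTSP/1.0 200 OK\r\nServer: Rtsp Server"),
    ("10.0.0.12", 80,   "HTTP/1.1 200 OK\r\nServer: lighttpd"),
    ("10.0.0.30", 8554, "RTSP/1.0 401 Unauthorized"),
    ("10.0.0.31", 5554, ""),                       # no banner, but port ends in 54
    ("10.0.0.40", 22,   "SSH-2.0-OpenSSH_8.4"),
    ("10.0.0.50", 80,   '<s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope"> onvif'),
    ("10.0.0.60", 8080, "HTTP/1.1 200 OK ... PSIA"),
]

@dataclass
class Finding:
    host: str
    port: int
    protocol: str     # RTSP, ONVIF or PSIA
    reason: str
    confidence: str   # "high" when the banner proves it, "medium" for a port hint only
    on_default_port: bool

def classify(host: str, port: int, banner: str) -> Optional[Finding]:
    """Apply the camera heuristics from the notes to one host:port record."""
    text = banner.lower()
    if banner.startswith("RTSP/"):
        return Finding(host, port, "RTSP", "RTSP response banner", "high", port == 554)
    if "onvif" in text:
        return Finding(host, port, "ONVIF", "ONVIF SOAP envelope in banner", "high", False)
    if "psia" in text:
        return Finding(host, port, "PSIA", "PSIA marker in banner", "high", False)
    if port == 554:
        return Finding(host, port, "RTSP", "default RTSP port 554", "high", True)
    if str(port).endswith("54"):
        return Finding(host, port, "RTSP", "port ends in 54 (RTSP moved off 554)", "medium", False)
    return None

def triage(scan) -> List[Finding]:
    """Return every record that looks like a camera service, in scan order."""
    return [f for f in (classify(h, p, b) for h, p, b in scan) if f is not None]

def hardening_todo(findings) -> List[str]:
    """One line per finding: what the notes say to change (ports and credentials)."""
    todo = []
    for f in findings:
        action = ("move off default port and change default credentials" if f.on_default_port
                  else "confirm credentials are not the vendor defaults")
        todo.append(f"{f.host}:{f.port} {f.protocol} ({f.confidence}, {f.reason}) -> {action}")
    return todo

if __name__ == "__main__":
    for line in hardening_todo(triage(SAMPLE_SCAN)):
        print(line)
```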

List of default camera passwords:

Link

Always try the simplest technique first.

cameradar is the best tool to brute-force credentials and find the route.

Some vulns found in Dahua cameras:

  • CVE-2021-33044

  • CVE-2021-33045

Shodan API

You can use the Shodan API. Install it via pip:

pip install shodan

shodan init

shodan search <example>

You can use the API, put the search results into a file, and save them for later.
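As an added example (not code from the original post), this script does what the sentence above describes with the official `shodan` Python library: it runs a search with the key you gave to `shodan init`, keeps only the useful fields from each match, and writes them to a JSON Lines file that can be reloaded later without spending more query credits. The `SAMPLE_RESULTS` dict, the output path and the helper names are assumptions; when no key and query are passed on the command line it falls back to the constructed sample.

```python
import json
import sys
import tempfile
from pathlib import Path

FIELDS = ("ip_str", "port", "transport", "org", "hostnames", "timestamp")  # kept per match
DEFAULT_OUT = Path(tempfile.gettempdir()) / "shodan_results.jsonl"

# Constructed sample in the shape Shodan.search() returns (documentation-range IPs,
# invented banners and hostnames); used when no API key is given.
SAMPLE_RESULTS = {
    "total": 2,
    "matches": [
        {"ip_str": "203.0.113.10", "port": 554, "transport": "tcp", "org": "Example ISP",
         "hostnames": ["cam1.example.net"], "timestamp": "2024-01-01T00:00:00.000000",
         "data": "RTSP/1.0 401 Unauthorized\r\nCSeq: 1\r\n"},
        {"ip_str": "203.0.113.11", "port": 80, "transport": "tcp", "org": "Example ISP",
         "hostnames": [], "timestamp": "2024-01-01T00:00:01.000000",
         "data": "HTTP/1.1 200 OK\r\nServer: lighttpd\r\n"},
    ],
}

def search(api_key: str, query: str, limit: int = 100) -> dict:
    """Live query; needs network access and the key you gave to `shodan init`."""
    import shodan  # imported here so the offline helpers work without the package
    return shodan.Shodan(api_key).search(query, limit=limit)

def flatten(results: dict) -> list:
    """Reduce each match to FIELDS plus the first 200 characters of its banner."""
    rows = []
    for match in results.get("matches", []):
        row = {key: match.get(key) for key in FIELDS}
        row["banner"] = (match.get("data") or "").strip()[:200]
        rows.append(row)
    return rows

def save_jsonl(rows: list, path=DEFAULT_OUT) -> int:
    """Write one JSON object per line; returns the number of rows written."""
    with Path(path).open("w", encoding="utf-8") as fh:
        for row in rows:
            fh.write(json.dumps(row, sort_keys=True) + "\n")
    return len(rows)

def load_jsonl(path=DEFAULT_OUT) -> list:
    """Read the saved rows back so they can be filtered later without re-querying."""
    with Path(path).open(encoding="utf-8") as fh:
        return [json.loads(line) for line in fh if line.strip()]

if __name__ == "__main__":
    # usage: python shodan_save.py <api_key> <query>; without arguments the sample is used
    results = search(*sys.argv[1:3]) if len(sys.argv) >= 3 else SAMPLE_RESULTS
    print(save_jsonl(flatten(results)), "rows written to", DEFAULT_OUT)
```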

Camera hacking

  • It is important to check what the firmware version is. If the firmware is 3.0+, it has been patched.

  • There’s a Chrome extension which helps to perform a MiTM attack to get the password reset for the Dahua camera.

  • To view the camera you need to use Microsoft Edge (a.k.a. Internet Explorer).

  • The best hack is the one the victim does not know about.

  • Always cover your tracks!

  • You should implement upload validation for firmware updates. There is input validation, but there should also be upload validation.

  • There’s always a way to get into the system.

Useful Tools

  • Pale Moon browser (also streams video from cameras) - use the 32-bit version.

  • Mousepad - a good text editor for Kali. Don’t think it will be better than Nano though :D

  • ipinfo.io - useful info about IPs

  • Do not leave a user named admin. It makes it a lot easier for an attacker to get in, since they only need to guess the password.

RFID

RFID is a form of anti-theft control. It is a way to track items, people, products and other things.

  • RFID readers can act as IoT devices.

  • RFID usually feeds data into the IoT network.

RFID Tags

There are active, passive and semi-passive tags.

  • An active tag has its own power source.

Advantages of RFID are:

  • Speed

  • Durability

  • Security - if it is encrypted. The encryption has to be good.

NFC is a sub-set of RFID.

You could use a high-gain antenna and pick up the NFC signal.

Challenges of RFID

  • Cost

  • Interference

  • Privacy

Additional info about RFID

Low frequency = low range

Higher frequency = more memory

Higher frequency = Problems with interference

MIFARE is the most popular product line. It is made by NXP, a dominant player in this field.

2G/3G mobile phones operate at Ultra-High Frequency (UHF) - 860-960 MHz.

LF cards are easier to work with, and also easier to clone.

VPN security

If you use a VPN, you hide your traffic from your ISP. Of course, if you use cookies, you reveal lots of information to the endpoint regardless of the VPN. A VPN does not make you safe.

If you use, for example, VPN + firewall + IDS, it is safer, because there are more layers an attacker has to get through.

Fortinet is not very secure; there have been many CVEs showing gaps in Fortinet products.

Router security

If you compromise the router, you own all of the traffic on the network.

RouterSploit works well for easy stuff. Always try the easiest way first.

When you compromise SNMP v1, you are in the network. There’s a good tool in Kali - snmpcheck.

There are also some other good tools for cracking router security.

Bluetooth security

There are some HW tools which make cracking BL/BLE security easier.

Keep in mind that Bluetooth is difficult to jam, because it uses frequency hopping.

One of the key Bluetooth security features is frequency hopping.

Hedy Lamarr invented the frequency hopping that Bluetooth uses.

For example, your keyboard uses Bluetooth and you crack the keyboard’s Bluetooth security. Then you can send keystrokes to the computer remotely, and if you send keystrokes, you control the device.

Bluetooth classic

  • It operates at 2.4GHz ISM

  • It uses 79 channels, spaced 1 MHz apart, ranging from 2402 MHz to 2480 MHz

  • Typical range - up to 100 meters

  • Each Bluetooth device has a unique 48-bit address (BD_ADDR)

  • It consumes more power than BLE (Bluetooth Low Energy)

Bluetooth BLE

It operates in the 2.4 GHz ISM band. It uses 40 2-MHz channels. Typical range - up to 50 meters.

  • It allows devices to work for months or even years with a small battery. Device only wakes up when it is needed.

  • It supports 2 types of communication - device to device and broadcast-based.

  • Key protocols are GATT (Generic Attribute Profile) and GAP (Generic Access Profile)

  • It is not compatible with Bluetooth Classic. Usually devices have both BLE and Bluetooth Classic.

  • BLE is ideal for IoT.

Mesh

Possibly Mesh networking will be the future.

Outro

It was really interesting to dive into these technologies. I’ve used some Linux tools, and I’ve purchased some HW for the tasks.

Security of these technologies is really important. It is a great challenge, but with great challenges comes the best experience and lessons.

As always, I’d like to give big credit to Master OTW. I really like his learning style. If you want to dive deeper into IoT hacking, check out OTW’s course on Hackers-Arise.