Table of Content
- The Raspberry PI 2’s IP address and port
- Changing the Raspberry PI 2’s IP address
- Changing the RPI2’s username and password
- Getting expert security hardware advice
Previously, we talked about the inherently insecure nature of IoT Devices and explored some of the vulnerabilities of these devices. Now, we will dive into more details on how attackers could execute them.
Let’s say an attacker is in the same network as the device. The attacker would need to connect to the router to connect to the device’s network.
In this case, the attacker can use the following two attacks to extract information about the device’s model:
MAC spoofing: The attacker could connect to the device to change its MAC address. The attacker would do this by injecting a particular WEP packet that would replace the standard data received by the machine—crafted so that it would only work with the device.
WPS beacon: The attacker could connect to the device to inject a specially crafted beacon. When the device receives the beacon, it will react differently than it would with the standard packets. For example, the device might change its MAC address.
SMS beacon: The attacker could connect to the device to send a specially crafted beacon. When the device receives the beacon, it will change the mobile number. Attackers could intercept SMS messages the device would typically send.
Web application beacon: The attacker could connect to the device to inject a specially crafted beacon. When the device receives the beacon, it will access the site attacked. An attacker might exploit any web application vulnerabilities to get access to the device’s data traffic.
Attackers might use any vulnerabilities that might allow them to access the data traffic sent by the device.
The attacker could potentially spoof an access point to connect to the device to grab any information about the machine—even using this to change its configuration or settings.
The attacker could send a specially crafted message that would cause a response which is a denial of service condition or crash the device.
WPA and WPA2: In WPA/WPA2, there is no bullet-proof protection against this attack. An attacker could connect to the network to inject a beacon and then cause the attack.
If the device doesn’t require encryption, an attacker can sniff and replay network packets. WPA2 does not require the use of encryption (it’s still in WPA), so the sniffing scenario above is not possible, but the replay scenario is.
Most modern devices have many WLAN interfaces which would allow an attacker to target a victim device. In a coffee shop, it would be a perfect setup: an attacker with a laptop or netbook (with WLAN), an attacker with a smartphone (which works for WPA attacks but not for WPS ones), an attacker in a neighboring room (with a computer) and wireless router in the coffee shop (with WPS).
If the device is a laptop with WLAN, it is easy for the attacker to connect the computer to the router using a wireless adapter to sniff the air. Then the attacker can replay the traffic captured. If the router supports WPS, the attacker can trigger a WPS attack more quickly than a classic attack.
A lot of devices can use an antenna when the WLAN isn’t available. The easiest way for the attacker to do this is to open the Wi-Fi network in a hotel or apartment and then open a browser on his mobile device to visit a malicious website.
Therefore, the device must have WPA2, and the client must validate the association with WPA-PSK (WPA pre-shared key). The problem is that WPA is insecure, and the default configuration of many devices is insecure.
WPA-PSK configuration is too weak: weak security allows a WPA-PSK to be easily brute-forced in a matter of seconds.
WPA-PSK uses the device ID of the network—meaning that you can sniff the network’s traffic for a device with a client having the same name as the network. (For example, if I connect to a network “Rack,” I can sniff all traffic from any device which uses “rack” as its WPA-PSK).
There is no password-less configuration option. Some devices allow a weakly encrypted configuration such as “password” or “no encryption,” allowing an attacker to decrypt the traffic from a victim device without a password.
So, to secure against the “coffee shop attack,” you should use WPA2-EAP. You can also combine it with a PIN (since many devices require one).
If the device has a display and the attacker has the PIN of a victim, he can make the device appear to be in the victim’s presence even if the victim is miles away—because of the PIN (i.e., password) entered into the machine.
If a user can get to your device, they can type any password into the WPA2 network page and then type it into any other device requiring a password—allowing the device to connect to your Wi-Fi network. If the connection is encrypted, they can now read your wireless traffic.
Many users turn off encryption, leave a weak password that is easy to type, or otherwise compromise the WPA2 security protocol.
A possible way to truly stop this kind of attack is to force every device that connects to your network to use some device-specific authentication (such as a static PIN for mobile devices). If the user can’t get to your device, they can’t enter the PIN. If you have any reason to think someone is trying to get to the device, you can force a PIN and see if they could connect without that PIN.
The Raspberry PI 2’s IP address and port
The Raspberry Pi controller board is one of the most popular IoT devices globally, which deserves special attention. Let’s explore it a bit.
The manufacturer assigns the device’s IP address and port to a unique address, usually between 192.168.1.x. The device’s IP address is assigned based on its MAC address.
The port is a number that identifies a service or process that a program runs on. An application running on the device would then communicate with the device using the particular port number.
The default IP address of the Raspberry PI 2 (RPI2) device is 192.168.1.100. The default TCP port is 80. The device also has a web server running by default.
An attacker can connect to this device using a web browser to see what the device is doing. This device also has a default username and password assigned to it. If an attacker knows this, he can log in to this device using his default username and password. The attacker could potentially change this default username and password.
Changing the Raspberry PI 2’s IP address
The RPI2 has a default IP address of 192.168.1.100. An attacker could modify the device’s configuration to change its IP address to another address.
However, if an attacker could connect to the RPI2 using the device’s IP address, he could change the device’s settings. He could then use the device at that new IP address. An attacker could also create a new connection using the old IP address to change the device’s configuration.
An attacker could also try to connect to this device using the old username and password to change the device’s configuration. However, if an attacker could relate to the RPI2 utilizing the device’s IP address, he could change the device’s settings.
Changing the RPI2’s username and password
The device’s default username and password are typically pi—stored in a configuration file. If an attacker can get a copy of the configuration file and use it to connect to the RPI2, he could change the device’s username and password to something else.
Getting expert security hardware advice
IoT devices present a myriad of security challenges, and as an organization, you shouldn’t let your guard down. Therefore, as developers of IoT-enabled applications, we create secure software by default; nevertheless, getting additional expert security advice is always a good option, especially when securing the hardware aspects of your IoT deployment.
In a subsequent article (IoT Devices Security Concepts, Measures and Protocols), we will explore measures to secure IoT devices trending in the industry, so stay tuned.