This presentation aims to share working knowledge on how attackers are taking an advantage of connected (IOT) devices for scaling attacks. From hardware to repeatable software exploitation that scale. X-ray on the current security resilience of some of today's connected devices. Typically challenges developers are facing today and a proof of concept attack on a "secure" connected camera with critical consequences. Finally we give valuable takeaways for improving the security of your solutions and avoid these horrible mistakes.

1. 1
Hack an IoT device,
break them all:
Escalating hardware
attacks
Rafael Boix Carpi
Principal Trainer & Security Specialist

2. 2
About me
• Principal Trainer & Security specialist at
Riscure (The Netherlands)
• Riscure provides training, tooling, security
evaluations and consultancy on hardware
and software solutions
• Automotive
• Smart-cards / secure elements / …
• Hardened cryptographic
implementations
• Mobile payment solutions
• Pay-TV / Content-Protection / …
• TEEs / White-box-crypto / secure
boot…

3. 3
A couple stories about
IoT (in)security

4. 4
A couple stories about IoT (in)security
Intro
2017: Over 8.4 billion “things” connected to internet

5. 5
A couple stories about IoT (in)security
Intro
Fish tank
Img src: https://www.bitdefender.com/box/blog/iot-news/attacker-uses-smart-fish-tank-steal-casino-data/
2018: IoT fish tank

6. 6
A couple stories about IoT (in)security
Intro
Fish tank
Img src: https://www.bitdefender.com/box/blog/iot-news/attacker-uses-smart-fish-tank-steal-casino-data/
https://www.quora.com/What-is-the-difference-between-the-thinking-of-Programmer-and-Hacker
2018: IoT fish tank

7. 7
A couple stories about IoT (in)security
Intro

8. 9
Img src: https://www.amazon.com/FoxDen-IoT-Multi-color-Smart-Bulb/dp/B01MQQHR00
2018: IoT light bulb
A couple stories about IoT (in)security
Intro
Light bulb

9. 10
A couple stories about IoT (in)security
Images/video from full report:
http://iotworm.eyalro.net/iotworm.pdf
Intro

10. 12

11. 13
Why does
security go wrong
in IoT devices?

12. 14
X-ray of an IoT device
Typical IoT device:
Heart of the device:
• general purpose microcontroller (MCU)
TON of features for extremely low $$$
• WiFi / Bluetooth / ZigBee / memory / …
• Lots of interfaces & sensors
• Feature-packed devkit typically < 20$
IoT Achilles heel: hardware (physical) attacks
• All general purpose MCUs quite vulnerable
to hardware attacks (SCA/FI/…)
• Yes, all general purpose MCUs
• Chip vendors know: also offer secure
MCUs 

13. 15
The challenge of IoT developers
Putting proper security in devices is not free
• Secure MCUs/protocols/coding standards/… cost money and time
The IoT doom pattern
Time pressure + limited budget + design tradeoffs == bad security
practices
IoT
Developers
Security Eng.

14. 16
How fast can
security issues escalate
in IoT devices?

15. 17
Escalating a hardware attack
General purpose MCUs are vulnerable to hardware attacks
Hardware attacks reveal secrets/information about a device
• What if that secret information affects all devices?
• What if that secret information exposes a remote attack path?
• If yes to both: attack SCALES VERY FAST
Repeat
forever

16. 18
Escalating hardware attacks on a generic
ES
Hardware
attacks expose
flaws
• Reverse Engineer
• SCA/FI
• …
Find a
remote way
to access
the flaw
Remote
exploitation
of flaw

17. 19
Escalating hardware attacks on IoT devices
Hardware
attacks expose
flaws
• Reverse Engineer
• SCA/FI
• …
Find a
remote way
to access
the flaw
Remote
exploitation
of flaw
Achilles
heel of
IoT
I in IoT
stands for
internet
Bad
security
practices

18. 20
Case 1:
IoT camera

19. 21
Case 1: IoT camera
• IoT camera bought from China
• 17 euros ( ~1500 rupee)
• Tons of features
• Wi-Fi connection
• 2-way audio
• HD image
• Motors for rotating the camera
• IR light for night imaging
• Logs data to microSD card
• Phone app for Android & iOS
• ….
What can go wrong?
Case 1: IoT camera

20. 22
Case 1: IoT camera
Let’s open the camera and
identify interfaces
Case 1: IoT camera

21. 23
Case 1: IoT camera
Let’s open the camera
and identify interfaces
Case 1: IoT camera
Google + a bit of RE:
• Ingenic T10 SoC
• Heart of the system
• MediaTek MT7601 SoM
• Wifi comms
• DoSilicon FM25Q64A
• Storage for OS
(linux)
• Atmel AT24C02 I2C flash
• Storing camera
model
• MAC address
• Transistor array
• Powering the motors

22. 24
Case 1: IoT camera
The camera runs an OS… can we see it?
• Most embedded systems still have a
UART
• Of course, this camera too
Case 1: IoT camera
UART TX
UART RX

23. 25
Demo:
From local attack
to remote
worldwide attack

24. 34
Case 1: recap
Camera security fully bypassed & backdoor for free
• These cameras are used typically as baby monitors: privacy violation
• Linux system: can be used for illicit activities, e.g. bitcoin miners
• IoT botnet Mirai almost brought down DNS in parts of the world
Remark: don’t access other people cameras without permission, it is illegal
Case 1: consequences
HW attack:
Serial port reveals root
password
Found telnet:
users & config
exposed
Access remotely
video stream &
all config

25. 35
Case 1: takeaways
Takeaway 1: bad security practices + hardware attack == scalability
• Use strong passwords
• Do a little pentesting, including hardware attacks
• Put firewalls
Takeaway 2: flawed IoT devices == stepping stone for bigger attacks
• Root access to Linux system: enemy in-house
Takeaway 3: proper security is not free; demand proof of security work
done
• Evaluation labs are like doctors:
• You can choose not to go
• But if you don’t go, prepare for the consequences
• In the IoT realm: consequences can scale really fastCase 1: takeaways

26. 36
Case 2:
AES on IoT device

27. 37
Case 2: AES on IoT device
In a much better world…
• IoT devices have a Secure Development Life Cycle (SDLC)
• Follow security best-practices
• Use strong crypto & protocols
Is it still enough?
Case 2: AES password on IoT

28. 3838

29. 39
Case 2: AES on IoT device
Lots of people solved the software challenges
But very few attempted the SCA and FI challenges 
Typical reasons given:
• “The SCA equipment is very expensive”
• “SCA and FI are too difficult”
• “These attacks are only for evaluation labs”
• “I’m allergic to mathematics”
• “I will destroy my device”
Case 2: AES password on IoT

30. 40
Case 2: AES on IoT device
Challenge: Piece of SCAke (available on
riscure.com/Github)
Goal
• Get the AES key from the device
Info
• Device has no logic flaws
• The device performs AES encryption of a message
• Then replies the encrypted message
Case 2: AES password on IoT
Plain text Encrypted

31. 41
Case 2: AES on IoT device
Note: there are SCA/FI attacks for all sorts of crypto
Case 2: AES password on IoT

32. 42
Case 2: AES on IoT device
Side-Channel Attacks (SCA) recipe:
1 – Talk or listen to a device doing crypto (e.g. AES)
2 – Measure power consumption of device doing crypto
3 – SCA program “computes math” with collected data
4 – You get the crypto key
Full detailed walkthrough of this attack using only Open Source software and cheap
tools: http://www.riscure.com/gocheap
Case 2: AES password on IoT

33. 43
Case 2: AES on IoT device
INTRODUCTION
Computer
Resistor
Power measurement
Power trace:
- Measured power
- I/O data

34. 44
Demo: SCA attack

35. 45
Case 2: recap
AES cryptographic key revealed
• This allows to impersonate manufacturer / authorized users
• Malicious updates will be indistinguishable from legit updates
• Update a malicious firmware: IoT device as attack tool
• This can also allow to decrypt IoT device communications
Case 2: consequences
HW attack:
SCA reveals AES master key
from devices
All devices share
the same master
key
Forge signatures,
intercept&decrypt
traffic, MitM
attacks …

36. 46
Case 2: takeaways
Takeaway 1: sophisticated hardware attacks now affordable for
anyone
• Full setup costs less than 50 euro (~4000 rupees)
Takeaway 2: problems are much more persistent than they seem
• Even with good practices, there can be security issues
• But good practices make attack scalability (much) harder 
Case 2: takeaways

37. 47
Wrap-up:
Is there any hope?

38. 48
Wrap-up: is there any hope?
The IoT doom pattern will chase us for a long time
• Time pressure + low budget + design tradeoffs == doom 
• Bad security practices often lead hardware attacks to global scale
Can you do something now?
Apply mitigations until good security is forced into all IoT devices
• Firewalls, IDS, network segmentation, firmware updates…
• Holistic view for security: look at a system level, not device-level
More info: Thread group, OWASP IoT Project, “Security Engineering”
book…
Conclusions

39. 49
Wrap-up: is there any hope?
Perfect security does not exist, but good enough security does
• Other markets have achieved good security: it is possible
Can you do something now?
• Follow good security practices
• Strong, per-device passwords/keys; proper crypto & protocols
• Don’t use broken stuff
• Follow a good security training course and ask the experts for
help
• If you already follow good practices: keep & step up your security
game
• Defensive coding, hw protections, …
Conclusions

40. 50
Q&A
Q&A

41. 51
Challenge your security
Riscure B.V.
Frontier Building, Delftechpark 49
2628 XJ Delft
The Netherlands
Phone: +31 15 251 40 90
www.riscure.com
Riscure North America
550 Kearny St., Suite 330
San Francisco, CA 94108 USA
Phone: +1 650 646 99 79
inforequest@riscure.com
Riscure China
Room 2030-31, No. 989, Changle Road, Shanghai 200031
China
Phone: +86 21 5117 5435
inforcn@riscure.com
Further questions/information:
Rafael Boix
Principal Security Specialist
📩 rafael@Riscure.com