IoT Security Part 13 (Introduction to Hardware Recon) This blog is part of the IoT Security series where we discuss the basic concepts pertaining to the IoT/IIoT eco-system and its security. If yo...

MQTT Broker Security - 101 This blog is part of IoT Security series where we discuss the basic concepts pertaining to the IoT/IIoT eco-system and its security. If you have not gone through the pre...

Ten Security Objectives to consider while Building an IoT/IIoT product As calculated by former Cisco researcher David Evans, every second, https://www.politico.com/agenda/story/2015/06/internet-of...

This blog is part of the IoT Security series where we discuss the basic concepts pertaining to the IoT/IIoT eco-system and its security. If you have not gone through the previous blogs in the series, ...

This blog is part of IoT Security series where we discuss the basic concepts pertaining to the IoT/IIoT eco-system and its security. If you have not gone through the previous blogs in the series, I wo...

Introduction This blog is part of the “IoT Security” series. If you haven’t read the previous blogs (parts 1 - 8) in the series, I urge you to go through them first unless you are already fa...

Introduction This blog is part of the “IoT Security” series. If you haven’t read the previous blogs (parts 1 - 7) in the series, I urge you to go through them first unless you are already fa...

Introduction This blog is part of the “IoT Security” Series. If you haven’t read the previous blogs (parts 1 - 6) in the series, I urge you to go through them first unless you are already fa...

Welcome to Part-2 of ARM firmware emulation blog series. If you haven’t gone through part 1 of Firmware Emulation, I would recommend to go through it. ARM system built during https://payatu.com/blog...

ZigBee Security 101 This blog is part of the “IoT Security” Series. If you haven’t read the previous blogs (parts 1 - 5) in the series, I urge you to go through them first unless you are alr...

ZigBee Protocol 101 This blog is part of the “IoT Security” Series. If you haven’t read the previous blogs (part 1- 4) in the series, I urge you to go through them first unless you are alrea...

CVE Details ID : https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-12763 https://payatu.com/advisory/trendnet-wireless-camera-buffer-overflow-vulneribility Description TrendNet ProVi...

Introduction Security analysis of the device firmware is a very crucial part of IoT Security Auditing. Obtaining firmware is amongst the many challenges of the analysis and there are tons of techn...

Introduction Hello everyone, this blog demonstrates how to simulate/virtualize the ARM-based firmware in your system. This blog is for the people who are interested in IoT security and love playin...

Stack exploitation based on buffer overflow has been one of the well-known security exploits. Refer https://payatu.com/blog/Siddharth-Bezalwar/understanding-stack-based-buffer-overflow for the basic u...

I have been wanting to write this blog for quite some time, either I was busy or lazy. I have been asked by so many people on the list of hardware to buy to get started with hardware hacking. To be honest, there are a lot of products available, but not many target beginners. In this blog i will cover about using SPI, I2C, JTAG/SWD and JTAGenum using Raspberry Pi. I will be using Raspberry pi zero w, as it is dead cheap and small. Setting up your Raspberry Pi Before you go into each section, I would suggest you boot into your raspberry pi and enable SPI, I2C, GPIO from the interfacing options in the raspi-config menu.  You can follow this link for setting up your Pi.  In all the connection pinouts, It is the hardware pin location and not the GPIO number. ...

This is my another case of a vulnerable IoT device. In my previous blogs, we talked about vulnerabilities there was found in Smart lock and beacons. This one is a fun device, which is made for kids to learn to code and play with it. I don’t have access to the device, so I just checked on the mobile app and found series of vulnerability. These are my findings on a Connected smart toy – MyMiko by Emotix from their Android app. Findings 1: Hard Coded information in the android app It was identified on extracting the android app. several hard-coded information is present. These hard-coded information involves API calls, Web Endpoints and other information which could pose a threat. Steps:...

With the advent of IoT, everything is getting connected to the internet. Bluetooth is one such protocol which is used to connect devices to the internet as the most mobile device has Bluetooth Capability, you can check this blog on how to reverse a Bluetooth communication.  There are devices called Bluetooth beacons which are used to track devices which are in close proximity, companies have started connecting these beacons to the internet with geolocation and this is one such example. This is a case of my findings on a Smart Bluetooth Beacon from Sensegiz The testing was done on their Android Mobile Application. For User's privacy, the IP/End-Point is not disclosed. It will be replaced by xxx. Findings 1: Directory indexing...

If you haven’t read through Part 1 to Part 3 of our IoT Security Blog series I would urge you to go through them first unless you are already familiar with the basics of IoT. Link to the previous blog – IoT security – Part 3 Bluetooth has been a buzz-word as people wanted all their devices to be smart and which basically implies that you get to control things across the devices and not needing to carry wire around. Bluetooth has been in the market for more than a decade. If you’re a millennial, you would have used those classic fancy Nokia phone which has Bluetooth in it. Bluetooth was invented by Ericsson and other vendors have started using Bluetooth. Soon after that, all the major vendors created a consortium called as Bluetooth Special Interest Group – SIG which governs how the standard should be and the interoperability between different versions. We are not going to talk about Bluetooth. Bluetooth by itself is a massive stack and their specification is around 2000+ pages.  In this blog, I will be covering only the Bluetooth Low Energy more famously known as BLE. With the advent of connecting all the things to the internet, there comes the problem of power and resource. As I mentioned early, Bluetooth is a huge stack. Implementing it in an end device like a fitness band would take more power and resource. So in the Bluetooth 4.0 standard, they introduced something called Low energy which is specially targeted for IoT and smart devices which runs on memory and power constrained devices. Bluetooth SIG started selling the standard as Bluetooth Smart. Which has two components, Bluetooth smart devices are end devices which have only the Bluetooth Low Energy component and Bluetooth smart Ready are the device which is capable of doing both the Bluetooth LE and the EDR-Bluetooth classic component which could be your central device, ie, mobile phone or laptop. ...

  Disclaimer: The smart lock which i got is pretty common and it is even available in amazon. Several thousands devices are already in the market, I have changed the name of the brand to something imaginary – “*unhackable*” Smart Lock.     Smart Lock: The lock which i got is from a company called as *unhackable*, which is a chinese company . You also get the same lock locally from amazon. So people do use these devices. The specifications are good too.  ...

When talking about Top Ten vulnerabilities, the first thing that comes to our mind is OWASP. Why not, after all they are the pioneers in defining top 10 vulnerabilities for web and mobile. I’m an OWASP fan, simply because of the work the OWASP community has done over the years to define Application security issues, provide free tutorials and open source tools for the Industry to mitigate the risks and vulnerabilities. It would be highly unlikely that you haven’t heard of OWASP or read content from their website, however if you have not, I strongly suggest that you go through their website  https://www.owasp.org OWASP has also started the IoT security initiative where the community has defined the IoT attack surface and the IoT Top 10 vulnerabilities in addition to web and mobile. They are in the right direction and soon enough it will be an excellent place for IoT security content. The content relevant to the reader for IoT security on OWASP website is as follows: 1. OWASP Web Top 10 project: – https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project 2. OWASP Mobile Top 10 Project: https://www.owasp.org/index.php/OWASP_Mobile_Security_Project 3. OWASP Internet of things project: https://www.owasp.org/index.php/OWASP_Internet_of_Things_Project...

Welcome to the 2nd post in Radio Hacking series. I hope you have gone through the 1st part. If not please check Part-1. Also, I hope you have installed GQRX on your PC/LAPTOP. Let’s start. What we will learn – In this post, we will learn how to use GQRX along with RTL-SDR. We will be using RTL-SDR to receive FM signal for listening  a song. Tools – We will use RTL-SDR and GQRX. Please install GQRX on your PC/LAPTOP. What is RTL-SDR – RTL-SDR is a cheap USB dongle which can be used for “RECEIVING” Radio Signal. In our case, it will capture the FM signal. It’s price is around $20. RTL-SDR is also referred as RTL2832U, DVB-T SDR, RTL dongle or the “$20 Software Defined Radio”. There are many other software defined radios better than the RTL-SDR, but they all come at a higher price. RTL-SDR looks like this –...

IoT and smart devices are dominating the market at a tremendous rate. But with growing competition in the market, these devices often forgo proper standard and security procedures leadin g to attacks, including, Mirai botnet, reaper attack, and others that are yet to be discovered. The good news is these incidents have cautioned companies to take security testing more seriou sly. This has resulted in a host of security testers, developers and software security professionals getting into IoT penetration testing. ...

I have been working with Bluetooth for quite some time. I chose to reverse engineer a smart device to prove how crazy is the security standard being implemented in these smart devices. In this post, I will be showing you how I reverse engineered a Bluetooth based (Smart) Massager and how I could exploit it to make it lethal. Now how is a massager lethal? Massager works on a principle called as TENS — transcutaneous electrical nerve stimulation. Our entire nervous system works based on neural impulse, which is electric signals. Sense of p inch to the sense of orgasm is an electrical impulse which is going to secrete different hormones in your brain and you feel pain or pleasure....

Welcome! I hope you have gone through the previous blog post “IoT Security – Part 1” If not, I would urge you to go through it to understand the meaning of IoT and IoT architecture. Now we will start getting into security and try to define a way to understand and create a structured process to perform security research or penetration testing of IoT. If we look at the architecture defined in the previous post, it now becomes clear and easy for us to segregate the components of IoT and try to define the attack surface for each one of them individually and then combine them to create a holistic overview of the IoT ecosystem attack surface. I call it IoT ecosystem instead of IoT product because it indeed is an ecosystem of different components talking to each other and solving a particular real world problem. Let’s go ahead and define the attack surface of IoT ecosystem and discuss each component’s attack surface in detail. The attack surface by components can be divided into three or four( if we include communication as an attack surface) major areas as follows: Mobile Cloud Communication...

The problem with every new and complex technology for security researchers is not knowing where to start and how/where to attack. This is a common problem and has a common solution i.e. breaking the technology into small components and start learning each component individually. This process makes you master each component and guides you to focus on the most interesting components according to the researcher. If you have read till here, I’m assuming you are going to stick around and read through. So, without any delay let’s start : ) . Note: 1. The information in this blog series is generic and can be applied to the security research of IoT products in any domain irrespective of their usage including Home automation, Industrial Control Systems, Healthcare, Transportation etc. 2. I will use the words device, hardware and sensor interchangeably to mean the same thing unless specifically mentioned with explanation. 3. I mention IoT ecosystem to mean an IoT product or a solution due to the nature of the IoT technology that comprises of different technologies. IoT != Hardware...

In this blog series, we will be learning about Radio Frequency (henceforth RF) theory, various modulation techniques and how to analyze them. Since the topic is huge, we will cover RF basics and theory in this part. Also, instead of using technical terms and definition, I will be using simple words to make you understand any topic/concept easily. Why we should study RF ?? – Internet of things – IoT, we all have heard this term right?? The popularity of IoT and all the devices getting connected wirelessly is imminent in today’s life. The majority of these devices will communicate with each other wirelessly using radio protocols ( frequency range ~ 3 kHz to 300 GHz). IoT devices use different Radio protocols such as ZigBee, RFID, Bluetooth etc. for communication. If we go back in time, many vulnerabilities have been found and exploited in IoT devices using some sort of radio communication. So, for pentesting IoT devices we need to have a strong foundation of various radio protocols, how they communicate and different modulation schemes they use for communication.  Thus, analyzing radio communication is of utmost importance from a security point of view and cannot be taken for granted. So let’s start....

Before we start, we need to understand first Bluetooth communication, there are 2 types Bluetooth communications, Classic Bluetooth i.e Bluetooth 2.0 Bluetooth Low energy i.e BLE 4.0 Actually, Classic Bluetooth specification started from Bluetooth 1.0 and 1.0B, these specifications are handled by SIG (Bluetooth Special Interest Group) and all Bluetooth manufacturers and service companies are a member of SIG....

Firmware analysis gives more understanding about the embedded device and what it contains. It helps to, Identify vulnerabilities in the embedded device firmware. Improve product stability and resistance to attacks. Do security auditing...