Last Updated on : 2022-03-03 06:23:09download
This topic describes how to perform security tests on the Tuya IoT devices from different aspects based on the overall IoT framework.
|Test classification||Test item|
|Hardware security||Physical damage, firmware fetching, and storage media|
|Firmware security||Firmware OTA security, firmware static analysis, firmware dynamic debugging, and firmware signature verification|
|Communication security||Wi-Fi protocol, Bluetooth protocol, Zigbee protocol, and NFC/RFID|
|System security||Open port of device local service, privilege separation, system kernel vulnerabilities, buffer overflow, and information leakage|
|Encryption and authentication algorithm||Encryption and authentication algorithm|
|Privacy security||User data deletion|
|Server security||Server security test|
A printed circuit board (PCB) is an important electrical component.
The first step of a hardware attack is usually to disassemble the device, and then get more information by checking the device’s chips and exposed ports to prepare for subsequent analysis.
The main inspection scope includes:
The main risks include but are not limited to:
The most effective approach for hackers to attack hardware is fetching the firmware. After fetching the firmware, the hacker can analyze and test the firmware to exploit the general vulnerabilities of the firmware. Or the hacker can analyze the hard-coded parameters of the firmware to get a guessable password (usually referred to as a backdoor) for this model. There are many approaches to read and get the firmware for a more comprehensive analysis.
The firmware is the operating system that the device runs. The firmware is generally stored in the chip and exported from the flash, and then operated by the CPU. Storage in flash can be encrypted, but flash can also be stored in plain text, and the data recalled from the memory can also be in plain text.
Firmware is classified into two types: login Shell system and non-login Shell system. The two types of systems differ in analysis, but in general, they can still be reversely analyzed.
In addition to flash, some special devices have additional storage, such as SD cards. These storages have special functions, such as updating firmware locally.
Common devices with such functions are cameras, routers, and more. If such functions exist and the firmware is not verified during the local update, arbitrary code execution might occur.
Over-the-air programming (OTA) is a method for distributing new software, configuration, and even updating encryption keys for devices. The process of firmware OTA is also susceptible to security problems, such as OTA hijacking, firmware downgrade, and more.
After getting the firmware of the smart device, the hacker needs to get the files in the firmware. The firmware content can be fetched manually or with an automated tool. The fetched firmware is generally a hexadecimal .bin file or a .hex file. After reverse analysis or unpacking, the actual logic code is got, and the key code is analyzed or modified according to the requirements. And the logic code is repackaged and flashed back to the chip. The attack is implemented by making the hardware run the modified firmware.
Firmware hard-coding is actually just a common type of problem in static analysis. Hackers can also analyze the firmware to find vulnerabilities and get technical information to check for plain texts or sensitive information that can be guessed. By discovering a series of problems and using them as a combination, the hackers can crack the device and get the device permissions.
After getting the firmware, the hackers need to run the firmware to simulate the firmware program for debugging and vulnerability exploiting.
This operation is to run the fetched firmware and prepare for the security analysis afterward.
QEMU is an emulator written by Fabrice Bellard that distributes source code under a GPL license, and it is widely used on the GNU/Linux platform. It is similar to Bochs and PearPC except for some attributes such as high speed and cross-platform. Through a closed-source accelerator KQEMU, QEMU can simulate the speed close to a real computer.
Two modes for QEMU:
Check for the tamper verification mechanism of the firmware, such as version number verification. Check whether the firmware can be edited the second time or the malicious firmware can be updated, thus causing the problems of device permissions being got and a backdoor being added to the device.
Wi-Fi is a wireless local area network technology based on the IEEE 802.11 standard.
Common Wi-Fi problems include but are not limited to data replay, key leakage, decryption, and message forgery.
Bluetooth Low Energy (Bluetooth LE) is a personal local area network (LAN) created by Bluetooth SIG. The Bluetooth LE applies to the healthcare, fitness, beacons, security, and home entertainment fields. Compared to classic Bluetooth, Bluetooth LE is intended to provide considerably reduced power consumption and cost while maintaining a similar communication range.
Since the current devices are mostly using Bluetooth LE, the test here is based on Bluetooth LE.
Common Bluetooth LE problems include but are not limited to device deadlock, overflow, key information leakage, key data replay, and more.
Zigbee is a wireless network protocol for low-speed and short-range communication. The bottom layer is a media access layer and a physical layer in compliance with the IEEE 802.15.4 standard. The main attributes of Zigbee are low speed, low power consumption, low cost, low complexity, high reliability, high security, and supporting a large number of network nodes and multiple network topologies.
Common Zigbee problems include but are not limited to default key usage, key data replay, key information leakage, overflow, and more.
Radio frequency identification (RFID) is a contactless data communication between a reader and a label, enabling target recognition. RFID applies to a wide range of fields including animal chips, car chip anti-theft devices, access control, parking lot control, production line automation, and material management.
Additional ports include ports whose purpose is not clear, ports that are not used in production, and more. Such ports can easily cause leakage of sensitive information, buffer overflow, command injection, and other problems.
If you can log in to the device through the serial port, the system executes with a root permission account. When entering the system, the hacker has the root permissions right away.
The system version is too early and has multiple Linux kernel vulnerabilities that are often used for permission escalation.
An attack method of writing data beyond the length limit in the heap or stack thereby destroying the operation of the program and even getting control of the system. It is easy to cause problems such as system permissions and DDos being got.
The transmitted information that is unencrypted or carrying sensitive information is at the risk of being exploited by hackers.
Check whether the device uses reliable encryption when communicating with the cloud, whether the integrity of the communication content is verified, and whether communication certification and authorization detection are completed.
The sensitive user information needs to be deleted after reset.
The device and the cloud usually communicate through the Internet. The data packets exchanged during the communication may contain sensitive information such as device operation information and device MAC address, which can be used for device binding and other operations. The inspection of data communication includes whether the communication is encrypted, whether the encryption is complete, whether the integrity verification and certification are executed for the communication, whether there is a vulnerability in the authorization, and whether the data packet can be run after being replayed, and more.
Is this page helpful?YesFeedback
Is this page helpful?YesFeedback