Security Test

This topic describes how to perform security tests on the Tuya IoT devices from different aspects based on the overall IoT framework.

Test scope

Test classification	Test item
Hardware security	Physical damage, firmware fetching, and storage media
Firmware security	Firmware OTA security, firmware static analysis, firmware dynamic debugging, and firmware signature verification
Communication security	Wi-Fi protocol, Bluetooth protocol, Zigbee protocol, and NFC/RFID
System security	Open port of device local service, privilege separation, system kernel vulnerabilities, buffer overflow, and information leakage
Encryption and authentication algorithm	Encryption and authentication algorithm
Privacy security	User data deletion
Server security	Server security test

Hardware security

Physical damage

A printed circuit board (PCB) is an important electrical component.
The first step of a hardware attack is usually to disassemble the device, and then get more information by checking the device’s chips and exposed ports to prepare for subsequent analysis.

The main inspection scope includes:

• Check whether the debugging port and other important ports are open, and evaluate the impact after opening.
• The chip and ports of the circuit need to be secured to ensure that the model pin information is not leaked. The information leakage will speed up cracking and cause problems such as faster access to the device permissions.

The main risks include but are not limited to:

• Enabling the port for debugging or other ports may cause the firmware to be fetched.
• Through the port for debugging, the hacker can get operating parameters to debug or run the vulnerabilities.
• Through the port for debugging, the system permission can be got, which causes the fall of the entire system and trojan invasion by the hackers.

Firmware fetching

The most effective approach for hackers to attack hardware is fetching the firmware. After fetching the firmware, the hacker can analyze and test the firmware to exploit the general vulnerabilities of the firmware. Or the hacker can analyze the hard-coded parameters of the firmware to get a guessable password (usually referred to as a backdoor) for this model. There are many approaches to read and get the firmware for a more comprehensive analysis.
The firmware is the operating system that the device runs. The firmware is generally stored in the chip and exported from the flash, and then operated by the CPU. Storage in flash can be encrypted, but flash can also be stored in plain text, and the data recalled from the memory can also be in plain text.
Firmware is classified into two types: login Shell system and non-login Shell system. The two types of systems differ in analysis, but in general, they can still be reversely analyzed.

Storage media

In addition to flash, some special devices have additional storage, such as SD cards. These storages have special functions, such as updating firmware locally.
Common devices with such functions are cameras, routers, and more. If such functions exist and the firmware is not verified during the local update, arbitrary code execution might occur.

Firmware security

Firmware OTA security

Over-the-air programming (OTA) is a method for distributing new software, configuration, and even updating encryption keys for devices. The process of firmware OTA is also susceptible to security problems, such as OTA hijacking, firmware downgrade, and more.

Firmware static analysis

After getting the firmware of the smart device, the hacker needs to get the files in the firmware. The firmware content can be fetched manually or with an automated tool. The fetched firmware is generally a hexadecimal .bin file or a .hex file. After reverse analysis or unpacking, the actual logic code is got, and the key code is analyzed or modified according to the requirements. And the logic code is repackaged and flashed back to the chip. The attack is implemented by making the hardware run the modified firmware.
Firmware hard-coding is actually just a common type of problem in static analysis. Hackers can also analyze the firmware to find vulnerabilities and get technical information to check for plain texts or sensitive information that can be guessed. By discovering a series of problems and using them as a combination, the hackers can crack the device and get the device permissions.

Firmware dynamic debugging

After getting the firmware, the hackers need to run the firmware to simulate the firmware program for debugging and vulnerability exploiting.
This operation is to run the fetched firmware and prepare for the security analysis afterward.
QEMU is an emulator written by Fabrice Bellard that distributes source code under a GPL license, and it is widely used on the GNU/Linux platform. It is similar to Bochs and PearPC except for some attributes such as high speed and cross-platform. Through a closed-source accelerator KQEMU, QEMU can simulate the speed close to a real computer.

Two modes for QEMU:

• User mode: QEMU can launch the Linux programs compiled for different CPUs. Wine and Dosemu are its main targets.
• System mode: QEMU can simulate the entire computer system, including the CPU and other peripherals. QEMU makes it easy to test and debug programs across platforms. It can also be used to virtualize several different virtual computers on one host.

Firmware verification

Check for the tamper verification mechanism of the firmware, such as version number verification. Check whether the firmware can be edited the second time or the malicious firmware can be updated, thus causing the problems of device permissions being got and a backdoor being added to the device.

Communication security

Wi-Fi protocol

Wi-Fi is a wireless local area network technology based on the IEEE 802.11 standard.
Common Wi-Fi problems include but are not limited to data replay, key leakage, decryption, and message forgery.

Bluetooth protocol

Bluetooth Low Energy (Bluetooth LE) is a personal local area network (LAN) created by Bluetooth SIG. The Bluetooth LE applies to the healthcare, fitness, beacons, security, and home entertainment fields. Compared to classic Bluetooth, Bluetooth LE is intended to provide considerably reduced power consumption and cost while maintaining a similar communication range.
Since the current devices are mostly using Bluetooth LE, the test here is based on Bluetooth LE.
Common Bluetooth LE problems include but are not limited to device deadlock, overflow, key information leakage, key data replay, and more.

Zigbee protocol

Zigbee is a wireless network protocol for low-speed and short-range communication. The bottom layer is a media access layer and a physical layer in compliance with the IEEE 802.15.4 standard. The main attributes of Zigbee are low speed, low power consumption, low cost, low complexity, high reliability, high security, and supporting a large number of network nodes and multiple network topologies.
Common Zigbee problems include but are not limited to default key usage, key data replay, key information leakage, overflow, and more.

NFC/RFID

Radio frequency identification (RFID) is a contactless data communication between a reader and a label, enabling target recognition. RFID applies to a wide range of fields including animal chips, car chip anti-theft devices, access control, parking lot control, production line automation, and material management.

System security

Open port of device local service

Additional ports include ports whose purpose is not clear, ports that are not used in production, and more. Such ports can easily cause leakage of sensitive information, buffer overflow, command injection, and other problems.

Privilege separation measures

If you can log in to the device through the serial port, the system executes with a root permission account. When entering the system, the hacker has the root permissions right away.

System kernel vulnerabilities

The system version is too early and has multiple Linux kernel vulnerabilities that are often used for permission escalation.

Buffer overflow

An attack method of writing data beyond the length limit in the heap or stack thereby destroying the operation of the program and even getting control of the system. It is easy to cause problems such as system permissions and DDos being got.

Information leakage

The transmitted information that is unencrypted or carrying sensitive information is at the risk of being exploited by hackers.

Encryption and authentication algorithm

Check whether the device uses reliable encryption when communicating with the cloud, whether the integrity of the communication content is verified, and whether communication certification and authorization detection are completed.

Privacy security

The sensitive user information needs to be deleted after reset.

Server security test

The device and the cloud usually communicate through the Internet. The data packets exchanged during the communication may contain sensitive information such as device operation information and device MAC address, which can be used for device binding and other operations. The inspection of data communication includes whether the communication is encrypted, whether the encryption is complete, whether the integrity verification and certification are executed for the communication, whether there is a vulnerability in the authorization, and whether the data packet can be run after being replayed, and more.

• Sensitive information can cause risks such as devices being paired and bound by force and device information being got.
• The lack of integrity verification can cause risks such as data being tampered, and thus device permissions being got.
• Invalid authorization can cause risks such as going beyond the power.
• Replay attacks can cause the risk of the device being arbitrarily manipulated.