Embedded devices And IoT
Embedded devices are systems designed to perform specific functions within larger systems.
- Compact size while not necessarily small
- Low power consumption
- Longer lifespan than usual systems
- Constrained environment (computing power, small memory, etc.)
They are often connected to other devices and the internet, forming a network called the Internet of Things (IoT).
Many functions require them to exchange data or to remote control other devices. Some protocols were designed specifically for IoT.
- "IoT data protocol" for protocols over TCP
- "IoT network protocol" for protocols over wireless technology
Low-Level Communication
The basis of low-level communication is to send zeros and ones by respectively turning the voltage on a wire off and on.
UART And USART - Low-Level Communication
Universal Asynchronous Receiver-Transmitter (UART) or Universal Synchronous Asynchronous Receiver Transmitter (USART) are both clock-less serial communication protocols.
For UART, one wire (RX) is used to receive data, while another wire (TX) is used to send data. The devices define the communication settings:
- Baud rate or bit rate (communication speed)
- Frame size (often 8 bits per message)
- Start/Stop bits (before/after the message is sent)
- ...
It usually also involves CTS (clear to send), RTS (request to send), and GND (ground) wires.
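The following is an added example, not code from the original notes: a bit-level UART framer and decoder that shows what the settings above mean in practice. A frame is one start bit (low), N data bits sent least-significant-bit first, an optional parity bit and one or more stop bits (high); the receiver only recovers the bytes if it samples the line with the same frame settings and baud rate as the sender, which is exactly what a logic analyzer needs to be told. The constants `IDLE_PREFIX`, the `UartConfig` fields and the sample capture are constructed for this example.

```python
"""
Added example (not part of the original notes): encode UART frames bit by bit
and decode them back from a sampled line, the way a logic analyzer does once
it knows the frame format and the baud rate.
"""
from dataclasses import dataclass

IDLE = 1         # a UART line rests high; the first low sample is a start bit
IDLE_PREFIX = 2  # idle bits emitted before the first frame (constructed value)


@dataclass(frozen=True)
class UartConfig:
    data_bits: int = 8        # frame size; "8N1" is the usual default
    parity: str = "none"      # "none", "even" or "odd"
    stop_bits: int = 1
    lsb_first: bool = True    # UART sends the least significant bit first


def parity_bit(data_bits, parity):
    """Even parity makes the number of ones even; odd parity makes it odd."""
    ones = sum(data_bits) % 2
    return ones if parity == "even" else ones ^ 1


def encode_frame(byte, cfg):
    """Return the bits of one UART frame carrying `byte`."""
    data = [(byte >> i) & 1 for i in range(cfg.data_bits)]
    if not cfg.lsb_first:
        data.reverse()
    frame = [0] + data                        # start bit (low), then data
    if cfg.parity != "none":
        frame.append(parity_bit(data, cfg.parity))
    return frame + [1] * cfg.stop_bits        # stop bits are high


def encode(payload, cfg):
    """Serialise `payload` into a bit stream with one idle bit between frames."""
    bits = [IDLE] * IDLE_PREFIX
    for byte in payload:
        bits += encode_frame(byte, cfg) + [IDLE]
    return bits


def to_samples(bits, samples_per_bit):
    """Stretch each bit over `samples_per_bit` samples, as an analyzer capturing
    the line at sample_rate = baud * samples_per_bit would see it."""
    return [b for b in bits for _ in range(samples_per_bit)]


def decode(samples, cfg, samples_per_bit=1):
    """Recover bytes from a sampled line. Returns (bytes, errors), each error
    being (sample index of the start bit, kind). With the wrong samples_per_bit,
    i.e. the wrong baud rate, the output is garbage rather than a clean failure."""
    out, errors = bytearray(), []
    spb = samples_per_bit
    frame_bits = 1 + cfg.data_bits + (cfg.parity != "none") + cfg.stop_bits
    i = 0
    while i < len(samples):
        if samples[i] == IDLE:
            i += 1
            continue
        # falling edge: a start bit begins here; sample every bit at its centre
        centres = [i + spb // 2 + k * spb for k in range(frame_bits)]
        if centres[-1] >= len(samples):
            errors.append((i, "truncated frame"))
            break
        frame = [samples[c] for c in centres]
        data = frame[1:1 + cfg.data_bits]
        rest = frame[1 + cfg.data_bits:]
        value = 0
        for k, bit in enumerate(data):
            shift = k if cfg.lsb_first else cfg.data_bits - 1 - k
            value |= bit << shift
        if cfg.parity != "none":
            if rest[0] != parity_bit(data, cfg.parity):
                errors.append((i, "parity error"))
            rest = rest[1:]
        if any(b != 1 for b in rest):             # stop bits must be high
            errors.append((i, "framing error"))
        out.append(value)
        i += frame_bits * spb
    return bytes(out), errors


if __name__ == "__main__":
    cfg = UartConfig()                            # 8N1
    line = to_samples(encode(b"Hi", cfg), 4)      # constructed capture
    print(decode(line, cfg, samples_per_bit=4))   # (b'Hi', [])
    print(decode(line, cfg, samples_per_bit=2))   # wrong baud rate: garbage bytes
```

Decoding the same capture with a wrong `samples_per_bit` still returns bytes and usually no framing error, which is why a capture that "decodes" to unreadable text in a logic analyzer is most often a baud rate or frame size mismatch rather than an encrypted link.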
SPI - Low-Level Communication
The Serial Peripheral Interface (SPI) is often used for communication between microprocessors and peripherals (ex: SD card).
There is a channel (SCK) carrying the clock that tells the receiver when it needs to read data, and data channels (DATA IN/OUT) to read/write data.
- It's faster and more reliable than UART.
- Clock signals are only sent from one "controller" device
I2C - Low-Level Communication
The Inter-Integrated Circuit (I2C) was designed to be faster than UART using a clock, while using fewer wires than for SPI.
Logic Analyzer Tools
Saleae Logic can be used to capture and analyze UART traffic. Create an analyzer with the correct settings (baud rate, frame size, parity, stop bits), and click on the terminal to view the text messages decoded with those settings.
IoT Communications
Common failures: weak or non-existent encryption, authentication, or authorization mechanisms...
MQTT Protocol
MQTT (Message Queuing Telemetry Transport) is a publish-subscribe communication protocol where a broker stores the last message from a publisher and relays messages to the subscribers of a topic.
A message is associated with a topic, usually <name>/<id>/<function>, which allows brokers to handle multiple message streams. The ID refers to the device ID, typically fetched from the topic device/init.
$ sudo nmap -p 1883 IP -vv -sV -sC
$ sudo apt install -y mosquitto-clients
$ mosquitto_sub -t device/ping
$ mosquitto_sub -h example.com -t device/ping
$ mosquitto_pub -h example.thm -t xxx/yyy -m "A message"
$ # -d (debug) | -i id (client id) | -p port | -u user | -P pass | -L URL (mqtt://user:pass@host:port/topic)
By default, anyone can read/write to any topic.
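The following is an added example and not code from the original notes or from Mosquitto: a toy broker that models the retained-message and publish/subscribe delivery described above, with MQTT wildcard matching and a per-client ACL. The first broker configured in the usage block behaves like the "anyone can read/write any topic" default; the second ties each device to its own branch of the <name>/<id>/<function> scheme, using a `%u` identity placeholder modelled on Mosquitto's acl_file `pattern` syntax. Client identities, topics and payloads are constructed sample values.

```python
"""
Added example (not part of the original notes, not Mosquitto's code): a minimal
in-memory MQTT-style broker with retained messages, wildcard topic matching and
a per-client ACL, to contrast an open broker with an authorised one.
"""
from dataclasses import dataclass, field


def topic_matches(topic_filter, topic):
    """MQTT 3.1.1 matching: '+' matches exactly one level, '#' (only valid as the
    last level) matches all remaining levels including the parent itself, and
    wildcards never match topics starting with '$' (e.g. $SYS/...)."""
    if topic.startswith("$") and topic_filter[:1] in ("+", "#"):
        return False
    f_levels = topic_filter.split("/")
    t_levels = topic.split("/")
    for i, level in enumerate(f_levels):
        if level == "#":
            return i == len(f_levels) - 1
        if i >= len(t_levels) or (level != "+" and level != t_levels[i]):
            return False
    return len(f_levels) == len(t_levels)


@dataclass
class Acl:
    """rules: identity -> list of (permission, topic pattern), permission being
    "read", "write" or "readwrite". '%u' in a pattern is replaced by the client
    identity, so "device/%u/#" confines a device to its own subtree."""
    rules: dict = field(default_factory=dict)
    allow_anonymous: bool = False

    def is_allowed(self, identity, action, topic):
        if identity is None:                  # unauthenticated client
            return self.allow_anonymous       # open broker: everything is allowed
        for perm, pattern in self.rules.get(identity, []):
            pattern = pattern.replace("%u", identity)
            if perm in (action, "readwrite") and topic_matches(pattern, topic):
                return True
        return False


class Broker:
    def __init__(self, acl):
        self.acl = acl
        self.retained = {}   # topic -> last payload published with retain=True
        self.subs = []       # (identity, topic filter, inbox list)

    def subscribe(self, identity, topic_filter, inbox):
        """Register a subscription and replay the retained messages it may read."""
        self.subs.append((identity, topic_filter, inbox))
        for topic, payload in self.retained.items():
            if topic_matches(topic_filter, topic) and self.acl.is_allowed(identity, "read", topic):
                inbox.append((topic, payload))

    def publish(self, identity, topic, payload, retain=False):
        """Deliver to every authorised subscriber; return False if the publisher is denied."""
        if not self.acl.is_allowed(identity, "write", topic):
            return False
        if retain:
            self.retained[topic] = payload
        for sub_identity, topic_filter, inbox in self.subs:
            # a matching filter is not enough: the subscriber must also be allowed to read
            if topic_matches(topic_filter, topic) and self.acl.is_allowed(sub_identity, "read", topic):
                inbox.append((topic, payload))
        return True


if __name__ == "__main__":
    # Open broker: an anonymous client subscribed to "#" sees every message.
    open_broker = Broker(Acl(allow_anonymous=True))
    sniffer = []
    open_broker.subscribe(None, "#", sniffer)
    open_broker.publish(None, "device/42/cmd", b"reboot")
    print("open broker:", sniffer)

    # Authorised broker: device 42 stays under device/42/, the dashboard reads status only.
    acl = Acl(rules={"42": [("readwrite", "device/%u/#")],
                     "dashboard": [("read", "device/+/status")]})
    broker = Broker(acl)
    print("device 42 -> own status:", broker.publish("42", "device/42/status", b"ok", retain=True))
    print("device 42 -> device 7:", broker.publish("42", "device/7/cmd", b"x"))
    print("anonymous publish:", broker.publish(None, "device/42/cmd", b"x"))
```

The same two checks, authentication (`allow_anonymous`) and per-topic authorization (the `%u` pattern), are what the Mosquitto `password_file` and `acl_file` settings provide on a real broker; a subscription to `device/#` without a matching read rule then receives nothing, even though the wildcard matches every device topic.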
CoAP Protocol
CoAP (Constrained Application Protocol) is a protocol converting HTTP requests to a simple and lightweight message format over UDP.
AMQP Protocol
AMQP (Advanced Message Queuing Protocol) is a protocol for asynchronous messaging between various different applications.
DDS Protocol
DDS (Data Distribution Service) is a publish-subscribe communication protocol for real-time and embedded systems.
Firmware Analysis
Moved to Firmware Analysis.
To-do
Stuff that I found, but never read/used yet.
- Access Point > to-do (Zigbee and Z-Wave)
- Investigation > IoT
- variot.eu
- IoT (VLAN (technology) - IoT (concept))
- we want to isolate them
- printer
- segment IoT devices
- WI-FI IoT SSID "XXX-IOT"
- hidden from users
- rust-embedded
- iothacking101
- EMBA
- OWASP IoT Project
- IoT Village
Physical device vulnerabilities
- poor manufacturing or design practices => audits
- weak/default passwords => strong password policy
- Ex: Mirai botnet
- Limit access to devices
- Device hardening
Protocols
- Fiddler (tool)
- Limit access to devices
- Radio frequency (RF)
- Zigbee, Z-wave, and Bluetooth
Attacks
- Fuzzing: test crashes/... American Fuzzy Lop (AFL), Peach Fuzzer, Spike Proxy, Sulley
- Network scanners: Angry IP Scanner
- Exploitation frameworks: CANVAS, CORE IMPACT
- ChipWhisperer, Glitch, or Shakti
- JTAG or UART