Embedded devices And IoT

adventofcyber4

Embedded devices are systems designed to perform specific functions within larger systems.

  • 📦 Compact size, although not necessarily small
  • 🏡 Low power consumption
  • 🧓 Longer lifespan than usual systems
  • 🤖 Constrained environment (computing power, small memory, etc.)

They are often connected to other devices and to the internet, forming a network called the Internet of Things 🤖 (IoT).

Many functions require them to exchange data or to remotely control other devices. Some protocols were designed specifically for IoT:

  • "IoT data protocols" for protocols over TCP
  • "IoT network protocols" for protocols over wireless technologies

Low-Level Communication

The basis of low-level communication is to send zeros and ones by switching the power (voltage) off and on, respectively.

UART And USART — Low-Level Communication

adventofcyber4

Universal Asynchronous Receiver-Transmitter (UART) and Universal Synchronous/Asynchronous Receiver-Transmitter (USART) are both clock-less serial communication protocols.

For UART, one wire RX is used to receive data, while another wire TX is used to send data. Both devices must agree on the communication settings:

  • 🚗 Baud rate or bit rate (communication speed)
  • 🖼️ Frame size (often 8 bits per message)
  • ⏱️ Start/Stop bits (sent before/after the message)
  • ...

It usually also involves CTS, RTS, and GND wires.

SPI — Low-Level Communication

adventofcyber4

The Serial Peripheral Interface (SPI) is often used for communication between microprocessors and peripherals (e.g. an SD card).

There is a channel SCK carrying the clock that tells the receiver when it needs to read data, and DATA IN/OUT channels to read/write data.

  • It's faster and more reliable than UART.
  • Clock signals are only sent from one "controller" device

I2C — Low-Level Communication

adventofcyber4

The Inter-Integrated Circuit (I2C) bus was designed to be faster than UART by using a clock, while using fewer wires than SPI.

Logic Analyzer Tools

adventofcyber4

Saleae Logic can be used to capture and analyze UART traffic. Create an analyzer with the correct settings (baud rate, frame size, ...), then click on the terminal to view the decoded text messages for those settings.


IoT Communications

Common failures 🪦: weak or non-existent encryption, authentication, or authorization mechanisms...

MQTT Protocol

adventofcyber4

MQTT (Message Queuing Telemetry Transport) is a publish-subscribe communication protocol where a broker stores the last message from a publisher and relays it to every subscriber of the topic.

A message is associated with a topic, usually <name>/<id>/<function>, which allows the broker to route many different messages. The ID refers to the device ID, typically fetched from the topic device/init.

$ sudo nmap -p 1883 IP -vv -sV -sC                        # find a broker (default port 1883; 8883 with TLS)
$ sudo apt install -y mosquitto-clients                   # provides mosquitto_sub and mosquitto_pub
$ mosquitto_sub -t device/ping                            # subscribe on the local broker
$ mosquitto_sub -h example.com -t device/ping             # subscribe on a remote broker
$ mosquitto_pub -h example.thm -t xxx/yyy -m "A message"  # publish one message to a topic
$ # -d debug | -i id (client id) | -p port | -u user | -P pass | -L URL (mqtt://user:pass@host:port/topic)

📚 By default, anyone can read/write to any topic.
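As an added example (not from these notes), a parser for the MQTT 3.1.1 CONNECT packet that reports whether the client presented a username/password at all: a connection without them is exactly what an open broker accepts by default, so flagging it is a quick check on captured port-1883 traffic. The two sample packets are constructed, not real captures.

```python
import struct

USERNAME_FLAG, PASSWORD_FLAG, WILL_FLAG = 0x80, 0x40, 0x04  # CONNECT flag bits

def _read_varint(buf, pos):
    """Decode the fixed header's variable-length 'remaining length' field."""
    value, mult = 0, 1
    while True:
        byte, pos = buf[pos], pos + 1
        value += (byte & 0x7F) * mult
        if not byte & 0x80:
            return value, pos
        mult *= 128
        if mult > 128 ** 3:
            raise ValueError("malformed remaining length")

def _read_str(buf, pos):
    """Length-prefixed UTF-8 string (2-byte big-endian length)."""
    n = struct.unpack_from(">H", buf, pos)[0]
    return buf[pos + 2:pos + 2 + n].decode("utf-8"), pos + 2 + n

def parse_connect(packet):
    """Return client id, credentials and an 'anonymous' verdict for a CONNECT."""
    if packet[0] != 0x10:
        raise ValueError("not a CONNECT packet")
    remaining, pos = _read_varint(packet, 1)
    if len(packet) - pos != remaining:
        raise ValueError("remaining length does not match packet size")
    proto, pos = _read_str(packet, pos)
    level, flags, keepalive = struct.unpack_from(">BBH", packet, pos)
    client_id, pos = _read_str(packet, pos + 4)
    if flags & WILL_FLAG:  # skip will topic and will message
        _, pos = _read_str(packet, pos)
        _, pos = _read_str(packet, pos)
    info = {"protocol": proto, "level": level, "keepalive": keepalive,
            "client_id": client_id, "username": None, "password": None}
    if flags & USERNAME_FLAG:
        info["username"], pos = _read_str(packet, pos)
    if flags & PASSWORD_FLAG:
        info["password"], pos = _read_str(packet, pos)
    info["anonymous"] = info["username"] is None  # what an open broker accepts
    return info

# Constructed sample packets (not real captures): what a client sends
# without and with credentials, e.g. mosquitto_sub without/with -u/-P.
ANON_CONNECT = (b"\x10\x15" + b"\x00\x04MQTT\x04" + b"\x02\x00\x3c"
                + b"\x00\x09sensor-42")
AUTH_CONNECT = (b"\x10\x25" + b"\x00\x04MQTT\x04" + b"\xc2\x00\x3c"
                + b"\x00\x09sensor-42" + b"\x00\x06device" + b"\x00\x06s3cret")
```

The same parser can be pointed at a pcap by feeding it the TCP payload of each client's first packet to the broker; a broker configured to reject anonymous clients should never accept the first kind.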

CoAP Protocol

adventofcyber4

CoAP (Constrained Application Protocol) is a protocol that maps HTTP-style requests to a simple and lightweight message format over UDP.

AMQP Protocol

adventofcyber4

AMQP (Advanced Message Queuing Protocol) is a protocol for asynchronous messaging between different applications.

DDS Protocol

adventofcyber4

DDS (Data Distribution Service) is a publish-subscribe communication protocol for real-time and embedded systems.


Firmware Analysis

Moved to Firmware Analysis.


👻 To-do 👻

Stuff that I found, but never read/used yet.

  • Access Point > to-do (Zigbee and Z-Wave)
  • Investigation > IoT
  • variot.eu
  • IoT (VLAN (technology) - IoT (concept))
  • we want to isolate them
  • printer
  • segment IoT devices
  • Wi-Fi IoT SSID "XXX-IOT"
  • hidden from users
  • rust-embedded
  • iothacking101
  • EMBA
  • OWASP IoT Project
  • IoT Village

Physical device vulnerabilities

  • poor manufacturing or design practices => audits
  • weak/default passwords => strong password policy
    • Ex: Mirai botnet
  • Limit access to devices
  • Device hardening

Protocols

  • Fiddler (tool)
  • Limit access to devices
  • Radio frequency (RF)
  • Zigbee, Z-wave, and Bluetooth

Attacks

  • Fuzzing: test for crashes/...: American Fuzzy Lop (AFL), Peach Fuzzer, Spike Proxy, Sulley
  • Network scanners: Angry IP Scanner
  • Exploitation frameworks: CANVAS, CORE IMPACT
  • ChipWhisperer, Glitch, or Shakti
  • JTAG or UART