Chapter 31 Exercises: IoT and Embedded Systems Hacking

Exercise 31.1: IoT Attack Surface Mapping (Beginner)

MedSecure deploys a wireless patient vital signs monitor with the following specifications:

  • ARM Cortex-M4 processor with 512KB flash, 128KB RAM
  • BLE 5.0 for communication with provider mobile app
  • WiFi 802.11n for cloud connectivity (MQTT to AWS IoT Core)
  • Local web interface for device configuration (port 80)
  • USB port for firmware updates
  • UART debug header on PCB (4-pin)
  • Measures: heart rate, blood pressure, SpO2, temperature
  • Local storage: 2MB SPI flash for firmware, 8MB for patient data
  • Runs FreeRTOS with lwIP networking stack

Create a comprehensive attack surface map that identifies:

  1. All physical interfaces and their potential attack vectors
  2. All network interfaces and protocols with associated risks
  3. All data storage locations and sensitivity levels
  4. All software components and potential vulnerability classes
  5. A prioritization of the attack vectors from highest to lowest risk

Exercise 31.2: UART Identification and Connection (Beginner)

You have opened an IoT device and found a 4-pin header on the PCB. Using a multimeter, you measure the following voltages on each pin (with the device powered on):

  • Pin 1: 0.0V (steady)
  • Pin 2: 3.3V (steady, with brief dips during boot)
  • Pin 3: 3.3V (steady, no variation)
  • Pin 4: 3.3V (steady)

Questions:

  1. Which pin is most likely GND? Why?
  2. Which pin is most likely TX? Why?
  3. Which pin is most likely RX? Why?
  4. What baud rates would you try first?
  5. Write the exact commands to connect using screen and minicom
  6. What information do you expect to see when the device boots?

Exercise 31.3: Firmware Extraction and Analysis (Intermediate)

Download a practice firmware image (such as from the Firmware Analysis Toolkit or AttifyOS practice files) and perform the following analysis:

  1. Use binwalk to identify the firmware components
  2. Extract the filesystem
  3. Identify the operating system and architecture
  4. Search for and document:
     • All user accounts and password hashes
     • Any hardcoded credentials in configuration files
     • Network service configurations (SSH, HTTP, MQTT)
     • Cryptographic keys or certificates
     • Custom binaries and their purpose
  5. Analyze at least one custom binary for potential vulnerabilities
  6. Document all findings in a professional report format
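Steps 1 and 4 of this exercise are, in miniature, a signature scan followed by a search for embedded secrets. The following is an added example (not from the exercise, from binwalk, or from any firmware toolkit) that does both over a constructed firmware blob: the magic-value table is a small hand-picked subset of what binwalk knows, the secret patterns are my own, and the sample image and the credentials inside it are invented.

```python
"""Firmware image triage: magic-signature scan plus hardcoded-secret search.

Added example; the SIGNATURES table and SECRET_PATTERNS are assumptions
(a small subset of real-world magic values and typical secret formats),
and SAMPLE_IMAGE is a constructed blob, not a real firmware image.
"""
import re

# Magic values and what they usually mark (assumption: hand-picked subset).
SIGNATURES = {
    b"\x27\x05\x19\x56": "uImage header (U-Boot)",
    b"\x1f\x8b\x08": "gzip compressed data",
    b"hsqs": "SquashFS filesystem (little-endian)",
    b"sqsh": "SquashFS filesystem (big-endian)",
    b"\x7fELF": "ELF executable",
}

# Byte-oriented patterns for things step 4 asks you to document.
SECRET_PATTERNS = {
    "passwd/shadow hash": re.compile(
        rb"^[a-z_][a-z0-9_-]*:\$(?:1|5|6|2[aby]?)\$[^:\n]+", re.M),
    "PEM private key": re.compile(rb"-----BEGIN (?:RSA |EC )?PRIVATE KEY-----"),
    "credential assignment": re.compile(
        rb"(?i)(?:password|passwd|pwd|secret|api_key)\s*[=:]\s*[\"']?([^\s\"']{4,})"),
}

# Constructed sample: header, compressed stub, rootfs marker, then config text and a binary.
SAMPLE_IMAGE = (
    b"\x27\x05\x19\x56" + b"\x00" * 60                       # uImage header at 0
    + b"\x1f\x8b\x08\x00" + b"\x00" * 28                     # gzip stub at 64
    + b"hsqs" + b"\x00" * 27 + b"\n"                         # SquashFS marker at 96
    + b"root:$1$abc123$Ztx9P2/7mQk0qQ1bHn6vX1:0:0:root:/root:/bin/sh\n"
    + b"admin_password=SuperSecret123\n"
    + b"-----BEGIN RSA PRIVATE KEY-----\n<constructed-placeholder>\n"
    + b"-----END RSA PRIVATE KEY-----\n"
    + b"\x7fELF\x01\x01\x01" + b"\x00" * 9
)


def scan_signatures(blob: bytes):
    """Return [(offset, description)] for every known magic value, sorted by offset."""
    hits = []
    for magic, desc in SIGNATURES.items():
        start = 0
        while True:
            idx = blob.find(magic, start)
            if idx < 0:
                break
            hits.append((idx, desc))
            start = idx + 1
    return sorted(hits)


def find_secrets(blob: bytes):
    """Return [(offset, label, excerpt)] for each secret-looking match, sorted by offset."""
    findings = []
    for label, pat in SECRET_PATTERNS.items():
        for m in pat.finditer(blob):
            findings.append((m.start(), label, m.group(0).decode("latin-1")[:60]))
    return sorted(findings)


def triage(blob: bytes) -> dict:
    """Combine both scans into one report-ready structure."""
    return {"components": scan_signatures(blob), "secrets": find_secrets(blob)}


if __name__ == "__main__":
    report = triage(SAMPLE_IMAGE)
    for off, desc in report["components"]:
        print(f"0x{off:06x}  {desc}")
    for off, label, excerpt in report["secrets"]:
        print(f"0x{off:06x}  {label}: {excerpt}")
```

On a real image, read the file into `blob` and expect many more hits than the table above can name; the point is to see that the "firmware" is a concatenation of identifiable regions and that plaintext credentials survive in the filesystem region, which is exactly what a report for step 6 needs to state with offsets.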

Exercise 31.4: MQTT Security Assessment (Intermediate)

Set up a Mosquitto MQTT broker in your lab environment and perform a security assessment:

  1. Install Mosquitto broker with default configuration
  2. Test unauthenticated access: mosquitto_sub -h localhost -t '#' -v
  3. Subscribe to system topics ($SYS/#) and document exposed information
  4. Publish test messages to verify write access
  5. Configure authentication and ACLs, then verify restrictions work
  6. Test with TLS encryption enabled
  7. Compare the security posture of the default configuration versus the hardened configuration
  8. Write a security assessment report for the MQTT broker
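Step 7 asks for a comparison of the default and hardened configurations. The following is an added example (not from the exercise or the Mosquitto project) that reviews a mosquitto.conf text for the settings the earlier steps exercise: anonymous access, a password file, an ACL file and TLS material on each listener. Both configuration texts are constructed samples with placeholder paths, and the per-listener scoping is a simplification noted in the code.

```python
"""Review a mosquitto.conf for the weak settings Exercise 31.4 compares.

Added example, not Mosquitto's own tooling. The option names are real
Mosquitto directives; the two sample configs and their paths are constructed.
"""

WEAK_CONF = """\
# default-style configuration (constructed sample)
listener 1883
allow_anonymous true
"""

HARDENED_CONF = """\
# hardened configuration (constructed sample; file paths are placeholders)
per_listener_settings true

listener 8883
allow_anonymous false
password_file /etc/mosquitto/passwd
acl_file /etc/mosquitto/acl
cafile /etc/mosquitto/certs/ca.crt
certfile /etc/mosquitto/certs/broker.crt
keyfile /etc/mosquitto/certs/broker.key
tls_version tlsv1.2
"""


def parse_conf(conf_text: str):
    """Return (global_options, [listener option dicts]).

    Simplification: an option placed after a `listener` line is recorded on
    that listener and options before any listener are global. Mosquitto only
    scopes options per listener when per_listener_settings is true, so treat
    the result as a first-pass review, not an exact model of the broker.
    """
    global_opts, listeners = {}, []
    current = global_opts
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        key, _, value = line.partition(" ")
        key, value = key.lower(), value.strip()
        if key == "listener":
            current = {"listener": value.split()[0]}   # port (bind address ignored)
            listeners.append(current)
        else:
            current[key] = value
    return global_opts, listeners


def audit(conf_text: str):
    """Return [(severity, message)] findings; an empty list means no weak setting seen."""
    global_opts, listeners = parse_conf(conf_text)
    findings = []
    if not listeners:
        findings.append(("INFO", "no listener directive: Mosquitto 2.x then binds 127.0.0.1:1883 only"))
    for lst in listeners:
        def opt(key, _l=lst):
            # listener-level value wins, otherwise fall back to the global value
            return _l.get(key, global_opts.get(key))
        tag = f"listener {lst['listener']}"
        if (opt("allow_anonymous") or "false").lower() == "true":
            findings.append(("HIGH", f"{tag}: allow_anonymous true, any client can subscribe and publish"))
        if not (opt("password_file") or opt("psk_file")
                or opt("require_certificate") == "true" or opt("plugin")):
            findings.append(("HIGH", f"{tag}: no password_file, psk_file, client certificates or auth plugin"))
        if not (opt("acl_file") or opt("plugin")):
            findings.append(("MEDIUM", f"{tag}: no acl_file, every authenticated client can read and write "
                                       "all topics, including $SYS/#"))
        if not ((opt("certfile") and opt("keyfile")) or opt("psk_file")):
            findings.append(("HIGH", f"{tag}: no certfile/keyfile, credentials and telemetry are sent in plaintext"))
    return findings


if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(f"== {name} ==")
        for sev, msg in audit(conf) or [("OK", "no weak settings found")]:
            print(f"  [{sev}] {msg}")
```

Run `audit()` over your own broker's configuration file before and after step 5 and step 6; the findings list is a concise starting point for the comparison in step 7, and each finding maps directly onto one of the manual tests in steps 2 to 4.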

Exercise 31.5: BLE Device Assessment (Intermediate)

Using a BLE-capable device and tools (nRF Connect app, gatttool, or bettercap):

  1. Scan for BLE devices in your environment
  2. For each discovered device, document:
     • Device name and MAC address
     • Advertised services and their UUIDs
     • Pairing requirements (if any)
     • Readable characteristics and their values
  3. For a test BLE device (such as a smart light bulb or fitness tracker):
     • Enumerate all services and characteristics
     • Read all readable characteristics
     • Identify which characteristics are writable
     • Test writing values to writable characteristics
     • Analyze whether sensitive data is transmitted in plaintext
  4. Discuss the privacy implications of BLE device scanning

Exercise 31.6: Embedded Web Interface Testing (Intermediate)

Using a practice IoT device or an emulated firmware web interface (such as from DVID):

  1. Identify the web server type and version
  2. Test for default credentials (use a list of common IoT default passwords)
  3. Enumerate all accessible pages and endpoints
  4. Test for command injection in any input fields (especially network diagnostic tools)
  5. Test for directory traversal
  6. Check for authentication bypass (direct URL access to admin pages)
  7. Analyze the JavaScript source for hardcoded information
  8. Check for unencrypted credential transmission
  9. Document all findings with severity ratings

Exercise 31.7: Firmware Update Security Analysis (Intermediate)

Analyze the firmware update mechanism of a practice IoT device:

  1. Capture the firmware update process (network traffic)
  2. Answer the following questions:
     • Is the update downloaded over HTTP or HTTPS?
     • Is the firmware image signed? If so, what algorithm?
     • Is the firmware image encrypted?
     • Can you modify the firmware image and have the device accept it?
     • Is there a rollback protection mechanism?
     • Can the update server be spoofed via DNS?
  3. If the update is not properly secured, demonstrate how an attacker could push malicious firmware
  4. Recommend security improvements for the update mechanism
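The questions in step 2 and the recommendations in step 4 come down to three checks a device should make before flashing: the manifest is signed, the image matches the signed hash, and the version is newer than what is installed. The following is an added example of that verification logic (not MedSecure's code or any vendor's). To run stand-alone with only the standard library it signs the manifest with HMAC-SHA256, which is a simplification: a real device should verify an asymmetric signature (Ed25519 or ECDSA) so that only a public key is ever stored in flash. The manifest format, key and sample image are constructed.

```python
"""Firmware update verification: signature, hash and anti-rollback checks.

Added example. HMAC-SHA256 stands in for an asymmetric signature so the
block runs with the standard library; the manifest layout, the demo key
and the sample images are constructed, not any vendor's format.
"""
import hashlib
import hmac
import json

# Constructed demo key. In production this is a *public* key on the device and
# the private half stays in the vendor's signing service.
UPDATE_KEY = b"demo-update-signing-key-not-for-production"


def _canonical(body: dict) -> bytes:
    """Deterministic encoding so signer and verifier hash identical bytes."""
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def build_manifest(image: bytes, version: int, key: bytes = UPDATE_KEY) -> dict:
    """Vendor side: describe the image, then sign the description."""
    body = {"version": version, "size": len(image),
            "sha256": hashlib.sha256(image).hexdigest()}
    sig = hmac.new(key, _canonical(body), hashlib.sha256).hexdigest()
    return {**body, "signature": sig}


def verify_update(manifest: dict, image: bytes, installed_version: int,
                  key: bytes = UPDATE_KEY):
    """Device side. Returns (accepted, reason).

    Order matters: verify the signature before trusting any manifest field,
    then bind the image to the manifest via its hash, then enforce that the
    version only moves forward (rollback protection).
    """
    body = {k: v for k, v in manifest.items() if k != "signature"}
    expected = hmac.new(key, _canonical(body), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, str(manifest.get("signature", ""))):
        return False, "manifest signature invalid"
    if body.get("size") != len(image) or body.get("sha256") != hashlib.sha256(image).hexdigest():
        return False, "image hash/size does not match signed manifest"
    if body.get("version", 0) <= installed_version:
        return False, f"rollback blocked: version {body.get('version')} <= installed {installed_version}"
    return True, "update accepted"


# Constructed sample images for the demo.
GOOD_IMAGE = b"\x7fELF" + b"monitor firmware v2 (constructed)"
MANIFEST_V2 = build_manifest(GOOD_IMAGE, version=2)


def demo() -> dict:
    """Exercise the four outcomes a tester would try against the mechanism."""
    tampered_manifest = dict(MANIFEST_V2, version=3)       # edited after signing
    return {
        "genuine": verify_update(MANIFEST_V2, GOOD_IMAGE, installed_version=1),
        "modified_image": verify_update(MANIFEST_V2, GOOD_IMAGE + b"\x90", installed_version=1),
        "edited_manifest": verify_update(tampered_manifest, GOOD_IMAGE, installed_version=1),
        "rollback": verify_update(MANIFEST_V2, GOOD_IMAGE, installed_version=2),
    }


if __name__ == "__main__":
    for case, (ok, reason) in demo().items():
        print(f"{case:16s} accepted={ok}  {reason}")
```

Each key in `demo()` corresponds to one of the step 2 questions: a modified image, a manifest edited after signing, and an older version are all rejected with a distinct reason, which is the behaviour to ask for when writing the step 4 recommendations. Transport security (HTTPS, a pinned server certificate) is still needed on top of this, since a signed-but-downgradable or signed-but-unencrypted image still leaks its contents to anyone on the path.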

Exercise 31.8: IoT Network Protocol Identification (Beginner)

Given the following packet capture summary from an IoT network, identify each protocol and assess its security implications:

1. TCP 192.168.1.100:8234 -> 52.14.23.45:1883  [MQTT CONNECT]
2. UDP 192.168.1.101:5683 -> 192.168.1.1:5683  [CoAP GET]
3. TCP 192.168.1.102:4321 -> 192.168.1.1:502   [Modbus Read]
4. TCP 192.168.1.103:8080 -> 192.168.1.103:80  [HTTP GET /admin]
5. BLE 192.168.1.104 -> AA:BB:CC:DD:EE:FF      [GATT Write]
6. TCP 192.168.1.100:9876 -> 52.14.23.45:8883  [MQTT CONNECT TLS]
7. UDP 192.168.1.105:47808 -> 192.168.1.200:47808 [BACnet]

For each connection:

  1. Identify the protocol
  2. Determine if encryption is used
  3. Assess the security risk
  4. Recommend improvements
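The classification the four questions ask for can be done mechanically from the transport and destination port, which is how a network monitor would triage such a capture. The following is an added example (not part of the exercise) that parses the seven summary lines above and answers each question per connection. The port-to-protocol table uses the IANA-registered ports for these protocols; the risk ratings and recommendations are my own assumptions, and the BLE row is handled separately because BLE has no IP layer or port.

```python
"""Triage an IoT capture summary: protocol, encryption, risk, recommendation.

Added example. PORT_TABLE uses IANA-registered ports; the risk levels and
recommendations are assumptions. CAPTURE repeats the exercise's seven lines.
"""
import re

CAPTURE = """\
1. TCP 192.168.1.100:8234 -> 52.14.23.45:1883  [MQTT CONNECT]
2. UDP 192.168.1.101:5683 -> 192.168.1.1:5683  [CoAP GET]
3. TCP 192.168.1.102:4321 -> 192.168.1.1:502   [Modbus Read]
4. TCP 192.168.1.103:8080 -> 192.168.1.103:80  [HTTP GET /admin]
5. BLE 192.168.1.104 -> AA:BB:CC:DD:EE:FF      [GATT Write]
6. TCP 192.168.1.100:9876 -> 52.14.23.45:8883  [MQTT CONNECT TLS]
7. UDP 192.168.1.105:47808 -> 192.168.1.200:47808 [BACnet]
"""

# (transport, destination port) -> (protocol, encrypted, risk, recommendation)
PORT_TABLE = {
    ("TCP", 1883): ("MQTT", False, "HIGH",
                    "move to 8883 with TLS and require client authentication"),
    ("TCP", 8883): ("MQTT over TLS", True, "LOW",
                    "confirm certificate validation/pinning and modern cipher suites"),
    ("UDP", 5683): ("CoAP", False, "HIGH",
                    "use CoAP over DTLS (udp/5684)"),
    ("TCP", 502): ("Modbus/TCP", False, "CRITICAL",
                   "protocol has no authentication: isolate on an OT segment and filter by function code"),
    ("TCP", 80): ("HTTP", False, "HIGH",
                  "serve the admin interface over HTTPS only and require authentication"),
    ("UDP", 47808): ("BACnet/IP", False, "HIGH",
                     "segment the building network; use BACnet/SC or a VPN between sites"),
}

LINE_RE = re.compile(r"^\d+\.\s+(\w+)\s+(\S+)\s+->\s+(\S+)\s+\[(.+?)\]$")
IPV4_RE = re.compile(r"^\d+\.\d+\.\d+\.\d+$")


def classify(capture_text: str):
    """Return one dict per parsable summary line."""
    rows = []
    for line in capture_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        transport, src, dst, note = m.groups()
        row = {"transport": transport, "src": src, "dst": dst, "note": note, "observations": []}
        if transport == "BLE":
            # No IP layer; whether a GATT write is protected depends on pairing/bonding.
            row.update(protocol="BLE GATT", encrypted=None, risk="MEDIUM",
                       recommendation="require authenticated pairing (LE Secure Connections) before accepting writes")
            if IPV4_RE.match(src):
                row["observations"].append(
                    "source shown as an IPv4 address, which BLE frames do not carry; summary line is probably mislabeled")
        else:
            _, _, port = dst.rpartition(":")
            entry = PORT_TABLE.get((transport, int(port)))
            if entry is None:
                row.update(protocol=f"unknown ({transport}/{port})", encrypted=None, risk="UNKNOWN",
                           recommendation="identify the service from payload, not port")
            else:
                proto, enc, risk, rec = entry
                row.update(protocol=proto, encrypted=enc, risk=risk, recommendation=rec)
            if src.rpartition(":")[0] == dst.rpartition(":")[0]:
                row["observations"].append("source and destination host are identical: local proxy or loopback traffic")
        rows.append(row)
    return rows


def unencrypted(rows):
    """Protocols observed in the clear (BLE is excluded: encryption state is unknown)."""
    return [r["protocol"] for r in rows if r["encrypted"] is False]


if __name__ == "__main__":
    table = classify(CAPTURE)
    for r in table:
        print(f"{r['protocol']:14s} enc={str(r['encrypted']):5s} {r['risk']:8s} {r['recommendation']}")
        for obs in r["observations"]:
            print(f"    note: {obs}")
    print("in the clear:", ", ".join(unencrypted(table)))
```

Two things the table alone does not show come out of the observations field: the BLE line carries an IPv4 source, which a real BLE capture cannot, and the HTTP request to /admin goes from a host to itself, which suggests a local proxy or an emulated device rather than a remote client. Both are worth calling out in the written assessment.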

Exercise 31.9: Zigbee Security Analysis (Advanced)

Research Zigbee security and answer the following:

  1. What is the Zigbee Trust Center and how does key distribution work?
  2. What is the "well-known" default Trust Center link key? Why is it a security concern?
  3. Explain how Zigbee network key sniffing works during device pairing
  4. What tools are needed for Zigbee security testing?
  5. How does Zigbee 3.0 improve security over previous versions?
  6. Design a Zigbee security testing methodology for a smart building deployment

Exercise 31.10: Hardware Interface Identification (Intermediate)

You are examining the PCB of an IoT device and find the following:

  1. A 10-pin header near the main processor
  2. A 4-pin header near the edge of the board
  3. A small 8-pin IC chip labeled "W25Q64FV"
  4. Two test points labeled "SDA" and "SCL"

For each finding:

  1. Identify what interface it likely represents
  2. Describe the tools needed to interact with it
  3. Explain what data or access it could provide
  4. Rate the difficulty of exploitation (Easy/Medium/Hard)

Exercise 31.11: ICS/SCADA Security Research (Intermediate)

Research the Stuxnet attack and answer the following questions:

  1. What was the target of Stuxnet and what physical damage did it cause?
  2. What industrial protocol(s) did Stuxnet manipulate?
  3. How did Stuxnet propagate to reach its target (which was air-gapped)?
  4. What zero-day vulnerabilities did Stuxnet exploit?
  5. How did Stuxnet hide its activities from operators (the "man-in-the-middle" on the PLC)?
  6. What lessons does Stuxnet provide for IoT and ICS security testing?
  7. Compare Stuxnet with two other ICS attacks (e.g., BlackEnergy/Ukraine, Triton/TRISIS)

Exercise 31.12: IoT Device Forensics (Advanced)

Develop a forensic analysis plan for a compromised MedSecure vital signs monitor:

  1. Evidence preservation:
     • What volatile data should be captured first?
     • How would you create a forensic image of the SPI flash?
     • What network traffic should be captured?
  2. Analysis:
     • How would you determine when the compromise occurred?
     • What artifacts would you look for in the filesystem?
     • How would you analyze MQTT message logs?
  3. Timeline reconstruction:
     • What data sources could establish a timeline?
     • How would you correlate device logs with network captures?
  4. Chain of custody:
     • What documentation is required for IoT forensic evidence?
     • How does IoT forensics differ from traditional digital forensics?

Exercise 31.13: Building a MedSecure IoT Test Environment (Advanced)

Design and implement a test environment that simulates MedSecure's IoT ecosystem:

  1. Using a Raspberry Pi as the "medical device":
     • Install Mosquitto as MQTT client
     • Create a Python script that simulates vital signs data
     • Set up a simple web management interface (Flask)
     • Configure BLE advertisement (if BLE-capable)

  2. Using another device as the "MQTT broker":
     • Install Mosquitto broker
     • Configure topics matching MedSecure's structure
     • Set up monitoring and logging

  3. Perform a complete security assessment of your test environment:
     • Network scanning and service discovery
     • MQTT authentication and authorization testing
     • Web interface vulnerability assessment
     • Data-in-transit encryption verification
     • Firmware extraction (from SD card) and analysis

  4. Document all findings and remediation steps

Exercise 31.14: Side-Channel Attack Research (Advanced)

Research side-channel attacks on IoT devices and answer:

  1. What is a power analysis attack? Explain the difference between Simple Power Analysis (SPA) and Differential Power Analysis (DPA)
  2. What is electromagnetic emanation analysis?
  3. What is a timing attack and how can it be used against an IoT device's authentication?
  4. What is fault injection (glitching) and what can it achieve?
  5. What defenses exist against side-channel attacks?
  6. For MedSecure's medical devices, which side-channel attacks are most realistic? What would a successful attack enable?

Exercise 31.15: IoT Security Policy Development (Advanced)

Develop a comprehensive IoT security policy for MedSecure that addresses:

  1. Device procurement requirements (minimum security features)
  2. Network segmentation requirements for medical IoT devices
  3. Authentication and credential management standards
  4. Firmware update and patch management procedures
  5. Monitoring and incident response for IoT devices
  6. End-of-life device handling and decommissioning
  7. Vendor security assessment requirements
  8. Compliance mapping (HIPAA, FDA guidance for medical devices)
  9. Physical security requirements for deployed devices
  10. BLE and wireless communication security standards

The policy should be detailed enough to serve as an actual organizational standard.

Exercise 31.16: MedSecure IoT Threat Model (Advanced)

Create a comprehensive threat model for MedSecure's vital signs monitoring system:

  1. System decomposition:
     • List all components (device, BLE, mobile app, MQTT, cloud)
     • Map all data flows
     • Identify trust boundaries

  2. Threat identification using STRIDE:
     • For each component and data flow
     • Consider physical, network, and application-layer threats

  3. Risk assessment:
     • Likelihood and impact for each threat
     • Consider patient safety implications
     • Map to CVSS scores where applicable

  4. Mitigation planning:
     • Propose mitigations for all High and Critical risks
     • Prioritize by implementation feasibility
     • Estimate implementation effort