License
Copyright © 2015 Michael Schloh von Bennewitz
Permission is granted to copy, distribute and/or
modify this document under the terms of the GNU Free
Documentation License, Version 1.3 or any later version
published by the Free Software Foundation; with no
Invariant Sections, no Front-Cover Texts, and no
Back-Cover Texts. A copy of the license is included
in the document entitled “fdl-1.3.txt”
Attacking Internet
of Things Telemetry
Presented by: Michael Schloh von Bennewitz
Download at: lect.europalab.com/ccciotelm
In this hour…
- IoT definitions
- Industrial trends
- Sensor & actuators
- Telemetry & telecommand
- Protocols & transports
- Coding & attack demos
Experimentation
Experimentation
Experimentation
Warning: Passive
monitoring demos
Scanning the network…
Albert Einstein's IBM
Ada Lovelace's PDP-11Attack scenarios
| Method | Device | Passive | Active |
|---|---|---|---|
| 802.3 capture | Ethernet tap | ✓ | ✕ |
| 802.11 MITM | Pineapple MKV | ✓ | ✕ |
| BT/BLE capture | Ubertooth one | ✓ | ✕ |
| Z-Wave/Zigbee | MuCCC Rad1o | ✕ | ✕ |
MQTT cat client sample 0
$ mosquitto_pub -h mqtt.devlol.org -t "devlol/winkekatze" -m "WINK"
$Publishing to cat using mosquitto_pub(1)
Web history
- Web 1.0
- Web 2.0
- Social web
- Mobile web
- Ubiquitous web
The case for IoT
- IDC: $8.9 trillion market in 2020
- Gartner: 26 billion IoTs by 2020
- ABI Research: 30 billion IoTs by 2020
- Tech providers growing deal size
Sensor platforms
Sensor platforms
Sensor platforms
Beacon construction
Sensor platforms
Sensor platforms
M2M sensor routing
Biological sensor routing
Wearables
Wearables
Q: What does a ‘BAN’ connect?
Q: What does a ‘BAN’ connect?
A: BAN == Body Area Network
Not a sensor platform
Crit infrastructure
- Pressure temperature
- Military geolocation
- Aircraft altitudes
- Water chemistry
Ethics & legality
- Insulin pump 0 day
- EKG heartmon 0 day
- Electropill dose 0 day
- EFF policy distance
Device relations
- Sensors produce telemetry
- Actuators consume telecommands
- Computers route, store, forward
- IoT is a buzzword (don't use it)
Defining telemetry
NASA: “the highly automated communications process by which measurements are made and other data collected at remote or inaccessible points and transmitted to receiving equipment for monitoring.”
Defining telecommand
Wikipedia: “A telecommand is a command sent to control a remote system or systems not directly connected (e.g. via wires) to the place from which the telecommand is sent.”
Protocols
- MQTT (OASIS spec)
- CoAP (RFC 7252)
- AMQP (ISO/IEC 19464)
- LWM2M (OMA LWM2M)
- ZeroMQ (Nospec)
Transports
- Bluetooth 2/3
- Bluetooth LE
- Zigbee
- Z-Wave
- Internet
Q: Which IM app uses MQTT?
Q: Which IM app uses MQTT?
A: Facebook Messenger!
MQTT
MQTT JavaScript code sample 1
// Simple subscribe client (use test.mosquitto.org?)
var mqtt = require('mqtt'), locli = mqtt.connect('mqtt://host/');
locli.subscribe('messages');
locli.on('message', function(topic, message) {
console.log(message.toString());
});Subscribing topics via MQTT from the broker
MQTT JavaScript code sample 2
// Simple publish client (use test.mosquitto.org?)
var mqtt = require('mqtt'), locli = mqtt.connect('mqtt://host/');
locli.publish('messages', 'Mqtt is pretty cool');
locli.end();
// Other MQTT features like last will
// testament, data retention, or QoS
Publishing messages via MQTT to the broker
IEEE802.11 sniffing
Capture by MITM insertion
IEEE802.3 tapping
Easy capturing from Ethernet cable
Network topologies
P2P topology
Tree topology
Mesh topology
Star topology
piconets
Master operates on only one 
mode
Dissecting 
BD_ADDR 00:06:66:42:21:52
Dissecting
sniffing
- Piconet
- Slave device
- Master device
- BT device address
- LAP
- UAP
- NAP
sniffing
- Timing
- CLK27
- CLKN
- Frequency hopping
- AFH map
- We need LAP, UAP and CLKN!
packet injection
- Channel map size
- Changed mapping
- (Non)AFH piconets
- Transmit time slot <10 ms
- Sloppy retry until lucky?
packet injection
- CRC checksum
- Auto retrans req
- Packet whitening
- Role switches and…
- Sniff, hold, park mode
attack vectors
- Packet injection
- Service denial
- Data manipulation
- Evil twin MITM
- Connection hijacking
- Reconnect in specification
attack vectors
- Passive analysis
- Identity theft
- Data theft
- Staged trigger
- Timed attack
- NFC combination
BLE applications
- Heart rate monitors
- Blood pressure monitors
- Beacon geography targets
- Industrial monitoring sensors
- Public transportation apps
demonstrations
sniffing
Penetration testing
recon
// BlueZ samples
$ hcitool scan
Scanning ...
98:D6:XX:XX:XX:XX Nexus 4
00:0D:XX:XX:XX:XX Bluetooth Speaker
$ hcitool inq
Inquiring ...
98:D6:XX:XX:XX:XX clock offset: 0x0000 class: 0x5a020c
00:0D:XX:XX:XX:XX clock offset: 0x5a75 class: 0x240404
$ ./btclassify.py 0x5a020c 0x240404
0x5a020c: Phone (Smartphone): Telephony, Object Transfer, Capturing, Networking
0x240404: Audio/Video (Wearable Headset Device): Audio, Rendering
$ sdptool browse 98:D6:XX:XX:XX:XX | grep Service\ Name
Service Name: Headset Gateway
Service Name: Handsfree Gateway
$ sdptool records 00:0D:XX:XX:XX:XX
Service RecHandle: 0x10001
Service Class ID List:
"Audio Sink" (0x110b)
$ hcidump -w /tmp/inquriy.cap
$ wireshark && echo filter bthci.evt_code == 0x2f
Conducting reconnaissance with BlueZ
recon
// Ubertooth samples
$ ubertooth-specan-ui
$ ubertooth-scan -s -t 40 -x
// Pair master and slave
$ ubertooth-rx
$ ubertooth-dump
$ sudo ubertooth-follow -l cafe00 -u 0x12 -a
Address given, assuming address is remote
Address: 00:00:12:CA:FE:00
AFH Map=0x3cffe01f0000007f01df
systime=1431730852 ch= 0 LAP=cafe00 err=0 clk100ns=1240630361 clk1=12257125 s=-71 n=-86 snr=15
Packet decoded with clock 0x40 (rv=1)
Type: POLL
Type: POLL
systime=1431730852 ch= 0 LAP=cafe00 err=2 clk100ns=1242681473 clk1=12257453 s=-17 n=-86 snr=69
Packet decoded with clock 0x40 (rv=1)
Type: POLL
Type: POLL
systime=1431730852 ch= 0 LAP=cafe00 err=0 clk100ns=1243456829 clk1=12257577 s=-16 n=-86 snr=70
Packet decoded with clock 0x40 (rv=1)
Type: DM1
LT_ADDR: 2
LLID: 0
flow: 0
payload length: 29
Data: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Type: DM1
LT_ADDR: 2
LLID: 0
flow: 0
payload length: 29
Data: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Conducting reconnaissance with Ubertooth
BLE recon
$ ubertooth-btle -f
systime=1431576352 freq=2402 addr=8e89bed6 delta_t=316892.462 ms
00 15 07 13 8c c0 1a 1c 02 01 1a 0b ff 4c 00 09 06 03 86 0a 00 00 07 8d d3 0a
Advertising / AA 8e89bed6 / 21 bytes
Channel Index: 37
Type: ADV_IND
AdvA: 1c:1a:c0:8c:13:07 (public)
AdvData: 02 01 1a 0b ff 4c 00 09 06 03 86 0a 00 00 07
Type 01 (Flags)
00011010
Type ff
4c 00 09 06 03 86 0a 00 00 07
Data: 07 13 8c c0 1a 1c 02 01 1a 0b ff 4c 00 09 06 03 86 0a 00 00 07
CRC: 8d d3 0a
systime=1431576415 freq=2402 addr=8e89bed6 delta_t=1280.003 ms
00 0d 53 6f e6 0e fd 08 02 01 18 03 19 c0 00 db b7 44
Advertising / AA 8e89bed6 / 13 bytes
Channel Index: 37
Type: ADV_IND
AdvA: 08:fd:0e:e6:6f:53 (public)
AdvData: 02 01 18 03 19 c0 00
Type 01 (Flags)
00011000
Type 19
c0 00
Data: 53 6f e6 0e fd 08 02 01 18 03 19 c0 00
CRC: db b7 44
...or via Wireshark(1)
$ ubertooth-btle -f -c /tmp/pipe
$ echo 'Filter connection requests and nonzero data packets...'
$ echo 'btle.type == 0x05 || (btle.data && btle.length > 0)'
Conducting BLE reconnaissance with Ubertooth
Dirty tricks
Android HCI capture
/etc/bluetooth/bt_stack.conf
Free telem book
IBM Redbooks (Ebook, 2014)
Building... with MQTT, Boyd et al
Free IoT book
APress Open (Online Ebook, 2014)
Rethinking the IoT, Francis daCosta
To be continued…
- Bluetooth LE
- Active attacks
- Z-Wave (closed) ↓
- ZigBee 802.15.4
- Kisbee hardware
- The MuCCC Rad1o!
Human controlling the IoT or…
things controlling the human?
IoT definitions
Industrial trends
Sensor & actuators
Telemetry & telecommand
Protocols & transports
Industrial trends
Sensor & actuators
Telemetry & telecommand
Protocols & transports