EXAMENSARBETE INOM DATATEKNIK, GRUNDNIVÅ, 15 HP STOCKHOLM, SVERIGE 2020 Ethical Hacking of an IoT-device: Threat Assessment and Penetration Testing A Survey on Security of a Smart Refrigerator FREDRIK RADHOLM NIKLAS ABEFELT KTH SKOLAN FÖR ELEKTROTEKNIK OCH DATAVETENSKAP Ethical Hacking of an IoT-device: Threat Assessment and Penetration Testing A Survey on Security of a Smart Refrigerator FREDRIK RADHOLM NIKLAS ABEFELT Bachelor in Computer Science First Cycle, 15 Credits Supervisor: Pontus Johnson Examiner: Robert Lagerström Examiner: Ibrahim Orhan TRITA-CBH-GRU-2020:210 School of Electrical Engineering and Computer Science Swedish title: Etisk Hackning av en IoT-enhet: Hotbedömning och Penetrationstestning Abstract Internet of things (IoT) devices are becoming more prevalent. Due to a rapidly growing market of these appliances, improper security measures lead to an expanding range of attacks. There is a devoir of testing and securing these devices to contribute to a more sustainable society. This thesis has evaluated the security of an IoT-refrigerator by using ethical hacking, where a threat model was produced to identify vulnerabilities. Penetration tests were performed based on the threat model. The results from the penetration tests did not find any exploitable vulnerabilities. The conclusion from evaluating the security of this Samsung refrigerator can say the product is secure and contributes to a connected, secure, and sustainable society. Keywords Internet of things (IoT), device, security, penetration testing, threat assessment, vulnerabilities Sammanfattning Internet of Things (IoT) enheter blir mer allmänt förekommande. På grund av en snabbt expanderande marknad av dessa apparater, har bristfälliga säkerhetsåtgärder resulterat till en mängd olika attacker. Det finns ett behov att testa dessa enheter for att bidra till ett mer säkert och hållbart samhälle. Denna avhandling har utvärderat säkerheten av ett IoT-kylskåp genom att producera en hot modell för att identifiera sårbarheter. Penetrationstester har utförts på enheten, baserade på hot modellen. Resultatet av penetrationstesterna hittade inga utnyttjningsbara sårbarheter. Slutsatsen från utvärderingen av säkerheten på Samsung-kylskåpet är att produkten är säker och bidrar till ett uppkopplat, säkert, och hållbart samhälle. Keywords Internet of things (IoT), enhet, säkerhet, penetrationstester, hotbedömning, sårbarheter Acknowledgement We would like to thank our supervisor Pontus Johnson and examiners Robert Lagerström and Ibrahim Orhan for allowing us to conduct this thesis. The support and guidance have been excellent during this period. Our knowledge regarding computer security has been greatly increased and will benefit us in the future. Fredrik and Niklas June 2020 Contents Introduction ____________________________________________ 1 1.1 Problem Definition __________________________________________ 2 1.2 Objective _________________________________________________ 2 1.3 Delimitations _______________________________________________ 3 Background ____________________________________________ 4 2.1 Introduction to the Internet of Things ____________________________ 5 2.1.1 Definition of IoT _________________________________________ 5 2.1.2 The Security Concern ____________________________________ 5 2.2 Consequences of Cyber Attacks _______________________________ 5 2.2.1 Mirai Botnet DDoS Attack _________________________________ 5 2.2.2 The Stuxnet Worm Attack _________________________________ 6 2.2.3 Economic Impact________________________________________ 6 2.3 Introduction to Ethical Hacking _________________________________ 7 2.4 Mitigating Security Risks and Threats ___________________________ 7 2.4.1 NCSC Security Analysis for the UK Telecom Sector_____________ 8 2.4.2 STRIDE Threat Analysis __________________________________ 9 2.4.3 DREAD Rating System ___________________________________ 9 Theoretical Background _________________________________ 10 3.1 Ports and Protocols ________________________________________ 11 3.1.1 Introduction to Ports ____________________________________ 11 3.1.2 The Internet Protocol – IP ________________________________ 11 3.1.3 The Hypertext Transfer Protocol – HTTP ____________________ 12 3.1.4 The Security Protocols – SSL/TLS _________________________ 12 3.1.5 Constrained Application Protocol – CoAP ____________________ 12 3.2 Firmware ________________________________________________ 13 3.3 Threat Modelling __________________________________________ 13 Research Methodology __________________________________ 15 4.1 Ethical Hacking ___________________________________________ 16 4.1.1 Method of Threat Assessment ____________________________ 16 4.1.2 Penetration Testing Methodology __________________________ 16 4.2 Environment and Utility _____________________________________ 18 4.2.1 Information Gathering Utilities _____________________________ 18 4.2.2 Tools for Man-in-the-middle ______________________________ 19 4.2.3 Tools for Target System Exploitation _______________________ 20 4.2.4 Utilities for Decompiling Mobile Applications __________________ 20 4.2.5 Documentation and Journaling ____________________________ 21 System Under Consideration _____________________________ 22 5.1 Samsung Family Hub Side-by-side Refrigerator __________________ 23 5.1.1 Tizen Operating System ________________________________ 23 5.1.1.1 Tizen Security Model _________________________________ 24 5.1.2 Samsung SmartThings Mobile Application __________________ 24 Related Work _________________________________________ 26 6.1 Related Work in Areas of Concern ____________________________ 27 Implementation ________________________________________ 28 7.1 Planning and Reconnaissance _______________________________ 29 7.1.1 Information Gathering __________________________________ 29 7.1.1.1 Passive Information Gathering __________________________ 29 7.1.1.2 Active Information Gathering ___________________________ 30 7.1.1.3 Acquiring Firmware __________________________________ 32 7.2 Scanning and Discovery ____________________________________ 33 7.2.1 Single Port Probing and Analysis __________________________ 33 7.3 Threat Assessment ________________________________________ 36 7.3.1 Identifying Assets ______________________________________ 37 7.3.2 Decomposing the System Under Consideration ______________ 38 7.3.3 Identifying Threats _____________________________________ 41 7.3.3.1 Relevant Attack Vectors and Documenting Threats __________ 43 7.3.3.2 Rating Threat Impact and Function Sensitivity ______________ 46 7.4 Attack and Gaining Access __________________________________ 46 7.4.1 Access User and Application Data _________________________ 46 7.4.1.1 Same-origin Policy Bypass _____________________________ 47 7.4.1.2 Open Redirect and Address Bar Spoofing _________________ 48 7.4.1.3 Further Penetration Testing with BeEF ___________________ 49 7.4.2 Abuse Open and Unsecured Ports ________________________ 49 7.4.2.1 Vulnerability Scan and Brute-force Attack with Nikto _________ 49 7.4.2.2 TCP SYN Flood Attack ________________________________ 51 7.4.2.3 CoAP Resource Discovery Tampering ____________________ 52 7.4.3 Spoof External Services _________________________________ 54 7.4.3.1 Spoofing Against Cloud-services ________________________ 54 7.4.3.2 Impersonating the Cloud-services _______________________ 54 7.4.3.3 Decompiling and Analysing the Mobile Application __________ 55 Result _______________________________________________ 57 8.1 Threat Traceability Matrix ___________________________________ 58 Discussion ___________________________________________ 59 9.1 Result __________________________________________________ 60 9.2 Sustainability and Ethics ____________________________________ 60 9.3 Further Research _________________________________________ 61 Conclusion ___________________________________________ 62 Bibliography __________________________________________ 64 Chapter I Introduction Overview of the project. Contains the classification of the thesis and revised topics such as the problem definition, objectives, and delimitations. CHAPTER 1. INTRODUCTION 1.1 Problem Definition Internet of things (IoT) devices are becoming more popular and according to the International Data Corporation (IDC) the number of these connected apparatuses will be estimated to 42 billion in 5 years1. An IoT device can be described as a physical object that have embedded cameras, sensors and with the purpose of transferring data from and to systems and other devices2. The data amount generated by IoT’s will produce up to 79 Zettabytes in the year of 2025. These devices will be connected to the internet and in some cases to each other, to build a more smart and sustainable society where these products will take care of certain tasks. Cyber-attacks are becoming more common and the need for securing these devices are becoming more vital as the attack surface is constantly growing, Symantec reported in 2017 a 600% increase in IoT attacks in 2017 [1]. Several units such as refrigerators, cars, lamps, and locks are connected, and security is becoming an increasingly important factor. The need for improving the security of these devices are vital when the use of IoT’s are rapidly increasing. 1.2 Objective The goal of this report is to evaluate the security of an IoT-device by using ethical hacking, where the product is proactively tested – with penetration testing – to contribute to a more secure and sustainable society. Actions that will be taken will be in the manner