
Chapter 2 - 07 - Understand IoT, OT, and Cloud Attacks - 02_ocred_fax_ocred.pdf

Certified Cybersecurity Technician Information Security Attacks Exam 212-82

BlueBorne Attack

A BlueBorne attack is performed on Bluetooth connections to gain access to and take full control of the target device. Attackers connect to nearby devices and exploit the vulnerabilities of the Bluetooth protocol to compromise the devices. BlueBorne is a collection of various techniques based on the known vulnerabilities of the Bluetooth protocol. This attack can be performed on multiple IoT devices, including those running operating systems such as Android, Linux, Windows, and older versions of iOS. In all operating systems, the Bluetooth process has high privileges. After gaining access to one device, an attacker can penetrate any corporate network using that device to steal critical information from the organization and spread malware to nearby devices.

BlueBorne is compatible with all software versions and does not require any user interaction, precondition, or configuration except for Bluetooth being active. This attack establishes a connection with the target Bluetooth-enabled device without even pairing with it. Using this attack, an attacker can discover Bluetooth-enabled devices even though they are not in an active discovery mode. Once the attacker identifies any nearby device, he/she tries to extract the MAC address and OS information to perform further exploitation on the target OS. Based on the vulnerabilities present in the Bluetooth protocol, attackers can even perform remote code execution and man-in-the-middle attacks on the target device. This attack can be performed on various IoT devices, such as smart TVs, phones, watches, car audio systems, printers, etc.

Steps to perform a BlueBorne attack:

- The attacker discovers active Bluetooth-enabled devices around him/her; all Bluetooth-enabled devices can be located even if they are not in discoverable mode
- After locating any nearby device, the attacker obtains the MAC address of the device
- Now, the attacker sends continuous probes to the target device to determine the OS
- After identifying the OS, the attacker exploits the vulnerabilities in the Bluetooth protocol to gain access to the target device
- Now the attacker can perform remote code execution or a man-in-the-middle attack and take full control of the device

[Figure 2.72: Illustration of BlueBorne attack. The figure shows the attacker discovering a Bluetooth device, retrieving its MAC address, retrieving OS information, and then gaining access to and controlling a Bluetooth-enabled printer in order to access the corporate network.]

Module 02 Page 364 Certified Cybersecurity Technician Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited.
SDR-Based Attacks on IoT

Software-defined radio (SDR) is a method of generating radio communications and implementing signal processing using software (or firmware), instead of the usual method of using hardware. Using this software-based radio communication system (self-created SDRs), an attacker can examine the communication signals in IoT networks and send spam content or texts to interconnected devices. The SDR system can also change the transmission and reception of signals between devices, depending on their software implementations. The attack can be carried out on both full-duplex (two-way communication) and half-duplex (one-way communication) transmission modes.

Types of SDR-based attacks performed by attackers to break into an IoT environment:

Replay Attack

This is the major attack described in IoT threats, in which attackers can capture the command sequence from connected devices and use it for later retransmission. An attacker can perform the below steps to launch a replay attack:

- The attacker targets the specified frequency that is required to share information between devices
- After obtaining the frequency, the attacker can capture the original data when the commands are initiated by the connected devices
- Once the original data is collected, the attacker uses free tools such as URH (Universal Radio Hacker) to segregate the command sequence
- The attacker then injects the segregated command sequence on the same frequency into the IoT network, which replays the commands or captured signals of the devices

Cryptanalysis Attack

A cryptanalysis attack is another type of substantial attack on IoT devices. In this attack, the procedure used by the attacker is the same as in a replay attack except for one additional step, i.e., reverse-engineering the protocol to obtain the original signal. To accomplish this task, the attacker must be skilled in cryptography, communication theory, and modulation schemes (to remove noise from the signal). This attack is practically not as easy to launch as a replay attack, yet the attacker can try to breach security using various tools and procedures.

Reconnaissance Attack

This is an addition to a cryptanalysis attack. In this attack, information can be obtained from the device's specifications. All IoT devices that run through RF signals must be certified by their country's authority, and then they officially disclose an analysis report of the device.
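One receiver-side countermeasure to the replay attack described above, as an added example that is not part of the textbook: a constructed actuator accepts a command frame only if its HMAC tag verifies and its counter is higher than the last one seen, so a frame captured with an SDR and re-injected on the same frequency is refused. The frame layout, key, command code and tag length are assumptions for illustration.

```python
import hmac
import hashlib
import struct

# Constructed example: authenticated, counter-protected command frames for an
# RF-controlled IoT actuator. Frame layout, key and command codes are assumed
# for illustration; they are not from the textbook or from any real product.
KEY = b"constructed-demo-key-not-for-production"
CMD_UNLOCK = 0x01
FRAME_LEN = 13  # 4-byte counter + 1-byte command + 8-byte truncated HMAC tag

class Transmitter:
    """Remote control: signs each command together with a strictly increasing counter."""
    def __init__(self, key):
        self.key, self.counter = key, 0

    def build_frame(self, command):
        self.counter += 1
        header = struct.pack(">IB", self.counter, command)
        tag = hmac.new(self.key, header, hashlib.sha256).digest()[:8]
        return header + tag

class Receiver:
    """Actuator: verifies the tag, then refuses any counter it has already seen."""
    def __init__(self, key):
        self.key, self.last_counter = key, 0
        self.events = []  # what a defender would forward to monitoring

    def accept(self, frame):
        if len(frame) != FRAME_LEN:
            self.events.append("malformed frame")
            return False
        header, tag = frame[:5], frame[5:]
        expected = hmac.new(self.key, header, hashlib.sha256).digest()[:8]
        if not hmac.compare_digest(tag, expected):
            self.events.append("bad tag")  # forged, corrupted or re-keyed frame
            return False
        counter, command = struct.unpack(">IB", header)
        if counter <= self.last_counter:  # a captured frame re-injected later
            self.events.append("replay: counter %d <= %d" % (counter, self.last_counter))
            return False
        self.last_counter = counter
        self.events.append("accepted command 0x%02x" % command)
        return True

def replay_demo():
    """Legitimate unlock accepted once; the identical bytes re-injected are refused."""
    tx, rx = Transmitter(KEY), Receiver(KEY)
    captured = tx.build_frame(CMD_UNLOCK)
    return rx.accept(captured), rx.accept(captured), rx.events
```

A fixed-code remote that omits the counter and tag is exactly what the replay steps above exploit; the events list is what a defender would log and alert on.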
Designers often prevent this kind of analysis by obscuring any identification marks from the chipset. Therefore, the attacker makes use of multimeters to investigate the chipset and mark out some identifications, such as ground pins, to discover the product ID and compare it with the published report.

HMI-based Attacks

Attackers often try to compromise an HMI system as it is the core hub that controls critical infrastructure. If attackers gain access over HMI systems, they can cause physical damage to the SCADA devices or collect sensitive information related to the critical architecture that can be used later to perform malicious activities. Using this information, attackers can disable alert notifications of incoming threats to SCADA systems. Discussed below are various SCADA vulnerabilities exploited by attackers to perform HMI-based attacks on industrial control systems:

Memory Corruption

The vulnerabilities in this category are code security issues that include out-of-bound read/write vulnerabilities and heap- and stack-based buffer overflows. In an HMI, memory corruption takes place when the memory contents are altered due to errors residing in the code. When these altered memory contents are used, the program crashes or performs unintended executions. Attackers can accomplish memory corruption simply by overwriting the code to cause a buffer overflow. Sometimes, the unflushed stack can also allow attackers to use string manipulation to abuse the program.

Credential Management

The vulnerabilities in this category include the use of hard-coded passwords, saving credentials in simple formats such as cleartext, and inappropriate credential protection. These vulnerabilities can be exploited by attackers to gain admin access to the systems and alter system databases or other settings.

Lack of Authorization/Authentication and Insecure Defaults

The vulnerabilities in this category include transmission of confidential information in cleartext, insecure defaults, missing encryption, and insecure ActiveX controls used for scripting. An authenticated SCADA solution administrator can view and access the passwords of other users. Attackers can exploit these vulnerabilities to gain illegal access over the target system, and further record or manipulate the information being transmitted or stored.

Code Injection

The vulnerabilities in this category include common code injections such as SQL, OS, command, and some domain-specific injections. Gamma script is one of the prominent domain-specific languages for HMIs that is prone to code injection attacks. This script is designed to develop fast-paced UI and control applications. An EvalExpression (evaluate, compile, and execute code at runtime) vulnerability in Gamma script can be exploited by attackers to send and execute controlled arbitrary scripts or commands on the target SCADA system.
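The EvalExpression-style weakness described above, shown as an added example that is not from the textbook and does not model Gamma script or any real HMI product: a constructed Python "derived tag" feature that evaluates an operator-supplied formula with eval, beside a hardened version that parses the formula and accepts only arithmetic over known tag names. The tag names and values are constructed.

```python
import ast
import operator

# Constructed sample of HMI process tags (not from any real system).
TAGS = {"TANK1_LEVEL": 75.0, "TANK1_MAX": 100.0, "PUMP1_RPM": 1450.0}

def evaluate_unsafe(expression, tags=TAGS):
    """EvalExpression-style pattern: the formula string is compiled and run
    at runtime, so anything the language can express executes, not just
    arithmetic on tags. Kept only to contrast with evaluate_safe."""
    return eval(expression, {"__builtins__": {}}, dict(tags))

# Only these binary operators are permitted in a derived-tag formula.
ALLOWED_BINOPS = {
    ast.Add: operator.add,
    ast.Sub: operator.sub,
    ast.Mult: operator.mul,
    ast.Div: operator.truediv,
}

def evaluate_safe(expression, tags=TAGS):
    """Parse the formula into an AST and walk it against an allowlist:
    numeric literals, known tag names, + - * / and unary minus. Attribute
    access, calls, subscripts and unknown names are rejected before anything
    is evaluated, so the formula can never become code."""
    tree = ast.parse(expression, mode="eval")

    def walk(node):
        if isinstance(node, ast.Expression):
            return walk(node.body)
        if (isinstance(node, ast.Constant) and isinstance(node.value, (int, float))
                and not isinstance(node.value, bool)):
            return float(node.value)
        if isinstance(node, ast.Name):
            if node.id not in tags:
                raise ValueError("unknown tag: %s" % node.id)
            return float(tags[node.id])
        if isinstance(node, ast.BinOp) and type(node.op) in ALLOWED_BINOPS:
            return ALLOWED_BINOPS[type(node.op)](walk(node.left), walk(node.right))
        if isinstance(node, ast.UnaryOp) and isinstance(node.op, ast.USub):
            return -walk(node.operand)
        raise ValueError("disallowed construct: %s" % type(node).__name__)

    return walk(tree)

def try_evaluate(expression, tags=TAGS):
    """What the HMI should call: (True, value) or (False, reason), so rejected
    formulas are logged and shown to the operator instead of executed."""
    try:
        return True, evaluate_safe(expression, tags)
    except (ValueError, SyntaxError, ZeroDivisionError) as exc:
        return False, "%s" % exc
```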
