Mobile Comms and IOT Flashcards

(54 cards)

1
Q

Bring Your Own Device (BYOD)

A

Allowing employees to use a personal phone for company business and to store company data on the phone

2
Q

Smartphone attacks

A
  1. Attack the device: Browser attack, phishing, SMS, rooting and jailbreaking
  2. Network attack: DNS cache poisoning, rogue access points, packet sniffing
  3. Data center or cloud attack:
3
Q

OWASP Top Ten for Mobile

A
M1: Improper Platform Usage
M2: Insecure Data Storage
M3: Insecure Communication
M4: Insecure Authentication
M5: Insufficient Cryptography
M6: Insecure Authorization
M7: Client Code Quality
M8: Code Tampering
M9: Reverse Engineering
M10: Extraneous Functionality
4
Q

M1: Improper Platform Usage

A

Android intents,
platform permissions,
misuse of TouchID, the Keychain or other security control that is part of the mobile operating system.

5
Q

M2: Insecure Data Storage

A

Insecure data storage and unintended data leakage,

6
Q

M3: Insecure Communication

A
Poor handshaking, 
incorrect SSL versions, 
weak negotiations, 
clear-text communication of sensitive assets, 
insecure communications channels.
7
Q

M4: Insecure Authentication

A

Failing to identify the user, failure to maintain user’s identity and weakness in session management

8
Q

M5: Insufficient Cryptography

A

Anything and everything related to TLS or SSL but not if cryptography is not employed which is M2. This is attempting to use cryptography, just not correctly.

9
Q

M6: Insecure Authorization

A

Failures to properly authorize a user.

10
Q

M7: Client Code Quality

A

Code level implementations in the mobile client like buffer overflows,
format string vulnerabilities, and
various other code level mistakes where the solution is to rewrite (patch) the code.

11
Q

M8: Code Tampering

A
Binary patching, 
local resource modification, 
method hooking, 
method swizzling, and 
dynamic memory modification.
12
Q

M9: Reverse Engineering

A

Analysis of a binary to determine its source code, libraries, algorithms, and other assets. Tools like IDA Pro, Hopper, and otool are binary inspection tools.

13
Q

M10: Extraneous Functionality

A

Build in a backdoor

14
Q

Rooting and jailbreaking

A
Modifying a mobile OS to gain root access to the device. 
Rooting Android tools: 
KingoRoot, 
TunesGo, 
OneClickRoot, 
MTKDroid
Jailbreaking IOS tools: 
evasi0n7, 
GeekSn0w, 
Pangu, 
Redsn0w, 
Absinthe, 
Cydia
15
Q

Three Techniques of Jailbreaking IOS

A
  1. Untethered jailbreaking: The kernel will remain patched (jailbroken) after reboot, with or without a system connection
  2. Semi-tethered jailbreaking: a reboot no longer retains the patched kernel but the software resides and can be applied again when needed
  3. Tethered jailbreaking: A reboot removes all jailbreaking patches and the phone may get stuck in a perpetual loop at startup requiring a USB system connection to repair.
16
Q

Three types of Jailbreaking IOS

A
  1. Userland exploit: Cannot be tethered and can be patched by Apple. Provides user-level access but not Admin. Equates to OS level
  2. iBoot exploit: vulnerability found in the device’s bootloader. iBoot to turn codesign off and run a program. iBoot can be semi-tethered and patched by Apple
  3. BootROM exploit - Allows access to the file system, iBoot, and custom boot logos and is found in the device’s first bootloader, SecureROM. This can be untethered and cannot be patched by Apple. The bootrom exploit is the lowest level and the only way Apple can “fix” this is by releasing new hardware.
17
Q

Android Device Administration API

A

Provides system-level device administration to create security-aware apps.

18
Q

Mobile Device Management - MDM

A

Can push security policies, applications, and monitor device, passcodes for device unlocking, remote locking, remote wipe, root or jailbreak detection, policy enforcement, inventory and monitoring. Solutions: XenMobile,
IBM MaaS360,
AirWatch,
MobiControl

19
Q

Bluetooth

A

Open wireless technology for data exchange over short range (10 meters or less). Easy to discover and hack. Has two modes, Discovery Mode and Pairing Mode.

20
Q

Bluetooth Discovery Mode

A

Determines how the device reacts to inquiries from other devices looking to connect. Has three actions:

  1. Discoverable - respond to all queries
  2. Limited Discoverable - restrict who can query
  3. Nondiscoverable - ignores all queries
21
Q

Bluetooth Pairing Mode

A

Tells the device how to react when another Bluetooth system asks to pair with it.

  1. Pairable
  2. Nonpairable
22
Q

Mobile Attacks

A

SMS Phishing
Trojans: Android: Obad, Fakedefender, TRAMPA, ZitMo
Spyware: Mobile Spy, Spyera
Tracking: AndroidLost, FindMyIphone, WheresMyDroid

23
Q

Stagefright

A

Software bugs affecting Android operating systems to perform remote code execution and privilege escalation

24
Q

Mobile Device as an attack platform

A

Network Spoofer

DroidSheep - perform sidejacking by listening to wireless packets and pulling session IDs

25
NetCut
You can identify all systems on your current WiFi and cut them off with the click of a button
26
Bluetooth attacks
  1. Bluesmacking - denial of service attack
  2. Bluejacking - sending unsolicited messages to and from mobile devices
  3. Bluesniffing - discover bluetooth devices (like war driving)
  4. BlueBugging - successfully access a bluetooth device and remotely use its features
  5. Bluesnarfing - theft of data from a mobile device due to an open connection
  6. Blueprinting - footprinting for Bluetooth
27
Bluetooth attack tools
Bluescanner - locates bluetooth devices
BtBrowser - locate and enumerate
Bluesniff
btCrawler
Bloover - good for bluebugging
Phonesnoop - spyware
Super Bluetooth Hack - all in one software for hacking bluetooth
28
Internet of Things - wearables
Array of smart watches and other items worn by a user that are internet accessible
29
IOT
A network of everyday objects with IP addresses that have the capability of sensing, collecting, and sending data to each other made possible by machine to machine communication, large availability of storage and inter networked communication.
30
IOT Components
  1. Sensing Technology
  2. IOT Gateways
  3. Cloud
31
IOT Operating Systems
Riot OS - embedded systems, actuator boards, sensors, energy efficient and uses minimal resources
ARM mbed OS - low powered wearable devices
RealSense OS X - cameras, Intel's depth sensing version
Nucleus RTOS - used in Aerospace, medical and industrial applications
Brillo - Android based OS normally found in thermostats
Contiki - made for low powered devices found in street lighting and sound monitoring
Zephyr - low power devices
Ubuntu Core - used in robots, drones - also known as snappy
Integrity OS - found in aerospace, medical, defense, industrial and automotive sectors
Apache Mynewt - devices using Bluetooth Low Energy protocol
32
IOT Communications models
  1. Device to Device
  2. Device to Gateway (before sending to cloud)
  3. Device to Cloud
  4. Back-end data sharing
33
Vehicle Ad Hoc Network (VANET)
The spontaneous creation of a wireless network by vehicles for vehicle-to-vehicle (V2V) data exchange
34
IOT Architecture Layers
Edge Technology Layer - sensors, RFID tags, readers and devices
Access Gateway Layer - First data handling, message identification and routing
Internet Layer - main component for all communication
Middleware Layer - handles data and device management, data analysis and aggregation
Application Layer - delivery of services and data to the user
35
OWASP - Top ten IOT vulnerabilities and attacks
I1: Insecure Web Interface
I2: Insufficient authentication/authorization
I3: Insecure Network Services
I4: Lack of transport encryption/integrity verification
I5: Privacy Concern
I6: Insecure Cloud Interface
I7: Insecure Mobile Interface
I8: Insufficient Security Configurability
I9: Insecure Software/Firmware
I10: Poor Physical Security
36
Attacks against IOT
Distributed Denial of Service (DDOS)
Sybil Attack
Rolling Code attack
Ransomware
Man in the middle
Side Channel
Malware
37
Sybil Attack
An attack wherein a reputation system is subverted by forging identities in peer-to-peer networks. In a Sybil attack, the attacker subverts the reputation system of a peer-to-peer network by creating a large number of pseudonymous identities and uses them to gain a disproportionately large influence. A reputation system's vulnerability to a Sybil attack depends on how cheaply identities can be generated, the degree to which the reputation system accepts inputs from entities that do not have a chain of trust linking them to a trusted entity, and whether the reputation system treats all entities identically. Multiple forged identities are used to create the illusion of traffic congestion that affects everyone else in the local IOT network.
38
Rolling Code attack also called a hopping code
The code used by a car key fob is called a rolling code. An attacker can sniff for the first part of the code, jam the key fob, and sniff the second part, allowing the attacker to steal the code and the car. Tool: HackRF
39
Blueborne Attack
An amalgamation of techniques against known, already existing Bluetooth vulnerabilities
40
IOT Hacking Methodology
Information gathering, vulnerability scanning, launching attacks, gaining access and maintaining access
41
IOT Search Engine
Shodan
42
Vulnerability scanners and assessment tools for IOT
NMAP
RIoT Vulnerability Scanner
beSTORM
IoTSploit
IoTInspector
Nessus
43
Attacking IOT tools
Firmalyzer
KillerBee
JTAGulator
Attify Zigbee Framework
Telnet
44
IOT Sniffers
Foren6
Z-wave
Cloudshark
45
OWASP I1: Insecure Web Interface
Account enumeration, lack of account lockout and weak credentials present
46
OWASP I2: Insufficient Authentication/Authorization
Weak passwords
47
OWASP I3: Insecure Network Services
Susceptible to buffer overflow attacks or creating denial of service opportunities
48
OWASP I4: Lack of Transport Encryption/Integrity Verification
Allows data to be viewed as it travels over local networks or the Internet
49
OWASP I5: Privacy Concern
Collection of personal data without proper protection
50
OWASP I6: Insecure Cloud Interface
When easy to guess credentials are used or account enumeration is possible
51
OWASP I7: Insecure Mobile Interface
When easy to guess credentials are used or account enumeration is possible
52
OWASP I8: Insufficient Security Configurability
When users of the device have limited or no ability to alter its security controls
53
OWASP I9: Insecure Software/Firmware
Lack of the ability to be updated
54
OWASP I10: Poor Physical Security
When an attacker can disassemble a device to easily access the storage medium