Opening Framing
The Internet of Things (IoT) has dissolved the perimeter. We no longer have a "corporate network" inside a firewall; we have lightbulbs talking to cloud servers, infusion pumps connected to Wi-Fi, and cars receiving over-the-air firmware updates.
The Fundamental Shift: In traditional IT (Information Technology), we prioritize Confidentiality. If a bank server is attacked, we shut it down to protect the data. In OT (Operational Technology) and IoT, we prioritize Availability and Safety. If a connected pacemaker or a chemical plant valve is attacked, shutting it down might kill someone.
Why This Course Exists: IoT devices are rarely designed with security in mind. They are constrained by power, cost, and legacy code. This course is about the offensive and defensive techniques required to secure this chaotic new world.
- Contrast the CIA Triad (IT) with the AIC/Safety Triad (OT/IoT).
- Dissect the anatomy of an IoT device (MCU vs MPU, Firmware types).
- Map the expanded attack surface (Physical, Radio, Network, Cloud).
- Analyze the Mirai Botnet source code to understand automated exploitation.
- Apply OSINT techniques (Shodan, FCC ID) to perform passive reconnaissance.
- Evaluate the impact of new regulations (EU CRA, US Cyber Trust Mark).
1) The Paradigm Shift: CIA vs AIC
You cannot secure IoT using only IT mental models.
| Traditional IT Security | IoT / OT Security |
|---|---|
| Priority: C.I.A. | Priority: S.A.I.C. |
| 1. Confidentiality (Data) | 1. Safety (Human Life / Physics) |
| 2. Integrity | 2. Availability (Uptime) |
| 3. Availability | 3. Integrity |
| | 4. Confidentiality |
Scenario: Ransomware
- IT Server: "Isolate the machine immediately!" (Acceptable downtime)
- Smart Grid: "CANNOT ISOLATE." (Blackout kills hospital patients)
The Concept of "Cyber-Physical Systems"
IoT devices are Cyber-Physical Systems (CPS). They translate digital bits into kinetic action.
- Bit to Atom: A command `set_temp(100)` turns on a physical heater.
- Atom to Bit: A physical temperature sensor sends data `temp=100` to the cloud.
2) Anatomy of an IoT Device
To hack it, you must know what it is made of. It is not just a "small computer".
The Brain: MCU vs MPU
| Feature | Microcontroller (MCU) | Microprocessor (MPU) |
|---|---|---|
| Architecture | Everything on one chip (CPU, RAM, Flash). | Separate RAM, Flash, Peripherals. |
| OS | Bare Metal or RTOS (FreeRTOS). | Full OS (Linux, Android). |
| Resources | KB of RAM, MB of Flash. | GB of RAM, GB of Storage. |
| Typical Device | Smart Bulb, Thermostat, Sensor. | Smart TV, Router, Gateway. |
| Security Implication | Hard to patch. No ASLR/DEP usually. | Complex attack surface. Full Linux stack vulnerabilities. |
Firmware Types
- Bare Metal: Code runs in a `while(1)` loop. No OS. Direct hardware access.
  Vuln: Memory corruption crashes the whole device instantly.
- RTOS: A scheduler handles tasks (Network, Sensor, GUI), e.g., FreeRTOS, Zephyr.
  Vuln: Task isolation is often weak. One crashed task can halt the scheduler.
3) The Expanded Attack Surface
In web security, you worry about ports 80/443. In IoT, the attack surface is 360 degrees.
Layer 1: Physical Surface
If the attacker can touch the device, it's game over.
- Exposed Ports: USB, Ethernet, SD Slots.
- Debug Interfaces: UART (Serial console), JTAG (Processor control).
- Chip Attacks: Glitching (Fault Injection), Side-Channel Analysis (Power monitoring).
- Storage: Desoldering the Flash chip to read firmware directly.
Layer 2: Wireless/Radio Surface
Signals leave the building. You can be attacked from the parking lot.
- Wi-Fi: Deauth attacks, weak WPA2 PSK.
- Bluetooth (BLE): Spoofing, Man-in-the-Middle (MITM) during pairing.
- Zigbee/LoRa: Replay attacks, Key sniffing.
- SDR (Software Defined Radio): Replaying garage door openers (Sub-GHz).
Layer 3: Network Surface
The "Traditional" attack surface, but with older protocols.
- Telnet: Yes, it is still used in 2025.
- UPnP: Universal Plug and Play exposing internal devices to the WAN.
- Unencrypted Protocols: MQTT, HTTP and FTP send passwords in cleartext.
Layer 4: Cloud/API Surface
The "Backend" that controls the device.
- Insecure APIs: IDOR (Insecure Direct Object Reference) allowing User A to turn off User B's alarm.
- Hardcoded API Keys: Found inside the firmware image.
Layer 5: Supply Chain Surface
The code you didn't write and the chips you didn't design.
- Third-Party Libraries: "Ripple20" found flaws in a TCP/IP stack used by hundreds of vendors.
- Counterfeit Chips: Cloned hardware with backdoors or lower tolerances.
- Vendor Compromise: Attackers hacking the build server (SolarWinds style) to push malicious firmware updates.
4) Deep Dive: OWASP IoT Top 10
The definitive list of IoT vulnerabilities. We will break down each one.
I1: Weak, Guessable, or Hardcoded Passwords
The Flaw: Shipping devices with credentials like `admin:1234` or hardcoding a backdoor root password in the firmware that represents a "Golden Key" for all devices.
I2: Insecure Network Services
The Flaw: Running unnecessary services (Telnet, SSH, FTP, Debug) or exposing them to the internet via UPnP.
Remediation: Shrink the attack surface. If you don't need it, close the port.
I3: Insecure Ecosystem Interfaces
The Flaw: The device is safe, but the Mobile App or Cloud API is weak.
I4: Lack of Secure Update Mechanism
The Flaw: Devices that cannot be patched, or updates that are sent over HTTP without digital signatures.
Remediation: All firmware updates must be Signed (Cryptographically verified) and Encrypted.
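The update check described above, as an added example that is not code from the page or any vendor: a device-side verifier that authenticates the manifest before trusting it, rejects rollbacks, binds the image to the manifest by digest, and refuses plaintext download URLs. The key, image bytes, installed version and manifest layout are all constructed; HMAC stands in for the asymmetric signature a real device would verify with a vendor public key, because the Python standard library has no asymmetric primitives.

```python
import hashlib
import hmac
import json

# Constructed values: a toy provisioned key and firmware image. A real device
# holds only a public key and the vendor signs with the private half.
DEVICE_KEY = b"example-provisioned-key-not-for-production"
FIRMWARE_IMAGE = b"\x7fELF-toy-firmware-v2\x00" * 8
INSTALLED_VERSION = 7


def build_manifest(image, version, key=DEVICE_KEY):
    """Vendor side: describe the image, then authenticate the description."""
    body = {"version": version,
            "sha256": hashlib.sha256(image).hexdigest(),
            "url": "https://updates.example.invalid/fw.bin"}  # assumed URL
    raw = json.dumps(body, sort_keys=True).encode()
    tag = hmac.new(key, raw, hashlib.sha256).hexdigest()
    return {"manifest": raw, "tag": tag}


def verify_update(bundle, image, installed_version=INSTALLED_VERSION,
                  key=DEVICE_KEY):
    """Device side. Returns (ok, reason); any failure aborts the flash."""
    raw, tag = bundle["manifest"], bundle["tag"]
    # 1. Authenticate the manifest before trusting any field inside it.
    expected = hmac.new(key, raw, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):
        return False, "bad signature"
    body = json.loads(raw)
    # 2. Anti-rollback: never accept an older (possibly vulnerable) build.
    if body["version"] <= installed_version:
        return False, "rollback"
    # 3. Bind the downloaded image to the manifest via its digest.
    if hashlib.sha256(image).hexdigest() != body["sha256"]:
        return False, "image digest mismatch"
    # 4. Refuse plaintext transport for the image download itself.
    if not body["url"].startswith("https://"):
        return False, "insecure transport"
    return True, "ok"
```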
I5: Use of Insecure or Outdated Components
The Flaw: Using a 5-year-old version of OpenSSL or a legacy Linux kernel.
The Fix: Maintain a Software Bill of Materials (SBOM) and monitor for CVEs.
I6: Insufficient Privacy Protection
The Flaw: Storing user data (voice, video, GPS) that isn't needed for the device to function.
I7: Insecure Data Transfer and Storage
The Flaw: Storing Wi-Fi passwords in plaintext in the EEPROM or sending telemetry over unencrypted MQTT.
I8: Lack of Device Management
The Flaw: No way to inventory devices or decommission them safely (wipe data) when selling.
I9: Insecure Default Settings
The Flaw: Shipping with debug ports open or "Guest Mode" enabled by default.
I10: Lack of Physical Hardening
The Flaw: Allowing easy access to the PCB, debug pads, or SD card slots.
5) Deep Dive: The Mirai Botnet
In 2016, three teenagers created a botnet that took down the internet for the US East Coast. It relied entirely on fundamental IoT weaknesses.
The Code Anatomy
Mirai wasn't complex. It was brutally efficient.
```c
// Simplified sketch of the scanner loop (illustrative pseudocode)
// 1. Generate random IP address
ip = generate_random_ip();
// 2. Try to connect to Port 23 (Telnet)
if (connect(sock, ip, 23) == SUCCESS) {
    // 3. Brute force with a small dictionary of default credentials
    for (int i = 0; i < 62; i++) {
        if (try_login(usernames[i], passwords[i])) {
            // 4. Hand the working credential pair to the loader
            report_success_to_loader(ip, usernames[i], passwords[i]);
            break;
        }
    }
}
```
The Combo List
Mirai didn't crack passwords; it guessed them. The 62 combinations included:
- admin:admin
- root:root
- root:12345
- admin:password
- support:support
- root:vizxv
- admin:1111
- guest:12345
- tech:tech
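The defender's view of the scanner loop above, as an added example that is not part of the original course material: a detector that reads Telnet daemon log lines, flags a source that racks up a burst of failed logins inside a short window (the dictionary run), and escalates when a successful login follows that burst (a default credential was guessed). The log format and all addresses are constructed.

```python
import re
from collections import defaultdict

# Constructed sample log (not real data). Assumed line format:
# "<epoch> telnetd: <fail|login> user=<name> src=<ip>"
SAMPLE_LOG = """\
1700000001 telnetd: fail user=admin src=203.0.113.5
1700000002 telnetd: fail user=root src=203.0.113.5
1700000003 telnetd: fail user=support src=203.0.113.5
1700000004 telnetd: fail user=guest src=203.0.113.5
1700000005 telnetd: fail user=tech src=203.0.113.5
1700000006 telnetd: login user=root src=203.0.113.5
1700000010 telnetd: login user=admin src=192.0.2.10
1700000300 telnetd: fail user=root src=198.51.100.7
"""

LINE_RE = re.compile(r"^(\d+) telnetd: (fail|login) user=(\S+) src=(\S+)$")


def detect_bruteforce(log_text, threshold=5, window=60):
    """Return {src_ip: verdict}.

    "bruteforce": >= threshold failed logins within `window` seconds.
    "compromised": a successful login from a source already flagged.
    """
    fails = defaultdict(list)   # src -> timestamps of recent failures
    verdicts = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue            # unrelated line, ignore
        ts, result, src = int(m[1]), m[2], m[4]
        if result == "fail":
            # Keep only failures that fall inside the sliding window.
            fails[src] = [t for t in fails[src] if ts - t <= window] + [ts]
            if len(fails[src]) >= threshold:
                verdicts.setdefault(src, "bruteforce")
        elif result == "login" and verdicts.get(src) == "bruteforce":
            verdicts[src] = "compromised"   # dictionary run, then success
    return verdicts
```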
6) Deep Dive: Stuxnet (The Physical Attack)
Stuxnet (2010) is the most famous cyber-weapon in history. It destroyed nuclear centrifuges in Iran. It is the ultimate example of "Effects-Based" cyber attacks.
The Kill Chain
- Infection: USB drives dropped in parking lots (Bridging the Air Gap).
- Propagation: 4 Zero-Day exploits in Windows Print Spooler and LNK files (Layer 3).
- The Target: It looked specifically for Siemens Step7 software (SCADA Layer 2).
- The Payload:
- It injected malicious ladder logic into the PLC (Level 1).
- The logic spun the centrifuges at 1410 Hz (too fast) then 2 Hz (too slow), causing them to shatter (Level 0).
- The Mask: It replayed "System Normal" sensor data to the control room, so operators saw nothing wrong until they heard the explosions (S.A.I.C violation).
7) The OSINT Toolkit
Before an attacker touches a device, they perform Passive Reconnaissance.
Shodan: The Search Engine for IoT
Google crawls text; Shodan crawls banners. It connects to ports 80, 21, 22 and 502 (Modbus) and records the response.
```
# Find exposed Webcams
"Server: SQ-WEBCAM" port:80
# Find Industrial Control Systems (Modbus)
port:502
# Find MQTT Brokers with no auth
port:1883 "MQTT Connection Code: 0"
# Find default Routers in Australia
country:AU default password
# Find VNC (Remote Desktop) without Auth
"authentication disabled" "RFB 003.008"
```
FCC ID Lookup
Every wireless device sold in the USA must register with the FCC. This public database is a goldmine.
Search: fccid.io/[ID_ON_BACK_OF_DEVICE]
8) Regulations: The Law Has Arrived
For decades, IoT was the "Wild West". That ended in 2024.
EU Cyber Resilience Act (CRA)
Mandatory key features:
- No default passwords.
- Mandatory vulnerability reporting (within 24 hours).
- Security updates for the expected lifespan of the product (min 5 years).
Penalty: Up to €15M or 2.5% of global turnover.
UK PSTI Act (2024)
Bans generic default passwords (e.g., "admin"). Requires a published point of contact for vulnerability researchers.
US Cyber Trust Mark
A voluntary labeling program (like Energy Star) for secure IoT devices. Consumers scan a QR code to see privacy data.
9) Career Pathways in IoT Security
Where does this course lead you? The industry is desperate for specialists.
Role: IoT Penetration Tester
Focus: Reverse engineering, exploiting buffer overflows, soldering headers.
Role: Embedded Security Architect
Focus: Designing secure boot, implementing TrustZone, code reviews.
Role: OT Security Analyst
Focus: Monitoring Intrusion Detection Systems (IDS) in factories, Incident Response.
Guided Lab: Digital Exhaust
Objective: Perform passive reconnaissance on a target device using OSINT.
Target: A popular IP Camera (simulated scenario).
Step 1: The FCC Recon
1. Go to fccid.io.
2. Search for `2AD6M-C12` (Example generic camera ID).
3. Find "Internal Photos".
4. Identify the SoC: Look for the biggest chip. Is it HiSilicon? Mediatek?
5. Identify Debug Ports: Look for 3-4 holes in a row labelled `TX`, `RX`, `GND`.
Step 2: Shodan Hunting
1. Go to shodan.io (Create a free account).
2. Search: cam_user_config_file (A known weak header).
3. Observe how many devices expose their config files to the open internet.
4. Do NOT interact. Looking is legal; touching is a crime.
Step 3: CVE Lookup
1. Go to cve.mitre.org.
2. Search for the vendor name found in Step 1.
3. Are there unpatched RCE (Remote Code Execution) vulnerabilities?
Tools of the Trade
The standard toolkit from Phase 1 (Reconnaissance).
| Tool | Function | Cost | Link |
|---|---|---|---|
| Shodan | Search engine for IoT devices. | Freemium | shodan.io |
| Censys | Competitor to Shodan, better for Certs. | Freemium | censys.io |
| GreyNoise | Analyze "Background Noise" (Is this IP scanning everyone?). | Freemium | greynoise.io |
| Aircrack-ng | Wi-Fi packet capture and cracking. | Free | aircrack-ng.org |
| Wireshark | Packet analysis. | Free | wireshark.org |
| Binwalk | Firmware extraction tool. | Free | github.com/ReFirmLabs/binwalk |
Glossary of Terms
- AIC / CIAA
- Availability, Integrity, Confidentiality, Authenticity. The priority stack for IoT/OT.
- Attack Surface
- The sum of all potential entry points (Physical, Network, Radio, Supply Chain).
- Cyber-Physical System (CPS)
- A system where software controls physical mechanisms/processes.
- Firmware
- Permanent software programmed into a read-only memory.
- Kinetic Impact
- Physical damage or effect caused by a cyber attack.
- MCU
- Microcontroller Unit. A low-power computer-on-a-chip (RAM+CPU+Flash).
- Mirai
- A malware that turns networked devices running Linux into remote controlled bots.
- OSINT
- Open Source Intelligence. Gathering data from public sources (Google, Shodan, FCC).
- RTOS
- Real-Time Operating System. An OS designed for deterministic task execution (e.g., FreeRTOS).
- SBOM
- Software Bill of Materials. A list of all software components/libraries in a device.
- Shodan
- A search engine for internet-connected devices.
- Side-Channel Attack
- Attacking a device by measuring physical leakage (power consumption, electromagnetic radiation) rather than software bugs.
- Stuxnet
- A malicious computer worm, first uncovered in 2010, that targets industrial control systems.
- UART
- Universal Asynchronous Receiver-Transmitter. A hardware serial protocol often used for debugging consoles.
Weekly Reflection
Look around your room. Pick one "Smart" device.
1. Who made the chip inside it? (Supply Chain)
2. When was it last updated? (Lifecycle)
3. Does it need to be on the internet? (Attack Surface)
"Security is not a product, but a process." — Bruce Schneier