One Day Pentest

Back in 2019 I gave a presentation at hardwear.io titled “Day One with a TTIG-868”. My talk was aimed at two aspects: an insight into the device (I was curious, as I had seen multiple commercial LoRaWAN gateways before) and sharing the concept of single-day security tests. Right now I am back at the point of wanting to stress the method as a potential quality assurance approach.

What is Pentest?

Covered in many ISMS documents and in personal and emotional discussions, a Pentest is a thorough security analysis which is usually wrapped in scope and time constraints, the latter usually limited by the budget. The scope in return describes the attack surface (protocols, interfaces, API endpoints, specific attacks) which should be covered. Within the scope, ideally, a human security expert hacks away, applying personal experience and creativity and checking for both known and unknown issues. The creativity invested into this process is what makes Pentests so helpful. This is at the same time the core difference to an automated vulnerability or security scan.

Even though it is often not stated transparently, the final testimony is simple: an attacker with the knowledge of the tester should not be able to hack the target within a timeframe close to that of the Pentest. Obviously, this description doesn’t sound as sexy as “it’s secure now”.

To be fair, especially when talking about embedded devices, there will always be a way to remove the chips from the device, dissolve their package in acid and go for the die, but… These considerations usually go into the quote for a Pentest and are the basis for the time estimates: “How far would typical attackers go, and how long do we need to do the same?”

One Day Pentest

The idea of the One Day Pentest is slightly different. It’s still a Pentest, with a security expert doing his job, but the scope is limited only by the single day invested into testing. While a “regular” Pentest aims at checking whether the target can be rated as secure, the One Day Pentest is only aimed at verifying that the device is not insecure.

Put differently: if the device can be successfully owned within a single day, maybe it shouldn’t be on the market.

What Does a One Day Pentest Look Like?

  • Unboxing
  • Take pictures
  • Open the device
  • Take pictures of the PCB
  • Create list of large components
  • Create list of interfaces
  • Evaluate PCB interfaces
    • Serial
    • JTAG / other programming
    • Evaluate firmware with FACT, EMBA if extractable
  • Evaluate the IP part
    • Connect via ethernet, WiFi, cellular
    • Portscan
    • Vulnscan
  • Attack whatever was found before
  • If firmware access wasn’t possible, desolder the flash memory and dump it (if present)

I might honestly perform the vuln and port scans overnight, as some weaker devices can’t take the load of quick scans.

What are Typical Results?

The largest issue usually is serial debugging interfaces, which show a boot log and then end in a shell or at least in bootloader access, allowing trivial access to the firmware. On the firmware side, next to insecure credentials, the software and applications used are usually old and contain multiple known vulnerabilities. Self-coded software then brings hardcoded credentials and exposes all the secrets needed to fully pwn the target device or even jump to the backend.

Nothing unexpected, I guess.
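As an added illustration of the typical results above (this is example code written for this post, not a tool from the original talk or from FACT/EMBA), the script below runs the quick triage checks a tester would apply to an extracted firmware tree: empty or weakly hashed passwords in `/etc/shadow`, a shell spawned directly on the UART via `inittab`, credentials hardcoded in config files, and an out-of-support OpenSSL version string. The firmware tree, file names and values are constructed for the example; a real run would read the directory FACT or EMBA extracted from the flash dump. The verdict helper maps the findings onto the traffic-light idea used later in the post.

```python
import re
from typing import Dict, List, Tuple

# (severity, path, message); severity is "high", "medium" or "info"
Finding = Tuple[str, str, str]

# Constructed sample firmware tree (path -> content). All values are made up
# for this example; in a real run the files come from the extracted dump.
SAMPLE_FS: Dict[str, str] = {
    "etc/shadow": (
        "root::0:0:99999:7:::\n"                                    # empty password
        "admin:$1$saltsalt$qJH7N4xYdXyF1K7qV0Xx1:0:0:99999:7:::\n"  # md5crypt
        "svc:$6$longsalt$9rQ3vZ.tXo4eM8kL1pB5c:0:0:99999:7:::\n"   # sha512crypt
        "daemon:*:0:0:99999:7:::\n"                                  # locked
    ),
    "etc/inittab": (
        "::sysinit:/etc/init.d/rcS\n"
        "ttyS0::respawn:/bin/sh\n"      # shell without login on the UART
    ),
    "etc/config/cloud.conf": (
        "backend_url=https://backend.example/api\n"
        "api_user=device\n"
        "api_password=Summer2019!\n"
        "mqtt_token=\n"
    ),
    "usr/lib/libssl.so.1.0.0": "\x00OpenSSL 1.0.2g  1 Mar 2016\x00",
}

SERIAL_TTYS = ("ttyS", "ttyAMA", "ttyUSB", "ttyO", "console")
SECRET_KEY = re.compile(
    r"^\s*(?P<key>[\w.-]*(pass|passwd|pwd|secret|token|api_key|private_key)[\w.-]*)"
    r"\s*[=:]\s*(?P<value>\S.*)$", re.IGNORECASE)
OPENSSL_VERSION = re.compile(r"OpenSSL (\d+\.\d+\.\d+[a-z]?)")
UNSUPPORTED_OPENSSL = ("0.9.", "1.0.", "1.1.0")   # series without upstream support


def classify_hash(field: str) -> str:
    """Classify a shadow password field by the hash scheme it uses."""
    if field == "":
        return "empty"
    if field.startswith(("!", "*")) or field == "x":
        return "locked"
    if field.startswith("$1$"):
        return "md5crypt"
    if field.startswith(("$5$", "$6$", "$y$", "$7$", "$2")):
        return "modern"
    if "$" not in field:
        return "descrypt"          # 13-char traditional DES crypt
    return "unknown"


def check_shadow(path: str, content: str) -> List[Finding]:
    out: List[Finding] = []
    for line in content.splitlines():
        parts = line.split(":")
        if len(parts) < 2:
            continue
        user, kind = parts[0], classify_hash(parts[1])
        if kind == "empty":
            out.append(("high", path, f"account '{user}' has an empty password"))
        elif kind in ("md5crypt", "descrypt"):
            out.append(("medium", path, f"account '{user}' uses weak hash scheme {kind}"))
    return out


def check_inittab(path: str, content: str) -> List[Finding]:
    """A process on a serial tty is either a login console or a bare shell."""
    out: List[Finding] = []
    for line in content.splitlines():
        parts = line.split(":", 3)          # id:runlevels:action:process
        if len(parts) != 4:
            continue
        tty, _, action, cmd = parts
        if not tty.startswith(SERIAL_TTYS) or action not in ("respawn", "askfirst", "once"):
            continue
        if "getty" in cmd or "login" in cmd:
            out.append(("info", path, f"login console on {tty}: '{cmd}'"))
        else:
            out.append(("high", path, f"unauthenticated shell on {tty}: '{cmd}'"))
    return out


def check_secrets(path: str, content: str) -> List[Finding]:
    """Flag credential-like keys that carry a non-empty literal value."""
    return [("medium", path, f"hardcoded credential '{m.group('key')}'")
            for m in (SECRET_KEY.match(line) for line in content.splitlines()) if m]


def check_versions(path: str, content: str) -> List[Finding]:
    return [("medium", path, f"OpenSSL {m.group(1)} is out of upstream support")
            for m in OPENSSL_VERSION.finditer(content)
            if m.group(1).startswith(UNSUPPORTED_OPENSSL)]


def triage(fs: Dict[str, str]) -> List[Finding]:
    findings: List[Finding] = []
    for path, content in fs.items():
        name = path.rsplit("/", 1)[-1]
        if name == "shadow":
            findings += check_shadow(path, content)
        elif name == "inittab":
            findings += check_inittab(path, content)
        elif path.startswith("etc/"):
            findings += check_secrets(path, content)
        findings += check_versions(path, content)
    order = {"high": 0, "medium": 1, "info": 2}
    return sorted(findings, key=lambda f: (order[f[0]], f[1]))


def verdict(findings: List[Finding]) -> str:
    """Traffic light: any high -> red, any medium -> yellow, else green."""
    severities = {f[0] for f in findings}
    if "high" in severities:
        return "red"
    if "medium" in severities:
        return "yellow"
    return "green"


if __name__ == "__main__":
    results = triage(SAMPLE_FS)
    for sev, path, msg in results:
        print(f"[{sev:6}] {path}: {msg}")
    print("verdict:", verdict(results))
```

On the constructed tree this reports two high findings (empty root password, `/bin/sh` on `ttyS0`), three medium ones (md5crypt for `admin`, the hardcoded `api_password`, OpenSSL 1.0.2g) and a red verdict; the empty `mqtt_token` and the locked `daemon` account are deliberately not flagged.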

The Sad Part

If I can find significant vulnerabilities within a single day, 8h not 24h, then in my honest opinion the device shouldn’t even be on the market. It’s proof that the manufacturer didn’t do any security work at all and, well, probably doesn’t even care. While my post so far is mainly written around consumer electronics, why not apply the same to the corporate world? A single day Pentest should cost something between 1000€ and 1800€, and while it doesn’t tell you whether your new or planned acquisition is secure, it should give you a traffic light style red light to stop you from making a bad mistake, or a yellow light to proceed with care.

For more inspiration have a look at: