IoT & Hardware hacking

  Hello guys,

I am a newbie IoT  and hardware hacker and i would like to share some of resources and findings as i  learnt Router exploitation and other hardware hacking.

My journey

I wanted some challenge for something new for research. I thought for sometime then i decided to start do IoT hacking.I have some IoT and embedded  devices on My house such as smart Tvs and router.

so i started to look at smart Tv exploitation.There are a few writeups or videos out there.

After watching  the videos i noted key points such as attack surface on the TVs and some key points while hacking smart TVs

After some weeks i found some vulnerabilities that i will talk about in another writeup.

After some few months i decided to look at router exploitation.I had read of high payouts by ZDI on pwn2own competitions on router exploits.So i searched for their writeups. I found advisories on  vulnerabilities affecting different routers but  no clear step to step to hacking routers.

so i decided to go on youtube and watch videos, noted down the attack surfaces and some attacks.

I also looked for disclosed router CVEs and exploit-db writeups.

With some knowledge on where and what to look for i started hacking the routers.As a web hacker,i first proxied the admin panel to burpsuite and started looking for web vulnerabilities such as xss,ATO etc

After few hours i got CSRF,xss and Auth bypass.I was amazed at how easy it was or maybe my router is shit!

Rested then i started thinking of  serious bugs such as RCE and other firmware vulnerabilities.

I downloaded the router firmware from the vendor's website .Extracted the firmware and started looking for vulnerabilities.I got default credentials and other memory bug classes.

I also took apart the router and tried extracting firmware via UART.I searched on google what the different components on the router were.Luckily, the components were labelled.

Attack surfaces on the Router

I will list some attack surfaces i looked at while hacking the routers.

1.Open ports

2.Firmware

3.Admin panel

4.check exported logs

5.Default creds

6.Transmission protocol

7.Remote management feature

8.Chips on the router board

My Findings On two Routers;

Insecure Http transmission of sensitive data

Backdoor account found on  firmware

one router had open web admin panel :)

CSRF to change DNS settings,port forward and enabling Remote web management

DOS

XSS

AUTH bypass

RCE

Memory bugs in firmware 

Resources

search router on title search bar of exploit-db

https://www.exploit-db.com/search?q=router

https://www.youtube.com/watch?v=2ev4t_uOg38

https://www.youtube.com/watch?v=vhR9gcTtx0g

https://www.youtube.com/watch?v=bGe1DBfy76g

Google

https://www.youtube.com/watch?v=yBK_2fApGgg

https://www.youtube.com/watch?v=ZmZuKA-Rst0

The bugs were submitted to the vendor and got feedback that some will be fixed.When fixed i will write the technical analysis of the vulnerabilities found.Currently i cannot name the vendor.

Comments

Post a Comment

Popular posts from this blog

SOME BUGS

Image
 It's been  a while since i wrote anything related to bug bounty or hacking.In that time i have had some interesting and bad experiences with bug bounty programs.from fast responses to scam external  programs I won't be naming/ shaming the programs but soon i will put up a comprehensive list of scam programs to avoid. Let's talk about some of the bugs; 1. Authentication bypass via path normalization i was hunting on some match matching/dating site.after finding subdomains via crt.sh and fuzzing the subdomains with a wordlist.i found a login page;  min.site.com I started to fuzz to files with ffuf with a custom wordlist.with no result i looked for sqli but found non.tried response manipulation.again failed I was about to give up then i click on a png file.deleted the pic.png and got 403 error.using script https://github.com/iamj0ker/bypass-403 on it i  could list images on the server! https://login.site.com/images// I tried https://login.site.com// also https://...
Read more

Not A Guide to hacking betting sites

  DISCLAIMER!!!   This is for educational purposes only and not a guide to hacking betting sites. In this writeup i will try to provide some bugs i have found on betting sites during my almost 3years bug bounty journey.I have reported more than 100 vulnerabilities on betting websites and android application but i will only talk about some bugs.Sorry,I don't have screenshots to demonstrate the vulnerabilities so i will just list  some bugs and their impacts.I will not name the companies for obvious reasons The writeup lists some  vulnerabilities bug hunters can look for while hunting on betting platforms so grab some coffee and popcorn and enjoy! Some are interesting like  changing odds or withdrawing twice or withdrawing money more than your balance:) IDOR I found most of IDOR on betting sites on profile id parameters.some occurred on bet history where i could change user bet id history and get any user betting history on the site. SQLI Most of then were blind s...
Read more

Taking a Delorean car back to the future:Time related attacks

Image
After thinking about what to write about and having some ideas which are still half done and in draft.I decided to write this! As a car enthusiast with love for classic cars and passion for bringing back old cars to life. I would admit and hope my good friend mark whom we disagrees on most ideas are on the same page here.Delorean was a beauty.If you have not watched Back to the Future movies you are missing out. sit at the back left and let me drive you through time.oops! i forgot delorean is a two-passenger sports car ,but why not go to the future,2024 and get the new powerful delorean alpha5.A better looking super-fast,2+2 coupe , electric car. Enough with the car analogy,we as hackers love technical stuff,nevertheless i believe nowadays i am starting to appreciate the non-technical aspects,folks and roles in tech. In this blog i will discuss some attacks that could impact software from a time change.changing time to the future or back to the past could impact the normal working of ...
Read more